Defender 5.6 Installation Guide
Author: Geraldine Blake

©2010 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc. If you have any questions regarding your potential use of this material, contact: Quest Software World Headquarters LEGAL Dept 5 Polaris Way Aliso Viejo, CA 92656 USA www.quest.com email: [email protected] Refer to our Web site for regional and international office information.

TRADEMARKS Quest, Quest Software, the Quest Software logo and iToken are trademarks and registered trademarks of Quest Software, Inc. in the United States of America and other countries. Gridsure and the Gridsure logos are trademarks and registered trademarks of Gridlock TS Limited. All other trademarks and registered trademarks are property of their respective owners.

Disclaimer The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document. Defender Installation Guide Updated - November 2010 Software Version - 5.6

Contents

ABOUT THIS GUIDE 5
  QUEST ONE IDENTITY SOLUTION 6
  WHY DEFENDER 7
    RADIUS AUTHENTICATION 7
    COMMUNICATIONS PROTOCOL 8
    DEFENDER TOKENS 8
    DEFENDER TOKEN DEPLOYMENT SYSTEM 9
  BENEFITS OF DEFENDER 9
  AUDIENCE AND SCOPE 10
  CONVENTIONS 10
  ABOUT QUEST SOFTWARE 11
  CONTACTING QUEST SOFTWARE 11
    CONTACTING CUSTOMER SUPPORT 12

CHAPTER 1 INTRODUCTION 13
  DEFENDER COMPONENTS 14
  PLANNING YOUR DEFENDER INSTALLATION 15
  LICENSE REQUIREMENTS 16
    TRIAL LICENSES 16
    OBTAINING A PERMANENT LICENSE 16
    ACQUIRING A LICENSE KEY 16
    DEFENDER DESKTOP TOKEN LICENSE 17
  SYSTEM REQUIREMENTS 17

CHAPTER 2 INSTALLATION 21
  INSTALLATION PREREQUISITES 22
    PRE-INSTALLATION CHECKLIST 23
    INSTALLATION SEQUENCE 24
  INSTALLING THE DEFENDER SECURITY SERVER 31
  INSTALLING A DEFENDER USER LICENSE 40
    CONTENTS OF YOUR DEFENDER USER LICENSE EMAIL 40
    INSTALLING THE LICENSE 41
  DEFENDER DESKTOP TOKEN LICENSE 46
  INSTALLING THE DEFENDER REPORT CONSOLE 50
  DEFENDER TOKEN DEPLOYMENT SYSTEM 54
  DEFENDER DELEGATED ADMINISTRATION 55
  CONTROL ACCESS RIGHTS 55
  SETTING PERMISSIONS AND CONTROL ACCESS RIGHTS 57
    CREATING A GROUP 57
    SETTING ACTIVE DIRECTORY PERMISSIONS 57
    SETTING PERMISSIONS ON THE USERS OU 57
    SETTING PERMISSIONS ON THE DEFENDER LICENSE OU 62
    SETTING PERMISSIONS ON THE DEFENDER USER LICENSE 65
    SETTING PERMISSIONS ON THE DEFENDER TOKEN LICENSE 67
  SETTING CONTROL ACCESS RIGHTS 69
    SETTING CONTROL ACCESS RIGHTS ON THE DEFENDER USERS OU 69
    SETTING CONTROL ACCESS RIGHTS ON THE DEFENDER TOKEN OU 71
    AFTER SETTING CONTROL ACCESS RIGHTS 73
  REMOVING CONTROL ACCESS RIGHTS 74
  DEFENDER DESKTOP LOGIN 75
  PLUGGABLE AUTHENTICATION MODULE (PAM) 75

About this Guide
• Quest One Identity Solution
• Why Defender
• RADIUS Authentication
• Communications Protocol
• Defender Tokens
• Benefits of Defender
• Audience and Scope
• Conventions
• About Quest Software
• Contacting Quest Software

Quest One Identity Solution
Defender is a component of the Quest One Identity Solution, a set of enabling technologies, products, and integration that empowers organizations to simplify identity and access management by:
• Reducing the number of identities
• Automating identity administration
• Ensuring the security of identities
• Leveraging existing investments, including Microsoft Active Directory

Quest One improves efficiency, enhances security and helps organizations achieve and maintain compliance by addressing identity and access management challenges as they relate to:
• Single sign-on
• Directory consolidation
• Provisioning
• Password management
• Strong authentication
• Privileged account management
• Audit and compliance.

Why Defender
Defender is an easy-to-install, simple-to-use product that uses the power and flexibility of Microsoft Active Directory (AD) to provide strong two-factor authentication for your organization. Two-factor authentication requires something the user has (a security token) and something the user knows (a PIN).

Figure 1: Defender Environment

RADIUS Authentication
Defender allows authentication by means of the RADIUS protocol for environments that include RADIUS users and/or RADIUS-protected access devices. Devices that use RADIUS for authentication must be able to communicate with the Defender Security Server on the ports they have been configured to use.

Defender includes the facility for Vendor-Specific Attributes (VSAs) to be specified in the RADIUS payload. For further information on VSAs, refer to the RADIUS RFC (RFC 2865, which defines the Vendor-Specific attribute, type 26) at www.ietf.org/rfc.

Communications Protocol
Defender uses TCP/IP to communicate with AD via LDAP on port 389 (and on port 636 where LDAP over SSL is enabled; see Planning your Defender Installation).

Defender Tokens
Defender 5 supports the following token types:
• iToken™
• Authenex OATH Compliant Token
• Defender Go-3 Token
• Defender Go-6 Token
• Defender Go-7 Token
• Defender DualTok Token
• Digipass Pro 260 Token
• Digipass Pro 300 Token
• Defender One Token
• Defender Hand-Held Token
• Defender Hand-Held Token Plus
• Defender Desktop Token for the following platforms:
  • Android
  • Blackberry
  • iPhone
  • Palm
  • Windows Desktop
  • Windows Mobile/iPaq
• Defender SMS
• Email OTP
• GrIDsure.

Defender Token Types A Defender token implemented in software or hardware helps remote users gain access to computer resources on a Defender-protected network. The process of gaining access to a secure network through the use of passwords, challenge/response methods, and synchronous methods is called authentication. The Defender solution includes a variety of token options. All provide strong two-factor authentication.

Defender Token Deployment System This feature allows users to register and request hardware and software tokens. This means that the administrator does not have to perform this task for each user and the administrative overheads are significantly reduced. The Defender Token Deployment System is implemented as a Web-based service, typically provided on a company’s Intranet.

Benefits of Defender
Some of the benefits that Defender brings to your organization are:
• seamless integration with Microsoft AD, using AD administration tools and techniques
• centralized administration for all Defender users
• simple migration from earlier versions of Defender with no change to the end-user experience
• automated replication and backup of Defender data
• multiple points of authentication for load balancing and redundancy
• the ability for users to register their own hardware and software tokens using the Token Deployment System
• Defender Desktop Login for Windows
• extensive reporting facilities
• integration with other Quest products, including Webthority, Quest Password Manager, ActiveRoles Server, Change Auditor and Quest Authentication Services.

Audience and Scope
This book is intended for administrators who want to install and configure Defender, assign and distribute Defender tokens, and manage Defender agents and the Defender Security Server. It does not provide tutorial information on the use of the Windows operating system or on network communication concepts. Readers must have experience with the specified operating system and an understanding of networking concepts.

Conventions
In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes, and cross-references.

ELEMENT / CONVENTION

Select
    This word refers to actions such as choosing or highlighting various interface elements, such as files and radio buttons.
Bolded text
    Used to highlight installation questions and responses.
courier text
    File, daemon, utility, option, attribute names.
Italic text
    Used for comments.
Bold Italic text
    Used for emphasis.
Blue text
    Indicates a cross-reference. When viewed in Adobe Acrobat, this format can be used as a hyperlink.
Note icon
    Used to highlight additional information pertinent to the process being described.
Best Practice icon
    Used to provide Best Practice information. A best practice details the recommended course of action for the best result.
Caution icon
    Used to highlight processes that should be performed with care.
+
    A plus sign between two keystrokes means that you must press them at the same time.
|
    A pipe symbol (vertical bar) between elements means that you must select the elements in that particular sequence.
\
    The back slash, immediately followed by a new line, indicates a Unix command line continuation.
<version>
    References to the product version you are installing are displayed as the version number in angle brackets.

About Quest Software
Quest Software, Inc., a two-time winner of Microsoft's Global Independent Software Vendor Partner of the Year award, delivers innovative products that help organizations get more performance and productivity from their applications, databases, Windows infrastructure and virtual environments. Through deep expertise in IT operations and a continued focus on what works best, Quest helps more than 100,000 customers worldwide meet higher expectations for enterprise IT. Quest's Windows management solutions simplify, automate, secure and extend Active Directory, Exchange Server, SharePoint, SQL Server, .NET and Windows Server, as well as integrating Unix, Linux and Java into the managed environment. Quest Software can be found in offices around the globe and at www.quest.com.

Contacting Quest Software
Phone: 949.754.8000 (United States and Canada)
Email: [email protected]
Mail: Quest Software World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656
Web site: www.quest.com
Please refer to our Web site for regional and international office information.

Contacting Customer Support
Quest Software's world-class support team is dedicated to ensuring successful product installation and use for all Quest Software solutions.
SupportLink: www.quest.com/support
Email: [email protected]

You can use SupportLink to do the following:
• Create, update, or view support requests
• Search the knowledge base
• Access FAQs
• Download patches

1 Introduction
• Defender Components
• Planning your Defender Installation
• License Requirements
• System Requirements

Defender Components
Defender consists of four main components:

COMPONENT / FUNCTION

Defender Security Server
    A software service that performs two-factor authentication of users.
Defender Management GUI
    AD schema and MMC snap-in extensions used to manage Defender users and tokens.
Defender Token Deployment System
    A system that allows users to request and register their own hardware and software tokens.
Defender Report Service
    A report console that provides access to a variety of reports, which can be extracted for viewing or printing based on specific selection criteria.

Planning your Defender Installation
This section describes the information you need to gather and the actions to perform before you install Defender. Ask yourself the following questions:

• Where should I locate the Defender components?
Quest strongly recommends that all machines running Defender are located where you can strictly control physical access to them. Consider adding a backup Defender Security Server so that you can continue authenticating users if your primary Defender Security Server becomes unavailable.

• What are the network considerations?
Defender components communicate with each other as described below. The machines on which you install the Defender components must be able to reach one another; if your environment uses routers and firewalls, configure them to allow this traffic:
  • The Defender Security Server (DSS) uses LDAP over TCP port 389 to communicate with the domain controllers in Active Directory, and TCP port 636 if LDAP over SSL is enabled.
  • Defender Access Nodes (the firewalls, VPN devices and similar devices in your environment) use RADIUS to communicate with the DSS, on UDP ports 1812/1813 or 1645/1646. Each device must be able to communicate with the DSS on the ports it has been configured to use.
  • Defender Agents use TCP port 2626 to communicate with the DSS.
  • The other Defender components use TCP/IP to communicate with AD via LDAP on port 389.

License Requirements

Trial Licenses
During installation of the Defender Administration Console, 25 user licenses and 25 licenses for each type of Desktop token can be installed. These trial licenses help you get started quickly and easily. Trial licenses are installed only with a new Defender installation; they are not included in an upgrade from an earlier version of Defender to Defender 5.6, or if existing licenses are detected. When you install a permanent user license, the 25-user trial license is overwritten. All other trial Desktop Token licenses remain in place. All trial licenses expire after 90 days.

If you want to use the trial licenses, ensure that Defender Security Server version 5.6.0.1476 or later is installed.

Obtaining a Permanent License
To run a Defender Security Server, you must have a valid user license for the number of users that will authenticate to the Defender Security Server. The Defender Security Server user license is installed into AD using the Defender Administration Console.

For a permanent Defender license, you will need to provide the fully qualified domain name of the domain in which the Defender Security Server is installed.

Acquiring a License Key
Complete the form located at the following link for licensing assistance with any Quest product: https://support.quest.com/SUPPORT/index?page=licenseKey
To obtain a trial license for a Quest product, send an email to [email protected].

Defender Desktop Token License If you want to generate Defender Desktop Tokens, you must have a valid Defender Desktop Token license. Multiple licenses of the same type can be installed on the same platform, enabling you to purchase licenses for additional tokens as required. For further information, refer to Defender Desktop Token License on page 46.

System Requirements
This section describes the system requirements for the Defender components:

Defender Administration Console
    Windows Server 2008 R2, Windows Server 2008, Windows 7, Windows Server 2003, Windows Server 2000, Windows XP, Windows Vista
    Microsoft Active Directory
    Active Directory Administration Tools
    128 MB RAM
    Disk space usage per user: 2 KB

Defender Security Server
    Windows Server 2008 R2, Windows Server 2008, Windows Server 2003
    128 MB RAM
    Disk space usage per authentication: 300 bytes
    Memory usage per authentication: 4 KB (transient)
    A single server should be able to handle between 30,000 and 40,000 authentications per day, depending on Active Directory performance, at a peak rate of about 2 authentications per second.
    Recommended server specification: physical or virtual; 1 dual-core CPU (2 GHz per core); 2 GB RAM; 40 GB disk space (nominal)

Defender Token Deployment System
    Windows Server 2008 R2, Windows Server 2008, Windows Server 2003
    Internet Information Services
    128 MB RAM

Defender Reports Console
    Windows Server 2008 R2, Windows Server 2008, Windows Server 2003
    Internet Information Services
    128 MB RAM
    Note: clients require Internet Explorer 6 or higher
    Disk space usage: approximately 100 bytes per (historic) authentication
    Recommended server specification: physical or virtual; 2 GHz CPU; 2 GB RAM; 40 GB disk space

Defender Desktop Token
    Windows Server 2008 R2, Windows Server 2008, Windows 7, Windows Server 2003, Windows Server 2000, Windows XP, Windows Vista

Defender WebMail
If you are using Defender WebMail, define the WebMail Agent as a new Access Node, as described in the Defender Configuration Guide.

2 Installation
• Installation Prerequisites
• Pre-installation Checklist
• Installation Sequence
• Installing the Defender Security Server
• Installing a Defender User License
• Contents of your Defender User License Email
• Defender Desktop Token License
• Installing the Defender Report Console
• Defender Token Deployment System
• Defender Delegated Administration
• Setting Permissions and Control Access Rights
• Setting Control Access Rights
• Removing Control Access Rights
• Defender Desktop Login

This section provides all the information you need to install the Defender components.

Installation Prerequisites
Quest recommends that all machines running Defender are located where you can strictly control access to them. Consider adding a second Defender Security Server (DSS) to ensure that user authentication can continue if one becomes unavailable. Before you install Defender, ensure that:
• the account you will use to install Defender is a member of the Domain Admins group
• the account you will use to install the Schema updates is a member of the Schema Admins group
• you have created the service account that the DSS will use to access Active Directory, and that this account is a member of the Domain Admins group or, preferably, holds only the permissions required to access the Defender attributes within Active Directory. For further information, refer to the Delegation of Administration Rights guide available from http://support.quest.com
• TCP/IP is installed on the machines where you will install Defender
• the machines where you will install the Defender components have static IP addresses
• you have administrative privileges on all the machines on which you install Defender components
• you are familiar with the Microsoft Active Directory system that will be used by Defender
• if you are installing the Defender Management Console, the required Visual C++ redistributables are present. On a Windows 2008 x64 system: Microsoft Visual C++ 2008 SP1 Redistributable Package (x86) and Microsoft Visual C++ 2008 SP1 Redistributable Package (x64). On a Windows 2003 x86 system: Microsoft Visual C++ 2008 SP1 Redistributable Package (x86). The redistributables are available on the Defender Installation CD.
• if you are installing the Defender Management Console with the Defender Group Policy feature, .NET Framework 2.0 or higher is installed on the server where you are installing the Defender Management Console. The Defender Management Console must be installed after .NET so that the required DLLs are registered correctly.

Pre-installation Checklist
Before installing the Defender components, take a moment to complete the following checklist. This will ensure that you have completed the pre-installation requirements and have all the necessary information to hand for the Defender installation procedure.
1. Where do you want to install the Defender Management Console? You can specify a directory path or accept the default path offered by Defender.
2. If you are performing a first-time installation of Defender, check the Schema Updates checkbox when prompted. The MMC Snap-in Extensions checkbox is checked by default.
3. If you are upgrading from Defender version 4.x to Defender 5.6, contact Customer Support for assistance.
4. Where do you want to install the Defender Security Server? You can specify a directory path or accept the default path offered by Defender.
5. What is the DNS name or IP address of the machine on which Active Directory is running?
6. What is the number of the LDAP port for Active Directory? This is the port number that Defender will use to access Active Directory. You can specify a port number or accept the default port number offered by Defender (389).
7. What is the full distinguished name of the administrator or service account that is used to change passwords?
8. What is the password for the administrator or service account?
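The following PowerShell script is an added example and is not part of the Quest guide. Run from the machine that will host the Defender Security Server, it answers checklist items 5 to 8 before you touch the installer: it resolves the domain controller, checks the LDAP ports listed under Planning your Defender Installation, turns the service account's logon name into the distinguished name the DSS configuration asks for, warns if that account is a direct member of Domain Admins (the prerequisites allow delegated rights on the Defender attributes instead), and validates the password without storing it. The domain controller name and service account name are placeholders; the script assumes the ActiveDirectory PowerShell module (RSAT) and Windows PowerShell 3.0 or later.

```powershell
# Added example, not from the Defender 5.6 guide. Placeholder values: replace
# $DomainController and $ServiceAccount with your own. Assumes the RSAT
# ActiveDirectory module and Windows PowerShell 3.0 or later.
param(
    [string]$DomainController = 'dc01.quest.com',   # assumed DC name (checklist item 5)
    [string]$ServiceAccount   = 'svc_defender',     # assumed sAMAccountName of the DSS service account
    [int]$LdapPort            = 389,                # checklist item 6 default
    [int]$LdapsPort           = 636                 # only needed if you will set the SSL Port
)
Import-Module ActiveDirectory -ErrorAction Stop

# TCP reachability with a timeout; uses .NET directly so it also works on the
# Windows Server 2003/2008 hosts the guide targets, which lack Test-NetConnection.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($handle)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Item 5: the DSS needs a resolvable DNS name or IP address for Active Directory.
$addresses = [System.Net.Dns]::GetHostAddresses($DomainController)
'{0} resolves to {1}' -f $DomainController, ($addresses -join ', ')

# Item 6: LDAP on 389 must be reachable from this host; 636 matters only if the
# SSL Port will be set for password changes.
foreach ($port in @($LdapPort, $LdapsPort)) {
    $state = if (Test-TcpPort -ComputerName $DomainController -Port $port) { 'open' } else { 'CLOSED' }
    'TCP {0} on {1}: {2}' -f $port, $DomainController, $state
}

# Item 7: the DSS configuration wants the full distinguished name, not the logon name.
$account = Get-ADUser -Identity $ServiceAccount -Server $DomainController -Properties MemberOf
'Account Name field: {0}' -f $account.DistinguishedName

# Least-privilege check: Domain Admins membership works, but delegated permissions
# on the Defender attributes are the narrower option the prerequisites allow.
$domainAdmins = (Get-ADGroup -Identity 'Domain Admins' -Server $DomainController).DistinguishedName
if ($account.MemberOf -contains $domainAdmins) {
    Write-Warning "$ServiceAccount is a direct member of Domain Admins; consider delegated Defender permissions instead."
}

# Item 8: confirm the password interactively; nothing is written to disk or to a log.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$cred = Get-Credential -UserName $ServiceAccount -Message 'Defender service account password'
$contextType = [System.DirectoryServices.AccountManagement.ContextType]::Domain
$context = New-Object System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList $contextType, $DomainController
$valid = $context.ValidateCredentials($ServiceAccount, $cred.GetNetworkCredential().Password)
'Password check for {0}: {1}' -f $ServiceAccount, $(if ($valid) { 'OK' } else { 'FAILED' })
```

The password check uses ValidateCredentials, which authenticates with Negotiate; it confirms the secret you will type into the Account Password field but is not a reproduction of the bind the DSS itself performs. A CLOSED result on 636 is only a problem if you intend to set the SSL Port.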


Installation Sequence
You are now ready to start the installation procedure. Install the Defender components in the following sequence:
• Defender Management Console:
  • Schema updates - updates to your Active Directory Schema required to support Defender
  • Defender OU - default container for Defender objects
  • MMC Snap-ins - extends the Active Directory Users and Computers tool to include the Defender Management Console
• Defender Security Server - authenticates RADIUS and Defender Agent requests
• Defender User License
• Defender Tokens
• Defender Desktop Token License (if you want to generate Desktop Tokens)
• Defender Reports Service (optional)
• Defender Token Deployment System (optional).

Installing the Defender Management Console
To install the Schema updates and MMC Snap-ins and create the Defender container:
1. From the Defender 5.6 Autorun, select Defender | Defender Administration Console.
2. If the Visual C++ Runtime redistributable package is not installed on this machine, a message is displayed offering to install it.
The message described above applies to a Defender Management Console installation on a Windows 2003 x86 system. If you are installing the Defender Management Console on a Windows 2008 x64 system, the following redistributables are required:
- Microsoft Visual C++ 2008 SP1 Redistributable Package (x86)
- Microsoft Visual C++ 2008 SP1 Redistributable Package (x64)
To install the Visual C++ Runtime redistributable package(s), click Yes. On completion of that installation, the Defender Management Console installation proceeds, as shown in Step 3. If you click No, choosing not to install the Visual C++ Runtime redistributable package(s), the Defender Management Console installation terminates.

3. The Defender ADE MMC Installation dialog box is displayed:
Figure 1: Defender ADE MMC Installation dialog box
4. Click Next. The Software License Agreement is displayed.
5. Click Next. The Defender Console Installation (Install Location) dialog box is displayed:
Figure 2: Defender Console Installation (Install Location) dialog box
6. Click Next to accept the default location. Alternatively, click Browse to choose a different installation directory, then click Next to continue.

The Defender ADE MMC Installation (Component Installation) dialog box is displayed:
Figure 3: Defender MMC (Component Installation) dialog box
7. If you are performing a first installation of Defender, you must check the Schema Updates checkbox.
8. The Create 'Defender' Organizational Unit checkbox is checked by default. This creates an organizational unit in Active Directory called Defender.
9. The MMC Snap-in Extensions checkbox is checked by default. This installs the Defender Management Console extensions.
The schema updates are installed only once for the enterprise. The MMC extensions are installed on every PC that will be used to manage Defender.

10. Click Next. The Defender Console Installation (Control Access Rights) dialog box is displayed:
Figure 4: Defender Console Installation (Control Access Rights) dialog box
11. To delegate control access rights to Defender users, check the Install Defender Control Access Rights checkbox. On completion of the installation, refer to Control Access Rights on page 55 for information on how to delegate control access rights.
12. Click Finish.
13. The Defender Console Installation (Installation Progress) dialog box is displayed:
Figure 5: Defender Console Installation (Installation Progress) dialog box
14. On completion, the Defender Console Installation Complete dialog box is displayed.

Optional Installation Switches
The table below describes the installation switches that can be used if you are installing the Defender Management Console from the command line.

Table 1: Defender Management Console Installation Switches

Switch        Description
/SILENT       Silent installation.
/NODLG        No dialog. This is not the same as silent mode: the progress dialog and message boxes are still displayed.
/PATH:xxxxx   Specify an installation location. If an installation already exists, the existing installation location overrides this setting.
/NOLOG        Do not write to the installation log.
/SCHEMA       Install the Schema extensions.
/NOSCHEMA     Do not install the Schema extensions.
/NOORGUNIT    Do not create the Defender organizational unit.
/NOGUI        Do not install the GUI.
/CAR          Install Defender Control Access Rights.
/NOVER        Overwrite existing files.
/NOTRIAL      Do not install the trial licences.
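As an added example, not from the guide, the PowerShell script below wraps the switches in Table 1 for an unattended Defender Management Console installation and applies the rule stated with Step 9: the schema updates go in once per enterprise, while every other management PC gets the MMC extensions only. The installer's file name is an assumption, since the guide launches this installer from the Defender 5.6 Autorun without naming the executable; treating a non-zero exit code as failure is also the script's assumption, not a statement from the guide.

```powershell
# Added example, not from the Defender 5.6 guide. The installer path is an
# assumption; locate the actual executable on the Defender 5.6 Autorun media.
# Assumes the RSAT ActiveDirectory module and that the script runs in the
# forest root domain, where Schema Admins lives.
param(
    [string]$Installer = 'D:\Defender\DefenderConsoleSetup.exe',  # assumed file name
    [switch]$FirstInstall,      # first console in the enterprise: schema, OU, control access rights
    [string]$InstallPath,       # optional; the installer ignores it if Defender is already installed
    [switch]$NoTrialLicenses    # suppress the 25-user / 25-per-token-type trial licences
)
Import-Module ActiveDirectory -ErrorAction Stop

$switches = @('/SILENT')
if ($FirstInstall) {
    # Schema updates require Schema Admins in the current logon token; fail early
    # instead of letting the installer stop part-way through.
    $tokenSids   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object { $_.Value }
    $schemaAdmin = (Get-ADGroup -Identity 'Schema Admins').SID.Value
    if (-not ($tokenSids -contains $schemaAdmin)) {
        throw 'A first-time installation applies schema updates and must run as a member of Schema Admins (log off and on after being added).'
    }
    $switches += '/SCHEMA', '/CAR'
    if ($NoTrialLicenses) { $switches += '/NOTRIAL' }
} else {
    # Additional management PCs: MMC extensions only; no schema, OU or trial licence changes.
    $switches += '/NOSCHEMA', '/NOORGUNIT', '/NOTRIAL'
}
if ($InstallPath) { $switches += "/PATH:$InstallPath" }

"Running: $Installer $($switches -join ' ')"
$proc = Start-Process -FilePath $Installer -ArgumentList $switches -Wait -PassThru
if ($proc.ExitCode -ne 0) {   # assumption: a non-zero exit code means the installer failed
    throw "Defender Management Console installer exited with code $($proc.ExitCode)"
}
'Installation finished; review the installation log unless /NOLOG was used.'
```

Run it once with -FirstInstall from an account that is in both Domain Admins and Schema Admins, then without the switch on each further administration workstation; add /NOGUI to the second branch for a host that needs the schema and OU objects but no console.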


Installing the Defender Security Server
To install the Defender Security Server:
1. Run Defender Security Server Installer.exe. The Defender Security Server Installation dialog box is displayed:
Figure 6: Defender Security Server Installation dialog box
2. Click Next. The Software License Agreement is displayed.
3. Click Next. The Defender Security Server Installation (Install Location) dialog box is displayed:
Figure 7: Defender Security Server Installation (Install Location) dialog box
4. Click Finish to accept the default location for the Defender Security Server. Alternatively, click Browse to choose a different directory, then click Finish. A message is displayed asking whether you want to configure the Defender Security Server now.
5. If you click No, you must perform the configuration via the shortcut on the Programs menu before the Defender Security Server is started for the first time. To configure the Defender Security Server now, click Yes. The Defender Security Server Configuration dialog box is displayed:

Figure 8: Defender Security Server Installation (AD LDAP) dialog box
6. In the Address field, type the DNS name or IP address of either the domain or the individual domain controllers used by the Defender Security Server.
7. In the Port field, type the number of the LDAP port that the Defender Security Server will use to connect to Active Directory. The default port number is 389.
8. In the SSL Port field, type the number of the port that the Defender Security Server will use to establish a secure connection to Active Directory. This port is used only for user password changes between the Defender Security Server and Active Directory; the default port number is 636. On installation the SSL Port field is set to 0. If you do not want to use SSL, leave the SSL Port field set to 0 to avoid errors when you run the connectivity tests. If Defender is to change user passwords, set the SSL Port, which requires LDAP over SSL to be enabled on the domain controllers.
9. In the Account Name field, type the full distinguished name of the service account that will be used to communicate with Active Directory. This account must have administrative authority or the delegated permissions described under Installation Prerequisites. For example: cn=service_account,cn=users,dc=quest,dc=com
10. In the Account Password field, type the password of the account specified in the Account Name field.

11. To configure Defender logging information, select the Audit Log tab. The Defender Security Server (Audit Log) tab is displayed:

12. To specify a different log path for the Defender Security Server log file, click Browse and navigate to the required location. 13. To change the maximum size of the Defender Security Server log file, enter the required size in the Size of Log field. 14. To create a duplicate copy of the current Defender Security Server log, check the Create additional log with fixed name field, and then enter the name of the log file in the Log name field. 15. If you want to save Defender Security Server logging information to a syslog server, as well as to the Defender Security Server log, check the Enable syslog checkbox. 16. In the Collector hostname field, enter the name of the host computer where the syslog server is running. 17. In the Collector Port field, enter the port number used by the computer specified in the Collector hostname field.


18. To test the connections between the Defender Security Server and the domain controllers in your environment, select the Test Connection tab. The Defender Security Server (Test Connection) dialog is displayed:

Figure 9: Defender Security Server (Test Connection) dialog

Click Test. The Defender Security Server now checks that it is able to connect to LDAP and communicate with the domain controllers within the Defender environment. After a short delay, the test results are displayed:

Figure 10: Defender Security Server (Test Results) dialog


If you want to run connectivity tests while the Defender Security Server is running, check the Perform periodic connectivity tests whilst the DSS operates checkbox. Tests are performed every 3 hours. If a test is unsuccessful, it is repeated at 30 minute intervals until a successful result is achieved. Results of the tests can be viewed in the Defender Security Server log, available in:

C:\Program Files\Quest Software\Defender\DSS Active Directory Edition\Logs

or

C:\Program Files(x86)\Quest Software\Default\DSS Active Directory Edition\Logs

19. Click OK. The Defender Security Server Installation Progress dialog is displayed:

Figure 11: Defender Security Server Installation (Installation Progress) dialog

20. To display a log of the actions performed during the Defender Security Server installation procedure, check the Show Log checkbox. The log includes the names and version numbers of files copied and the directory locations they are copied into during installation.


21. Click Next. The Defender Security Server (Installation Complete) dialog is displayed:

Figure 12: Defender Security Server Installation (Installation Complete) dialog

22. Click Finish. On completion of the installation, a Defender Active Directory Edition program group is created.
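Before relying on the wizard's Test Connection tab in step 18, the same settings can be exercised from the command line on the server where the Defender Security Server is installed. The following PowerShell script is an added example and is not part of the Defender product or of this guide: it checks that the LDAP port from step 7 is reachable, completes a TLS handshake on the SSL port from step 8 (skipped when that port is 0, matching the guide's advice), binds as the service account from step 9, and sends a test syslog datagram to the collector from steps 16 and 17. The domain controller name, collector name and ports in the param block are placeholders to replace with your own values; the account DN is the guide's own example.

```powershell
# Added example, not part of the Defender product or the Quest guide. Pre-flight checks for the
# values entered on the AD LDAP and Audit Log tabs: the LDAP port is reachable, the LDAPS
# certificate is trusted (only when SSL Port is not 0), the service account can bind, and the
# syslog collector receives a test datagram. Server, account and collector values are placeholders.
param(
    [string]$Server        = 'dc01.quest.com',                               # placeholder domain controller
    [int]   $Port          = 389,                                            # LDAP port, the guide's default
    [int]   $SslPort       = 0,                                              # 0 = SSL not used, as set on installation
    [string]$AccountDn     = 'cn=service_account,cn=users,dc=quest,dc=com',  # the guide's example DN
    [string]$Collector     = 'syslog.quest.com',                             # placeholder Collector hostname
    [int]   $CollectorPort = 514                                             # placeholder Collector Port (UDP)
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$TcpPort, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $TcpPort, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Get-LdapsCertificate {
    # Completes a TLS handshake on the SSL port and returns the DC certificate. A chain that the
    # local machine does not trust fails here, which is what would surface as connectivity-test errors.
    param([string]$ComputerName, [int]$TcpPort)
    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $TcpPort)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($ComputerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{ Subject = $cert.Subject; Issuer = $cert.Issuer; NotAfter = $cert.NotAfter }
    } finally { $client.Close() }
}

function Test-ServiceAccountBind {
    # Simple bind as the service account. When an SSL port is configured the bind goes over LDAPS,
    # so the service account password is not sent in clear text during the check.
    param([string]$ComputerName, [int]$LdapPort, [int]$LdapsPort, [string]$BindDn, [securestring]$Password)
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $usePort = if ($LdapsPort -ne 0) { $LdapsPort } else { $LdapPort }
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($ComputerName, $usePort)
    $cred = New-Object System.Net.NetworkCredential($BindDn, $Password)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $cred, [System.DirectoryServices.Protocols.AuthType]::Basic)
    $conn.SessionOptions.SecureSocketLayer = ($LdapsPort -ne 0)
    $conn.SessionOptions.ProtocolVersion   = 3
    try { $conn.Bind(); return $true } catch { Write-Warning $_.Exception.Message; return $false } finally { $conn.Dispose() }
}

function Send-TestSyslog {
    # Sends one RFC 3164 style message (facility local0 = 16, severity informational = 6) so arrival
    # at the collector can be confirmed before Enable syslog is checked on the Audit Log tab.
    param([string]$CollectorHost, [int]$UdpPort, [string]$Message)
    $now  = Get-Date
    $time = '{0} {1,2} {2:HH:mm:ss}' -f $now.ToString('MMM', [cultureinfo]::InvariantCulture), $now.Day, $now
    $line = "<$((16 * 8) + 6)>$time $env:COMPUTERNAME DefenderPreflight: $Message"
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($line)
    $udp = New-Object System.Net.Sockets.UdpClient
    try { [void]$udp.Send($bytes, $bytes.Length, $CollectorHost, $UdpPort); return $line } finally { $udp.Close() }
}

$report = [ordered]@{}
$report['LDAP port reachable'] = Test-TcpPort -ComputerName $Server -TcpPort $Port
if ($SslPort -eq 0) {
    $report['LDAPS'] = 'SSL Port is 0, so SSL is not in use and was not checked'
} else {
    $report['SSL port reachable'] = Test-TcpPort -ComputerName $Server -TcpPort $SslPort
    if ($report['SSL port reachable']) {
        $report['LDAPS certificate'] = Get-LdapsCertificate -ComputerName $Server -TcpPort $SslPort
    }
}
$password = Read-Host -AsSecureString -Prompt "Password for $AccountDn"
$report['Service account bind'] = Test-ServiceAccountBind -ComputerName $Server -LdapPort $Port -LdapsPort $SslPort -BindDn $AccountDn -Password $password
$report['Syslog test message']  = Send-TestSyslog -CollectorHost $Collector -UdpPort $CollectorPort -Message 'Defender Security Server pre-flight test'
$report
```

A failed certificate check is the case worth understanding before installation: the Defender Security Server only uses the SSL port for password changes, so a DC certificate the server does not trust shows up as a connectivity-test error rather than as a failed authentication, and the guide's advice to leave SSL Port at 0 when SSL is not wanted avoids exactly that.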


After Installation

To configure the Defender Security Server after installation:

1. From the Start menu, select the Defender Active Directory Edition program group, then Configure Defender Security Server. The Defender Security Server Installation dialog box is displayed:

Figure 13: Defender Security Server Installation (AD LDAP) dialog

2. To test the connections between the Defender Security Server, LDAP and the domain controllers, select the Test Connection tab. For a description of the Test Connection dialog, refer to Step 18.


3. To check the status of the Defender Security Server service, select the Service tab. The Defender Security Server Configuration (Service) dialog box is displayed:

Figure 14: Defender Security Server Configuration (Service) dialog box

The Service dialog box indicates whether the Defender Security Server service is installed and whether it is currently running or stopped. To restart the service if it is currently stopped, click Restart Service. To stop the service if it is currently running, click Stop Service.


Installing a Defender User License

Before you can assign tokens to users, add users or authenticate users at the Defender Security Server, you must install your user license.

Contents of your Defender User License Email

Your user license is in the email received from Quest Software. The license key and details are contained in the attachment called customername - licensetype - dateofissue.msg:

Figure 15: Defender User License Key and Details

The user license must be valid for the total number of users that will be assigned tokens. Check the details carefully before installing your license. Attached to the license details is a .txt file, called customername - licensetype - dateofissue.txt. This .txt file contains your encrypted license file:

Right-click customername - licensetype - dateofissue.txt and select Save as from the list. Save this file to a location of your choice. You will retrieve the file from this location during the license installation procedure.


Installing the License

To install your Defender user license:

1. From the Users and Computers tree, click Defender on the menu bar.

Figure 16: Install User License option

2. Select Install User License from the menu. The Defender License Import Wizard starts:

Figure 17: Defender License Import Wizard - Welcome dialog box


3. Click Next. The Defender Import Wizard (File and Key) dialog box is displayed:

Figure 18: Defender Import Wizard (File and Key) dialog box

4. Click Browse to navigate to the directory where the customername - licensetype - dateofissue.txt file is located. Select the file, then click Open. The name of the license file is displayed in the Filename field.

5. You need your Defender user license key to unlock the license file. The license key is in the email sent to you from Quest Software Licensing. An example email is shown below:

Figure 19: Example Defender License Key

6. Open the email, then highlight the license key.

7. From the menu bar, select Edit, Copy to copy the license key.


8. Return to the Defender Import Wizard (File and Key) dialog box, then click Paste to paste the license key into the Key fields.

Figure 20: Defender Import Wizard (File and Key) dialog box

9. Click Next. The Defender Import Wizard (License Type) dialog box is displayed:

Figure 21: Defender Import Wizard (License Type) dialog box


10. Click Next. The Defender Import Wizard (Storage Location) dialog box is displayed:

Figure 22: Defender Import Wizard (Storage Location) dialog box

11. Click Select to navigate to the location where you want to store the user license. Alternatively, click Next to accept the default location and continue. The Defender Import Wizard (Import Progress) dialog box is displayed:

Figure 23: Defender Import Wizard (Import Progress) dialog box


12. Click Next. The Defender Import Wizard (Defender Import Complete) dialog box is displayed:

Figure 24: Defender Import Wizard (Defender Import Complete) dialog box


Defender Desktop Token License

Before you can generate Defender Desktop Tokens, you must have a valid Defender Desktop Token license. Your Desktop Token license is in the email received from Quest Software. The license key and details are contained in the attachment called customername - licensetype - dateofissue.msg:

Figure 25: Defender Desktop Token License Key and Details

The Desktop Token license must be valid for the total number of tokens that you require. Check the details carefully before installing your license. Attached to the license details is a .txt file, called customername - licensetype - dateofissue.txt. This .txt file contains your encrypted license file:

Right-click customername - licensetype - dateofissue.txt and select Save as from the list. Save this file to a location of your choice. You will retrieve the file from this location during the license installation procedure. The Defender Desktop Token license is required in addition to the Defender User license. For further information about the Defender User license, refer to Installing a Defender User License.


To install a Defender Desktop Token license:

1. From the Users and Computers tree, click Defender on the menu bar.

Figure 26: Install Desktop Token License option

2. Select Install Desktop Token License from the menu. The Defender License Import Wizard starts:

Figure 27: Defender License Import Wizard - Welcome dialog box


3. Click Next. The Defender Import Wizard (File and Key) dialog box is displayed:

Figure 28: Defender Import Wizard (License Files) dialog box

4. To add a license file to the Licenses to install list, click Add File. Browse to the Defender Desktop License file that you saved earlier, as described on page 46. Click on the required file, then click Open. The selected file is added to the Licenses to install list.

5. Click Next. The Defender Import Wizard (Import Progress) dialog box is displayed:

Figure 29: Defender Import Wizard (Import Progress) dialog box


6. Click Next. The Defender Import Wizard (Defender Import Complete) dialog box is displayed:

Figure 30: Defender Import Wizard (Defender Import Complete) dialog box


Installing the Defender Report Console

To install the Defender Report Console:

1. Run the Defender Reports Installer.exe file. The Defender Report Console Installation Wizard starts:

Figure 31: Defender Report Console Installation

2. Click Next. The Software License Agreement is displayed.

3. Check the I accept the license agreement checkbox.


4. Click Next. The Defender Report Console Installation (Install Location) dialog box is displayed.

Figure 32: Defender Report Console Installation (Install Location)

5. Click Next to accept the default location. Alternatively, click Browse to choose a different installation location, then click Next.

6. The Defender Report Console Installation (IIS Configuration) dialog box is displayed:

Figure 33: Defender Report Console Installation (IIS Configuration)


To enable Defender to automatically configure IIS Web Services, ensure that the Automatically Configure IIS Web Services checkbox is checked. Quest recommends that you allow Defender to automatically configure IIS Web Services. In the TCP Port field, enter the port number that will be used for communications between Defender and the Web site. If you do not want to automatically configure IIS Web Services, uncheck the Automatically Configure IIS Web Services checkbox. To configure IIS Web Services after installation, refer to the ReadMe file installed with Defender Reports. Alternatively, refer to the ReadMe file installed with the Defender Reports Console.

7. Click Next. The Defender Report Console Installation (User Privileges) dialog box is displayed:

Figure 34: Defender Report Console Installation (User Privileges)

8. To add the names of users who are authorized to access the Defender Reports Console to the list, click Add.

9. In the User field, type the name of the user account that will be used to run the Defender Reports Console. The user account you specify here must have administrative privileges. To select a user name, click Browse.

10. In the Password field, type the password used by the user name specified in Step 9.

11. In the Confirm field, type the password again to confirm it.


12. Click Next. The Defender Report Console Installation (Installation Progress) dialog box is displayed:

Figure 35: Defender Report Console Installation (Installation Progress)

13. Click Next. The Defender Report Console Installation (Installation Complete) dialog box is displayed:

Figure 36: Defender Report Console Installation (Installation Complete)

14. Click Finish. The readme file is displayed. The Defender Report Console installation procedure is now complete.


Defender Token Deployment System

For details of the Defender Token Deployment System, please refer to:

• Defender Token Deployment System Quick Start Guide
• Defender Token Deployment System Installation and Configuration Guide
• Defender Token Deployment System User Guide.


Defender Delegated Administration

For details of Defender Delegated Administration, please refer to the Defender Delegated Administration User Guide.

Control Access Rights

If you checked the Defender control access rights checkbox during the Defender installation procedure, you can enable and disable specific token administration option buttons in the Defender Administration Utility. The token option buttons are only available to an administrative user and are located on the username Properties - Defender tab and the tokenname Properties tab. You can specify control access rights for the following token administration options:

• Program - program a token for a Defender user
• Recover - unlock a token
• Test - perform a non-intrusive test to verify the token’s response
• Helpdesk
  • Reset - re-synchronize the user’s token
  • Assign - allocate a temporary token response to the user
• Unassign - unassign a Defender token from a user
• Add - assign a Defender token to a user
• Set PIN - set a PIN for the user to use with this token
• Password - specify or change the user’s Defender password.


Figure 1: username Properties - Defender tab


Setting Permissions and Control Access Rights

This section describes the steps you need to perform to set permissions and control access rights for Defender Administrators. The example uses a group called Defender Admins. The steps are:

1. Create a user group called Defender Admins.
2. Add your Defender Administrator(s) to the Defender Admins group.
3. Set Schema Permissions in Active Directory for the Defender Admins group.
4. Set access control rights.

Creating a Group

In Active Directory, create a group called Defender Admins, then add your Defender Administrator(s) to this group.

Setting Active Directory Permissions

You now need to set Active Directory permissions for the Defender Admins group on the OU containing the Defender users and on the OU containing the Defender tokens. The following example uses an OU called Users.

Setting Permissions on the Users OU

To set permissions for the Defender Admins group on the OU containing the Defender users, perform the following steps:

1. In Active Directory Users and Computers, right-click the OU containing the Defender users.


2. From the dropdown list, select Delegate Control. The Delegation of Control Wizard starts:

Figure 2: Welcome page

3. Click Next. The Users or Groups dialog box is displayed:

Figure 3: Users or Groups dialog box


4. Click Add. The Select Users, Computers or Groups dialog box is displayed.

5. Add the Defender Admins group.

6. Click Next. The Tasks to Delegate dialog box is displayed:

Figure 4: Tasks to Delegate dialog box

7. Click the Create a custom task to delegate option button.


8. Click Next. The Active Directory Object Type dialog box is displayed:

Figure 5: Active Directory Object Type dialog box

9. Click the Only the following objects in the folder option button.

10. Check the User objects checkbox.

11. Click Next. The Permissions dialog box is displayed:

Figure 6: Permissions dialog box


12. Check the Property-specific checkbox.

13. Check the boxes adjacent to the following permissions:

• Read defender-tokenUsersDNs
• Write defender-tokenUsersDNs
• Read defender-userTokenData
• Write defender-userTokenData.

14. Click Next. The Completing the Delegation of Control Wizard dialog box is displayed:

Figure 7: Completion dialog box

15. Click Finish.


Setting Permissions on the Defender License OU

To set permissions for the Defender Admins group on the OU containing the Defender license, perform the following steps:

To view the screen images from the Delegation of Control Wizard, refer to Setting Permissions on the Users OU on page 57.

1. From the Active Directory Users and Computers page, right-click the Defender OU.

2. From the dropdown list, select Delegate Control. The Delegation of Control Wizard is displayed.

3. Click Next. The Users or Groups dialog box is displayed.

4. Click Add.

5. Type the name of the group, Defender Admins.

6. Click OK.

7. Click Next. The Tasks to Delegate dialog box is displayed.

8. Click the Create a custom task to delegate option button.

9. Click Next. The Active Directory Object Type dialog box is displayed.

10. Select the Only the following objects in the folder option button.


11. Check the Defender License objects check box.

Figure 8: Active Directory Object Type dialog box

12. Click Next. The Permissions dialog box is displayed.

13. Select the Property Specific option button.

14. Check the Read defender-tokenData checkbox.


15. Check the Write defender-tokenData checkbox.

Figure 9: Permissions dialog box

16. Click Next. The Completion dialog box is displayed.

17. Click Finish.
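The two delegations above (Read and Write on defender-tokenUsersDNs and defender-userTokenData for User objects under the users OU, and Read and Write on defender-tokenData for Defender License objects under the Defender OU) can also be written as inherited access control entries from PowerShell, which makes the delegation repeatable across domains and easy to compare against a later audit. The script below is an added example; it is not Quest's code and not part of this guide. It assumes the ActiveDirectory module (RSAT) on a domain-joined host. The OU distinguished names and the group name are placeholders, and the lDAPDisplayName of the Defender License class is a placeholder too, because the guide shows only the class's display name in the wizard.

```powershell
# Added example, not part of the Quest guide or product. Applies the property-specific
# permissions that the Delegation of Control Wizard sets in the two procedures above as
# inherited ACEs on the OU. Requires the ActiveDirectory PowerShell module (RSAT).
# The DNs, the group name and the license class name are placeholders.
Import-Module ActiveDirectory

$schemaNc = (Get-ADRootDSE).schemaNamingContext

function Get-SchemaGuid {
    # Resolves an attribute or class lDAPDisplayName to its schemaIDGUID, which is the
    # ObjectType / InheritedObjectType value an Active Directory ACE carries.
    param([string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "'$LdapDisplayName' is not in the schema; is the Defender schema extension installed?" }
    [guid]$obj.schemaIDGUID
}

function Grant-DefenderPropertyAccess {
    # Adds Allow ReadProperty and WriteProperty on each attribute, applied only to descendant
    # objects of the given class (the wizard's "Only the following objects in the folder").
    param(
        [string]$OuDn,
        [string]$GroupName,
        [string[]]$Attributes,
        [string]$ObjectClass
    )
    $sid       = (Get-ADGroup -Identity $GroupName).SID
    $classGuid = Get-SchemaGuid $ObjectClass
    $acl       = Get-Acl -Path "AD:\$OuDn"
    foreach ($attribute in $Attributes) {
        $attrGuid = Get-SchemaGuid $attribute
        foreach ($right in 'ReadProperty', 'WriteProperty') {
            $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
                $sid,
                [System.DirectoryServices.ActiveDirectoryRights]$right,
                [System.Security.AccessControl.AccessControlType]::Allow,
                $attrGuid,
                [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
                $classGuid)
            $acl.AddAccessRule($ace)
        }
    }
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

# Placeholders: the OU holding the Defender users and the OU holding the Defender license objects.
$usersOu    = 'OU=Users,DC=quest,DC=com'
$defenderOu = 'OU=Defender,DC=quest,DC=com'
# Placeholder: the guide does not give the lDAPDisplayName of the Defender License class;
# look it up in the schema before running (for example by listing classes whose name starts with defender).
$licenseClass = 'REPLACE-WITH-DEFENDER-LICENSE-CLASS-LDAPDISPLAYNAME'

Grant-DefenderPropertyAccess -OuDn $usersOu -GroupName 'Defender Admins' `
    -Attributes 'defender-tokenUsersDNs', 'defender-userTokenData' -ObjectClass 'user'
Grant-DefenderPropertyAccess -OuDn $defenderOu -GroupName 'Defender Admins' `
    -Attributes 'defender-tokenData' -ObjectClass $licenseClass
```

Scoping each entry to a single attribute and a single object class is what keeps this delegation narrow: the Defender Admins group gets no rights on other user attributes and nothing on objects of other classes beneath the OU, which is the same effect the wizard's Property-specific and Only the following objects in the folder choices have.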


Setting Permissions on the Defender User License

To set permissions on the Defender user license, perform the following steps:

1. From the Active Directory Users and Computers page, select the Defender OU.

2. In the right-hand pane, right-click the required Defender user license.

3. Select Properties.

4. Select the Security tab.

5. Click Advanced. The Advanced Security Settings for licensename dialog is displayed.

6. Click Add.

7. Type the name of the Defender Administrators group.

8. Click OK.


9. Select the Properties tab.

Figure 10: Permission Entry for licensename - Properties

10. In the Allow column, check the following boxes:

• Read defender-tokenData
• Write defender-tokenData.

11. Click OK until you return to the AD Users and Computers page.


Setting Permissions on the Defender Token License

To set permissions on the Defender token license, perform the following steps:

1. From the Active Directory Users and Computers page, select the Defender OU.

2. In the right-hand pane, right-click the required Defender token license.

3. Select Properties.

4. Select the Security tab.

5. Click Advanced. The Advanced Security Settings for licensename dialog is displayed.

6. Click Add.

7. Type the name of the Defender Administrators group.

8. Click OK.


9. Select the Properties tab.

Figure 11: Permission Entry for licensename - Properties

10. In the Allow column, check the following boxes:

• Read defender-tokenData
• Write defender-tokenData.

11. Click OK until you return to the AD Users and Computers page.


Setting Control Access Rights

You can now set control access rights on the OU containing the Defender users and the OU containing the Defender tokens. The access control rights determine which token administration option buttons will be available to the Defender Administrator. The token administration option buttons are located on the tokenname Properties page and the username Properties - Defender page.

Setting Control Access Rights on the Defender Users OU

To set control access rights on the OU containing the Defender users, perform the following steps:

1. From the Active Directory Users and Computers page, right-click the OU containing the Defender users.

2. From the dropdown list, select Properties.

3. Select the Security tab, then click Advanced.

4. Click Add.

5. Select the Defender Admins group, then click OK. The Permission Entry for Users dialog box is displayed.

6. In the Apply Onto field, select User Objects.


7. In the Permissions list, check the boxes adjacent to the Defender Token properties that you want the Defender Admins group to administer.

Figure 12: Permission Entry for Users dialog box

8. Click OK. A warning message is displayed.

9. Click Yes.

10. On the Permissions tab, click OK. A warning message is displayed.

11. Click Yes.


Setting Control Access Rights on the Defender Token OU

To set control access rights on the OU containing the Defender tokens, perform the following steps:

1. Right-click the OU containing the Defender tokens.

2. From the dropdown list, select Properties.

3. Select the Security tab.

4. Click Advanced.

5. Click Add.

6. Select the Defender Admins group, then click OK. The Permission Entry for Tokens dialog box is displayed.

7. In the Apply Onto field, select Token Objects.


8. In the Permissions list, check the boxes adjacent to the Defender Token properties that you want the Defender Admins group to administer.

Figure 13: Permission Entry for Tokens dialog box

9. Click OK. A warning message is displayed.

10. Click Yes.

11. On the Permissions tab, click OK. A warning message is displayed.

12. Click Yes.


After Setting Control Access Rights

When you have set the required control access rights, the token administration options that you delegated to the Defender Administrator are available in the username Properties - Defender dialog box:

Figure 14: username Properties - Defender dialog box
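Checking the dialog shows what the delegated administrator can do; checking the OU's access control list shows what was actually granted, including entries added by mistake. The following PowerShell is an added example, not Quest's code or part of this guide, that reads back every access control entry for the Defender Admins group on the users OU and the tokens OU and resolves each entry's GUIDs to a name. It assumes the ActiveDirectory module (RSAT); the OU distinguished names and group name are placeholders. In the raw ACL the Defender Token properties checked in the Permission Entry dialog appear as ExtendedRight entries whose GUID is a control access right under CN=Extended-Rights, while the attribute permissions from the earlier sections appear as ReadProperty and WriteProperty entries whose GUID is a schema attribute.

```powershell
# Added example, not part of the Quest guide or product. Reads back the access control
# entries granted to the Defender Admins group on an OU and resolves each ACE's GUIDs to
# names, so the delegation made through the dialogs above (attribute permissions and
# control access rights) can be reviewed. Requires the ActiveDirectory module.
# The OU distinguished names and the group name are placeholders.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNc = $rootDse.schemaNamingContext
$rightsNc = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"

function Resolve-AceGuid {
    # An ACE's GUID is either an attribute/class (schemaIDGUID in the schema partition) or a
    # control access right (rightsGuid under CN=Extended-Rights); Guid.Empty means "all".
    param([guid]$Guid)
    if ($Guid -eq [guid]::Empty) { return '(all)' }
    $hex    = -join ($Guid.ToByteArray() | ForEach-Object { '\{0:x2}' -f $_ })
    $schema = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(schemaIDGUID=$hex)" -Properties lDAPDisplayName
    if ($schema) { return $schema.lDAPDisplayName }
    $right  = Get-ADObject -SearchBase $rightsNc -LDAPFilter "(rightsGuid=$($Guid.ToString()))" -Properties displayName
    if ($right) { return "$($right.displayName) [control access right]" }
    return $Guid.ToString()
}

function Get-DefenderDelegation {
    # Returns one row per ACE held by the group on the OU, with GUIDs resolved to names.
    param([string]$OuDn, [string]$GroupName)
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -like "*\$GroupName" } |
        ForEach-Object {
            [pscustomobject]@{
                Type        = $_.AccessControlType
                Rights      = $_.ActiveDirectoryRights
                Property    = Resolve-AceGuid $_.ObjectType          # attribute, class or control access right
                AppliesTo   = Resolve-AceGuid $_.InheritedObjectType # object class the entry applies to
                Inheritance = $_.InheritanceType
            }
        }
}

# Placeholders: the OU holding the Defender users and the OU holding the Defender tokens.
foreach ($ou in 'OU=Users,DC=quest,DC=com', 'OU=Tokens,DC=quest,DC=com') {
    "--- $ou ---"
    Get-DefenderDelegation -OuDn $ou -GroupName 'Defender Admins' | Format-Table -AutoSize
}
```

Running this after the procedures above and keeping the output with the change record gives a baseline; any later entry for the group with Rights of GenericAll, WriteDacl or WriteOwner, or a Property of (all), is broader than anything these procedures grant and is worth investigating.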


Removing Control Access Rights

To remove control access rights for a group:

1. Locate the permission entry in the Permission entries table in the Advanced Security Settings dialog box:

Figure 15: Advanced Security Settings for groupname dialog box

2. Click Remove.

3. Click OK.


Defender Desktop Login

For information on Defender Desktop Login, please refer to the Defender Desktop Login Installation and Configuration Guide.

Pluggable Authentication Module (PAM)

For information about installing and configuring the Defender Pluggable Authentication Module (PAM), refer to the guide entitled Defender - Pluggable Authentication Module (PAM).
