Defender 5.7. Token Administration Guide

Author: Emory Jacobs

© 2012 Quest Software, Inc. ALL RIGHTS RESERVED.

This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc. If you have any questions regarding your potential use of this material, contact: Quest Software World Headquarters LEGAL Dept 5 Polaris Way Aliso Viejo, CA 92656 USA www.quest.com email: [email protected] Refer to our Web site for regional and international office information.

TRADEMARKS Quest, Quest Software, the Quest Software logo, and Defender are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. For a complete list of Quest Software's trademarks, please see http://www.quest.com/legal/trademark-information.aspx. Other trademarks and registered trademarks are property of their respective owners.

Disclaimer The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.

Quest Defender Token Administration Guide Updated: April 2012 Software Version - 5.7

Contents

About this Guide ..... 5
  Quest One Identity Solution ..... 6
  Defender Tokens ..... 7
  Defender Token Types ..... 8
  Audience and Scope ..... 8
  Conventions ..... 9
  About Quest Software ..... 10
  Contacting Quest Software ..... 10
  Contacting Customer Support ..... 10

Chapter 1  Token Programming ..... 11
  Introduction ..... 12
  Programming Defender Tokens ..... 12
  Defender Token Programming Wizard ..... 13
  Programming a Defender Handheld Token ..... 16
  Manually Programming a Defender Handheld Token ..... 22
  Programming a Defender Handheld Token Plus ..... 27
  Programming a Defender One Token ..... 35
  Programming a Defender Desktop Token ..... 41
  Configuring Defender for Quest Soft Token for SMS ..... 50
  Programming a Quest Soft Token for SMS ..... 53
  Configuring Defender for Quest Soft Token for E-mail OTP ..... 57
  Programming the Quest Soft Token for E-mail OTP ..... 60
  Distributing Defender Tokens ..... 64
  Defender Desktop Token Activation ..... 64

Chapter 2  Defender Token Logs ..... 65
  Introduction ..... 66
  Token Event Logging ..... 66
  Enabling Defender Event Logging ..... 67

About this Guide

• Quest One Identity Solution
• RADIUS Authentication
• Communications Protocol
• Audience and Scope
• Conventions
• About Quest Software
• Contacting Quest Software

Defender Token Administration

Quest One Identity Solution

Defender is a component of the Quest One Identity Solution, a set of enabling technologies, products, and integration that empowers organizations to simplify identity and access management by:

• Reducing the number of identities
• Automating identity administration
• Ensuring the security of identities
• Leveraging existing investments, including Microsoft Active Directory

Quest One improves efficiency, enhances security and helps organizations achieve and maintain compliance by addressing identity and access management challenges as they relate to:

• Single sign-on
• Directory consolidation
• Provisioning
• Password management
• Strong authentication
• Privileged account management
• Audit and compliance.

Defender Tokens

The Defender solution includes a variety of token options. All provide strong two-factor authentication:

• Authenex OATH Compliant Token
• Defender Go-3 Token
• Defender Go-6 Token
• Defender Go-7 Token
• Defender DualTok Token
• Digipass Pro 260 Token
• Digipass Pro 300 Token
• Defender One Token
• Defender Hand-Held Token
• Defender Hand-Held Token Plus
• Quest Soft Token for SMS
• Defender USB Token
• Defender Slim Token
• Quest Soft Token for GrIDsure
• Quest Soft Token for E-mail
• Quest® Soft Tokens:
  • for Android
  • for BlackBerry
  • for Java
  • for Palm
  • for Windows
  • for Windows Mobile/iPAQ
  • Windows Phone
• Oath Compliant Tokens
• Defender® VeriSign VIP Credential.


Defender Token Types

A Defender token implemented in software or hardware helps remote users gain access to computer resources on a Defender-protected network. The process of gaining access to a secure network through the use of passwords, challenge/response methods, and synchronous methods is called authentication.

If you are using Defender Desktop Tokens for the Palm device, you must install the Palm HotSync software.

Audience and Scope

This book is intended for administrators who want to configure, assign and distribute Defender tokens. This book does not provide tutorial information on the use of the Windows operating system or on network communication concepts. Users must have experience in using the specified operating system and an understanding of networking concepts.


Conventions

In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes, and cross-references.

Element: Convention

Select: This word refers to actions such as choosing or highlighting various interface elements, such as files and radio buttons.

Bolded text: Used to highlight installation questions and responses.

courier text: File, daemon, utility, option, attribute names.

Italic text: Used for comments.

Bold Italic text: Used for emphasis.

Blue text: Indicates a cross-reference. When viewed in Adobe Acrobat, this format can be used as a hyperlink.

(icon): Used to highlight additional information pertinent to the process being described.

(icon): Used to provide Best Practice information. A best practice details the recommended course of action for the best result.

(icon): Used to highlight processes that should be performed with care.

+: A plus sign between two keystrokes means that you must press them at the same time.

|: A pipe symbol (vertical bar) between elements means that you must select the elements in that particular sequence.

\: The back slash, immediately followed by a new line, indicates a Unix command line continuation.

.: References to the product version you are installing are displayed with . in angle brackets.


About Quest Software

Quest Software, Inc., a two-time winner of Microsoft's Global Independent Software Vendor Partner of the Year award, delivers innovative products that help organizations get more performance and productivity from their applications, databases, Windows infrastructure and virtual environments. Through a deep expertise in IT operations and a continued focus on what works best, Quest helps more than 100,000 customers worldwide meet higher expectations for enterprise IT. Quest's Windows management solutions simplify, automate, secure and extend Active Directory, Exchange Server, SharePoint, SQL Server, .NET and Windows Server as well as integrating Unix, Linux and Java into the managed environment. Quest Software can be found in offices around the globe and at www.quest.com.

Contacting Quest Software

Phone: 949.754.8000 (United States and Canada)

Email: [email protected]

Mail: Quest Software World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656

Web site: www.quest.com

Please refer to our Web site for regional and international office information.

Contacting Customer Support

Quest Software's world-class support team is dedicated to ensuring successful product installation and use for all Quest Software solutions.

SupportLink: www.quest.com/support

Email at: [email protected]

You can use SupportLink to do the following:

• Create, update, or view support requests
• Search the knowledge base
• Access FAQs
• Download patches

Token Programming

• Introduction
• Defender Token Programming Wizard
• Programming a Defender Handheld Token
• Manually Programming a Defender Handheld Token
• Programming a Defender Handheld Token Plus
• Programming a Defender One Token
• Programming a Defender Desktop Token
• Configuring Defender for Quest Soft Token for SMS
• Programming a Quest Soft Token for SMS
• Configuring Defender for Quest Soft Token for E-mail OTP
• Programming the Quest Soft Token for E-mail OTP
• Distributing Defender Tokens
• Defender Desktop Token Activation

Defender Token Administration Guide

Introduction

This section describes how to program the hardware and software tokens supported by Defender.

Programming Defender Tokens

The Defender Token Programming Wizard enables you to program the:

• Defender Handheld Token
• Defender Handheld Token (manual)
• Defender Handheld Token Plus
• Defender One Token
• Defender Desktop Token (Android, BlackBerry, E-mail OTP, GrIdsure, iToken, Java, Palm, Windows, Windows Mobile/iPaq)
• Defender SMS Token
• Email OTP
• VeriSign VIP Credentials.

Token Programming

Defender Token Programming Wizard

1. To start the Defender Token Programming Wizard, from Active Directory Users and Computers, click Defender on the menu bar.

   Note: The Defender menu option will be displayed after you have selected the Defender OU.

2. Select Program Tokens from the menu.

Figure 1: Program Tokens option

   Alternatively, select Program on the username Properties, Defender tab.

3. The Defender Token Programming Wizard (Welcome) dialog box is displayed:

Figure 2: Defender Token Programming Wizard (Welcome) dialog box


4. Click Next. The Defender Token Programming Wizard (Token Types) dialog box is displayed:

Figure 3: Token Programming Wizard (Token Types) dialog box


5. Select the option button for the token type that you want to program, then click Next. For information on the programming procedure for the:

• ActivIdentity Series. If you require information on using the ActivIdentity Series Token with Defender, please contact Customer Support.
• Defender Handheld Token (manual), refer to Manually Programming a Defender Handheld Token on page 22
• Defender Handheld Token Plus, refer to Programming a Defender Handheld Token Plus on page 27
• Defender One Token, refer to Programming a Defender One Token on page 35
• Defender Desktop Token, refer to Programming a Defender Desktop Token on page 41
• Defender SMS, refer to Configuring Defender for Quest Soft Token for SMS on page 50
• Email OTP Token, refer to Configuring Defender for Quest Soft Token for E-mail OTP on page 57.
• Quest Soft Tokens, refer to the Administration Guide for the required token type:
  • Quest® Soft Token for Android Administration Guide
  • Quest® Soft Token for BlackBerry Administration Guide
  • Quest® Token for Java Administration Guide
  • Quest® Soft Token for Palm Administration Guide
  • Quest® Soft Token for Windows Administration Guide
  • Quest® Soft Token for Windows Mobile/iPAQ Administration Guide
  • Quest® Soft Token Windows Phone Administration Guide
• GrIDsure Token, refer to the guide entitled Defender - How To Configure for Use with GrIDsure Tokens
• VeriSign VIP Credential, refer to the guide entitled Defender - VeriSign VIP Credential Support Administration Guide.


Programming a Defender Handheld Token

To program the Defender Handheld token:

1. The Defender Token Programming Wizard (Serial Number) dialog box is displayed:

Figure 4: Token Programming Wizard (Serial Number) dialog box

2. In the Serial Number field, type the serial number of the Defender Handheld token you want to program. The serial number is found on the back of the token. If you have reached this dialog box via the Defender, Tokens, HandHeld, tokenserialnumber, Program options, the serial number of your token is automatically displayed in the Serial Number field.


3. Click Next. The Defender Token Programming Wizard (Communications Port) dialog box is displayed:

Figure 5: Token Programming Wizard (Communications Port) dialog box

4. In the Programming port field, click the arrow to select the port on which the token programming device is connected.

5. Click Next. The Defender Token Programming Wizard (Enhanced Security) dialog box is displayed:

Figure 6: Token Programming Wizard (Token Options) dialog box


6. To increase token security, click the arrow in the Erase enabled field and select True. Each time the PIN is incorrectly entered, Error appears in the token's display. Five consecutive incorrect PIN entries will cause all information stored in the token to be erased. The token must then be re-programmed before it can be used. The default setting is False.

7. In the Response Mode field, click the arrow to select the format that token responses must be typed in, either decimal or hexadecimal. The default setting is decimal.

8. Click Next. The Defender Token Programming Wizard (Confirmation) dialog box is displayed:

Figure 7: Token Programming Wizard (Confirmation) dialog box


9. Click Next. The Defender Token Programming Wizard (Programming Progress) dialog box is displayed:

Figure 8: Defender Token Programming Wizard (Programming Progress) dialog box

   To ensure that the Defender Handheld token is in E0 mode, follow the on-screen instructions. An example dialog is shown below:

   Make sure the token is in E0 mode
   To do this press the following keys on the token
   ON 0 0 0 0 ENT 0 0 0 0 0 0 0 0 ENT ENT 0 0 0 0 ENT 0 0 0 0 0 0 0 0 ENT
   The token should now be in E0 mode.
   Press the 'Continue' button on this dialog to program the token.
   The token should now be displaying the following checksum AEFE8D
   If programming failed then press the following keys on the token
   0 ENT 314 065 113 206 020 264 061 354 ENT
   Press ENT on the token then enter a four digit PIN.
   Press ENT again and confirm your PIN.
   The token is now programmed. Press the 'Continue' button.
   The token details have been written successfully to Active Directory.
   Press the 'Continue' button on this dialog to finish.


10. Click Continue. The Defender Token Programming Wizard (Programming Complete) dialog box is displayed:

Figure 9: Token Programming Wizard (Programming Complete) dialog box

11. Click Finish to return to the Users and Computers tree.


Manually Programming a Defender Handheld Token

To manually program the Defender Handheld token:

1. The Defender Token Programming Wizard (Serial Number) dialog box is displayed:

Figure 10: Token Programming Wizard (Serial Number) dialog box

2. In the Serial Number field, type the serial number of the Defender Handheld token you want to program. The serial number is found on the back of the token. If you are programming a token that is already defined in the Active Directory, the serial number of the selected token is automatically displayed in the Serial Number field.


3. Click Next. The Defender Token Programming Wizard (Token Options) dialog box is displayed:

Figure 11: Token Programming Wizard (Token Options) dialog box

4. If you want to increase the token security, click the arrow in the Erase enabled field and select True. Each time the PIN is incorrectly entered, Error appears in the token's display. Five consecutive incorrect PIN entries will cause all information stored in the token to be erased. The token must then be re-programmed before it can be used.

5. In the Response Mode field, click the arrow to select the format that token responses must be typed in, either decimal or hexadecimal. The default setting is decimal.


6. Click Next. The Defender Token Programming Wizard (Confirmation) dialog box is displayed:

Figure 12: Token Programming Wizard (Confirmation) dialog box

7. Click Next. The Defender Token Programming Wizard (Programming Progress) dialog box is displayed:

Figure 13: Token Programming Wizard (Programming Progress) dialog box


8. Click Continue. The next dialog displays the DES key that you must enter into the Defender Handheld token:

Figure 14: Token Programming Wizard (Programming Progress) dialog box

9. Click Continue.

10. Click Continue. The Defender Token Programming Wizard (Checksum) dialog box is displayed:

Figure 15: Token Programming Wizard (Checksum) dialog box

11. In the Checksum field, type the checksum displayed on the Defender Handheld token.


12. Click Continue.

13. On the Defender Handheld token's keypad, type your PIN. Press ENT.

14. Type your PIN again to confirm that it is correct. Press ENT.

15. Click Continue. The Defender Token Programming Wizard (Programming Complete) dialog box is displayed:

Figure 16: Token Programming Wizard (Programming Complete) dialog box

16. Click Finish to return to the Users and Computers tree.


Programming a Defender Handheld Token Plus

To program the Defender Handheld Token Plus:

1. The Defender Token Programming Wizard (Communications Port) dialog box is displayed:

Figure 17: Token Programming Wizard (Communications Port) dialog box

2. In the Programming Port field, click the arrow to select the port number to which the token programming device is connected during the token programming procedure.


3. Click Next. The Defender Token Programming Wizard (PIN) dialog box is displayed:

Figure 18: Token Programming Wizard (PIN) dialog box

4. In the Initial PIN field, type the PIN that will be entered the first time this token is used.

5. In the Minimum Length field, click the arrow and select the minimum number of digits that the PIN can contain. The PIN must contain between 4 and 8 digits.

6. In the Maximum Length field, click the arrow and select the maximum number of digits that the PIN can contain. The PIN must contain between 4 and 8 digits.

7. In the Weak PIN field, accept the default setting of False if you do not want to allow a weak PIN to be specified. If you want to allow a weak PIN to be specified, click the arrow and select True. Your Defender HandHeld Token Plus is configured to check for weak (easy to guess) PIN codes and reject such PIN codes. A PIN code is considered weak if the distance between subsequent digits is a constant value. For example, 0000, 1234 and 9753 are weak PIN codes. If you entered a weak PIN code, the Defender HandHeld Token Plus displays the ERROR message and then re-displays the NEW PIN message so you can try a different new PIN code.

8. In the Bad PIN attempts field, select the maximum number of times a user can enter an invalid PIN before the token is disabled on the Defender Security Server. Valid entries are 1 through 10, or No limit. If you select No limit, the user can enter a PIN as many times as needed. However, choosing not to have a limit increases the vulnerability of the token to attack.

9. Click Next. The Defender Token Programming Wizard (Display Options) dialog box is displayed:

Figure 19: Token Programming Wizard (Display Options) dialog box
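The PIN rules set in steps 5 to 8 of this dialog (a 4 to 8 digit PIN, the weak-PIN test in which every step between neighbouring digits is the same value, and the Bad PIN attempts limit with its No limit option) can be expressed and tested outside the token. The following Python is an added example written against this guide's description; it is not Quest code and not the token's firmware. PinPolicy, is_weak_pin, validate_new_pin and TokenState are this example's own names, and the default of 5 bad attempts is an assumption, since the guide gives only the valid range.

```python
"""PIN policy checks modelled on the Handheld Token Plus PIN dialog.
Added example for this guide; not Quest code and not token firmware."""

import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class PinPolicy:
    min_length: int = 4                 # Minimum Length field (4..8 on the Handheld Token Plus)
    max_length: int = 8                 # Maximum Length field
    allow_weak: bool = False            # Weak PIN field; the guide's default is False
    bad_pin_limit: Optional[int] = 5    # Bad PIN attempts: 1..10, or None for "No limit"
                                        # (5 is this example's assumption; the guide gives no default)


def is_weak_pin(pin: str) -> bool:
    """The guide's rule: a PIN is weak when the distance between each pair of
    subsequent digits is one constant value, e.g. 0000 (step 0), 1234 (step +1)
    and 9753 (step -2).  Call this only after the length check has passed."""
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return len(steps) == 1


def validate_new_pin(pin: str, policy: PinPolicy) -> Optional[str]:
    """Return None when the new PIN is acceptable, otherwise the reason the
    token would show ERROR and prompt NEW PIN again."""
    if not pin.isdigit():
        return "ERROR: PIN must contain digits only"
    if not policy.min_length <= len(pin) <= policy.max_length:
        return f"ERROR: PIN must contain {policy.min_length} to {policy.max_length} digits"
    if not policy.allow_weak and is_weak_pin(pin):
        return "ERROR: weak PIN"
    return None


@dataclass
class TokenState:
    """Counts consecutive bad PIN entries against the Bad PIN attempts limit."""
    pin: str
    policy: PinPolicy
    bad_attempts: int = 0
    disabled: bool = False

    def enter_pin(self, attempt: str) -> str:
        if self.disabled:
            return "DISABLED"
        # constant-time comparison so timing does not reveal how many digits matched
        if hmac.compare_digest(attempt.encode(), self.pin.encode()):
            self.bad_attempts = 0          # a good PIN resets the consecutive counter
            return "OK"
        self.bad_attempts += 1
        limit = self.policy.bad_pin_limit
        if limit is not None and self.bad_attempts >= limit:
            self.disabled = True           # token is disabled on the Defender Security Server
            return "DISABLED"
        return "ERROR"                     # with No limit (None) this branch repeats forever


if __name__ == "__main__":
    policy = PinPolicy(bad_pin_limit=3)
    print(validate_new_pin("1234", policy))      # ERROR: weak PIN
    print(validate_new_pin("2580", policy))      # None (accepted)
    token = TokenState(pin="2580", policy=policy)
    print([token.enter_pin(p) for p in ("0000", "1111", "2222", "2580")])
    # ['ERROR', 'ERROR', 'DISABLED', 'DISABLED']
```

The weak-PIN test is deliberately the guide's literal rule (constant difference between neighbours) and nothing stronger; a site policy that also wants to reject, say, years of birth would need an additional check. The lockout counter shows why the No limit setting is discouraged in step 8: with bad_pin_limit set to None, enter_pin never disables the token, so an attacker who holds it can keep guessing.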

10. In the Slot Name field, type the name that will uniquely identify this token to this application. The slot name is only required if this token is used for more than one application.

11. In the Response Format field, click the arrow and select the display format for token responses. The options are Decimal or Hexadecimal.


12. Click Next. The Defender Token Programming Wizard (Token Mode) dialog box is displayed:

Figure 20: Token Programming (Token Mode) dialog box

13. In the Token field, click the arrow and select the authentication method for this token, either Synchronous or Challenge/Response.

14. In the Response Length field, click the arrow and select the length of the response for this token, either 24 Bit (8 characters synchronous) or 32 Bit (10 characters synchronous).

15. In the Time window field, click the arrow and select the time difference that is allowed between the time clock in the Defender Security Server and the time clock in the token. The time difference can range from 0 seconds to 24,855.13 days.


16. Click Next. The Defender Token Programming Wizard (Confirmation) dialog box is displayed:

Figure 21: Token Programming Wizard (Confirmation) dialog box

17. Click Continue. The Defender Token Programming Wizard (Programming Progress - 1) dialog box is displayed:

Figure 22: Token Programming Wizard (Programming Progress - 1) dialog box

18. Ensure that the token is inserted into the programmer and switched on. Click Continue to start programming the token. in the token's display indicates that communication through the ActivCoupler is occurring.


19. To ensure that the Defender Handheld Token Plus is in E0 mode, follow the on-screen instructions. An example dialog is shown below:

   Make sure the token is in E0 mode
   To do this press the following keys on the token
   ON 0 0 0 0 ENT 0 0 0 0 0 0 0 0 ENT ENT 0 0 0 0 ENT 0 0 0 0 0 0 0 0 ENT
   The token should now be in E0 mode.
   Press the 'Continue' button on this dialog to program the token.
   The token should now be displaying the following checksum AEFE8D
   If programming failed then press the following keys on the token
   0 ENT 314 065 113 206 020 264 061 354 ENT
   Press ENT on the token then enter a four digit PIN.
   Press ENT again and confirm your PIN.
   The token is now programmed. Press the 'Continue' button.
   The token details have been written successfully to Active Directory.
   Press the 'Continue' button on this dialog to finish.


20. Click Continue. The Defender Token Programming Wizard (Programming Progress - 2) dialog box is displayed:

Figure 23: Token Programming Wizard (Programming Progress - 2) dialog box

21. Click Continue. The Defender Token Programming Wizard (Programming Progress - 3) dialog box is displayed:

Figure 24: Token Programming Wizard (Programming Progress - 3) dialog box


22. Click Continue. The Defender Token Programming Wizard (Programming Complete) dialog box is displayed:

Figure 25: Token Programming Wizard (Programming Complete) dialog box

23. Click Finish to return to the Users and Computers tree.


Programming a Defender One Token

To program a Defender One token:

1. The Defender Token Programming Wizard (Communications Port) dialog box is displayed:

Figure 26: Token Programming Wizard (Communications Port) dialog box

2. In the Programming port field, click the arrow and select the port to which the ActivCoupler is connected.


3. Click Next. The Defender Token Programming Wizard (PIN) dialog box is displayed:

Figure 27: Token Programming Wizard (PIN) dialog box

4. In the Initial PIN field, type the PIN that the user will enter the first time this token is used.

5. In the Minimum PIN length field, click the arrow and select the minimum number of digits that can be included in a PIN. The PIN can include a minimum of 1 and a maximum of 8 characters. The default is 4 characters.

6. In the Maximum PIN length field, click the arrow and select the maximum number of digits that can be included in a PIN. The PIN can include a minimum of 1 and a maximum of 8 characters. The default is 8 characters.

7. In the Weak PIN field, select False if you do not want to allow a weak PIN to be specified, for example, a PIN that includes repeated characters which make it easy to guess. To allow a weak PIN to be specified, select True.

8. In the Bad PIN attempts field, click the arrow and select the number of unsuccessful attempts that the user can make when entering the PIN, before the Defender One token is locked.


9. Click Next. The Defender Token Programming Wizard (Token Mode) dialog box is displayed:

Figure 28: Token Programming Wizard (Token Mode) dialog box

10. In the Token field, click the arrow and select the authentication method for this token, either Synchronous or Challenge/Response.

11. In the Response Length field, click the arrow and select the length of the response for this token, either 24 Bit (8 characters synchronous) or 32 Bit (10 characters synchronous).

12. In the Time window field, click the arrow and select the time difference that is allowed between the time clock in the Defender Security Server and the time clock in the token. The time difference can range from 0 seconds to 24,855.13 days.


13. Click Next. The Defender Token Programming Wizard (Confirmation) dialog box is displayed:

Figure 29: Token Programming Wizard (Confirmation) dialog box

14. Click Next. The Defender Token Programming Wizard (Programming Progress - 1) dialog box is displayed:

Figure 30: Token Programming Wizard (Programming Progress - 1) dialog box

15. Ensure that the token is inserted into the programmer and switched off. Click Continue to start programming the token. in the token's display indicates that communication through the ActivCoupler is occurring.


16. Click Continue. The Defender Token Programming Wizard (Programming Progress - 2) dialog box is displayed:

Figure 31: Token Programming Wizard (Programming Progress - 2) dialog box

17. Click Continue. The Defender Token Programming Wizard (Programming Progress - 3) dialog box is displayed:

Figure 32: Token Programming Wizard (Programming Progress - 3) dialog box


18. Click Continue. The Defender Token Programming Wizard (Programming Complete) dialog box is displayed:

Figure 33: Token Programming Wizard (Programming Complete) dialog box

19. Click Finish to return to the Users and Computers tree.


Programming a Defender Desktop Token

To program the Defender Desktop Token:

1. The Defender Token Programming Wizard (Defender Desktop Token Types) dialog box is displayed:

Figure 34: Token Programming Wizard (Defender Desktop Token Types) dialog box

2. Select the option button adjacent to the required platform.

   Only the platforms for which you have a valid user license installed are available in this dialog. The token programming instructions provided in this section apply to the Windows Desktop Token. Individual administration and user guides are available for other token types:

   • Quest® Soft Token for Android Administration Guide and Quest® Soft Token for Android User Guide
   • Quest® Soft Token for BlackBerry Administration Guide and Quest® Soft Token for BlackBerry User Guide
   • How To Configure Defender for Use with GrIDsure Tokens
   • Quest® iToken Administration Guide and Quest® iToken User Guide
   • Quest® Soft Token for Java Administration Guide and Quest® Soft Token for Java User Guide
   • Quest® Soft Token for Palm Administration Guide and Quest® Soft Token for Palm User Guide
   • Quest® Soft Token for Windows Mobile Administration Guide & Quest® Soft Token for Windows Mobile User Guide
   • Quest® Soft Token for Windows Phone Administration Guide and Quest® Soft Token for Windows Phone User Guide.

   Further documentation for the Windows Desktop Token can be found in the Quest® Soft Token for Windows Desktop Administration Guide and Quest® Soft Token for Windows Desktop User Guide.

3. The Defender Token Programming Wizard (Token Options) dialog is displayed:

Figure 35: Token Programming Wizard (Token Options) dialog

4. The Configure field includes the following options:

   • For Old Desktop Token Software (5.2.0.10 or older): Select this option if your Desktop Token Software is version 5.2.0.10 or older. Go to Step 11.
   • For Desktop Token Software version 5.2.0.11: Select this option if your Desktop Token Software is version 5.2.0.11.
   • All Settings manually (default setting): Select this option if your Desktop Token Software is the current version or later than 5.2.0.11.

5. If you want to specify the number of days within which the user must activate the token, check the Enable time limited token activation box, then specify the number of days within which the user must activate the token. If the user does not activate the token within this time period, the token is invalidated and a new token must be generated. If you selected For Desktop Token Software version 5.2.0.11 in Step 4, go to Step 10.

6.

To ensure the user is aware that he has entered an incorrect passphrase, check the Alert user when incorrect passphrase entered box. For this option to be effective, you must also check the User is required to have passphrase box, described in Step 9.

7.

To lock the user’s token after a specified number of incorrect passcode entries, check the Enable passphrase locking box.

8.

In the Lock passphrase after n incorrect attempts box, specify the number of incorrect passphrase entries the user can make before the token is locked.

9.

To specify that the user must have a passphrase, check the User is required to have passphrase box.

10. To ensure that the user chooses a passphrase that is difficult for others to guess, check the User must use ‘strong’ passphrase box. 11. Click Next. 12. The Defender Token Programming Wizard (Select Token Mode) dialog box is displayed:

Figure 36: Token Programming Wizard (Select Token Mode) dialog box

13. In the Token Mode box, select an option button to select the required token mode, either Synchronous (response only) or Challenge/Response.

14. In the Encryption Strength box, select an option button to select the encryption strength for the Defender Desktop Token, either Defender SNK Encryption, AES Encryption, Triple DES Encryption or OATH Compliant HMAC/SHA1.

15. In the Response Length box, select an option button to select the length of the response that will be issued by the Defender Desktop Token.

16. Click Next. The Defender Token Programming Wizard (Select Users) dialog box is displayed:

Figure 37: Token Programming Wizard (Select Users) dialog box

This dialog is not displayed if you use the Program button on the username Properties, Defender page. To add a user to the Selected Users box, click Add Users. The Select Users dialog box is displayed:

Figure 38: Token Programming Wizard (Select Users) dialog box


To specify the directory location that will be searched, click Locations. The Locations dialog box is displayed. Select the required directory location, then click OK. The Select Users dialog box is displayed. To search for a specific object name, in the Enter the object names to select field, type the required object name, either in full or in part. Click Check Names. All object names that match the search criteria are displayed. If more than one object name matched your search criteria, a list is displayed. To select an object name, double-click the required object name. The object name is displayed in the Enter the object names to select field. For more extensive search options, click Advanced.

17. Click Next. The Defender Token Programming Wizard (Checking User License) dialog box is displayed:

Figure 39: Token Programming Wizard (Checking User License) dialog box

18. In the Licensing Information box, the Allocated field, Maximum Allocation field and Licenses required field are display only fields:

• Allocated - number of licenses currently allocated to users

• Maximum Allocation - maximum number of user licenses available, including licenses already allocated to users

• Licenses required - number of additional user licenses you will need in order to allocate a license to each selected user.

19. Click Next. The Defender Token Programming Wizard (Save Activation Codes) dialog box is displayed:

Figure 40: Token Programming Wizard (Save Activation Codes) dialog box

When the Defender Desktop Token is used for the first time, the user is required to enter an activation code. In the Save Activation Codes dialog, you can specify how the activation code will be saved and then delivered to the user.

20. To save the Defender Desktop Token activation code to a file, check the Save to File box, then select either:

• Single File - all activation codes are saved to a single file

• File per user - separate files are created for each user.

21. You can either accept the default location in which to save the file, or click Browse to choose a different location.

22. To append the activation code to the end of any existing information in the selected file, check the Append activation codes to existing file checkbox. If the Append activation codes to existing file checkbox is not checked, the contents of the selected file will be overwritten.

23. To deliver the activation code to the user by email, check the Send E-Mail box, then enter the user’s email address in the Send To field.

The Send E-mail option is only available if the Defender Management Console version 5.5 and .Net 2.0 or later are installed and the related policy has been configured.

Figure 41: Token Programming Wizard (Save Activation Codes) dialog box

24. Click Next. The Defender Token Programming Wizard (Complete) dialog box is displayed.

25. If you want to program tokens for multiple users and deliver the activation codes to each user by email, check the Send E-Mail box, then click Next. The E-mail Addresses dialog is displayed:

Figure 42: Token Programming Wizard (E-mail Addresses) dialog box


26. Enter the email addresses and usernames, then click Next. The Defender Token Programming Wizard (Complete) dialog box is displayed:

Figure 43: Token Programming Wizard (Complete) dialog box

Defender Desktop Token Activation

Defender Desktop Tokens must be activated by the user before they can be used for authentication. To enable the user to activate the token, you must make available:

• the Token software (available from the Quest download site or from individual token product sites such as the Apps Store or Marketplace)

• the location of the file containing the activation key for the user’s Defender Desktop Token

Defender 5.6 and later includes a web-based portal that allows users to request and receive software tokens. Further details can be found in the following documents:

• Defender Management Portal Installation and Configuration Guide

• Defender Token Deployment System Quick Start

• Defender Token Deployment System User Guide

Configuring Defender for Quest Soft Token for SMS

Defender SMS enables you to use your cell phone to receive a token response from Defender. The Mobile Provider dialog box enables you to specify mobile provider information and the settings for your SMS tokens. To configure a token policy:

1. In Active Directory Users & Computers (ADUC) select the token policy that will be enabled for SMS token support.

FIELD NAME

DESCRIPTION

Enable SMS OTP Tokens

Select this option to enable SMS Tokens. If unchecked, SMS Tokens are not usable.

Responses per SMS

Enter the number of OTP responses that will be included in the SMS message. Valid options are 1 to 10. A new SMS containing this number of OTP responses is sent either when the user enters the keyword during authentication or, if the user has already received an SMS containing OTPs, when the user uses the penultimate or last OTP response.

Keyword

If a keyword is provided in this field, entering it during the authentication process triggers the sending of the SMS message. If a PIN has been assigned to the SMS token on the user’s properties page, the PIN can also be used as the trigger to send the SMS. Also, on first use, a blank token response or an invalid token response during the authentication process will trigger the DSS to send the SMS containing OTP responses.

User AD Password

If this option is enabled, the user can enter their AD Password during the authentication process as the trigger for the DSS to send the SMS message. If this option is enabled and the user enters an incorrect AD Password or an invalid token response, the DSS will still check the entry against the user’s AD Password. If an AD ‘Account lockout policy’ is enforced, a number of invalid attempts could lock out the user’s AD account. This option should be used with caution.

SMS Provider URL

Type the URL of the Service Provider. The exact URL will vary depending on the service provider, who should be contacted for the correct details.

Phone Attribute

This option allows you to choose which attribute is used for the phone number. The default option is to use the Mobile attribute.

[USERID]

This is the User Account name required to access your Service Provider’s web site.

[PASSWORD]

This is the password for the user account specified above.

POST Data

Enter the information that will be sent to your Service Provider at the URL specified above. Default XML POST data is provided, but this may need to be modified to work with your specific mobile provider. Your service provider should be able to provide the syntax for this data.

Test

A Test option is provided so that you can confirm your settings.

2. Select Apply to save your settings.

Programming a Quest Soft Token for SMS

To program the Quest Soft Token for SMS:

1. On the username Properties, Defender tab, select Program.

2. The Defender Token Programming Wizard (Welcome) dialog box is displayed:

Figure 44: Defender Token Programming Wizard (Welcome) dialog box

3. Click Next. The Defender Token Programming Wizard (Token Types) dialog box is displayed:

Figure 45: Defender Token Programming Wizard (Token Types) dialog box

4. Select Defender SMS, then click Next.

5. The Defender Token Programming Wizard (Select Token Mode) dialog box is displayed:

Figure 46: Defender Token Programming Wizard (Select Token Mode)

6. The Defender SMS token is a synchronous OATH Compliant token, so only these options will be available.

7. In the Response Length box, select an option button to select the length of the token response that will be issued.

8. Click Next. The Defender Token Programming Wizard (Checking User License) dialog box is displayed:

Figure 47: Defender Token Programming Wizard (Checking User License)

9. In the Licensing Information box, the Allocated field, Maximum Allocation field and Licenses required field are display only fields:

• Allocated - number of licenses currently allocated to users

• Maximum Allocation - maximum number of user licenses available, including licenses already allocated to users

• Licenses required - number of additional user licenses you will need in order to allocate a license to each selected user.

10. Click Next. The Defender Token Programming Wizard (Complete) dialog box is displayed:

Figure 48: Defender Token Programming Wizard (Programming Complete)

11. The token has now been assigned to the user, allowing the user to authenticate using the Quest Soft Token for SMS.

Figure 49: Defender username Properties

Configuring Defender for Quest Soft Token for E-mail OTP

E-mail OTP enables you to receive your one-time password(s) in an email. The E-mail OTP dialog box enables you to configure the required settings.

Figure 50: Defender Token Programming Wizard (E-mail OTP)

FIELD NAME

DESCRIPTION

Enable E-mail OTP Tokens

Select this option to enable E-mail OTP Tokens with this policy.

Responses per Mail

Enter the number of OTP responses that will be included in each e-mail. The responses must be used sequentially. The penultimate or last response will trigger the sending of a new E-mail OTP.

Keyword

If a keyword is provided in this field, entering it during the authentication process triggers the sending of the E-mail OTP message. If a PIN has been assigned to the E-mail OTP token on the user’s properties page, the PIN can also be used as the trigger to send the E-mail. Also, on first use, a blank token response or an invalid token response during the authentication process will trigger the DSS to send the E-mail containing OTP responses.

User AD Password

If this option is enabled, the user can enter their AD Password during the authentication process as the trigger for the DSS to send the SMS message. If this option is enabled and the user enters an incorrect AD Password or an invalid token response, the DSS will still check the entry against the user’s AD Password. If an AD ‘Account lockout policy’ is enforced, a number of invalid attempts could lock out the user’s AD account. This option should be used with caution.

E-mail attribute

This option allows you to choose which attribute is used for the E-mail address. The default option is to use the Mail attribute.

Subject

The text that will appear in the subject line of the e-mail sent to the user.

From address

The e-mail address from which the e-mail containing the OTP(s) will be sent.

Copy (cc) address

The e-mail address to which a copy of the e-mail containing the OTP(s) will be sent.

Mail Content

1. Enter the descriptive text that will appear in the body of e-mails sent to the E-mail OTP token users. Token responses will be inserted at the foot of the text. To specify where the responses should be positioned in the e-mail, enter [RESPONSES] in the required position.

2. Click OK.

Mail Server

1. In the Name field, enter the name or IP Address of the SMTP Server.

2. In the Port field, enter the port number used by the SMTP Server. The default port is 25.

3. If the SMTP Server requires authentication, select Basic or NTLM from the dropdown list in the Authentication field. When prompted, enter the username and password credentials.

4. Click OK.

Test

Enables the administrator to send a test e-mail to a specified address to check that the e-mail send function is working correctly.

If you have made any changes in the E-mail OTP dialog box, click OK to save your settings.
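The batched delivery that the Responses per SMS and Keyword rows describe for SMS tokens, and the Responses per Mail and Mail Content rows describe here, worked through as an added example in Python (not Quest's own code). It assumes, as the synchronous OATH Compliant mode implies, that each response is an RFC 4226 HOTP value and that one message carries consecutive counter values; the verifier, the [RESPONSES] rendering and the test secret are this example's own.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits (Response Length)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def otp_batch(secret, first_counter, per_message, digits=6):
    """The responses carried by one SMS or e-mail: consecutive counter values
    (an assumption of this example); Responses per SMS/Mail is 1 to 10."""
    if not 1 <= per_message <= 10:
        raise ValueError("Responses per SMS/Mail must be 1 to 10")
    return [hotp(secret, first_counter + i, digits) for i in range(per_message)]


def render_mail(template, responses):
    """Mail Content rule: responses replace [RESPONSES] when present,
    otherwise they are appended at the foot of the text."""
    block = "\n".join(responses)
    if "[RESPONSES]" in template:
        return template.replace("[RESPONSES]", block)
    return template.rstrip("\n") + "\n" + block


class BatchOtpVerifier:
    """Server-side state for one user's token: the next expected counter and
    the position reached within the batch that was last delivered."""

    def __init__(self, secret, per_message, digits=6):
        self.secret, self.per_message, self.digits = secret, per_message, digits
        self.counter = 0    # counter of the next response the server will accept
        self.position = 0   # index of the next unused response in the current batch
        self.delivered = otp_batch(secret, 0, per_message, digits)

    def deliver(self):
        """Issue a fresh batch starting at the next expected counter."""
        self.position = 0
        self.delivered = otp_batch(self.secret, self.counter, self.per_message, self.digits)
        return self.delivered

    def verify(self, response):
        """Returns (accepted, new_batch_or_None). Only the next response in
        sequence is accepted, so a replayed or skipped response is rejected."""
        expected = hotp(self.secret, self.counter, self.digits)
        if not hmac.compare_digest(response, expected):
            return False, None
        self.counter += 1
        self.position += 1
        # Using the penultimate or last response of the batch triggers a new message.
        if self.position >= max(self.per_message - 1, 1):
            return True, self.deliver()
        return True, None
```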


Programming the Quest Soft Token for E-mail OTP

To program the Quest Soft Token for E-mail OTP:

1. On the username Properties, Defender tab, select Program.

2. The Defender Token Programming Wizard (Welcome) dialog box is displayed:

Figure 51: Defender Token Programming Wizard (Welcome) dialog box

3. Click Next. The Defender Token Programming Wizard (Token Types) dialog box is displayed:

Figure 52: Defender Token Programming Wizard (Token Types) dialog box

4. Select Defender Desktop Token, then click Next.

Figure 53: Defender Token Programming Wizard (Desktop Token Types)

5. Select E-mail OTP, then select Next to continue. The Defender Token Programming Wizard (Select Token Mode) dialog box is displayed:

Figure 54: Defender Token Programming Wizard (Select Token Mode)

6. The Defender E-mail OTP token is a synchronous OATH Compliant token, so only these options will be available.

7. In the Response Length box, select an option button to select the length of the token response that will be issued.

8. Click Next. The Defender Token Programming Wizard (Checking User License) dialog box is displayed:

Figure 55: Defender Token Programming Wizard (Checking User License)

9. In the Licensing Information box, the Allocated field, Maximum Allocation field and Licenses required field are display only fields:

• Allocated - number of licenses currently allocated to users

• Maximum Allocation - maximum number of user licenses available, including licenses already allocated to users

• Licenses required - number of additional user licenses you will need in order to allocate a license to each selected user.

10. Click Next. The Defender Token Programming Wizard (Complete) dialog box is displayed:

Figure 56: Defender Token Programming Wizard (Programming Complete)

11. The token has now been assigned to the user, allowing the user to authenticate using the Quest Soft Token for E-mail.

Figure 57: Defender username Properties

Distributing Defender Tokens

Before using the Defender token, the user needs the following information from you:

• user ID

• initial PIN (this is only required if you have set PINs for some or all of the Defender tokens).

Defender Desktop Token Activation

Defender Desktop Tokens must be activated by the user before they can be used for authentication. For further information, refer to the token user guide for your token type.

Defender Token Logs

• Introduction

• Token Event Logging

• Enabling Defender Event Logging

Introduction

This section provides a list of the messages that may appear in the Token Event Log and describes how to enable the Token Event Logs.

Token Event Logging

Token events performed by the Defender Administrator, such as assigning a token to a user, assigning a Defender password to a user, setting a token PIN, etc., can be logged to the Defender event log for auditing purposes. The Defender event log can be viewed using the Windows Event Viewer. The Defender event log may include the messages shown in the table below:

Table 1: Defender Event Log Messages

ID    MESSAGE

1000  Token tokenname assigned to user username

1001  Failed to assign token tokenname to user username, error (messageID) messagetext

1002  Defender Password assigned to user username

1003  Failed to assign Defender Password to user username, error (messageID) messagetext

1004  Set PIN on token tokenname assigned to user username

1005  Failed to set PIN on token tokenname assigned to user username, error (messageID) messagetext

1006  Set temporary response on token tokenname assigned to user username

1007  Failed to set temporary response on token tokenname assigned to user username, error (messageID) messagetext

1008  Cleared temporary response on token tokenname assigned to user username

1009  Failed to clear temporary response on token tokenname assigned to user username, error (messageID) messagetext

1010  Modified data of token tokenname assigned to user username

1011  Failed to modify data of token tokenname assigned to user username, error (messageID) messagetext

1012  Token tokenname unassigned from user username

1013  Failed to unassign token tokenname from user username, error (messageID) messagetext

1014  Defender Password unassigned from user username

1015  Failed to unassign Defender Password from user username, error (messageID) messagetext

1016  Clear PIN on token tokenname assigned to user username

where:

tokenname is the distinguished name of the token.

username is the distinguished name of the user.

messageID is the message ID.

messagetext is the descriptive text of the message.
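As an added example (not Quest's code), the Table 1 message templates turned into parsers and run over a few constructed event records to pick out failures per user and the events that change how a user can authenticate; the set of events flagged for review and the sample distinguished names are this example's own.

```python
import re
from collections import Counter

# Message templates from Table 1; tokenname/username are distinguished names,
# messageID/messagetext appear only in failure messages.
TEMPLATES = {
    1000: "Token tokenname assigned to user username",
    1001: "Failed to assign token tokenname to user username, error (messageID) messagetext",
    1002: "Defender Password assigned to user username",
    1003: "Failed to assign Defender Password to user username, error (messageID) messagetext",
    1004: "Set PIN on token tokenname assigned to user username",
    1005: "Failed to set PIN on token tokenname assigned to user username, error (messageID) messagetext",
    1006: "Set temporary response on token tokenname assigned to user username",
    1007: "Failed to set temporary response on token tokenname assigned to user username, error (messageID) messagetext",
    1008: "Cleared temporary response on token tokenname assigned to user username",
    1009: "Failed to clear temporary response on token tokenname assigned to user username, error (messageID) messagetext",
    1010: "Modified data of token tokenname assigned to user username",
    1011: "Failed to modify data of token tokenname assigned to user username, error (messageID) messagetext",
    1012: "Token tokenname unassigned from user username",
    1013: "Failed to unassign token tokenname from user username, error (messageID) messagetext",
    1014: "Defender Password unassigned from user username",
    1015: "Failed to unassign Defender Password from user username, error (messageID) messagetext",
    1016: "Clear PIN on token tokenname assigned to user username",
}
# Named groups substituted for the placeholders (DNs contain commas, so non-greedy).
GROUPS = {"tokenname": r"(?P<tokenname>.+?)", "username": r"(?P<username>.+?)",
          "messageID": r"(?P<messageID>-?\d+)", "messagetext": r"(?P<messagetext>.*)"}
# Events that change how a user can authenticate; this example's own pick for review.
REVIEW = {1002, 1006, 1016}

def template_regex(template):
    pattern = re.escape(template)  # re.escape leaves the placeholder words intact
    for name, group in GROUPS.items():
        pattern = pattern.replace(name, group)
    return re.compile("^" + pattern + "$")

COMPILED = {eid: template_regex(t) for eid, t in TEMPLATES.items()}

def parse_event(event_id, message):
    """Fields of a Table 1 message as a dict, or None if the ID/text is not a known event."""
    rx = COMPILED.get(event_id)
    m = rx.match(message) if rx else None
    if not m:
        return None
    return dict(m.groupdict(), event_id=event_id, failed=TEMPLATES[event_id].startswith("Failed"))

def triage(records):
    """records: (event_id, message) pairs. Returns failures per user, review list, unparsed."""
    failures, review, unparsed = Counter(), [], []
    for eid, msg in records:
        f = parse_event(eid, msg)
        if f is None:
            unparsed.append((eid, msg))
            continue
        if f["failed"]:
            failures[f["username"]] += 1
        if eid in REVIEW:
            review.append((eid, f["username"]))
    return failures, review, unparsed

# Constructed sample records, not taken from a real Defender log.
SAMPLE = [
    (1000, "Token CN=Tok1,OU=Tokens,DC=example,DC=com assigned to user CN=Alice,OU=Staff,DC=example,DC=com"),
    (1001, "Failed to assign token CN=Tok2,OU=Tokens,DC=example,DC=com to user CN=Bob,OU=Staff,DC=example,DC=com, error (5) Access is denied"),
    (1006, "Set temporary response on token CN=Tok1,OU=Tokens,DC=example,DC=com assigned to user CN=Alice,OU=Staff,DC=example,DC=com"),
    (9999, "Unrelated message"),
]
```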

Enabling Defender Event Logging

To enable logging to the Defender event log, create the Registry key shown below:

HKEY_LOCAL_MACHINE:SOFTWARE\PassGo Technologies\Defender\Defender AD MMC:LoggingEnabled:1:REG_DWORD:

For x64 platforms:

HKEY_LOCAL_MACHINE:SOFTWARE\Wow6432Node\PassGo Technologies\Defender\Defender AD Name

Log messages are written to the local event log and the event log on the PDC emulator. To allow all authenticated users to write to the PDC’s event log, you must edit the existing Registry key as shown below:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Defender:CustomSD:(A;;0x3;;;NU)