Hideez Enterprise Server Version 2.0

ADMINISTRATOR MANUAL

Version 2.0.

© Hideez Group Inc, 2018


Table of Contents

1. General Information
1.1. Purpose and scope
1.2. System requirements
2. Setting Hideez Enterprise Server
2.1. HES system installation description
2.2. The first launch of the site
2.3. HES Administrator Account
3. Using Hideez Enterprise Server
3.1. Basic concepts
3.1.1. Storage of identification information
3.1.2. Hideez device management
3.1.3. Catalog of Enterprise IT-resources
3.1.4. User’s cabinet
3.1.5. Administrator’s workplace
3.2. System Setup
3.2.1. User roles
3.2.2. Mail settings
3.2.3. Mailchimp settings
3.3. User management
3.3.1. Groups of users
3.3.2. Creating the user
3.3.3. Editing user
3.4. Enterprise Resource Management
3.4.1. Catalog of Enterprise IT-resources
3.4.2. Adding credentials to the user’s device
3.4.3. Using User Credentials on Client Devices
    Determination of the target application
    Defining the target web page
    Examples of pointing applications and web pages
3.5. Additional Features
3.5.1. Adding Hideez Device
3.5.2. User Device History


1. General Information

1.1. Purpose and scope

The Hideez Enterprise Server (HES) software is designed for managing Hideez devices and the corporate identification information stored on them. Using HES allows the enterprise to:

● exclude the exchange of control information between tokens and external resources: control is carried out inside the enterprise.

● solve the problem of secure password transfer to the user. The password is transmitted over an encrypted channel between server and token and cannot be intercepted.

● remotely manage (add, edit or delete) the passwords in user devices.

● monitor the complexity and validity of passwords, and forcibly change them.

● move to strict authorization: replace passwords with keys that are unknown to the user.

1.2. System requirements

To work with HES v1 you need the following:

● Microsoft Windows Server 2012 or higher
● Microsoft IIS v 10 or higher
● Microsoft SQL Server 2012 or higher
● RAM: 4 GB; free space on hard drive: 20 GB

HES is accessed over the HTTP/HTTPS protocol on the port specified during the installation of the system.

Users and administrators of HES work through an Internet browser. The server supports Google Chrome v 58 or higher, Microsoft Internet Explorer v 11.0 or higher, Microsoft Edge and Safari (macOS).

2. Setting Hideez Enterprise Server

2.1. HES system installation description

The installation of Hideez Enterprise Server is described for a personal computer running the Windows 10 operating system.

The installation of the Hideez Enterprise Server system includes the following components and automatic settings:

1. Enable and configure Internet Information Services (IIS) components.
2. Install SQL Server.
3. Install .NET Core Windows Server Hosting.
4. Install Hideez Enterprise Server.
5. Create the database and connect the site to the IIS components.
6. Create a user in the IIS Manager snap-in through which the Hideez Enterprise Server website accesses the SQL database.


After installation, the site has a local address of the form http://localhost:8092. Port 8092 is set by default and can be changed by the administrator in the IIS Manager snap-in: select the HideezEnterprise site, click Bindings in the Actions console, and set the desired port.

2.2. The first launch of the site

The database is created and the preparatory actions are performed at the moment of the first visit to the site. Open http://localhost:8092 (or the other address assigned to the site) in the browser.

For remote access to the site, enter the IP address of the computer on which Hideez Enterprise Server is installed in the address bar of the browser instead of localhost.

2.3. HES Administrator Account

During installation, a single user with administrator rights is created:

Login: HideezAdmin

Password: HideezAdmin

It is recommended that you log in to the cabinet at the first start and change the system administrator’s password.


3. Using Hideez Enterprise Server

3.1. Basic concepts

3.1.1. Storage of identification information

Starting with the Hideez Key ST101, Hideez devices store the user’s identifiers, such as logins, passwords and two-factor secret keys, inside the device.

This information is stored in the Password Manager of the Hideez device in encrypted form and is not transmitted outside.

Password Manager entries can be created by the owners of Hideez devices (personal records) and by HES administrators (corporate records). Personal records are available only to the authorized device owner. Corporate records are available to the owner of a device that is linked to the corresponding account in HES. Editing and deletion of corporate records is available to the administrator and operator of HES and, if the administrator allows it, to the device owner.

3.1.2. Hideez device management

Corporate use of Hideez devices involves "linking" devices to the enterprise and to users to ensure their safe authorized use. The administrator can add new devices for management, delete them and block them in case of loss.

3.1.3. Catalog of Enterprise IT-resources

The catalog contains a configurable list of enterprise IT-resources, such as PC operating systems, domain services, mail services, databases, etc., access to which can be automated for users of Hideez devices.

The catalog serves as a template for quickly generating a list of resources for each specific user (user group).

3.1.4. User’s cabinet

In the personal cabinet of the HES service, users of Hideez devices can delete their devices and also block them in the event of loss or theft.

3.1.5. Administrator’s workplace

The administrator’s workplace is the main tool for working with HES. In it the administrator:

● configures the catalog of enterprise IT-resources
● configures the roles of HES users
● manages users
● manages the Hideez devices that belong to the enterprise
● performs other administration tasks

3.2. System Setup To go to the system settings, click "Settings". Section contains: User roles, Mail settings, Mailchimp settings.

3.2.1. User roles

HES provides two default user roles: Administrator (admin) and User (user). The roles differ in the rights to perform operations.


3.2.2. Mail settings

HES uses a third-party SMTP service for sending messages to users (for example, a confirmation e-mail). In this section you need to specify the details of this service:

● hostname/IP address
● port
● login of the e-mail account (for example [email protected])
● password of the mail account

Click "Save" to save the changes.

Please note that the mail account [email protected] must be created and activated before the first use.


3.2.3. Mailchimp settings

These settings are used to configure integration with Mailchimp.

3.3. User management

3.3.1. Groups of users

User groups are used to formalize the structure of an enterprise.

To create a group, click the "My Groups" tab and then click “Add”.

Specify a group name and, if necessary, a description.


After saving, the group appears in the general list of groups and is available for management (“Manage”).

3.3.2. Creating the user

After the group has been created, the administrator has access to the general group settings (menu on the left) and to user management in the table header.

To add a new user, click “Add”.

Enter the list of e-mail addresses of the users you want to add to the group, separated by commas (without spaces).


After clicking the “Add users” button, an e-mail with a link to confirm account creation is sent to each specified address. All new users appear in the “Users” table.

3.3.3. Editing user

To change information about a user, assign a role to them, or manage the information in their Hideez devices, follow these steps:

1. In the main menu, click Users.
2. In the opened list, find the needed entry. You can use filtering for the search: enter part of the name/e-mail in the search bar at the top of the list.
3. Click the “Edit” icon in the “Actions” column to switch to editing the user’s information.

By default, each user has the role “User”. To grant a role with higher rights, turn on the switch in the appropriate field on the “Roles” tab.

On the “Devices” tab, you can view the list of devices registered to the user. An administrator can remove a device from a user account by clicking the “Remove” button. This erases the user information in the device and resets it to the factory settings.

The “Edit” button allows you to edit the enterprise information on the user's device. For more on this, see “Enterprise Resource Management”.

3.4. Enterprise Resource Management

3.4.1. Catalog of Enterprise IT-resources

The “Accounts catalog” is intended for adding, changing or deleting records of enterprise resources to which access is later provided.

To add a new entry to the "Accounts catalog", follow these steps:

1. In the main menu, go to “Remote control”, then to the sub-item “Manage account catalog”.


2. Click the “Add new” button and fill in the fields.
3. Specify the account name (for example, Gmail business account).
4. Specify the list of URLs of websites and/or applications for which the account will be used.
5. Click the “Create” button.

Note. Credentials for the created accounts are filled in for each user individually.

Note. The principles for applying user credentials to applications and web sites are described in “Using User Credentials on Client Devices” (section 3.4.3).

3.4.2. Adding credentials to the user’s device

The administrator can add credentials to the user's device. The user will see them in the "Password Manager" section of the Hideez Safe client application, alongside those that he added himself.

To add an account to the user’s device, complete the following steps:

1. In the main menu, click "Users".
2. In the opened list, find the necessary entry. You can use filtering for the search: enter part of the name/e-mail in the search bar at the top of the list.
3. Click the “Devices” icon in the “Actions“ column of the user card to go to the list of the user’s registered devices.


4. Select the necessary device from the list of devices and click “Edit”.
5. In the “Password Manager” click the “Add” button to create a new entry.
6. If applicable, select an item from the list of company accounts in the "Select account" field to automatically fill in the other fields according to the selected template.


7. Fill in the “URL List” and “Apps” fields according to 3.4.3 "Using User Credentials on Client Devices".
8. In the Login field, specify the login with which the user will enter the application/web page.
9. In the Password field, specify the password with which the user will enter the application/web page.
10. Save the entry with the "Add" button.

3.4.3. Using User Credentials on Client Devices

The user credentials stored on a Hideez device are used on client devices through the Hideez Safe application. The resident part of the application is permanently in memory and continuously monitors the running applications.

On a certain event (pressing a button on the device or a hotkey on the keyboard), the credentials are substituted into the active application. To decide which credentials to substitute, Hideez Safe for Windows uses the methods described below.


Determination of the target application

The credentials (login, password, one-time password) are inserted into the application that has the keyboard input focus. The name of the corresponding process in the operating system is used as the application identifier.

You can see the name of the process in the Windows Task Manager on the Details tab.

For example:

● The Skype application: the corresponding process is named Skype.exe
● The Hideez Safe application includes two parts; the processes are named HideezHostServ.exe and HideezUI.exe

Defining the target web page

If the active window is a browser (Internet Explorer, Firefox, Google Chrome and Opera are supported), Hideez Safe analyzes the current address line (URL).

The key parameter is the domain and subdomain in the string.

For example, for the page https://accounts.google.com/AddSession?hl=en&continue=https://mail.google.com/mail&service=mail#identifier the key parameter is the domain accounts.google.com; the address mail.google.com, which appears only inside the query string, is not the key parameter.

Examples of pointing applications and web pages

Field: URL address
Content: photos.google.com, drive.google.com, accounts.google.com
The account will be applied to: these three addresses and their subdomains.

Field: URL address
Content: google.com
The account will be applied to: any subdomain of google.com, including drive.google.com, mail.google.com and others.

Field: Application
Content: EXCEL.EXE
The account will be applied to: Microsoft Excel only.

Field: Application
Content: EXCEL.EXE, Skype.exe
The account will be applied to: Microsoft Excel or Skype.

Note. The applied method of identifying applications by the name of the process is not safe, and it is currently used for research purposes. Hideez is constantly working to eliminate possible vulnerabilities.
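The targeting rules of this section (key parameter = host of the address-bar URL; URL List entries match that host and its subdomains; Apps entries match the process name), written out as an added example that is not Hideez Safe's own code. The entry and active-window dictionaries are assumed shapes for illustration, and GOOGLE_LOGIN_URL is the manual's example address; the block also shows why a plain substring test on the URL is the wrong way to find the key parameter.

```python
from urllib.parse import urlsplit

# The manual's example address (constructed string; the outer host is the key parameter).
GOOGLE_LOGIN_URL = ("https://accounts.google.com/AddSession?hl=en"
                    "&continue=https://mail.google.com/mail&service=mail#identifier")


def url_key(url: str) -> str:
    """Key parameter of an address-bar URL: its host (domain plus subdomains), lower-cased.
    The query string is parsed away, so a URL embedded in it (continue=https://mail.google.com/...)
    cannot change the result."""
    return (urlsplit(url).hostname or "").lower()


def host_matches(host: str, pattern: str) -> bool:
    """True when host equals the URL-list entry or is a subdomain of it.  The test is made on
    label boundaries, so 'notgoogle.com' and 'google.com.evil.example' do not match 'google.com'."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    return host == pattern or host.endswith("." + pattern)


def process_matches(process: str, pattern: str) -> bool:
    """Windows process names compare case-insensitively (EXCEL.EXE == excel.exe)."""
    return process.casefold() == pattern.casefold()


def entry_applies(entry: dict, active: dict) -> bool:
    """Decide whether a Password Manager entry applies to the focused window.
    entry  = {"urls": [...], "apps": [...]}      the entry's URL List and Apps fields (assumed shape)
    active = {"process": name, "url": str|None}  url is set only when the active window is a browser
    """
    if active.get("url"):
        key = url_key(active["url"])
        return any(host_matches(key, p) for p in entry.get("urls", []))
    return any(process_matches(active["process"], p) for p in entry.get("apps", []))


def naive_url_contains(url: str, pattern: str) -> bool:
    """Substring test, shown only as the pitfall: it 'finds' hosts that merely appear inside the
    query string, which the parsed key parameter correctly ignores."""
    return pattern.lower() in url.lower()


if __name__ == "__main__":
    # The rows of the table above, as constructed entries.
    three_hosts = {"urls": ["photos.google.com", "drive.google.com", "accounts.google.com"], "apps": []}
    any_google = {"urls": ["google.com"], "apps": []}
    excel_or_skype = {"urls": [], "apps": ["EXCEL.EXE", "Skype.exe"]}
    print(url_key(GOOGLE_LOGIN_URL))                                                   # accounts.google.com
    print(entry_applies(three_hosts, {"process": "chrome.exe", "url": GOOGLE_LOGIN_URL}))  # True
    print(entry_applies(any_google, {"process": "chrome.exe", "url": "https://mail.google.com/mail"}))  # True
    print(entry_applies(excel_or_skype, {"process": "skype.exe", "url": None}))         # True
    print(naive_url_contains(GOOGLE_LOGIN_URL, "mail.google.com"))                     # True (the pitfall)
```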

3.5. Additional Features

3.5.1. Adding Hideez Device

The Hideez device protection architecture includes Device Key digital keys, embedded in the devices at the factory. Hideez uses these keys to authorize devices and to ensure secure communication with them.

Your copy of Hideez Enterprise Server can manage employee devices only after “importing” the device keys. The procedure for requesting a key from the vendor is not covered in this document.

Device keys are transferred using an HDZ file.

To import a file with device keys, follow these steps:

1. In the Actions section of the main menu, click "Import devices".


2. Specify the key file received from the vendor, for example “Devices_ST10102160600021_ST10102160600023.hdz”, and load it.

3.5.2. User Device History

HES logs all actions that occur with devices, such as device registration, binding to and unbinding from the user's account, and logging in to the Hideez Safe application on the client side.

To view the key usage history, go to the Users tab and click the device of the desired user. The “Device history” table opens with the necessary information.


When you start the Hideez Safe application for the first time (before authorization), you need to configure the Network settings in the Menu by entering the address of the host you are using: http://localhost:8092