NetWrix Password Manager
Administrator Guide
NetWrix Password Manager Administrator Guide
Page 2 of 18
Contents
Introduction
  How It Works
  Security Considerations
    Web Application Security
    Password Manager Service Security
    Enhanced Security Scenario: Installation in DMZ
    Logon Prompt Extension Security
    Profile Database Security
    Built-in Security Policies
Administrative Tasks
  Configuring Managed Domains
  Configuring Roles
  Configuring Self-Service Portal
    Appearance and Available Actions
    Password Policy
    Verification Questions
    Notifications
  Enabling Self-Service for Users
    Manual Enrollment
    Automatic Enrollment
    Profile Preload
  Disconnected Mode for Remote Users
  Licensing
Further Information
Introduction
In an Active Directory environment, administration of user passwords includes many tasks, such
as enforcing password security requirements through Group Policy, help desk activity, and bulk
configuration of user account options. Typically, these operations are decentralized, and account
owners are left out of account management.
NetWrix Password Manager is a solution that helps reduce help desk and administration
workload by doing the following:
Giving end-users self-service Web access to common password administration tasks
Letting help desk operators unlock accounts and view reports on account state through a
simple Web interface
Letting administrators enforce restrictions on what kinds of passwords can be set
To achieve these tasks, the product distinguishes three roles:
Self-service Users
Help desk Operators
Administrators
By assigning these roles to groups and users, you can control who can perform which password
management actions.
To enable users to perform password self-service actions, you need to make sure they complete
the process called enrollment. This involves defining verification questions and answers to them
as an identity verification mechanism.
Enrollment and subsequent self-service operations can be performed using the self-service portal
or the Logon Prompt Extension. There is no difference in functionality between these
components—if one of them is deployed, the other is not required. However, with both
components in place, password self-service may be more convenient for end users.
How It Works
The product includes three components:
Web application
This component provides the three Web portals that make Password Manager functionality
available: administrative portal, help desk portal and self-service portal.
Core Password Manager service
This service executes actions requested by the Web portals.
Windows Logon Prompt Extension
This component is called GINA on pre-Windows Vista computers and Credentials Provider
on Windows Vista and Windows Server 2008. This application extends the standard
Windows logon prompt and pops up a dialog box that lets end-users enroll for password self-
service operations.
Both the Logon Prompt Extension and Web browser clients connect to the Web application over
HTTPS. The Web application, in turn, connects to the Password Manager service over RPC (DCOM).
The Password Manager service keeps the profile database in the local file system and
communicates with Active Directory over encrypted LDAP and RPC channels.
Security Considerations
Web Application Security
Standard Web server security considerations apply. Install an SSL certificate (obtained from a
certification authority your clients trust, VeriSign for example) on your Web server and enable
HTTPS on port 443. Disable non-secure HTTP on port 80: the portals carry verification answers
and new passwords, so nothing should be reachable over plain HTTP.
To install an SSL certificate:
1. On the Password Manager server, open the Internet Information Services MMC snap-in
and open the properties of the default Web site: Internet Information Services (IIS)
Manager | <computer_name> | Web Sites | Default Web Site.
2. On the Directory Security tab, click the Server Certificate button.
3. Complete the Web Server Certificate Wizard by specifying your certificate.
Note: The Web service component doesn’t have any security logic; it acts only as a
communication and presentation layer between web clients/GINA and the Password Manager
service. All security checks and policy enforcements are done at the Password Manager server
side. However, communications must be secure—this is why SSL is required to prevent data
eavesdropping and tampering.
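A check worth running once the steps above are done: confirm that the Web server no longer answers on port 80 and that the certificate it presents on 443 validates without any relaxation of certificate checking. This is an added PowerShell example, not part of the NetWrix guide; the host name pm.acme.local and the virtual directory name PM are assumptions.

```powershell
# Added example (not from the NetWrix guide). Verifies that the Web application is reachable
# only over HTTPS. $Server and $VDir are assumptions; adjust them to your installation.
$Server = 'pm.acme.local'
$VDir   = 'PM'

function Test-TcpPortOpen {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }   # filtered
        $client.EndConnect($async)                                                # throws if refused
        return $true
    } catch { return $false } finally { $client.Close() }
}

# 1. Plain HTTP must be off: a closed or filtered port 80 is the expected result.
if (Test-TcpPortOpen -HostName $Server -Port 80) {
    Write-Warning "$Server still accepts connections on port 80; disable HTTP in IIS."
} else {
    Write-Host "OK: port 80 is closed on $Server"
}

# 2. HTTPS must work with full certificate validation. Do not relax
#    ServicePointManager.ServerCertificateValidationCallback here: a validation failure
#    (name mismatch, expiry, untrusted issuer) is exactly what this check exists to catch.
$req = [System.Net.HttpWebRequest]::Create("https://$Server/$VDir/")
$req.Method = 'HEAD'
$handshakeOk = $false
try {
    $resp = $req.GetResponse()
    $handshakeOk = $true
    $resp.Close()
} catch [System.Net.WebException] {
    # ProtocolError means the TLS handshake succeeded and the server answered with an HTTP
    # error (for example 401 from a portal that requires Windows authentication). Anything
    # else (TrustFailure, SecureChannelFailure, ConnectFailure) is a real problem.
    if ($_.Exception.Status -eq [System.Net.WebExceptionStatus]::ProtocolError) {
        $handshakeOk = $true
    } else {
        Write-Warning ("HTTPS check failed: {0} ({1})" -f $_.Exception.Message, $_.Exception.Status)
    }
}
if ($handshakeOk) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $req.ServicePoint.Certificate
    Write-Host ("OK: HTTPS on {0}, certificate subject {1}, expires {2:yyyy-MM-dd}" -f $Server, $cert.Subject, $cert.NotAfter)
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning 'Certificate expires in under 30 days; renew it.' }
}
```

Run it from a client machine rather than on the server itself, so that the check goes through the same firewall path the users do.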
Password Manager Service Security
All connections to the Password Manager service are made over RPC. Setup configures the default
RPC security settings on the server machine, and you can change them manually in the Component
Services snap-in (the application name is NetWrix Password Manager). The Packet Privacy
authentication level, which authenticates and encrypts every packet, is set by default for
maximum security; do not lower it.
The Password Manager service authenticates help desk operators and administrators by means of
integrated Windows authentication. To configure security roles, use the administrative Web
portal. For details, see the Configuring Roles section.
No Windows authentication is done for self-service clients. This is to enable password resets
without logon, after question-answer verification. Please do not change Launch, Activation and
Access permissions in the DCOM configuration (anonymous IIS users must be allowed to access
the service).
The service account (specified during installation) must be able to unlock accounts and reset
passwords in the managed domains, because all actions, both self-service and help desk, are
performed under the service account. Use a dedicated account that holds only the rights listed
here, not a member of Domain Admins: whoever compromises the Web server or the service host gets
whatever this account can do. The following rights must be delegated on the managed OUs: Change
Password, Reset Password, Read Account Restrictions, Write Account Restrictions, Read pwdLastSet,
Write pwdLastSet, Read lockoutTime, Write lockoutTime. Refer to Q294952 and Q279723 on the
Microsoft support website to learn how to delegate specific rights to the service account.
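The delegation above can be scripted so that the service account receives exactly the listed rights and nothing else, and so that the resulting ACL can be read back and compared with the list. This is an added PowerShell example using dsacls.exe, not part of the NetWrix guide; the OU, the ACME domain and the account name svc-pwdmgr are assumptions, and whether dsacls accepts the property set by its display name "Account Restrictions" should be confirmed from the read-back at the end.

```powershell
# Added example, not from the NetWrix guide. Grants the service account the rights the guide
# lists on one managed OU, using dsacls.exe (present on domain controllers and RSAT hosts).
# The OU, domain and account names are assumptions; substitute your own.
$OU      = 'OU=Staff,DC=acme,DC=local'
$Account = 'ACME\svc-pwdmgr'      # dedicated service account, deliberately not a Domain Admin

# CA = control access (extended right); RP/WP = read/write property.
# /I:S applies each entry to child objects of class "user" only, not to the OU object itself.
$grants = @(
    'CA;Change Password;user',
    'CA;Reset Password;user',
    'RPWP;Account Restrictions;user',   # property set, assumed to be accepted by display name
    'RPWP;pwdLastSet;user',
    'RPWP;lockoutTime;user'
)

foreach ($g in $grants) {
    & dsacls.exe $OU /I:S /G "${Account}:$g" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for '$g' on $OU" }
}

# Read the ACL back and show only the entries for the service account. Compare the list with
# the grants above: anything extra is a right the account should not have.
& dsacls.exe $OU | Select-String -SimpleMatch $Account
```

Repeat the loop for every managed OU. If the read-back shows the account holding rights on the OU object itself (for example, inherited from an earlier, broader delegation), remove them with `dsacls <OU> /R <account>` before re-running the script.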
Enhanced Security Scenario: Installation in DMZ
As an additional security measure, some organizations may want to separate the Internet-facing
Web application from the Password Manager service, which acts as the backend that interfaces
with Active Directory accounts and passwords. With this split, the host exposed to the Internet
holds neither the profile database nor the service account, which reduces the attack surface and
improves overall security.
Installation steps are as follows:
1. Backend server (running the Password Manager Service):
a) Install the product as usual under a domain account having necessary permissions
and rights as described in the previous section.
b) In Active Directory Users and Computers snap-in, find the computer account for a
selected server in DMZ and set the checkbox named Trust this computer for
delegation.
c) Create a new domain account called IUSR_NetWrix_DMZ and add it to the following
local groups on the backend server: Guests and Distributed COM Users. It needs no
other rights.
d) On the backend server, limit the dynamic port range used for RPC connections: run the
Component Services snap-in (dcomcnfg.exe), open the properties of My Computer, and on
the Default Protocols tab edit Connection-oriented TCP/IP. Specify a range of at least
five ports, e.g. 4000-4004. [Screenshot of the port range dialog not reproduced.]
e) In the firewall between the DMZ and the internal network, allow TCP port 135 and the
port range configured above FROM the DMZ server TO the backend server, in that
direction only.
f) On the backend server, also verify the Default Properties tab in Component Services |
My Computer | Properties. [Screenshot of the required Default Properties settings not
reproduced.]
g) Reboot the backend server.
2. Server in DMZ (running the Web Application)
a) Install the product as usual, under any domain account.
b) Go to Services snap-in (services.msc), stop the service named NetWrix Password
Manager, set startup mode to Disabled.
c) Go to Component Services (dcomcnfg.exe), Computers\My Computer\DCOM
Config, find the item named NetWrix Password Manager, and right-click it for
properties.
d) On the Location tab, uncheck the checkbox Run application on this computer,
check Run application on the following computer, and enter the name of the
backend server installed in step 1(a) above. Click OK
e) Run the IIS Manager snap-in, find the virtual directory created by the installation
(usually named PM), right-click for properties, Directory Security tab, click Edit
in the Authentication box, and replace the default user name with the user created
in step 1(c) above. Don’t forget to supply the current password.
3. Perform test on the client side: navigate to the Password Manager self-service portal
(running on the DMZ server) from the outside network to test connectivity and perform
basic actions (e.g. enroll and reset password).
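The backend side of steps 1(d), 1(e) and 3 can be done and verified from a script. This is an added PowerShell example, not part of the NetWrix guide: part 1 writes the registry values behind the dcomcnfg Default Protocols dialog, part 2 adds the host firewall rules (the network firewall between the zones still needs the matching rules), and part 3 is a reachability test meant to run on the DMZ server after the backend reboot. The DMZ address 192.0.2.10, the backend name pm-backend.acme.local and the port range are assumptions.

```powershell
# Added example, not from the NetWrix guide. Run parts 1 and 2 on the BACKEND server as an
# administrator; run part 3 on the DMZ server. Addresses, names and ports are assumptions.
$DmzHost  = '192.0.2.10'     # assumed address of the DMZ Web server
$PortFrom = 4000             # at least five ports, as step 1(d) requires
$PortTo   = 4004

# 1. Fix the range of dynamic ports RPC/DCOM may hand out. These are the values under
#    HKLM\SOFTWARE\Microsoft\Rpc\Internet described in Microsoft KB 154596; they take effect
#    after the reboot in step 1(g).
$rpc = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path $rpc)) { New-Item -Path $rpc -Force | Out-Null }
Set-ItemProperty -Path $rpc -Name 'Ports'                  -Value ([string[]]@("$PortFrom-$PortTo")) -Type MultiString
Set-ItemProperty -Path $rpc -Name 'PortsInternetAvailable' -Value 'Y' -Type String
Set-ItemProperty -Path $rpc -Name 'UseInternetPorts'       -Value 'Y' -Type String

# 2. Host firewall (Windows Server 2008 or later, netsh advfirewall): inbound 135/TCP and the
#    range, from the DMZ host only. Nothing is opened towards the DMZ.
netsh advfirewall firewall add rule name="PM RPC endpoint mapper from DMZ" dir=in action=allow protocol=TCP localport=135 remoteip=$DmzHost | Out-Null
netsh advfirewall firewall add rule name="PM RPC dynamic ports from DMZ" dir=in action=allow protocol=TCP localport="$PortFrom-$PortTo" remoteip=$DmzHost | Out-Null

# Read back what was set, to compare with the dcomcnfg dialog after the reboot.
Get-ItemProperty -Path $rpc | Select-Object Ports, PortsInternetAvailable, UseInternetPorts

# 3. Reachability test for the DMZ server. The endpoint mapper (135) must be open. A port in the
#    range that is "refused" is fine (reachable, DCOM server not launched yet); a port that
#    times out is being dropped by a firewall and the Web application will hang on it.
function Test-BackendRpc {
    param([string]$Backend, [int[]]$Ports, [int]$TimeoutMs = 3000)
    foreach ($p in $Ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        $async = $client.BeginConnect($Backend, $p, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            Write-Warning ("{0}:{1} timed out (filtered)" -f $Backend, $p)
        } else {
            try   { $client.EndConnect($async); Write-Host ("{0}:{1} open" -f $Backend, $p) }
            catch { Write-Host ("{0}:{1} refused (reachable, nothing listening yet)" -f $Backend, $p) }
        }
        $client.Close()
    }
}
# On the DMZ server:
# Test-BackendRpc -Backend 'pm-backend.acme.local' -Ports (@(135) + ($PortFrom..$PortTo))
```

The registry method and the dcomcnfg dialog set the same values; use one or the other, not both, and keep the range identical to what the network firewall allows.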
Logon Prompt Extension Security
The GINA extension (on Windows XP) or Credentials Provider (on Vista) connects to the Web
application using the same mechanism (HTTPS protocol). Therefore, the same security
considerations apply: make sure that you specify an https-prefixed URL during installation and
configuration.
The Logon Prompt Extension supports a disconnected mode of operation, that is, no connection to
the domain is required after the password has been reset using Password Manager. For details,
see the Disconnected Mode for Remote Users section below.
GINA deployment and configuration can be done via Group Policy. Please see the Password
Manager Quick Start Guide for more information.
Profile Database Security
The profile database is maintained exclusively by the Password Manager service. The answers to
users' verification questions are stored as MD5 hashes, that is, one-way hashed rather than
encrypted, so the service cannot recover the answer text. Only the first and the last letter of
each answer are kept in recoverable form (to assist help desk operators in manual user
verification). Note that MD5 is a fast hash and verification answers are short, so anyone who
obtains the database files can test candidate answers offline at high speed; the file
protections described next matter for that reason.
The profile database is stored in binary files named alinfo.bin, inv_logon.bin and secrets.bin
located in the installation folder (%ProgramFiles%\NetWrix Password Manager by default).
For additional security, you can apply NTFS permissions and encryption settings to these files.
Regular backup of the profile database files is strongly recommended to avoid potential data
loss.
Database backups should be encrypted when copied to backup media (in the simplest case, use
password-protected *.zip files; make sure the archiver uses AES encryption rather than the
legacy ZipCrypto method, which is weak).
Built-in Security Policies
Password Manager provides a number of built-in security policies configurable from the
administrative portal. The following settings are highly recommended:
Self-service Roles – allow regular users to perform password resets but don’t include
domain administrators and other sensitive users in this role.
Questions/Answers Policy – configure these settings to make sure that users provide sets
of secure question-answer pairs (enforce minimum answer length, prevent duplicates).
Prevent answer-guessing (brute-force attacks) – use these settings to block an account after a
certain number of invalid answers have been entered during self-service operations, for
example, block for 30 minutes after 10 invalid answer attempts.
E-mail Notifications – account owners should be alerted by e-mail when someone attempts a
self-service operation against their account (see the Notifications section).
Audit Trail – the product creates a full audit trail and reports on all user activity. Regular
reviews of the user activity reports are recommended.
Administrative Tasks
This section describes tasks that users with the administrator role can perform. For details about
the tasks reserved for help desk operators and self-service access users, see the Password
Manager online help.
Most of the administrative tasks are done in the administrative portal, which is available at
http(s)://<web_server>/<password_manager_virtual_directory>/admin (use https once plain HTTP
has been disabled as recommended in Web Application Security).
[Screenshot of the main page of the administrative portal not reproduced.]
If the Web page cannot be displayed because of authentication problems, add the Password Manager
site to the list of trusted sites on the Security tab of the Internet Properties dialog box
(Internet Options in the Control Panel). The portals use integrated Windows authentication,
which Internet Explorer does not perform automatically for sites it places in the Internet zone.
Configuring Managed Domains
To set the domains where the help desk and self-service portals will be available, open the
administrative portal and click the Domains button.
On the page that opens, modify the list of managed domains using the Edit or Remove buttons,
or the Add link.
When you add a managed domain or edit an existing managed domain, you can also specify the
following settings to be applied to all accounts in the domain:
Whether to use AD password policy settings
This option is enabled by default, so that all password policy options managed in Active
Directory (such as password age and history) are applied during self-service operations. Note
that this option has no effect and should be turned off if a minimum password age policy is
enabled in your Active Directory.
Answer guessing prevention settings
These settings help control the security of self-service operations where users need to
answer secret questions to proceed.
Whether and where to detect account lockouts
Turning this option on enables monitoring of account lockout events, which helps users
examine the probable causes of account lockouts. This monitoring can occur either on the PDC
emulator or on all domain controllers in the domain. Enabling the Only on PDC emulator
option (the default) is more efficient, because it generates less network traffic. However, if the
PDC emulator is offline, some account lockout events may be lost. The On all domain
controllers option helps avoid this. If all your DCs are in the same site, the On all domain
controllers option usually works best.
Configuring Roles
To assign the administrator, help desk operator and self-service user roles, open the
administrative portal and click the Roles button.
A page opens where you can assign the three roles (self-service access user, help desk operator,
and administrator) to groups and users. The page describes each role next to its member list.
Use the Edit button to make the Role members text box editable. You can supply multiple
accounts separated by semicolons without spaces. Use the Check button to verify if the names
you specify exist in your Active Directory.
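Before pasting a member list into the Roles page, it is worth checking it outside the portal: every name should resolve, and, as the Built-in Security Policies section advises, no privileged account should end up in the self-service role. This is an added PowerShell example, not part of the NetWrix guide; the sample role string and the ACME domain are constructed for it, and lookups go to the domain the script runs in (the DOMAIN\ prefix is not used to select a domain).

```powershell
# Added example, not part of the NetWrix guide. Validates a "Role members" string: every name
# must resolve in Active Directory, and principals protected by AdminSDHolder (adminCount=1,
# i.e. members of Domain Admins, Account Operators and the other protected groups) are flagged.
# The sample string and the ACME domain are constructed for the example.
$RoleMembers = 'ACME\Staff;ACME\jdoe;ACME\Domain Admins;ACME\nosuchuser'

function Resolve-Principal {
    param([string]$Name)
    $sam = ($Name -split '\\')[-1]                       # drop the "DOMAIN\" prefix
    # Escape LDAP filter metacharacters a sAMAccountName could legitimately contain.
    $sam = $sam -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher   # current domain
    $searcher.Filter = "(&(|(objectClass=user)(objectClass=group))(sAMAccountName=$sam))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'objectClass', 'adminCount'))
    return $searcher.FindOne()
}

foreach ($name in ($RoleMembers -split ';')) {
    $name = $name.Trim()                                 # the portal wants no spaces around ';'
    if (-not $name) { continue }
    $r = Resolve-Principal -Name $name
    if (-not $r) { Write-Warning "$name does not exist in Active Directory"; continue }
    $class = if ($r.Properties['objectclass'] -contains 'group') { 'group' } else { 'user' }
    $protected = ($r.Properties['admincount'].Count -gt 0) -and ([int]$r.Properties['admincount'][0] -eq 1)
    if ($protected) {
        Write-Warning "$name ($class) is an AdminSDHolder-protected principal; keep it out of the self-service role"
    } else {
        Write-Host "OK: $name ($class)"
    }
}
```

The check does not expand group membership: a plain group such as ACME\Staff passes even if a Domain Admin happens to be a member of it. For a group, list its members recursively and run the same adminCount test on each before adding the group to the self-service role.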
Configuring Self-Service Portal
This section describes settings that control the operation of the self-service portal. To navigate to
these options, click the Settings button on the main page of the administrative portal.
Appearance and Available Actions
To customize the look of the self-service portal and the range of self-service activity available to
enrolled users, use the Branding and Interface tabs.
The Branding tab lets you personalize the interface by adding information specific to your
company, such as logo, support phone number and hyperlink to a page listing password policy
requirements.
The Interface tab lets you enable or disable specific self-service actions.
[Screenshot of the Interface tab not reproduced.]
Password Policy
Use the Password Policy tab to set the minimum and maximum password length. These settings
apply to all managed domains. You can also configure other password-related settings on a per-
domain basis. For details about such settings, see the Configuring Managed Domains section.
Verification Questions
Some self-service operations require answering verification questions as a security measure.
When a user enrolls for password self-service, they give an answer to a preset question, and the
answer is stored for each user. From then on, the same answer must be given whenever this
question pops up again. To define these questions and set constraints for answers, use the
Predefined Questions and Question Policy tabs.
On the Predefined Questions tab, edit the list of questions and select whether or not they are
used. On the Questions Policy tab, configure the constraints you want to impose on the answers
and how many questions to ask in which situations.
Notifications
You can configure Password Manager to send users e-mail notifications when specific events
occur that have to do with the state of their accounts, passwords and enrollment status.
The Notifications tab also contains the SMTP server settings used for e-mail delivery.
Enabling Self-Service for Users
Before members of the Self-service access role can perform self-service operations, they must be
enrolled for these operations. Password Manager supports three user enrollment options:
Manual enrollment
End-users must open the self-service portal manually, as instructed by the system
administrator.
Automatic enrollment
End-users are automatically prompted to enroll at logon.
Profile preload
The system administrator enrolls users based on existing verification data (taken, for
example, from an HR database).
Manual Enrollment
After Password Manager deployment, the system administrator sends the URL of the self-service
portal to all users in a quick introductory e-mail message explaining the purpose of this system
and how to use it. All users need to follow the link in the message to enroll into the system
before they can perform self-service tasks.
Advantages:
No client software deployment.
Easy to accomplish (just send e-mail).
Disadvantage:
Many users won't open the URL (they may be too busy or may not understand, etc.),
resulting in additional help desk calls.
Automatic Enrollment
The automatic enrollment feature works every time users log on to their computers; an
enrollment dialog box pops up as part of the logon process.
[Screenshot of the enrollment dialog box not reproduced.]
This feature is enabled automatically on all computers with the Logon Prompt Extension module
installed (GINA on Windows 2000/XP/2003 and Credentials Provider on Vista and later). Logon
Prompt Extension deployment and configuration can be done via Group Policy (please see the
Deployment Through Group Policy section in the Quick Start Guide for more information).
If you do not want to install the Logon Prompt Extension on your client computers, you can still
use automatic enrollment through Group Policy scripts. Take the following configuration steps:
1. Temporarily install the Logon Prompt Extension on any computer and copy the
prmmain.exe file to a file server share accessible to all users (the default location of
the file is %ProgramFiles%\Logon Prompt Extension for NetWrix Password Manager).
For example, \\pmserver\Enroll\prmmain.exe. Give users read and execute access only:
an executable that every user runs at logon must not be writable by them, or anyone
who can modify it runs code under every user's account.
2. Open the Default Domain Policy or create a new Group Policy object using standard
Microsoft tools (GPMC or ADUC).
3. Navigate to User Configuration | Windows Settings | Scripts (Logon/Logoff) and add a
new logon script that starts prmmain.exe without any arguments.
Advantage:
Enforces enrollment for self-service to minimize the number of help desk calls.
Disadvantage:
Requires client deployment (only for the Logon Prompt Extension).
Profile Preload
Many organizations have user-specific data in their HR databases, such as Social Security
numbers, places of birth, or similar. With Password Manager, you can preload this existing
verification data so that users can perform their first self-service task without extra steps.
This also ensures that all users are enrolled for password self-service and further minimizes
the number of IT help desk calls. Keep in mind that such HR facts are low-entropy and are often
known to others (family members, previous employers, data breaches), which is why the /E
import option described below, which forces users to replace the preloaded answers with their
own, is recommended.
Advantage:
Enforces enrollment to minimize help desk calls.
Disadvantage:
Requires existing user data (from the HR database).
The profile import utility (ProfileImporter.exe) is installed into the program installation folder
(%ProgramFiles%\NetWrix Password Manager by default). The utility accepts plain-text
Unicode *.csv files with user names and key-value pairs. For example:
ACME\jdoe, Social Security=123-45-6789, Mother's Maiden Name=Parker
ACME\msmith, Social Security=789-56-1234, Mother's Maiden Name=Cameron
Import tool syntax:
ProfileImporter.exe [/O] [/E] <accountlist.txt>
Use the /O option to forcibly overwrite all existing profiles with the new data
Use the /E option to load profiles as expired and force users to enter new verification key-value
pairs after profile validation, while still allowing self-service operations. This option is
recommended.
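Producing the import file from an HR export is where mistakes happen: a value containing the ',' or '=' separators would corrupt a line, and the utility expects Unicode text. This is an added PowerShell example, not part of the NetWrix guide or of ProfileImporter itself; the HR rows are constructed for it, and the ACME domain, the column names and the question texts are assumptions.

```powershell
# Added example, not part of the NetWrix guide. Builds the "DOMAIN\user, Question=Answer, ..."
# lines the importer accepts from an HR export and runs ProfileImporter.exe with /E.
# The HR rows are constructed for the example; domain, columns and question texts are assumptions.
$Domain = 'ACME'
# HR column -> verification question, in the order the pairs should appear on each line.
$Map = [ordered]@{ ssn = 'Social Security'; maiden = "Mother's Maiden Name" }

$hr = @'
sam,ssn,maiden
jdoe,123-45-6789,Parker
msmith,789-56-1234,Cameron
rlee,111-22-3333,"O'Neil, Jr"
tkim,,Kowalski
'@ | ConvertFrom-Csv

function ConvertTo-ProfileLine {
    param([string]$Domain, [psobject]$Row, [System.Collections.IDictionary]$Map)
    $pairs = @()
    foreach ($col in $Map.Keys) {
        $val = ([string]$Row.$col).Trim()
        # The guide documents no quoting rule for the format, so a value the format cannot carry
        # (empty, or containing the ',' / '=' separators) is refused rather than guessed at.
        if (-not $val -or $val -match '[,=]') {
            Write-Warning ("{0}: value for '{1}' is empty or contains ',' or '='; user skipped" -f $Row.sam, $Map[$col])
            return $null
        }
        $pairs += ('{0}={1}' -f $Map[$col], $val)
    }
    return ('{0}\{1}, {2}' -f $Domain, $Row.sam, ($pairs -join ', '))
}

$lines = @($hr | ForEach-Object { ConvertTo-ProfileLine -Domain $Domain -Row $_ -Map $Map } | Where-Object { $_ })
$preload = Join-Path $env:TEMP 'preload.csv'
# The utility accepts Unicode text, so write UTF-16 explicitly (Set-Content defaults vary by version).
$lines | Set-Content -Path $preload -Encoding Unicode
Write-Host ("{0} of {1} HR rows converted" -f $lines.Count, @($hr).Count)

# /E loads the profiles as expired: the HR facts serve only for the first verification, after
# which users must choose their own question/answer pairs.
$importer = Join-Path $env:ProgramFiles 'NetWrix Password Manager\ProfileImporter.exe'
& $importer /E $preload
if ($LASTEXITCODE -ne 0) { Write-Warning "ProfileImporter returned $LASTEXITCODE" }

# The file holds Social Security numbers in clear text; remove it as soon as the import is done.
Remove-Item -Path $preload -Force
```

With the constructed rows, jdoe and msmith are written, rlee is skipped because the maiden name contains a comma, and tkim is skipped because the SSN column is empty; both skips are reported so the HR data can be corrected rather than silently imported wrong.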
Disconnected Mode for Remote Users
Password Manager supports a disconnected mode of operation for remote users who have no access
to the domain at logon time (for example, laptop users on business trips or employees working
from home). The Logon Prompt Extension component must be installed on the client computers,
the users must have an Internet connection, and the Password Manager Web application must be
reachable from outside over HTTPS. This mode works as follows:
1. When a user cannot log on and wants to reset the password, he or she clicks the Logon
Assistance button on the logon screen.
2. The user answers verification questions and if successful goes to the next step.
3. The password is updated on the Password Manager server and replicated to the entire
domain right away. If successful goes to the next step.
4. The password is updated in the local credential cache and after this the user can type
this password and logon successfully in disconnected mode. Both passwords are
synchronized at this point and the user can connect to the domain.
Licensing
The freshly installed Password Manager core service is licensed for a free evaluation period of
20 days. To obtain a permanent commercial license from NetWrix, take the following steps:
1. Open the administrative portal and click License to go to the Licensing Information page.
This page shows a message like the following: "To obtain your license code, please send
the following ID to a technical support representative: 970ac979."
2. Send a message at http://www.netwrix.com/contact.html requesting a license code and
containing the following information:
Company name
Estimated number of users
ID that you looked up on the previous step
3. When you receive the response, fill in the fields on the Licensing Information page:
Company name
License code obtained from NetWrix
Number of users
Further Information
For more information about Password Manager not found in this guide, see the following
documents:
Quick Start Guide—explains the deployment and initial configuration of the product
Help Desk Portal Help (click Help link in the portal) —describes the use of the help desk
portal
Self-service Portal Help (click Help link in the portal)—describes the use of the self-
service portal
©2009 NetWrix Corporation. All rights reserved. NetWrix and Password Manager are
trademarks of NetWrix Corporation and/or one or more of its subsidiaries, and may be registered
in the U.S. Patent and Trademark Office and in other countries. All other trademarks and
registered trademarks are the property of their respective owners.