Page 1: NetWrix Password Manager

NetWrix Password Manager

Administrator Guide


Contents

Introduction ........ 3
  How It Works ........ 3
  Security Considerations ........ 4
    Web Application Security ........ 4
    Password Manager Service Security ........ 4
    Enhanced Security Scenario: Installation in DMZ ........ 5
    Logon Prompt Extension Security ........ 7
    Profile Database Security ........ 7
    Built-in Security Policies ........ 8
Administrative Tasks ........ 8
  Configuring Managed Domains ........ 9
  Configuring Roles ........ 11
  Configuring Self-Service Portal ........ 11
    Appearance and Available Actions ........ 11
    Password Policy ........ 12
    Verification Questions ........ 12
    Notifications ........ 13
  Enabling Self-Service for Users ........ 14
    Manual Enrollment ........ 14
    Automatic Enrollment ........ 15
    Profile Preload ........ 16
  Disconnected Mode for Remote Users ........ 16
  Licensing ........ 16
Further Information ........ 17


Introduction

In an Active Directory environment, administration of user passwords includes many tasks, such as enforcing password security requirements through Group Policy, help desk activity, and bulk configuration of user account options. Typically, these operations are decentralized, and account owners are left out of account management.

NetWrix Password Manager is a solution that helps reduce help desk and administration workload by doing the following:

- Giving end-users self-service Web access to common password administration tasks
- Letting help desk operators unlock accounts and view reports on account state through a simple Web interface
- Letting administrators enforce restrictions on what kinds of passwords can be set

To achieve these tasks, the product distinguishes three roles:

- Self-service Users
- Help desk Operators
- Administrators

By assigning these roles to groups and users, you can control who can perform which password management actions.

To enable users to perform password self-service actions, you need to make sure they complete the process called enrollment. This involves defining verification questions and answers to them as an identity verification mechanism.

Enrollment and subsequent self-service operations can be performed using the self-service portal or the Logon Prompt Extension. There is no difference in functionality between these components—if one of them is deployed, the other is not required. However, with both components in place, password self-service may be more convenient for end users.

How It Works

The product includes 3 components:

- Web application: This component provides the three Web portals that make Password Manager functionality available: the administrative portal, the help desk portal and the self-service portal.
- Core Password Manager service: This service executes actions requested by the Web portals.
- Windows Logon Prompt Extension: This component is called GINA on pre-Windows Vista computers and Credentials Provider on Windows Vista and Windows Server 2008. This application extends the standard Windows logon prompt and pops up a dialog box that lets end-users enroll for password self-service operations.

Both the Logon Prompt Extension and Web clients can connect to the Web service via the secure HTTPS protocol. The Web service, in turn, connects to the Password Manager service via the RPC protocol. The Password Manager service holds a secure profile database in the local file system and communicates with Active Directory via encrypted LDAP and RPC channels.

Security Considerations

Web Application Security

Standard Web application security considerations apply. You should install an SSL certificate (obtained from VeriSign, for example) on your Web server and enable the HTTPS protocol on port 443. It is recommended that you disable non-secure HTTP on port 80.

To install an SSL certificate:

1. On the Password Manager server, open the Internet Information Services MMC snap-in and open the properties of the default Web site: Internet Information Services (IIS) Manager | <computer_name> | Web Sites | Default Web Site.
2. On the Directory Security tab, click the Server Certificate button.
3. Complete the Web Server Certificate Wizard by specifying your certificate.

Note: The Web service component doesn't have any security logic; it acts only as a communication and presentation layer between Web clients/GINA and the Password Manager service. All security checks and policy enforcement are done on the Password Manager server side. However, communications must be secure—this is why SSL is required to prevent data eavesdropping and tampering.

Password Manager Service Security

All connections to the Password Manager service are made via the RPC protocol only. Setup configures the default RPC security settings used on the server machine, and you can change them manually via the Component Services snap-in (the application name is NetWrix Password Manager). The Packet Privacy authentication level is set by default for maximum security.

The Password Manager service authenticates help desk operators and administrators by means of integrated Windows authentication. To configure security roles, use the administrative Web portal. For details, see the Configuring Roles section.

No Windows authentication is done for self-service clients. This is to enable password resets without logon, after question-answer verification. Please do not change the Launch, Activation and Access permissions in the DCOM configuration (anonymous IIS users must be allowed to access the service).

The service account (specified during installation) must be powerful enough to unlock accounts and reset passwords in the managed domains, because all actions, both self-service and help desk, are performed under the service account. The following rights must be delegated on the managed OUs: Change Password, Reset Password, Read Account Restrictions, Write Account Restrictions, Read pwdLastSet, Write pwdLastSet, Read lockoutTime, Write lockoutTime. Delegating these rights on the managed OUs only, rather than at the domain root, keeps accounts outside those OUs (such as administrative accounts) out of reach of the service account. Please refer to Q294952 and Q279723 on the Microsoft support website to learn how to delegate specific rights to the service account.
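The delegation listed above, scripted with dsacls.exe against one managed OU, as an added example that is not part of the NetWrix guide. The OU distinguished name and the service account name are placeholders; the extended-right, property-set and attribute names are passed exactly as the guide lists them.

```powershell
# Added example (not from the NetWrix guide): delegate the rights the guide lists to the
# Password Manager service account on one managed OU. dsacls.exe ships with Windows Server
# (RSAT on workstations). Run as an account that can modify the OU's security descriptor.
$ou  = 'OU=Staff,DC=acme,DC=local'   # placeholder: a managed OU, never the domain root
$svc = 'ACME\svc_pwdmgr'             # placeholder: the service account set during setup

# /I:S = apply to sub-objects only; ';user' restricts each ACE to user objects.
# Extended rights (control access rights, hence 'CA').
dsacls $ou /I:S /G "${svc}:CA;Change Password;user"
dsacls $ou /I:S /G "${svc}:CA;Reset Password;user"

# Read/write property rights ('RPWP') on the Account Restrictions property set
# and on the two attributes the service touches for unlocks and password age.
dsacls $ou /I:S /G "${svc}:RPWP;Account Restrictions;user"
dsacls $ou /I:S /G "${svc}:RPWP;pwdLastSet;user"
dsacls $ou /I:S /G "${svc}:RPWP;lockoutTime;user"

# Verification: show only the ACEs on the OU that mention the service account,
# so a reviewer can confirm nothing broader (e.g. Full Control) was granted.
dsacls $ou | Select-String -SimpleMatch $svc
```

Repeat the block for each managed OU; the verification step is what you keep for the audit trail.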

Enhanced Security Scenario: Installation in DMZ

As an additional security measure, some organizations may want to consider separating the Internet-facing Web Application from the Password Manager Service, which acts as the backend that interfaces with Active Directory domain accounts and passwords. This measure decreases the potential attack surface and improves overall security.

Installation steps are as follows:

1. Backend server (running the Password Manager Service):

   a) Install the product as usual under a domain account having the necessary permissions and rights as described in the previous section.

   b) In the Active Directory Users and Computers snap-in, find the computer account for the selected server in the DMZ and set the checkbox named Trust this computer for delegation.

   c) Create a new domain account called IUSR_NetWrix_DMZ and include this account in the following local groups on the backend server: Guests and Distributed COM Users.

   d) On the backend server, limit the dynamic port number range for RPC connections by running the Component Services snap-in (dcomcnfg.exe), properties of My Computer, Default Protocols tab, Connection-oriented TCP/IP. Specify a range of at least 5 ports, e.g. 4000-4004.

   e) In the firewall settings between the DMZ and the internal network, allow port 135 (TCP) and the port range configured above FROM the DMZ server TO the backend server.

   f) On the backend server, please also verify that the Default Properties tab is configured as follows in Component Services | My Computer | Properties:

   g) Reboot the backend server.

2. Server in DMZ (running the Web Application):

   a) Install the product as usual, under any domain account.

   b) Go to the Services snap-in (services.msc), stop the service named NetWrix Password Manager, and set its startup mode to Disabled.

   c) Go to Component Services (dcomcnfg.exe), Computers\My Computer\DCOM Config, find the item named NetWrix Password Manager, and right-click it for properties.

   d) On the Location tab, uncheck the checkbox Run application on this computer, check Run application on the following computer, and enter the name of the backend server installed in step 1(a) above. Click OK.

   e) Run the IIS Manager snap-in, find the virtual directory created by the installation (usually named PM), right-click for properties, Directory Security tab, click Edit in the Authentication box, and replace the default user name with the user created in step 1(c) above. Don't forget to supply the current password.

3. Perform a test on the client side: navigate to the Password Manager self-service portal (running on the DMZ server) from the outside network to test connectivity and perform basic actions (e.g. enroll and reset password).
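The backend-side settings of steps 1(c) through 1(e), as an added PowerShell example that is not part of the NetWrix guide. It assumes Windows Server 2016 or later on the backend (for the LocalAccounts and NetSecurity cmdlets); the DMZ address, domain name and port range are placeholders, and the registry values are the documented equivalent of the Default Protocols dialog.

```powershell
# Added example (not from the NetWrix guide): script the backend-server side of the DMZ
# scenario. Run elevated on the backend server; reboot afterwards, as step 1(g) requires.
$DmzServerIp = '192.0.2.10'        # placeholder: the Web Application server in the DMZ
$PortRange   = '4000-4004'         # at least 5 ports, as the guide requires
$Domain      = 'ACME'              # placeholder: domain NetBIOS name
$DmzUser     = 'IUSR_NetWrix_DMZ'  # the domain account created in step 1(c)

# Step 1(b) is set on the DMZ server's computer account in AD, not here. Note that the
# "Trust this computer for delegation" checkbox grants unconstrained delegation; prefer
# constrained delegation to the backend's services if your environment supports it.

# Step 1(c): add the DMZ account to the two local groups on the backend server.
foreach ($group in 'Guests', 'Distributed COM Users') {
    Add-LocalGroupMember -Group $group -Member "$Domain\$DmzUser" -ErrorAction Stop
}

# Step 1(d): registry equivalent of Component Services > My Computer > Default Protocols >
# Connection-oriented TCP/IP. With UseInternetPorts = Y, DCOM hands out dynamic endpoints
# only from the 'Ports' list, which is what makes the firewall rule in 1(e) possible.
$rpc = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
New-Item -Path $rpc -Force | Out-Null
Set-ItemProperty -Path $rpc -Name 'Ports'                  -Value @($PortRange) -Type MultiString
Set-ItemProperty -Path $rpc -Name 'PortsInternetAvailable' -Value 'Y'           -Type String
Set-ItemProperty -Path $rpc -Name 'UseInternetPorts'       -Value 'Y'           -Type String

# Step 1(e), host-firewall counterpart: accept the endpoint mapper (135/TCP) and the fixed
# range only from the DMZ server. The network firewall between DMZ and LAN still needs the
# matching rule; this one keeps other hosts from reaching the RPC endpoints directly.
New-NetFirewallRule -DisplayName 'Password Manager RPC from DMZ' -Direction Inbound `
    -Protocol TCP -LocalPort @('135', $PortRange) -RemoteAddress $DmzServerIp -Action Allow

# Verification: the values DCOM will read at the next boot.
Get-ItemProperty -Path $rpc | Select-Object Ports, PortsInternetAvailable, UseInternetPorts
```

After the reboot, confirm from the DMZ server that the Password Manager DCOM item resolves to the backend and that a self-service action completes end to end (step 3).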

Logon Prompt Extension Security

The GINA extension (on Windows XP) or Credentials Provider (on Vista) connects to the Web application using the same mechanism (the HTTPS protocol). Therefore, the same security considerations apply: make sure that you specify an https-prefixed URL during installation and configuration.

The Logon Prompt Extension supports a disconnected mode of operation, that is, no actual connection to the domain is required after the password has been reset using the Password Manager. To read more, please refer to the Disconnected Mode for Remote Users section below.

GINA deployment and configuration can be done via Group Policy. Please see the Password Manager Quick Start Guide for more information.

Profile Database Security

The profile database is maintained exclusively by the Password Manager service. All question-answer pairs for users are stored using non-reversible encryption (as MD5 hashes). Only the first and the last letter of each answer can be decrypted by the Password Manager service (to assist help desk operators in manual user verification). Because answers are usually short, low-entropy strings, hashing alone offers limited protection against offline guessing if the database files are obtained, so the file protections and encrypted backups described below are the primary safeguard.

The profile database is stored in binary files named alinfo.bin, inv_logon.bin and secrets.bin located in the installation folder (%ProgramFiles%\NetWrix Password Manager by default). For additional security, you can apply NTFS permissions and encryption settings to these files.

Regular backup of the profile database files is strongly recommended to avoid potential data loss.

Database backups should be encrypted when copied to backup media (in the simplest case, use password-protected *.zip files).

Built-in Security Policies

Password Manager provides a number of built-in security policies configurable from the administrative portal. The following settings are highly recommended:

- Self-service Roles – allow regular users to perform password resets, but don't include domain administrators and other sensitive users in this role.
- Questions/Answers Policy – configure these settings to make sure that users provide sets of secure question-answer pairs (enforce minimum answer length, prevent duplicates).
- Prevent answer-guessing (brute force attacks) – use these settings to enforce account blocking after a certain number of invalid answers are entered during self-service operations. For example, block for 30 minutes after 10 invalid answer attempts.
- E-mail Notifications – account owners should be alerted by e-mail if someone is trying to perform a self-service operation against their account (see the Notifications section).
- Audit Trail – the product creates a full audit trail and reports on all user activity. It's recommended to perform regular reviews of user activity reports.

Administrative Tasks

This section describes tasks that users with the administrator role can perform. For details about the tasks reserved for help desk operators and self-service access users, see the Password Manager online help.

Most of the administrative tasks are done in the administrative portal, which is available at http://<web_server>/<password_manager_virtual_directory>/admin. The following screenshot shows the main page of the administrative portal.

If the Web page cannot be displayed due to authentication problems, add the Password Manager site to the list of trusted sites in the Internet Properties dialog box on the Security tab (Internet Options facility in the Control Panel).

Configuring Managed Domains

To set the domains where the help desk and self-service portals will be available, open the administrative portal and click the Domains button.

On the page that opens, modify the list of managed domains using the Edit or Remove buttons, or the Add link.

When you add a managed domain or edit an existing one, you can also specify the following settings, which apply to all accounts in the domain:

- Whether to use AD password policy settings. This option is enabled by default, so that all password policy options managed in Active Directory (such as password age and history) are applied during self-service operations. Note that this option has no effect and should be turned off if a minimum password age policy is enabled in your Active Directory.
- Answer guessing prevention settings. These settings help control the security of self-service operations where users need to answer secret questions to proceed.
- Whether and where to detect account lockouts. Turning this option on enables monitoring of account lockout events, which helps users examine the probable causes of account lockouts. This monitoring can occur either on the PDC emulator or on all domain controllers in the domain. Enabling the Only on PDC emulator option (the default) is more efficient, because it generates less network traffic. However, if the PDC emulator is offline, some account lockout events may be lost. The On all domain controllers option helps avoid this. If all your DCs are in the same site, the On all domain controllers option usually works best.


Configuring Roles

To assign the administrator, help desk operator and self-service user roles, open the administrative portal and click the Roles button.

A page opens where you can assign the three roles (self-service access user, help desk operator, and administrator) to groups and users. The descriptions of the roles are given on the screenshot above.

Use the Edit button to make the Role members text box editable. You can supply multiple accounts separated by semicolons without spaces. Use the Check button to verify that the names you specify exist in your Active Directory.

Configuring Self-Service Portal

This section describes settings that control the operation of the self-service portal. To navigate to these options, click the Settings button on the main page of the administrative portal.

Appearance and Available Actions

To customize the look of the self-service portal and the range of self-service activity available to enrolled users, use the Branding and Interface tabs.

The Branding tab lets you personalize the interface by adding information specific to your company, such as a logo, support phone number and hyperlink to a page listing password policy requirements.


The Interface tab lets you enable or disable specific self-service actions, as shown in the following screenshot:

Password Policy

Use the Password Policy tab to set the minimum and maximum password length. These settings apply to all managed domains. You can also configure other password-related settings on a per-domain basis. For details about such settings, see the Configuring Managed Domains section.

Verification Questions

Some self-service operations require answering verification questions as a security measure. When a user enrolls for password self-service, they give an answer to a preset question, and the answer is stored for each user. From then on, the same answer must be given whenever this question pops up again. To define these questions and set constraints for answers, use the Predefined Questions and Question Policy tabs.

On the Predefined Questions tab, edit the list of questions and select whether or not they are used. On the Question Policy tab, configure the constraints you want to impose on the answers and how many questions to ask in which situations.

Notifications

You can configure Password Manager to send users e-mail notifications when specific events occur that have to do with the state of their accounts, passwords and enrollment status. This tab also contains SMTP server settings for e-mail delivery.

Enabling Self-Service for Users

Before members of the Self-service access role can perform self-service operations, they must be enrolled for these operations. Password Manager supports 3 user enrollment options:

- Manual enrollment: End-users must open the self-service portal manually, as instructed by the system administrator.
- Automatic enrollment: End-users are automatically prompted to enroll at logon.
- Profile preload: The system administrator enrolls users based on existing verification data (taken, for example, from an HR database).

Manual Enrollment

After Password Manager deployment, the system administrator sends the URL of the self-service portal to all users in a quick introductory e-mail message explaining the purpose of this system and how to use it. All users need to follow the link in the message to enroll into the system before they can perform self-service tasks.

Advantages:

- No client software deployment.
- Easy to accomplish (just send e-mail).

Disadvantage:

- Many users won't open the URL (they may be too busy or may not understand, etc.), resulting in additional help desk calls.


Automatic Enrollment

The automatic enrollment feature works every time users log on to their computers. The following enrollment dialog box pops up as part of the logon process:

This feature is enabled automatically on all computers with the Logon Prompt Extension module installed (GINA on Windows 2000/XP/2003 and Credentials Provider on Vista and later). Logon Prompt Extension deployment and configuration can be done via Group Policy (please see the Deployment Through Group Policy section in the Quick Start Guide for more information).

If you do not want to install the Logon Prompt Extension on your client computers, you can still use automatic enrollment through Group Policy scripts. Take the following configuration steps:

1. Temporarily install the Logon Prompt Extension on any computer and copy the prmmain.exe file to a file server share accessible to all users (the default location of the file is %ProgramFiles%\Logon Prompt Extension for NetWrix Password Manager). For example, \\pmserver\Enroll\prmmain.exe.
2. Open the Default Domain Policy or create a new Group Policy object using standard Microsoft tools (GPMC or ADUC).
3. Navigate to User Configuration | Windows Settings | Scripts (Logon/Logoff) and add a new logon script that starts prmmain.exe without any arguments.

Advantage:

- Enforces enrollment for self-service to minimize the number of help desk calls.

Disadvantage:

- Requires client deployment (only for the Logon Prompt Extension).


Profile Preload

Many organizations have user-specific data in their HR databases, such as Social Security numbers, places of birth, or similar. With Password Manager, you can preload this existing verification data so that users can perform their first self-service task without extra steps. This also ensures that all users are enrolled for password self-service and further minimizes the number of IT help desk calls.

Advantage:

- Enforces enrollment to minimize help desk calls.

Disadvantage:

- Requires existing user data (from the HR database).

The profile import utility (ProfileImporter.exe) is installed into the program installation folder (%ProgramFiles%\NetWrix Password Manager by default). The utility accepts plain-text Unicode *.csv files with user names and key-value pairs. For example:

    ACME\jdoe, Social Security=123-45-6789, Mother's Maiden Name=Parker
    ACME\msmith, Social Security=789-56-1234, Mother's Maiden Name=Cameron

Import tool syntax:

    ProfileImporter.exe [/O] [/E] <accountlist.txt>

Use the /O option to forcibly overwrite all existing profiles with the new data.

Use the /E option to load profiles as expired and force users to enter new verification key-value pairs after profile validation, while still allowing self-service operations. This option is recommended.
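An added PowerShell example (not part of the guide or of ProfileImporter.exe) that builds the input file shown above from an HR export and drops rows that would load an unusable profile. The HR column names, domain and output path are placeholders, and it assumes the importer treats ',' and '=' as delimiters, so answers containing either character are rejected rather than written.

```powershell
# Added example (not from the NetWrix guide): produce the ProfileImporter.exe input file
# from an HR export. The output holds SSNs, so restrict the folder's NTFS permissions
# and delete the file once the import has run.
$Domain  = 'ACME'                       # placeholder: domain NetBIOS name
$OutFile = 'C:\Secure\pm-preload.csv'   # placeholder: protected location

# Constructed sample of an HR export (in practice: Import-Csv over the real file).
# Row 3 has an empty SSN and row 4 repeats jdoe; both must not reach the importer.
$hr = @'
sAMAccountName,SSN,MaidenName
jdoe,123-45-6789,Parker
msmith,789-56-1234,Cameron
bjones,,Lee
jdoe,123-45-6789,Parker
'@ | ConvertFrom-Csv

function ConvertTo-PreloadLine {
    param([string]$Domain, [pscustomobject]$Row)
    # Map HR columns to the verification keys the preloaded profiles will use
    # (the same two keys as in the guide's sample lines).
    $pairs = [ordered]@{
        'Social Security'      = $Row.SSN
        "Mother's Maiden Name" = $Row.MaidenName
    }
    foreach ($kv in $pairs.GetEnumerator()) {
        if ([string]::IsNullOrWhiteSpace($kv.Value)) {
            throw "empty answer for '$($kv.Key)' ($($Row.sAMAccountName))"
        }
        # Assumption: ',' and '=' are delimiters for the importer, so they cannot
        # appear inside an answer without corrupting the line.
        if ($kv.Value -match '[,=]') {
            throw "answer for '$($kv.Key)' contains ',' or '=' ($($Row.sAMAccountName))"
        }
    }
    $body = ($pairs.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ', '
    return "$Domain\$($Row.sAMAccountName), $body"
}

$seen  = @{}
$lines = foreach ($row in $hr) {
    if ($seen.ContainsKey($row.sAMAccountName)) {
        Write-Warning "duplicate account $($row.sAMAccountName) skipped"; continue
    }
    $seen[$row.sAMAccountName] = $true
    try   { ConvertTo-PreloadLine -Domain $Domain -Row $row }
    catch { Write-Warning $_.Exception.Message }   # skip the bad row, keep going
}

# 'Unicode' in Out-File is UTF-16 LE with a BOM, which is the encoding the utility
# describes as a plain-text Unicode file. Two lines are written for the sample above.
$lines | Out-File -FilePath $OutFile -Encoding Unicode
# Next: ProfileImporter.exe /E $OutFile   (load as expired, as the guide recommends)
```

The warnings are the review list: every account that was skipped must be enrolled another way, or it will be missing from self-service.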

Disconnected Mode for Remote Users

Password Manager supports a disconnected mode of operation for remote users who don't have access to the domain at logon time (e.g. laptop users during business trips or remote employees working from home). The Logon Prompt Extension component must be installed on client computers, users must be connected to the Internet, and the Password Manager must be open via HTTPS for outside access. This mode works as follows:

1. When a user can't log on and wants to reset their password, he or she clicks the Logon Assistance button on the logon screen.
2. The user answers the verification questions and, if successful, goes to the next step.
3. The password is updated on the Password Manager server and replicated to the entire domain right away. If successful, the user goes to the next step.
4. The password is updated in the local credential cache, after which the user can type this password and log on successfully in disconnected mode. Both passwords are synchronized at this point and the user can connect to the domain.

Licensing

The freshly installed Password Manager core service is licensed for a free evaluation period of 20 days. To obtain a permanent commercial license from NetWrix, take the following steps:

1. Open the administrative portal and click License to go to the Licensing Information page. This page shows a message like the following: "To obtain your license code, please send the following ID to a technical support representative: 970ac979."
2. Send a message at http://www.netwrix.com/contact.html requesting a license code and containing the following information:
   - Company name
   - Estimated number of users
   - ID that you looked up in the previous step
3. When you receive the response, fill in the fields on the Licensing Information page:
   - Company name
   - License code obtained from NetWrix
   - Number of users

Further Information

For more information about Password Manager not found in this guide, see the following documents:

- Quick Start Guide—explains the deployment and initial configuration of the product
- Help Desk Portal Help (click the Help link in the portal)—describes the use of the help desk portal
- Self-service Portal Help (click the Help link in the portal)—describes the use of the self-service portal


©2009 NetWrix Corporation. All rights reserved. NetWrix and Password Manager are trademarks of NetWrix Corporation and/or one or more of its subsidiaries, and may be registered in the U.S. Patent and Trademark Office and in other countries. All other trademarks and registered trademarks are the property of their respective owners.