Page 1: Defender Installation and Administration Guide (worlddownloads.quest.com.edgesuite.net/Repository/support.quest...)

Defender 5.3 Installation and Administration Guide


©2008 Quest Software, Inc. ALL RIGHTS RESERVED.

This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc.

If you have any questions regarding your potential use of this material, contact:

Quest Software World Headquarters
LEGAL Dept
5 Polaris Way
Aliso Viejo, CA 92656
USA
www.quest.com
email: [email protected]

Refer to our Web site for regional and international office information.

TRADEMARKS

Quest, Quest Software, the Quest Software logo, Aelita, Benchmark Factory, Big Brother, DataFactory, DeployDirector, ERDisk, Fastlane, Final, Foglight, Funnel Web, I/Watch, Imceda, InLook, InTrust, IT Dad, JClass, JProbe, LeccoTech, LiveReorg, NBSpool, NetBase, PerformaSure, PL/Vision, Quest Central, RAPS, SharePlex, Sitraka, SmartAlarm, Speed Change Manager, Speed Coefficient, Spotlight, SQL Firewall, SQL Impact, SQL LiteSpeed, SQL Navigator, SQLab, SQLab Tuner, SQLab Xpert, SQLGuardian, SQLProtector, SQL Watch, Stat, Stat!, Toad, T.O.A.D., Tag and Follow, Vintela, Virtual DBA, and XRT are trademarks and registered trademarks of Quest Software, Inc. Other trademarks and registered trademarks used in this guide are property of their respective owners.

Disclaimer

The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.

Defender Installation and Administration Guide
Updated - November 2008
Software Version - 5.3


Contents

Chapter 1 Introduction
Intended Audience 1-1
User Requirements 1-1
What is Defender 5? 1-2
RADIUS Authentication 1-3
Communications Protocol 1-4
Defender Tokens 1-4

Defender Token Types 1-5
Defender Self-Registration Service 1-6

Defender Components 1-7
Defender WebMail 1-7
Planning your Defender Installation 1-8
License Requirements 1-9

Acquiring a License Key 1-9
Defender Desktop Token License 1-9

System Requirements 1-10


Chapter 2 Installation
Installation 2-1

Installation Prerequisites 2-1
Installation Sequence 2-3
Installing the Defender Management Console 2-4

Installing the Defender Security Server 2-9
After Installation 2-15
2-17

Installing a Defender User License 2-18
Contents of your Defender User License Email 2-18
Installing the License 2-19

Installing a Defender Desktop Token License 2-25
Installing the Defender Report Console 2-29
Installing the Self-Registration Service 2-37
Defender Delegated Administration 2-41

Version Information 2-41
Administration Rights 2-41
Control Access Rights 2-42

Setting Permissions and Control Access Rights 2-44
Creating a Group 2-44
Setting Active Directory Permissions 2-44
Setting Permissions on the Users OU 2-45
Setting Permissions on the Defender License OU 2-51
Setting Permissions on the Defender User License 2-54
Setting Permissions on the Defender Token License 2-56

Setting Control Access Rights 2-58
Setting Control Access Rights on the Defender Users OU 2-58
Setting Control Access Rights on the Defender Token OU 2-60
After Setting Control Access Rights 2-62

Removing Control Access Rights 2-63
Defender Desktop Login 2-64

Supported Platforms 2-64
Installing the Defender Desktop Login 2-64
Uninstalling the Defender Desktop Login 2-64


Pluggable Authentication Module (PAM) 2-65
Configuring Defender to use PAM 2-65
After Installation 2-67

Chapter 3 Administration
Administration 3-1
Defender Access Node Overview 3-4
Defender Security Server Overview 3-5
Defender Security Policy Overview 3-6
RADIUS Payload 3-7

Aggregating RADIUS Payloads 3-7
Stopping and Restarting the Defender Service 3-9
About Defender 3-11

Chapter 4 Access Node Configuration
Creating a New Access Node 4-1
Defender Access Node Properties 4-7

Changing Defender Access Node Configuration 4-7
Adding Users or User Groups 4-12
Assigning a Defender Security Policy to an Access Node 4-14
Changing the RADIUS Payload 4-22

Chapter 5 Security Policy Configuration
Creating a New Defender Security Policy 5-1
Changing Policy Properties 5-7

Account Settings 5-11
Expiry Settings 5-13
Mobile Provider Settings 5-15
Access Category Settings 5-16
Security Settings 5-18
Logon Hours Settings 5-19

Defining the RADIUS Payload 5-20


Chapter 6 Security Server Configuration
Creating a New Defender Security Server 6-1
Changing Defender Security Server 6-3

Assigning a Defender Policy 6-7
Changing the Prompts 6-13
Changing the RADIUS Payload 6-15

Chapter 7 Token Configuration
Tokens 7-1

Importing Defender Token Serial Numbers 7-1
Token Properties 7-7
Token Details 7-13

User Properties 7-19
Defining a Token Profile 7-19
Assigning a Defender Security Policy to a User 7-31
Changing the RADIUS Payload 7-35

Chapter 8 Token Programming
Programming Defender Tokens 8-1

Defender Token Programming Wizard 8-1
Programming a Defender Handheld Token 8-4
Manually Programming a Defender Handheld Token 8-10
Programming a Defender Handheld Token Plus 8-16
Programming a Defender One Token 8-26
Programming a Defender Desktop Token 8-33
Programming a Defender SMS Token 8-41
Distributing Defender Tokens 8-44

Defender Desktop Token Activation 8-45
Defender Self-Registration Service 8-46

Registering a Defender Token 8-46
Token Event Logging 8-47

Enabling Defender Event Logging 8-48


Chapter 9 Migration
Migration 9-1

What is Migrated? 9-1
Migration Options 9-2
Migrating User Accounts 9-3

Chapter 10 Defender Report Service
Report Service 10-1

Report Types 10-1
Defender Report Console 10-3

Scheduling Reports 10-5
Generated Reports 10-11
Authentication Violation Log 10-13
User Activity 10-16
Authentication Log 10-18
Audit Trail 10-21
Authentication Statistics 10-23
Tokens 10-25
DSS Configuration 10-27
License Information 10-30
User Information 10-32
RADIUS Payload 10-35
Proxied Users 10-37

Index


List of Figures

Figure 1-1 Defender Environment 1-3
Figure 1-2 Defender Self-Registration Service 1-6
Figure 2-1 Defender ADE MMC Installation dialog box 2-4
Figure 2-2 Defender Console Installation (Install Location) dialog box 2-5
Figure 2-3 Defender MMC (Component Installation) dialog box 2-6
Figure 2-4 Defender Console Installation (Control Access Rights) dialog box 2-7
Figure 2-5 Defender Console Installation (Installation Progress) dialog box 2-8
Figure 2-6 Defender Security Server Installation dialog box 2-9
Figure 2-7 Defender Security Server Installation (Install Location) dialog box 2-10
Figure 2-8 Defender Security Server Installation (AD LDAP) dialog box 2-11
Figure 2-9 Defender Security Server (Test Connection) dialog 2-12
Figure 2-10 Defender Security Server (Test Results) dialog 2-13
Figure 2-11 Defender Security Server Installation (Installation Progress) dialog 2-13
Figure 2-12 Defender Security Server Installation (Installation Complete) dialog box 2-14
Figure 2-13 Defender Security Server Installation (AD LDAP) dialog box 2-15
Figure 2-14 Defender Security Server Configuration (Service) dialog box 2-16
Figure 2-15 Defender Security Server Configuration (Audit) dialog box 2-17
Figure 2-16 Defender User License Key and Details 2-18
Figure 2-17 Install User License option 2-19
Figure 2-18 Defender License Import Wizard - Welcome dialog box 2-20
Figure 2-19 Defender Import Wizard (File and Key) dialog box 2-21
Figure 2-20 Example Defender License Key 2-21
Figure 2-21 Defender Import Wizard (File and Key) dialog box 2-22
Figure 2-22 Defender Import Wizard (License Type) dialog box 2-22
Figure 2-23 Defender Import Wizard (Storage Location) dialog box 2-23
Figure 2-24 Defender Import Wizard (Import Progress) dialog box 2-23
Figure 2-25 Defender Import Wizard (Defender Import Complete) dialog box 2-24
Figure 2-26 Install Desktop Token License option 2-26
Figure 2-27 Defender License Import Wizard - Welcome dialog box 2-26


Figure 2-28 Defender Import Wizard (License Files) dialog box 2-27
Figure 2-29 Defender Import Wizard (Import Progress) dialog box 2-28
Figure 2-30 Defender Import Wizard (Defender Import Complete) dialog box 2-28
Figure 2-31 Defender Report Console Installation 2-29
Figure 2-32 Defender Report Console Installation - Software License Agreement 2-30
Figure 2-33 Defender Report Console Installation (Install Location) 2-31
Figure 2-34 Defender Report Console Installation (IIS Configuration) 2-32
Figure 2-35 Defender Report Console Installation (User Privileges) 2-33
Figure 2-36 Defender Report Console Installation (Installation Progress) 2-34
Figure 2-37 Defender Report Console Installation (Installation Complete) 2-35
Figure 2-1 username Properties - Defender tab 2-43
Figure 2-2 Welcome page 2-45
Figure 2-3 Users or Groups dialog box 2-46
Figure 2-4 Tasks to Delegate dialog box 2-47
Figure 2-5 Active Directory Object Type dialog box 2-48
Figure 2-6 Permissions dialog box 2-49
Figure 2-7 Completion dialog box 2-50
Figure 2-8 Active Directory Object Type dialog box 2-52
Figure 2-9 Permissions dialog box 2-53
Figure 2-10 Permission Entry for licensename - Properties 2-55
Figure 2-11 Permission Entry for licensename - Properties 2-57
Figure 2-12 Permission Entry for Users dialog box 2-59
Figure 2-13 Permission Entry for Tokens dialog box 2-61
Figure 2-14 username Properties - Defender dialog box 2-62
Figure 2-15 Advanced Security Settings for groupname dialog box 2-63
Figure 3-1 Directory Users and Computers tree 3-2
Figure 3-2 Defender Security Server Configuration - Service dialog box 3-9
Figure 3-3 User License tab 3-11
Figure 3-4 Defender Desktop Token License tab 3-12
Figure 4-1 New Object - Defender Access Node (name and description) dialog box 4-2
Figure 4-2 New Object - Defender Access Node (node type) dialog box 4-3
Figure 4-3 New Object - Defender Access Node (connection details) dialog box 4-5
Figure 4-4 New Object - Defender Access Node (summary) dialog box 4-6
Figure 4-5 accessnodename Properties - Access Node dialog box 4-8
Figure 4-6 Select Defender Security Servers dialog box 4-11
Figure 4-7 nodename Properties - Members dialog box 4-12
Figure 4-8 Select Users or Groups dialog box 4-13
Figure 4-9 accessnodename Properties - Policy dialog box 4-15
Figure 4-10 Select Defender Policies dialog box 4-16
Figure 4-11 Check Names - Multiple Objects Found dialog box 4-17


Figure 4-12 Effective Policy dialog box 4-19
Figure 4-13 Select Users dialog box 4-20
Figure 4-14 servername Properties - RADIUS Payload dialog box 4-22
Figure 4-15 accessnodename Properties - RADIUS Payload dialog box 4-23
Figure 4-16 Effective Payload dialog 4-24
Figure 4-17 Select Users dialog box 4-25
Figure 5-1 New Object - Defender Policy (name and description) dialog box 5-1
Figure 5-2 New Object - Defender Policy (authentication method) dialog box 5-2
Figure 5-3 New Object - Defender Policy (second authentication method) dialog box 5-3
Figure 5-4 New Object - Defender Policy (account lockout) dialog box 5-4
Figure 5-5 New Object - Defender Policy (password and PIN expiry) dialog box 5-5
Figure 5-6 New Object - Defender Policy (summary) dialog box 5-6
Figure 5-7 policyname Properties - Policy dialog box 5-8
Figure 5-8 policyname Properties - Account dialog box 5-11
Figure 5-9 policyname Properties - Expiry dialog box 5-13
Figure 5-10 policyname Properties - Mobile Provider dialog box 5-15
Figure 5-11 Access Categories dialog box 5-17
Figure 5-12 policyname Properties - Security dialog box 5-18
Figure 5-13 policyname Properties - Logon Hours dialog box 5-19
Figure 5-14 RADIUS Payload (name and description) dialog box 5-20
Figure 5-15 New Object - Defender RADIUS Payload (attributes) dialog box 5-21
Figure 5-16 New Object - Defender RADIUS Payload (attributes) dialog box 5-25
Figure 5-17 RADIUS Payload Attributes (summary) dialog box 5-26
Figure 6-1 New Object - Security Server (name and description) dialog box 6-1
Figure 6-2 New Object - Defender Security Server (prompts) dialog box 6-2
Figure 6-3 New Object - Defender Security Server (summary) dialog box 6-3
Figure 6-4 securityservername Properties - Security Server dialog box 6-4
Figure 6-5 Select Defender Access Nodes dialog box 6-6
Figure 6-6 securityservername Properties - Security Server dialog box 6-7
Figure 6-7 securityservername Properties - Policy dialog box 6-8
Figure 6-8 Select Defender Policies dialog box 6-9
Figure 6-9 Effective Policy dialog 6-10
Figure 6-10 Select Users dialog box 6-11
Figure 6-11 servername Properties - Prompts dialog box 6-14
Figure 6-12 servername Properties - RADIUS Payload dialog box 6-15
Figure 6-13 securityservername Properties - RADIUS Payload dialog box 6-16
Figure 6-14 Effective Payload dialog 6-17
Figure 6-15 Select Users dialog box 6-18
Figure 7-1 Import Tokens option 7-2


Figure 7-2 Defender Token Import Wizard Welcome dialog box 7-2
Figure 7-3 Defender Import Wizard (File and Key) dialog box 7-3
Figure 7-4 Import Defender Token Definitions (File and Key) dialog box 7-4
Figure 7-5 Defender Import Wizard (Available Tokens) dialog box 7-4
Figure 7-6 Defender Import Wizard (Storage Location) dialog box 7-5
Figure 7-7 Defender Import Wizard (Import Progress) dialog box 7-6
Figure 7-8 Defender Import Wizard (Defender Import Complete) dialog box 7-6
Figure 7-9 token Properties (Token) dialog box 7-7
Figure 7-10 Test Token dialog box 7-10
Figure 7-11 token Properties (Details) dialog box 7-13
Figure 7-12 Defender Software Token token Properties (Details) dialog box 7-15
Figure 7-13 Defender HandHeld Token token Properties (Details) dialog box 7-17
Figure 7-14 username Properties - Defender dialog box 7-20
Figure 7-15 Assign Token To User dialog box 7-21
Figure 7-16 Select Defender Tokens dialog box 7-22
Figure 7-17 Test Token dialog box 7-24
Figure 7-18 Helpdesk dialog box 7-25
Figure 7-19 Select Defender Tokens dialog box 7-28
Figure 7-20 Set PIN dialog box 7-29
Figure 7-21 Set Defender Password dialog box 7-30
Figure 7-22 username Properties - Policy dialog box 7-32
Figure 7-23 Select Defender Policies dialog box 7-33
Figure 7-24 Effective Policy dialog 7-34
Figure 7-25 username Properties - RADIUS Payload dialog box 7-35
Figure 7-26 username Properties - RADIUS Payload dialog box 7-36
Figure 7-27 Effective Payload dialog box 7-37
Figure 8-1 Program Tokens option 8-2
Figure 8-2 Defender Token Programming Wizard (Welcome) dialog box 8-2
Figure 8-3 Token Programming Wizard (Token Types) dialog box 8-3
Figure 8-4 Token Programming Wizard (Serial Number) dialog box 8-4
Figure 8-5 Token Programming Wizard (Communications Port) dialog box 8-5
Figure 8-6 Token Programming Wizard (Token Options) dialog box 8-6
Figure 8-7 Token Programming Wizard (Confirmation) dialog box 8-7
Figure 8-8 Defender Token Programming Wizard (Programming Progress) dialog box 8-7
Figure 8-9 Token Programming Wizard (Programming Complete) dialog box 8-9
Figure 8-10 Token Programming Wizard (Serial Number) dialog box 8-10
Figure 8-11 Token Programming Wizard (Token Options) dialog box 8-11
Figure 8-12 Token Programming Wizard (Confirmation) dialog box 8-12


Figure 8-13 Token Programming Wizard (Programming Progress) dialog box . . . 8-12
Figure 8-14 Token Programming Wizard (Programming Progress) dialog box . . . 8-13
Figure 8-15 Token Programming Wizard (Checksum) dialog box . . . 8-14
Figure 8-16 Token Programming Wizard (Programming Complete) dialog box . . . 8-15
Figure 8-17 Token Programming Wizard (Communications Port) dialog box . . . 8-16
Figure 8-18 Token Programming Wizard (PIN) dialog box . . . 8-17
Figure 8-19 Token Programming Wizard (Display Options) dialog box . . . 8-18
Figure 8-20 Token Programming (Token Mode) dialog box . . . 8-19
Figure 8-21 Token Programming Wizard (Confirmation) dialog box . . . 8-20
Figure 8-22 Token Programming Wizard (Programming Progress - 1) dialog box . . . 8-21
Figure 8-23 Token Programming Wizard (Programming Progress - 2) dialog box . . . 8-23
Figure 8-24 Token Programming Wizard (Programming Progress - 3) dialog box . . . 8-24
Figure 8-25 Token Programming Wizard (Programming Complete) dialog box . . . 8-25
Figure 8-26 Token Programming Wizard (Communications Port) dialog box . . . 8-26
Figure 8-27 Token Programming Wizard (PIN) dialog box . . . 8-27
Figure 8-28 Token Programming Wizard (Token Mode) dialog box . . . 8-28
Figure 8-29 Token Programming Wizard (Confirmation) dialog box . . . 8-29
Figure 8-30 Token Programming Wizard (Programming Progress - 1) dialog box . . . 8-29
Figure 8-31 Token Programming Wizard (Programming Progress - 2) dialog box . . . 8-30
Figure 8-32 Token Programming Wizard (Programming Progress - 3) dialog box . . . 8-31
Figure 8-33 Token Programming Wizard (Programming Complete) dialog box . . . 8-32
Figure 8-34 Token Programming Wizard (Defender Desktop Token Types) dialog box . . . 8-33
Figure 8-35 Token Programming Wizard (Token Options) dialog . . . 8-34
Figure 8-36 Token Programming Wizard (Select Token Mode) dialog box . . . 8-36
Figure 8-37 Token Programming Wizard (Select Users) dialog box . . . 8-37
Figure 8-38 Token Programming Wizard (Select Users) dialog box . . . 8-37
Figure 8-39 Token Programming Wizard (Checking User License) dialog box . . . 8-38
Figure 8-40 Token Programming Wizard (Save Activation Codes) dialog box . . . 8-39
Figure 8-41 Token Programming Wizard (Complete) dialog box . . . 8-40
Figure 8-42 Token Programming Wizard (Select Token Mode) dialog box . . . 8-41
Figure 8-43 Token Programming Wizard (Select Users) dialog box . . . 8-42
Figure 8-44 Token Programming Wizard (Select Users) dialog box . . . 8-42
Figure 8-45 Token Programming Wizard (Checking User License) dialog box . . . 8-43
Figure 8-46 Token Programming Wizard (Complete) dialog box . . . 8-44
Figure 9-1 AD Users and Computer page - Migrate Defender 4 Users . . . 9-3
Figure 9-2 Defender Migration Wizard (Welcome) page . . . 9-4
Figure 9-3 Defender Migration Wizard (Search Options) dialog box . . . 9-4
Figure 9-4 Defender Migration Wizard (DSS Connection Settings) dialog box . . . 9-5


Figure 9-5 Defender Migration Wizard (Database Connection) dialog box . . . 9-6
Figure 9-6 Defender Migration Wizard (Search for user records) dialog box . . . 9-7
Figure 9-7 Defender Migration Wizard (Options) dialog box . . . 9-7
Figure 9-8 Defender Migration Wizard (Reimport) dialog box . . . 9-8
Figure 9-9 Defender Migration Wizard (Migrating Records (Simulated)) . . . 9-9
Figure 9-10 Defender Migration Wizard (Migration Complete) dialog box . . . 9-10
Figure 9-11 Defender Migration Wizard (Migrating Records) dialog box . . . 9-11
Figure 9-12 Defender Migration Wizard (Migration Complete) dialog box . . . 9-12
Figure 9-13 Defender 4 - 5 Migration (Simulated) Report . . . 9-13
Figure 10-1 Defender Report Console - Home page . . . 10-3
Figure 10-2 Defender Report Console options . . . 10-4
Figure 10-3 Schedule Report Generation dialog box . . . 10-5
Figure 10-4 Schedule Report Generation (Daily) dialog box . . . 10-6
Figure 10-5 Schedule Report Generation (Weekly) dialog box . . . 10-7
Figure 10-6 Schedule Report Generation (Monthly) dialog box . . . 10-8
Figure 10-7 Schedule Report Generation (One Time Only) dialog box . . . 10-9
Figure 10-8 Generated Reports dialog box . . . 10-11
Figure 10-9 Scheduled Tasks dialog box . . . 10-12
Figure 10-10 Authentication Violation Log - Specify Selection Criteria dialog box . . . 10-13
Figure 10-11 Authentication Violation Log Report . . . 10-14
Figure 10-12 User Activity Reports - Specify Selection Criteria dialog box . . . 10-16
Figure 10-13 User Activity Report . . . 10-17
Figure 10-14 Authentication Log - Specify Selection Criteria dialog box . . . 10-18
Figure 10-15 Authentication Log Report . . . 10-19
Figure 10-16 Audit Trail - Specify Selection Criteria dialog box . . . 10-21
Figure 10-17 Audit Trail Report . . . 10-22
Figure 10-18 Authentication Statistics - Specify Selection Criteria dialog box . . . 10-23
Figure 10-19 Authentication Statistics Report . . . 10-24
Figure 10-20 Tokens - Specify Selection Criteria dialog box . . . 10-25
Figure 10-21 Token Report . . . 10-26
Figure 10-22 DSS Configuration Report - Specify Selection Criteria dialog box . . . 10-27
Figure 10-23 Defender Security Server Configuration Report . . . 10-28
Figure 10-24 License Information Report . . . 10-30
Figure 10-25 User Information Reports - Specify Selection Criteria dialog box . . . 10-32
Figure 10-26 User Information Report . . . 10-34
Figure 10-27 RADIUS Payload Report - Specify Selection Criteria dialog box . . . 10-35
Figure 10-28 RADIUS Payload Report . . . 10-36
Figure 10-29 Proxied User Report - Specify Selection Criteria dialog box . . . 10-37
Figure 10-30 Proxied User Report . . . 10-38


List of Tables

Table 2-1 GINA Command Line and Registry Settings . . . 2-18
Table 2-2 GINA Command Line Switches . . . 2-19
Table 3-1 Fields on the Access Node page . . . 3-8
Table 3-2 Fields on the Policy Page . . . 3-17
Table 3-3 Fields on the policyname Properties - Policy page . . . 3-23
Table 3-4 Fields on the policyname Properties - Account page . . . 3-26
Table 3-5 Fields on the policyname Properties - Mobile Provider page . . . 3-28
Table 3-6 Radius Payload Attributes . . . 3-34
Table 3-7 Fields on the securityserver Properties - Security Server page . . . 3-43
Table 3-8 Fields and buttons on the Defender page . . . 3-58
Table 6-1 Fields on the Authentication Violation Log Report . . . 6-5
Table 6-2 Fields on the DSS Configuration Report . . . 6-19
Table 6-3 Fields on the License Information Report . . . 6-21


1 Introduction

This guide provides step-by-step procedures for Defender administrators. It includes:

• an introduction to Defender

• a description of the Defender components

• how to plan your installation

• license requirements

• system requirements

• how to install Defender

• how to configure Defender

• how to use the Self-Registration Service to register a Defender Go-1, Defender Go-3 or ActivIdentity Smart Card

• how to migrate from earlier versions of Defender to Defender 5.3.

Intended Audience

This book is intended for administrators who want to install and configure Defender, assign and distribute Defender tokens and manage Defender agents and the Defender Security Server.

User Requirements

This book does not provide tutorial information on the use of the Windows operating system or on network communication concepts. Users must have experience in using the specified operating system and an understanding of networking concepts.


What is Defender 5?

Defender is an easy-to-install, simple-to-use product that utilizes the power and flexibility of Microsoft Active Directory (AD) to provide strong two-factor authentication for your organization.

Two-factor authentication requires something unique that the user has (a security token) and something unique that the user knows (a PIN).

Defender provides:

• seamless integration with Microsoft AD, using AD administration tools and techniques

• centralized administration for all Defender users

• simple migration from earlier versions of Defender with no change to end-user experience

• automated replication and backup for Defender data

• multiple points of authentication for load balancing and redundancy

• the ability for users to register their own Defender Go-1, Defender Go-3 and ActivIdentity Smart Card information, using the Self-Registration Service

• support for Webthority

• support for Defender 4 agents

• Defender Desktop Login for Windows

• extensive reporting facilities.


Figure 1-1: Defender Environment

RADIUS Authentication

Defender allows authentication by means of the RADIUS protocol for environments that include RADIUS users and/or RADIUS protected access devices.

Devices that use the RADIUS protocol for authentication must be able to communicate with the Defender Security Server on the ports that they have been configured to use.

Defender includes the facility for Vendor Specific Attributes (VSAs) to be specified in the RADIUS Payload. For further information on VSAs, refer to the RADIUS RFC at www.ietf.org/rfc.
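To make the RADIUS payload concrete, the following Python builds an Access-Request with a Vendor-Specific Attribute (attribute 26) and parses it back, following RFC 2865. It is an added example, not code from the guide or from Quest's product; the shared secret, user, vendor id and VSA value are constructed for illustration and are not Defender's own.

```python
"""RADIUS Access-Request carrying a Vendor-Specific Attribute (RFC 2865). Added example:
the access-node side builds and hides, the server side parses and reveals. Secret, user
and VSA values are constructed for illustration; the vendor id is not Defender's."""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_VENDOR_SPECIFIC = 26
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, c_i = p_i XOR MD5(secret + c_{i-1}) with
    c_0 = Request Authenticator. The shared secret is the only protection applied."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password; the mask chains on ciphertext blocks."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts its own two header bytes, so value <= 253."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """RFC 2865 5.26 layout: Vendor-Id (4 bytes), then Vendor type, Vendor length, value."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def build_access_request(identifier, secret, username, password, nas_ip, vsas,
                         authenticator=None):
    """Assemble an Access-Request; vsas is a list of (vendor_id, vendor_type, value)."""
    authenticator = authenticator or os.urandom(16)  # must be unpredictable in real use
    attrs = encode_attr(ATTR_USER_NAME, username.encode())
    attrs += encode_attr(ATTR_USER_PASSWORD,
                         hide_password(password.encode(), secret, authenticator))
    attrs += encode_attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    for vendor_id, vendor_type, value in vsas:
        attrs += encode_vsa(vendor_id, vendor_type, value)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + authenticator + attrs


def parse_packet(data: bytes):
    """Parse header and attributes; a VSA comes back as (26, (vendor_id, vendor_type, value)).
    Every length is checked against the Length field before it is trusted (RFC 2865 3)."""
    if len(data) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < HEADER_LEN or length > len(data):  # bytes past Length are padding
        raise ValueError("Length field inconsistent with datagram")
    authenticator, attrs, pos = data[4:HEADER_LEN], [], HEADER_LEN
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("bad attribute length")
        attr_type, attr_len = data[pos], data[pos + 1]
        value = data[pos + 2:pos + attr_len]
        if attr_type == ATTR_VENDOR_SPECIFIC:
            if len(value) < 6 or value[5] != len(value) - 4:
                raise ValueError("malformed VSA")
            attrs.append((attr_type, (struct.unpack("!I", value[:4])[0], value[4], value[6:])))
        else:
            attrs.append((attr_type, value))
        pos += attr_len
    return code, identifier, authenticator, attrs


def demo():
    """Round trip with constructed values; a fixed authenticator keeps the run reproducible."""
    secret = b"example-shared-secret"
    authenticator = bytes(range(16))  # demo only; never fixed or reused in a real client
    pkt = build_access_request(7, secret, "alice", "1234567890", "10.0.0.5",
                               [(99999, 1, b"payload=example")], authenticator)
    code, identifier, auth, attrs = parse_packet(pkt)
    by_type = dict(attrs)
    return {"code": code, "identifier": identifier, "length": len(pkt),
            "user": by_type[ATTR_USER_NAME].decode(), "vsa": by_type[ATTR_VENDOR_SPECIFIC],
            "password": reveal_password(by_type[ATTR_USER_PASSWORD], secret, auth).decode()}
```

Because the password hiding is keyed only by the shared secret, the secret configured on each Access Node and on the DSS should be long and random, and the RADIUS path between them should be kept on a controlled network.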


Communications Protocol

Defender uses TCP/IP to communicate with AD via LDAP on port 389.

Defender Tokens

Defender 5 supports the following token types:

• Authenex OATH Compliant Token

• Defender Go-1 Token

• Defender Go-3 Token

• Defender DualTok Token

• Digipass Pro 260 Token

• Digipass Pro 300 Token

• Defender One Token

• Defender Hand-Held Token

• Defender Hand-Held Token Plus

• Defender USB Token


• Defender Desktop Token for the following platforms:

  • Windows

  • Palm

  • Blackberry

  • Windows Mobile

  • iPaq

• Defender Mobile.

Defender Token Types

A Defender token implemented in software or hardware helps remote users gain access to computer resources on a Defender-protected network. The process of gaining access to a secure network through the use of passwords, challenge/response methods, and synchronous methods is called authentication.

The Defender solution includes a variety of token options. All provide strong two-factor authentication.

Note: If you are using Defender Desktop Tokens for the Palm device, you must install the Palm HotSync software.


Defender Self-Registration Service

This feature allows users to register both new and replacement Defender Go-x tokens. This means that the administrator does not have to perform this task for each user and the administrative overheads are significantly reduced. The Defender Self-Registration Service is implemented as a Web-based service, typically provided on a company’s Intranet.

Figure 1-2: Defender Self-Registration Service


Defender Components

Defender consists of four main components:

• Defender Security Server: a software device that performs two-factor authentication of users.

• Defender Management GUI: AD schema and MMC snap-in extensions used to manage Defender users and tokens.

• Defender Self-Registration Service: a service that allows users to register their own new and replacement Defender Go-x tokens.

• Defender Report Service: a report console that provides access to a variety of reports that can be extracted for viewing or printing, based on specific selection criteria.

Defender WebMail

If you are using Defender WebMail, define the WebMail Agent as a new Access Node, as described in Creating a New Access Node on page 4-1.

If you are running a version of Defender WebMail:

• earlier than 1.2, ensure that you define an Access Node Type of Defender Agent

• 1.2 or higher, ensure that you specify a Node Type of Radius Agent.


Planning your Defender Installation

This section describes the information you need to gather and the actions to perform before you install Defender. Ask yourself the following questions:

• Where should I locate the Defender components? Quest strongly recommends that all machines running Defender are located where you can strictly control physical access to them. You should consider adding a backup Defender Security Server to enable you to continue authenticating users if your primary Defender Security Server becomes unavailable.

• What are the network considerations? Defender components communicate with each other using the methods described below, and the machines on which you install them must be able to communicate with one another. If your environment uses routers and firewalls, these must be configured to allow the Defender components to communicate.

  • The DSS uses LDAP to communicate with the domain controllers in Active Directory on port 389 and port 636.

  • Defender Access Nodes are the firewalls, VPN devices, etc. within your environment. These use RADIUS to communicate with the DSS. RADIUS communication uses UDP ports 1812/1813 or 1645/1646. Devices that use the RADIUS protocol for authentication must be able to communicate with the Defender Security Server on the ports that they have been configured to use.

  • Defender Agents use TCP port 2626 to communicate with the DSS.

  • Defender components use TCP/IP to communicate with AD via LDAP on port 389.
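The port requirements above, turned into a pre-installation check. This is an added example, not part of the guide or of Quest's product: it encodes the flows listed in the planning question and probes the TCP ones from a machine whose role you name; the host names and the injectable probe are constructed assumptions.

```python
"""Pre-installation connectivity check for the Defender flows described in the guide.
Added example; host names and the injectable probe are constructed for illustration."""
import socket

# (source role, destination role, protocol, ports, purpose), taken from the guide's text.
# The RADIUS ports are alternatives: a deployment uses 1812/1813 or 1645/1646, not all four.
FLOWS = [
    ("DSS", "domain controller", "tcp", (389, 636), "LDAP and LDAPS to Active Directory"),
    ("access node", "DSS", "udp", (1812, 1813, 1645, 1646), "RADIUS authentication/accounting"),
    ("Defender agent", "DSS", "tcp", (2626,), "Defender Agent protocol"),
]


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Plain TCP connect test from this machine; True if the peer accepted the connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def plan_checks(local_role: str, hosts_by_role: dict) -> list:
    """Expand FLOWS into concrete (host, proto, port, purpose) checks for the flows that
    originate on a machine with local_role, e.g. run on the DSS to verify its path to the DCs."""
    checks = []
    for src, dst, proto, ports, purpose in FLOWS:
        if src != local_role:
            continue
        for host in hosts_by_role.get(dst, []):
            for port in ports:
                checks.append((host, proto, port, purpose))
    return checks


def run_checks(local_role: str, hosts_by_role: dict, probe=tcp_probe) -> list:
    """Probe each planned TCP flow. UDP (RADIUS) cannot be confirmed by connecting, so it is
    reported as 'manual': confirm it on the firewall rule base and with a real RADIUS test."""
    results = []
    for host, proto, port, purpose in plan_checks(local_role, hosts_by_role):
        if proto == "udp":
            status = "manual"
        else:
            status = "open" if probe(host, port) else "blocked"
        results.append({"to": host, "proto": proto, "port": port,
                        "purpose": purpose, "status": status})
    return results


def summarize(results: list):
    """Return (status counts, readable list of blocked flows) to hand to the firewall team."""
    counts = {}
    for r in results:
        counts[r["status"]] = counts.get(r["status"], 0) + 1
    blocked = [f"{r['proto']}/{r['port']} to {r['to']} ({r['purpose']})"
               for r in results if r["status"] == "blocked"]
    return counts, blocked


if __name__ == "__main__":
    # Constructed deployment: run this on the DSS to verify its LDAP/LDAPS path to the DCs.
    hosts = {"domain controller": ["dc1.example.test"], "DSS": ["dss1.example.test"]}
    print(summarize(run_checks("DSS", hosts)))
```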


License Requirements

To run a Defender Security Server, you must have a valid user license for the number of users that will authenticate to the Defender Security Server.

The Defender Security Server user license is installed into AD using the Defender Management Console.

Note: For a permanent Defender license, you will need to provide the fully qualified domain name of the domain in which the Defender Security Server is installed.

Acquiring a License Key

Complete the form located at the following link for licensing assistance with any Quest product:

https://support.quest.com/SUPPORT/index?page=licenseKey

To obtain a trial license for a Quest product, send an email to [email protected].

Defender Desktop Token License

If you want to generate Defender Desktop Tokens, you must have a valid Defender Desktop Token license.

Multiple licenses of the same type, either temporary or permanent, can be installed on the same platform, enabling you to purchase licenses for additional tokens as required. For further information, refer to Installing a Defender Desktop Token License on page 2-25.


System Requirements

This section describes the system requirements for Defender components:

Defender MMC Snap-in:

• Windows 2000 Server, Windows 2003 Server or Windows 2008 Server

• Microsoft Active Directory

• Active Directory Administration Tools

• 128 Mb RAM

Defender Security Server:

• Windows 2000 Server, Windows 2003 Server or Windows 2008 Server

• 128 Mb RAM

Defender Self-Registration Service:

• Windows 2000 Server, Windows 2003 Server or Windows 2008 Server

• Internet Information Services

• 128 Mb RAM

Note: Clients require Internet Explorer 6 or higher.

Defender Reports Console:

• Windows 2000 Server, Windows 2003 Server or Windows 2008 Server

• Internet Information Services

• 128 Mb RAM

Note: Clients require Internet Explorer 6 or higher.

2 Installation

Installation

This section provides all the information you need to install the Defender components.

Installation Prerequisites

Quest recommends that all machines running Defender are located where you can strictly control access to them. Consider adding a second Defender Security Server (DSS) to ensure that user authentication can continue if one becomes unavailable.

Before you install Defender, ensure that:

• the account you will use to install Defender is a member of the Domain Admins group

• the account you will use to install the Schema updates is a member of the Schema Admins group

• you have created the service account that the DSS will use to access the Active Directory, and that this account is a member of the Domain Admins group or has the permissions required to access the Defender attributes within Active Directory. For further information, refer to the Delegation of Administration Rights guide available from http://support.quest.com

• TCP/IP is installed on the machines where you will install Defender

• the machines where you will install the Defender components have static IP addresses

• you have administrative privileges on all the machines on which you install Defender components

• you are familiar with the Microsoft Active Directory system that will be used by Defender.


Pre-installation Checklist

Before installing the Defender components, take a moment to complete the following checklist. This will ensure that you have completed the pre-installation requirements and have all the necessary information to hand for the Defender installation procedure.

1. Where do you want to install the Defender Management Console? You can specify a directory path or accept the default path offered by Defender.

2. If you are performing a first-time installation of Defender, check the Schema Updates checkbox when prompted. The MMC Snap-in Extensions check box is checked by default.

3. Are you upgrading from Defender 5 to Defender 5.3? If yes, and you want to migrate your Defender 5 token assignments, check the Migrate Defender 5.0 Token Assignments box when prompted. If you are upgrading from Defender version 4.x to Defender 5.3, use the Defender Migration Wizard. Refer to Chapter 9, Migration, for further information.

4. Where do you want to install the Defender Security Server? You can specify a directory path or accept the default path offered by Defender.

5. What is the DNS name or IP address of the machine on which Active Directory is running?

6. What is the number of the LDAP port for Active Directory? This is the port number that Defender will use to access the Active Directory. You can specify a port number or accept the default port number offered by Defender (389).

7. What is the full distinguished user name for the administrator that is used to change passwords?

8. What is the password used by the administrator?


Installation Sequence

You are now ready to start the installation procedure. Install the Defender components in the following sequence:

• Defender Management Console:

• Schema updates - updates to your Active Directory Schema required to support Defender

• Defender OU - default container for Defender objects

• MMC Snap-ins - extends the Active Directory Users and Computers tool to include the Defender Management Console

• Defender Security Server - authenticates RADIUS and Defender Agent requests from Access Nodes

• Defender Security Server User License

• Defender Tokens

• Defender Desktop Token License (if you want to generate Desktop Tokens)

• Defender Reports Service (optional)

• Defender Self-Registration Service (optional) (refer to the Defender Self-Registration Quick Start Guide).


Installing the Defender Management Console

To install the Schema updates, MMC Snap-ins and create the Defender container:

1. Run DefenderADE MMC Installer.exe. The Defender ADE MMC Installation dialog box is displayed:

Figure 2-1: Defender ADE MMC Installation dialog box

2. Click Next. The Software License Agreement is displayed.


3. Click Next. The Defender Console Installation (Install Location) dialog box is displayed:

Figure 2-2: Defender Console Installation (Install Location) dialog box

4. Click Next to accept the default location. Alternatively, click Browse to choose a different installation directory, then click Next to continue. The Defender ADE MMC Installation (Component Installation) dialog box is displayed:


Figure 2-3: Defender MMC (Component Installation) dialog box

5. If you are performing a first installation of Defender, you must check the Schema Updates checkbox.

6. The Create ‘Defender’ Organizational Unit checkbox is checked by default. This will create an organizational unit in Active Directory called Defender.

7. The MMC Snap-in Extensions check box is checked by default. This will install the Defender Management Console extensions.

Note: The schema updates are only installed once for the enterprise. The MMC extensions are installed on all PCs that will be used to manage Defender.


8. Click Next. The Defender Console Installation (Control Access Rights) dialog box is displayed:

Figure 2-4: Defender Console Installation (Control Access Rights) dialog box

9. To delegate access control rights to Defender users, check the Install Defender Control Access Rights checkbox. On completion of the installation, refer to Defender Control Access Rights on page 40, for information on how to delegate control access rights.

10. Click Finish. The Defender Console Installation (Installation Progress) dialog box is displayed.


11. The Defender Console Installation Progress dialog is displayed:

Figure 2-5: Defender Console Installation (Installation Progress) dialog box

12. On completion, the Defender Console Installation Complete dialog is displayed.


Installing the Defender Security Server

To install the Defender Security Server:

1. Run Defender Security Server Installer.exe. The Defender Security Server Installation dialog box is displayed:

Figure 2-6: Defender Security Server Installation dialog box

2. Click Next. The Software License Agreement is displayed.


3. Click Next. The Defender Security Server Installation (Install Location) dialog box is displayed:

Figure 2-7: Defender Security Server Installation (Install Location) dialog box

4. Click Finish to accept the default setting as the location where the Defender Security Server will be installed. Alternatively, click Browse to choose a different directory, then click Finish. The following message is displayed:

5. If you click No, you must perform the configuration via the shortcut on the Programs menu before the Defender Security Server is started for the first time. To configure the Defender Security Server now, click Yes. The Defender Security Server Configuration dialog box is displayed:

Figure 2-8: Defender Security Server Installation (AD LDAP) dialog box

6. In the Address field, type the DNS name or IP address of either the domain or individual domain controller used by the Defender Security Server.

7. In the Port field, type the number of the LDAP port that the Defender Security Server will use to establish a connection to the Active Directory. The default port number is 389.

8. In the SSL Port field, type the number of the port that the Defender Security Server will use to establish a secure connection to the Active Directory. This port is used only to communicate user password changes between the Defender Security Server and the Active Directory. If you want the Defender Security Server to establish a secure connection to the Active Directory for all communication, do not specify a port number in the Port field in Step 7 on page 2-11. The default SSL port number is 636.

9. In the Admin User field, type the full distinguished name (DN) of the administrator account that will be used to communicate with Active Directory. This account must have administrative authority. For example: cn=administrator,cn=users,dc=quest,dc=com

10. In the Admin Password field, type the password used by the account defined in the Admin User field above.

11. To test the connections between the Defender Security Server and the domain controllers in your environment, select the Test tab. The Defender Security Server (Test Connection) dialog is displayed:

Figure 2-9: Defender Security Server (Test Connection) dialog

12. Click Test. The Defender Security Server will now check that it is able to connect to LDAP and communicate with the domain controllers and access nodes configured within the Defender environment. After a short delay, the test results are displayed:

Figure 2-10: Defender Security Server (Test Results) dialog

13. Click OK. The Defender Security Server Installation Progress dialog is displayed:

Figure 2-11: Defender Security Server Installation (Installation Progress) dialog

14. To display a log of the actions performed during the Defender Security Server installation procedure, check the Show Log checkbox. The log includes the names and version numbers of files copied and the directory locations they are copied into during installation.

15. Click Next. The Defender Security Server (Installation Complete) dialog is displayed:

Figure 2-12: Defender Security Server Installation (Installation Complete) dialog box

16. Click Finish. On completion of the installation, a Defender Active Directory Edition program group is created.
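The Test button in Step 12 confirms that the Defender Security Server can reach LDAP, but it does not show which certificate the domain controller presents on the SSL port from Step 8. The following PowerShell function is an added example, not part of the guide or the Defender product: it opens a TLS session to the port and reports the certificate, its expiry and any chain or name validation errors, so that problems surface before the port is relied on for password changes (or for all traffic, if the Port field was left empty). The host name dc01.quest.com is an assumption for illustration.

```powershell
# Added example (not from the guide): inspect the certificate a domain controller
# presents on its LDAPS port before configuring it as the Defender SSL Port.
# The server name below is an assumption; replace it with your DC or domain name.
function Test-LdapsEndpoint {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [int] $Port = 636            # default SSL port from Step 8
    )
    # Filled in by the validation callback; default covers the no-certificate case.
    $script:ldapsPolicyErrors = 'RemoteCertificateNotAvailable'
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl    = $null
    try {
        $client.Connect($Server, $Port)
        # Record the validation result instead of aborting the handshake, so the
        # certificate can be reported either way; the Ok field carries the verdict.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $certificate, $chain, $sslPolicyErrors)
            $script:ldapsPolicyErrors = $sslPolicyErrors
            return $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        # The name passed here must match the certificate, exactly as the Address
        # field in Step 6 must; a mismatch shows up as RemoteCertificateNameMismatch.
        $ssl.AuthenticateAsClient($Server)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        [pscustomobject]@{
            Server      = $Server
            Port        = $Port
            Protocol    = $ssl.SslProtocol
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            NotAfter    = $cert.NotAfter
            ChainErrors = $script:ldapsPolicyErrors
            Ok          = ([string]$script:ldapsPolicyErrors -eq 'None')
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

Test-LdapsEndpoint -Server 'dc01.quest.com' | Format-List
```

Run it from the machine that will host the Defender Security Server, because the chain is validated against that machine's trusted root store; an Ok of False with RemoteCertificateChainErrors usually means the issuing CA is not trusted there, which the Test button in Step 12 will not point out.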

After Installation

To configure the Defender Security Server after installation:

1. From the Start menu, select Defender Active Directory Edition program group, then Configure Defender Security Server. The Defender Security Server Installation dialog box is displayed:

Figure 2-13: Defender Security Server Installation (AD LDAP) dialog box

For a description of the fields in the Defender Security Server Installation (Active Directory LDAP) dialog box, refer to Step 6 on page 2-11.

2. To test the connections between the Defender Security Server, LDAP and the domain controllers, select the Test Connection tab. For a description of the Test Connection dialog, refer to Step 11 on page 2-12.

3. To check the status of the Defender Security Server service, select the Service tab. The Defender Security Server Configuration (Service) dialog box is displayed:

Figure 2-14: Defender Security Server Configuration (Service) dialog box

The Service dialog box indicates whether the Defender Security Server service is installed and whether it is currently running or stopped. To restart the service if it is currently stopped, click Restart Service. To stop the service if it is currently running, click Stop Service.

Configuring Defender Security Server Logs

Log files record all authentication activity for the Defender Security Server and are stored in the default location shown below:

C:\Program Files\Quest Software\Defender\DSS Active Directory Edition\Logs

To configure the Security Server logs:

1. Select the Audit tab:

Figure 2-15: Defender Security Server Configuration (Audit) dialog box

2. To change the location where the log file is stored, click Browse and navigate to the required location.

3. In the Size of Log field, specify the maximum size of the log file.

4. If required you can create an additional log file which is a copy of the latest complete Defender Security Server log file. The additional log file is assigned a fixed name, including the .txt extension, for example currentlog.txt, making it easy to identify and use with other logging systems. To create an additional log file, check the Create additional log file with fixed name checkbox, then enter the name of the additional log file in the Name field.

5. Click OK.

Installing a Defender User License

Before you can assign tokens to users, add or authenticate users at the Defender Security Server, you must install your user license.

Contents of your Defender User License Email

Your user license is in the email received from Quest Software. The license key and details are contained in the attachment called customername - licensetype - dateofissue.msg:

Figure 2-16: Defender User License Key and Details

The user license must be valid for the total number of users that will be assigned tokens. Check the details carefully before installing your license.

Attached to the license details is a .txt file, called customername - licensetype - dateofissue.txt. This .txt file contains your encrypted license file:

Right-click customername - licensetype - dateofissue.txt and select Save as from the list. Save this file to a location of your choice. You will retrieve the file from this location during the license installation procedure.

Installing the License

To install your Defender user license:

1. From the Users and Computers tree, click Defender on the menu bar.

Figure 2-17: Install User License option

2. Select Install User License from the menu. The Defender License Import Wizard starts:

Figure 2-18: Defender License Import Wizard - Welcome dialog box

3. Click Next. The Defender Import Wizard (File and Key) dialog box is displayed:

Figure 2-19: Defender Import Wizard (File and Key) dialog box

4. Click Browse to navigate to the directory where the customername - licensetype - dateofissue.txt file is located. Select the file, then click Open. The name of the license file is displayed in the Filename field.

5. You need your Defender user license key to unlock the license file. The license key is in the email sent to you from Quest Software Licensing. An example email is shown below:

Figure 2-20: Example Defender License Key

6. Open the email, then highlight the license key.

7. From the menu bar, select Edit, Copy to copy the license key.

8. Return to the Defender Import Wizard (File and Key) dialog box, then click Paste to paste the license key into the Key fields.

Figure 2-21: Defender Import Wizard (File and Key) dialog box

9. Click Next. The Defender Import Wizard (License Type) dialog box is displayed:

Figure 2-22: Defender Import Wizard (License Type) dialog box

10. Click Next. The Defender Import Wizard (Storage Location) dialog box is displayed:

Figure 2-23: Defender Import Wizard (Storage Location) dialog box

11. Click Select to navigate to the location where you want to store the user license. Alternatively, click Next to accept the default location and continue. The Defender Import Wizard (Import Progress) dialog box is displayed:

Figure 2-24: Defender Import Wizard (Import Progress) dialog box

12. Click Next. The Defender Import Wizard (Defender Import Complete) dialog box is displayed:

Figure 2-25: Defender Import Wizard (Defender Import Complete) dialog box

Installing a Defender Desktop Token License

Before you can generate Defender Desktop Tokens, you must have a valid Defender Desktop Token license.

Multiple licenses of the same type, either temporary or permanent, can be installed on the same platform, enabling you to purchase licenses for additional tokens as required. Before installing a Defender Desktop Token license, read the following information:

• ensure that your license covers the total number of Defender Desktop Tokens that you want to generate

• ensure that all licenses for a specific platform are of the same type, either temporary or permanent. It is not possible to have a temporary license and a permanent license installed on the same platform at the same time

• if a temporary license already exists on the platform, you must delete it before installing a permanent license

• if you have already generated tokens under an existing temporary license, and now you want to install a permanent license, the permanent license must be valid for the same number of tokens as the temporary license, or more. You cannot replace an existing license with a new license that is valid for less than the number of tokens you have already generated.

• a temporary license cannot be installed after its expiry date.

The Defender Desktop Token license is required in addition to the Defender User license. For further information about the Defender User license, refer to Installing a Defender User License on page 2-18.

To install a Defender Desktop Token license:

1. From the Users and Computers tree, click Defender on the menu bar.

Figure 2-26: Install Desktop Token License option

2. Select Install Desktop Token License from the menu. The Defender License Import Wizard starts:

Figure 2-27: Defender License Import Wizard - Welcome dialog box

3. Click Next. The Defender Import Wizard (File and Key) dialog box is displayed:

Figure 2-28: Defender Import Wizard (License Files) dialog box

4. To add a license file to the Licenses to install list, click Add File. A list of available software token license files is displayed. Click on the required file, then click Open. The selected file is added to the Licenses to install list.

5. Click Next. The Defender Import Wizard (Import Progress) dialog box is displayed:

Figure 2-29: Defender Import Wizard (Import Progress) dialog box

6. Click Next. The Defender Import Wizard (Defender Import Complete) dialog box is displayed:

Figure 2-30: Defender Import Wizard (Defender Import Complete) dialog box

Installing the Defender Report Console

To install the Defender Report Console:

1. Run the Defender Reports Installer.exe file. The Defender Report Console Installation Wizard starts:

Figure 2-31: Defender Report Console Installation

2. Click Next. The Software License Agreement is displayed:

Figure 2-32: Defender Report Console Installation - Software License Agreement

7. Check the I accept the license agreement checkbox.

8. Click Next. The Defender Report Console Installation (Install Location) dialog box is displayed.

Figure 2-33: Defender Report Console Installation (Install Location)

9. Click Next to accept the default location. Alternatively, click Browse to choose a different installation location, then click Next.

10. The Defender Report Console Installation (IIS Configuration) dialog box is displayed:

Figure 2-34: Defender Report Console Installation (IIS Configuration)

To enable Defender to automatically configure IIS Web Services, ensure that the Automatically Configure IIS Web Services checkbox is checked. Quest recommends that you allow Defender to automatically configure IIS Web Services. In the TCP Port field, enter the port number that will be used for communications between Defender and the Web site. If you do not want to automatically configure IIS Web Services, uncheck the Automatically Configure IIS Web Services checkbox. To configure IIS Web Services after installation, refer to Defender Report Service Configuration on page 2-36. Alternatively, refer to the readme file installed with the Defender Reports Console.

11. Click Next. The Defender Report Console Installation (User Privileges) dialog box is displayed:

Figure 2-35: Defender Report Console Installation (User Privileges)

12. To add the names of users who are authorized to access the Defender Reports Console to the list, click Add.

13. In the User field, type the name of the user account that will be used to run the Defender Reports Console. The user account you specify here must have administrative privileges. To select a user name, click Browse.

14. In the Password field, type the password used by the user name specified in Step 13 on page 2-33.

15. In the Confirm field, type the password again to confirm it.

16. Click Next. The Defender Report Console Installation (Installation Progress) dialog box is displayed:

Figure 2-36: Defender Report Console Installation (Installation Progress)

17. Click Next. The Defender Report Console Installation (Installation Complete) dialog box is displayed:

Figure 2-37: Defender Report Console Installation (Installation Complete)

18. Click Finish. The readme file is displayed. The Defender Report Console installation procedure is now complete.

Defender Report Service Configuration

This section describes the Defender Reports Service configuration procedure. If you checked the Automatically Configure IIS Web Server checkbox during the installation procedure, skip to Step 16 on page 2-35.

1. In the domain containing the users protected by Defender, set up a machine to provide the Web services.

2. Install Internet Information Services on the Web server machine.

3. From the server machine, open the Internet Information Services applet and create a new Web site.

4. When prompted for the home directory for the Web site, specify the directory where the Defender Report Service files are installed.

5. Uncheck the Allow anonymous access to this web site box.

6. At the prompt for web site access permissions, grant Execute, Read and Run Scripts permissions.

7. Open the Properties dialog for the new Web site.

8. Select the Documents tab.

9. Remove all entries from the list of documents and add d5ReportFrame.htm.

10. Open the Properties dialog for the Downloads folder for the new Web site.

11. Select the HTTP Headers tab, then click Add.

12. In the Add/Edit Custom HTTP Header dialog, add Content-Disposition as the Custom header name and attachment; filename=DefenderReport.xml as the Custom header value.

13. Click OK.

14. On the Properties dialog, click OK. Repeat Steps 10 through 14 for the downloads\html folder, but set the Custom header value as attachment; filename=DefenderReport.html.

15. If you are running Windows 2003 Server with IIS 6.0 or higher, use the Web Service Extensions Manager in IIS to add a new Web service extension and allow the following files:

- d5activityreport.exe
- d5dssauditreport.exe
- d5dssconfigreport.exe
- d5dsslicensereport.exe
- d5dssrawaudit.exe
- d5dssviolations.exe
- d5tokenreport.exe
- d5userlogonreport.exe
- d5payloadreport.exe
- d5proxiedusersreport.exe
- d5userinforeport.exe
- updateSchedule.exe

16. The Defender Report Console extracts information from Defender Security Server logs. For this to function correctly, set up the mappings that define the network path to the logs produced by each DSS:

- On each machine running a Defender Security Server, set up a network share for the Defender Security Server log directory. This is normally located at C:\Program Files\Quest Software\Defender\DSS Active Directory Edition\Log

- The share should give read access to users who are authorized to view the reports

- On the Web server machine, add an entry to the mappath.ini file in C:\Program Files\Quest Software\Defender\Defender Report Console\cgi-bin that maps the name of the DSS object defined in Active Directory with the name of the network share

- Repeat this procedure for each DSS.

17. Using the DCOMCNFG utility, configure the DSSLog DCOM server object to permit Domain Users to launch and access the object, and run under the identity of a specific user with administrative privileges. See the relevant Microsoft Windows documentation for information on the use of DCOMCNFG.

18. Stop the default Web site and start your new Defender Report Console Web site.

19. Test the Web site to ensure it is contactable and that it serves the initial Defender Report Console page at this point.

20. Restrict permissions to the Web site as required.

For information on how to access, view and print the Defender Reports, refer to Chapter 10, Defender Report Service.
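Step 16 asks for a network share on each DSS log directory that gives read access to the users authorized to view reports. The script below is an added example, not part of the guide or the Defender product, showing one way to publish that directory with read-only rights at both the NTFS and the share level so that no broader access is granted than the reports need. The share name DSSLog$, the reader group Defender Report Readers and the domain name QUEST are assumptions; New-SmbShare and Get-SmbShareAccess assume a Windows version that ships the SmbShare module (Windows Server 2012 or later). The mappath.ini entry from Step 16 still has to be added by hand.

```powershell
# Added example (not from the guide): publish a Defender Security Server log
# directory as a read-only share for report viewers, as Step 16 requires.
# Share name, group and domain are assumptions for illustration.
$LogDir    = 'C:\Program Files\Quest Software\Defender\DSS Active Directory Edition\Log'
$ShareName = 'DSSLog$'                        # trailing $ hides the share from browsing
$Readers   = 'QUEST\Defender Report Readers'  # assumed group of users who may view reports

# NTFS: read and list (RX) for the readers, inherited by files (OI) and subfolders (CI).
# No entry is added for Everyone or Authenticated Users.
icacls $LogDir /grant "${Readers}:(OI)(CI)RX"

# Share: read permission limited to the same group.
New-SmbShare -Name $ShareName -Path $LogDir -ReadAccess $Readers `
    -Description 'Defender Security Server audit logs (read-only)'

# Verify the share-level ACL and that the path resolves over the network.
Get-SmbShareAccess -Name $ShareName
Test-Path "\\$env:COMPUTERNAME\$ShareName"
```

Repeat the script on every DSS, then map each DSS object name to its share in mappath.ini on the Web server as the guide describes. Keeping the NTFS grant to RX means the Report Console can read and rotate through the logs while nobody in the reader group can alter audit records through the share.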

Installing the Self-Registration Service

To install the Self-Registration Service:

1. Run TokenSelfReg Installer.exe and follow the instructions displayed on the screen. Ensure the machine that will provide the services for the Self-Registration Service is running:

• Windows 2000 or higher, in the domain that contains the users who will be authenticated

• Internet Information Services.

2. On the machine where the Self-Registration Service is installed, select Settings, Control Panel, Administrative Tools, Internet Services Manager to open the Internet Information Services applet. If you checked the Automatically Configure IIS Web Server checkbox during the Self-Registration installation procedure, skip to Step 8 on page 2-40.

3. Create a new Web site as described below:

- Right-click on the Web Server machine icon in the Internet Information Services tree.

- Select New, then Web Site. Click Next.

- Type a suitable name for the Web site (e.g. Defender). Click Next.

- Accept the default IP address and port number settings. Click Next.

- Type the home directory for the Web site (typically C:\Inetpub\wwwroot).

- Uncheck the Allow Anonymous access to this web site check box. Click Next.

- Accept the Web site access permissions default setting. Click Next.

- Click Finish.

4. Set up the default page as described below:

- In the Internet Information Services tree, right-click the site icon for your new site.

- Select Properties.

- Click the Documents tab.

- Remove Default.htm and Default.asp from the list of documents.

- Add self-serv0.asp to the list of documents.

- Create a virtual directory that points to the physical directory where you installed the files (default C:\Program Files\Quest Software\Defender).

- In the Internet Information Services tree, right-click the site icon for your new site.

- Select New, then Virtual Directory.

- Click Next.

- Type a suitable alias (e.g. DefSelfServe).

- Click Next.

- Select the physical directory where you installed the files.

- Click Next.

- Accept the default settings for the Access Permissions.

- Click Next.

- Click Finish.

5. Configure DCOM server settings for the Defender object. To launch DCOM configurator:

- From the Start menu, select Run and type dcomcnfg in the Open box.

- Open Component Services.

- Open My Computer.

- Open DCOM Config.

- Right-click the Defender object.

- From the context menu, select Properties.

- Select the Security tab.

- Under Launch Permissions, click Customize then click Edit.

- Add Domain Users to the access control list displayed.

- Click OK.

- Under Access Permissions, click Customize, then click Edit.

- Add Domain Users to the access control list displayed.

- Click OK.

- Select the Identity tab.

- Under Which user account do you want to use to run this application, click This user.

- Type the credentials of a user with sufficient privileges to write to and read from objects within Users and Defender containers in Active Directory.

- Click OK.

- Click OK.

6. Stop the default Web site, and start your new Defender Self-Registration Service Web site.

7. Test the site to ensure that it is contactable, and that the initial Self-Registration Service page is displayed.

8. If required, you can customize the appearance of your pages to suit your organization. You can also control the use of PINs by modifying the initial statements contained in self-serv0.asp. To do this, change:

- PINReqd to specify whether a PIN is required

- PINMinLen to specify the minimum number of digits allowed in a PIN

- PINMaxLen to specify the maximum number of digits allowed in a PIN.

The Defender Self-Registration Service is now installed and ready for use. Refer to Defender Desktop Token Activation on page 8-45 for further information.

Defender Delegated Administration

This section describes how Domain administrators can delegate administration rights to Defender Administrators.

Note: Defender Administrators do not require domain administration rights.

Version Information

To delegate administration rights, you must be running the Defender Administration Utility version 5.2.0.34 or higher.

Administration Rights

To delegate administration rights to a Defender administrator you must:

• set Active Directory permissions on the Defender objects. You can set permissions on selected objects or all objects, depending on your requirements. The Defender objects are:

• users and tokens

• access nodes

• policies

• RADIUS payload

• security servers.

• optionally, enable or disable the token administration option buttons using the control access rights facility.

Note: Control access rights can currently be set for Defender token administration option buttons only.

Control Access Rights

If you checked the Defender control access rights checkbox during the Defender installation procedure, you can enable and disable specific token administration option buttons in the Defender Administration Utility. The token option buttons are only available to an administrative user and are located on the username Properties - Defender tab and the tokenname Properties tab.

You can specify control access rights for the following token administration options:

• Program - program a token for a Defender user

• Recover - unlock a token

• Test - perform a non-intrusive test to verify the token’s response

• Helpdesk

• Reset - re-synchronize the user’s token

• Assign - allocate a temporary token response to the user

• Unassign - unassign a Defender token from a user

• Add - assign a Defender token to a user

• Set PIN - set a PIN for the user to use with this token

• Password - specify or change the user’s Defender password.

Figure 2-1: username Properties - Defender tab

Setting Permissions and Control Access Rights

This section describes the steps you need to perform to set permissions and control access rights for Defender Administrators. The example uses a group called Defender Admins.

The steps are:

1. Create a user group called Defender Admins.

2. Add your Defender Administrator(s) to the Defender Admins group.

3. Set Schema Permissions in Active Directory for the Defender Admins group.

4. Set access control rights.

Creating a Group

In Active Directory, create a group called Defender Admins, then add your Defender Administrator(s) to this group.

Setting Active Directory Permissions

You now need to set Active Directory permissions for the Defender Admins group on the OU containing the Defender users and on the OU containing the Defender tokens.

The following example uses an OU called Users.

Setting Permissions on the Users OU

To set permissions for the Defender Admins group on the OU containing the Defender users, perform the following steps:

1. In Active Directory, Users and Computers, right-click the OU containing the Defender users.

2. From the dropdown list, select Delegate Control. The Delegation of Control Wizard starts:

Figure 2-2: Welcome page

3. Click Next. The Users or Groups dialog box is displayed:

Figure 2-3: Users or Groups dialog box

4. Click Add. The Select Users, Computers or Groups dialog box is displayed.

5. Add the Defender Admins group.

6. Click Next. The Tasks to Delegate dialog box is displayed:

Figure 2-4: Tasks to Delegate dialog box

7. Click the Create a custom task to delegate option button.

8. Click Next. The Active Directory Object Type dialog box is displayed:

Figure 2-5: Active Directory Object Type dialog box

9. Click the Only the following objects in the folder option button.

10. Check the User objects checkbox.

11. Click Next. The Permissions dialog box is displayed:

Figure 2-6: Permissions dialog box

12. Check the Property-specific checkbox.

13. Check the boxes adjacent to the following permissions:

• Read defender-tokenUsersDNs

• Write defender-tokenUsersDNs

• Read defender-userTokenData

• Write defender-userTokenData.

14. Click Next. The Completing the Delegation of Control Wizard dialog box is displayed:

Figure 2-7: Completion dialog box

15. Click Finish.

Setting Permissions on the Defender License OU

To set permissions for the Defender Admins group on the OU containing the Defender license, perform the following steps:

Note: To view the screen images from the Delegation of Control Wizard, refer to Setting Permissions on the Users OU on page 45.

1. From the Active Directory Users and Computers page, right-click the Defender OU.

2. From the dropdown list, select Delegate Control. The Delegation of Control Wizard is displayed:

3. Click Next. The Users or Groups dialog box is displayed.

4. Click Add.

5. Type the name of the group, Defender Admins.

6. Click OK.

7. Click Next. The Tasks to Delegate dialog box is displayed.

8. Click the Create a custom task to delegate option button.

9. Click Next. The Active Directory Object Type dialog box is displayed.

10. Select the Only the following objects in the folder option button.

11. Check the Defender License objects check box.

Figure 2-8: Active Directory Object Type dialog box

12. Click Next. The Permissions dialog box is displayed.

13. Check the Property-specific checkbox.

14. Check the Read defender-tokenData checkbox.

15. Check the Write defender-tokenData checkbox.

Figure 2-9: Permissions dialog box

16. Click Next. The Completion dialog box is displayed.

17. Click Finish.

Setting Permissions on the Defender User License

To set permissions on the Defender user license, perform the following steps:

1. From the Active Directory Users and Computers page, select the Defender OU.

2. In the right-hand pane, right-click the required Defender user license.

3. Select Properties.

4. Select the Security tab.

5. Click Advanced. The Advanced Security Settings for licensename dialog is displayed.

6. Click Add.

7. Type the name of the Defender Admins group.

8. Click OK.

9. Select the Properties tab.

Figure 2-10: Permission Entry for licensename - Properties

10. In the Allow column, check the following boxes:

• Read defender-tokenData

• Write defender-tokenData.

11. Click OK until you return to the AD Users and Computers page.

Setting Permissions on the Defender Token License

To set permissions on the Defender token license, perform the following steps:

1. From the Active Directory Users and Computers page, select the Defender OU.

2. In the right-hand pane, right-click the required Defender token license.

3. Select Properties.

4. Select the Security tab.

5. Click Advanced. The Advanced Security Settings for licensename dialog is displayed.

6. Click Add.

7. Type the name of the Defender Admins group.

8. Click OK.

9. Select the Properties tab.

Figure 2-11: Permission Entry for licensename - Properties

10. In the Allow column, check the following boxes:

• Read defender-tokenData

• Write defender-tokenData.

11. Click OK until you return to the AD Users and Computers page.

Setting Control Access Rights

You can now set control access rights on the OU containing the Defender users and the OU containing the Defender tokens. These control access rights determine which token administration option buttons will be available to the Defender Administrator. Grant only the token properties that the delegated administrators actually need, and treat membership of the Defender Admins group as a privileged role that is reviewed regularly: whoever holds these rights can change how the users in that OU authenticate.

The token administration option buttons are located on the tokenname Properties page and the username Properties - Defender page.

Setting Control Access Rights on the Defender Users OU

To set permissions on the OU containing the Defender users, perform the following steps:

1. From the Active Directory Users and Computers page, right-click the OU containing the Defender users.

2. From the dropdown list, select Properties.

3. Select the Security tab, then click Advanced.

4. Click Add.

5. Select the Defender Admins group, then click OK. The Permission Entry for Users dialog box is displayed.

6. In the Apply Onto field, select User Objects.

7. In the Permissions list, check the boxes adjacent to the Defender Token properties that you want the Defender Admins group to administer.

Figure 2-12: Permission Entry for Users dialog box

8. Click OK. A warning message is displayed.

9. Click Yes.

10. On the Permissions tab, click OK. A warning message is displayed.

11. Click Yes.

Setting Control Access Rights on the Defender Token OU

To set control access rights on the OU containing the Defender tokens, perform the following steps:

1. Right-click the OU containing the Defender tokens.

2. From the dropdown list, select Properties.

3. Select the Security tab.

4. Click Advanced.

5. Click Add.

6. Select the Defender Admins group, then click OK. The Permission Entry for Tokens dialog box is displayed.

7. In the Apply Onto field, select Token Objects.

8. In the Permissions list, check the boxes adjacent to the Defender Token properties that you want the Defender Admins group to administer.

Figure 2-13: Permission Entry for Tokens dialog box

9. Click OK. A warning message is displayed.

10. Click Yes.

11. On the Permissions tab, click OK. A warning message is displayed.

12. Click Yes.

After Setting Control Access Rights

When you have set the required control access rights, the token administration options that you delegated to the Defender Administrator are available in the username Properties - Defender dialog box:

Figure 2-14: username Properties - Defender dialog box

Removing Control Access Rights

To remove control access rights for a group:

1. Locate the permission entry in the Permission entries table in the Advanced Security Settings dialog box:

Figure 2-15: Advanced Security Settings for groupname dialog box

2. Click Remove.

3. Click OK.

Defender Desktop Login

The Defender Desktop Login is a thin wrapper around the Microsoft GINA that allows authentication to be performed to a Defender Security Server.

Supported Platforms

The Defender Desktop Login is supported on Windows NT, 2000, XP, Server 2003, Vista and Server 2008, running the standard Microsoft GINA. Note that Windows Vista and Server 2008 replaced the GINA interface with the Credential Provider model, so check the release notes for the component that the installer actually uses on those platforms.

Installing the Defender Desktop Login

To install the Defender Desktop Login, run the appropriate install file (both .exe and .msi installation files are provided). As the Defender GINA is an integral part of Windows security, you must reboot your machine after installation. Because a replacement GINA runs inside Winlogon and sees the credentials that users type, install only a package whose digital signature you have verified, and keep the installation media under change control.

The installation procedure installs two files, DefGINA.dll and uninstall.exe, and writes registry settings to HKEY_LOCAL_MACHINE\SOFTWARE\PassGo Technologies\Defender\Defender GINA. Winlogon loads a replacement GINA through the GinaDLL value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; that value is a well-known persistence point, so include it in your configuration monitoring and confirm after installation that it names the DLL you expect.

Uninstalling the Defender Desktop Login

To uninstall the Defender Desktop Login use Add / Remove Programs from the Control Panel.

Pluggable Authentication Module (PAM)

The Defender module for Pluggable Authentication Module (PAM) allows you to specify that services and users defined on your UNIX system will be authenticated by Defender.

Configuring Defender to use PAM

To configure Defender to use PAM, perform the following steps:

1. Copy the Defender module for PAM to the security library directory on your system, for example /lib/security on Linux. On 64-bit and multiarch distributions the directory may instead be /lib64/security or /lib/x86_64-linux-gnu/security; put the module where your existing pam_*.so modules live.

2. Edit the PAM configuration file(s) to call the Defender PAM module for the required services. In the following example, the login service will be authenticated by Defender on a Linux system:

auth required /lib/security/pam_defender.so

account required /lib/security/pam_defender.so

session required /lib/security/pam_defender.so

Because all three lines use the required control flag, a failure in any of them denies the login. If you add these lines to an existing stack rather than replacing it, the existing modules still run and the user must satisfy both. Test the change on a non-production host first, and keep a root console session open while you edit the login stack so that a mistake does not lock you out of the system.

For further information about configuring PAM, refer to the PAM documentation for your system.

Communicating with Defender

The Defender module for PAM communicates with Defender via the RADIUS server. To configure the RADIUS server, edit the /etc/defender.conf file, which takes the following form:

<hostname:portnumber> <sharedsecret> <timeout>

where:

hostname is the name of the RADIUS server.

portnumber is the port number on which the RADIUS server will communicate with the Defender Security Server. More than one server can be included; the RADIUS server will attempt to contact the servers in the order in which they appear in the list. There must be no spaces between the host name and the port number.

sharedsecret is the shared secret known to both the RADIUS server and the Defender Security Server.

timeout is the length of time, in seconds, after which the connection between the RADIUS server and the Defender Security Server will be lost if no activity is detected.

The shared secret is stored in clear text, so the file should be owned by root and readable by root only (for example, mode 0600): anyone who can read it learns the RADIUS shared secret, and anyone who can write it can point authentication at a server of their choosing.
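The following Python is an added example, not part of this guide or of the Defender PAM module, that parses a /etc/defender.conf entry in the format above and applies its rules: a host name and port separated by a space is rejected, the servers are kept in the order listed, and they are tried in that order. It assumes a single configuration line and a shared secret that contains no whitespace; the probe callable stands in for the real RADIUS exchange.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class RadiusServer:
    host: str
    port: int


@dataclass(frozen=True)
class DefenderConf:
    servers: List[RadiusServer]   # contacted in the order they appear in the file
    shared_secret: str
    timeout: int                  # seconds of inactivity before the connection is dropped


# host:port with no whitespace on either side of the colon
_HOSTPORT = re.compile(r"^([A-Za-z0-9][A-Za-z0-9.-]*):(\d{1,5})$")


def parse_defender_conf(text: str) -> DefenderConf:
    """Parse the format  <hostname:portnumber> [<hostname:portnumber> ...] <sharedsecret> <timeout>.

    Assumption (not stated by the guide): the file holds exactly one non-blank line.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) != 1:
        raise ValueError("expected exactly one configuration line, found %d" % len(lines))
    tokens = lines[0].split()
    if len(tokens) < 3:
        raise ValueError("need at least one host:port, the shared secret and a timeout")
    *hostports, secret, timeout = tokens   # last two tokens are always secret and timeout
    servers = []
    for tok in hostports:
        m = _HOSTPORT.match(tok)
        if not m:
            # A space between host and port splits the entry into two tokens,
            # neither of which is a valid host:port; report it instead of guessing.
            raise ValueError("bad server entry %r: expected host:port with no spaces" % tok)
        port = int(m.group(2))
        if not 1 <= port <= 65535:
            raise ValueError("port out of range in %r" % tok)
        servers.append(RadiusServer(m.group(1), port))
    if not timeout.isdigit() or int(timeout) == 0:
        raise ValueError("timeout must be a positive number of seconds, got %r" % timeout)
    return DefenderConf(servers, secret, int(timeout))


def first_responding(conf: DefenderConf,
                     probe: Callable[[RadiusServer, int], bool]) -> Optional[RadiusServer]:
    """Contact the servers in file order and return the first one that answers.

    probe(server, timeout) stands in for the real RADIUS request; it returns True
    when the server replies within the timeout.
    """
    for server in conf.servers:
        if probe(server, conf.timeout):
            return server
    return None
```

A failed parse is the right outcome for the space-between-host-and-port mistake described above; the message names the offending token so the operator can see exactly what was read.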

Access Control Lists

An access control list contains the names of the services and/or users that will be authenticated by Defender. The access control list is defined in the /etc/pam_radius_acl.conf file.

If the /etc/pam_radius_acl.conf file does not exist, all services and users will be authenticated by Defender.

If the /etc/pam_radius_acl.conf file exists, it must contain a list of service names and usernames that will be authenticated by Defender, as shown in the following example:

upm:*

telnet:

:john

*:sally

login:david

In this example:

• all users who access the upm or telnet services must authenticate to Defender

• users john and sally must authenticate to Defender for every service

• user david must authenticate to Defender for the login service only.

Any service or user name combination not listed in the /etc/pam_radius_acl.conf file will not be authenticated by Defender.

To authenticate all users and services, include the *:* or : string in the /etc/pam_radius_acl.conf file.

If the /etc/pam_radius_acl.conf file exists, but is empty, no services or users will be authenticated by Defender.

Note the asymmetry: removing the file routes every service and user through Defender, while an empty file takes Defender out of the path for everyone. Keep the file owned by root and not writable by other users, and check its contents after any change, since a mistaken edit silently weakens or bypasses two-factor authentication.
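The following Python is an added example, not part of this guide or of the PAM module, that models the access control list semantics described in this section, including the three edge cases (no file, empty file, and the *:* or : wildcard). It assumes that a line without a colon is a mistake to report rather than to guess at, and it uses a constructed copy of the example file above.

```python
import os
from typing import List, Optional, Tuple

Rule = Tuple[str, str]   # (service pattern, user pattern); "" or "*" match anything


def parse_acl(text: str) -> List[Rule]:
    """Parse pam_radius_acl.conf content; each non-blank line is service:user.

    Assumption: a line with no colon is malformed and is rejected rather than guessed at.
    """
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError("line %d: expected service:user, got %r" % (lineno, line))
        service, _, user = line.partition(":")
        rules.append((service.strip(), user.strip()))
    return rules


def load_acl(path: str = "/etc/pam_radius_acl.conf") -> Optional[List[Rule]]:
    """None means the file is absent (everything goes to Defender);
    an empty list means the file exists but is empty (nothing does)."""
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        return parse_acl(fh.read())


def _matches(pattern: str, value: str) -> bool:
    return pattern in ("", "*") or pattern == value


def defender_applies(rules: Optional[List[Rule]], service: str, user: str) -> bool:
    """Decide whether this service/user pair is sent to Defender for authentication."""
    if rules is None:          # no ACL file at all: every service and every user
        return True
    return any(_matches(s, service) and _matches(u, user) for s, u in rules)


# Constructed copy of the example ACL from the guide.
EXAMPLE_ACL = """\
upm:*
telnet:
:john
*:sally
login:david
"""
```

Running defender_applies over a few (service, user) pairs before deploying an edited file is a cheap way to confirm the file says what you think it says; load_acl(path) gives the same answer for a real file, with None and [] distinguishing the absent and empty cases.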

After Installation

After installation and configuration of the Defender components, perform the administration tasks described in Chapters 3 through 8 of this guide.

3 Administration

This chapter describes:

• the administration tasks you can perform via the Defender Management Console

• the role of each Defender component

• starting and stopping the Defender service.

After installation, an OU for Defender is included in the Active Directory Users and Computers tree. A Defender menu is also included on the menu bar.

Figure 3-1: Directory Users and Computers tree

Use the Defender Management Console to:

• create and configure Access Nodes

• create and configure Defender Security Servers

• specify the payload for a RADIUS server

• create and configure Defender Security Policies

• assign a Defender Security Policy to:

  • a user or group of users
  • an Access Node
  • a Defender Security Server.

• assign users or groups of users to an Access Node

• import Tokens

• program Tokens

• assign Tokens to users

• create RADIUS Payload data

• assign RADIUS Payload to an Access Node, Security Server, User Group and/or User

• install your Defender License (refer to Installing a Defender User License on page 2-18)

• install your Desktop Token User License (Installing a Defender Desktop Token License on page 2-25)

• migrate token and/or user profile information from earlier versions of Defender to Defender 5.3.

Defender Access Node Overview

The Defender Management Console enables you to create and configure Defender Access Nodes. The access node is the point in your network where you need to challenge the user to verify their identity. The access node can be a:

• Radius Agent

• Radius Proxy

• Defender Agent

• NetScreen Agent

• NC-Pass Radius Agent.

Using the Access Node property pages, you can:

• assign one or more Defender Security Servers to the Access Node

• specify users and/or groups of users who can authenticate via this Access Node

• assign a Defender Security Policy to the Access Node

• configure the RADIUS payload for the Access Node.

For further information on configuring a Defender Access Node, refer to Chapter 4, Access Node Configuration.

Defender Security Server Overview

The Defender Management Console enables you to create and configure Defender Security Servers. The Defender Security Server is the point in your network where user authentication is performed. If authentication is successful, the user is allowed access to the network.

When you have defined the Defender Security Server, you can use the Security Server property pages to:

• change the configuration for the Defender Security Server

• assign a Defender Security Policy to this Security Server

• view and change the prompts displayed to the user during the authentication process

• configure the RADIUS Payload. When a user has successfully authenticated, the Defender Security Server returns the RADIUS Payload information to the Access Node that initiated the user authentication request

• add and remove groups/users and set administrative permissions.

For further information on configuring a Defender Security Server, refer to Chapter 6, Security Server Configuration.

Defender Security Policy Overview

The Defender Management Console enables you to create and configure Defender Security Policies. A Security Policy can be assigned to:

• a user

• a user group

• an Access Node

• a Defender Security Server.

If a different Defender Security Policy is applied to each of the above elements, the policy assigned to the user will take the highest priority, followed by the policy assigned to the user group, then the policy assigned to the access node and finally, the policy assigned to the Defender Security Server. Security Policies are not aggregated.

Logon attempts made by the user are rejected if:

• the user belongs to two groups with conflicting security policies, and

• both groups are assigned to the Access Node that the user uses to connect to the Defender Security Server.

If no policy has been assigned, the default Token Only policy will be applied.

When you have defined the Defender Security Policy, you can use the Security Policy property pages to:

• change the Defender Security Policy configuration

• change user account lockout information

• specify the details of your mobile service provider

• provide backward compatibility with Defender 4 and specify which Defender Agents a user can access

• add and remove groups/users and set administrative permissions

• specify permitted logon hours

• configure password and PIN expiration policies.

For further information on configuring a Defender Security Policy, refer to Chapter 5, Security Policy Configuration.
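The precedence and conflict rules described in this section, as an added example in Python (not code from this guide or from the product). It assumes that a policy assigned directly to the user short-circuits the group check, and that only the user's groups that are assigned to the Access Node in use take part in the group step; both assumptions are drawn from the wording above, and the policy and group names are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

DEFAULT_POLICY = "Token Only"   # applied when nothing is assigned at any level


class LogonRejected(Exception):
    """Raised where the Defender Security Server would reject the logon outright."""


@dataclass
class Environment:
    user_policy: Optional[str] = None                             # policy assigned to the user
    group_policies: Dict[str, str] = field(default_factory=dict)  # group -> policy assigned to it
    user_groups: Set[str] = field(default_factory=set)            # groups the user belongs to
    node_groups: Set[str] = field(default_factory=set)            # groups assigned to the access node
    node_policy: Optional[str] = None                             # policy assigned to the access node
    server_policy: Optional[str] = None                           # policy assigned to the DSS


def effective_policy(env: Environment) -> Tuple[str, str]:
    """Return (policy, level) using the precedence user > user group > access node > server.

    Policies are not aggregated: the first level that has one wins outright.
    """
    if env.user_policy:
        return env.user_policy, "user"
    # Assumption: only the user's groups that are assigned to this access node take part,
    # which is how the guide phrases the conflict rule.
    candidates = {env.group_policies[g]
                  for g in env.user_groups & env.node_groups if g in env.group_policies}
    if len(candidates) > 1:
        raise LogonRejected("conflicting group policies on this access node: "
                            + ", ".join(sorted(candidates)))
    if candidates:
        return candidates.pop(), "user group"
    if env.node_policy:
        return env.node_policy, "access node"
    if env.server_policy:
        return env.server_policy, "security server"
    return DEFAULT_POLICY, "default"
```

The conflict case is the one worth testing before a rollout: a user who is in two groups that carry different policies, both assigned to the same Access Node, is rejected rather than given the weaker of the two policies.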

RADIUS Payload

The Defender Management Console enables you to create and configure the RADIUS Payload. The RADIUS Payload is information that is passed from the Defender Security Server to the Network Access Server where the user authentication attempt originated. This RADIUS Payload information can be assigned to:

• a user

• a user group

• an Access Node

• a Defender Security Server.

If a different RADIUS Payload is applied to each of the above elements, the payload assigned to the user will take the highest priority, followed by the payload assigned to the user group, then the payload assigned to the access node and finally, the payload assigned to the Defender Security Server. RADIUS Payloads can be aggregated if required.

Aggregating RADIUS Payloads

RADIUS Payloads can be aggregated. For example, if you define a payload for an access node and also define a payload for the Defender Security Server to which the access node is assigned, the RADIUS Payload defined for the Security Server can be aggregated with the RADIUS Payload defined for the Access Node.

A RADIUS Payload can be aggregated from the User, User Group(s), Access Node(s) and Defender Security Server(s).

To specify that RADIUS Payload must be aggregated, check the Inherit payload entries from parent checkbox in the RADIUS Payload dialog in the Properties for the User/User Group and/or Access Node.

The Inherit payload entries from parent checkbox is not available on the RADIUS Payload dialog in the Defender Security Server Properties.

For a child to inherit a payload from a parent, the Inherit payload entries from parent checkbox must be checked on the RADIUS Payload dialog in the Properties for both the child and parent.

If a RADIUS Payload has been defined for the child, the RADIUS Payload defined for the parent will be aggregated with the payload defined for the child.

If a RADIUS Payload has not been defined for the child, the RADIUS Payload defined for the parent will be inherited by the child.
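The aggregation rules above as an added Python example (not code from this guide or from the product). It assumes the chain user, user group, access node, security server; that the security server, having no checkbox, always passes its entries to an access node that asks; and that when two levels define the same attribute the higher-priority (child) value is kept. The attribute names and values are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SERVER = "security server"


@dataclass
class PayloadLevel:
    name: str                          # "user", "user group", "access node" or SERVER
    entries: Optional[Dict[str, str]]  # None: no RADIUS Payload defined at this level
    inherit: bool = False              # the "Inherit payload entries from parent" checkbox


def _link_open(child: PayloadLevel, parent: PayloadLevel) -> bool:
    # Both ends must have the checkbox ticked. The security server has no checkbox,
    # so the assumption here is that it always hands its entries to a child that asks.
    return child.inherit and (parent.inherit or parent.name == SERVER)


def effective_payload(chain: List[PayloadLevel]) -> Tuple[Dict[str, str], List[str]]:
    """chain is ordered child first: user, user group, access node, security server.

    Returns the attributes the DSS would send back and the levels that contributed.
    """
    result: Dict[str, str] = {}
    sources: List[str] = []
    for i, level in enumerate(chain):
        if level.entries is not None:
            for attr, value in level.entries.items():
                # On a clash the higher-priority (child) value is kept: assumption.
                result.setdefault(attr, value)
            sources.append(level.name)
        if i + 1 == len(chain):
            break
        # A defined payload ends the walk unless this level aggregates with its parent;
        # a level with no payload is passed over, so the next level's payload applies.
        if level.entries is not None and not _link_open(level, chain[i + 1]):
            break
    return result, sources
```

The sources list is the useful diagnostic: when a user ends up with an unexpected attribute, it tells you which level contributed it and which unticked checkbox stopped the walk.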

For further information about the RADIUS Payload for:

• an Access Node, refer to Changing the RADIUS Payload on page 4-22

• a Security Server, refer to Changing the RADIUS Payload on page 6-15

• a User, refer to Changing the RADIUS Payload on page 7-35.

Stopping and Restarting the Defender Service

To stop and restart the Defender Security Server Service, select Start, Programs, Defender Active Directory Edition, Defender Security Server. The Defender Security Server Configuration dialog box is displayed:

Figure 3-2: Defender Security Server Configuration - Service dialog box

To restart the Defender Security Server Service, click Restart Service.

To stop the Defender Security Server Service, click Stop Service.

Defender Security Server User Account Attributes

The Defender Security Server runs as a service. The user account used by this service must be defined with write access over the following attributes, grouped by the class they belong to:

defender-tokenClass
  defender-tokenData

defender-dssClass
  defender-objectActive
  defender_dssVersion

User
  defender-userTokenData
  defender-violationCount
  defender-resetCount
  defender-lastLogon
  defender-lockoutTime
  UserAccountControl

Write access to UserAccountControl on user objects is a powerful right in its own right (it controls, among other things, whether an account is disabled or exempt from password requirements), so scope this grant to the OUs that hold Defender users rather than the whole domain, do not reuse the service account for anything else, and audit changes made with it.

For further information, refer to the Delegation of Administration Rights guide available from http://support.quest.com.

About Defender

For general information about Defender 5.3, click Defender on the menu bar, then select About. The About Defender 5.3 dialog box displays the version number of Defender and provides access to the User License tab and Defender Desktop Token License tab.

The User License tab displays information about the currently installed user license:

Figure 3-3: User License tab

• DN - the distinguished name of the Defender Security Server where the user license is installed

• License Type - either Permanent or Temporary

• Users - the number of users permitted by this license and the number of users assigned to date

• License Expires - if you have installed a temporary license, this is the date that the license will expire.

The Defender Desktop Token License tab displays information about the currently installed Defender Desktop Token license(s):

Figure 3-4: Defender Desktop Token License tab

• License - either Windows, Palm, Blackberry, Windows Mobile/iPaq or Defender Mobile

• Allocation - the number of tokens allocated to users and the total number of tokens permitted by this license

Any temporary licences for Defender Desktop Tokens that have expired will be shown in red.

4 Access Node Configuration

Creating a New Access Node

The access node is the point in your network where you need to challenge the user to verify their identity, for example, a firewall or VPN server. At the access node, the user will be prompted to enter their logon credentials. This may be a user ID, password and token authentication information. The access node sends the user’s logon credentials to the Defender Security Server for authentication. If authentication is successful, the user is granted access to the network.

You can define any number of access nodes in your Defender configuration. An access node can be a:

• RADIUS Agent

• RADIUS Proxy

• RADIUS Proxy (to non-negotiating server)

• Defender Agent

• NetScreen Agent

• NC-Pass Radius Agent.

To create a new Access Node, click the Defender OU and then right-click Access Nodes.

1. From the menu, select New.

2. From the submenu, select Defender Access Node.

3. The New Object - Defender Access Node dialog box is displayed:

Figure 4-1: New Object – Defender Access Node (name and description) dialog box

4. In the Name field, type a name for this Access Node.

5. In the Description field, type a description for this Access Node.

6. Click Next to continue. The New Object - Defender Access Node (node type) dialog box is displayed:

Figure 4-2: New Object - Defender Access Node (node type) dialog box

7. In the Node Type field, click the arrow and select the required node type from the list. The access node is the point in your network where you need to challenge the user to verify their identity. The options are:

• Radius Agent - select this node type to allow a NAS device, including Cisco ACS devices and most firewalls, to connect to Defender 5.3 using the RADIUS protocol. RADIUS is transmitted over UDP and uses port 1645 or 1812. Port 1812 is the authentication port assigned by IANA and used in RFC 2865; 1645 is the older, pre-RFC port that many NAS devices still default to, so make sure the NAS and the Access Node definition agree on which one is in use.

• Radius Proxy - select this node type to allow RADIUS requests received from a RADIUS Agent access node to be forwarded to another RADIUS Server. Typically, this option is used to pass authentication requests to an existing Defender 4 RADIUS Server during a migration phase from Defender 4.x to Defender 5.3. This node type is unlikely to be required in a fully migrated production environment.

• Radius Proxy (to non-negotiating server) - in some cases, the user ID included in the request sent from the Access Node and proxied by the Defender Security Server to the RADIUS Server cannot be processed by the RADIUS Server unless it is accompanied by a password. Select this node type to allow Defender to issue the response request on behalf of the RADIUS Server.

• Defender Agent - select this node type to allow Defender 4 embedded agents to connect and process authentication requests. Typically, this node type is required for use with specific Cisco ACS devices and the Quest Webthority Agent. For further information about Quest Webthority, refer to Chapter 2, Total Web Security Solution in the Webthority Reference Guide. Defender Agents use a proprietary protocol to transmit data and use TCP (default port number 2626), instead of the UDP used by RADIUS.

• NetScreen Agent - select this node type if your Access Node is a NetScreen VPN.

• NC-PASS Radius Agent - select this node type if you are using the Quest NC-Pass two-factor authentication product.

• Nortel VPN - select this node type if you will authenticate using an SNK token in synchronous mode.

8. In the User ID field, click the arrow and select the required user ID type from the list. This is the user ID that will be used to locate the user in the Active Directory. The options are SAM Account Name, Defender ID, User Principal Name or Proper Name.

9. Click Next to continue. The New Object - Defender Access Node (connection details) dialog box is displayed:

Figure 4-3: New Object - Defender Access Node (connection details) dialog box

10. In the IP Address or DNS Name field, type the IP address or DNS name of this Access Node.

11. In the Port field, type the port number that this Access Node will use to establish a connection with the Defender Security Server. The default port number for the Defender Agent Access Node type is 2626. For all other Access Nodes types, the default port number is 1645.

12. If this Access Node definition should cover several NAS devices in the same subnet, type the required subnet mask in the Subnet Mask field. Every device in that range then connects with the same shared secret, so keep the range as narrow as possible.

13. In the Shared Secret field, type the secret that will be used when this Access Node attempts to establish a connection with the Defender Security Server. For a Defender Agent Access Node, the shared secret can be 16 hex or 24 octal digits. For all other Access Node types, the shared secret can be up to 256 alphanumeric characters. For the RADIUS node types this secret is all that hides the User-Password attribute and authenticates the server's reply, so use a long, randomly generated value and a different secret for each Access Node.

14. Click Next to continue. The New Object - Defender Access Node (summary) dialog box is displayed:

Figure 4-4: New Object - Defender Access Node (summary) dialog box

15. This dialog box displays a summary of your settings for this Access Node. Click Finish to save your settings.
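As an added example, not code from this guide or from Defender, the following Python shows what the shared secret and port entered above actually do on the wire for a RADIUS Agent Access Node: it builds an Access-Request with the User-Password hidden under the secret (RFC 2865 section 5.2), parses the attributes back out, and checks the Response Authenticator of an Access-Accept so that a reply from a server that does not know the secret, or a reply that does not match the request, is discarded. The user name, password and NAS address are constructed; sending the packet over UDP is left out.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # RFC 2865 attribute types


def _attr(attr_type: int, value: bytes) -> bytes:
    # Type (1 byte), Length (1 byte, covering the 2-byte header), Value (1..253 bytes).
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous block), the first block keyed by the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as the server performs it; padding NULs are stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, key)), block
    return out.rstrip(b"\x00")


def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes,
                         nas_ip: str, request_auth: Optional[bytes] = None) -> bytes:
    """Access-Request as a RADIUS Agent access node would send it to the DSS."""
    request_auth = request_auth or os.urandom(16)   # must be unpredictable for every request
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def parse_attributes(packet: bytes) -> Dict[int, List[bytes]]:
    """Walk the attribute list after the 20-byte header, rejecting bad lengths."""
    attrs: Dict[int, List[bytes]] = {}
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs


def _response_auth(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Access-Accept or Access-Reject as the DSS would answer the request above."""
    ident, request_auth = request[1], request[4:20]
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + _response_auth(code, ident, attrs, request_auth, secret) + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> Optional[int]:
    """Return the response code only if its Response Authenticator is valid for this
    request and secret; None means a forged, mismatched or wrong-secret reply."""
    if len(response) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return None
    expected = _response_auth(code, ident, response[20:], request[4:20], secret)
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return code
```

Two things follow from the code. The password hiding is an MD5 keystream keyed by the secret, not modern encryption, so the link between the NAS and the Defender Security Server belongs on a protected management network; and the Response Authenticator is the only thing that stops an attacker who can spoof UDP from answering a request with a forged Access-Accept, which is why a short or shared secret undermines every Access Node that uses it.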

Defender Access Node Properties

Defender Access Node Properties includes the following tabs:

• Access Node - allows you to display or edit the configuration information for this Access Node

• Members - allows you to specify users and/or groups of users who can authenticate via this Access Node

• Policy - allows you to add or remove a Defender Security Policy for this Access Node

• RADIUS Payload - allows you to configure the RADIUS payload for this Access Node

• Security - allows you to add and remove groups/users and set administrative permissions.

Changing Defender Access Node Configuration

To change Access Node configuration, perform the following steps:

1. In the Users and Computers tree, select the Defender OU and then Access Nodes.

2. Right-click the required Access Node.


3. From the menu, select Properties. The Access Node dialog box is displayed:

Figure 4-5: accessnodename Properties - Access Node dialog box

The fields in the Access Node dialog box are described in the following table:

Table 4-1: Fields in the Access Node dialog box

• Description - displays the description for this Access Node. To edit the description, click in the Description field and type the new description for this Access Node.

• IP Address or DNS Name - IP Address or DNS name of the NAS device. To change the IP Address or DNS name, click in the IP Address or DNS Name field and type the new IP Address or DNS name for this Access Node.

• Auth Port - number of the port that this Access Node will use to establish a connection with the Defender Security Server. To change the port number, click in the Port field and type the new port number for this Access Node. The default port numbers are:

  Defender Agent - port number 2626
  Radius Agent - port number 1645
  Radius Proxy - port number 1645

• Subnet Mask - subnet mask address. If multiple Access Nodes within the same subnet will connect to the Defender Security Server, the subnet mask for the Access Nodes is displayed in this field. To change the subnet mask, click in the Subnet Mask field and type the new subnet mask address.

• Acct Port - number of the port to which the network access server will send accounting packets received from the RADIUS access node.

• Node Type - type of node. To change the type of node, click the arrow in the Node Type field and select the required node type from the list. The access node is the point at which the user is challenged to verify their identity. The available node types are Radius Agent, Radius Proxy, Radius Proxy (to non-negotiating server), Defender Agent, NetScreen Agent, NC-Pass Radius Agent or Nortel VPN. For a description of each node type, refer to Creating a New Access Node on page 4-1.

• Shared Secret - contains the secret that this Access Node will share when it attempts to establish a connection with the Defender Security Server. To display the shared secret in clear text, click Reveal. To hide the shared secret (display as asterisks), click Hide.

• User ID - type of user ID that will be used by the Defender Security Server to search for users in Active Directory. The options are Defender ID, User Principal Name, SAM Account Name or Proper Name.

• Assigned To - displays the name and location of the Defender Security Server(s) to which this Access Node is assigned. To assign this Access Node to a Defender Security Server:

  1. Click Assign. The Select Defender Security Servers dialog box is displayed:

  Figure 4-6: Select Defender Security Servers dialog box

  2. Double-click the required Defender Security Server. The selected Security Server is displayed in the lower window.

  3. Click OK to return to the Defender Access Node dialog box. The Defender Security Server is displayed in the Assigned To table.

  To remove a Defender Security Server from the Assigned To table in the Access Node dialog box, click the required Security Server in the Assigned To table, then click Unassign. The Security Server is removed from the Assigned To table.

4. If you have made any changes in the Access Node dialog box, click OK to save your settings.


Adding Users or User Groups

To specify the users and/or groups of users who will be authenticated by the Defender Security Server via this Access Node, perform the following steps:

1. Click the Defender OU, then click Access Nodes.

2. Right-click the required Access Node.

3. From the menu, select Properties. The Access Node dialog box is displayed.

4. Select the Members tab. The nodename Properties - Members dialog box is displayed:

Figure 4-7: nodename Properties - Members dialog box


5. Click Add to select a user or group of users. The Select Users or Groups dialog box is displayed.

Figure 4-8: Select Users or Groups dialog box

6. To specify the object type(s) to be included in the search, click Object Types. The Object Types dialog is displayed. Check the box adjacent to the required object types, then click OK. The Select Users dialog box is displayed.

7. To specify the directory location that will be searched, click Locations. The Locations dialog box is displayed. Select the required directory location, then click OK. The Select Users dialog box is displayed.

8. In the Enter the object names to select field, type the object name(s) that will be used to match with users and/or groups. For more specific search options, click Advanced.

9. Click OK to save your settings and return to the Members dialog box. Selected users/groups are displayed in the Members table.

10. Click OK to return to the AD Users and Computers tree.


Removing a User or Group

To remove a user or group of users from the Members table in the Members dialog box:

1. Select the required user or group, then click Remove.

2. Click OK to save your settings and return to the AD Users and Computers tree.

Assigning a Defender Security Policy to an Access Node

This section describes how to assign a Defender Security Policy to an Access Node.

For a description of the Security Policy, refer to Defender Security Policy Overview on page 3-6.

For information on creating a new Defender Security Policy, refer to Chapter 5, Security Policy Configuration.

Perform the following steps:

1. Select the Defender OU from the AD Users and Computers tree.

2. Select Access Nodes.

3. In the right-hand window, right-click the required Access Node.

4. Select Properties from the menu.


5. The nodename Properties – Access Node dialog box is displayed. Select the Policy tab.

6. The nodename Properties – Policy dialog box is displayed.

Figure 4-9: accessnodename Properties - Policy dialog box


7. Click Select. The Select Defender Policies dialog box is displayed:

Figure 4-10: Select Defender Policies dialog box

8. Double-click the required policy in the list. The selected policy is displayed in the lower window. Alternatively, type the name of the required policy, either in full or in part, in the lower window. Click Check Names.


The matching policy is displayed. If more than one policy is found, the Multiple Objects Found dialog box is displayed:

Figure 4-11: Check Names - Multiple Objects Found dialog box

9. Click the required policy in the list.

10. Click OK to save your settings and return to the Policy dialog box.


11. The selected policy is displayed in the Policy field. All other fields in the Policy dialog box are display fields only. The information in these fields is described in the following table:

Table 4-2: Fields in the Policy dialog box

Authentication

• First - displays the first method of authentication that the user is required to enter when he attempts to access the network via the access node. The authentication methods are Token, Defender Password or Active Directory Password.

• Second - displays the second method of authentication that the user is required to enter when he attempts to access the network via the access node. The authentication methods are None, Token, Defender Password or Active Directory Password.

Account

• Lockout Threshold - displays the number of invalid authentication attempts the user can make before his account is locked.

• Lockout Duration - displays the length of time that the account will remain locked when the specified number of failed authentication attempts is reached.

• Auto Reset - displays whether the user's account will be automatically reset when the lockout duration has lapsed.

12. Click OK to save your settings.


13. To establish which security policy will be effective when a specific user attempts to authenticate, click Effective. The Effective Policy dialog box is displayed:

Figure 4-12: Effective Policy dialog box

14. The currently selected Security Server is displayed in the DSS field. This is the Security Server that will process the user’s authentication request. You can, if required, select a different Security Server.

15. In the DAN field, select the Access Node in your network where the user will be prompted to enter authentication credentials.


16. To select a user, click Select. The Select Users dialog box is displayed:

Figure 4-13: Select Users dialog box

17. To specify the object type(s) to be included in the search, click Object Types. The Object Types dialog is displayed. Check the box adjacent to the required object types, then click OK. The Select Users dialog box is displayed.

18. To specify the directory location that will be searched, click Locations. The Locations dialog box is displayed. Select the required directory location, then click OK. The Select Users dialog box is displayed.

19. To search for a specific object name, in the Enter the object names to select field, type the required object name, either in full or in part. Click Check Names. All object names that match the search criteria are displayed. If more than one object name matched your search criteria, a list is displayed. To select an object name, double-click on the required object name. The object name is displayed in the Enter the object names to select field. For more extensive search options, click Advanced.

20. Click OK to return to the Effective Policy dialog box. The effective security policy for the selected user is displayed in the Policy field. The Defender component associated with the effective Security Policy, either Security Server, Access Node, User Group or User, is displayed in the From field.

21. Click Close to return to the Policy dialog box.


For an explanation of the fields in the Security Policy definition in the Effective Policy dialog box, refer to Table 4-2 on page 4-18.

If the effective Security Policy requires the user to authenticate with a token and/or a password, the Use field in the Effective Policy dialog box shows whether the user is in possession of a token and/or password. If the user is not in possession of a token and/or password, this is indicated in red. If the attempt to identify the effective Policy for a user results in the identification of two or more conflicting security policies, this is indicated in the Policy field in the Effective Policy dialog box.
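The Effective Policy dialog box described above answers the question "which policy applies to this user, through this Access Node, and where did it come from?", and flags the case where two or more policies conflict. The following Python script is an added example, not part of this guide or of Quest's software, that reproduces that lookup for a small directory. The guide does not state the order in which the four levels are consulted; the precedence used here (User, then User Group, then Access Node, then Security Server), the data layout and the sample directory are assumptions made for the illustration.

```python
"""Resolve the effective Defender Security Policy for a user (added example, not Quest's code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class PolicyAssignments:
    """Policy names attached at each level; None or a missing key means nothing is attached."""
    server: Optional[str] = None                                         # Security Server policy
    access_nodes: Dict[str, Optional[str]] = field(default_factory=dict)  # Access Node -> policy
    groups: Dict[str, str] = field(default_factory=dict)                 # user group -> policy
    users: Dict[str, str] = field(default_factory=dict)                  # user -> policy
    membership: Dict[str, List[str]] = field(default_factory=dict)       # user -> groups


@dataclass
class EffectivePolicy:
    policy: Optional[str]        # None when nothing applies or when the result is a conflict
    source: Optional[str]        # "User", "User Group", "Access Node" or "Security Server"
    conflicts: List[str] = field(default_factory=list)   # differing group policies, if any


def effective_policy(a: PolicyAssignments, dan: str, user: str) -> EffectivePolicy:
    # 1. A policy set directly on the user wins (assumed precedence).
    if user in a.users:
        return EffectivePolicy(a.users[user], "User")

    # 2. Policies inherited from the user's groups. Two or more different policies
    #    cannot be ordered, so the conflict is reported instead of being guessed away.
    group_policies = sorted({a.groups[g] for g in a.membership.get(user, []) if g in a.groups})
    if len(group_policies) > 1:
        return EffectivePolicy(None, "User Group", group_policies)
    if len(group_policies) == 1:
        return EffectivePolicy(group_policies[0], "User Group")

    # 3. The policy on the Access Node (DAN) the user authenticates through.
    node_policy = a.access_nodes.get(dan)
    if node_policy:
        return EffectivePolicy(node_policy, "Access Node")

    # 4. Finally the Security Server's (DSS) own policy.
    if a.server:
        return EffectivePolicy(a.server, "Security Server")
    return EffectivePolicy(None, None)


# Constructed sample directory for the illustration; names are invented.
SAMPLE = PolicyAssignments(
    server="Default-Token",
    access_nodes={"vpn-node": "VPN-Token-AD", "wifi-node": None},
    groups={"Finance": "Finance-Token-Pwd", "Staff": "Finance-Token-Pwd",
            "Contractors": "Contractor-Token"},
    users={"alice": "Alice-Override"},
    membership={"alice": ["Finance"], "bob": ["Finance", "Staff"],
                "carol": ["Finance", "Contractors"], "dave": []},
)

if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        for dan in ("vpn-node", "wifi-node"):
            print(user, dan, effective_policy(SAMPLE, dan, user))
```

Note that bob's two groups carry the same policy name, so no conflict is raised; carol's two groups carry different ones and the result deliberately returns no policy, which mirrors the dialog marking the Policy field rather than silently picking one.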


Changing the RADIUS Payload

To change the RADIUS Payload specified for this Defender Access Node, perform the following steps:

1. From the Users and Computers tree, select Defender then select Access Nodes.

2. Right click on the required Access Node.

3. Select Properties from the menu.

4. The accessnodename Properties - Access Node dialog box is displayed.

5. Click the RADIUS Payload tab. The RADIUS Payload dialog box is displayed:

Figure 4-14: servername Properties - RADIUS Payload dialog box

6. Click Select. The RADIUS Payload definitions are displayed.

7. Double-click on the required RADIUS Payload.


8. Click OK. The selected payload is displayed in the Payload field on the accessnodename Properties - RADIUS Payload dialog box:

Figure 4-15: accessnodename Properties - RADIUS Payload dialog box

9. To inherit a RADIUS Payload from the Defender Security Server(s) to which this Access Node is assigned, check the Inherit payload entries from parent checkbox. For further information, refer to RADIUS Payload on page 3-4.


10. To establish which RADIUS Payload definition will be effective when a specific user is authenticated, click Effective. The Effective Payload dialog is displayed:

Figure 4-16: Effective Payload dialog

11. The currently selected Security Server is displayed in the DSS field. This is the Security Server that will authenticate the user. You can, if required, select a different Security Server.

12. In the DAN field, select the Access Node through which the user will attempt to authenticate.


13. To select a user, click Select. The Select Users dialog box is displayed:

Figure 4-17: Select Users dialog box

14. To specify the object type(s) to be included in the search, click Object Types. The Object Types dialog is displayed. Check the box adjacent to the required object types, then click OK. The Select Users dialog box is displayed.

15. To specify the directory location that will be searched, click Locations. The Locations dialog box is displayed. Select the required directory location, then click OK. The Select Users dialog box is displayed.

16. To search for a specific object name, in the Enter the object names to select field, type the required object name, either in full or in part. Click Check Names. All object names that match the search criteria are displayed. If more than one object name matched your search criteria, a list is displayed. To select an object name, double-click on the required object name. The object name is displayed in the Enter the object names to select field. For more extensive search options, click Advanced.

17. Click OK to return to the Effective Payload dialog. The effective payload for the selected user is displayed in the Payload field.

18. Click Close to return to the securityservername Properties - RADIUS Payload dialog box.

Chapter 5: Security Policy Configuration

Creating a New Defender Security Policy

To create a new Defender Security Policy, click the Defender OU and then right-click Policies.

1. From the menu, select New.

2. Select Defender Policy from the list.

3. The New Object - Defender Policy (name and description) dialog box is displayed.

Figure 5-1: New Object - Defender Policy (name and description) dialog box

4. In the Name field, type a name for this policy.

5. In the Description field, type a description for this policy.


6. Click Next to continue. The New Object - Defender Policy (authentication method) dialog box is displayed:

Figure 5-2: New Object - Defender Policy (authentication method) dialog box

7. In the Method field, click the arrow and select an authentication method from the list. The authentication method determines the credentials that the user must enter when he attempts to authenticate. If you select:

• Token - the user must use a challenge/response or response only token

• Defender Password - the user must enter a valid Defender password

• Active Directory Password - the user must enter a valid Active Directory password

• Token with Defender Password - the user must use a challenge/response or response only token and enter a valid Defender password

• Token with Active Directory Password - the user must use a challenge/response or response only token and enter a valid Active Directory password.

8. In the Logon Attempts field, select the number of times that the user can attempt to logon. If the number of unsuccessful logon attempts exceeds the specified limit, the violation count for the user’s account is incremented. For further information, refer to Step 15 on page 5-4.


9. If the user will use the token response more than once, check the Use Synchronous tokens as Event tokens checkbox. This option is for use with the Defender Go-1, Defender Go-3, Digipass Pro 260 and Digipass Pro 300 tokens. The response generated by these tokens changes every 36 seconds. If the Use Synchronous tokens as Event tokens checkbox is checked, the user can use a token response more than once to log on to more than one system, without generating a new response if the entire logon process takes less than 36 seconds. The time limit for multiple use of the token response is specified in the API.

10. Check the Allow logon with expired password checkbox if the user is allowed to logon using their Active Directory password, even if the password has expired. To use this option, you must select Active Directory Password or Token with Active Directory Password in the Method field, as described in Step 7 on page 5-2.

11. Click Next to continue. The New Object - Defender Policy (second authentication method) dialog box is displayed:

Figure 5-3: New Object - Defender Policy (second authentication method) dialog box

12. In the Method field, click the arrow and select an authentication method from the list. This is the second authentication method that the user must enter when he attempts to authenticate.


If you do not want to specify an additional authentication method, select None. For a description of the authentication methods and the fields in this dialog box, refer to Step 7 on page 5-2.

13. Click Next. The New Object - Defender Policy (account lockout) dialog box is displayed.

Figure 5-4: New Object - Defender Policy (account lockout) dialog box

14. To enable the user’s account to be locked out if the specified number of unsuccessful logon attempts is exceeded, check the Enable Account Lockout checkbox.

15. In the Lockout after n violations field, specify the maximum number of violations allowed before the user’s account is locked. The violation count is incremented each time the user performs the number of unsuccessful logon attempts specified in the Logon Attempts field in the New Object - Defender Policy dialog box described in Step 8 on page 5-2.

16. To lock the user’s Windows account if the specified number of violations is reached, check the Lockout Windows account after indicated violations checkbox.


Note: To use this option, you must ensure that Windows account lockout is enabled in Domain Security Policy and/or Domain Controller Security Policy.

17. To specify that a locked account can be unlocked by an Administrator only, check the Locked accounts must be unlocked by an Administrator checkbox.

18. In the Lockout duration field, specify the time in minutes that the user’s account will remain locked after exceeding the maximum number of unsuccessful authentication attempts. If this value is 0, the account must be unlocked by an administrator. The account lockout period starts from the time the maximum number of invalid logon attempts is exceeded. If the user attempts to logon while the account is locked, the account lockout period will be effective from the time of the most recent logon attempt.

19. To reset the count of unsuccessful logon attempts to zero when the user performs a successful logon, check the Automatically reset account after successful login checkbox.

20. Click Next to continue. The New Object - Defender Policy (password and PIN expiry) dialog box is displayed:

Figure 5-5: New Object - Defender Policy (password and PIN expiry) dialog box


21. If you want Defender passwords to expire after a specified period of time, check the Enable Defender Password Expiry checkbox. This checkbox is only available if you have chosen to authenticate using a Defender password.

22. In the Expire after field, select the number of days that the Defender password will remain valid. When the specified number of days has lapsed, the password will expire.

23. If you want PINs to expire after a specified period of time, check the Enable PIN Expiry checkbox. This checkbox is only available if you have chosen to authenticate with a token that is locked with a PIN.

24. In the Expire after field, select the number of days that the PIN will remain valid. When this period of days has lapsed, the PIN will expire.

25. Click Next. The New Object - Defender Policy (summary) dialog box is displayed:

Figure 5-6: New Object - Defender Policy (summary) dialog box

26. Click Finish to save your settings.
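The lockout settings in steps 8 and 14 to 19 above (and the same settings on the Account tab, described under Account Settings later in this chapter) interact in ways that are easier to see in code than in prose: failed logons accumulate into violations, violations lock the account, a lockout duration of 0 or the administrator-only option means no timeout, an attempt while locked restarts the lockout period, and a successful logon can reset the counters. The following Python simulation is an added example, not part of this guide or of Quest's software. Two points the guide leaves open are treated as assumptions here: the Logon Attempts value counts as one violation when it is reached, and the counters are cleared when a timed lockout lapses. Times are seconds from an arbitrary start; the scenario values are constructed.

```python
"""Simulation of Defender-style account lockout settings (added example, not Quest's code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ADMIN_UNLOCK = float("inf")   # sentinel: locked until an administrator unlocks the account


@dataclass
class LockoutPolicy:
    logon_attempts: int = 3          # Logon Attempts: failures that make up one violation
    enable_lockout: bool = True      # Enable Account Lockout
    lockout_after: int = 3           # Lockout after n violations
    lockout_minutes: int = 30        # Lockout duration; 0 means an administrator must unlock
    admin_unlock_only: bool = False  # Locked accounts must be unlocked by an Administrator
    auto_reset: bool = True          # Automatically reset account after successful login


@dataclass
class AccountState:
    failed_attempts: int = 0
    violations: int = 0
    locked_until: Optional[float] = None   # None: not locked


class LockoutEngine:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy

    def admin_unlock(self, acct: AccountState) -> None:
        """Administrator unlock: clears the lock and both counters."""
        acct.locked_until = None
        acct.failed_attempts = 0
        acct.violations = 0

    def is_locked(self, acct: AccountState, now: float) -> bool:
        if acct.locked_until is None:
            return False
        if now < acct.locked_until:
            return True
        # The lockout duration has lapsed: unlock and clear the counters (assumption).
        self.admin_unlock(acct)
        return False

    def _lock(self, acct: AccountState, now: float) -> None:
        p = self.policy
        if p.admin_unlock_only or p.lockout_minutes == 0:
            acct.locked_until = ADMIN_UNLOCK
        else:
            acct.locked_until = now + p.lockout_minutes * 60

    def attempt(self, acct: AccountState, credentials_ok: bool, now: float) -> str:
        """Process one logon attempt; returns ACCEPT, REJECT or LOCKED."""
        p = self.policy
        if self.is_locked(acct, now):
            # Step 18: the lockout period runs from the most recent logon attempt.
            if acct.locked_until != ADMIN_UNLOCK:
                acct.locked_until = now + p.lockout_minutes * 60
            return "LOCKED"
        if credentials_ok:
            if p.auto_reset:                 # step 19
                acct.failed_attempts = 0
                acct.violations = 0
            return "ACCEPT"
        acct.failed_attempts += 1
        if acct.failed_attempts >= p.logon_attempts:
            acct.failed_attempts = 0
            acct.violations += 1             # step 15: one violation per exhausted attempt budget
            if p.enable_lockout and acct.violations >= p.lockout_after:
                self._lock(acct, now)
                return "LOCKED"
        return "REJECT"


def run_scenario(policy: LockoutPolicy, events: List[Tuple[float, bool]]) -> List[str]:
    """Feed (time, credentials_ok) events for one account and return the outcome of each."""
    engine = LockoutEngine(policy)
    acct = AccountState()
    return [engine.attempt(acct, ok, t) for t, ok in events]


if __name__ == "__main__":
    # Constructed scenario: 2 attempts per violation, lock after 2 violations, 10-minute lockout.
    policy = LockoutPolicy(logon_attempts=2, lockout_after=2, lockout_minutes=10)
    events = [(0, False), (1, False), (2, False), (3, False), (100, True), (650, True), (1300, True)]
    print(run_scenario(policy, events))
    # ['REJECT', 'REJECT', 'REJECT', 'LOCKED', 'LOCKED', 'LOCKED', 'ACCEPT']
```

The scenario shows the detail in step 18 that catches people out: the correct password at t=100 and again at t=650 does not help, because each attempt while locked moves the end of the lockout period forward, and only the attempt after the last window has lapsed succeeds.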


Changing Policy Properties

Policy Properties includes the following tabs:

• Policy - enables you to configure a Defender Security Policy

• Account - enables you to change user account lockout information

• Expiry - enables you to specify expiry details for the Defender password and token PIN

• Logon Hours - enables you to configure the times that a user is permitted to logon

• Mobile Provider - enables you to specify the details of your mobile service provider

• Access Categories - provides backward compatibility with Defender 4 and allows you to specify which Defender Agents a user can access

• Security - allows you to add and remove groups/users and set administrative permissions.

To change a Defender Security Policy, perform the following steps:

1. Select the Defender OU from the Active Directory tree.

2. Select Policies.

3. Right-click on the required policy.

4. Select Properties from the menu.

5. The policyname Properties - Policy dialog box is displayed.


Figure 5-7: policyname Properties – Policy dialog box

The fields in the policyname Properties - Policy dialog box are described in the following table:

Table 5-1: Fields in the policyname Properties - Policy dialog box

• Description - displays the description for this policy. To change the description, click in the Description field and type the new description.

Authentication methods

• Use - displays the first authentication method used with this policy. To change the first authentication method, click the arrow in the Use field and select an authentication method from the list. The available authentication methods are Token, Defender Password, Active Directory Password, Token with Defender Password, Token with Active Directory Password and Active Directory Password (Rollout Mode). For further information on the Active Directory Password (Rollout Mode) option, contact Customer Support.

• Logon Attempts - displays the number of unsuccessful logon attempts that the user can make. If the number of unsuccessful logon attempts exceeds the specified limit, the violation count for the user's account is incremented. For further information, refer to Account Settings on page 5-11. To change the number of logon attempts, use the arrows or type the required number in the Logon Attempts field.

• Use Synchronous tokens as Event tokens - if checked, enables the user to use the token response more than once. This option is for use with Defender Go-1, Defender Go-3, Digipass Pro 260 and Digipass Pro 300 tokens. The response generated by these tokens changes every 36 seconds. If the Use Synchronous tokens as Event tokens checkbox is checked, the user can use a token response more than once to log on to more than one system, without generating a new response, if the entire logon process takes less than 36 seconds. The time limit for multiple use of the token response is determined in the API.

• Followed By - displays the second authentication method used with this policy. To change the second authentication method, click the arrow in the Followed By field and select the required authentication method from the list. The available authentication methods are Token, Defender Password, Active Directory Password, Token with Defender Password and Token with Active Directory Password.

• Logon Attempts - displays the number of unsuccessful logon attempts that the user can make. If the number of unsuccessful logon attempts exceeds the specified limit, the violation count for the user's account is incremented. For further information, refer to Account Settings on page 5-11. To change the number of logon attempts, use the arrows or type the required number in the Logon Attempts field.

• Use Synchronous tokens as Event tokens - if checked, enables the user to use the token response more than once. This option is for use with Defender Go-1, Defender Go-3, Digipass Pro 260 and Digipass Pro 300 tokens. The response generated by these tokens changes every 36 seconds. If the Use Synchronous tokens as Event tokens checkbox is checked, the user can use a token response more than once to log on to more than one system, without generating a new response, if the entire logon process takes less than 36 seconds. The time limit for multiple use of the token response is determined in the API.

6. If you have made any changes in the Policy dialog box, click OK to save your settings.

Page 141: Defender Installation and Administration Guideworlddownloads.quest.com.edgesuite.net/Repository/support.quest...Defender Installation and Administration Guide Updated ... Figure 2-5

Administration 5-11

Account Settings

The Account dialog box enables you to change the account lockout details for this Security Policy. Click the Account tab to display the Account dialog box:

Figure 5-8: policyname Properties – Account dialog box

The fields in the policyname Properties - Account dialog box are described in the following table:

Table 5-2: Fields in the policyname Properties - Account dialog box

• Enable Account Lockout - if checked, the user's Defender account is locked out after the number of violations specified in the Lockout after n violations field. To disable account lockout, uncheck the checkbox.

• Lockout after n violations - if the number of violations incurred by the user reaches the number specified in this field, the user's Defender account is locked.

• Lockout Windows account after indicated violations - if checked, the user's Windows account will be locked when the number of violations reaches the number specified in the Lockout after n violations field. If the Windows account is locked, the user is unable to logon to their Windows account locally or remotely via Defender.

• Locked accounts must be unlocked by an Administrator - if checked, a locked account can be unlocked by an Administrator only.

• Lockout duration n minutes - the number of minutes that a locked account will remain locked. To change the lockout duration, use the arrows or type the required number of minutes in the Lockout duration n minutes field.

• Automatically reset account after successful login - the violations count is reset to zero when the user performs a successful logon.

If you have made any changes in the Account dialog box, click OK to save your settings.


Expiry Settings

The Expiry dialog box enables you to specify the expiry details for the Defender password and token PIN. These settings only apply if authentication requires a Defender password and/or a PIN protected token. Click the Expiry tab to display the Expiry dialog box:

Figure 5-9: policyname Properties – Expiry dialog box

1. To specify that the Defender password will expire after a specified number of days, check the Enable Defender Password Expiry checkbox.

2. In the Expire after nn days field, specify the number of days that will lapse before the password expires.

3. To specify that the PIN for the token will expire after a specified number of days, check the Enable PIN Expiry checkbox.

4. In the Expire after nn days field, specify the number of days that will lapse before the PIN expires.


5. To allow the user to authenticate to Defender, even if their Active Directory password has expired, check the Allow authentication with expired Active Directory password checkbox. To use this option, you must select Active Directory Password or Token with Active Directory Password in the Use field on the Policy tab. Refer to Table 5-1 for further information.

6. To enable the user to change an expired Active Directory password, check the Allow expired Active Directory password to be changed checkbox. This setting can only be used if the method used by the user to communicate with Defender also supports the password change option.

7. Click OK to save your settings.
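
The lockout counters on the Account tab (Table 5-2) and the Defender password and PIN expiry settings above combine into one decision at each authentication attempt. The following Python model, added here as an illustration and not part of Defender or this guide, replays a sequence of attempts against those settings: failed attempts count as violations, the account locks when the threshold is reached, a timed lock releases after the lockout duration while an administrator-only lock does not, a successful logon resets the count, and an expired Defender password or PIN is reported before the logon succeeds. All class and function names are this example's own, and the rule that a released timed lock restarts the violation count from zero is an assumption, since the guide does not say what happens to the count when the lockout duration lapses.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


# Constructed model of the settings on the Account tab (Table 5-2) and the
# Expiry tab. Field names are this example's own, not Defender's.
@dataclass
class SecurityPolicy:
    enable_lockout: bool = True                # Enable Account Lockout
    lockout_after_violations: int = 3          # Lockout after n violations
    lockout_duration_minutes: int = 30         # Lockout duration n minutes
    admin_unlock_only: bool = False            # Locked accounts must be unlocked by an Administrator
    reset_on_success: bool = True              # Automatically reset account after successful login
    password_expiry_days: Optional[int] = 90   # Defender Password Expiry, Expire after nn days (None = off)
    pin_expiry_days: Optional[int] = None      # PIN Expiry, Expire after nn days (None = off)


@dataclass
class AccountState:
    violations: int = 0
    locked_at: Optional[datetime] = None
    password_set_at: Optional[datetime] = None
    pin_set_at: Optional[datetime] = None


def refresh_lock(policy: SecurityPolicy, state: AccountState, now: datetime) -> None:
    """Release a lock whose duration has elapsed. Administrator-only locks never
    time out. Assumption of this example: a released lock also restarts the
    violation count from zero."""
    if state.locked_at is None or policy.admin_unlock_only:
        return
    if now >= state.locked_at + timedelta(minutes=policy.lockout_duration_minutes):
        state.locked_at = None
        state.violations = 0


def admin_unlock(state: AccountState) -> None:
    """What an administrator's manual unlock does to the account."""
    state.locked_at = None
    state.violations = 0


def expired(set_at: Optional[datetime], expiry_days: Optional[int], now: datetime) -> bool:
    """A credential expires expiry_days after it was set; None means expiry is disabled."""
    if expiry_days is None or set_at is None:
        return False
    return now >= set_at + timedelta(days=expiry_days)


def evaluate(policy: SecurityPolicy, state: AccountState, now: datetime, credentials_ok: bool) -> str:
    """Outcome of one authentication attempt against the Defender password/PIN:
    'locked', 'denied', 'password_expired', 'pin_expired' or 'ok'.
    Active Directory password expiry (Expiry tab steps 5 and 6) is outside this model."""
    refresh_lock(policy, state, now)
    if state.locked_at is not None:
        return "locked"                        # attempts while locked are not counted
    if not credentials_ok:
        state.violations += 1
        if policy.enable_lockout and state.violations >= policy.lockout_after_violations:
            state.locked_at = now
            return "locked"
        return "denied"
    if expired(state.password_set_at, policy.password_expiry_days, now):
        return "password_expired"
    if expired(state.pin_set_at, policy.pin_expiry_days, now):
        return "pin_expired"
    if policy.reset_on_success:
        state.violations = 0
    return "ok"


def run_scenario(policy: SecurityPolicy, state: AccountState,
                 attempts: List[Tuple[datetime, bool]]) -> List[str]:
    """Replay a sequence of (time, credentials_ok) attempts and collect the outcomes."""
    return [evaluate(policy, state, when, ok) for when, ok in attempts]


if __name__ == "__main__":
    # Constructed sequence: three failures, a correct password while locked, and one after the lock lapses.
    t0 = datetime(2024, 1, 1, 9, 0)
    state = AccountState(password_set_at=t0 - timedelta(days=10))
    attempts = [(t0, False), (t0 + timedelta(minutes=1), False),
                (t0 + timedelta(minutes=2), False), (t0 + timedelta(minutes=10), True),
                (t0 + timedelta(minutes=40), True)]
    for (when, _), outcome in zip(attempts, run_scenario(SecurityPolicy(), state, attempts)):
        print(f"{when:%H:%M} {outcome}")
```

Running the file prints the outcome of the constructed five-attempt sequence: three failures lock the account, a correct password ten minutes later is still refused, and the attempt after the 30-minute lockout duration succeeds. The Active Directory password options in steps 5 and 6 depend on the connecting agent and are not modelled.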


Mobile Provider Settings

Defender SMS enables you to use your cell phone to receive a token response from Defender. The Mobile Provider dialog box enables you to specify mobile provider information.

The policyname Properties – Mobile Provider dialog box is displayed:

Figure 5-10: policyname Properties – Mobile Provider dialog box

Table 5-3: Fields in the policyname Properties - Mobile Provider dialog box

Field Name / Description

Provider Type
    Click the arrow in this field to select the required mobile provider.

URL
    Type the URL of the Service Provider.

[USERID]
    Type the user ID required to access the Service Provider’s web site.

[PASSWORD]
    Type the password required to access the Service Provider’s web site.

Keyword
    Type the keyword that the user will enter during the authentication procedure. During authentication, the mobile token user is prompted to enter the keyword. The user will receive a token response on their mobile phone only if the keyword is provided during the authentication procedure.

POST Data
    Enter the information that will be sent to the Service Provider at the URL specified in the URL field above. If you require assistance with the POST data configuration for your Service Provider, contact Customer Support.

If you have made any changes in the Mobile Provider dialog box, click OK to save your settings.

Access Category Settings

Access Categories provide backward compatibility with Defender 4. Access Categories are used by Defender 4 to determine which agents a user can access. When an agent is installed, it is assigned an access category. Before a user can access that agent, you must give the user the same access category as the agent. An agent can belong to only one access category, while an access category can contain more than one agent. You can select from 26 (A-Z) access categories.


To configure Access Categories, click the Access Categories tab. The Access Categories dialog box is displayed:

Figure 5-11: Access Categories dialog box

1. To select a category, check the box adjacent to the required category letter. To select all categories, click Select All. To de-select a category, uncheck the box adjacent to the required category letter. To de-select all currently selected categories, click Clear All. To invert your selections, i.e. to clear every category currently selected and select every category currently cleared, click Invert.

2. To save your settings, click OK.


Security Settings

The Security dialog box enables you to specify Active Directory access rights and permissions for groups or individual users. This dialog box is only displayed if the Advanced option is selected in Active Directory. To select the Advanced option, click View on the Active Directory menu bar and then click Advanced in the list.

Figure 5-12: policyname Properties - Security dialog box


Logon Hours Settings

The Logon Hours dialog box enables you to specify the time of day and day(s) of the week that the user is allowed to logon. The default setting permits logon at all times.

Figure 5-13: policyname Properties - Logon Hours dialog box

Denied Logon Hours

To specify the hours when logon is not permitted, follow the steps below:

1. Select the time slot during which you want to deny logon.

2. Select the Logon denied option button. The time slot you selected is shown in white. To deny logon across a range of time slots, click the earliest time slot, drag the pointer across to the latest time slot in the range, then select the Logon denied option button. All time slots in the range are shown in white.

3. Click Apply to save your settings and remain in the Logon Hours tab. Alternatively, click OK to save your settings and return to Active Directory.


Additional Options

To permit logon at anytime, click Permit all.

To deny logon at all times, click Deny all.

To invert your selected time slots for logon permitted and logon denied, click Invert.
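
The Logon Hours tab is a grid of one-hour slots for each day of the week, with Permit all, Deny all and Invert acting on the whole grid. As an added example (not code from Defender or this guide), the Python class below keeps the same 7 x 24 grid, supports the range selection, Permit all, Deny all and Invert operations described above, and answers the question the Security Server has to answer at logon time: is this slot permitted? The class, its method names and the business_hours sample schedule are this example's own constructions.

```python
from datetime import datetime
from typing import List, Tuple

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]   # index matches datetime.weekday()
HOURS = 24


class LogonHours:
    """7 x 24 grid of one-hour slots: True = logon permitted, False = logon denied.
    A new grid permits logon at all times, like the Logon Hours tab's default."""

    def __init__(self) -> None:
        self.grid = [[True] * HOURS for _ in DAYS]

    def _row(self, day: str) -> List[bool]:
        if day not in DAYS:
            raise ValueError(f"unknown day {day!r}; expected one of {DAYS}")
        return self.grid[DAYS.index(day)]

    def set_range(self, day: str, first_hour: int, last_hour: int, permitted: bool) -> None:
        """Mark the slots first_hour..last_hour (inclusive) on one day, the equivalent
        of dragging across a range and choosing Logon permitted or Logon denied."""
        if not 0 <= first_hour <= last_hour < HOURS:
            raise ValueError("need 0 <= first_hour <= last_hour <= 23")
        row = self._row(day)
        for hour in range(first_hour, last_hour + 1):
            row[hour] = permitted

    def deny(self, day: str, first_hour: int, last_hour: int) -> None:
        self.set_range(day, first_hour, last_hour, False)

    def permit(self, day: str, first_hour: int, last_hour: int) -> None:
        self.set_range(day, first_hour, last_hour, True)

    def permit_all(self) -> None:
        self.grid = [[True] * HOURS for _ in DAYS]

    def deny_all(self) -> None:
        self.grid = [[False] * HOURS for _ in DAYS]

    def invert(self) -> None:
        """Swap permitted and denied for every slot (the Invert button)."""
        self.grid = [[not slot for slot in row] for row in self.grid]

    def is_permitted(self, when: datetime) -> bool:
        """The check an authentication server makes for a logon at time `when`."""
        return self.grid[when.weekday()][when.hour]

    def denied_slots(self) -> List[Tuple[str, int]]:
        return [(DAYS[d], h) for d, row in enumerate(self.grid)
                for h, ok in enumerate(row) if not ok]

    def render(self) -> str:
        """Text picture of the grid: '#' permitted, '.' denied (the white slots in the dialog)."""
        header = "    " + "".join(str(h % 10) for h in range(HOURS))
        rows = [f"{DAYS[d]} " + "".join("#" if ok else "." for ok in row)
                for d, row in enumerate(self.grid)]
        return "\n".join([header] + rows)


def business_hours() -> LogonHours:
    """Constructed sample schedule: logon only Monday to Friday, 08:00 to 17:59."""
    lh = LogonHours()
    lh.deny_all()
    for day in DAYS[:5]:
        lh.permit(day, 8, 17)
    return lh


if __name__ == "__main__":
    print(business_hours().render())
```

render() prints the grid with '.' for denied slots, the text equivalent of the white slots in the dialog, so a schedule can be reviewed before it is applied.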

Defining the RADIUS Payload

To define the RADIUS payload:

1. Open the Defender OU.

2. Right click RADIUS Payload.

3. Select New.

4. The New Object - Defender RADIUS Payload (name and description) dialog box is displayed:

Figure 5-14: RADIUS Payload (name and description) dialog box

5. In the Name field, type a name for this RADIUS Payload.


6. In the Description field, type a description for this RADIUS Payload.

7. Click Next to continue. The New Object - Defender RADIUS Payload (attributes) dialog box is displayed:

Figure 5-15: New Object - Defender RADIUS Payload (attributes) dialog box

8. To apply attributes to this RADIUS payload, click Add. The RADIUS Payload Attributes dialog box is displayed.

9. In the Attribute Id field, click the arrow to display a list of attribute Ids. Select the required attribute Id from the list. The attribute Ids and their values are described in Table 5-4, Radius Payload Attributes on page 5-22.


Table 5-4: Radius Payload Attributes

Attribute / Value

6:Service Type
    Indicates the framing to be used for framed access.
    1 - Login
    2 - Framed
    3 - Callback Login
    4 - Callback Framed
    5 - Outbound
    6 - Administrative
    7 - NAS Prompt
    8 - Authenticate only
    9 - Callback NAS Prompt
    10 - Call Check
    11 - Callback Administrative
    12 - Voice
    13 - Fax
    14 - Modem Relay
    15 - IAPP-Register
    16 - IAPP-AP-Check
    17 - Authorize Only

7:Framed-Protocol
    Indicates the framing to be used for framed access.
    1 - PPP
    2 - SLIP
    3 - Apple Talk Remote Access Protocol (ARAP)
    4 - Gandalf proprietary SingleLink/MultiLink protocol
    5 - Xylogics proprietary IPX/SLIP
    6 - X.75 Synchronous
    7 - GPRS PDP Context

8:Framed-IP-Address
    Indicates the address to be configured for the user.
    0xFFFFFFFF - NAS should allow the user to select an address
    0xFFFFFFFE - NAS should select an address for the user
    Otherwise, enter the specific value the user is to use as the user’s IP address.

9:Framed-IP-Netmask
    Indicates the IP Netmask address to be configured for the user when the user is a router to a network. Specify the Netmask IP Address in the Address field.

10:Framed-Routing
    Indicates the routing method for the user when the user is a router to a network.
    0 - None
    1 - Send routing packets
    2 - Listen for routing packets
    3 - Send and Listen

11:Filter-Id
    Indicates the name of the filter list for this user. Specify that the Filter-Id will include:
    • individual groups, or
    • all groups
    of which the user is a member. The default is all groups. When the user has been successfully authenticated by the Defender Security Server, groups that include the authenticated user’s ID are returned to the NAS.

12:Framed-MTU
    Indicates the maximum transmission unit to be configured for the user when it is not negotiated by some other means (such as PPP). Specify the required transmission unit in the Value field.

13:Framed-Compression
    Indicates a compression protocol to be used for the link.
    0 - None
    1 - VJ TCP/IP header compression
    2 - IPX header compression
    3 - Stac-LZS compression

14:Login-IP-Host
    Indicates the system with which to connect the user, when the Login-Service attribute is included.
    0xFFFFFFFF - NAS should allow the user to select an address
    0 - NAS should select a host to connect the user to
    Otherwise, enter the specific value for the address the NAS should connect the user to.

25:Class
    Available to be sent by the server to the client in an Access-Accept and should be sent unmodified by the client to the accounting server as part of the Accounting-Request packet if accounting is supported. Specify that the Class will include:
    • individual groups, or
    • all groups
    of which the user is a member. The default is all groups. When the user has been successfully authenticated by the Defender Security Server, groups that include the authenticated user’s ID are returned to the NAS that initiated the authentication request.

26:Vendor Specific
    A method for communicating vendor-specific information between Network Access Servers and RADIUS servers. Attribute 26 encapsulates vendor specific attributes, allowing vendors to support their own extended attributes otherwise not suitable for general use.

26:Vendor Specific (Groups)

Custom
    In the Attribute Id field, type an attribute Id for this customized attribute. In the Type field, click the arrow to select the attribute type, either: Text, Integer, Hex or IP Address.

Note: For further information about RADIUS Payload attributes, go to:

www.rfc-editor.org/cgi-bin/rfcdoctype.pl?loc=RFC&letsgo=2865&type=ftp&file_format=txt


10. Click OK to return to the Defender RADIUS Payload (attributes) dialog box. The selected attribute Id and value are displayed:

Figure 5-16: New Object - Defender RADIUS Payload (attributes) dialog box

11. Click OK. The New Object Defender RADIUS Payload (summary) dialog box is displayed:


Figure 5-17: RADIUS Payload Attributes (summary) dialog box

12. Click Finish to save your settings and return to the AD Users and Computers tree.
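
Each entry in Table 5-4 is an attribute that the Defender Security Server returns to the NAS in the Access-Accept, and RFC 2865 (linked in the note under the table) fixes how such an attribute is laid out on the wire: a one-byte Type, a one-byte Length that counts the whole attribute, and the Value, with attribute 26 wrapping a four-byte Vendor-Id and a nested vendor attribute. The Python below is an added example, not Defender's code, that encodes the table's attribute Ids in that form and decodes them back while checking the Length fields, which is the check a RADIUS client or a packet inspection tool has to make before trusting a payload. The vendor id 123456 and the group names are constructed values, and sending one Filter-Id attribute per group is this example's assumption; the guide does not state how Defender packs the group list.

```python
import ipaddress
import struct
from typing import List, Tuple, Union

# Attribute Ids from Table 5-4; the numbers are the RFC 2865 attribute types.
SERVICE_TYPE, FRAMED_PROTOCOL, FRAMED_IP_ADDRESS, FRAMED_IP_NETMASK = 6, 7, 8, 9
FRAMED_ROUTING, FILTER_ID, FRAMED_MTU, FRAMED_COMPRESSION = 10, 11, 12, 13
LOGIN_IP_HOST, CLASS, VENDOR_SPECIFIC = 14, 25, 26

Value = Union[int, str, bytes, ipaddress.IPv4Address]


def encode_attr(attr_id: int, value: Value) -> bytes:
    """One attribute in RFC 2865 Type / Length / Value form.
    Integers and IPv4 addresses become 4 bytes (so 0xFFFFFFFF and 0xFFFFFFFE from the
    table are plain integers), str is sent as UTF-8 text, bytes are sent as given."""
    if not 0 <= attr_id <= 255:
        raise ValueError("attribute type must fit in one byte")
    if isinstance(value, bool):
        raise TypeError("use an integer code, not a bool")
    if isinstance(value, int):
        if not 0 <= value <= 0xFFFFFFFF:
            raise ValueError("integer attribute value must fit in 32 bits")
        payload = struct.pack("!I", value)
    elif isinstance(value, ipaddress.IPv4Address):
        payload = value.packed
    elif isinstance(value, str):
        payload = value.encode("utf-8")
    elif isinstance(value, bytes):
        payload = value
    else:
        raise TypeError(f"unsupported value type {type(value).__name__}")
    if not 1 <= len(payload) <= 253:      # Length is one byte and includes the 2-byte header
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_id, len(payload) + 2) + payload


def encode_vsa(vendor_id: int, vendor_type: int, value: Value) -> bytes:
    """Attribute 26: a 4-byte Vendor-Id followed by the vendor's own Type/Length/Value."""
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + encode_attr(vendor_type, value))


def decode_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk a run of attributes, rejecting truncated or impossible Length fields
    instead of reading past the end of the buffer."""
    attrs, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 2:
            raise ValueError("truncated attribute header")
        attr_id, length = data[offset], data[offset + 1]
        if length < 3:
            raise ValueError(f"attribute {attr_id}: length {length} below the minimum of 3")
        if offset + length > len(data):
            raise ValueError(f"attribute {attr_id}: length {length} runs past the end of the data")
        attrs.append((attr_id, bytes(data[offset + 2:offset + length])))
        offset += length
    return attrs


def decode_vsa(value: bytes) -> Tuple[int, List[Tuple[int, bytes]]]:
    """Split a Vendor-Specific value into its Vendor-Id and the nested vendor attributes."""
    if len(value) < 4:
        raise ValueError("Vendor-Specific value shorter than the 4-byte Vendor-Id")
    return struct.unpack("!I", value[:4])[0], decode_attrs(value[4:])


def is_well_formed(data: bytes) -> bool:
    """True when every Length field in the data is consistent with the buffer."""
    try:
        decode_attrs(data)
    except ValueError:
        return False
    return True


def groups_as_filter_ids(groups: List[str]) -> bytes:
    """Assumption of this example: the groups returned for Filter-Id are sent as one
    attribute per group name; the table does not specify the wire format."""
    return b"".join(encode_attr(FILTER_ID, g) for g in groups)


if __name__ == "__main__":
    # Constructed Access-Accept payload: Framed service over PPP, NAS picks the address, 1500-byte MTU.
    payload = (encode_attr(SERVICE_TYPE, 2) + encode_attr(FRAMED_PROTOCOL, 1)
               + encode_attr(FRAMED_IP_ADDRESS, 0xFFFFFFFE) + encode_attr(FRAMED_MTU, 1500)
               + groups_as_filter_ids(["vpn-users"])
               + encode_vsa(123456, 1, "group=admins"))   # 123456 is a made-up vendor id
    for attr_id, raw in decode_attrs(payload):
        print(attr_id, raw.hex())
```

Run as a script, the block builds a constructed Access-Accept payload (Service Type 2 - Framed, Framed-Protocol 1 - PPP, Framed-IP-Address 0xFFFFFFFE so the NAS selects the address, Framed-MTU 1500, one Filter-Id and one Vendor-Specific attribute) and lists the decoded attribute Ids with their raw values in hex.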


6 Security Server Configuration

Creating a New Defender Security Server

To create a new Defender Security Server object, click on the Defender OU, then right click on Security Servers.

1. From the menu, select New.

2. Select Defender Security Server from the list.

3. The New Object – Defender Security Server (name and description) dialog box is displayed:

Figure 6-1: New Object – Security Server (name and description) dialog box

4. In the Name field, type the name for this Defender Security Server.


5. In the IP Address field, type the IP Address of the machine where this Defender Security Server is located.

6. In the Description field, type a description of this Defender Security Server.

7. Click Next to continue. The New Object – Defender Security Server (prompts) dialog box is displayed:

Figure 6-2: New Object – Defender Security Server (prompts) dialog box

This dialog box lists the prompts that will be displayed to the user as appropriate during the authentication process. The prompts cannot be changed in this dialog box. If you want to change the prompts, refer to Changing the Prompts on page 6-13.

8. Click Next to continue. The New Object – Defender Security Server (summary) dialog box is displayed:


Figure 6-3: New Object – Defender Security Server (summary) dialog box

9. Click Finish to save your settings.

Changing Defender Security Server

Defender Security Server Properties includes the following tabs:

• Security Server - enables you to configure a Defender Security Server

• Prompts - enables you to view and change the prompts displayed to the user during the authentication process

• Policy - enables you to configure a Defender Security Policy

• RADIUS Payload - enables you to configure the RADIUS Payload. When a user has successfully authenticated, the Defender Security Server returns the RADIUS Payload information to the Access Node that initiated the user authentication request

• Security - allows you to add and remove groups/users and set administrative permissions.


To configure a Defender Security Server, perform the following steps:

1. Select the Defender OU from the Active Directory tree.

2. Select Security Servers.

3. Right-click the required Defender Security Server.

4. Select Properties from the menu.

5. The securityservername Properties - Security Server dialog box is displayed:

Figure 6-4: securityservername Properties - Security Server dialog box


Note: For any changes you make to the Defender Security Server configuration to take effect, you must click Apply. The Security Server will automatically refresh the data. The indicator lamp located in the top left-hand corner of the Defender Security Server dialog box is red while the Defender Security Server is refreshing the data. When the data has been refreshed, a green lamp is displayed.

The fields in the securityservername Properties - Security Server dialog box are described in the following table:

Table 6-1: Fields in the securityservername Properties - Security Server dialog box

Field Name / Displays the

Address
    IP address of the machine where the Defender Security Server is located. To change the IP address, click in the Address field and type the new IP address.

Description
    Description for this Defender Security Server. To change the description, click in the Description field and type the new description for this Defender Security Server.

Version
    Version number of the Defender Security Server.

Assigned Access Nodes
    Names of the Access Nodes through which users will be allowed to authenticate to this Defender Security Server.

    To assign an Access Node:

    1. Click Assign. The Select Defender Access Nodes dialog box is displayed:

    Figure 6-5: Select Defender Access Nodes dialog box

    2. Double-click the required Access Node in the list. The selected Access Node is displayed in the lower window.

    3. Click OK to return to the securityservername Properties - Security Server dialog box.

    To remove an Access Node:

    1. In the securityservername Properties - Security Server dialog box, click on the required Access Node in the Assigned Access Nodes table.

    2. Click Unassign. The selected Access Node is removed from the Assigned Access Nodes table. Click OK to save your settings and return to the Users and Computers tree.


If you have made any changes in the securityservername Properties - Security Server dialog box, click OK to save your settings and return to the Users and Computers tree.

Assigning a Defender Policy

To assign a Defender Security Policy to a Defender Security Server, perform the following steps:

1. Select the Defender OU from the Users and Computers tree.

2. Select Security Servers.

3. Right-click on the required Defender Security Server.

4. Select Properties from the menu.

5. The securityservername Properties - Security Server dialog box is displayed:

Figure 6-6: securityservername Properties - Security Server dialog box


6. Select the Policy tab. The securityservername Properties - Policy dialog box is displayed:

Figure 6-7: securityservername Properties - Policy dialog box

7. Click Select. The Select Defender Policies dialog box is displayed:


Figure 6-8: Select Defender Policies dialog box

8. Double-click the required policy. The selected policy is displayed in the lower window.

9. Click OK to save your settings and return to the securityservername Properties - Policy dialog box.

10. To establish which security policy will be effective when a specific user attempts to authenticate, click Effective. For further information about the effective policy, refer to Defender Access Node Overview on page 3-4. The Effective Policy dialog is displayed:


Figure 6-9: Effective Policy dialog

11. The currently selected Security Server is displayed in the DSS field. This is the Security Server that will authenticate the user. You can, if required, select a different Security Server.

12. In the DAN field, select the Access Node through which the user will attempt to authenticate.


13. To select a user, click Select. The Select Users dialog box is displayed:

Figure 6-10: Select Users dialog box

14. To specify the object type(s) to be included in the search, click Object Types. The Object Types dialog is displayed. Check the box adjacent to the required object types, then click OK. The Select Users dialog box is displayed.

15. To specify the directory location that will be searched, click Locations. The Locations dialog box is displayed. Select the required directory location, then click OK. The Select Users dialog box is displayed.

16. To search for a specific object name, in the Enter the object names to select field, type the required object name, either in full or in part. Click Check Names. All object names that match the search criteria are displayed. If more than one object name matched your search criteria, a list is displayed. To select an object name, double-click on the required object name. The object name is displayed in the Enter the object names to select field. For more extensive search options, click Advanced.

17. Click OK to return to the Effective Policy dialog. The effective security policy for the selected user is displayed in the Policy field. The Defender element associated with the effective security policy, either Security Server, Access Node, User Group or User, is displayed in the From field.

18. Click Close to return to the Policy dialog.


Note: If the effective security policy requires the user to authenticate with a token and/or a password, the Use field on the Effective Policy dialog shows whether the user is in possession of a token and/or password. If the user is not in possession of a token and/or password, this is indicated in red. If the attempt to identify the effective policy for a user results in the identification of two or more conflicting security policies, this is indicated in the Policy field on the Effective Policy dialog.


Changing the Prompts

To change the prompts displayed to the user during the authentication process, perform the following steps:

1. From the Users and Computers tree, select Defender and then select Security Servers.

2. Right click the required Defender Security Server.

3. Select Properties from the menu.

4. The securityservername Properties - Security Server dialog box is displayed.


5. Select the Prompts tab. The securityservername Properties - Prompts dialog box is displayed.

Figure 6-11: servername Properties - Prompts dialog box

6. Click on the prompt you want to change. The prompt is displayed in the lower window.

7. In the lower window, click in the prompt and type the required text.

8. Click Update to save the prompt.

9. Click OK to return to the Users and Computers tree.


Changing the RADIUS Payload

To change the RADIUS Payload information specified for this Defender Security Server, perform the following steps:

1. From the Users and Computers tree, select Defender then select Security Servers.

2. Right click on the required Defender Security Server.

3. Select Properties from the menu.

4. The securityservername Properties - Security Server dialog box is displayed.

5. Click the RADIUS Payload tab. The RADIUS Payload dialog box is displayed:

Figure 6-12: servername Properties - RADIUS Payload dialog box

6. Click Select. The RADIUS Payload definitions are displayed.


7. Double-click on the required RADIUS Payload.

8. Click OK. The selected payload is displayed in the Payload field on the securityservername Properties - Security Server dialog box:

Figure 6-13: securityservername Properties - RADIUS Payload dialog box


9. To establish which RADIUS Payload definition will be effective when a specific user attempts to authenticate, click Effective. For further information about the effective Payload, refer to RADIUS Payload on page 3-7. The Effective Payload dialog is displayed:

Figure 6-14: Effective Payload dialog

10. The currently selected Security Server is displayed in the DSS field. This is the Security Server that will authenticate the user. You can, if required, select a different Security Server.

11. In the DAN field, select the Access Node through which the user will attempt to authenticate.


12. To select a user, click Select. The Select Users dialog box is displayed:

Figure 6-15: Select Users dialog box

13. To specify the object type(s) to be included in the search, click Object Types. The Object Types dialog is displayed. Check the box adjacent to the required object types, then click OK. The Select Users dialog box is displayed.

14. To specify the directory location that will be searched, click Locations. The Locations dialog box is displayed. Select the required directory location, then click OK. The Select Users dialog box is displayed.

15. To search for a specific object name, in the Enter the object names to select field, type the required object name, either in full or in part. Click Check Names. All object names that match the search criteria are displayed. If more than one object name matched your search criteria, a list is displayed. To select an object name, double-click on the required object name. The object name is displayed in the Enter the object names to select field. For more extensive search options, click Advanced.

16. Click OK to return to the Effective Payload dialog. The effective payload for the selected user is displayed in the Payload field.

17. Click Close to return to the securityservername Properties - RADIUS Payload dialog.


7 Token Configuration

Tokens

This section describes how to:

• import token serial numbers

• display token properties

• assign a token to a user.

For information on the types of token available for use with Defender, refer to Defender Tokens on page 1-4.

Before you can generate and assign Defender Desktop Tokens, you must ensure that your Defender Desktop Token license is installed. For further information, refer to Installing a Defender Desktop Token License on page 2-25.

Importing Defender Token Serial Numbers

The Defender token serial number is used to associate the token with a user and can be used for later reference or for tracking purposes. A list of serial numbers for the tokens that you have purchased is supplied as part of your Defender package. The serial number is also located on the back of hardware tokens.

To import the Defender token serial numbers into the Active Directory:

1. In the Users and Computers tree, click Defender on the menu bar.


2. Select Import Tokens from the menu.

Figure 7-1: Import Tokens option

3. The Welcome to the Defender Token Import Wizard dialog box is displayed:

Figure 7-2: Defender Token Import Wizard Welcome dialog box


4. Click Next. The Defender Import Wizard (File and Key) dialog box is displayed:

Figure 7-3: Defender Import Wizard (File and Key) dialog box

5. Click Browse to navigate to the directory where the file containing the Defender token definitions is located.


6. Click Paste to paste the key into the Key field in the File and Key dialog box:

Figure 7-4: Import Defender Token Definitions (File and Key) dialog box

7. Click Next. The Defender Import Wizard (Available Tokens) dialog box is displayed:

Figure 7-5: Defender Import Wizard (Available Tokens) dialog box


Token types that can be configured to operate in synchronous (response only) or asynchronous (challenge/response) mode are supplied with two records in the .dpx file, one for each mode. To specify the mode that you want the tokens you are importing to operate in, use the Response Only and Challenge Response checkboxes. If required, you can check both boxes to import the response only and challenge/response records for each token.

If you are importing a token type that can be used in synchronous mode only, the Response Only and Challenge Response checkboxes are not displayed.

After you have imported the tokens, refer to Token Details on page 7-13 for specific configuration information for each token. Further information about tokens is available in the Defender Token User Guide.

8. Click Select All to import all available tokens.

9. Click Next. The Defender Import Wizard (Storage Location) dialog box is displayed:

Figure 7-6: Defender Import Wizard (Storage Location) dialog box

10. Click Select to navigate to the location where the imported tokens will be stored. Alternatively, click Next to accept the default location and continue. The Defender Import Wizard (Import Progress) dialog box is displayed:

Figure 7-7: Defender Import Wizard (Import Progress) dialog box

11. Click Next. The Defender Import Wizard (Import Complete) dialog box is displayed:

Figure 7-8: Defender Import Wizard (Defender Import Complete) dialog box

12. Click Finish.

Token Properties

To display token properties, from the Users and Computers tree, click Defender, Tokens, then click the required token type. A list of token serial numbers is displayed in the right-hand window. Select the required token serial number. The Token dialog box is displayed:

Figure 7-9: token Properties (Token) dialog box

The fields in the Token dialog box are described in the following table:

Token Type: displays the type of token selected.

Token Date: for Defender Go-1, Defender Go-3, Digipass Pro 260 and Digipass Pro 300 tokens this field displays the manufacture date of the token. This date enables you to calculate the approximate expiry of the token’s battery. For the Defender Desktop Token, this field displays the activation code expiry date, or indicates that the token has been activated.

Program: click to program the token. The following token types can be programmed:

• ActivIdentity Series

• Defender Handheld Token

• Defender Handheld Token (Manual)

• Defender Handheld Token Plus

• Defender One token

• Defender USB

• Defender Desktop Token

• Defender Mobile.

For further information, refer to Programming Defender Tokens on page 8-1.

Reset: click to synchronize the token with the Defender Security Server.

The token generates a one-time password that is based on an internal time clock and DES keys. For successful authentication, the Defender Security Server must agree with the token's time clock and DES keys.

The token's time clock can drift out of sync with the Defender Security Server clock. If it is out of sync, the user will not be able to use the token for authentication. If access is denied for this reason, the token clock must be synchronized with the Defender Security Server clock.

To synchronize the Defender Security Server with a Defender token:

1. Click Reset. You are asked to confirm that you want to reset the token.

2. Click Yes in the message box.

3. Instruct the user to use their token to generate a one-time password and use it for Defender authentication.

Test: click to verify that the token is programmed correctly and that it is valid for the user. The use of this option requires a dialog between the Defender administrator and the token user.

To test that a Defender token is functioning correctly:

1. Click Test in the Token dialog box. The Test Token dialog box is displayed:

Figure 7-10: Test Token dialog box

2. Ask the user to provide you with the one-time password displayed on the token, type the one-time password in the Response field in the Test Token dialog, and then click Verify. A message indicates whether the token tested successfully. Click OK.

If the token test failed, it is possible that either:

• you entered the response incorrectly

• the token is out of sync.

Recover: enables you to remotely recover a Defender One Token or Defender Handheld Token Plus after it has:

• reached its preset use limit

• been invalidated because the user exceeded the preset number of bad PIN attempts.

Both of these values are defined in the token profile assigned to the user. Recover is also used to reset the passphrase of a Defender Desktop Token.

To recover the token:

1. Select the token you want to recover in the Token Management table.

2. Click Recover. The Recover Token dialog box is displayed.

3. The Unlock Synchronous Token dialog box is displayed.

4. Type the Unlock Challenge obtained from the token, and then click Get Response.

5. Give the response to the user and instruct them to enter it into the token to complete the unlock procedure.

Assigning Tokens

All supported token types can be assigned to one or more users. A user can be assigned one or more tokens.

Assign: click to assign a Defender token to one or more users. The Select Users dialog box is displayed:

1. In the Enter the object names to select field, type the name of the user that you want to assign the token to. Alternatively, type part of the name, then click Check Names to display a list of matching user names. Select the required user name. The selected user is displayed in the Assigned Users table. Repeat Step 1 to assign the token to more than one user.

2. Click OK to save your settings.

Unassign: click to unassign a Defender token from a user or group.

To unassign a token:

1. Select the required token from the Assigned Tokens table.

2. Click Unassign. The details for the token you selected are removed from the Assigned Tokens table.

Note: After you have clicked Unassign, the action cannot be cancelled using the Cancel button.

Token Details

To display token details, from the Users and Computers tree, click Defender, Tokens, then select the required token type. A list of token serial numbers is displayed in the right-hand window. Select the required token serial number. The Token dialog box is displayed. Click the Details tab to display the Details dialog box. The fields on the Details dialog box will vary depending on the type of token selected. The Details dialog box for a Go-1 token is shown below:

Figure 7-11: token Properties (Details) dialog box

The fields on the Details dialog box for Defender Go-1, Defender Go-3, Digipass Pro 260 and Digipass Pro 300 tokens are described in the following table:

Token Type: the type of token. For a list of supported token types, refer to Defender Tokens on page 1-4.

Usage Count: number of times this token has been used for successful authentication.

Last Token Time Used: time of the most recent successful authentication.

Last Token Time Shift: time difference between the token clock and the Defender Security Server clock.

Current Error Count: n/a

Binary Codeword: n/a

Triple DES flag: indicates whether Triple DES is enabled or disabled for this token.

Challenge/Data fields nbr: n/a

Response Length: number of digits included in a response.

Output Type: decimal or hexadecimal.

Checksum Requested Flag: n/a

Time Step used if any: the time interval at which new responses are generated by the token.

The Details dialog box for the Defender Software Token is shown below:

Figure 7-12: Defender Software Token token Properties (Details) dialog box

The fields on the Details dialog box for the Defender Software Token are described in the following table:

Token Type: the type of token. For a list of supported token types, refer to Defender Tokens on page 1-4.

Type: AES, DES or TripleDES.

Response Length: number of digits included in a response.

Response Type: challenge/response or response only.

Response Format: decimal or hexadecimal.

Platform: Windows, Palm, Blackberry, iPaq or Windows Mobile.

Activation Key: the key required to activate this token.

Status: indicates whether this token has been activated.

The Details dialog box for the Defender HandHeld Token is shown below:

Figure 7-13: Defender HandHeld Token token Properties (Details) dialog box

The fields on the Details dialog box for the Defender HandHeld Token are described in the following table:

Token Type: the type of token. For a list of supported token types, refer to Defender Tokens on page 1-4.

Encryption Type: AES, DES or TripleDES.

Response Length: number of digits included in a response.

Response Type: challenge/response or response only.

Response Format: decimal or hexadecimal.

Status: indicates whether this token has been registered.

User Properties

This section describes how to:

• configure a token profile for a user

• assign a security policy to a user.

Defining a Token Profile

To define a token profile, perform the following steps:

1. From the Users and Computers tree, select Defender.

2. Click Users.

3. In the right-hand window, right-click the required user or group.

4. Select Properties from the menu.

5. The username Properties - General dialog box is displayed.

6. Select the Defender tab. The username Properties - Defender dialog box is displayed:

Figure 7-14: username Properties - Defender dialog box

7. To assign a token to this user or group, click Add. The Assign Token To User dialog box is displayed:

Figure 7-15: Assign Token To User dialog box

8. In the Token Serial Number field, type the serial number of the token you want to assign to the user, in full or in part.

9. To restrict the search to tokens that are not assigned to users, check the Show unassigned tokens only checkbox.

10. To search for a specific type of token, click the arrow in the Token Type field and select the token type from the list.

11. Click OK. The Select Defender Tokens dialog box is displayed:

Figure 7-16: Select Defender Tokens dialog box

12. Double-click the required token in the list. The selected token is displayed in the lower window.

13. Click OK to save your selection and return to the Defender dialog box. The selected token is displayed in the Token Management table.

14. Click OK to save your settings.

The fields and buttons in the Defender dialog box are described in the following table:

Table 7-1: Fields and buttons in the Defender dialog box

Field or Button: Description

Token Management: displays the type, serial number and whether the PIN is enabled for the token(s) assigned to this user or group.

Program: click to program the Defender Token for the selected user.

Recover: enables you to remotely reset:

• a Defender One Token or Defender Handheld Token Plus after it has reached its preset use limit, or been invalidated because the user exceeded the preset number of bad PIN attempts. Both of these values are defined in the token profile assigned to the user.

• a Defender Desktop Token passphrase.

To reset the token/passphrase:

1. Select the token you want to recover in the Token Management table.

2. Click Recover.

3. The Unlock Synchronous Token dialog box is displayed.

4. Type the Unlock Challenge supplied by the user, then click Get Response.

5. Give the unlock response to the user and instruct them to enter it on their token/dialog box.
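The lockout and unlock exchange described in the Recover entries above (here and under Token Properties), and the bad-PIN limit of the Erase enabled option in Token Programming, can be modelled end to end. The following is an added example, not Defender's own protocol or code: the token counts consecutive bad PINs and locks itself, shows an Unlock Challenge, the server side computes the response from the token's shared secret (the Get Response step), and the user enters that response into the token. The limits, the 8-digit challenge format and the HMAC-SHA256 derivation of the response are assumptions made so the example runs stand-alone.

```python
import hashlib
import hmac
import secrets

# Assumed limits: five consecutive bad PINs is the figure the guide gives
# for the Erase enabled handheld option; the use limit value is invented.
BAD_PIN_LIMIT = 5
USE_LIMIT = 1000


def unlock_response(secret: bytes, challenge: str) -> str:
    """8-digit response both sides derive from the shared token secret
    (assumed construction, not Defender's)."""
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** 8).zfill(8)


class Token:
    """The user's token: PIN check, lockout, and the unlock procedure."""

    def __init__(self, serial: str, secret: bytes, pin: str):
        self.serial, self._secret, self._pin = serial, secret, pin
        self.bad_pins = 0
        self.uses = 0
        self.locked = False
        self.unlock_challenge = None

    def enter_pin(self, pin: str) -> str:
        """Returns 'OK', 'ERROR' (what the token displays) or 'LOCKED'."""
        if self.locked:
            return "LOCKED"
        if not hmac.compare_digest(pin, self._pin):
            self.bad_pins += 1
            if self.bad_pins >= BAD_PIN_LIMIT:
                self._lock()
                return "LOCKED"
            return "ERROR"
        self.bad_pins = 0
        self.uses += 1
        if self.uses >= USE_LIMIT:      # preset use limit reached
            self._lock()
        return "OK"

    def _lock(self) -> None:
        self.locked = True
        # The challenge is what the user reads off the token to the helpdesk.
        self.unlock_challenge = f"{secrets.randbelow(10 ** 8):08d}"

    def enter_unlock_response(self, resp: str) -> bool:
        """User types the helpdesk's response into the locked token."""
        if not self.locked:
            return False
        expected = unlock_response(self._secret, self.unlock_challenge)
        if not hmac.compare_digest(expected, resp):
            return False
        self.locked, self.bad_pins, self.uses = False, 0, 0
        self.unlock_challenge = None
        return True


class DefenderServer:
    """Holds token secrets by serial number; models the Get Response button."""

    def __init__(self, token_secrets: dict):
        self._secrets = token_secrets

    def get_response(self, serial: str, challenge: str) -> str:
        return unlock_response(self._secrets[serial], challenge)


def recovery_scenario() -> dict:
    """Constructed walk-through: lock a token with bad PINs, then recover it."""
    secret = b"constructed-example-secret"
    token = Token("123456", secret, pin="4321")
    server = DefenderServer({"123456": secret})
    results = [token.enter_pin("0000") for _ in range(BAD_PIN_LIMIT)]
    locked = token.locked
    pin_while_locked = token.enter_pin("4321")            # right PIN, still locked
    wrong_unlock = token.enter_unlock_response("00000000")  # guessed response
    resp = server.get_response(token.serial, token.unlock_challenge)
    unlocked = token.enter_unlock_response(resp)
    return {"pin_results": results, "locked": locked,
            "locked_rejects_pin": pin_while_locked,
            "wrong_unlock_rejected": not wrong_unlock, "unlocked": unlocked,
            "usable_again": token.enter_pin("4321")}


if __name__ == "__main__":
    print(recovery_scenario())
```

The point of the design is that the unlock response is bound to a fresh challenge and to the token's own secret, so a response overheard once cannot unlock the token a second time, and only a party holding the server-side secret (the Defender administrator using Get Response) can produce it.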

Test: click to verify that the token is programmed correctly and that it is valid for the user. The use of this option requires a dialog between the Defender administrator and the token user.

To test that a Defender token is functioning correctly:

1. Click Test in the Tokens dialog box. The Test Token dialog box is displayed:

Figure 7-17: Test Token dialog box

2. Ask the user to provide you with the one-time password displayed on the token, type the one-time password in the Response field in the Test Token dialog, and then click Verify. A message indicates whether the token tested successfully. Click OK.

If the token test failed, it is possible that either:

• you entered the response incorrectly

• the token is out of sync.

Helpdesk: click to:

• re-synchronize the user’s token

• allocate a temporary password to this user.

Figure 7-18: Helpdesk dialog box

Resetting a Token

The Reset button is used to synchronize the Defender Security Server with the Defender Token.

The Defender Token generates a one-time password that is based on an internal time clock and DES keys. For successful authentication, the Defender Security Server must agree with the token's time clock and DES keys.

The token's time clock can become out-of-sync with the Defender Security Server. If this value is out-of-sync, the user will not be able to use the token for authentication. If access is denied, the Defender Token clock must be synchronized with the Defender Security Server clock.

To synchronize the Defender Security Server with a Defender token:

1. Click Reset. You are asked to confirm that you want to reset the token.

2. Click Yes in the message box.

3. Instruct the user to use their token to generate a one-time password and use it for Defender authentication.
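The clock drift and Reset behaviour described above (here under Helpdesk, and earlier under Token Properties) is easiest to see in code. The following is an added example, not Defender's algorithm or code: a time-step token derives a response from a shared secret and its own clock, and the server-side record verifies within a small drift window, stores the observed offset (the Last Token Time Shift field in Token Details), counts successful uses (Usage Count), and, after an administrator Reset, accepts one logon from a much wider window so that the offset is re-learned. Defender uses DES keys; the HMAC-SHA256 derivation, the window sizes and the replay check are assumptions made so the example runs stand-alone.

```python
import hashlib
import hmac
import struct

TIME_STEP = 60        # seconds per response (cf. "Time Step used if any")
NORMAL_WINDOW = 2     # steps of drift tolerated during a normal logon (assumption)
RESET_WINDOW = 50     # steps searched on the first logon after Reset (assumption)


def response(secret: bytes, step: int, digits: int = 6) -> str:
    """Response for one time step (assumed construction, not Defender's)."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


class Token:
    """The user's token: same secret as the server, but its own clock."""

    def __init__(self, secret: bytes, drift_seconds: int = 0):
        self.secret = secret
        self.drift = drift_seconds      # how far the token clock has wandered

    def otp(self, true_time: int) -> str:
        return response(self.secret, (true_time + self.drift) // TIME_STEP)


class ServerTokenRecord:
    """What the Defender Security Server keeps per token serial number."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.time_shift = 0        # cf. "Last Token Time Shift", in steps
        self.usage_count = 0       # cf. "Usage Count"
        self.last_step = -1        # highest step accepted; blocks replay
        self.reset_pending = False

    def reset(self) -> None:
        """Administrator clicked Reset: accept a wide window once."""
        self.reset_pending = True

    def verify(self, otp: str, server_time: int) -> bool:
        base = server_time // TIME_STEP + self.time_shift
        window = RESET_WINDOW if self.reset_pending else NORMAL_WINDOW
        for offset in range(-window, window + 1):
            step = base + offset
            if step <= self.last_step:          # already used: replay
                continue
            if hmac.compare_digest(response(self.secret, step), otp):
                self.time_shift += offset       # re-learn the drift
                self.last_step = step
                self.usage_count += 1
                self.reset_pending = False
                return True
        return False


def drift_scenario() -> dict:
    """Constructed walk-through: a token 20 minutes fast is denied, the
    administrator clicks Reset, the next logon re-synchronizes it."""
    secret = b"constructed-example-secret"
    token = Token(secret, drift_seconds=20 * 60)
    record = ServerTokenRecord(secret)
    t = 1_000_000
    denied = record.verify(token.otp(t), t)               # 20 steps > NORMAL_WINDOW
    record.reset()
    accepted = record.verify(token.otp(t), t)             # wide window after Reset
    next_ok = record.verify(token.otp(t + 60), t + 60)    # normal window now fits
    replayed = record.verify(token.otp(t + 60), t + 60)   # same response again
    return {"denied": denied, "accepted_after_reset": accepted,
            "next_logon_ok": next_ok, "replay_rejected": not replayed,
            "time_shift": record.time_shift, "usage_count": record.usage_count}


if __name__ == "__main__":
    print(drift_scenario())
```

Two things the procedure text does not spell out follow from the code: Reset by itself changes nothing on the server until the user actually authenticates once (which is why step 3 tells them to do so), and the wider post-Reset window is a one-shot relaxation, so it should not be left armed on an account indefinitely.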

Assigning a temporary password

A temporary password can be assigned to a user for a limited period of time. This may be necessary if the user requires access to the system, but does not have their token with them.

To assign a temporary password:

1. Click the arrow in the Expires field and select the period of time that the temporary password will be valid. The default value is 5 hours.

2. To allow the password to be used more than once for authentication, check the Allow password to be used multiple times box. If this box is unchecked, the password can be used only once for authentication.

3. The temporary password is displayed in the Password field. Click Assign to assign the password to the user.

To remove the temporary password settings for this user, click Clear.
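The Expires, Allow password to be used multiple times, Assign and Clear controls described above map onto a small amount of server-side state. The following is an added example, not Defender's implementation: a per-user store that generates the temporary password, keeps only a salted hash, enforces the lifetime, and either consumes the password on first use or allows reuse until it expires. The default 5-hour lifetime is from the text; the password alphabet and length, the PBKDF2 storage and the injected clock are assumptions made so the example runs stand-alone.

```python
import hashlib
import hmac
import secrets
import string

DEFAULT_TTL = 5 * 3600          # "The default value is 5 hours"
ALPHABET = string.ascii_letters + string.digits   # assumed alphabet


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so a copy of the store does not yield usable passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class TemporaryPasswordStore:
    """Per-user temporary passwords with expiry and single/multi-use."""

    def __init__(self):
        self._entries = {}

    def assign(self, user: str, now: int, ttl: int = DEFAULT_TTL,
               multi_use: bool = False) -> str:
        """'Assign': generate a password, keep only its salted hash, and
        return the clear text once so the helpdesk can read it to the user."""
        password = "".join(secrets.choice(ALPHABET) for _ in range(10))
        salt = secrets.token_bytes(16)
        self._entries[user] = {"salt": salt, "hash": _hash(password, salt),
                               "expires": now + ttl, "multi_use": multi_use}
        return password

    def clear(self, user: str) -> None:
        """'Clear': remove the temporary password settings for this user."""
        self._entries.pop(user, None)

    def verify(self, user: str, candidate: str, now: int) -> bool:
        """Check a logon attempt against the user's temporary password."""
        entry = self._entries.get(user)
        if entry is None:
            return False
        if now >= entry["expires"]:            # lifetime elapsed
            self.clear(user)
            return False
        if not hmac.compare_digest(_hash(candidate, entry["salt"]), entry["hash"]):
            return False
        if not entry["multi_use"]:
            self.clear(user)                   # single-use: consumed on success
        return True


if __name__ == "__main__":
    store = TemporaryPasswordStore()
    pw = store.assign("alice", now=0, ttl=3600)
    print(pw, store.verify("alice", pw, now=10), store.verify("alice", pw, now=20))
```

Note that a failed attempt does not consume a single-use password (only a successful one does), but an expired entry is dropped on the first attempt after its lifetime, whether or not the candidate was correct.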

Unassign: click to unassign a Defender token from a user or group.

To unassign a token:

1. Select the required token from the Assigned Tokens table.

2. Click Unassign.

3. You are asked whether you also want to delete the token profile for this user. Click Yes to delete both the token profile and the token assignment. Click No to delete only the token assignment; the token profile remains in the Defender system and can be re-assigned as required.

Note: After you have clicked Unassign, the action cannot be cancelled using the Cancel button.

Add: click to assign a Defender token to one or more users.

To assign a token:

1. Click Add. The Select Defender Tokens dialog box is displayed:

Figure 7-19: Select Defender Tokens dialog box

2. Double-click the required token. The selected token is displayed in the lower window.

3. Click OK to save your settings and return to the Defender dialog box. The selected token is displayed in the Token Management window.

Set PIN: click to set the PIN for this Defender token.

The Set PIN dialog box is displayed:

Figure 7-20: Set PIN dialog box

1. Check the Enable PINs checkbox to enable PINs to be set for this user’s tokens.

2. In the New PIN field, type the new PIN (1 to 8 characters).

3. In the Confirm PIN field, type the new PIN again to confirm that it is correct.

4. If you want this PIN to expire, check the Expire checkbox.

5. Click OK.

Note: The Set PIN option is available for all supported hardware and software tokens, except the Defender Windows Desktop Token.

Password: enables you to specify the Defender password that the user will enter during the authentication process.

The password is only required if Defender Password is selected as the authentication method in either the First or Second field on the Defender Policy dialog box for the Defender Security Policy assigned to this user.

To specify the password:

1. Click Password. The Set Defender Password dialog box is displayed:

Figure 7-21: Set Defender Password dialog box

2. In the Password field, type the password that the user will enter during the authentication process.

3. In the Confirm field, type the password again to confirm it.

4. Click OK to save your settings and return to the Defender dialog box.

Authentication Details: this area of the Defender dialog box contains the following fields and button:

Defender ID: type the Defender ID that will be used by the Defender Security Server to identify the user. This entry is only required if Defender ID is selected in the User ID field for the Access Node assigned to this user. For further information, refer to Creating a New Access Node on page 4-1.

Violation Count: displays the number of violations accumulated by this user. The violation count is incremented each time the user exceeds the specified number of invalid logon attempts. For further information, refer to Creating a New Defender Security Policy on page 5-1.

Reset Count: displays the number of times this account has been reset following an account lockout.

Last Logon: displays the time and date of the last successful logon.

Reset: click to reset the Violation Count to zero and increment the Reset Count.

Assigning a Defender Security Policy to a User

To assign a Defender Security Policy to a user or group of users, perform the following steps:

1. From the Users and Computers tree, select Defender and then Users.

2. Right-click the required user or group of users.

3. Select Properties from the menu.

4. The username Properties - General dialog box is displayed.

5. Select the Policy tab. The Policy dialog box is displayed:

Figure 7-22: username Properties - Policy dialog box

6. Click Select. The Select Defender Policies dialog box is displayed:

Figure 7-23: Select Defender Policies dialog box

7. Double-click the required Defender Security Policy in the list. The selected policy is displayed in the lower window. Alternatively, type the required policy name, in full or in part, in the lower window. Click Check Names. A list of all matching policy names is displayed. Double-click the required policy in the list.

8. Click OK to return to the Policy dialog box. The selected policy is displayed in the Policy field.

Note: To remove a policy from this user profile, click Clear.

9. To establish which security policy will be effective when a specific user attempts to authenticate, click Effective. For further information about the effective policy, refer to Defender Access Node Overview on page 3-4. The Effective Policy dialog is displayed:

Figure 7-24: Effective Policy dialog

10. In the DSS field, select the Defender Security Server that will be used to authenticate the user.

11. The currently selected Access Node is displayed in the DAN field. This is the Access Node through which the user will attempt to authenticate. You can, if required, select a different Access Node.

Changing the RADIUS Payload

To change the RADIUS Payload information specified for this user, perform the following steps:

1. From the Users and Computers tree, double-click Users.

2. In the right-hand window, right-click the required user.

3. Select Properties from the menu.

4. The username Properties - General dialog box is displayed.

5. Click the RADIUS Payload tab. The RADIUS Payload dialog box is displayed:

Figure 7-25: username Properties - RADIUS Payload dialog box

6. Click Select. The RADIUS Payload definitions are displayed.

7. Double-click on the required RADIUS Payload.

8. Click OK. The selected payload is displayed in the Payload field on the username Properties - RADIUS Payload dialog box:

Figure 7-26: username Properties - RADIUS Payload dialog box

9. To inherit RADIUS Payload information from the Access Node(s) to which this user is assigned, check the Inherit payload entries from parent checkbox. For further information, refer to RADIUS Payload on page 3-7.

10. To establish which RADIUS Payload definition will be effective when this user is authenticated, click Effective. For further information about the effective payload, refer to RADIUS Payload on page 3-7.

11. The Effective Payload dialog box is displayed:

Figure 7-27: Effective Payload dialog box

12. The currently selected Security Server is displayed in the DSS field. This is the Security Server that will authenticate the user. You can, if required, select a different Security Server.

13. In the DAN field, select the Access Node through which the user will attempt to authenticate.

8 Token Programming

Programming Defender Tokens

The Defender Token Programming Wizard enables you to program the:

• Defender Handheld Token

• Defender Handheld Token (manual)

• Defender Handheld Token Plus

• Defender One Token

• Defender Desktop Token (Defender Desktop, Blackberry, Palm, Windows Mobile/iPaq)

• Defender Mobile.

Defender Token Programming Wizard

1. To start the Defender Token Programming Wizard, from the Users and Computers tree, click Defender on the menu bar.

2. Select Program Tokens from the menu.

Figure 8-1: Program Tokens option

Alternatively, from the AD Users and Computers page, select Tokens. In the right-hand window, right-click the required token. From the menu, select Properties, then Program.

3. The Defender Token Programming Wizard (Welcome) dialog box is displayed:

Figure 8-2: Defender Token Programming Wizard (Welcome) dialog box

4. Click Next. The Defender Token Programming Wizard (Token Types) dialog box is displayed:

Figure 8-3: Token Programming Wizard (Token Types) dialog box

5. Select the option button for the token type that you want to program, then click Next. For information on the programming procedure for the:

• ActivIdentity Series, contact Customer Support. If you require information on using the ActivIdentity Series Token with Defender, please contact Customer Support.

• Defender Handheld Token, refer to Programming a Defender Handheld Token on page 8-4

• Defender Handheld Token (manual), refer to Manually Programming a Defender Handheld Token on page 8-10

• Defender Handheld Token Plus, refer to Programming a Defender Handheld Token Plus on page 8-16

• Defender One Token, refer to Programming a Defender One Token on page 8-26

• Defender Desktop Token, refer to Programming a Defender Desktop Token on page 8-33

• Defender SMS, refer to Programming a Defender SMS Token on page 8-41.

Programming a Defender Handheld Token

To program the Defender Handheld token:

1. The Defender Token Programming Wizard (Serial Number) dialog box is displayed:

Figure 8-4: Token Programming Wizard (Serial Number) dialog box

2. In the Serial Number field, type the serial number of the Defender Handheld token you want to program. The serial number is found on the back of the token. If you have reached this dialog box via the Defender, Tokens, HandHeld, tokenserialnumber, Program options, the serial number of your token is automatically displayed in the Serial Number field.

3. Click Next. The Defender Token Programming Wizard (Communications Port) dialog box is displayed:

Figure 8-5: Token Programming Wizard (Communications Port) dialog box

4. In the Programming port field, click the arrow to select the port on which the token programming device is connected.

5. Click Next. The Defender Token Programming Wizard (Enhanced Security) dialog box is displayed:

Figure 8-6: Token Programming Wizard (Token Options) dialog box

6. To increase token security, click the arrow in the Erase enabled field and select True. Each time the PIN is incorrectly entered, Error appears in the token’s display. Five consecutive incorrect PIN entries will cause all information stored in the token to be erased. The token must then be re-programmed before it can be used. The default setting is False.

7. In the Response Mode field, click the arrow to select the format that token responses must be typed in, either decimal or hexadecimal. The default setting is decimal.

8. Click Next. The Defender Token Programming Wizard (Confirmation) dialog box is displayed:

Figure 8-7: Token Programming Wizard (Confirmation) dialog box

9. Click Next. The Defender Token Programming Wizard (Programming Progress) dialog box is displayed:

Figure 8-8: Defender Token Programming Wizard (Programming Progress) dialog box

To ensure that the Defender Handheld token is in E0 mode, follow the on-screen instructions. An example dialog is shown below:

Make sure the token is in E0 mode

To do this press the following keys on the token:

ON
0 0 0 0 ENT
0 0 0 0 0 0 0 0 ENT
ENT 0 0 0 0 ENT
0 0 0 0 0 0 0 0 ENT

The token should now be in E0 mode. Press the 'Continue' button on this dialog to program the token.

The token should now be displaying the following checksum: AEFE8D

If programming failed then press the following keys on the token:

0 ENT 314 065 113 206 020 264 061 354 ENT

Press ENT on the token then enter a four digit PIN.

Press ENT again and confirm your PIN.

The token is now programmed.

Press the 'Continue' button.

The token details have been written successfully to Active Directory. Press the 'Continue' button on this dialog to finish.

10. Click Continue. The Defender Token Programming Wizard (Programming Complete) dialog box is displayed:

Figure 8-9: Token Programming Wizard (Programming Complete) dialog box

11. Click Finish to return to the Users and Computers tree.

Manually Programming a Defender Handheld Token

To manually program the Defender Handheld token:

1. The Defender Token Programming Wizard (Serial Number) dialog box is displayed:

Figure 8-10: Token Programming Wizard (Serial Number) dialog box

2. In the Serial Number field, type the serial number of the Defender Handheld token you want to program. The serial number is found on the back of the token. If you are programming a token that is already defined in the Active Directory, the serial number of the selected token is automatically displayed in the Serial Number field.

3. Click Next. The Defender Token Programming Wizard (Token Options) dialog box is displayed:

Figure 8-11: Token Programming Wizard (Token Options) dialog box

4. If you want to increase the token security, click the arrow in the Erase enabled field and select True. Each time the PIN is incorrectly entered, Error appears in the token’s display. Five consecutive incorrect PIN entries will cause all information stored in the token to be erased. The token must then be re-programmed before it can be used.

5. In the Response Mode field, click the arrow to select the format that token responses must be typed in, either decimal or hexadecimal. The default setting is decimal.

6. Click Next. The Defender Token Programming Wizard (Confirmation) dialog box is displayed:

Figure 8-12: Token Programming Wizard (Confirmation) dialog box

7. Click Next. The Defender Token Programming Wizard (Programming Progress) dialog box is displayed:

Figure 8-13: Token Programming Wizard (Programming Progress) dialog box

8. Click Continue. The next dialog displays the DES key that you must enter into the Defender Handheld token:

Figure 8-14: Token Programming Wizard (Programming Progress) dialog box

9. Click Continue.

10. Click Continue. The Defender Token Programming Wizard (Checksum) dialog box is displayed:

Figure 8-15: Token Programming Wizard (Checksum) dialog box

11. In the Checksum field, type the checksum displayed on the Defender Handheld token.

12. Click Continue.

13. On the Defender Handheld token’s keypad, type your PIN. Press ENT.

14. Type your PIN again to confirm that it is correct. Press ENT.

15. Click Continue. The Defender Token Programming Wizard (Programming Complete) dialog box is displayed:

Figure 8-16: Token Programming Wizard (Programming Complete) dialog box

16. Click Finish to return to the Users and Computers tree.

Programming a Defender Handheld Token Plus

To program the Defender Handheld Token Plus:

1. The Defender Token Programming Wizard (Communications Port) dialog box is displayed:

Figure 8-17: Token Programming Wizard (Communications Port) dialog box

2. In the Programming Port field, click the arrow to select the port number to which the token programming device is connected during the token programming procedure.

3. Click Next. The Defender Token Programming Wizard (PIN) dialog box is displayed:

Figure 8-18: Token Programming Wizard (PIN) dialog box

4. In the Initial PIN field, type the PIN that will be entered the first time this token is used.

5. In the Minimum Length field, click the arrow and select the minimum number of digits that the PIN can contain. The PIN must contain between 4 and 8 digits.

6. In the Maximum Length field, click the arrow and select the maximum number of digits that the PIN can contain. The PIN must contain between 4 and 8 digits.

7. In the Weak PIN field, accept the default setting of False if you do not want to allow a weak PIN to be specified. If you want to allow a weak PIN to be specified, click the arrow and select True. Your Defender HandHeld Token Plus is configured to check for weak (easy to guess) PIN codes and reject such PIN codes. A PIN code is considered weak if the distance between subsequent digits is a constant value. For example, 0000, 1234 and 9753 are weak PIN codes. If you entered a weak PIN code, the Defender HandHeld Token Plus displays the ERROR message and then re-displays the NEW PIN message so you can try a different new PIN code.

8. In the Bad PIN attempts field, select the maximum number of times a user can enter an invalid PIN before the token is disabled on the Defender Security Server. Valid entries are 1 through 10, or No limit. If you select No limit, the user can enter a PIN as many times as needed. However, choosing not to have a limit increases the vulnerability of the token to attack.

9. Click Next. The Defender Token Programming Wizard (Display Options) dialog box is displayed:

Figure 8-19: Token Programming Wizard (Display Options) dialog box

10. In the Slot Name field, type the name that will uniquely identify this token to this application. The slot name is only required if this token is used for more than one application.

11. In the Response Format field, click the arrow and select the display format for token responses. The options are Decimal or Hexadecimal.

12. Click Next. The Defender Token Programming Wizard (Token Mode) dialog box is displayed:

Figure 8-20: Token Programming (Token Mode) dialog box

13. In the Token field, click the arrow and select the authentication method for this token, either Synchronous or Challenge/Response.

14. In the Response Length field, click the arrow and select the length of the response for this token, either 24 Bit (8 characters synchronous) or 32 Bit (10 characters synchronous).

15. In the Time window field, click the arrow and select the time difference that is allowed between the time clock in the Defender Security Server and the time clock in the token. The time difference can range from 0 seconds to 24,855.13 days.

16. Click Next. The Defender Token Programming Wizard (Confirmation) dialog box is displayed:

Figure 8-21: Token Programming Wizard (Confirmation) dialog box

17. Click Continue. The Defender Token Programming Wizard (Programming Progress -1) dialog box is displayed:

Figure 8-22: Token Programming Wizard (Programming Progress - 1) dialog box

18. Ensure that the token is inserted into the programmer and switched on. Click Continue to start programming the token.

in the token’s display indicates that communication through the ActivCoupler is occurring.

19. To ensure that the Defender Handheld Token Plus is in E0 mode, follow the on-screen instructions. An example dialog is shown below:

Make sure the token is in E0 mode

To do this press the following keys on the token:

ON
0 0 0 0 ENT
0 0 0 0 0 0 0 0 ENT
ENT 0 0 0 0 ENT
0 0 0 0 0 0 0 0 ENT

The token should now be in E0 mode. Press the 'Continue' button on this dialog to program the token.

The token should now be displaying the following checksum: AEFE8D

If programming failed then press the following keys on the token:

0 ENT 314 065 113 206 020 264 061 354 ENT

Press ENT on the token then enter a four digit PIN.

Press ENT again and confirm your PIN.

The token is now programmed.

Press the 'Continue' button.

The token details have been written successfully to Active Directory. Press the 'Continue' button on this dialog to finish.

20. Click Continue. The Defender Token Programming Wizard (Programming Progress - 2) dialog box is displayed:

Figure 8-23: Token Programming Wizard (Programming Progress - 2) dialog box

21. Click Continue. The Defender Token Programming Wizard (Programming Progress - 3) dialog box is displayed:

Figure 8-24: Token Programming Wizard (Programming Progress - 3) dialog box

22. Click Continue. The Defender Token Programming Wizard (Programming Complete) dialog box is displayed:

Figure 8-25: Token Programming Wizard (Programming Complete) dialog box

23. Click Finish to return to the Users and Computers tree.

Programming a Defender One Token

To program a Defender One token:

1. The Defender Token Programming Wizard (Communications Port) dialog box is displayed:

Figure 8-26: Token Programming Wizard (Communications Port) dialog box

2. In the Programming port field, click the arrow and select the port to which the ActivCoupler is connected.

3. Click Next. The Defender Token Programming Wizard (PIN) dialog box is displayed:

Figure 8-27: Token Programming Wizard (PIN) dialog box

4. In the Initial PIN field, type the PIN that the user will enter the first time this token is used.

5. In the Minimum PIN length field, click the arrow and select the minimum number of digits that can be included in a PIN. The PIN can include a minimum of 1 and a maximum of 8 characters. The default is 4 characters.

6. In the Maximum PIN length field, click the arrow and select the maximum number of digits that can be included in a PIN. The PIN can include a minimum of 1 and a maximum of 8 characters. The default is 8 characters.

7. In the Weak PIN field, select False if you do not want to allow a weak PIN to be specified, for example, a PIN that includes repeated characters which make it easy to guess. To allow a weak PIN to be specified, select True.

8. In the Bad PIN attempts field, click the arrow and select the number of unsuccessful attempts that the user can make when entering the PIN, before the Defender One token is locked.
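Steps 5 through 8 of the Handheld Token Plus wizard and steps 5 through 8 of the Defender One wizard above describe the PIN policy each token enforces (length bounds, weak PIN rejection, bad PIN attempt limit). The following is an added example, not Quest's code, that writes those rules out as checks so the effect of each wizard setting can be seen; the weak PIN tests are our reading of the guide's wording (the token firmware is not public) and all function and class names are ours.

```python
"""PIN policy checks modelled on the Defender token programming wizards.

Handheld Token Plus: PIN is 4 to 8 digits; a PIN is weak when the distance
between consecutive digits is constant (0000, 1234, 9753).
Defender One: PIN is 1 to 8 digits (defaults 4 and 8); a PIN is weak when it
includes repeated characters (read here as: any digit occurs more than once).
Bad PIN attempts: 1 through 10, or None for "No limit".
Added example, not Quest's code; the rules are an interpretation of the guide.
"""
import hmac
from typing import Callable, Optional

DIGITS = set("0123456789")


def weak_constant_step(pin: str) -> bool:
    """Handheld Token Plus rule: every digit-to-digit difference is the same."""
    d = [int(c) for c in pin]
    if len(d) < 2:
        return True  # a lone digit trivially has a constant step
    step = d[1] - d[0]
    return all(b - a == step for a, b in zip(d, d[1:]))


def weak_repeated_digit(pin: str) -> bool:
    """Defender One rule (our reading): some digit appears more than once."""
    return len(set(pin)) < len(pin)


def validate_pin(pin: str, min_len: int, max_len: int, allow_weak: bool,
                 weak_check: Callable[[str], bool]) -> Optional[str]:
    """Return None if the PIN is acceptable, otherwise the reason it is rejected.

    The physical token only shows ERROR and re-displays NEW PIN; the reason
    strings here are for the administrator's benefit.
    """
    if not (1 <= min_len <= max_len <= 8):
        raise ValueError("PIN length bounds must satisfy 1 <= min <= max <= 8")
    if not pin or any(c not in DIGITS for c in pin):
        return "ERROR: PIN must consist of digits only"
    if not (min_len <= len(pin) <= max_len):
        return f"ERROR: PIN must be {min_len} to {max_len} digits"
    if not allow_weak and weak_check(pin):
        return "ERROR: weak PIN"
    return None


def token_plus_validate(pin: str, min_len: int = 4, max_len: int = 8,
                        allow_weak: bool = False) -> Optional[str]:
    """Wizard settings for the Handheld Token Plus (Minimum/Maximum Length, Weak PIN)."""
    if min_len < 4:
        raise ValueError("Handheld Token Plus PINs are 4 to 8 digits")
    return validate_pin(pin, min_len, max_len, allow_weak, weak_constant_step)


def defender_one_validate(pin: str, min_len: int = 4, max_len: int = 8,
                          allow_weak: bool = False) -> Optional[str]:
    """Wizard settings for the Defender One (Minimum/Maximum PIN length, Weak PIN)."""
    return validate_pin(pin, min_len, max_len, allow_weak, weak_repeated_digit)


class PinAttemptCounter:
    """Consecutive bad PIN entries against the configured 'Bad PIN attempts' limit.

    limit is 1..10, or None for 'No limit' (the token is then never disabled,
    which the guide notes increases its exposure to guessing).
    """

    def __init__(self, limit: Optional[int], pin: str) -> None:
        if limit is not None and not 1 <= limit <= 10:
            raise ValueError("Bad PIN attempts must be 1..10 or None (No limit)")
        self.limit = limit
        self._pin = pin
        self.failures = 0
        self.disabled = False

    def attempt(self, entered: str) -> bool:
        """Return True on a correct PIN; a correct entry resets the failure count."""
        if self.disabled:
            return False
        if hmac.compare_digest(entered.encode(), self._pin.encode()):
            self.failures = 0
            return True
        self.failures += 1
        if self.limit is not None and self.failures >= self.limit:
            self.disabled = True
        return False


if __name__ == "__main__":
    for candidate in ("0000", "1234", "9753", "2580", "1123"):
        print(candidate, token_plus_validate(candidate), defender_one_validate(candidate))
```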

9. Click Next. The Defender Token Programming Wizard (Token Mode) dialog box is displayed:

Figure 8-28: Token Programming Wizard (Token Mode) dialog box

10. In the Token field, click the arrow and select the authentication method for this token, either Synchronous or Challenge/Response.

11. In the Response Length field, click the arrow and select the length of the response for this token, either 24 Bit (8 characters synchronous) or 32 Bit (10 characters synchronous).

12. In the Time window field, click the arrow and select the time difference that is allowed between the time clock in the Defender Security Server and the time clock in the token. The time difference can range from 0 seconds to 24,855.13 days.

13. Click Next. The Defender Token Programming Wizard (Confirmation) dialog box is displayed:

Figure 8-29: Token Programming Wizard (Confirmation) dialog box

14. Click Next. The Defender Token Programming Wizard (Programming Progress - 1) dialog box is displayed:

Figure 8-30: Token Programming Wizard (Programming Progress - 1) dialog box

15. Ensure that the token is inserted into the programmer and switched off. Click Continue to start programming the token.

in the token’s display indicates that communication through the ActivCoupler is occurring.

16. Click Continue. The Defender Token Programming Wizard (Programming Progress - 2) dialog box is displayed:

Figure 8-31: Token Programming Wizard (Programming Progress - 2) dialog box

17. Click Continue. The Defender Token Programming Wizard (Programming Progress - 3) dialog box is displayed:

Figure 8-32: Token Programming Wizard (Programming Progress - 3) dialog box

18. Click Continue. The Defender Token Programming Wizard (Programming Complete) dialog box is displayed:

Figure 8-33: Token Programming Wizard (Programming Complete) dialog box

19. Click Finish to return to the Users and Computers tree.

Programming a Defender Desktop Token

To program the Defender Desktop Token:

1. The Defender Token Programming Wizard (Defender Desktop Token Types) dialog box is displayed:

Figure 8-34: Token Programming Wizard (Defender Desktop Token Types) dialog box

2. Select the option button adjacent to the required platform. Note: Only the platforms for which you have a valid user license installed are available in this dialog. The token programming instructions provided in this section apply to all platforms. If you selected either Palm, Blackberry or Windows Mobile/iPaq as the desktop token type, refer to Chapter 8 - Defender Desktop Token in the Defender Token User Guide for further information.

3. The Defender Token Programming Wizard (Token Options) dialog is displayed:

Figure 8-35: Token Programming Wizard (Token Options) dialog

4. The Configure field includes the following options:

• For Old Desktop Token Software (5.2.0.10 or older) - Select this option if your Desktop Token Software is version 5.2.0.10 or older. Go to Step 11 on page 8-35.

• For Desktop Token Software version 5.2.0.11 - Select this option if your Desktop Token Software is version 5.2.0.11.

• All Settings manually - Select this option if your Desktop Token Software is the current version.

Click Next.

5. If you want to specify the number of days within which the user must activate the token, check the Enable time limited token activation box, then specify the number of days within which the user must activate the token. If the user does not activate the token within this time period, the token is invalidated and a new token must be generated.

If you selected For Desktop Token Software version 5.2.0.11 in Step 4 on page 8-34, go to Step 11 on page 8-35.

6. To ensure the user is aware that he has entered an incorrect passphrase, check the Alert user when incorrect passphrase entered box. For this option to be effective, you must also check the User is required to have passphrase box, described in Step 9 on page 8-35.

7. To lock the user’s token after a specified number of incorrect passcode entries, check the Enable passphrase locking box.

8. In the Lock passphrase after n incorrect attempts box, specify the number of incorrect passphrase entries the user can make before the token is locked.

9. To specify that the user must have a passphrase, check the User is required to have passphrase box.

10. To ensure that the user chooses a passphrase that is difficult for others to guess, check the User must use ‘strong’ passphrase box.

11. Click Next.

12. The Defender Token Programming Wizard (Select Token Mode) dialog box is displayed:

Figure 8-36: Token Programming Wizard (Select Token Mode) dialog box

13. In the Token Mode box, select an option button to select the required token mode, either Synchronous (response only) or Challenge/Response.

14. In the Encryption Strength box, select an option button to select the encryption strength for the Defender Desktop Token, either Defender SNK Encryption, AES Encryption, Triple DES Encryption or OATH Compliant HMAC/SHA1.

15. In the Response Length box, select an option button to select the length of the response that will be issued by the Defender Desktop Token.

16. Click Next. The Defender Token Programming Wizard (Select Users) dialog box is displayed:

Figure 8-37: Token Programming Wizard (Select Users) dialog box

Note: This dialog is not displayed if you use the Program button on the username Properties, Defender page.

To add a user to the Selected Users box, click Add Users. The Select Users dialog box is displayed:

Figure 8-38: Token Programming Wizard (Select Users) dialog box

To specify the directory location that will be searched, click Locations. The Locations dialog box is displayed. Select the required directory location, then click OK. The Select Users dialog box is displayed. To search for a specific object name, in the Enter the object names to select field, type the required object name, either in full or in part. Click Check Names. All object names that match the search criteria are displayed. If more than one object name matched your search criteria, a list is displayed. To select an object name, double-click the required object name. The object name is displayed in the Enter the object names to select field. For more extensive search options, click Advanced.

17. Click Next. The Defender Token Programming Wizard (Checking User License) dialog box is displayed:

Figure 8-39: Token Programming Wizard (Checking User License) dialog box

18. In the Licensing Information box, the Allocated field, Maximum Allocation field and Licenses required field are display only fields:

• Allocated - number of licenses currently allocated to users

• Maximum Allocation - maximum number of user licenses available, including licenses already allocated to users

• Licenses required - number of additional user licenses you will need in order to allocate a license to each selected user.

Click Next. The Defender Token Programming Wizard (Save Activation Codes) dialog box is displayed:

Figure 8-40: Token Programming Wizard (Save Activation Codes) dialog box

When the Defender Desktop Token is used for the first time, the user is required to enter an activation code. You can specify in the Save Activation Codes dialog, how the activation code will be saved and then distributed to the user. To save the Defender Desktop Token activation code to a file, select either:

• Single File - all activation codes are saved to a single file

• File per user - separate files are created for each user.

You can either accept the default location in which to save the file, or click Browse to choose a different location. To append the activation code to the end of any existing information in the selected file, check the Append activation codes to existing file checkbox. If the Append activation codes to existing file checkbox is not checked, the contents of the selected file will be overwritten.

19. Click Next. The Defender Token Programming Wizard (Complete) dialog box is displayed:

Figure 8-41: Token Programming Wizard (Complete) dialog box

Defender Desktop Token Activation

Defender Desktop Tokens must be activated by the user before they can be used for authentication. To enable the user to activate the token, you must make available:

• the Defender Desktop Token software (available from the Quest download site and usually installed on the user’s desktop)

• the location of the file containing the activation key for the user’s Defender Desktop Token.

For further information, refer to Chapter 8 - Defender Desktop Token of the Defender Token User Guide.

Programming a Defender SMS Token

To program the Defender SMS Token:

1. The Defender Token Programming Wizard (Select Token Mode) dialog box is displayed:

Figure 8-42: Token Programming Wizard (Select Token Mode) dialog box

2. In the Token Mode box, select the Synchronous option button to set the token mode.

3. In the Encryption Strength box, select an option button to select the encryption strength for the Defender Desktop Token, either Defender SNK Encryption, AES Encryption or Triple DES Encryption.

4. In the Response Length box, select an option button to select the length of the response that will be issued by the Defender Desktop Token.

5. Click Next. The Defender Token Programming Wizard (Select Users) dialog box is displayed:

Figure 8-43: Token Programming Wizard (Select Users) dialog box

6. To add a user to the Selected Users box, click Add Users. The Select Users dialog box is displayed:

Figure 8-44: Token Programming Wizard (Select Users) dialog box

To specify the object type(s) to be included in the search, click Object Types. The Object Types dialog box is displayed. Check the box adjacent to the required object types, then click OK. The Select Users dialog box is displayed.

To specify the directory location that will be searched, click Locations. The Locations dialog box is displayed. Select the required directory location, then click OK. The Select Users dialog box is displayed. To search for a specific object name, in the Enter the object names to select field, type the required object name, either in full or in part. Click Check Names. All object names that match the search criteria are displayed. If more than one object name matched your search criteria, a list is displayed. To select an object name, double-click on the required object name. The object name is displayed in the Enter the object names to select field. For more extensive search options, click Advanced.

7. Click Next. The Defender Token Programming Wizard (Checking User License) dialog box is displayed:

Figure 8-45: Token Programming Wizard (Checking User License) dialog box

8. In the Licensing Information box, the Allocated field, Maximum Allocation field and Licenses required field are display only fields:

• Allocated - number of licenses currently allocated to users

• Maximum Allocation - maximum number of user licenses available, including licenses already allocated to users

• Licenses required - number of additional user licenses you will need in order to allocate a license to each selected user.

9. Click Next. The Defender Token Programming Wizard (Complete) dialog box is displayed:

Figure 8-46: Token Programming Wizard (Complete) dialog box

Distributing Defender Tokens

Before using the Defender token, the user needs the following information from you:

• user ID

• initial PIN (this is only required if you have set PINs for some or all of the Defender tokens).

Defender Desktop Token Activation

Defender Desktop Tokens must be activated by the user before they can be used for authentication.

For further information, refer to Chapter 8 - Defender Desktop Token in the Defender Token User Guide.

Defender Self-Registration Service

This section describes how you can use the Defender Self-Registration Service to tell Defender which Defender token you will use to identify yourself when you log on.

This Service can be used to register Defender Go-x tokens. The token type is specified during installation of the Self-Registration Service.

Registering a Defender Token

To register a Defender Go-x token, perform the following steps:

1. If you are authorized to use this Service and have a new Defender Go-x token, point your browser at the location where the Self-Registration Service is installed. The Defender token Self-Registration Wizard starts.

2. Click Next. The Defender Self-Registration Service - Step 1 dialog box is displayed.

3. In the Serial number field, type the serial number of the Defender token you want to register. The serial number is located on the back of the token.

4. Click Next. The Defender Self-Registration Service - Step 2 dialog box is displayed.

5. Open your Defender token to display the 6-digit dynamic password. Type the dynamic password into the Value displayed field.

6. Click Next. The Defender Self-Registration Service - Step 3 dialog box is displayed.

7. If you are using a PIN, type your new PIN into the PIN field. The length of the PIN depends upon your Defender configuration. Contact your administrator for assistance.

8. Click Next. The Defender Self-Registration Service - Step 4 dialog box is displayed to confirm that you have successfully registered your token. The Defender token registration procedure is now complete.

Token Event Logging

Token events performed by the Defender Administrator, such as assigning a token to a user, assigning a Defender password to a user, setting a token PIN, etc., can be logged to the Defender event log for auditing purposes if required.

The Defender event log can be viewed using the Windows Event Viewer.

The Defender event log may include the messages shown in the table below:

Table 8-1: Defender Event Log Messages

ID Message

1000 Token tokenname assigned to user username

1001 Failed to assign token tokenname to user username, error (messageID) messagetext

1002 Defender Password assigned to user username

1003 Failed to assign Defender Password to user username, error (messageID) messagetext

1004 Set PIN on token tokenname assigned to user username

1005 Failed to set PIN on token tokenname assigned to user username, error (messageID) messagetext

1006 Set temporary response on token tokenname assigned to user username

1007 Failed to set temporary response on token tokenname assigned to user username, error (messageID) messagetext

1008 Cleared temporary response on token tokenname assigned to user username

1009 Failed to clear temporary response on token tokenname assigned to user username, error (messageID) messagetext

1010 Modified data of token tokenname assigned to user username

1011 Failed to modify data of token tokenname assigned to user username, error (messageID) messagetext

1012 Token tokenname unassigned from user username

1013 Failed to unassign token tokenname from user username, error (messageID) messagetext

1014 Defender Password unassigned from user username

1015 Failed to unassign Defender Password from user username, error (messageID) messagetext

where:

tokenname is the distinguished name of the token.

username is the distinguished name of the user.

messageID is the message ID.

messagetext is the descriptive text of the message.

Enabling Defender Event Logging

To enable logging to the Defender event log, create the Registry key shown below:

Key: HKEY_LOCAL_MACHINE\SOFTWARE\PassGo Technologies\Defender\Defender AD MMC
Value name: LoggingEnabled
Type: REG_DWORD
Data: 1

Log messages are written to the local event log and the event log on the PDC emulator. To allow all authenticated users to write to the PDC's event log, you must edit the existing Registry key as shown below:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Defender
Value name: CustomSD
Data: (A;;0x3;;;NU)
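As an added illustration of how the Table 8-1 messages can be consumed for auditing (this is example code written for this section, not part of Defender or of the guide), the Python below turns each message template into a parser, classifies events as successes or failures, and groups failed token operations by user distinguished name. It also includes a helper that adds the CustomSD access control entry quoted above to an existing SDDL descriptor instead of replacing the descriptor; that append-only behaviour, the sample distinguished names and the error codes are assumptions made for the example.

```python
import re
from collections import Counter

# Message templates from Table 8-1. {token} and {user} are distinguished names,
# {msgid} and {msgtext} the error ID and text appended to the failure messages.
TEMPLATES = {
    1000: "Token {token} assigned to user {user}",
    1001: "Failed to assign token {token} to user {user}, error ({msgid}) {msgtext}",
    1002: "Defender Password assigned to user {user}",
    1003: "Failed to assign Defender Password to user {user}, error ({msgid}) {msgtext}",
    1004: "Set PIN on token {token} assigned to user {user}",
    1005: "Failed to set PIN on token {token} assigned to user {user}, error ({msgid}) {msgtext}",
    1006: "Set temporary response on token {token} assigned to user {user}",
    1007: "Failed to set temporary response on token {token} assigned to user {user}, error ({msgid}) {msgtext}",
    1008: "Cleared temporary response on token {token} assigned to user {user}",
    1009: "Failed to clear temporary response on token {token} assigned to user {user}, error ({msgid}) {msgtext}",
    1010: "Modified data of token {token} assigned to user {user}",
    1011: "Failed to modify data of token {token} assigned to user {user}, error ({msgid}) {msgtext}",
    1012: "Token {token} unassigned from user {user}",
    1013: "Failed to unassign token {token} from user {user}, error ({msgid}) {msgtext}",
    1014: "Defender Password unassigned from user {user}",
    1015: "Failed to unassign Defender Password from user {user}, error ({msgid}) {msgtext}",
}


def _template_to_regex(template):
    """Turn a Table 8-1 template into an anchored regex with a named group per placeholder."""
    parts = re.split(r"\{(\w+)\}", template)  # literal, name, literal, name, ...
    pattern = "".join(re.escape(p) if i % 2 == 0 else f"(?P<{p}>.+?)" for i, p in enumerate(parts))
    return re.compile("^" + pattern + "$")


_PATTERNS = {event_id: _template_to_regex(t) for event_id, t in TEMPLATES.items()}


def parse_event(event_id, message):
    """Return the message fields plus an 'outcome' key, or None if the text does not fit the ID."""
    pattern = _PATTERNS.get(event_id)
    match = pattern.match(message) if pattern else None
    if not match:
        return None
    fields = match.groupdict()
    fields["event_id"] = event_id
    fields["outcome"] = "failure" if TEMPLATES[event_id].startswith("Failed") else "success"
    return fields


def summarize(events):
    """Count outcomes and collect failed token operations per user DN for audit review."""
    counts = Counter()
    failures = {}
    for event_id, message in events:
        parsed = parse_event(event_id, message)
        if parsed is None:
            counts["unparsed"] += 1
            continue
        counts[parsed["outcome"]] += 1
        if parsed["outcome"] == "failure":
            failures.setdefault(parsed["user"], []).append(
                (event_id, parsed["msgid"], parsed["msgtext"]))
    return counts, failures


def ensure_custom_sd_ace(sddl, ace="(A;;0x3;;;NU)"):
    """Add the guide's CustomSD access control entry to an SDDL string's DACL if it is missing.

    Appending to an existing descriptor rather than replacing it is this example's choice
    (an assumption); the guide shows only the ACE itself.
    """
    if ace in sddl:
        return sddl
    dacl_start = sddl.find("D:")
    if dacl_start == -1:
        return sddl + "D:" + ace
    sacl_start = sddl.find("S:", dacl_start)  # keep any SACL section after the DACL
    if sacl_start == -1:
        return sddl + ace
    return sddl[:sacl_start] + ace + sddl[sacl_start:]


# Constructed sample events (IDs from Table 8-1; DNs and error codes are made up).
SAMPLE_EVENTS = [
    (1000, "Token CN=Tok001,OU=Tokens,DC=example,DC=com assigned to user CN=Jane Doe,OU=Users,DC=example,DC=com"),
    (1004, "Set PIN on token CN=Tok001,OU=Tokens,DC=example,DC=com assigned to user CN=Jane Doe,OU=Users,DC=example,DC=com"),
    (1001, "Failed to assign token CN=Tok002,OU=Tokens,DC=example,DC=com to user CN=Bob Lee,OU=Users,DC=example,DC=com, error (5) Access is denied"),
    (1002, "Defender Password assigned to user CN=Bob Lee,OU=Users,DC=example,DC=com"),
    (1013, "Failed to unassign token CN=Tok003,OU=Tokens,DC=example,DC=com from user CN=Bob Lee,OU=Users,DC=example,DC=com, error (2) Token not found"),
]

if __name__ == "__main__":
    counts, failures = summarize(SAMPLE_EVENTS)
    print(dict(counts))
    for user, items in failures.items():
        print(user, items)
    print(ensure_custom_sd_ace("O:BAG:SYD:(A;;0x7;;;BA)"))
```

Run as a script it prints the summary for the constructed events; in practice the (event ID, message) pairs would come from the Defender log as shown in Windows Event Viewer or from an export of it, and the odd-numbered failure events are the ones worth reviewing first.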


9 Migration

This section describes how to migrate users from earlier versions of Defender to Defender 5.3.

What is Migrated?

The migration procedure attempts to match all active user accounts in your existing Defender database with Defender 5.3 user accounts in the Microsoft Active Directory. If a matching Defender 5.3 user account is found in the Active Directory, the token and policy details from your existing Defender user accounts will be imported.

Defender Versions

Defender token information can be migrated from Defender versions 3.x and 4.x to Defender 5.3.


Migration Options

The migration service allows you to:

• simulate user migration: perform a simulated user migration before you perform the actual migration.

• migrate users: perform an actual migration procedure, updating the Defender 5.3 user accounts in the Active Directory as appropriate.

• produce a detailed migration report.


Migrating User Accounts

To perform the migration procedure:

1. From the Active Directory Users and Computers page, click Defender on the menu bar.

Figure 9-1: AD Users and Computers page - Migrate Defender 4 Users


2. From the dropdown menu, select Migrate Defender 4 Users. The Defender Migration Wizard (Welcome) page is displayed:

Figure 9-2: Defender Migration Wizard (Welcome) page

3. Click Next. The Defender Migration Wizard (Search Options) dialog box is displayed:

Figure 9-3: Defender Migration Wizard (Search Options) dialog box


4. Click Locations to choose the location in the Active Directory to be searched for matching user names.

5. In the User ID field, click the arrow to select the attribute to match user IDs against. The options are Defender ID, User Principal Name, SAM Account Name or Proper Name.

6. Click Next. The Defender Migration Wizard (DSS Connection Settings) dialog box is displayed:

Figure 9-4: Defender Migration Wizard (DSS Connection Settings) dialog box

7. In the DSS IP Address or DNS Name field, type the IP address of the Defender Security Server from which the Defender user account information will be migrated.

8. In the DSS port number field, type the port number assigned to the Defender Security Server. The default is 2626.

9. In the Management DES Key field, enter the Management DES key for the Defender Security Server. A Management DES (Data Encryption Standard) key is associated with the Defender Security Server and is used to ensure that communications are secure.


10. Click Next. The Defender Migration Wizard (Database Connection) dialog box is displayed:

Figure 9-5: Defender Migration Wizard (Database Connection) dialog box

If you are not migrating SNK type tokens from Defender 4 into Defender 5, or do not want to include the specific token description for each token, click Next, then go to Step 11 on page 9-7. If you click Next, any SNK tokens migrated from Defender 4 into Defender 5 are described as Defender Handheld.

If you are migrating SNK type tokens from Defender 4 into Defender 5 and want the token description, either Software Token or Defender Handheld Token as appropriate, included in the list of migrated tokens in Defender 5, ensure that you have configured the connection to the Defender 4 SQL database in the ODBC Data Source Administrator, then click Connect. You must now specify the File Data Source and Machine Data Source information. For further information, refer to Chapter 13 - Migration in the Defender Installation Guide for version 4. The Defender Migration Wizard will now connect to the Defender 4 SQL database.


11. The Defender Migration Wizard (Search for user records) dialog box is displayed:

Figure 9-6: Defender Migration Wizard (Search for user records) dialog box

12. Click Next. The Defender Migration Wizard (Options) dialog box is displayed:

Figure 9-7: Defender Migration Wizard (Options) dialog box


13. If you want to perform a simulated migration, click Next. If you want to perform an actual user migration, click the Migrate users radio button.

14. Click Next. The Defender Migration Wizard (Reimport) dialog box is displayed:

Figure 9-8: Defender Migration Wizard (Reimport) dialog box

15. If you have performed the migration procedure previously and do not want to overwrite the token and profile details for matching Defender 5.3 user accounts, click Next. If you have performed the migration procedure previously and want to overwrite the token details for matching Defender 5.3 user accounts, click the Yes radio button. Then click Next.


16. If you have chosen to perform the actual migration procedure, go to Step 18 on page 9-11. If you have chosen to simulate the migration procedure, the Defender Migration Wizard (Migrating Records (Simulated)) dialog box is displayed:

Figure 9-9: Defender Migration Wizard (Migrating Records (Simulated)) dialog box


17. On completion of the simulated migration procedure, the Defender Migration Wizard (Migration Complete) dialog box is displayed:

Figure 9-10: Defender Migration Wizard (Migration Complete) dialog box

Go to Step 20 on page 9-13.


18. If you have chosen to perform the actual migration procedure, the Defender Migration Wizard (Migrating Records) dialog box is displayed:

Figure 9-11: Defender Migration Wizard (Migrating Records) dialog box


19. On completion of the actual migration procedure, the Defender Migration Wizard (Migration Complete) dialog box is displayed:

Figure 9-12: Defender Migration Wizard (Migration Complete) dialog box


20. To view the Migration report, click View Report. The migration report is displayed:

Figure 9-13: Defender 4 - 5 Migration (Simulated) Report

21. To save the report, click Save Report.
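The procedure above (match each active legacy account to a Defender 5.3 account by the attribute chosen in Step 5, simulate first, then migrate, with the Step 15 reimport option deciding whether accounts that already carry token details are overwritten) can be modelled in a few dozen lines. The following Python is an added example written for this guide, not Quest's migration code: the LegacyUser and AdUser record shapes, the policy names and the report layout are assumptions, and a real run would read its records from the Defender 4 database and from Active Directory rather than from the constructed lists at the bottom.

```python
from dataclasses import dataclass


@dataclass
class LegacyUser:
    """User record from a Defender 3.x/4.x database (constructed shape, not the real schema)."""
    user_id: str
    token: str
    policy: str
    active: bool = True


@dataclass
class AdUser:
    """Defender 5.3 user account in Active Directory (constructed shape)."""
    dn: str
    defender_id: str = ""
    upn: str = ""
    sam_account_name: str = ""
    proper_name: str = ""
    token: str = ""
    policy: str = ""


# The four matching attributes offered by the wizard's User ID field (Step 5).
MATCH_ATTRIBUTES = {
    "Defender ID": "defender_id",
    "User Principal Name": "upn",
    "SAM Account Name": "sam_account_name",
    "Proper Name": "proper_name",
}


def migrate(legacy_users, ad_users, match_on="SAM Account Name", simulate=True, reimport=False):
    """Match legacy users to AD accounts and (unless simulating) copy token and policy details.

    simulate=True  -> report only, nothing is written (the wizard's default in Step 13).
    reimport=True  -> overwrite details on accounts that already carry a token (Step 15, "Yes").
    Returns a report dict in the spirit of the wizard's migration report.
    """
    attr = MATCH_ATTRIBUTES[match_on]
    index = {}
    for ad_user in ad_users:
        key = getattr(ad_user, attr).lower()
        if key:
            index.setdefault(key, ad_user)  # first account wins on duplicate attribute values

    report = {"migrated": [], "skipped_existing": [], "unmatched": [], "inactive": []}
    for legacy in legacy_users:
        if not legacy.active:
            report["inactive"].append(legacy.user_id)      # only active accounts are matched
            continue
        target = index.get(legacy.user_id.lower())
        if target is None:
            report["unmatched"].append(legacy.user_id)
            continue
        if target.token and not reimport:
            report["skipped_existing"].append(legacy.user_id)
            continue
        if not simulate:
            target.token = legacy.token
            target.policy = legacy.policy
        report["migrated"].append((legacy.user_id, target.dn))
    return report


def format_report(report, simulated):
    """Render the report roughly as the wizard's View Report page would list it."""
    title = "Defender 4 - 5 Migration (Simulated) Report" if simulated else "Defender 4 - 5 Migration Report"
    lines = [title, ""]
    for section, items in report.items():
        lines.append(f"{section} ({len(items)}):")
        lines.extend(f"  {item}" for item in items)
    return "\n".join(lines)


# Constructed sample data.
LEGACY = [
    LegacyUser("jdoe", "Tok001", "Token-only"),
    LegacyUser("blee", "Tok002", "Token-with-PIN"),
    LegacyUser("ghost", "Tok003", "Token-only"),                 # no matching AD account
    LegacyUser("retired", "Tok004", "Token-only", active=False),
]
AD = [
    AdUser("CN=Jane Doe,OU=Users,DC=example,DC=com", sam_account_name="jdoe", upn="jdoe@example.com"),
    AdUser("CN=Bob Lee,OU=Users,DC=example,DC=com", sam_account_name="blee", upn="blee@example.com",
           token="Tok099", policy="Existing"),                   # already holds a token from an earlier run
]

if __name__ == "__main__":
    print(format_report(migrate(LEGACY, AD, simulate=True), simulated=True))
```

Running the simulation first shows which accounts would be touched (and which legacy accounts have no match) before any Active Directory attribute is written; the same call with simulate=False performs the write, and reimport=True is the only way an account that already has a token is updated.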


10 Defender Report Service

Report Service

This section describes the reports available from the Defender Report Service. For installation information, refer to Installing the Defender Report Console on page 2-29.

Report Types

The Defender Report Console provides access to the following reports:

• Authentication Violation

• User Activity

• Authentication Log

• Audit Trail

• Authentication Statistics

• Tokens

• DSS Configuration

• License Information

• User Information

• RADIUS Payload Report

• Proxied Users Report.


These reports can be extracted for viewing or printing, based on specific selection criteria.

To save a report in HTML or XML format, click the corresponding icon on the report.

To display a print preview of your report, click the corresponding icon on the report.

Additionally, you can schedule and generate reports from the Defender Reports page using the Scheduled Tasks icon and view reports that have already been generated using the Generated Reports icon.


Defender Report Console

To access Defender reports, point your browser at the location of the Defender Report Console. The Defender Report Console home page is displayed:

Figure 10-1: Defender Report Console - Home page

Click the icon for the required report.


The Defender Report Console icons are available as menu options on the left-hand side of the page after you have clicked the required icon.

Figure 10-2: Defender Report Console options


Scheduling Reports

Defender reports can be scheduled to automatically generate at a specific time interval. Scheduling is available for all Defender reports. After generation, scheduled reports can be viewed using the Generated Reports option.

Reports can be scheduled to generate either daily, weekly, monthly or for one time only.

Scheduling Daily Reports

To schedule a report to generate daily, perform the following steps:

1. From the Defender Reports home page, select the required report.

2. From the report page, click Schedule. The Schedule Report Generation dialog box is displayed:

Figure 10-3: Schedule Report Generation dialog box

3. Click the option button adjacent to the Daily time interval.


4. Click Next. The Schedule Report Generation dialog box is displayed:

Figure 10-4: Schedule Report Generation (Daily) dialog box

5. In the Time field, select the required hours and minutes settings, then click the A.M. or P.M. option button to specify the time of day that the report will generate.

6. Click the required option button to specify that the report will be generated:

• Daily - every day of the week

• Weekdays - Monday through Friday only

• Every n days - at an interval of a specified number of days.

If the time and day(s) selected for generating this report are still valid for the current date, the report will be generated for the first time on the current date.

7. Click Finish.


Scheduling Weekly Reports

To schedule a report to generate weekly, perform the following steps:

1. From the Defender Reports home page, select the required report.

2. From the report page, click Schedule. The Schedule Report Generation dialog box is displayed, see Figure 10-3, on page 10-5.

3. Click the option button adjacent to Weekly.

4. Click Next. The weekly Schedule Report Generation dialog box is displayed

Figure 10-5: Schedule Report Generation (Weekly) dialog box

5. In the Time field, select the hours and minutes, then click the A.M. or P.M. option button to specify the time of day that the report will generate.

6. In the Every n weeks field, type a number to indicate the interval in weeks that the report will generate.

7. In the Select the day(s) of the week table, check the box adjacent to each day of the week that the report will generate.

8. Click Finish.


Scheduling Monthly Reports

To set up a monthly schedule for a report, perform the following steps:

1. From the Defender Reports home page, select the required report.

2. From the report page, click Schedule. The Schedule Report Generation dialog box is displayed, see Figure 10-3, on page 10-5.

3. Click the option button adjacent to Monthly.

4. Click Next. The monthly Schedule Report Generation dialog box is displayed:

Figure 10-6: Schedule Report Generation (Monthly) dialog box

5. In the Time field, select the hours and minutes, then click the A.M. or P.M. option button to specify the time of day that the report will generate.

6. In the On day n of the month field, type the day of the month that the report will generate.

7. Ensure that the box is checked for each month of the year that the report will generate. By default, all months of the year are selected. To de-select a month, click in the box to remove the tick.

8. Click Finish.


Scheduling One Time Reports

To schedule a report to generate at a specified time and on a specified date for one time only, perform the following steps:

1. From the Defender Reports home page, select the required report.

2. From the report page, click Schedule. The Schedule Report Generation dialog box is displayed, see Figure 10-3, on page 10-5.

3. Click the option button adjacent to One Time Only.

4. Click Next. The Schedule Report Generation (One Time Only) dialog box is displayed:

Figure 10-7: Schedule Report Generation (One Time Only) dialog box

If you want the report to generate immediately, go to Step 5 on page 10-9. If you want to specify a time and date that the report will generate, go to Step 7 on page 10-10.

5. Click the option button adjacent to Immediately.

6. Click Finish. The report is generated and the Defender Reports Console home page is displayed. Select Generated Reports to view your report.


7. To specify a time and date that the report will generate, in the Time field, select the hours and minutes, then click the A.M. or P.M. option button to specify the time of day that the report will generate.

8. In the Date field, select the month, day and year that the report will generate.

9. Click Finish.
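To make the scheduling rules of the preceding sections concrete (daily, weekdays only, every n days, every n weeks on selected days, day n of selected months, one time only, and the rule that a report first generates on the current date only if the chosen time is still ahead), here is an added Python example. It is not Defender's scheduler: the schedule dictionary layout, the `created` date that anchors the every-n-days and every-n-weeks counts, and counting weeks from the Monday of the creation week are assumptions made for the example, since the guide does not describe how those intervals are anchored.

```python
from datetime import date, datetime, time, timedelta

# Schedules are plain dicts mirroring the wizard's choices (a constructed shape, not Defender's
# own storage format). Day numbers follow Python: 0 = Monday ... 6 = Sunday.
#   {"kind": "daily", "mode": "daily" | "weekdays" | "every_n_days", "n": 3, "time": time(8, 0)}
#   {"kind": "weekly", "n": 2, "days": {0, 3}, "time": time(8, 0)}
#   {"kind": "monthly", "day": 1, "months": {1, 2, ...}, "time": time(8, 0)}   # months default to all
#   {"kind": "once", "immediately": True}  or  {"kind": "once", "date": date(...), "time": time(...)}
# "created" (a date) anchors "every n days" / "every n weeks"; it defaults to the day next_run is asked.


def _day_matches(schedule, day, start):
    kind = schedule["kind"]
    if kind == "daily":
        mode = schedule.get("mode", "daily")
        if mode == "daily":
            return True
        if mode == "weekdays":
            return day.weekday() < 5                       # Monday through Friday only
        if mode == "every_n_days":
            return (day - start).days % schedule["n"] == 0
        raise ValueError(f"unknown daily mode {mode!r}")
    if kind == "weekly":
        # Weeks are counted from the Monday of the week the schedule was created (assumption).
        first_monday = start - timedelta(days=start.weekday())
        weeks_elapsed = (day - first_monday).days // 7
        return day.weekday() in schedule["days"] and weeks_elapsed % schedule["n"] == 0
    if kind == "monthly":
        months = schedule.get("months", set(range(1, 13)))  # all months selected by default
        return day.day == schedule["day"] and day.month in months
    raise ValueError(f"unknown schedule kind {kind!r}")


def next_run(schedule, now, horizon_days=2 * 366):
    """First datetime at or after `now` when the report generates, or None within the horizon."""
    if schedule["kind"] == "once":
        if schedule.get("immediately"):
            return now
        when = datetime.combine(schedule["date"], schedule["time"])
        return when if when >= now else None
    start = schedule.get("created", now.date())
    for offset in range(horizon_days):
        day = now.date() + timedelta(days=offset)
        candidate = datetime.combine(day, schedule["time"])
        if candidate < now:
            continue   # the time of day has passed: today is no longer a valid first run
        if _day_matches(schedule, day, start):
            return candidate
    return None


def next_run_iso(schedule, now_iso):
    """Convenience wrapper taking and returning ISO 8601 strings."""
    result = next_run(schedule, datetime.fromisoformat(now_iso))
    return None if result is None else result.isoformat()


# Constructed schedules for the examples below (2008-05-14 is a Wednesday).
SAMPLE_SCHEDULES = {
    "daily_10": {"kind": "daily", "time": time(10, 0)},
    "weekdays_8": {"kind": "daily", "mode": "weekdays", "time": time(8, 0)},
    "every_3_days": {"kind": "daily", "mode": "every_n_days", "n": 3,
                     "created": date(2008, 5, 14), "time": time(8, 0)},
    "biweekly_mon_thu": {"kind": "weekly", "n": 2, "days": {0, 3},
                         "created": date(2008, 5, 14), "time": time(8, 0)},
    "first_of_month": {"kind": "monthly", "day": 1, "time": time(8, 0)},
    "feb_31": {"kind": "monthly", "day": 31, "months": {2}, "time": time(8, 0)},
    "now": {"kind": "once", "immediately": True},
    "once_20th": {"kind": "once", "date": date(2008, 5, 20), "time": time(14, 0)},
}

if __name__ == "__main__":
    for name, schedule in SAMPLE_SCHEDULES.items():
        print(f"{name:18} -> {next_run_iso(schedule, '2008-05-14T09:30:00')}")
```

The `feb_31` entry shows the one combination the monthly dialog lets you choose that never fires; a schedule like that deserves a check when it is created rather than a silent gap in the Generated Reports list.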


Generated Reports

Generated Reports enables you to view reports that have been generated and saved. This includes reports generated immediately and scheduled reports. For further information on scheduling reports, refer to Scheduling Reports on page 10-5.

To view the generated reports:

1. From the Defender Reports home page, select Generated Reports. The Generated Reports dialog box is displayed:

Figure 10-8: Generated Reports dialog box

2. The Generated Reports dialog box displays:

• the type of report generated

• a description of the criteria used to generate the report

• the frequency with which the report is generated

• the date that the report was generated.

3. Click Open adjacent to the required report to display the report in full. To delete a report, click Delete adjacent to the report you want to delete.


4. To display a list of reports that are scheduled to run, click View Scheduled Tasks. The Scheduled Tasks dialog box is displayed:

Figure 10-9: Scheduled Tasks dialog box

5. The Scheduled Tasks dialog box displays:

• the type of report that will be generated

• a description of the criteria used to generate the report

• the frequency with which the report will be generated

• the date that the report is scheduled to be generated.

6. To override the scheduling information and generate the report immediately, click Run Now adjacent to the required task. The report is generated and the Defender Home page is displayed.

7. Click Generated Reports, then click Open adjacent to the report that you want to view.


Authentication Violation Log

The Authentication Violation Log report displays a summary of each authentication violation reported by a specific Defender Security Server over a period of time. Click the Authentication Violation Log link or icon. The following dialog box is displayed:

Figure 10-10: Authentication Violation Log - Specify Selection Criteria dialog box

1. In the DSS Name field, click the arrow and select the required Defender Security Server from the list.

2. In the DAN Name field, click the arrow to select the required Access Node from the list.

3. In the Users beginning with field, type the character(s) that user names must begin with to be selected for this report.

4. In the Users In Group field, type the name of the group that selected users must belong to.

5. In the Domain field, type the name of the domain to be searched.

6. In the Period field, click the arrow and select the required reporting period from the list.


7. To specify scheduling information for this report, click Schedule. For a description of the scheduling options, refer to Scheduling Reports on page 10-5.

8. Click Generate. While the report is generating, a message is displayed and the fields in the selection criteria dialog box are unavailable. The Authentication Violation Log report is displayed:

Figure 10-11: Authentication Violation Log Report


The fields on the Authentication Violation Log report are described below:

Table 10-1: Fields on the Authentication Violation Log Report

Field Description

Selected DSS: name of the selected Defender Security Server.

Selected DAN: name of the selected Access Node.

Reporting period: period of time during which the reported authentication violations occurred.

Total violations: total number of violations that occurred on the specified Defender Security Server during the specified time period.

Date/Time: date and time that the authentication violation occurred.

UserID: name of the user associated with the authentication violation.

Source Address: IP address of the machine where the authentication attempt originated.

Access Node: name of the Access Node through which the authentication attempt was made.

Reason: reason that the authentication attempt was unsuccessful.


User Activity

The User Activity reports provide a summary of user activity over a specific period of time. Click the User Activity link or icon. The following dialog box is displayed:

Figure 10-12: User Activity Reports - Specify Selection Criteria dialog box

1. In the Show field, click the arrow and select either Active users, Inactive users, Locked users or All users from the list.

2. In the Period field, click the arrow and select the required reporting period from the list. The reporting period is not applicable to the Locked users report.

3. In the Users beginning with field, type the character(s) that selected user names must begin with to be selected for this report.

4. In the Users In Group field, type the name of the group that selected users must belong to.

5. In the Domain field, type the name of the domain to be searched.

6. To specify scheduling information for this report, click Schedule. For a description of the scheduling options, refer to Scheduling Reports on page 10-5.


7. Click Generate. While the report is generating, a message is displayed and the fields in the selection criteria dialog box are unavailable. The selected report is displayed:

Figure 10-13: User Activity Report


Authentication Log

The Authentication Log report provides a summary of authentication requests handled by a specific Defender Security Server, for either a single user or all users, over a specific period of time. Click the Authentication Log link or icon. The following dialog box is displayed:

Figure 10-14: Authentication Log - Specify Selection Criteria dialog box

1. In the DSS Name field, click the arrow and select the required Defender Security Server from the list.

2. In the DAN Name field, click the arrow to select the required Access Node from the list.

3. In the Users beginning with field, type the character(s) that selected user names must begin with to be selected for this report.

4. In the Users In Group field, type the name of the group that selected users must belong to.

5. In the Domain field, type the name of the domain to be searched.


6. In the Period field, click the arrow and select the required reporting period from the list.

7. The source address and access node details are included in the Authentication Log report. If you do not want these details included, uncheck the Show Source Address and Access Node checkbox.

8. To specify scheduling information for this report, click Schedule. For a description of the scheduling options, refer to Scheduling Reports on page 10-5.

9. Click Generate. While the report is generating, a message is displayed and the fields in the selection criteria dialog box are unavailable. The Authentication Log report is displayed:

Figure 10-15: Authentication Log Report


Table 10-2: Fields on the Authentication Log Report

Field Description

Selected DSS: name of the selected Defender Security Server.

Selected DAN: name of the selected Access Node.

Reporting period: period of time during which the reported authentications occurred.

Total events: total number of events that occurred on the specified Defender Security Server/Access Node during the specified time period.

Date/Time: date and time that the authentication occurred.

UserID: name of the user associated with the authentication.

Result: indicates whether the authentication attempt was accepted or rejected.

Source Address: IP address of the machine where the authentication attempt originated.

Access Node: name of the Access Node through which the authentication attempt was made.


Audit Trail

The Audit Trail report provides details of all user authentication requests for a specific Defender Security Server over a specific period of time. Click the Audit Trail link or icon. The following dialog box is displayed:

Figure 10-16: Audit Trail - Specify Selection Criteria dialog box

To specify your selection criteria:

1. In the DSS Name field, click the arrow and select the required Defender Security Server from the list.

2. In the Period field, click the arrow and select the required reporting period from the list.

3. To specify scheduling information for this report, click Schedule. For a description of the scheduling options, refer to Scheduling Reports on page 10-5.

4. Click Generate. While the report is generating, a message is displayed and the fields in the selection criteria dialog box are unavailable. The Audit Trail report is displayed:


Figure 10-17: Audit Trail Report


Authentication Statistics

The Authentication Statistics report provides the success and failure statistics for authentication requests handled by a specific Defender Security Server, over a specific period of time. Click the Authentication Statistics link or icon. The following dialog box is displayed:

Figure 10-18: Authentication Statistics - Specify Selection Criteria dialog box

1. In the Server field, click the arrow and select the required Defender Security Server from the list.

2. In the DAN Name field, click the arrow and select the required access node(s).

3. In the Period field, click the arrow and select the required reporting period from the list.

4. To specify scheduling information for this report, click Schedule. For a description of the scheduling options, refer to Scheduling Reports on page 10-5.


5. Click Generate. While the report is generating, a message is displayed and the fields in the selection criteria dialog box are unavailable. The Authentication Statistics report is displayed:

Figure 10-19: Authentication Statistics Report
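The Authentication Violation Log, Authentication Log and Authentication Statistics reports share the Date/Time, UserID, Result, Source Address and Access Node fields listed in Tables 10-1 and 10-2. As an added example (not the Report Console's own code), the Python below parses constructed rows with those columns, tallies accepted and rejected authentications per Access Node in the way the Authentication Statistics report summarises them, and applies a simple review rule that flags users with several rejections inside a short window, so that an exported report can be triaged outside the console. The CSV layout, the sample user names, addresses and access node names, and the three-rejections-in-ten-minutes threshold are all constructed for the example.

```python
import csv
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Column order of the constructed export; the names mirror Table 10-2.
FIELDS = ["datetime", "user", "result", "source", "access_node"]


def parse_rows(text):
    """Parse constructed CSV rows with the columns of Table 10-2 into dicts."""
    rows = []
    for rec in csv.DictReader(StringIO(text.strip()), fieldnames=FIELDS):
        rec["datetime"] = datetime.strptime(rec["datetime"].strip(), "%Y-%m-%d %H:%M:%S")
        rows.append(rec)
    return rows


def statistics(rows):
    """Accepted/rejected counts per Access Node, as the Authentication Statistics report tallies them."""
    stats = defaultdict(Counter)
    for row in rows:
        stats[row["access_node"]][row["result"].lower()] += 1
    return {node: dict(counts) for node, counts in stats.items()}


def repeated_rejections(rows, threshold=3, window=timedelta(minutes=10)):
    """Users with at least `threshold` rejections inside any `window`: a review rule over the report.

    Returns {user: (ISO time of the first rejection in the run, sorted source addresses seen)}.
    """
    by_user = defaultdict(list)
    for row in rows:
        if row["result"].lower() == "rejected":
            by_user[row["user"]].append((row["datetime"], row["source"]))
    flagged = {}
    for user, events in by_user.items():
        events.sort()                       # chronological, so a sliding window works
        for i in range(len(events) - threshold + 1):
            first, last = events[i][0], events[i + threshold - 1][0]
            if last - first <= window:
                sources = sorted({src for _, src in events[i:i + threshold]})
                flagged[user] = (first.isoformat(), sources)
                break
    return flagged


# Constructed sample rows: Date/Time, UserID, Result, Source Address, Access Node.
SAMPLE_LOG = """
2008-05-14 08:01:12,jdoe,Accepted,10.0.0.15,VPN-Gateway
2008-05-14 08:03:40,blee,Rejected,10.0.0.22,VPN-Gateway
2008-05-14 08:04:05,blee,Rejected,10.0.0.22,VPN-Gateway
2008-05-14 08:04:31,blee,Rejected,10.0.0.22,VPN-Gateway
2008-05-14 08:05:02,blee,Accepted,10.0.0.22,VPN-Gateway
2008-05-14 09:15:00,jdoe,Rejected,192.0.2.77,OWA
2008-05-14 11:40:19,mkim,Accepted,10.0.0.31,OWA
"""

if __name__ == "__main__":
    rows = parse_rows(SAMPLE_LOG)
    print("Total events:", len(rows))
    print(statistics(rows))
    print(repeated_rejections(rows))
```

A run of rejections followed by an acceptance, as for blee in the sample, is exactly the pattern the Authentication Violation Log's Reason column helps explain (a mistyped PIN, a token out of sync, or something else), so the flagged entries are a starting point for review rather than a verdict.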


Tokens

The Tokens report provides information about Defender tokens. Click the Tokens link or icon. The following dialog box is displayed:

Figure 10-20: Tokens - Specify Selection Criteria dialog box

1. In the Show field, click the arrow and select the required option from the list displayed.

2. In the Users beginning with field, type the character(s) that appear at the beginning of the selected user name(s).

3. To specify scheduling information for this report, click Schedule. For a description of the scheduling options, refer to Scheduling Reports on page 10-5.


4. Click Generate. While the report is generating, a message is displayed and the fields in the selection criteria dialog box are unavailable. The Tokens report is displayed:

Figure 10-21: Token Report


DSS Configuration

The DSS Configuration report displays information about the Defender Security Servers defined in your system. Click the DSS Configuration Report link or icon. The following dialog box is displayed:

Figure 10-22: DSS Configuration Report - Specify Selection Criteria dialog box

1. In the DSS Name field, click the arrow and select the required Defender Security Server from the list.

2. To specify scheduling information for this report, click Schedule. For a description of the scheduling options, refer to Scheduling Reports on page 10-5.

3. Click Generate. While the report is generating, a message is displayed and the fields in the selection criteria dialog box are unavailable. The DSS Configuration Report is displayed:


Figure 10-23: Defender Security Server Configuration Report


The fields on the DSS Configuration Report are described below:

Table 10-3: Fields on the DSS Configuration Report

Name: name of this Defender Security Server.

Description: description of this Defender Security Server.

IP Address: IP address of the machine where the Defender Security Server is installed.

Number of Access Nodes Assigned: number of Access Nodes from which user authentication requests will be handled by this Defender Security Server.

Authentication Policy:

    Name: name of the Authentication Policy assigned to this Defender Security Server.

    Description: description of the Authentication Policy assigned to this Defender Security Server.

    Authentication Challenge Sequence: primary authentication method and, if defined, secondary authentication method.

    Lockout threshold: number of invalid authentication attempts the user can make before the account is locked.

    Lockout duration: length of time that the account will remain locked following the specified number of failed authentication attempts.

Access Nodes:

    Access Node: Access Node(s) assigned to this Defender Security Server.

    Authentication Policy: Authentication Policy assigned to the Access Node.


License Information

The License Information report displays information about the currently installed Defender license. To display the report, click the License Information link or icon.

Figure 10-24: License Information Report


The fields on the License Information report are described below:

Table 10-4: Fields on the License Information Report

License type: type of license, either Permanent or Temporary.

Number of user-token assignments permitted by license: maximum number of users to whom tokens can be assigned.

Number of users currently assigned to tokens: current number of users with token assignments.

License status: status of the installed license, either Valid or Invalid.

Date applied: date the license was installed.

Defender Desktop Token:

    Type: the type of token, either Windows, Palm, Blackberry, Windows Mobile/iPaq or Defender SMS.

    Assigned: number of tokens assigned to users.

    Allocation: number of tokens permitted by this license.

Note: If you have installed more than one license for a particular token type, the report shows the total Assigned and total Allocation from all installed licenses.

To specify scheduling information for this report, click Schedule. For a description of the scheduling options, refer to Scheduling Reports on page 10-5.


User Information

The User Information report displays information about Defender users. To specify selection criteria for the report, click the User Information link or icon.

Figure 10-25: User Information Report - Specify Selection Criteria dialog box


The fields on the User Information report are described below:

Table 10-5: Fields on the User Information Report

Users beginning with: user names beginning with the specified letter(s).

Users in Group: users included in the specified group.

Domain: users included in the specified domain.

Information to return: check the required box(es) to select the user details to include in the report:

    User ID: user's ID.

    Full name: user's full name.

    E-Mail address: user's email address.

    Department: name of the user's department.

    Office: name of the user's office.

    Logons since: number of logons attempted by the user since the specified date.

        on DSS: logon attempts made on the Defender Security Server. Choose the required Defender Security Server from the dropdown list.

        with access node: logon attempts made via an access node. Choose the required access node from the dropdown list.

    Last Logon: date of the last attempted logon.

To specify scheduling information for this report, click Schedule. For a description of the scheduling options, refer to Scheduling Reports on page 10-5.


To display the report, click Generate. The User Information report is displayed:

Figure 10-26: User Information Report


RADIUS Payload

The RADIUS Payload report lists the Defender users associated with a specific RADIUS Payload. To specify selection criteria for the report, click the RADIUS Payload Report link or icon.

Figure 10-27: RADIUS Payload Report - Specify Selection Criteria dialog box

The fields on the RADIUS Payload report are described below:

Table 10-6: Fields on the RADIUS Payload Report

RADIUS Payload: select the required RADIUS Payload from the dropdown list.

Users beginning with: user names beginning with the specified letter(s).

Users in Group: users included in the specified group.

Domain: users included in the specified domain.

To specify scheduling information for this report, click Schedule. For a description of the scheduling options, refer to Scheduling Reports on page 10-5.


To display the report, click Generate. The RADIUS Payload report is displayed:

Figure 10-28: RADIUS Payload Report


Proxied Users

The Proxied Users report provides either:

• a list of proxied users and logon times

• a filtered view of the Defender Security Server audit log, showing details of proxied packets:

Figure 10-29: Proxied User Report - Specify Selection Criteria dialog box


The fields on the Proxied User report are described below:

Table 10-7: Fields on the Proxied User Report

DSS: select the required Defender Security Server from the dropdown list.

Report Style: select whether the report should be formatted as a user list or an audit log.

Users beginning with: user names beginning with the specified letter(s).

Domain: users included in the specified domain.

To specify scheduling information for this report, click Schedule. For a description of the scheduling options, refer to Scheduling Reports on page 10-5.

To display the report, click Generate. The Proxied User report is displayed:

Figure 10-30: Proxied User Report


Index

A

Access Categories, Defender 4 5-16

Access Node
    adding users 4-12
    assign security policy 4-14
    configuration 4-7
    creating 4-1
    properties 4-7
    removing a user 4-14

Accounts 9-3

Administration
    general 3-1
    tokens 7-1

Audience 1-1

Authenex Token 1-4

Authentication
    Defender ID 7-31
    last logon 7-31
    reset 7-31
    reset count 7-31
    violation count 7-31
    violation log 10-13

B

BlackBerry token
    using the token 8-40

C

Communications protocol 1-4

Components 1-7

Configuring
    access node 4-1
    Defender 4 Access Categories 5-16
    report service 2-36
    security server 6-1

Creating
    access node 4-1
    security server 6-1
    token profile 7-19

D

Defender
    components 1-7
    ID 9-2
    load balancing 1-2
    planning your installation 1-8
    reporting 1-2
    self-registration utility 8-45
    service
        starting 3-9
        stopping 3-9
    support for
        Defender 4 Agents 1-2
        GINA for Windows logon 1-2
        Microsoft Active Directory 1-2
        Webthority 1-2
    WebMail 1-7
    What is 1-2

Defender Security Server
    DSS configuration report 10-27
    effective payload 6-17
    effective policy 6-9

Defender Token
    importing 7-1
    registering 8-46

Desktop Token
    install license 2-25
    license 1-9
    programming 8-33
    types 8-33

Digipass
    Pro 260 1-4
    Pro 300 1-4

DualTok token 1-4

E

event logging 8-48
    enabling 8-48

G

GINA
    installing 2-64
    uninstalling 2-64

Go-1 and Go-3 tokens 1-6

I

Importing
    token definitions 7-1

Installing
    after installation 2-67
    checklist 2-2
    desktop token license 2-25
    GINA 2-64
    management console 2-4
    planning 1-8
    prerequisites 2-1
    report service 2-29
    security server 2-9
    self-registration service 2-37
    sequence 2-3
    user license 2-18

L

LDAP 1-4

License
    license information report 10-30
    requirements 1-9
    user information report 10-32

logging
    event 8-48
    enabling 8-48

M

Management Console
    user requirements 1-1

Microsoft Active Directory 1-2

Migration 9-1
    actual 9-2
    simulated 9-2
    user accounts 9-3
    view report 9-13

O

OATH Compliant Token 1-4

P

PAM
    access control 2-66
    communication 2-66
    configuration 2-65

Payload 5-20

Pluggable Authentication Module 2-65

Pocket PC
    iPaq
        deleting 8-40

Policy
    creating security policy 6-7
    priority 3-6
    properties 5-7

Prerequisites
    checklist 2-2
    installation 2-1

Print
    preview 10-2
    reports 10-2

Programming
    Defender HandHeld Token 8-4
    Defender HandHeld Token Plus 8-16
    Defender One Token 8-26
    Desktop Token 8-33
    manually, Defender HandHeld Token 8-10
    mobile token 8-41
    token wizard 8-1
    tokens 8-1

Prompts 6-13

Properties
    access node 4-7
    security policy 5-7
        access category 5-16
        account 5-11
        expiry 5-13
        mobile provider 5-13
        RADIUS payload 5-20
        security 5-18
    security server
        policy 6-7
        prompts 6-13
        RADIUS payload 6-15

R

RADIUS
    authentication 1-3
    defining the payload 5-20
    payload attributes 5-22
    radius payload report 10-35

Registering a token
    self registration 8-46

Report Service
    audit trail 10-21
    authentication log 10-16
    authentication statistics 10-23
    authentication violation log 10-13
    configuration 2-36
    DSS configuration 10-27
    generated 10-11
    html format 10-2
    installing 2-29
    license information 10-30
    migration 9-2
    radius payload 10-35, 10-37
    scheduling 10-5
    tokens 10-25
    types 10-1
    user activity 10-17
    user information 10-32
    viewing 10-2
    xml format 10-2

Requirements
    installation 2-1
    license 1-9
    system 1-10

S

Security Policy
    account settings 5-11
    assign to user 7-31
    creating 5-1
    mobile provider 5-13
    priority 3-6
    properties 5-7
    security settings 5-18

Security Server
    assigning security policy 6-7
    changing prompts 6-13
    changing RADIUS payload 4-22
    creating 6-1
    DSS Configuration Report 10-27
    properties 6-3
    user account attributes 3-10

Serial numbers
    importing 7-1

System requirements 1-10

T

Token
    Authenex Token 1-4
    Defender Desktop Token
        programming 8-33
    Defender Go-1 1-4
    Defender Go-3 1-4
    Defender HandHeld 1-4
    Defender HandHeld Plus 1-4
    Defender Mobile 1-5
    Defender One 1-4
    details
        Go Token 7-13
        Handheld Token 7-16
        Pro Token 7-13
        Software Token 7-15
    distributing to users 8-1
    import wizard 7-2
    importing definitions 7-1
    importing serial numbers 7-1
    OATH Compliant 1-4
    Pro 260 1-4
    Pro 300 1-4
    properties 7-7
    self-registration service 8-46
    supported token types 1-5

Token Management
    helpdesk 7-25
    password 7-30
    program 7-8
    recover 7-11
    set PIN 7-29
    test 7-10, 7-24
    unassign 7-12

Token Profile
    creating 7-19
    defining 7-19

Token Report 10-26

U

User
    activity report 10-17
    assign security policy 7-31
    prompts 6-13
    properties 7-19
    requirements 1-1
    token profile 7-19

User account
    migration 9-2

V

View
    migration report 9-13
    reports 10-2

W

WebMail 1-7

What is Defender? 1-2