A Defender Security Policy object defines a number of authentication settings for Defender users, such as primary and secondary authentication methods, number of allowed failed authentication attempts, lockout and unlock conditions for the user accounts, and allowed logon hours. You can also use a Defender Security Policy object to enable and configure built-in security tokens, such as SMS token, e-mail token, and GrIDsure token.
After creating a Defender Security Policy object, you need to assign it to the appropriate user objects in Active Directory. You can assign a Defender Security Policy in one of the following ways:
- Explicitly: assign a policy directly to a user object in Active Directory.
- Implicitly: apply a policy to a user by assigning it to the Defender Security Server or Access Node to which the user belongs.
If you assign a Defender Security Policy to a Defender Security Server, that policy is applied to the users who authenticate through that Defender Security Server.
If you assign a Defender Security Policy to an Access Node object, that policy is applied to the users who are listed as members of that Access Node.
When a user is a member of an Access Node and no Defender Security Policy is defined for the user explicitly or implicitly, then a default Defender Security Policy applies to the user. For more information, see “Default Defender Security Policy” in the Defender Administration Guide.
To create a Defender Security Policy object
- On the computer where the Defender Administration Console is installed, open the Active Directory Users and Computers tool (dsa.msc).
- In the left pane, expand the node representing the domain where you installed Defender.
- Expand the Defender container, right-click the Policies container, and then from the shortcut menu select New | Defender Policy.
For detailed instructions on how to create and configure a Defender Security Policy object, see “Managing Defender Security Policy objects” in the Defender Administration Guide.
A Defender Security Server object represents a computer on which the Defender Security Server component is installed. Therefore, when creating or configuring a Defender Security Server object, make sure you specify the correct IP address of the corresponding computer in the object properties; if the address does not match the computer that actually runs the component, authentication requests are directed to the wrong host.
To create a Defender Security Server object
- On the computer where the Defender Administration Console is installed, start the Active Directory Users and Computers tool (dsa.msc).
- In the left pane, expand the node representing the domain where you installed Defender.
- Expand the Defender container, right-click the Security Servers container, and then select New | Defender Security Server.
For detailed instructions on how to create and configure a Defender Security Server object, see “Managing Security Server objects” in the Defender Administration Guide.
An Access Node object defines an IP address or a range of IP addresses from which the Defender Security Server accepts authentication requests. Requests that originate from an address outside every configured Access Node are not accepted, so if an Access Node is misconfigured (wrong address, wrong range, or not assigned to the Defender Security Server the users actually talk to), authentication requests never reach the Defender Security Server and the users cannot get access to the required resources.
To create an Access Node object
- On the computer where the Defender Administration Console is installed, open the Active Directory Users and Computers tool (dsa.msc).
- In the left pane, expand the node representing the domain where you installed Defender.
- Expand the Defender container, right-click the Access Nodes container, and then from the shortcut menu select New | Defender Access Node.
After creating an Access Node object, use its properties to assign the Access Node to a Defender Security Server, specify Access Node members (users or groups that will be authenticating through the Access Node), and assign a Defender Security Policy object to the Access Node.
For detailed instructions on how to create and configure an Access Node object, see “Managing Access Node objects” in the Defender Administration Guide.
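The three procedures above create objects in Active Directory through the console, and a practitioner will normally want to confirm the result from a script before rolling the setup out. The following PowerShell is an added example, not code from the Defender product or its documentation. It assumes the ActiveDirectory module is available on the administration computer, that the Defender container sits directly under the domain root (as the console steps show), that its child containers carry the same names the console displays ("Policies", "Security Servers", "Access Nodes"), and that each Security Server object is named after the host it represents so the name can be resolved in DNS and compared with the IP address entered in the object's properties.

```powershell
# Added verification script (not part of Defender or its documentation).
# Assumed: ActiveDirectory module present; Defender container directly under the
# domain root; child containers named "Policies", "Security Servers", "Access Nodes";
# Security Server objects named after the host they represent.
Import-Module ActiveDirectory

$domainDN   = (Get-ADDomain).DistinguishedName
$defenderDN = "CN=Defender,$domainDN"

# Fail early if the Defender container itself is missing.
try {
    Get-ADObject -Identity $defenderDN -ErrorAction Stop | Out-Null
} catch {
    throw "Defender container not found at $defenderDN. Is Defender installed in this domain?"
}

# List the objects created in each of the three containers.
foreach ($container in 'Policies', 'Security Servers', 'Access Nodes') {
    $searchBase = "CN=$container,$defenderDN"
    try {
        # OneLevel lists only the objects directly inside the container.
        $objects = @(Get-ADObject -SearchBase $searchBase -SearchScope OneLevel -Filter * `
                       -Properties whenCreated -ErrorAction Stop | Sort-Object Name)
    } catch {
        Write-Warning "Container $searchBase not found; check the Defender installation."
        continue
    }
    Write-Host ("`n{0} ({1} object(s))" -f $container, $objects.Count)
    if ($objects.Count -eq 0) {
        Write-Warning "No objects in $searchBase. Nothing has been created here yet."
    }
    $objects | Format-Table Name, ObjectClass, whenCreated -AutoSize
}

# For each Security Server object, resolve its name in DNS so the address can be
# compared with the IP address stored in the object's properties (see the note
# on Security Server objects above).
$servers = @(Get-ADObject -SearchBase "CN=Security Servers,$defenderDN" `
               -SearchScope OneLevel -Filter * -ErrorAction SilentlyContinue)
foreach ($srv in $servers) {
    $records = Resolve-DnsName -Name $srv.Name -Type A -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'A' }
    if ($records) {
        "{0}: DNS A record(s) {1}" -f $srv.Name, ($records.IPAddress -join ', ')
    } else {
        Write-Warning ("{0} does not resolve in DNS; verify the IP address on the object manually." -f $srv.Name)
    }
}
```

Run the script as a user who can read the Defender container. An empty "Access Nodes" listing, or a Security Server whose DNS address differs from the IP address entered in its properties, points at exactly the misconfigurations described above: requests either never reach the Defender Security Server or are sent to the wrong host.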
To assign a security token to a user
- On the computer on which the Defender Administration Console is installed, open the Active Directory Users and Computers tool (dsa.msc).
- In the left pane, expand the node representing the domain where you installed Defender, and then click to select the Users container.
- In the right pane, double-click the user for whom you want to program and assign a security token.
- In the dialog box that opens, on the Defender tab, do one of the following:
- To assign a software token, click the Program button, and then complete the wizard. If necessary, install the token software on the user’s computer and activate the token by entering the activation code.
- To assign a hardware token, click the Add button, and then follow the on-screen instructions.
Before assigning a hardware token to a user, you may need to import the corresponding hardware token object into Active Directory. For more information about importing and assigning hardware token objects, see “Managing security token objects” in the Defender Administration Guide.