Defender 5.9.3 - Administration Guide


Import Wizard reference

The table below provides information about the Import Wizard steps and options.

Table 8: Import Wizard reference

Wizard step

Your action

File and Key

Browse for and select the file that contains the definitions of the token objects you want to import, and then specify the key for the file.

You can use the following options:

  • Filename  Click Browse to locate and select the file that contains the definitions of the token objects you want to import.
  • Key  Type or paste the key for the file selected in the Filename option.

Available Tokens

In the list, select the token objects you want to import into Active Directory.

You can use the following buttons:

  • Select All  Selects all token objects in the list.
  • Clear All  Clears currently selected tokens.

You can hold down CTRL and click in the list to select several token objects at once.

If the token objects in the list support both synchronous and asynchronous modes, the following check boxes are available:

  • Response Only  When selected, causes the token objects to operate in the synchronous (response only) mode.
  • Challenge Response  When selected, causes the token objects to operate in the asynchronous (challenge-response) mode.

If the token objects in the list support both OTP1 and OTP2 applications, the following check boxes are available:

  • OTP1  When selected, causes the token to generate a first one-time password (OTP1).
  • OTP2  When selected, causes the token to generate a second one-time password (OTP2).

If you select only one of these check boxes, make sure to instruct the token users which button they should press on their hardware tokens for generating one-time passwords.

For example, when you import DIGIPASS 280 token objects and select the OTP1 check box while leaving the OTP2 check box cleared, then the token users should generate one-time passwords by pressing the OTP1 button on their DIGIPASS 280 tokens. In this scenario, pressing the OTP2 button will generate invalid one-time passwords.

Storage Location

Specify the Active Directory container in which you want to store the token objects being imported. Click the Select button to browse for and select the container.

The default container is Defender | Tokens.

If you change the default container, ensure that the Defender Security Server service account and the Defender administrator account have sufficient permissions on the new container you specify. Keep the remaining permissions on that container as restrictive as those on the default container: the imported token objects carry the token definitions from the import file, so any account that can read the objects can read those definitions.

Import Progress

View the progress of the hardware token import.

Managing Defender Security Policies

You can use the Defender Administration Console to create and configure Defender Security Policies. A Defender Security Policy can be assigned to a user, group of users, Access Node, or Defender Security Server.

If a different Defender Security Policy is applied to each of the above elements, only one of them takes effect: the policy assigned to the user has the highest priority, followed by the policy assigned to the group, then the policy assigned to the Access Node and finally the policy assigned to the Defender Security Server. Security Policies are not aggregated: settings from a lower-priority policy are never merged into the policy that applies.

Logon attempts made by a user are rejected if the user belongs to two groups that have conflicting Security Policies and both groups are assigned to the Access Node through which the user connects to the Defender Security Server.

If no Defender Security Policy has been assigned, the default Defender Security Policy is applied. For more information, see Default Defender Security Policy.
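The precedence and conflict rules above, as an added worked model. This is illustration code written for this page, not Defender's own code and not its Active Directory schema; the data classes stand in for the AD objects, and the group, node and policy names are constructed. Two points the guide does not state are assumed here and marked in the code: a direct user assignment is honoured before the group-conflict check, and only groups that are members of the Access Node in use count at the group level. The `find_conflicts` helper is the check an administrator would run before rolling out a second group policy on an Access Node, since a conflict shows up as rejected logons rather than as a configuration error.

```python
"""Defender Security Policy precedence, modelled from this section's rules.

Added illustration, not Defender code and not its AD schema. Rules taken from the text:
user > group > Access Node > Defender Security Server, policies are never merged,
nothing assigned means the default policy, and a user in two groups with different
policies that are both assigned to the Access Node used for the logon is rejected.
Assumptions (not stated in the guide): a direct user assignment is honoured before the
group-conflict check, and only groups that are members of the Access Node in use are
considered at the group level.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

DEFAULT_POLICY = "Default Defender Security Policy"


@dataclass
class AccessNode:
    name: str
    members: Set[str] = field(default_factory=set)   # users and groups allowed through this node
    policy: Optional[str] = None                      # policy assigned to the node itself


@dataclass
class LogonContext:
    user: str
    user_policy: Optional[str]       # policy assigned directly to the user object
    groups: List[str]                # AD groups the user is a member of
    access_node: AccessNode          # node the user connects through
    dss_policy: Optional[str]        # policy assigned to the Defender Security Server


def resolve(ctx: LogonContext, group_policies: Dict[str, str]) -> Tuple[Optional[str], str]:
    """Return (policy, level) for an allowed logon, or (None, reason) when it is rejected.

    group_policies maps a group name to the policy assigned to that group object.
    """
    if ctx.user_policy:                                   # highest priority; nothing else is consulted
        return ctx.user_policy, "user"
    candidates = {g: group_policies[g] for g in ctx.groups
                  if g in group_policies and g in ctx.access_node.members}
    if len(set(candidates.values())) > 1:                 # conflicting group policies: logon rejected
        detail = ", ".join(f"{g}={p}" for g, p in sorted(candidates.items()))
        return None, f"rejected: conflicting group policies ({detail})"
    if candidates:
        return next(iter(candidates.values())), "group"
    if ctx.access_node.policy:
        return ctx.access_node.policy, "access node"
    if ctx.dss_policy:
        return ctx.dss_policy, "defender security server"
    return DEFAULT_POLICY, "default"                      # no policy anywhere: the default applies


def find_conflicts(node: AccessNode, group_policies: Dict[str, str],
                   memberships: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Audit helper: users whose logons through `node` would be rejected, with the clashing policies."""
    out: Dict[str, Set[str]] = {}
    for user, groups in memberships.items():
        policies = {group_policies[g] for g in groups if g in group_policies and g in node.members}
        if len(policies) > 1:
            out[user] = policies
    return out


if __name__ == "__main__":
    # Constructed sample data, not taken from any real deployment.
    vpn = AccessNode("VPN-Node", members={"Finance", "Contractors", "alice", "bob"}, policy="VPN-Baseline")
    gp = {"Finance": "Finance-Strict", "Contractors": "Contractor-Token"}
    print(resolve(LogonContext("alice", None, ["Finance"], vpn, "DSS-Default"), gp))
    print(resolve(LogonContext("bob", None, ["Finance", "Contractors"], vpn, "DSS-Default"), gp))
    print(find_conflicts(vpn, gp, {"alice": ["Finance"], "bob": ["Finance", "Contractors"]}))
```

Because the levels are not merged, a user-level policy replaces the group policy entirely; if the group policy carried the lockout settings you rely on, the user-level policy needs them too.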

When you have defined the Defender Security Policy, you can use its property pages to:

  • Change the Defender Security Policy configuration.
  • Change user account lockout information.
  • Configure password and PIN expiration policies.
  • Specify permitted logon hours.
  • Configure settings for SMS tokens.
  • Configure settings for e-mail tokens.
  • Configure settings for GrIDsure tokens.

Creating a Defender Security Policy object

To create a Defender Security Policy

  1. On the computer where the Defender Administration Console is installed, open the Active Directory Users and Computers tool (dsa.msc).
  2. In the left pane (console tree), expand the appropriate domain node, and then expand the Defender container.
  3. Right-click the Policies container, point to New, and then click Defender Policy.
  4. Complete the wizard that starts to create a new Defender Security Policy.

    For more information about the wizard steps and options, see New Object - Defender Policy Wizard reference.

New Object - Defender Policy Wizard reference

Table 9: New Object - Defender Policy Wizard reference

Wizard step

Options

Enter a name and description for this Policy

Provides the following text boxes:

  • Name  Type a name for the Defender Security Policy being created.
  • Description  Type a description for the Defender Security Policy being created.

Select an authentication method

Provides the following elements:

  • Method  Select a primary authentication method for the Defender Security Policy. An authentication method determines the passcode that the user must enter when attempting to authenticate. You can select one of the following authentication methods:
      • Token  The user must use a token response to authenticate.
      • Defender password  The user must enter a valid Defender password to authenticate.
      • Active Directory password  The user must enter a valid Active Directory password to authenticate.
      • Token with Defender password  The user must enter a token response followed by a valid Defender password to authenticate.
      • Defender password with token  The user must enter a valid Defender password followed by a token response to authenticate.
      • Token with Active Directory password  The user must enter a token response followed by a valid Active Directory password to authenticate.
      • Active Directory password with token  The user must enter a valid Active Directory password followed by a token response to authenticate.
      • Active Directory password (rollout mode)  The user can authenticate with the Active Directory password until a security token is assigned or registered to the user’s Active Directory account. After a security token has been assigned or registered for the user, the user must submit the token response to authenticate. For more information, see Defender Rollout Mode.
      • GrIDsure token (auto-enrollment mode)  The user must authenticate by using a GrIDsure Personal Identification Pattern (PIP). During the first authentication, the user is prompted to configure a GrIDsure PIP to be used for subsequent authentications.
  • Logon Attempts  Enter the number of times that the user can attempt to log on. If the number of unsuccessful logon attempts exceeds the specified limit, the violation count for the user’s account is incremented.
  • Use Synchronous tokens as event tokens  Enables the use of the same DIGIPASS GO token response for logon to more than one system without generating a new response, provided that the logon process takes less than 36 seconds, which is the validity period for a DIGIPASS GO token response. Note that this option accepts a response more than once within its validity window, so a response captured in transit can be replayed against another system for up to 36 seconds; enable it only where that trade-off is acceptable.

Select the second authentication method

Specify parameters for the additional authentication method you want the user to use. If you want to disable the additional authentication method, from the Method list, select None.

Other options in the Method list are identical to those available in the Select an authentication method step of the wizard.

Enter account lockout policy details

Provides the following options:

  • Enable Account Lockout  When this check box is selected, the user’s Defender account is locked out after the user has exceeded the number of violations (failed logon attempts) specified in the Lockout after n violations option.
  • Lockout Windows account after indicated violations  When this check box is selected, the user’s Windows account is also locked out after the user has exceeded the specified number of failed logon attempts. This option requires account lockout to be enabled in the Domain Security Policy or Domain Controller Security Policy.
  • Locked accounts must be unlocked by an administrator  Specifies that locked accounts can only be unlocked by an administrator.
  • Lockout duration  Sets the lockout duration in minutes. The lockout period is counted from the moment of the most recent logon attempt: if the user attempts to log on while the account is still locked, the lockout duration is recalculated from the moment of that attempt. A value of 0 means that locked user accounts can only be unlocked by an administrator.
  • Automatically reset account after successful login  Resets the count of unsuccessful logon attempts to 0 after the user successfully logs on.
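The lockout options above, as an added worked model of how they interact. This is illustration code written for this page, not Defender's own implementation; the class and option names are constructed to mirror the wizard labels. Where the guide does not pin down a detail, the code assumes it and says so in a comment: a violation is recorded when all attempts permitted by Logon Attempts are used up in one logon, the account locks when the violation count reaches the Lockout after n violations value, and the count is left unchanged when a lockout merely expires. The clock is injected so the timing rules can be stepped through deterministically.

```python
"""Account lockout behaviour modelled from the wizard options in this section.

Added illustration, not Defender code. Modelled from the text: 'Logon Attempts',
'Enable Account Lockout' with 'Lockout after n violations', 'Lockout duration'
counted from the most recent attempt (0 = only an administrator can unlock) and
'Automatically reset account after successful login'. Assumptions not in the guide
are marked below.
"""
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass
class LockoutPolicy:
    logon_attempts: int = 3          # tries allowed per logon before a violation is recorded
    enable_lockout: bool = True
    lockout_after: int = 3           # violations before the Defender account locks
    lockout_duration_min: int = 30   # 0 => an administrator must unlock
    auto_reset_on_success: bool = True


@dataclass
class DefenderAccount:
    violations: int = 0
    locked: bool = False
    last_attempt: float = 0.0        # seconds on the injected clock


class Authenticator:
    def __init__(self, policy: LockoutPolicy, now: Callable[[], float]):
        self.policy = policy
        self.now = now               # clock, injected for deterministic tests

    def _still_locked(self, acct: DefenderAccount) -> bool:
        """Expire the lock once lockout_duration has passed since the *most recent* attempt."""
        if not acct.locked:
            return False
        seconds = self.policy.lockout_duration_min * 60
        if seconds == 0:                       # duration 0: admin-only unlock
            return True
        if self.now() - acct.last_attempt >= seconds:
            acct.locked = False                # assumption: violation count is not reset on expiry
            return False
        return True

    def logon(self, acct: DefenderAccount, results: Iterable[bool]) -> str:
        """One logon: `results` holds the attempts in order, True when the passcode was correct.

        Returns 'ok', 'locked', 'violation' or 'denied'.
        """
        failures = 0
        for correct in results:
            was_locked = self._still_locked(acct)
            acct.last_attempt = self.now()     # every attempt, even against a locked account, restarts the timer
            if was_locked:
                return "locked"
            if correct:
                if self.policy.auto_reset_on_success:
                    acct.violations = 0
                return "ok"
            failures += 1
            if failures >= self.policy.logon_attempts:   # assumption: all permitted tries failed => violation
                acct.violations += 1
                if self.policy.enable_lockout and acct.violations >= self.policy.lockout_after:
                    acct.locked = True         # assumption: lock when the count reaches n
                return "violation"
        return "denied"                        # gave up before using all attempts: no violation recorded

    def admin_unlock(self, acct: DefenderAccount) -> None:
        acct.locked = False
        acct.violations = 0
```

The timing rule is the part worth checking in your own deployment: because the lockout period restarts on every attempt, anyone who keeps submitting bad passcodes for a locked account keeps it locked for as long as they like. With Lockout Windows account after indicated violations enabled, the same violations also lock the user's Windows account, so weigh that before exposing an Access Node to an internet-facing service.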

Enter Defender Password and PIN expiry details

Provides the following options:

  • Enable Defender Password Expiry  When this check box is selected, it causes the Defender password to expire after the number of days specified in the Expire after option.
  • Enable PIN Expiry  When this check box is selected, it causes the token PIN to expire after the number of days specified in the Expire after option. This check box is only available if the token selected for authentication has a PIN.