Defender 5.9.3 - Administration Guide


Full control

You can delegate to a user or group the permissions to manage specific Defender objects, including the permissions to view or modify any of the object's properties and the permissions to create, delete, rename, or move objects.

The available options are:

  • Defender access node full control
  • Defender Security Server full control
  • Defender License full control
  • Defender Security Policy full control
  • Defender RADIUS Payload full control
  • Defender Token full control

Using control access rights

Control access rights are provided as an optional setting during the installation of the Defender Administration Console. Control access rights can be combined with the delegated administration privileges assigned to security groups or users.

The Defender control access rights act as an additional layer of administration security, allowing you to enable or disable the token-related buttons provided below the Tokens list on the Defender tab in the Properties dialog for a Defender user.

With control access rights, you can enable or disable the following buttons:

  • Program: Allows you to program the selected token for the user.
  • Recover: Unlocks the selected token.
  • Test: Starts a non-intrusive test to verify the token's response.
  • Helpdesk: Allows you to reset the token or assign a temporary token response to the user.
  • Unassign: Unassigns the selected token from the user.
  • Add: Assigns a new token to the user.
  • Set PIN: Sets a PIN for the selected token.
  • Password: Allows you to set up a new Defender password for the user or change the existing one.

To assign control access rights to users

  1. Use the Defender Administration Console to enable the Security tab for the Defender users. By default, the Security tab is disabled.

    Do the following:

    1. On the computer where the Defender Administration Console is installed, open the Active Directory Users and Computers tool (dsa.msc).
    2. In the left pane, expand the appropriate domain node, and then click to select the Defender container.
    3. On the menu bar, click View, and then click Advanced Features.
  2. In the left pane (console), locate the organizational unit that holds the Defender users to whom you want to assign control access rights.
  3. Right-click the OU, and then on the shortcut menu click Properties.
  4. In the dialog box that opens, click the Security tab, and then click Advanced.
  5. Click Add to add the security group or user account.
  6. In the Permission Entry for Users dialog box, use the following elements:
    • Apply on: Select the target for the permissions you are going to select (user objects or descendant user objects).
    • Permissions list: Select the check boxes next to the permissions you want to assign.
  7. Click OK to apply your changes.

To remove control access rights from a group of users

  1. In the Advanced Security Settings dialog box, click to select the appropriate entry in the Permission entries list.
  2. Click the Remove button below the list, and then click OK.
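Both procedures above change the discretionary ACL of the OU through the Security tab, so the result can be verified from PowerShell. The following script is an added example; it is not part of the Defender documentation and does not use any Defender Management Shell cmdlet. It relies on the Microsoft ActiveDirectory module (the AD: drive and Get-ADObject) to list every control access right, that is, every ExtendedRight access control entry, granted or denied on an OU, and it resolves each right's GUID to its display name through the Extended-Rights container of the Configuration partition. The OU distinguished name is a placeholder, and the function names are the example's own.

```powershell
# Added example (not from the Defender documentation): audit which principals hold
# control access rights (Active Directory extended rights) on the OU that contains
# the Defender users. Requires the ActiveDirectory module (RSAT) and read access to
# the Configuration partition. The OU distinguished name below is a placeholder.

Import-Module ActiveDirectory

function Get-ExtendedRightName {
    param([Parameter(Mandatory)][guid]$RightsGuid)
    # Every control access right is registered under CN=Extended-Rights in the
    # Configuration partition; its rightsGuid attribute matches the ACE's ObjectType.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $entry = Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" `
        -LDAPFilter "(rightsGuid=$RightsGuid)" -Properties displayName
    if ($entry) { return $entry.displayName }
    # Unknown GUID: report it as-is instead of guessing a name.
    return $RightsGuid.ToString()
}

function Get-OuControlAccessRights {
    param([Parameter(Mandatory)][string]$OuDistinguishedName)
    $acl = Get-Acl -Path "AD:\$OuDistinguishedName"
    foreach ($ace in $acl.Access) {
        # Only ACEs that carry the ExtendedRight bit are control access rights.
        $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
        if (($ace.ActiveDirectoryRights -band $extended) -eq 0) { continue }

        # An all-zero ObjectType means "every extended right", which is far broader
        # than a single Defender button and deserves a closer look during review.
        $rightName = if ($ace.ObjectType -eq [guid]::Empty) {
            'All extended rights'
        } else {
            Get-ExtendedRightName -RightsGuid $ace.ObjectType
        }

        [pscustomobject]@{
            Principal   = $ace.IdentityReference.Value
            Right       = $rightName
            AccessType  = $ace.AccessControlType    # Allow or Deny
            AppliesTo   = $ace.InheritanceType      # e.g. Descendents = descendant objects
            # Schema class GUID the entry is limited to (all-zero = any class).
            ObjectClass = $ace.InheritedObjectType
            Inherited   = $ace.IsInherited
        }
    }
}

# Placeholder DN; replace with the OU that holds your Defender users.
Get-OuControlAccessRights -OuDistinguishedName 'OU=Defender Users,DC=example,DC=com' |
    Sort-Object Principal, Right |
    Format-Table -AutoSize
```

Run it before and after a delegation change to confirm that only the intended security group gained the intended right, and that no entry was left with an all-zero ObjectType. If the Defender rights show up only as raw GUIDs, the Defender control access rights were probably not selected during installation of the Defender Administration Console, since they are an optional setting there.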

Automating administrative tasks

Defender Management Shell, built on Microsoft Windows PowerShell technology, provides a command-line interface that enables automation of Defender administrative tasks. With the Defender Management Shell, administrators can perform token-related tasks such as assigning tokens to users, assigning PINs, or checking for expired tokens.

The Defender Management Shell command-line tools (cmdlets), like Windows PowerShell cmdlets, are designed to deal with objects—structured information that is more than just a string of characters appearing on the screen. The cmdlets do not use text as the basis for interaction with the system, but use an object model that is based on the Microsoft .NET platform. In contrast to traditional, text-based commands, the cmdlets do not require the use of text-processing tools to extract specific information. Rather, you can access required data directly by using standard Windows PowerShell object manipulation commands.

Before installing the Defender Management Shell feature, make sure your computer meets the system requirements described in the Defender Release Notes.

All cmdlets are presented in verb-noun pairs. The verb-noun pair is separated by a hyphen (-) without spaces, and the cmdlet nouns are always singular. The verb refers to the action that the cmdlet performs. The noun identifies the entity on which the action is performed. For example, in the Add-TokenToUser cmdlet name, the verb is Add and the noun is TokenToUser.

Installing Defender Management Shell

To install the Defender Management Shell

  1. In the Defender distribution package, open the Setup folder, and run the Defender.exe file.
  2. Complete the Defender Setup Wizard.

    When stepping through the wizard, make sure to select the Defender Management Shell feature for installation. For more information about the wizard steps and options, see Defender Setup Wizard reference.
