SMS Token tab
This tab allows you to configure settings for sending SMS messages containing one-time passwords to users’ SMS-capable devices. On this tab, you can use the following options:
- Enable SMS token: Enables the SMS token for the users to whom this Defender Security Policy applies.
- Send SMS to user as required: Enables Defender to send an SMS message containing new one-time passwords to the user when the user is about to expend the one-time passwords provided in the previous SMS message.
- Only send SMS when user enters keyword: Causes the Defender Security Server to send an SMS message containing one-time passwords only when the user enters the specified trigger keyword during authentication.
- Responses per SMS: Allows you to specify the number of one-time passwords you want to include in each SMS message sent to the user. You can specify a value from 1 to 10.
- Keyword: Specify the keyword that will trigger the sending of an SMS message containing one-time passwords to the user. The keyword works as a trigger when it is entered by the user during authentication. If the SMS token has a PIN assigned, you can specify that PIN as the trigger keyword as well.
  You can select the Use AD Password check box to make the user’s Active Directory password act as the keyword that causes the Defender Security Server to send the SMS message.
  If this check box is selected and an account lockout policy is enforced in the domain, then a number of unsuccessful authentication attempts may lock out the user’s Active Directory account. Use this check box with caution.
- Phone attribute: Select the Active Directory attribute that stores the user’s mobile phone number to which you want to send SMS messages containing one-time passwords.
- Mobile provider URL: Type the URL of the mobile service provider through which you want to send SMS messages containing one-time passwords.
- [USERID]: Type the user name of the account under which you want to access the mobile service provider’s Web site.
- [PASSWORD]: Type the password that matches the user name in the [USERID] text box.
- POST Data: Click this button to enter the information you want to send to the mobile service provider at the URL specified on this tab. The default POST data provided in this option is only applicable to the 2sms mobile service provider. Contact your mobile service provider for more information about the syntax you need to use in this option.
- Test: Click to test the settings specified on this tab.
E-mail Token tab
This tab allows you to configure settings for sending e-mail messages containing one-time passwords to the users. On this tab, you can use the following options:
- Enable e-mail token: Enables the e-mail token for the users to whom this Defender Security Policy applies.
- Send e-mail to user as required: Enables Defender to send an e-mail message containing new one-time passwords to the user when the user is about to expend the one-time passwords provided in the previous e-mail message.
- Only send e-mail when user enters keyword: Causes the Defender Security Server to send an e-mail message containing one-time passwords only when the user enters the specified trigger keyword during authentication.
- Responses per e-mail: Specify the number of one-time passwords you want to include in each e-mail message. The one-time passwords must be used sequentially. The penultimate or last one-time password triggers the sending of a new e-mail message containing one-time passwords.
- Keyword: Specify the keyword that will trigger the sending of an e-mail message containing one-time passwords to the user. The keyword works as a trigger when it is entered by the user during authentication. If the e-mail token has a PIN assigned, you can specify that PIN as the trigger keyword as well.
  You can select the Use AD Password check box to make the user’s Active Directory password act as the keyword that causes the Defender Security Server to send the e-mail message.
  If this check box is selected and an account lockout policy is enforced in the domain, then a number of unsuccessful authentication attempts may lock out the user’s Active Directory account. Use this check box with caution.
- E-mail attribute: Select the Active Directory attribute that stores the user’s e-mail address to which you want to send e-mail messages containing one-time passwords.
- Subject: Type the subject line you want to display in the Subject field of the e-mail messages containing one-time passwords.
- From address: Type the e-mail address you want to appear in the From field of the e-mail messages containing one-time passwords.
- Send copy to: Type the e-mail address to which you want to send copies of the e-mail messages containing one-time passwords.
- Mail Content: Click this button to view and edit the text that will be included in the body of each e-mail message containing one-time passwords. The [RESPONSES] variable indicates the position in the text at which the one-time passwords appear. If the [RESPONSES] variable is missing, the one-time passwords appear at the foot of the text.
- Mail Server: Click this button to specify the SMTP server you want to use for sending e-mail messages containing one-time passwords. In the dialog box that opens, use the following options:
  - Name: Type the name or IP address of the SMTP server.
  - Port: Type the port number used by the SMTP server. The default port is 25.
  - Authentication: Select the authentication method required by the SMTP server, and then type the user name and password of the access account you want to use.
- Test: Click to test the settings on this tab by sending a test e-mail message to the address you specify.
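The batch semantics described for both the SMS and e-mail tokens (a fixed number of one-time passwords per message, used in order, with the penultimate or last one triggering the next message, or a keyword triggering it instead) can be modelled as a small state machine. This is an added illustration, not Defender's own code: the six-digit code format, the queue of outstanding passwords and the `keyword` parameter are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass, field
from typing import List, Optional


def _eq(a: str, b: str) -> bool:
    # Constant-time comparison, so a guessed password is not distinguishable by timing.
    return secrets.compare_digest(a.encode(), b.encode())


def generate_batch(n: int, digits: int = 6) -> List[str]:
    # Constructed sample codes; the real one-time password format is not described on the page.
    return [f"{secrets.randbelow(10 ** digits):0{digits}d}" for _ in range(n)]


@dataclass
class OtpBatchToken:
    responses_per_message: int              # 'Responses per SMS' / 'Responses per e-mail' (1 to 10)
    keyword: Optional[str] = None           # set when 'Only send ... when user enters keyword' is on
    outstanding: List[str] = field(default_factory=list)  # unused passwords, in the order sent
    messages_sent: int = 0                  # stands in for SMS/e-mail messages actually sent

    def __post_init__(self) -> None:
        if not 1 <= self.responses_per_message <= 10:
            raise ValueError("Responses per message must be between 1 and 10")
        if self.keyword is None:            # 'Send ... to user as required' mode: deliver up front
            self.send_message()

    def send_message(self) -> None:
        # Assumed behaviour: a new batch is appended, so an unused last password stays valid.
        self.outstanding.extend(generate_batch(self.responses_per_message))
        self.messages_sent += 1

    def verify(self, response: str) -> bool:
        # Keyword mode: the trigger keyword requests a message but is not itself a valid password.
        if self.keyword is not None and _eq(response, self.keyword):
            self.send_message()
            return False
        if not self.outstanding or not _eq(response, self.outstanding[0]):
            return False                    # nothing outstanding, or not the next one in sequence
        self.outstanding.pop(0)             # consumed: a replay of this value is rejected from now on
        # Penultimate or last password just used: send the next batch before the user runs out.
        if self.keyword is None and len(self.outstanding) <= 1:
            self.send_message()
        return True
```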
GrIDsure Token tab
This tab allows you to enable the use of GrIDsure Personal Identification Pattern (PIP) for authentication via Defender. On this tab, you can use the following options:
- Enable GrIDsure token: Enables the use of GrIDsure PIP for authentication via Defender.
- Pattern length between: Allows you to set the minimum and maximum length for the GrIDsure PIP.
- Block consecutive patterns (horizontal, vertical, and diagonal): Prevents the use of simple GrIDsure PIPs.
- Expire pattern after: Causes the GrIDsure PIP to expire after the specified number of days. Use the drop-down list to set the number of days after which you want the GrIDsure PIP to expire.
- Use numbers in grid: Enables the use of numbers in the GrIDsure PIP.
- Use letters in grid: Enables the use of letters in the GrIDsure PIP.
- Grid Style: Click to configure the size of the PIP grid and the colors used in the grid.
Default Defender Security Policy
If a user is a member of an Access Node and no Defender Security Policy is applied to the user explicitly or implicitly, then a default Defender Security Policy is effective for the user.
The default Defender Security Policy is configured as follows:
- The primary authentication method is security token.
- The user’s violation count is incremented by one after every 3 unsuccessful authentication attempts.
- The violation count upon which the user’s account is locked is 4. The lockout duration is 3 minutes.
- The violation count is reset each time the user successfully authenticates.
- The user can log on 24 hours a day, 7 days a week.
- SMS token, e-mail token, and GrIDsure token are disabled for the user.
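The default policy's counters are easy to misread, so the model below walks them through: 3 failures raise the violation count by one, the fourth violation locks the account, and a success resets everything. This is an added model using the page's numbers, not Defender's own code; the page does not say whether the violation count resets when the 3-minute lockout expires or whether attempts made while locked are counted, and the model assumes "no" for both.

```python
from dataclasses import dataclass

ATTEMPTS_PER_VIOLATION = 3   # failures per violation-count increment (page value)
LOCKOUT_VIOLATIONS = 4       # violation count at which the account locks (page value)
LOCKOUT_SECONDS = 3 * 60     # lockout duration (page value)


@dataclass
class UserPolicyState:
    failed_attempts: int = 0   # failures since the last violation increment
    violations: int = 0
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked


def record_attempt(state: UserPolicyState, success: bool, now: float) -> str:
    """Apply one authentication attempt and return 'locked', 'accepted' or 'rejected'."""
    if now < state.locked_until:
        return "locked"            # assumption: attempts during lockout are not counted
    if success:
        state.failed_attempts = 0
        state.violations = 0       # violation count resets on successful authentication
        return "accepted"
    state.failed_attempts += 1
    if state.failed_attempts == ATTEMPTS_PER_VIOLATION:
        state.failed_attempts = 0
        state.violations += 1
        if state.violations >= LOCKOUT_VIOLATIONS:
            # assumption: violations are not cleared when the lockout expires, so the
            # next 3 failures after expiry lock the account again
            state.locked_until = now + LOCKOUT_SECONDS
    return "rejected"


def failures_until_lockout() -> int:
    # Consecutive failures from a clean state that trigger the first lockout.
    return ATTEMPTS_PER_VIOLATION * LOCKOUT_VIOLATIONS
```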