Defender 6.6 - Administration Guide

Manually switching to token authentication

  1. Create two Active Directory security groups: one for users who authenticate with tokens (for example, Defender Auth) and one for users who authenticate with their Active Directory password (for example, Defender AD Password).
  2. Assign the Token policy to the Defender Auth group.
  3. Assign the Active Directory password policy to the Defender AD Password group.
  4. Configure an access node for your access device (NAS), adding both AD groups to the members tab without assigning any policy on the access node.

    Users in the Defender Auth security group authenticate with tokens and users in the Defender AD Password group authenticate with Active Directory Passwords.

    When a user in the Defender AD Password group is assigned a token, the administrator must move that user to the Defender Auth group and ensure the user is removed from the Defender AD Password group.
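
    Added example (not part of the Defender documentation): a PowerShell check for the cleanup step above that lists accounts still present in both groups. The group names are the examples from the procedure, the function name Get-PolicyGroupConflict is hypothetical, and the sample accounts are constructed.

```powershell
# Added example, not vendor code. Group names are the examples from the procedure;
# it assumes each group's sAMAccountName matches the name shown here.
$TokenGroup    = 'Defender Auth'
$PasswordGroup = 'Defender AD Password'
$UseLiveDirectory = $false   # set to $true on a host with the ActiveDirectory (RSAT) module

function Get-PolicyGroupConflict {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $TokenMembers,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $PasswordMembers
    )
    # Index token-group members by account name, case-insensitively.
    $index = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($m in $TokenMembers) { [void]$index.Add([string]$m.SamAccountName) }

    # A password-group member that is also in the token group still needs cleanup.
    $PasswordMembers |
        Where-Object { $index.Contains([string]$_.SamAccountName) } |
        Sort-Object -Property SamAccountName -Unique |
        Select-Object SamAccountName, DistinguishedName
}

if ($UseLiveDirectory) {
    Import-Module ActiveDirectory
    # -Recursive expands nested groups; keep user objects only.
    $token = @(Get-ADGroupMember -Identity $TokenGroup -Recursive |
        Where-Object { $_.objectClass -eq 'user' })
    $password = @(Get-ADGroupMember -Identity $PasswordGroup -Recursive |
        Where-Object { $_.objectClass -eq 'user' })
} else {
    # Constructed sample data so the logic can be tried offline.
    $token = @(
        [pscustomobject]@{ SamAccountName = 'asmith'; DistinguishedName = 'CN=A Smith,OU=Staff,DC=example,DC=test' }
        [pscustomobject]@{ SamAccountName = 'bjones'; DistinguishedName = 'CN=B Jones,OU=Staff,DC=example,DC=test' }
    )
    $password = @(
        [pscustomobject]@{ SamAccountName = 'BJONES'; DistinguishedName = 'CN=B Jones,OU=Staff,DC=example,DC=test' }
        [pscustomobject]@{ SamAccountName = 'cwu';    DistinguishedName = 'CN=C Wu,OU=Staff,DC=example,DC=test' }
    )
}

$conflicts = @(Get-PolicyGroupConflict -TokenMembers $token -PasswordMembers $password)
if ($conflicts.Count -gt 0) {
    Write-Warning "$($conflicts.Count) account(s) are in both '$TokenGroup' and '$PasswordGroup':"
    $conflicts | Format-Table -AutoSize
}
```

    Running this on a schedule after token assignments catches accounts that were added to the token group but never removed from the password group.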

Modifying Defender Security Policy object properties

To modify Defender Security Policy object properties

  1. On the computer where the Defender Administration Console is installed, open the Active Directory Users and Computers tool (dsa.msc).
  2. In the left pane (console tree), expand the appropriate domain node, and then expand the Defender container.
  3. Click to select the Policies container.
  4. In the right pane, double-click the Defender Security Policy whose properties you want to modify.
  5. Use the dialog box that opens to modify the Defender Security Policy properties as necessary.

    The dialog box has the following tabs:

    • General tab  Allows you to configure the Defender Security Policy.
    • Account tab  Allows you to configure the Defender Security Policy settings related to the lockout of user accounts.
    • Expiry tab  Allows you to configure expiry settings for Defender passwords and token PINs.
    • Logon Hours tab  Allows you to configure a time slot when authentication via Defender is permitted or denied to the user.
    • SMS Token tab  Allows you to configure settings for sending SMS messages containing one-time passwords to users’ SMS-capable devices.
    • E-mail Token tab  Allows you to configure settings for sending e-mail messages containing one-time passwords to the users.
    • GrIDsure Token tab  Allows you to enable the use of GrIDsure Personal Identification Pattern (PIP) for authentication via Defender.
  6. When you are finished, click OK to apply your changes.

General tab

This tab allows you to configure the Defender Security Policy. On this tab, you can use the following options:

  • Description  View or change the Defender Security Policy description.
  • Use  Select a primary authentication method for the Defender Security Policy. An authentication method determines the credentials that the user must enter when authenticating. For available authentication methods and their descriptions, see New Object - Defender Policy Wizard reference.

    Logon Attempts  Enter the number of times that the user can attempt to log on. If the number of unsuccessful logon attempts exceeds the specified limit, the violation count for the user’s account is incremented.

    Use Synchronous tokens as Event tokens  Select this check box to enable the use of the same DIGIPASS GO token response for logon to more than one system without generating a new response, provided that the logon process takes less than 36 seconds, which is the validity period for a DIGIPASS GO token response.

  • Followed By  Select an additional authentication method for the Defender Security Policy. To disable the use of additional authentication method, select None.

    Logon Attempts  Enter the number of times that the user can attempt to log on. If the number of unsuccessful logon attempts exceeds the specified limit, the violation count for the user’s account is incremented.

    Use Synchronous tokens as Event tokens  Select this check box to enable the use of the same DIGIPASS GO token response for logon to more than one system without generating a new response, provided that the logon process takes less than 36 seconds, which is the validity period for a DIGIPASS GO token response.

Account tab

This tab allows you to configure the Defender Security Policy settings related to the lockout of user accounts. On this tab, you can use the following options:

  • Enable Account Lockout  Select this check box to enable the user’s Defender account lockout after the number of violations (unsuccessful logon attempts) specified in the Lockout after n violations option. Clear this check box to disable account lockout.
  • Lockout Windows account after indicated violations  Select this check box to lock out the user’s Windows account after the user has exceeded the specified number of unsuccessful logon attempts. This option requires the Windows account lockout option to be enabled in Domain Security Policy or Domain Controller Security Policy. If the Windows account is locked, the user is unable to log on to their Windows account locally or remotely via Defender.
  • Locked accounts must be unlocked by an administrator  Specifies that locked accounts can only be unlocked by an administrator. Use the Lockout duration option to set the lockout duration in minutes. The lockout duration period is counted from the moment of the most recent logon attempt. That is, if the user attempts to log on while the account is still locked, the lockout duration is recalculated from the moment of that attempt. If you set the Lockout duration value to 0, the locked user accounts can only be unlocked by an administrator.
  • Automatically reset account after successful login  Resets the count of unsuccessful logon attempts to 0 after the user successfully logs on.