Quest Password Manager 4.7 Administrator Guide

© 2010 Quest Software, Inc. ALL RIGHTS RESERVED.

This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc.

If you have any questions regarding your potential use of this material, please contact:

Quest Software World Headquarters
LEGAL Dept
5 Polaris Way
Aliso Viejo, CA 92656
USA
www.quest.com
e-mail: legal@quest.com

Refer to our Web site for regional and international office information.

TRADEMARKS

Quest, Quest Software, the Quest Software logo, Aelita, Akonix, AppAssure, Benchmark Factory, Big Brother, ChangeAuditor, DataFactory, DeployDirector, ERDisk, Foglight, Funnel Web, GPOAdmin, I/Watch, Imceda, InLook, IntelliProfile, InTrust, Invertus, IT Dad, JClass, Jint, JProbe, LeccoTech, LiteSpeed, LiveReorg, MessageStats, NBSpool, NetBase, Npulse, NetPro, PassGo, PerformaSure, Quest Central, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL LiteSpeed, SQL Navigator, SQL Watch, SQLab, Stat, StealthCollect, Tag and Follow, Toad, T.O.A.D., Toad World, vAnalyzer, vAutomator, vControl, vConverter, vEssentials, vFoglight, vMigrator, vOptimizer Pro, vPackager, vRanger, vRanger Pro, vReplicator, vSpotlight, vToad, Vintela, Virtual DBA, VizionCore, Vizioncore vAutomation Suite, Vizioncore vEssentials, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc. in the United States of America and other countries. Other trademarks and registered trademarks used in this guide are property of their respective owners.
Disclaimer

The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.

Quest Password Manager - Administrator Guide
Updated - October 22, 2010
Software Version - 4.7

CONTENTS

About This Guide ... 5
  Intended Audience ... 6
  Conventions ... 6
  About Quest Software ... 7
    Contacting Quest Software ... 7
    Contacting Quest Support ... 7

Chapter 1  Welcome to Quest Password Manager ... 9
  Quest Password Manager Overview ... 10
  Different Sites for Different Roles ... 11

Chapter 2  Administration Site ... 13
  Checklist: Configuring Password Manager ... 14
  Specifying Global Settings ... 15
    Enabling HTTPS ... 16
    Configuring Self-Service Site Settings ... 17
  Configuring Access to Self-Service Site from Windows Logon Screen ... 28
    Introducing Secure Password Extension ... 28
    Deploying and Configuring Secure Password Extension ... 29
    Uninstalling Secure Password Extension ... 38
    Troubleshooting Secure Password Extension ... 38
  Managing Domains ... 39
    Configuring Permissions to Access a Managed Domain ... 39
    Adding a Managed Domain ... 40
    Managing Questions and Answers Profiles ... 41
    Configuring Password Policies ... 45
    Configuring Logon Security Options ... 57
    Configuring Registration Notification and Enforcement ... 59
    Delegating Help Desk and Administrative Tasks ... 62
    Configuring Access to Self-Service Site ... 64
    Changing Account to Access a Managed Domain ... 65
  Reporting ... 66
  Diagnostic Logging ... 72
  Best Practices for Configuring Reporting Services ... 73
    Reporting Services Default Configuration ... 73
    Reporting Services Firewall Issues ... 75
  The Password Manager Database in SQL Server ... 76
  The Scheduled Tasks in Password Manager ... 77

Chapter 3  Quest Password Manager Integration ... 79
  ActiveRoles Quick Connect ... 80
    Configuring Cross-Platform Password Synchronization using ActiveRoles Quick Connect ... 80
  Microsoft Identity Integration Server ... 82
    Configuring Cross-Platform Password Synchronization using MIIS ... 82
  Quest ActiveRoles Server Web Interface ... 85
    Basic Integration Requirements ... 85
    Customizing ActiveRoles Server Home Page ... 85
    Password Manager Self-Service Site Integration ... 85
    Password Manager Help Desk Site Integration ... 86
  Quest Defender ... 88
  Quest Enterprise Single Sign-On (QESSO) ... 89
  HP ProtectTools Authentication Services ... 90
    Using HP ProtectTools Authentication Services to Generate Passwords ... 90

Glossary ... 93

About This Guide

• Intended Audience
• Conventions
• About Quest Software
• Contacting Quest Software
• Contacting Quest Support

Intended Audience

This document has been prepared to assist you in becoming familiar with Quest Password Manager. The Administrator Guide contains the information required to install and use Quest Password Manager. It is intended for network administrators, consultants, analysts, and any other professionals using the product.

Conventions

In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes and cross-references.

ELEMENT    CONVENTION

Select
    This word refers to actions such as choosing or highlighting various interface elements, such as files and radio buttons.

Bolded text
    Interface elements that appear in Quest Software products, such as menus and commands.

Italic text
    Used for comments.

Bold Italic text
    Used for emphasis.

Blue text
    Indicates a cross-reference. When viewed in Adobe® Reader®, this format can be used as a hyperlink.

[Icon]
    Used to highlight additional information pertinent to the process being described.

[Icon]
    Used to provide Best Practice information. A best practice details the recommended course of action for the best result.

[Icon]
    Used to highlight processes that should be performed with care.

+
    A plus sign between two keystrokes means that you must press them at the same time.

|
    A pipe sign between elements means that you must select the elements in that particular sequence.

About Quest Software

Quest Software simplifies and reduces the cost of managing IT for more than 100,000 customers worldwide. Our innovative solutions make solving the toughest IT management problems easier, enabling customers to save time and money across physical, virtual and cloud environments. For more information about Quest go to www.quest.com.
Contacting Quest Software

E-mail: info@quest.com
Mail: Quest Software, Inc., World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656, USA
Web site: www.quest.com

Refer to our Web site for regional and international office information.

Contacting Quest Support

Quest Support is available to customers who have a trial version of a Quest product or who have purchased a Quest product and have a valid maintenance contract. Quest Support provides unlimited 24x7 access to SupportLink, our self-service portal. Visit SupportLink at http://support.quest.com/

From SupportLink, you can do the following:

• Retrieve thousands of solutions from our online Knowledgebase
• Download the latest releases and service packs
• Create, update and review Support cases

View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policy and procedures. The guide is available at http://support.quest.com/.

Chapter 1  Welcome to Quest Password Manager

• Quest Password Manager Overview
• Different Sites for Different Roles

Quest Password Manager Overview

Quest Password Manager is a Web-based application that provides an easy-to-implement and use, yet highly secure, password management solution. Users can connect to Password Manager by using their favorite browser and perform password self-management tasks, thus eliminating the need for assistance from high-level administrators and reducing help desk workload.

The solution offers a powerful and flexible password policy control mechanism that allows the Password Manager administrator to ensure that all passwords in the organization comply with the established policies.

Password Manager works with Windows domains, including domains operating in mixed mode. Integration with Microsoft Identity Integration Server facilitates cross-platform password synchronization that enables Password Manager to change user passwords across multiple connected data sources.
The key features and benefits of Quest Password Manager include:

• Global access. Quest Password Manager provides 24x7x365 access to the Self-Service site from intranet computers as well as over the Internet from any common browser. The solution supports flexible access modes and logon options.
• Strong data encryption and secure communication. The solution relies on industry-leading technologies for enhanced communication security and data encryption.
• Cross-platform password synchronization. Quest Password Manager has been designed for use with Microsoft Identity Integration Server and Quest Quick Connect, which makes it possible to automatically synchronize users' passwords across multiple connected data sources.
• Web interface for help desk service. Password Manager features a Help Desk site which allows administrators to delegate help desk tasks to dedicated operators. These tasks include resetting user passwords, managing users' Questions and Answers profiles, and assigning temporary passcodes to users.
• x64 version of Password Policy Manager. An x64 version of the Password Policy Manager module has been designed for use on domain controllers running an x64 Microsoft Windows Server operating system.
• E-mail event notifications. Administrators can configure event notifications which are sent by e-mail to designated personnel when specified events occur.
• Seamless OS integration. Quest Password Manager relies on intrinsic security databases only and is capable of managing domains across trust boundaries (no trust relationship required).
• Powerful password policies. Quest Password Manager ensures that only passwords that meet administrator-defined policies are accepted. Unsuccessful authentication attempts are logged and the corresponding accounts are locked if necessary.
• Granular policy enforcement. Password policies are applied on a per-group or per-OU basis.
• Questions and Answers authentication mechanism. To reset passwords or unlock accounts, users are prompted to answer a series of questions for which they provided their secret answers when registering with Quest Password Manager.
• Enhanced user name search options. Users can be allowed to view their account attributes, such as user logon name, first name, display name, and SMTP address, when searching for their forgotten user names. A more specific search query returns the most relevant search results.
• Fault tolerance and scalability. Quest Password Manager is designed to work with network load balancing clusters and in a Web farm environment.

Different Sites for Different Roles

The Web Interface allows multiple Web sites to be installed with individual, customizable configurations. The following is a list of configuration templates that are available out of the box.

• Administration Site is for individuals who are responsible for implementing password self-management through performing administrative tasks, such as configuring site-specific settings and enforcing password policies, to suit the specific needs of their organization.
• Help Desk Site handles typical tasks performed by Help Desk operators, such as resetting passwords, unlocking user accounts, assigning temporary passcodes, and managing users' Questions and Answers profiles.
• Self-Service Site provides users with the ability to easily and securely manage their passwords, thus eliminating the need for assistance from high-level administrators and reducing help desk workload.
Chapter 2  Administration Site

• Checklist: Configuring Password Manager
• Changing User Interface Language
• Specifying Global Settings
• Configuring Access to Self-Service Site from Windows Logon Screen
• Managing Domains
• Reporting

Checklist: Configuring Password Manager

When you have installed Password Manager, follow this checklist to configure the solution to implement automated and secure password management in an Active Directory domain.

STEP    REFERENCE

• It is strongly recommended that you enable HTTPS on the server where Password Manager is installed.
  Reference: "Enabling HTTPS" on page 16
• Prepare the account under which Password Manager will access the managed domain.
  Reference: "Configuring Permissions to Access a Managed Domain" on page 39
• Register the managed domain with Password Manager.
  Reference: "Adding a Managed Domain" on page 40
• Create language-specific question lists, and configure the Questions and Answers Policy if required.
  Reference: "Managing Questions and Answers Profiles" on page 41
• If you want to provide access to the Self-Service site from the Windows logon screen, install the Secure Password Extension.
  Reference: "Configuring Access to Self-Service Site from Windows Logon Screen" on page 28
• Configure settings that apply to all domains managed with Password Manager (such as site-specific defaults, notification settings, and profile update policy).
  Reference: "Specifying Global Settings" on page 15
• Grant the access permissions for the Help Desk site to help desk operators. You can also delegate access for the Administration site to trusted Password Manager administrators.
  Reference: "Delegating Help Desk and Administrative Tasks" on page 62
• Ensure that the screen resolution on client-side computers used to access the Web sites of Password Manager is set to a minimum of 800x600 pixels. The recommended screen resolution is 1024x768 pixels.
• Ensure that all Password Manager users have JavaScript enabled in Microsoft Internet Explorer settings.
• Ensure that the users know the Self-Service site URL and can access the site to register and perform password self-management tasks.
• If required, configure options for user registration notification and enforcement by specifying a registration schedule and enabling registration notification.
  Reference: "Configuring Registration Notification and Enforcement" on page 59
• To allow users to access the Self-Service site, explicitly specify the groups which are granted access to the Self-Service site. By default, no managed domain user can access the Self-Service site.
  Reference: "Configuring Access to Self-Service Site" on page 64
• If you want to use Password Manager to enforce password policies, first install Password Policy Manager (PPM) on all domain controllers in the domain. Then create password policies and configure password policy rules.
  Reference: "Installing Password Policy Manager" on page 45; "Creating and Configuring a Password Policy" on page 46; "Configuring Password Policy Rules" on page 47
• If you want to use Password Manager for cross-platform password synchronization, install Quest Quick Connect and configure the product to integrate with Password Manager.
  Reference: "Configuring Cross-Platform Password Synchronization using ActiveRoles Quick Connect" on page 80

Specifying Global Settings

This section outlines the procedures required to configure site-specific settings that affect users and help desk operators in all domains registered with Password Manager.

Enabling HTTPS

We strongly recommend that you use HTTPS with Quest Password Manager. The secure hypertext transfer protocol (HTTPS) is a communications protocol designed to transfer encrypted information between computers over the World Wide Web. To enable HTTPS for your Web server you may need to obtain a Server Certificate.
For step-by-step instructions on how to configure a Web server for SSL in order to support HTTPS connections from client applications, see the MSDN article "How To: Set Up SSL on a Web Server" at http://msdn2.microsoft.com/en-us/library/aa302411.aspx.

Configuring Self-Service Site Settings

You can customize the behavior of the Self-Service site by specifying what password management tasks are allowed to users and configuring user notification.

Configuring Security Settings

By configuring the security settings, you define whether you want to let users do the following:

• Hide their security answers on the screen.
• See the domain name on the Self-Service site pages.
• See which of the personal questions they have answered incorrectly when authenticating.

To configure security settings for the Self-Service site

1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is http://<ComputerName>/QPM/Admin/.
2. On the menu bar, click Settings, and then click the Self-Service Site tab.
3. Under Security settings, configure the following options as required:

   OPTION    DESCRIPTION

   Hide users' answers by default
       Select this check box to have Password Manager display users' security answers as asterisks while they are typing in their answers.

   Allow users to hide their answers
       Select this check box to allow users to hide their answers on the screen, so that answer entry fields will look like a series of asterisks.

   Prevent users from seeing whether questions are answered correctly
       Select this check box to prevent users from seeing which of their private questions they have answered incorrectly when performing password self-management tasks using the Self-Service site.

   Hide tools not available for user
       Select this check box to prevent users from seeing the tools which are not available to them.

   Use a security CAPTCHA image to prevent bot attacks
       Select this check box to have the Self-Service site display a picture with characters and require the user to enter the characters shown in the picture. This feature provides enhanced protection against automated attacks.

   Domain display options
       Use this section to specify whether the Self-Service site should show the managed domain name to the user. If you select the "Show domain list" option, the Self-Service site user will be able to see the list of the managed domains registered with Password Manager. By selecting the "Hide domain list" option you will prevent users from seeing the list of domains.

   Users must agree that Password Manager will store their personal information
       Depending on legislation requirements, organizations may be required to explicitly obtain users' consent to store the personal information held in their Questions and Answers profile. Select this check box to have the Self-Service site ask users to agree that Password Manager will store their personal information.

4. Click Save.

Configuring Allowed Self-Service Site Tasks

You can granularly configure the set of tasks available to Password Manager end users on the Self-Service site.

To configure the tasks available to Self-Service site users

1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is http://<ComputerName>/QPM/Admin/.
2. On the menu bar, click Settings, and then click the Self-Service Site tab.
3. Click Allowed self-service tasks to expand this section, and then configure the following options as required:

   OPTION    DESCRIPTION

   Allow users to register with Password Manager
       Select this check box to allow users to register with Password Manager by using the Self-Service site.
   Allow users to unlock their accounts
       Select this check box to allow users to unlock their domain accounts by using the Self-Service site.

   Allow users to reset their passwords
       Select this check box to allow users to reset passwords for their domain accounts by using the Self-Service site.

   Allow users to change their passwords
       Select this check box to allow users to manage passwords for their accounts in managed domains, and in connected data sources, by using the Self-Service site.

   Allow users to change Q&A profile
       Select this check box to allow users to manage Questions and Answers profiles for their accounts in managed domains by using the Self-Service site.

   Allow users to change their alert settings
       Select this check box to allow users to specify the events upon which they want to receive alerts.

   Allow users to use passcode
       Select this check box to allow users to use a passcode for creating their Questions and Answers profile.

4. Click Save.

Configuring Account Search Options

To configure account search options

1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is http://<ComputerName>/QPM/Admin/.
2. On the menu bar, click Settings, and then click the Self-Service Site tab.
3. Click Account search options to expand this section, and then configure the following options as required:

   OPTION    DESCRIPTION

   Allow users to locate their accounts
       Select the check box to allow users to perform an account search by using the Locate Account functionality of the Self-Service site. When you select this option, you can specify the number of user accounts that are displayed in search results. To do this, specify the required number in the "Number of users to display in search results in the Locate Account page" field.

   User properties to display in search results
       Select the check boxes next to the user account attributes that you want users to view in search results. You can select any of the following attributes:
       • First name
       • Initials
       • Last name
       • Display name
       • Name
       • Full name
       • User logon name
       • E-mail

4. Click Save.

Configuring User Notification

You can configure a list of events upon which you want all registered users to receive notifications. For each of the events below, you can specify whether users may decide for themselves whether they want to receive a specific notification or not.

• User's Q&A profile is updated
• User's Alert settings are updated
• User's account is unlocked
• User's password is reset
• User's password is changed
• User's Q&A profile requires update
• User's Q&A profile is locked
• User's password is expired

To configure user notification

1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is http://<ComputerName>/QPM/Admin/.
2. Ensure that you have configured the outgoing mail server settings. To specify the SMTP server settings, use the procedure outlined in "Configuring Outgoing Mail Servers Settings" on page 22.
3. On the menu bar, click Settings, and then click the Self-Service Site tab.
4. Click User notification settings to expand this area.
5. Specify the events upon which you want users to receive notifications, and whether you want users to be able to change your settings for each of the events, by doing the following:
   • Click the link next to a notification event, and then select one of the following options:

     OPTION    DESCRIPTION

     Disabled. Users can change this setting.
         Select this option to disable user notification for the relevant event while allowing users to override this setting on a per-user basis.

     Enabled. Users can change this setting.
         Select this option to have users notified about the relevant event, and allow them to override this setting on a per-user basis.

     Permanently disabled.
         Select this option to disable user notification for the relevant event, and prevent users from changing this setting.

     Permanently enabled.
         Select this option to enable user notification for the relevant event, and prevent users from changing this setting.

   • Under Days to notify a user before their password expires, optionally set the number of days before their passwords expire during which you want users to receive password expiration notifications.
6. Click Save.

If you enable the password expiration notification, Password Manager will send password expiration notifications only to those users from all managed domains who have registered with Password Manager by creating their personal Questions and Answers profiles.

Configuring Help Desk Site Settings

You can define what password management tasks the help desk operators are allowed or required to perform. The settings described in this section are applied throughout all Active Directory domains managed by Password Manager.

To specify settings for the Help Desk site

1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is http://<ComputerName>/QPM/Admin/.
2. On the menu bar, click Settings, and then select the Help Desk Site tab.
3. In the Allow helpdesk operators to section, configure the following options as required:

   OPTION    DESCRIPTION

   verify user identity
       Select this option to allow help desk operators to verify user identity by using the Help Desk site.

   assign passcodes
       Select Yes to allow help desk operators to assign temporary passcodes to users who forgot their passwords while not being registered with Password Manager. Then, below this option, you can specify the Passcode lifetime in minutes value, i.e. the period within which the passcode is valid.

   reset user passwords
       Select this option to allow help desk operators to reset user passwords by using the Help Desk site. Select the "only after user identity verification" option to force help desk operators to check user identity before resetting a user's password.

   unlock user accounts
       Select this option to allow help desk operators to unlock user accounts by using the Help Desk site. Select the "only after user identity verification" option to force help desk operators to check user identity before unlocking a user's account.

   require users to update their Q&A profiles
       Select this option to allow help desk operators to invalidate users' Questions and Answers profiles and to set a deadline for a user to update their Q&A profile.

   Passcode lifetime, in minutes
       Specify how long a passcode issued by help desk operators to users is valid for users to create their Questions and Answers profile.

   unlock users' Q&A profiles
       Select this option to allow help desk operators to unlock users' Questions and Answers profiles that are locked as a result of a sequence of failed attempts to provide the correct answers.

4. Configure the following options as required:

   OPTION    DESCRIPTION

   Helpdesk operators must verify user identity by
       Defines that help desk operators must verify a user's identity before resetting the user's password or unlocking their account. To configure this option, select how you want operators to authenticate users:
       • Answer to randomly selected mandatory question (user's answer is hidden). In this mode, the operator will ask a user for their complete answer to one of the mandatory questions specified in the user's Q&A profile.
       • Answer to authentication question (user's answer is hidden). In this mode, the operator will ask a user for their complete answers to the Help Desk authentication questions, and enter the answers on the identity verification page.
       • Answer to authentication question (user's answer is visible).
In this mode, the operator will ask a user for their complete answers to the Help Desk authentication questions, and then compare them to the answers displayed on the identity verification page. • Random characters of an answer to authentication question. In this mode, the operator will ask a user to tell the specified number of characters in the user's answers to the Help Desk authentication questions, and then type in those characters in the appropriate positions on the identity verification page. Allow helpdesk operators to require users to change their passwords at next logon 5. Select this option to allow helpdesk operators to force users to change their passwords at next logon. Click Save. Configuring Outgoing Mail Servers Settings You can configure one or more outgoing mail servers. If there are several servers, Password Manager will first attempt to use the top one in the list. To add outgoing mail servers (SMTP) 22 1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is http://<ComputerName>/QPM/Admin/. 2. On the menu bar, click Settings, and then click the Notifications tab. 3. Select the Enable notifications option. 4. In the Mail Servers area, click Add. Administrator Guide 5. On the Add SMTP Server page, configure the following options: OPTION DESCRIPTION Server name Type the SMTP server name. If the SMTP server uses the port which is different from the default SMTP port 25, you may specify the port using the following format: <server name>:<port number> where <server name> is the server name and <port number> is the port number used for SMTP communication. 6. Sender address Type the sender's user name. This server requires authentication Select if the SMTP server requires authentication. User Name Type the user name under which Password Manager will access the SMTP server. Password Type the password for this account. Confirm password Re-type the password. 
The server requires an encrypted connection (SSL)
    Select if the SMTP server requires an encrypted connection (SSL).

6. Click Add.
7. Follow steps 4-5 to add any additional SMTP servers.
8. Use the Move Up and Move Down buttons to change the order of the SMTP servers in the list. The order of the servers in the list specifies how Password Manager uses the servers to send notification mail messages. Password Manager will first attempt to use the servers at the top of the list.

To remove a server from the list of outgoing SMTP mail servers

1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is http://<ComputerName>/QPM/Admin/.
2. On the menu bar, click Settings, and then click the Notifications tab.
3. In the Mail Servers area, select one or more SMTP servers to delete and click Remove.

Configuring Alerts and Recipients

You can configure Password Manager to send alert notifications to the specified administrators when the following actions are completed successfully or fail:
• Users change their Questions and Answers profiles
• Users unlock their accounts
• Users reset their passwords
• Users change their passwords
• Users' Questions and Answers profiles are locked
• Users change their personal alert settings

To specify alerts and recipients

1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is http://<ComputerName>/QPM/Admin/.
2. Ensure that you have configured the outgoing mail (SMTP) server settings.
3. You can configure the SMTP server settings by using the procedure outlined in "Configuring Outgoing Mail Servers Settings" on page 22.
4. On the menu bar, click Settings, and then click the Notifications tab.
5. In the Recipients section, click Add and specify the e-mail address of the administrator you want to receive notifications.
6. Verify the changes you have made by selecting one or more recipients and sending a test message.
7. In the Events section, configure the following options:

OPTION / DESCRIPTION

Q&A Profile created
    Select to notify when a user has created and/or failed to create their personal alert settings.

Q&A Profile changed
    Select to notify when a user has changed and/or failed to change their personal alert settings.

Account unlocked
    Select to send notifications when a user has unlocked and/or failed to unlock their account.

Password reset
    Select to send alerts when a user has reset and/or failed to reset their password.

Password changed
    Select to send alerts when a user has changed and/or failed to change their password.

Q&A profile locked
    Select to send alerts when a user's Questions and Answers profile has become locked and/or has failed to lock.

Preferred e-mail language
    Select, and then choose your preferred language for e-mail notifications from the drop-down list below.

8. Click Save.

Customizing E-mail Templates for the Notifications Distributed by Password Manager

You can customize the e-mail notification messages distributed by Password Manager to meet specific requirements in your organization. The notifications are sent either in plain text or as HTML. If you select HTML, you can enhance the notifications by using HTML tags to add custom text formatting, hyperlinks, etc.

To modify the e-mail notifications:

1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is http://<ComputerName>/QPM/Admin/.
2. On the menu bar, click Settings, and then select the E-mail Templates tab.
3. In the Select language drop-down box, select the language for which you want to customize the notification templates.
4. In the Events column, click the event group you want to customize.
5. In the E-mail Template column, edit the subject and the body of the notification templates as required.
    When editing the notification templates, you can use the following parameters in the notification templates:

PARAMETER / DESCRIPTION
%1   DNS domain name for the managed domain.
%2   User name (sAMAccountName).
%3   Error message.
%4   Error code (HResult).
%5   Reserved for internal use.
%6   User IP address.
%7   Current date in a user-readable form.
%8   Number of days until the deadline.
%9   User display name.
%10  User name of the Help Desk operator in the following format: <domain name>\<user name>.

6. In the Message format box, select the format to use for the notifications. You can select from two options: HTML or Plain Text. If you select HTML as the message format, you can add HTML markup tags to the templates to customize the e-mail notifications.
7. Click Save.

Selecting the Languages for Invitation Notification

You can specify one or more languages to use in the e-mail messages which invite users to register with Password Manager. If you select multiple languages, the invitation message will include several copies of the invitation, one copy for each of the selected languages.

To select the language(s) to use in the invitation notification:

1. Open the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is http://<ComputerName>/QPM/Admin/.
2. On the Administration site home page, click Managed Domains, and on the Managed Domains page, click the domain for which you want to create the language list, and then click the General tab.
3. On the General tab, in the User registration schedule section, click Specify notification language(s).
4. On the List of Languages for Invitation Notification page, click Add.
5. In the Add Language(s) window, select one or more languages to use in the invitation notification message and click Add.
6. Use the Move Up and Move Down buttons to specify the order of the languages in the invitation message. Note that the first language in the list will be used for the message subject.
7. Click Save.

Configuring Profile Update Policy

You can specify when users must update their Q&A profiles. For example, you can require users to update their Q&A profiles if the question list has been changed. The policy affects all users managed by the Password Manager instance.

To configure profile update policy

1. On the menu bar, click Settings, and then click the Profile Update Policy tab.
2. Configure the following options:

OPTION / DESCRIPTION

Question list or Q&A policy has changed since Q&A profile creation
    Select to have users update their Q&A profiles if the question list or the Q&A policy was modified after users created or last updated their Questions and Answers profiles.

The question user answered to register was modified or deleted
    Select to have users update their Q&A profiles if one or more questions which users answered to register were modified or deleted.

User's Q&A profile contains fewer questions than required for registration
    Select to have users update their Q&A profiles if you have added one or more questions required for registration, thus making the list of such questions longer than it was before users' profiles were last updated.

User's Q&A profile contains fewer questions than required for password reset
    Select to have users update their Q&A profiles if you have added one or more questions required to reset passwords, thus making the list of such questions longer than it was before users' profiles were last updated.

User's Q&A profile contains fewer questions than required for unlocking account
    Select to have users update their Q&A profiles if you have added one or more questions required to unlock accounts, thus making the list of such questions longer than it was before users' profiles were last updated.
User's answers are shorter than required
    Select to have users update their Q&A profiles if any of the users' answers contain fewer characters than the current settings require.

User-defined questions are shorter than required
    Select to have users update their Q&A profiles if any of the user-defined questions contain fewer characters than the current settings require.

User has specified the same answer for several questions
    Select to have users update their Q&A profiles if the profiles contain the same answer for different questions and the current settings do not allow this.

User specified an answer which is a part of the corresponding question
    Select to have users update their Q&A profiles if the profiles contain answers that are parts of the corresponding question and the current settings do not allow this. Enabling this option will affect only those users whose answers are stored using reversible encryption.

User's answers are stored using reversible encryption
    Select to have users update their Q&A profiles if users' answers are stored without reversible encryption and the current settings require it.

Question list was made unavailable to users since Q&A profile creation
    Select to have users update their Q&A profiles if a question list which they used when registering was made unavailable to users.

3. Click Save.

Users whose Q&A profiles have been marked as noncompliant can still use their profiles to reset passwords and unlock accounts, but they will start receiving alerts saying that their Q&A profiles must be updated according to the current password management settings.

Configuring Access to Self-Service Site from Windows Logon Screen

It is very common for business users to forget their password and be unable to log on to the system. Password Manager allows users to securely and conveniently reset their forgotten network passwords, or manage their passwords in multiple enterprise systems, before even logging on to the system. To enable users' access to the Self-Service site from the Windows logon screen, Password Manager implements Secure Password Extension.

Introducing Secure Password Extension

The Quest Secure Password Extension is an application that provides one-click access to the complete functionality of the Self-Service site from the Windows logon screen. The Secure Password Extension also provides dialog boxes displayed on end-user computers; these dialog boxes notify users who must create or update their Questions and Answers profiles with Password Manager.

The Secure Password Extension is included on the installation CD and is deployed through Group Policy. For information on how to deploy and configure the Secure Password Extension on end-user workstations in the managed domain, see "Deploying and Configuring Secure Password Extension" on page 29.

The Secure Password Extension supports the authentication model in Windows Vista and Windows 7, and has been tested for compatibility with GINAs (Graphical Identification and Authentication DLLs) of the following systems:
• Microsoft Windows 2000
• Microsoft Windows XP
• Microsoft Windows 2003
• Novell Client 4.9 for Windows NT/2000/XP and Windows 95/98
• Identix BioLogon 3
• IBM ThinkVantage Access Connections 3.81
• Citrix MetaFrame Presentation Server 4.0
• HP ProtectTools

In pre-Windows Vista operating systems, such as Microsoft Windows 2000 or XP, the Secure Password Extension uses the GINA-based authentication model, and adds the Forgot My Password and the Manage My Password buttons to the Windows logon screen. On workstations running Microsoft Windows 7, the Secure Password Extension adds the Forgot My Password link to the Windows logon screen. By clicking these buttons and the link, users open the Self-Service site.
When users connect to the Self-Service site from the Windows logon screen, anonymous access is enabled and the functionality of Microsoft Internet Explorer is restricted, thereby preventing actions that may pose a security threat. Once users open the Self-Service site home page from the Windows logon screen, they cannot access any other Web site, open a new browser window, or open a context menu.

Deploying and Configuring Secure Password Extension

This section describes the prerequisites and steps for deploying and configuring Quest Secure Password Extension to provide access to the Self-Service site from the Windows logon screen on end-user computers. The Secure Password Extension also provides dialog boxes displayed on end-user computers; these dialog boxes notify users who must create or update their Questions and Answers profiles with Password Manager.

The Secure Password Extension is deployed on client computers through Group Policy. You can create a new Group Policy object (GPO) or use an existing one to assign the installation package with the Secure Password Extension for installation on the destination computers. The Secure Password Extension is then installed on the computers to which the GPO applies.

Depending on the operating system running on the destination computers, you must apply either of the following installation packages included on the installation CD:
• Quest Secure Password Extension x86.msi - Installs the Secure Password Extension on computers running x86 versions of pre-Windows Vista, Windows Vista, and Windows 7 operating systems.
• Quest Secure Password Extension x64.msi - Installs the Secure Password Extension on computers running x64 versions of Windows Vista and Windows 7.

You can modify the behavior and on-screen appearance of the Secure Password Extension components by configuring the prm_gina.adm Administrative Template's settings, and then applying the template to the target computers through Group Policy. The prm_gina.adm administrative template file is located in the \Password Manager\Setup\Administrative Template\ folder of the installation CD. Before using the file, copy it from the installation CD. The recommended target location is the \inf subfolder of the Windows folder on a domain controller.

Follow the steps below to configure and deploy the Secure Password Extension on end-user computers.

To deploy and configure the Secure Password Extension

1. Copy the required installation package (Quest Secure Password Extension x86.msi or Quest Secure Password Extension x64.msi) from the installation CD to a network share accessible from all domain controllers where you want to install the Secure Password Extension. The MSI packages are located in the \Password Manager\Setup\ folder of the installation CD.
2. Create a GPO and link it to all computers, sites, domains, or organizational units where you want to use the Secure Password Extension. You may also choose an existing GPO to use with the Secure Password Extension.
3. Open the GPO in the Group Policy Object Editor, and then do the following:
   • Expand Computer Configuration/Software Settings, right-click Software installation, and then select New | Package.
   • Browse for the MSI package you copied in step 1, and then click Open.
   • In the Deploy Software window, select a deployment method and click OK.
   • Verify and configure the properties of the installation, if needed.
4. To complete the Secure Password Extension installation, you must reboot all the client computers affected by the Group Policy.
Self-Service Site Location and Service Connection Points

To enable users to open the Self-Service site by clicking the Forgot My Password or the Manage My Password links on the Windows logon screen, you do not need to configure the URL path that points to a specific server where the Self-Service site is deployed, because Secure Password Extension automatically locates the nearest Self-Service site.

Secure Password Extension locates the Self-Service site using the service connection points mechanism available in Active Directory. Service connection points are used in Active Directory to publish information that applications can use to bind to a service. To locate the server where the Self-Service site is deployed, Secure Password Extension uses the service connection points published by Password Manager Service instances in Active Directory.

When an instance of Password Manager is installed, the Password Manager Service publishes its service connection points in Active Directory. Password Manager regularly updates its service connection points using the Quest Password Manager x86 Publisher or Quest Password Manager x64 Publisher scheduled task. Every 10 minutes, the task publishes the service connection points in all the domains managed by the underlying Password Manager instance.

Password Manager Realm Affinity

In some instances, you may want Secure Password Extension to contact only specific Password Manager Service instances when locating the Self-Service site. You can force Secure Password Extension to use only Password Manager Service instances that belong to a specific Password Manager realm. A Password Manager realm is one or more Password Manager instances sharing a common configuration and the same encryption key. Normally, you add a member to a Password Manager realm by installing a new Password Manager instance using the "A replica of an existing instance" option. To force Secure Password Extension to use only the Password Manager Service from a specific realm, you must set the Secure Password Extension affinity for that realm.

To set Secure Password Extension affinity for a Password Manager realm:

1. Open the Administration site of the Password Manager Service instance that belongs to the target realm.
2. On the Administration site home page, click Managed Domains, and on the Managed Domains page, click the domain to which the computer running the Secure Password Extension instance you want to bind belongs.
3. On the General tab, select the contents of the Password Manager Realm Affinity ID box, right-click the selection and select Copy.
4. Open Administrative Tools (located at Start Menu | Settings | Control Panel).
5. Open Active Directory Users and Computers.
6. Right-click the managed domain name in the left pane and select Properties.
7. On the Group Policy tab, select the domain policy that is configured to work with Secure Password Extension and click Edit.
8. Expand Default Domain Policy | Computer Configuration in the left pane of the Group Policy Object Editor, then right-click the Administrative Templates node, and select Add / Remove Templates.
9. Click Add, browse for the prm_gina.adm file, select it, and then click Open.
10. Click Close to close the Add/Remove Templates dialog box.
11. Select the Administrative Templates node, and then double-click the Quest Password Manager template in the right pane.
12. Click Generic Settings in the left pane.
13. In the right pane, double-click Password Manager Realm Affinity.
14. Select the Enabled option on the Settings tab, and then right-click the Realm Affinity ID text box and select Paste.
15. Click OK.
16. Apply the updated policy to the computers in the managed domain. Please note that application of the updated policy to the computers in the managed domain may take some time to complete.
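The site-selection rules described in this section and the next two (service connection points, Realm Affinity, the "Override URL path" and "Force HTTPS" policies, and the default cap of 5 connection attempts) can be modelled as follows. This is an added example, not Quest's code or the actual Secure Password Extension logic; the hostnames, realm IDs, SCP records and the order in which candidates are retried are constructed assumptions.

```python
"""Added example, not Quest's code: a model of how Secure Password Extension (SPE)
chooses a Self-Service site under the rules in this guide:
  - Password Manager Service instances publish service connection points (SCPs)
    in Active Directory;
  - Password Manager Realm Affinity keeps only instances of one realm;
  - "Override URL path to Self-Service site" skips discovery and uses the URL from
    "Specify URL path to the Self-Service site";
  - "Force HTTPS" rejects http:// sites;
  - connection attempts are capped (default 5 when the policy is not configured).
Every hostname, realm ID and SCP record here is constructed; the real SCP attribute
layout is not documented on this page, so records are reduced to three fields."""
from dataclasses import dataclass
from typing import Callable, List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ServiceConnectionPoint:
    """A published SCP reduced to the fields this model needs (constructed shape)."""
    instance: str          # host of the Password Manager Service that published it
    realm_id: str          # Password Manager Realm Affinity ID of that instance
    self_service_url: str  # Self-Service site URL the SCP advertises


DEFAULT_MAX_ATTEMPTS = 5  # guide: default when the policy is disabled or not configured


def is_valid_self_service_url(url: str) -> bool:
    """True when url has the documented shape
    http(s)://COMPUTER_NAME/VIRTUAL_DIRECTORY_NAME/User/ (Force HTTPS is applied separately)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    segments = parts.path.split("/")  # "/QPM/User/" -> ["", "QPM", "User", ""]
    return (len(segments) == 4 and segments[1] != ""
            and segments[2] == "User" and segments[3] == "")


def candidate_sites(scps: List[ServiceConnectionPoint],
                    realm_affinity_id: Optional[str] = None,
                    override_url: Optional[str] = None,
                    force_https: bool = False) -> List[str]:
    """Self-Service URLs in the order SPE would try them under the given policies."""
    if override_url is not None:
        urls = [override_url]          # override enabled: discovery is not consulted
    else:
        chosen = scps
        if realm_affinity_id:          # affinity set: instances of other realms are ignored
            chosen = [s for s in scps if s.realm_id == realm_affinity_id]
        urls = [s.self_service_url for s in chosen]
    urls = [u for u in urls if is_valid_self_service_url(u)]
    if force_https:
        urls = [u for u in urls if urlsplit(u).scheme == "https"]
    return urls


def connect_with_retries(urls: List[str],
                         try_connect: Callable[[str], bool],
                         max_attempts: int = DEFAULT_MAX_ATTEMPTS) -> Optional[str]:
    """Try candidates until one answers, spending at most max_attempts in total.
    Rotating through the candidates is an assumption of this model; the guide
    only states the attempt cap."""
    if not urls:
        return None
    for attempt in range(max_attempts):
        url = urls[attempt % len(urls)]
        if try_connect(url):
            return url
    return None


if __name__ == "__main__":
    # Constructed SCP records: two realms, one instance still on plain http.
    published = [
        ServiceConnectionPoint("pm1.corp.example", "realm-A", "https://pm1.corp.example/QPM/User/"),
        ServiceConnectionPoint("pm2.corp.example", "realm-B", "http://pm2.corp.example/QPM/User/"),
        ServiceConnectionPoint("pm3.corp.example", "realm-A", "https://pm3.corp.example/QPM/User/"),
    ]
    print("affinity realm-A:", candidate_sites(published, realm_affinity_id="realm-A"))
    print("force HTTPS:     ", candidate_sites(published, force_https=True))
    print("override:        ", candidate_sites(published, override_url="https://pm9.corp.example/Portal/User/"))
```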
Overriding Automatic Self-Service Site Location

In some instances, you may not want Secure Password Extension to automatically locate the nearest Self-Service site using the Password Manager Service connection points published in Active Directory. If you need to override the default behavior and force Secure Password Extension to use a specific Self-Service site, you must explicitly specify the URL path by following the steps below.

To override automatic Self-Service site location:

1. Open Administrative Tools (located at Start Menu | Settings | Control Panel).
2. Open Active Directory Users and Computers.
3. Right-click the managed domain name in the left pane and select Properties.
4. On the Group Policy tab, select the domain policy that is configured to work with Secure Password Extension and click Edit.
5. Expand Default Domain Policy | Computer Configuration in the left pane of the Group Policy Object Editor, then right-click the Administrative Templates node, and select Add / Remove Templates.
6. Click Add, browse for the prm_gina.adm file, select it, and then click Open.
7. Click Close to close the Add/Remove Templates dialog box.
8. Select the Administrative Templates node, and then double-click the Quest Password Manager template in the right pane.
9. Double-click Generic Settings.
10. Double-click Specify URL path to the Self-Service site.
11. Select the Enabled option on the Settings tab and then enter the URL path to the Self-Service site into the entry field using the following format: https://COMPUTER_NAME/VIRTUAL_DIRECTORY_NAME/User/, where COMPUTER_NAME is the name of the server where Password Manager resides, and VIRTUAL_DIRECTORY_NAME is the virtual directory name that was configured during Quest Password Manager Setup (by default, the virtual directory name is QPM). Substitute https:// with http:// if you don't use HTTPS. It is strongly recommended that you enable HTTPS on the Password Manager server.
12. Click OK.
13. Double-click Override URL path to Self-Service site.
14. Select the Enabled option on the Settings tab.
15. Click OK.
16. Apply the updated policy to the computers in the managed domain. Please note that application of the updated policy to the computers in the managed domain may take some time to complete.

Customizing the Logo for Secure Password Extension

For pre-Windows Vista operating systems, you can replace the Secure Password Extension's default logo that is displayed on the Windows logon screen. The image must be a 417-by-58-pixel .bmp file.

To deploy a custom logo for Secure Password Extension on end-user computers

1. Create a startup script to deploy your logo image. See the sample script below this procedure.
2. Create your logo image and place it on a network share accessible to all network hosts against which the script is run.
3. In the Group Policy Object Editor, open the GPO which includes the prm_gina.adm Administrative Template.
4. Expand Computer Configuration/Administrative Templates and then click Quest Password Manager.
5. Under Quest Password Manager, expand Pre-Windows Vista Settings/Secure Password Extension Logo, and enable the Set dialog background image policy setting by specifying a local path to the logo image file on end-user computers. The local path you specify in this policy setting must be the same as in the startup script specified later in this section.
6. Expand Computer Configuration/Windows Settings/Scripts (Startup/Shutdown) and double-click the Startup policy setting in the right pane.
7. In the Startup Properties window, click Add, then browse for the script file you created in step 1, and specify the script parameters. The script file must be located in the directory opened by clicking Show Files in the Startup Properties window.
8. Click OK.
The following startup script is a batch file that runs on end-user computers during system startup, and copies the custom logo image from the network share to a local folder:

@echo off
rem "SPE startup script"
rem %1 is the logo file name passed as the script parameter (see step 7 above)
rem *Check target directory existence*
if exist "c:\Program Files\Quest Software\Quest Secure Password Extension" goto :COPY_FILE
md "c:\Program Files\Quest Software\Quest Secure Password Extension"
rem *Copy BMP image - %1*
:COPY_FILE
rem /Y suppresses the overwrite prompt; a startup script has no console to answer it
copy /Y "[SharedDir]\%1" "c:\Program Files\Quest Software\Quest Secure Password Extension\*.*"
rem pause
:out
exit

[SharedDir] is a shared domain directory that must be available during boot. The script lines containing the target path should be typed as a single line; the lines are wrapped in this guide only for readability. You can modify the sample target path in the script as you need.

Customizing Position of the Secure Password Extension Window

You can specify the position of the Secure Password Extension window on the logon screen of user computers.

To change the position of the Secure Password Extension window on end-user computers

1. In the Group Policy Object Editor, open the GPO which includes the prm_gina.adm Administrative Template.
2. Expand Computer Configuration/Administrative Templates and then click Quest Password Manager.
3. Under Quest Password Manager, expand Pre-Windows Vista Settings/Secure Password Extension Window Settings, and enable the Set Secure Password Extension Window Position policy by specifying the position of the Secure Password Extension window on the Windows logon screen of user computers.
4. Click OK.

Managing Secure Password Extension Using Administrative Templates

The prm_gina.adm Administrative Template features a powerful set of options that allow you to customize the behavior and appearance of Secure Password Extension according to your requirements.
The Administrative Template layout includes the following folders:
• Generic Settings - includes policy settings that can be applied to computers running pre-Vista, Windows Vista, and Windows 7 Microsoft operating systems.
• Pre-Windows Vista Settings - includes policy settings that can be applied to computers running only pre-Vista operating systems.

Brief descriptions of the Administrative Template policy settings are outlined in the tables below. For more information about policy settings, see the Explain tab on the Properties page of each policy.

Generic Settings

The following table outlines generic Administrative Template policy settings you can use to customize the behavior of Secure Password Extension.

POLICY NAME / DESCRIPTION

Policy group: Generic Settings

Specify URL path to the Self-Service site
    This policy lets you specify the link for access to the Self-Service site from the Windows logon screen. This link is opened when users click the Forgot My Password or Manage My Password buttons on the Windows logon screen in pre-Vista operating systems, and the Forgot My Password command link in Windows Vista and Windows 7 operating systems. Use the following URL path format: https://COMPUTER_NAME/VIRTUAL_DIRECTORY/User/, where COMPUTER_NAME is the name of the server where Password Manager resides, and VIRTUAL_DIRECTORY is the virtual directory name that was configured during Quest Password Manager Setup (by default, the virtual directory name is QPM). Substitute https:// with http:// if you don't use HTTPS.

Override URL path to Self-Service site
    By default, Secure Password Extension automatically locates the Self-Service site in its domain. This policy setting lets you override the default behavior and force Secure Password Extension to use the Self-Service site specified in the "Specify URL path to the Self-Service site" setting.

Password Manager Realm Affinity
    This policy setting lets you force Secure Password Extension to use only Password Manager Service instances that belong to a specific Password Manager realm.

Maximum number of attempts to connect to the Self-Service site
    This setting specifies the maximum number of attempts to connect to the Self-Service site from Secure Password Extension. If this setting is disabled or not configured, the default number of attempts is 5.

Force HTTPS
    This policy setting lets you enforce HTTPS for connections to the Self-Service site established using the Secure Password Extension.

Policy group: Proxy Settings

Enable proxy server access
    This policy setting determines whether connections to the Self-Service site from the Windows logon screen are established through the specified proxy server.

Configure required proxy settings
    Specifies the settings required to enable proxy server access to the Self-Service site from the Windows logon screen.

Configure optional proxy settings
    Specifies optional settings for the proxy server access.

Policy group: Shortcut Policies

Restore desktop shortcuts for the Self-Service site
    This policy setting lets you define whether the desktop shortcut to the Self-Service site on a user's computer should be re-created by the Secure Password Extension if the user deletes the desktop shortcut.

Do not create desktop shortcuts for the Self-Service site
    This policy setting lets you define whether the desktop shortcuts to the Self-Service site on users' computers should not be created by the Secure Password Extension.

Do not create any shortcuts for the Self-Service site
    This policy setting lets you define whether any shortcuts to the Self-Service site on users' computers (on the desktop and in the Start menu) should not be created by the Secure Password Extension.
Policy group: Secure Password Extension Title Settings

Display custom names for the Secure Password Extension window title
    This policy setting lets you define whether to replace the default language-specific names of the Secure Password Extension window title with the names that you specify for the required logon languages.

Set custom name for the Secure Password Extension window title in <Language>
    This group of policy settings allows you to specify a custom name for the Secure Password Extension window title. You can specify the title for each of the required logon languages. 36 language-specific policy settings are available out-of-the-box. Note: The name you specify must not exceed 32 characters. If a hieroglyphic font is used, the name is limited to 14 characters because of the hieroglyphs' width. The URL length must not exceed 256 characters.

Policy group: Usage Policy Settings

Display the usage policy button (command link)
    Defines whether to display the usage policy buttons and command links for which you have specified the logon language-specific names and URLs. The usage policy button on pre-Windows Vista operating systems, and the usage policy command link on Windows Vista and Windows 7 operating systems, are displayed on the Windows logon screen, and are intended to open an HTML document that describes the enterprise usage policy or contains any information that you may want to make available to end users.

Set default URL
    This policy lets you specify a URL referring to the usage policy document that will be opened by clicking the usage policy button (command link) if no logon language-specific URLs are set. The default URL may refer to an HTML file.

Set name and URL for the usage policy button (command link) in <Language>
    This group of policy settings allows you to specify the name of the usage policy button (command link) and set the link to the usage policy document that will be opened by clicking the usage policy button or command link. You can specify the name and URL for each of the required logon languages. 36 language-specific policy settings are available. Note: The name you specify must not exceed 32 characters. If a hieroglyphic font is used, the name is limited to 14 characters because of the hieroglyphs' width. The URL length must not exceed 256 characters.

Policy group: Forgot My Password Settings

Display custom names for the Forgot My Password button (command link)
    This policy setting lets you define whether to replace the default language-specific names of the Forgot My Password button and command link with the names that you specify for the required logon languages. The Forgot My Password button (command link) is intended to open the Self-Service site from the Windows logon screen. On pre-Windows Vista operating systems, the Forgot My Password button is displayed if you are not logged on to the system. On Windows Vista and Windows 7 operating systems, the command link is displayed on the Windows logon screen irrespective of whether the user is logged on to the system or not.

Set custom name for the Forgot My Password button (command link) in <Language>
    This group of policy settings allows you to specify names of the Forgot My Password button (command link) individually for each of the required logon languages. 36 language-specific policy settings are available.

Policy group: Notifications Customization

Notification recurrence interval
    If the registration notification is turned on, users will be notified of the necessity to register with Password Manager through a dialog box displayed on the desktop screen. This setting lets you specify how often you want registration notifications to be displayed on the desktop of user computers where the Secure Password Extension is running.

Set background image for registration notification dialog box
    This policy setting allows you to change the default background by specifying an image that will be used as a new background.
Enable customization of registration notifications
    This policy setting allows you to define whether you want to replace the default text on language-specific registration notification dialog boxes with your custom text.

Registration Notifications

Customize registration notification in <Language>
    This group of policy settings allows you to customize the text in notification dialog boxes individually for each of the required logon languages. 36 language-specific policy settings are available.

Q&A profile update notifications

Customize Q&A profile update notification in <Language>
    This group of policy settings allows you to customize the notifications that request users to update their Q&A profiles, individually for each of the required logon languages. 36 language-specific policy settings are available.

Administrator Guide

Pre-Windows Vista Settings

The following table outlines Administrative Template policy settings for Secure Password Extension in pre-Windows Vista operating systems.

Registration and Q&A profile update enforcement

Enforce registration and Q&A profile update
    This policy setting allows you to specify whether to force users to register with Password Manager or update their invalid Q&A profiles before they log on to their computers. If you enable this policy and select the "Prevent users from logging on after deadline" check box on the Setting tab of the Properties window, users are denied logon to their computers after the deadline until they create or update their Q&A profiles as required.

Secure Password Extension Logo

Set dialog background image
    This policy setting lets you choose a picture to replace the default background image on the Secure Password Extension dialog that appears on the Windows logon screen.
Secure Password Extension Window Settings

Set the Secure Password Extension Window Position
    This policy setting lets you specify the position of the Secure Password Extension window on the Windows logon screen of user computers.

Manage My Password Settings

Display custom names for the Manage My Password button
    This policy setting lets you define whether to replace the default language-specific names of the Manage My Password button with the names that you specify for the required logon languages. The Manage My Password button is intended to open the Self-Service site on pre-Windows Vista operating systems, and is displayed on the Windows logon screen provided that you are logged on to the system.

Set custom name for the Manage My Password button in <Language>
    This group of policy settings allows you to specify the name of the Manage My Password button individually for each of the required logon languages. 36 language-specific policy settings are available.

Uninstalling Secure Password Extension

You uninstall the Secure Password Extension from end-user computers by removing the appropriate installation packages assigned through Group Policy. Uninstalling the Secure Password Extension makes the Self-Service site no longer available from the Windows logon screen.

To remove an assigned .MSI package
1. Start the Group Policy Management snap-in. To do this, click Start, point to Programs, point to Administrative Tools, and then click Group Policy Management.
2. In the console tree, click the Group Policy object with which you deployed the package, and then click Edit.
3. Expand the Software Settings container that contains the Software installation item with which you deployed the package.
4. Click the Software installation container that contains the package.
5. In the right pane of the Group Policy window, right-click the package name, point to All Tasks, and then click Remove.
6. Click Immediately uninstall the software from users and computers, and then click OK.
7. Quit the Group Policy Object Editor snap-in, and then quit the Group Policy Management snap-in.

Troubleshooting Secure Password Extension

If the user logon interface DLL prm_gina.dll fails to load at system startup, users encounter the following system message:

"The logon user interface DLL 'prm_gina.dll' failed to load. Contact your system administrator to replace the DLL, or restore the original DLL."

This problem may occur when the prm_gina.dll file on the local computer is corrupt or missing. To resolve this behavior, follow these steps:
1. Start Windows in safe mode.
2. In the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry key, replace the GinaDLL value data with the Original value data from the HKEY_LOCAL_MACHINE\SOFTWARE\Quest Software\PRM key, if the latter exists.
   – OR –
   If the HKEY_LOCAL_MACHINE\SOFTWARE\Quest Software\PRM key does not exist, delete the GinaDLL value from the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry key.
3. Restart the computer in normal mode.
4. Uninstall Secure Password Extension, and then install it again by running the appropriate .MSI package on the local computer.

Managing Domains

This section describes how to configure Password Manager managed domains. A managed domain is a domain managed by Password Manager. To start using Password Manager, you must add one or more managed domains.

Configuring Permissions to Access a Managed Domain

When adding a managed domain, you must specify an account under which Password Manager will access the domain.
Before adding a managed domain, ensure that this account has the following minimum set of permissions required to successfully perform password management tasks in the domain:
• Membership in the Domain Users group
• The Read permission for all attributes of user objects
• The Write permission for the following attributes of user objects: pwdLastSet, comment, and userAccountControl
• The right to reset user passwords
• The Write permission to create user accounts in the Users container
• The Read permission for attributes of the organizationalUnit objects and domain objects
• The Write permission for the gpLink attribute of the organizationalUnit objects and domain objects
• The Read permission for attributes of the groupPolicyContainer objects
• The Write permission to create and delete the groupPolicyContainer objects in the System Policies container
• The Read permission for the nTSecurityDescriptor attribute of the groupPolicyContainer objects
• The permission to create and delete container and serviceConnectionPoint objects in Group Policy containers
• The Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers
• The Write permission for the serviceBindingInformation and displayName attributes of the serviceConnectionPoint objects in Group Policy containers
• The permission to create container objects in the System container
• The permission to create the serviceConnectionPoint objects in the System container
• The permission to delete the serviceConnectionPoint objects in the System container
• The Write permission for the keywords attribute of the serviceConnectionPoint objects in the System container

It is advisable to use the Password Manager Service account to add managed domains and manage domain-specific data.

When you add a managed domain by using the Administration site, Password Manager creates a Configuration Storage Account with the name '_QPM_svc_usr1' in the 'Users' container of the managed domain. Password Manager uses this account to store its configuration data. If you configure other Password Manager instances to manage the same domain, those instances create Configuration Storage Accounts with the names '_QPM_svc_usr2', '_QPM_svc_usr3', and so on, and use the corresponding accounts to store their configuration data.

Adding a Managed Domain

To manage a domain with Password Manager, you must add the domain to the managed domains. A managed domain is a domain managed by Password Manager. You can add one or more managed domains. After adding a managed domain, you can manage the domain's users by using Password Manager.

To add a managed domain
1. On the home page of the Administration site, click Managed Domains.
2. On the Configure Managed Domains page, click Add.
3. On the Domain Name and User Account Details page, configure access to the domain by doing the following:
   • In the Domain name text box, type the name of the domain that you want to register with Password Manager.
   • In the Domain alias for the Self-Service Site text box, type the alias for the domain, which will be used to address the domain on the Self-Service site.
   • To have Password Manager access the managed domain using the Password Manager Service account, click Password Manager Service account. Otherwise, click Specified user name and password, and then enter the user name and password of the user account you want Password Manager to use when accessing the domain. For information on how to prepare an account for accessing a managed domain, see “Configuring Permissions to Access a Managed Domain” on page 39.
4. Click OK.
After you have added a managed domain, you must create a question list for users' Q&A profiles and configure password management settings for this domain, so that users can create their personal profiles by using the Self-Service site. For more information, see the "Managing Questions and Answers Profiles" and "Configuring Password Policies" sections.

Managing Questions and Answers Profiles

Password Manager uses personal Questions and Answers profiles as an authentication method to allow users and help desk operators to manage user passwords in Active Directory domains and in multiple connected systems. A Questions and Answers profile, or personal profile, is a set of questions pre-designed by the Password Manager administrator, to which users must provide their secret answers; these answers can later be used to authenticate the users. You can also require users to specify their own questions in their personal profiles. Users can then securely reset their passwords or unlock their accounts by answering a series of questions from their personal profiles.

Before users can register with Password Manager by creating their personal Questions and Answers profiles, you must configure a question list containing the questions that will be presented to users. You can create question lists in a specific language, so that users can select a preferred language of questions and answers.

You can set requirements for the answers that users specify in their Questions and Answers profiles. For example, you can prevent users from specifying the same answer for different questions, or set a minimum answer length.

Password Manager allows you to specify criteria for recognizing users' Questions and Answers profiles as not compliant with the current password management settings. This is essential if you want users to update their profiles each time the password management settings are changed.
You can have noncompliant user Q&A profiles manually invalidated by help desk operators, thus preventing users with invalidated profiles from resetting passwords and unlocking accounts. Such users are then required to update their Questions and Answers profiles. For information on how to configure Q&A profile compliance rules, see “Configuring Profile Update Policy” on page 26.

Creating and Configuring Question Lists

A question list is a series of questions to which users provide their own answers, thus creating a personal Questions and Answers profile. Later, the user has to answer the specified number of questions from the question list to be allowed to perform password self-management tasks, such as resetting a password or unlocking an account.

You can create question lists in different languages. Users can then select a preferred language for the questions and answers in their personal profile.

Every question list can contain the following types of questions:

Mandatory
    Questions of this type are an integral part of a user's Q&A profile. Users must provide an answer to each of these questions. You must specify at least one mandatory question if you want Help Desk operators to be able to unlock user accounts and reset user passwords: a user must answer a randomly selected mandatory question before a help desk operator can reset the user's password or unlock the user's account.

Optional
    Users can decide for themselves whether they want to use any questions of this type in their Q&A profile.

User-defined
    A question that must be composed by the user.

Help Desk authentication
    A security question used by the Help Desk to verify a user's identity when resetting the user's password or unlocking the user's account. This question is not configurable, and is included in users' Q&A profiles if you select the Operators must verify user identity option on the Help Desk site settings page. For more information about this option, see “Configuring Help Desk Site Settings” on page 20. Users' answers to this type of question are always stored using reversible encryption. For information about changing the cryptographic and hashing algorithms for configuration data storage, see the Quick Start Guide.

For users to be able to create their personal Questions and Answers profiles, you must specify at least one question in a question list.

To create and configure a question list
1. Open the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is http://<ComputerName>/QPM/Admin/.
2. On the Administration site home page, click Managed Domains, and on the Managed Domains page, click the domain for which you want to create a question list, and then click the Questions tab.
3. On the Questions tab, build the list of languages for which you want to create question lists by selecting one language at a time in the Add a language into the list box and clicking Add.
4. On the Questions tab under Language, click the language for which you want to create a question list.
5. On the Configure Question List page, specify the following options as required:

   Make questions in this language unavailable to users
       Select this check box to temporarily prevent users from creating or updating their Q&A profiles using the question list in this language.
   Mandatory questions
       Click the Add button under the Mandatory questions list box, and then type a question and press ENTER.
   Optional questions
       Click the Add button under the Optional questions list box, and then type a question and press ENTER. To add more optional questions, repeat this step. Under Users must answer this number of optional questions to register, set the number of optional questions that a user must answer to register.
   Users must answer this number of optional questions to register
       Set the required number of optional questions that a user must answer to create his Questions and Answers profile.
   Users must configure this number of user-defined questions
       Set the required number of user-defined questions that a user must specify to create their Questions and Answers profile.
   Number of questions that users must answer to register
       Set the required number of optional questions that a user must answer to create their Questions and Answers profile.
   Number of questions from user's Q&A profile that a user must answer to reset his password or unlock his account
       Set the number of questions that are presented to users when they reset their password or unlock their account, by doing one of the following: Click All questions from user's Q&A profile to have users answer all the questions from their profiles. Click Specified number of randomly selected questions, and then set the number of questions required to reset a password and to unlock an account.

6. Click Save.
7. Repeat steps 4-6 for each language in the language list.

Modifying a question list does not affect existing personal Questions and Answers profiles unless users have to update their profiles as a result of the settings that require users to update Q&A profiles when the question list is modified.

Configuring Questions and Answers Policy

This policy allows you to define settings and requirements for users' questions and answers. For example, you can prevent users from using the same answer for multiple questions. Questions and answers that do not comply with the policy are not accepted.

To configure Questions and Answers policy
1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is http://<ComputerName>/QPM/Admin/.
2. Click Manage Domains.
3. On the Managed Domains page, click a domain, and then click the Q&A Policy tab.
4. On the Q&A Policy tab, specify the following options:

   Minimum length of answer
       Set the minimum number of characters that users' answers must contain.
   Minimum length of user-defined questions
       Set the minimum number of characters that users' questions must contain.
   Reject the same answers for different questions
       Select to prevent users from specifying the same answer for different questions.
   Reject answers that are parts of the corresponding questions
       Select to prevent users from specifying answers that are parts of the corresponding questions.
   Store answers using reversible encryption
       Select to store users' answers using reversible encryption.

5. Click Save.

Performing Bulk Profile Updates

Password Manager stores a user's Questions and Answers profile data in an attribute of the user's account. You can perform a bulk update of Questions and Answers profiles by updating the proper attribute of each registered user's account. Upon request, Quest Software Support will provide you with solutions that allow you to perform the following tasks:
• Change the attribute used to store Questions and Answers profiles
• Bulk creation of Questions and Answers profiles

Changing the Attribute Used for Storing Questions and Answers Profiles

By default, Quest Password Manager stores Questions and Answers profile data in the comment attribute of each user's account. You can configure Quest Password Manager to use another attribute instead. You can change the Active Directory attribute in which the Questions and Answers profiles are stored and move existing profiles to the newly specified attribute. For more information on how to change the default attribute, visit the Quest Support link below or contact Quest Software customer support:
https://support.quest.com/SUPPORT/index?page=solution&id=SOL11420
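The options on the Q&A Policy tab described under "Configuring Questions and Answers Policy" above map directly onto checks that can be run before a profile is accepted. The following Python is an added example, not Password Manager's own code: it validates a constructed sample profile against the four answer-policy options and, for contrast with the "Store answers using reversible encryption" option, shows a non-reversible (PBKDF2) way of storing answers that only ever need to be verified, never read back. The QAPolicy field names, the answer normalisation rules and the hashing helper are my own assumptions about a sensible implementation.

```python
"""Validate Q&A profile answers against the Questions and Answers policy options.
Added example, not Password Manager code: the checks mirror the option names on the
Q&A Policy tab; the normalisation and the PBKDF2 storage helper are assumptions."""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass
class QAPolicy:
    min_answer_length: int = 4              # "Minimum length of answer"
    min_question_length: int = 10           # "Minimum length of user-defined questions"
    reject_same_answers: bool = True        # "Reject the same answers for different questions"
    reject_answer_in_question: bool = True  # "Reject answers that are parts of the corresponding questions"


def normalize(text: str) -> str:
    """Case-fold, trim and collapse whitespace so that 'Fido', ' fido' and 'FIDO' compare
    equal. Assumption: the product's exact comparison rules are not documented here."""
    return re.sub(r"\s+", " ", text.strip()).casefold()


def validate_profile(pairs: Sequence[Tuple[str, str, bool]], policy: QAPolicy) -> List[str]:
    """pairs: (question, answer, user_defined). Returns the list of policy violations;
    an empty list means every question/answer pair is acceptable."""
    violations: List[str] = []
    seen: Dict[str, int] = {}  # normalised answer -> index of the question that first used it
    for idx, (question, answer, user_defined) in enumerate(pairs, start=1):
        q, a = normalize(question), normalize(answer)
        if len(a) < policy.min_answer_length:
            violations.append(f"Q{idx}: answer shorter than {policy.min_answer_length} characters")
        if user_defined and len(q) < policy.min_question_length:
            violations.append(f"Q{idx}: user-defined question shorter than {policy.min_question_length} characters")
        if policy.reject_answer_in_question and a and a in q:
            violations.append(f"Q{idx}: answer is part of its question")
        if policy.reject_same_answers:
            if a in seen:
                violations.append(f"Q{idx}: same answer as Q{seen[a]}")
            else:
                seen[a] = idx
    return violations


def hash_answer(answer: str, salt: bytes, iterations: int = 100_000) -> str:
    """Non-reversible storage of an answer: PBKDF2-HMAC-SHA256 over the normalised answer.
    Contrast with the 'Store answers using reversible encryption' option, which keeps the
    plaintext recoverable (required where a help desk operator must read the answer back)."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, iterations).hex()


def verify_answer(candidate: str, salt: bytes, stored_hex: str, iterations: int = 100_000) -> bool:
    """Constant-time comparison of a candidate answer against a stored hash."""
    return hmac.compare_digest(hash_answer(candidate, salt, iterations), stored_hex)


# Constructed sample profile (not real user data); each tuple is (question, answer, user_defined).
SAMPLE_PROFILE = [
    ("What was the name of your first pet?", "Fido", False),
    ("What city were you born in?", "fido", False),         # same answer as Q1 after normalisation
    ("Colour?", "Red", True),                               # user-defined question and answer both too short
    ("What is the make of your first car?", "Car", False),  # answer too short and part of the question
]

if __name__ == "__main__":
    for violation in validate_profile(SAMPLE_PROFILE, QAPolicy()):
        print(violation)
```

Running the block prints one line per violation in the sample profile; a profile that passes returns an empty list. The hashing helper is only appropriate for answers that are verified by comparison (self-service reset); the Help Desk authentication question, which the guide says is always stored with reversible encryption, needs the plaintext back and so cannot be stored this way.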
Bulk Creation of Questions and Answers Profiles

Quest Password Manager stores users' Questions and Answers profile data in an attribute of each user's account. You can pre-populate or create Questions and Answers profiles in bulk by writing new data to these attributes. Upon request, Quest Software Support will provide you with a solution that performs the bulk update and automatic enrollment of users from an external data source. For more information on how to pre-populate or create Questions and Answers profiles in bulk, visit the Quest Support link below or contact Quest Software customer support:
https://support.quest.com/SUPPORT/index?page=solution&id=SOL32604

Configuring Password Policies

About Password Policies

You can use Quest Password Manager to create password policies that define which passwords to reject or accept. Password policy settings are stored in Group Policy objects (GPOs). A GPO is applied by linking it to a target container defined in Active Directory, such as an organizational unit or a group. Group Policy objects from parent containers are inherited by default. When multiple Group Policy objects are applied, the policy settings are aggregated. For information on how to apply a password policy and change the policy link order, see “Managing Password Policy Links” on page 55.

Password Policy Manager

Password Policy Manager (PPM) is an independently deployed component of Password Manager. Password Policy Manager is necessary to enforce the password policies configured in Password Manager when users change their passwords using means other than Password Manager. To enforce the password policies that you define with Password Manager, you must deploy Password Policy Manager on all domain controllers in a managed domain. Depending on whether a domain controller is running an x86 or x64 version of the Microsoft Windows Server operating system, the appropriate version of Password Policy Manager must be installed. The procedure for installing PPM is outlined in “Installing Password Policy Manager” on page 45.

Password Policy Rules

Password Manager uses a set of powerful and flexible rules to define requirements for domain passwords. Each password policy has rules that are configured independently of the rules in other policies. The following rules duplicate and extend the system password policy rules: Password Age Rule, Length Rule, Complexity Rule, and User Properties Rule. For information on how to create and configure a password policy, see “Installing Password Policy Manager” on page 45.

To display the properties of a password policy
1. On the home page of the Administration site, click the Managed Domains box. The Configure Managed Domains page opens.
2. Under the Password policies table heading, click the link next to the domain that you want to manage.
3. On the Password Policies for the <DomainName> Domain page, click the policy whose properties you want to view or modify.

Installing Password Policy Manager

This section describes the steps for deploying Password Policy Manager in a managed domain.

Password Policy Manager is deployed on all domain controllers through Group Policy. You can create a new Group Policy object (GPO), or use an existing one, to assign the installation package with Password Policy Manager to the destination computers. Password Policy Manager is then installed on the computers to which the GPO applies. Depending on the operating system running on the destination computers, you must apply one of the following installation packages included on the installation CD:
• Quest Password Policy Manager x86.msi - Installs Password Policy Manager on domain controllers running an x86 Microsoft Windows Server operating system.
• Quest Password Policy Manager x64.msi - Installs Password Policy Manager on domain controllers running an x64 Microsoft Windows Server operating system.
The installation packages are located in the \Password Manager\Setup\Password Policy Manager\ folder on the installation CD. Depending on whether a domain controller is running an x86 or x64 version of the Microsoft Windows Server operating system, the appropriate version of Password Policy Manager must be installed.

To install Password Policy Manager on a single domain controller
1. Run the appropriate Password Policy Manager .MSI package located in the \Password Manager\Setup\Password Policy Manager\ folder on the installation CD.
2. Restart the computer once the installation completes.

To deploy Password Policy Manager on multiple domain controllers
1. Copy the appropriate Password Policy Manager .MSI package from the installation CD to a network share accessible from all domain controllers in the managed domain.
2. Create a GPO and link it to all domain controllers in the managed domain. You may also choose an existing GPO to deploy Password Policy Manager.
3. Open the Computer Configuration folder under the selected GPO, and then open the Software Settings folder.
4. Right-click Software installation, and then select New | Package.
5. Select the .MSI package you copied in step 1.
6. Click Open.
7. Select the deployment method and click OK.
8. Verify and configure the installation properties, if needed.

Creating and Configuring a Password Policy

When you have created a password policy, you can modify its default properties.

To create a domain password policy
1. On the home page of the Administration site, click the Managed Domains box.
2. Under Password Policies, click the link next to the domain for which you want to add a policy.
3. On the Password Policies for the <DomainName> Domain page, click Add.
4. On the Enter Policy Name page, type a name for the new policy.
5. Click Finish, and then do one of the following:
   • Click the policy link to modify the default policy settings, and then follow steps 2-4 of the procedure outlined later in this section.
   • Click Add to create a new password policy in the managed domain.

To configure settings for a password policy
1. On the home page of the Administration site, click the Managed Domains box. The Configure Managed Domains page opens.
2. Under the Password policies table heading, click the link next to the domain that you want to manage.
3. On the Password Policies for the <DomainName> Domain page, click the policy whose properties you want to view or modify.
4. On the Policy settings tab of the Settings for Password Policy page, view or modify the following options, and then click Save:

   Disable this policy
       Select this check box to temporarily turn off the policy.
   Domain
       View the name of the managed domain to which this policy is linked.
   Policy name
       View or modify the name of the password policy.

5. Click the Policy Rules tab to configure the password policy rules by using the procedure outlined in “Configuring Password Policy Rules” on page 47, and then click Save.
6. Click the Policy Scope tab to manage the password policy links by using the procedure outlined in “Managing Password Policy Links” on page 55, and then click Save.

The password policies do not override domain security settings; both the Password Manager password policies and the domain security settings are applied.

If you are running Microsoft Windows Server 2008, Password Manager allows you to configure and use not only Quest password policies but native Windows 2008 password policies as well. For native Windows 2008 password policies, among other options, you can configure the policy precedence that defines the order in which native Windows 2008 password policies are applied.

Configuring Password Policy Rules

For each of the domain password policies, you can configure a set of policy rules that define which passwords to reject or accept in the domain to which a particular policy is applied. For each password policy, you can set up the following rules:
• Password Age Rule. Ensures that users cannot use expired passwords or change their passwords too frequently.
• Length Rule. Ensures that passwords contain the required number of characters.
• Complexity Rule. Ensures that passwords meet minimum complexity requirements.
• Required Characters Rule. Ensures that passwords contain certain character categories.
• Disallowed Characters Rule. Rejects passwords that contain certain character categories.
• Sequence Rule. Rejects passwords that contain more repeated characters than is allowed.
• User Properties Rule. Rejects passwords that contain part of a user account property value.
• Dictionary Rule. Rejects passwords that match dictionary words or their parts.
• Symmetry Rule. Ensures that a password, or a part of it, does not read the same in both directions.

The following is a general procedure for configuring the password policy rules:

To configure rules for a password policy
1. On the home page of the Administration site, click the Managed Domains box. The Configure Managed Domains page opens.
2. Under the Password policies table heading, click the link next to the domain that you want to manage.
3. On the Password Policies for the Domain page, click a policy, and then click the Policy rules tab.
4. On the Policy Rules tab, click the rule that you want to configure, and, under the rule's name, modify the appropriate rule settings.
5. Repeat step 4 for each of the rules that you want to configure for this password policy, and then click Save.

For information about how to configure each of the policy rules, see the sections below.

Password Age Rule

The Password Age rule ensures that users cannot use expired passwords or change their passwords too frequently. Specify Minimum password age so that passwords cannot be changed until they are more than a certain number of days old. If a minimum password age is defined, users must wait the specified number of days to change their passwords. Specify Maximum password age so that passwords expire as often as necessary for your environment.

To configure the Password Age rule
1. Follow the steps outlined in “Configuring Password Policy Rules” on page 47.
2. On the Policy Rules tab, click Password Age Rule to expand the rule settings.
3. Under Password Age Rule, select the Specify password age check box, and then specify the following options as required:

   Minimum password age
       Specifies how many days users must keep new passwords before they can change them.
   Maximum password age
       Specifies how many days a password can be used before the user is required to change it.

Length Rule

The Length rule ensures that passwords contain the required number of characters. Define a minimum length so that passwords must consist of at least a specified number of characters. Long passwords (seven or more characters) are usually stronger than short ones. With this setting, users cannot use blank passwords, and they have to create passwords that are a certain number of characters long.

To configure the Length rule
1. Follow the steps outlined in “Configuring Password Policy Rules” on page 47.
2. On the Policy Rules tab, click Length Rule to expand the rule settings.
3. Under Length Rule, select the Password must contain check box, and then specify the following options as required:

   Minimum characters
       Set the minimum number of characters that passwords must contain.
   Maximum characters
       Set the maximum number of characters allowed in a password.
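Before linking a policy to a domain, an administrator usually wants to try a draft rule set against a handful of sample passwords. The following Python is an added example, not Password Policy Manager's own code: it evaluates a password against several of the rule types listed under "Configuring Password Policy Rules" (Length, Complexity, Required Characters, Disallowed Characters and Sequence) as those rules are described in this and the following sections, including the "1,3,5-10" position-list syntax and the "ending characters" options. The Policy field names, the position-list parser, the complexity-rule name splitting and the treatment of required positions beyond the password length are my own assumptions about a sensible implementation; check_password returns the list of violated rules rather than a bare accept/reject so the administrator can see which rule fired.

```python
"""Evaluate a candidate password against Length, Complexity, Required Characters,
Disallowed Characters and Sequence rules as described in this guide. Added example,
not Password Policy Manager code; field names and edge-case handling are assumptions."""
import re
from dataclasses import dataclass
from typing import List, Set

# Special characters exactly as listed in the Required Characters rule description.
SPECIAL = set('!"#$%&\'()*+,-./:;<=>?@[\\]^_`{}~')


@dataclass
class Policy:
    min_length: int = 0
    max_length: int = 0                 # 0 = no maximum
    complexity: bool = False            # "Password must meet complexity requirements"
    min_upper: int = 0                  # Required Characters: minimum uppercase characters
    min_lower: int = 0
    min_digits: int = 0
    min_special: int = 0
    digits_in_positions: str = ""       # Required Characters: digits must appear here, e.g. "1,3,5-10"
    digits_ending: int = 0              # Required Characters: last N characters must be digits
    no_special_in_positions: str = ""   # Disallowed Characters: no special characters at these positions
    no_digits_ending: int = 0           # Disallowed Characters: last N characters must not be digits
    max_repeat: int = 0                 # Sequence: max identical characters in succession (0 = off)
    max_sequence: int = 0               # Sequence: max run in alphabetical/numerical order (0 = off)


def parse_positions(spec: str) -> Set[int]:
    """Turn a 1-based position list such as '1,3,5-10' into {1, 3, 5, 6, ..., 10}."""
    positions: Set[int] = set()
    for part in filter(None, spec.replace(" ", "").split(",")):
        lo, _, hi = part.partition("-")
        positions.update(range(int(lo), int(hi or lo) + 1))
    return positions


def longest_run(pw: str, step: int) -> int:
    """Longest run of characters whose code points advance by `step`:
    0 = same character repeated ('eeee'), 1 = ascending ('abcd', '1234'), -1 = descending."""
    best = run = 1 if pw else 0
    for a, b in zip(pw, pw[1:]):
        run = run + 1 if ord(b) - ord(a) == step else 1
        best = max(best, run)
    return best


def name_fragments(account_name: str, full_name: str) -> List[str]:
    """Strings the Complexity rule forbids: the account name (assumed, as in Windows, to be
    checked only when 3+ characters) and any part of the full name longer than two characters."""
    parts = [account_name] if len(account_name) >= 3 else []
    parts += [p for p in re.split(r"[ ,.\-_#\t]+", full_name) if len(p) > 2]
    return [p.casefold() for p in parts]


def check_password(pw: str, policy: Policy, account_name: str = "", full_name: str = "") -> List[str]:
    """Return the list of rule violations; an empty list means the password is accepted."""
    v: List[str] = []
    n = len(pw)
    if policy.min_length and n < policy.min_length:
        v.append(f"Length: fewer than {policy.min_length} characters")
    if policy.max_length and n > policy.max_length:
        v.append(f"Length: more than {policy.max_length} characters")
    if policy.complexity:
        # Three of four categories: uppercase, lowercase, digit, non-alphanumeric (the guide's
        # "non-alphabetic" category is read as non-alphanumeric so that digits count once).
        cats = (any(c.isupper() for c in pw), any(c.islower() for c in pw),
                any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
        low = pw.casefold()
        if n < 6 or sum(cats) < 3 or any(f in low for f in name_fragments(account_name, full_name)):
            v.append("Complexity: does not meet complexity requirements")
    counts = {"uppercase": sum(c.isupper() for c in pw), "lowercase": sum(c.islower() for c in pw),
              "digits": sum(c.isdigit() for c in pw), "special": sum(c in SPECIAL for c in pw)}
    for label, need in (("uppercase", policy.min_upper), ("lowercase", policy.min_lower),
                        ("digits", policy.min_digits), ("special", policy.min_special)):
        if counts[label] < need:
            v.append(f"Required characters: fewer than {need} {label} characters")
    digit_at = {i for i, c in enumerate(pw, 1) if c.isdigit()}
    special_at = {i for i, c in enumerate(pw, 1) if c in SPECIAL}
    if policy.digits_in_positions:
        # Assumption: required positions beyond the password length are ignored.
        wanted = {p for p in parse_positions(policy.digits_in_positions) if p <= n}
        if not wanted <= digit_at:
            v.append(f"Required characters: digits missing at positions {sorted(wanted - digit_at)}")
    if policy.digits_ending and not all(c.isdigit() for c in pw[-policy.digits_ending:]):
        v.append(f"Required characters: last {policy.digits_ending} characters must be digits")
    if policy.no_special_in_positions:
        hit = parse_positions(policy.no_special_in_positions) & special_at
        if hit:
            v.append(f"Disallowed characters: special characters at positions {sorted(hit)}")
    if policy.no_digits_ending and any(c.isdigit() for c in pw[-policy.no_digits_ending:]):
        v.append(f"Disallowed characters: digits in the last {policy.no_digits_ending} characters")
    if policy.max_repeat and longest_run(pw, 0) > policy.max_repeat:
        v.append(f"Sequence: more than {policy.max_repeat} identical characters in succession")
    if policy.max_sequence and max(longest_run(pw, 1), longest_run(pw, -1)) > policy.max_sequence:
        v.append(f"Sequence: more than {policy.max_sequence} characters in alphabetical or numerical order")
    return v


if __name__ == "__main__":
    # The guide's own examples: "ElePHant" with 4 uppercase required, "@work" with no special
    # character allowed in position 1, "eeeegle" with at most 3 identical characters in a row.
    print(check_password("ElePHant", Policy(min_upper=4)))
    print(check_password("@work", Policy(no_special_in_positions="1")))
    print(check_password("eeeegle", Policy(max_repeat=3)))
```

The Password Age, User Properties, Dictionary and Symmetry rules are left out: age needs the account's pwdLastSet timestamp rather than the password text, and the other three are simple substring or palindrome tests on the same inputs. Note that this checker sees the plaintext only at change time, which is the same vantage point Password Policy Manager has on a domain controller; it cannot be applied retroactively to passwords already stored as hashes.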
Complexity Rule The Complexity rule ensures that passwords meet the following minimum complexity requirements: • Not contain the user's account name or parts of the user's full name that exceed two consecutive characters • Be at least six characters in length • Contain characters from three of the following four categories • English uppercase characters (A through Z) • English lowercase characters (a through z) • Base 10 digits (0 through 9) • Non-alphabetic characters (for example, !, $, #, %) The Complexity rule imposes the same requirements as the standard Windows policy "Password must meet complexity requirements." To configure the Complexity rule 1. Follow the steps outlined in “Configuring Password Policy Rules” on page 47. 2. On the Policy Rules tab, click Complexity Rule to expand the rule settings. 3. Under Complexity Rule, select the Password must meet complexity requirements check box. Required Characters Rule The Required Characters rule ensures that passwords contain certain character categories. Required characters are necessary to make a password stronger. For example, if you set the minimum number of uppercase characters to 4, then the password "ElePHant" will be rejected. To configure the Required Characters rule 1. Follow the steps outlined in “Configuring Password Policy Rules” on page 47. 2. On the Policy Rules tab, click Required Characters Rule to expand the rule settings. 3. Under Required Characters Rule, select the Password must contain at least check box, and then specify the following options as required: OPTION DESCRIPTION Alphabetic characters Set the minimum number of alphabetic characters (A-z) that must appear in a password. 49 Quest Password Manager OPTION DESCRIPTION Lowercase characters Set the minimum number of lowercase characters that must appear in a password. Uppercase characters Set the minimum number of uppercase characters that must appear in a password. 
Unique characters: Set the number of characters that must be unique within a password. To require case sensitivity for this setting, select the Case sensitive check box.
Digits (0-9): Specify whether passwords must contain digits. Set the minimum number of digits that must appear in a password by selecting the Minimum check box and typing the required number. In the In positions text box, type the positions within a password where digits must appear, for example 1,3,5-10. Use Number of ending characters to specify how many digits must appear at the end of a password.
Special characters: Specify whether passwords must contain special characters. Set the minimum number of special characters that must appear in a password by selecting the Minimum check box and typing the required number. In the In positions text box, type the positions within a password where special characters must appear, for example 1,3,5-10. Use Number of ending characters to specify how many special characters must appear at the end of a password. Special characters include the following: !"#$%&'()*+,-./:;<=>?@[\]^_`{}~

By default, the table of lowercase, uppercase, and special characters is taken from the locale settings of the domain controller where Password Policy Manager is installed. To view the locale settings, select Start | Settings | Control Panel | Regional Options and click the General tab.

Disallowed Characters Rule

The Disallowed Characters rule rejects passwords that contain certain character categories in certain positions. The categories are digits (0-9) and special characters such as "#$%". For example, if you specify that special characters must not appear at the beginning of a password, then the password "@work" will be rejected.

To configure the Disallowed Characters rule
1. Follow the steps outlined in “Configuring Password Policy Rules” on page 47.
2. On the Policy Rules tab, click Disallowed Characters Rule to expand the rule settings.
3. Under Disallowed Characters Rule, select the Password must not contain check box, and then specify the following options as required:

Digits (0-9): Specify whether the rule will reject passwords containing digits. First select this check box, and then do any of the following: select the In positions check box and type the positions within a password where digits must not appear, for example 1,3,5-10; select the Number of ending characters check box and specify how many ending characters of a password must not be digits.
Special characters: Specify whether the rule will reject passwords containing special characters. First select this check box, and then do any of the following: select the In positions check box and type the positions within a password where special characters must not appear, for example 1,3,5-10; select the Number of ending characters check box and specify how many ending characters of a password must not be special characters. Special characters include the following: !"#$%&'()*+,-./:;<=>?@[\]^_`{}~

By default, the table of special characters is taken from the locale settings of the domain controller where Password Policy Manager is installed. To view the locale settings, select Start | Settings | Control Panel | Regional Options and click the General tab.

Sequence Rule

The Sequence rule rejects passwords that contain more repeated characters than allowed. Repeated characters can appear in succession or in different positions in a password. The rule also covers characters typed in direct or inverse numerical or alphabetical order. For example, if you set the maximum number of identical characters in succession to three, then the password "eeeegle" will be rejected.

To configure the Sequence rule
1. Follow the steps outlined in “Configuring Password Policy Rules” on page 47.
2. On the Policy Rules tab, click Sequence Rule to expand the rule settings.
3. Under Sequence Rule, select the Password must not contain more than check box, and then specify the following options:

Number of characters repeated in succession (AAAB): Set the maximum number of identical characters in a row that the policy tolerates before rejecting a password.
Number of identical characters (ABCA): Set the maximum number of identical characters in different positions of a password that the policy tolerates before rejecting a password.
Number of characters in direct or inverse numerical or alphabetical order (ABC_321): Set the maximum number of characters typed in direct or inverse numerical or alphabetical order that the policy tolerates before rejecting a password.
Case sensitive: Select this check box to make this rule case sensitive.

User Properties Rule

The User Properties rule rejects passwords that contain part of a user account property value. The rule splits the property value at non-alphanumeric characters (for example, "_") and then checks whether any part of the value occurs in the password. For example, if the user name is "Peter_US", Password Manager splits the property into "Peter" and "US" and checks whether either part occurs in the password; the password "US_US" will be rejected.

To configure the User Properties rule
1. Follow the steps outlined in “Configuring Password Policy Rules” on page 47.
2. On the Policy Rules tab, click User Properties Rule to expand the rule settings.
3. Under User Properties Rule, select the Prevent users from using account properties as part of passwords check box, and then specify the following options:

Beginning characters of a user property value: Set the maximum number of beginning characters from a user property value that users are allowed to use as part of their passwords.
For example, if a user's full name is "Anna Fairweather" and the option value is set to 3, then the user is allowed to use the strings "Ann" and "Fai" as part of her password; the password will be rejected if it contains "Anna" or "Fair". You can select from the following user account properties:
• displayNamePrintable
• mailNickname
• userPrincipalName
• displayName
• title
• sn
• samAccountName
• personalTitle
• middleName
• mail
• givenName
• employeeID
• cn
The entire value of a user property: Select to reject passwords containing the entire value of a user property. You can select any of the user account properties listed in the description of the Beginning characters of a user property value option above.
Case sensitive: Select this check box to make this rule case sensitive.
Enable bi-directional analysis: Select to also reject passwords containing the entire value of a user property or its part (depending on which of the two previous options you have selected) read backwards.

Dictionary Rule

The Dictionary rule rejects passwords that match dictionary words or their parts. The rule compares user passwords against a list of words stored in the QPMDictionary.txt text file (in Unicode format). Depending on how you configure the rule settings, passwords that partially or fully match dictionary words are rejected by Password Manager.

The QPMDictionary.txt file is located on the Password Manager server in the folder '<install location>\Password Policy Manager\' and is deployed automatically together with Password Policy Manager (PPM). To ensure consistency of the dictionary, make sure that QPMDictionary.txt is up to date on all servers where it is deployed; a server with an older copy of the file will accept passwords that the other servers reject.

The dictionary file is never cached. During each password validity check, the dictionary file is read from the Password Manager server or from the user's domain controller.
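The Complexity, User Properties and Dictionary rules described in this part of the guide all answer one question: does the password contain a known string (an account-name token, a part of a directory attribute value, a dictionary word), possibly only its first few characters and possibly read backwards? The following Python code is an added example written for this page, not Password Manager's own implementation. It implements the three checks as the text describes them with a single shared matcher. The function names, the reading of the two prefix options (the User Properties option is treated as the number of beginning characters still allowed, the Dictionary option as the number of beginning characters that already cause rejection), the constructed UTF-16 dictionary file and the sample attribute values are all assumptions.

```python
"""Added example (not Password Manager's own code): the Windows-style
Complexity rule, the User Properties rule and the Dictionary rule as
stand-alone functions. Names, the off-by-one reading of the prefix
options and the sample data are assumptions made for this example."""
import re
import string
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Set

# Windows parses the full name at these delimiters and ignores tokens
# shorter than three characters; the account name is matched as a whole.
_NAME_DELIMS = re.compile(r"[,.\-_ #\t]+")
_NON_ALNUM = re.compile(r"[^0-9A-Za-z]+")


def meets_complexity(password: str, account_name: str, full_name: str) -> bool:
    """The four points of 'Password must meet complexity requirements'."""
    if len(password) < 6:
        return False
    pw = password.lower()
    if len(account_name) >= 3 and account_name.lower() in pw:
        return False
    if any(len(t) >= 3 and t.lower() in pw for t in _NAME_DELIMS.split(full_name)):
        return False
    categories = (
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(not c.isalnum() for c in password),   # specials such as ! $ # %
    )
    return sum(categories) >= 3


def _contains_piece(password: str, token: str, hit_prefix: Optional[int],
                    entire: bool, case_sensitive: bool, bidirectional: bool) -> bool:
    """Shared matcher. hit_prefix: number of leading characters of `token`
    whose presence is a violation (None disables the prefix check); entire:
    the whole token is also a violation; bidirectional: also match reversed."""
    pw, tok = (password, token) if case_sensitive else (password.casefold(), token.casefold())
    needles = []
    if hit_prefix is not None and len(tok) >= hit_prefix > 0:
        needles.append(tok[:hit_prefix])
    if entire and tok:
        needles.append(tok)
    if bidirectional:
        needles += [n[::-1] for n in needles]
    return any(n in pw for n in needles)


def user_property_hits(password: str, properties: Dict[str, str], *,
                       allowed_prefix: Optional[int] = 3, entire: bool = True,
                       case_sensitive: bool = False, bidirectional: bool = False) -> List[str]:
    """Return 'attribute:part' for every property part found in the password.
    Values are split at non-alphanumerics ('Peter_US' -> 'Peter', 'US');
    allowed_prefix is 'Beginning characters of a user property value', so
    allowed_prefix + 1 leading characters of a part are a hit."""
    hit_prefix = None if allowed_prefix is None else allowed_prefix + 1
    hits = []
    for attr, value in properties.items():
        for part in filter(None, _NON_ALNUM.split(value)):
            if _contains_piece(password, part, hit_prefix, entire, case_sensitive, bidirectional):
                hits.append(f"{attr}:{part}")
    return hits


def load_dictionary(path: Path) -> Set[str]:
    """QPMDictionary.txt style: one word per line, Windows 'Unicode' (UTF-16
    with BOM); the rule is case-insensitive, so entries are casefolded."""
    with path.open(encoding="utf-16") as fh:
        return {w for w in (line.strip().casefold() for line in fh) if w}


def dictionary_hits(password: str, words: Set[str], *, word_prefix: Optional[int] = 4,
                    entire: bool = True, strip_non_alpha: bool = True,
                    bidirectional: bool = False) -> List[str]:
    """Dictionary words whose first word_prefix characters, or whole text,
    occur in the password. With strip_non_alpha ('Detect inclusion of
    non-alpha characters') 'pas7swo%rd' is analysed as 'password'."""
    candidate = re.sub(r"[^A-Za-z]", "", password) if strip_non_alpha else password
    return sorted(w for w in words
                  if _contains_piece(candidate, w, word_prefix, entire, False, bidirectional))


def demo() -> Dict[str, object]:
    """Run the checks on constructed sample data (temporary UTF-16 dictionary)."""
    with tempfile.TemporaryDirectory() as tmp:
        dict_file = Path(tmp) / "QPMDictionary.txt"
        dict_file.write_text("password\nwelcome\ncompany\n", encoding="utf-16")
        words = load_dictionary(dict_file)
    props = {"displayName": "Anna Fairweather", "samAccountName": "Peter_US"}  # constructed
    return {
        "complex_ok": meets_complexity("Tr0ub4dor&3", "afairweather", "Anna Fairweather"),
        "complex_name": meets_complexity("Fairweather1!", "afairweather", "Anna Fairweather"),
        "props_ann": user_property_hits("Ann1234!", props),     # 'Ann' is allowed
        "props_anna": user_property_hits("xAnna1234!", props),  # 'Anna' exceeds 3
        "props_us": user_property_hits("US_US", props),         # whole part 'US'
        "dict_leet": dictionary_hits("pas7swo%rd", words),
        "dict_rev": dictionary_hits("emoclew9", words, bidirectional=True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the module prints the sample results. The dictionary is opened with encoding="utf-16", which is what the "Unicode format" of QPMDictionary.txt means on Windows; reading it as UTF-8 would silently produce words that never match. The whole word list is scanned for every candidate password, which is acceptable for a password-change check but worth keeping in mind for very large dictionaries.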
To modify the QPMDictionary.txt file, for example to add new words to the word list, you can use Notepad or any other text editor. When modifying the dictionary file, begin every new word on a new line. We recommend that you maintain alphabetical order.

The Dictionary rule is not case-sensitive: you can use either uppercase or lowercase when adding or modifying dictionary entries, and user input is checked irrespective of whether users use capital or small letters in their passwords.

To configure the Dictionary rule
1. Follow the steps outlined in “Configuring Password Policy Rules” on page 47.
2. On the Policy Rules tab, click Dictionary Rule to expand the rule settings.
3. Under Dictionary Rule, select the Enable dictionary lookup to reject passwords that contain check box, and then specify the following options:

Beginning characters of a dictionary word: Reject passwords that contain this many beginning characters of a dictionary word.
A complete word from the dictionary: Select this check box to reject passwords that contain an entire word from the dictionary.
Detect inclusion of non-alpha characters (pas7swo%rd): Select this check box to remove non-alphabetic characters from the password before analysis, so that "pas7swo%rd" is checked as "password".
Enable bi-directional analysis: Select to also reject passwords containing an entire dictionary word or its part (depending on which of the other options you have selected) read backwards.

Symmetry Rule

The Symmetry rule ensures that a password, or part of it, does not read the same in both directions. For example, if you enable the Reject passwords that read the same in both directions option, then the password "redivider" will be rejected.

To configure the Symmetry rule
1. Follow the steps outlined in “Configuring Password Policy Rules” on page 47.
2. On the Policy Rules tab, click Symmetry Rule to expand the rule settings.
3. Under Symmetry Rule, select the Password must comply with symmetry criteria check box, and then specify the following options:

Reject passwords that read the same in both directions (pass8ssap): Select to reject passwords that are palindromes.
Maximum number of beginning characters that match ending characters of password if read backwards (pas47sap): Specify how many beginning characters may match the ending characters of the password read backwards before the policy rejects the password.
Maximum number of consecutive characters within a password that read the same in both directions (pass4554word): Specify how many characters in a row may read the same in both directions before the policy rejects the password.
Case sensitive: Select to make this rule case sensitive.

Managing Password Policy Links

Applying Password Policies

A newly created password policy is linked to the managed domain for which it was created and, by default, applies to the Authenticated Users group. You can define granular password policies by linking them to specific organizational units and groups in a managed domain.

To link a password policy to organizational units and groups
1. Display the properties of a password policy by using the procedure outlined in “About Password Policies” on page 45.
2. Click the Policy Scope tab.
3. Click the Add button under The following domains and OUs are linked to this policy, and then browse for an organizational unit.
4. Click the Add button under The settings in this policy can only apply to the following groups, and then browse for a group in the organizational unit that you specified in step 3.
5. Click Save.

Changing policy link order

When multiple password policies affect an OU or a group, they are processed sequentially in order of precedence. Policies with the highest precedence are processed first. A newly created password policy is disabled by default.
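The Required Characters, Disallowed Characters, Sequence and Symmetry rules above operate only on the shape of the password string. The following Python code is an added example written for this page, not Password Manager's own code. It parses the 1,3,5-10 position syntax, applies the In positions and Number of ending characters options of the Required and Disallowed Characters rules to a character class, and computes the three Sequence counters and the three Symmetry measures, using the guide's own sample strings (AAAB, ABCA, ABC_321, eeeegle, pas47sap, pass4554word, redivider) as test input. Function names, the character classes and the default thresholds are assumptions.

```python
"""Added example (not Password Manager's own code): position checks of the
Required/Disallowed Characters rules, the Sequence rule counters and the
Symmetry rule measures. Names and thresholds are assumptions."""
import string
from typing import Set

DIGITS = set(string.digits)
SPECIALS = set('!"#$%&\'()*+,-./:;<=>?@[\\]^_`{}~')   # the set listed in the guide


def parse_positions(spec: str) -> Set[int]:
    """'1,3,5-10' -> {1, 3, 5, 6, 7, 8, 9, 10} (1-based positions)."""
    positions: Set[int] = set()
    for item in spec.replace(" ", "").split(","):
        if item:
            lo, _, hi = item.partition("-")
            positions.update(range(int(lo), int(hi or lo) + 1))
    return positions


def class_at_positions(password: str, chars: Set[str], positions: Set[int],
                       ending: int = 0, required: bool = True) -> bool:
    """Required rule (required=True): every listed position and each of the
    last `ending` characters must be in `chars`. Disallowed rule
    (required=False): none of them may be. Positions past the end are ignored."""
    idx = {p - 1 for p in positions if p <= len(password)}
    idx |= set(range(max(len(password) - ending, 0), len(password)))
    return all((password[i] in chars) == required for i in idx)


def max_run(password: str) -> int:
    """Longest run of one character in succession (AAAB -> 3)."""
    best = run = 0
    for i, c in enumerate(password):
        run = run + 1 if i and c == password[i - 1] else 1
        best = max(best, run)
    return best


def max_identical(password: str) -> int:
    """Most occurrences of any single character anywhere (ABCA -> 2)."""
    return max((password.count(c) for c in set(password)), default=0)


def max_ordered(password: str) -> int:
    """Longest stretch in direct or inverse numerical/alphabetical order
    (ABC_321 -> 3): consecutive code points differing by +1 or -1."""
    best = 1 if password else 0
    for step in (1, -1):
        run = 1
        for i in range(1, len(password)):
            run = run + 1 if ord(password[i]) - ord(password[i - 1]) == step else 1
            best = max(best, run)
    return best


def sequence_ok(password: str, run: int, identical: int, ordered: int,
                case_sensitive: bool = True) -> bool:
    """Sequence rule: all three counters must stay within their maximums."""
    pw = password if case_sensitive else password.casefold()
    return max_run(pw) <= run and max_identical(pw) <= identical and max_ordered(pw) <= ordered


def mirrored_ends(password: str) -> int:
    """Beginning characters equal to the ending characters read backwards
    (pas47sap -> 3)."""
    n = 0
    while n < len(password) // 2 and password[n] == password[-1 - n]:
        n += 1
    return n


def longest_palindrome(password: str) -> int:
    """Longest run of consecutive characters reading the same both ways
    (pass4554word -> 4); expands around every odd and even centre."""
    best = 0
    for centre in range(len(password)):
        for lo, hi in ((centre, centre), (centre, centre + 1)):
            while lo >= 0 and hi < len(password) and password[lo] == password[hi]:
                lo, hi = lo - 1, hi + 1
            best = max(best, hi - lo - 1)
    return best


def symmetry_ok(password: str, reject_palindrome: bool = True, max_mirrored: int = 2,
                max_palindrome: int = 3, case_sensitive: bool = False) -> bool:
    """Symmetry rule with the three options from the guide."""
    pw = password if case_sensitive else password.casefold()
    if reject_palindrome and len(pw) > 1 and pw == pw[::-1]:
        return False
    return mirrored_ends(pw) <= max_mirrored and longest_palindrome(pw) <= max_palindrome


if __name__ == "__main__":
    for pw in ("eeeegle", "@work", "redivider", "pass4554word", "Tr0ub4dor&3"):
        print(pw, sequence_ok(pw, 3, 4, 3), symmetry_ok(pw),
              class_at_positions(pw, SPECIALS, {1}, required=False))
```

Each measure returns a number rather than a verdict so that the same functions serve both the policy check and a report of why a password was rejected; the `*_ok` wrappers apply the thresholds.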
To change policy link order
1. On the home page of the Administration site, click the Managed Domains box.
2. Under Password policies, click the link next to the domain for which you want to change the policy link order.
3. On the Password Policies for the <DomainName> Domain page, click Policy Order.
4. In the table below Policy Order, move policies up or down in the list by selecting them and clicking the Move Up or Move Down buttons.

To have a password policy affect only users in specific groups, remove the Authenticated Users group from the policy scope and specify the organizational units, and the groups in those organizational units, that you want the policy to affect.

Deleting a Password Policy

To delete a password policy from a domain
1. On the home page of the Administration site, click the Managed Domains box. The Configure Managed Domains page opens.
2. Under the Password policies table heading, click the link next to the domain that you want to manage.
3. On the Domain Password Policies page, select the check box next to the policy that you want to delete and click Remove.

When you delete a password policy from a managed domain, the deleted policy no longer applies to that domain. Deletion cannot be undone: to restore a deleted password policy, create a new policy and manually configure its settings as required.

Configuring Logon Security Options

Using logon security options you can define logon conditions for end users. For example, you can allow Password Manager to treat users with disabled accounts as locked users, so that they can unlock their accounts and reset their passwords. You can also require users to change their password at next logon after they have reset it using Password Manager.

To configure logon security options
1. On the home page of the Administration site, click the Managed Domains box.
2. On the Configure Managed Domains page, click the domain whose password management settings you want to configure.
3. Under Logon security options, specify the following options, and then click Save.

Allow users to re-enable their disabled accounts: If you select this check box, Password Manager allows users whose accounts are disabled to unlock and re-enable their accounts and to reset and manage passwords using their Q&A profiles. Accounts are often disabled deliberately (for example, on termination or after a compromise); with this option enabled, anyone who can answer the Q&A profile can undo that decision, so enable it only where disabling is not used as a security control.
Allow users that are required to change password at next logon to use Password Manager: Select this check box to give users who are required to change their password at next logon access to the Self-Service site. If you clear this check box, users are denied all access to Password Manager functionality when their password has expired or must be changed at next logon.
Force users to change passwords: If you select this check box, Password Manager requires users to change their password.
Users must change password after it was reset by Password Manager: Requires users to change their password at next logon after the password has been reset by using Password Manager.
Enforce password history: Password history determines the number of unique new passwords that must be associated with a user account before an old password can be reused. Password history is defined for a domain through Group Policy settings. Before selecting this option, consider the following by-design behavior of Password Manager when the Enforce password history option is enabled:
• Password Manager uses two slots from the password history every time a password is reset. For example, if the password history value defines that users cannot reuse any of the last 10 passwords, Password Manager effectively checks only the last five passwords. It is therefore advised that you double the password history value for all managed domains.
• Having entered a new password that is not policy compliant, users may end up with a randomly generated password they don't know.
Q&A profile lockout conditions: Select this check box to specify the following criteria for locking users' Questions and Answers profiles:
• Maximum number of failed attempts
• Lockout period, in minutes
• Time before failed attempts limit is reached, in minutes (the window within which failed attempts are counted)

Configuring Registration Notification and Enforcement

You can configure Password Manager to force users in a managed domain to register with Password Manager or to update their Questions and Answers profiles. Password Manager provides the following methods to implement registration notification and enforcement:
• Configure a notification schedule to send e-mail notifications to users who have not yet registered with Password Manager. To configure a notification schedule, see the procedure outlined later in this section. You can configure the scope of users you want to be notified.
• Configure a notification that is displayed as a dialog box on users' desktops at specified time intervals. The dialog box notifies users who must register with Password Manager or update their Q&A profiles. This notification is customized through Group Policy by configuring Secure Password Extension. For more information, see “Managing Secure Password Extension Using Administrative Templates” on page 33.

To enable registration enforcement, you must configure a notification schedule. The step-by-step instructions for configuring the notification schedule are outlined later in this section.

By default, when you enable registration enforcement, no users in a managed domain receive registration notifications through notification dialog boxes or e-mail messages. To define the users you want to be prompted to register with Password Manager, add a corresponding group of users to the Groups Allowed to Receive Registration Notifications list. To configure the list, see the procedure outlined later in this section.
You can also specify whether users who have not registered with Password Manager, or have invalid Questions and Answers profiles, must create or update their Q&A profiles before they can log on to the network. If you enable this policy, users are denied logon to their computers after the deadline until they create or update their Q&A profiles as required. This type of registration enforcement can be configured only for pre-Windows Vista operating systems, and is enabled through Group Policy by configuring Secure Password Extension.

Password Manager provides two registration enforcement options: Apply immediately and Schedule enforcement.

If you select the Apply immediately option, all users in the managed domain who are not registered with Password Manager are immediately notified through a dialog box displayed on their desktops. Use this option with caution when the number of users managed by Password Manager is large: immediate enforcement for a large number of users may drastically decrease the performance of your production environment. Note that you must select the Notify users using notification dialog box check box to have users notified through a dialog box. You can cancel immediate user notification at any time: clear the Enforce creation and update of users' Questions and Answers profiles check box, or select the Schedule enforcement option.

If you select the Schedule enforcement option, users are required to register with Password Manager within the number of days that you specify. You can choose whether to notify users by e-mail, by dialog box, or both. You can also specify how many users are scheduled to be notified per day; use this option to reduce server load and enhance performance. Note that scheduled notification starts only after the Quest Password Manager scheduled task has run.
For more information on the scheduled tasks in Password Manager, see “The Scheduled Tasks in Password Manager” on page 77.

Once the task has set the deadline for creating users' Questions and Answers profiles, you cannot remove the deadline, but you can change it by configuring the Once forced to create Questions and Answers profiles, users must create their profiles within <%> days option.

To force users to update their Questions and Answers profiles, configure the notification schedule using the options described under Force users to update their Questions and Answers profiles in the table below.

To configure the notification schedule
Before you begin, specify an outgoing mail server (SMTP). For more information, see “Configuring Outgoing Mail Servers Settings” on page 22.
1. On the home page of the Administration site, click the Managed Domains box.
2. On the Configure Managed Domains page, click the domain you want to manage.
3. On the User Enforcement tab, specify the following options, and then click Save.

Enforce creation and update of users' Questions and Answers profiles: Select this check box to configure user enforcement options.
Notify users using notification dialog box: If you select this check box, users who must create or update their Questions and Answers profiles are notified through a dialog box displayed on their desktops.

Force users to create their Questions and Answers profiles
Apply immediately: Forces all users to create their Questions and Answers profiles immediately.
Schedule enforcement: Requires users to create their Questions and Answers profiles within a specified number of days after they are scheduled to register.
Once forced to create Questions and Answers profiles, users must create their profiles within <%> days: Specify the deadline within which users must create their Questions and Answers profiles after the first registration notification.
Start notifying users by notification dialog box and e-mail <%> days before registration term: Select this check box to remind users who have already received the first registration notification but have not yet created their Questions and Answers profiles. Such users receive a notification every day during the specified number of days before the registration deadline.
Notify users by e-mail: Select this option to have users notified by e-mail. By clicking the Specify notification language(s) link you can specify the languages used for notifications.
Schedule to force to create their Questions and Answers profiles the following number of users: Set the daily number of new users who are notified to create their Questions and Answers profiles.

Force users to update their Questions and Answers profiles
Once forced to update Questions and Answers profiles, users must update their profiles within <%> days: Specify the deadline within which users must update their Questions and Answers profiles after the first notification.
Start notifying users by notification dialog box and e-mail <%> days before update term: Select this check box to remind users who have already received the first notification but have not yet updated their Questions and Answers profiles. Such users receive a notification every day during the specified number of days before the update deadline.
Notify users by e-mail: Select this option to have users notified by e-mail. By clicking the Specify notification language(s) link you can specify the languages used for notifications.
Schedule to force to update their Questions and Answers profiles the following number of users: Set the daily number of new users who are notified to update their Questions and Answers profiles.
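The three Schedule enforcement settings in the table above (users per day, days to register, reminder days before the term) interact, and the text warns that they determine server load. The following Python code is an added example, not Password Manager's own scheduler: it models the schedule day by day, assuming the scheduled task runs once a day, so that you can see who receives a first notification, who receives a reminder, and who is past the deadline on each day, and what the peak daily notification count is. The dataclass and function names and the five sample users are assumptions made for the example.

```python
"""Added example (not Password Manager's own code): a day-by-day model of
the Schedule enforcement options. Assumes the scheduled task runs once a
day; names and the sample user list are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Schedule:
    users_per_day: int        # 'Schedule to force ... the following number of users'
    days_to_register: int     # 'users must create their profiles within <%> days'
    remind_days_before: int   # 'Start notifying users ... <%> days before registration term'


@dataclass
class Enrolment:
    first_notified: int       # day of the first registration notification
    deadline: int             # first_notified + days_to_register


def simulate(unregistered: List[str], schedule: Schedule, days: int,
             registrations: Optional[Dict[str, int]] = None) -> Dict[int, Dict[str, List[str]]]:
    """Per day: who gets a first notification, who gets a reminder, and who
    is past the deadline. `registrations` maps a user to the day the user
    completed the Q&A profile; such users drop out of the reminders. Where
    logon enforcement through Secure Password Extension is enabled, the
    'overdue' users are the ones denied logon."""
    registrations = registrations or {}
    state: Dict[str, Enrolment] = {}
    pending = list(unregistered)
    log: Dict[int, Dict[str, List[str]]] = {}
    for day in range(1, days + 1):
        today: Dict[str, List[str]] = {"first": [], "reminder": [], "overdue": []}
        # The task hands out at most users_per_day first notifications per run.
        batch, pending = pending[:schedule.users_per_day], pending[schedule.users_per_day:]
        for user in batch:
            state[user] = Enrolment(day, day + schedule.days_to_register)
            today["first"].append(user)
        for user, enrolment in state.items():
            if user in batch or registrations.get(user, days + 1) <= day:
                continue
            if enrolment.deadline - schedule.remind_days_before <= day < enrolment.deadline:
                today["reminder"].append(user)    # daily reminder inside the window
            elif day >= enrolment.deadline:
                today["overdue"].append(user)
        log[day] = today
    return log


def peak_daily_load(log: Dict[int, Dict[str, List[str]]]) -> int:
    """Largest number of notifications (first + reminder) sent on one day."""
    return max(len(d["first"]) + len(d["reminder"]) for d in log.values())


def demo() -> Dict[int, Dict[str, List[str]]]:
    """Five constructed users, two first notifications per day, a 3-day term,
    reminders from 2 days before the term; alice registers on day 3."""
    users = ["alice", "bob", "carol", "dave", "eve"]
    return simulate(users, Schedule(users_per_day=2, days_to_register=3,
                                    remind_days_before=2), days=6,
                    registrations={"alice": 3})


if __name__ == "__main__":
    result = demo()
    for day, entry in result.items():
        print(day, entry)
    print("peak notifications on one day:", peak_daily_load(result))
```

With these settings the daily load peaks at four notifications on days 2 and 3 even though only two users are added per day, because reminders for earlier batches overlap with new first notifications; lengthening the reminder window or the registration term raises that peak, which is the effect the guide's performance warning refers to.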
To specify an explicit list of groups to receive registration notifications
1. On the home page of the Administration site, click the Managed Domains box.
2. On the Configure Managed Domains page, click the domain you want to manage.
3. On the Groups tab, click Groups Allowed to Receive Registration Notifications.
4. Click Add.
5. In the object selection window, select the groups whose members you want to receive registration notifications and click Save.
Only members of the groups in this list are prompted to register.

To exclude a group from registration notification recipients
1. On the home page of the Administration site, click the Managed Domains box.
2. On the Configure Managed Domains page, click the domain you want to manage.
3. On the Groups tab, click Groups Denied Receiving Registration Notifications.
4. Click Add.
5. In the object selection window, select the groups whose members you never want to receive registration notifications and click Save.
Members of the groups in this list are never prompted to register with Password Manager. If a group is in both the Groups Allowed to Receive Registration Notifications and the Groups Denied Receiving Registration Notifications lists, the denial takes precedence and its members are never prompted to register with Password Manager.

To specify criteria that define when users must update their Questions and Answers profiles, configure profile update policies. For more information, see the "Configuring Profile Update Policy" section.

You can configure which groups receive password expiration notifications and which do not.

To specify an explicit list of groups to receive password expiration notifications
1. On the home page of the Administration site, click the Managed Domains box.
2. On the Configure Managed Domains page, click the domain you want to manage.
3. On the Groups tab, click Groups Allowed to Receive Password Expiration Notifications.
4. Click Add.
5. In the object selection window, select the groups whose members you want to receive password expiration notifications and click Save.
Only members of the groups in this list receive password expiration notifications.

To exclude a group from password expiration notification recipients
1. On the home page of the Administration site, click the Managed Domains box.
2. On the Configure Managed Domains page, click the domain you want to manage.
3. On the Groups tab, click Groups Denied Receiving Password Expiration Notification.
4. Click Add.
5. In the object selection window, select the groups whose members you never want to receive password expiration notifications and click Save.
Members of the groups in this list never receive password expiration notifications. If a group is in both the Groups Allowed to Receive Password Expiration Notifications and the Groups Denied Receiving Password Expiration Notification lists, the denial takes precedence and its members never receive password expiration notifications.

Delegating Help Desk and Administrative Tasks

You can assign help desk tasks to dedicated help desk operators, and delegate Password Manager configuration management to lower-level administrators, by adding the trusted individuals' accounts to pre-created security groups.

Delegating Help Desk Tasks

The Help Desk site handles typical tasks performed by help desk operators, such as resetting passwords, unlocking user accounts, assigning temporary passcodes, and managing users' Questions and Answers profiles. By default, only members of the local Administrators group on the Password Manager server can access the Help Desk site web interface. To delegate help desk tasks to dedicated personnel, add the operators' accounts to the QPMHelpDesk group.
This group is created during setup on the computer where you install Password Manager, and has the Read and Execute permission on the \HelpDesk folder at the following default location: C:\Program Files\Quest Software\Quest Password Manager\web\QPM\. Members of the QPMHelpDesk group have access to the complete functionality of the Help Desk site and can perform all help desk tasks. Because that includes resetting the passwords of managed users, treat QPMHelpDesk membership as a privileged role: keep the group small and review its membership regularly.

Delegating Administrative Tasks

Delegating access to the Administration site lets you distribute Password Manager configuration management tasks among trusted persons. By default, access to the Administration site is granted to the local Administrators group and to the account under which you installed Password Manager. To grant access to the Administration site, add the delegated administrators' accounts to the pre-created QPMAdmin group on the computer where Password Manager is installed. Members of the QPMAdmin group have access to the complete functionality of the Administration site. Add only the most trustworthy persons to the QPMAdmin group, since changing the Password Manager configuration involves dealing with sensitive user information.

Configuring Access to Self-Service Site

By default, no user in a managed domain can access the Self-Service site. To allow users to access the Self-Service site, you must explicitly specify the groups that can use it. You can also explicitly deny specific groups access to the Self-Service site.

To specify the groups that are explicitly allowed to access the Self-Service site
1. On the home page of the Administration site, click the Managed Domains box.
2. On the Configure Managed Domains page, click the domain you want to manage.
3. On the Groups tab, click Groups Allowed to Access the Password Manager Self-Service Site.
4. Click Add.
5. In the object selection window, select the groups whose members you want to be able to access the Self-Service site and click Save.
Only members of the groups in this list are granted access to the Self-Service site.

To specify the groups that are explicitly denied access to the Self-Service site
1. On the home page of the Administration site, click the Managed Domains box.
2. On the Configure Managed Domains page, click the domain you want to manage.
3. On the Groups tab, click Groups Denied Access to the Password Manager Self-Service Site.
4. Click Add.
5. In the object selection window, select the groups whose members you never want to be able to access the Self-Service site and click Save.
Members of the groups in this list are denied access to the Self-Service site. If a group is in both the Groups Allowed to Access the Password Manager Self-Service Site and the Groups Denied Access to the Password Manager Self-Service Site lists, the denial takes precedence and its members are denied access to the Self-Service site.

Changing Account to Access a Managed Domain

To access a managed domain, you can use either the Password Manager Service account or another account that you specify. The Password Manager Service account is the default account that was configured during Password Manager installation. If you want to use another account, specify the user name and password for that account. Whichever account you use, it is the credential Password Manager uses for all its directory operations in the domain, so treat it as privileged: use a dedicated account with a strong password and only the permissions described in “Configuring Permissions to Access a Managed Domain” on page 39.

To modify the credentials used to access a domain
1. On the home page of the Administration site, click the Managed Domains box.
2. On the Configure Managed Domains page, click the domain whose password management settings you want to configure.
3. Click the General tab, and then click the Access credentials link.
4. On the Specify Access Credentials page, specify the following information, and then click OK.
Password Manager Service account: Select this option to have Password Manager access the domain with the user account supplied during Password Manager installation (the default account).
Specified user name and password: Select this option to have Password Manager access the domain using a specific user logon name and password.
User name: Supply the user logon name that Password Manager will use to access the domain. For more information, see “Configuring Permissions to Access a Managed Domain” on page 39.
Password: Supply the password of the user account that Password Manager will use to access the domain.

You may need to modify the user name and password used to access a managed domain, for example if you receive the following error message: "The account used to access the domain is invalid. Please reset this account." This may occur if the password for this account has been changed, the account has been locked out, and so on.

Deleting a Managed Domain

To delete a managed domain
1. On the home page of the Administration site, click Managed Domains.
2. Select one or more managed domains that you want to delete and click the Remove button.

When you delete a managed domain from Password Manager, password policies, question lists, and users' Questions and Answers profiles are not deleted. Policy objects that were created with Password Manager can be deleted from the domain controllers manually.

Reporting

Quest Password Manager provides a simple and convenient way to view, print, and save reports and charts that let you analyze how the application is being used. The reporting functionality within the solution is based on Microsoft SQL Server Reporting Services as a common reporting environment.
The Reports section of the Administration site includes a number of pre-defined reports that help you perform the following tasks:
• Track user registration activity
• Analyze information about what actions are performed by users in Password Manager
• Check users' registration status
• View a list of users whose Questions and Answers profiles must be updated to comply with the current administrator-defined settings
• Track Help Desk operators' activity

Setting Up Reporting Environment

To enable the reporting functionality of Password Manager, ensure that the following requirements are met:
• A SQL Server is deployed in your environment and the Password Manager database is configured on that server.
• A SQL Server Reporting Services report server is installed in your working environment.
• You have configured a connection to the report server through the Administration site.

The interactive Web-based reports are built on data that the report server retrieves from the Password Manager SQL database, and can be either viewed online or exported into multiple file formats.

Using Reports

You can create and view reports interactively using the Administration site, and save them to multiple file formats. To use the reporting functionality, you have to specify the SQL Server that stores the Password Manager database and connect to the Report Server that builds reports from the data stored in that database. When specifying the SQL Server and the database to store the log data, ensure that the account under which Password Manager will access the server has the appropriate permissions to create and write to a database on the server. When connecting to a report server for the first time, Password Manager publishes the reports included with the solution to the server and populates the list of reports on the Administration site.
Before connecting to a report server, ensure that the account under which Password Manager will access the server has the appropriate permissions to publish the Password Manager reports. Administrative rights on the report server are sufficient for this account to publish reports.

To specify the SQL Server and the Password Manager database
1. On the home page of the Password Manager Administration site, click Settings.
2. Click the Reporting and Logging tab.
3. On the Reporting and Logging tab, expand the Reporting Settings section.
4. Click Connect to SQL Server.
5. In the Reporting Settings section, specify the following settings.

SETTING  DESCRIPTION
SQL Server
    Type in the name of the SQL Server to use for storing the Password Manager database.
Database name
    Specify the name for the database where Password Manager will log information used for building reports. If the database you specified does not yet exist, you will be prompted to confirm creation of the database.
Delete log records older than
    Select this check box to have SQL Server purge old records to prevent the logging database from growing indefinitely. Specify the age at which log records become eligible for deletion.

6. To have Password Manager access the SQL Server under the Password Manager Service account, select Password Manager Service account. Otherwise, select Specific SQL Server account, and then enter the user name and password of the user account you want Password Manager to use when accessing the SQL Server.

To specify a report server
1. On the home page of the Password Manager Administration site, click Settings.
2. Click the Reporting and Logging tab.
3. On the Reporting and Logging tab, expand the Reporting Settings section.
4. Click Connect to Report Server.
5. In the Report Server section, specify the following settings.

SETTING  DESCRIPTION
Report Server URL
    Type in the URL of the Report Server in the following format: http://<server_name>/<report_server>, where <server_name> is the name of the server where the Report Server resides and <report_server> is the name of the report server instance.
Report Manager URL
    Type in the URL of the Report Manager in the following format: http://<server_name>/<report_server>, where <server_name> is the name of the server where the Report Server resides and <report_server> is the name of the Report Manager instance. This is an optional setting.
Password Manager Service account
    If you select this option, Password Manager will use its Service account to access the Report Server.
Specified user name and password
    Select this option to specify the account which Password Manager will use to access the Report Server.
Override the reports on the Report Server
    Select this option if you want Password Manager to overwrite any Password Manager reports which were previously installed on the Report Server. By default this option is not selected, and Password Manager installs on the Report Server only the reports which are not yet available there.
Disconnect the Report Server
    Click this option to disconnect a previously connected Report Server.

6. Click Save.

To create and preview a report
1. On the home page of the Administration site, click Reports, and on the List of Reports page, click the report you want to preview. The following table lists the reports included with Password Manager.

REPORT NAME  DESCRIPTION
Profile states (table)
    This is a table report displaying a list of users in the managed domains, and the states of the users' Questions and Answers profiles in Password Manager. You can see which users have registered with Password Manager and which have not, which users must re-create their profiles, and which are scheduled to update their profiles.
Profile states distribution (chart)
    This is a pie chart report showing the percentage of the total number of users for each of the Q&A profile states.
Actions by user (table)
    This is a table report showing what actions each of the users performed in Password Manager, and whether the result of a user action was successful or not. You can view this report for a specified period of time.
Actions distribution (chart)
    This is a pie chart report displaying the percentage of the total number of user actions for all types of user actions, such as registration with Password Manager or password reset. You can view this report for a specified period of time.
Registrations by month (chart)
    This is a column chart showing the monthly numbers of users registered with Password Manager. You can view this report for a specified month range.
Actions by month (chart)
    This is a line chart showing the monthly numbers of user actions performed in Password Manager. You can view this report for a specified month range.
Actions by type (table)
    This is a table report showing a summary of user actions in Password Manager sorted by action type. You can view this report for a specified period of time.
Help Desk usage by actions (table)
    This is a table report showing a summary of actions on the Help Desk site. You can view this report for a specified period of time.
Actions by helpdesk operators (table)
    This is a table report showing what actions each of the helpdesk operators performed in Password Manager, and whether the result of an operator action was successful or not. You can view this report for a specified period of time.
Help Desk activity by user (table)
    This table report shows what actions each helpdesk operator has performed for specific users. You can view this report for a specified period of time.
E-mail notifications by user (table)
    This table report lists the e-mail notifications sent to specific users. You can view this report for a specified period of time.
E-mail notifications by type (table)
    This is a table report showing a summary of e-mail notifications sent to users. The notifications are sorted by action type. You can view this report for a specified period of time.

2. Once the report is generated, it is displayed in the Report Viewer, in a new browser window.
3. Select the zoom ratio in the drop-down list on the toolbar.
4. To go to a particular page, type in a page number in the leftmost text box on the toolbar and press ENTER, or use the navigation arrows beside this text box.
5. To modify report parameters, set the new parameter values by using the group of controls in the upper area of the Report Viewer, and then click the View Report button.
6. To close the Report Viewer and return to the List of Reports page, simply close the Report Viewer window.

When previewing a report, you can easily locate specific records, or find certain values within the report. The Report Viewer finds each occurrence of the item you are looking for.

To search a report
1. Enter the text you are looking for in the Find Text text box on the menu bar.
2. Click Find.
3. Click Next to find the next occurrence.

In the Report Viewer, you can also save the report to a file, or print the report. To save a report, select the target file format from the Select a format drop-down list on the menu bar, and then click Export. The Report Viewer supports the following file formats:
• XML file (.XML)
• Microsoft Excel Comma Separated Values file (.CSV)
• TIFF file (.TIFF)
• Portable Document Format (.PDF)
• Web archive file (.MHTML)
• Microsoft Excel Worksheet (.XLS)

To print a report, click the printer icon on the menu bar, and in the Print window, click OK.

You can modify properties of any of the Password Manager reports by using the SQL Server Reporting Services Report Manager console. For example, you can edit the report name and description, or the report parameters.
To modify report properties
1. On the home page of the Administration site, click Reports, and on the List of Reports page, click the rightmost icon next to the report whose properties you want to modify.
2. In the Report Manager window, modify the report properties as needed, and click the Apply button.
3. For information about how to use the Report Manager, see the Report Manager Online Help.
4. To preview the report with modified properties, click the View tab.
5. To close the Report Manager, simply close the Report Manager window.

Diagnostic Logging

Quest Password Manager provides a simple and convenient way to collect diagnostic information about Password Manager activity. Diagnostic logging is mainly intended to be used by support personnel for troubleshooting purposes.

To enable diagnostic logging in Password Manager
1. On the home page of the Administration site, click Settings, and then click the Reporting and Logging tab.
2. Under Diagnostic Logging, configure the following options as required:

OPTION  DESCRIPTION
Log diagnostic information to a file
    Select this check box to have Password Manager collect diagnostic information about Password Manager activity.
Specify the path and file name of the log file
    Type the name and path of the file to store the diagnostic information.
Set log level
    The following log levels are available:
    • Log only errors: Select this option to log only errors.
    • Verbose logging: Select this option to log the most extended diagnostic information.
    Do not enable verbose logging for long periods of time. Verbose logging creates log files that can accumulate quickly. Always monitor available disk space when verbose logging is enabled.

3. Click Save.

Best Practices for Configuring Reporting Services

This section provides instructions on how to configure the Reporting Services component.
The following topics are covered:
• Reporting Services default configuration.
• Reporting Services authorization issues.
• Reporting Services firewall issues.

Reporting Services default configuration

The SQL Server Reporting Services component and the Management Tools component must be installed in order to use the Password Manager Reporting functionality. Make sure you select the required features when running the Microsoft SQL Server Setup.

Use the Reporting Services Configuration tool to configure SQL Server Reporting Services. If you installed a report server using the Install but do not configure the server option, you must use this tool to configure the server prior to using it. If you installed a report server using the Install the default configuration option, you can use this tool to verify or modify the settings that were specified during setup.

It is recommended to select the Install the default configuration option during SQL Server and Reporting Services setup on the Report Server Installation Options page of the Setup Wizard. In most cases this will save you much time and effort as far as the Reporting Services default configuration is concerned.

The Reporting Services Configuration tool can be used to configure a local or a remote report server instance. You must have local system administrator permissions on the computer that hosts the report server you want to configure. Please note that remote data sources are not supported by the SQL Server Reporting Services included in Microsoft SQL Server Express Edition.

To configure the Reporting Services default configuration:
1. Start the Reporting Services Configuration tool.
2. Enter the SQL Server machine name and the Report Server Instance name and then click Connect. Sequentially configure the Report Server options listed in the left pane of the Reporting Services Configuration tool. There must not be any Not configured options after the configuration is finished.
3. Open the Report Server Virtual Directory Settings section.
4. Click New to create a new virtual directory. This opens a dialog box with the default settings entered. To accept the default settings, click OK.
5. Click Apply.
6. Check the Apply default settings check box and click Apply.
7. Open the Report Manager Virtual Directory Settings section.
8. Click New to create a new virtual directory. This opens a dialog box with the default settings entered. To accept the default settings, click OK.
9. Click Apply.
10. Open the Web Service Identity section.
11. Click Apply to accept the default application pool names for the Report Server and the Report Manager, or click New to specify your own application pool names.
12. Click Apply.

The Reporting Services feature requires a SQL Server database (different from the Password Manager database) to store report server service data. You can create the report server database in the following ways:
• Automatically through Setup, if you choose the default configuration installation option in the SQL Server Installation Wizard, by selecting the Install the default configuration option on the Report Server Installation Options page.
• Manually through the Reporting Services Configuration tool.

To create a report server database:
1. Start the Reporting Services Configuration tool and connect to the report server instance you want to configure (the default instance name is MSSQLSERVER for SQL Server and SQLEXPRESS for SQL Server Express Edition).
2. On the Database Setup page, click Connect. This opens the SQL Server Connection dialog box.
3. Type the name of the SQL Server database engine you want to use.
4. Select the type of credentials used to connect to the SQL Server. You can specify a SQL Server login or use your own credentials. The credentials you specify must have permission to log on to the server. Click OK.
5. On the Database Setup page, click New. This reopens the SQL Server Connection dialog box.
6. Type the name of the SQL Server database engine and select credentials. The credentials you specify must have permission to create a database.
7. Type the name of the report server database. A temporary database is created along with the primary database.
8. Choose the language to use, and then click OK.
9. On the Database Setup page, specify the credentials used by the report server to connect to the report server database:
   • Select the Service credentials option to use the Windows service account and Web service account to connect through integrated security.
   • Select the Windows credentials option to specify a domain user account. A domain user account must be specified as <domain>\<user>.
   • Select the SQL Server credentials option to specify a SQL Server login.
10. Click Apply.

A report server database can be created on a local or on a remote SQL Server database engine instance.

When you finish the Report Server configuration, restart the Report Server instance for the changes to take effect. You can restart the Report Server by clicking the Stop button and then the Start button on the Server Status tab of the Reporting Services Configuration tool. If the configuration is performed correctly, the Initialization will pass successfully for the Report Server instance.

Follow this checklist to verify the Password Manager reporting functionality configuration and settings.

STEP  REFERENCE
Ensure that MS SQL Server with the Reporting Services component is installed and configured.
    Refer to MS SQL Server documentation and to the Quick Start Guide.
Install Quest Password Manager and its components.
    Refer to the Quick Start Guide.
Ensure that the DefaultAppPool, QPM, and ReportServer application pools are running in the IIS Manager on the QPM and the Report Services servers. If any of these pools are not running, start them manually.
Ensure that the Default Web Site is running in the IIS Manager on the QPM and the Report Services servers. If the web site is not running, start it manually.
Connect to the Reporting Services server through the Password Manager Administration site.

The interactive Web-based reports are built using the data that the report server retrieves from the Password Manager SQL database. For more information on Reporting Services setup and configuration, refer to the SQL Server documentation.

Reporting Services firewall issues

If Password Manager fails to operate properly in a network environment protected by a firewall, configure the firewall to allow Password Manager to communicate with all the required applications and services. To get the complete list of Password Manager server port numbers that have to be open for the application to function properly, visit the Quest Support link below:
https://support.quest.com/SUPPORT/index?page=solution&id=SOL28974

The Password Manager Database in SQL Server

This section provides instructions on how to perform administration and maintenance of the Password Manager SQL Server database. The following topics are covered:
• Database Size.
• Database Cleaning.
• Database Backup and Database Restore.

Database Size

The Password Manager SQL Server database is populated with data from the following data sources:
• The Password Manager instance activity. The Password Manager instance populates the dbo.DomainUserAction table of the Password Manager database. The table logs every action performed by users, therefore its size increases relatively quickly.
• The "Quest Password Manager" scheduled task. The "Quest Password Manager" scheduled task populates all the other tables of the Password Manager database with user statistic information. These tables grow relatively slowly.
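The following PowerShell script is an added example; it is not part of this guide or of the Password Manager product. It serves two passages of this section: the Database Size description above (it measures the row count and reserved space of the fast-growing dbo.DomainUserAction table, which is the only table name the guide gives) and the Database Backup and Restore subsection that follows, which leaves the backup to the standard SQL Server tools (it takes a full backup with page checksums and then verifies the backup file with RESTORE VERIFYONLY). The SQL Server instance name SQLSRV01, the database name PasswordManager and the backup path are assumptions; replace them with the values you entered on the Reporting Settings page. The script uses the .NET SqlClient classes with integrated security, so it runs as the Windows account that launches it, which therefore needs read access to the database and the BACKUP DATABASE permission.

```powershell
# Added example (not from the Quest Password Manager guide or product).
# Measures the dbo.DomainUserAction log table and takes a verified full backup
# of the Password Manager database. Tested syntax is Windows PowerShell 2.0+.

$ErrorActionPreference = 'Stop'

# Assumed values: the SQL Server instance and database name from the Reporting
# Settings page. The backup path is opened by the SQL Server service on the SQL
# Server machine (not by this script), so it must exist and be writable there.
$ServerInstance = 'SQLSRV01'
$Database       = 'PasswordManager'
$BackupFile     = 'D:\Backups\PasswordManager.bak'

function Invoke-PmSql {
    # Runs a T-SQL batch over ADO.NET using the caller's Windows credentials.
    param(
        [Parameter(Mandatory = $true)] [string] $Sql,
        [string] $Db = 'master',
        [switch] $NonQuery
    )
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$ServerInstance;Database=$Db;Integrated Security=True"
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText    = $Sql
        $cmd.CommandTimeout = 1800      # a backup of a large log table takes time
        if ($NonQuery) { [void] $cmd.ExecuteNonQuery(); return }
        $table = New-Object System.Data.DataTable
        $table.Load($cmd.ExecuteReader())
        return ,$table                  # the comma keeps the DataTable in one piece
    } finally {
        $conn.Close()
    }
}

function Get-PmActionTableSize {
    # Row count and reserved space of dbo.DomainUserAction (the table the guide
    # names as the one that grows quickly). sys.dm_db_partition_stats is a
    # standard SQL Server DMV; pages are 8 KB, so pages * 8 / 1024 gives MB.
    $sql = @"
SELECT  ISNULL(SUM(CASE WHEN ps.index_id IN (0, 1) THEN ps.row_count ELSE 0 END), 0) AS RowsLogged,
        ISNULL(SUM(ps.reserved_page_count), 0) * 8 / 1024.0                         AS ReservedMB
FROM    sys.dm_db_partition_stats AS ps
WHERE   ps.object_id = OBJECT_ID(N'dbo.DomainUserAction');
"@
    $t = Invoke-PmSql -Sql $sql -Db $Database
    New-Object PSObject -Property @{
        Table      = 'dbo.DomainUserAction'
        RowsLogged = [int64] $t.Rows[0].RowsLogged
        ReservedMB = [math]::Round([double] $t.Rows[0].ReservedMB, 1)
    }
}

function Backup-PmDatabase {
    # Full backup with page checksums, then RESTORE VERIFYONLY so a damaged
    # backup is detected now rather than on the day a restore is needed.
    # WITH INIT overwrites an existing file at $BackupFile.
    $sql = @"
BACKUP DATABASE [$Database] TO DISK = N'$BackupFile' WITH INIT, CHECKSUM;
RESTORE VERIFYONLY FROM DISK = N'$BackupFile' WITH CHECKSUM;
"@
    Invoke-PmSql -Sql $sql -NonQuery
    "Backup of [$Database] written to $BackupFile and verified."
}

Get-PmActionTableSize | Format-List
Backup-PmDatabase
```

Run the size check on a schedule and keep the numbers: a sudden jump in RowsLogged is the quickest indicator that the Delete log records older than purge has stopped working or that user activity has changed. RESTORE VERIFYONLY raises an error (and the script stops) if the backup file fails its checksum, which is the behaviour you want from a backup job.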
The only data stored in the Password Manager database is user action history and statistics; neither user profiles nor passwords are stored in this database. For more detailed information on how fast and how large the Password Manager SQL database grows, see the following Knowledge Base article:
https://support.quest.com/SUPPORT/index?page=solution&id=SOL21284

Database Cleaning

In previous versions of Password Manager, to prevent the Password Manager database from growing indefinitely, administrators had to regularly clean data from the database. Now you can configure Password Manager to automatically delete the log records older than the specified date. For more details, see the "Using Reports" section in this document.

Database Backup and Restore

To back up and restore the database, which may be needed for backup purposes or for moving the database to a different server, you can use the standard SQL Server management tools, for instance SQL Server Management Studio. For information on how to perform MS SQL database backup and restore operations, refer to the MS SQL Server documentation.

The Scheduled Tasks in Password Manager

When installing Password Manager, Setup adds two scheduled tasks on the computer where Password Manager is installed: "Quest Password Manager" and "Quest Password Manager Publisher".

By default, the "Quest Password Manager" task runs every day at 1:00 AM. Normally, it is not recommended to change the schedule, although if you have other heavy-duty tasks (for instance, an Active Directory backup task) running at that time, we recommend that you reschedule the "Quest Password Manager" task to run in off-peak hours.

The "Quest Password Manager" task is used to do the following:
• Enumerating users for licensing purposes. Password Manager is licensed for a specific number of user accounts enabled for management by Password Manager in all managed domains. The "Quest Password Manager" task checks whether the managed user count is within the license limit.
• Sending notifications and setting deadlines for user registration. If you configure a notification schedule, the task will enumerate all enabled users in the managed domains, set the registration deadlines if required, and send registration enforcement messages. Once you configure a notification schedule, the changes affect users only after the "Quest Password Manager" task runs. Thus, to immediately enforce registration or distribute notification messages, you can run the task manually. Note, though, that depending on the number of users in the managed domain, this operation may overload domain controllers and the server running Password Manager.
• Collecting statistic information about users, including the total user count, the number of users registered and not registered with Password Manager, the number of users required to register with Password Manager, and the number of users required to update their profiles. This information is collected for all the domains managed by the specific Password Manager instance and displayed on the home page of the Administration site.

The "Quest Password Manager Publisher" task publishes the Password Manager Service connection points in all the domains managed by the underlying Password Manager instance. Secure Password Extension relies on these service connection points for locating the Password Manager Service that hosts the Self-Service site. For more information on Password Manager Service connection points, see "Self-Service Site Location and Service Connection Points" on page 30.
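The rescheduling advice above is a manual Task Scheduler operation; as an added example, not taken from the guide or the product, the following PowerShell functions read the current schedule, state and last result of the "Quest Password Manager" task (the task name the guide says Setup creates) and move its start time away from the 1:00 AM default. They wrap the built-in schtasks.exe command line; the 03:00 start time is an arbitrary assumption for an off-peak hour. Run them in an elevated PowerShell session on the Password Manager server.

```powershell
# Added example (not from the Quest Password Manager guide or product).
# Inspects and reschedules the "Quest Password Manager" scheduled task via
# the built-in schtasks.exe. Windows PowerShell 2.0+ syntax.

$PmTaskName = 'Quest Password Manager'   # task name created by Setup, per the guide

function Get-PmTaskInfo {
    # /V /FO CSV prints a header row plus one row per trigger; ConvertFrom-Csv
    # turns that into objects whose property names are the CSV column headers.
    param([string] $Name = $PmTaskName)
    $rows = schtasks.exe /Query /TN $Name /V /FO CSV 2>$null | ConvertFrom-Csv
    if (-not $rows) { throw "Scheduled task '$Name' was not found." }
    $rows | Select-Object TaskName, Status, 'Scheduled Task State',
        'Schedule Type', 'Start Time', 'Next Run Time',
        'Last Run Time', 'Last Result'
}

function Set-PmTaskStartTime {
    # Changes only the start time; the daily recurrence defined by Setup stays.
    param(
        [string] $Name = $PmTaskName,
        [ValidatePattern('^\d{2}:\d{2}$')] [string] $StartTime = '03:00'  # 24-hour HH:mm (assumed off-peak hour)
    )
    schtasks.exe /Change /TN $Name /ST $StartTime | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "schtasks /Change failed (exit code $LASTEXITCODE)." }
    Get-PmTaskInfo -Name $Name
}

Get-PmTaskInfo | Format-List
# Set-PmTaskStartTime -StartTime '03:00'   # uncomment to move the nightly run to 3:00 AM
```

Two fields in the output matter for the functions this task performs: a Scheduled Task State of Disabled means the license check, registration notifications and home-page statistics are not being refreshed at all, and a nonzero Last Result means the last run did not complete, so the statistics on the Administration site may be stale.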
3 Quest Password Manager Integration
• ActiveRoles Quick Connect
• Microsoft Identity Integration Server
• Quest ActiveRoles Server Web Interface
• Quest Defender
• Quest Enterprise Single Sign-On (QESSO)
• HP ProtectTools Authentication Services

ActiveRoles Quick Connect

This section describes how to configure Quest Password Manager for use with Quest ActiveRoles Quick Connect. To be able to integrate Password Manager with ActiveRoles Quick Connect, you must have a working knowledge of ActiveRoles Quick Connect.

Configuring Cross-Platform Password Synchronization using ActiveRoles Quick Connect

If used in conjunction with ActiveRoles Quick Connect, Quest Password Manager allows you to enable users and helpdesk operators to manage their passwords across different connected data sources, including:
• Active Directory
• AD LDS (ADAM)
• Delimited text files
• Microsoft SQL Server
• LDAP Directory service
• OLE DB
• Sun One Directory Server
• Oracle database
• Novell directory service
• IBM RACF
• Lotus Domino Server
• Google Apps Service

To enable Password Manager to connect to Quick Connect and set passwords in connected data sources through the Quick Connect server, the account used to access Quick Connect must be a member of the local Administrators group on the Quick Connect server.

Before you can configure Quest Password Manager to use a Quick Connect server for cross-platform password synchronization, you must do the following:
• The Managed Domain for which you want to configure password synchronization in Password Manager must be added as a Managed Domain in Quest ActiveRoles Server.
• Configure the connections with the systems with which you want to synchronize passwords through Password Manager.
• Configure Quick Connect to map the Managed Domain users to the users in the connected systems.

For more information on how to configure Quick Connect to set passwords in connected data sources, refer to the Quest ActiveRoles Quick Connect documentation.

To enable Password Manager for cross-platform password synchronization:
1. Register an Active Directory domain with Password Manager.
2. On the home page of the Administration site, click Managed Domains.
3. On the Managed Domains page, click the managed domain you want to enable for cross-platform password synchronization.
4. On the Connected Systems tab, in the Quick Connect server section, click the Click to specify link, and then enter the Quick Connect server URL and the account to be used to access the server. Connected data sources available on the Quick Connect server will be listed in the "Quick Connect" section.
5. You can use either the pre-Windows 2000 logon name (such as DomainName\UserName) or the User Principal Name (such as UserName@DomainName.com) to specify the User name.
6. Specify how you want users' passwords to be synchronized across the different data sources. To do it, click the link next to a connected data source, and then do one of the following:
   • To have users' passwords synchronized with their domain passwords, select Synchronize passwords in Connected System after they are reset or changed in Active Directory.
   • To allow users to manage their passwords in connected systems independently from Active Directory, select Allow users to reset and change passwords in Connected System independently of Active Directory.
   • To prevent users from managing their passwords in a connected data source, select Never synchronize passwords between Active Directory and Connected System.
   The Never synchronize passwords between Active Directory and Connected System option must be selected for the managed Active Directory domain.
7. Repeat step 5 for all connected data sources in the list, and then click Save.

To specify how to act when the Quick Connect server is not accessible:
1. Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is http://<ComputerName>/QPM/Admin/.
2. On the home page of the Administration site, click the Manage Domains box.
3. On the Managed Domains page, click a domain, and then click the Connected Systems tab.
4. On the Connected Systems tab, specify the following options:

OPTION  SELF-SERVICE SITE BEHAVIOR
Act as if no MIIS or Quick Connect server were specified
    Users can manage their passwords only in the Active Directory domain. No warnings are displayed to users if the MIIS server or Quick Connect server is not available.
Alert user and allow to reset or change password only in Active Directory
    Users are notified that other connected data sources are temporarily unavailable, and are allowed to continue managing their passwords only in the Active Directory domain.
Do not allow users to reset or change passwords
    Users cannot perform any password management tasks in the Active Directory domain or in connected data sources if the MIIS server or Quick Connect server is not available.

5. Click Save.

Microsoft Identity Integration Server

This section outlines the tasks that are required to configure Quest Password Manager for use with Microsoft Identity Integration Server. To complete the instructions in this section, you must have a working knowledge of MIIS.
Configuring Cross-Platform Password Synchronization using MIIS If used in conjunction with Microsoft Identity Integration Server (MIIS), Quest Password Manager allows you to enable users and helpdesk operators to manage their passwords across different connected data sources, including: • Active Directory® directory service • Active Directory Application Mode (ADAM) • Microsoft Windows NT® 4.0 • Lotus Notes 4.6 and 5.0 • IBM Directory Server • Sun and Netscape directory servers (formerly iPlanet Directory Server) • Novell eDirectory 8.6.2 and 8.7 Before you can configure Quest Password Manager to use a MIIS server for cross-platform password synchronization, you must install MIIS 2003 Service Pack 1 and configure Management Agents for all connected data sources which you want to be available for password management. There are several operational considerations for creating an account for password management: • To enable Password Manager to connect to MIIS and set passwords in connected data sources through MIIS server, you must add the Password Manager service account to the MIISPasswordSet group, and to the MIISAdmins group. If Password Manager is configured to use Windows authentication to access MIIS, you must restart IIS after you have added the Password Manager service account to the MIISPasswordSet group. • If you plan to install MIIS and Quest Password Manager on the same server, you must configure Password Manager to use Windows authentication. You can do it when you specify the connected data sources in Password Manager by using the procedure outlined later in this section. Then, Password Manager will access MIIS under the same account which it uses to access the managed domain. To configure password management in MIIS: 1. 82 Create a Management Agent for the managed Active Directory domain, and then create and run a Full Import and Full Synchronization profile for this Management Agent. 
Password synchronization will be available only to those users who have been added to the Connector Space of the Active Directory Management Agent. Administrator Guide 2. When creating Management Agents for all connected data sources, select the Enable Password Management check box on the Configure Extensions page of the Management Agent Designer. If connection between Microsoft Identity Integration Server and the connected data source target server cannot be secure during password set operations using Secure Sockets Layer (SSL), click the Settings button on the Configure Extensions page of the Management Agent Designer, and then clear the Require secure connection for password synchronization operations check box. 3. Create Management Agents for those data sources which you want to be available for password synchronization. It is important to associate User objects of the Active Directory connector space with the corresponding objects in the connector spaces of all available connected data sources. To link the connector space objects with the objects that already exist in the metaverse, you can create join rules or use the Joiner tool. To enable Password Manager for cross-platform password synchronization: 1. Register an Active Directory domain with Password Manager. 2. On the home page of the Administration site, click Managed Domains. 3. On the Managed Domains page, click the managed domain you want to enable for cross-platform password synchronization. 4. On the Connected Systems tab, click the Click to specify button, and then enter the MIIS server name and account details to access the server. Connected data sources available on the MIIS server will be listed in the "Microsoft Identity Integration Server" section. 5. You can use either pre-Windows 2000 logon name (such as DomainName\UserName) or User Principal Name (such as UserName@DomainName.com) to specify the User name. 6. 
Specify how you want users' passwords to be synchronized across the different data sources. To do this, click the link next to a connected data source, and then do one of the following:

• To have users' passwords synchronized with their domain passwords, select Synchronize passwords in Connected System after they are reset or changed in Active Directory.
• To allow users to manage their passwords in connected systems independently of Active Directory, select Allow users to reset and change passwords in Connected System independently of Active Directory.
• To prevent users from managing their passwords in a connected data source, select Never synchronize passwords between Active Directory and Connected System.

The Never synchronize passwords between Active Directory and Connected System option must be selected for the managed Active Directory domain itself.

7. Repeat step 6 for all connected data sources in the list, and then click Save.

To verify that a user can set and change their passwords in connected data sources by using Password Manager:

1. Open the MIIS Identity Manager console.
2. On the Tools menu, click Metaverse Search.
3. In Scope by Object Type, select the person object type.
4. Click Search.
5. In Search Results, click a metaverse object for the user that you want to verify.
6. On the Actions menu, click Properties.
7. In the Metaverse Object Properties window, click the Connectors tab. Ensure that there is a management agent for the managed Active Directory domain in the list of connected data sources.
8. Register the user with Password Manager and attempt to set and change the user's passwords by using the Self-Service site.

When you have specified a connection to a MIIS server, you can define the behavior of the Self-Service site for situations when Password Manager cannot contact the MIIS server.

To specify how to act when the MIIS server is not accessible:

1.
Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is http://<ComputerName>/QPM/Admin/.
2. On the home page of the Administration site, click the Managed Domains box.
3. On the Managed Domains page, click a domain, and then click the Connected Systems tab.
4. On the Connected Systems tab, select one of the following options:

   Act as if no MIIS or Quick Connect server were specified
      Users can manage their passwords only in the Active Directory domain. No warnings are displayed to users if the MIIS server or Quick Connect server is not available.

   Alert user and allow to reset or change password only in Active Directory
      Users are notified that other connected data sources are temporarily unavailable, and are allowed to continue managing their passwords only in the Active Directory domain.

   Do not allow users to reset or change passwords
      Users cannot perform any password management tasks, either in the Active Directory domain or in connected data sources, while the MIIS server or Quick Connect server is not available.

   With the first two options, a password that is reset or changed in Active Directory while the MIIS server is unreachable is not propagated to the connected data sources at that time, so the user's passwords in those data sources no longer match the domain password. The third option fails closed and is the one to choose if such divergence is not acceptable in your environment.

5. Click Save.

Quest ActiveRoles Server Web Interface

This section provides instructions on how to integrate the Quest Password Manager Self-Service site into the Quest ActiveRoles Server Web Interface. Integration allows an ActiveRoles Server user to access the functionality of the Password Manager Self-Service site directly from the Quest ActiveRoles Server Web Interface. To implement the guidance in this section, you must have a working knowledge of Quest ActiveRoles Server.

The Quest ActiveRoles Server Web Interface is a highly customizable, easy-to-use Web-based application that facilitates data administration and provisioning in Active Directory. Via the Web Interface, an intranet user can connect to ActiveRoles Server using Microsoft Internet Explorer and perform day-to-day administrative tasks and view or modify directory data.
Basic Integration Requirements

You must have Quest Password Manager and the Quest ActiveRoles Server Web Interface installed and functioning. The Quest Password Manager site that you are going to integrate into the ActiveRoles Server Web Interface must be accessible from ActiveRoles Server through an HTTPS (or HTTP) connection.

Customizing the ActiveRoles Server Home Page

The Home page of the ActiveRoles Server Web Interface includes a number of items that serve as entry points to individual sections of the Web Interface. Each item occupies a clickable area on the Home page and includes a caption (the name of the item), text describing the item, and a picture that illustrates the item. Clicking an item displays a page that is identified by a certain property of the item.

You can add, modify, re-arrange, and remove items on the Home page. A point-and-click interface helps you manage the items, providing flexible options to customize the Home page. The changes you make to the Home page affect every user of the Web Interface site. Thus, when you remove an item from the Home page, the item is no longer displayed to any user of the Web Interface site.

By adding a Home page item, you can customize the Web Interface to seamlessly integrate custom applications with the Web Interface pages. This option is used to integrate the Quest Password Manager application into the Web Interface.

Password Manager Self-Service Site Integration

Follow the steps below to integrate the Quest Password Manager Self-Service site within the ActiveRoles Server Web Interface.

To integrate the QPM Self-Service site with the ActiveRoles Server Web Interface:

1. On the Home page of the Web Interface site, click Customization.
2. Click Customization Tasks, and then click Customize Home Page in the left pane.
3. Click Add.
4. Type a name for the new item and the URL of the page you want the new item to open. Type any text to display in the item area, and change the picture for the item.
The URL must be entered in the following format:

https://COMPUTER_NAME/VIRTUAL_DIRECTORY_NAME/user/EntryPoint/?GUILayout=Integrated&ActionName=<ActionName>

where COMPUTER_NAME is the name of the server where Password Manager resides, VIRTUAL_DIRECTORY_NAME is the virtual directory name that was configured during Quest Password Manager Setup (by default, the virtual directory name is QPM), and <ActionName> is one of the following:

• Register - specify this action to enable ActiveRoles Server Web Interface users to create their Questions and Answers profiles.
• ResetPassword - specify this action to enable ActiveRoles Server Web Interface users to reset their passwords.
• ChangePassword - specify this action to enable ActiveRoles Server Web Interface users to change their passwords.
• SetQAProfile - specify this action to enable ActiveRoles Server Web Interface users to configure their Questions and Answers profiles in Password Manager.
• UsePasscode - specify this action to enable ActiveRoles Server Web Interface users to use passcodes to create their Questions and Answers profiles.
• UnlockAccount - specify this action to enable ActiveRoles Server Web Interface users to unlock their accounts.
• ChangeSettings - specify this action to enable ActiveRoles Server Web Interface users to select the events that they want to be notified about.

Replace https:// with http:// if you do not use HTTPS. It is strongly recommended that you enable HTTPS on the Password Manager server: the pages reached through these URLs carry users' new passwords and Questions and Answers profile data, and over HTTP that data crosses the network in clear text.

5. Click Advanced Properties.
6. Append the following parameters: IdentificationDomain, IdentificationAccount, CurrentLanguage, and PortalHomePage.
7. Make sure the Open the URL in a frame check box is selected.
8. Click Save to close the Add Item window.
9. Click Save to save the changes to the ARS Web Interface.
10. Click the Reload link that appears in the upper part of the window to publish the customization changes to the Web Interface site.
11.
Return to the Home page of the Web Interface site. The item you have created is now shown in the list.

Password Manager Help Desk Site Integration

Follow the steps below to integrate the Quest Password Manager Help Desk site within the ActiveRoles Server Web Interface.

To integrate the QPM Help Desk site with the ActiveRoles Server Web Interface:

1. On the Home page of the Web Interface site, click Customization.
2. Click Customization Tasks, and then click List Existing Menus in the left pane.
3. In the right pane, click User.
4. Click Create New Command.
5. In the right pane, select Page View Task, and then click Next.
6. Type a name for the new item and the URL of the page you want the new item to open. Type any text to display in the item area, and change the picture for the item.

The URL must be entered in the following format:

https://COMPUTER_NAME/VIRTUAL_DIRECTORY_NAME/helpdesk/EntryPoint/?GUILayout=Integrated&ActionName=<ActionName>

where COMPUTER_NAME is the name of the server where Password Manager resides, VIRTUAL_DIRECTORY_NAME is the virtual directory name that was configured during Quest Password Manager Setup (by default, the virtual directory name is QPM), and <ActionName> is one of the following:

• ResetPassword - specify this action to enable ActiveRoles Server Web Interface operators to reset user passwords.
• ManageQAProfile - specify this action to enable ActiveRoles Server Web Interface operators to manage users' Questions and Answers profiles in Password Manager.
• AssignPasscode - specify this action to enable ActiveRoles Server Web Interface operators to generate passcodes for users.
• UnlockAccount - specify this action to enable ActiveRoles Server Web Interface operators to unlock users' accounts.
• Authentication - specify this action to enable ActiveRoles Server Web Interface operators to authenticate users.

Replace https:// with http:// if you do not use HTTPS.
It is strongly recommended that you enable HTTPS on the Password Manager server.

7. Click Finish.
8. Click Save to save the changes to the ARS Web Interface.
9. Click the Reload link that appears in the upper part of the window to publish the customization changes to the Web Interface site.
10. Return to the Home page of the Web Interface site. The item you have created is now shown in the list.

For more information on how to customize the Quest ActiveRoles Server Web Interface, refer to the Quest ActiveRoles Server documentation.

Quest Defender

This section describes how to configure Quest Password Manager for use with Quest Defender. To understand the steps described in this section, you need to have a working knowledge of Quest Defender.

Quest Defender is a two-factor authentication solution that authenticates users without forcing them to remember another new password. Defender uses one-time passwords (OTPs) generated by special hardware tokens. A one-time password that an attacker captures is of little use to them, because each password is valid for a single use only and can never be reused.

You can use Defender authentication to authenticate users before allowing them to reset or change their passwords, unlock their accounts, or manage their Questions and Answers profiles.

To make Password Manager use Defender authentication, you must install the Defender .NET Authentication Agent on the server running Password Manager. This makes Password Manager show the Defender tab on the Domain Settings page.

To enable Defender authentication:

1. Install and configure Defender and the Defender .NET Authentication Agent as described in the Defender documentation. Defender .NET Authentication Agent Setup stops all running application pools and Web sites in Internet Information Services on the server where it is installed.
Make sure that after the installation of the Defender .NET Authentication Agent is complete, you manually restart the required application pools and Web sites in IIS Manager.
2. Open the Password Manager Domain Settings page for the desired domain, and click the Defender tab.
3. On the Defender tab, select the Enable Defender Authentication check box.
4. Specify the Defender Server IP address or DNS name.
5. Specify the Defender Server port number.
6. Specify the Defender Server time-out (in seconds).
7. Provide the Defender shared secret. It must match the shared secret configured on the Defender Server.
8. Specify how to use Defender to authenticate users before allowing them to manage their passwords. The following options are available:

   • Defender authentication is used before Password Manager authentication: when users attempt to manage their passwords, they are first prompted to authenticate using Defender two-factor authentication, and then answer the questions from their Password Manager Questions and Answers profile.
   • Defender authentication is used instead of Password Manager standard authentication: Password Manager's own Questions and Answers authentication is not used; users authenticate with Defender only.
   • Defender authentication is used after Password Manager authentication: users are first required to answer the questions presented by Password Manager, and then to authenticate using Defender two-factor authentication.

9. Click Save.

Note that user authentication will be impossible if the Defender Server is not available (for any reason), even if the Defender .NET Authentication Agent is installed on the Password Manager server and Defender authentication is enabled in Password Manager. Defender authentication therefore fails closed; plan the availability of the Defender Server accordingly.

For complete information about installing and using Defender, refer to the documentation for Quest Defender.
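The Defender Server settings above (address, port, time-out and shared secret) are those of a network authentication client, and this page does not say which protocol the agent speaks. The following is an added example, not Defender's or Password Manager's own code, written on the assumption that the Defender Server is reached over RADIUS (RFC 2865); it shows what the shared secret does in such an exchange: it hides the user's one-time password inside the Access-Request and lets the client verify that the Access-Accept or Access-Reject really came from a server holding the same secret. The server side is a constructed stand-in so that the exchange runs offline; the host name, port, secret, user name and OTP are placeholders, and the time-out branch shows why an unreachable server means no authentication.

```python
"""RFC 2865 RADIUS Access-Request for a one-time password: hypothetical client
for a Defender-style server (added example, not Defender or Password Manager
code). The server function is a constructed stand-in; values are placeholders."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32

def _attr(attr_type, value):
    # Type (1 byte), Length (1 byte, header included), Value (<= 253 bytes).
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def hide_password(password, secret, authenticator):
    """User-Password hiding (RFC 2865 5.2): NUL-pad to 16-byte blocks and XOR
    each block with MD5(secret + previous ciphertext block), seeded with the
    Request Authenticator. Only the shared secret keeps the OTP off the wire."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password (what the server does); strips NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, username, otp, secret, authenticator=None):
    """Returns (packet, request_authenticator). The authenticator must be fresh
    and unpredictable per request, so it comes from os.urandom unless given."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(otp.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IDENTIFIER, b"password-manager"))  # placeholder NAS name
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator

def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def verify_response(response, request_authenticator, secret, expected_ident):
    """Client side: a reply that does not verify under our secret did not come
    from a server holding the same secret and must be discarded."""
    if len(response) < 20:
        return False
    _code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != expected_ident:
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def parse_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs

def fake_defender_server(request, secret, valid_otps):
    """Constructed stand-in for the Defender Server: recovers the OTP with its
    own copy of the secret and answers Access-Accept or Access-Reject."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], parse_attrs(request[20:length])
    user = attrs[ATTR_USER_NAME].decode(errors="replace")
    otp = reveal_password(attrs[ATTR_USER_PASSWORD], secret, req_auth).decode(errors="replace")
    code = ACCESS_ACCEPT if valid_otps.get(user) == otp else ACCESS_REJECT
    return build_response(code, ident, req_auth, secret)

def send_udp(request, host, port, timeout_seconds):
    """Real transport: one UDP datagram and one reply, or None on time-out
    (the Password Manager time-out setting; no reply means no authentication)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout_seconds)
        sock.sendto(request, (host, port))
        try:
            return sock.recvfrom(4096)[0]
        except socket.timeout:
            return None

def authenticate(username, otp, secret, send, ident=7):
    """Returns 'accept', 'reject', 'timeout' or 'bad-response'."""
    request, req_auth = build_access_request(ident, username, otp, secret)
    response = send(request)
    if response is None:
        return "timeout"
    if not verify_response(response, req_auth, secret, ident):
        return "bad-response"
    return "accept" if response[0] == ACCESS_ACCEPT else "reject"

if __name__ == "__main__":
    SECRET = b"example-shared-secret"  # placeholder; must match the server's copy
    server = lambda req: fake_defender_server(req, SECRET, {"jsmith": "482913"})
    print(authenticate("jsmith", "482913", SECRET, server))
    # Live server: send = lambda req: send_udp(req, "defender.example.com", 1812, 5)
```

Two behaviours are worth noting against the procedure above. A server configured with a different shared secret cannot recover the OTP and its reply fails verification on the client, so a mismatched secret surfaces as a bad response rather than a clean reject; and a server that does not answer within the time-out yields no decision at all, which is the fail-closed behaviour the note about an unavailable Defender Server describes.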
Quest Enterprise Single Sign-On (QESSO)

This section includes information on how to configure Quest Password Manager for use with Quest Enterprise Single Sign-On (QESSO). To implement the guidance in this section, you must have a working knowledge of QESSO.

Quest Enterprise Single Sign-On is a solution that provides users with the ability to access all applications on their desktop using a single user ID and password. After users have logged in, they can access password-protected applications on their desktop without needing to enter any further account details. If an application requires a login name and password to be entered, QESSO remembers the entered details. When the application is next started, QESSO automatically enters the required login name and password.

The account details for password-protected applications are encrypted using the user's logon password. When a user resets or changes this password, the encrypted data is lost unless it is re-encrypted under the new password. To prevent this data loss, Password Manager should be configured to notify QESSO about password changes, so that QESSO can re-encrypt the data using the new password.

To enable QESSO integration:

1. Run the Configure Workstation wizard on the server where Password Manager resides. The wizard is located under the Software Installation section of QESSO Administration Tools. The Administration Tools section can be found in the Access Management section of the QESSO CD Autorun.
2. Follow the wizard instructions.
3. Install at least one of the following QESSO components on the server running a Password Manager instance:
   • SSOWatch
   • Advanced Login
   • Enterprise SSO Console
4. Open the Password Manager Domain Settings page for the desired domain and select the QESSO tab.
5. Select the Enable QESSO integration check box.
6. Provide the account details for the QESSO administrator to be used for password resets.
7. Click Save.
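The data loss described above follows directly from keying the credential store to the logon password, and it is worth seeing why a change and a reset differ. The following is an added example, not QESSO's or Password Manager's code, and the page does not describe QESSO's internal design: it models a store whose random data key is wrapped under a key derived from the user's logon password and, optionally, under an escrowed administrator key. A password change (old password known) simply re-wraps the data key; a reset (old password unknown) can recover the data only through the escrow, which illustrates why a reset path needs an administrator credential at all. The PBKDF2 parameters, the HMAC-SHA256 counter-mode construction standing in for a real authenticated cipher (to keep the example standard-library only), and the sample credentials are all constructed for the example.

```python
"""Model of a password-keyed credential store (added example, not QESSO's
design). A random data key encrypts the stored application credentials and is
wrapped under (a) a key derived from the user's logon password and, if
provided, (b) an escrowed administrator key. Change = re-wrap with the old
password; reset = re-wrap via escrow, or lose the data if there is no escrow."""
import hashlib
import hmac
import json
import os

def derive_key(password, salt):
    # PBKDF2-SHA256; the iteration count is a constructed example value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000, dklen=32)

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode stands in for a real cipher (stdlib only).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class CredentialStore:
    def __init__(self, password, admin_key=None):
        self.salt = os.urandom(16)
        data_key = os.urandom(32)            # never stored in the clear
        self.user_wrap = seal(derive_key(password, self.salt), data_key)
        self.admin_wrap = seal(admin_key, data_key) if admin_key else None
        self.blob = seal(data_key, b"{}")    # empty credential map

    def _unlock(self, password):
        return unseal(derive_key(password, self.salt), self.user_wrap)

    def can_unlock(self, password):
        try:
            self._unlock(password)
            return True
        except ValueError:
            return False

    def credentials(self, password):
        return json.loads(unseal(self._unlock(password), self.blob))

    def add_credential(self, password, app, login, app_password):
        data_key = self._unlock(password)
        creds = json.loads(unseal(data_key, self.blob))
        creds[app] = [login, app_password]
        self.blob = seal(data_key, json.dumps(creds).encode())

    def _rewrap(self, data_key, new_password):
        self.salt = os.urandom(16)
        self.user_wrap = seal(derive_key(new_password, self.salt), data_key)

    def change_password(self, old_password, new_password):
        """The user knows the old password: re-wrap the data key, nothing is lost."""
        self._rewrap(self._unlock(old_password), new_password)

    def reset_password(self, new_password, admin_key=None):
        """The old password is unknown. Returns True if the data survived."""
        if self.admin_wrap is not None and admin_key is not None:
            self._rewrap(unseal(admin_key, self.admin_wrap), new_password)
            return True
        # No escrow: the only copy of the data key was under the old password,
        # so the store has to start over empty (the loss the text describes).
        self.__init__(new_password)
        return False

if __name__ == "__main__":
    ADMIN_KEY = os.urandom(32)               # constructed escrow key
    store = CredentialStore("Winter2010!", ADMIN_KEY)
    store.add_credential("Winter2010!", "lotus-notes", "jsmith", "n0tes-pw")
    store.change_password("Winter2010!", "Spring2011!")
    print(store.reset_password("Summer2011!", admin_key=ADMIN_KEY), store.credentials("Summer2011!"))
```

The notification step above is what turns a reset into the escrow path rather than the data-loss path: without being told the new password (and without something like an administrator key that can still unwrap the data), the store has no way back to its contents.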
For complete information about installing and using QESSO, refer to the QESSO documentation.

HP ProtectTools Authentication Services

HP ProtectTools (HPPT) Authentication Services is a security solution that mitigates security risks by means of a customer-unique password hashing and generation system. If you have HP ProtectTools Authentication Services deployed in your environment, you can configure Password Manager to generate user passwords by using HP ProtectTools. The solution modifies the password-setting mechanism available in Password Manager so that it employs the Password Generation Utility, a component of HP ProtectTools Authentication Services, to generate user passwords. Once generated, the password is assigned to the user account by means of the password hashing system that is part of HP ProtectTools Authentication Services.

Using HP ProtectTools Authentication Services to Generate Passwords

To allow different lengths of generated password for different account types, Password Manager lets you set specific lengths for passwords generated with HP ProtectTools for different organizational units. This may be useful when, for example, your security requirements demand that passwords for delegated administrators be longer than ordinary users' passwords. Integration with HP ProtectTools also allows you to have the Self-Service site display newly generated passwords in a hyphenated form, which makes them easier to remember.

To enable Password Manager to use HP ProtectTools Authentication Services for password generation, ensure that the following requirements are met:

• Password Policy Manager is not installed on domain controllers in the managed domain. For more information about the Password Policy Manager component, see "About Password Policies" on page 45.
• The password generation utility of the HP ProtectTools Authentication Services V3.1 release is installed on every computer that hosts an instance of Password Manager in the managed domain.
• You have configured the HP ProtectTools-related settings for all Password Manager instances in the managed domain. To configure these settings, follow the procedure outlined below.

To configure HP ProtectTools-related settings:

1. Connect to the Administration site.
2. On the home page of the Administration site, click the Managed Domains box.
3. On the Configure Managed Domains page, click a domain.
4. Click the General tab.
5. Under HP ProtectTools Authentication Services, select the Use HP ProtectTools Authentication Services to generate passwords check box. Then select the Display passwords in hyphenated form (may-feb-hek) check box to have the Self-Service site show newly generated user passwords in hyphenated form, or clear it otherwise.
6. Click Save.

To set an OU-specific password length:

1. Create a password policy by using the procedure outlined in "Creating and Configuring a Password Policy" on page 46.
2. Define the Password Generation Format policy rule by using the procedure outlined later in this section. Password Generation Format is the only policy rule that you can define for a password policy when HP ProtectTools Authentication Services is used to generate passwords.
3. Link the policy to the target organizational units by using the procedure outlined in "Managing Password Policy Links" on page 55.

To configure the Password Generation Format policy rule:

1. On the home page of the Administration site, click the Managed Domains box. The Configure Managed Domains page opens.
2. Under the Password policies table heading, click the link next to the domain that you want to manage.
3.
On the Password Policies for the <DomainName> Domain page, click the policy whose properties you want to view or modify.
4. On the Domain Password Policies page, click the policy, and then click the Policy Rules tab.
5. On the Password Generation Format page, set the required length of generated passwords.
6. Click Save.

Glossary

A

account
A record that consists of all the information that defines a user to Microsoft® Active Directory. This includes the user name and password required for the user to log on, the groups in which the user account has membership, and the rights and permissions the user has for using the computer and network and accessing their resources.

application log
The log that lists all actions performed by Quest Password Manager.

attribute
A piece of data that stores information that is specific to an object. A set of attributes stores the data that defines an object.

D

domain
A logical collection of resources that consists of computers, printers, computer accounts, user accounts, and other related objects.

domain controller
For a Windows Server domain, the server that authenticates domain logons and maintains the security policy and the security accounts master database for a domain. Domain controllers manage user access to a network, which includes logging on, authentication, and access to the directory and shared resources.

G

Group Policy
An administrator's tool for defining and controlling how programs, network resources, and the operating system operate for users and computers in an organization.

L

locked Questions and Answers Profile
A Questions and Answers Profile that temporarily cannot be used. A Questions and Answers Profile can become locked after a number of unsuccessful attempts to answer the questions.

M

mailbox
The delivery location for all incoming mail messages addressed to a designated owner.
Information in a user's mailbox is stored in the private information store on a Microsoft® Exchange server computer. A mailbox can contain received messages, message attachments, folders, folder hierarchy, and more. Server applications for Microsoft® Exchange server are often designed with a mailbox for communication.

mandatory question
A question, the same for all users in a domain, that a person must answer in order to authenticate themselves using Quest Password Manager.

managed domain
A domain registered with Quest Password Manager. You can manage multiple domains by using Quest Password Manager.

mixed mode
The default mode setting for domains on Windows 2000/2003/2008 domain controllers. Mixed mode allows Windows 2000/2003/2008 domain controllers and Windows NT backup domain controllers to co-exist in a domain. Mixed mode does not support the universal and nested group enhancements of Windows 2000/2003/2008.

N

native mode
A Windows® 2000/2003/2008 domain is in native mode when:
• All domain controllers in the domain have been upgraded to Windows® 2000/2003/2008.
• An administrator has enabled native mode operation using the domain property page in the Active Directory™ Users and Computers snap-in.

O

optional question
A question from the pre-defined list that a person must answer in order to authenticate themselves using Quest Password Manager.

organizational unit
An Active Directory container object used within domains. An organizational unit is a logical container into which users, groups, computers, and other organizational units are placed. It can contain objects only from its parent domain.

P

Password Manager Service Realm
A set of Password Manager instances sharing a common configuration to ensure enhanced availability and load balancing. A single domain may be managed by several different Password Manager realms.

Password Manager Realm Affinity
An association between Secure Password Extension and a Password Manager Service.
If you enforce an affinity to a specific Password Manager realm using Group Policy, all the clients running Secure Password Extension and affected by this policy will use only the Password Manager Service instances that belong to the specified realm.

Q

Questions and Answers Profile (Q&A Profile)
A set of questions selected by a user from the Question list and the user's answers to them. A Questions and Answers Profile is used to authenticate a person using Quest Password Manager.

Question list
A set of questions used in creating users' Questions and Answers profiles. The list is defined by the administrator and contains a series of questions in a certain language that users from a specific domain must answer in order to create or update their personal Questions and Answers profiles. A question list defines the number of questions of each type and the wording of mandatory and optional questions.

S

Secure Password Extension
A component of Password Manager that facilitates access to the Self-Service site from the Windows logon screen. This component is installed on end-user computers.

site
One or more Microsoft® Exchange servers that provide services to a set of users. Sites can be centrally managed and can span physical locations.

special character
A character that is neither alphabetic nor numeric.

U

user-defined question
A question that a person must provide, along with the answer, in order to authenticate themselves using Quest Password Manager.