Novell SecureLogin 7 and Your Microsoft Active Directory Setup

Date post: 17-Jan-2015
Upload: novell
Description:
Novell recently shipped Novell SecureLogin 7, which delivers a host of enhancements, including:
• An improved integration wizard
• Extended support for .NET applications and Oracle Forms
• Integration with Client Login Extension (CLE) for recovering forgotten passwords
• Windows 7 support

In this session, we will go into detail about these new enhancements and will also discuss how to use SecureLogin 7 with Microsoft Active Directory and Active Directory Application Mode. In addition to understanding the new features in SecureLogin, when you leave this session you’ll understand:
• How to use SecureLogin with Active Directory and Active Directory Application Mode
• How to choose between a Novell eDirectory or Active Directory deployment
• How to add advanced authentication to your Active Directory deployment
• How to set up shared workstation support
• How to apply Active Directory group policies to SecureLogin
• And much more

Finally, you’ll hear from a customer who has deployed SecureLogin in their environment.
Transcript
Page 1: Novell SecureLogin 7 and Your Microsoft Active Directory Setup

Novell® SecureLogin 7 and Your Active Directory Setup

Thomas Manley, Information Security Engineer, Synovus Financial

Kevin Prior, Technology Specialist

Gregory Domjan, Senior Engineer

Page 2: Novell SecureLogin 7 and Your Microsoft Active Directory Setup

© Novell, Inc. All rights reserved.

Agenda

• What is new – key new features with
– Novell® SecureLogin 7 and
– Novell SecureLogin 7 SP1
• Discuss Active Directory / ADAM
• Strong Authentication
• Shared Workstations
• Demonstrations of new features
• Hear from Synovus on their project

Page 3: Novell SecureLogin 7 and Your Microsoft Active Directory Setup

Novell® SecureLogin 7 Key New Features

• GUI Integration Wizards

– Windows, Web and Java

– All have the same interface, unlike in 6.1 and prior

• 64-bit support

• Desktop Automation Services (DAS) enhancements

• iManager Enhancements

• New commands (when Wizard is not enough)

• Events & Auditing

• Bug fixes

Page 4: Novell SecureLogin 7 and Your Microsoft Active Directory Setup

New in Novell® SecureLogin 7

• Integration Wizard
– Expanded application support
– Improved graphical user interface
– Drastically simplifies implementation

• 64-bit Support
– Microsoft* Windows* Vista OS
– Microsoft* Windows* 2003
– Microsoft* Windows* 2008

Page 5: Novell SecureLogin 7 and Your Microsoft Active Directory Setup

Changed in Novell® SecureLogin 7

• Desktop Automation Services (DAS)

– Included in MSI reducing install steps

– More commands

– Configuration editor

• Commands

– GetCheck/SetCheck standardised

– SendEvent enhancement

– Read/Click now have -order option

Page 6: Novell SecureLogin 7 and Your Microsoft Active Directory Setup

Events and Auditing

• Audit events are written to Windows Event log

• Different event types

– SecureLogin process

– SecureLogin script

– Other process

> LDAP

> SecureWorkstation

• Configuration

Page 7: Novell SecureLogin 7 and Your Microsoft Active Directory Setup

SecureLogin Events

• EventId 257 GPO Failure
• EventId 258 Audit event command
• EventId 259 SecureLogin client started
• EventId 260 SecureLogin client terminated
• EventId 261 SecureLogin client enabled
• EventId 262 SecureLogin client disabled
• EventId 263 Password provided to the applications
• EventId 264 SecureLogin Changed Password for an application
• EventId 265 SecureLogin Changed Password automatically for an application

Page 8: Novell SecureLogin 7 and Your Microsoft Active Directory Setup

Other Events

• LDAP Specific

– EventId 1 SecureLogin user x has logged in

– EventId 2 SecureLogin user has changed the LDAP password

– EventId 3 Workstation has been unlocked by a different user from the one who locked it

• SecureWorkstation Specific

– EventId 4 Session has timed out due to inactivity.

– EventId 5 Device removal has been triggered

– EventId 6 Manual lock has been triggered
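A triage pass over exported events using the EventIds listed on the two slides above, as an added example that is not part of the original deck or Novell's own code. The tuple layout, the source labels ("SecureLogin", "LDAP", "SecureWorkstation"), the five-minute window and the three correlation rules are assumptions chosen for illustration; the sample records are constructed.

```python
from datetime import datetime, timedelta

# (source, EventId) pairs from the slides. The source labels are assumed names
# for the slide groupings; IDs 1-6 and 257-265 come from different sources.
GPO_FAILURE, ENABLED, DISABLED = ("SecureLogin", 257), ("SecureLogin", 261), ("SecureLogin", 262)
PASSWORD_PROVIDED = ("SecureLogin", 263)
FOREIGN_UNLOCK = ("LDAP", 3)
RELOCK = {("SecureWorkstation", 4), ("SecureWorkstation", 5), ("SecureWorkstation", 6)}

def triage(events, window=timedelta(minutes=5)):
    """Return sorted (timestamp, host, finding) tuples for exported events."""
    findings, disabled_at, unlocked_at = [], {}, {}
    for ts, host, source, event_id in sorted(events):
        key = (source, event_id)
        if key == GPO_FAILURE:
            findings.append((ts, host, "GPO failure"))
        elif key == DISABLED:
            disabled_at[host] = ts
        elif key == ENABLED:
            disabled_at.pop(host, None)
        elif key == FOREIGN_UNLOCK:
            unlocked_at[host] = ts
        elif key in RELOCK:
            unlocked_at.pop(host, None)  # locked again: earlier unlock no longer applies
        elif key == PASSWORD_PROVIDED:
            t0 = unlocked_at.get(host)
            if t0 is not None and ts - t0 <= window:
                findings.append((ts, host, "password provided after unlock by a different user"))
    # Clients that were disabled and never re-enabled within the export
    findings += [(ts, host, "client disabled and not re-enabled") for host, ts in disabled_at.items()]
    return sorted(findings)

def at(minute):
    """Constructed timestamp: minutes after an arbitrary start time."""
    return datetime(2010, 1, 1, 9, 0) + timedelta(minutes=minute)

# Constructed sample export, not real log data: (timestamp, host, source, EventId)
SAMPLE = [
    (at(0), "WS01", "SecureLogin", 259),
    (at(1), "WS01", "SecureLogin", 257),
    (at(10), "WS02", "LDAP", 3),
    (at(12), "WS02", "SecureLogin", 263),
    (at(13), "WS02", "SecureWorkstation", 6),
    (at(14), "WS02", "SecureLogin", 263),
    (at(20), "WS03", "SecureLogin", 262),
    (at(21), "WS03", "SecureLogin", 261),
    (at(30), "WS04", "SecureLogin", 262),
]

if __name__ == "__main__":
    for ts, host, finding in triage(SAMPLE):
        print(ts.isoformat(), host, finding)
```

Keying on the (source, EventId) pair rather than the ID alone matters because the LDAP and SecureWorkstation events use small IDs (1 to 6) that are only meaningful together with their source.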

Page 9: Novell SecureLogin 7 and Your Microsoft Active Directory Setup

Novell® SecureLogin 7 SP1 New Features

• Windows 7 support

– 32 and 64 bit

• More specific support of .NET (WinForms & WPF) applications in addition to Win32 support

• More specific support of Oracle Forms applications in addition to Java AWT/Swing support

• Integration with Client Login Extension (CLE) for recovering forgotten passwords

• Integration wizard also extended for .NET & Oracle Forms

Page 10: Novell SecureLogin 7 and Your Microsoft Active Directory Setup

SecureLogin and Active Directory

• Use Microsoft Active Directory as back-end data store

• Works in complete Microsoft environments

– No Novell® eDirectory™, no Novell Client™, no other Novell components needed

• Schema extension for AD

• Administration through MMC and SLManager

• Option to use Group Policies

Page 11: Novell SecureLogin 7 and Your Microsoft Active Directory Setup

SecureLogin Deployment in AD

[Diagram. Labels: Enterprise Desktop, Shared Desktop, Terminal Services, MS Client, Novell SecureLogin SSO, DAS, Application A, Application B, Application C, Enterprise and Clinical Systems, Active Directory, Audit Server, Report Database, Optional Add-on]

Page 12: Novell SecureLogin 7 and Your Microsoft Active Directory Setup

SecureLogin and ADAM

• Microsoft ADAM used as back-end data store

• Schema extended from ADAM

• Administered through SLManager

• Used by Microsoft-based customers that don't want to extend AD schema

– But many use Exchange and/or SMS which has this...

Page 13: Novell SecureLogin 7 and Your Microsoft Active Directory Setup

SecureLogin Deployment in ADAM

[Diagram. Labels: Enterprise Desktop, Shared Desktop, Terminal Services, MS Client, Novell SecureLogin SSO, DAS, Application A, Application B, Application C, Enterprise and Clinical Systems, Active Directory Global Catalog, ADAM Instance, User is Authenticated, SecureLogin Locates ADAM Instance, Cache Synchronization, Audit Server, Report Database, Optional Add-on]

Page 14: Novell SecureLogin 7 and Your Microsoft Active Directory Setup

AD Group Policies and SecureLogin

• Allows distribution of single sign-on data using directory groups, which usually will be used in enterprises to manage roles

• Supports Microsoft Group Policy Object for control over credential and application definition

• Group Policies are used to more finely manage and apply directory settings

• SecureLogin must be installed with GPO option

Page 15: Novell SecureLogin 7 and Your Microsoft Active Directory Setup

Shared Workstation with AD
Desktop Automation Services (DAS)

• Runs on the workstation as a (service/app)
• Configuration sourced from the directory (or the workstation)
– Managed with simple xml file, the 'Actions.xml'
• Requires SecureLogin in LDAP mode for fast user switching support (similar for Novell® eDirectory™ to Novell Client™)
• Detects trigger events
– Hot keys
– Buttons on desktop and in task bar
– SecureLogin and other events
• Launches actions based on those events
• Configure using GUI editor or as XML using the simple command set to specify event of interest and the actions to take

Page 16: Novell SecureLogin 7 and Your Microsoft Active Directory Setup

Demonstration – 7.0 and 7.0 SP1 New Features

• Windows 7

• Wizard

• .net App

• Oracle Forms app

• CLE

Page 17: Novell SecureLogin 7 and Your Microsoft Active Directory Setup

Case Study: Synovus Financial

Thomas Manley

Information Security Engineer, Synovus Financial

Page 18: Novell SecureLogin 7 and Your Microsoft Active Directory Setup

About Synovus Financial

Who We Are

• A financial services holding company based in Columbus, Georgia.

• Synovus provides commercial and retail banking, as well as investment services, to customers through 30 banks and 330 offices in Georgia, Alabama, South Carolina, Florida and Tennessee.

• Approximately 6,500 employees

Page 19: Novell SecureLogin 7 and Your Microsoft Active Directory Setup

The Business Case for SSO

• Front-line employees had to maintain as many as six different passwords
• Forgotten passwords and locked accounts impacted operations and generated Help Desk calls
• Password fatigue results in employees…
– creating weak passwords
– following predictable patterns when changing a password (e.g. incrementing a number)
– storing passwords by writing them in a “password journal”
• An application may not enforce a password policy or comply with the company approved policy

Page 20: Novell SecureLogin 7 and Your Microsoft Active Directory Setup

Proof of Concept (PoC)

• Evaluated Novell® SecureLogin and a competing appliance-based solution

• Included 9 essential front-line applications:
– 4 Windows applications
– 3 mainframe applications
– 2 Web applications
• Applications share a common credential set
• Must be able to leverage directory service attributes
• Support for multiple logins per application per user

Page 21: Novell SecureLogin 7 and Your Microsoft Active Directory Setup

Product Selection

Novell® SecureLogin

• Tight integration with directory service

– Leverages existing systems

– Stores encoded user data within the directory

– Inherits resilience of the directory architecture

– Can query directory attributes for authentication or definition logic

• Supports credential provisioning

• Robust application definition language

Page 22: Novell SecureLogin 7 and Your Microsoft Active Directory Setup

Implementation

• Included 16 front-line applications (inc. PoC apps)

– 8 Web applications

– 5 Windows applications

– 3 mainframe applications

• Branded Novell® SecureLogin as Synovus Simplified Sign-on (SSO)

• Video training course provided prior to deployment

• Augmented internal training and process documents to include SSO

Page 23: Novell SecureLogin 7 and Your Microsoft Active Directory Setup

Implementation (Cont.)

• Deployed SSO using Novell® ZENworks®

• SecureLogin installed in LDAP mode and addressing a layer 4 switch for load balancing

• Local cache enabled to provide fail-over access to user credentials

• Piloted SSO at one bank for 4 months

• Phased deployment to remaining 29 banks and holding company over 2 months

Page 24: Novell SecureLogin 7 and Your Microsoft Active Directory Setup

Support

• Trained Help Desk personnel to facilitate SSO enrollment and troubleshooting

• Authored and maintain a Help Desk reference document detailing common troubleshooting procedures

• Specified escalation path to provide agile first-, second- and third-tier support

• Integrated SSO quality assurance testing into existing application QA testing processes

• Identified user acceptance testing group

Page 25: Novell SecureLogin 7 and Your Microsoft Active Directory Setup

The Users Have Spoken

“Speeds up the process so much quicker. After I clock in it seems to take no time to have all the screens up that I need to work with.”

– Personal Banker

“This has been a user-friendly process. Signing on to three applications w/out keying in the password is so much better. Many thanks to your brilliant team.”

– Lending Assistant

Page 26: Novell SecureLogin 7 and Your Microsoft Active Directory Setup

Summary

Lower costs

Mitigate security risks

Deliver a quick win

Increase productivity

Page 27: Novell SecureLogin 7 and Your Microsoft Active Directory Setup

For More Information

• Visit table A5 in IT Central
• Walk through the SecureLogin demo in the Installation and Migration Depot
• Attend the following complementary sessions:
– BOF106: SecureLogin in the Real World Panel Discussion
– IAM205: Novell SecureLogin Installation, Deployment and Lifecycle Management
– IAM302: Using Hard Disk Encryption and SecureLogin
– IAM303: Enhancing SecureLogin with Multi-factor Authentication
– IAM304: Securing Shared Workstation with SecureLogin

• Visit www.novell.com/securelogin

Page 28: Novell SecureLogin 7 and Your Microsoft Active Directory Setup

Question and Answer

Page 29: Novell SecureLogin 7 and Your Microsoft Active Directory Setup

For More Information

• Visit table A5 in IT Central
• Attend the following complementary sessions:
– BOF106: SecureLogin in the Real World Panel Discussion
– IAM205: Novell SecureLogin Installation, Deployment and Lifecycle Management
– IAM207: SecureLogin and Your Active Directory Setup
– IAM302: Using Hard Disk Encryption and SecureLogin
– IAM303: Enhancing SecureLogin with Multi-factor Authentication
– IAM304: Securing Shared Workstation with SecureLogin

• Walk through the SecureLogin demo in the Installation and Migration Depot

• Visit www.novell.com/securelogin

Try SecureLogin for Yourself

We'll install SecureLogin on your machine (for free).

Page 30: Novell SecureLogin 7 and Your Microsoft Active Directory Setup
Page 31: Novell SecureLogin 7 and Your Microsoft Active Directory Setup

Unpublished Work of Novell, Inc. All Rights Reserved.

This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.

