Novell® SecureLogin 7 and Your Active Directory Setup
Thomas Manley, Information Security Engineer, Synovus Financial
Kevin Prior, Technology [email protected]
Gregory Domjan, Senior [email protected]
© Novell, Inc. All rights reserved.
Agenda
• What is new: key new features in Novell® SecureLogin 7 and Novell SecureLogin 7 SP1
• Active Directory / ADAM
• Strong Authentication
• Shared Workstations
• Demonstrations of new features
• Hear from Synovus on their project
Novell® SecureLogin 7 Key New Features
• GUI Integration Wizards
– Windows, Web and Java
– All have the same interface, unlike in 6.1 and prior
• 64-bit support
• Desktop Automation Services (DAS) enhancements
• iManager Enhancements
• New commands (when Wizard is not enough)
• Events & Auditing
• Bug fixes
New in Novell® SecureLogin 7
• Integration Wizard
– Expanded application support
– Improved graphical user interface
– Drastically simplifies implementation
• 64-bit Support
– Microsoft* Windows* Vista OS
– Microsoft* Windows* 2003
– Microsoft* Windows* 2008
Changed in Novell® SecureLogin 7
• Desktop Automation Services (DAS)
– Included in MSI reducing install steps
– More commands
– Configuration editor
• Commands
– GetCheck/SetCheck standardised
– SendEvent enhancement
– Read/Click now have -order option
Events and Auditing
• Audit events are written to Windows Event log
• Different event types
– SecureLogin process
– SecureLogin script
– Other process
> LDAP
> SecureWorkstation
• Configuration
SecureLogin Events
• EventId 257 GPO failure
• EventId 258 Audit event command
• EventId 259 SecureLogin client started
• EventId 260 SecureLogin client terminated
• EventId 261 SecureLogin client enabled
• EventId 262 SecureLogin client disabled
• EventId 263 Password provided to the application
• EventId 264 SecureLogin changed password for an application
• EventId 265 SecureLogin changed password automatically for an application
Other Events
• LDAP Specific
– EventId 1 SecureLogin user x has logged in
– EventId 2 SecureLogin user has changed the LDAP password
– EventId 3 Workstation has been unlocked by a different user, from who locked it
• SecureWorkstation Specific
– EventId 4 Session has timed out due to inactivity.
– EventId 5 Device removal has been triggered
– EventId 6 Manual lock has been triggered
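The two slides above list event IDs from three separate sources, and the LDAP and SecureWorkstation IDs (1 to 6) are numbers that practically every Windows provider also emits, so a collector must filter on provider and ID together, never on the ID alone. The following triage script is an added example, not Novell's code: it takes exported event records, keeps only SecureLogin events, counts LDAP logins per user and raises alerts on the three events a SOC would most want to see (GPO failure, client disabled, workstation unlocked by a different user). The provider names "NSL", "NSL-LDAP" and "SecureWorkstation", the EventRecord fields and all sample records are assumptions and constructed data; substitute the provider names your installation actually writes.

```python
"""Triage of Novell SecureLogin audit events exported from the Windows event log.

Added example, not Novell's code. Event IDs and meanings are those on the
slides. The provider names ("NSL", "NSL-LDAP", "SecureWorkstation"), the
EventRecord fields and every sample record are ASSUMPTIONS / constructed data
standing in for what wevtutil, Get-WinEvent or a SIEM forwarder would deliver.
"""
from collections import Counter
from dataclasses import dataclass

# "SecureLogin Events" slide: SecureLogin process/script events.
SECURELOGIN_EVENTS = {
    257: "GPO failure",
    258: "Audit event command",
    259: "SecureLogin client started",
    260: "SecureLogin client terminated",
    261: "SecureLogin client enabled",
    262: "SecureLogin client disabled",
    263: "Password provided to application",
    264: "SecureLogin changed password for an application",
    265: "SecureLogin changed password automatically for an application",
}
# "Other Events" slide: LDAP-specific and SecureWorkstation-specific events.
LDAP_EVENTS = {
    1: "SecureLogin user has logged in",
    2: "SecureLogin user has changed the LDAP password",
    3: "Workstation unlocked by a different user than the one who locked it",
}
SECUREWORKSTATION_EVENTS = {
    4: "Session timed out due to inactivity",
    5: "Device removal triggered",
    6: "Manual lock triggered",
}

# ASSUMED provider (source) names. IDs 1-6 are reused by countless Windows
# providers, so always match on provider AND ID.
PROVIDER_TABLES = {
    "NSL": SECURELOGIN_EVENTS,
    "NSL-LDAP": LDAP_EVENTS,
    "SecureWorkstation": SECUREWORKSTATION_EVENTS,
}

# (provider, id) pairs an analyst should look at, with the reason.
ALERT_RULES = {
    ("NSL", 257): "GPO not applied: client may run with default, weaker settings",
    ("NSL", 262): "SSO client disabled: credentials no longer injected, or tampering",
    ("NSL-LDAP", 3): "shared-workstation handover: confirm the unlocking user was entitled",
}


@dataclass(frozen=True)
class EventRecord:
    provider: str
    event_id: int
    user: str
    host: str
    message: str = ""


def classify(rec):
    """Slide description for a SecureLogin event; None for any other provider,
    even when the numeric ID happens to match."""
    table = PROVIDER_TABLES.get(rec.provider)
    return None if table is None else table.get(rec.event_id)


def xpath_filter(provider, ids):
    """XPath for wevtutil qe, Get-WinEvent -FilterXPath or a collector
    subscription that pulls only the wanted (provider, id) pairs."""
    id_clause = " or ".join(f"EventID={i}" for i in sorted(ids))
    return f"*[System[Provider[@Name='{provider}'] and ({id_clause})]]"


def triage(records):
    """Return (alerts, ignored_count, logins_per_user).

    alerts: (host, user, event_id, meaning, reason) for each ALERT_RULES hit
    ignored_count: records from non-SecureLogin providers that were skipped
    logins_per_user: Counter of LDAP EventId 1 per user
    """
    alerts, ignored, logins = [], 0, Counter()
    for rec in records:
        meaning = classify(rec)
        if meaning is None:
            ignored += 1
            continue
        if (rec.provider, rec.event_id) == ("NSL-LDAP", 1):
            logins[rec.user] += 1
        reason = ALERT_RULES.get((rec.provider, rec.event_id))
        if reason is not None:
            alerts.append((rec.host, rec.user, rec.event_id, meaning, reason))
    return alerts, ignored, logins


# Constructed sample: one shared branch workstation, two users, plus a foreign
# provider that also emits EventID 1 and must NOT be counted as a login.
SAMPLE = [
    EventRecord("NSL", 259, "jdoe", "BR01-WS07"),
    EventRecord("NSL-LDAP", 1, "jdoe", "BR01-WS07"),
    EventRecord("NSL", 263, "jdoe", "BR01-WS07", "TellerApp"),
    EventRecord("SecureWorkstation", 4, "jdoe", "BR01-WS07"),
    EventRecord("NSL-LDAP", 3, "asmith", "BR01-WS07"),
    EventRecord("Microsoft-Windows-Kernel-General", 1, "SYSTEM", "BR01-WS07"),
    EventRecord("NSL", 257, "asmith", "BR01-WS07"),
    EventRecord("NSL", 262, "asmith", "BR01-WS07"),
]

if __name__ == "__main__":
    print(xpath_filter("NSL", [257, 262]))
    hits, skipped, per_user = triage(SAMPLE)
    for hit in hits:
        print("ALERT", *hit)
    print(f"skipped {skipped} foreign record(s); logins per user: {dict(per_user)}")
```

EventId 263 (password provided) fires on every SSO injection and is useful as a volume baseline per user and host rather than as an alert; 264/265 are the ones to reconcile against the application's own password-change audit trail.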
Novell® SecureLogin 7 SP1 New Features
• Windows 7 support
– 32 and 64 bit
• More specific support of .NET (WinForms & WPF) applications in addition to Win32 support
• More specific support of Oracle Forms applications in addition to Java AWT/Swing support
• Integration with Client Login Extension (CLE) for recovering forgotten passwords
• Integration wizard also extended for .NET & Oracle Forms
SecureLogin and Active Directory
• Use Microsoft Active Directory as back-end data store
• Works in complete Microsoft environments
– No Novell® eDirectory™, no Novell Client™, no other Novell components needed
• Schema extension for AD
• Administration through MMC and SLManager
• Option to use Group Policies
SecureLogin Deployment in AD
[Deployment diagram: Enterprise Desktop / Terminal Services / Shared Desktop running MS Client + Novell SecureLogin SSO and DAS, authenticating against Active Directory; single sign-on to Application A, B, C and Enterprise and Clinical Systems; optional add-on: Report Database and Audit Server]
SecureLogin and ADAM
• Microsoft ADAM used as back-end data store
• Schema extension applied to the ADAM instance instead of to AD
• Administered through SLManager
• Used by Microsoft-based customers that don't want to extend the AD schema
– But many already run Exchange and/or SMS, which extend the AD schema anyway
SecureLogin Deployment in ADAM
[Deployment diagram: Enterprise Desktop / Terminal Services / Shared Desktop running MS Client + Novell SecureLogin SSO and DAS; user is authenticated against the Active Directory Global Catalog; SecureLogin locates the ADAM instance and synchronizes its cache with it; single sign-on to Application A, B, C and Enterprise and Clinical Systems; optional add-on: Report Database and Audit Server]
AD Group Policies and SecureLogin
• Allows single sign-on data to be distributed by directory group, which enterprises typically use to manage roles
• Supports Microsoft Group Policy Objects for control over credentials and application definitions
• Group Policies give finer-grained management and application of directory settings
• SecureLogin must be installed with the GPO option
Shared Workstation with AD: Desktop Automation Services (DAS)
• Runs on the workstation as a service/application
• Configuration sourced from the directory (or the workstation)
– Managed with a simple XML file, 'Actions.xml'
• Requires SecureLogin in LDAP mode for fast user switching support (similarly, Novell® eDirectory™ with Novell Client™)
• Detects trigger events
– Hot keys
– Buttons on desktop and in task bar
– SecureLogin and other events
• Launches actions based on those events
• Configure using the GUI editor, or as XML using the simple command set to specify the event of interest and the actions to take
Demonstration – 7.0 and 7.0 SP1 New Features
• Windows 7
• Wizard
• .net App
• Oracle Forms app
• CLE
Case Study: Synovus Financial
Thomas Manley
Information Security Engineer, Synovus Financial
About Synovus Financial
Who We Are
• A financial services holding company based in Columbus, Georgia.
• Synovus provides commercial and retail banking, as well as investment services, to customers through 30 banks and 330 offices in Georgia, Alabama, South Carolina, Florida and Tennessee.
• Approximately 6,500 employees
The Business Case for SSO
• Front-line employees had to maintain as many as six different passwords
• Forgotten passwords and locked accounts impacted operations and generated Help Desk calls
• Password fatigue results in employees…
– creating weak passwords
– following predictable patterns when changing a password (e.g. incrementing a number)
– storing passwords by writing them in a "password journal"
• An application may not enforce a password policy, or may not comply with the company-approved policy
Proof of Concept (PoC)
• Evaluated Novell® SecureLogin and a competing appliance-based solution
• Included 9 essential front-line applications:
– 4 Windows applications
– 3 mainframe applications
– 2 Web applications
• Applications share a common credential set
• Must be able to leverage directory service attributes
• Support for multiple logins per application per user
Product Selection
Novell® SecureLogin
• Tight integration with directory service
– Leverages existing systems
– Stores encoded user data within the directory
– Inherits resilience of the directory architecture
– Can query directory attributes for authentication or definition logic
• Supports credential provisioning
• Robust application definition language
Implementation
• Included 16 front-line applications (inc. PoC apps)
– 8 Web applications
– 5 Windows applications
– 3 mainframe applications
• Branded Novell® SecureLogin as Synovus Simplified Sign-on (SSO)
• Video training course provided prior to deployment
• Augmented internal training and process documents to include SSO
Implementation (Cont.)
• Deployed SSO using Novell® ZENworks®
• SecureLogin installed in LDAP mode, pointed at a layer 4 switch that load-balances across the directory servers
• Local cache enabled to provide fail-over access to user credentials
• Piloted SSO at one bank for 4 months
• Phased deployment to remaining 29 banks and holding company over 2 months
Support
• Trained Help Desk personnel to facilitate SSO enrollment and troubleshooting
• Authored and maintaining a Help Desk reference document detailing common troubleshooting procedures
• Specified escalation path to provide agile first-, second- and third-tier support
• Integrated SSO quality assurance testing into existing application QA testing processes
• Identified user acceptance testing group
The Users Have Spoken
“Speeds up the process so much quicker. After I clock in it seems to take no time to have all the screens up that I need to work with.”
– Personal Banker
“This has been a user-friendly process. Signing on to three applications w/out keying in the password is so much better. Many thanks to your brilliant team.”
– Lending Assistant
Summary
Lower costs
Mitigate security risks
Deliver a quick win
Increase productivity
For More Information
• Visit table A5 in IT Central
• Walk through the SecureLogin demo in the Installation and Migration Depot
• Attend the following complementary sessions:
– BOF106: SecureLogin in the Real World Panel Discussion
– IAM205: Novell SecureLogin Installation, Deployment and Lifecycle Management
– IAM302: Using Hard Disk Encryption and SecureLogin
– IAM303: Enhancing SecureLogin with Multi-factor Authentication
– IAM304: Securing Shared Workstation with SecureLogin
• Visit www.novell.com/securelogin
Question and Answer
For More Information
• Visit table A5 in IT Central
• Attend the following complementary sessions:
– BOF106: SecureLogin in the Real World Panel Discussion
– IAM205: Novell SecureLogin Installation, Deployment and Lifecycle Management
– IAM207: SecureLogin and Your Active Directory Setup
– IAM302: Using Hard Disk Encryption and SecureLogin
– IAM303: Enhancing SecureLogin with Multi-factor Authentication
– IAM304: Securing Shared Workstation with SecureLogin
• Walk through the SecureLogin demo in the Installation and Migration Depot
• Visit www.novell.com/securelogin
Try SecureLogin for Yourself
We'll install SecureLogin on your machine (for free).