Understanding and Configuring Password Manager for Maximum Benefits
Written by Chris Radband, senior professional services consultant, Dell Software
Introduction
About Password Manager
The pain of password management—the single most common support issue—is becoming more pervasive. The need to require more complex passwords that must be changed more frequently increases the likelihood that users will forget their passwords. As a result, increasing security often also increases support costs.
Password Manager provides a simple, secure set of password management utilities that allows end users to reset forgotten passwords and unlock their user accounts themselves. Therefore, administrators can implement stronger password policies while reducing help-desk workload. Password Manager accommodates the widest possible range of organization requirements and data security standards.
Benefits
Password Manager offers the following benefits:
• Reduced costs
  • Enabling users to reset their own passwords reduces help-desk workload and related support costs.
  • Users who forget their passwords can get back to work faster, with less frustration, which curbs productivity losses.
• Increased security
  • When users know they can reset their own passwords, they are less likely to write them down.
  • Enabling stronger password policy makes password guessing and break-ins more difficult.
• Streamlined administration
  • Password policies are easy to implement and enforce.
  • Administrators can easily track and report on all password reset activity.
  • Administrators have granular control over password policy in Windows 2008 at a per-group level rather than for the entire domain.
• Ease of use
  • Password resets are easy through an optional Graphical Identification and Authentication DLL (GINA) extension.
Figure 1. Password Manager enhances security and reduces costs by enabling users to reset their own passwords.
Dell™ Password Manager, a part of the Dell One Identity products from Dell Software, enables users to securely reset forgotten passwords and unlock their accounts themselves, so administrators can implement stronger password policies without adding to the help-desk workload. This technical brief describes Password Manager’s system requirements and logical architecture, and discusses key configuration decisions to help you derive maximum value from the solution.
[Figure 1 diagram: Help desk and security administrators (verify user identity, enforce enrollment, define questions, define password policies, monitor activity, investigate alerts); Password Manager functions (verify account, authenticate user, enforce corporate policies, enforce password history, reset forgotten password, manage password change, unlock account, log activity, alert of suspicious activity); integrations (ActiveRoles Server & Identity Manager, password synchronization with Quick Connect, Defender, Enterprise Single Sign-on); user scenarios (forgets password, locked out of account, manages passwords).]
System requirements
Password Manager works with Windows 2000, 2003 and 2008 domains, including domains operating in a mixed mode.

Basic requirements
Platform: 800 MHz or higher Intel Pentium-compatible CPU (Quad core recommended)
Memory: At least 128 MB RAM (256 MB recommended; 4+ GB recommended)
Hard disk space: 100 MB (20 GB recommended)
Operating system: One of the following:
• Microsoft Windows Server 2003 (32-bit edition) with Service Pack 1 or later
• Microsoft Windows Server 2003 (64-bit edition) with Service Pack 1 or later
• Microsoft Windows Server 2008 (32-bit edition) with Service Pack 1
• Microsoft Windows Server 2008 (64-bit edition) with Service Pack 1
• Microsoft Windows Server 2008 R2 (recommended)
• Microsoft Windows Server 2012
Internet Information Server: One of the following:
• Microsoft Internet Information Server 6.0
• Microsoft Internet Information Server 7.0
• Microsoft Internet Information Server 7.5
• Microsoft Internet Information Server 8.0
It is strongly recommended that you use HTTPS with Password Manager. For more information, see the Quick Start Guide.
Browser: Microsoft® Internet Explorer 6.0, 7.0, 8.0, 9.0 or 10.0
SQL Server: One of the following:
• Microsoft® SQL Server™ 2005
• Microsoft® SQL Server 2008
• Microsoft® SQL Server 2008 R2 (recommended)
• Microsoft® SQL Server 2012
Report definitions included with Password Manager 4.7 are designed to support the functionality of Microsoft SQL Server 2005 Reporting Services and Microsoft SQL Server 2008 Reporting Services. Note: If SQL is to be hosted on the Password Manager server, these specifications should be increased.
Microsoft .NET Framework: Microsoft® .NET Framework 3.5 SP1. Microsoft® .NET Framework 3.5 SP1 is included with the Password Manager distribution package. You must install .NET Framework 3.5 SP1 before you install Password Manager.
Acrobat Reader: Acrobat® Reader® 5.0 or later. Acrobat Reader 7.0 is included with the Password Manager distribution package.

Client requirements
Ensure that each client computer meets the following minimum software requirements:
Browser: One of the following:
• Microsoft® Internet Explorer 6.0, 7.0, 8.0 or 9.0
• Mozilla® Firefox® 3
• Apple® Safari® 5
• Google® Chrome® 7
Domain controller requirements
To be able to implement password policies in an Active Directory domain managed by Password Manager, you must deploy the Password Policy Manager component on all domain controllers in the managed domain. The domain controllers where you plan to install the 32-bit or 64-bit version of the Password Policy Manager component must meet the following requirements:
Operating system: One of the following:
• Microsoft® Windows® 2000 Service Pack 4
• Microsoft® Windows Server™ 2003 (32-bit or 64-bit edition)
• Microsoft® Windows Server™ 2008 (32-bit or 64-bit edition)
• Microsoft® Windows Server™ 2008 R2
Hard disk space: 5 MB of free hard disk space

Target computer requirements
To allow password resets from the Windows logon screen, you must deploy the Secure Password Extension on all target computers in the managed domain. The target computers must meet the following minimum software requirements:
Operating system: One of the following:
• Microsoft® Windows® 2000 Server Service Pack 4
• Microsoft® Windows Server™ 2003
• Microsoft® Windows Server™ 2008
• Microsoft® Windows Server™ 2008 R2
• Microsoft® Windows® 2000 Professional Service Pack 4
• Microsoft® Windows® XP Professional Service Pack 2 or later
• Microsoft® Windows® Vista
• Microsoft® Windows 7™
Browser: Microsoft® Internet Explorer 6.0, 7.0, 8.0 or 9.0. We do not recommend use of any plug-ins for Microsoft Internet Explorer on computers where you plan to deploy Secure Password Extension, since the plug-ins extend Internet Explorer functionality and could pose security threats.
SQL sizing
Database size estimation is based upon the number of records stored. An estimate can be generated using the following information and is primarily based upon user count:
• Generic user activity (such as enroll, password reset or unlock) per 1000 users is estimated at less than 3–5 MB. For example, if the password reset rate is 10 per day, then database growth will be in the region of 30–50k per day, or about 1–1.5 MB per month.
• Reporting data is also stored in the database. No sizing estimate is available, but this is expected to be less than the user activity estimates above.
For more information, see Dell Support Solution 21284.
Logical architecture
Placement of the Password Manager server (which hosts IIS) and the SQL components (which can alternatively be hosted on the Password Manager server) is shown in Figure 2.
Firewall ports
Hosting Password Manager in the DMZ requires ports to be open into the LAN, as shown in Figure 3.
[Figure 2 diagram: LAN | DMZ | External. The QPM/IIS server sits in the DMZ; QPM traffic crosses the internal firewall to SQL Server, SQL reporting services and Active Directory on the LAN (53-DNS, 80-HTTP, 88-Kerberos, 139-NetBios, 443-HTTPS, 445-MS DS, 636-S/LDAP, 3266-AD GC, 1433-SQL, port 25 SMTP); Internet clients reach the server through the external firewall over HTTPS (443).]
[Figure 3 diagram: LAN | DMZ | External. Open firewall ports on the internal firewall between the IIS/QPM server and Active Directory: 53-DNS, 80-HTTP, 88-Kerberos, 139-NetBios*, 389-LDAP*, 443-HTTPS, 445-MS DS*, 636-S/LDAP, 3266-AD GC. Open firewall ports on the external firewall: 443-HTTPS.]
Figure 2. Logical architecture
Figure 3. Firewall ports
* All communications through HTTP port 80 can use HTTPS port 443. ** SQL connection uses a dynamic port (TCP 1816 SQL TCP Dynamic Port, to SQL), which is selected by SQL.
Several processes participate in communications. Some of them directly belong to Password Manager, and some are helpers used by Password Manager.

Password Manager Server (Add Domain \ Create QA profile \ Change Password \ Reset Password)
• Svchost.exe in TCP 80 (HTTP)
• Lsass.exe out UDP 53 (DNS)
• W3wp.exe out UDP 53 (DNS)
• W3wp.exe out UDP 389 (LDAP) to DC
• W3wp.exe out TCP 389 (LDAP) to DC
• W3wp.exe out TCP 636 (LDAPS) to DC
• Lsass.exe out TCP 88 (Kerberos) to DC
• Lsass.exe out UDP 88 (Kerberos) to DC
• QPMSERVICE.exe out UDP 389 (LDAP) to DC
• QPMSERVICE.exe out TCP 389 (LDAP) to DC
• Svchost.exe out ICMP

SQL connection
• W3wp.exe out UDP 1434 (SQL) to SQL
• W3wp.exe out TCP 1816 (SQL TCP Dynamic Port) to SQL
• QPMSERVICE.exe out TCP 1816 (SQL TCP Dynamic Port) to SQL

Report Server
• W3wp.exe out TCP 80 (HTTP) to Report Server
• W3wp.exe out TCP 25 (SMTP) to SMTP server
• QPMSERVICE.exe out TCP 25 (SMTP) to SMTP server

Secure Password Extension (SPE)
• Winlogon.exe out TCP 389 (LDAP) to DC
• LSASS out UDP 88 (Kerberos) to DC
• SPEnroll.exe out TCP 389 (LDAP) to DC
• Winlogon.exe out TCP 80 (HTTP) to QPM host
• SPEHtml.exe out TCP 80 (HTTP) to QPM host

For more information about the ports used by Password Manager, see Dell Support Solution 61085.
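As an added check (example script, not from the brief or the product), the following PowerShell, run on the DMZ Password Manager server, confirms that the TCP destinations listed above are reachable through the internal firewall before go-live. Host names and the SQL dynamic port are placeholder assumptions; the Global Catalog is tested on the standard port 3268, whereas the brief's figure lists it as 3266.

```powershell
# Added example: TCP reachability from the DMZ Password Manager server to LAN services.
# Host names are placeholders; replace them with your own.
$dc        = 'dc01.corp.example'      # placeholder domain controller
$sqlServer = 'sql01.corp.example'     # placeholder SQL Server host
$sqlPort   = 1816                     # dynamic port chosen by SQL; confirm in SQL Server Configuration Manager
$reportSvr = 'ssrs01.corp.example'    # placeholder Reporting Services host
$smtp      = 'smtp.corp.example'      # placeholder SMTP relay

$checks = @(
    @{ Host = $dc;        Port = 53;       Purpose = 'DNS' }
    @{ Host = $dc;        Port = 88;       Purpose = 'Kerberos' }
    @{ Host = $dc;        Port = 389;      Purpose = 'LDAP' }
    @{ Host = $dc;        Port = 636;      Purpose = 'LDAPS' }
    @{ Host = $dc;        Port = 3268;     Purpose = 'Global Catalog (standard port)' }
    @{ Host = $dc;        Port = 445;      Purpose = 'SMB (MS DS)' }
    @{ Host = $sqlServer; Port = $sqlPort; Purpose = 'SQL (dynamic port)' }
    @{ Host = $reportSvr; Port = 80;       Purpose = 'Report Server HTTP' }
    @{ Host = $smtp;      Port = 25;       Purpose = 'SMTP notifications' }
)

$results = foreach ($c in $checks) {
    # Test-NetConnection performs a TCP handshake only. The UDP paths in the
    # process list (DNS, Kerberos, LDAP, SQL Browser 1434) are not covered here.
    $r = Test-NetConnection -ComputerName $c.Host -Port $c.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Host    = $c.Host
        Port    = $c.Port
        Purpose = $c.Purpose
        Open    = $r.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

# A closed port is a firewall change request for that single rule; the DMZ
# host should have nothing open towards the LAN beyond this list.
$closed = $results | Where-Object { -not $_.Open }
if ($closed) {
    $list = ($closed | ForEach-Object { '{0}:{1}' -f $_.Host, $_.Port }) -join ', '
    Write-Warning "Unreachable from the DMZ: $list"
}
```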
Service account requirements
Password Manager service account
When you install Password Manager, you are prompted for the name and password of the Password Manager service account. For Password Manager to run successfully, the Password Manager service account must meet the following requirements:
• You need to add the Password Manager service account to the Administrators group on the web server where Password Manager is installed.
• In IIS 6.0, the Password Manager service account must be a member of the IIS_WPG local group on the web server. In IIS 7.0, the Password Manager service account must be a member of the IIS_IUSRS local group on the web server.
Permissions to access a managed domain
Usually, the Password Manager service account is used both to run the service and to access managed domains. In that case, the following permissions are required by the service account:
• Membership in the Domain Users group
• Read permission for all attributes of user objects
• Write permission for the following attributes of user objects: pwdLastSet, comment, and userAccountControl
• The right to reset user passwords
• Write permission to create user accounts in the Users container
• Read permission for attributes of the organizationalUnit object and domain objects
• Write permission for the gpLink attribute of the organizationalUnit objects and domain objects
• Read permission for attributes of the groupPolicyContainer objects
• Write permission to create and delete the groupPolicyContainer objects in the System Policies container
• Read permission for the nTSecurityDescriptor attribute of the groupPolicyContainer objects
• The permission to create and delete container and the serviceConnectionPoint objects in Group Policy containers
• Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers
• Write permission for the serviceBindingInformation and displayName attributes of the serviceConnectionPoint objects in Group Policy containers
• The permission to create container objects in the System container
• The permission to create the serviceConnectionPoint objects in the System container
• The permission to delete the serviceConnectionPoint objects in the System container
• Write permission for the keywords attribute of the serviceConnectionPoint objects in the System container
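Added example, not from the brief or the product: a PowerShell audit of the ACEs granted to the service account on the Users container against the user-object rights listed above, with a warning when the account holds GenericAll or GenericWrite instead of the narrower grants. It assumes the RSAT ActiveDirectory module and a placeholder account name, and it inspects only ACEs that name the account directly (rights obtained through group membership are not resolved). The same pattern applies to the System and Policies containers.

```powershell
# Added example: compare the service account's ACEs on CN=Users with the rights
# the brief requires, resolving schema GUIDs at run time rather than hard-coding them.
Import-Module ActiveDirectory
$svc      = 'CORP\svc-pwm'                      # placeholder: DOMAIN\sAMAccountName
$rootDse  = Get-ADRootDSE
$target   = "CN=Users,$($rootDse.defaultNamingContext)"
$AdRights = [System.DirectoryServices.ActiveDirectoryRights]

function Get-SchemaGuid([string]$ldapDisplayName) {
    # schemaIDGUID of an attribute or class, looked up in the schema partition
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
# The "Reset Password" control access right lives under Configuration\Extended-Rights.
$resetPwd = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid

$required = @(
    @{ Name = 'Write pwdLastSet';         Right = $AdRights::WriteProperty; Guid = (Get-SchemaGuid 'pwdLastSet') }
    @{ Name = 'Write comment';            Right = $AdRights::WriteProperty; Guid = (Get-SchemaGuid 'comment') }
    @{ Name = 'Write userAccountControl'; Right = $AdRights::WriteProperty; Guid = (Get-SchemaGuid 'userAccountControl') }
    @{ Name = 'Reset Password';           Right = $AdRights::ExtendedRight; Guid = ([guid]$resetPwd.rightsGuid) }
    @{ Name = 'Create user objects';      Right = $AdRights::CreateChild;   Guid = (Get-SchemaGuid 'user') }
)

# Only Allow ACEs that name the account directly; group-derived rights are not expanded.
$aces = (Get-Acl -Path "AD:\$target").Access |
    Where-Object { $_.IdentityReference.Value -eq $svc -and $_.AccessControlType -eq 'Allow' }

foreach ($req in $required) {
    # An ACE satisfies a requirement if it carries the right and is either scoped to
    # that attribute/class/right GUID or unscoped (ObjectType is the empty GUID).
    $hit = $aces | Where-Object {
        (($_.ActiveDirectoryRights -band $req.Right) -ne 0) -and
        ($_.ObjectType -eq $req.Guid -or $_.ObjectType -eq [guid]::Empty) }
    '{0,-28} {1}' -f $req.Name, $(if ($hit) { 'OK' } else { 'MISSING' })
}

# Least-privilege caveat: GenericAll/GenericWrite would pass every check above
# but grant far more than the brief lists, so report them explicitly.
$broad = $aces | Where-Object {
    $_.ActiveDirectoryRights.HasFlag($AdRights::GenericAll) -or
    $_.ActiveDirectoryRights.HasFlag($AdRights::GenericWrite) }
if ($broad) { Write-Warning "$svc holds GenericAll/GenericWrite on $target; reduce to the listed rights." }
```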
Configuration design decisions
Note that the following configurations are common but not definitive.
Managed domains
• General logon security options—Configure logon security options as shown in Figure 4. The lockout conditions configured in Password Manager should be in line with user account policy.
• Groups—Use the following groups to manage access to Password Manager and mail notifications, and to enable phased rollout and registration:
  • Groups allowed to access the Password Manager Self-Service site
  • Groups denied access to the Password Manager Self-Service site
  • Groups allowed to receive registration notifications
  • Groups denied receiving registration notifications
  • Groups allowed to receive password expiration notification
  • Groups denied receiving password expiration notification
• Challenge questions—A project is currently underway to define the questions users will have to answer for registration or password resets. To register, a user should have to answer 5–6 questions from a list of 15–20 questions. To reset the password or unlock the account, a user should have to answer 2–3 questions.
• Q&A policy—Configure Q&A policy as shown in Figure 6. The minimum answer length depends somewhat upon the question list.
Figure 4. Logon security options
Figure 5. Configuring the number of questions required to register, reset a password, or unlock an account
Figure 6. Configuring the Q&A policy
Figure 7. Configuring enforcement of Q&A profile policy
Figure 8. Configuring the self-service site
• Enforcement of Q&A profile policy—The settings for user enforcement are illustrated in Figure 7.

Settings
• Self-service site—The common configuration of the self-service site is illustrated in Figure 8.
  • Days to notify before password expires: 10
• Help desk site—The usual configuration of the help desk site is shown in Figure 9.
• Profile update policy—Figure 10 shows how the profile update policy is commonly configured. To minimize profile update requirements, ensure that the Q&A policy definition is correct before rolling it out to the entire user base.
• Reporting and logging—A SQL Server and a SQL Server Reporting Services instance are required.
• Notification—Notification is usually disabled other than for troubleshooting or other special purposes. The available settings are illustrated in Figure 11.
Figure 9. Configuring the help desk site
Figure 10. Configuring the profile update policy
Figure 11. Configuring notifications
Customization
Website and logo
The look and feel of the website can be modified; it is common to customize the logos. More details can be found in Dell Support Solution 61098.
Disaster recovery
Backing up the domain controllers
Password Manager stores all important information in Active Directory, so as long as there is a valid backup of the domain controllers, the Password Manager Q&A profiles will be recoverable. Recovering data for individual users will be much easier if you have Dell™ Recovery Manager for Active Directory.

Backing up the encryption key
Another requirement is to have a backup copy of the encryption key. By default, this key is stored on the Password Manager server at: C:\Program Files\Quest Software\Quest One Password Manager\QPMEnckey.bin

Backing up the audit database, if desired
Password Manager uses a database, DDSLogSubsystem, to store auditing information, such as who has reset a password. If this information is needed in your organization, back up the database.
A backup of the local.spr file is also recommended.
For more information about disaster recovery, see Dell Support Solution 31859.
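Added example (not the brief's own procedure): a PowerShell script that gathers the recovery artifacts named above into a dated folder, takes a full backup of DDSLogSubsystem, and writes a SHA-256 manifest so a restore can be verified. The local.spr path, SQL host and backup location are placeholder assumptions, and Invoke-Sqlcmd from the SqlServer module is assumed to be available.

```powershell
# Added example: collect Password Manager recovery artifacts with an integrity manifest.
$keyFile   = 'C:\Program Files\Quest Software\Quest One Password Manager\QPMEnckey.bin'
$sprFile   = 'C:\PLACEHOLDER\local.spr'     # placeholder: locate local.spr on your server
$sqlServer = 'sql01.corp.example'           # placeholder SQL Server hosting DDSLogSubsystem
$dest      = "D:\PMBackup\$(Get-Date -Format 'yyyyMMdd-HHmm')"   # placeholder backup root
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# The encryption key protects the Q&A profiles: the backup folder must carry a
# restrictive ACL and ideally live on separate media from the AD/DC backups.
foreach ($f in @($keyFile, $sprFile)) {
    if (-not (Test-Path -Path $f)) { Write-Warning "Missing: $f"; continue }
    Copy-Item -Path $f -Destination $dest
}

# Audit database: full backup. The path is interpreted by the SQL Server service,
# so when SQL is not on this host, $bakPath must be a share that service can write.
$bakPath = Join-Path $dest 'DDSLogSubsystem.bak'
Invoke-Sqlcmd -ServerInstance $sqlServer `
    -Query "BACKUP DATABASE [DDSLogSubsystem] TO DISK = N'$bakPath' WITH INIT"

# Manifest with SHA-256 hashes so QPMEnckey.bin and local.spr can be checked
# bit-for-bit before a restore is attempted.
Get-ChildItem -Path $dest -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Path, Hash |
    Export-Csv -Path (Join-Path $dest 'manifest.csv') -NoTypeInformation
```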
TechBrief-ConfigQ1PMmaxBene-US-VG-2013-11-20
© 2013 Dell, Inc. ALL RIGHTS RESERVED. This document contains proprietary information protected by copyright. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose without the written permission of Dell, Inc. (“Dell”).
Dell, Dell Software, the Dell Software logo and products—as identified in this document—are registered trademarks of Dell, Inc. in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners.
The information in this document is provided in connection with Dell products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Dell products. EXCEPT AS SET FORTH IN DELL’S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT,
DELL ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL DELL BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF DELL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Dell makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Dell does not make any commitment to update the information contained in this document.
About Dell Software
Dell Software helps customers unlock greater potential through the power of technology—delivering scalable, affordable and simple-to-use solutions that simplify IT and mitigate risk. The Dell Software portfolio addresses five key areas of customer needs: data center and cloud management, information management, mobile workforce management, security and data protection. This software, when combined with Dell hardware and services, drives unmatched efficiency and productivity to accelerate business results. www.dellsoftware.com.
If you have any questions regarding your potential use of this material, contact:
Dell Software, 5 Polaris Way, Aliso Viejo, CA 92656, www.dellsoftware.com. Refer to our Web site for regional and international office information.