SMS PASSCODE 7.2 ADMINISTRATOR'S GUIDE REV. 1.0 (JUNE 2014)

N/A
N/A
Protected

Academic year: 2021

Share "SMS PASSCODE 7.2 ADMINISTRATOR S GUIDE REV. 1.0 (JUNE 2014)"

Copied!
407
0
0

Loading.... (view fulltext now)

Full text

SMS PASSCODE® 7.2 ADMINISTRATOR’S GUIDE

TABLE OF CONTENTS

Table of Contents... 2

1 Introduction ... 8

2 Notation ... 8

3 New Features in Version 7.2 ... 10

3.1 Password Reset: Enhanced Support for Password Notifications ... 10

3.2 Password Reset Web Site: Adaptive Layout ... 10

3.3 Password Reset Web Site: Adaptive Authentication Flows ... 11

3.4 User Integration Policies: Import of Personal Passcodes ... 11

3.5 Cloud Application Protection: Adaptive Layout and More Languages ... 12

3.6 Token Policies: Import of Token Seed Files ... 12

3.7 Authentication Policies: Enhanced Password Brute-Force Protection ... 13

4 New Features in Version 7.0 ... 13

4.1 Secure Device Provisioning (for ActiveSync Devices) ... 13

4.2 Support for OATH Tokens ... 14

4.3 Contextual Message Dispatching ... 15

4.4 New License Management... 16

4.5 Geo-Mapping ... 16

4.6 Persistent Column Selection ... 17

4.7 Support for Windows Server 2012 R2 ... 17

4.8 Support for Windows 8.1 ... 18

4.9 Support for Outlook Web Access 2013 ... 18

4.10 Support for More Languages ... 18

4.11 Support for Multiple Password Reset Web Sites on the Same Server ... 18

4.12 Discontinued features ... 19

5 Feature Overview... 20

5.1 Authentication Clients ... 20

5.2 Security... 21

5.3 Password Reset Module ... 22

5.4 Installation ... 23

5.5 Administration ... 24

5.6 Enterprise Environment Support ... 25

6 Components ... 26


8.1 Requirements for Location and Behavior Aware Authentication ... 37

8.2 Terminal Service / Remote Desktop Service Protection ... 39

8.3 SharePoint Portal Server Protection ... 39

8.4 Installing Web Sites on a Non-DB Server in the same Domain ... 40

9 Hardware – GSM Modems ... 43

10 Infrastructure ... 43

10.1 Component Communication ... 44

10.2 Simple Installation ... 46

10.3 Standard Installation – Citrix Web Interface ... 47

10.4 Standard Installation – RADIUS Clients ... 50

10.5 Standard Installation – Enterprise Setup ... 51

10.6 Standard Installation – Total Distribution ... 53

11 Pre-Installation Actions ... 55

11.1 Check SIM Cards ... 55

11.2 Check System Requirements ... 56

11.2.1 Installation of IAS ... 58

11.2.2 Installation of NPS ... 61

11.2.3 Protection of TS/RD Web Access using IIS Web Site Protection ... 61

11.2.4 Protection of TS/RD Session Hosts using Windows Logon Protection ... 67

11.2.5 Protecting VMware View 4.x ... 70

11.2.6 Protection of SharePoint Portal Server ... 71

12 Upgrade ... 75

13 First-time Installation ... 76

13.1 Installation of Hardware ... 76

13.2 Installation of the SMS PASSCODE® Software ... 76

14 Post-Installation Actions ... 100

14.1 Overview: Location and Behavior Aware Authentication ... 101

15 Web Administration Interface ... 103

15.1 Starting the Web Administration Interface ... 103

15.2 Overview of Policy Types ... 108

15.2.1 Static Relationship between Policy Types ... 109

15.2.2 Runtime Relationship between Policy Types ... 111

15.3 General Settings ... 112

15.3.1 Miscellaneous Settings ... 113

15.3.2 Authentication Monitoring ... 115

15.3.3 Globalization Options ... 119


15.4 Maintaining License Information ... 123

15.4.1 Applying a License Key ... 124

15.4.2 License Limits ... 125

15.4.3 License Management ... 126

15.5 User Integration Policies ... 127

15.5.1 Single Versus Multi Sync Mode ... 128

15.5.2 Single Sync Mode ... 129

15.5.3 Multi Sync Mode ... 143

15.6 User Group Policies ... 145

15.6.1 Settings of a User Group Policy ... 147

15.7 Passcode Policies ... 168

15.7.1 Settings of a Passcode Policy ... 170

15.8 Authentication Policies ... 177

15.8.1 Authentication Rule Sequence ... 179

15.8.2 Settings of an Authentication Policy ... 180

15.8.3 Authentication Policy Examples ... 199

15.9 Token Policies ... 205

15.9.1 Creating a new Token Policy ... 207

15.9.2 Settings of a Token Policy in Manual Entry Mode ... 209

15.9.3 Settings of a Token Policy in Token Seed File Import Mode ... 213

15.10 Users ... 219

15.10.1 Settings of a User ... 221

15.10.2 User IP History ... 232

15.10.3 User Login History ... 234

15.10.4 Adding and Deleting Users Using AD Integration ... 235

15.11 Importing Users ... 236

15.11.1 Importing and Synchronizing Users from other Data Sources ... 237

15.12 Transmitter Hosts ... 238

15.12.1 Maintaining Authorized Transmitter Servers ... 238

15.12.2 Assigning Dispatchers to a Transmitter ... 240

15.13 Load Balancing Hosts ... 241

15.13.1 Maintaining Authorized Load Balancing Servers ... 242

15.14 GSM Modems ... 243

15.14.1 Settings of a GSM modem ... 244


15.16 Web Service Dispatchers ... 246

15.16.1 Settings of a Web Service Dispatcher ... 248

15.17 GSM Modem Groups ... 249

15.17.1 Maintaining a Modem Group ... 250

15.18 Load Balancing Policies ... 251

15.18.1 Load Balancing Rule Sequence ... 252

15.18.2 Settings of a Load Balancing Policy ... 253

15.18.3 Load Balancing Policy Examples ... 260

15.19 Authentication Monitoring ... 264

15.19.1 Column Filtering ... 266

15.19.2 Row Filtering ... 269

15.19.3 Exporting Data ... 270

15.19.4 Switching Data Source ... 271

15.19.5 Geo-mapping ... 272

15.20 Modem Monitoring ... 274

16 Self Service Web Site ... 275

16.1 Examples of Usage ... 275

16.2 Auto E-mails ... 276

16.2.1 Customizing Auto E-mails... 276

16.3 Data Updates ... 277

16.4 Security Concerns ... 277

16.5 Authentication ... 279

16.5.1 Configuring Authentication Delegation ... 281

16.6 Localization ... 285

17 Password Reset Module ... 286

17.1 Licensing ... 287

17.2 Best-Practice Setup of Password Reset... 288

17.3 Workflow for Performing a Password Reset ... 289

17.3.1 Strict Flow ... 289

17.3.2 Other Login Flows ... 293

17.4 Password Reset Infrastructure ... 296

17.5 Security Concerns ... 300

17.5.1 Publishing the Password Reset Web Site ... 300

17.5.2 Protecting the Password Reset Web Site with SSL/TLS ... 300

17.5.3 Encryption of the Network Communication with the AD Controller ... 300

17.5.4 Protecting the Password Reset Module against Attacks ... 300


17.6.1 Configure Communication with the Password Reset Backend Service ... 301

17.6.2 Protect the Password Reset Web Site using SSL/TLS ... 303

17.7 Configuring the Password Reset Backend Service ... 303

17.7.1 Setting Up a Dedicated User Account for Password Reset ... 303

17.7.2 Configure Settings of the Password Reset Backend Service ... 309

17.8 Password Reset Event Log ... 313

17.9 Localization ... 314

18 Secure Device Provisioning ... 314

18.1 Background ... 314

18.2 Features ... 315

18.3 Getting Started with Secure Device Provisioning ... 316

18.4 Configuring Microsoft Exchange Server ... 317

18.4.1 Setting External OWA URL ... 318

18.4.2 Enabling Quarantine Mode ... 322

18.5 Configurable Workflows ... 327

18.5.1 Standard Workflow ... 328

18.5.2 Other Workflows ... 334

18.5.3 Configuration of Workflows ... 335

18.6 Authentication Policy Interaction ... 337

18.6.1 Auto-approving New ActiveSync Devices ... 338

18.7 Event Logging ... 340

18.8 Localization ... 341

18.8.1 Customization of Localized Texts ... 341

19 Configuring Authentication Clients ... 342

19.1 Configuring Citrix Web Interface Protection ... 342

19.2 Configuring RADIUS Protection ... 343

19.2.1 Configuring RADIUS Protection on Windows Server 2003 ... 343

19.2.2 Configuring RADIUS Protection on Windows Server 2008 / 2012 ... 346

19.2.3 Advanced Configuration of the RADIUS Protection Component ... 350

19.3 Configuring Cloud Application Protection ... 364

19.3.1 Background ... 364

19.3.2 AD FS 2.0 Infrastructure ... 365

19.4 Configuring ISA/TMG Web Site Protection ... 367

19.4.1 Excluding Specific URLs from Multi-Factor Authentication ... 372


19.5.3 The IsapiAdmin Tool ... 374

19.5.4 ISAPI Filter Configuration File Syntax ... 378

19.6 Configuring Windows Logon Protection ... 382

19.6.1 Windows Logon User Exclusion Groups ... 382

19.6.2 Windows Logon Lock Time (GINA only) ... 382

19.6.3 Remote Desktop Logon Timeout (CP only) ... 384

19.6.4 RDP Listener Exclusion ... 385

19.6.5 Credential Provider Filtering ... 387

19.6.6 GINA Chaining ... 388

20 Configuration Tool... 388

20.1 DB Encryption ... 391

20.2 Collecting End-User IP Addresses ... 392

20.3 Command Line Arguments ... 395

21 Add/Remove Components ... 396

22 Backup and Recovery ... 397

22.1 Backup of Database Files ... 397

22.2 Backup of Configuration Tool Settings ... 398

22.3 Backup of Authentication Monitoring Archive ... 398

22.4 Backup of Auto E-mail Templates ... 398

23 Troubleshooting ... 399

23.1 SMS Transmission Problems ... 400

23.2 Error Message “Unknown user” during Authentication ... 402

23.3 Component Communication Problems ... 402

23.4 Active Directory Integration does not Work as Expected ... 404

23.5 Self Service Web Site ... 405

23.6 Password Reset Web Site ... 406

23.6.1 Fatal Error when Accessing the Password Reset Web Site ... 406

23.6.2 Access Denied when Accessing the Password Reset Web Site ... 406

23.7 Secure Device Provisioning ... 406

23.7.1 Ordinary Quarantine E-mail Received ... 406

23.7.2 No Quarantine E-mail Received ... 407

23.8 Token Authentication ... 407

© 2014 SMS PASSCODE A/S. SMS PASSCODE is a registered trademark of SMS PASSCODE A/S. All other trademarks are the property of their respective owners.


1 INTRODUCTION

This document describes how to install, configure and administer SMS PASSCODE® version 7.2.

2 NOTATION

Shorthand                            Description
ActiveSync                           Technology developed by Microsoft, used for synchronizing personal Outlook data to handheld devices.
AD                                   Active Directory
AD FS 2.0                            Active Directory Federation Services 2.0. Windows-based Federation Service that supports the WS-Trust, WS-Federation, and Security Assertion Markup Language 2.0 (SAML 2.0) protocols. Reference: http://technet.microsoft.com/en-us/library/adfs2(WS.10).aspx
CAE                                  Citrix Access Essentials
CAG                                  Citrix Access Gateway
CAS                                  Client Access Server role of a Microsoft Exchange Server installation
IAG                                  Microsoft Intelligent Application Gateway
IAS                                  Internet Authentication Service: optional component on Windows Server 2003. This component is the Microsoft implementation of a RADIUS server.
IIS                                  Internet Information Services: optional component/role on a Windows Server.
ISA                                  Internet Security and Acceleration Server. A Microsoft security gateway server.
LBP                                  Load Balancing Policy
Machine                              General term used to denote a server or a workstation.
memoPasscodes™                       An SMS PASSCODE® innovation making codes easier to read and memorize during authentication.
NPS                                  Network Policy Server: optional role on Windows Server 2008/2012. This role is the Microsoft implementation of a RADIUS server.
RDS                                  Microsoft Remote Desktop Services
PRBS                                 SMS PASSCODE® Password Reset Backend Service
PRWS                                 SMS PASSCODE® Password Reset Web Site
SMS PASSCODE® authentication client  One of the SMS PASSCODE® components Citrix Web Interface Protection, RADIUS Protection, Cloud Application Protection, IIS Web Site Protection, ISA/TMG Web Site Protection, Windows Logon Protection or Secure Device Provisioning, i.e. one of the components responsible for authentication for a specific type of client.
SMS PASSCODE® core component         One of the SMS PASSCODE® components Database Service, Web Administration Interface, Self Service Web Site, Transmitter Service or Load Balancing Service.
SDP                                  SMS PASSCODE® Secure Device Provisioning
SSWS                                 SMS PASSCODE® Self Service Web Site
TMG                                  Threat Management Gateway. A Microsoft security gateway server (the successor of the Microsoft ISA Server).
TS                                   Microsoft Terminal Service
UAG                                  Microsoft Unified Access Gateway (the successor of the Microsoft Intelligent Application Gateway)
UGP                                  User Group Policy
UIP                                  User Integration Policy

3 NEW FEATURES IN VERSION 7.2

This section summarizes the most important new features introduced in SMS PASSCODE® version 7.2.

3.1 Password Reset: Enhanced Support for Password Notifications

Previously, SMS PASSCODE® users could automatically receive a notification whenever they were locked out in the SMS PASSCODE® database. The notification system has been extended with three new types of notifications:

• AD lockout notification: automatically send out a notification to users when their AD account has been locked out
• Password pre-expiration notification: automatically send out a notification to users when their password is about to expire
• Password expiration notification: automatically send out a notification to users when their password has just expired

Each notification type is optional, and the content of each notification type is customizable (per User Group Policy). By default, each notification message contains the URL of the SMS PASSCODE® Password Reset Web Site, so that users can handle password issues by themselves in a convenient and effective way.

Please note that Password Reset CALs are a prerequisite for using the three new types of notifications.

Please read section 15.6.1.2 (page 151) for more details.

3.2 Password Reset Web Site: Adaptive Layout

The user interface of the SMS PASSCODE® Password Reset Web Site (PRWS) has been re-designed completely, now providing a modern, adaptive layout. The web site is very responsive and automatically adapts to different screen resolutions, across desktop PCs, laptops, tablets and mobile devices.

Combined with the three new password notification types listed above, this provides optimal password reset assistance, letting users reset their passwords directly on their smartphones as they receive a notification containing the URL of the PRWS. Just a simple click on the URL is required to launch the PRWS directly on the device.

3.3 Password Reset Web Site: Adaptive Authentication Flows

Previously, it was only possible to log in to the Password Reset Web Site in one way: entering username, then personal passcode, then one-time passcode (OTP). It is now optionally possible to configure different types of authentication flows depending on the login context. To allow this, the Authentication Policies have been extended with a new Password reset flow setting.

For example, it is now possible to configure the system to use more convenient authentication flows when logging in from trusted environments, such as requesting only username and OTP when logging in from the internal network. Relaxing the flow removes one factor from the reset, so the contexts treated as trusted should be chosen accordingly.

Please read sections 15.8.2.5 (page 187) and 17.3 (page 289) for more details.

3.4 User Integration Policies: Import of Personal Passcodes

The User Integration Policies have been extended to also allow import of personal passcodes from AD. This provides an easy way to maintain personal passcodes for password reset, in case an existing AD attribute can be used, such as an internal employee number stored in AD. Transformations are supported, in case only a part of each imported value should be used. Bear in mind that the imported value becomes a factor in the password reset flow, so an attribute that is widely known within the organization gives correspondingly weaker protection than a passcode chosen by the user.

3.5 Cloud Application Protection: Adaptive Layout and More Languages

The SMS PASSCODE® Cloud Application Protection component has been enhanced in two ways:

• The user interface of the SMS PASSCODE® Cloud Application Protection (AD FS 2.0) component has been re-designed completely, now providing a modern, adaptive layout. The web site automatically adapts to different screen resolutions, across desktop PCs, laptops, tablets and mobile devices.
• The localization of the user interface has been extended with additional languages. The following 17 languages are now supported: Czech, Danish, Dutch, English, Finnish, French, German, Hungarian, Italian, Korean, Norwegian, Polish, Romanian, Russian, Spanish, Swedish and Turkish.

3.6 Token Policies: Import of Token Seed Files

In SMS PASSCODE® version 7.0, support for OATH tokens was introduced, allowing both OATH compliant hardware and software tokens to be used for authentication. In version 7.2, a feature for import of token seed files has been added to Token Policies. This allows one or more token seed files to be imported into a Token Policy, after which tokens can be assigned to users through the serial numbers of the tokens. The serial numbers can be entered by the administrator in the Web Administration Interface, or alternatively by the users themselves in the SMS PASSCODE® Self Service Web Site (if allowed to).

Supported token seed file formats: CSV and PSKC. Please read section 15.9.3 (page 213) for more details.

3.7 Authentication Policies: Enhanced Password Brute-Force Protection

Previously, if a password brute-force attack was suspected, the user would be locked out from the SMS PASSCODE® database permanently. It is now possible to configure the system for a more relaxed behavior, where the user is initially locked out temporarily, and then eventually locked out permanently if the attack continues.

Please read section 15.8.2.2 (page 181) for more details.
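As an added illustration of the escalating behavior described above (this is example code written for this page, not SMS PASSCODE's implementation; the thresholds, durations and class names are assumed values chosen for the example), the policy can be modelled as a small per-user state machine: failures accumulate into a temporary lockout, temporary lockouts accumulate into a permanent one, and a successful login resets the escalation.

```python
"""Added example (not SMS PASSCODE code): escalating brute-force lockout.
Repeated failed password attempts first lock the user temporarily; if the
failures continue across several temporary lockouts, the lock becomes permanent."""
import time
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    # All three thresholds are assumed values for this example, not product defaults.
    failures_per_lockout: int = 5        # failed attempts that trigger a temporary lockout
    temp_lock_seconds: int = 900         # duration of each temporary lockout
    lockouts_before_permanent: int = 3   # temporary lockouts before locking permanently


@dataclass
class UserState:
    failures: int = 0          # consecutive failures since the last lockout or success
    temp_lockouts: int = 0     # temporary lockouts since the last successful login
    locked_until: float = 0.0  # epoch seconds; 0 when no temporary lock is active
    permanent: bool = False


class BruteForceGuard:
    """Tracks failed attempts per user. The guard is meant to be consulted before
    credentials are forwarded to the directory, so that an attacker exhausts the
    lock on this side instead of driving the AD account into lockout."""

    OPEN, TEMPORARY, PERMANENT = "open", "locked-temporary", "locked-permanent"

    def __init__(self, policy=None, clock=time.time):
        self.policy = policy or LockoutPolicy()
        self.clock = clock          # injectable so the behavior can be tested offline
        self.users = {}

    def status(self, user):
        s = self.users.setdefault(user, UserState())
        if s.permanent:
            return self.PERMANENT
        if self.clock() < s.locked_until:
            return self.TEMPORARY
        return self.OPEN

    def record_attempt(self, user, password_ok):
        """Record one login attempt and return the user's status afterwards.
        Attempts made while locked are rejected without being counted, so an
        attacker cannot extend or escalate a lock that is already in force."""
        status = self.status(user)
        if status != self.OPEN:
            return status
        s = self.users[user]
        if password_ok:
            s.failures = 0
            s.temp_lockouts = 0
            return self.OPEN
        s.failures += 1
        if s.failures < self.policy.failures_per_lockout:
            return self.OPEN
        # Threshold reached: escalate from temporary to permanent lockout.
        s.failures = 0
        s.temp_lockouts += 1
        if s.temp_lockouts >= self.policy.lockouts_before_permanent:
            s.permanent = True
            return self.PERMANENT
        s.locked_until = self.clock() + self.policy.temp_lock_seconds
        return self.TEMPORARY

    def unlock(self, user):
        """Administrative reset: the only way out of a permanent lock."""
        self.users[user] = UserState()


if __name__ == "__main__":
    guard = BruteForceGuard(LockoutPolicy(failures_per_lockout=3, temp_lock_seconds=60))
    for _ in range(3):
        print(guard.record_attempt("alice", password_ok=False))
```

The temporary lock expires by itself, which is what keeps a legitimate user from being locked out for good by a single burst of guesses; the permanent lock is deliberately only clearable by an administrator.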

4 NEW FEATURES IN VERSION 7.0

This section summarizes the most important new features that were introduced in SMS PASSCODE® version 7.0.

4.1 Secure Device Provisioning (for ActiveSync Devices)

SMS PASSCODE® version 7.0 introduced a completely new component, called SMS PASSCODE® Secure Device Provisioning. This component provides a very secure, yet convenient way for end-users to approve an ActiveSync device for getting access to their Exchange mailbox.

Background: Out-of-the-box, Microsoft Exchange Server 2010 and 2013 support selective approval of ActiveSync devices. Any new, non-approved ActiveSync device can be put into quarantine mode automatically, until an administrator has approved the device.

The problem with this approach, especially in bigger companies, is: How does the administrator know whether to approve a quarantined device or not? How to distinguish between a valid user device and a hacker attempting to get access to a user’s e-mail using the ActiveSync protocol? A traditional approach is to implement a manual approval procedure, which takes up extra time for internal IT and blocks users from accessing their e-mail until the devices have been approved. This causes unnecessary delays and loss of worker productivity. The best approach for solving the above problem is to enable the end-users to approve any new ActiveSync device by themselves. This supports a people-centric BYOD culture. When done securely, user-driven device provisioning is more convenient, more secure, and frees IT of the burden of being responsible for the approval process.

SMS PASSCODE® Secure Device Provisioning builds on top of the existing Microsoft Exchange Server functionality, extending it to allow end-users to easily approve new devices by themselves without compromising security. Security is maintained by leveraging SMS PASSCODE’s multi-factor authentication engine for approving a new device. This means, among other things, that SMS PASSCODE’s Authentication Policies

PASSCODE® system to use secure provisioning using multi-factor authentication in some contexts, while at the same time allowing simple auto-provisioning without requiring multi-factor authentication in other contexts, e.g. in case devices are connected to a trusted network like the internal Wi-Fi within your organization.

SMS PASSCODE’s brute-force attack protection also applies to ActiveSync devices, preventing lockout of AD accounts due to password brute-force attacks.

Please read section 18 (page 314) for more details about configuring and using the SMS PASSCODE® Secure Device Provisioning component.

4.2 Support for OATH Tokens

SMS PASSCODE® version 7.0 introduced support for OATH compliant tokens. The token support is very flexible, allowing you to configure the exact types of tokens used in your organization:

• Support for OATH compliant hardware tokens and software tokens
• Support for event-based (HOTP) and time-based (TOTP) OATH tokens
  o Support for time-based tokens with any time-step size (e.g. 30 or 60 seconds between OTPs)
• Support for OATH tokens with 6, 7 or 8 digits

Configuration of tokens is performed using Token Policies, a new type of policy added to the policy-driven administration of SMS PASSCODE®. As an administrator, you may optionally allow end-users to select a Token Policy by themselves using the SMS PASSCODE® Self-Service Web Site. This gives end-users the flexibility of choosing by themselves the type of token to use, e.g. choosing between Microsoft Authenticator and Google Authenticator.

Optionally, Token Policies can be configured to allow end-users easy self-enrollment of software tokens: the user logs in to the SMS PASSCODE® Self-Service Web Site, generates a random token ID by the push of a button, and finally completes the configuration of the software token by scanning a QR code that is presented automatically.
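The two token features (seed file import in section 3.6 and the HOTP/TOTP, time-step and digit-count options above) rest on two standards: PSKC (RFC 6030) on the import side and HOTP/TOTP (RFC 4226 / RFC 6238) on the verification side. The following Python is an added example written for this page, not code from SMS PASSCODE: it parses a constructed, unencrypted PSKC file containing two tokens, computes HOTP and TOTP for any digit count and time step, and verifies submitted values with a look-ahead window and replay protection. The serial numbers, the `hotp`/`totp` algorithm URIs, the look-ahead and drift windows and the `parse_pskc`/`verify_*` names are assumptions for the example; the seed is the RFC test seed, so the values can be checked against the published test vectors.

```python
"""Added example (not SMS PASSCODE code): parse a minimal, unencrypted
PSKC (RFC 6030) token seed file and verify OATH HOTP/TOTP values."""
import base64
import hashlib
import hmac
import struct
import time
import xml.etree.ElementTree as ET

NS = {"pskc": "urn:ietf:params:xml:ns:keyprov:pskc"}

# Constructed sample seed file. Both tokens carry the RFC 4226 / RFC 6238
# test seed "12345678901234567890" (base64 below), so the OTPs computed
# from it can be compared with the test vectors in those RFCs.
SAMPLE_PSKC = """<KeyContainer Version="1.0" xmlns="urn:ietf:params:xml:ns:keyprov:pskc">
  <KeyPackage>
    <DeviceInfo><SerialNo>TOKEN000001</SerialNo></DeviceInfo>
    <Key Id="TOKEN000001" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:hotp">
      <AlgorithmParameters><ResponseFormat Length="6" Encoding="DECIMAL"/></AlgorithmParameters>
      <Data>
        <Secret><PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue></Secret>
        <Counter><PlainValue>0</PlainValue></Counter>
      </Data>
    </Key>
  </KeyPackage>
  <KeyPackage>
    <DeviceInfo><SerialNo>TOKEN000002</SerialNo></DeviceInfo>
    <Key Id="TOKEN000002" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:totp">
      <AlgorithmParameters><ResponseFormat Length="8" Encoding="DECIMAL"/></AlgorithmParameters>
      <Data>
        <Secret><PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue></Secret>
        <TimeInterval><PlainValue>30</PlainValue></TimeInterval>
      </Data>
    </Key>
  </KeyPackage>
</KeyContainer>
"""


def parse_pskc(xml_text):
    """Return {serial_number: token} for each Key in an unencrypted PSKC file.
    Only <PlainValue> secrets are handled; encrypted PSKC is out of scope here."""
    root = ET.fromstring(xml_text)
    tokens = {}
    for pkg in root.findall("pskc:KeyPackage", NS):
        serial = pkg.findtext("pskc:DeviceInfo/pskc:SerialNo", namespaces=NS)
        key = pkg.find("pskc:Key", NS)
        fmt = key.find("pskc:AlgorithmParameters/pskc:ResponseFormat", NS)
        data = "pskc:Data/pskc:{}/pskc:PlainValue"
        tokens[serial] = {
            "algorithm": key.get("Algorithm").rsplit(":", 1)[-1],  # "hotp" or "totp"
            "digits": int(fmt.get("Length", "6")) if fmt is not None else 6,
            "seed": base64.b64decode(key.findtext(data.format("Secret"), namespaces=NS)),
            "counter": int(key.findtext(data.format("Counter"), default="0", namespaces=NS)),
            "time_step": int(key.findtext(data.format("TimeInterval"), default="30", namespaces=NS)),
        }
    return tokens


def hotp(seed, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed, digits=6, time_step=30, at=None):
    """RFC 6238: HOTP with the counter replaced by the current time step."""
    t = int(time.time() if at is None else at)
    return hotp(seed, t // time_step, digits)


def verify_hotp(token, submitted, look_ahead=10):
    """Accept a value from the next look_ahead counters (the token may have been
    pressed without logging in). On success the stored counter moves past the
    used value, so the same OTP can never be accepted twice."""
    for c in range(token["counter"], token["counter"] + look_ahead):
        if hmac.compare_digest(hotp(token["seed"], c, token["digits"]), submitted):
            token["counter"] = c + 1
            return True
    return False


def verify_totp(token, submitted, at=None, drift_steps=1):
    """Accept the current step plus/minus drift_steps, but never a step at or
    before the last accepted one: that is what stops replay within the window."""
    t = int(time.time() if at is None else at)
    step = t // token["time_step"]
    for s in range(step - drift_steps, step + drift_steps + 1):
        if s <= token.get("last_step", -1):
            continue
        if hmac.compare_digest(hotp(token["seed"], s, token["digits"]), submitted):
            token["last_step"] = s
            return True
    return False


if __name__ == "__main__":
    tokens = parse_pskc(SAMPLE_PSKC)
    print(hotp(tokens["TOKEN000001"]["seed"], 0))          # RFC 4226 vector: 755224
    print(totp(tokens["TOKEN000002"]["seed"], 8, 30, 59))  # RFC 6238 vector: 94287082
```

A CSV seed file needs only a different loader producing the same token dictionaries. Whatever the format, the imported file contains the raw seeds and must be handled as a secret in its own right: anyone holding it can compute every OTP the tokens will ever produce.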


4.3 Contextual Message Dispatching

In version 6.1 SMS PASSCODE® introduced Authentication Policies and the patent-pending technology of location and behavior aware authentication, in short “contextual authentication”. Since then it has been widely recognized that the principles of contextual authentication extend SMS PASSCODE® to provide a much more secure, yet flexible authentication system than traditional MFA systems. From one perspective, Authentication Policies provide you the option of increasing security, using context aware protection rules like geo-fencing; from another perspective, Authentication Policies give you full flexibility of balancing security and convenience at the level of your choice. E.g. you might enable SMS PASSCODE® to intelligently skip MFA for logins from special contexts, like self-learned trusted IP addresses, e.g. home workplaces.

In version 7.0, Authentication Policies were extended even more, introducing dynamic override of Load Balancing Policies and Passcode Policies. This means that Authentication Policies can, depending on the current authentication context, decide to override the Load Balancing Policy and/or Passcode Policy to use for the actual dispatching of a one-time passcode. Once again, this increases flexibility, allowing you to configure the system according to your specific needs. As an example, you can configure the system to prefer SMS over voice call dispatching during logins from Europe, while preferring voice call over SMS dispatching during logins from North and South America. Yet another example is to send one-time passcodes to your mobile phone by default, but perform a voice call to a fixed-line phone number when you are logging in from a branch office. Please read section 15.8.2.5 (page 187) for more details regarding contextual message

4.4 New License Management

Previously, there was no separation between creating a user in the SMS PASSCODE® database and allocating a client access license (CAL) to the user, i.e. any user created in the database was automatically allocated a CAL.

For greater flexibility, SMS PASSCODE® version 7.0 introduced a new license management system, which makes it possible to create or import users into the SMS PASSCODE® database without taking licensing into account; license allocations are handled independently afterwards.

This has several advantages, among others:

• It is possible to allocate MFA CALs and Password Reset CALs independent of each other, i.e. you can assign MFA CALs only, Password Reset CALs only, or both types of CALs to any subset of users.
• Previously, an AD sync would skip importing some users if you ran out of CALs. With the new logic, the AD sync imports all users, giving you a good overview in the Web Administration Interface of which users are missing a CAL.

For more details about the new License Management logic and administering CAL allocations, please read sections 7 (page 30), 15.4 (page 123) and 15.6.1.5 (page 165).

4.5 Geo-Mapping

The Authentication Monitoring page in the Web Administration Interface was enhanced with a new Geo-Mapping feature. This feature allows you to visualize any subset of the SMS PASSCODE® authentication attempts collected in your system on a world map. E.g. you may

The world map is interactive, allowing you to click on any country to get detailed login statistics.

For more details regarding Geo-mapping, please read section 15.19.5 (page 272).

4.6 Persistent Column Selection

Previously, when customizing the columns shown in data grids on different pages of the Web Administration Interface, these column customizations were lost whenever the browser was closed and re-opened. Starting from SMS PASSCODE® version 7.0, column selections are persisted individually per user.

4.7 Support for Windows Server 2012 R2

In SMS PASSCODE® version 7.0, most components were tailored to support Windows Server 2012 R2. This applied to:

• All SMS PASSCODE® core components
• SMS PASSCODE® RADIUS Protection
• SMS PASSCODE® IIS Web Site Protection [1]
• SMS PASSCODE® Windows Logon Protection

[1] Please note that protection of Remote Desktop Web Access sites is no longer supported on Windows Server 2012 (R2) using the IIS Web Site Protection component. The Windows Logon Protection component must be used instead (cf. section 8.2, page 34).

4.8 Support for Windows 8.1

In SMS PASSCODE® version 7.0, SMS PASSCODE® Windows Logon Protection was enhanced to support Windows 8.1.

4.9 Support for Outlook Web Access 2013

In SMS PASSCODE® version 7.0, the SMS PASSCODE® IIS Web Site Protection component was enhanced to support protection of Outlook Web Access (OWA) 2013.

It is a requirement that the OWA 2013 site is configured to use form-based authentication (FBA).

4.10 Support for More Languages

In SMS PASSCODE® version 7.0, end-user related content was localized to more languages. The SMS PASSCODE® Self-Service Web Site, the SMS PASSCODE® Password Reset Web Site, and the SMS PASSCODE® Secure Device Provisioning Web Site were localized to the following 17 languages: Czech, Danish, Dutch, English, Finnish, French, German, Hungarian, Italian, Korean, Norwegian, Polish, Romanian, Russian, Spanish, Swedish and Turkish.

4.11 Support for Multiple Password Reset Web Sites on the Same Server

SMS PASSCODE® version 7.0 introduced the possibility to host several SMS PASSCODE® Password Reset Web Sites in the same IIS (on the same server), allowing each such web site to connect to a separate SMS PASSCODE® Password Reset Backend Service.

4.12 Discontinued Features

The SMS PASSCODE® Citrix Web Interface Protection component no longer supports Citrix Web Interface versions 4.5, 5.0.x, 5.1.x and 5.2.x.

5 FEATURE OVERVIEW

SMS PASSCODE® is a versatile multi-factor authentication system with an extensive list of features. The most important of these features are described in the following subsections.

5.1 Authentication Clients

SMS PASSCODE® provides comprehensive protection for a broad range of authentication clients. The following clients are currently supported:

• Citrix Web Interface
• RADIUS clients. Supported are:
  o Checkpoint
  o Cisco
  o Citrix Access Gateway
  o Juniper
  o Microsoft Intelligent Application / Unified Access Gateway (IAG/UAG)
  o Microsoft SharePoint Portal Server [2]
  o Any other RADIUS client supporting PAP with challenge/response
  o Any other RADIUS client supporting MS-CHAP v2 [3]
• Cloud Applications protected by AD FS 2.0
  Supports protection of any web applications that use form-based authentication and are protected by AD FS 2.0 using SAML 2.0, WS-Federation or WS-Trust. Examples are:
  o Microsoft Office 365 Web Clients
  o Google Apps
  o SalesForce
• ISA/TMG Web Sites
  Supports protection of web sites that have been published through a Microsoft ISA/TMG server using a Web Listener, e.g.:
  o Outlook Web Access
  o Terminal Service Web Access (Windows Server 2008)
  o Microsoft SharePoint Portal Server
  o IIS web sites using Basic or Integrated Windows Authentication
  o Any web site not requiring any pass-through authentication (authentication delegation)
• Internet Information Services (IIS) Web Sites
  Supports protection of the following types of IIS web sites:
  o Outlook Web Access 2007 / 2010 / 2013
  o Terminal Service Web Access (Windows Server 2008)
  o Remote Desktop Web Access (Windows Server 2008 R2)
  o IIS Web Sites using Basic or Integrated Windows Authentication
• Windows Logon
  Protection of:
  o Terminal Service (RDP connections)
  o Windows servers
  o Windows workstations
• Secure Device Provisioning (for ActiveSync Devices)
  Protection for secure provisioning of ActiveSync devices accessing the following versions of Exchange Server:
  o Exchange Server 2010
  o Exchange Server 2013

[2] Protection of SharePoint Portal Server using RADIUS is only supported if the SharePoint Portal Server is published through an Application Gateway that ensures that the user is only requested to authenticate once during the initial logon, e.g. using the Microsoft IAG/UAG, Citrix Access Gateway Enterprise Edition or

SMS PASSCODE® is fully integrated into all supported authentication clients. No extra user actions are necessary to trigger the transmission of passcodes; the authentication is very intuitive, which makes user training unnecessary.

5.2 Security

SMS PASSCODE® provides improved security from several aspects. From a technical point of view, SMS PASSCODE® provides these important security features:

• Strong authentication security with protection against modern internet threats such as advanced phishing attacks, because passcodes are:
  o Session-specific (unlike hardware-token based solutions)
  o Randomly created in real time, without the use of any deterministic algorithm (unlike hardware-token based solutions as well as many competing message-based solutions)
  o Challenge-based
  o Time-constrained
• Patent-pending location and behavior aware authentication for even stronger security, making it possible to prohibit access or alert users in case of advanced attacks like some cases of man-in-the-middle attacks
• Cryptographically strong random passcodes, generated using FIPS 140 validated crypto modules
• Configurable passcode length, complexity and lifetime
• Strong encryption
  o Built-in 256-bit AES encryption of all network communication
  o Optional 256-bit AES encryption of the database files
• Brute-force attack protection
  o Automatic lockout of users on consecutive incorrect password entries
  o Automatic lockout of users on consecutive incorrect passcode entries
• Denial-of-service attack protection
• Lockout notification
  o Optional feature, immediately notifying a user in the event of a user lockout, thereby giving the user the chance to take immediate counteractions in case the event is unexpected.

From a user perspective, SMS PASSCODE® provides increased security compared to e.g. traditional hardware-token based solutions due to:

• High user awareness of a stolen or lost cell phone means a shorter period before counter-actions are taken
• High user awareness of the necessity to block the SIM card of a stolen or lost cell phone to prevent misuse, which implies lock-down of access using SMS PASSCODE®
• Users can lock their stolen or lost cell phone (SIM card) themselves, meaning faster reaction and a shorter period of security breach
• Users are automatically alerted in case their user credentials have been stolen, since they will start receiving passcode messages not requested by themselves
• Users are alerted by irregularities in the contextual message information, in case location and behavior aware authentication has been enabled
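To make the first technical bullet concrete, here is an added Python example (not SMS PASSCODE code; the class name, passcode length and lifetime are assumptions chosen for the example) of passcodes that are session-specific, generated from a CSPRNG rather than derived from a seed, time-constrained and single-use. It also shows the two checks a message-based OTP verifier should not skip: binding the code to the session that requested it, and comparing in constant time.

```python
"""Added example (not SMS PASSCODE code): session-specific, randomly generated,
time-limited, single-use passcodes, as opposed to pre-computed token values."""
import hashlib
import hmac
import secrets
import time


class PasscodeIssuer:
    def __init__(self, digits=6, lifetime_seconds=120, clock=time.time):
        self.digits = digits
        self.lifetime = lifetime_seconds
        self.clock = clock            # injectable so expiry can be tested offline
        self._pending = {}            # session_id -> (passcode_hash, expires_at)

    def _digest(self, session_id, passcode):
        # Bind the code to the session before hashing, so a code captured from
        # one login session is worthless in any other session.
        return hashlib.sha256(f"{session_id}:{passcode}".encode()).digest()

    def issue(self, session_id):
        """Create a fresh passcode for this login session and return it for
        dispatch (SMS, voice call, ...). Only a hash is retained server-side.
        secrets (a CSPRNG) is used on purpose: there is no seed and no algorithm
        from which the next code could be predicted."""
        passcode = str(secrets.randbelow(10 ** self.digits)).zfill(self.digits)
        expires_at = self.clock() + self.lifetime
        self._pending[session_id] = (self._digest(session_id, passcode), expires_at)
        return passcode

    def verify(self, session_id, submitted):
        """Single-use check: the pending entry is consumed on every attempt, right
        or wrong, so a guess gets exactly one try before a new challenge is needed
        (counting those failures towards a lockout is a separate concern)."""
        entry = self._pending.pop(session_id, None)
        if entry is None:
            return False               # no challenge outstanding for this session
        expected_hash, expires_at = entry
        if self.clock() > expires_at:
            return False               # time-constrained: stale code is rejected
        # Constant-time comparison so the response time leaks nothing about
        # how many leading digits of the guess were right.
        return hmac.compare_digest(expected_hash, self._digest(session_id, submitted))


if __name__ == "__main__":
    issuer = PasscodeIssuer()
    code = issuer.issue("login-session-1")
    print(code, issuer.verify("login-session-1", code), issuer.verify("login-session-1", code))
```

Consuming the entry on a wrong attempt forces a new challenge, which is what keeps a captured or guessed code from being tried repeatedly against the same session; a deployment would pair this with the password and passcode lockout counters listed above.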

5.3 Password Reset Module

Many IT helpdesks struggle with the burden of helping end users with password related issues. There are several reasons why this happens. Some examples are:

 End users are requested to change their password frequently. It sometimes happens during this process that users forget the new password they chose.

 When end users forget their password, they often try to guess it, attempting logins with different password entries. This usually results in user accounts becoming locked out.

 When end users are requested to change their password, they do not always notice prior warnings about this, potentially resulting in blocked access to IT systems.

In many cases, users will not be able to get access to relevant IT systems and continue work until the IT helpdesk has been able to resolve the problem.

The SMS PASSCODE® Password Reset Module was introduced to lessen the burden on IT helpdesks related to password issues, while at the same time making it quicker and simpler for end users to reset their password, when needed. As a result, users can regain access to required IT systems and continue work immediately.


Important characteristics of the SMS PASSCODE® Password Reset module are:

 Convenient:

The SMS PASSCODE® Password Reset Module provides a web site, where users can reset their own Active Directory password. It is very intuitive to use. Several authentication flows are supported to let users reset their password, for example using their user ID and the personal passcode that was entered (during activation) in the SMS PASSCODE® Self Service Web Site, followed by a one-time passcode (OTP).

 Hassle-free real-time notifications:

An important part of a password reset system is to ensure that a user is aware of the possibility of resetting his / her password, when needed. The SMS PASSCODE® Password Reset Module ensures this in a hassle-free way, without the need to install additional software on PCs or smartphones, by making intensive use of automated real-time notifications.

Several types of notifications exist in SMS PASSCODE®, each of which can be enabled or disabled as required. The idea is that a user will automatically receive a notification that reminds him about the possibility to reset his password, whenever it seems relevant. The following types of notifications are provided:

 SMS PASSCODE® lockout notification

o Notifies a user, whenever he is locked out from the SMS PASSCODE® system due to several log in attempts with a wrong password

 AD lockout notification

o Notifies a user, whenever he is locked out from AD

 Password pre-expiration notification

o Notifies a user, whenever his AD password will expire soon (e.g. within the next 3 days)

 Password expiration notification

o Notifies a user, whenever his AD password has just expired

The content of each notification type is customizable. By default, each message contains the URL of the SMS PASSCODE® Password Reset Web Site. This is a user-friendly, effective way to remind the user about the possibility to reset his password by himself, and additionally to inform him where and how to do it.

Note: If a user succeeds in resetting his password, the SMS PASSCODE® Password Reset module will automatically unlock the user, if he was locked out, whereby the user regains access to all relevant systems.

5.4 Installation

Installation of SMS PASSCODE® is very simple, since SMS PASSCODE® is an “out-of-the-box” end-to-end solution containing all necessary software and hardware. Simply connect the included GSM modem(s) to your servers, install the software, and you are ready.


The component architecture of SMS PASSCODE® offers maximum flexibility of installation, allowing distribution of SMS PASSCODE® components according to your specific needs.

Unlike traditional hardware-token based solutions, SMS PASSCODE® works without distribution of any hardware-tokens. As a result, the logistic overhead involved is minimal and roll-out is much faster. You can get SMS PASSCODE® up and running with thousands of users within minutes. Just extract all cell phone numbers from your Active Directory, or import them from a comma-separated file, or even let the users enter the cell phone numbers themselves using the SMS PASSCODE® Self Service Web Site.

5.5 Administration

The daily administration of SMS PASSCODE® is simple due to:

 No logistic overhead regarding administration and distribution of hardware-tokens.

 No need to involve IT personnel in the event of a lost cell phone, since users will quickly discover the loss and act on their own initiative to block the SIM card.

 Smart policy-driven administration making it easy to maintain settings on a system wide level, user group level or individual user level.

 No need to involve IT personnel when end-users have to enter or change personal data like (mobile) phone numbers. The IT personnel can optionally allow end-users to maintain such data themselves using the SMS PASSCODE® Self Service Web Site.

 No need to involve IT personnel when users have forgotten their AD password. The IT personnel can optionally allow end-users to reset their own AD password in a secure manner using the SMS PASSCODE® Password Reset Module.

Additionally SMS PASSCODE® includes an excellent Active Directory Integration feature that allows administration of SMS PASSCODE® users in your Active Directory. The AD Integration features are:

 Works “out-of-the-box”. No schema extension of your AD is needed!

 Supports both LDAP and Global Catalog lookups.

 Supports encrypted secure communication (for both LDAP and Global Catalog lookups).

 Supports extraction of users from multiple separate AD Domains.

 Supports nested groups including groups from child domains and trusted domains.

 Customizable extraction of several user attributes from the AD, like (mobile) phone numbers, e-mail addresses and token IDs. Even searching through a prioritized list of AD attributes is possible.


5.6 Enterprise Environment Support

Failover and scalability is very important in enterprise environments. SMS PASSCODE® provides failover and scalability on all levels thus providing unmatched support for enterprise environments:

 Database level:

Each SMS Transmitter service and Load Balancing service cache all data locally – meaning independence of backend database and high scalability. I.e. system operation is maintained even in the event that the backend database is down.

 Transmitter level:

A load balancing service provides intelligent distribution of all incoming requests to many transmitter services, thereby providing full failover and load balancing between all transmitter services. I.e. system operation is maintained even in the event that a transmitter service is down. An unlimited number of transmitter services are supported.

 GSM Modem level:

Each transmitter supports a modem pool containing up to 32 GSM modems, thereby providing full failover and load balancing between all modems in a pool. I.e. system operation is maintained even in the event of a GSM modem being down. If SIM cards from different carriers are used, then you can even obtain failover on the GSM service provider level.

 Authentication client level:

Each authentication client may forward incoming requests to several transmitter services or load balancing services. I.e. system operation is maintained even in case some of the transmitter services or load balancing services are down. An unlimited number of transmitter services and load balancing services are supported.

 Authentication type level:

Global diversities of messaging infrastructures can be a challenge for global enterprises. SMS PASSCODE® addresses this issue by providing support for several passcode dispatching mechanisms and authentication mechanisms. Users with specific needs can be set to receive one-time-passcodes by e-mail, voice calls or web service SMS; or be allowed to authenticate using hardware tokens, software tokens or time-constrained personal passcodes.

Additionally, using Load Balancing Policies it is possible to control the load balancing of passcode messages across all GSM modems or other passcode dispatchers at a granular level. Since the Load Balancing Policies are very flexible, the number of possibilities is enormous. Some examples of the usage are:

Prefix load balancing: Group modems according to the country where they are located. Preferably send SMS messages from GSM modems with SIM cards having the same phone number prefix as the receiver. Additionally, users with specific mobile number prefixes can be set to receive passcodes by alternative dispatching mechanisms, i.e. by e-mail, voice call or web service SMS.

GSM service provider failover: Group modems according to the GSM service provider of the SIM cards. Preferably send SMS messages using a selected GSM service provider, but use another one for failover (e.g. automatically send another passcode using a second service provider if the first passcode could not be sent or was not entered within a specified time limit).

GSM receiver failover: Allocate both a primary and a secondary cell phone number to some users. Automatically send another passcode to the secondary cell phone if the first passcode could not be sent or was not entered within a specified time limit.
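The three Load Balancing Policy examples above, modelled as an added Python illustration that is not SMS PASSCODE code: a constructed modem pool with two carriers in one country and one abroad, an alternative dispatcher for one number prefix, and a dispatch routine that applies prefix load balancing first, then GSM service provider failover, then GSM receiver failover. Modem names, carriers, phone numbers and the `send` callback (which stands in for "passcode delivered and entered within the time limit") are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Modem:
    name: str      # constructed modem identifier
    carrier: str   # GSM service provider of the SIM card
    prefix: str    # phone number prefix of the SIM card, e.g. "+45"


@dataclass(frozen=True)
class User:
    user_id: str
    primary: str                      # primary cell phone number
    secondary: Optional[str] = None   # optional secondary number (receiver failover)


# One dispatch attempt: (dispatcher name, receiver number, "ok" or "failed")
Attempt = Tuple[str, str, str]


class PasscodeDispatcher:
    """Applies prefix load balancing, provider failover and receiver failover."""

    def __init__(self, modems: List[Modem], preferred_carrier: str,
                 alt_dispatchers: Dict[str, str]) -> None:
        self.modems = list(modems)
        self.preferred_carrier = preferred_carrier
        # receiver prefix -> alternative mechanism ("email", "voice", "webservice-sms")
        self.alt_dispatchers = alt_dispatchers
        self._rr: Dict[str, int] = {}   # per-carrier round-robin position

    def carrier_order(self, number: str) -> List[str]:
        """Carriers to try, in order: carriers holding a SIM whose prefix matches
        the receiver first, the preferred carrier first among those, then the rest."""
        def rank(m: Modem) -> Tuple[bool, bool]:
            return (not number.startswith(m.prefix), m.carrier != self.preferred_carrier)
        order: List[str] = []
        for m in sorted(self.modems, key=rank):
            if m.carrier not in order:
                order.append(m.carrier)
        return order

    def modem_order(self, number: str, carrier: str) -> List[Modem]:
        """Modem pool of one carrier (same-prefix SIMs preferred), rotated round-robin
        so consecutive messages are spread across the pool."""
        pool = [m for m in self.modems if m.carrier == carrier]
        group = [m for m in pool if number.startswith(m.prefix)] or pool
        i = self._rr.get(carrier, 0) % len(group)
        self._rr[carrier] = i + 1
        return group[i:] + group[:i]

    def dispatch(self, user: User, send: Callable[[str, str], bool]) -> List[Attempt]:
        """Send a passcode to the primary number, then to the secondary number if the
        first could not be delivered or was not entered in time (receiver failover).
        send(dispatcher, number) returns True when the passcode was delivered and
        entered within the time limit; a False result triggers the next candidate."""
        attempts: List[Attempt] = []
        for number in (n for n in (user.primary, user.secondary) if n):
            alt = next((d for p, d in self.alt_dispatchers.items()
                        if number.startswith(p)), None)
            if alt:      # prefix routed to an alternative dispatching mechanism
                candidates = [alt]
            else:        # every modem, carrier by carrier (provider failover)
                candidates = [m.name for c in self.carrier_order(number)
                              for m in self.modem_order(number, c)]
            for dispatcher in candidates:
                ok = send(dispatcher, number)
                attempts.append((dispatcher, number, "ok" if ok else "failed"))
                if ok:
                    return attempts
        return attempts


# Constructed sample pool: two carriers in one country (+45) and one abroad (+44).
SAMPLE_MODEMS = [
    Modem("M-DK-1", "CarrierA", "+45"),
    Modem("M-DK-2", "CarrierA", "+45"),
    Modem("M-DK-3", "CarrierB", "+45"),
    Modem("M-UK-1", "CarrierC", "+44"),
]
# Constructed policy: North American numbers (+1) receive passcodes by e-mail.
SAMPLE_ALT_DISPATCHERS = {"+1": "email"}


def build_dispatcher() -> PasscodeDispatcher:
    return PasscodeDispatcher(SAMPLE_MODEMS, "CarrierA", SAMPLE_ALT_DISPATCHERS)


if __name__ == "__main__":
    d = build_dispatcher()
    always_ok = lambda dispatcher, number: True
    print(d.dispatch(User("alice", "+4512345678"), always_ok))   # M-DK-1
    print(d.dispatch(User("bob", "+4587654321"), always_ok))     # M-DK-2 (round robin)
    carrier_a_down = lambda dispatcher, number: dispatcher not in {"M-DK-1", "M-DK-2"}
    print(build_dispatcher().dispatch(User("alice", "+4512345678"), carrier_a_down))
```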

This clearly demonstrates that SMS PASSCODE® has been designed and built with even the most demanding enterprise environments in mind.

6 COMPONENTS

SMS PASSCODE® is composed of the following software components:

Core Components:

 Database Service

 Web Administration Interface

 Transmitter Service

 Load Balancing Service

 Self Service Web Site

Authentication Clients:

 Citrix Web Interface Protection

 RADIUS Protection

 Cloud Application Protection

 IIS Web Site Protection

 ISA/TMG Web Site Protection

 Windows Logon Protection

 Secure Device Provisioning (for ActiveSync devices)

Add-on modules [4]:

 Password Reset Module

Component Description

Database Service: Database for storing all SMS PASSCODE® user data and configuration data.

Web Administration Interface: Web site for maintaining SMS PASSCODE® user data and configuration data.

Transmitter Service: Service responsible for dispatching messages and validation of SMS PASSCODE® logons. Handles load balancing and failover between all GSM modems connected to the service.

Load Balancing Service: Service responsible for handling load balancing and failover between all Transmitter services.

This optional service is recommended for enterprise installations where multiple Transmitter services are present. It should be installed in the following cases:

1) Advanced failover and load balancing of SMS messages between all Transmitter services is required, or

Self Service Web Site: Web site that allows end-users to maintain some of their personal SMS PASSCODE® account settings themselves.

Citrix Web Interface Protection: Integrates SMS PASSCODE® with Citrix Web Interface providing SMS PASSCODE® authentication for Citrix Web Interface users. It is optionally possible to run the Citrix Web Interface protection side-by-side with hardware-token based two-factor authentication systems, e.g. RSA SecurID® or SafeWord®. Both AD and NDS authentication are supported.

RADIUS Protection: Integrates with RADIUS systems providing SMS PASSCODE® authentication for RADIUS clients. It is optionally possible to run this integration side-by-side with other RADIUS authentication systems, e.g. hardware-token based two-factor authentication systems.

When using Windows Server 2003, RADIUS protection is provided by means of an extension for the Microsoft Internet Authentication Service (IAS).

When using Windows Server 2008 or 2012, RADIUS protection is provided by means of an extension for the Microsoft Network Policy Server (NPS).

Besides VPN systems the RADIUS protection component is also useful for protecting access to Microsoft SharePoint Portal servers using application gateways, e.g. using Microsoft Intelligent Application Gateway, Microsoft Unified Access Gateway, Citrix Access Gateway Enterprise Edition or Juniper SA.

Cloud Application Protection: Integrates with Microsoft Active Directory Federation Services (AD FS) 2.0 providing SMS PASSCODE® authentication for cloud applications protected by AD FS 2.0.

Cloud applications are supported that use form-based authentication, and use any of the following protocols for authentication:

 SAML 2.0

 WS-Federation

 WS-Trust

ISA/TMG Web Site Protection: Integrates SMS PASSCODE® with Microsoft ISA/TMG Server, providing SMS PASSCODE® authentication for web sites directly on an ISA/TMG Server. The web sites are required to be published through the ISA/TMG server using a Web Listener.

Currently the following types of web sites are supported:

 Microsoft Outlook Web Access

 Microsoft Terminal Service Web Access (TS Web Access)

 Microsoft SharePoint Portal Server

 IIS web sites using authentication delegation

 Any web site not requiring any pass-through authentication (authentication delegation)

SMS PASSCODE® authentication can be enabled and disabled for each specific Web Listener in the ISA/TMG server.

ISA/TMG Web Site protection is provided by means of an ISA/TMG filter.

IIS Web Site Protection: Integrates SMS PASSCODE® with Microsoft Internet Information Server (IIS) providing SMS PASSCODE® authentication for IIS Web Sites. Currently the following types of Web Sites are supported:

 Microsoft Outlook Web Access 2007, 2010 and 2013 [5]

 IIS Web Sites using Basic or Integrated Windows Authentication [5]

 Microsoft Terminal Service Web Access (TS Web Access), Windows Server 2008 only.

 Microsoft Remote Desktop Web Access (RD Web Access), Windows Server 2008 R2 only.

SMS PASSCODE® authentication can be enabled/disabled for each specific IIS web site – it is even possible to configure different settings for specific URLs and/or specific client IP addresses. IIS Web Site protection is provided by means of an ISAPI filter.

Windows Logon Protection: Integrates SMS PASSCODE® with Windows Logon, thereby providing SMS PASSCODE® authentication for users logging on to Windows. This is for example useful for protecting Microsoft Terminal Service / Remote Desktop server environments, or VMware View virtual clients.

SMS PASSCODE® authentication can be enabled and disabled for each specific RDP Listener.

Windows Logon integration is provided by means of a custom GINA (Windows XP and Windows Server 2003) and a custom Credential Provider (Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2).

Secure Device Provisioning (for ActiveSync devices): Integrates SMS PASSCODE® with Microsoft Exchange Server’s built-in functionality for provisioning of ActiveSync Devices, thereby providing secure, multi-factor authentication based self-provisioning of such devices.

The integration is provided by means of two components:

 The SMS PASSCODE® Monitoring Module, which is an HTTP Module that monitors the ActiveSync traffic on each server with the Exchange CAS role.

 The SMS PASSCODE® Secure Device Provisioning Web Site, to which users will be redirected for performing secure self-provisioning of new ActiveSync devices.

Password Reset Module (Password Reset Web Site and Password Reset Backend Service): Add-on module providing a web site where SMS PASSCODE® users that have forgotten their AD password can reset this password in a secure way.

The module actually consists of two components that can be installed on separate servers: the SMS PASSCODE® Password Reset Web Site and the SMS PASSCODE® Password Reset Backend Service.

The Password Reset Web Site provides the user interface of the Password Reset module. It acts as a proxy for the actual Password Reset logic, which is performed by the Password Reset Backend Service.

The components Database Service, Web Administration Interface and Transmitter Service are required components – i.e. they must always be present in an SMS PASSCODE® installation. The remaining components are optional.

The term SMS PASSCODE® core component is used in the subsequent sections of this documentation to denote one of the components: Database Service, Web Administration Interface, Transmitter Service, Load Balancing Service or Self Service Web Site.

The term SMS PASSCODE® Authentication client is used in the subsequent sections of this documentation to denote one of the components: Citrix Web Interface Protection, RADIUS Protection, Cloud Application Protection, ISA/TMG Web Site Protection, IIS Web Site Protection, Windows Logon Protection or Secure Device Provisioning.


7 LICENSING

This section describes how SMS PASSCODE® licensing relates to the SMS PASSCODE® components described in the previous section.

When acquiring SMS PASSCODE® software, you have to take different kinds of licenses into account:

 Starter Pack

Acquisition of an SMS PASSCODE® Starter Pack is required for any SMS PASSCODE® installation.

 Client Access Licenses (CALs)

Each CAL gives a single end-user the right to access specific types of clients.

 Modem Licenses

Each modem license allows a single hardware modem to be attached to the SMS PASSCODE® infrastructure.

Please note that you may install every SMS PASSCODE® component as many times as you like within your infrastructure, without acquiring extra licenses for this; the one exception being the SMS PASSCODE® Database component, which is only allowed to be installed once per SMS PASSCODE® Starter Pack acquired.

The following types of CALs exist:

 MFA Standard CAL

Each such CAL gives a single user the right to access any number of SMS PASSCODE® Authentication Clients within a single SMS PASSCODE® installation.

 Password Reset CAL

Each such CAL gives a single user the right to access any number of SMS PASSCODE® Password Reset Web Sites within a single SMS PASSCODE® installation.

The table below summarizes the licensing requirements (number of installations allowed and license requirements per component):

 Database Service

o Installations allowed: The Database Service is allowed to be installed once within a single SMS PASSCODE® infrastructure (i.e. once per acquired SMS PASSCODE® Starter Pack).

o License requirements: -

 Web Administration Interface

o Installations allowed: No limitation.

o License requirements: -

 Transmitter Service

o Installations allowed: No limitation.

o License requirements: A modem license per modem.

 Citrix Web Interface Protection

o Installations allowed: No limitation.

o License requirements: Each user needs to have a MFA Standard CAL allocated.

 RADIUS Protection

o Installations allowed: No limitation.

o License requirements: Each user needs to have a MFA Standard CAL allocated.

 Cloud Application Protection

o Installations allowed: No limitation.

o License requirements: Each user needs to have a MFA Standard CAL allocated.

 ISA/TMG Web Site Protection

o Installations allowed: No limitation.

o License requirements: Each user needs to have a MFA Standard CAL allocated.

 IIS Web Site Protection

o Installations allowed: No limitation.

o License requirements: Each user needs to have a MFA Standard CAL allocated.

 Windows Logon Protection

o Installations allowed: No limitation.

o License requirements: Each user needs to have a MFA Standard CAL allocated.

 Secure Device Provisioning (for ActiveSync devices)

o Installations allowed: No limitation.

o License requirements: Each user needs to have a MFA Standard CAL allocated.

 Password Reset Web Site

o Installations allowed: No limitation.

o License requirements: Each user needs to have a Password Reset CAL allocated.

 Password Reset Backend Service

o Installations allowed: No limitation.

o License requirements: -

NOTE: Under specific circumstances, a user might be allowed to log in to an SMS PASSCODE® Authentication client without an SMS PASSCODE® Standard MFA CAL allocated, when bypassing multi-factor authentication. Please read section 7.1 below for details.

7.1 Authentication Behavior: Authentication Clients

The table below summarizes authentication behavior for SMS PASSCODE® protected

assigned to the user (cf. section 15.8) and by the fact whether Proof-of-Concept (PoC) mode has been enabled (cf. section 15.3.1):

 User exists in the SMS PASSCODE® Database: Yes. MFA Standard CAL allocated to the user: Yes.

o Default behavior (PoC mode disabled): If the user attempts to log in to an SMS PASSCODE® protected authentication client, authentication occurs according to the user’s Authentication Policy. This typically means that multi-factor authentication occurs, unless explicitly defined otherwise by the Authentication Policy.

o PoC mode enabled: No change, i.e. the default behavior described above applies.

 User exists in the SMS PASSCODE® Database: Yes. MFA Standard CAL allocated to the user: No.

o Default behavior (PoC mode disabled): If the user attempts to log in to an SMS PASSCODE® protected authentication client, access is denied unless the user’s Authentication Policy is set to bypass multi-factor authentication.

o PoC mode enabled: The user is allowed to log in to any SMS PASSCODE® protected authentication client, bypassing multi-factor authentication (i.e. the user’s Authentication Policy is not applied).

 User exists in the SMS PASSCODE® Database: No. MFA Standard CAL allocated to the user: -.

o Default behavior (PoC mode disabled): The user is not allowed to log in to any SMS PASSCODE® protected authentication client.

o PoC mode enabled: No change, i.e. the default behavior described above applies.

7.2 Authentication Behavior: Password Reset

The table below summarizes authentication behavior for the SMS PASSCODE® Password Reset Web Site. Please note that the behavior can be affected by the Authentication Policy assigned to the user (cf. section 15.8), whereas Proof-of-Concept (PoC) mode (cf. section 15.3.1) has no impact in this case:

 User exists in the SMS PASSCODE® Database: Yes. Password Reset CAL allocated to the user: Yes.

o Default behavior (PoC mode disabled): The user has access to the SMS PASSCODE® Password Reset Web Site using multi-factor authentication, unless the user’s Authentication Policy denies access. Bypassing multi-factor authentication can never occur.

o PoC mode enabled: No change, i.e. the default behavior described above applies.

 User exists in the SMS PASSCODE® Database: Yes. Password Reset CAL allocated to the user: No.

o Default behavior (PoC mode disabled): The user has no access to the SMS PASSCODE® Password Reset Web Site.

o PoC mode enabled: No change, i.e. the default behavior described above applies.

 User exists in the SMS PASSCODE® Database: No. Password Reset CAL allocated to the user: -.

o Default behavior (PoC mode disabled): The user has no access to the SMS PASSCODE® Password Reset Web Site.

o PoC mode enabled: No change, i.e. the default behavior described above applies.


8 SYSTEM REQUIREMENTS

In this section, the system requirements are listed for each SMS PASSCODE® software component (cf. section 6). Please note:

 All SMS PASSCODE® components require the Microsoft .NET 3.5 SP1 Framework, except the Password Reset Web Site component, which requires the Microsoft .NET 4.5 Framework.

 The SMS PASSCODE® Secure Device Provisioning component requires both the Microsoft .NET 3.5 SP1 and .NET 4.5 Framework.

Component Requirement

 Database Service

o Supported operating systems: Windows Server 2003 (x86/x64), Windows Server 2008 (x86/x64), Windows Server 2008 R2 (x64), Windows Server 2012 (x64), Windows Server 2012 R2 (x64)

o Pre-requisite: Microsoft .NET Framework 3.5 SP1 installed beforehand

o If you are planning to enable the Active Directory Integration feature, it is recommended to install this component on a domain member server or a domain controller.

 Web Administration Interface

o Supported operating systems: Windows Server 2003 (x86/x64), Windows Server 2008 (x86/x64), Windows Server 2008 R2 (x64), Windows Server 2012 (x64), Windows Server 2012 R2 (x64)

o IIS 6.0, 7.0, 7.5, 8.0 or 8.5 required

o Pre-requisite: Microsoft .NET Framework 3.5 SP1 installed beforehand

o It is recommended to install this component on the same server as the Database Service component. However, it is possible to install this component on a separate server (cf. section 8.4, page 40).

 Transmitter Service

o Supported operating systems: Windows Server 2003 (x86/x64), Windows Server 2008 (x86/x64), Windows Server 2008 R2 (x64), Windows Server 2012 (x64), Windows Server 2012 R2 (x64)

o Pre-requisite: Microsoft .NET Framework 3.5 SP1 installed beforehand

o An unused serial port [6] (COM port) for each GSM modem.

o An active SIM card for each GSM modem in use.

[6] If the server does not have a free serial port, you may use a serial port server instead. When using this solution, you map a virtual serial port on the computer to a serial port on a device, which is connected to the network. SMS PASSCODE® has been tested with serial port servers (“Terminal Servers”) from Moxa

 Load Balancing Service

o Supported operating systems: Windows Server 2003 (x86/x64), Windows Server 2008 (x86/x64), Windows Server 2008 R2 (x64), Windows Server 2012 (x64), Windows Server 2012 R2 (x64)

o Pre-requisite: Microsoft .NET Framework 3.5 SP1 installed beforehand

 Self Service Web Site

o Supported operating systems: Windows Server 2003 (x86/x64), Windows Server 2008 (x86/x64), Windows Server 2008 R2 (x64), Windows Server 2012 (x64), Windows Server 2012 R2 (x64)

o IIS 6.0, 7.0, 7.5, 8.0 or 8.5 required

o Pre-requisite: Microsoft .NET Framework 3.5 SP1 installed beforehand

o Must be installed on a domain member server or a domain controller. It is recommended to install this component on the same server as the Database Service component. However, it is possible to install this component on a separate server (cf. section 8.4, page 40).

 Citrix Web Interface Protection

o Supported operating systems: Windows Server 2003 (x86/x64), Windows Server 2008 (x86/x64), Windows Server 2008 R2 (x64)

o Pre-requisite: Microsoft .NET Framework 3.5 SP1 installed beforehand

o You must install Citrix Web Interface on the server and publish at least one Web Interface before installing this component.

o The following Citrix Web Interface versions are supported on Windows Server 2003 (x86/x64): Citrix Web Interface 4.6; Citrix Web Interface 5.3.0, 5.4.0 and 5.4.2; Citrix Access Essentials 2.0

o The following Citrix Web Interface versions are supported on Windows Server 2008 (x86/x64) and Windows Server 2008 R2 (x64): Citrix Web Interface 5.3.0, 5.4.0 and 5.4.2

o AD and NDS authentication is supported.

 RADIUS Protection

o Supported operating systems: Windows Server 2003 (x86/x64), Windows Server 2008 (x86/x64), Windows Server 2008 R2 (x64), Windows Server 2012 (x64), Windows Server 2012 R2 (x64)

o Please note: Only Windows Server Editions including the Internet Authentication Service (IAS) or Network Policy Service (NPS) are supported. This means that Windows Server 2003 Web Edition, Windows Server 2008 Web Edition, Windows Server 2012 Hyper-V Edition and Windows Server 2012 Storage Edition are not supported.

o Windows Server 2003: Internet Authentication Service (IAS) must be installed before installing this component.

o Windows Server 2008 (R2) and Windows Server 2012 (R2): Network Policy Service (NPS) must be installed before installing this component.

o Pre-requisite: Microsoft .NET Framework 3.5 SP1 installed beforehand

o Supported RADIUS clients: All RADIUS clients that support the PAP or MS-CHAP v2 authentication protocol. The best user experience is achieved using RADIUS clients that support PAP with Challenge Response. Among others the following RADIUS clients support Challenge Response:

  o Juniper SSL VPN

  o Fortigate SSL VPN

  o Cisco PIX 5XX

     min. Cisco VPN client 4.8 [7] (PC)

     min. Cisco VPN client 4.9 (MAC)

  o Cisco ASA 5XXX

     min. Cisco VPN client 4.8 (PC)

     min. Cisco VPN client 4.9 (MAC)

  o Cisco VPN Concentrator 3000

     min. Cisco VPN client 4.8 (PC)

     min. Cisco VPN client 4.9 (MAC)

  o Check Point FW-1/VPN-1 NG/FP3

     Check Point VPN-1 SecuRemote Connection Client

  o Citrix Access Gateway 4.x [8]

     Standard Edition (min. ver. 4.5)

     Enterprise Edition

  o Citrix Access Gateway 5.0

  o Microsoft Intelligent Application / Unified Access Gateway (IAG/UAG)

  o WatchGuard Firebox

     WatchGuard Windows VPN Client

Please contact your SMS PASSCODE® reseller or [email protected] for further information regarding supported RADIUS clients.

[7] Please note that versions 5.0.00.x - 5.0.01.x had problems with the RADIUS challenge/response implementation. You must upgrade to a newer version of the Cisco VPN client 5.x.

 Cloud Application Protection

o Supported operating systems: Windows Server 2008 (x86/x64), Windows Server 2008 R2 (x64), Windows Server 2012 [9] (x64)

o Pre-requisite: Microsoft .NET Framework 3.5 SP1 installed beforehand

o Microsoft AD FS 2.0 must be installed before installing this component [10].

 ISA/TMG Web Site Protection

o Supported scenarios: Windows Server 2003 x86 with Microsoft ISA Server 2006 SP1 installed; Windows Server 2008 x64 with Microsoft TMG 2010 installed; Windows Server 2008 R2 x64 with Microsoft TMG 2010 installed.

o Pre-requisite: Microsoft .NET Framework 3.5 SP1 installed beforehand

 IIS Web Site Protection

o Supported operating systems: Windows Server 2003 (x86/x64), Windows Server 2008 (x86/x64), Windows Server 2008 R2 (x64), Windows Server 2012 (x64), Windows Server 2012 R2 (x64)

o Pre-requisite: Microsoft .NET Framework 3.5 SP1 installed beforehand

o IIS 6.0, 7.0, 7.5, 8.0 or 8.5 required

 Windows Logon Protection

o Supported operating systems: Windows XP (x86/x64) [11], Windows Server 2003 (x86/x64), Windows Vista (x86/x64) [11], Windows 7 (x86/x64) [11], Windows 8 (x86/x64) [11], Windows 8.1 (x86/x64) [11], Windows Server 2008 (x86/x64), Windows Server 2008 R2 (x64), Windows Server 2012 (x64), Windows Server 2012 R2 (x64)

o Pre-requisite: Microsoft .NET Framework 3.5 SP1 installed beforehand

o Terminal Service / Remote Desktop is supported

 Secure Device Provisioning (for ActiveSync devices)

o Supported on Windows Servers with the Exchange Client Access Server (CAS) role installed beforehand.

o The following versions of Microsoft Exchange Server are supported:

   Exchange Server 2010

 Password Reset Web Site

o Supported operating systems: Windows Server 2008 (x86/x64), Windows Server 2008 R2 (x64), Windows Server 2012 (x64), Windows Server 2012 R2 (x64)

o Pre-requisite: Microsoft .NET Framework 4.5 installed beforehand

o IIS 7.0, 7.5, 8.0 or 8.5 required

o A certificate is required to protect communication with the Password Reset Web Site using SSL/TLS.

 Password Reset Backend Service

o Supported operating systems: Windows Server 2003 (x86/x64), Windows Server 2008 (x86/x64), Windows Server 2008 R2 (x64), Windows Server 2012 (x64), Windows Server 2012 R2 (x64)

o Pre-requisite: Microsoft .NET Framework 3.5 SP1 installed beforehand

o It is recommended to install a certificate on relevant domain controller(s) to encrypt the communication between the Password Reset Backend Service and the domain controller(s) using SSL/TLS.

8.1 Requirements for Location and Behavior Aware Authentication

Location and behavior aware authentication [12] is the overall term for making use of Passcode Policies, Authentication Policies and User IP Histories to achieve a more advanced and secure authentication experience. The pre-requisite for this to work is that the SMS PASSCODE® system must be able to collect the correct end-user IP address that an authentication attempt originates from.

[9] Windows Server 2012 R2 is NOT supported yet.

[10] On Windows Server 2012 please note that AD FS 2.0 is not supported on Hyper-V, Storage or MultiPoint Editions.

[11] It is not recommended to install Windows Logon Protection on laptops because SMS PASSCODE® logon is only possible when the laptop is able to connect to an SMS PASSCODE® Transmitter Service. Since this connection is typically established via the network, the laptop may lose its connection to the Transmitter service when it is undocked – and thereby prohibit user authentication.
