
Defender Delegated Administration User Guide


This guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc.

If you have any questions regarding your potential use of this material, contact:

Quest Software World Headquarters LEGAL Dept

5 Polaris Way

Aliso Viejo, CA 92656 USA www.quest.com

email: [email protected]

Refer to our Web site for regional and international office information.

TRADEMARKS

Quest, Quest Software, the Quest Software logo, and Defender are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. For a complete list of Quest Software's trademarks, please see

http://www.quest.com/legal/trademark-information.aspx. Other trademarks and registered trademarks are property of their respective owners.

Disclaimer

The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.

Quest Defender Delegated Administration User Guide Updated - April 2012

Software Version - 5.7


Contents

ABOUT THIS GUIDE . . . 5
    Quest One Identity Solution . . . 6
    Audience and Scope . . . 6
    Conventions . . . 7
    About Quest Software . . . 8
    Contacting Quest Software . . . 8
    Contacting Customer Support . . . 8

CHAPTER 1 DELEGATED ADMINISTRATION . . . 9
    Introduction . . . 10
    What is Defender Delegated Administration? . . . 10
    Pre-requisites . . . 10
    Installing Defender Delegated Administration . . . 11

CHAPTER 2 ADMINISTRATION ROLES . . . 13
    Roles . . . 14
        Administrator . . . 14
        Basic Helpdesk . . . 15
        Provisioning . . . 15
        Enhanced Helpdesk . . . 15
        Auditor . . . 16
    Service Accounts . . . 16
        Defender Security Server . . . 16
        Defender Token Deployment System . . . 16
    Advanced Control . . . 17
        Assign Defender Token . . . 17
        Program Defender Token . . . 17
        Recover Defender Token . . . 17
        Reset Defender Token . . . 18
        Set and Clear Defender Token's PIN . . . 18
        Assign Defender Token Temporary Response . . . 18
        Set Defender Password . . . 18
        Test Defender Token . . . 18
        Unassign Defender Token . . . 18
        Reset Defender Token Violation Count . . . 18
        Modify Defender ID . . . 18
        Select Policy . . . 19
        Select RADIUS Payload . . . 19
        Update Defender User License . . . 19
        Update Defender Token License . . . 19
    Full Control . . . 20
    Delegating Roles . . . 21


About this Guide

• Quest One Identity Solution


• Audience and Scope

• Conventions

• About Quest Software

• Contacting Quest Software


Quest One Identity Solution

Defender is a component of the Quest One Identity Solution, a set of enabling technologies, products, and integration that empowers organizations to simplify identity and access management by:

• Reducing the number of identities

• Automating identity administration

• Ensuring the security of identities

• Leveraging existing investments, including Microsoft Active Directory

Quest One improves efficiency, enhances security and helps organizations achieve and maintain compliance by addressing identity and access management challenges as they relate to:

• Single sign-on

• Directory consolidation

• Provisioning

• Password management

• Strong authentication

• Privileged account management

• Audit and compliance.

Audience and Scope

This book is intended for administrators who want to use Defender Delegated Administration.

This book does not provide tutorial information on the use of the Windows operating system or on network communication concepts. Users must have experience in using the specified operating system and an understanding of networking concepts.


Conventions

In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes, and cross-references.

ELEMENT                     CONVENTION

Select                      This word refers to actions such as choosing or highlighting various interface elements, such as files and radio buttons.

Bolded text                 Used to highlight installation questions and responses.

courier text                File, daemon, utility, option, attribute names.

Italic text                 Used for comments.

Bold Italic text            Used for emphasis.

Blue text                   Indicates a cross-reference. When viewed in Adobe Acrobat, this format can be used as a hyperlink.

(icon)                      Used to highlight additional information pertinent to the process being described.

(icon)                      Used to provide Best Practice information. A best practice details the recommended course of action for the best result.

(icon)                      Used to highlight processes that should be performed with care.

+                           A plus sign between two keystrokes means that you must press them at the same time.

|                           A pipe symbol (vertical bar) between elements means that you must select the elements in that particular sequence.

\                           The back slash, immediately followed by a new line, indicates a Unix command line continuation.

<version>.<build number>    References to the product version you are installing are displayed with <version>.<build number> in angle brackets.


About Quest Software

Quest Software, Inc., a two-time winner of Microsoft’s Global Independent Software Vendor Partner of the Year award, delivers innovative products that help organizations get more performance and productivity from their applications, databases, Windows infrastructure and virtual environments.

Through a deep expertise in IT operations and a continued focus on what works best, Quest helps more than 100,000 customers worldwide meet higher expectations for enterprise IT. Quest’s Windows management solutions simplify, automate, secure and extend Active Directory, Exchange Server, SharePoint, SQL Server, .NET and Windows Server, as well as integrating Unix, Linux and Java into the managed environment. Quest Software can be found in offices around the globe and at www.quest.com.

Contacting Quest Software

Phone       949.754.8000 (United States and Canada)
Email       [email protected]
Mail        Quest Software World Headquarters
            5 Polaris Way
            Aliso Viejo, CA 92656
Web site    www.quest.com

Please refer to our Web site for regional and international office information.

Contacting Customer Support

Quest Software's world-class support team is dedicated to ensuring successful product installation and use for all Quest Software solutions.

SupportLink    www.quest.com/support
Email          [email protected]

You can use SupportLink to do the following:

• Create, update, or view support requests

• Search the knowledge base

• Access FAQs

• Download patches

Chapter 1 Delegated Administration

• Introduction

• What is Defender Delegated Administration?

• Installing Defender Delegated Administration


Introduction

This guide describes how to use Defender Delegated Administration to create and manage users or groups with delegated administrative roles.

What is Defender Delegated Administration?

Defender Delegated Administration provides a scalable approach to the administration of access rights, enabling you to create and manage users or groups with delegated administrative roles.

A simple configuration wizard enables system administrators to administer users and groups, and delegate the appropriate administrative roles.

Pre-requisites

The following pre-requisites apply to these components:

• Microsoft Visual C++ 2008 SP1 is required to install the Defender MMC Console (these are distributed on the Defender autorun CD)

• Microsoft .NET 3.5 SP1 or later is required to run the Defender Delegated Administration wizard.

The Defender Administration console should be run with a Domain Admins account (or similar) with the rights to modify account permissions for other groups of users.

To use the Defender Delegated Administration wizard you must have Microsoft .NET 3.5 SP1 or later installed. If you do not, you will not be able to run the wizard and a warning message will be displayed when you attempt to launch it.


Installing Defender Delegated Administration

The Defender Delegated Administration wizard is installed automatically when you install the Defender Administration console.

To access Defender Delegated Administration, from the Defender menu, select Delegate Control. The Delegated Administration Wizard will start.

The Defender Administration wizard only modifies permissions within your Active Directory for Defender attributes in the schema. It does not modify any standard Microsoft Active Directory permissions.

Chapter 2 Administration Roles

• Roles

• Service Accounts

• Advanced Control

• Full Control

• Delegating Roles


Defender Delegated Administration User Guide

14

Roles

Roles are typically granted to groups of users, such as a helpdesk group of users.

The available roles are:

Administrator

Defender Administrators can modify any Defender object and have complete control over the Defender configuration. This includes modification of all user-based Defender items, such as:

• assign and unassign tokens

• set the Defender password

• set Defender PIN

• modify Access Nodes, Security Servers, Policies, Tokens and RADIUS Payloads

• manage Defender licenses.


Basic Helpdesk

When this permission is granted, the user or group can:

• reset a Defender Token

• test a Defender Token via the Defender Console

• reset a locked Defender token by resetting the Violation Count on the username Properties page.

Provisioning

When this permission is granted, the user or group can:

• assign a Defender token

• program a Defender token

• remove a Defender token from a user’s account

• reset a Defender PIN.

Enhanced Helpdesk

When this permission is granted, the user or group can:

• assign a Defender token

• program a Defender token

• remove a Defender token

• reset a Defender token

• recover a Defender token

• test a Defender token

• reset a locked Defender token

• set a Defender PIN

• set Defender password

• assign a temporary token response.


Auditor

When this permission is granted, the user or group has read-only access to:

• all Defender objects of Users and Groups

• all Defender attributes of Users and Groups.

If one of the above roles alone does not provide the required level of authority, you can combine two or more roles. For example, you could combine the Basic Helpdesk role with a specific right from the Advanced Control menu, described below.

Service Accounts

Service accounts are created to provide the correct permissions for the following Defender components.

Defender Security Server

This will ensure that the service user account, used by the Defender Security Server to connect to Active Directory, has the required permissions.

The account should be configured on the Defender Security Server Configuration dialog.

Defender Token Deployment System

This will ensure that the service user account, used by the Defender Token Deployment System to connect to Active Directory, has the required permissions.

To do this perform the following steps:

For Defender v5.5 and earlier, using the Defender Self Registration component:

1. Load Component Services.


2. Navigate to Computer, My Computer, DCOM Config, Defender.

3. Right click Defender, then select Properties.

4. Select the Identity tab.

5. Modify the service account credentials.

For Defender 5.6 and above, using the Defender Token Deployment System:

Set the account on the Common Settings tab.

For Defender 5.7 and later, using the Defender Management Portal System:

Configure the account on the System Configuration \ Credentials tab.

The permissions configured when applying the Token Deployment System service account are also suitable for users who require full access to Defender Reports.

Advanced Control

Assign Defender Token

Assign a token to a user from the Defender Token OU or on the username Properties page.

Program Defender Token

Program a token on the username Properties page, or from Program Token on the Defender toolbar menu.

Recover Defender Token

Recover a token from the username Properties page or right click on the token within the Token OU and then select recovery.

Token recovery applies to certain token types only.


Reset Defender Token

Reset a token on the username Properties page or select the token within the Defender Token OU.

Set and Clear Defender Token’s PIN

Add or remove a PIN on a user’s token. This can be set on the username Properties page or on the token within the Defender Token OU.

Assign Defender Token Temporary Response

Set a helpdesk response on the username Properties page.

Set Defender Password

Set a Defender Password on the username Properties page.

Test Defender Token

Test a user’s token response for a specific token and also optionally verify the PIN on the user’s account. This can be tested on the username Properties page or on the token within the Defender Token OU.

Unassign Defender Token

Unassign a token on the username Properties page or by selecting the token within the Defender Token OU.

Reset Defender Token Violation Count

Reset the token violation count on the username Properties page or by selecting the token within the Defender Token OU.

Modify Defender ID

Set a Defender ID on the username Properties page.


Select Policy

Select a Defender security policy.

Select RADIUS Payload

Select a RADIUS policy.

Update Defender User License

Required for assigning, unassigning and programming tokens, and is automatically assigned as required. However, you may need to grant this specific right in a multi-domain environment, depending on where your license is located.

If the Update Defender User License right is not automatically assigned to the required user/group, run the Delegated Administration Wizard again, as described in Delegating Roles on page 21.

Update Defender Token License

Required for assigning, unassigning and programming tokens, and is automatically assigned as required. However, you may need to grant this specific right in a multi-domain environment, depending on where your license is located.

If the Update Defender Token License right is not automatically assigned to the required user/group, run the Delegated Administration Wizard again, as described in Delegating Roles on page 21.


Full Control

The settings in this section grant the full permissions necessary to manage specific Defender objects, including the permissions to view or modify any of the object properties, create, delete, rename or move objects on a user or group.

The available options are:

• Defender Access node full control

• Defender DSS full control

• Defender License full control

• Defender Policy full control

• Defender RADIUS Payload full control

• Defender Token full Control

• Defender Token License full control.


Delegating Roles

To delegate administrative roles to a user or group, perform the following steps:

1. From the Defender menu, select Delegate Control.

2. The Defender Delegated Administration Wizard starts and the Users and Groups dialog is displayed.


3. Click Add to specify the user or group to which you want to delegate administrative roles. The Select Users and Groups dialog is displayed.

4. Enter the names of the users or groups.

5. Click OK to continue. The Users and Groups dialog is displayed, showing your selected users and groups.

6. Click Next to continue. The Tasks to Delegate dialog is displayed.

The Tasks to Delegate dialog includes the following sections:

• Roles

• Service Accounts

• Advanced Control

• Full Control.


Check the boxes adjacent to the administrative functions that you want to delegate to the selected user or group.

7. Click Next to continue. The User Locations dialog is displayed.

8. Click Add to specify the location of the users that will be managed by the user or group to which you have delegated the tasks.

9. Click OK to continue. The User Location dialog displays the selected locations.


10. Click Next to continue. The Summary dialog is displayed.

11. Click Finish to complete the procedure.
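After the wizard finishes, the delegation exists only as access control entries on the Active Directory container you chose as a User Location. The following PowerShell script is an added example, not part of the Quest guide or the Defender product: it lists the explicit (non-inherited) entries on that container, resolves attribute and extended-right GUIDs to names so attribute-level grants are readable, and flags any grant broader than attribute-level access. It assumes the RSAT ActiveDirectory module is installed and that the account running it can read the schema and configuration naming contexts; the OU distinguished name is a placeholder for your own environment.

```powershell
# Added example (not the Quest guide's code): audit what the Delegated Administration Wizard
# actually granted on a User Location OU. Assumes the RSAT ActiveDirectory module.
param(
    [string]$UserLocation = "OU=Managed Users,DC=example,DC=com",   # placeholder DN
    [string[]]$IgnoreIdentity = @("NT AUTHORITY\SYSTEM", "BUILTIN\Administrators")
)

Import-Module ActiveDirectory
$rootDse = Get-ADRootDSE

# Map object-type GUIDs to names so attribute-level ACEs are readable. Schema attributes and
# classes carry schemaIDGUID (a byte array); extended rights carry rightsGuid (a string).
$guidName = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter "(schemaIDGUID=*)" `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidName[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter "(rightsGuid=*)" -Properties displayName, rightsGuid |
    ForEach-Object { $guidName[[guid]$_.rightsGuid] = $_.displayName }

$acl = Get-Acl -Path "AD:\$UserLocation"

$report = foreach ($ace in $acl.Access) {
    # Inherited ACEs come from parent containers; only explicit ACEs on this OU reflect
    # what was delegated here.
    if ($ace.IsInherited) { continue }
    if ($IgnoreIdentity -contains $ace.IdentityReference.Value) { continue }

    # An empty ObjectType means the right applies to every attribute of the object.
    $target = if ($ace.ObjectType -eq [guid]::Empty) { "<all attributes>" }
              elseif ($guidName.ContainsKey($ace.ObjectType)) { $guidName[$ace.ObjectType] }
              else { $ace.ObjectType.ToString() }

    [pscustomobject]@{
        Identity    = $ace.IdentityReference.Value
        Type        = $ace.AccessControlType
        Rights      = $ace.ActiveDirectoryRights
        Target      = $target
        Inheritance = $ace.InheritanceType
    }
}

$report | Sort-Object Identity, Target | Format-Table -AutoSize

# Attribute-level delegation should not need GenericAll, WriteDacl or WriteOwner; flag any
# explicit grant of those on the user location so it can be reviewed.
$report | Where-Object { $_.Rights -match "GenericAll|WriteDacl|WriteOwner" } |
    ForEach-Object { Write-Warning "Broad right on $($UserLocation): $($_.Identity) -> $($_.Rights)" }
```

Run it once before delegating and once after, and compare the two listings: the difference is exactly the set of rights the wizard wrote, which is a practical way to confirm the guide's statement that the wizard modifies only Defender attribute permissions and leaves standard Active Directory permissions alone. Keeping the "after" listing with the change record also gives an Auditor a baseline to review against later.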
