Random Password Manager Enterprise Edition

Contents

Copyright Notice

4

Introduction

1

Overview...1

Performance Notes...1

License Agreement ...1

Limited Warranty...3

Background and Goals...3

Product Installation

5

Installation Requirements ...5

Pre-requisite Knowledge...6

Port Requirements...6

MSDE Installation Using the Download Package ...7

MSDE Installation Manually ...8

Random Password Manager Enterprise Edition Setup ...12

Random Password Manager Installation...14

Web Interface Installation

16

Web Application Installation ...16

Web Application Installation Advanced Options...17

Web Application Security...17

IIS and ASP Pages ...18

COM+ Identity Wrapper...22

COM Components ...23

Web Application Authentication and Delegation ...25

Delegation Configuration...26

Getting Started

28

Randomizing the Local Administrator Password for Every System in the Domain ...28

Schedule a Reoccurring Password Randomization...32

Grant Users of a Windows Group 'Test Group' the Ability to Recover Passwords for the Default Group ...34

Recover a Password from a system in the 'Default' Group using the Web Interface ...37

Web Interface

40

Login...41

Password Recovery...41

System Status...44

Managing Access...46

Program Access...48

Managed Group Access...50

Account Masks ...50

Managing Systems

52

Managed Group Dialog...53

Managed Group Dialog Menus...53

System List Columns ...55

System Names and Name Resolution ...55

Add Systems to Group ...57

Add From Domain Systems List ...57

Add From Network Browse List ...59

Add From Shell Network Browse List ...60

Add Systems Manually...61

Add From Active Directory...62

Browse Options ...63

Add From IP Scanned Range ...64

Import/Export Systems List...65

Connecting to Systems...65

Selecting Systems ...65

Refresh Info ...65

Setting Managed Group System Ranges...67

Dynamic Group Memberships ...68

Dynamic Group Name and Comment ...70

Dynamic Group Domains...71

Dynamic Group IP Address Ranges...71

Dynamic Group Active Directory Paths...72

Dynamic Group Data Sources ...72

Dynamic Group Explicit Inclusions ...73

Dynamic Group Explicit Exclusions ...74

Dynamic Group Filter Options ...75

Dynamic Group Options...76

Managing Multiple Managed Groups ...77

Managing Passwords

78

Overview and Goals...78

Creating a Password Change Job ...79

Viewing Stored Passwords ...81

Deferred Processing

82

Jobs Monitor ...83

Deferred Processor Service...84

Retry Settings...85

Alternate Administrators

86

Administrator Accounts Editor ...86

Report File Output Type ...91

HTML Edit Dialog ...91

Post-Generation Action...92

Email Server Settings Overview ...93

SMTP Settings: General ...94

SMTP Settings: Outgoing Server ...95

SMTP Settings: Logging Options...96

Help Information

97

License Keys...97

Registration...99

Database Configuration ...99

Logon Info ...100

About ...101

Program Options

102

Logging...102

Datastore Configuration...103

Application Components ...106

Manage Web Application ...106

Remote Licensing ...108

Index

109

Copyright © 2003-2005 Lieberman Software Corporation. All rights reserved.

The software contains proprietary information of Lieberman Software Corporation; it is provided under a license agreement containing restrictions on use and disclosure and is also protected by copyright law. Reverse engineering of the software is prohibited.

Due to continued product development this information may change without notice. The information and intellectual property contained herein is confidential between Lieberman Software and the client and remains the exclusive property of Lieberman Software. If you find any problems in the documentation, please report them to us in writing. Lieberman Software does not warrant that this document is error-free. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise without the prior written permission of Lieberman Software.

Microsoft, Windows, Word, Office, SQL Server, Access, MSDE, and MS-DOS are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Lieberman Software Corporation, 1900 Avenue of the Stars, Suite 425, Los Angeles, CA 90067. Telephone: 310.550.8575. Internet E-Mail: [email protected]. Website: http://www.liebsoft.com

This chapter includes an overview of Random Password Manager Enterprise Edition, what problems it is designed to solve, performance information, expected pre-requisite knowledge, and some background information on Windows.

This chapter also includes the license and warranty information for Random Password Manager Enterprise Edition.

In This Chapter

Overview ...1

Performance Notes ...1

License Agreement...1

Limited Warranty ...3

Background and Goals ...3

Overview

Random Password Manager Enterprise Edition is designed to randomize and store the passwords for accounts on your systems on a regular reoccurring basis. Because these passwords are stored and managed by the program, they can be retrieved via a delegated web interface. Access to the password store as well as other web interface features can be limited to specific windows groups.

Performance Notes

Random Password Manager Enterprise Edition is multi-threaded and supports automatic retry for failed systems in an operation. Most operations on a LAN will take about a second to complete, but connections over a WAN may take significantly longer. All scheduled operations and job retries are handled in the background by a deferred processor service.

License Agreement

This is a legal and binding contract between you, the end user, and Lieberman Software Corporation. By using this software, you agree to be bound by the terms of this agreement. If you do not agree to the terms of this agreement, you should return the software and documentation, as well as all accompanying items, promptly for a refund.

1. Your Rights: Lieberman Software hereby grants you the right to use Random Password Manager Enterprise Edition to manage the licensed number of systems purchased. This software is licensed for use by a single client and its designated employees, contractors and authorized 3rd parties to manage the systems owned/used by a single client. The software license may not be shared with unrelated 3rd parties. The serial number provided by Lieberman Software is designed for installation on a specific machine. You may install an unlimited number of copies of Random Password Manager Enterprise Edition for your administrators that connect to the single licensed machine. All administrators can share the pool of purchased managed node licenses.

There are no limits to the number of web servers or clients that may access the data stored by your licensed copy of Random Password Manager Enterprise Edition.

The cost of Microsoft web servers, SSL certificates, and other supporting equipment and technology are the sole responsibility of the user of this software; not Lieberman Software.

2. Copyright. The SOFTWARE is owned by Lieberman Software and is protected by United States copyright law and international treaty provisions. Therefore, you must treat the software like any other copyrighted material (e.g. a book or musical recording) except that you may either (a) make one copy of the SOFTWARE solely for backup and archival purposes, or (b) transfer the SOFTWARE to a single hard disk provided you keep the original solely for backup and archival purposes. The manual is a copyrighted work also--you may not make copies of the manual for any purpose other than the use of the software.

3. Other Restrictions: You may not rent, lease, or transfer the SOFTWARE to any other entity. You may not reverse engineer, de-compile, or disassemble the SOFTWARE that is provided solely as executable programs (EXE files). If the SOFTWARE is an update, any transfer must include the update and all prior versions.

4. Notice: This software contains functionality designed to periodically notify Lieberman Software of demo usage and of the detection of suspected pirated license keys. By using this software, you consent to allow the software to send information to Lieberman Software under these circumstances, and you agree to not hold Lieberman Software responsible for the use of any or all of the information by Lieberman Software or any third party.

When used lawfully, this software periodically transmits to us the serial number and network identification information of the machine running the software. No personally identifiable information or usage details are transmitted to us in this case. The program does not contain any spyware or remote control functionality that may be activated remotely by us or any other 3rd party.

Lieberman Software Corporation, 1900 Avenue of the Stars, Suite 425, Los Angeles, CA 90067. Telephone: 310.550.8575. Internet E-Mail: [email protected]. Website: http://www.liebsoft.com

Limited Warranty

The media (optional) and manual that make up this software are warranted by Lieberman Software Corporation to be free of defects in materials and workmanship for a period of 30-days from the date of your purchase. If you notify us within the warranty period of such defects in material and workmanship, we will replace the defective manual or media.

The sole remedy for breach of this warranty is limited to replacement of defective materials and/or refund of purchase price and does not include any other kinds of damages.

Apart from the foregoing limited warranty, the software programs are provided "AS-IS", without warranty of any kind, either expressed or implied. The entire risk as to the performance of the programs is with the purchaser. Lieberman Software does not warrant that the operation will be uninterrupted or error-free. Lieberman Software assumes no responsibility or liability of any kind for errors in the programs or documentation of/for consequences of any such errors.

This agreement is governed by the laws of the State of California.

Should you have any questions concerning this Agreement, or if you wish to contact Lieberman Software, please write:

Lieberman Software Corporation
1900 Avenue of the Stars
Suite 425
Los Angeles CA 90067

You can also keep up to date on the latest upgrades via our website at http://www.liebsoft.com or email us at [email protected].

Background and Goals

The Need for Strong Local Credentials

Organizations with a need for the most basic access security should use unique local logon credentials customized for each workstation and server in their environment. Unfortunately, most organizations use common credentials (same user name and password for the built-in administrator account) for each system for the ease of creating and managing those systems by the IT Department, without any concern as to the consequences to the organization should these common credentials be compromised.

With the mandates of Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, California Security Breach Information Acts, NASD 3010, SEC 17a-4, 21 CFR Part 11, DoD 5015.2 and others, the implementation of reasonably hard to compromise local logon credentials is mandatory for most organizations as a means for protecting not only the confidentiality of their data, but also to protect against tampering.

Creating Strong Local Credentials

Lieberman Software’s program, Random Password Manager Enterprise Edition™ (RPMEE), can change any common account on all workstations and servers in just a few minutes without the need for scripts or any other type of program. The new common credentials can be stored in a local or remote SQL Server database and can be recovered on demand using RPMEE.

Random Password Manager Enterprise Edition can be configured to regularly change the passwords of common accounts on all of your systems (i.e. workstation built-in administrator account) according to a schedule of your choice so that each account receives a fresh cryptographically strong password regularly. This product feature protects the overall security of your organization so that the compromise of a single machine’s local administrator password does not lead to the total compromise of your entire organization’s security.

Delegated Password Recovery

Random Password Manager Enterprise Edition also contains a web interface to allow the remote recovery of passwords. The web interface is an ASP web application that allows any user with the appropriate group memberships the right to use the application as well as the right to recover passwords for accounts managed by the Random Password Manager Enterprise Edition program. All access to the ASP program as well as all password recoveries are logged, and the history is also available via the same web interface to authorized users.

Because this application provides extremely sensitive information, it is essential that you pay particular attention to the security settings of the application and also use appropriate encryption such as SSL based on the scope of access provided.

This chapter covers the installation and setup of both the Win32 console application and the web application setup.

In This Chapter

Installation Requirements...5

Pre-requisite Knowledge ...6

Port Requirements ...6

MSDE Installation Using the Download Package...7

MSDE Installation Manually...8

Random Password Manager Enterprise Edition Setup...12

Random Password Manager Installation ...14

Installation Requirements

This program requires Windows NT 4.0, Windows 2000 (NT 5.0, Server or Workstation), Windows XP (NT 5.1), or Windows 2003 (NT 5.2). We recommend at least 128 megabytes of memory and at least 50 megabytes of free disk space.

This program also requires access to a SQL Server or MSDE database to store internal data. You can connect to an existing database or create a new database to store data. The construction of the required tables, views, stored procedures, and security roles are handled automatically. MSDE is freely available from Microsoft and can be downloaded from their site directly or found on our site in a convenient installation package. The database can exist on the same system the Win32 application is installed on or can exist on another system. You must have access to the database via a SQL Server login account (Windows Integrated Authentication will not work).

The web application component requires Microsoft Internet Information Services (IIS) 5.0 or later or Microsoft Personal Web Server (PWS) with Active Server Page (ASP) server extensions enabled. The web application also requires COM+ to be enabled on the web server. The web server running the web component does not have to be the same system the Win32 application is installed on. If the web application will be installed on a different machine than the Win32 application, the active logon session must have administrative rights on the web server machine during the time of the web application installation.

The deferred processor service must be installed and running as an account with administrative rights on the local machine.

Pre-requisite Knowledge

Random Password Manager Enterprise Edition uses a Win32 console application in conjunction with a local service to set up the reoccurring password change jobs. Setting up the web application to allow access through the web interface includes the deployment of several COM objects to either the local or a remote web server as well as the creation of virtual directories for the associated ASP files used in the web interface. Random Password Manager Enterprise Edition also utilizes a SQL Server or MSDE database to store program data. We provide documentation as to the steps needed to set up and maintain Random Password Manager Enterprise Edition. We also recommend you have knowledge of database and web server administration, as these components will be used by Random Password Manager Enterprise Edition and should be patched, secured, and properly configured to ensure that the password store system will not be compromised.

Port Requirements

The following ports are used by Random Password Manager Enterprise Edition:

Port 7 - Echo. We use this port to send out WakeOnLAN packets.

Port 137, 138, 139 - Netbios Name Service Ports. This service handles file and folder sharing between Windows machines. These ports are required for Random Password Manager Enterprise Edition to properly function.

Port 445 - Alternate Netbios Name Service port (Win2K, XP, 2003). This port is not required unless the normal Netbios Name Service ports are closed (137, 138, 139). Be aware that this alternate port for the Netbios Name Service will not work on Windows NT 4.

MSDE Installation Using the Download Package

If you want to use MSDE as the data store and have downloaded our installation package for MSDE (http://www.liebsoft.com/index.cfm/products/msde), locate and launch msdesetup.exe.

You will be asked to enter the SA account password. The SA account password is the administrative database access password. We use this account and password to connect to the database and perform database operations. You can also choose whether or not the database will be accessible remotely. If you are installing MSDE and the webserver onto the local system, you do not need to enable remote

If there is more than one instance of MSDE running on the target system, you will have to create a named instance for the new install. If MSDE has not been installed, the default instance is sufficient.

After Installing MSDE, Windows NT 4.0 systems may need to be restarted to ensure the proper services are running.

MSDE Installation Manually

This download also contains detailed instructions for installing MSDE. Additional documentation for installation and configuration can be found at Microsoft's support site for MSDE (http://download.microsoft.com/download/d/5/4/d5402c33-65de-4464-9d82-d1de2971d9db/readmemsde2000a.htm#_3460_installing_msde_2000_release_a_fzpy) or in the MSDN library.

Make sure the file and print sharing is enabled. Also make sure the local security policy for installation behavior is as follows:

• Windows XP and Windows 2003: Set the Security Option for Devices: Unsigned driver installation behavior to Silently Succeed in the Local Security Policy of the machine on which you are going to install MSDE.

• Windows 2000: Set the Security Option for Unsigned non-driver installation behavior to Silently Succeed in the Local Security Policy of the machine on which you are going to install MSDE.

Stop these services if they are running before installing MSDE:

• Microsoft Distributed Transaction Coordinator
• Microsoft Search
• MSSQLServerOLAPService
• Microsoft Component Services
• Microsoft Message Queuing
• Microsoft COM Transaction Manager

These services should be shut down prior to install. Shut down the services from within the administrative tools service controller. They can be started again after the installation is complete. The installation should still work if the services are not shut down, but the machine will require a restart in order to restart the services after installation.

This update installs MDAC version 2.7 SP1a unless a newer version of the MDAC is detected.

By default, MSDE will install with network support disabled. If MSDE is installed on the same machine as the console and the web server, then this configuration is recommended for increased security purposes. If you need to enable network support, you can specify this with the flag "DISABLENETWORKPROTOCOLS=0". You can also reconfigure MSDE to allow network access at a later time.

We recommend you configure MSDE to use Windows Authentication Mode and use a strong sa password for the installation. This password can be set when running the installer from the command line by specifying the parameter SAPWD. Examples of the install command string are shown below. For a complete list of parameters and explanations of configuration options, refer to the Microsoft documentation for MSDE.

Note: When installing a named instance of MSDE, be careful not to overwrite an existing instance of MSDE. This applies to previous installations as well as other vendors' software installations of MSDE.

1. Download the MSDE installer from Microsoft. Save it to a directory on the local system and run it by double-clicking on it.

3. Open a command window and navigate to the directory that you unpacked MSDE into. Type "setup" followed by the installation configuration arguments. In this example, we are creating a default instance of MSDE and the sa password for the instance is MySecurePassword (not a very secure password).

Here is a list of the more common options.

You should see the progress as the installation takes place. After the installation you may or may not be asked to restart your system.

If you receive any errors during the install process, refer to Microsoft's online documentation or MSDN for troubleshooting. If you received no errors, you have set up an instance of MSDE on the local machine.

Random Password Manager Enterprise Edition Setup

When the program runs for the first time, you will be prompted to input your license information. For demo copies, the default demo license is sufficient. For commercial keys, enter the key that was sent to you and click OK.

After you input the license information, you will be prompted to connect to an instance of SQL Server or MSDE. First enter the name of the system running SQL Server. This can be the local system or a remote system accessible by name or IP address.

Enter the SQL Server account information and choose the database from the drop list. The account that you use must have the rights to create, edit, and delete tables, data, and procedures from the database. Click Next.

Select the database from the dropdown menu. You must use an existing database. If you have not created a database in SQL Server to use, close the application, create the SQL Server database, and then launch the application again.

Random Password Manager Installation

Launch rpmeesetup.exe from the directory to which it was saved and follow the prompts to choose an installation directory.

Click "Next".

Click "Next" to start the installation. During the installation the program will create shortcuts on the desktop and start menu. Double click the shortcut to launch the application.

This chapter contains installation instructions and background information on the Web Interface portion of RPMEE. The web interface is composed of a set of ASP pages, two COM objects (one .OCX and one .DLL), and a COM+ identity wrapper.

In This Chapter

Web Application Installation...16

Web Application Installation Advanced Options...17

Web Application Security ...17

IIS and ASP Pages...18

COM+ Identity Wrapper ...22

COM Components...23

Web Application Authentication and Delegation...25

Delegation Configuration ...26

Web Application Installation

This reference assumes that the program database is also running on the local system and the local system is running IIS 5.0 or better and is acting as the web server. These operations are implemented through a wizard accessible through the Win32 interface (see "Manage Web Application" on page 106) which automates these steps.

The steps involved in setting up the web interface can also be performed manually. These are the steps required to install and configure the web interface:

1. Copy the ASP files from the installation directory to a folder in the "c:\inetpub\wwwroot\RPMEEWeb" directory.

2. Create a new virtual directory "RPMEEWeb" in IIS that references the "C:\inetpub\wwwroot\RPMEEWeb" directory.

3. Create a new COM+ Server Application called RPMEEWeb. Set the credentials for the application to valid local administrator credentials.

4. Add the two required COM objects to the COM+ Application as components. The two COM objects are located in the installation directory and are named "RPMEEWeb.ocx" and "RouletteWeb.dll".

5. Create a default access rule that grants full access to the web interface to members of the domain administrators group.

6. Create default access rules to allow domain administrators all access in the web interface.

7. Launch a new browser window with the web interface.

The information you will need to supply is the account name and password to use for the COM+ wrapper identity. This account will need local administrative access and domain user access.

When you have entered account information, click Install Web Application to start the installation.

Note: When you upgrade to a new version of Random Password Manager Enterprise Edition, you will also have to re-run the web application installation to upgrade the web pages and COM components.

Web Application Installation Advanced Options

Using the advanced options, you can install and configure the web application to run either on the local system or on a remote web server. If you specify a remote web server, the required files and registry values will be copied out to the server along with the setup of the COM+ wrapper and the registration of the COM objects.

Using the advanced options you can:

• Choose a destination directory for the ASP webpages.
• Configure the web server to either create a virtual directory to reference the pages or move the pages into the root of the web server.
• Choose a destination location for the required OCX and DLL files.
• Specify the COM+ wrapper name on the server.
• Set the logon account name and password used by the COM+ wrapper.

Web Application Security

We highly recommend you install and set up SSL encryption for the web server that will be hosting the web interface for Random Password Manager Enterprise Edition. Without SSL installed and running on the web server, the credentials passed from the web server to the authentication server could be sent unencrypted and could be vulnerable to network traffic sniffing.

If you plan to implement the web interface over the internet, then we would also recommend limiting access based on specific IP address ranges.

IIS and ASP Pages

Microsoft Internet Information Services or Microsoft Personal Web Server (5.0 or better) is required to be running on the web server to use the web application component of Random Password Manager Enterprise Edition; processing of ASP pages must also be enabled. By default ASP pages are turned off in IIS 6.0. To enable ASP pages open up the IIS control panel and open the properties of the default web site.

Make sure the .asp extension is listed and references the "C:\windows\system32\inetsrv\asp.dll" file.

Part of the installation of the web application involves creating a virtual directory in IIS. This virtual directory will reference the set of ASP pages which provide the user interface for the web application. During the automated web application installation, the ASP files are copied from the installation directory to the "C:\Inetpub\wwwroot\RPMEEWeb" directory and the new virtual directory is created in IIS. Shown here are the manual steps of making these changes.

Name the new virtual directory "RPMEEWeb".

Point the virtual directory to the location of the ASP pages.

The ASP pages used for the web interface are found in the "\UmpWebInterface" subdirectory under the installation path. If you install manually, you should copy them to a directory under the "C:\inetpub\wwwroot\" directory and reference that directory in the virtual directory. You don't need to copy the files to the "wwwroot" directory, but you need to ensure that the account which IIS is using to process ASP pages has access to the directory in which the files are located. By default, the IIS accounts will have access to files and folders under the "wwwroot" directory, which is why the files are copied there by default on install.

After making changes to the IIS configuration, an IIS restart will be required. You can restart IIS either through the IIS control console or through the command line with the command "iisreset". Restarting IIS will stop the web server service as well as any COM objects or services that are currently being held open by the web server.

Lastly, because of the nature of this application, the web server has the capability to send passwords out to the users of the web application. If there is the possibility of unauthorized users sniffing traffic from the web server, we recommend you install and use an SSL certificate on your web server to encrypt passwords viewed through the web interface. Support of SSL and the issuance of certificates will need to be handled by your organization.

COM+ Identity Wrapper

Random Password Manager Enterprise Edition utilizes a COM+ Server Application to store credentials for use by the COM objects used by the web application. Because the COM+ Application is a server application, it uses a specified set of credentials instead of using the launching process' credentials. Running as a specific user allows the COM+ Application to run the COM components at an elevated level of access without running the website as that powerful account. For the web application to work, the COM+ application must be running using an account which has local administrative rights as well as domain user rights. COM+ must be supported and enabled on the web server for the web application installation. The creation of the COM+ object is handled through the web application installation wizard, but the steps can also be performed manually as shown below.

Open the Component Services utility and browse to the COM+ Applications folder on the local machine. Create a new COM+ Server Application (specific credentials) called RPMEEWeb.

Title the application RPMEEWeb and choose Server Application.

Enter the user account for the COM+ application. This account must have administrative access to the local machine.

Finish the wizard to create the COM+ Application. Initially it will be empty and you will have to add the required COM components to it so the web application can access them.

COM Components

Once the COM+ Application has been created, the COM objects used by the web application will have to be added so they will be registered with the system. Once the COM objects have been registered with the system, they can be called from other applications (in this case the web server can call them from ASP pages). The benefit of adding the COM objects to a COM+ application is that they will run as the user account stored in the COM+ application, rather than the context of the calling user. The required COM components are copied to the installation directory. The files which contain the COM objects are named "RpmEEWeb.ocx" and "RouletteWeb.dll". The installation wizard will automatically add the COM objects to the COM+ application, but you can also do this manually.

Open the Component Services console and locate the components folder of the RPMEEWeb COM+ Application. Choose to add new components to the application.

Choose to install new component(s).

Browse to the installation directory and add the RpmEEWeb.ocx and RouletteWeb.dll files to the COM+ application.

Once the COM objects have been added as components, the web server will be able to create and access them.

Web Application Authentication and Delegation

The web server uses a low-powered account to handle the processing of web pages. This is desired because if the website were to be compromised, any malicious behavior or executed code would run in the context of the web server. This design means the web server will not have access to the database directly or the ability to perform operations such as group and user lookups to check authentication. Because the web server will not have access to the database or to the domain, the COM+ wrapper must have local administrative rights and domain user rights. The credentials needed to access the SQL server database are also stored locally and used by the COM objects when retrieving password, system, and delegation information from the database. The credentials are never used directly by the web server and thus are not exposed to the outside world.

The authentication mechanism starts when the web server requests a security token from the COM object. A security token is granted for each successful login and then stored in the database. This token contains the encoded rights associated with a specific login, including the lifetime of the login. Once the token has been passed back from the COM object, the web server stores it in the active session. Requests to perform operations are passed to the COM object along with the token, and the COM object determines whether or not the user has the appropriate access based on the token. Using this scheme, the web server does not have access to the database directly, so even if the web server were to be compromised, the attacker would not have access to any of the password data.

The delegation scheme for the web interface consists of a set of rules stored in the database that map directly to real Windows Domain Groups. The domain the web server is in will be the source for these Windows Groups. When you create an access rule, you specify both the action that is allowed and the Windows Group which is allowed to perform the action. User identification and authentication takes place by passing the account name and password through the web server to the COM object, which attempts to perform a domain logon. If the logon is successful, the COM object will perform a group lookup for the username and build a list of the domain groups the user is a member of. The COM object will then build the set of rights granted to the one or more groups the user belongs to and encode those rights into a security token, which it saves to the database and passes back to the web server. When subsequent requests are made to the COM object from the web server, this security token is verified to ensure the user has the correct rights.

There are two basic types of delegation rules you can create for Windows Groups. The first is a Global Program Access Rule. This type of rule defines what basic web application operations are allowed to the members of a specific Windows Group. These rights include the logon right, access to all passwords, and the ability to change the delegation rules and check logs. Any Windows groups you want to have access to the web interface must be granted the logon right. The second type of rule is the Managed Group Access Rule. These rules determine which managed groups a Windows group has the right to access. If you want Windows users in a group to be able to recover passwords for a set of systems, you will create a Managed Group Access Rule for that Windows group and that set of systems.


Delegation Configuration

The default web application installation gives all access to direct members of the domain administrators group. To delegate rights out to other groups, log in to the web interface as a user in the domain admins group.

Click on the Manage Access tab and then the Program Access tab. From here you can choose which Windows groups have access to the most powerful program level rules. These rules are the ability to log on to the web interface, the ability to recover all stored passwords, and the ability to change access rules. Use this section to grant access to the Windows groups that will be allowed to use the web interface.


After granting Windows groups program access, click the Manage Group Access tab. This tab will allow you to set which Windows groups have access to each logical group of systems (and their accounts).

Getting Started

This chapter contains a few common tasks for Random Password Manager Enterprise Edition and step by step examples of how to accomplish these tasks.

In This Chapter

Randomizing the Local Administrator Password for Every System in the Domain ...28

Schedule a Reoccurring Password Randomization ...32

Grant Users of a Windows Group 'Test Group' the Ability to Recover Passwords for the Default Group ...34

Recover a Password from a system in the 'Default' Group using the Web Interface...37

Randomizing the Local Administrator Password for Every System in the Domain

The first step is to add the domain to the system range of the current group. To do this, click "Edit Current System Set Properties..." from the SystemsList menu.


Now select the domain tab and enter the name of the domain.

Click "OK" to return to the main dialog and click "Update Current System Set Now" to add all the domain systems to the current Managed Group.


You should see the systems in the domain in the system list. Highlight them all and click the Lock button in the lower middle right of the dialog.

The default option is the local administrator account. Make sure the local administrator account option is selected. This option will change the built-in local administrator account on each machine, even if it has been renamed.

By default the password will be randomized; make sure the password is set to be randomized.

Set this password change to run now by selecting "Immediately" as the scheduling option.

Click Finish to start the job. When the job is complete, you will see a results dialog, which shows the status of each system that was part of the job.


Schedule a Reoccurring Password Randomization

Select the system(s) which have accounts you want to randomize and click the Lock button in the middle lower right of the main dialog.

Enter the account name of the account you want to randomize. This will randomize the password for this local account on each of the selected machines.

By default the password will be randomized; make sure the password is set to be randomized.

Select monthly for the scheduling option. The job shown will run at 12:00 AM on the first of every month.


Grant Users of a Windows Group 'Test Group' the Ability to Recover Passwords for the Default Group

Begin by logging into the web interface as a user with the ability to change delegation rules.


Select the Program Access tab.

Select the "Allow Web Logon" right from the drop list on the left and the "Test Group" from the list of Windows domain groups to the right. Granting this right will allow Windows users who are members of this Windows group to log on to the web interface. Click "Add Global Access Rule".


Click the "Managed Group Access" tab.

Select the Managed Group "Default" from the drop list on the left and the Windows group "Test Group" from the drop list on the right. This step will give the users in the Windows group "Test Group" the ability to see and recover the saved passwords for accounts on systems in the "Default" managed systems group. Click Add Group Access Rule.


Recover a Password from a system in the 'Default' Group using the Web Interface

Log into the web interface with an account which has been granted the ability to recover passwords for the "Default" managed systems group.


Click "Find Systems" to list all systems in this group.

The recovered password will be shown in the display and an automatic password re-randomization will be scheduled for 4 hours in the future.

Web Interface

This chapter covers the use of the web interface portion of Random Password Manager Enterprise Edition. This chapter includes instructions for both users and administrators of the web interface. Topics covered include: logging in to the web interface, recovering passwords, viewing system information, setting access rules, viewing log activity for the web interface, and delegating managed group access to Windows groups.

Note that throughout this chapter, the screenshots reflect an administrative user view. Users granted fewer rights will not have access to, and therefore will not see, some of the sections shown in the screenshots.

In This Chapter

Login ...41

Password Recovery ...41

System Status ...44

Managing Access ...46

Login

The first step in using the web interface is to log in. By default, access is given to members of the domain administrators group on the domain the web interface is installed on. Access can be configured through the web interface. Choose one of the trusted domains from the drop list and log on using your Windows username and password.

All logon attempts are saved to the web interface activity log and can be viewed from the web interface. In order for users in a Windows group to access the web interface, they must be granted the logon right through the tool. Account authentication is done using the Microsoft Windows challenge/response system.

For more information about setting up and configuring the web interface see Web Application Installation.

Password Recovery

After logging in to the web interface the most common task will be retrieving passwords. To do this, click the Password Recovery tab and then the Managed Groups tab on the secondary menu. You will need to know the name of the account you want to recover as well as the name of the machine that account is on. You will also need to know the name of one of the managed groups that contains that system. In the Managed Groups list you will only be able to see the names of each managed group you have been given access to. Click on the name of the managed group that contains the system. If the system is contained in more than one managed group, any of the managed groups that contain that system will suffice.

The right to recover passwords is granted to all Windows groups that are allowed to login to the web interface. The specific managed groups each Windows group has access to is further controlled through the Manage Access portion of the web interface.


When you select a managed group, you can choose to search for a known system by filter or display all systems with stored passwords from that group. To search for a known set of systems, use a substring to search for system names as they appear in the tool. For this example, "dev2" will return the "dev2000" system and "evp" will return the "devpat" system.

Click on "Recover" to show the password for the account. The recovered password can be highlighted and copied to the clipboard for ease of use.

If the logged in user account has been granted the all access right, then the 'All' tab will be available in the secondary menu (shown above). This tab provides a search of all stored passwords for all accounts on all systems in the tool. This search ignores the managed group memberships for systems and consequently grants a higher level of access to the password store.

Recovering a password will also cause the password to be scheduled for randomization. The time between the recovery and the change is configurable and the default time is 4 hours. All password retrievals are logged to the program log.

Note: If you have access to a system through a managed group, by default you will have access to all stored passwords for all accounts on that system. This can be configured using the password filters, which are explained under "Account Masks" on page 50.

System Status

Using the System Status tab, you can see the latest status of systems in a managed group. The right to view system status is granted to all Windows groups with the program logon right. Authorized users of the web interface can see the status of systems that are members of any managed group they have been granted access to. Granting or denying control to specific managed groups of systems can be limited through the Manage Access portion of the web interface.

The columns shown in the system status view are the same columns shown in the Win32 application for each system. Note: the information for each system is only as current as the last operation (password change or refresh in the Win32 app) for that system. When you select a managed group, you can choose to search for a known system by filter or display all systems from that group. To search for a known set of systems, use a substring to search for system names as they appear in the tool. For this example, "dev2" will return the "dev2000" system while "evp" will return the "devpat" system.

If the logged in user account has been granted the all access right, then the 'All' tab will be available in the secondary menu (shown above). This tab provides a search of all systems in the tool. This search ignores the managed group memberships for systems and consequently grants a higher level of access to the system status information.

Managing Access

This section covers using delegation to manage access for the web interface. The delegation scheme uses rules applied to Windows groups to allow or deny rights within the web interface. The top level rules (program rights) determine which program-wide rights a Windows group is granted. These rights include the ability to log in, the ability to see everything, and the ability to change access rules. The second level of rules, managed group access rules, determines which managed group(s) a specific Windows group has access to. This level of delegation includes managed group access control lists and account name based filters.

This section also contains the log information. The log tracks all users who attempt to log into the web interface and all password retrievals.

View Log

The activity log for all web interface logons and password retrievals is stored in the Manage Access section. To view the log, you must have been granted the program right to manage all web access controls. First choose which log you want to view. The access log shows all attempted logons to the web interface. The Recovery Log displays all passwords that were retrieved, and you may also select the range of time you are interested in. In addition, you can choose to view the activity for a specific user that has logged in or recovered passwords.

The access log shows the time of the logon, the originating IP address, the result of the attempt, and the logon username.

The recovery log shows the date of the recovery, the originating IP address, the authenticated username, the managed group that allowed access to the system, the system name, and the name of the account that was recovered.

Note: when account passwords are recovered, they are scheduled to be automatically randomized in four hours.

Program Access

This section controls the higher level global program access rules. These rules dictate which Windows groups have rights in the web interface. The rights granted here are program wide and include: logon, display all accounts, manage web access controls.

The right to logon is the most basic right. This allows members of the Windows group to log into the web interface. This right will also allow users to see the System Status tab and the Password Recovery tab, but users in the group will not have access to any managed groups initially.

The right to see all account passwords grants members of the Windows group the right to recover the stored account passwords for any account saved within the system. This bypasses the managed group access check and applies to both the Password Recovery section and the System Status section.


The right to manage web access controls grants members of the Windows group the right to access the Manage Access section, which includes the log for the web interface. This section also contains the controls to change access to the web interface for Windows groups. This is the most powerful right granted and by default is only given to the domain administrators Windows group.

To grant a right to a Windows group you will create a rule. First select the program wide right from the left drop list then select the Windows group from the right drop list. Now click "Add Global Access Rule". A list of the global access rules is shown. This list contains all the groups with rights within the web interface. Windows groups not listed cannot log onto the web interface or recover any passwords. To remove a rule, click the 'del' link to the right of a specific rule.


Managed Group Access

This section controls the delegation of password recovery for managed groups to specific Windows groups. To allow a Windows group to recover the passwords for accounts on systems in a managed group, create a managed group access rule. First select the managed group from the left drop list. Next select the Windows group you want to grant access from the right drop list. Now click "Add Group Access Rule".

The list of Managed Group Access Rules shows each managed group with one or more access rules. Each group is listed on the left. On the right of each managed group is the list of Windows groups which have been given the right to recover passwords for accounts on systems in that group. To remove a Managed Group Access Rule, click the 'del' link to the right of the Windows Group name.

Note: If a Windows group has been given the global program access right to see all account passwords, users in that group will have access to all systems regardless of managed group memberships.

Account Masks

The Account Masks tab is used to filter the list of accounts for which a Windows group can recover passwords. Account Masks limit the accounts to which a member of the Windows group has access based on searching for one or more substrings within the account name. The account masks are not case sensitive.

Example: You have stored passwords for "Administrator", "User", and "Guest" accounts. The account mask of "admin" would allow members of that Windows group to still see and recover the password for only the "Administrator" account. The account mask of "u" would allow members of that Windows group to see and recover passwords for the "User" and "Guest" accounts.

The accounts a Windows group is allowed access to are the union of all the account filters. In the example above, if both filters were applied to a Windows group, then the group would be able to see and recover passwords for all three accounts.

Note: The account masks feature does not affect Windows groups which have been granted the right to access all accounts as a global program access rule. Authorized Windows groups will still be able to view and recover passwords for all accounts.
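The token-based authentication described under Web Application Authentication and Delegation, the two rule types (global program access rules and managed group access rules) and the account mask behaviour above, modelled together in Python as an added example. This is not product code: every right name, Windows group name and rule below is constructed, and the data layout is an assumption.

```python
"""Model of the web interface delegation scheme described in this manual.

Added example, not code from Random Password Manager Enterprise Edition: it
evaluates global program access rules, managed group access rules and account
masks, and models the per-login security token with a lifetime.  Right names,
the data layout and all sample rules below are constructed for illustration.
"""
import secrets
import time
from dataclasses import dataclass, field

# Program-wide rights granted through global access rules (names constructed).
LOGON = "logon"
ALL_ACCOUNTS = "all_accounts"
MANAGE_ACCESS = "manage_access"


@dataclass
class DelegationRules:
    global_rules: set  # {(right, windows_group)}
    group_rules: set   # {(managed_group, windows_group)}
    account_masks: dict = field(default_factory=dict)  # windows_group -> {mask}

    def rights(self, user_groups):
        """Program rights are the union over every Windows group the user is in."""
        return {r for r, g in self.global_rules if g in user_groups}

    def account_visible(self, windows_group, account):
        """No masks on a group means every account; otherwise the account must
        contain one of the masks as a case-insensitive substring (union)."""
        masks = self.account_masks.get(windows_group)
        return not masks or any(m.lower() in account.lower() for m in masks)

    def can_recover(self, user_groups, managed_group, system_groups, account):
        """May a user in `user_groups` recover `account` on a system belonging
        to the managed groups `system_groups`, when asking via `managed_group`?"""
        rights = self.rights(user_groups)
        if LOGON not in rights:
            return False  # Windows groups without the logon right cannot use the site
        if ALL_ACCOUNTS in rights:
            return True   # all-access bypasses managed group checks and masks
        if managed_group not in system_groups:
            return False
        granting = {g for mg, g in self.group_rules
                    if mg == managed_group and g in user_groups}
        # Assumption: when several of the user's groups grant this managed group,
        # the visible accounts are the union of what each group's masks allow.
        return any(self.account_visible(g, account) for g in granting)


class TokenStore:
    """Stands in for the database table that holds issued security tokens."""

    def __init__(self, rules, lifetime_seconds=3600):
        self.rules = rules
        self.lifetime = lifetime_seconds
        self._tokens = {}  # token -> (groups, rights, expiry)

    def issue(self, user_groups, now=None):
        """Called after a successful domain logon; None if the user may not log on."""
        rights = self.rules.rights(user_groups)
        if LOGON not in rights:
            return None
        now = time.time() if now is None else now
        token = secrets.token_hex(16)
        self._tokens[token] = (frozenset(user_groups), frozenset(rights), now + self.lifetime)
        return token

    def lookup(self, token, now=None):
        """Return (user_groups, rights) for a live token, else None."""
        entry = self._tokens.get(token)
        if entry is None:
            return None
        groups, rights, expires = entry
        now = time.time() if now is None else now
        if now >= expires:
            del self._tokens[token]  # expired logins are forgotten
            return None
        return groups, rights


def recover(store, token, managed_group, system_groups, account, now=None):
    """Web server side of a request: it holds only the token, never the rules."""
    found = store.lookup(token, now)
    if found is None:
        return False
    groups, _rights = found
    return store.rules.can_recover(groups, managed_group, system_groups, account)


# Constructed sample rules that mirror the manual's "Test Group" walkthrough.
RULES = DelegationRules(
    global_rules={(LOGON, "Domain Admins"), (ALL_ACCOUNTS, "Domain Admins"),
                  (MANAGE_ACCESS, "Domain Admins"), (LOGON, "Test Group"),
                  (LOGON, "Helpdesk"), (LOGON, "Operators")},
    group_rules={("Default", "Test Group"), ("Default", "Helpdesk"),
                 ("Default", "Operators"), ("Default", "Auditors")},
    account_masks={"Helpdesk": {"admin"}, "Operators": {"u"}},
)
```

"Auditors" has a managed group rule but no logon right, so its members get nothing, exactly as the Program Access section states; "Domain Admins" recovers anything because the all-access right skips both the managed group check and the masks.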

Managing Systems

Systems are organized into logical managed groups in Random Password Manager Enterprise Edition. The initial group called "Default" is the only group created when the program is installed. Operations are performed on systems by adding them to a managed group, selecting them, and then choosing the operation to perform.

In This Chapter

Managed Group Dialog ...53

Managed Group Dialog Menus ...53

System List Columns ...55

System Names and Name Resolution ...55

Add Systems to Group ...57

Connecting to Systems ...65

Selecting Systems ...65

Refresh Info ...65

Setting Managed Group System Ranges ...67

Dynamic Group Memberships ...68

Managing Multiple Managed Groups ...77

Managed Group Dialog

From this dialog you can add systems to or remove systems from the current active managed group. This is also where operations such as password change jobs are created. The system information associated with each system can also be seen here once it has been collected with a refresh operation.

Managed Group Dialog Menus

File

• Logging - Displays the details for the log file location and allows you to view the log.

• Datastore Configuration

  • Wizard - A step by step guide to connecting to a database.

  • Advanced - Complete database connection options.

• Application Components - View or change the settings for the application components.

• Manage Web Application

  • Simple - A simple interface which allows you to install the web application to the default paths given account information for the COM+ application.

  • Advanced - A complete set of options for installing the web application locally or remotely.

• Report Generator - An interface for exporting dialog data from the application to text files, xls files, or html files.

• Refresh All Systems - Refresh the system information for the systems in the active managed group (version, OS, etc).

• Refresh Selected Systems - Refresh the system information for the selected systems (version, OS, etc).

• View Stored Passwords - View all passwords for all systems that have been saved to the program's password store.

SystemList

• Manage System Sets - Create, change, or delete a managed group.

• Edit Current System Set Properties - Change the range for systems which will be dynamically included in this group.

• Update Current System Set Now - Update the current managed group according to the ranges for system membership.

• Add From Domain Systems List - Add systems to the current managed group manually from the domain list.

• Add From Browse List - Add systems to the current managed group from the domain browse list.

• Add Systems Manually - Add systems to the current managed group by manually entering their names.

• Add From Active Directory - Add systems to the current managed group by querying Active Directory.

• Scan IP Range for Groups/Machines - Add systems to the current managed group by scanning an IP range for systems.

• Delete Systems From List - Remove the selected systems from the current managed group.

• Eliminate Duplicate Systems From List - Remove any systems that are duplicates (same system by IP and name).

• Export Systems List to a Text File - Export the list of systems from the current managed group to a text file.

• Import Systems List from a Text File - Import the systems for the current managed group from a text file.

ConnectAs

• Alternate Administrator Accounts - Add alternate credentials to grant access to systems which refuse the current logon account credentials.

DeferredProcessor

• Jobs Monitor - A dialog which shows all jobs scheduled to happen and the progress of both current jobs and past jobs.

• Retry Policy - Configure the failure behavior of manual and scheduled jobs.

• Contents - Displays this document.

• License Keys - Shows which systems are currently using license tokens.

• Register - Enter a serial commercial key to register the application. Also supports remote licensing to connect to a licensed remote instance of the application.

• Database Configuration - Information about the current database connection settings.

• Logon Info - Information about the current logon session (user name, rights, etc).

• About - Displays version information, contact information, and the active serial number.

System List Columns

The columns shown for each system are:

Role - WS for workstations and SRV for servers.

Version - NT4, WK2, 2003, XP.

Resolve By - SN (System Name), NB (NetBIOS), or IP (IP Address).

NetBIOS Name

IP Address

Subnet Mask

DHCP - Shows whether or not the IP address for this system is assigned through DHCP.

MAC Address

Checked - The last time this system was successfully contacted.

Status - The last result message or error code for any operations on this system.

System Names and Name Resolution

NetBIOS names typically only resolve on a local subnet unless a WINS Server is provided.

IP addresses can be used, but they have two problems: they don't provide a very meaningful identification for a machine, and they may be re-assigned through DHCP. Both of these problems might cause an administrator to make changes on the wrong machine inadvertently.

With a DNS name, you can specify a machine in both an easily identifiable way, and a way which is insensitive to changes in the machine's IP address through DHCP as long as you are using DHCP and dynamic DNS linked together.


To check if a name is resolvable, try pinging the machine by name from the command line interface. If the ping resolves to the correct machine, our tool should be able to use that name to manage the machine (it uses the same resolution mechanism as ping does).

When the program does a Get Role/Version (Refresh) operation, it retrieves the NetBIOS name and IP address of each managed machine. By default, the machine is resolved by whatever name is in the System column (which can be a NetBIOS name, an IP address, or a DNS name). You can change the resolution type by right-clicking on the machine(s) and selecting a "Resolve By" option. This will cause the product to use the alternate name of the machine for name resolution. In most cases, however, the system name should be sufficient for name resolution. In addition, the other information can then be examined to make sure operations will affect the correct system(s).

Note: If you are having trouble connecting to machines using their DNS names, check to make sure the name you are using resolves to the correct machine (through ping).


Add Systems to Group

There are various ways to populate your groups with systems once the group has been created:

• Add from domain systems list.

• Add from network browse list.

• Add from shell network browse list.

• Add systems manually by name.

• Add from Active Directory.

• Add from scanned IP ranges.

• Import/Export Systems List from text file.

These methods are in addition to the IP Scanner and ODBC query, which can both be used to populate a group.

Add From Domain Systems List

Shown below is the Add from Domain List dialog.

The fastest method of adding NT/2000/Server 2003/XP systems to this program is to inquire at the Primary Domain Controller (or just a Domain Controller for 2000/2003/XP) for the list of machines which have joined the domain. There are a few confusing cases when viewing servers in the domain list. The machine list may not represent all of the machines on the network (some machines may not have joined the domain). The list usually contains systems that have left the domain, but have not been purged from the PDC database via NT/2000/XP's server management tools.

After adding machines to the Selected Systems list, you can use the "Platform?" button to verify the connectivity, credentials, and version of the selected systems. The "Platform?" feature contacts each machine on the list and inquires as to what version of the operating system it is running, as well as which network services (Type) are running on the machine. This feature is an excellent way to verify that only live, appropriate systems are added.

The Platform field indicates what operating system type is running:

• DOS

• OS/2 and Windows 95/98

• Windows NT/2000/XP

• UNIX/OSF

• DEC VMS

The system name and system comment are both shown in the available systems list. After systems have been selected and checked (by pressing "Platform?"), there are columns to display the Platform, Version (4.0 is NT, 5.0 is Windows 2000, 5.1 is Windows XP, and 5.2 is Server 2003), Role, and Net Services. The Net Services field indicates which network services are running on each system. It is normal for both an NT/2000/XP Workstation and an NT/2000/XP Server to have the Workstation and Server services running.

When performing domain lookups and platform checks the status, progress, and thread count are all updated in real time. The status box displays messages about the status of the current operation, and the active thread count displays how many threads have yet to complete for this operation.

Add From Network Browse List

Shown below is the Add From Network Browse dialog.

To add a machine using the Network Neighborhood browsing architecture of the operating system, press the "Insert" key on the keyboard or the "Browse" button on the Manage Systems dialog.

If you are working with systems that have not joined a domain (workgroups), the easiest way to find and add them is to use the Network Browser architecture of Windows. This dialog allows you to browse the different network providers (Microsoft, Novell, Banyan), and then drill down to find the different machines on each network.

After adding machines to the Selected Systems list, you can use the "Platform?" button to verify the connectivity, credentials, and version of the selected systems. The "Platform?" feature contacts each machine on the list and inquires as to what version of the operating system it is running, as well as which network services (Type) are running on the machine. This feature is an excellent way to verify that only live, appropriate systems are added.

The Platform field indicates what operating system type is running:

• DOS

• OS/2 and Windows 95/98

• Windows NT/2000/XP

• UNIX/OSF

• DEC VMS

The system name and system comment are both shown in the available systems list. After systems have been selected and checked (by pressing "Platform?"), there are columns to display the Platform, Version (4.0 is NT, 5.0 is Windows 2000, 5.1 is Windows XP, and 5.2 is Server 2003), Role, and Net Services. The Net Services field indicates which network services are running on each system. It is normal for both an NT/2000/XP Workstation and an NT/2000/XP Server to have the Workstation and Server services running.

When performing domain lookups and platform checks the status, progress, and thread count are all updated in real time. The status box displays messages about the status of the current operation, and the active thread count displays how many threads have yet to complete for this operation.

Add From Shell Network Browse List

The Shell Network Browser dialog allows you to browse the network for systems to add using the shell's browse functionality. This may be helpful for adding machines from organizational units in Active Directory, since the shell allows browsing of the Active Directory hierarchy. In this view, organizational units are represented as folders in the hierarchy. If you are creating a separate group for each


Add Systems Manually

Shown below is the Add Systems Manually dialog.

In cases where machines are not visible within the Network Neighborhood, and have not joined the domain, you may have to add them manually.

After adding machines to the Selected Systems list, you can use the "Platform?" button to verify the connectivity, credentials, and version of the selected systems. The "Platform?" feature contacts each machine on the list and inquires as to what version of the operating system it is running, as well as which network services (Type) are running on the machine. This feature is an excellent way to verify that only live, appropriate systems are added.

The Platform field indicates what operating system type is running:

• DOS

• OS/2 and Windows 95/98

• Windows NT/2000/XP

• UNIX/OSF

• DEC VMS

The system name and system comment are both shown in the available systems list. After systems have been selected and checked (by pressing "Platform?"), there are columns to display the Platform, Version (4.0 is NT, 5.0 is Windows 2000, 5.1 is Windows XP, and 5.2 is Server 2003), Role, and Net Services. The Net Services field indicates which network services are running on each system. It is normal for both an NT/2000/XP Workstation and NT/2000/XP Server to both have the Workstation and Server services running.

When performing domain lookups and platform checks, the status, progress, and thread count are all updated in real time. The status box displays messages about the status of the current operation, and the active thread count displays how many threads have yet to complete for this operation.
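The "Platform?" check described above, as an added PowerShell example that is not the product's own code or part of this manual: for each candidate name it tests reachability, then opens a WMI (DCOM) session with the supplied credential, reads the operating system version and role, and reports which of the Workstation and Server services are running. The function name Test-ManagedSystemPlatform is an assumption; the version-to-platform map is taken from the Version column description above. It assumes the targets accept WMI over DCOM from the account used.

```powershell
# Added example of a "Platform?"-style pre-check before adding systems to a managed group.
# Not the product's own code. Assumes the targets accept WMI (DCOM) connections with
# the supplied credential. Function and parameter names are assumptions.
function Test-ManagedSystemPlatform {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [System.Management.Automation.PSCredential]$Credential
    )

    # Version map from the manual's Version column; ProductType map from Win32_OperatingSystem.
    $versionNames = @{ '4.0' = 'Windows NT'; '5.0' = 'Windows 2000'; '5.1' = 'Windows XP'; '5.2' = 'Windows Server 2003' }
    $roleNames    = @{ 1 = 'Workstation'; 2 = 'Domain Controller'; 3 = 'Server' }
    $dcom = New-CimSessionOption -Protocol Dcom

    foreach ($name in $ComputerName) {
        $result = [ordered]@{ System = $name; Alive = $false; Platform = $null; Version = $null
                              Role = $null; NetServices = $null; Error = $null }

        # Step 1: is the host reachable at all? Dead entries should never reach a managed group.
        if (-not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
            $result.Error = 'No ICMP reply'
            [pscustomobject]$result
            continue
        }
        $result.Alive = $true

        try {
            # Step 2: credentials and remote management access.
            $sessionArgs = @{ ComputerName = $name; SessionOption = $dcom; ErrorAction = 'Stop' }
            if ($Credential) { $sessionArgs.Credential = $Credential }
            $session = New-CimSession @sessionArgs

            # Step 3: operating system version and role.
            $os = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem -ErrorAction Stop
            $majorMinor = ($os.Version -split '\.')[0..1] -join '.'
            $result.Version  = $majorMinor
            $result.Platform = if ($versionNames.ContainsKey($majorMinor)) { $versionNames[$majorMinor] } else { $os.Caption }
            $result.Role     = $roleNames[[int]$os.ProductType]

            # Step 4: which of the Workstation / Server services are running (the Net Services column).
            $svc = Get-CimInstance -CimSession $session -ClassName Win32_Service `
                       -Filter "Name='LanmanWorkstation' OR Name='LanmanServer'" -ErrorAction Stop
            $result.NetServices = ($svc | Where-Object State -eq 'Running' | ForEach-Object DisplayName) -join ', '
        }
        catch {
            # Bad credentials, firewall, or a non-Windows host all land here and are reported, not hidden.
            $result.Error = $_.Exception.Message
        }
        finally {
            if ($session) { Remove-CimSession $session; $session = $null }
        }
        [pscustomobject]$result
    }
}

# Usage: check the candidates, then add only those that passed every step.
# $cred    = Get-Credential
# $checked = Test-ManagedSystemPlatform -ComputerName 'ws01','srv02','stale-host' -Credential $cred
# $checked | Format-Table -AutoSize
# $ready   = $checked | Where-Object { $_.Alive -and -not $_.Error }
```

Only entries with Alive set and no Error should be carried into the Selected Systems list; a host that answers ping but rejects the credential will later fail every password operation, so it is better surfaced here than inside a scheduled randomization job.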


Add From Active Directory

Shown below is the Add Systems from Active Directory dialog on the Active Directory Browse page.

When running on Windows 2000/XP/Server 2003 you can use a special Active Directory control known as the Object Picker. We have programmed the Object Picker to search for computers in Windows 2000/XP/Server 2003 domains. By default the control shows both uplevel (native and mixed mode) systems and downlevel (NT) systems. You can modify the options to force the search through any domain controller and have the search executed remotely on the machine of your choice. You can also specify the type of directory to search (if needed).
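As an added PowerShell example, not the product's own code, the following enumerates the computer objects beneath one organizational unit directly through ADSI (the same directory view the Object Picker and the shell browser expose) and marks accounts that should not be enrolled: disabled accounts are excluded by the LDAP filter, and machines whose lastLogonTimestamp is older than a threshold are flagged as stale. The function name, the OU path in the usage line, and the 90-day threshold are assumptions.

```powershell
# Added example: list computer objects under one OU with ADSI and flag disabled or stale
# accounts before they are added to a managed group. Not the product's own code.
# The OU path, function name and 90-day threshold are assumptions.
function Get-FirstValue([System.DirectoryServices.ResultPropertyCollection]$Props, [string]$Key) {
    # Search results expose multi-valued collections; return the first value or $null if absent.
    if ($null -ne $Props[$Key] -and $Props[$Key].Count -gt 0) { $Props[$Key][0] } else { $null }
}

function Get-CandidateComputersFromOU {
    param(
        [Parameter(Mandatory)][string]$SearchBase,   # e.g. 'LDAP://OU=Workstations,DC=corp,DC=example'
        [int]$StaleDays = 90
    )

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]$SearchBase
    $searcher.SearchScope = 'Subtree'                # include nested OUs, as the folder view does
    $searcher.PageSize    = 500                      # paged results, so large OUs are not truncated
    # Computer objects only; exclude accounts with the ACCOUNTDISABLE bit (0x2) set,
    # using the LDAP_MATCHING_RULE_BIT_AND extensible match.
    $searcher.Filter = '(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    foreach ($attr in 'name','dNSHostName','operatingSystem','operatingSystemVersion','lastLogonTimestamp','distinguishedName') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }

    $cutoff = (Get-Date).AddDays(-$StaleDays)
    foreach ($r in $searcher.FindAll()) {
        $p  = $r.Properties
        $ts = Get-FirstValue $p 'lastlogontimestamp'
        # lastLogonTimestamp is a FILETIME; it replicates with a lag of up to 14 days,
        # so it is good enough for a staleness cut-off but not for precise last-use tracking.
        $lastLogon = if ($null -ne $ts) { [DateTime]::FromFileTime([int64]$ts) } else { $null }
        [pscustomobject]@{
            Name      = [string](Get-FirstValue $p 'name')
            DnsName   = [string](Get-FirstValue $p 'dnshostname')
            OS        = [string](Get-FirstValue $p 'operatingsystem')
            OSVersion = [string](Get-FirstValue $p 'operatingsystemversion')
            LastLogon = $lastLogon
            Stale     = ($null -eq $lastLogon) -or ($lastLogon -lt $cutoff)
            DN        = [string](Get-FirstValue $p 'distinguishedname')
        }
    }
}

# Usage: keep only machines that have checked in recently, then feed them to the
# Add Systems list or to a platform check.
# Get-CandidateComputersFromOU -SearchBase 'LDAP://OU=Workstations,DC=corp,DC=example' |
#     Where-Object { -not $_.Stale } | Select-Object Name, DnsName, OS, OSVersion
```

Filtering on the directory side keeps decommissioned or never-logged-on computer accounts out of the group, which matters because every system added becomes a target for password randomization and an entry whose credentials can be recovered through the web interface.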
