
Understanding and Configuring Password Manager for Maximum Benefits

Written by Chris Radband, senior professional services consultant, Dell Software

Introduction

About Password Manager

The pain of password management—the single most common support issue—is becoming more pervasive. The need to require more complex passwords that must be changed more frequently increases the likelihood that users will forget their passwords. As a result, increasing security often also increases support costs.

Password Manager provides a simple, secure set of password management utilities that allows end users to reset forgotten passwords and unlock their user accounts themselves. Therefore, administrators can implement stronger password policies while reducing help-desk workload. Password Manager accommodates the widest possible range of organization requirements and data security standards.


Benefits

Password Manager offers the following benefits:

• Reduced costs
  • Enabling users to reset their own passwords reduces help-desk workload and related support costs.
  • Users who forget their passwords can get back to work faster, with less frustration, which curbs productivity losses.
• Increased security
  • When users know they can reset their own passwords, they are less likely to write them down.
  • Enabling stronger password policy makes password guessing and break-ins more difficult.
• Streamlined administration
  • Password policies are easy to implement and enforce.
  • Administrators can easily track and report on all password reset activity.
  • Administrators have granular control over password policy in Windows 2008 at a per-group level rather than for the entire domain.
• Ease of use
  • Password resets are easy through an optional Graphical Identification and Authentication DLL (GINA) extension.

Dell™ Password Manager, a part of the Dell One Identity products from Dell Software, enables users to securely reset forgotten passwords and unlock their accounts themselves, so administrators can implement stronger password policies without adding to the help-desk workload. This technical brief describes Password Manager’s system requirements and logical architecture, and discusses key configuration decisions to help you derive maximum value from the solution.

Figure 1. Password Manager enhances security and reduces costs by enabling users to reset their own passwords. (Diagram not reproduced. It shows users who forget a password or are locked out, and the help desk that verifies user identity, interacting with Password Manager, which verifies the account, authenticates the user, enforces corporate policies and password history, resets forgotten passwords, manages password changes, unlocks accounts, logs activity and alerts on suspicious activity. Security administrators enforce enrollment, define questions and password policies, monitor activity and investigate alerts. Integrations shown: ActiveRoles Server and Identity Manager, password synchronization with Quick Connect, Defender, and Enterprise Single Sign-on.)


System requirements

Password Manager works with Windows 2000, 2003 and 2008 domains, including domains operating in a mixed mode.

Basic requirements

Platform: 800 MHz or higher Intel Pentium-compatible CPU (quad core recommended)

Memory: At least 128 MB RAM (256 MB recommended; 4+ GB recommended)

Hard disk space: 100 MB (20 GB recommended)

Operating system, one of the following:
• Microsoft Windows Server 2003 (32-bit edition) with Service Pack 1 or later
• Microsoft Windows Server 2003 (64-bit edition) with Service Pack 1 or later
• Microsoft Windows Server 2008 (32-bit edition) with Service Pack 1
• Microsoft Windows Server 2008 (64-bit edition) with Service Pack 1
• Microsoft Windows Server 2008 R2 (recommended)
• Microsoft Windows Server 2012

Internet Information Server, one of the following:
• Microsoft Internet Information Server 6.0
• Microsoft Internet Information Server 7.0
• Microsoft Internet Information Server 7.5
• Microsoft Internet Information Server 8.0
It is strongly recommended that you use HTTPS with Password Manager. For more information, see the Quick Start Guide.

Browser: Microsoft® Internet Explorer 6.0, 7.0, 8.0, 9.0 or 10.0

SQL Server, one of the following:
• Microsoft® SQL Server™ 2005
• Microsoft® SQL Server 2008
• Microsoft® SQL Server 2008 R2 (recommended)
• Microsoft® SQL Server 2012
Report definitions included with Password Manager 4.7 are designed to support the functionality of Microsoft SQL Server 2005 Reporting Services and Microsoft SQL Server 2008 Reporting Services. Note: If SQL is to be hosted on the Password Manager server, these specifications should be increased.

Microsoft .NET Framework: Microsoft® .NET Framework 3.5 SP1. Microsoft® .NET Framework 3.5 SP1 is included with the Password Manager distribution package. You must install .NET Framework 3.5 SP1 before you install Password Manager.

Acrobat Reader: Acrobat® Reader® 5.0 or later. Acrobat Reader 7.0 is included with the Password Manager distribution package.

Client requirements

Ensure that each client computer meets the following minimum software requirements:

Browser, one of the following:
• Microsoft® Internet Explorer 6.0, 7.0, 8.0 or 9.0
• Mozilla® Firefox® 3
• Apple® Safari® 5
• Google® Chrome® 7


Domain controller requirements

To be able to implement password policies in an Active Directory domain managed by Password Manager, you must deploy the Password Policy Manager component on all domain controllers in the managed domain.

The domain controllers where you plan to install the 32-bit or 64-bit version of the Password Policy Manager component must meet the following requirements:

Operating system, one of the following:
• Microsoft® Windows® 2000 Service Pack 4
• Microsoft® Windows Server™ 2003 (32-bit or 64-bit edition)
• Microsoft® Windows Server™ 2008 (32-bit or 64-bit edition)
• Microsoft® Windows Server™ 2008 R2

Hard disk space: 5 MB of free hard disk space

Target computer requirements

To allow password resets from the Windows logon screen, you must deploy the Secure Password Extension on all target computers in the managed domain. The target computers must meet the following minimum software requirements:

Operating system, one of the following:
• Microsoft® Windows® 2000 Server Service Pack 4
• Microsoft® Windows Server™ 2003
• Microsoft® Windows Server™ 2008
• Microsoft® Windows Server™ 2008 R2
• Microsoft® Windows® 2000 Professional Service Pack 4
• Microsoft® Windows® XP Professional Service Pack 2 or later
• Microsoft® Windows® Vista
• Microsoft® Windows 7™

Browser: Microsoft® Internet Explorer 6.0, 7.0, 8.0 or 9.0. We do not recommend use of any plug-ins for Microsoft Internet Explorer on computers where you plan to deploy Secure Password Extension, since the plug-ins extend Internet Explorer functionality and could pose security threats.

SQL sizing

Database size estimation is based upon the number of records stored. An estimate can be generated using the following information and is primarily based upon user count:

• Generic user activity (such as enroll, password reset or unlock) per 1000 users is estimated at less than 3–5 MB. For example, if the password reset rate is 10 per day, then database growth will be in the region of 30–50 KB per day, or about 1–1.5 MB per month.
• Reporting data is also stored in the database. No sizing estimate is available, but this is expected to be less than the user activity estimates above.

For more information, see Dell Support Solution 21284.


Logical architecture

Placement of the Password Manager server (which hosts IIS) and the SQL components (which can alternatively be hosted on the Password Manager server) is shown in Figure 2.

Figure 2. Logical architecture (diagram not reproduced: Internet; external firewall; DMZ containing the QPM/IIS server; internal firewall; LAN containing Active Directory, SQL Server and SQL Reporting Services. HTTPS on 443 crosses the external firewall to the QPM/IIS server; QPM traffic on 53-DNS, 80-HTTP, 88-Kerberos, 139-NetBios, 443-HTTPS, 445-MS DS, 636-S/LDAP, 3266-AD GC and 1433-SQL crosses the internal firewall into the LAN; port 25 SMTP goes to e-mail.)

Firewall ports

Hosting Password Manager in the DMZ requires ports to be open into the LAN, as shown in Figure 3.

Figure 3. Firewall ports (diagram not reproduced)
Internal firewall, DMZ to LAN (QPM traffic), open firewall ports: 53-DNS, 80-HTTP, 88-Kerberos, 139-NetBios*, 389-LDAP*, 443-HTTPS, 445-MS DS*, 636-S/LDAP, 3266-AD GC
External firewall, Internet to DMZ (HTTPS), open firewall ports: 443-HTTPS

* All communications through http port 80 can use https port 443. ** SQL connection uses a dynamic port (TCP 1816 SQL TCP Dynamic Port, to SQL) which is selected by SQL.


Several processes participate in communications. Some of them directly belong to Password Manager, and some are helpers used by Password Manager.

Password Manager Server (Add Domain\Create QA profile\Change Password\Reset Password)
• Svchost.exe in TCP 80 (HTTP)
• Lsass.exe out UDP 53 (DNS)
• W3wp.exe out UDP 53 (DNS)
• W3wp.exe out UDP 389 (LDAP) to DC
• W3wp.exe out TCP 389 (LDAP) to DC
• W3wp.exe out TCP 636 (LDAPS) to DC
• Lsass.exe out TCP 88 (Kerberos) to DC
• Lsass.exe out UDP 88 (Kerberos) to DC
• QPMSERVICE.exe out UDP 389 (LDAP) to DC
• QPMSERVICE.exe out TCP 389 (LDAP) to DC
• Svchost.exe out ICMP

SQL connection
• W3wp.exe out UDP 1434 (SQL) to SQL
• W3wp.exe out TCP 1816 (SQL TCP Dynamic Port) to SQL
• QPMSERVICE.exe out TCP 1816 (SQL TCP Dynamic Port) to SQL

Report Server
• W3wp.exe out TCP 80 (HTTP) to Report Server

Email
• W3wp.exe out TCP 25 (SMTP) to SMTP server
• QPMSERVICE.exe out TCP 25 (SMTP) to SMTP server

Secure Password Extension (SPE)
• Winlogon.exe out TCP 389 (LDAP) to DC
• Lsass.exe out UDP 88 (Kerberos) to DC
• SPEnroll.exe out TCP 389 (LDAP) to DC
• Winlogon.exe out TCP 80 (HTTP) to QPM host
• SPEHtml.exe out TCP 80 (HTTP) to QPM host

For more information

For more information about the ports used by Password Manager, see Dell Support Solution 61085.
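As an added example (not from the brief or from Dell), a PowerShell check run on the Password Manager server that the outbound paths listed above are actually open, including the SQL Browser lookup that reveals the dynamic SQL port; the host names are placeholders, and Test-NetConnection and Resolve-DnsName need Windows Server 2012 / Windows 8 or later.

```powershell
# Added example, not from the Dell brief: check from the Password Manager (QPM) server
# that the outbound paths in the list above are open. Host names are placeholders;
# Test-NetConnection and Resolve-DnsName need Windows Server 2012 / Windows 8 or later.
$Dc        = 'dc01.corp.example'     # placeholder domain controller
$SqlServer = 'sql01.corp.example'    # placeholder SQL Server hosting the QPM databases
$Reports   = 'rs01.corp.example'     # placeholder SQL Server Reporting Services host
$Smtp      = 'smtp.corp.example'     # placeholder SMTP relay

function Get-SqlBrowserReply {
    # SQL Browser answers a one-byte 0x03 request (SSRP CLNT_UCAST_EX) on UDP 1434 with a
    # ';'-delimited instance list containing "tcp;<port>": this is how clients learn the
    # dynamic TCP port the brief mentions (1816 in its example), which SQL chooses itself.
    param([string]$Server, [int]$TimeoutMs = 2000)
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        [void]$udp.Send([byte[]]@(0x03), 1, $Server, 1434)
        $from = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
        return [System.Text.Encoding]::ASCII.GetString($udp.Receive([ref]$from))
    } catch { return $null } finally { $udp.Close() }
}

function Test-TcpPath([string]$Target, [int]$Port, [string]$Purpose) {
    $r = Test-NetConnection -ComputerName $Target -Port $Port -WarningAction SilentlyContinue
    $status = if ($r.TcpTestSucceeded) { 'OPEN' } else { 'BLOCKED' }
    [pscustomobject]@{ Status = $status; Target = $Target; Port = $Port; Purpose = $Purpose }
}
function New-UdpResult([string]$Status, [string]$Target, [int]$Port, [string]$Purpose) {
    [pscustomobject]@{ Status = $Status; Target = $Target; Port = $Port; Purpose = $Purpose }
}

$results = @()
# UDP 53: Lsass.exe and W3wp.exe resolve names against the DC.
try {
    Resolve-DnsName -Name $Dc -Server $Dc -Type A -DnsOnly -ErrorAction Stop | Out-Null
    $results += New-UdpResult 'OPEN' $Dc 53 'DNS (udp)'
} catch { $results += New-UdpResult 'BLOCKED' $Dc 53 'DNS (udp)' }

# TCP paths from the process list: Kerberos, LDAP and LDAPS to the DC, HTTP to the
# report server, SMTP to the mail relay.
$results += Test-TcpPath $Dc      88  'Kerberos (Lsass.exe)'
$results += Test-TcpPath $Dc      389 'LDAP (W3wp.exe, QPMSERVICE.exe)'
$results += Test-TcpPath $Dc      636 'LDAPS (W3wp.exe)'
$results += Test-TcpPath $Reports 80  'HTTP to Report Server (W3wp.exe)'
$results += Test-TcpPath $Smtp    25  'SMTP (W3wp.exe, QPMSERVICE.exe)'

# UDP 1434 to SQL Browser, then the TCP port SQL actually chose (the dynamic port footnote).
$reply = Get-SqlBrowserReply -Server $SqlServer
if ($reply -and $reply -match 'tcp;(\d+)') {
    $results += New-UdpResult 'OPEN' $SqlServer 1434 'SQL Browser (udp)'
    $results += Test-TcpPath $SqlServer ([int]$Matches[1]) 'SQL dynamic TCP port (W3wp.exe, QPMSERVICE.exe)'
} else {
    $results += New-UdpResult 'BLOCKED' $SqlServer 1434 'SQL Browser (udp); dynamic port could not be learned'
}

$results | Format-Table -AutoSize
$blocked = @($results | Where-Object { $_.Status -eq 'BLOCKED' })
if ($blocked.Count -gt 0) { Write-Warning "$($blocked.Count) required path(s) blocked: review the internal firewall rules." }
```

A BLOCKED row for UDP 1434 does not by itself mean SQL is unreachable: if the instance listens on a fixed port, point Test-TcpPath at that port instead of relying on SQL Browser.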

Service account requirements

Password Manager service account

When you install Password Manager, you are prompted for the name and password of the Password Manager service account. For Password Manager to run successfully, the Password Manager service account must meet the following requirements:

• You need to add the Password Manager service account to the Administrators group on the web server where Password Manager is installed.
• In IIS 6.0, the Password Manager service account must be a member of the IIS_WPG local group on the web server. In IIS 7.0, the Password Manager service account must be a member of the IIS_IUSRS local group on the web server.

Permissions to access a managed domain

Usually, the Password Manager service account is used both to run the service and to access managed domains. In that case, the following permissions are required by the service account:

• Membership in the Domain Users group
• Read permission for all attributes of user objects
• Write permission for the following attributes of user objects: pwdLastSet, comment, and userAccountControl
• The right to reset user passwords
• Write permission to create user accounts in the Users container
• Read permission for attributes of the organizationalUnit object and domain objects
• Write permission for the gpLink attribute of the organizationalUnit objects and domain objects
• Read permission for attributes of the groupPolicyContainer objects
• Write permission to create and delete the groupPolicyContainer objects in the System Policies container
• Read permission for the nTSecurityDescriptor attribute of the groupPolicyContainer objects
• The permission to create and delete container and the serviceConnectionPoint objects in Group Policy containers
• Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers
• Write permission for the serviceBindingInformation and displayName attributes of the serviceConnectionPoint objects in Group Policy containers
• The permission to create container objects in the System container
• The permission to create the serviceConnectionPoint objects in the System container
• The permission to delete the serviceConnectionPoint objects in the System container
• Write permission for the keywords attribute of the serviceConnectionPoint objects in the System container
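An added PowerShell audit, not part of the brief, that reads the ACL of one user object and reports whether the service account holds the user-object write and reset-password rights listed above, resolving the attribute and extended-right GUIDs from the schema rather than hard-coding them; it assumes the ActiveDirectory RSAT module, and the account name and the sample user DN are placeholders.

```powershell
# Added example, not from the Dell brief: check which of the listed user-object rights the
# service account has been granted directly on one user. Assumes the ActiveDirectory module
# (RSAT). The account name and sample user DN below are placeholders.
Import-Module ActiveDirectory
$ServiceAccount = 'CORP\svc-qpm'                               # placeholder service account
$SampleUser     = 'CN=Test User,OU=Staff,DC=corp,DC=example'   # placeholder user DN

$root = Get-ADRootDSE

function Get-AttributeGuid([string]$LdapDisplayName) {
    # schemaIDGUID is stored as a byte array on the attributeSchema object.
    $o = Get-ADObject -SearchBase $root.schemaNamingContext `
        -LDAPFilter "(ldapDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    # Control access rights such as "Reset Password" live under CN=Extended-Rights.
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}

$wanted = @(
    @{ Name = 'Write pwdLastSet';         Right = 'WriteProperty'; Guid = Get-AttributeGuid 'pwdLastSet' }
    @{ Name = 'Write comment';            Right = 'WriteProperty'; Guid = Get-AttributeGuid 'comment' }
    @{ Name = 'Write userAccountControl'; Right = 'WriteProperty'; Guid = Get-AttributeGuid 'userAccountControl' }
    @{ Name = 'Reset password';           Right = 'ExtendedRight'; Guid = Get-ExtendedRightGuid 'Reset Password' }
)

# Only ACEs granted to the account itself are examined; rights that arrive through group
# membership would need each group checked the same way.
$acl  = Get-Acl -Path "AD:\$SampleUser"
$aces = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $ServiceAccount -and $_.AccessControlType -eq 'Allow'
}

foreach ($w in $wanted) {
    $right = [System.DirectoryServices.ActiveDirectoryRights]$w.Right
    # An ObjectType of all zeros means the ACE covers every property or every extended right,
    # which is broader than the brief asks for and worth noticing in a least-privilege review.
    $hit = $aces | Where-Object {
        (($_.ActiveDirectoryRights -band $right) -ne 0) -and
        ($_.ObjectType -eq $w.Guid -or $_.ObjectType -eq [guid]::Empty)
    }
    [pscustomobject]@{
        Permission = $w.Name
        Granted    = [bool]$hit
        Scope      = @($hit | ForEach-Object { if ($_.ObjectType -eq [guid]::Empty) { 'all' } else { 'specific' } }) -join ','
        Inherited  = @($hit | ForEach-Object { $_.IsInherited }) -join ','
    }
}
```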

Configuration design decisions

Note that the following configurations are common but not definitive.

Managed domains

• General logon security options—Configure logon security options as shown in Figure 4. The lockout conditions configured in Password Manager should be in line with user account policy.
• Groups—Use the following groups to manage access to Password Manager and mail notifications, and to enable phased rollout and registration:
  • Groups allowed to access the Password Manager Self-Service site
  • Groups denied access to the Password Manager Self-Service site
  • Groups allowed to receive registration notifications
  • Groups denied receiving registration notifications
  • Groups allowed to receive password expiration notification
  • Groups denied receiving password expiration notification
• Challenge questions—A project is currently underway to define the questions users will have to answer for registration or password resets. To register, a user should have to answer 5–6 questions from a list of 15–20 questions. To reset the password or unlock the account, a user should have to answer 2–3 questions.
• Q&A policy—Configure Q&A policy as shown in Figure 6. The minimum answer length depends somewhat upon the question list.

Figure 4. Logon security options


Figure 5. Configuring the number of questions required to register, reset a password, or unlock an account

Figure 6. Configuring the Q&A policy


• Enforcement of Q&A profile policy—The settings for user enforcement are illustrated in Figure 7.

Figure 7. Configuring enforcement of Q&A profile policy

Settings

• Self-service site—The common configuration of the self-service site is illustrated in Figure 8.
  • Days to notify before password expires: 10

Figure 8. Configuring the self-service site


• Help desk site—The usual configuration of the help desk site is shown in Figure 9.
• Profile update policy—Figure 10 shows how the profile update policy is commonly configured. To minimize profile update requirements, ensure that the Q&A policy definition is correct before rolling it out to the entire user base.
• Reporting and logging—A SQL Server and a SQL Server Reporting Services instance are required.
• Notification—Notification is usually disabled other than for troubleshooting or other special purposes. The available settings are illustrated in Figure 11.

Figure 9. Configuring the help desk site

Figure 10. Configuring the profile update policy


Figure 11. Configuring notifications

Customization

Website and logo

The look and feel of the website can be modified; it is common to customize the logos. More details can be found in Dell Support Solution 61098.

Disaster recovery

Backing up the domain controllers

Password Manager stores all important information in Active Directory, so as long as there is a valid backup of the domain controllers, the Password Manager Q&A profiles will be recoverable. Recovering data for individual users will be much easier if you have Dell™ Recovery Manager for Active Directory.

Backing up the encryption key

Another requirement is to have a backup copy of the encryption key. By default, this key is stored on the Password Manager server at: C:\Program Files\Quest Software\Quest One Password Manager\QPMEnckey.bin

Backing up the audit database, if desired

Password Manager uses a database, DDSLogSubsystem, to store auditing information, such as who has reset a password. If this information is needed in your organization, back up the database.

A backup of the local.spr file is also recommended.
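An added PowerShell script (not from the brief or from Dell) that performs the file and database backups described above and verifies each copy before it is trusted; the encryption key path is the brief's default, while the local.spr location, the backup share and the SQL instance name are assumptions to adjust.

```powershell
# Added example, not from the Dell brief: back up the encryption key, local.spr and the
# DDSLogSubsystem audit database, and verify each item. The key path is the brief's default;
# the local.spr path, the backup share and the SQL instance are assumptions. Invoke-Sqlcmd
# requires the SQL Server client tools (SQLPS or the SqlServer module) on this machine.
$QpmDir      = 'C:\Program Files\Quest Software\Quest One Password Manager'
$KeyFile     = Join-Path $QpmDir 'QPMEnckey.bin'   # default location per the brief
$SprFile     = Join-Path $QpmDir 'local.spr'       # assumed location
$BackupRoot  = '\\backup01\qpm$'                   # placeholder share; restrict its ACL to backup operators
$SqlInstance = 'sql01.corp.example'                # placeholder instance hosting DDSLogSubsystem

function Backup-QpmFiles([string[]]$Files, [string]$Destination) {
    # Copy each file and prove the copy is byte-identical by comparing SHA-256 hashes;
    # a key file truncated or corrupted on copy is worthless at recovery time.
    foreach ($f in $Files) {
        if (-not (Test-Path -LiteralPath $f)) { Write-Warning "Missing: $f"; continue }
        Copy-Item -LiteralPath $f -Destination $Destination
        $copy    = Join-Path $Destination (Split-Path $f -Leaf)
        $srcHash = (Get-FileHash -LiteralPath $f    -Algorithm SHA256).Hash
        $dstHash = (Get-FileHash -LiteralPath $copy -Algorithm SHA256).Hash
        [pscustomobject]@{ File = Split-Path $f -Leaf; Sha256 = $srcHash; Verified = ($srcHash -eq $dstHash) }
    }
}

function Backup-QpmAuditDb([string]$Instance, [string]$Destination) {
    # Full backup of the audit database. The SQL Server service account, not the user running
    # this script, writes the .bak file, so it is that account that needs write access here.
    $bak   = Join-Path $Destination 'DDSLogSubsystem.bak'
    $query = "BACKUP DATABASE [DDSLogSubsystem] TO DISK = N'$bak' WITH INIT, CHECKSUM, STATS = 10;"
    Invoke-Sqlcmd -ServerInstance $Instance -Query $query -QueryTimeout 0
    $bak
}

$dest = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $dest -Force | Out-Null

$manifest = Backup-QpmFiles -Files @($KeyFile, $SprFile) -Destination $dest
$manifest | Export-Csv -LiteralPath (Join-Path $dest 'manifest.csv') -NoTypeInformation
$manifest | Format-Table -AutoSize

$bakPath = Backup-QpmAuditDb -Instance $SqlInstance -Destination $dest
# RESTORE VERIFYONLY reads the whole backup and checks its page checksums without restoring it.
Invoke-Sqlcmd -ServerInstance $SqlInstance -Query "RESTORE VERIFYONLY FROM DISK = N'$bakPath' WITH CHECKSUM;" -QueryTimeout 0

if (@($manifest | Where-Object { -not $_.Verified }).Count -gt 0) { throw "File backup verification failed in $dest" }
```

The domain controller backup the brief lists first is not covered here; it is handled by the AD backup tooling already in place, and the manifest.csv hashes let a later restore drill confirm the key and local.spr are the same bytes that were copied.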

For more information

For more information about disaster recovery, see Dell Support Solution 31859.


TechBrief-ConfigQ1PMmaxBene-US-VG-2013-11-20

© 2013 Dell, Inc. ALL RIGHTS RESERVED. This document contains proprietary information protected by copyright. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose without the written permission of Dell, Inc. (“Dell”).
