for GrIDsure

How To Configure Defender for GrIDsure Tokens
The GrIDsure token can be used to protect any website hosted on Internet Information Server (IIS).
Defender 5.6 and later supports the use of GrIDsure tokens with the Defender Desktop Login application. Please
follow the configuration steps in this document and refer to the Defender Desktop Login & GrIDsure Token User
Guide.
This guide provides information for the administrator on how to configure Defender and IIS, using the Defender
ISAPI Agent, for use with the GrIDsure token. The instructions in this guide assume that a working Defender
system is in place with the required Defender components installed and configured; refer to System
Requirements.
For further information on Defender installation and configuration, refer to the Defender Installation Guide and
the Defender Configuration Guide.
Defender How To Configure for Use with GrIDsure Tokens
System Requirements
Before configuring Defender to use GrIDsure tokens, ensure that the following components are installed and
configured in your Defender system:
• Defender Administration Console version 5.5.0.907 or higher
• Defender Security Server version 5.5.0.907 or higher
• Defender ISAPI Agent version 5.5.0.907 or higher
Licensing
To enable GrIDsure tokens within Defender, you must first install a Defender Desktop Token License.
To do this, from Active Directory Users & Computers select the Install Desktop Token License option
from the Defender menu. The Defender menu is available when the Defender OU is selected.
The Defender License Import Wizard starts:
1. Click Next to display the Defender Import Wizard (License Files) dialog.
2. Click Add File to add your license file to the Licenses to install list.
3. Click on the required file, then click Open. The selected file is added to the Licenses to install list.
4. Click Next twice to complete the procedure.
How to Program a GrIDsure Token
GrIDsure tokens can be programmed:
• for a user by the Defender Administrator, or
• created and registered by the users themselves through Auto-Enrollment.
Programming a GrIDsure Token via the Administration Console
In Active Directory Users and Computers (ADUC), display the user properties page for the required user, then
select the Defender tab.
1. Select Program to start the Defender Token Programming Wizard.
2. Select Next. The Token Types dialog is displayed:
3. Select Defender Desktop Token, then select Next. The Defender Desktop Token Types dialog is
displayed:
4. Select GrIDsure, then select Next.
A user can have only one GrIDsure token assigned to them at any one time. If the user already has a
GrIDsure token, the following dialog is displayed:
You can choose to overwrite the user’s existing GrIDsure token or to leave the existing token. If you
choose to overwrite the existing token, the user must register the new token before it can be used to
authenticate.
5. The Checking User License dialog is displayed:
6. Click Next. The Defender Token Programming Complete dialog is displayed:
7. Click Finish. The GrIDsure token is displayed in the Token Management field on the username
Properties, Defender tab.
8. If GrIDsure authentication is enabled in the token policy assigned to this user (refer to Creating/Editing a
Policy for GrIDsure Tokens), the user will be required to configure his PIP the first time the token is used
for authentication through a GrIDsure aware client, i.e. the ISAPI Agent or Defender Desktop Login.
Creating/Editing a Policy for GrIDsure Tokens
You now need to configure a Defender Policy to use GrIDsure tokens. You can either modify an existing policy or
create a new policy. For information on how to create a new policy, please refer to the Defender Configuration
Guide.
To configure the policy for use with GrIDsure tokens where the tokens will be programmed by the Defender
Administrator, perform the following steps:
1. Select the Defender OU from the Active Directory tree.
2. Select Policies.
3. Right-click on the required policy.
4. Select Properties from the menu.
The policyname -Properties Policy dialog box is displayed:
5. On the Policy tab, in the Authentication methods, Use field, select Token.
6. Select the GrIDsure tab:
7. Select Enable GrIDsure Tokens and set the pattern length as required.
8. Select OK. The policy is now configured for GrIDsure tokens.
9. Assign the policy to the relevant access node, Defender Security Server, user or user group as required.
For information on how to assign a security policy, please refer to the Defender Configuration Guide.
GrIDsure Token Auto-Enrollment Mode
To enable Auto-Enrollment, set the Authentication Method, Use field to Token (GrIDsure Auto-Enrollment
Mode). The first time that the user attempts to authenticate using a GrIDsure enabled policy, the GrIDsure
token will be created and configured.
Enabling User Auto-Enrollment for GrIDsure Tokens
To configure the policy that will enable GrIDsure tokens to be created and configured when the user first
attempts to authenticate, perform the following steps:
1. Select the Defender OU from the Active Directory tree.
2. Select Policies.
3. Right-click on the required policy.
4. Select Properties from the menu.
The policyname -Properties Policy dialog box is displayed:
5. On the Policy tab, in the Authentication methods, Use field, select Token (GrIDsure Auto-Enrollment Mode).
6. Select the GrIDsure tab:
7. Check the Enable GrIDsure Tokens checkbox, then select OK to finish.
For information on how to authenticate in GrIDsure Auto-Enrollment Mode, refer to Accessing the Protected
Website.
Additional Configuration Options
During configuration, the following options can be set on the GrIDsure tab if required:
• Block consecutive patterns (horizontal, vertical and diagonal)
Check this box to enforce additional complexity rules for the PIP. Use this option to prevent the use of
horizontal, vertical and diagonal patterns.
• Enable Pattern Expiry
Check this box to force the user to provide a new pattern (PIP) after a set number of days. This option
is similar to setting a password expiry limit for AD passwords.
• Use numbers in grid
The default configuration is to use numbers only within the grid.
• Use letters in grid
Check this box to use letters in the grid.
If both Use numbers in grid and Use letters in grid are selected then the grid will display a combination of
both.
• Grid Style
Displays the GrIDsure Style dialog enabling you to change the size and style of the grid as required.
Installing the Defender ISAPI Agent
The Defender ISAPI Agent can be used as an ISAPI filter to provide Defender authentication for the website. To
install the Defender ISAPI Agent on the server hosting IIS, perform the following steps:
1. Run the installation file Defender ISAPI Agent x64 Installer.exe (for x64 platforms), or Defender
ISAPI Agent Installer.exe (for x86 platforms).
2. Select Next.
3. Accept the License Agreement.
4. Select Next.
5. Select Next to accept the default installation location, or select Browse to choose a different
location.
6. Select Next.
7. The Defender ISAPI Agent installation starts and the Installation Progress dialog is displayed:
8. On completion of the installation, the Installation Complete dialog is displayed:
9. Select Finish.
Configuring the ISAPI Agent
On completion of the ISAPI Agent installation, select Configure Defender ISAPI Agent Now. The Defender
ISAPI Agent Configuration dialog is displayed:
To configure the ISAPI Agent:
1. On the DSS Parameters tab, select Add.
2. Enter the name of the Defender Security Server where user authentication will be performed.
3. Enter the IP address of the Defender Security Server.
4. Enter the port number and shared secret configured on the access node that this connection will use.
5. Select the Protected Sites tab.
6. Select the site that you want to protect with Defender, then click OK to save the selection.
Accessing the Protected Website
This section describes how to access the protected website using Defender authentication and a GrIDsure
token.
1. From Internet Explorer, access the protected website. The Login page is displayed:
2. Enter your username and then select Login.
3. If you are using the GrIDsure Auto-Enrollment Mode and have no other token types assigned you will be
prompted for your Active Directory Windows password to start the registration process for your GrIDsure
token.
4. Enter your Windows password, then select Login.
If you have more than one token type assigned, you can choose which token to use for authentication.
In the example below, the user can either enter the synchronous response from a Go-x token or, if the
user has registered a GrIDsure token or the administrator has programmed one, click Use GrIDsure to
authenticate with a GrIDsure token.
On first use, you are required to configure your GrIDsure pattern or PIP.
The GrIDsure grid (as defined on the Defender security policy) is displayed.
5. Select a pattern using the letters within the grid and then enter these letters, without spaces, in the
Configure your GrIDsure PIP: box.
For example, the policy configured in Creating/Editing a Policy for GrIDsure Tokens requires a pattern of
between 4 and 8. Therefore a pattern, or PIP, such as AJBBBGAN would create a pattern using the top
left square and then the first 3 squares from row 2.
If the PIP does not meet the complexity rules configured on the policy, the following dialog is displayed:
Enter a PIP that meets the complexity requirements.
6. Select Login to save the PIP.
7. You are then prompted to authenticate using the PIP that was created for your token.
8. Enter the PIP (e.g. 3305) in the Use your GrIDsure PIP: box and select Login.
9. You will now be authenticated and allowed access to the protected website.
10. A GrIDsure token is now created for you. This can be viewed in the username Properties Defender
tab in Active Directory Users and Computers. The next time you access the website, you will be
prompted for your user name only and the PIP corresponding to your pattern.
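The sketch below is an added illustration, not Quest or GrIDsure code. It models the pattern rules set on the GrIDsure tab (pattern length, Block consecutive patterns, numbers or letters in the grid) and how a response is read from a grid at login. It assumes a 5x5 grid, cells written as (row, column), that a "consecutive" pattern is a single straight run of adjacent cells, and that each login shows a freshly randomized grid; all function names are hypothetical.

```python
import secrets
import string

GRID_SIZE = 5  # assumption: 5x5 grid; the real size is chosen in the Grid Style dialog


def is_straight_line(cells):
    """True if every step between successive cells is the same single-cell move
    (horizontal, vertical or diagonal), i.e. the pattern is one straight run."""
    steps = {(r2 - r1, c2 - c1) for (r1, c1), (r2, c2) in zip(cells, cells[1:])}
    if len(steps) != 1:
        return False
    dr, dc = next(iter(steps))
    return max(abs(dr), abs(dc)) == 1


def check_pattern(cells, min_len=4, max_len=8, block_consecutive=True):
    """Return the list of policy violations for a pattern (empty list = accepted)."""
    problems = []
    if not min_len <= len(cells) <= max_len:
        problems.append("length")
    if any(not (0 <= r < GRID_SIZE and 0 <= c < GRID_SIZE) for r, c in cells):
        problems.append("off-grid")
    if block_consecutive and is_straight_line(cells):
        problems.append("consecutive")
    return problems


def new_challenge(use_numbers=True, use_letters=False):
    """Build a random grid for one login attempt; numbers only is the default."""
    alphabet = (string.digits if use_numbers else "") + \
               (string.ascii_uppercase if use_letters else "")
    alphabet = alphabet or string.digits
    return [[secrets.choice(alphabet) for _ in range(GRID_SIZE)]
            for _ in range(GRID_SIZE)]


def expected_response(grid, cells):
    """Characters found at the pattern's cells, in order: what the user types."""
    return "".join(grid[r][c] for r, c in cells)


# Pattern from the example above: top-left square, then first 3 squares of row 2.
GUIDE_PATTERN = [(0, 0), (1, 0), (1, 1), (1, 2)]
# Constructed sample grid (not taken from a real Defender login page).
SAMPLE_GRID = ["12345", "67890", "13579", "24680", "11223"]
```

With Block consecutive patterns modelled this way, the guide's example pattern is accepted, while four cells along one row, column or diagonal are rejected.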
© 2012 Quest Software, Inc. ALL RIGHTS RESERVED.
Quest, Quest Software, the Quest Software logo and iToken are trademarks and registered trademarks of Quest Software, Inc.
in the United States of America and other countries. GrIDsure and the GrIDsure logos are trademarks and registered trademarks of Gridlock TS Limited. All other trademarks and registered trademarks are property of their respective owners.