NETWRIX PASSWORD MANAGER ADMINISTRATOR’S GUIDE

Product Version: 6.6
April 2016

Copyright 2016 Netwrix Corporation. All Rights Reserved.

Legal Notice

The information in this publication is furnished for information use only, and does not constitute a commitment from Netwrix Corporation of any features or functions, as this publication may describe features or functionality not applicable to the product release or version you are using. Netwrix makes no representations or warranties about the Software beyond what is provided in the License Agreement. Netwrix Corporation assumes no responsibility or liability for the accuracy of the information presented, which is subject to change without notice. If you believe there is an error in this publication, please report it to us in writing.

Netwrix is a registered trademark of Netwrix Corporation. The Netwrix logo and all other Netwrix product or service names and slogans are registered trademarks or trademarks of Netwrix Corporation. Active Directory is a trademark of Microsoft Corporation. All other trademarks and registered trademarks are property of their respective owners.

Disclaimers

This document may contain information regarding the use and installation of non-Netwrix products. Please note that this information is provided as a courtesy to assist you. While Netwrix tries to ensure that this information accurately reflects the information provided by the supplier, please refer to the materials provided with any non-Netwrix product and contact the supplier for confirmation. Netwrix Corporation assumes no responsibility or liability for incorrect or incomplete information provided about non-Netwrix products.

Suggestions or comments about this document? www.Netwrix.com/feedback

Table of Contents

1. INTRODUCTION .... 5
1.1. Overview .... 5
1.2. How This Guide is Organized .... 5
2. PRODUCT OVERVIEW .... 6
2.1. Key Features and Benefits .... 6
2.2. Product Architecture .... 6
2.3. Deployment Structure .... 7
2.4. Licensing Information .... 8
3. INSTALLING NETWRIX PASSWORD MANAGER .... 9
3.1. Installation Prerequisites .... 9
3.1.1. Hardware Requirements .... 9
3.1.2. Software Requirements .... 9
3.2. Installing Password Manager Service and Web Application .... 10
3.3. Installing Password Manager Client .... 10
3.4. Upgrading from Previous Versions .... 13
3.5. Migrating to Another Server .... 13
4. CONFIGURING PASSWORD MANAGER SECURITY .... 15
4.1. Configuring Web Application Security .... 15
4.2. Configuring Roles .... 19
4.3. Configuring Service Account Permissions .... 19
4.4. Installing Web Application in a DMZ .... 20
4.4.1. Configuring a DMZ Server that is an AD Domain Member .... 21
4.4.2. Configuring a DMZ Server that is not an AD Domain Member .... 24
4.5. Clustering for Enhanced Stability .... 29
4.6. Configuring Password Manager Client Security .... 30
4.7. Configuring Profile Database Security .... 30
4.8. Configuring Built-In Security Policies .... 31
5. CONFIGURING PASSWORD MANAGER SETTINGS .... 32
5.1. Accessing the Administrative Portal .... 32
5.2. Configuration Options Overview .... 32
5.3. Configuring the Managed Domains .... 33
5.3.1. Configuring Google Apps Settings .... 36
5.4. Editing Email Notification Templates .... 37
5.5. Customizing the Self-Service Portal .... 38
5.5.1. Branding .... 39
5.5.2. User Options .... 39
5.5.3. Predefined Questions .... 40
5.5.4. Questions Policy .... 41
5.5.5. Authentication Policy .... 42
5.5.6. Password Policy .... 42
5.5.7. Alerts .... 43
5.5.8. SMTP Settings .... 44
5.5.9. Updates .... 44
5.6. Assigning Roles .... 45
6. ENROLLING USERS FOR SELF-SERVICE .... 46
6.1. Manual Enrollment .... 46
6.2. Automatic Enrollment .... 46
6.3. Batch Enrollment .... 47
6.4. Batch Removal .... 49
7. TROUBLESHOOTING NETWRIX PASSWORD MANAGER .... 51
7.1. Error 401 .... 51
7.1.1. Issue Description .... 51
7.1.2. How to Fix .... 51
A. APPENDIX: NETWRIX PASSWORD MANAGER REGISTRY KEYS .... 52

1. INTRODUCTION

1.1. Overview

This guide is intended for system administrators and integrators. It contains a detailed product overview, instructions on how to install the product and information about security installation and configuration options. It also explains how to set up and use Netwrix Password Manager.

1.2. How This Guide is Organized

This section explains how this guide is organized and provides a brief overview of each chapter.

- Chapter 1 Introduction: the current chapter. It explains the purpose of this document, defines its audience and explains its structure.
- Chapter 2 Product Overview provides an overview of the Netwrix Password Manager features, and explains the system’s architecture and deployment structure. It also contains information on licensing.
- Chapter 3 Installing Netwrix Password Manager contains detailed instructions that will guide you through the installation process of the Password Manager Service and Client applications. It explains different installation scenarios, and also provides information on how to upgrade from previous product versions.
- Chapter 4 Configuring Password Manager Security explains different configuration and deployment options that provide for enhanced application security. It contains detailed instructions on how to set up the product for maximum performance and security.
- Chapter 5 Configuring Password Manager Settings explains how to configure the Self-Service Portal and the options available to users, how to enforce verification question policies and apply password restrictions, etc.
- Chapter 6 Enrolling Users for Self-Service lists and explains different enrollment options, and provides guidance for administrators on which option to choose.
- Chapter 7 Troubleshooting Netwrix Password Manager lists the issues that may be encountered while using Netwrix Password Manager, and contains detailed instructions on how to resolve them.
- Appendix: contains a list of all registry keys that provide additional options for Netwrix Password Manager configuration.

2. PRODUCT OVERVIEW

2.1. Key Features and Benefits

In an Active Directory environment, administration of user passwords includes multiple tasks, such as enforcing password security requirements through Group Policy, help-desk activities, and batch configuration of user account management options. Often, these operations are decentralized, and account owners are left out of account management.

Netwrix Password Manager is a solution that helps reduce help-desk and administration workload by doing the following:

- Providing end users with self-service web access to common password management tasks;
- Allowing help-desk operators to manage users’ accounts and view reports on their status through a simple web interface;
- Allowing administrators to enforce restrictions on the kinds of passwords that can be used, and to apply security policies and identity verification procedures to the managed domains.

To achieve this, the following three roles are distinguished:

- End users
- Help-desk operators
- Administrators

By assigning these roles to groups and single users, you can control who can perform which password management operations.

2.2. Product Architecture

Netwrix Password Manager consists of the following three components:

- Web Application: supports the web portals that provide the Password Manager functionality:
  - Administrative Portal: allows configuring password policies and user options, importing user account data for batch enrollment, etc.
  - Help-Desk Portal: allows centralized management and reporting on the enrolled users’ accounts.
  - Self-Service Portal: a web interface for end users to perform password management operations without contacting the help-desk.
- Password Manager Service: executes the operations requested through the web portals.
- Password Manager Client (also referred to as Windows Logon Prompt Extension*): extends the standard Windows logon prompt and pops up a dialog box that allows end users to perform self-service password management operations. It also supports the enrollment wizard.

*It is referred to as ‘Credentials Provider’ on Windows Server 2008 and above.

Both Password Manager Client and the web clients connect to the web service via the HTTP or HTTPS protocol. The web service, in turn, connects to Password Manager Service via the RPC protocol. Password Manager Service holds a secure profile database in the local file system, and communicates with Active Directory via encrypted LDAP and RPC channels.

The figure below illustrates the Netwrix Password Manager architecture and workflows:

Figure 1: Password Manager Architecture

2.3. Deployment Structure

Netwrix Password Manager components are typically distributed as follows:

I. Password Manager Service runs on a member server in an Active Directory domain.
   Note: Installation of the Service on domain controllers is possible but not recommended.
II. Web Application is installed on the same computer where Password Manager Service is installed. The Administrative, Help-Desk and Self-Service portals provided by Web Application are available from anywhere in the domain, and, optionally, from the Internet.
   Note: If you want to install Web Application in a DMZ (demilitarized zone), so that the web portals are accessible from anywhere on the Internet, you may want to install Password Manager Service on a different machine behind your firewall as a more secure configuration option. For information on this installation scenario and detailed instructions, refer to Section 4.4 Installing Web Application in a DMZ.
III. Password Manager Client is installed on end users’ computers (this component is optional).
   Note: The Password Manager Client and the Self-Service Portal are identical in terms of the functions they provide. Depending on your policies, you can choose not to deploy the Password Manager Client, and not sacrifice any functionality; or you can deploy it to give end users more self-service access options.

2.4. Licensing Information

Netwrix Password Manager is licensed for a free 20-day evaluation period. Netwrix Password Manager can be used as freeware for 100 users or less. Otherwise, a commercial license is required. For license types and pricing information, please refer to the Netwrix Password Manager web page.

To register the product with a permanent commercial license purchased from Netwrix, take the following steps:

1. Purchase the license code (it can be requested from the product page).
2. Install the product following the instructions in Chapter 3 Installing Netwrix Password Manager.
3. Open the Administrative Portal (for instructions refer to Section 5.1 Accessing the Administrative Portal) and click License. The Licensing Information page will be displayed:

Figure 2: Licensing Information Page

4. Fill in the fields and click OK.

3. INSTALLING NETWRIX PASSWORD MANAGER

This chapter guides you through the installation process of Password Manager Service, Web Application and Password Manager Client. It contains the following sections:

- Installation Prerequisites
- Installing Password Manager Service and Web Application
- Installing Password Manager Client
- Upgrading from Previous Versions
- Migrating to Another Server

3.1. Installation Prerequisites

3.1.1. Hardware Requirements

Before installing Netwrix Password Manager, make sure that the computers where Password Manager Service and Web Application are going to be installed meet the following hardware requirements:

- Minimum 20 MB of free hard disk space
- Minimum 512 MB of RAM

3.1.2. Software Requirements

Make sure that this software has been installed on the corresponding computers before proceeding with the installation.

Table 1: Password Manager Software Requirements

Product Component: Password Manager Service and Web Application
Required Software:
  Platform: Intel x86, AMD 32 or 64 bit
  General requirements:
  - Server OS: Windows Server 2008 R2 and above
  - .NET Framework 3.5 SP1
  - Windows Installer 3.1 or above
  - Microsoft Internet Explorer 6.0 or above / Mozilla Firefox 2.0 or above / Apple Safari 2.0 or above / Google Chrome 4.0 or above
  - IIS 6.0 or above (Web Server role for Windows Server 2008)
  The following features must be enabled prior to the installation:
  - IIS 6 Management Compatibility
  - ASP extension
  - Windows Integrated Authentication
  - Anonymous Authentication
  - ASP.NET
  For instructions on how to install the Web Server role, please refer to the following article: Installing the Web Server Role.

Product Component: Password Manager Client
Required Software:
  - Client OS: Windows 7 and above; Server OS: Windows Server 2008 R2 and above
  - .NET Framework 3.5 SP1
  - Web browser: Microsoft Internet Explorer 6.0 or above

Make sure that the end users’ computers have one of the following web browsers installed:

- Microsoft Internet Explorer 6.0 or above
- Mozilla Firefox 2.0 or above
- Apple Safari 2.0 or above
- Google Chrome 4.0 or above

3.2. Installing Password Manager Service and Web Application

Procedure 1. To install Password Manager Service and Web Application

1. Run the product setup file called Netwrix Password Manager.exe on a member server or a workstation.
2. In a simple scenario, accept the default settings and specify the service account in the DOMAIN\user format. The service account must have the appropriate access rights to your domain accounts to be able to reset passwords and unlock accounts. For details on the service account privileges, refer to Section 4.3 Configuring Service Account Permissions.
3. Follow the instructions of the wizard to complete the installation.

As a result, once the installation is complete, the Administrative Portal will be started in the default web browser.

For security considerations, it is recommended to enable the HTTPS protocol for the Web Server on the machine where Password Manager Service is installed. For details on how to enable encryption for IIS, refer to the following documentation:

- How to implement SSL in IIS
- How to Set Up SSL on IIS 7

For the advanced installation scenario (installation on an Internet-facing DMZ server), refer to Section 4.4 Installing Web Application in a DMZ.

3.3. Installing Password Manager Client

Password Manager Client can be installed manually or automatically through Group Policy. Installation through Group Policy is recommended when you need to deploy Password Manager Client on a large number of client computers. If you want to perform a silent installation, you can do it via the command prompt by using the msiexec component with any of its options enabled.

See the procedures below for instructions on the installation options:

- Procedure 2 To install Password Manager Client manually
- Procedure 3 To install Password Manager Client via the command prompt
- Procedure 4 To install Password Manager Client via Group Policy

Procedure 2. To install Password Manager Client manually

1. Run the Netwrix Password Manager client.msi installation package (located in the Password Manager installation folder) on all computers where you want to deploy the Password Manager Client (Windows Logon Prompt Extension). The installation wizard will start.
2. When prompted, specify the installation path and the path to the Self-Service Portal.
3. Follow the instructions of the wizard to complete the installation.

Procedure 3. To install Password Manager Client via the command prompt

1. Run the following command in the command prompt:

    msiexec.exe /i "Netwrix Password Manager client.msi" PM_URL="https://localhost/pm" /quiet

2. To check all available options, type in “msiexec /help” and press Enter.
3. To enable the required Password Manager self-service option, add its name and a value to the command prompt when installing the client. The available options are as follows:
   - PM_NOLPE: can be “true” or “false”, quotes needed. If “true”, only the enrollment wizard is installed, without the logon prompt extension, which helps reset a password from the logon screen.
   - PM_URL: URL of the Password Manager server, by default http://%PRMservername%/pm.
   - ALLUSERS: can be “1” or “2”; if 1, the enrollment wizard is installed for all users.
   - PM_NOREBOOT: can be “true” or “false”, quotes needed.

The options should be added in the following format:

    msiexec /i "<file name>.msi" <option name>="<option value>" /quiet

Example:

    msiexec.exe /i "Netwrix Password Manager client.msi" ALLUSERS="1" PM_URL="https://localhost/pm" /quiet

To add several options, separate them by a space in the following format:

    msiexec /i "<file name>.msi" <option1 name>="<option1 value>" <option2 name>="<option2 value>" /quiet

Example:

    msiexec.exe /i "Netwrix Password Manager client.msi" ALLUSERS="1" PM_NOLPE="false" PM_URL="https://localhost/pm" PM_NOREBOOT="true" /quiet

Procedure 4. To install Password Manager Client via Group Policy

1. Verify that:
   - Password Manager Service and Web Application are installed on the server.
   - The Group Policy Management Console (GPMC) is installed on the target computer.
   Note: The Group Policy Management Console is a free download from Microsoft, and can be obtained from the following link: http://go.microsoft.com/fwlink/?linkid=58541
2. Start the GPMC by going to Start → Control Panel → Administrative Tools → Group Policy Management.

3. Right-click the OU (organizational unit), or the entire domain, that your client computers belong to, and select Create and Link a GPO Here. Enter the name of the new GPO (Group Policy Object), for example ‘Netwrix Password Manager’.
4. Right-click the newly created GPO and select Edit to start Group Policy Object Editor.
5. Navigate to the Computer Configuration → Administrative Templates node, right-click it and select the Add/Remove Templates option. Click Add and browse to the Netwrixpm.adm file (by default installed to C:\Program Files\Netwrix Password Manager).
6. Navigate to the Computer Configuration → Administrative Templates → Netwrix Password Manager node and double-click Password Manager server URL in the right pane. In the dialog that opens, select the Enabled option, and enter the Self-Service Portal URL.
7. Adjust the advanced options (for example Suppress Enrollment Errors, Reset Local Credentials Cache, and others) if necessary.
8. Place the Netwrix Password Manager client.msi package in a network share, e.g. \\MYSERVER\Share.
   Note: This share and its contents must be available to all users.
9. Navigate to Computer Configuration → Policies → Software Settings. Right-click Software Installation, and select New Package.
10. Select the package from the share. In the Deploy Software dialog select Assigned (the default value), and click OK.

The Password Manager Client will be deployed automatically on end users’ computers during the next startup. They will be restarted automatically after the installation.

Note: If later the Password Manager Web Application is moved to another server, the Password Manager URL must be updated.

Figure 3 below shows the logon dialog for Windows 7 with the Logon Prompt Extension that will now be displayed each time you log on to the system:

Figure 3: Logon Prompt Extension Dialog in Windows 7
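The silent installation from Procedure 3, wrapped in a PowerShell script so the option values are checked before msiexec runs and the exit code is interpreted; this is an added example, not part of the Netwrix guide. It assumes the property names PM_URL, PM_NOLPE, PM_NOREBOOT and ALLUSERS listed in Procedure 3, that the client package is Authenticode-signed, and parameter names of its own; it refuses a plain-HTTP portal URL because Section 4.1 requires HTTPS.

```powershell
# Added example (not from the Netwrix guide): validated wrapper around
#   msiexec /i <file>.msi <option>="<value>" ... /quiet   (Procedure 3)
# Assumptions: -MsiPath and -PortalUrl are supplied by the caller; the MSI is
# Authenticode-signed (drop that check if your copy is not); property names
# are those listed in Procedure 3.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $MsiPath,     # e.g. \\MYSERVER\Share\Netwrix Password Manager client.msi
    [Parameter(Mandatory)] [string] $PortalUrl,   # e.g. https://pm.example.local/pm (constructed value)
    [ValidateSet('true', 'false')] [string] $NoLogonPromptExtension = 'false',  # PM_NOLPE
    [ValidateSet('true', 'false')] [string] $NoReboot = 'true',                 # PM_NOREBOOT
    [ValidateSet('1', '2')]        [string] $AllUsers = '1',                    # ALLUSERS
    [string] $LogPath = "$env:TEMP\pm-client-install.log"
)

if (-not (Test-Path -LiteralPath $MsiPath)) {
    throw "MSI package not found: $MsiPath"
}

# Procedure 3 gives http://%PRMservername%/pm as the default; Section 4.1
# requires HTTPS, so reject a plain-http portal URL instead of baking it into
# every client's logon screen.
if ($PortalUrl -notmatch '^https://') {
    throw "Portal URL must use HTTPS: $PortalUrl"
}

# A package pulled from a share and installed machine-wide deserves a signature
# check first (assumption: the vendor MSI carries an Authenticode signature).
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
if ($sig.Status -ne 'Valid') {
    throw "Refusing package with signature status '$($sig.Status)': $MsiPath"
}

# Build the property list in the guide's format; values are quoted as the
# guide requires for true/false and 1/2.
$properties = [ordered]@{
    PM_URL      = $PortalUrl
    PM_NOLPE    = $NoLogonPromptExtension
    PM_NOREBOOT = $NoReboot
    ALLUSERS    = $AllUsers
}
$msiArgs = @('/i', "`"$MsiPath`"")
foreach ($name in $properties.Keys) {
    $msiArgs += ('{0}="{1}"' -f $name, $properties[$name])
}
# /l*v writes a verbose Windows Installer log, which is where a failure is explained.
$msiArgs += @('/quiet', '/l*v', "`"$LogPath`"")

Write-Verbose ('msiexec.exe ' + ($msiArgs -join ' '))
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# Windows Installer result codes: 0 = success, 3010 = success but a reboot is
# required, anything else = failure (1603 is the generic fatal error).
switch ($proc.ExitCode) {
    0       { Write-Output "Installed Password Manager Client. Log: $LogPath" }
    3010    { Write-Warning "Installed; reboot required before the logon prompt extension is active." }
    default { throw "msiexec failed with exit code $($proc.ExitCode). See $LogPath" }
}
```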

Note: If you cannot log on to the system, click the Other Credentials button, and then select the Can’t log on? Click HERE for assistance icon:

Figure 4: The logon assistance icon

3.4. Upgrading from Previous Versions

Procedure 5. To upgrade Password Manager Service and Web Application

1. Back up the three .bin files in the product installation folder (alinfo.bin, inv_logon.bin and secrets.bin).
2. Install a new version in the same way as explained in Section 3.2 Installing Password Manager Service and Web Application above.

All current product settings will be preserved, and no reconfiguration is required.

Note: If you applied some specific IIS settings to your previous Netwrix Password Manager version, verify them and reconfigure if necessary.

Procedure 6. To upgrade Password Manager Client via Group Policy

1. Upload the latest Netwrix Password Manager client.msi file to a network share as explained in Procedure 4 To install Password Manager Client via Group Policy.
2. Navigate to Start → Control Panel → Administrative Tools → Group Policy Management. To locate the required Domain Policy, expand the Forest: <forest name> → Domains → <domain name> → Group Policy Objects node. Right-click the node and select Edit.
3. Navigate to Computer Configuration → Policies → Software Settings, right-click the Password Manager Client package and select All Tasks → Redeploy Application.

The Password Manager Client will be reinstalled on all computers where the Group Policy applies.

3.5. Migrating to Another Server

Procedure 7. To migrate Netwrix Password Manager to another server

1. Install Netwrix Password Manager on a new server.
2. Stop Netwrix Password Manager Service on the server where the product was installed initially.
3. On the old server, navigate to the product installation directory (the default path is C:\Program Files (x86)\Netwrix Password Manager) and copy the following files to the same location on the new server:

   - alinfo.bin
   - secrets.bin
   - PredefinedQuestions.txt
   - the entire Templates folder
4. Start Password Manager Service on the new server.
5. If you are using Netwrix Password Manager Client, change the Netwrix Password Manager server address as follows:
   a. Navigate to Start → Administrative Tools → Group Policy Management Console.
   b. Right-click the GPO created for Netwrix Password Manager and select Edit from the pop-up menu.
   c. In the dialog that opens, navigate to Computer Configuration → Administrative Templates → <Your Password Manager Template>.
   d. In the right pane, specify the new server URL in the Password Manager Server URL entry field.
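The file copy that both Procedure 5 (backing up the three .bin files before an upgrade) and Procedure 7 (moving the profile data to a new server) rely on, as a PowerShell script that stops the service first and verifies every copied file by hash; this is an added example, not part of the Netwrix guide. The service short name and the -Destination, -Source and -Mode parameters are assumptions of this script; the file names and the default installation path are the ones the guide lists.

```powershell
# Added example (not from the Netwrix guide): copy the files named in
# Procedure 5 (Upgrade mode) or Procedure 7 (Migrate mode) from the
# installation directory and verify the copy by SHA-256 before relying on it.
# Assumptions: -ServiceName is the Windows service short name (the guide only
# gives the display name "Netwrix Password Manager Service"; check Get-Service);
# -Source defaults to the path given in Procedure 7.
param(
    [Parameter(Mandatory)] [string] $Destination,  # e.g. \\NEWSERVER\c$\Program Files (x86)\Netwrix Password Manager
    [string] $Source = "${env:ProgramFiles(x86)}\Netwrix Password Manager",
    [string] $ServiceName = 'NetwrixPasswordManager',   # assumed short name
    [ValidateSet('Upgrade', 'Migrate')] [string] $Mode = 'Migrate'
)

# The file sets are exactly those the two procedures list.
$items = switch ($Mode) {
    'Upgrade' { 'alinfo.bin', 'inv_logon.bin', 'secrets.bin' }
    'Migrate' { 'alinfo.bin', 'secrets.bin', 'PredefinedQuestions.txt', 'Templates' }
}

$Source = (Resolve-Path -LiteralPath $Source).Path

# Stop the service so the profile database is not being written mid-copy
# (Procedure 7, step 2); wait up to 60 s for it to actually stop.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -ne 'Stopped') {
    Stop-Service -Name $ServiceName
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
}

if (-not (Test-Path -LiteralPath $Destination)) {
    New-Item -ItemType Directory -Path $Destination | Out-Null
}

# Copy files and the Templates folder; secrets.bin holds the product's secrets,
# so use an authenticated SMB path or local disk as the destination and
# restrict its ACL afterwards.
foreach ($item in $items) {
    $src = Join-Path $Source $item
    $dst = Join-Path $Destination $item
    if (-not (Test-Path -LiteralPath $src)) { throw "Missing: $src" }
    if (Test-Path -LiteralPath $src -PathType Container) {
        New-Item -ItemType Directory -Path $dst -Force | Out-Null
        Copy-Item -Path (Join-Path $src '*') -Destination $dst -Recurse -Force
    } else {
        Copy-Item -LiteralPath $src -Destination $dst -Force
    }
}

# Verify file by file so a truncated or corrupted copy is caught before the
# old server is decommissioned or the upgrade is started.
$files = foreach ($item in $items) {
    Get-ChildItem -LiteralPath (Join-Path $Source $item) -File -Recurse
}
foreach ($f in $files) {
    $rel    = $f.FullName.Substring($Source.TrimEnd('\').Length + 1)
    $copied = Join-Path $Destination $rel
    $srcHash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -LiteralPath $copied     -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) { throw "Hash mismatch for $rel" }
}
Write-Output ('Copied and verified {0} file(s) to {1}' -f @($files).Count, $Destination)
```

In Migrate mode, start the service on the new server (Procedure 7, step 4) only after this script reports a clean verification.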

4. CONFIGURING PASSWORD MANAGER SECURITY

There are several ways to enhance Password Manager operational security. This chapter explains the available security options and provides detailed instructions on how to configure them.

This chapter covers:

- Configuring Web Application Security
- Configuring Roles
- Configuring Service Account Permissions
- Installing Web Application in a DMZ
- Clustering for Enhanced Stability
- Configuring Password Manager Client Security
- Configuring Profile Database Security
- Configuring Built-In Security Policies

4.1. Configuring Web Application Security

The Web Application component does not have any inner security logic: it acts merely as a communication and presentation layer between the Web Portals/Password Manager Client and the Password Manager Service. All security checks and policy enforcements are realized on the Password Manager Service side.

However, to provide for secure communications, SSL (Secure Sockets Layer) is required to prevent data eavesdropping and tampering. You must install an SSL certificate (for example, obtained from http://www.verisign.com) on your web server, and enable the HTTPS protocol at port 443. It is recommended to disable the non-secure HTTP protocol on port 80.

To install an SSL certificate, perform one of the procedures below depending on your IIS version:

- Procedure 8 To install an SSL certificate on IIS7
- Procedure 9 To install an SSL certificate on IIS6

To redirect users from any page of your website right to the Password Manager Portal, or to create a redirection from an http address to an https address, follow the procedure below:

- Procedure 10 To create a redirect in IIS

Procedure 8. To install an SSL certificate on IIS7

1. On the Password Manager server, navigate to Start → Control Panel → Administrative Tools → Internet Information Services (IIS) Manager. In the left pane, select the computer where the Password Manager Web Application is installed.
2. In the center pane, double-click Server Certificates.
3. In the Server Certificate dialog that opens, select one of the options in the Actions pane depending on the action you want to take: import an existing certificate, request a certificate, or create a certificate:

Figure 5: Server Certificate: Actions Tab

4. When a certificate has been installed, in the left pane select the default web site where your PRM folder is displayed.
5. In the Actions pane, click Bindings, and then click Add. The following dialog will be displayed:

Figure 6: Add Site Binding

6. In the Type drop-down list, select ‘https’, specify your SSL certificate, and click OK.

Procedure 9. To install an SSL certificate on IIS6

1. On the Netwrix Password Manager server, navigate to Start → Control Panel → Administrative Tools → Internet Information Services (IIS) Manager → <computer name> → Web Sites → Default Web Site, where your PRM folder is displayed.

2. Right-click the web site folder and switch to the Properties → Directory Security tab:

Figure 7: Default Web Site Properties

3. Click the Server Certificate button and follow the Web Server Certificate Wizard by specifying your certificate.

Procedure 10. To create a redirect in IIS

1. On the Password Manager server, make sure you have installed the HTTP Redirect feature for IIS: navigate to Start → Control Panel → Programs and Features and select Turn Windows features on or off.
2. In the Server Manager dialog, select Web Server (IIS) and click Add Role Services on the right.
3. In the Add
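The binding steps of Procedure 8 (steps 4 to 6) together with the Section 4.1 recommendation to disable HTTP on port 80, scripted with the IIS WebAdministration module so the result can be applied and verified without the IIS Manager dialogs; this is an added example, not part of the Netwrix guide. It assumes the site is "Default Web Site" (the site holding the PRM folder), that the certificate is already in the machine store (Procedure 8, step 3), and that $CertThumbprint identifies it.

```powershell
# Added example (not from the Netwrix guide): HTTPS-only binding for the site
# that hosts the PRM folder, per Section 4.1 and Procedure 8 steps 4-6.
# Assumptions: IIS 7 or later with the WebAdministration module; the
# certificate (with private key) is already installed in LocalMachine\My.
param(
    [Parameter(Mandatory)] [string] $CertThumbprint,
    [string] $SiteName = 'Default Web Site'
)

Import-Module WebAdministration

# Locate the certificate and refuse ones IIS cannot use or that are already expired.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $CertThumbprint }
if (-not $cert)                       { throw "Certificate $CertThumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey)         { throw "Certificate has no private key; IIS cannot use it" }
if ($cert.NotAfter -lt (Get-Date))    { throw "Certificate expired on $($cert.NotAfter)" }

# 1. HTTPS binding on port 443 (what the Add Site Binding dialog creates).
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443
}
# Attach the certificate to the 0.0.0.0:443 listener (the "specify your SSL
# certificate" part of Procedure 8, step 6). Re-create it if one is present.
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslPath) { Remove-Item $sslPath }
New-Item $sslPath -Value $cert | Out-Null

# 2. Disable the non-secure HTTP protocol on port 80, as Section 4.1 recommends.
if (Get-WebBinding -Name $SiteName -Protocol http -Port 80) {
    Remove-WebBinding -Name $SiteName -Protocol http -Port 80
}

# 3. Verify: an https binding exists and no http binding remains on the site.
$bindings = Get-WebBinding -Name $SiteName
$bindings | Format-Table protocol, bindingInformation -AutoSize
if ($bindings | Where-Object { $_.protocol -eq 'http' })        { throw "HTTP binding still present on '$SiteName'" }
if (-not ($bindings | Where-Object { $_.protocol -eq 'https' })) { throw "HTTPS binding missing on '$SiteName'" }
Write-Output "Site '$SiteName' now serves HTTPS only with certificate $CertThumbprint"
```

Skip step 2 of the script if you intend to keep port 80 open solely for the http-to-https redirect of Procedure 10; the two approaches are alternatives, not a combination.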
