Configurable Password Management: Balancing Usability and Compliance

Password Management Layer
v.3.2-004




PistolStar, Inc. dba PortalGuard
PO Box 1226
Amherst, NH 03031 USA

Phone: 603.547.1200
Fax: 617.674.2727
E-mail: sales@portalguard.com
Website: www.portalguard.com

© 2012, PistolStar, Inc. dba PortalGuard All Rights Reserved.
Tech Brief — Configurable Password Management



PortalGuard Configurable Password Management: Balancing Usability and Compliance

Table of Contents

Summary (p. 2)
The Basics (p. 2)
PortalGuard Password Management (p. 3)
Features (p. 3)
Benefits (p. 3)
How it Works (p. 4)
    Password Policies (p. 4)
    Policy Search Order and Precedence (p. 4)
    User Profiles (p. 5)
    Step-by-Step Process (p. 5)
Configuration (p. 9)
Deployment (p. 13)
IIS Install (p. 13)
System Requirements (p. 13)
Supporting Videos (p. 14)
Platform Layers (p. 14)




Summary

Implementing strong authentication security for web-based applications before deployment to your production environment is the ideal approach; however, many projects take longer than expected, so some applications are deployed without security policies in place, such as password quality, password expiration and strike counts.

Password management is usually added later, when a security audit uncovers an application as being non-compliant. To make a web-based application compliant, you need to decide whether to build or buy a complete authentication security solution. Buying an off-the-shelf solution, such as PortalGuard, offers the much-needed enterprise-ready security functionality that easily integrates into your existing web-based and SQL applications.

Sometimes developers may not consider the organization’s data accessed by the web-based application to be sensitive, and therefore increasing security becomes a secondary consideration during deployment. A low-risk application may require either no authentication or the use of just a username and password, though this approach should not be used in applications with medium or high risk. Please review other PortalGuard tech briefs on increasing web-based authentication security with approaches such as contextual and two-factor authentication. These tech briefs provide more information on the security risks of using just passwords as a single barrier to blocking unauthorized access to your organization’s data.


The Basics

Passwords remain an important aspect of authentication security. A poorly chosen password may result in unauthorized access and/or exploitation of an organization’s resources and critical data. The purpose of password management policies is to establish and enforce the security standard for the creation of strong passwords, the protection of those passwords, and how frequently to change them.

However, one of the first steps to password management is educating your users on password best practices via a security awareness program with information such as:

- Never share your account
- Never use the same password for multiple systems
- Never tell a password to anyone, including those claiming to be from security or customer service within your organization
- Never write down a password
- Never provide a password over the phone, e-mail or instant messaging
- Make sure to log off or lock your workstation before leaving a computer unattended
- Change your password whenever you suspect it may have been compromised
- Passwords should be alphanumeric at a minimum

General password management best practices provide the foundation for strong organizational security policies, including:

- How complex a password needs to be should be based on risk
- How frequently you change your passwords should be based on risk
- At all points, passwords should be protected from being exposed




PortalGuard Password Management

PortalGuard’s password management goes beyond the foundational principles and provides enhanced functionality which improves the security of passwords while improving usability for users. This is done with features such as strong password policy enforcement, password synchronization, and self-service password reset. By creating this balance between security and usability, PortalGuard can significantly reduce Help Desk calls and increase user adoption.

To provide you with flexibility, PortalGuard’s password management policies can be configured down to the individual user, group or domain hierarchy, enforcing the appropriate level of security for each.


Features

- Password Complexity - customizable rules for minimum and maximum length, and uppercase, lowercase and special characters. Complexity checks can also be performed during each login to assure compliance.
- Password History - prevent users from reusing their last “n” passwords
- Password Expiration - set expiration and grace periods
- Strikeout/Lockout Limits - enforce a configurable number of strikes before an account lockout and optionally specify a minimum “lockout time” the user must wait before the account is automatically unlocked and they can again attempt to log in
- Prevent Users from Sharing Credentials - limit multiple concurrent logon sessions
- Lockout Inactive User After “n” Days - identify and stop access from dormant user accounts
- Help Desk/Verbal Authentication - prove a user’s identity when calling into the Help Desk by answering a series of challenge questions
- Email Calendar Reminders - set reminders in the user’s email client calendar of upcoming password expirations
- Password Meter - provide users with a visual cue of the strength of the password when resetting or creating one
- Auditing/Logging - record user login activity including invalid usernames, last login, last password change, etc.
- Administrative Dashboard - provides administrators with a snapshot of recent user login activity
- Tailored Authentication - extend the PortalGuard framework to include specific functionality which provides an exact fit with your requirements


Benefits

- Configurable - to the individual user, group or domain hierarchy
- Increased usability – maintains user productivity and satisfaction with functionality such as the password strength meter, email calendar reminders, and self-service password reset
- Increased security – prevents both common password and code injection attacks by enforcing strong password management best practices
- Balances security and usability – with functionality to support both compliance and user demands
- Implement password best practices – including account lockout limit, unlock threshold, and password history
- Compliance – web-based and SQL applications now meet required industry and regulatory standards
- Cost effective – reduce password-related Help Desk calls


How It Works

Password Policies

PortalGuard uses the concept of policy-based security settings to enforce password management rules for users. You can have multiple sets of rules defined within PortalGuard. Each set of rules is referred to as a policy. You can then assign users to a policy on an individual basis or by a group or domain hierarchy. If a policy is not applied to anyone, then its rules will never be enforced. Policies can be enabled or disabled. Only policies which are both enabled and have users assigned to them are enforced by PortalGuard.

There are key aspects to each password policy, including password length, formation, duration and practice. With those in mind you can define password policies so that all user accounts are protected with strong passwords. Below are examples of policies you can enforce:

- Define the password history policy setting so that several previous passwords are remembered. With this policy setting, users cannot reuse old passwords when their password expires.

- Define the maximum password age policy setting so that passwords expire as often as necessary for your environment, typically every 30 to 90 days. With this policy setting, if an attacker cracks a password, the attacker only has access to the network until the password expires.

- Define the minimum password age policy setting so that passwords cannot be changed until they are more than a certain number of days old. This policy setting works in combination with the password history policy setting. If a minimum password age is defined, users cannot repeatedly change their passwords to get around the password history policy setting and then use their original password. Users must wait the specified number of days to change their passwords.

- Define a minimum password length policy setting so that passwords must consist of at least a specified number of characters. Long passwords (seven or more characters) are usually stronger than short ones. With this policy setting, users cannot use blank passwords, and they have to create passwords that are a certain number of characters long.


Policy Search Order and Precedence

With policies capable of being applied to individual users, groups and domain hierarchies, it is common for a user to have multiple policies applied to them. At run-time, however, only a single policy will be enforced for the user. This is resolved by searching for applicable policies in the following order, with each subsequent search being a less explicit match:

1. Policies applied directly to a user
2. Policies applied to a group
3. Policies applied to a domain or OU
4. The default policy
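As an added example (not PortalGuard’s code; the data structures, field names and the ordering among several group or OU matches within one level are assumptions, since the brief defines only the order between levels), the following Python resolves the single policy enforced for a user with the search order above. A disabled policy is skipped rather than returned, so the search falls through to the next, less explicit level and finally to the default policy:

```python
"""Effective-policy resolution: user, then group, then domain/OU, then default.
Added example, not PortalGuard code; names and structures are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Policy:
    name: str
    enabled: bool = True
    min_length: int = 8


@dataclass
class PolicyStore:
    # Assumption: each assignment level is a plain lookup keyed by the
    # principal the policy was applied to (username, group name, DN).
    user_policies: Dict[str, Policy] = field(default_factory=dict)
    group_policies: Dict[str, Policy] = field(default_factory=dict)
    domain_policies: Dict[str, Policy] = field(default_factory=dict)
    default_policy: Policy = field(
        default_factory=lambda: Policy("Default", enabled=True, min_length=6))


def _enabled(policy):
    # Only enabled policies are enforced; a disabled match is skipped and the
    # search continues with the next, less explicit, level.
    return policy is not None and policy.enabled


def resolve_policy(store: PolicyStore, username: str,
                   groups: List[str], ou_chain: List[str]) -> Policy:
    """Return the single policy enforced for this user at run time.

    groups: the user's group memberships in the order they are consulted
    (assumption: the brief does not rank several group policies).
    ou_chain: DNs from the user's most specific OU up to the domain.
    """
    # 1. policy applied directly to the user
    candidate = store.user_policies.get(username)
    if _enabled(candidate):
        return candidate
    # 2. policy applied to one of the user's groups
    for group in groups:
        candidate = store.group_policies.get(group)
        if _enabled(candidate):
            return candidate
    # 3. policy applied to an OU or the domain
    for dn in ou_chain:
        candidate = store.domain_policies.get(dn)
        if _enabled(candidate):
            return candidate
    # 4. nothing more explicit matched: the default policy
    return store.default_policy


def build_sample_store() -> PolicyStore:
    """Constructed sample assignments used to exercise the resolver."""
    store = PolicyStore()
    store.user_policies["alice"] = Policy("Executives", min_length=14)
    store.group_policies["Finance"] = Policy("Finance", min_length=12)
    store.group_policies["Everyone"] = Policy("Everyone", enabled=False, min_length=4)
    store.domain_policies["OU=Sales,DC=corp,DC=example"] = Policy(
        "Sales OU", enabled=False, min_length=10)
    store.domain_policies["DC=corp,DC=example"] = Policy("Corp Domain", min_length=9)
    return store


if __name__ == "__main__":
    store = build_sample_store()
    ou = ["OU=Sales,DC=corp,DC=example", "DC=corp,DC=example"]
    for user, groups in (("alice", ["Finance"]), ("bob", ["Everyone", "Finance"]),
                         ("carol", ["Everyone"]), ("dave", [])):
        print(user, "->", resolve_policy(store, user, groups, ou).name)
```

Running the module prints the effective policy for four constructed users: alice gets her directly assigned policy even though she is also in Finance; bob falls through the disabled Everyone policy to Finance; carol, with only a disabled group and a disabled OU policy, lands on the domain policy. The point of skipping rather than returning a disabled policy is that every account stays covered by some policy, ultimately the default, even when an administrator disables one.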

User Profiles

User profiles are where PortalGuard’s user-specific information is stored. Some examples of the data include, but are not limited to:

- Strike count
- Last login time
- Password expiration date
- Hashed answers to challenge questions
- Last password change time
- Accepted Terms of Use time

A profile is created for each user automatically as they log in through PortalGuard, so it is not necessary to preload any user accounts. These user profiles can be stored as flat files on the PortalGuard server or in a SQL database for accessibility in clustered configurations.


Step-by-Step Process

Step 1: The user’s password is expired, but within the grace period. PortalGuard notifies the user, but provides the option of temporarily skipping the password change and going directly into the application because they are still in the grace period. The user defers the password change by clicking the link shown and is allowed to log in.

Step 2: A few days later, the user attempts to log in and the password is now expired. PortalGuard enforces this by requiring the user to change their password before being allowed into the application.

    a. If PortalGuard is configured to use a password meter, it is automatically updated as the user types their new password. Only when the new password is sufficiently complex will the user be allowed to submit the password change.

    b. If PortalGuard is configured to use standard password quality rules, the user is notified which rules have been satisfied by the new password and which must still be addressed.

Step 3: When password history is enabled, a password that satisfies the complexity rules may still be rejected by the PortalGuard server for being previously used by the user.

Step 4: Once the new password is acceptable, PortalGuard changes it in the target user repository (e.g. Active Directory, LDAP or a custom SQL table) in real time and notifies the user of the success.

Step 5: If a password minimum age is enabled and the user attempts to manually change their password again, PortalGuard will prevent it.




Configuration

NOTE: All the following settings are policy specific, so you can have different values for different users, groups or hierarchies.

Configurable through the PortalGuard Configuration Utility:

Password Rules (Policies):
    - Minimum length
    - Maximum length
    - Minimum lowercase
    - Minimum uppercase
    - Minimum numeric
    - Minimum special
    - Active Directory Complexity
    - Rule Grouping - for combining standard password rules into pools where only a subset must be met
    - Enable/Disable Password Meter - minimum required “score” when enabled
    - Password History - by number of entries or time
    - Password Dictionary - standard words that passwords cannot contain
    - Enforce Complexity Rules During Login - any policy changes can be enforced immediately instead of waiting until the next time the user’s password expires
    - Regular Expression checking - for rules that cannot be enforced using the out-of-the-box rules in PortalGuard
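An added example, not PortalGuard’s own code, of evaluating a candidate password against the rule kinds listed above: length and character-class minimums, rule grouping (only a subset of the pooled class rules must pass), a dictionary of forbidden words and a regular expression for a rule the standard settings cannot express. The policy dictionary, its key names, the sample word list and the repeated-character regular expression are constructed for the demonstration. The function returns both the satisfied and the unsatisfied rules, so a change-password page can show which rules still need attention as in Step 2b, and the same function can be run on every login to enforce a changed policy immediately:

```python
"""Password quality evaluation with rule grouping, a dictionary and a regex.
Added example, not PortalGuard code; policy keys and sample values are assumptions."""
import re

# Constructed sample policy. "class_rules_required" is the rule-grouping
# setting: of the four character-class rules, this many must be satisfied.
SAMPLE_POLICY = {
    "min_length": 8,
    "max_length": 64,
    "min_lowercase": 1,
    "min_uppercase": 1,
    "min_numeric": 1,
    "min_special": 1,
    "class_rules_required": 3,
    "dictionary": {"password", "welcome", "portal"},
    # Assumed custom rule: reject any character repeated three times in a row.
    "forbidden_regex": r"(.)\1\1",
}

CLASSES = ("lowercase", "uppercase", "numeric", "special")


def count_classes(password):
    """Count characters per class; anything not alphanumeric counts as special."""
    return {
        "lowercase": sum(c.islower() for c in password),
        "uppercase": sum(c.isupper() for c in password),
        "numeric": sum(c.isdigit() for c in password),
        "special": sum(not c.isalnum() for c in password),
    }


def evaluate(password, policy=SAMPLE_POLICY):
    """Return (ok, satisfied, failed) so the caller can show which rules the
    candidate already meets and which still need attention."""
    satisfied, failed = [], []

    def check(rule, condition):
        (satisfied if condition else failed).append(rule)

    check("min_length", len(password) >= policy["min_length"])
    check("max_length", len(password) <= policy["max_length"])

    # Rule grouping: the pooled class rules pass when enough of them pass.
    counts = count_classes(password)
    passed = sum(counts[cls] >= policy["min_" + cls] for cls in CLASSES)
    required = policy["class_rules_required"]
    check(f"class_rules_{required}_of_{len(CLASSES)}", passed >= required)

    # Dictionary check is case-insensitive and matches substrings, so that
    # "Welcome123!" is still caught.
    lowered = password.lower()
    check("dictionary", not any(word in lowered for word in policy["dictionary"]))
    check("regex", re.search(policy["forbidden_regex"], password) is None)
    return (not failed, satisfied, failed)


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&", "Welcome123!", "aaa12345", "short"):
        ok, met, missing = evaluate(candidate)
        print(f"{candidate!r}: {'accepted' if ok else 'rejected'}; unmet: {missing}")
```

Note that the dictionary check matches substrings case-insensitively; a plain equality check would let "Welcome123!" through even though it is built on a forbidden word, which is the usual way dictionary rules are defeated.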




Password Expiration:
    - Expiration period - number of days between required password changes
    - Grace period - number of days before the expiration date when the user will receive notification of the impending expiration
    - Expire first use - expire the password the first time the user authenticates through PortalGuard
    - Minimum Age - number of minutes until a password can be changed again
    - Calendar reminders - optional sending of reminders for the day the user’s password will expire next
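An added Python example, not PortalGuard’s code, covering the expiration settings above together with the history, maximum-age and minimum-age policies described under Password Policies and the behaviour walked through in Steps 1 to 5. Field names and the history storage format are assumptions; the grace period is taken in the Step 1 sense (an expired password may be deferred until expiration plus grace, after which the change is mandatory), which is a narrower reading than the notification-window wording of the Grace period setting:

```python
"""Password lifecycle: expiration with grace, expire on first use, minimum age
and history. Added example, not PortalGuard code; names are assumptions."""
import hashlib
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class LifecyclePolicy:
    history_count: int = 5                    # remember the last n passwords
    min_age: timedelta = timedelta(days=1)    # the brief configures this in minutes
    expiration_days: int = 90
    grace_days: int = 7
    expire_first_use: bool = True


@dataclass
class UserProfile:
    # History entries are (salt, hash), newest last; the current password is
    # the last entry, so reusing it is rejected like any older password.
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)
    last_change: Optional[datetime] = None    # None: never changed through this system


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the history never holds a reusable plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _in_history(profile: UserProfile, password: str) -> bool:
    return any(_hash(password, salt) == digest for salt, digest in profile.history)


def login_status(profile, policy, now):
    """'ok', 'expired_deferrable' (Step 1) or 'must_change' (Step 2, first use)."""
    if profile.last_change is None:
        return "must_change" if policy.expire_first_use else "ok"
    age = now - profile.last_change
    if age <= timedelta(days=policy.expiration_days):
        return "ok"
    if age <= timedelta(days=policy.expiration_days + policy.grace_days):
        return "expired_deferrable"
    return "must_change"


def change_password(profile, policy, new_password, now):
    """'too_soon' (Step 5), 'reused' (Step 3) or 'changed' (Step 4).
    Complexity checking is a separate step and is not repeated here."""
    if profile.last_change is not None and now - profile.last_change < policy.min_age:
        return "too_soon"
    if _in_history(profile, new_password):
        return "reused"
    salt = os.urandom(16)
    profile.history.append((salt, _hash(new_password, salt)))
    profile.history = profile.history[-policy.history_count:]   # keep last n only
    profile.last_change = now
    return "changed"


def walkthrough():
    """Constructed scenario following Steps 1 to 5 of the brief."""
    policy = LifecyclePolicy(history_count=3, min_age=timedelta(minutes=30))
    profile = UserProfile()
    t0 = datetime(2012, 1, 1, 9, 0)
    later = t0 + timedelta(days=100)
    return [
        login_status(profile, policy, t0),                                   # must_change (first use)
        change_password(profile, policy, "Spring-2012!", t0),                # changed
        change_password(profile, policy, "Other-Pw-1!", t0 + timedelta(minutes=5)),  # too_soon
        login_status(profile, policy, t0 + timedelta(days=93)),              # expired_deferrable
        login_status(profile, policy, later),                                # must_change
        change_password(profile, policy, "Spring-2012!", later),             # reused
        change_password(profile, policy, "Summer-2012!", later),             # changed
        login_status(profile, policy, later),                                # ok
    ]


if __name__ == "__main__":
    print(walkthrough())
```

The minimum-age check is what makes history effective: without it a user could cycle through n+1 changes in a minute and land back on the original password, which is exactly the loophole the Password Policies section describes.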

Lockout:
    - Strike limit - number of consecutive failed authentication attempts until the user’s account is locked in PortalGuard
    - Lock expiration - optional number of seconds until a lockout is automatically cleared
    - Strike messages - controls the level of information when a strike or lockout occurs, from the most generic (“bad username or password”) to the most helpful (“bad password - you have 1 strike and your account will be locked when 3 strikes are reached”)
    - Inactivity - the number of days of PortalGuard inactivity until an account is considered “dormant” in PortalGuard. The PortalGuard server will then prevent login through its interface using these accounts
    - Session concurrency - prevent multiple simultaneous login sessions through the PortalGuard interface using the same credentials
    - Help Desk/Verbal Authentication - enables the optional functionality that allows Help Desk staff to verbally identify users over the phone by asking a configurable set of questions
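An added Python example, not PortalGuard’s code, of the lockout settings above: consecutive strikes up to a limit, a lock that clears after a configured number of seconds, generic versus helpful strike messages, a dormant-account check and a concurrent-session limit. Field names, message texts and the order in which the checks run are assumptions:

```python
"""Lockout enforcement: strike limit, lock expiration, strike message level,
dormant accounts and session concurrency. Added example, not PortalGuard code."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

GENERIC = "bad username or password"


@dataclass
class LockoutPolicy:
    strike_limit: int = 3
    lock_expiration_seconds: Optional[int] = 900   # None: cleared only by an administrator
    strike_message_level: str = "generic"          # "generic" or "helpful"
    inactivity_days: int = 90
    max_concurrent_sessions: int = 1


@dataclass
class Profile:
    strikes: int = 0
    locked_at: Optional[datetime] = None
    last_login: Optional[datetime] = None
    active_sessions: int = 0


def _deny(policy, helpful_text):
    # The generic level answers a wrong password, a wrong username and a locked
    # account identically, so a probe learns nothing about the account's state.
    return helpful_text if policy.strike_message_level == "helpful" else GENERIC


def is_locked(profile, policy, now):
    if profile.locked_at is None:
        return False
    if (policy.lock_expiration_seconds is not None
            and now - profile.locked_at >= timedelta(seconds=policy.lock_expiration_seconds)):
        profile.locked_at = None      # lock expired: clear it and the strikes
        profile.strikes = 0
        return False
    return True


def attempt_login(profile, policy, password_ok, now) -> Tuple[bool, str]:
    """Return (allowed, message); password_ok is the credential verifier's verdict."""
    if is_locked(profile, policy, now):
        return False, _deny(policy, "account locked")
    if not password_ok:
        profile.strikes += 1
        if profile.strikes >= policy.strike_limit:
            profile.locked_at = now
            return False, _deny(policy, "account locked")
        plural = "" if profile.strikes == 1 else "s"
        return False, _deny(policy, f"bad password - you have {profile.strikes} strike{plural} "
                                    f"and your account will be locked when "
                                    f"{policy.strike_limit} strikes are reached")
    # Correct password: the account must still be neither dormant nor already in use.
    if (profile.last_login is not None
            and now - profile.last_login > timedelta(days=policy.inactivity_days)):
        return False, "account dormant"
    if profile.active_sessions >= policy.max_concurrent_sessions:
        return False, "session already active"
    profile.strikes = 0
    profile.last_login = now
    profile.active_sessions += 1
    return True, "ok"


def end_session(profile):
    profile.active_sessions = max(0, profile.active_sessions - 1)


def walkthrough() -> List[Tuple[bool, str]]:
    """Constructed sequence with helpful messages and a 900 second lock."""
    policy = LockoutPolicy(strike_limit=3, lock_expiration_seconds=900,
                           strike_message_level="helpful", inactivity_days=90)
    p = Profile()
    t0 = datetime(2012, 1, 1, 9, 0)
    results = [
        attempt_login(p, policy, False, t0),                             # strike 1
        attempt_login(p, policy, False, t0 + timedelta(seconds=10)),     # strike 2
        attempt_login(p, policy, False, t0 + timedelta(seconds=20)),     # strike 3: locked
        attempt_login(p, policy, True, t0 + timedelta(seconds=80)),      # still locked
        attempt_login(p, policy, True, t0 + timedelta(seconds=920)),     # lock expired: ok
        attempt_login(p, policy, True, t0 + timedelta(seconds=930)),     # second session refused
    ]
    end_session(p)
    results.append(attempt_login(p, policy, True, t0 + timedelta(days=120)))  # dormant
    return results


def generic_demo() -> List[Tuple[bool, str]]:
    """Same strikes with the generic message level: every answer is identical."""
    policy, p, t0 = LockoutPolicy(), Profile(), datetime(2012, 1, 1, 9, 0)
    return [attempt_login(p, policy, ok, t0 + timedelta(seconds=i))
            for i, ok in enumerate((False, False, False, True))]


if __name__ == "__main__":
    for allowed, message in walkthrough():
        print(allowed, message)
```

The two message levels make the trade-off concrete: the generic level returns the same text whether the password was wrong or the account is locked, which is why the brief calls it the most generic option, while the helpful text aids a legitimate user at the cost of telling anyone probing the account how close it is to lockout. Resetting the strike count only on a successful login, and clearing it when a lock expires, keeps a single typo from accumulating across weeks.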

Auditing:
    - Log last login - track last login date/time for users
    - Log last password change - track last password change date/time for users
    - Log last password recovery - track last password reset/recovery date/time for users
    - Require acceptance - optional setting for requiring users to accept a Terms of Use agreement before allowing a login to complete
    - URL for rejection - the URL where users should be redirected if they decline the Terms of Use


Deployment

Implementation of the PortalGuard platform is seamless and requires no changes to the Active Directory/LDAP schema. A server-side software installation is required on at least one Microsoft IIS server on the network.


IIS Installation

An MSI is used to install PortalGuard on Microsoft IIS 6 or 7.x. If installing PortalGuard on Microsoft IIS 7.x/Windows Server 2008, make sure to have installed the following feature roles prior to launching the MSI:

1. All the Web Server Management Tools role services
2. All the Application Development role services
3. All Microsoft IIS 6 Management Compatibility role services

The MSI is a wizard-based install which will quickly guide you through the installation.


System Requirements

This version of PortalGuard supports direct access and authentication to cloud/web-based applications only.

PortalGuard can be installed directly on the following web servers:

- IBM WebSphere/WebSphere Portal v5.1 or higher
- Microsoft IIS 6.0 or higher
- Microsoft Windows SharePoint Services 3.0 or higher
- Microsoft Office SharePoint Server 2007 or later

The PortalGuard Web server also has the following requirements on Windows operating systems:

- .NET 2.0 framework or later must be installed
- (64-bit OS only) Microsoft Visual C++ 2005 SP1 Redistributable Package (x64)

PortalGuard is fully supported for installation on virtual machines. Furthermore, PortalGuard can currently be installed on the following platforms:

- Microsoft Windows Server 2000
- Microsoft Windows Server 2003 (32 or 64-bit)
- Microsoft Windows Server 2008 (32 or 64-bit)
- Microsoft Windows Server 2008 R2

NOTE: When run in "Sidecar" mode, PortalGuard can provide its functionality on any web server that uses an HTML login page.

If you have a platform not listed here, please contact us at sales@portalguard.com to see if we have recently added support for your platform.


Supporting Videos

Please view the following videos to watch a demo of PortalGuard’s password management offerings:

- Balancing Usability & Compliance: Discussing Password Management
- Password Strength Meter Demonstration


Platform Layers

Beyond password management, PortalGuard is a flexible authentication platform with multiple layers of available functionality to help you achieve your authentication goals:

- Contextual Authentication
- Tokenless Two-factor Authentication
- Real-time Reports / Alerts
- Knowledge-based
- Self-service Password Reset
- Single Sign-on

[Platform Visual on Next Page]




© 2012, PistolStar, Inc. dba PortalGuard All rights reserved.                                                       Page 14
Tech Brief — Configurable Password Management




                                                                ###




© 2012, PistolStar, Inc. dba PortalGuard All rights reserved.                                       Page 15

Password Management

  • 1. Configurable Password Management: Balancing Usability and Compliance Password Management Layer v.3.2-004 PistolStar, Inc. dba PortalGuard PO Box 1226 Amherst, NH 03031 USA Phone: 603.547.1200 Fax: 617.674.2727 E-mail: sales@portalguard.com Website: www.portalguard.com © 2012, PistolStar, Inc. dba PortalGuard All Rights Reserved.
  • 2. Tech Brief — Configurable Password Management PortalGuard Configurable Password Management: Balancing Usability and Compliance Table of Contents Summary ................................................................................................. 2 The Basics............................................................................................... 2 PortalGuard Password Management ....................................................... 3 Features .................................................................................................. 3 Benefits ................................................................................................... 3 How it Works ........................................................................................... 4 Password Policies ........................................................................ 4 Policy Search Order and Precedence .......................................... 4 User Profiles ................................................................................ 5 Step-by-Step Process .................................................................. 5 Configuration ........................................................................................... 9 Deployment ........................................................................................... 13 IIS Install................................................................................................ 13 System Requirements ........................................................................... 13 Supporting Videos ................................................................................. 14 Platform Layers ..................................................................................... 14 © 2012, PistolStar, Inc. dba PortalGuard All rights reserved. Page 1
  • 3. Tech Brief — Configurable Password Management Summary Implementing strong authentication security for web-based applications before deployment to your production environment is the ideal approach however, many projects take longer than expected so some applications are deployed without security policies in place, such as password quality, password expiration and strike counts. Password management is usually added later when a security audit uncovers an applica- tion as being non-compliant. To make a web-based application compliant, you need to decide whether to build or buy a complete authentication security solution. Buying an off- the-shelf solution, such as PortalGuard, offers the much needed enterprise-ready security functionality that easily integrates into your existing web-based and SQL applications. Sometimes developers may not consider the organization’s data accessed by the web- based application to be sensitive and therefore, increasing security becomes a secondary consideration during deployment. A low risk application may require either no authentica- tion or the use of just a username and password, though this approach should not be used in applications with medium or high risk. Please review other PortalGuard tech briefs on increasing web-based authentication security with approaches such as contextual and two -factor authentication. These tech briefs provide more information on the security risks of using just passwords as a single barrier to blocking unauthorized access to your organiza- tion’s data. The Basics Passwords remain an important aspect of authentication security. A poorly chosen pass- word may result in unauthorized access and/or exploitation of an organization’s resources and critical data. The purpose of password management policies is to establish and en- force the security standard for the creation of strong passwords, the protection of those passwords, and the frequency of which to change them. 
However, one of the first steps to password management is educating your users on pass- word best practices via a security awareness program with information such as:  Never share your account  Never use the same password for multiple systems  Never tell a password to anyone, including those claiming to be from security or custom- er service within your organization  Never write down a password  Never provide a password over the phone, e-mail or instant messaging  Make sure to log off or lock your workstation before leaving a computer unattended  Change your password whenever you suspect it may have been compromised  Passwords should be alpha-numeric at a minimum General password management best practices provide the foundation for strong organiza- tional security policies, including:  How complex a password needs to be should be based on risk  The frequency to which you change your passwords should be based on risk  At all points, passwords should be protected from being exposed © 2012, PistolStar, Inc. dba PortalGuard All rights reserved. Page 2
  • 4. Tech Brief — Configurable Password Management PortalGuard Password Management PortalGuard’s password management goes beyond the foundational principles and pro- vides enhanced functionality which improves the security of passwords while improving usability for users. This is done with features such as strong password policy enforcement, password synchronization, and self-service password reset. By creating this balance be- tween security and usability PortalGuard can significantly reduce Help Desk calls and in- crease user adoption. To provide you with flexibility, PortalGuard’s password management policies can be con- figured down to the individual user, group or domain hierarchy, enforcing the appropriate level of security for each. Features  Password Complexity - customizable rules for minimum and maximum length, and up- percase, lowercase and special characters. Complexity checks can also be performed during each login to assure compliance.  Password History - prevent users from reusing their last “n” passwords  Password Expiration - set expiration and grace periods  Strikeout/Lockout Limits - enforce a configurable number of strikes before an account lockout and optionally specify a minimum “lockout time” the user must wait before the account is automatically unlocked and they can again attempt to login  Prevent Users from Sharing Credentials - limit multiple concurrent logon sessions  Lockout Inactive User After “n” Days - identify and stop access from dormant user ac- counts  Help Desk/Verbal Authentication - prove user’s identity when calling into the Help Desk by answering a series of challenge questions  Email Calendar Reminders - set reminders in user’s email client calendar of upcoming password expirations  Password Meter - provide users with visual clue of the strength of the password when resetting or creating one  Auditing/Logging - record user login activity including invalid usernames, last login, last password change, etc. 
 Administrative Dashboard - provides administrators with a snapshot of recent user login activity  Tailored Authentication - extend the PortalGuard framework to include specific function- ality which provides an exact fit with your requirements Benefits  Configurable - to the individual user, group or domain hierarchy  Increased usability – maintains user productivity and satisfaction with functionality such as the password strength meter, email calendar reminders, and self-service password reset  Increased security – prevents both common password and code injection attacks by enforcing strong password management best practices  Balances security and usability – with functionality to support both compliance and user demands  Implement password best practices – including account lockout limit, unlock threshold, and password history © 2012, PistolStar, Inc. dba PortalGuard All rights reserved. Page 3
• Compliance – web-based and SQL applications now meet required industry and regulatory standards
• Cost effective – reduce password-related Help Desk calls

How It Works

Password Policies

PortalGuard uses the concept of policy-based security settings to enforce password management rules for users. You can have multiple sets of rules defined within PortalGuard. Each set of rules is referred to as a policy. You can then assign users to a policy on an individual basis or by a group or domain hierarchy. If a policy is not applied to anyone, then its rules will never be enforced. Policies can be enabled or disabled. Only policies which are both enabled and have users assigned to them are enforced by PortalGuard.

There are key aspects to each password policy, including password length, formation, duration and practice. With those in mind you can define password policies so that all user accounts are protected with strong passwords. Below are examples of policies you can enforce:

• Define the password history policy setting so that several previous passwords are remembered. With this policy setting, users cannot reuse old passwords when their password expires.
• Define the maximum password age policy setting so that passwords expire as often as necessary for your environment, typically every 30 to 90 days. With this policy setting, if an attacker cracks a password, the attacker only has access to the network until the password expires.
• Define the minimum password age policy setting so that passwords cannot be changed until they are more than a certain number of days old. This policy setting works in combination with the password history policy setting. If a minimum password age is defined, users cannot repeatedly change their passwords to get around the password history policy setting and then use their original password. Users must wait the specified number of days to change their passwords.
• Define a minimum password length policy setting so that passwords must consist of at least a specified number of characters. Long passwords (seven or more characters) are usually stronger than short ones. With this policy setting, users cannot use blank passwords, and they have to create passwords that are a certain number of characters long.

Policy Search Order and Precedence

With policies capable of being applied to individual users, groups and domain hierarchies, it is a common occurrence for a user to have multiple policies applied to them. At run-time, however, only a single policy will be enforced for the user. This disparity is resolved by searching for applicable policies in the following order, with each subsequent search being a less explicit match:

1. Policies applied directly to a user
2. Policies applied to a group
3. Policies applied to a domain or OU
4. The default policy
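The search order above, written out as a small resolver. This is an added example and not PortalGuard’s own code; the Policy and User structures, and walking the user’s OU chain from the nearest OU outward, are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

@dataclass
class Policy:
    name: str
    enabled: bool = True
    users: Set[str] = field(default_factory=set)   # usernames assigned directly
    groups: Set[str] = field(default_factory=set)  # groups assigned
    ous: Set[str] = field(default_factory=set)     # domain / OU names assigned
    is_default: bool = False

@dataclass
class User:
    name: str
    groups: Set[str]
    ou_chain: List[str]   # assumed: nearest OU first, e.g. ["OU=Sales,DC=corp", "DC=corp"]

def enforceable(policy: Policy) -> bool:
    # Only enabled policies that have someone assigned are enforced; the default
    # policy applies to everyone and so needs no explicit assignment.
    assigned = policy.is_default or policy.users or policy.groups or policy.ous
    return policy.enabled and bool(assigned)

def resolve_policy(user: User, policies: List[Policy]) -> Optional[Policy]:
    candidates = [p for p in policies if enforceable(p)]
    for p in candidates:                      # 1. applied directly to the user
        if user.name in p.users:
            return p
    for p in candidates:                      # 2. applied to one of the user's groups
        if user.groups & p.groups:
            return p
    for ou in user.ou_chain:                  # 3. applied to a domain or OU, nearest first
        for p in candidates:
            if ou in p.ous:
                return p
    for p in candidates:                      # 4. the default policy
        if p.is_default:
            return p
    return None                               # nothing enforced for this user
```

Note that a disabled policy assigned directly to a user drops out of step 1 entirely, so the user falls through to a group or domain match rather than to no policy.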
User Profiles

User profiles are where PortalGuard’s user-specific information is stored. Some examples of the data include, but are not limited to:

• Strike count
• Last login time
• Password expiration date
• Hashed answers to challenge questions
• Last password change time
• Accepted Terms of Use time

A profile is created for each user automatically as they log in through PortalGuard, so it is not necessary to preload any user accounts. These user profiles can be stored as flat files on the PortalGuard server or in a SQL database for accessibility in clustered configurations.

Step-by-Step Process

Step 1: The user’s password is expired, but within the grace period. PortalGuard notifies the user, but provides the option of temporarily skipping the password change and going directly into the application because they are still in the grace period. The user defers the password change by clicking the link shown and is allowed to log in.

Step 2: A few days later, the user attempts to log in and the password is now expired. PortalGuard enforces this by requiring the user to change their password before being allowed into the application.
a. If PortalGuard is configured to use a password meter, it is automatically updated as the user types their new password. Only when the new password is sufficiently complex will the user be allowed to submit the password change.

b. If PortalGuard is configured to use standard password quality rules, the user is notified which rules have been satisfied by the new password and which must still be addressed.
Step 3: When password history is enabled, a password that satisfies the complexity rules may still be rejected by the PortalGuard server for having been previously used by the user.
Step 4: Once the new password is acceptable, PortalGuard changes it in the target user repository (e.g. Active Directory, LDAP or a custom SQL table) in real time and notifies the user of the success.

Step 5: If a password minimum age is enabled and the user attempts to manually change their password again, PortalGuard will prevent it.
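The five steps above, and the history/minimum-age interplay described under Password Policies, as an added example that is not PortalGuard’s code. The policy fields, the rule names and the SHA-256 history hashing are assumptions for the illustration, and the grace period is modelled as in Step 1, i.e. following expiry.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class PasswordPolicy:                            # assumed fields, mirroring the brief's rules
    min_length: int = 8
    min_upper: int = 1
    min_digits: int = 1
    history_count: int = 5                       # last "n" passwords that may not be reused
    min_age: timedelta = timedelta(days=1)       # Step 5
    max_age: timedelta = timedelta(days=90)      # expiration period
    grace: timedelta = timedelta(days=7)         # grace period after expiry, as in Step 1

@dataclass
class Profile:
    last_change: datetime
    history: list = field(default_factory=list)  # hashes of previous passwords, newest first

def _hash(pw):
    return hashlib.sha256(pw.encode()).hexdigest()   # illustration; use a salted, slow hash in production

def login_state(policy, profile, now):
    expires = profile.last_change + policy.max_age
    if now < expires:
        return "ok"
    if now < expires + policy.grace:
        return "grace"      # Step 1: user is notified but may defer the change
    return "expired"        # Step 2: change required before entering the application

def complexity_failures(policy, pw):
    # Step 2b: report every unmet rule so the user knows what still needs addressing
    failures = []
    if len(pw) < policy.min_length: failures.append("min_length")
    if sum(c.isupper() for c in pw) < policy.min_upper: failures.append("min_upper")
    if sum(c.isdigit() for c in pw) < policy.min_digits: failures.append("min_digits")
    return failures

def change_password(policy, profile, new_pw, now):
    if now - profile.last_change < policy.min_age:      # Step 5: blocks cycling the history
        return "rejected: minimum age"
    failures = complexity_failures(policy, new_pw)
    if failures:
        return "rejected: " + ", ".join(failures)
    if _hash(new_pw) in profile.history[:policy.history_count]:   # Step 3
        return "rejected: previously used"
    profile.history.insert(0, _hash(new_pw))                      # Step 4: accept and record
    del profile.history[policy.history_count:]
    profile.last_change = now
    return "changed"
```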
Configuration

NOTE: All the following settings are policy specific, so you can have different values for different users, groups or hierarchies.

Configurable through the PortalGuard Configuration Utility:

• Password Rules (Policies):
  • Minimum length
  • Maximum length
  • Minimum lowercase
  • Minimum uppercase
  • Minimum numeric
  • Minimum special
  • Active Directory Complexity
  • Rule Grouping - for combining standard password rules into pools where only a subset must be met
  • Enable/Disable Password Meter - minimum required “score” when enabled
  • Password History - by number of entries or time
  • Password Dictionary - standard words that passwords cannot contain
  • Enforce Complexity Rules During Login - any policy changes can be enforced immediately instead of waiting until the next time the user’s password expires
  • Regular Expression checking - for rules that cannot be enforced using the out-of-the-box rules in PortalGuard
• Password Expiration:
  • Expiration period - number of days between required password changes
  • Grace period - number of days before the expiration date when the user will receive notification of the impending expiration
  • Expire first use - expire the password the first time the user authenticates through PortalGuard
  • Minimum Age - number of minutes until a password can be changed again
  • Calendar reminders - optional sending of reminders for the day the user’s password will expire next
• Lockout
  • Strike limit - number of consecutive failed authentication attempts until the user’s account is locked in PortalGuard
  • Lock expiration - optional number of seconds until a lockout is automatically cleared
  • Strike messages - controls the level of information given when a strike or lockout occurs, from the most generic (“bad username or password”) to the most helpful (“bad password - you have 1 strike and your account will be locked when 3 strikes are reached”)
  • Inactivity - the number of days of PortalGuard inactivity until an account is considered “dormant” in PortalGuard. The PortalGuard server will then prevent login through its interface using these accounts
  • Session concurrency - prevent multiple simultaneous login sessions through the PortalGuard interface using the same credentials
  • Help Desk/Verbal Authentication - enables the optional functionality that allows Help Desk staff to verbally identify users over the phone by asking a configurable set of questions
• Auditing
  • Log last login - track last login date/time for users
  • Log last password change - track last password change date/time for users
  • Log last password recovery - track last password reset/recovery date/time for users
  • Require acceptance - optional setting for requiring users to accept a Terms of Use agreement before allowing a login to complete
  • URL for rejection - the URL where users should be redirected if they decline the Terms of Use

Deployment

Implementation of the PortalGuard platform is seamless and requires no changes to the Active Directory/LDAP schema. A server-side software installation is required on at least one Microsoft IIS server on the network.

IIS Installation

An MSI is used to install PortalGuard on Microsoft IIS 6 or 7.x. If installing PortalGuard on Microsoft IIS 7.x/Windows Server 2008, make sure to have installed the following feature roles prior to launching the MSI:

1. All the Web Server Management Tools role services
2. All the Application Development role services
3. All Microsoft IIS 6 Management Compatibility role services

The MSI is a wizard-based install which will quickly guide you through the installation.

System Requirements

This version of PortalGuard supports direct access and authentication to cloud/web-based applications only.
PortalGuard can be installed directly on the following web servers:

• IBM WebSphere/WebSphere Portal v5.1 or higher
• Microsoft IIS 6.0 or higher
• Microsoft Windows SharePoint Services 3.0 or higher
• Microsoft Office SharePoint Server 2007 or later

The PortalGuard Web server also has the following requirements on Windows operating systems:

• .NET 2.0 framework or later must be installed
• (64-bit OS only) Microsoft Visual C++ 2005 SP1 Redistributable Package (x64)
PortalGuard is fully supported for installation on virtual machines. Furthermore, PortalGuard can currently be installed on the following platforms:

• Microsoft Windows Server 2000
• Microsoft Windows Server 2003 (32 or 64-bit)
• Microsoft Windows Server 2008 (32 or 64-bit)
• Microsoft Windows Server 2008 R2

NOTE: When run in "Sidecar" mode, PortalGuard can provide its functionality on any web server that uses an HTML login page. If you have a platform not listed here, please contact us at sales@portalguard.com to see if we have recently added support for your platform.

Supporting Videos

Please view the following videos to watch a demo of PortalGuard’s password management offerings:

• Balancing Usability & Compliance: Discussing Password Management
• Password Strength Meter Demonstration

Platform Layers

Beyond password management, PortalGuard is a flexible authentication platform with multiple layers of available functionality to help you achieve your authentication goals:

• Contextual Authentication
• Tokenless Two-factor Authentication
• Real-time Reports / Alerts
• Knowledge-based
• Self-service Password Reset
• Single Sign-on

[Platform Visual on Next Page]