Hitachi ID Password Manager - Integrated Introduction and Advanced Concepts

Topics in this course include:

Install the software

Targets and auto-discovery

  • AD target (source of profiles)
  • OpenLDAP target (target only)
  • Linux target (target only)
  • Configure the system to omit disabled accounts
  • Run and troubleshoot psupdate
  • Log viewer

Security questions as a backup authentication method

  • Set up question sets
  • Configure auth chains (very basic - Q and A and password options)
  • Configure users to have mandatory enrollment on first login
  • Show that users have to fill in Q and A

Password policy

  • Set up basic rules
  • Add a RegExp

Routine password change from web UI

  • Enable PSS
  • Show user experience
  • Discuss caching and the need for PSLOCALR
  • Add PSLOCALR and show results from a domain-member PC

Self-service password reset via web browser

  • Show that it already works (Q and A, password reset, PSLOCALR)

Managed enrollment and user notification

  • Discuss notification subsystem
  • Configure invitations to users to fill in security questions:
    • Max 500 e-mails/day
    • Max 1 e-mail/user/week
    • 3 e-mails before first web popup (notification client)
    • 3 web popups before forced enrollment
    • Mandatory enrollment (configure and demo - need to put users into a group/GPO and take them out on successful enrollment)

Notifying users of upcoming password expiry

  • Discuss how notification applies here
  • Discuss mobile users who get e-mails via push or OWA but aren't notified of password expiry by Windows
  • Configure expiry via e-mail for 10, 5, 4, 3, 2, 1 days before AD expiry
  • Configure expiry via web popup for 3, 2, 1 days before AD expiry

Locked out users and client tools

  • Domain-SKA
  • Local-SKA
  • GINA service for WinXP
  • GINA DLL for Citrix
  • Windows 7 (Vista) Credential Provider
  • Self-Service, Anywhere for mobile users with corporate laptops and who are initially offline (discuss, probably don't fully configure)
  • Discuss integration with VPN (command-line, special account, IP/port/time limits, credentials on the client, etc.)
  • Customizing client software MSI with Orca (quick view, no details)

Help desk password reset

  • User classes to grant rights (e.g., global, local help desks)
  • Controlling access to security questions
  • Help-desk-specific security questions
  • Help desk UI for password reset and clearing intruder lockouts
  • Expanded URL to specify userID, callerID, ticket number from incident management system

Full disk encryption and key recovery

  • Discussion
  • Introduction to HiTPM
  • Discuss HiTPM integrations with Dialogic, VoIP, Asterisk
  • Discuss HiTPM integrations with key recovery system

E-mail and incident management integration

  • E-mails to users:
    • After password changes
    • After failed authentication and/or lockouts
    • Invitations to action (enrollment)
  • E-mails to admins:
    • Replication failures
    • Target update failures
    • PSUPDATE problems
  • Incident integration (optional - create/update/close tickets)
  • SIEM integration (optional - SYSLOGD to Splunk)

RSA token PIN reset and support

  • Enabling tokens as an authentication factor (auth chains, plugin)
  • RADIUS plugin for authentication
  • Managing RSA tokens:
    • PIN reset
    • Clock sync
    • Emergency passcodes

Mobile phones and other authentication factors

  • Enrolling phone number and provider ID
  • Authentication chains to provide SMS/PIN (before Q and A)
  • Authentication chains to provide CAPTCHA (Internet-facing)

Reporting and surveillance

  • Dashboards and reports
  • Scheduling reports to admins
  • Activity and trend analysis