Enterprise Password Safe Version 1.57.12
COMMON CRITERIA CERTIFICATION REPORT No. CRP235
Citrix Password Manager, Enterprise Edition
Version 4.5
running on Microsoft Windows and Citrix Presentation Server
Issue 1.0
June 2007

Crown Copyright 2007
Reproduction is authorised provided the report is copied in its entirety

UK Certification Body
CESG, Hubble Road
Cheltenham, GL51 0EX
United Kingdom
ARRANGEMENT ON THE RECOGNITION OF COMMON CRITERIA CERTIFICATES IN THE FIELD OF INFORMATION TECHNOLOGY SECURITY

The Certification Body of the UK IT Security Evaluation and Certification Scheme is a member of the above Arrangement and as such this confirms that the Common Criteria certificate has been issued by or under the authority of a Party to this Arrangement and is the Party's claim that the certificate has been issued in accordance with the terms of this Arrangement.

The judgements contained in the certificate and Certification Report are those of the Qualified Certification Body which issued it and of the Evaluation Facility which carried out the evaluation. There is no implication of acceptance by other Members of the Agreement Group of liability in respect of those judgements or for loss sustained as a result of reliance placed upon those judgements by a third party.
CERTIFICATION STATEMENT
The product detailed below has been evaluated under the terms of the UK IT Security Evaluation and Certification Scheme and has met the specified Common Criteria requirements. The scope of the evaluation and the assumed usage environment are specified in the body of this report.

Sponsor: Citrix Systems, Incorporated
Product and Version: Citrix Password Manager, Enterprise Edition, Version 4.5
Description: The product is a single sign-on solution for accessing password-protected Windows, Web and host based applications.
CC Part 2: Conformant
CC Part 3: Conformant
EAL: EAL2 augmented by ALC_FLR.2
CLEF: BT
Date authorised: 29 June 2007
The evaluation was carried out in accordance with the requirements of the UK IT Security Evaluation and Certification Scheme as described in United Kingdom Scheme Publication 01 (UKSP 01) and UKSP 02 ([a] - [c]). The Scheme has established a Certification Body, which is managed by CESG on behalf of Her Majesty's Government.

The purpose of the evaluation was to provide assurance about the effectiveness of the TOE in meeting its Security Target [d], which prospective consumers are advised to read. To ensure that the Security Target gave an appropriate baseline for a CC evaluation, it was first itself evaluated. The TOE was then evaluated against this baseline. Both parts of the evaluation were performed in accordance with CC Part 1 [e], CC Part 2 [f], CC Part 3 [g], the Common Evaluation Methodology (CEM) [h], and relevant Interpretations.

The issue of a Certification Report is a confirmation that the evaluation process has been carried out properly and that no exploitable vulnerabilities have been found. It is not an endorsement of the product.
Trademarks: All product or company names are used for identification purposes only and may be trademarks of their respective owners.
TABLE OF CONTENTS

CERTIFICATION STATEMENT
TABLE OF CONTENTS
I. EXECUTIVE SUMMARY
    Introduction
    Evaluated Product and TOE Scope
    Protection Profile Conformance
    Security Claims
    Strength of Function Claims
    Evaluation Conduct
    Conclusions and Recommendations
PRODUCT SECURITY GUIDANCE
    Introduction
    Delivery
    Installation and Guidance Documentation
EVALUATED CONFIGURATION
    TOE Identification
    TOE Documentation
    TOE Scope
    TOE Configuration
    Environmental Requirements
    Test Configuration
PRODUCT SECURITY ARCHITECTURE
    Introduction
    Product Description and Architecture
    Design Subsystems
    Hardware and Firmware Dependencies
    Product Interfaces
PRODUCT TESTING
    IT Product Testing
    Vulnerability Analysis
    Platform Issues
REFERENCES
EXECUTIVE SUMMARY

Introduction

1. This Certification Report states the outcome of the Common Criteria security evaluation of Citrix Password Manager, Enterprise Edition, Version 4.5, to the Sponsor, Citrix Systems Incorporated, and is intended to assist prospective consumers when judging the suitability of the IT security of the product for their particular requirements.

Prospective consumers are advised to read this report in conjunction with the Security Target [d], which specifies the functional, environmental and assurance requirements.

Evaluated Product and TOE Scope

3. The version of the product evaluated was: Citrix Password Manager, Enterprise Edition, Version 4.5.

4. The Developer was Citrix Systems, Incorporated.

5. The evaluated configuration of this product is described in this report as the Target of Evaluation (TOE). Details of the TOE scope, its assumed environment and the evaluated configuration are given in Chapter III Evaluated Configuration below.

The TOE provides a single sign-on solution for accessing password-protected Windows, Web and host-based applications. After a user has authenticated to the network using their primary credentials (this authentication is managed by the environment), all attempts to open controlled applications result in the TOE providing that user's secondary credentials to the application. An administrator is responsible for bringing an application under the TOE's control (making a controlled application) and for defining the Password Policy to be enforced for each application or group of applications. The administrator is also responsible for setting up a user's initial Secondary Credentials for an application (provisioning).

In the evaluated configuration, a user is not exposed to his/her application passwords; those passwords are pre-populated by the administrator and managed and changed as required by the TOE. This means that a user cannot inadvertently or deliberately divulge his/her application passwords and also, as the user never enters an application password via the keyboard, those passwords cannot be detected via keyboard logging. It is possible for the administrator to re-provision a user by entering new provisioning data.

The evaluated configuration relies on users not having administrator level permissions for the operating system on which the product is evaluated. The evaluated configuration also relies on the machines (on which the server components are installed) being physically secure and accessed only by trusted personnel. Additionally, the operating systems on which the TOE components are installed must have correctly installed certificates for use by Transport Layer Security (TLS) encryption services.

9. An overview of the product and its security architecture can be found in Chapter IV Product Security Architecture below.
Protection Profile Conformance

10. The Security Target [d] does not claim conformance to any protection profile.

Security Claims

11. The Security Target [d] fully specifies the TOE's security objectives, the threats which these objectives counter, the Organisational Security Policies (OSPs) which those objectives meet, and the Security Functional Requirements (SFRs) and security functions to elaborate the objectives. All of the SFRs are taken from CC Part 2 [f]; use of this standard facilitates comparison with other evaluated products.

12. The TOE security policy (the Password Generation Policy) is detailed in Section 6.1 of the Security Target [d]. The OSP with which the TOE must comply is defined in Section 3.3 of the Security Target.

Strength of Function Claims

13. The minimum Strength of Function (SoF) was SoF-Medium. This was claimed for security function F3, Application Password Generation. The Certification Body has determined that these claims were met.

Evaluation Conduct

14. The Certification Body monitored the evaluation, which was carried out by the BT Commercial Evaluation Facility (CLEF). The evaluation addressed the requirements specified in the Security Target [d]. The results of this work, completed in June 2007, were reported in the Evaluation Technical Report (ETR) [j].

Conclusions and Recommendations

15. The conclusions of the Certification Body are summarised in the Certification Statement on page 2.

16. Prospective consumers of Citrix Password Manager, Enterprise Edition, Version 4.5, should understand the specific scope of the certification by reading this report in conjunction with the Security Target [d]. The TOE should be used in accordance with the environmental assumptions specified in the Security Target. Prospective consumers are advised to check that this matches their identified requirements and to give due consideration to the recommendations and caveats of this report.

17. This Certification Report is only valid for the evaluated TOE. This is specified in Chapter III Evaluated Configuration below.

18. The TOE should be used in accordance with the supporting guidance documentation included in the evaluated configuration. Chapter II Product Security Guidance below includes a number of recommendations relating to the secure receipt, installation, configuration and operation of the TOE.

19. Certification is not a guarantee of freedom from security vulnerabilities; there remains a small probability (smaller with greater assurance) that exploitable vulnerabilities may be discovered after a certificate has been awarded. This Certification Report reflects the Certification Body's view at the time of certification. Consumers (both prospective and existing) should check regularly for themselves whether any security vulnerabilities have been discovered since this report was issued and, if appropriate, should check with the Vendor to see if any patches exist for the product and whether these patches have further assurance. The installation of patches for security vulnerabilities, whether or not they have further assurance, should improve the security of the product.
PRODUCT SECURITY GUIDANCE

Introduction

20. The following sections note considerations that are of particular relevance to purchasers of the product.

Delivery

21. On receipt of the TOE, the consumer is recommended to check that the evaluated version has been supplied, and to check that the security of the TOE has not been compromised in delivery.

22. The TOE is supplied via Federal Express, DHL or UPS. The shipping company used, the shipping tracking number and a description of the items shipped are emailed to the customer. Each order is assembled and an address label attached. The TOE CD-ROM is placed in a cardboard wallet with other information and shrink wrapped. The license details are placed in a tamper evident cardboard wallet. To verify secure delivery a customer should:

a. check that the tamper evident packaging, containing the TOE, is intact;
b. check that the courier company used and shipping tracking number of the delivered TOE are the same as those on the email sent to the customer.

If any of these checks fail, the customer should contact Citrix Customer Service.

23. Customers are required to download a hotfix in order to install the Agent. The instructions for this are on Page 48 of the Evaluated Configuration Guide [i] (which is a PDF document downloadable from www.citrix.com). The integrity of the download can be checked by performing an MD5 hash of the installation file (setup.msi) and comparing it to the value given in the Evaluated Configuration Guide [i] (233c33ead2b7abd566f95a66b93173ac).

Installation and Guidance Documentation

24. Procedures for secure installation, generation and start-up of the TOE are provided in the Evaluated Configuration Guide [i] and the Administrator's Guide [k]. These documents should be read together before installing the TOE.

25. The guidance for administration and use of the TOE can be found in the Administrator's Guide [k]. Note that all human interaction with the TOE is by authorised administrators and that user guidance is therefore not applicable.
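The download check described in paragraph 23, as an added example in Python (not part of the report or of the vendor's guidance). The function names are illustrative, the path to setup.msi is supplied by the caller, and the SHA-256 output is an addition for local records with no published value on this page to compare against.

```python
"""Verify a downloaded installer against a published MD5 value."""
import hashlib
import hmac
import re
import sys

# MD5 value quoted in paragraph 23 for the Agent hotfix installer (setup.msi).
PUBLISHED_MD5 = "233c33ead2b7abd566f95a66b93173ac"


def normalise_digest(text, algorithm="md5"):
    """Return a published digest as lower-case hex, or raise ValueError.

    Accepts common copy/paste forms (upper case, spaces, colons, hyphens) and
    rejects anything that is not exactly the right number of hex digits, so a
    truncated or mistyped value can never be treated as a match.
    """
    cleaned = re.sub(r"[\s:\-]", "", text).lower()
    wanted = hashlib.new(algorithm).digest_size * 2
    if len(cleaned) != wanted or not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError(f"not a {algorithm} digest: {text!r}")
    return cleaned


def file_digests(path, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Read the file once, in chunks, feeding every requested hash."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def verify_download(path, published_md5=PUBLISHED_MD5):
    """Compare the file's MD5 with the published value.

    MD5 is the only digest the guide publishes, so it is the one compared.
    It catches a corrupted or substituted-by-mistake file but is not
    collision-resistant, so the SHA-256 is returned as well for the
    organisation's own installer inventory (an assumption of this example).
    """
    expected = normalise_digest(published_md5, "md5")
    digests = file_digests(path)
    return {
        "path": str(path),
        "md5": digests["md5"],
        "sha256": digests["sha256"],
        "md5_match": hmac.compare_digest(digests["md5"], expected),
    }


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: verify_download.py <path-to-setup.msi>")
    result = verify_download(sys.argv[1])
    print(f"file   : {result['path']}")
    print(f"md5    : {result['md5']}")
    print(f"sha256 : {result['sha256']}")
    print("MD5 matches published value" if result["md5_match"]
          else "MD5 MISMATCH: do not install this file")
    sys.exit(0 if result["md5_match"] else 1)
```

The script exits non-zero on a mismatch, so it can gate an installation step in a deployment script.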
III. EVALUATED CONFIGURATION

TOE Identification

26. The TOE consists of:

a. one Citrix Password Manager Console version 4.5 Enterprise Edition;
b. one Citrix Password Manager Service version 4.5 Enterprise Edition;
c. one Citrix Password Manager Agent version 4.5 Enterprise Edition.

27. Those three items of software are all delivered on one CD-ROM labelled Citrix Password Manager, Version 4.5.

TOE Documentation

28. The relevant guidance documentation for the evaluated configuration is identified above under Installation and Guidance Documentation. The Administrator's Guide [k] is on the same CD-ROM as the TOE software.

TOE Scope

29. The following features of Citrix Password Manager, Enterprise Edition, Version 4.5, are excluded from the scope of the evaluation:

a. Key Recovery via Question-Based Authentication;
b. Self-Service Password Reset using Question-Based Authentication;
c. Account Unlock using Question-Based Authentication;
d. Use of an NTFS Network Share on a Windows Server, as the Central Store;
e. Use of a Shared Folder in a Novell Netware Directory Services Schema, as the Central Store;
f. Hot Desktop;
g. Initial Credential Setup by a User;
h. Enhanced Java Support;
i. Domain Credential Sharing Group.
TOE Configuration

30. The evaluated TOE configuration is as detailed in Section 2 of the Security Target [d]. The TOE can be operated in four configurations as follows:

Diagram 1: TOE in Stand Alone configuration with username and password authentication

Diagram 2: TOE in Stand Alone configuration with smartcard authentication

Diagram 3: TOE in Citrix Presentation Server configuration with username and password authentication

Diagram 4: TOE in Citrix Presentation Server configuration with smartcard authentication

Environmental Requirements

31. The environmental configuration is as described in Sections 2.2, 2.3, 3.4 and 4.2 of the Security Target [d].

32. Figures 2-1 and 2-2 of the Security Target [d] show the TOE's essential interactions across the network. Diagrams 1 to 4 in Paragraph 30 above show, in outline, the position of the various platforms within the TOE's environment.

Test Configuration

33. The configuration in Diagram 4 of Paragraph 30 above was used for testing. The TOE was installed and configured according to the Evaluated Configuration Guide [i], referencing the Administrator's Guide [k] when necessary.

34. The Service Platform was an HP ProLiant DL140 with 2.4 GHz Xeon CPU, 1Gb RAM, 80Gb HDD and Intel Pro/100 NIC running Microsoft Windows Server 2003 Enterprise Edition with Service Pack 1.

35. The Central Store, Web Interface and Secure Gateway Platforms were the same as the Service Platform, except that they had 512Mb RAM.

36. The two firewall platforms were the same as the Service Platform except they had 512Mb RAM, two Intel Ether Express/100 NICs and were running Red Hat 9 Linux.

37. The Client and Console platforms were both Dell PowerEdge SC1420 with 3.2 GHz Xeon CPU, 2Gb RAM, 80Gb HDD and Embedded Intel Gbit NIC running Microsoft Windows XP Professional with Service Pack 2. A GEMPC Smartcard Reader was attached to each machine via USB.

38. The Presentation Server with Agent platform was a Dell PowerEdge SC1420 with 3.2 GHz Xeon CPU, 2Gb RAM, 80Gb HDD and Embedded Intel Gbit NIC running Microsoft Windows Server 2003 Enterprise Edition with Service Pack 1.
IV. PRODUCT SECURITY ARCHITECTURE

Introduction

39. This Chapter summarises the product's main architectural features. Other details of the scope of evaluation are given in Chapter III Evaluated Configuration.

Product Description and Architecture

40. An overview of the TOE and the TOE architecture is provided in Sections 2.1 and 2.2 respectively of the Security Target [d].

41. Diagrams 1 to 4 in Paragraph 30 above show the various outline network topologies that are applicable to the TOE.

42. The TOE security policy (the Password Generation Policy) is detailed in Security Function F3 in Section 6.1 of the Security Target [d]. Specific parameter settings are detailed in the Evaluated Configuration Guide [i].

43. The main security protection mechanisms of the TOE are:

a. Secure Password Use: the TOE generates strong passwords in accordance with a password policy and never discloses them to the user with whom they are associated;
b. Secure Application Use: the TOE only submits identification and authentication credentials to verified Web and Windows applications;
c. Cryptographic Security: the TOE uses cryptographic techniques to protect user and administrative data, both internally and by use of Windows encryption modules.

Design Subsystems

44. The subsystems of the Agent component are: SSOGina; Auth; Agent Crypto; Local Cache; Agent Thread; Password Generation; Sync.

45. The subsystems of the Service component are: Authenticator; Key Recovery Service; Data Integrity Service; Provisioning Service; Service Crypto.

46. The subsystems of the Console component are: Console; Console Crypto.

47. The subsystems and interfaces of the TOE are shown within the shaded boxes in Diagram 5 below:

Diagram 5: TOE Subsystems

Hardware and Firmware Dependencies

48. The TOE is a software-only TOE and is dependent on a Windows operating system to run. The TOE interacts with Windows through various Microsoft defined Application Programming Interfaces (APIs). The TOE requires Windows to be configured to use only FIPS 140 compliant encryption modules. This is stated in the Evaluated Configuration Guide [i].

Product Interfaces

49. The TOE consists of the following external interfaces:

a. Administrator's interface into the TOE via the Console subsystem;
b. Interface between the TOE and the operating system.
PRODUCT TESTING

IT Product Testing

50. The Evaluators confirmed that the Developer's testing covered all security functions stated in the Security Target [d], and covered all subsystems and interfaces stated in Chapter IV Product Security Architecture above.

51. The Evaluators performed independent functional testing on the TOE to confirm that it operates as specified. They also repeated a sample of 21% of the Developer's tests to confirm the adequacy of the Developer's testing of all of the TOE Security Functions (TSF), subsystems and TSF Interface (TSFI). The Evaluators performed this testing between April 30th and May 3rd 2007 at Citrix premises in Fort Lauderdale, Florida, USA.

52. The Evaluators then performed penetration testing, which confirmed the SoF claimed in the Security Target [d] for the password generation mechanism. That testing also confirmed that all identified potential vulnerabilities in the TOE have been addressed, i.e. that the TOE in its intended environment has no known exploitable vulnerabilities. The Evaluators performed this testing between April 30th and May 3rd 2007 at Citrix premises in Fort Lauderdale, Florida, USA.

53. The Evaluators used the Brutus Release 2 tool (obtained from http://www.hoobie.net) during their testing. Other than that, no specialist tools or techniques were used.

Vulnerability Analysis

54. The Developer's vulnerability analysis describes the disposition of all known vulnerabilities relating to the TOE, as identified by design analysis and an extensive search of public domain sources of vulnerabilities.

55. The Evaluators' vulnerability analysis, which preceded penetration testing, was based on both public domain sources and the visibility of the TOE given by the evaluation process. The Evaluators confirmed that the Developer's vulnerability analysis was consistent with the Security Target [d] and with the countermeasures detailed in the Evaluated Configuration Guide [i] and the Administrator's Guide [k]. This analysis resulted in the identification of penetration tests, which were executed by the Evaluators. No exploitable vulnerabilities were identified.

Platform Issues

56. Details of the TOE scope, its assumed environment and the evaluated configuration are given in Chapter III Evaluated Configuration above.

57. The Developer provided evidence of testing the TOE on the evaluation platforms detailed in Paragraphs 33 to 38 above.

58. The Evaluators re-ran the Developer's test sample using the same configuration and equipment as the Developer.

Random Password Manager Enterprise Edition
Contents

Copyright Notice
Introduction
    Overview
    Performance Notes
    License Agreement
    Limited Warranty
    Background and Goals
Product Installation
    Installation Requirements
    Pre-requisite Knowledge
    Port Requirements
    MSDE Installation Using the Download Package
    MSDE Installation Manually
    Random Password Manager Enterprise Edition Setup
    Random Password Manager Installation
Web Interface Installation
    Web Application Installation
    Web Application Installation Advanced Options
    Web Application Security
    IIS and ASP Pages
    COM+ Identity Wrapper
    COM Components
    Web Application Authentication and Delegation
    Delegation Configuration
Getting Started
    Randomizing the Local Administrator Password for Every System in the Domain
    Schedule a Reoccurring Password Randomization
    Grant Users of a Windows Group 'Test Group' the Ability to Recover Passwords for the Default Group
    Recover a Password from a system in the 'Default' Group using the Web Interface
Web Interface
    Login
    Password Recovery
    System Status
    Managing Access
    View Log

    Program Access
    Managed Group Access
    Account Masks
Managing Systems
    Managed Group Dialog
    Managed Group Dialog Menus
    System List Columns
    System Names and Name Resolution
    Add Systems to Group
    Add From Domain Systems List
    Add From Network Browse List
    Add From Shell Network Browse List
    Add Systems Manually
    Add From Active Directory
    Browse Options
    Add From IP Scanned Range
    Import/Export Systems List
    Connecting to Systems
    Selecting Systems
    Refresh Info
    Setting Managed Group System Ranges
    Dynamic Group Memberships
    Dynamic Group Name and Comment
    Dynamic Group Domains
    Dynamic Group IP Address Ranges
    Dynamic Group Active Directory Paths
    Dynamic Group Data Sources
    Dynamic Group Explicit Inclusions
    Dynamic Group Explicit Exclusions
    Dynamic Group Filter Options
    Dynamic Group Options
    Managing Multiple Managed Groups
Managing Passwords
    Overview and Goals
    Creating a Password Change Job
    Viewing Stored Passwords
Deferred Processing
    Jobs Monitor
    Deferred Processor Service
    Retry Settings
Alternate Administrators
    Administrator Accounts Editor
Report Generator
    Report File Output Type
    HTML Edit Dialog
    Post-Generation Action
    Email Server Settings Overview
    SMTP Settings: General
    SMTP Settings: Outgoing Server
    SMTP Settings: Logging Options
Help Information
    License Keys
    Registration
    Database Configuration
    Logon Info
    About
Program Options
    Logging
    Datastore Configuration
    Application Components
    Manage Web Application
    Remote Licensing
Copyright 2003-2005 Lieberman Software Corporation. All rights reserved. The software contains proprietary information of Lieberman Software Corporation; it is provided under a license agreement containing restrictions on use and disclosure and is also protected by copyright law. Reverse engineering of the software is prohibited. Due to continued product development this information may change without notice. The information and intellectual property contained herein is confidential between Lieberman Software and the client and remains the exclusive property of Lieberman Software. If you find any problems in the documentation, please report them to us in writing. Lieberman Software does not warrant that this document is error-free. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise without the prior written permission of Lieberman Software. Microsoft, Windows, Word, Office, SQL Server, Access, MSDE, and MS-DOS are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Lieberman Software Corporation 1900 Avenue of the Stars Suite 425 Los Angeles CA 90067 310.550.8575 Internet E-Mail: support@liebsoft.com Website: http://www.liebsoft.com
Introduction
This chapter includes an overview of Random Password Manager Enterprise Edition, what problems it is designed to solve, performance information, expected pre-requisite knowledge, and some background information on Windows. This chapter also includes the license and warranty information for Random Password Manager Enterprise Edition.
Product Installation

This chapter covers the installation and setup of both the Win32 console application and the web application setup.

    Installation Requirements
    Pre-requisite Knowledge
    Port Requirements
    MSDE Installation Using the Download Package
    MSDE Installation Manually
    Random Password Manager Enterprise Edition Setup
    Random Password Manager Installation
Installation Requirements
This program requires Windows NT 4.0, Windows 2000 (NT 5.0, Server or Workstation), Windows XP (NT 5.1), or Windows 2003 (NT 5.2). We recommend at least 128 megabytes of memory and at least 50 megabytes of free disk space.

This program also requires access to a SQL Server or MSDE database to store internal data. You can connect to an existing database or create a new database to store data. The construction of the required tables, views, stored procedures, and security roles is handled automatically. MSDE is freely available from Microsoft and can be downloaded from their site directly or found on our site in a convenient installation package. The database can exist on the same system the Win32 application is installed on or can exist on another system. You must have access to the database via a SQL Server login account (Windows Integrated Authentication will not work).

The web application component requires Microsoft Internet Information Services (IIS) 5.0 or later or Microsoft Personal Web Server (PWS) with Active Server Page (ASP) server extensions enabled. The web application also requires COM+ to be enabled on the web server. The web server running the web component does not have to be the same system the Win32 application is installed on. If the web application will be installed on a different machine than the Win32 application, the active logon session must have administrative rights on the web server machine during the time of the web application installation.

The deferred processor service must be installed and running as an account with administrative rights on the local machine.
Pre-requisite Knowledge
Random Password Manager Enterprise Edition uses a Win32 console application in conjunction with a local service to set up the reoccurring password change jobs. Setting up the web application to allow access through the web interface includes the deployment of several COM objects to either the local or a remote web server as well as the creation of virtual directories for the associated ASP files used in the web interface. Random Password Manager Enterprise Edition also utilizes a SQL Server or MSDE database to store program data.

We provide documentation of the steps needed to set up and maintain Random Password Manager Enterprise Edition. We also recommend you have knowledge of database and web server administration, as these components will be used by Random Password Manager Enterprise Edition and should be patched, secured, and properly configured to ensure that the password store system will not be compromised.
After you input the license information, you will be prompted to connect to an instance of SQL Server or MSDE. First enter the name of the system running SQL Server. This can be the local system or a remote system accessible by name or IP address.
Enter the SQL Server account information and choose the database from the drop list. The account that you use must have the rights to create, edit, and delete tables, data, and procedures from the database. Click Next.
Select the database from the dropdown menu. You must use an existing database. If you have not created a database in SQL Server to use, close the application, create the SQL Server database, and then launch the application again.
Click Finish. You will now see the main management dialog of the application.
Random Password Manager Installation
Launch rpmeesetup.exe from the directory to which it was saved and follow the prompts to choose an installation directory.
Click "Next".
Read through the license agreement and click "Agree".
Click "Next" to start the installation. During the installation the program will create shortcuts on the desktop and start menu. Double click the shortcut to launch the application.
Web Interface Installation

This chapter contains installation instructions and background information on the Web Interface portion of RPMEE. The web interface is composed of a set of ASP pages, two COM objects (one .OCX and one .DLL), and a COM+ identity wrapper.

    Web Application Installation
    Web Application Installation Advanced Options
    Web Application Security
    IIS and ASP Pages
    COM+ Identity Wrapper
    COM Components
    Web Application Authentication and Delegation
    Delegation Configuration
Web Application Installation
This reference assumes that the program database is also running on the local system and the local system is running IIS 5.0 or better and is acting as the web server. These operations are implemented through a wizard accessible through the Win32 interface (see "Manage Web Application" on page 106) which automates these steps. The steps involved in setting up the web interface can also be performed manually. These are the steps required to install and configure the web interface:

1 Copy the ASP files from the installation directory to a folder in the "c:\inetpub\wwwroot\RPMEEWeb" directory.
2 Create a new virtual directory "RPMEEWeb" in IIS that references the "C:\inetpub\wwwroot\RPMEEWeb" directory.
3 Create a new COM+ Server Application called RPMEEWeb. Set the credentials for the application to valid local administrator credentials.
4 Add the two required COM objects to the COM+ Application as components. The two COM objects are located in the installation directory and are named "RPMEEWeb.ocx" and "RouletteWeb.dll".
5 Create a default access rule that grants full access to the web interface to members of the domain administrators group.
6 Create default access rules to allow domain administrators all access in the web interface.
Open the Home Directories Tab and Click on the Configuration button for Application Settings.
Make sure the .asp extension is listed and references the "C:\windows\system32\inetsrv\asp.dll" file.
Part of the installation of the web application involves creating a virtual directory in IIS. This virtual directory will reference the set of ASP pages which provide the user interface for the web application. During the automated web application installation, the ASP files are copied from the installation directory to the "C:\Inetpub\wwwroot\RPMEEWeb" directory and the new virtual directory is created in IIS. Shown here are the manual steps of making these changes.
Name the new virtual directory "RPMEEWeb".
Point the virtual directory to the location of the ASP pages.
Use the default permissions (read and run scripts).
The ASP pages used for the web interface are found in the "\UmpWebInterface" subdirectory under the installation path. If you install manually, you should copy them to a directory under the "C:\inetpub\wwwroot\" directory and reference that directory in the virtual directory. You don't need to copy the files to the "wwwroot" directory, but you need to ensure that the account which IIS is using to process ASP pages has access to the directory in which the files are located. By default, the IIS accounts will have access to files and folders under the "wwwroot" directory, which is why the files are copied there by default on install.
After making changes to the IIS configuration, an IIS restart will be required. You can restart IIS either through the IIS control console or through the command line with the command "iisreset". Restarting IIS will stop the web server service as well as any COM objects or services that are currently being held open by the web server.
Lastly, because of the nature of this application, the web server has the capability to send passwords out to the users of the web application. If there is the possibility of unauthorized users sniffing traffic from the web server, we recommend you install and use an SSL certificate on your web server to encrypt passwords viewed through the web interface. Support of SSL and the issuance of certificates will need to be handled by your organization.
COM+ Identity Wrapper
Random Password Manager Enterprise Edition utilizes a COM+ Server Application to store credentials for use by the COM objects used by the web application. Because the COM+ Application is a server application, it uses a specified set of credentials instead of using the launching process' credentials. Running as a specific user allows the COM+ Application to run the COM components at an elevated level of access without running the website as that powerful account. For the web application to work, the COM+ application must be running using an account which has local administrative rights as well as domain user rights. COM+ must be supported and enabled on the web server for the web application installation.
The creation of the COM+ object is handled through the web application installation wizard, but the steps can also be performed manually as shown below. Open the Component Services utility and browse to the COM+ Applications folder on the local machine. Create a new COM+ Server Application (specific credentials) called RPMEE.
If the logged in user account has been granted the all access right, then the 'All' tab will be available in the secondary menu (shown above). This tab provides a search of all systems in the tool. This search ignores the managed group memberships for systems and consequently is a higher level of access to the system status information.
Managing Access
This section covers using delegation to manage access for the web interface. The delegation scheme uses rules applied to Windows groups to allow or deny rights within the web interface. The top level rights (program rights) determine which program level rights a Windows group is granted. These rights include the ability to log in, the ability to see everything, and the ability to change access rules. The second level of rules, managed group access rules, determines which managed group(s) a specific Windows group has access to. This level of delegation includes managed group access control lists and account name based filters. This section also contains the log information. The log tracks all users who attempt to log into the web interface and all password retrievals.
View Log
The activity log for all web interface logons and password retrievals is stored in the Manage Access section. To view the log, you must have been granted the program right to manage all web access controls. First choose which log you want to view. The access log shows all attempted logons to the web interface. The Recovery Log displays all passwords that were retrieved, and you may also select the range of time you are interested in. In addition, you can choose to view the activity for a specific user that has logged in or recovered passwords.
The access log shows the time of the logon, the originating IP address, the result of the attempt, and the logon username.
The recovery log shows the date of the recovery, the originating IP address, the authenticated username, the managed group that allowed access to the system, the system name, and the name of the account that was recovered.
Note: when account passwords are recovered, they are scheduled to be automatically randomized in four hours.
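A review of the two logs using the fields listed above and the four-hour randomization note, as an added example (not part of the product). The CSV layout, column names and all sample rows are constructed assumptions, since the manual does not describe an export format.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# From the manual's note: a recovered password is scheduled to be
# randomized four hours after the recovery.
RANDOMIZE_AFTER = timedelta(hours=4)

# Constructed sample rows. The CSV layout and column names are assumptions;
# the manual names the fields of each log but not an export format.
ACCESS_LOG = """time,ip,result,username
2007-06-01 08:58:10,10.0.0.21,success,alice
2007-06-01 09:40:02,10.0.0.77,failure,bob
2007-06-01 09:41:05,10.0.0.77,success,bob
"""
RECOVERY_LOG = """time,ip,username,managed_group,system,account
2007-06-01 09:00:00,10.0.0.21,alice,Servers,SRV01,Administrator
2007-06-01 09:45:00,10.0.0.77,bob,Workstations,WS014,Administrator
2007-06-01 09:46:00,10.0.0.77,bob,Workstations,WS015,Administrator
2007-06-01 09:47:00,10.0.0.77,bob,Workstations,WS016,Administrator
2007-06-01 11:30:00,10.0.0.99,alice,Servers,SRV02,Administrator
"""


def load(text):
    """Parse a CSV export into dicts with 'time' converted to datetime."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
    return rows


def still_exposed(recoveries, now):
    """Recovered passwords whose scheduled randomization is still pending at 'now'."""
    return [(r["system"], r["account"], r["time"] + RANDOMIZE_AFTER)
            for r in recoveries
            if r["time"] <= now < r["time"] + RANDOMIZE_AFTER]


def recoveries_without_logon(access, recoveries):
    """Recoveries with no earlier successful logon by the same user from the same IP."""
    logons = [(a["username"], a["ip"], a["time"])
              for a in access if a["result"] == "success"]
    return [r for r in recoveries
            if not any(u == r["username"] and ip == r["ip"] and t <= r["time"]
                       for u, ip, t in logons)]


def bulk_recoverers(recoveries, window=timedelta(minutes=10), limit=3):
    """Users who recovered 'limit' or more passwords inside one sliding window."""
    by_user = defaultdict(list)
    for r in recoveries:
        by_user[r["username"]].append(r["time"])
    flagged = set()
    for user, times in by_user.items():
        times.sort()
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= window) >= limit:
                flagged.add(user)
    return sorted(flagged)


if __name__ == "__main__":
    access, recoveries = load(ACCESS_LOG), load(RECOVERY_LOG)
    now = datetime(2007, 6, 1, 13, 10)
    for system, account, due in still_exposed(recoveries, now):
        print(f"{account} on {system}: disclosed password in use until about {due}")
    for r in recoveries_without_logon(access, recoveries):
        print(f"no matching logon: {r['username']} from {r['ip']} -> {r['system']}")
    print("bulk recovery:", bulk_recoverers(recoveries))
```
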
Program Access
This section controls the higher level global program access rules. These rules dictate which Windows groups have rights in the web interface. The rights granted here are program wide and include: logon, display all accounts, manage web access controls. The right to logon is the most basic right. This allows members of the Windows group to log into the web interface. This right will also allow users to see the System Status tab and the Password Recovery tab, but users in the group will not have access to any managed groups initially. The right to see all account passwords grants members of the Windows group the right to recover the stored account passwords for any account saved within the system. This bypasses the managed group access check and applies to both the Password Recovery section and the System Status section.
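The two-level check described under Managing Access and Program Access, modeled as an added example (not the product's code). It covers grants only: deny rules and account-name filters are left out, the requirement that the logon right comes first is an assumption, and all group and system names are hypothetical.

```python
from dataclasses import dataclass, field

# Program rights named in the manual.
LOGON = "logon"
SEE_ALL = "display all accounts"
MANAGE = "manage web access controls"


@dataclass
class AccessModel:
    program_rights: dict = field(default_factory=dict)     # Windows group -> set of program rights
    managed_group_acl: dict = field(default_factory=dict)  # managed group -> Windows groups allowed
    system_groups: dict = field(default_factory=dict)      # system -> managed groups containing it

    def rights_of(self, user_groups):
        """Union of the program rights held by any of the user's Windows groups."""
        rights = set()
        for group in user_groups:
            rights |= self.program_rights.get(group, set())
        return rights

    def can_recover(self, user_groups, system):
        """Return (allowed, reason) for a password recovery on 'system'."""
        rights = self.rights_of(user_groups)
        if LOGON not in rights:
            # Assumption: every other right presupposes the logon right.
            return False, "no logon right"
        if SEE_ALL in rights:
            # The manual states this right bypasses the managed group check.
            return True, "display-all right (managed group check bypassed)"
        for mg in sorted(self.system_groups.get(system, ())):
            if self.managed_group_acl.get(mg, set()) & set(user_groups):
                return True, f"managed group {mg}"
        return False, "no managed group rule matches"

    def unscoped_groups(self):
        """Windows groups that hold the display-all right."""
        return sorted(g for g, r in self.program_rights.items() if SEE_ALL in r)


# Constructed sample configuration (all group and system names are hypothetical).
MODEL = AccessModel(
    program_rights={
        "Domain Admins": {LOGON, SEE_ALL, MANAGE},
        "Helpdesk": {LOGON},
        "Auditors": {LOGON, SEE_ALL},
    },
    managed_group_acl={"Workstations": {"Helpdesk"}, "Servers": {"Server Ops"}},
    system_groups={"WS014": {"Workstations"}, "SRV01": {"Servers"}},
)

if __name__ == "__main__":
    for groups, system in [(["Helpdesk"], "WS014"), (["Helpdesk"], "SRV01"),
                           (["Server Ops"], "SRV01"), (["Auditors"], "SRV01")]:
        print(groups, system, MODEL.can_recover(groups, system))
    print("review these grants:", MODEL.unscoped_groups())
```

Groups returned by `unscoped_groups` are the ones to review first, because no managed group rule limits what their members can recover.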
Contents - Displays this document.
License Keys - Shows which systems are currently using license tokens.
Register - Enter a serial commercial key to register the application. Also supports remote licensing to connect to a licensed remote instance of the application.
Database Configuration - Information about the current database connection settings.
Logon Info - Information about the current logon session (user name, rights, etc).
About - Displays version information, contact information, and the active serial number.
System List Columns
The columns shown for each system are:
Role - WS for workstations and SRV for servers.
Version - NT4, WK2, 2003, XP.
Resolve By - SN (System Name), NB (NetBios), or IP (IP Address).
NetBIOS Name
IP Address
Subnet Mask
DHCP - Shows whether or not the IP address for this system is assigned through DHCP.
MAC Address
Checked - The last time this system was successfully contacted.
Status - The last result message or error code for any operations on this system.
System Names and Name Resolution
NetBIOS names typically only resolve on a local subnet unless a WINS Server is provided. IP addresses can be used, but they have two problems: they don't provide a very meaningful identification for a machine, and they may be re-assigned through DHCP. Both of these problems might cause an administrator to make changes on the wrong machine inadvertently. With a DNS name, you can specify a machine in both an easily identifiable way, and a way which is insensitive to changes in the machine's IP address through DHCP as long as you are using DHCP and dynamic DNS linked together.
To check if a name is resolvable, try pinging the machine by name from the command line interface. If the ping resolves to the correct machine, our tool should be able to use that name to manage the machine (it uses the same resolution mechanism as ping does). When the program does a Get Role/Version (Refresh) operation, it retrieves the NetBIOS name and IP address of each managed machine. By default, the machine is resolved by whatever name is in the System column (which can be a NetBIOS name, an IP address, or a DNS name). You can change the resolution type by right-clicking on the machine(s) and selecting a "Resolve By" option. This will cause the product to use the alternate name of the machine for name resolution. In most cases, however, the system name should be sufficient for name resolution. In addition, the other information can then be examined to make sure operations will affect the correct system(s). Note: If you are having trouble connecting to machines using their DNS names, check to make sure the name you are using resolves to the correct machine (through ping).
Add Systems to Group
There are various ways to populate your groups with systems once the group has been created:
Add from domain systems list.
Add from network browse list.
Add from shell network browse list.
Add systems manually by name.
Add from Active Directory.
Add from scanned IP ranges.
Import/Export Systems List from text file.
These methods are in addition to the IP Scanner and ODBC query, which can both be used to populate a group.
Add From Domain Systems List
Shown below is the Add from Domain List dialog.
The fastest method of adding NT/2000/Server 2003/XP systems to this program is to inquire at the Primary Domain Controller (or just a Domain Controller for 2000/2003/XP) for the list of machines which have joined the domain. There are a few confusing cases when viewing servers in the domain list. The machine list may not represent all of the machines on the network (some machines may not have joined the domain). The list usually contains systems that have left the domain, but have not been purged from the PDC database via the NT/2000/XP server management tools.
After adding machines to the Selected Systems list, you can use the "Platform?" button to verify the connectivity, credentials, and version of the selected systems. The "Platform?" feature contacts each machine on the list and inquires as to what version of the operating system it is running, as well as which network services (Type) are running on the machine. This feature is an excellent way to verify that only live, appropriate systems are added. The Platform field indicates what operating system type is running: DOS, OS/2 and Windows 95/98, Windows NT/2000/XP, UNIX/OSF, DEC VMS.
The system name and system comment are both shown in the available systems list. After systems have been selected and checked (by pressing "Platform?"), there are columns to display the Platform, Version (4.0 is NT, 5.0 is Windows 2000, 5.1 is Windows XP, and 5.2 is Server 2003), Role, and Net Services. The Net Services field indicates which network services are running on each system. It is normal for an NT/2000/XP Workstation and an NT/2000/XP Server to both have the Workstation and Server services running.
When performing domain lookups and platform checks, the status, progress, and thread count are all updated in real time. The status box displays messages about the status of the current operation, and the active thread count displays how many threads have yet to complete for this operation.
Using this dialog, you can create or delete groups and change the current active managed group. The Auto create option allows you to quickly create a managed group for each OU in the current active directory. Groups created this way will be named according to their Distinguished Name in Active Directory and will contain all the systems that are contained in the OU. This option is only available if the system running the Win32 application is in an Active Directory domain.
This chapter covers how to use Random Password Manager Enterprise Edition to change passwords on your systems, recover stored passwords from within the Win32 application, and schedule password changes to happen on an ongoing basis. Note: For password change jobs to occur on a scheduled basis, the deferred processor service must be installed and correctly configured.
Overview and Goals
Creating a Password Change Job
Viewing Stored Passwords
Overview and Goals
The primary goal of Random Password Manager Enterprise Edition is to make password changes very easy. The most common task that comes up is the need to change the local administrator account on a lot of machines on a regular basis. The interface has been designed with this specific task in mind. We also realize the local administrator account may have been renamed on one or more systems, so we have provided an option to change the local administrator account regardless of its current name. The structure of password change jobs is system based, rather than account based, which means it is very easy to change the same account on many systems at once with the same job. This choice also means that changing multiple accounts on the same system will require multiple jobs, one for each specific account. In most cases after jobs have been created, they will be set to run either once or indefinitely and will not require user interaction.
The first step in changing a password requires you to select the systems to be included in the job. Once the systems have been selected, the name of the account to be changed needs to be entered. The account can be specified by name explicitly or can be set to one of the built-in account types. After the account is entered, the new password settings are supplied. The password for the account on all selected systems can be set to a static value or can be generated randomly in compliance with compatibility and complexity settings. Once the password settings are entered, the only remaining step is to set the schedule for the password update job. The scheduling option will dictate whether the job runs once, runs right away, runs at a later time, or runs on an ongoing basis.
Creating a Password Change Job
To create a password change job, select one or more systems in the current managed group and click the 'Create new password change job' button in the middle of the dialog (the button shows a picture of a lock). The first step is identifying the account you want to change. You can either input the name of a specific account or choose the built-in administrator or guest accounts. If you choose a specific account and that account is not found on one or more of the selected systems, you can choose to add the account to those systems. If you choose to add the account to missing systems, you will need to specify the type of account to ensure it is placed in the correct local groups.
Once you choose the account to update, the next step is setting the password settings. You can choose to either set the account(s) to a static password or create a randomly generated password for each account. Both static passwords and randomly generated passwords are stored in the program database and can be viewed through the Win32 application and through the web interface. If you opt for a random password, there are a variety of options to tailor the password complexity and compatibility.
After the password change settings have been entered, the next step is to set the scheduling options for this password change. The options for scheduling are immediately, one time, every hour, every day, every week, every month, or every year. Jobs that run immediately and jobs that run once will not be saved to run on a reoccurring basis.
After setting the job schedule settings, select finish to schedule the job. If the job is scheduled to run immediately, the job will start running in the managed group dialog. If the job is scheduled to run later, you can check its scheduled status in the job monitor.
Viewing Stored Passwords
Once passwords have been changed using Random Password Manager Enterprise Edition, you can view all the stored passwords by selecting View Stored Passwords from the View menu in the Managed Group dialog.
Report File Output Type
Post-Generation Action
Email Server Settings Overview
Report File Output Type
There are four file types that the Report Generator can generate:
Comma Delimited - Column data is separated with a comma with the first row containing the column names. This can be read into a spreadsheet such as Excel.
Tab Delimited - Similar to comma delimited except tab characters are used rather than commas.
Fixed Column Width - This allows you to specify how wide each column is in characters. This is useful for fixed size viewing, printing, and some displays that may have limited space. Information that does not fit within the fixed size is truncated on generation. This format is useful for generating human readable output.
HTML - Customizable HTML reports.
HTML Edit Dialog
This edit window, shown below, allows you to edit the format for the HTML report output. The HTML output template is set to the default template the first time the report generator is run, and you can always revert to the default template by pressing the "Default" button.
You can have any number of template files for HTML reports. The file name editor lets you select which template file you are currently editing. The file menu lets you open or save templates. The current template file is shown in the template editing window, and can be edited directly. Alternatively, you can edit the template outside of the program in your favorite editor.
The top of the edit window shows the variables which you can use in your report that will be automatically populated with data specific to the actual report being generated. You can insert these variables into the template file at the current cursor position by using the "Insert" button, double-clicking the variable you wish to insert, or simply entering the variable name directly into the template. The look of the generated report data is controlled by several CSS style elements. The default template has default styles for these elements, but you can modify them as appropriate. The look of the report title elements is set directly in the HTML (which you can also modify). By modifying the style elements and HTML, you can generate whatever report templates are appropriate for your organization.
Post-Generation Action
Database Configuration
This dialog shows the settings which are being used to connect to the program database. These settings can be changed through the File -> Datastore Configuration options.
Logon Info
This dialog provides information about the current logon session. This information includes what the logon domain is, the operating system version, and the list of effective rights for the currently logged on user.
The About dialog shows the product version and serial number, as well as the product license information and our company contact information. If you need to find your serial number, it is listed here.
This section contains information about other program options that do not fall into a specific category or are not associated with a particular operation. Some examples include database connection settings and logging options.
Logging
Datastore Configuration
Application Components
Manage Web Application
Remote Licensing
Logging
Before you begin using the product, you should examine the log file settings. The log file settings are on the "File" menu under "Logging". Depending on your needs, you may want to increase the level of logging performed by Random Password Manager Enterprise Edition to track changes or create records of operations (successes and error codes). By default, the log file will be created in the location recommended by Microsoft for application log files. If you prefer another location for log files, simply specify a new log file location/name using the '.' button. There are two thresholds of logging available: extended and normal. The extended (verbose) mode includes normal log information and information on the internal phases the product goes through while performing changes and logging. In normal operation extended logging is not necessary. The extended logging information is useful for debugging should it become necessary.
The log file is always appended to. It is always safe to read/copy the log file when changes are not in progress. You may have to stop the program before removing the active log file.
Log Statistics - By checking the Log Statistics check box, the log will receive the pre and post transaction counts for the following categories: users, groups and group memberships. This information will be logged to the log file.
View - View the log in the Notepad text editor.
Print - Print the log file.
Delete - Delete the log file.
Log Size - Displays the current size of the log file in bytes.
Windows Event Log - These options tell the program to also log to the computer's Application Event log. The remote computer is the computer that is being changed by the program and the local machine is the machine that the program is running on. The Windows Application Event Log is a record of program activity and can be useful in tracking operations performed with Random Password Manager Enterprise Edition which would reflect changes to the network configuration or security.