Hitachi ID Password Manager
Course Content
Introduction
Install the software
Targets and auto-discovery
- AD target (source of profiles)
- OpenLDAP target (target only)
- Linux target (target only)
- Configure the system to omit disabled accounts
- Run and troubleshoot psupdate
- Log viewer
Security questions as a backup authentication method
- Set up question sets
- Configure auth chains (very basic - Q and A and password options)
- Configure users to have mandatory enrollment on first login
- Show that users have to fill in Q and A
Password policy
- Set up basic rules
- Add a RegExp
Routine password change from web UI
- Enable PSS
- Show user experience
- Discuss caching and the need for PSLOCALR
- Add PSLOCALR and show results from a domain-member PC
Self-service password reset via web browser
- Show that it already works (Q and A, password reset, PSLOCALR)
Managed enrollment and user notification
- Discuss notification subsystem
- Configure invitations to users to fill in security questions:
  - Max 500 e-mails/day
  - Max 1 e-mail/user/week
  - 3 e-mails before first web popup (notification client)
  - 3 web popups before forced enrollment
- Mandatory enrollment (configure and demo - need to put users into a group/GPO and take them out on successful enrollment)
Notifying users of upcoming password expiry
- Discuss how notification applies here
- Discuss mobile users who get e-mails via push or OWA but aren't notified of password expiry by Windows
- Configure expiry via e-mail for 10, 5, 4, 3, 2, 1 days before AD expiry
- Configure expiry via web popup for 3, 2, 1 days before AD expiry
Locked out users and client tools
- Domain-SKA
- Local-SKA
- GINA service for WinXP
- GINA DLL for Citrix
- Windows 7 (Vista) Credential Provider
- Self-Service, Anywhere for mobile users with corporate laptops and who are initially offline (discuss, probably don't fully configure)
- Discuss integration with VPN (command-line, special account, IP/port/time limits, credentials on the client, etc.)
- Customizing client software MSI with Orca (quick view, no details)
Help desk password reset
- User classes to grant rights (e.g., global, local help desks)
- Controlling access to security questions
- Help-desk-specific security questions
- Help desk UI for password reset and clearing intruder lockouts
- Expanded URL to specify userID, callerID, ticket number from incident management system
Full disk encryption and key recovery
- Discussion
- Introduction to HiTPM
- Discuss HiTPM integrations with Dialogic, VoIP, Asterisk
- Discuss HiTPM integrations with key recovery system
E-mail and incident management integration
- E-mails to users:
  - After password changes
  - After failed authentication and/or lockouts
  - Invitations to action (enrollment)
- E-mails to admins:
  - Replication failures
  - Target update failures
  - PSUPDATE problems
- Incident integration (optional - create/update/close tickets)
- SIEM integration (optional - SYSLOGD to Splunk)
RSA token PIN reset and support
- Enabling tokens as an authentication factor (auth chains, plugin)
- RADIUS plugin for authentication
- Managing RSA tokens:
  - PIN reset
  - Clock synch
  - Emergency passcodes
Mobile phones and other authentication factors
- Enrolling phone number and provider ID
- Authentication chains to provide SMS/PIN (before Q and A)
- Authentication chains to provide CAPTCHA (Internet facing)
Reporting and surveillance
- Dashboards and reports
- Scheduling reports to admins
- Activity and trend analysis