Understanding PortalGuards

Configurable Password Management: Balancing Usability and Compliance

Highlighting the Password Management Layer of the PortalGuard Platform

By the end of this tutorial you will be able to

How PortalGuard can help you

Understand how password management can make applications compliant

Discover PortalGuards Configurable Password Management

See the Step-by-step Authentication Process Know the Technical Requirements

The PortalGuard software is a Contextual Authentication platform which is focused on enhancing usability, while maintaining a balance between security, auditing and compliance for your web, desktop and mobile applications.
Usability Single Sign-on
Password Management Password Synchronization Self-service Password Reset

Security
Knowledge-based Two-factor Authentication

Contextual Authentication
Real-time Reports/Alerts

Before going into the details

Configurable by user, group or application Security password history, expiration and complexity

Strikeout/Lockout limits to enforce a configurable number of strikes

Usability email calendar reminders and password strength meter Self-service password reset, recovery and account unlock

Password synchronization
Verbal Authentication

Easy implementation Cost effective reduce Help Desk calls

Implementing stronger authentication security

BUY BUILD

NON-Compliant

Increasing security as a secondary thought

Low risk applications - password-based authentication Medium/High risk applications - stronger authentication

Contextual Authentication Multi-factor Two-factor One-time password (OTP)

Password management is A poorly chosen password may result in unauthorized access and/or exploitation of critical data.
Password Creation Password Protection Password Change Frequency

Protection

Frequency

Complexity

The first step Educate your users on password best practices including
Never share your account Never use the same password for multiple systems Never tell a password to anyone Never write down a password Never provide a password over the phone, email or instant messaging Make sure to log off or lock workstation Change your password whenever suspect Passwords should be alpha-numeric at a minimum

Goes beyond the foundational policies and provides enhanced functionality which improves security of passwords while improving usability for users.

FEATURES

Security Features:
Password Complexity - customizable rules for minimum and maximum length, and uppercase, lowercase and special characters. Password History - prevent users from reusing their last n passwords Password Expiration - set expiration and grace periods Strikeout/Lockout Limits - enforce a configurable number of strikes before an account lockout Prevent Users from Sharing Credentials - limit multiple concurrent logon sessions Lockout Inactive User After n Days - identify and stop access from dormant user accounts

Usability Features:
Email Calendar Reminders - set reminders in users email client calendar of upcoming password expirations Expiration Grace Period notify users of expiration but allow them to skip the password reset for a configurable number of days Password Meter - provide users with visual clue of the strength of the password when resetting or creating one Password Synchronization - leveraging one strong password across multiple systems

Administrative & Help Desk Features:

Help Desk/Verbal Authentication - prove users identity when calling into the Help Desk by answering a series of challenge questions Auditing/Logging - record user login activity including invalid usernames, last login, last password change, etc. Administrative Dashboard - provides administrators with a snapshot of recent user login activity Help Desk Console application which allows Help Desk staff to perform account actions such as a password reset, account unlock, etc.

 Flexibility - configurable to the user, group or domain hierarchy Increased Usability - maintains user productivity and satisfaction with a password strength meter, email calendar reminders and selfservice password reset Increased Security - prevents both common password and code injection attacks Balances Usability and Security - supports both compliance and user Implements password best practices Compliance web-based and SQL applications now meet required standards Cost effective reduce password related Help Desk calls

HOW IT WORKS

Policy-based security settings.

To enforce password management rules for your users.

POLICY

Password History

Several previous passwords are remembered. With this policy setting, users cannot reuse old passwords when their password expires.

POLICY

Maximum Password Age

So passwords expire as often as necessary for your environment, typically every 30 to 90 days. If an attacker manages to crack a users password using offline tools, a shorter expiration interval increases the likelihood that the password is no longer current for that users account, preventing the breach.

POLICY

Minimum Password Age

So passwords cannot be changed until they are more than a certain number of days old. If a minimum age is defined, users cannot repeatedly change their passwords to get around the password history policy setting and then use their original password.

POLICY

Minimum Password Length

So passwords must consist of at least a specified number of characters. Long passwords seven or more characters are usually stronger than short ones. With this policy setting, users cannot use blank passwords, and they have to create passwords that are a certain number of characters long.

POLICY

Search Order and Precedence

Due to PortalGuards flexibility users can have multiple policies applied
1. 2. 3. 4. Policies applied directly to a user Policies applied to a group Policies applied to a domain or OU The default policy

POLICY

User Profiles
Where PortalGuards user-specific information is stored.

Strike count Last login time Password expiration time Hashed answers to challenge questions Last password change time Accepted Terms of Use time

POLICY

Step 1:
The users password is expired, but within the grace period. The user defers the password change by clicking the link shown and is allowed to login.

Step 2:
A few days later, the user attempts to login and the password is now expired. PortalGuard forces a password change.

Step 2a:
If PortalGuard is configured to use a password meter it is automatically updated as the user types their new password.

Step 2b:
If a password minimum age is enabled and the user attempts to manually change their password again, PortalGuard will prevent it.

Step 3:
When password history is enabled, a password that satisfies the complexity rules may still be rejected.

Step 4:
Once the new password is acceptable, PortalGuard changes it in the target user repository in real-time and notifies the user of the success.

Step 5:
If a password minimum age is enabled and the user attempts to manually change their password again, PortalGuard will prevent it.

Configurable through the PortalGuard Configuration Utility:

Password Rules: Minimum length Maximum length Minimum lowercase Minimum uppercase Minimum numeric Minimum special Active Directory complexity

Configurable through the PortalGuard Configuration Utility:

Rule Grouping: Combine standard password rules into pools where only a subset must be met

Configurable through the PortalGuard Configuration Utility:

Enable/Disable Password Meter:

Minimum required score when enabled

Configurable through the PortalGuard Configuration Utility:

Password History: By number of entries or time

Configurable through the PortalGuard Configuration Utility:

Password Dictionary: Standard words that passwords cannot contain

Configurable through the PortalGuard Configuration Utility:

Misc: Enforce Complexity Rules During Login Regular Expression Checking

Configurable through the PortalGuard Configuration Utility:

Password Expiration Expiration period Grace period Expire first use Minimum age Calendar reminders Lockout Strike limit Lock expiration Strike messages Inactivity Session concurrency Help Desk/Verbal Authentication

Auditing: Log last login Log last password change Log last password recovery Require acceptance URL for rejection

TECHNICAL REQUIREMENTS

A MSI is used to install PortalGuard on IIS 6 or 7.x.

This version of PortalGuard supports direct access and authentication to cloud/browser-based applications, only.
IBM WebSphere/WebSphere Portal v5.1 or higher Microsoft IIS 6.0 or higher Microsoft Windows SharePoint Services 3.0 or higher Microsoft Office SharePoint Server 2007 or later

.NET 2.0 framework or later must be installed (64-bit OS only) Microsoft Visual C++ 2005 SP1 Redistributable Package (x64) Microsoft Windows Server 2000 Microsoft Windows Server 2003 (32 or 64-bit) Microsoft Windows Server 2008 (32 or 64-bit) Microsoft Windows Server 2008 R2

THANK YOU
For more information visit PortalGuard.com or Contact Us