SiteMinder invokes Advanced Password Services (APS) each time a user attempts to log in (authenticate), whether the login is valid or not. If the Directory Service and SiteMinder have determined that the user has successfully identified itself, APS is given the opportunity to do a final check. At that point APS can determine whether the password has expired or is about to expire, and whether the user has been inactive for too long.
If the user has failed to authenticate because an invalid password has been supplied, APS increments a counter associated with the user. Once this counter exceeds an administrator-supplied value, the user account can be disabled automatically.
APS can detect many such situations or events. Once APS has detected one of these events, it can take any of a number of actions, all configurable by the Administrator.
Many events may actually cause the user account to become disabled.
APS can automatically send email to users and/or administrators identifying that an event has occurred. Either the current on-line user can be redirected to another web page or a message can be displayed. All of this is under the full control of the Administrator.
APS can alert users and/or site administrators, via email notification, of any potential security breaches to their accounts and/or web sites. These breaches could be hackers attempting to access a valid user's account or a disabled (invalidated) user account attempting to gain access to a protected resource.
It is not uncommon for sites to configure APS to keep sending email for as long as it detects an ongoing attack against an account. Typically, this mail is sent through an SMTP pager gateway (not supplied) to notify a site's security administrators, in real time, that an attack is in progress.
By limiting the amount of idle time that can elapse before a user is invalidated, administrators can prevent inactive users from becoming back-door logins to the system. For example, if a customer's employee leaves the job, the employee's account is invalidated automatically once the idle limit passes, before it can be used for mischief.
APS can also prevent hackers from gaining access via password-cracking tools by limiting the number of consecutive failed login attempts. At a predetermined number of consecutive failures, the accessed account will be disabled and the user (and/or administrator) notified by email.
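The following is an added illustration of the per-login hook described above, written for this page rather than taken from APS: a directory-agnostic check that runs after every authentication attempt, counts consecutive failures, disables the account at an administrator-supplied threshold, retires idle accounts, and turns password expiry and probing of a disabled account into the configurable actions (mail, redirect). The thresholds, attribute names, mail addresses and the change-password page are assumptions, not APS settings.

```python
"""Model of a post-authentication check in the style described above.

Added example, not APS code. The thresholds, recipient addresses and the
redirect page are hypothetical; in APS they are administrator-configured.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

MAX_FAILURES = 5                      # assumed: consecutive bad passwords before lockout
MAX_IDLE = timedelta(days=90)         # assumed: inactivity limit before invalidation
PASSWORD_LIFETIME = timedelta(days=60)
EXPIRY_WARNING = timedelta(days=7)    # warn the user this long before expiry
CHANGE_PASSWORD_PAGE = "/aps/changepassword"   # assumed page name
ADMIN_MAIL = "security@example.com"            # assumed pager gateway address
NOW = datetime(2014, 1, 15, 12, 0)             # fixed clock so the example is reproducible


@dataclass
class UserRecord:
    """The per-user state the hook needs; a stand-in for directory attributes."""
    uid: str
    password_set: datetime
    last_login: datetime
    failures: int = 0
    disabled: bool = False


@dataclass
class Decision:
    allow: bool
    events: List[str] = field(default_factory=list)   # what was detected
    mail: List[str] = field(default_factory=list)     # who to notify
    redirect: Optional[str] = None                    # page to send the user to


def make_user(uid: str, password_age_days: int = 0, idle_days: int = 0) -> UserRecord:
    """Constructed sample user relative to the fixed clock."""
    return UserRecord(uid, NOW - timedelta(days=password_age_days),
                      NOW - timedelta(days=idle_days))


def post_auth_check(user: UserRecord, password_ok: bool, now: datetime) -> Decision:
    """Run after the directory and SiteMinder have verified (or rejected) the password."""
    d = Decision(allow=False)

    # A disabled account being probed, even with the right password, is an alert
    # every time: this is the "ongoing attack" mail a pager gateway would receive.
    if user.disabled:
        d.events.append("disabled-account-attempt")
        d.mail.append(ADMIN_MAIL)
        return d

    if not password_ok:
        user.failures += 1
        d.events.append("bad-password")
        if user.failures >= MAX_FAILURES:
            user.disabled = True
            d.events.append("lockout")
            d.mail.extend([user.uid, ADMIN_MAIL])
        return d

    # Credentials were accepted; APS now makes its final checks.
    if now - user.last_login > MAX_IDLE:
        user.disabled = True
        d.events.append("inactive")
        d.mail.append(ADMIN_MAIL)
        return d

    age = now - user.password_set
    if age > PASSWORD_LIFETIME:
        d.events.append("password-expired")
        d.redirect = CHANGE_PASSWORD_PAGE     # user must change it before proceeding
        return d
    if age > PASSWORD_LIFETIME - EXPIRY_WARNING:
        d.events.append("password-expiring")
        d.mail.append(user.uid)               # warn, but let the login through

    # Successful login: reset the failure counter and record activity.
    user.failures = 0
    user.last_login = now
    d.allow = True
    return d
```

Note that the failure counter is only reset by a successful login, and that once the account is disabled the outcome no longer depends on whether the password was right: that is what stops an attacker from learning anything from the lockout itself.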
Advanced Password Services capabilities can be broken out into several functional areas:
Advanced Password Services allows users to change their own passwords according to a comprehensive, flexible password content policy or rules. As with the rest of APS, this service is highly configurable by the site administrator.
The interface used to enter password changes is easily configurable by an HTML programmer. A simple, but complete, interface is provided with APS and limited branding may be performed without programmer intervention.
For those sites desiring more comprehensive integration, a full Application Programming Interface (API) is provided for password validation and change.
The administrator can create the password policy, or rules, that a new password must pass before a user may use it. These rules include:
Using this service, administrators can impose limitations on newly entered passwords, regardless of which Directory Service the user is stored in. A consistent password security policy makes it considerably more difficult to break into a system using a password-cracking program.
By limiting the types of passwords that can be used (e.g., at least eight characters in any combination of letters and numbers, eliminating all entries in a dictionary, etc.), site security can be greatly enhanced.
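As an added example (not the APS rule set or its API), here is a password content check of the kind the paragraph describes: minimum length, a mix of letters and digits, no occurrence of the user's login id, and rejection of dictionary words. The dictionary is a small constructed sample, and the rule names are assumptions. It goes a little beyond the text by matching dictionary words after lower-casing, trimming trailing digits and punctuation, and undoing common letter-for-digit substitutions, because "Summer2014!" and "P@ssw0rd" are exactly what a cracking tool tries first.

```python
"""Password content policy check in the spirit of the rules described above.

Added example, not APS code. DICTIONARY is a constructed sample; a real
deployment would load a full word list.
"""
import re
from typing import Iterable, List, Set

MIN_LENGTH = 8                                   # assumed policy value
DICTIONARY: Set[str] = {"password", "welcome", "summer", "letmein", "siteminder"}
# Common substitutions attackers also try: 0->o, 1->l, 3->e, 4->a, @->a, $->s
LEET = str.maketrans("0134@$", "oleaas")
_TRIM = re.compile(r"^[^a-z]+|[^a-z]+$")        # strip digits/punctuation at either end


def _candidates(password: str) -> Set[str]:
    """Forms of the password that are compared against the dictionary."""
    lowered = password.lower()
    trimmed = _TRIM.sub("", lowered)
    out = set()
    for form in (lowered, trimmed):
        out.add(form)
        out.add(form.translate(LEET))
    return out


def validate(password: str, username: str, dictionary: Iterable[str] = DICTIONARY) -> List[str]:
    """Return the list of rules the candidate password violates (empty = acceptable)."""
    words = set(dictionary)
    violations: List[str] = []
    if len(password) < MIN_LENGTH:
        violations.append("too-short")
    if not any(c.isalpha() for c in password):
        violations.append("needs-letter")
    if not any(c.isdigit() for c in password):
        violations.append("needs-digit")
    if username and username.lower() in password.lower():
        violations.append("contains-username")
    if any(form in words for form in _candidates(password)):
        violations.append("dictionary-word")
    return violations
```

Because the same function is applied regardless of which directory the user lives in, every user directory ends up under one consistent policy, which is the point the paragraph makes.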
The SiteMinder Authentication Service invokes SmAPS each time that a user attempts to authenticate, whether the authentication is successful or not. The purpose is to detect certain events that might occur, such as password expiration, and to act upon them.
SmAPS will log operational and informational messages to the SiteMinder Authentication Server Console Log. The information written to this log is often useful to understand and determine the activities being performed by APS.
SmAPS also supports a special extension library called SmAPSLog that can be used to customize and extend the logging capabilities of APS. The SmAPSLog library is supplied with APS in source code.
LDAP and Windows NT Domain directories support password policies of their own, whereas ODBC directories do not. It is important that these native policies either be disabled in the underlying directory or be configured less strictly than the ones set within APS. The Directory Service Provider performs its own lifetime tests before APS has a chance to perform its tests. If the provider rejects the login, SiteMinder and APS do not learn why it was rejected, so the configured actions (mail, redirection) are never taken and the APS failure counter is not maintained.
APS handles not only passwords, but user account enablement/disablement as well. A Help Desk tool, called APSAdmin, is supplied with APS starting at version 4 (it replaces an earlier command line utility called SmBlob).
APSAdmin is a fully configurable web-based interface that can be used by Help Desk (and QA) users to maintain user entries in your User Directories. APSAdmin does not support Windows Domain Directories.
APSAdmin can be used as a stand-alone utility or can be integrated into an existing Help Desk system. While the interface is very flexible and its look and feel can be heavily customized, some sites may wish to implement its functionality themselves. Such code can call the APSAdmin functions of the APS Application Programming Interface (API). These functions transfer XML data between the caller and APS.
APS can force users to change their passwords on a periodic basis and can force these passwords to be more complex than simple words. This is recommended for site security. However, it sometimes creates difficulties for users because they cannot necessarily use easy-to-remember passwords and they must change their passwords regularly. Thus, users will forget their passwords (and sometimes their login id!).
Most sites create some sort of Customer or User Help Desk. After some time, they realize that Help Desk Representatives spend much of their time resetting users’ passwords that have been forgotten.
APS includes a solution to this problem called Forgotten Password Services (FPS). FPS provides a highly customizable mechanism for users to reset their own passwords without human intervention.
FPS is an engine that drives the password recovery process. It presents no HTML screens itself (except as a result of a communications error). However, it drives the presentation of site-written forms, processing user input and determining the next page to be presented. It handles all User Directory access and provides a high level of security within the process logic. Sample forms, both in ASP and JSP, are provided with the APS package.
Forgotten password recovery, as a process, is probably the least secure part of your site. Forgotten Password Services (FPS) tries to provide the capability in as secure a manner as possible. By using the FPS capabilities of APS, you can take advantage of the paranoia and experience of all of the other FPS users, rather than discovering the various gotchas and security holes on your own.
FPS is very flexible. Sites can use any or all of its features to control the security of the process.
For the most part, FPS itself only displays catastrophic error messages. All other displays are generated by site-supplied code. FPS primarily acts as a "traffic cop", directing the user from one page to another, based on user input.
The business logic for FPS runs in the SiteMinder Authentication Service process as part of APS. There are no additional modules to buy. A CGI stub, called Forgot (Forgot.exe on Windows), runs on the Web Server to act as a client on behalf of the user.
FPS is configured, once again behind the firewall, with knowledge of how to speak with the User Directory, how to search it, the names of pages (in the DMZ) that it can use to communicate with the user, and information about those pages.
At this time, the FPS component of APS only supports LDAP and ODBC directories.
Rogue users will attack your site. If you have anything of value on your site, somebody will want to get to it. Some rogue users do not even need that reason to hack a site; they will do it just to try.
Once such a user has targeted your site, they will look for weaknesses in the security. One of the first points of attack is that little button (or link) that says, "Forgot your password?"
APS includes three different Application Programming Interfaces (APIs).
APS includes templates and interfaces for the Delegated Management Services (DMS) product line. Sites can create custom self-registration, user self-service profile management and delegated user administration systems that communicate with APS to enforce password policies, manage forgotten password options and control user account enabling/disabling.
Copyright © 2014 CA.
All rights reserved.