Passwords are the earliest and most common security and user verification mechanism; password cracking is the most common security hazard. The careless use and maintenance of passwords represents the greatest threat to the security of a network.
SiteMinder is designed to protect resources on your network, on the Internet, and on corporate intra- and extranets. SiteMinder authenticates users by interfacing to one or more user directories or Directory Services. SiteMinder can authenticate users stored in Windows NT Domains, LDAP-based directories (such as iPlanet’s Directory Server), and several external relational databases. Interfaces to new Directory Service Providers are always under development, so you should contact your CA sales representative for support for other Directory Providers.
Passwords are stored in each directory, associated with each user. Most Directory Service Providers can enforce limitations on the content of passwords (password content policies) and can control the lifetime of passwords (password lifetime policies) and user accounts (account lifetime policies) to varying degrees. These controls are collectively called password policies.
Policies implemented by Directory Services Providers do not always fulfill a site's security requirements and using more than one directory service can create inconsistencies between directories. This can cause administrative headaches.
CA offers a SiteMinder add-on module to help administrators implement and enforce robust, consistent, flexible, and comprehensive password policies across multiple directories: Advanced Password Services (or APS).
This component can greatly enhance your web site’s security by forcing your users to conform to administrator-defined rules for what a password should consist of and to control when, how, and how often a password must be changed.
SiteMinder Version 4.1 (and later) provides a feature called Password Services. This functionality is based on early versions of APS and contains some of the basic functions provided by those earlier versions. Advanced Password Services provides considerable additional functionality, plus the ability to extend this functionality for your site.
This section contains the following topics:
SiteMinder (Basic) Password Services & Advanced Password Services
SiteMinder invokes Advanced Password Services (APS) as each user attempts to login (authenticate), whether the login is valid or not. If the Directory Service and SiteMinder have determined that the user has successfully identified itself, APS is given the opportunity to do a final check. At that time, APS can determine that the password has expired or will expire shortly and whether the user has been inactive for too long.
If the user has failed to authenticate because an invalid password has been supplied, APS increments a counter associated with the user. Once this counter exceeds an administrator-supplied value, the user account can be disabled automatically.
APS can detect many such situations or events. Once APS has detected one of these events, it can take any of a number of actions, all configurable by the Administrator.
Many events may actually cause the user account to become disabled.
APS can automatically send email to users and/or administrators identifying that an event has occurred. Either the current on-line user can be redirected to another web page or a message can be displayed. All of this is under the full control of the Administrator.
APS can alert users and/or site administrators, via email notification, of any potential security breaches to their accounts and/or web sites. These breaches could be hackers attempting to access a valid user's account or a disabled (invalidated) user account attempting to gain access to a protected resource.
It is not uncommon for sites to configure APS to continue to send email when it detects ongoing attacks against an account. Typically, this mail is sent through an SMTP pager gateway (not supplied) to notify a site’s security administrators, in real time, that an ongoing attack is taking place.
By limiting the amount of idle time that can elapse before invalidating a user, administrators can prevent inactive users from becoming back-door logins to your system. For example, if a customer’s employee leaves the job, the employee’s account will retire immediately, before it can be used for mischief.
APS can also prevent hackers from gaining access via password-cracking tools by limiting the number of consecutive failed login attempts. At a predetermined number of consecutive failures, the accessed account will be disabled and the user (and/or administrator) notified by email.
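The strike counter, automatic reset after a quiet period, Help Desk reset and continuing-attack notification described above, as an added example (not APS code; the state fields, event names and thresholds are constructed for illustration):

```python
from dataclasses import dataclass

# Constructed per-account record; APS keeps equivalent counters in the user's
# directory entry (compare "Failures since last login" in the feature table).
@dataclass
class AccountState:
    failures: int = 0           # consecutive failed logins (the "strikes")
    last_failure: float = 0.0   # time of the latest failure, epoch seconds
    disabled: bool = False
    disabled_reason: str = ""

@dataclass
class StrikePolicy:
    max_strikes: int = 5        # "n"-strikes, you're out
    reset_after: float = 900.0  # automatic reset: strikes older than this are forgotten
    notify_every: int = 3       # while disabled, re-notify the admin every N attempts

def record_login(state, password_ok, now, policy):
    """Apply one login attempt to the account and return the events raised.
    Event names are constructed for this example, not APS event names."""
    events = []
    if state.disabled:
        # Attempts against a disabled account: the "continuing attack" case where
        # the site keeps mailing its security administrators (e.g. a pager gateway).
        state.failures += 1
        if (state.failures - policy.max_strikes) % policy.notify_every == 0:
            events.append("notify_admin_continuing_attack")
        return events
    if password_ok:
        state.failures = 0      # a successful login clears the counter
        return events
    if state.failures and now - state.last_failure > policy.reset_after:
        state.failures = 0      # automatic reset after time: stale strikes are dropped
    state.failures += 1
    state.last_failure = now
    if state.failures >= policy.max_strikes:
        state.disabled = True
        state.disabled_reason = "consecutive failed logins reached the limit"
        events += ["disable_account", "notify_user", "notify_admin"]
    return events

def manual_reset(state):
    """Help Desk reset (the kind of operation APSAdmin offers): re-enable and clear strikes."""
    state.failures = 0
    state.disabled = False
    state.disabled_reason = ""
```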
Advanced Password Services capabilities can be broken out into several functional areas:
Advanced Password Services allows users to change their own passwords according to a comprehensive, flexible password content policy or rules. As with the rest of APS, this service is highly configurable by the site administrator.
The interface used to enter password changes is easily configurable by an HTML programmer. A simple, but complete, interface is provided with APS and limited branding may be performed without programmer intervention.
For those sites desiring more comprehensive integration, a full Application Programming Interface (API) is provided for password validation and change.
The administrator can create the password policy, or rules, that a new password must pass before a user may use it. These rules include:
Using this service, administrators can impose limitations on newly entered passwords, regardless of which Directory Service the user is stored in. A consistent password security policy makes it considerably more difficult to break into a system using a password-cracking program.
By limiting the types of passwords that can be used (e.g., at least eight characters in any combination of letters and numbers, eliminating all entries in a dictionary, etc.), site security can be greatly enhanced.
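A password content policy of the kind described above, as an added example (not APS code). The rule names follow the rows of the feature comparison table later on this page (Minimum Length, Maximum Repeat, Minimum Type Combinations, Regular Expression Forbid, Require Percentage Change, Prevent use of Profile Values); the thresholds, the percentage-change metric and the repeat-run interpretation are constructed assumptions, not APS defaults:

```python
import re
from dataclasses import dataclass, field

# Constructed policy; rule names mirror rows of the APS feature table
# (Minimum Length, Minimum Digits, Maximum Repeat, Minimum Type Combinations,
# Regular Expression Forbid, Require Percentage Change, Prevent use of
# Profile Values). Thresholds are illustrative, not APS defaults.
@dataclass
class PasswordPolicy:
    min_length: int = 8
    max_length: int = 64
    min_counts: dict = field(default_factory=lambda: {"upper": 1, "lower": 1, "digit": 1})
    min_type_combinations: int = 3     # of the classes upper/lower/digit/punct
    max_repeat: int = 2                # longest allowed run of one character
    forbid_regex: str = r"(?i)password|qwerty|1234"
    min_percent_change: int = 50       # compared with the previous password
    min_profile_word_len: int = 4      # shorter profile words are ignored

# Character classes counted by the policy
CLASSES = {"upper": str.isupper, "lower": str.islower, "digit": str.isdigit,
           "punct": lambda c: not c.isalnum() and not c.isspace()}

def percent_changed(old, new):
    """Percentage of positions at which the new password differs from the old
    one (a constructed metric; the APS 'percentage change' rule may differ)."""
    if not old:
        return 100
    same = sum(a == b for a, b in zip(old, new))
    return 100 - 100 * same // max(len(old), len(new))

def check_password(pw, policy, old_pw="", profile=None):
    """Return the names of every rule the candidate violates; [] means accepted."""
    counts = {name: sum(map(test, pw)) for name, test in CLASSES.items()}
    bad = [name for name, need in policy.min_counts.items() if counts[name] < need]
    if not policy.min_length <= len(pw) <= policy.max_length:
        bad.append("length")
    if sum(n > 0 for n in counts.values()) < policy.min_type_combinations:
        bad.append("type_combinations")
    if re.search(r"(.)\1{%d,}" % policy.max_repeat, pw):   # run longer than allowed
        bad.append("repeat")
    if re.search(policy.forbid_regex, pw):
        bad.append("forbidden_pattern")
    if percent_changed(old_pw, pw) < policy.min_percent_change:
        bad.append("too_similar_to_old")
    # Prevent use of Profile Values: words taken from the user's directory entry
    words = {w.lower() for v in (profile or {}).values()
             for w in re.findall(r"[A-Za-z0-9]+", str(v))
             if len(w) >= policy.min_profile_word_len}
    if any(w in pw.lower() for w in words):
        bad.append("profile_value")
    return sorted(bad)
```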
The SiteMinder Authentication Service invokes SmAPS each time that a user attempts to authenticate, whether the authentication is successful or not. The purpose is to detect certain events that might occur, such as password expiration, and to act upon them.
SmAPS will log operational and informational messages to the SiteMinder Authentication Server Console Log. The information written to this log is often useful to understand and determine the activities being performed by APS.
SmAPS also supports a special extension library called SmAPSLog that can be used to customize and extend the logging capabilities of APS. The SmAPSLog library is supplied with APS in source code.
LDAP and Windows NT Domain directories support password policies of their own, whereas ODBC directories do not. It is important that these functions either be disabled in the underlying directory or that their settings be less strict than the ones set within APS, because the Directory Service Provider performs its lifetime tests before APS has a chance to perform its own. If the provider rejects the login, SiteMinder and APS will not know why the login was rejected and the configured actions (mail, redirection) will not be taken.
APS handles not only passwords, but user account enablement/disablement as well. A Help Desk tool, called APSAdmin, is supplied with APS starting at version 4 (it replaces an earlier command line utility called SmBlob).
APSAdmin is a fully configurable web-based interface that can be used by Help Desk (and QA) users to maintain user entries in your User Directories. APSAdmin does not support Windows Domain Directories.
APSAdmin can be used as a stand-alone utility or can be integrated into an existing Help Desk system. While the interface is very flexible and its look and feel can be heavily customized, some sites may wish to implement its functionality themselves. Such code can call the APSAdmin functions of the APS Application Programming Interface (API). These functions transfer XML data between the caller and APS.
APS can force users to change their passwords on a periodic basis and can force these passwords to be more complex than simple words. This is recommended for site security. However, it sometimes creates difficulties for users because they cannot necessarily use easy-to-remember passwords and they must change their passwords regularly. Thus, users will forget their passwords (and sometimes their login id!).
Most sites create some sort of Customer or User Help Desk. After some time, they realize that Help Desk Representatives spend much of their time resetting users’ passwords that have been forgotten.
APS includes a solution to this problem called Forgotten Password Services (FPS). FPS provides a highly customizable mechanism for users to reset their own passwords without human intervention.
FPS is an engine that drives the password recovery process. It presents no HTML screens itself (except as a result of a communications error). However, it drives the presentation of site-written forms, processing user input and determining the next page to be presented. It handles all User Directory access and provides a high level of security within the process logic. Sample forms, both in ASP and JSP, are provided with the APS package.
Forgotten password recovery, as a process, is probably the most insecure part of your site. Forgotten Password Services (FPS) tries to provide the capability in as secure a manner as possible. By using the FPS capabilities of APS, you can take advantage of the paranoia and experience of all of the other FPS users, rather than discovering the various gotchas and security holes on your own.
FPS is very flexible. Sites can use any or all of its features to control the security of the process.
For the most part, FPS itself only displays catastrophic error messages. All other displays are generated by site-supplied code. FPS primarily acts as a "traffic cop", directing the user from one page to another, based on user input.
The business logic for FPS runs in the SiteMinder Authentication Service process as part of APS. There are no additional modules to buy. A CGI stub, called Forgot (Forgot.exe on Windows), runs on the Web Server to act as a client on behalf of the user.
FPS is configured, once again behind the firewall, with knowledge of how to speak with the User Directory, how to search it, the names of pages (in the DMZ) that it can use to communicate with the user, and information about those pages.
At this time, the FPS component of APS only supports LDAP and ODBC directories.
Rogue users will attack your site. If you have anything of value on your site, somebody will want to get to it. Some rogue users do not even need that reason to hack a site; they will do it just to try.
Once such a user has targeted your site, they will look for weaknesses in the security. One of the first points of attack is that little button (or link) that says, "Forgot your password?"
APS includes three different Application Programming Interfaces (APIs).
APS includes templates and interfaces for Delegated Management Services (DMS) product line. Sites can create custom self-registration, user self-service profile management and delegated user administration systems that communicate with APS to enforce password policies, manage forgotten password options and control user account enabling/disabling.
Starting with Version 4.1, SiteMinder included Password Services. The functionality included is essentially a subset (with a few extensions) of the Advanced Password Services Version 1.1 functionality. Compared to APS Version 1.1, PS adds policies based on the user’s location in the Directory and removes email support and support for Windows NT user directories.
Not every site requires Advanced Password Services. For some sites, the functionality provided by Password Services is sufficient.
It should be noted that there are no utilities for converting data from PS to APS or vice versa. Each system stores its information separately; they cannot access each other’s data.
The following table compares the features of PS with this version of APS. Check with your CA Representative for current comparisons.
| Feature | Basic PS (v6.0) | APS (v5.5) | Comment |
|---|---|---|---|
| **Password format control** | | | |
| Minimum Length | Yes | Yes | |
| Maximum Length | Yes | Yes | |
| Minimum Letters | Yes | Yes | |
| Minimum Uppercase Letters | Yes | Yes | |
| Minimum Lowercase Letters | Yes | Yes | |
| Minimum Digits | Yes | Yes | |
| Minimum Alphanumeric | Yes | Yes | |
| Minimum Punctuation | Yes | Yes | |
| Minimum Symbols | No | Yes | |
| Minimum non-alphanumeric | Yes | Yes | |
| Maximum Repeat | Yes | Yes | |
| Minimum Type Combinations | No | Yes | |
| Complexity Thresholds | No | Yes | |
| Forced case (case-insensitivity) | Yes | Yes | |
| Regular Expression Match | Yes | Yes | |
| Regular Expression Forbid | Yes | Yes | |
| Allowed Characters List | No | Yes | |
| Disallowed Characters List | No | Yes | |
| Reuse Timer | Yes | Yes | |
| Reuse Counter | Yes | Yes | |
| Require Percentage Change | Yes | Yes | |
| Prevent use of Profile Values | Yes | Yes | APS can parse words in the profile and exclude specific attributes |
| **Directory Support** (see the CA Support Site for specific vendors & versions) | | | |
| LDAP Consumers | Yes | Yes | |
| Access to all values | No | Yes | Except password history |
| Requires Schema mods | No | Yes | |
| Exclude Accounts from Processing | No | Yes | |
| **Event Handling** | | | |
| Number of Unique Events | 1 | 7+ | APS can selectively trap events |
| Redirect user | Yes | Yes | |
| Macro substitution into URL | No | Yes | Attribute substitution as well |
| Vary URL by realm/user | No | Yes | |
| Send Mail | No | Yes | |
| Macro substitution into Mail | N/A | Yes | Attribute substitution as well |
| Notify of Password Change | N/A | Yes | |
| **Password Expiration** | | | |
| Warning before expiration | Yes | Yes | APS can send warning without requiring a user login |
| Password Expires | Yes | Yes | |
| Grace period after expiration | No | Yes | |
| Grace logins after expiration | No | Yes | |
| Per-user overrides of period | No | Yes | |
| **Account Expiration** | | | |
| Disable at login | Yes | Yes | |
| Warn days before disabling | No | Yes | |
| Disable upon expiration | No | Yes | |
| Disable at specific date/time | No | Yes | |
| Disable if no login by date/time | No | Yes | |
| Disable until specified date/time | No | Yes | |
| Per-user overrides of period | No | Yes | |
| Report when eligible for purge | No | Yes | |
| Arbitrary Account Disable | No | Yes | With custom reason codes |
| **"n"-strikes, you’re out processing** | | | |
| Configurable number of strikes | Yes | Yes | |
| Works with LDAP outage | No | Yes | |
| Automatic reset after time | Yes | Yes | |
| Manual reset | Yes | Yes | |
| Permanently disable account | Yes | Yes | Optional in both cases |
| Notify Administrator | No | Yes | Via email event/pager interface |
| Notify Administrator of continuing attack | No | Yes | Via email event/pager interface |
| **Configuration** | | | |
| By location in LDAP DIT | Yes | Yes | |
| By arbitrary expression | Limited | Full | |
| Policies stored in | Policy Store | Flat File | |
| Simple Policy Configuration | Yes | Yes | |
| Cascading Policies | Yes | Yes | |
| Easy migration of configuration information between environments | No | Yes | Meaning promotion from DEV to QA to Production environments by separating environment-specific settings from configuration settings into separate files. |
| **Password Change Forms** | | | |
| Languages supported | Limited | Any | |
| Internationalized messages | No | Yes | |
| Customized messages | No | Yes | |
| User-initiated password change | Yes | Yes | |
| Redirect on error | No | Yes | |
| **Administrator Interface** | | | |
| Supports all product features | No | Yes | |
| Limit access to subsets of users | No | Yes | |
| Audited | Yes | Yes | |
| Can be externally accessible | No | Yes | |
| Can add custom attributes | No | Yes | |
| Attribute access by user | No | Yes | |
| Look & Feel configurable | No | Yes | By user, if desired |
| Can be tied into existing apps | No | Yes | |
| **Tools Supplied** | | | |
| Set Force Change Flag | Yes | Yes | |
| Command line change password | No | Yes | |
| Other tools | None | 7 | |
| **Per User Usage Statistics** | | | |
| Available in responses | Limited | Yes | |
| Last Login Date | Available in responses | Yes | Includes IP address |
| Previous Login Date | Available in responses | Yes | Optional. Includes IP address |
| Last Password Change Date | No | Yes | |
| Last Failure Date | No | Yes | Optional. Includes IP address |
| Login History | No | Yes | Optional. Includes IP address |
| Failures since last login | No | Yes | Optional. Includes IP address |
| Failures since previous login | No | Yes | Optional. Includes IP address |
| Max failures between logins | No | Yes | Optional |
| Total Logins | No | Yes | Optional |
| Total Failures | No | Yes | Optional |
| Forgotten Password Usage | No | Yes | Optional |
| **Forgotten Password Support** | | | |
| Included with package | No | Yes | |
| User-selected password | N/A | Yes | |
| Automatically login at end | N/A | Yes | |
| Lockout with Counter | N/A | Yes | |
| Sample Forms | N/A | Yes | |
| Consumable questions | N/A | Yes | |
| One-use passwords | N/A | Yes | |
| Secure new password delivery | N/A | Yes | |
| Encrypted/hashed answers | N/A | Yes | |
| Sample forms provided | N/A | asp/jsp | |
| **SiteMinder Integration** | | | |
| Policy Server different from Web Agent’s Policy Server | No | Yes | |
| Failover Policy Servers | Yes | Yes | |
| Round-robin Policy Servers | Yes | Yes | |
| Configured through Policy GUI | Yes | No | |
| Integrates with DMS2 | Yes | Yes | |
| Application Programming Interface | Limited | Yes | |
| **Miscellaneous** | | | |
| Custom Logging | No | Yes | Source provided |
| Custom Extensions | No | Yes | |
| Disabled groups | No | Yes | |
| Redirect at first/next login | No | Yes | |
| Message of the Day Service | No | Yes | |
Copyright © 2013 CA.
All rights reserved.