How to Configure Access Director

Presentation Description

Access Director is a simple and intuitive way to remove local administrative privileged access management with Admin by Request. Stay in control with Access Information Management. An alternative to Admin By Request.

Presentation Transcript

How to Configure Access Director:

Configuring Access Director using Group Policy:

Group Policy tools use Administrative template files to populate policy settings in the user interface. This allows administrators to manage registry-based policy settings. This download includes the Administrative templates released for Windows Server 2012 R2, in the following languages: en-US English - United States

Basic-bytes.com Access Director wwwBasicBytescom Basic_Bytes basic-bytes

Supported Operating System:

Windows 7 32-bit and 64-bit Editions
Windows 8 32-bit and 64-bit Editions
Windows 8.1 32-bit and 64-bit Editions
Windows 10 32-bit and 64-bit Editions
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016

Importing Access Director administrative template files:

To import an ADMX file, copy the ADMX and ADML files to the C:\Windows\PolicyDefinitions folder on the machine performing the group policy object editing. If you're using a central store, copy the ADMX and ADML files to the folder SYSVOL\<domain>\policies\PolicyDefinitions\

Group Policy Settings:

Standard Settings:

Contains settings to control the behavior of Access Director.

Enable Local Security Group:

If you enable this policy setting, Access Director will validate whether the current user is a member of the defined group. If you enable this policy setting and the local security group does not exist or the user is not a member, Access Director will restrict the user from assigning privileges. The user is required to be a direct member, as the service does not resolve local group or domain group membership. If you disable or do not configure this setting, Access Director does not validate against a Local Security Group, allowing the current user to assign privileges.
Scope: Machine
Value: Group name
Default Value: Access Director

Set time-span for assigning privileges:

This policy setting sets the time-span for users to gain administrative privileges. If you enable this setting, the time-span can be from one to 60 minutes. If you disable or do not configure this setting, Access Director will use the default value.
Scope: Machine
Value: 1 minute, 2 minutes, 5 minutes, 10 minutes, 15 minutes, 20 minutes, 30 minutes, 1 hour
Default Value: 2 minutes

Set User Name Presentation:

This policy setting sets the presentation of the user name for the Access Director tray icon. If you enable this policy setting, the user name can be set as Username, Full name or Domain\Username. If you disable or do not configure this policy setting, Access Director will use existing settings.
Scope: Machine
Value: 1: User name, 2: Full name, 3: Domain\User name
Default Value: 2: Full name

Active Directory:

Contains settings to control the behaviour of Active Directory settings.

Active Directory Refresh:

To specify the Active Directory refresh interval, click Enabled and then enter a value. The value that you specify is the number of minutes to use for the Active Directory refresh interval. For example, 60 minutes is 1 hour.
Note: Setting has no effect if the “Active Directory Integration” setting is disabled or not configured.
Scope: Machine
Value: 60 (default)
Default Value: Not configured

Active Directory Cache:

If you enable this policy setting, renewing cached information is required within the specified renewal interval. If cached information fails to validate within the renewal interval, Access Director will deny assigning privileges. To specify the cache renewal interval, click Enabled and then enter a value. The value that you specify is the number of days to use for the cache renewal interval.
Note: Setting has no effect if the “Active Directory Integration” setting is disabled or not configured.
Scope: Machine
Value: 1 day, 2 days, 3 days, 4 days, 5 days, 6 days, 1 week, 2 weeks
Default Value: Not configured

Active Directory Integration:

If you enable this policy setting, Access Director will be able to integrate with Active Directory to validate the assigning of privileges. If you enable this policy setting, the computer must be domain-joined.
Scope: Machine
Value: None
Default Value: Not configured

Set Active Directory Group:

If you enable this policy setting, Access Director will attempt to validate assignment requests using Active Directory integration. If the group is not available, Access Director will use cached information.
Note: Setting has no effect if the “Active Directory Integration” setting is disabled or not configured.
Scope: Machine
Value: Privileged Users (default)
Default Value: Not configured

Advanced Settings:

Contains settings to control advanced settings for Access Director.

Assign privileges at login:

If you enable this policy setting, Access Director will assign privileges to the users at login. The users are then not required to use the tray icon to assign privileges, and the user has privileges assigned during the whole login period. If you disable or do not configure this policy setting, the users are required to use the tray icon to assign privileges.
Scope: Machine
Value: None
Default Value: Not configured

Enable Resuscitate:

If you enable this policy setting, you can specify whether Access Director will preserve local administrator membership during logoff/restart/shutdown (not recommended). If you disable or do not configure this policy setting, Access Director will remove the user from the local administrator group during an active time-span.
Scope: Machine
Value: 1: Preserve elevation during logout/login, 2: Preserve elevation during restart/shutdown, 3: Preserve elevation for all.
Default Value: Not configured

Enable user configuration:

If you enable this policy setting, end users can be given access to configure settings. Settings available: Allow Basis configuration (Assignment time, Identity), Allow Advanced configuration (AssignAtLogin (disable timer)), Allow Resuscitate configuration (Hidden from configuration window). If you disable or do not configure this policy setting, end users do not have access to configure settings.
Scope: Machine
Value: 1: Allow Basis configuration, 2: Allow Advanced configuration, 3: Allow Resuscitate configuration
Default Value: Not configured

Enable Verbose Logging:

If you enable this policy setting, Access Director will do verbose logging to %TEMP%\AccessDirector.log. If you disable or do not configure this policy setting, Access Director will maintain standard logging.
Scope: Machine
Value: None
Default Value: Not configured

Audit Settings:

Contains settings to control the behavior of Access Director Audit settings.

Audit Logging:

If you enable this policy setting, the Access Director activity is logged in plain text in the audit log placed in %TEMP%\. If you disable or do not configure this policy setting, Access Director does not maintain an audit log.
Scope: Machine
Value: None
Default Value: Not configured

Audit Elevated Files:

If you enable this policy setting, the Access Director file activity is logged in plain text in the audit log placed in %TEMP%\. If you disable or do not configure this policy setting, Access Director does not maintain an audit log.
Scope: Machine
Value: None
Default Value: Not configured

Enable reason for assigning privileges prompt:

This policy setting allows you to specify whether Access Director will show the ‘reason for Assigning Privileges’ prompt as part of the assignment process. If you disable or do not configure this setting, the ‘reason for Assigning Privileges’ prompt is not active.
Note: Setting has no effect if the “Audit Logging” setting is disabled or not configured.
Scope: Machine
Value: None
Default Value: Not configured

Set Audit Refresh Interval:

To specify the Audit refresh interval, click Enabled and then enter a value. The value that you specify is the number of minutes to use for the Connector refresh interval. For example, 60 minutes is 1 hour.
Scope: Machine
Value: None
Default Value: Not configured

Set Audit URL:

If you enable this policy setting, Access Director will upload the audit logs to the defined URL. A properly crafted web service must be available and you have to specify the Audit URL. If you disable or do not configure this policy setting, audit logs are not collected.
Note: Setting has no effect if the “Audit Logging” setting is disabled or not configured.
Scope: Machine
Value: http://<servername>/upload.php
Default Value: Not configured

Localization Settings:

Contains settings to control balloon language behavior.

Enable Preferred UI Language:

If you enable this policy setting, Access Director will use the selected ‘UI language’. If you disable or do not configure this setting, ‘UI language’ will use Windows Display Language as reference.
Note: If you configure a language and no applicable .LNG file is present, Access Director ‘UI language’ will default to English.
Scope: Machine
Value: Arabic, Bulgarian, Croatian, Czech, Danish, Dutch, English (default), Estonian, Finnish, French, German, Greek, Hebrew, Hungarian, Italian, Japanese, Korean, Latvian, Lithuanian, Norwegian, Polish, Portuguese (Brazil), Portuguese (Portugal), Romanian, Russian, Serbian (Latin), Simplified Chinese, Slovak, Slovenian, Spanish, Swedish, Thai, Traditional Chinese (Hong Kong), Traditional Chinese (Taiwan), Turkish, Ukrainian
Default Value: Not configured

Enable Preferred UI Reference:

If you enable this policy setting, you can specify whether the UI language follows the Windows Display Language or the defined Keyboard layout. If you disable or do not configure this setting, ‘UI language’ will use Windows Display Language as reference.
Note: If you configure a language and no applicable .LNG file is present, Access Director ‘UI language’ will default to English.
Scope: Machine
Value: Windows Display Language, Keyboard layout
Default Value: Not configured

Token Elevation:

If you enable this policy setting, users will be able to right-click the tray notification icon and request elevation using a PIN code.
Scope: Machine
Value: 1
Default Value: Not configured

Shared Token:

When token elevation is enabled, the encrypted shared key must reside in the SharedToken data field.
Scope: Machine
Value: 1
Default Value: Not configured

Configure Access Director using the Registry:

If a registry entry must be created or modified to correctly configure the product, you can edit the entry directly using the registry editor Regedit.exe. Do not edit the registry unless you have no alternative. The registry editor bypasses standard safeguards, allowing settings that can damage your system, or even require you to reinstall Windows. If you must edit the registry, back it up first and see the registry reference.

To Create a New Registry Entry by Using the Registry Editor:

1. In the Run dialog box, type regedit, and then click OK.
2. In the registry editor, navigate to the key or subkey under which you wish to add an entry and select the name of the key or subkey by clicking on it.
3. On the Edit menu, point to New and then click the data type for the entry, such as String Value, Binary Value, or DWORD Value.
4. In the details pane, type the name of the registry entry, and then press ENTER to create the entry.
5. To assign a value to the registry entry, right-click the entry and then click Modify. If the entry has been defined as Binary Value, click Modify Binary Data instead.
6. In the Edit Value Type Value dialog box, type an appropriate value in the Value data text box.
7. Type or select the value of other options, such as the base (hexadecimal or decimal) for DWORD values, and then click OK.

Registry Options in Alphabetic Order:

AccessGroup Type: REG_SZ
AccessPeriod Type: REG_DWORD
ActiveDirectory Type: REG_SZ
ActiveDirectoryCache Type: REG_SZ
ActiveDirectoryGroup Type: REG_SZ
ActiveDirectoryRefresh Type: REG_SZ
Audit Type: REG_DWORD
AuditElevatedFiles Type: REG_DWORD
AuditRFE Type: REG_DWORD
SharedToken Type: REG_SZ
TokenElevation Type: REG_SZ
WebAduitInterval Type: REG_DWORD
AuditURL Type: REG_SZ
ConnecterRefresh Type: REG_DWORD
Connector Type: REG_DWORD
ConnectorURL Type: REG_SZ
ElevateAtLogin Type: REG_DWORD
Identity Type: REG_DWORD
Language Type: REG_SZ
PreferredUIReference Type: REG_SZ
Resuscitate Type: REG_DWORD
UserConfig Type: REG_DWORD
VerboseLogging Type: REG_DWORD

Default Registry Configuration:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Basic Bytes\Access Director

Name                Type       Data
AccessPeriod        REG_DWORD  120
Audit               REG_DWORD  1
AuditElevatedFiles  REG_DWORD  1
AuditPrograms       REG_DWORD  1
AuditRefresh        REG_DWORD  3600
AuditRFE            REG_DWORD  1
AuditURL            REG_SZ     http://accessdirector
Language            REG_SZ     Auto
VerboseLogging      REG_DWORD  1

Configuring PIN Elevation:

The use of PIN codes can be combined with the normal elevation process or with Active Directory Integration. PIN code elevation can also work as the sole way of elevation.

Registry requirements:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Basic Bytes\Access Director

Name            Type    Data
TokenElevation  REG_SZ  1
SharedToken     REG_SZ  {ENCRYPTED SHARED TOKEN}
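The registry values documented above can be reviewed with a short PowerShell script. This is an added example, not code from Basic Bytes or the original presentation; the function names, the seconds unit for AccessPeriod, and reading a non-zero Resuscitate or ElevateAtLogin value as "enabled" are assumptions.

```powershell
# Added example (not Basic Bytes code): flag Access Director policy values that
# conflict with the documented settings.
# Assumptions: AccessPeriod is stored in seconds (default 120 = 2 minutes), and a
# non-zero Resuscitate or ElevateAtLogin DWORD means that policy is enabled.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Basic Bytes\Access Director'

function Get-AccessDirectorPolicy {
    # Read every value under the policy key into a hashtable (empty if no key).
    $values = @{}
    $key = Get-Item -LiteralPath $PolicyPath -ErrorAction SilentlyContinue
    if ($key) {
        foreach ($name in $key.GetValueNames()) { $values[$name] = $key.GetValue($name) }
    }
    $values
}

function Test-AccessDirectorPolicy {
    param([hashtable]$Values = @{})
    # Documented time-span range is 1 to 60 minutes.
    $period = $Values['AccessPeriod']
    if ($null -ne $period -and ($period -lt 60 -or $period -gt 3600)) {
        "AccessPeriod=$period is outside the documented 1 to 60 minute range"
    }
    # Preserving admin membership across logoff/restart is marked 'not recommended'.
    if ($Values['Resuscitate']) {
        "Resuscitate=$($Values['Resuscitate']) preserves local administrator membership"
    }
    # Assign-at-login keeps privileges for the whole session and disables the timer.
    if ($Values['ElevateAtLogin']) {
        'ElevateAtLogin is set: privileges stay assigned for the whole login period'
    }
    # Audit URL and the reason prompt have no effect without Audit Logging.
    if ($Values['Audit'] -ne 1) {
        'Audit is not enabled: no audit log is kept and AuditURL has no effect'
    } elseif ($Values['AuditURL'] -like 'http://*') {
        "AuditURL=$($Values['AuditURL']) uploads audit logs over plain HTTP"
    }
    # Token elevation requires the encrypted shared key in SharedToken.
    if ($Values['TokenElevation'] -eq '1' -and
        [string]::IsNullOrWhiteSpace($Values['SharedToken'])) {
        'TokenElevation=1 but SharedToken is empty'
    }
}

# Constructed sample values (not from a real machine).
$sample = @{ AccessPeriod = 7200; Audit = 1; AuditURL = 'http://accessdirector'
             Resuscitate = 3; TokenElevation = '1' }
Test-AccessDirectorPolicy -Values $sample
# On a managed client: Test-AccessDirectorPolicy -Values (Get-AccessDirectorPolicy)
```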

To generate the encrypted shared token:

1. Open the OTP Key Application.
2. Click Advanced.
3. Insert a random 16 digit string.
   a. Can be generated from https://www.random.ord/strings or any other random string generator.
4. Click Enter.
5. Copy the Shared Key and Encrypted Shared Key.
6. Click Close.
7. Type the Shared Key in the OTP Key Application.
8. Click Check.
9. Save the Encrypted Shared Key to the registry location SharedToken.
   a. Client restart is not required.

When a user requests privileges by right-clicking on the Access Director icon in the tray notification area, a PIN Verification prompt is shown. The user code must be entered into the OTP Key Application by the service desk or an automated framework. A response key (Generated Code) will be available and should be given to the user.

Known issues:

Group Policy:
UAC deny – set by Microsoft Policy
Restricted Groups might remove user from Admin group
User member of Local/Domain/Nested groups that grants access for interactive users

Contact Details:

Company: Basic Bytes
Address: Humlevej 20, 8543 Hornslet Denmark
Phone: +45 81818481
Email: info@Basic-Bytes.com
Website: https://basic-bytes.com/
Download Access Director: Access Director

Thank You:

Thank You
