secureauth health analyzer vam best practices … 2 secureauth health analyzer vam best practices...

Health Analyzer VAM Best Practices Guide

Copyright Information

2017. SecureAuth© is a copyright of SecureAuth Corporation. SecureAuth’s IdP software, appliances, and other products and solutions, are copyrighted products of SecureAuth Corporation.

Version 2.1

March, 2017

For information on supporting this module, contact your SecureAuth sales representative:

Email: [email protected]

Phone: +1.949.777.6959 or +1-866- 859-1526

Website: https://www.secureauth.com/Support.aspx

mailto:[email protected]

https://www.secureauth.com/Contact-Us.aspx

Contents

Introduction 1Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Deployment 2Deployment Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Installing the Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Running the Health Analyzer 5Interpreting the Report 8Individual Realm Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Score Calculation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Use Case 12

IntroductionThe SecureAuth Health Analyzer tests SecureAuth Realms to gather the following information and generate an HTML report based on the results. The elements tested include:

+ Average health and security score of all realms combined

+ Number of Identity Manager (IdM) Realms

+ Number of SSO Realms

+ Number of Network Realms

+ Machine Name & Host Name

+ Whether the machine is joined to a domain

+ Whether the server has an enabled firewall

+ IPv4 and Ipv6 address

This is followed by a list of all realms with a hyperlink to drill down into specifics for each realm. Each link is summarized with the title, authentication mode, purpose, and audit score. This testing applies to the IdM, SSO, and Network Realm.

Benefits+ Conducts a detailed analysis of the IdM, SSO, and network realms

+ Enables managers and installers to establish the health and current configuration of the SecureAuth deployment

+ Audits the results and provides an HTML report

Introduction 1

SecureAuth Health Analyzer VAM Best Practices Guide

DeploymentWhile there are several ways to deploy the Health Analyzer, the procedure detailed on the following pages is the approach recommended by SecureAuth.

+ Deployment Prerequisites

+ Best Practices

+ Installing the Module

+ Running the Health Analyzer

+ Interpreting the Report

Deployment PrerequisitesThe requirements for deployment of this VAM are:

+ SecureAuth IdP version 9.0.x or later

Best PracticesWhen planning for deployment, keep in mind the following best practices:

+ Make sure you download the latest deployment package from the SecureAuth website that matches your version of SecureAuth IdP. Remember: the Health Analyzer cannot interpret a version of IdP earlier than 2.0.

+ Make sure that all realms you are using have been fully configured. An incompletely configured realm will automatically register an error.

+ The computer bearing the SecureAuth IdP appliance must have a designated D: drive. The Health Analyzer expects to create a directory for its report on the computer’s D: drive. (This should not be a problem in most cases, since SecureAuth IdP normally creates a D: drive when deployed.)

+ We strongly recommend using Thread Feeds that take advantage of threat intelligence to prevent misuse of stolen credentials.

+ The Analyzer is designed to identify the ‘adaptive’ gaps in your IdP configuration. If you are not running Adaptive functionality – such as Geo-fencing, Geo-velocity, and Geo-location – you are not taking advantage of IdP’s full power or protecting your system to its maximum extent.

Most problems can be alleviated by using the Health Analyzer and examining the resulting report.

Deployment 2

SecureAuth Health Analyzer VAM Best Practices

Installing the ModuleTo configure the SecureAuth Health Analyzer installation, perform the following steps:

1. Download the SecureAuth Health Analyzer Setup.msi file from the SecureAuth site.

The file should appear in your Download folder.

2. Double-click SecureAuth Health Analyzer Setup.msi.

A Welcome screen appears like Figure 1.

FIGURE 1. Health Analyzer Setup Wizard Welcome Screen

3. Click Next.

The Select Installation Folder screen appears like Figure 2, “Select Installation Folder Screen,” on page 3.

FIGURE 2. Select Installation Folder Screen

NOTE: Only those customers with a license to use this VAM are permitted to download this product.

Deployment 3


4. Either click Next to accept the current destination folder, or select a new destination folder then click Next.

In most cases, the default destination folder should be sufficient.

The Confirm Installation Folder screen appears like Figure 2, “Select Installation Folder Screen,” on page 3.

FIGURE 3. Confirm Installation Screen

5. Click Next to start the installation.

When the installation is complete, an Installation Complete screen appears.

6. Click Finish to exit the wizard.

The Health Analyzer icon is placed on the desktop.

Proceed to the next section, “Running the Health Analyzer” on page 5.

Deployment 4


Running the Health AnalyzerTo run the Health Analyzer, perform the following procedure:

1. From desktop, double-click on SecureAuth Health Analyzer.exe icon.

The Health Analyzer is started. A screen like Figure 4 appears.

FIGURE 4. Health Analyzer Start Page

2. Click the Start button.

The Analyzer automatically detects the location of the SecureAuth IdP then inspects the existing SecureAuth IdP realms and associated files. As it works, it presents a status update like Figure 5.

FIGURE 5. Analyzer Updates

All currently configured realms are examined and analyzed in sequence, starting with Realm0 and proceeding through every created realm.

Once the analysis is finished, the ‘Tasks Complete’ message appears at the bottom of the run status list.

When the task is completed, this message appears.

Running the Health Analyzer 5


3. Once the analysis is completed, the Analyzer deposits its findings into a special Report directory on the D: drive like Figure 6.

FIGURE 6. Analyzer Report Location

The report folder is generated and placed on the D: drive.

At least four subfolders appear here. The report itself is found in the subfolder that is dated. If the analyzer is run more than once a day, only the latest report appears in this folder. If a report is run on multiple days, each report appears in its own dated folder.

4. Click on the dated subfolder you require.

Two or more files appear. One of the files will be named ‘index.html’. One or more auxiliary files bearing the name of each realm that has been inspected also appears like the example in Figure 7.

FIGURE 7. Contents of the Dated Subfolder

5. Double-click on the Index.html file.

Notice the report is placed in its own subfolder like this.

Each dated folder includes an index file like this...



The report appears in your default browser, like the example in Figure 8.

FIGURE 8. Health Analyzer Report Format

6. If required, drill down into the status of individual realms by clicking on the available realm name links.

For more on the fields in this report and their meaning, refer to “Interpreting the Report” on page 8.



Interpreting the ReportWhen you double-click on the report index.html file, a screen like Figure 9 appears.

FIGURE 9. Main Report

Interpreting the Report 8


The fields that appear on the Analyzer report include:

Field Description

Total Realms The total number of realms that have been defined for this IdP

Avg Score Average score for the realms on this IdP. For an explanation of what the score entails, refer to “Score Calculation” on page 11.

IdM Realms The total number of realms that have been defined for IdM activities

SSO Realms The total number of realms defined for SSO activities

Ntwk Realms The number of realms defined for network activities

Machine Name The name of the computer on which this IdP appliance resides

Domain Joined Indicates whether this IdP appliance is joined to a Active Directory domain (Yes) or not (No)

Firewall Enabled Indicates whether the host’s firewall has been enabled for this IdP appliance (Yes) or not (No)

Host Name The name of the host on which this IdP appliance resides. In many cases, the Host Name field and the Machine Name field are identical.

IP Addresses... The range of IP addresses assigned to the realms and components of this IdP appliance

Realm List – a list of the realms defined for this IdP appliance

# The number assigned to this realm.

Title The name assigned to this realm. This is a link to specific realm information. To drill down and view the report for this individual realm, click the link. The individual realm report appears as explained in “Individual Realm Report” on page 10.

Auth The authentication path this realm follows as defined by the IdP workflow configuration

Purpose The purpose for creating this realm

Audit Score The composite percentage the Health Analyzer has assigned to this realm. To view the elements on which this score is based, click this link and the individual realm report appears as explained in “Individual Realm Report” on page 10.

Notifications List – a list of issues the Health Analyzer encountered.

Issue A color-coded notification identifies an issue as critical, warning, recommendation, support, or information issue then describes the specific issue.

Affected Realms The realm(s) identified as affected by the issue.



Individual Realm ReportIf you click on the realm list title or audit score link, a report of the individual realm appears like Figure 10.

FIGURE 10. Individual Realm Report

The drilled-down individual realm diagnostic report includes the following sections and fields:

Field Description

Overview

Title The name assigned to this realm

Header The header assigned to this realm

Description A description of this realm

Auth Workflow The type of workflow mode this realm follows to authenticate

Purpose The purpose for which this realm was created (such as IdM, SSO, Network)

Directories

Auth Directory The data source this realm uses for authentication (such as Active Directory)

Auth Connection The connection string used to connect this source for authentication data

Profile Directory The source this realm uses for storing profile data (such as sAMAccountName)

Profile Connection The connection method used to connect this source for profile data (such as the Active Directory domain)



To drill up, simply click the left arrow on your browser and the general report reappears.

Score CalculationThe scores displayed on the report screen are broken down into a series of escalating concerns on a scale of 1 to 5, where 5 is critical.

Interface

Theme The theme assigned to this realm

Logo The logo assigned to this realm

Portal Log The logo assigned to the portal of this realm

Email Logo The logo used for the email function of this realm

Additional Auth

Second Factors The second authentication factor assigned to this realm, such as email, PIN, or phone

Group Restriction Any restrictions by user groups imposed on this realm

OTP Length The length of the OTP assigned to this realm. This tells the PIN OTP page the length of the OTP to generate.

Purpose

SecureAuth Type The type of SecureAuth function specified by this realm, such as IdM, SSO, or Network

Post-Auth Destination The destination of this realm post-authentication

Profile List List of profile fields for IdM such as ‘Show’, ‘Hidden’, and ‘Enabled’

Score Meaning

1 - Non-issue non-issue

2 - Support Issue Support Issues, such as The Password Expiration cannot be determined. Please contact SecureAuth support.

3 - Recommendation Recommendations, such as Audit Logging has only TEXT files selected. Please consider utilizing either Syslog or SQL as a logging type.

4 - Warning Configuration issues, such as Debug Logging, are currently enabled and may cause issues in a production environment.

5 - Critical Critical, such as SSL, is currently not required for this realm.

Please enable SSL and ensure it is always used.

Field Description



Use CaseThere are two cases for which the Health Analyzer VAM is expressly designed:

+ Your present SecureAuth IdP installation is misbehaving and you want to run a health check to isolate the problem

+ You are planning to upgrade your current SecureAuth IdP deployment to the most recent version and want to determine whether you should get SecureAuth Professional Services involved in the upgrade effort

Use Case 12

secureauth health analyzer vam best practices … 2 secureauth health analyzer vam best practices...

Documents