Voici une petite vidéo, très simple, en cinq minutes, on va faire la mise a jour d’SMS PASSCODE en version 7 sortie en ce mois de janvier 2014.
Nous sommes sur une plate forme Windows 2003 32Bits et la version 6.2 est déjà installée sur le serveur.
Dans la prochaine vidéo, nous verrons l’installation et la configuration sur une plate forme Windows 2012 R2. Windows 2012 R2 justement prise en charge exclusivement par la 7.
Petit rappel des possibilités de protection de la version 7:
– Citrix Web Interface
– RADIUS clients
– Cloud Applications protected through Microsoft Active Directory
Federation Services (AD FS) 2.0
(e.g. Microsoft Office 365 Web Clients, Google Apps, SalesForce)
– Microsoft Terminal Services / Remote Desktop Services
– IIS Web Sites (e.g. Microsoft Outlook Web Access)
– Web Sites published through ISA Server 2006 or TMG 2010
– Microsoft SharePoint Portal Server
– Windows Logon
La mise a jour est possible depuis les versions 5.0, 6.0, 6.0 SP1, 6.1, 6.2 and 6.2 SP1.
Les nouveautés de cette version 7 en plus de la prise en charge de Windows 2012 R2 pour la partie serveur et de windows 8.1 pour le logon agent sont:
Secure Device Provisioning (for ActiveSync Devices)
Secure Device Provisioning is a completely new component introduced in
version 7.0. This component provides a very secure, yet convenient way
for end-users to approve an ActiveSync device for getting access to
their Exchange mailbox.
SMS PASSCODE Secure Device Provisioning builds on top of the existing
Microsoft Exchange Server functionality, extending it to allow end-
users to easily approve new devices by themselves without compromising
security. Security is maintained by leveraging SMS PASSCODE’s renowned
multi-factor authentication engine for approving a new device.
As an additional benefit, the Secure Device Provisioning component
monitors ActiveSync traffic and prevents AD account lockouts caused by
password brute-force attempts.
Support for OATH Tokens
SMS PASSCODE version 7.0 introduces support for OATH compliant tokens.
The token support is very flexible, allowing you to configure the
exact types of tokens used in your organization:
– Support for OATH compliant hardware tokens and software tokens
– Support for event-based (HOTP) and time-based (TOTP) OATH tokens
– Support for time-based tokens with any time-step size
(e.g. 30 or 60 seconds between OTPs)
– Support for OATH tokens with 6, 7 or 8 digits
Configuration of tokens is performed using Token Policies, a new type
of policy added to the policy-driven administration of SMS PASSCODE.
As an administrator, you may optionally allow end-users to select a
Token Policy by themselves using the SMS PASSCODE Self-Service Web
Site. This provides end-users the flexibility of choosing by
themselves the type of token to use, e.g. choosing between Microsoft
Authenticator and Google Authenticator.
Enrollment of Software Tokens using QR codes
Optionally, Token Policies can be configured to allow end-users easy
self-enrollment of software tokens, simply by logging in to the SMS
PASSCODE Self-Service Web Site, generate a random token ID by the push
of a button, and then finally perform a complete configuration of the
software token by scanning a QR code that is presented automatically
to the end-user.
Contextual Message Dispatching
In version 6.1 SMS PASSCODE introduced Authentication Policies and
introduced the patent-pending technology of location and behavior
aware authentication, in short “contextual authentication”. Since then
it has been widely recognized that the principles of contextual
authentication extends SMS PASSCODE to provide a much more secure, yet
flexible authentication system than traditional MFA systems. From one
perspective, Authentication Policies provide you the option of
increasing security, using context aware protection rules, like geo-
fencing; from another perspective, Authentication Policies give you
full flexibility of balancing security and convenience at the level of
your choice. E.g. you might enable SMS PASSCODE to intelligently skip
MFA for logins from special contexts, like self-learned trusted IP
addresses, e.g. home workplaces.
In version 7.0, Authentication Policies have been extended even more,
now introducing dynamic override of Load Balancing Policies and
Passcode Policies. This means, that Authentication Policies can now
depending on the current authentication context, decide to override
the Load Balancing Policy and/or Passcode Policy to use for the actual
dispatching of a one-time-passcode. Once again, this increases
flexibility, allowing you to configure the system according to your
specific needs. As an example, you can configure the system to prefer
SMS over voice call dispatching during logins from Europe, while
preferring voice call over SMS dispatching during logins from North
and South America.
New License Management
Previously, there was no separation between creating a user in the SMS
PASSCODE database and allocating a client access license (CAL) to the
user. I.e. any user created in the database was automatically
allocated a CAL.
For greater flexibility, a new license management system has been
introduced. It is now possible to create or import users into the SMS
PASSCODE database, without taking licensing into account; license
allocation is then handled independent of this afterwards.
This has several advantages, among others:
– It is now possible to allocate MFA CALs and Password Reset CALs
independent of each other. I.e. you can assign MFA CALs only,
Password Reset CALs only, or both types of CALs to any subset of
– Previously, an AD sync would skip importing some users, if you
ran out of CALs. With the new logic, the AD sync will import all
users, allowing you to get a good overview in the Web
Administration Interface, which users are missing a CAL.
The Authentication Monitoring page in the Web Administration Interface
has been enhanced with a new Geo-Mapping feature. This feature allows
you to visualize any subset of the SMS PASSCODE authentication
attempts collected in your system on a world map. E.g. you may
activate a filter showing only failed authentication attempts within a
specific period, and then plot these attempts on a world map, to get a
geographic visualization of login attempts from unexpected locations.
The world map is interactive, allowing you to click on any country to
get detailed login statistics.
Persistent Column Selection
Previously, when customizing the columns shown in data grids on
different pages of the Web Administration interface, these column
customizations were lost, whenever the browser was closed and re-
opened. Now, column selections are persisted individually per user.
Support for Windows Server 2012 R2
Most components have been tailored to support Windows Server 2012 R2.
This applies to:
– All SMS PASSCODE core components
– SMS PASSCODE RADIUS Protection
– SMS PASSCODE IIS Web Site Protection
– SMS PASSCODE Windows Logon Protection
Support for Windows 8.1
SMS PASSCODE Windows Logon Protection is now also supported on Windows
Support for Outlook Web Access 2013
The SMS PASSCODE IIS Web Site Protection component now also supports
protection of Outlook Web Access (OWA) 2013. It is a requirement, that
the OWA 2013 site is configured to use form-based authentication
Support for More Languages
End-user related content has been localized to more languages. Now,
the SMS PASSCODE Self-Service Web Site, the SMS PASSCODE Password
Reset Web Site, and the SMS PASSCODE Secure Device Provisioning Web
Site are all localized to the following languages:
Support for Multiple Password Reset Web Sites on the Same Server
It is now possible to host several SMS PASSCODE Password Reset Web
Sites within the same IIS (on the same server), allowing each such web
site to connect to a separate SMS PASSCODE Password Reset Backend
Fonctionnalités disparu dans la version 7.
The SMS PASSCODE Citrix Web Interface Protection component no more
supports Citrix Web Interface versions 4.5, 5.0.x, 5.1.x and 5.2.x.
Citrix Web Interface versions 4.6, 5.3.0, 5.4.0 and 5.4.2 are still