Self Launching Application
The Policy Master Utility Software is a self
launching and configuring application consisting
of the following files on the disk:
- Policy Master Application (Setup.exe)
- Policy Master Manual
- Token Manual
- Quickstart Guide
The Mandylion tokens work with any application
or operating system which uses a durable
password as its means of authenticating the user
and granting access privileges. The Mandylion
solution was specifically designed to work with,
and mitigate the vulnerabilities inherent in, the MS
LANMANv2 hash and its backward compatibility with
previous versions of LANMAN. LANMAN is the central
utility used in all Microsoft OS products to
authenticate users and secure their passcodes. The
Configuration Management Utility software runs on
any Wintel platform including Microsoft Win32
(Windows 98, ME, NT 4.0, 2000, XP).
Template Based
The Policy Master Configuration Software is a
template based application. It provides a great
deal of “cut and paste” flexibility in creating
login records for a single token or for multiple
tokens covering whole classes of users. The basic
Policy Master Template screen is shown below. This
is the default file which appears on the screen
when the application is launched. The template is
divided into three logical areas: the user
information input area; the selection of default
parameters for the device, including locks, alarms
and default password generation; and the Login
Record Area.

Extensive Administrative Controls
The software suite provides the enterprise with a
great degree of control and authority over each
token that is licensed to it. A Policy Master
“Public” Utility is supplied as part of the suite.
This utility can be freely distributed within the
organization due to its limited configuration
capabilities.
If control among token administrators is sought
by the enterprise, the Policy Master software has
a unique ability to associate and control specific
tokens by administrator or group administrators.
Through an intuitive and secure Windows based
interface and a common USB port, each token can be
customized and pre-configured on behalf of the
user or class of users. For convenience, the
software is template based. All of the user’s
logins, user IDs and specific password requirements
are entered onto the template, then saved and
downloaded into the device to which the user has
been assigned. With this template approach, it
is easy to configure a single unit or 5 thousand.
It’s as simple as a copy, paste and “print”
exercise from one unit to the next. When
provisioned with a token, all the user has to do
is create their own fingerpattern for access and
they are done! Unused login records can be set by
the administrator to allow for the user’s
personal use.
For security purposes, only the publicly
available Login Policy (i.e. length, composition
and renewal period) is downloaded to the token.
For administrative ease, in those situations
where the administrator is responsible for the
control of the login for certain individuals or
groups of individuals, the actual password
(temporary or permanent until changed) for a
particular login record can be generated and
displayed in the configuration utility prior to
its download.
Tokens can be incrementally updated by login
record for password composition. This allows for
multiple tokens to share identical login
records.
Alternatively, a user can configure their
own token from their own PC or a shared “kiosk”
type station without the assistance of an
administrator.
Due to a unique lockout control, Login
records set by the enterprise cannot be
reconfigured or erased by the user.
Conversely, Login records set by the user
cannot be reconfigured, erased or even accessed
by the enterprise.
Describing Your Password Policy
The Mandylion autoload token / password management
utility supports Lotus Domino applications
including iNotes, Lotus IM and Web Conferencing
and Team WorkPlace. The Mandylion solution works
with any application or operating system which
utilizes the durable password as its means for
authenticating the user and granting it access
privileges. Via the Configuration Management
Software Module, user passwords can be specified
by length, composition and renewal interval.
Composition of each password can be specified down
to the keyspace (position) within the passcode to
be generated. Composition can be randomly drawn
from the entire printable ASCII character set
(base 94) or throttled to any or a combination of
the following subsets of the printable ASCII
character set:
- Upper Case Letters (base 26)
- Lower Case Letters (base 26)
- Upper and Lower Case Letters (base 52)
- Numbers (base 10)
- Special Characters (base 31)
- Any but Special Characters (base 63)
- National Character Set (base 3) (a mainframe
  legacy convention)
- Upper Case and Numbers (base 36)
The Mandylion solution does not have any client side
software. All logins are made by the user via their native
applications and operating systems.
The following options can be enabled or disabled by the
Administrator in the creation of a password’s composition,
by login record:
- Minimum length; maximum length;
- Password to be totally random, i.e. it cannot
  contain the username or a word;
- Minimum representation of each ASCII
  character subset can be specified;
- Password must contain a configurable number
  of characters;
- Password must contain a special character
  (from a customizable list);
- Password must contain at least one lowercase
  character;
- Password must contain at least one uppercase
  character;
- Password cannot be set to a previously used
  password;
- Password cannot contain any variation of the
  user’s name;
- Password cannot be a dictionary word.
Via a combination of its configuration software
utilities, the host OS and application
authentication utilities and subsystems, and the
end user token, password quality is assured. All
of the above composition parameters of a password
can be enabled or disabled by the administrator
utilizing the Mandylion Configuration software
utility.
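The composition rules listed above, applied to a candidate password in code. This is an added example, not part of the brochure or of Mandylion's software; the membership of the special-character subset, the default counts, and the set of "username variations" it rejects are assumptions of the example.

```python
import string

# Character subsets named in the brochure; the membership of the
# special-character set is an assumption of this example.
UPPER = set(string.ascii_uppercase)     # base 26
LOWER = set(string.ascii_lowercase)     # base 26
DIGITS = set(string.digits)             # base 10
SPECIAL = set(string.punctuation)       # assumed membership

def username_variants(username):
    """Forms of the user name the password must not contain: as typed,
    reversed, and with common digit substitutions (an assumed rule set)."""
    u = username.lower()
    leet = u.translate(str.maketrans("oiea", "0134"))
    return {u, u[::-1], leet}

def check_policy(password, username, history=(), dictionary=(),
                 min_len=8, max_len=16, min_digits=1, min_special=1):
    """Return the list of violated composition rules; empty means compliant."""
    violations = []
    if not min_len <= len(password) <= max_len:
        violations.append("length")
    chars = set(password)
    if not chars & LOWER:
        violations.append("no lowercase")
    if not chars & UPPER:
        violations.append("no uppercase")
    if sum(c in DIGITS for c in password) < min_digits:
        violations.append("too few digits")
    if sum(c in SPECIAL for c in password) < min_special:
        violations.append("too few special")
    low = password.lower()
    if any(v and v in low for v in username_variants(username)):
        violations.append("contains username")
    if password in history:                      # previously used password
        violations.append("previously used")
    if low in {w.lower() for w in dictionary}:   # dictionary word
        violations.append("dictionary word")
    return violations
```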
Setting Password Length, Composition and Renewal
Setting an individual login record’s password
length, construction and renewal interval policy
is easily accomplished via simple Preference Boxes
accessible for each login record on the template.
There are 4 ways to specify a password’s schema:
Default (against a predefined schema set for the
token), Structured, Randomized and Manual.

Selecting the Structured Option in the Preference
Box sets the device to generate a purely random
password of a specific length for a specific login
record. With this option, the device’s random
number generator can be further throttled to only
generate specific subsets of the ASCII character
set in each position within a particular password.
This feature allows for the creation of passwords
that fit the schema requirements of
applications/hosts which might require, for
instance, only an alphanumeric in the first
position of the password.
Setting Minimum Count of Special Characters,
Letters, Numbers in Password
Selecting the Randomize Option displays a Preference Box
that sets the token to generate a purely random
password of a random length within a specified
minimum and maximum length range for the login
record selected. This option also allows the
administrator to set the minimum and maximum count
of characters within the password from specific
subsets of the ASCII character set.
Unlike the Structured Option above, this option
calls on the powerful random number generators to
select the position within the password of where
these specific character sets will fall.
Of course, a manual password may also be entered
into any record as its password of record or as an
initial bootstrap, one time password.
Individual passwords can be set to be generated by the device
or securely loaded via the cradle from the
individual template by login record. This latter
feature allows for the input of host generated
passwords or group passwords and their
coordination among users.
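The Structured option (a fixed character subset per position) and the Randomized option (random length within a range, minimum counts per subset, positions chosen by the random number generator) as described above, implemented as an added example with Python's CSPRNG. This is not Mandylion's code; the subset memberships, the per-position schema list and the minimum-count dictionary are assumptions of the example.

```python
import secrets
import string

# Subsets the administrator can throttle the generator to (the brochure's
# "base" figures); the special-character membership is an assumption here.
SUBSETS = {
    "upper": string.ascii_uppercase,                  # base 26
    "lower": string.ascii_lowercase,                  # base 26
    "digit": string.digits,                           # base 10
    "alnum": string.ascii_letters + string.digits,    # letters and numbers
    "special": string.punctuation,                    # assumed membership
    "any": string.ascii_letters + string.digits + string.punctuation,
}

def structured(schema):
    """Structured option: the administrator fixes which subset each position
    is drawn from, e.g. ["alnum", "any", "any", "digit"] for a 4-character
    password whose first character must be alphanumeric."""
    return "".join(secrets.choice(SUBSETS[name]) for name in schema)

def randomized(min_len, max_len, min_counts):
    """Randomized option: random length in [min_len, max_len], at least
    min_counts[subset] characters from each named subset, with the CSPRNG
    rather than the administrator deciding where those characters land."""
    required = [secrets.choice(SUBSETS[s])
                for s, n in min_counts.items() for _ in range(n)]
    if len(required) > max_len:
        raise ValueError("minimum counts exceed the maximum length")
    # Never draw a length too short to hold the required characters.
    low = max(min_len, len(required))
    length = low + secrets.randbelow(max_len - low + 1)
    filler = [secrets.choice(SUBSETS["any"]) for _ in range(length - len(required))]
    chars = required + filler
    secrets.SystemRandom().shuffle(chars)   # random positions for required chars
    return "".join(chars)

def count_in(password, subset):
    """Number of characters of `password` that fall in the named subset."""
    return sum(c in SUBSETS[subset] for c in password)

if __name__ == "__main__":
    print(structured(["alnum", "any", "any", "any", "digit", "special"]))
    print(randomized(10, 14, {"upper": 2, "digit": 2, "special": 1}))
```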

The Mandylion Configuration Management utility
software sets the parameters for both the
“bootstrap” or Expire on First Login password as
well as the ongoing password policy for each login
record. The administrator or user has the option
of setting the Expire On First Login password to
expire upon first use and automatically generate a
new password for the user that complies with
ongoing policy. Alternatively, the Expire On First
Login password can be delayed to first policy
change date or held static, as in the case of
group or manual password login records.
Password expiration intervals can be set and
controlled by login record. Intervals included in
the standard configuration are:
- Upon First Use
- 30 Days
- 45 Days
- 60 Days
- 90 Days
- 180 Days
- One Year
- Two Years
- Never
The Mandylion autoload token/password management
utility allows for a “grace period” for password
change to accommodate synchronization with other
logins and applications, as well as to temporarily
delay password updates to a time more convenient for
the user. Various lockouts and alarms prevent this
grace period from being abused.