Administrative data items

User Account Credentials
A token device can hold a number of Windows user accounts for one or several computers or domains. Each entry contains a User Name, a Domain Name and a Password. One or many account entries can be stored on the token. The on-token Windows account data is used by the ControlSphere Logon and ControlSphere Password Manager services.
Viewing ControlSphere Account Credentials requires the token User PIN. Data modification and export/backup require the token Administrator/SO PIN.
See User Account Manager below for further details.

Encryption Keys
A ControlSphere token can hold a number of encryption keys. See the Encryption Keys feature description of ControlSphere for more details.
Viewing the ControlSphere Encryption Key layout requires the User PIN of the device. Data modification and export/backup require the Administrator/SO PIN.
See Encryption Key Manager below for further details.

Token Security Policy
The token has its own customizable security policy. It consists of the token PIN security policy, Windows password security and other options. See the Token Security Policy editor for the complete description.
Viewing the ControlSphere Token Security Policy requires the User PIN of the device. Data modification and export/backup require the Administrator/SO PIN.
See Token Security Policy editor below for further details.

Publicly Accessible Data
ControlSphere provides an additional token holder identification mechanism via public data entries on a token. A token may carry additional information describing its holder or the token itself, such as the Token Label, a holder description and a photograph.
Accessing this data does not require any PIN; modifying it requires the Administrator/SO PIN of the device.
See Public Data Manager below for further details.

ControlSphere Token Data Manager
Hardware token devices can hold a number of ControlSphere data items. The Data Manager lets you view and update them. The window contains links to the following ControlSphere data editors:

User Account Manager
[Enabled in combination with the ControlSphere Logon and Password Manager services only]
The User Account Manager window displays a list of the Windows user accounts stored on a token. You can Add, View/Edit or Remove account entries by clicking the corresponding buttons. You can also change the entry order by clicking the Move Up and Move Down buttons, or Sort the entries. Ordering is mostly a cosmetic feature and does not affect the logon functionality. Adding or viewing an account entry opens the Account Definition window (see below).
ControlSphere does not limit the number of accounts that can be stored on a token. The accounts can be used with Windows logon or the Single-Sign-On Automation process.
You can enable the Backup updated account list option to initiate a backup process for the Windows account list. If enabled, ControlSphere opens a data backup manager once the Account Manager is closed.
To commit your changes click the Update Account List button.

Account Definition window
The Account Definition window allows viewing and updating of the selected Windows account data. The following data fields are part of each entry:

User Name
The Windows account user name.

Domain
This field is useful if you define a network account; in that case provide the network domain name. If you define a local account, there are two options: you can provide a local computer name or leave the field empty. When the field is left empty, the account is verified against the local accounts on every computer you log on to with your token, regardless of the local computer name.

Password
The account password.

You can click the Unmask Password option to view the current password value of the entry. Since the password value is confidential information not necessarily known by the user, unmasking the password requires a valid Administrator/SO PIN of the token.
Select the Check account validity option to verify the account/password once you complete the account definition and click OK. In this case ControlSphere verifies the Windows account against the accessible Windows authentication source (SAM). ControlSphere displays a note if the account credentials cannot be verified.

Encryption Key Manager
[Enabled in combination with the ControlSphere Encryption Service only]
The Encryption Key Manager window displays a list of the Encryption Keys stored on a token device. You can Create, Remove and Export a key, as well as Import one or multiple encryption keys from another token.
To encrypt data on your PC you need at least one encryption key stored on your token.
To create a new encryption key click the New Key button. Doing so opens the Create New Encryption Key window (see below).
To remove a key click the Remove Key button. You will be asked to confirm the key removal. Important: before removing a key, make sure it is not used by any existing encrypted media, e.g. an encrypted volume. Note that the key is not actually deleted until you commit the changes.
To import one or multiple keys from another token click the Import Keys button. You will be asked to connect the source token and provide its User PIN to access the encryption key storage on the source token. Then you will be asked to select one or multiple keys to import from that token. Once selected, you will be asked for the Administrator PIN of the source token to authorize the key export. Finally the key(s) are imported into the Encryption Key Manager space and are ready to be committed to the token.
To export a key to another token, select the key to export and click the Export Key button. You will be asked to provide the Administrator PIN of the token to authorize the key export. Then you will be asked to connect the destination token to export the key to. You will be asked for both the User and Administrator PINs of the token. Finally the key is exported and committed to the destination token.
You can enable the Backup updated encryption keys option to initiate a backup process for the updated key list. If enabled, ControlSphere opens a ControlSphere data backup manager window once the Encryption Key Manager is closed.
To commit your changes click the Update Encryption Keys button.

Create New Encryption Key window
To create a new ControlSphere encryption key you will be asked to define a name for the key to create, select the encryption algorithm (only the standard AES256 encryption algorithm is currently available) and a key length. See the full description of the Encryption Keys for complete details on key parameters.

Token Security Policy editor
The ControlSphere Token Security Policy contains User PIN-specific and general token security options. You can customize your token to meet different security criteria.
The manager contains a set of tabs representing the token security settings, grouped logically.
ControlSphere provides the ability to save token security policy settings in a template stored locally on a computer and apply them to a token in a single step. In other words, the templates are useful for quick reuse of security settings.
The template management options are located in the lower part of the Template Manager window. You can create a new template or select an existing one, load its settings into the tab sheet, modify them as necessary and store them in the original or a different template. To store security settings in a particular template, select the destination template from the template list and click Save Template. The settings are saved in the selected template.
You can also delete a template when it is no longer in use. Select the template from the template list and click Delete Template.
You can enable the Backup updated token security policy option to initiate a backup process for the updated token security policy. If enabled, ControlSphere opens the ControlSphere data backup manager window once the Security Policy editor is closed.
To commit your changes click the Update Security Policy button.

User PIN Security Tab
This tab contains the User PIN security customization options.

Enforce "secure" PIN usage
This option defines whether the token allows setting "secure" User PINs only.
By selecting this option you can further customize the PIN security: you can either use the standard "secure" PIN algorithm or define a custom one.
The standard "secure" PIN algorithm forces a PIN to contain characters from three of the following four categories:
- English uppercase characters (A through Z)
- English lowercase characters (a through z)
- Base 10 digits (0 through 9)
- Non-alphanumeric characters (e.g., !, $, #, %)
The custom "secure" PIN algorithm is user-adjustable; you can select which of the following categories to enforce:
- English characters
- English uppercase characters and lowercase characters
- Base 10 digits
- Non-alphanumeric characters

Minimal token PIN length
This option defines the least number of characters a User PIN may contain. You can set a value between 4 and 32 characters. The token uses this value in the validation process when a new PIN is set.

Enforce User PIN history
This option defines the number of unique new User PINs that must be set on a token before an old PIN can be reused. The PIN history is kept securely on the token. If this option is enabled, the value must be between 1 and 24 PINs. This policy lets administrators enhance security by ensuring that old PINs are not reused continually. Note that if this option is set, the minimal User PIN age control is also in effect and is one day.
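The PIN policy controls described above (standard and custom "secure" PIN algorithms, minimal length, PIN history with its one-day minimal age) as an added example that is not ControlSphere's own code: a small validator applying them to a proposed new User PIN. The class and function names, and keeping a SHA-256 digest of each old PIN for the history check, are assumptions of this example.

```python
import hashlib
import string
import time
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class PinPolicy:
    # Constructed model of the User PIN Security tab; field names are assumptions, not ControlSphere's API.
    enforce_secure_pin: bool = True
    custom_categories: Optional[frozenset] = None  # None = standard three-of-four algorithm
    min_length: int = 8                            # the editor accepts 4..32
    history_depth: int = 0                         # 0 = history off, otherwise 1..24

    def __post_init__(self):
        if not 4 <= self.min_length <= 32:
            raise ValueError("minimal token PIN length must be between 4 and 32")
        if self.history_depth and not 1 <= self.history_depth <= 24:
            raise ValueError("PIN history must be between 1 and 24 PINs")

def _classes(pin: str) -> dict:
    # Which of the four standard character categories appear in the PIN.
    return {
        "upper": any(c in string.ascii_uppercase for c in pin),
        "lower": any(c in string.ascii_lowercase for c in pin),
        "digit": any(c in string.digits for c in pin),
        "symbol": any(not c.isalnum() for c in pin),  # e.g. ! $ # %
    }

def standard_secure(pin: str) -> bool:
    # Standard "secure" PIN algorithm: characters from at least three of the four categories.
    return sum(_classes(pin).values()) >= 3

# Custom "secure" PIN algorithm: every category the administrator selected must be satisfied.
CUSTOM_RULES = {
    "english": lambda k: k["upper"] or k["lower"],      # English characters
    "mixed_case": lambda k: k["upper"] and k["lower"],  # uppercase and lowercase characters
    "digit": lambda k: k["digit"],                      # base 10 digits
    "symbol": lambda k: k["symbol"],                    # non-alphanumeric characters
}

def custom_secure(pin: str, required: frozenset) -> bool:
    k = _classes(pin)
    return all(CUSTOM_RULES[name](k) for name in required)

def _digest(pin: str) -> str:
    # Assumption for this example: the history holds a hash of each old PIN, never the PIN itself.
    return hashlib.sha256(pin.encode("utf-8")).hexdigest()

@dataclass
class TokenPinState:
    history: List[str] = field(default_factory=list)  # digests of previous PINs, most recent last
    last_change: Optional[float] = None               # epoch seconds of the last PIN change

def validate_new_pin(pin: str, policy: PinPolicy, state: TokenPinState, now: Optional[float] = None) -> List[str]:
    """Return the policy violations for a proposed new User PIN (empty list = accepted)."""
    now = time.time() if now is None else now
    problems = []
    if len(pin) < policy.min_length:
        problems.append(f"shorter than minimal length {policy.min_length}")
    if policy.enforce_secure_pin:
        ok = standard_secure(pin) if policy.custom_categories is None else custom_secure(pin, policy.custom_categories)
        if not ok:
            problems.append("does not satisfy the secure PIN algorithm")
    if policy.history_depth:
        if _digest(pin) in state.history[-policy.history_depth:]:
            problems.append(f"reused within the last {policy.history_depth} PINs")
        if state.last_change is not None and now - state.last_change < 86_400:  # one-day minimal PIN age
            problems.append("minimal PIN age of one day not reached")
    return problems

def commit_new_pin(pin: str, policy: PinPolicy, state: TokenPinState, now: Optional[float] = None) -> List[str]:
    """Validate and, if accepted, record the new PIN in the on-token history; returns the violations."""
    now = time.time() if now is None else now
    problems = validate_new_pin(pin, policy, state, now)
    if not problems:
        state.history = (state.history + [_digest(pin)])[-24:]  # never keep more than the maximum depth
        state.last_change = now
    return problems
```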

User PIN Security level
This option defines how strictly the User PIN protects the token data. The token security level should be defined by the token administrator according to the security level required. There are three security levels defined:
Low:
This is the minimal user data protection level. ControlSphere shares the User PIN and token user session among different token data requests. That is, once a user has authorized to the token and the token has been set "authorized", no User PIN is required to access and change user-related token data (on-token Password Bank, Token Volume Automation Settings, changing the User PIN, etc.). The "User PIN caching" option is available with this security level only.
This is the most convenient setting for a token user and provides maximal Single-Sign-On comfort, but it requires stricter control of the token hardware itself: leaving an unlocked workstation with the token connected presents a serious security threat, since other persons can potentially access and/or modify a subset of the token data with no User PIN required. This is not a concern if the token is carried by its holder constantly, however. This level is ideal for individual users.
Medium:
This is a stricter level of protection which requires the User PIN to be entered regardless of the "authorized" token status. No token data can be accessed without entering a valid User PIN. This is the recommended PIN security level for enterprises. Some token data delegation still happens without extra authentication, though (see the Password Manager service of ControlSphere).
High:
This is the strictest PIN security level. It includes all features of the Medium PIN security level and adds an extra User PIN request every time the user modifies user-related data on the token. It also requires the User PIN to be entered when unmasking or copying a password to the clipboard from the Token Password Bank window and when performing login operations with ControlSphere Password Manager.
This is the recommended PIN security level for secure environments and military organizations.

Allow User PIN caching
If this option is enabled, ControlSphere allows the user to cache the User PIN in computer memory. Enabling the "Cache PIN for the token" option in the User PIN request window then caches the User PIN. The PIN is cached for a maximum of 12 hours or until the computer is restarted.
When the User PIN is cached, it is used automatically without asking the token holder to enter the PIN. This option should definitely be OFF in secure environments.
Note that this option is available only in combination with the User PIN Security level set to Low.

User PIN Changing tab
ControlSphere provides additional control over the User PIN changing options.

Force User PIN change at next authorization
This option specifies whether the token holder must change the User PIN the next time the PIN is requested. This option is especially useful when an administrator is issuing new tokens to users: the tokens have default PINs set and ControlSphere forces users to change them before the token is used for the first time.
Not compatible with the Prevent user from changing the User PIN option (see below).

Schedule and force User PIN change
These options are applicable with the ControlSphere Logon Service enabled.
To increase token device security you can schedule and force the token holder to change the User PIN on a regular basis. You can choose from the following options:
Do not force user changing the PIN
The User PIN change is not forced by ControlSphere.
Logon-count based model
The number of token logons a User PIN can be used for before ControlSphere requires the token holder to change it.
Time-based mode
The amount of time that passes before ControlSphere requires the token holder to change the User PIN.
Prevent user from changing the User PIN
Select this option to prevent the user from changing the User PIN. ControlSphere requires an Administrator/SO PIN in case of a manual User PIN change attempt.
Enabling this option disables the ability to set the Force User PIN change at next logon option (see above).

Token Security tab
ControlSphere provides extra customization of other security settings as well.

Protect all token data modifications by Administrator/SO PIN
This option enforces Administrator/SO PIN verification on every modification of the token data. Most token data modifications (Account Credentials, Encryption Keys, Token Security Policy Settings, etc.) already require the Administrator/SO PIN, but this option extends it to all token data items, including the Password Bank storage and the Encrypted Volume Automation Settings.

Protect on-token passwords from being viewed or copied
This option enforces additional protection for the password entries stored in the Password Bank storage. If this option is enabled, ControlSphere does not allow stored passwords to be exposed in clear text or copied to the clipboard unless the Administrator/SO PIN is provided. This does not affect the Password Manager feature; it simply ensures a token user does not see the passwords in clear text.
This is especially useful when an administrator defines a set of password entries for the user token but does not want the passwords themselves to be known by the user. This way the entries can be used in Password Automation while the corresponding passwords are not known even to the token user.

Enforce token check through TMS server (if TMS is enabled)
Enabling this option enforces token verification (a check for pending data updates) on the centralized TMS server of ControlSphere. The user will not be able to use token features if no connection to the TMS server is available. Please refer to the ControlSphere Token Management System manual for more information.

Conform to Windows password management policy
This option is applicable with the ControlSphere Logon Service enabled.
If this option is enabled, the token conforms to the Windows password management policy, i.e. ControlSphere automatically updates the token with a new password should the old one expire or need to be changed.

Generate secure passwords automatically
This option is applicable with the ControlSphere Logon Service enabled.
Automatic Windows account password management allows ControlSphere to generate secure passwords automatically without user assistance. Passwords generated on a ControlSphere token are much more secure than ordinary ones. Once the password is automatically generated and stored, nobody (not even the token holder) knows what the password is except the token itself. Enabling this option is recommended for secure environments only.

Public Data Manager
The Public Token Data Manager displays the publicly accessible token data items: the token label, additional token holder identification data and the token holder image/photograph.
The token label data item is read-only and can only be defined at the token profile creation stage. The other data items can be modified when needed.
You can optionally format the additional token holder identification data with tabulation symbols.
If no token holder image is attached to the token yet, the manager lets you browse for an image. You can attach any image type supported by Microsoft Internet Explorer. We recommend using a compressed picture format such as JPEG. Note that the image should be less than 10 kilobytes in size to fit on the token.
If the token holder image/photograph is already present, the manager lets you Show and Remove it from the token.
You can enable the Backup updated public data items option to initiate a backup process for the updated public token data. If enabled, ControlSphere opens a data backup manager once the Public Token Data Manager is closed.
To commit your changes click the Update Public Data button. Modifying the items requires the Administrator/SO PIN.

Password Bank Manager
The Password Bank is a secure on-token password storage managed by ControlSphere. You can store any number of password records on your token and associate them with the password automation rules of ControlSphere Password Manager. See Password Record Definition below for detailed information on password entry attributes.
You can perform the following actions in the Password Bank Manager window:
Add
This action opens a Password record definition window where you can define a new password record.
Edit
This action opens the currently selected password record or folder for editing.
Remove
This action removes the currently selected password record from the password list. If a folder is selected, its sub-records are removed as well.
Unmask Password
This action displays the unmasked password of the currently selected password record. You may be asked to confirm the Administrator/SO PIN at this point if so configured in the token security policy.
Copy Password To Clipboard
This action copies the password data of the selected password record to the system clipboard. You may be asked to confirm the Administrator/SO PIN at this point if so configured in the token security policy.
Update Password Bank
This action writes the password bank changes to the token. When there are no changes to update, this button is disabled. You may be asked to confirm the Administrator/SO PIN at this point if so configured in the token security policy.
You can enable the Backup updated password bank data option to initiate a backup process for the updated Password Bank data. If enabled, ControlSphere opens a data backup manager once the Password Bank Manager is closed.
Some password records may be locked by the Administrator via the centralized ControlSphere TMS system. A locked record is read-only for the user and modifying it requires the user to provide the Administrator/SO PIN. Passwords from such records cannot be viewed or copied in clear text.
To commit your changes click the Update Password Bank button. You may be asked to confirm the Administrator/SO PIN at this point if so configured in the token security policy.

Password Record Definition
The Password record dialog allows you to define a new or edit an existing password record. Password records have the following attributes:
Record Name
A brief name for the password record. This name appears in the ControlSphere password automation windows.
Group by Folder
An optional folder name to store the record in; it is used for grouping purposes only. You can select an existing folder from the drop-down menu or define a new one. The folder name appears in the ControlSphere password automation windows as well.
User Prefix Name
An optional name or value which prefixes the user name field. Used with ControlSphere Password Manager when automating password entry for web forms.
User Name
A user name to associate with the entry. It can be empty.
Password
A password to associate with the entry. It can be empty.
Comments
An optional comment string to associate with the record. If defined, it can be viewed and copied from the ControlSphere password automation windows. The comment field can hold extra authentication data when required.

Encrypted Volume Automation Manager
[Enabled in combination with the ControlSphere Encryption Service only]
In addition to the manual encrypted volume mounting feature, ControlSphere provides the ability to auto-mount pre-configured encrypted volumes for a token device. This feature eliminates the need for manual volume mounting operations completely. The manager helps organize the Encrypted Volume Automation rules stored on your token. A list of existing rules is displayed in the list control, which contains detailed information about the rules and their associated volume status:
Preferred
The preferred drive letter index for a volume. If the entry was defined as a User Home Drive, you will see a corresponding mark next to it.
Mounted As
The current drive letter index for the volume if it has been mounted. If the volume is mounted as a User Home Drive, you will see a corresponding mark next to it.
Volume Name
The identification name for the volume, defined at its creation time.
Size
The volume size, in megabytes.
Encryption Key Name
The name of the encryption key of the volume.
Volume file Location
The location path of the encrypted volume file.
Mount under the following users
Displays the list of Windows user accounts for which the automatic mounting rule is enabled. By default a rule is operational under all user accounts.
You can Add, Edit or Remove volume automation entries from the list by clicking the corresponding buttons. See the Automate Volume Mounting window for more details on the automation entry definition.
You can enable the Backup updated automated volume configuration option to initiate a backup process for the updated volume configuration data. If enabled, ControlSphere opens a data backup manager once the Volume Automation Manager is closed.
Some password records may be locked by the Administrator via the centralized ControlSphere TMS system. A locked record is read-only for the user and modifying it requires the user to provide the Administrator/SO PIN.
To commit your changes click the Update Configuration button. You may be asked to confirm the Administrator/SO PIN at this point if so configured in the token security policy.

Automate Volume Mounting window
An encrypted volume automation rule is part of the token-automated volume configuration. The configuration is stored on the token itself and is token-dependent. See Encrypted Volume Automation for the complete description of this technology.
Each automation rule has the following attributes:
Volume Location
The location/path of the encrypted volume file. If a volume is configured to be mounted from removable media (a USB flash drive, for example), ControlSphere tries to resolve the volume path and mount the volume even if the media is mapped under a different drive letter on another computer.
Preferred Drive Letter
The preferred drive letter index for the volume. If the drive letter is occupied, ControlSphere uses the first available drive letter to mount the volume on.
Make the volume "User Home Drive"
A volume can be marked as a User Home Drive. In this case it is mounted as the User Home Drive on token-based logon and the user shell folders are redirected to it. Please see the additional description of the User Home Drive technology of ControlSphere.
There can be several User Home Drive-marked volumes per token. In this case ControlSphere asks which one to use when the volumes are mounted.
Redirect temporary user environment to the drive
This option is available for User Home Drive volumes only. If enabled, ControlSphere redirects the temporary user folders (TEMP, TMP and Temporary Internet Files) to the drive once it is mounted and restores them to their original location once the drive is dismounted.
Redirecting the temporary user folders ensures that temporary user session data is stored securely on the encrypted drive and cannot be accessed or analyzed by third parties.
Dismount when user logs off
All encrypted volumes are dismounted when the user logs off.
This option is always ON.
Dismount the drive when disconnecting a key-source token
Select this option to forcibly dismount the volume when the token which was used to mount it is disconnected/removed from the port adapter.
Mount the volume automatically for the specific Windows user(s) only
Select this option to enable the automation rule for specific Windows users only. You will be asked to define a number of user/domain entries to enable the automation for.