Scorpion Software’s RWWGuard helps protect your small business and enhance its remote access security with the addition of two-factor authentication directly into Remote Web Workplace. This doesn’t impact your choice of what services RWW can provide or how they work, yet it’s a substantially stronger protection to unlock the door. Now you also require a physical key. Combining the standard RWW domain credentials with the one time password (OTP) from your key even eliminates password guessing done inside your business from being used later from the outside.
You have much greater assurance that the remote user connecting in is actually your trusted user, and not some rogue imposter who may have captured or guessed the login credentials. And unlike standard RWW access, RWWGuard records an audit trail showing you summarized and detailed login records of your RWW users.
Please review the following information to see if you meet minimum system requirements to use RWWGuard 2003. RWWGuard 2003 has been tested on SBS 2003 SP1, SBS 2003 SP1 and SBS 2003 R2 respectively.
Supported Operating Systems
- Small Business Server 2003
- Small Business Server 2003 SP1
- Small Business Server 2003 R2
- Microsoft Internet Explorer 6.0 or later
- .NET Framework 1.1
- Microsoft Installer Services (MSI) 2.0
- The AuthAnvil Two Factor Auth Strong Authentication System; or
- A strong authentication server supporting RADIUS. Recommended software includes Scorpion Software’s AuthAnvil Two Factor Auth, CryptoCard’s CryptoServer and RSA’s SecurID.
What you need to begin
To begin your installation of RWWGuard, we recommend you collect and prepare the following items:
- RWWGuard installer file, typically named RWW-Guard-Setup.exe. You can download this file from our Zero Media install site at http://www.scorpionsoft.com/downloads.
- The RWWGuard Installation Guide. Consider having this guide available during your actual installation session.
- Administrative access to a supported operating system in which you wish to install RWWGuard. It is recommended that during evaluation you test RWWGuard in a non-production environment.
- The IP address and RADIUS shared secret of the strong authentication server if using RADIUS, or the Two Factor Auth SAS URL if using Two Factor Auth.
Download the latest RWWGuard Setup from Scorpion Software Corp’s website at http://www.scorpionsoft.com/downloads.
- Double click on the EXE file to begin the installation.
- The setup program will prompt you for standard path information like where to install the files, and analyze your IIS configuration to make the proper Virtual Directory for the management console. It will then backup the original Remote Web Workplace files, and install all the new appropriate files.
- After installation, the setup program will launch the locally defined web browser to the RWWGuard Manager console, typically installed to: https://servername/RWWGuardManager/
- You can log in to the RWWGuard Manager with normal administrator domain credentials.
On installation RWWGuard is initially disabled. RWWGuard must be configured to communicate to a strong authentication server before it can start offering two-factor authentication to remote users.
When you first log into the RWWGuard Manager, you will be presented with the dashboard, which will have no useful stats. Once RWWGuard has been in use for a while, the dashboard stats will begin to offer insight to the state of your password login metrics in your organization.
To configure RWWGuard, log into the RWWGuard Manager and select the Settings tab.
NOTE: After making changes to the settings for RWWGuard you MUST press the “Save Settings” button before it will be applied. Leaving the page will abandon all changed settings not yet saved.
Selecting the Authentication Mode
When you select “RADIUS” for “Authentication Mode”, RWWGuard will communicate to a RADIUS server with the configured shared secret. If you select “Two Factor Auth”, RWWGuard will communicate via SOAP/XML web services directly with an Two Factor Auth Strong Authentication System.
Configuring RADIUS settings
RWWGuard can be configured to communicate with a RADIUS server to validate an OTP Passcode. In the “RADIUS Settings” you need to configure the IP address where the RADIUS server lies, and the Shared Secret that will be used to communicate securely.
NOTE: You may need to configure the firewall on SBS2003 to allow for RADIUS to be spoken to/from the server. The RADIUS protocol uses UDP port 1812.
NOTE: The Shared Secret must match IDENTICALLY between the RADIUS server and RWWGuard.
Configuring Two Factor Auth settings
RWWGuard can communicate via web services directly with an Two Factor Auth server to validate an OTP Passcode. In the “Two Factor Auth Settings” you need to configure the URL and Admin URL to where the Two Factor Auth SAS service lies.
Example: https://localhost/Two Factor AuthSAS/SAS.asmx
If you wish to use a different Two Factor Auth server to authentication the user when logging in as the named account “Administrator”, you can point the Admin URL to the destination Two Factor Auth server. This is useful for external IT staff and MSPs who manage multiple networks and want to control their techs access from a central Two Factor Auth system.
NOTE: You may need to configure the firewall on SBS2003 to allow for HTTPS to be spoken to/from the server. For safety and security of the user PIN and OTP, it is NOT recommended to use the clear text HTTP protocol.
NOTE: The SBS Server where RWWGuard resides MUST trust the remote digital certificate if connecting to an external Two Factor Auth server. The easiest way to test this is to go to the URL of the remote Two Factor Auth server from the SBS server with a browser. If a prompt for the certificate is shown, make sure you add it to the Trusted Root Certificate Authorities store.
NOTE: You may need to configure the Directory Security IP address restrictions in IIS to allow external access to the Two Factor Auth Web Service. You will also need to configure the IP address of the SBS box where RWWGuard resides within Two Factor Auth to get authorization to authenticate remotely. If using Two Factor Auth on the same machine as RWWGuard, you can use localhost, which is preconfigured.
When you select “Yes” for “Enable RWWGuard”, a new “OTP Passcode” field is present on the RWW logon page.
Force two-factor authentication
When you select “Yes” for “Force OTP Auth”, all users logging in from Remote Web Workplace will be required to enter in an OTP Passcode unless their name is in the exception list. If you select “No”, then no users are required to enter in an OTP Passcode unless their name is in the exception list.
When you select “Yes” for “Allow Impersonation”, you give the option to your users to employ a different username when completing the OTP auth by clicking “Show Advanced”. If you want to FORCE that the user matches the same username for both Active Directory and OTP auth, select “No”.
NOTE: If you select “No”, you need to dedicate a token for each account.
NOTE: Two Factor Auth users do not need to use this feature. You can configure Grouped User to accomplish this same goal.
RWWGuard is licensed on a yearly subscription model. You can see when your copy of RWWGuard expires here. If you need to activate a new license key to update the expiration, you can select the “Activate new license” link to do so.
The exception list is designed to OVERRIDE the default behaviour of RWWGuard for certain users. If “Force OTP Auth” is enabled, then anyone in the exception list is not required to provide an OTP Passcode. If “Force OTP Auth” is NOT enabled, then anyone in the exception list IS required to do so.
When RWW-Guard is installed but not enabled, it will continue to provide detailed audit logging in the RWW-Guard Event Log. It looks and acts EXACTLY like the traditional Remote Web Workplace logon page, with the one caveat that RWW-Guard does not currently support the “Change Password” functionality if an Active Directory password expires.
When RWW-Guard is enabled, a new OTP Passcode field is added to the logon form.If a user is required to provide an OTP Passcode, the username is sent along with the OTP Passcode to the configured RADIUS or Two Factor Auth source. On success, the active directory credentials are then verifies, and finally logon to Remote Web Workplace occurs.
Using alternate strong authentication credentials
There may be times where the username you wish to send to the RADIUS server does not match your Active Directory username. You can do this by clicking the “Show Advanced” link beside the OTP Passcode field and filling out the “User name” field.
An example where this could be useful is by using user “Bob’s” two-factor authentication credentials to logon to the “Administrator” account. In this way, you know that it was “Bob” that logged in to the Administrator account over the Internet, and not “Alice”.
NOTE: If you disable Impersonation, this feature is NOT available. See section above on “Allowing Impersonation”.
Reviewing Audit Logs
Viewing the Authentication Logs
RWWGuard provides detailed audit logs for all users who use Remote Web Workplace. Included in this are the following fields:
- Active Directory Username
- Strong Auth Account
- Logon Time
- IP Address
NOTE: The Strong Auth Account will match the Active Directory Username unless the alternate username field was used in the RWWGuard Advanced logon form.
Viewing Failed Logons in the SBS Daily Report
RWWGuard stores its authentication logs in a custom Event Log catalogue. Because of this, during the generation of the daily “Server Performance Report” any failed logon attempts will be shown in the report.
Congratulations! There is always so much to see in a new product, and you have just successfully completed an installation and review of the key features of Scorpion Software’s RWWGuard product.
While this Installation Guide can only cover the highlights of RWWGuard in action, we have been able to see several key points:
- RWWGuard is easy to set up and install. As a built in web application on SBS2003, it blends easily with your existing management process.
- RWWGuard protects your small business and enhances its remote access security with the addition of two-factor authentication directly into Remote Web Workplace.
- RWWGuard puts daily, comprehensible failed logon reports in the hands of the administrators who need them through the daily SBS report.
- RWWGuard not only highlights logon failures, it allows the administrator to go from high-level detection to detailed analysis of current password policies.
Thank you for taking the time to install RWWGuard. If you have any questions or comments on RWWGuard, or wish to provide feedback on this document, please feel free to email firstname.lastname@example.org.
Appendix A – Testing RWWGuard without a Strong Authentication Server
If you don’t currently have a strong authentication server available you can still test RWWGuard on your server. If you set the IP Address in the “RADIUS Settings” to 0.0.0.0, the password stored in the “Shared Secret” field will be used as the valid OTP Passcode. All other features within RWWGuard will continue to work the same way.
Note: This should be done for TESTING purposes only.