Your effort to increase security for vital company information has led you to DynaPass. We think you will find your search worth the time spent. Expect us to provide you with years of dynamic service as we work together to secure one of your most precious assets: classified information.
April System Design has utilized their experienced and competent software development staff to bring you a simplified, streamlined method of reducing authentication leaks, while improving administrative monitoring. We have spent over two years developing and fine-tuning DynaPass to provide you with an efficient security solution.
When you make the decision to purchase April System Design products, we think of you as a long-term business partner. We not only provide product support, but you can expect us to always notify you of enhancements or upgrades as they occur.
(For the latest in April System Design product news, periodically check our website at http://www.aprilsystem.com).
DynaPass - the 'Open Sesame' system - gives you a password you cannot lose, forget or leave in the wrong hands. You get a password every time you need one, and in between it does not exist.
DynaPass identifies the individual - it provides the user with a 'one-time' password and opens up the User Account only for the time that the user is active.
DynaPass generates 'one-time' passwords that are limited in time, impossible to guess and easy to administrate - even if there are thousands of active users. The passwords are distributed to the users on a communication link that is completely isolated from the link used by the user terminal or workstation. The password is displayed, as an SMS message, on the user's cellular phone or pager.
The cellular phone
The cellular phone verifies the user's identity. First, the subscription and access to the network is controlled and protected by a mechanism (Smart Card) built into the phone. Second, the phone is protected by a personal code.
The user needs a cellular phone with at least a receiving feature since DynaPass automatically will distribute passwords to the user's phone.
If the phone has a sending feature, like most of the modern GSM phones, the user can initiate a new password whenever he likes.
The DynaPass method
1. DynaPass will activate the User Account and assign a randomly generated password - once a night (the time setting is optional).
2. The password will be sent as an SMS-message to the user's unit - every night.
3. Open your cellular phone with the personal code (pin-code).
4. You can, within the next few seconds, use the received password together with your User Account to log in to the system.
Automatic distribution of passwords.
Users with a phone that has SMS sending capabilities can at any time request a new password by sending a message to the central system.
Hardware:
Pentium PC with at least one serial port available.
Software:
Microsoft NT4 Service Pack 4 or later.
Microsoft Windows 2000.
ODBC driver for selected database (default MS Access) available.
Cellular phone:
SMS send and receive capabilities
Asynchronous serial interface compliant with:
ETSI GSM 07.05
ETSI TS 100 916 V7.5.0 (GSM 07.07)
Serial cable to connect to DynaPass Server
Note!
Battery charger must be active all the time. Some serial adapters occupy the charger connection and obviously cannot be used in combination with DynaPass.
System verification made using Ericsson T28 (all models), R320, T18s and T18z.
Hardware:
Pentium PC.
Software:
Microsoft NT4 Service Pack 4 or later.
Microsoft Windows 2000.
JAVA Virtual Machine version 1.3 or later.
ODBC driver for selected database (default MS Access) available.
Display driver minimum SVGA resolution.
Cellular phone:
Any phone capable of at least receiving SMS messages.
You should have general knowledge of NT/W2000 administration to install DynaPass.
DynaPass is organized in three main modules.
Although they closely interact with each other they can be installed in a single machine or split up in different locations/machines in your network. Most likely you would like to run the DynaPass User Administration from a machine located in the Help Desk or administration area while the DynaPass Server is located in the server room. Depending on your selections you will be asked to input information about your network during the installation process.
The DynaPass Server runs as a number of NT/W2000 Services and can be installed in the Domain Controller or in any other NT/W2000 machine in your network. The selected machine must have one or more COM ports available where you connect the cellular phone to the DynaPass Server.
DynaPass Services must have access to the NT or Windows 2000 user database. If you install DynaPass on the Domain Controller the Services can be configured as a Local System Services. If installed elsewhere or if you want DynaPass to administrate more than a single domain you must create a User Account that grants DynaPass user administration rights in the domain(s).
Use your normal NT/W2000 user administration tools to add a user "DynaPass" to the domain. Assign a password and set it to live forever. The account must have user administration rights in the domain(s). This account name and password will be used later in the DynaPass installation process.
In the default configuration DynaPass uses a cellular phone to automatically distribute passwords and also to detect password requests. The phone must be connected and switched on when you install DynaPass.
DynaPass can use most modern phones that come with support for asynchronous communication between the phone and the PC. However you must select a model that allows continuous charging of the phone battery. A list of supported phones can be found on our web, http://www.dynapass.com
DynaPass creates and maintains a user database containing user profiles and events. This database must be accessible to the DynaPass Server and the DynaPass User Manager. The install program will place an MS Access database on the machine running the DynaPass Server. You can move the database to any other suitable location. Since DynaPass uses standard SQL to access the database you can locate the database on an SQL Server if wanted. If you move or relocate the database you must manually configure the ODBC driver on the units running the DynaPass Server and DynaPass User Manager accordingly.
The DynaPass User Manager is a JAVA application and requires JAVA installed on the machine from which you intend to run the DynaPass administration. You can install JAVA for NT/W2000 from the DynaPass distribution CD or from http://java.sun.com/j2se/. This must be done prior to the installation of DynaPass User Manager.
You need to have Administrator access rights to install DynaPass.
If you already have DynaPass running on your machine, all DynaPass services will be stopped before the installation can proceed. Please wait for the process to complete. If necessary your database will be converted to the needs of the new version. You will not lose any of your installation or user configurations.
Before installation of DynaPass you must install the JAVA virtual machine and connect the cellular phone to the COM port you intend to use. The phone should be turned on. Log on with Administrator access rights.
NOTE! If you don't intend to install the DynaPass User Manager you do not have to install JAVA.
Insert the April System Design distribution CD and select DynaPass in the list of products to install. Follow the instructions on the screen.
The default suggests that you install all components on the same machine. Instructions on how to install the DynaPass User Manager on other units in your network will be discussed later in this chapter.
DynaPass Services must have access to the NT or Windows 2000 user database. If you install DynaPass on the Domain Controller the Services can be configured as Local System Services (no account name and password is needed). If installed elsewhere or if you want DynaPass to administrate more than a single domain/server you must create a User Account that grants DynaPass user administration rights in the domain(s).
Use the NT/W2000 user administration tools to add a user "DynaPass". Assign a password and set it to live forever. The account must have user administration rights in the domain(s). This name and password will be used by the DynaPass services at startup.
NOTE! If your machine is configured for WORKGROUP (not a domain member) you can NOT use a specified account. You must select System Account.
The DynaPass set up program will automatically search your machine for installed components and try to identify your cellular phone.
The install process will display the port where the phone is connected. It will also show the type of phone and the Service Center Number found on the Smart Card installed in the phone.
Contact your Mobile Network Operator if no Service Center Number is found. SMS messages cannot be sent from the phone without this number. The User Manual supplied with your phone describes how to enter this number. Normally the card that goes with your subscription comes with the number already in place.
You are advised to abort the installation if a valid cellular phone is not found or if the Service Center Number is not available.
During installation you will be asked to configure the ODBC driver. DynaPass defaults to a Microsoft Access database located in the installation directory. Click OK to accept the suggested defaults. If you want to use another type of database, for example SQL Server or if you want to relocate the database to another location you must configure the ODBC accordingly.
The DynaPass User Manager is a JAVA application and requires JAVA installed on the machine from which you intend to run the DynaPass administration. See the section Installation Planning for more information on JAVA.
Insert the April System Design distribution CD and select DynaPass in the list of products to install. Follow the instructions on the screen.
Select "Install only the DynaPass User Manager".
You will now be prompted to input information about where the DynaPass database is located. The installation program assumes that you have installed the database using the default values. If not you must edit the values to reflect your environment. The information is used to set up the DynaPass ODBC resource in your machine.
The full network path to the database will be checked when you click "Next". The installation will proceed if the path is valid and the necessary files will be copied to your disk.
You can use the NT/W2000 ODBC tool to change the values in the future.
Start the DynaPass User manager from the shortcut in the programs menu.
The last step of the installation process installs the DynaPass User Manager and you will be asked if you want to launch the manager immediately.
The DynaPass User Manager is the only part of DynaPass that is visible to the administrator. The purpose is to give the administrator a simple way to maintain a DynaPass User Account.
The User Manager allows you to:
The DynaPass user database is built and maintained by the DynaPass User Manager. The list of users is picked up from the NT/W2000 Domain Controller/server selected in the Server list.
New User Accounts must always be added using the standard tools provided for your network environment. The account must exist in this environment before it can be activated in DynaPass. Accounts removed from the network will be automatically removed from the DynaPass administration at next startup or request for a new password.
The DynaPass database contains information about the profile for the particular account. Except for the phone number the profile describes different conditions for the account - once the password is generated - such as expiration time and selected password prefix.
In the Run.. Menu, type the full path to the DynaPass installation directory and the program name. The default is: c:\Program Files\Dynapass\DPUM.JAR
The last step in the installation process sets up and launches, if wanted, the DynaPass User Manager. The manager can also be started from the shortcut on your desktop or by selecting C:\Program Files\Dynapass\DPUM.JAR from the run menu.
In the login dialog box you must enter the name of the DynaPass database. The name is given during installation and the default name is DynaPass. Click OK and wait for the main screen to appear.
Note! Use the standard tools for the database (default MS Access) to set the user access properties such as user name and password.
The main screen gives a quick overview of the User Accounts on the selected Server. It shows if there is a phone number assigned and also if the account is activated for DynaPass control. By clicking the list headings you can sort the list according to your wishes.
The list of users will be empty the first time you launch the DynaPass User Manager. In the Server list box you should enter the name of the server you want to administrate.
Note: The server name is normally the name of the Domain Controller in your network; it is not to be confused with the Domain Name.
If you have more than one server or other NT/W2000 units and want the User Accounts on these machines/servers controlled by DynaPass you should enter these machine/server names in the list.
Normally the NT/W2000 Domain Controller controls all User Accounts in the network so it should not be necessary to maintain User Accounts on several locations. In a Workgroup environment however (no Domain controller) you must control users on each server individually.
NOTE! To remove a server from the list just select the name and clear the field.
Select the server you want to administrate from the list to view the User Accounts. Then click on the database refresh button to update the DynaPass database. A list of User Accounts on the selected server will appear.
Double click the user you want to configure for DynaPass security. A folder showing the details for the selected user will open. The top part will show the User Account information as registered in the NT/W2000 user database. Proceed as follows to activate a user for DynaPass control.
'Never' - The password is valid until a new password is requested or automatically generated and distributed by DynaPass. This is the default setting.
'After' - The password will expire after the specified number of minutes.
'At' - The password will be disabled at the specified time.
Finally, activate the account for DynaPass control by marking the DynaPass account active checkbox. The User Account is now set for DynaPass control and the user can at any time make a request for a new password by sending an empty SMS message to the cellular phone on the DynaPass server.
NOTE! Active users with the same phone number are not allowed.
DynaPass can be configured to automatically assign a new password to a user on a regular basis. The schedule is set for each user individually.
In the main screen double click the user you want to administrate. In the user detail screen open the folder Automatic Password Distribution and select one of the three Occurrence alternatives.
'On request' - There is no automatic scheduling activated. The user must always request a new password by sending an SMS message to the cellular phone connected to the DynaPass server.
'Daily' - A new password will be assigned and distributed every day according to the settings entered in the Daily Frequency fields.
'Weekly' - Mark the day/days of the week you want to assign and distribute a new password. You must also set the weekly interval by entering this in the edit box. The example above assigns a new password every week Monday through Friday.
Specify the time of the day you want the password distribution to occur by setting the options in the Daily Frequency area. Mark one of the alternatives as described below.
'Occurs once at' - Set the time for renewal in the edit box if you want a new password once a day.
'Occurs every' - Select this if you want a password renewal more than once a day. Enter the period in the edit box and select minutes or hours in the corresponding list box. Enter the start and stop time in the corresponding edit boxes.
In the Duration area you should enter the start date when you want this account to be active for DynaPass control. Enter today's date if you want it to be immediately available. Then select either of the following.
'End date' - For temporary accounts. Enter the date when the account should be deactivated in DynaPass.
'No end date' - The account is active for DynaPass control until manually removed.
NOTE! Press the Reset button to return to DynaPass default settings.
DynaPass initially defaults all user settings to the schedule "DynaPass Defaults". Follow the procedures below to create templates with your own settings.
In the DynaPass User Manager Main Screen you can select a user to which you have assigned a schedule. This schedule can be used as a template when configuring other accounts.
In the menu bar select Options and Create Template. This will copy all settings for the selected user except for the prefix and phone number to a template that can be used later on when configuring new users for DynaPass control.
Type the template name and description in the dialog box and click yes if you want the created template to be the default template. You can repeat the procedure to create more templates using other settings.
Once you have created one or more templates you can select which one to use when configuring future users.
The names and description of all templates will appear in the list. Select the one you want to use and mark as active. The bullet indicates the template in use.
Using templates makes it very easy to configure and maintain the users; the only thing that has to be configured individually per user is the phone number, and optionally the prefix.
To let you follow up on what has happened in your system and who has accessed it, all important DynaPass events are logged in the System Application Event log. All incoming calls/messages are timestamped and recorded, as are the outgoing messages. The content of the outgoing message (the password) is not recorded, for security reasons.
The following basic types of events are logged:
Use the NT/W2000 Event Viewer to view and audit DynaPass activities.
If needed use the Filtering options to view DynaPass events only.
Select and double click to view details about the event (see example below).
If logging is not possible (Event log full) DynaPass will continue operation without logging. When logging becomes possible DynaPass will log a message indicating the number of events that were lost. If the system is restarted during this condition the indication represents the number of events since the last restart.
DynaPass continuously checks the number of users active in the system. The number of active users must not exceed the number of licenses purchased. The system administrator will receive a warning when the limit is reached.
In the DynaPass User Manager Main Screen select 'Help' and then 'About'.
A compiled list of all licenses found in the system is displayed. Use this information when asking for support or updates.
License expires and Days left helps the administrator keep track of temporary time limited licenses. License No: displays the serial numbers of the license/licenses installed on your system.
Available User Licenses indicates the number of users you can still activate for DynaPass control without violating the license conditions.
Licenses Currently in Use shows the current number of configured users.
When purchasing DynaPass you will receive a license information document. It contains product information such as serial number, number of users and expire date. It also contains a 20 character Activation Code. Save this document. It is the key to future upgrade and support.
Select 'Activ.License' and enter the Activation code. If you want to you can also enter information about your organization.
Follow the same procedure if you have purchased add on licenses. All license information will be stored in the DynaPass database and DynaPass will compute the total number of licensed users.
For evaluation purposes DynaPass will run for a limited time (30 days) without a valid license. Contact your supplier or April System Design for more information on how to order or extend the evaluation time.
Ensure that your phone is switched on and registered on the network during the following procedures.
If you have decided to enhance the security by using a prefix, please follow the steps described above. Remember to type your prefix in front of the password received when logging on to your system.
DynaPass generates passwords in upper case using a mix of alphabetic characters and digits. Passwords should be entered in upper case at log in. The prefix must be typed using upper/lower case exactly as typed at registration time.
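The password format described above (upper-case letters and digits, with an optional case-sensitive prefix) and the 'Never', 'After' and 'At' expiry settings can be modelled as follows. This is an added example, not DynaPass code. The password length, the salted-hash storage, the 'At' rollover to the next day and all names are assumptions.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional

# Upper-case letters and digits, as the manual describes generated passwords.
ALPHABET = string.ascii_uppercase + string.digits
PASSWORD_LENGTH = 8  # assumption: the manual does not state a length


def generate_password(length: int = PASSWORD_LENGTH) -> str:
    """Draw every character from the OS CSPRNG via the secrets module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class Account:  # hypothetical record, not the DynaPass database schema
    name: str
    prefix: str = ""            # optional user-chosen prefix, case-sensitive
    expiry_mode: str = "Never"  # 'Never', 'After' or 'At'
    after_minutes: int = 0      # used by 'After'
    at_time: time = time(0, 0)  # used by 'At'
    salt: bytes = b""
    digest: bytes = b""         # only a salted hash of prefix+password is kept
    expires: Optional[datetime] = None


def _hash(salt: bytes, secret: str) -> bytes:
    return hashlib.sha256(salt + secret.encode("utf-8")).digest()


def issue(account: Account, now: datetime) -> str:
    """Assign a fresh password and return the part that would go out by SMS."""
    password = generate_password()
    account.salt = secrets.token_bytes(16)
    account.digest = _hash(account.salt, account.prefix + password)
    if account.expiry_mode == "After":
        account.expires = now + timedelta(minutes=account.after_minutes)
    elif account.expiry_mode == "At":
        deadline = datetime.combine(now.date(), account.at_time)
        if deadline <= now:     # assumption: a time already past means tomorrow
            deadline += timedelta(days=1)
        account.expires = deadline
    elif account.expiry_mode == "Never":
        account.expires = None  # valid until the next issue() replaces it
    else:
        raise ValueError(f"unknown expiry mode: {account.expiry_mode!r}")
    return password


def verify(account: Account, typed: str, now: datetime) -> bool:
    """Check prefix+password exactly as typed, then the expiry time."""
    if not account.digest:
        return False            # nothing has been issued yet
    if account.expires is not None and now >= account.expires:
        return False
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(_hash(account.salt, typed), account.digest)
```

Only the generated part travels by SMS; the prefix never leaves the user, so a message read on an unlocked phone is not enough on its own to log in.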
The user with a phone that can send SMS messages has the option to control DynaPass activity by sending specific control messages to DynaPass as listed in the table below.
Message Content | DynaPass Response | Action |
Blank or upper case A | Password | New password generated and sent to user |
OFF | Automatic distribution OFF | Automatic distribution stopped until ON received |
ON | Automatic distribution ON | Automatic distribution started (default) |
To check the status of the SMS delivery system and the condition of the cellular phone connected to the DynaPass server, you can send a control message containing SST to the DynaPass server. The response indicates the status of the server and its phone and looks like 95/READY /22. This example indicates that the battery is charged to 95% and that the signal level is 22 (max 50). A low battery charge value indicates a problem with the charger. No response indicates a problem in the SMS delivery system or that your phone is not registered with DynaPass.
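The control messages in the table and the SST status reply can be handled and monitored as sketched below. This is an added example, not DynaPass code. The function names, the alert thresholds, the exact-case matching and the treatment of any state other than READY as a finding are assumptions, and the phone numbers are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Reply format shown in the manual: battery % / state / signal (max 50).
_STATUS_RE = re.compile(r"^\s*(\d{1,3})\s*/\s*([A-Z]+)\s*/\s*(\d{1,2})\s*$")


@dataclass
class PhoneStatus:
    battery_pct: int
    state: str
    signal: int


def parse_sst(reply: str) -> PhoneStatus:
    """Parse a status reply such as '95/READY /22', rejecting anything else."""
    m = _STATUS_RE.match(reply)
    if not m:
        raise ValueError(f"not an SST status reply: {reply!r}")
    battery, state, signal = int(m.group(1)), m.group(2), int(m.group(3))
    if battery > 100 or signal > 50:
        raise ValueError(f"value out of range in status reply: {reply!r}")
    return PhoneStatus(battery, state, signal)


def health_findings(reply: Optional[str], min_battery: int = 50,
                    min_signal: int = 10) -> List[str]:
    """Turn a status reply (None = no reply) into operator findings.
    The thresholds are assumptions, not values from the manual."""
    if reply is None:
        return ["no reply: SMS delivery problem or sender not registered"]
    try:
        status = parse_sst(reply)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if status.state != "READY":
        findings.append(f"server phone state is {status.state}")
    if status.battery_pct < min_battery:
        findings.append(f"battery at {status.battery_pct}%: check the charger")
    if status.signal < min_signal:
        findings.append(f"weak signal: {status.signal}/50")
    return findings


def classify(body: str) -> Optional[str]:
    """Map a message body to the action listed in the control-message table."""
    text = body.strip()
    if text in ("", "A"):  # blank or upper-case A
        return "NEW_PASSWORD"
    return {"OFF": "DISTRIBUTION_OFF", "ON": "DISTRIBUTION_ON",
            "SST": "STATUS"}.get(text)


def build_directory(users: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map phone number -> account. The sender's number is the only identity
    check, so two active accounts must never share one number."""
    directory: Dict[str, str] = {}
    for account, phone in users:
        if phone in directory:
            raise ValueError(f"{phone} already assigned to {directory[phone]}")
        directory[phone] = account
    return directory


def handle_sms(sender: str, body: str,
               directory: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (account, action), or None when no reply should be sent."""
    account = directory.get(sender)
    if account is None:
        return None  # unregistered number: stay silent
    action = classify(body)
    return (account, action) if action else None
```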
DynaPass installs three NT/W2000 Services shown in the table below.
File Name | Service Name as viewed in control panel |
DPC.EXE | DynaPass Client Service |
DPDBS.EXE | DynaPass Data Base Service |
DPGSMS.EXE | DynaPass GSM Service |
The default suggests Local services that start automatically as shown below. All DynaPass services must be configured the same way. Use the normal NT/W2000 Services tool to configure the DynaPass services.
If you install DynaPass on the Domain Controller it can be configured as a Local System Service as shown above. If installed elsewhere or if you want DynaPass to administrate more than a single domain, you must create a User Account that grants DynaPass User Administration rights in the domain(s).
In the Services dialog box enter the Log on account name and password you have selected for this Service. Remember that the password for this account should be set to live forever. Set the services to start automatically.
NOTE! Repeat these steps for all DynaPass services as listed above.
The DynaPass Services are dependent on each other. This should be taken into consideration when starting and stopping the Services manually. The install process will automatically start all Services in the correct order. You can use the NT/W2000 Services dialog box to manually start and stop the Services. The picture shows the dependencies and indicates the start/stop order.
Starting DynaPass - In the services control panel select DynaPass Client Service and click START.
Stopping DynaPass - In the services control panel select DynaPass Database Service and click STOP.
What happens if I lose my password?
Users with a phone that has SMS sending capabilities can at any time request a new one by sending a message to the central system. Within a few seconds a new password will appear on their phone.
Users without SMS sending capabilities will have to ask the helpdesk to 'kick-start' the process. The new password will appear on the phone within a few seconds.
What happens if my phone is 'out of range' or turned off when the password is distributed?
The SMS message will be delivered as soon as the phone is 'detected' by the network, i.e. when the phone is switched on or when it comes within range.
Are there other ways to distribute the password?
Yes, DynaPass has the option to distribute the password through other channels, for example a nationwide paging system. However, the channel must for security reasons be encrypted 'in the air'.
My network operator has a gateway for sending SMS messages. Can DynaPass use that?
Yes, DynaPass has support for a wide range of methods and protocols to access SMS Centers. Contact April System Design for more information.
Can I combine automatic distribution and distribution on request?
Yes.
What about capacity? I have 500 users in my domain and they all want to 'login' at nine in the morning, will there be a long wait for password?
No, the automatic distribution is spread over time and the new password is in your phone when you wake up in the morning.
Are there other ways to 'kick-start' the distribution process?
Yes, DynaPass supports different ways depending on your local environment.
If someone calls my helpdesk and claims that he is ME and asks for a new password, will he get it?
No, a new password will be distributed but it will end up on YOUR phone.
What happens if my phone dies?
You will have to fall back to the old procedure and ask your system administrator or helpdesk for an emergency password.
Does DynaPass change my current procedures for user administration?
No, DynaPass lives together with your current system. You still add and delete users using the tools provided with your system. DynaPass automatically picks up the changes and lets you easily assign a phone number to the account.
'Harry' is gone for a couple of weeks. Can I stop distribution temporarily?
Yes, send an SMS message with the content OFF to DynaPass. This will inhibit automatic password distribution for this account until an SMS message containing ON is received. Remember that you can always request a new password even if you have activated the Soft Stop. If your phone does not have SMS sending capability you can ask your helpdesk to deactivate 'Harry' in DynaPass.
Cellular phones use radio waves. Can someone listen?
Well, you can listen but not understand. Modern cellular networks, for example GSM, use digital transmission technique and the communication links are encrypted while 'in the air'.
All GSM traffic 'in open air', including messages, is encrypted and therefore impossible to decipher.
I have an SQL server in my network. Can I use this to host the DynaPass database?
Yes, just configure the ODBC to point at the database selected.