Professional Edition Only
Companies with large numbers of employees face the problem of needing to delegate routine tasks, such as resetting lost passwords, to internal support departments, yet at the same time don't really want to distribute administrator passwords to personnel manning the company help desk.
With SafeHouse, the solution to this dilemma is easy!
SafeHouse includes an amazing feature known as administrator smartcards. These are special smartcards prepared using the SafeHouse Branding Wizard with a single goal in mind: to be able to delegate sensitive administration tasks to support personnel or sub-level administrators without needing to tell them the SafeHouse group administrator password.
All smartcards are protected by a PIN or password. As such, SafeHouse administrator smartcards can only be used by people who are in possession of the card and also know the PIN.
Smartcards are created on a per-group basis. You must know the administrator password for a group in order to create a smartcard which can be used to administer that group.
As the top-level SafeHouse administrator, you can create an administrator smartcard and hand it to somebody you trust to perform certain administrative tasks, such as resetting SafeHouse volume passwords. When you no longer wish to allow this person to perform these tasks, simply take back the smartcard or disable it using the SafeHouseAdmin.com website. Either way, this person will not be able to perform any future administrator tasks.
Administrator smartcards offer the following features:
You can create as many of them as you need using the Branding Wizard.
Smartcard entries for multiple SafeHouse branding groups can reside on the same physical smartcard.
Top-level administrators can enable or disable smartcards at will using the SafeHouseAdmin.com website.
Each use of the card is logged at SafeHouseAdmin.com.
Users of administrator smartcards never need to know the respective SafeHouse group passwords.
Each smartcard has its own PIN or password.
Smartcards are assigned serial numbers by SafeHouse and are easily tracked.
Administrator smartcards can be used to perform both local and remote volume password resets.
If a smartcard ever falls into the wrong hands, it can be immediately disabled to prevent its future use.
There is no way that anyone in possession of an administrator smartcard can derive the corresponding group password.
Users of administrator smartcards do not need to be granted access to SafeHouseAdmin.com.
All administrator smartcard operations in SafeHouse are performed on behalf of a specific group.
Administrator smartcards are associated with specific SafeHouse branding groups. Although information for multiple groups can actually be stored on the same physical smartcard device, the intent is to give you fine-grained control over the range of groups that a specific smartcard user can administer.
When you use the SafeHouse Branding Wizard to create an administrator smartcard, what you are actually doing is creating a record on the smartcard for a given group, indexed by its serial number. Throughout the product, wherever the SafeHouse software can authenticate an administrator using a smartcard in lieu of a password, it will search the smartcard looking for an entry (by serial number) corresponding to the current SafeHouse group. If found, the holder of the smartcard is deemed to be an authenticated administrator.
Please note that the operational requirements for commercial smartcards compatible with this SafeHouse feature are higher than the much-simpler requirements for smartcards used to store SafeHouse volume passwords. The reason for this is that not all smartcards support the industry-standard cryptographic features required by SafeHouse for administrator smartcards. These advanced features are not needed to store SafeHouse volume passwords.
Smartcards compatible with this feature include:
SafeHouse's own virtual smartcards using USB flash drives and memory sticks.
Smartcards manufactured by Aladdin.
Smartcards manufactured by ActivIdentity.
You must enable SafeHouse's use of smartcards prior to creating or using an administrator smartcard.
Smartcards are enabled using the drop list found on the Options tab of the SafeHouse system tray utility. The screen shot below shows the dialog where smartcards are configured within SafeHouse. In this case, the virtual smartcard has been selected, which carries the additional requirement that you must create the virtual smartcard file on your USB flash device.
It is fully permissible to use the same smartcard for both volume passwords and the branding group entries which are being described herein.