MatchLogon extends the User Manager application provided by Windows: Active Directory Users & Computers (ADUC) snap-in. MatchLogon adds a new property page "MatchLogon" to the existing user profile dialog. This allows network administrators centralized access to MatchLogon functionality from anywhere within the Active Directory forest, and through the applications and access points native to Windows.
MatchLogon property page integrated into ADUC - User Properties dialog
MatchLogon New User Enrollment
The process of enrolling new MatchLogon users is very simple and consists of the following steps:
- Using the standard "New Object - User" wizard, an administrator simply enrolls a new user in a domain as usual. At this point the user is a normal domain user and can logon on to the network using his password. This step is not necessary and can be skipped if the user is already enrolled as a domain user.
- The administrator then opens the "User Properties" dialog box and selects the MatchLogon tab. By enabling and applying the "User can use hardware authentication devices" option, the administrator indicates that the registered domain user is now a MatchLogon user. Also, the administrator has the ability to adjust MatchLogon user settings to comply with the security policies of the organization.
- When the user logs on to the network on the next occasion (using the password, which the user still knows) the MatchLogon Workstation will welcome the new MatchLogon user and offer to carry out the authenticator enrollment procedure. After that, the user is allowed to a use hardware authenticator instead of his password, which will normally be automatically randomly generated once the first authenticator has been enrolled.
MatchLogon User Viewer
MatchLogon provides an additional MatchLogon User Viewer MMC console intended to provide system administrators with the capability of listing all domain users and viewing their MatchLogon specific properties. The MatchLogon User Viewer console can also be useful to security officers by enabling them to identify which employees are not MatchLogon users yet, which are MatchLogon enabled but have not enrolled their authenticators yet and which are already MatchLogon users.
All of the data that the MatchLogon User Viewer console displays can be sorted or exported for analysis in more powerful report writing applications such as Microsoft Excel or Crystal Reports.
Policies
MatchLogon policies allow the administrator to customize how MatchLogon operates and interacts. Many policies determine authentication and security requirements. Using MatchLogon policies, the overall security of the system can be increased or decreased to support various security and user requirements.
Audit
Audit refers to the process of logging and/or recording events. Events in MatchLogon typically take on the form of a user ("SomeUser") who succeeded or failed to do "something". MatchLogon audit trails or logs enable administrators to see which system resources were or are being accessed, by whom, and from what workstation.
There are numerous benefits to having audit trails available. Chief among those benefits is the ability of the network/domain administrator to identify problems, possible security breaches, and to view the status of the domain.
In order to support Windows functionality and integration requirements, MatchLogon leverages the native Windows Event Viewer sub-system to report all events. It extends the standard Event categories to include a MatchLogon specific node.
MatchLogon provides a powerful mechanism for multi-centralized auditing. By specifying the names of the audit servers, administrators and security departments can access different views of system events and use the native Windows Event Viewer to control the health of the system.
