Challenge / Response Authorization

Challenge / Response authorization provides an additional level of control for access to applications and privileges, by presenting users with a challenge code in an end user message. In order for the user to progress, they must enter a corresponding response code into the message.

Any policy that has a message with a challenge / response requires a shared key. This key is defined when you set up the first challenge / response message in your policy, although you can change it later if required. If you create a Workstyle containing a challenge / response message, or you create a new challenge / response message, and you are not prompted to create a shared key, then a shared key already exists for the policy. You cannot view this shared key; however, you can change it here if required.

Challenge / Response authorization is configured as part of an end user message, and can be used in combination with any other authorization and authentication features of Privilege Management for Mac messaging.

Users will be presented with a different, unique challenge code each time a challenge / response message is displayed.

Shared Key

The first time you create a Privilege Management for Mac end user message with a challenge, you are asked to create a shared key. The shared key is used by Privilege Management for Mac to generate challenge codes at the endpoint.

Once you have entered a shared key, it will be applied to all end user messages that have challenge / response authorization enabled in the same Privilege Management for Mac settings.

To change the shared key:

  1. Click the Messages node of a Workstyle and select Actions > Challenge / Response Keys.
  2. In the Challenge / Response Shared Key dialog box, edit the Enter Key and Confirm Key with the new Shared Key.
  3. Click OK to complete. If the Enter Key and Confirm Key values do not match, a warning message appears.

We recommend that your shared key be at least 15 characters and include a combination of alphanumeric, symbolic, uppercase, and lowercase characters. As a best practice, the shared key should be changed periodically.

Generate a Response Code

There are two ways to generate a response code. You can either use the PGChallengeResponseUI.exe utility that is installed as part of the Privilege Management Policy Editor, or you can generate a response code directly within ePO.

Response codes are generated from the ePO extension using the BeyondTrust Response Generator page.

For more information on configuring challenge / response authorization enabled end user Messages, please see Challenge/Response Authorization.

Generate Response Codes from ePO

You can use the BeyondTrust Response Generator page in ePO to generate response codes.

View the BeyondTrust Response Generator Page

The BeyondTrust Response Generator lists all the policies that contain an end user Message that is configured to present a challenge to the end user. Usually, you only have one policy that contains your challenge Message configuration.

Generate Response Codes in the BeyondTrust Response Generator Page

You do not need to type in the Shared Key for the policy using the BeyondTrust Response Generator page. This is managed for you by the BeyondTrust ePO Extension.

  1. Navigate to the BeyondTrust Response Generator on the menu bar.
  2. Click the Generate response code link to the right of the policy name that triggered the end user's challenge code. The Generate Response Code dialog box appears.
  3. Enter the Challenge code provided by the end user. The options for the Authorization period dropdown menu determine the longevity of the response code.
  4. Click Generate Response Code. The Response code appears below. This is the code that the end user needs to run that application for the duration of the Authorization period.

For more information, please see Challenge/Response Authorization.

Generating Response Codes using the PGChallengeResponseUI Utility

Response codes can be generated using PGChallengeResponseUI.exe, which is installed as part of the Privilege Management Policy Editor installation, and is located in the C:\Program Files\Avecto\Privilege Guard Management Consoles\ directory.

To generate a response code using the PGChallengeResponseUI utility:

  1. Run the program PGChallengeResponseUI.exe.
  2. In Enter shared key, enter the shared key you defined earlier, and in Enter challenge code, enter the challenge code presented to the user.
  3. The response code is automatically displayed once both the Shared Key and the 8 character challenge code are entered.

The Generated Response value is then entered into the End User Message which presents the corresponding challenge.

PGChallengeResponseUI.exe is a standalone utility and can be distributed separately from the Privilege Management Policy Editor.
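The page does not document how Privilege Management for Mac derives a response code from the shared key and the 8 character challenge code, so the block below is an added, generic illustration of the mechanism and is not the product's algorithm or code. It assumes an HMAC-SHA256 construction keyed with the shared key over the challenge code and the selected authorization period, with all constants (the character alphabet, the 8 character lengths, the period names and their durations) constructed for the example. It models the three roles described above: the endpoint issuing a fresh challenge per prompt, the administrator's generator (the Response Generator page or PGChallengeResponseUI role) producing the response, and the endpoint verifying the typed response and recovering the authorization period it was generated for.

```python
import hashlib
import hmac
import secrets
import string

# Constructed parameters for this illustration only; the real product's
# code format and algorithm are not described on the page.
CODE_ALPHABET = string.digits + string.ascii_uppercase  # characters a user can type
CHALLENGE_LENGTH = 8
RESPONSE_LENGTH = 8

# Assumed authorization periods (name -> seconds). The product's actual
# dropdown values are not on the page.
AUTHORIZATION_PERIODS = {
    "once": 0,
    "1 hour": 3600,
    "24 hours": 86400,
}


def generate_challenge() -> str:
    """Endpoint side: a fresh, unpredictable challenge for each message shown."""
    return "".join(secrets.choice(CODE_ALPHABET) for _ in range(CHALLENGE_LENGTH))


def _tag_to_code(digest: bytes) -> str:
    """Map a 256-bit MAC tag onto RESPONSE_LENGTH typeable characters.

    Repeated divmod on the full integer keeps the per-character bias
    negligible (unlike 'byte % 36').
    """
    n = int.from_bytes(digest, "big")
    out = []
    for _ in range(RESPONSE_LENGTH):
        n, r = divmod(n, len(CODE_ALPHABET))
        out.append(CODE_ALPHABET[r])
    return "".join(out)


def generate_response(shared_key: str, challenge: str, period: str) -> str:
    """Administrator side: derive the response from key, challenge and period.

    Binding the period into the MAC means a response issued for 'once'
    cannot be reused by the user to claim a 24 hour authorization.
    """
    if len(challenge) != CHALLENGE_LENGTH:
        raise ValueError("challenge code must be %d characters" % CHALLENGE_LENGTH)
    if period not in AUTHORIZATION_PERIODS:
        raise ValueError("unknown authorization period: %r" % period)
    message = ("%s|%s" % (challenge.upper(), period)).encode()
    tag = hmac.new(shared_key.encode(), message, hashlib.sha256).digest()
    return _tag_to_code(tag)


def verify_response(shared_key: str, challenge: str, response: str):
    """Endpoint side: return the authorization period the response is valid
    for, or None if it matches no period (wrong key, typo, or replayed
    against a different challenge)."""
    for period in AUTHORIZATION_PERIODS:
        expected = generate_response(shared_key, challenge, period)
        # Constant-time comparison so timing does not leak partial matches.
        if hmac.compare_digest(expected, response.upper()):
            return period
    return None


if __name__ == "__main__":
    key = "Xk9$pL2m#Qw7!Rz4"          # constructed shared key (15+ mixed characters)
    challenge = generate_challenge()  # shown to the user in the end user message
    response = generate_response(key, challenge, "1 hour")
    print("challenge:", challenge, "response:", response)
    print("grants:", verify_response(key, challenge, response))
```

In this model the endpoint never needs to store issued responses: any response it accepts is bound to the challenge it just displayed and to one period, so a response copied from a previous prompt fails verification because the challenge differs. The shared key is the only secret, which is why the page's advice on key length, character mix and periodic rotation matters.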