Challenge/Response Authorization

Challenge/Response authorization provides an additional level of control for access to applications and privileges, by presenting users with a challenge code in an end user message. For the user to progress, they must enter a corresponding response code into the message.

Any policy that has a message in with challenge/response needs a shared key. This key is defined when you set up the first challenge/response message in your policy, although you can change it later if required. If you create a Workstyle containing a challenge/response message or you create a new challenge/response message and you are not prompted to create a shared key, then there is already a shared key for the policy. You cannot view this shared key, however you can change it if required in the Design page of a Message.

Challenge/Response authorization is configured as part of an end user message, and can be used in combination with any other authorization and authentication features of Privilege Management for Windows messaging.

Authorization is applied per user, per token, per application, meaning that each user is presented with challenge codes that when authorized, only apply to them, the token used to request access, and the specific application.

If there is still a valid Privilege Management for Windows response code available to the endpoint when the user runs the application with a Power Rule assigned to it, the application opens using the existing Privilege Management for Windows response code and the Rule Script is not run.

Challenge and response codes are presented as 8 digit numbers, to minimize the possibility of incorrect entry. When a user is presented with a challenge code, the message may be canceled without invalidating the code. If the user runs the same application, they are presented with the same challenge code. This allows users to request a response code from IT helpdesks who may not be immediately available to provide a response.

For more information, please see the following:

Shared Key

The first time you create a Privilege Management for Windows end user message with a challenge, you are asked to create a shared key. The shared key is used by Privilege Management for Windows to generate challenge codes at the endpoint.

Once you enter a shared key, it is applied to all end user messages that have challenge/response authorization enabled in the same Privilege Management for Windows settings.

To change the shared key:

  1. Right-click the Messages node of a Workstyle and select Set Challenge/Response Shared Key.
  2. In the Challenge/Response Shared Key dialog box, edit the Enter Key and Confirm Key with the new shared Key.
  3. Click OK to complete. If the key entered is not exact, you will be presented with a warning message.

We recommend your shared key be at least 15 characters and include a combination of alphanumeric, symbolic, upper, and lowercase characters. As a best practice, the shared key should be changed periodically.

Generate a Response Code

There are two ways to generate a response code. You can either use the PGChallengeResponseUI.exe utility that is installed as part of the Privilege Management Policy Editor, or you can generate the the codes in the MMC.

To generate a response code, you must have set a Challenge/Response shared key. You are prompted to do this when you create any policy that has a Challenge/Response message assigned to it. Alternatively, you can set the Challenge/Response shared key from the home page of the Privilege Management Settings node by clicking Set Challenge/Response Shared Key.

You can generate a response code from the Privilege Management Policy Editor. This launches a tool called PGChallengeResponseUI.exe. This tool is part of your installation and can be used independently of the Privilege Management Policy Editor. The tool is installed to the <Installation Dir>\Avecto\Privilege Guard Management Consoles\ path:

To generate a response code in the Privilege Management Policy Editor:

  1. Click the Privilege Management Settings node and then Tools on the right side.
  2. Click Response Code Generator.
  3. Enter the shared key you defined, and the challenge code from the end user.
  4. The response code is generated once both the Shared Key and the 8 character challenge code are entered.

The response value can then be sent to the end user to enter into their challenge dialog box.

Generate a Response Code from the Command Line

Response codes can also be generated from the command line using the PGChallengeResponse.exe command line utility, which is installed as part of the Privilege Management Policy Editor installation, and is located in the <Installation Dir>\Avecto\Privilege Guard Management Consoles\ directory:

To generate a response code from the command line:

  1. Open the Command Prompt by clicking the Start Menu and typing cmd.exe.
  2. In the Command Prompt, type the following command, then press Enter:
    cd "\program files\avecto\privilege guard management consoles"
  1. Once you open the privilege guard management consoles directory, type the following command (where <challenge> is the challenge code presented to a user):
    pgchallengeresponse.exe <challenge>
  2. At the Shared Key prompt, enter the correct shared key, then press Enter.

PGChallengeResponseUI.exe is a standalone utility and can be distributed separately from the Privilege Management Policy Editor.

Automating Response Code Generation

The PGChallengeResponse.exe utility supports full command line use, allowing it to be easily integrated into any third party workflow that supports the execution of command line executables. The command line is as follows:

PGChallengeResponse.exe <challenge code> <shared key> <duration>

The duration parameter is optional.

In the command line argument above, <challenge code> is the code presented to the user and <shared key> is the key that was configured within the Privilege Management for Windows settings which presented the end user message.

The utility returna the response code as an exit code, so it can be captured from within a custom script or wrapper application. The options for the optional <duration> parameter are once | session | forever.

Below is an example VBScript:

Dim WshShell, oExec
Dim strChallenge,strKey,strExecutable, strType
strExecutable = "C:\Program Files\Avecto\Privilege Guard Privilege Management Policy Editors\PGChallengeResponse.exe"
strChallenge = InputBox("Enter Challenge Code from user","Challenge")
strType = InputBox("Would you like a Once, Session, or Forever key?","Type")
strKey = InputBox("Enter Authorization Key from policy","Key")
Set WshShell = WScript.CreateObject("WScript.Shell")
Set oExec = WshShell.Exec(strExecutable & " " & strChallenge & " " & strType & " " & strKey )
Do While oExec.Status = 0
WScript.Sleep 100
Loop
msgbox "Response Code: " & oExec.ExitCode
Set WshShell = Nothing Set oExec = Nothing