Challenge / Response Authorization

Challenge / Response authorization provides an additional level of control for access to applications and privileges, by presenting users with a challenge code in a message to the user. In order for the user to progress, they must enter a corresponding response code into the message.

Any policy that includes a message with a challenge / response needs a shared key. This key is defined when you set up the first challenge / response message in your policy, although you can change it later, if required. If you create a Workstyle containing a challenge / response message or you create a new challenge / response message and you are not prompted to create a shared key, then there is already a shared key for the policy. You cannot view this shared key; however, you can change it if required in the Design page of a Message.

Challenge / Response authorization is configured as part of an end user message, and can be used in combination with any other authorization and authentication features of Privilege Management for Windows messaging.

Authorization is applied per user, per token, per application, meaning that each user is presented with challenge codes that when authorized, only apply to them, the token used to request access, and the specific application.

Challenge and response codes are presented as an 8 digit number, to minimize the possibility of incorrect entry. When a user is presented with a challenge code, the message may be canceled without invalidating the code. If the user runs the same application, they are presented with the same challenge code. This allows users to request a response code from IT helpdesks, who may not be immediately available to provide a response.

For more information, please see the following:

Shared Key

The first time you create a Privilege Management for Windows end user message with a challenge, you are asked to create a shared key. The shared key is used by Privilege Management for Windows to generate challenge codes at the endpoint.

Once you have entered a shared key, it is applied to all end user messages that have challenge / response authorization enabled in the same Privilege Management for Windows settings.

To change the shared key:

  1. Click the Messages node of a Workstyle and select Actions > Challenge / Response Keys.
  2. In the Challenge / Response Shared Key dialog box, edit the Enter Key and Confirm Key with the new shared key.
  3. Click OK to complete. If the key entered is not exact, you are presented with a warning message.

We recommend that your shared key be at least 15 characters and include a combination of alphanumeric, symbolic, upper, and lowercase characters. As a best practice, the shared key should be changed periodically.

Generate a Response Code

There are three ways to generate a response code. You can either use the PGChallengeResponseUI.exe utility that is installed as part of the Privilege Management Policy Editor or you can generate them directly within ePO.

Response codes are generated from the ePO extension using the BeyondTrust Response Generator page.

Generate Response Codes from ePO

You can use theBeyondTrust Response Generator page in ePO to generate response codes.

View the BeyondTrust Response Generator page:

The BeyondTrust Response Generator lists all the policies that contain an end user message that is configured to present a challenge to the end user. Usually, you only have one policy that contains your challenge message configuration.

Generating response codes in the BeyondTrust Response Generator page:

You do not need to type in the shared key for the policy using the BeyondTrust Response Generator page. This is managed for you by the BeyondTrust ePO Extension.

  1. Navigate to the BeyondTrust Response Generator on the menu bar.
  2. Click the Generate response code link to the right of the policy name that triggered the end user's challenge code. The Generate Response Code dialog box appears.
  3. Enter the Challenge code provided by the end user. If this Challenge code has an X at the end you can choose the Authorization period from the dropdown menu. The X is added to the Challenge code if the Authorization period has been configured to be As defined by helpdesk. If the Challenge code doesn't have an X at the end then this dropdown menu is disabled. The options for the Authorization period dropdown menu determine the longevity of the response code.
  4. Click Generate Response Code. The Response code appears below. This is the code that the user needs in order to run that application for the duration of the Authorization period.

Generate Response Codes using the PGChallengeResponseUI Utility

Response codes can be generated using PGChallengeResponseUI.exe, which is installed as part of the Privilege Management Policy Editor installation, and is located in the C:\Program Files\Avecto\Privilege Guard Management Consoles\ directory.

To generate a response code using the PGChallengeResponseUI utility:

  1. Run the program PGChallengeResponseUI.exe.
  2. In Enter shared key, enter the shared key you defined earlier, and in Enter challenge code, enter the challenge code presented to the user.
  3. The response code is automatically displayed once both the Shared Key and the 8 character challenge code have been entered.

The Generated Response value is then entered into the End User Message which presented the corresponding challenge.

PGChallengeResponseUI.exe is a standalone utility and can be distributed separately from the Privilege Management Policy Editor.

Generate a Response Code from the Command Line

Response codes can also be generated from the command line using the PGChallengeResponse.exe command line utility, which is installed as part of the Privilege Management Policy Editor installation, and is located in the C:\Program Files\Avecto\Privilege Guard Management Consoles\ directory.

To generate a response code from the command line:

  1. Open the Command Prompt by clicking the Start Menu and typing cmd.exe.
  2. In the Command Prompt, type the following command, and then press Enter:
    cd "\program files\avecto\privilege guard management consoles"
  3. Once you have opened the \privilege guard management consoles directory, type the following command (where <challenge> is the challenge code presented to a user):
    pgchallengeresponse.exe <challenge>
  4. At the Shared Key prompt, enter the correct shared key, and then press Enter.

PGChallengeResponseUI.exe is a standalone utility and can be distributed separately from the Privilege Management Policy Editor.

Automate Response Code Generation

The PGChallengeResponse.exe utility supports full command line use, allowing it to be easily integrated into any third party workflow that supports the execution of command line executables. The command line is as follows:

PGChallengeResponse.exe <challenge code> <shared key> <duration>

The duration parameter is optional.

<challenge code> is the code presented to the user and <shared key> is the key that was configured within the Privilege Management for Windows settings which presented the end user message.

The utility returns the response code as an exit code, so it can be captured from within a custom script or wrapper application. The options for the optional <duration> parameter are once | session.

Example VBScript
Dim WshShell, oExec 
Dim strChallenge,strKey,strExecutable, strType
strExecutable = "C:\Program Files\Avecto\Privilege Guard Management Consoles\PGChallengeResponse.exe"
strChallenge = InputBox("Enter Challenge Code from user","Challenge")
strType = InputBox("Would you like a Once or Session key?","Type")
strKey = InputBox("Enter Authorization Key from policy","Key")
Set WshShell = WScript.CreateObject("WScript.Shell")
Set oExec = WshShell.Exec(strExecutable & " " & strChallenge & " " & strType & " " & strKey )
Do While oExec.Status = 0
WScript.Sleep 100
msgbox "Response Code: " & oExec.ExitCode
Set WshShell = Nothing
Set oExec = Nothing

For more information, please see Message Text Options to Build Your Message.