ActivID ActivClient Deployment Process
The following sections outline the main stages of the deployment process and the decisions to be taken.
Deployment and Policy Planning
- Select ActivClient features to be installed. This defines the functionality available to the end user.
  For further information, see the ActivID ActivClient for Windows Installation Guide.
- Define the policies to specify ActivClient behavior. The final result should be a combination of security and usability.
  For further information, see Defining the ActivID ActivClient Policies.
For details on specific ActivClient capabilities and the associated policies, see the following sections:
Preparation
Customize the setup to meet your organization’s needs in terms of features and policies.
For further information, see Customizing the ActivID ActivClient Setup.
Deployment
- Select the deployment method − remote or local − so that either users can perform an interactive setup, or you can automate software installation and configuration using corporate software management technology.
- Deploy the policies.
For further information, see Deploying the ActivID ActivClient Setup.
Upgrading
Select the upgrade method according to the original installation/deployment method.
You can also use the ActivClient Auto-Update tool to publish and install the software updates.
For further information, see Upgrading and Updating.
ActivID ActivClient Management
Once ActivClient is successfully deployed and users are using their smart cards for authentication, digital signature or encryption services, the main administrative tasks are to:
- Modify and re-deploy the policies according to organizational needs.
- Monitor ActivClient using the auditing functions (applicable only to specific ActivClient services).
- Troubleshoot any issues (see Troubleshooting).
Administrative Tools
The \Admin folder of the ActivClient distribution contains the following utilities, created to facilitate your ActivClient deployment:
- Administrative setups − unsigned versions of the ActivClient MSI to use if you want to customize the setup. For further information, see Customizing the ActivID ActivClient Setup.
- Configuration − Active Directory administrative template for ActivClient (in ADMX format) to use if you want to deploy ActivClient policies in an Active Directory environment. For further information, see Defining the ActivID ActivClient Policies.
- Installation script − "Install ActivClient MSI with MSP.bat" script file to use if you want to install the MSI (Microsoft Installer) and MSP (Microsoft Patch) together. For further information, see Installation of ActivClient MSI and MSP.
Device Guard and Credential Guard Security
Device Guard is a group of key features that are part of the Microsoft Windows operating system and are designed to harden a computer system against malware. Its focus is preventing malicious code from running by ensuring that only known good code can run.
Credential Guard is a separate feature, not part of Device Guard, that aims to isolate and harden key system and user secrets against compromise. This helps to minimize the impact and breadth of a Pass-the-Hash style attack in the event that malicious code is already running via a local or network-based vector.
Installation of ActivClient in Device Guard Enforced Mode
To install ActivClient in Device Guard enforced mode, Code Integrity policies must be created on the golden machine along with the catalog file.
For more information, see the following links:
- To enable Device Guard in enforced mode, visit https://blogs.technet.microsoft.com/ukplatforms/2017/04/04/getting-started-with-windows-10-device-guard-part-1-of-2/
- To create a custom catalog file, visit https://blogs.technet.microsoft.com/ukplatforms/2017/05/04/getting-started-with-windows-10-device-guard-part-2-of-2
- For more details on Device Guard, visit https://blogs.technet.microsoft.com/ash/2016/03/02/windows-10-device-guard-and-credential-guard-demystified/
Enable Credential Guard
To enable Credential Guard, refer to the Microsoft documentation.
For ActivClient 7.4.3 installation, see Deploying Using Standard Methods.
LSA Protection
The LSA, which includes the Local Security Authority Server Service (LSASS) process, validates users for local and remote sign-ins and enforces local security policies.
To enable LSA protection, refer to the Microsoft documentation.
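Before installing ActivClient on the golden machine or a target workstation, it helps to confirm which of the protections described above are actually in effect. The following PowerShell check is an added example, not part of the ActivClient distribution or its documentation; the function name Get-HardeningState is hypothetical, and it reads only the Win32_DeviceGuard CIM class and the RunAsPPL registry value.

```powershell
# Added example. Get-HardeningState is a hypothetical helper name, not an
# ActivClient or Microsoft tool. It only reads local state and changes nothing.
function Get-HardeningState {
    [CmdletBinding()]
    param()

    $ciModes  = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    $vbsModes = @{ 0 = 'Off'; 1 = 'Enabled, not running'; 2 = 'Running' }

    # Map a status number to text; a missing property is reported as Unknown.
    $describe = {
        param($map, $value)
        if ($null -eq $value) { 'Unknown' } else { $map[[int]$value] }
    }

    # Win32_DeviceGuard reports code integrity policy and VBS service status.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue

    # RunAsPPL is the configured LSA protection value:
    # 1 = enabled with UEFI lock, 2 = enabled without UEFI lock (newer builds).
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name 'RunAsPPL' -ErrorAction SilentlyContinue
    $runAsPpl = if ($lsa) { [int]$lsa.RunAsPPL } else { 0 }

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        DeviceGuardQueried      = [bool]$dg
        VirtualizationSecurity  = & $describe $vbsModes $dg.VirtualizationBasedSecurityStatus
        KernelCodeIntegrity     = & $describe $ciModes $dg.CodeIntegrityPolicyEnforcementStatus
        UserModeCodeIntegrity   = & $describe $ciModes $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
        # SecurityServicesRunning lists running services; 1 = Credential Guard.
        CredentialGuardRunning  = @($dg.SecurityServicesRunning) -contains 1
        LsaRunAsPPL             = $runAsPpl
        LsaProtectionConfigured = $runAsPpl -in 1, 2
    }
}

# Run from an elevated PowerShell session on the machine being prepared.
Get-HardeningState | Format-List
```

A code integrity value of Audit means the policy logs but does not block, so an installation that succeeds there can still be blocked once the policy is switched to Enforced.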