Lieberman Software Corporation
“Shared superuser accounts – typically system-defined in operating
systems, databases, network devices and elsewhere – present significant
risks when the passwords are routinely shared by multiple users.”
Gartner MarketScope for Shared-Account/Software-Account Password Management, 2009
Server, Desktop & Network OS
– Administrator, Domain/Local
– Root, Super user, Admin, …
Databases (DBA + Apps)
– SA, Sysadmin
– SYS, …
Middleware
– Proxy Accounts
– Gateway Accounts, …
Mainframes
– UID=0, Line-of-business
– RACF Special, …
Applications
– Setup, Admin, App Local
– Web Service Accounts, …
VM Environments
– Administrator
– Root
• Manual Processes
– Error-Prone
– “Like Painting the Golden Gate Bridge…”
• Or, Never Changed
Identity & Access Management (IAM)
Privileged Identity Management (PIM)
ERPM Architecture
Password Recovery Console
Audited Password Check Out
Dashboard Drill Down
Hosted Virtualization (diagram): Virtual Machine #1, #2 … #n, each running Applications on its own OS, all on top of a Hypervisor, the Host Operating System and Shared Hardware.
Every privileged identity – in every host OS, guest OS, and application –
presents a potential security threat if unsecured.
Document that You Have Measures In Place To…
– Identify and track the location of privileged account credentials (NIST SP 800-53: AC-2, AC-4)
– Enforce rules for password strength, uniqueness, change frequency (AC-2)
– Delegate so that only appropriate personnel can access
– Audit and alert to show requesters, access history, purpose, duration, etc.
Regulations and who they cover:
– US NRC Regulatory Guide 5.71: Operators, Vendors, Contractors
– PCI-DSS: Entities that store, process, or transmit credit card data
– NERC: Transmission Service Providers / Owners / Operators, Generation Owners / Operators, Load Serving Entities, …
– HIPAA: Providers, Insurance Plans, Employers, Health Care Clearinghouses
– FISMA (NIST Special Publication 800-53 R. 3): Defense Contractors, Information Processors
Control references cited in the matrix, in the order they appear:
– B.R5.1. (Implicit); 7.2.1; Appendix A, B.1.2; Appendix A, B.1.3; Appendix A, B.1.4; 45§164.308(5)(D); 45§164.312(2)(i)
– B.R5.3.1.; B.R5.3.2.; B.R5.3.3.; 8.5.5; 8.5.8; 8.5.9; Appendix A, B.1.2; AC-3; AC-6; 45§164.308(3)(i); 45§164.308(3)(B); 45§164.308(3)(C); 45§164.312(a)(1)
– B.R5.1.; B.R5.2.; B.R5.2.1.; B.R5.2.3.; 2.1; 6.3.6; 7.7.1; 8.5.4; 8.5.6; Appendix A, B.1.2; Appendix A, B.1.3; Appendix A, B.1.5; Appendix A, B.1.6; AU-3; AU-9; 45§164.308(5)(C)
– B.R5.1.2.; 10.2; Appendix A, B.1.2; Appendix A, B.1.3
• Grant Access to Privileged Credentials within SCOM/SCCM Interface
• Update SCOM Credentials
• Provide Trouble Ticket Integration with SCSM
Right-Click to Recover Passwords in SCCM, SCOM
Privileged Identity Incident in SCSM
• Get a list of the existing jobs
• Human management of sensitive assets on an ongoing basis is impractical
# Check the TestUser password out of ERPM; the reason text is recorded in the audit trail
$password = Get-LSPasswordWithReason $token devpat3 DomainName TestUser "Adding machine to domain"
# Build the credential (PSCredential expects the password as a SecureString; the two
# constructor arguments must be passed as a comma-separated list)
$DomainCredential = New-Object System.Management.Automation.PSCredential TestUser, $password
# Use the checked-out credential for the privileged operation
Add-Computer -DomainName DomainName -Credential $DomainCredential
# Check the password back in so the audit record shows when use ended
Set-LSPasswordCheckIn $token devpat3 DomainName TestUser "Added machine to domain"
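A wrapper for the check-out / use / check-in sequence above, added here as an example and not taken from the Lieberman slides or product documentation. It assumes $token was obtained earlier (the slides do not show how), that the LS cmdlets take the arguments shown on the slide, and that the returned password is either a SecureString or plain text; what it adds is that the check-in runs in a finally block, so the credential is returned and the audit record closed even when the privileged operation fails.

```powershell
# Added example (not from the Lieberman slides): always check the password back in.
# Assumes $token was obtained earlier and the LS cmdlets take the slide's arguments.
function Invoke-WithCheckedOutPassword {
    param(
        [Parameter(Mandatory)] $Token,
        [Parameter(Mandatory)] [string] $SystemName,   # e.g. devpat3
        [Parameter(Mandatory)] [string] $Domain,       # e.g. DomainName
        [Parameter(Mandatory)] [string] $AccountName,  # e.g. TestUser
        [Parameter(Mandatory)] [string] $Reason,       # recorded in the ERPM audit trail
        [Parameter(Mandatory)] [scriptblock] $Action   # receives a PSCredential
    )
    # Check-out happens outside the try: if it throws, nothing needs checking in
    $password = Get-LSPasswordWithReason $Token $SystemName $Domain $AccountName $Reason
    try {
        # PSCredential requires a SecureString; convert only if plain text came back
        if ($password -is [string]) {
            $secure = ConvertTo-SecureString $password -AsPlainText -Force
        } else {
            $secure = $password
        }
        $credential = New-Object System.Management.Automation.PSCredential ($AccountName, $secure)
        & $Action $credential
    }
    finally {
        # Runs on success and on failure, so the check-out never stays open
        Set-LSPasswordCheckIn $Token $SystemName $Domain $AccountName "Done: $Reason"
        # Drop the plain-text copies from this scope
        Remove-Variable -Name password, secure -ErrorAction SilentlyContinue
    }
}

# Constructed usage mirroring the slide's domain-join scenario
Invoke-WithCheckedOutPassword -Token $token -SystemName devpat3 -Domain DomainName `
    -AccountName TestUser -Reason "Adding machine to domain" -Action {
        param($cred)
        Add-Computer -DomainName DomainName -Credential $cred
    }
```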
# Retrieve every Windows account ERPM knows about on devpat3
$LocalAccounts = Get-LSListWindowsAccountsForSystem $token devpat3
# create a new empty array to store our local admin accounts
$LocalAdmins = @()
foreach ($account in $LocalAccounts)
{
    # this will add only the accounts that have admin permissions (Privilege value 2) to the list for job creation
    if ($account.Privilege -eq 2)
    {
        $LocalAdmins += $account
    }
}
foreach ($LocalAdmin in $LocalAdmins)
{
    # this creates a new job for each local admin account on the system, will not create the account if it is not
    # found, sets the password to a random 14 character string, and schedules the job to run immediately.
    New-LSJobWindowsChangePassword $token devpat3 $LocalAdmin.AccountName $false 14 -RunNow
}