Quest One Privileged Account Management. Information Security Administrator (ISA) Version 2.4

Transcription

1 Quest One Privileged Account Management Information Security Administrator (ISA) Version 2.4

2 Table of Contents 1.0 Introduction Conventions Used in this Guide Getting Help Online User Manuals Help Bubbles Customer Portal Contacting Customer Support TPAM Definitions Terms User Types Permission Types Permission Hierarchy Accessing TPAM Permission Based Home Page Recent Activity Tab Approvals Tab Pending Reviews Tab Managing Your Own Account User Time Zone Information Application Navigation Tab Format Filter Tab Listing Tab Feedback Area Configuring Managed Systems System Details Tab Systems Connection Tab (PPM ISAs only) System Management Details Tab (PPM ISAs only) Affinity Tab Ticket Systems Tab Collections Tab Setting Permissions for PSM and PPM Functionality for Systems Adding A System Managing A System Clearing a Stored System Host Entry (PPM ISAs only) Testing a System (PPM ISAs only) Duplicating a System List Systems Managing Accounts Account Details Tab Account Reviews Tab (PPM ISAs only) Account Custom Information Tab Account Management Tab Account Ticket System Tab Managing Services in a Windows Domain Environment (PPM ISAs only) Accounts Management Logs Tab Account Management Passwords Tab (PPM ISAs only) Account Collections Tab Setting Permissions for PSM and PPM Functionality for Accounts

3 11.11 PSM Details General Tab (PSM ISAs only) PSM Session Authentication Tab (PSM Customers Only) PSM File Transfer Tab (PSM Customers Only) PSM Review Requirements Tab (PSM Customers Only) Adding an Account Managing an Account Duplicating an Account Quest One Privileged Command Manager (PSM Customers licensed for PCM only) Account Current Status Manual Password Management (PPM ISAs only) Password Management (PPM ISAs only) Managing Services in a Windows Domain Environment (PPM ISAs only) List Accounts List PSM Accounts (PSM ISAs only) Managing Secure File Storage (PPM ISAs only) Adding a File for Storage File Ticket System Tab File Collections Tab Setting Permissions for Files Updating a Stored File Reviewing File History and Activity Retrieving a Password (PPM ISAs only) Viewing Past Passwords Retrieving Files (PPM ISAs only) Session Management (PSM ISAs only) Replaying a Session Log Monitoring a Live Session Reports Report Time Zone Options Report Layout Options Adjustable Column Widths Report Export Options Activity Report ISA User Activity PSM Accounts Inventory (PSM ISAs only) Password Aging Inventory (PPM ISAs only) File Aging Inventory (PPM ISAs only) Release-Reset Reconcile (PPM ISAs only) User Entitlement Password Update Activity (PPM ISAs only) Password Update Schedule (PPM ISAs only) Password Testing Activity (PPM ISAs only) Password Test Queue (PPM ISAs only) Expired Passwords (PPM ISAs only) Passwords Currently In Use (PPM ISAs only) Password Requests (PPM ISAs only) Auto-Approved Releases (PPM ISAs only) Password Release Activity (PPM ISAs only) File Release Activity (PPM ISAs only) Windows Domain Account Dependencies (PPM ISAs only) Auto Approved Sessions (PSM ISAs only) PSM Session Activity (PSM ISAs only) PSM Session Requests (PSM ISAs only)

4 2012 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser s personal use without the written permission of Quest Software, Inc. The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document. If you have any questions regarding your potential use of this material, contact: Quest Software World Headquarters LEGAL Dept 5 Polaris Way Aliso Viejo, CA legal@quest.com Refer to our Web site ( for regional and international office information. Trademarks Quest, Quest Software, and the Quest Software logo are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. For a complete list of Quest Software s trademarks, please see Other trademarks and registered trademarks are property of their respective owners. Third Party Contributions Quest One Appliance-Based Privileged Account Management Solutions contain some third party components. Copies of their licenses may be found at 4

5 1.0 Introduction Total Privileged Access Management (TPAM) is a robust collection of integrated modular technologies designed specifically to meet the complex and growing compliance and security requirements associated with privileged identity management and privileged access control. The Privileged Password Manager (PPM) module provides secure control of administrative accounts. TPAM is a repository where these account passwords are stored until needed, and released only to authorized persons. Based on configurable parameters, the PPM module will automatically update these passwords. The Privileged Session Manager (PSM) module provides a secure method of connecting to remote systems, while recording all activity that occurs to a session log file that can be replayed at a later time. All connections to remote systems are proxied through Privileged Account Management (PAM) appliance ensuring a secure single access point. 2.0 Conventions Used in this Guide Element Convention Where ever this symbol is displayed it means there is new functionality or an entirely new feature being discussed. Bold Italics Text Note! Tip! Alert! Elements that appear in the TPAM interface such as menu options and field names. Used to highlight additional information pertinent to the process being described. Used to provide best practice information. A best practice details the recommended course of action for the best result. Important information about features that can affect performance, security or cause potential problems with your appliance. 3.0 Getting Help 3.1 Online User Manuals To access online user manuals click the Documents list located in the upper right hand corner of the application. The manuals that are available to you are based on your user type and the permissions assigned to your userid. 5

6 3.2 Help Bubbles Throughout the application you will also notice help bubbles ( ) next to many of the fields in the application. If you hover the mouse over the bubble a pop up window provides a brief explanation about what the field is used for. 3.3 Customer Portal The Quest Software Customer Portal is where you can find product updates, user manuals, WebEx Demos and FAQ s. To access the Portal you will need a username and password from the Quest Software Technical Support group. To login go to Contacting Customer Support Quest Software's world-class support team is dedicated to ensuring successful product installation and use for all Quest Software solutions. SupportLink at support@quest.com You can use SupportLink to create, update, or view support requests 4.0 TPAM Definitions 4.1 Terms System A system is a host computer, network device, or work station for which one or more account passwords will be maintained. It is also referred to as the managed system Collection A collection is a logical association of systems. In v2.4 collections can also include Accounts and Files. Permissions can be granted to a collection. All systems contained in the collection, or added to it, will inherit those permissions. A system can belong to multiple collections. A System cannot be in the same collection as any of its Accounts or Files UserID A UserID is defined as a user of the TPAM appliance. At the time the UserID is created the interface (Web or CLI/API) must be determined and cannot 6

7 change. There are different types of UserID s (Basic, UserAdmin, Auditor, Administrator and Cache User). See section Group A Group is a logical association of UserIDs. Groups are a mechanism for easing the burden of assigning Access Policies on systems or collections to users. Access Policies that are assigned to a group are inherited by all members in the group. When a user is added to a group, they will immediately receive all permissions assigned to the group, and all permissions received through the group are revoked when a user is removed from the group. Users can be members of multiple groups Managed Account This is the account on the remote system to which a proxied connection can be made and/or whose password is being stored and maintained through the PPM portion of TPAM. For example, root is likely to be a managed account on many of the managed UNIX systems. 4.2 User Types Basic A Basic user type can be assigned permissions for various functions throughout the application, such as requestor, reviewer, etc Administrator The Administrator is the most powerful user type for the TPAM User Interface. This user type can create and delete systems, users, groups, and collections. The administrator user type may also assign access policies to any user including themselves. An administrator may view all reports. It is recommended that this user type be assigned carefully. The Administrator may not delete or disable their user ID Auditor The auditor user type permits the individual to view reports, session logs and system information, but not to make any changes to data or view passwords. The Auditor may not delete or disable his own account. Auditors may also review completed password and session requests User Administrator This user type has the authority to manage Basic user types. User Administrators can disable and enable users, unlock user accounts, and update account information. The User Administrator does not have the ability to add users to groups or manage permissions. CLI/API user accounts cannot be managed by a User Administrator Cache User If your company opted to purchase cache servers along with TPAM you will be setting up cache user types. A cache user can only retrieve passwords through the cache server that they are assigned to. A cache user will not have access to the TPAM interface. 7

8 4.3 Permission Types Denied This user role was created so that collection permissions could be assigned to a user and then if there are specific entities within this collection that the user should not have access to the Denied permission can be set for these entities. If you are Denied for a System but have access to a specific Account/File on that System you will still be able to access the Account/File, because Account or File holds precedence over System Information Security Administrator (ISA) The role of ISA is intended to provide the functionality needed for security help desk personnel, and as a way to delegate limited authority to those responsible for resource management. An ISA permission with a Type of Session allows the user to add and update all aspects of PSM Only systems, PSM only accounts, and for PSM supported platforms. An ISA permission with a Type of Password allows the user to add and update systems and accounts for all platforms except those that are PSM only. A user must be assigned an Access Policy with a Type of both Password and Session and permission of ISA to be able to assign access policies to other entities. The ISA permission does not allow the user to delete a system Approver An Approver can be set up to approve password, session and or file requests. An approver can also be set up to only approve sessions that are requesting specific commands Requestor A Requestor can be set up to request password, session, and or file requests. A requestor can also be set up to only request sessions that run specific commands. Note! A user requesting a session that has an interactive proxy type must also have an access policy assigned to them that include password/requestor for that account Privileged Access (PAC) An individual that must go through the request process for passwords, files, and sessions but once they submit the request it is automatically approved, regardless of the number of approvers required. Note! If you have Session /PAC permissions but do NOT have Password/PAC Permissions on an account, you will only be able to start a session that is configured for one of the automatic proxy connection types, since you do not have permissions to access the password. 8

9 4.3.6 Reviewer The reviewer role permits the individual to view reports on specific systems to which they have been granted reviewer rights. A Session/Command Reviewer can also replay sessions and review/comment on these sessions. If the user has Password Reviewer permissions they can review a password release that has expired and comment on that password release. 5.0 Permission Hierarchy Because TPAM allows groupings of Users (Groups) and remote systems (Collections), it is possible - even likely, that a user could appear to have multiple conflicting permissions for a particular system, account, and or file. To prevent this, TPAM implements a precedence of permissions. The precedence, in order of decreasing priority is: An Access Policy assigned to a User for an Account/File (most specific) An Access Policy assigned to a User for a System An Access Policy assigned to a User for a Collection containing Accounts or Files An Access Policy assigned to a User for a Collection of Systems An Access Policy assigned to a Group for an Account /File An Access Policy assigned to a Group for a System An Access Policy assigned to a Group for a Collection containing Accounts or Files An Access Policy assigned to a Group for a Collection of Systems (least specific)(*) (*) This category includes Users who are assigned to any of the Global XXX Groups. The Groups grant their respective permissions to an internally-maintained All Systems collection. Note! A single Denied Access Policy assignment at any level overrides all other permissions at that level. When any of the permissions are changed, for instance by adding or removing a user from a group, the precedence is recalculated, and if necessary, the permissions for the user are changed to reflect the new level that results. 9

10 In the scenario shown above, the groups and users have been assigned Access Policies which grant the permissions specified. In this situation, the precedence of permissions will be applied and the effective permissions would be as follows: User A has Approver permission on System C through the Group to System assignment. User A has been assigned Reviewer rights on System A, Account B1, and File C1 via Group A to Collection B assignment. These Review rights on File C1 take precedence over the Approve rights on System C because assignment to a Collection containing an Account or File is more specific 10

11 6.0 Accessing TPAM than a collection containing just the System. User A may still Approve requests to all accounts on System C and all of C s files with the exception of File C1. Users A, C, and D have Request rights on System A, Account B1, and File C1 through Group B. Note that as with above, the Group B to Collection B assignment of Request rights for User A on File C1 override the Approver rights from Group A. Since User A is in both Groups A and B he has both Review and Request rights on all the items in Collection B. Assignments at the same hierarchy level are combined. User B has been Denied access to System B, which includes all Accounts and Files thereon. Even though the Group A to Collection B assignment User B grants Review to Account B1 on System B, User B is still denied access because the User to Collection assignment trumps the Group to Account in a Collection assignment. If User B had instead been assigned the Review permission directly (as opposed to through Group A) to Account B1 that would have replaced the Denied assignment on System B, but only for that one account. User B also has Review rights on all Accounts and Files on System A and File C1 on System C. User C has been granted explicit ISA rights on Account B1. This User to Account assignment supersedes both policies User C received via the Group to Collection assignments, but only for Account B1. User C still has Review and Request permissions to System A and File C1. User D has been granted ISA rights over Collection A. This assignment takes precedence over D s Request permission on System A which is through the Group B to Collection B. D still retains the Request permissions on Account B1 and File C1 from the Group assignment, however that removes D s ISA permissions on Account B1 (although D still has ISA permissions over any other accounts on System B). Where there is more than one permission granted at the same level of the permission hierarchy those permissions are combined, as long as one of those permissions is not Denied. If a User is in 3 different groups (A, B, and C) with policies to the same System (A grants Approver, B grants Reviewer, and C grants Requestor) the user has all three permissions in effect on that system. However, if Group B has Denied permissions instead of Reviewer that takes precedence over all other "Group to System" assignments for that User on that System. To access TPAM, point your browser to TPAM s IP address or FQDN followed by /egp or /par. For example, if the IP address for TPAM has been configured as , the URL would be Connectivity To communicate with the TPAM appliance and successfully initiate a session your computer will need to be able to pass traffic on ports 443 (HTTPS) and 22 (SSH). 1 For additional information and instruction on the initial configuration of the appliance, see the Quest One Privileged Account Management Configuration and Administration Manual. 11

12 If TPAM will be accessed via Microsoft Internet Explorer (IE), there are two important setting changes to verify or change in the IE configuration: Pop-Up Blocker When the /par website is accessed, the initial instance of the browser will be closed and a new window will open without menu or title bars. Browsers that are configured to block popups often interpret this as a pop-up and the page will not be displayed. Be sure to add the URL for TPAM to the list of allowed pop-ups. Tip: Holding the Ctrl key will temporarily allow pop-ups. User Authentication Settings It may also be necessary to modify the User Authentication option of the IE Security Settings. The recommended setting is Prompt for user name and password. A setting of Automatic logon may attempt to pass the username and password from the workstation or domain to TPAM. This will cause logon failures and may lockout the user s TPAM account. 12

13 7.0 Permission Based Home Page Your home page is based on the user type and permissions assigned to your user id in the TPAM application. You can return to the home page from anywhere in the TPAM application by clicking the home icon located on the far left side of the menu ribbon. Note! The screen shots in this manual represent a UserID that has been assigned a Global ISA Access Policy. The screens that you see when you log into the par interface may or may not have all of these options depending on your permissions. The first tab that displays is the default message of the day which is configured through paradmin interface. To immediately approve a session, password or file request click the blue links. 7.1 Recent Activity Tab The recent activity tab shows all your activity in the TPAM for the last 7 days. 13

14 7.2 Approvals Tab The Approvals tab will show any requests (Password, File or Session) that require your approval. Once they are approved or denied you will still see the request in this list until the release duration expires. By clicking on the request id you will be taken directly to the appropriate Requests Approval Detail tab so that you can approve or deny the request. To use the auto-refresh option check the box and enter the number of minutes you would like the screen refreshed. 14

15 7.3 Pending Reviews Tab If you are an eligible reviewer for any post password releases or sessions you will see the Pending Reviews tab on your home page. Any password releases or sessions that are pending review will be seen on this tab. By clicking on the request id you will be taken directly to the Password Release Review Details or Session Review Details tab. To use the auto-refresh option check the box and enter the number of minutes you would like the screen refreshed. 8.0 Managing Your Own Account Any user may change their password and update individual account details using the My Info menu option. To reset your own password, select My Info Change Password from the menu. Enter the existing password, the new password desired, and confirm the new password. User passwords are subject to the requirements of the Default Password Rule. 15

16 Other individual account information can also be self managed, such as contact information and full name. Select My Info User Details from the menu to make modifications to your own account information. A user may not modify the UserID, Last Name, or First Name fields. 8.1 User Time Zone Information You can edit your time zone information through the My Info User Details menu option. The TPAM administrator will also be able to edit your time zone. If you are in the same time zone as the server and follow the same Daylight Saving Time (DST) rules the first radio button should be selected. If you are in a different time zone and/or follow different DST rules and do not want to follow server time, the second radio button should be selected, and the appropriate time zone chosen from the list. With this option most dates and times that the user sees in the application or on reports will be converted to your local time. If a date or time still reflects server time it will be noted on the screen. 16

17 Note! It the Sys-Admin has disabled User Time zone changes in the paradmin interface the User Time Zone Information block shown above will be visible only for Administrator users. Example: TPAM appliance is located in New York, NY on Eastern Time. The user is located in Los Angeles, CA, which is on Pacific Time. If the user chooses to set their time zone to Pacific Time, any requests, approvals, etc that they make will be reflected in Pacific Time to them, and they will have the option to view some reports in their local time zone. If the TPAM Administrator is in the Eastern Time zone the admin will see this user s transactions stamped with the Eastern Time. Alert! If you are in Daylight Saving Time (DST) you must remember to check the DST box and uncheck it when it is over. This box does NOT automatically get changed for you. You will be automatically redirected to the User Details page when attempting a new transaction if: The server has undergone a DST transition since your last activity. The time zone on the server has been changed since your last activity. The server has had a patch applied that has rendered your current time zone obsolete according to Microsoft s time zone updates. You will be able to see the server time on the bottom left of your screen and your local GMT offset (if different from the server) in the middle bottom of the screen. You will see the time listed in reference to GMT (Greenwich Mean Time), using notation to indicate the number of hours ahead or behind GMT. So for example US Eastern Standard Time is 5 hours behind GMT, or GMT -05:00, New Delhi, India is 5 ½ hours ahead or GMT +05: Application Navigation This section provides an overview how to navigate through the user interface. 9.1 Tab Format One of the first things the user will notice is that upon selecting an action from the main menu bar the data will be displayed through multiple tabs. 17

18 Once a specific System, Account, Collection, etc is selected all of the details about this entity can be viewed by clicking on the different tabs along the top of the page. Tabs which do not apply to a given system are disabled. For example, the Connection and Management Details tabs do not apply to a system unless the Enable Automatic Password Management option is checked. 18

19 9.2 Filter Tab This tab was developed for companies that are managing a large number of systems, accounts collections and groups. By entering specific criteria on the Filter tab, the user will be able to quickly get to the piece of data that they need to review or edit without searching through thousands of records. The Max Rows to Display list allows you to limit the number of records returned even if there are more that meet this criteria. The Default Filter Settings has choices of Clear, Save and No Action. If Save is selected then every time the user selects the menu item they will land on the Listing tab and the same filter will be applied until a new filter is saved or if the filter is cleared. The saved filters are on a user by user basis, that is if user dlynch saves a filter it has no effect on a filter saved by glucas. Once your filter criteria have been entered click the Listing tab to get the results of your filter. 19

20 9.3 Listing Tab The results from your Filter will be listed in the Listing tab. Notice that in the example above 2 records actually met the Filter criteria that was entered and the user choose to only display 50 rows. If 120 records had met the filter criteria only 50 would have been displayed but it would have said Displaying 50 out of 120 rows meeting filter criteria, warning the user that was all that was returned in the Listing tab. Once you find the record that you want to work with click the row once to highlight the row on the screen and then click the tab where you want to go next. Note! If you are already displaying the Listing tab, clicking the tab label (circled area below) a second time will refresh the listing from the database based on the current criteria. 9.4 Feedback Area The feedback area is located in the bottom center of each window. This area was created to notify the user what transaction was last completed. As soon as the user selects a new entity i.e. system, account, collection, from the listing then the Feedback area will be cleared and remain empty until a new transaction occurs. 20

21 10.0 Configuring Managed Systems If your System Administrator has set the Restrict ISA System Creation global setting to Yes, you will not be allowed to add systems. Selecting Systems & Accounts Systems Add System or Systems & Accounts Systems Manage Systems will lead to the configuration pages for managed systems. If modifying an existing system, first select the desired system by entering criteria on the Systems Management Filter tab, clicking on the Listing tab, clicking on the System Name you are looking for and then clicking on any of the additional tabs to edit the system configuration. Below is a description of all the configuration fields on the various tabs. As a PSM ISA you will NOT be able to access the Connection or Management Details tabs (except for e-dmz SPCW systems). 21

22 10.1 System Details Tab System Name This is the descriptive name of the system. Typically, the hostname will be used. Within the TPAM, the system name must be unique. The name can be 1-30 characters long, but cannot include empty space (i.e. spaces, carriagereturns, etc.) Network Address The IP Address (i.e ) or DNS Name (server1.domain.bigco.com) of the system. It is imperative that this information is entered correctly, as the back-end automation procedures will use this address to connect to the remote system to proxy and record the session activity and setting or checking of the password for the managed account(s) ISA Policy You will see this list option when adding a System if your userid is assigned an Access Policy that contains an ISA permission. From this list you can select which ISA policy should be applied for your access to this new system once it has been saved. If you have ISA access granted via a single Access Policy it will be pre-selected. 22

23 Alert! If you select Do not Assign an ISA Policy and do not assign the System to a Collection that you have access to, you will NOT have any access to the system after it is saved Platform Choose the appropriate platform for the operating system running on the remote host. For PSM this field is primarily descriptive, since it is the proxy connection type that actually determines how the session will be established. However, if the passwords for this system will be managed by PPM, then it is very important that this be entered correctly, as the PPM uses it to determine the most secure and reliable way to manage the passwords on the remote system. Note! If you are only a PSM ISA the platform list will only contain PSM enabled platforms. Note! A system added to TPAM with a platform type not supported by PSM will appear in the list of systems on TPAM, and the accounts defined for that system will appear in the TPAM accounts list for the system however, the option to allow sessions will be disabled Password Rule Select the desired password rule to serve as the default for all accounts defined for the system. If the selection is not changed (or if no other rules have been defined in TPAM) the Default Password Rule will be selected. The password rule will govern the construction requirements for new passwords generated by PPM. Password rules are managed by Sys-Admin users in the parconfig interface Maximum Duration This is the maximum duration for a password release on the account. If this is overridden by an Access Policy assignment, the lower of the two durations will be used. The default duration that the requestor will see for any new password request is 2 hours, or the maximum duration, whichever is less Contact Allows support personnel to receive notifications from TPAM. Alerts or warnings are sent when the condition of the remote system is not as expected. This field can be left blank, in which case errors will be logged but notifications will not be sent. The address in this field will be the one notified when Manually managed account passwords are scheduled to be changed Description The description field may be used to provide additional information about the system, special notes, business owner, etc Enable Automatic Password Management? (PPM ISA s only) Tells TPAM whether to automatically manage remote system account passwords, based upon configuration parameters for each system. Auto- 23

24 management includes automatic testing and changing of the passwords. Checked = Yes, Unchecked = No. This option is available at both the system and account levels, therefore it is possible to allow TPAM to auto-manage one account on a specific system, while another account on the same system is not auto-managed. However, if the option is unchecked at the system configuration level, no accounts on the system can be auto-managed. If the appliance has exceeded the number of PPM managed systems that were licensed this option will not be able to be checked for any new systems until you check the Disable PPM Functionality checkbox on another managed system Disable PPM Functionality (Only ISA s with both PPM and PSM Permission) This checkbox sets the system to PSM only which means you cannot use any of the PPM features on this system such as password change history, release logs, password checking and changing, and releasing passwords. The reason for this is product licensing. You are not limited to the number of PSM only systems you can add, but we will limit the number of managed (PPM) systems you can add based on the number of licenses you purchased Approver Escalation You have the ability to send an escalation to a specific address if no approvers have responded to a Password/File request within X minutes. You can enter multiple addresses by separating them with a comma up to the field maximum of 255 characters Delegation Prefix (specific platforms only) This field can be used to preface the commands that PPM uses to manage passwords for this system. The delegation prefix can also be used to specify an absolute path to the command that PPM uses to manage password for the system Computer Name(specific platforms only) This field is designated for the system s computer name and is required for proper password management. If it is not populated, TPAM will attempt to determine the system s computer name when the system is tested and update the field. The Computer Name field is also used with TPAM s Autologon feature. You have the option to have TPAM log the user into the remote system using the WORKSTATION\USERID format. This will prevent any incorrect logon if the Default domain is saved as the DOMAIN name versus the Local Workstation. If a Domain user is selected from the Session Authentication screen in PSM details, the user credentials will be passed as DOMAIN\USERID. You will notice with both options that the DOMAIN field is grayed out at login. 24

25 System Location Information There are six customizable fields that you can use to track location information about each system. These custom fields are enabled and configured by the System Administrator in the paradmin interface. If these fields have not been enabled the system location section of this page will not appear at all on the Details tab Systems Connection Tab (PPM ISAs only) Note! PSM ISA s will only see this tab for SPCW systems Fields available for connection settings will differ according to the platform type of the managed system. 25

26 Alternate Port Most non-windows platforms allow alternate ports to be configured for communication of standard protocols, such as SSH, Telnet, or database ports. TPAM now supports the ability to specify these system specific ports via the Connection tab Domain Name (specific platforms only) When the system platform being created represents a central authority such as Active Directory, BokS, or PowerPassword, the domain name must be specified. This name cannot be an alias, simple name, or NetBIOS name, but must be the fully qualified DNS name of the domain NetBIOS Domain Name (Windows domains only) Windows domain systems (Active Directory, NT Domain, or edmz SPCW) also include the NetBIOS Domain Name field. Specify the name of the domain in NetBIOS format Alternate Address (specific platforms only) When the system platform being created represents a central authority such as Active Directory, BokS, or PowerPassword, the alternate address field can 26

27 contain the network address of an alternate authority (i.e. another domain controller) for redundancy Functional Account The Functional Account defines the account that will be used to manage the accounts on the managed system. This account must be defined and configured on the managed system as defined in the appropriate Client Setup Instructions. The credential defines whether SSH will use a predefined key (DSS) to authenticate or a standard password. DSS is the preferred and more secure way of managing accounts on systems that support SSH. You have the option to let PPM manage the functional account. The auto-change parameters for this password may then be configured via the Account Details tab, as with any other account. This helps to secure the managed system, by not maintaining a static password on a functional account. Alert! After a system is saved for the first time, any changes in the system parameters will not automatically be applied to the functional account, unless the Propagate to All Accounts switch on the Management Details tab has been checked. The auto manage function will never be propagated to the functional account. It must be manually set PSM Functional Account (edmz SPCW platform only) The PSM functional account is used to provide secure communication during the session and file transfer during a session. If the PSM enabled account on the system is configured to use a proxy type of RDP through SSH, the PSM Functional account will be used during this connection Account Credentials When using DSS key authentication, a function is available to permit specific configuration of the public/private keys used. Avail. System Std. Key will use the single standard SSH keys (either Open SSH or the commercial key) stored centrally in TPAM. You have the ability to have up to three active keys simultaneously. These keys are configured in the paradmin interface. Use the list to select the key you want to retrieve. 27

28 Note! When using the System Std. Keys you cannot specify which key will be used. You may download one or all available keys to put on the remote system, but TPAM will attempt to use all currently active keys when communicating with the remote system. Use System Specific Key will allow the generation and download of a specific SSH key to be used with this system only. The key must first be generated using the button, and then downloaded in either Open SSH or Sec SSH (commercial) format Enable Password (Cisco and ProxySG only) Some systems may require the use of very specific accounts for access (ex. Cisco PIX requires the use of pix as the ID, Cisco routers use cisco as the Id, etc.) If the managed device is Cisco device, the password for the Enable Password must also be specified in the configuration SID / Service_Name (Oracle DB only) Specifies either the Security ID (SID) or the service name for Oracle databases, and should match the setting in SQLNET.ORA at the database server Connection Timeout The connection timeout value determines the amount of time in seconds that a connection attempt to the managed system will remain active before being aborted. In most cases, it is recommended to use the default value (20 seconds). If there are problems with connection failures with the system, this value can be increased (for example, connections to Windows systems are often slower than SSH connections and may require a significantly higher timeout value) Server O/S (BoKs platform only) Select the O/S running on the server from the list Expert Password (CheckPoint SB only) Setting up an Expert Password will allow configuration access to the system. 28

29 Non-Privileged Functional Account (Windows Active Directory only) If this box is checked any password changes for accounts on this system will use the account s current password to log in and make the password change instead of using the functional account password Authentication Method (Cisco Router TEL only) Username/Password is used when a username is needed when connecting to the system. Line Definition is used when there is no username to be specified, it is simply a password on the terminal connection Allow Functional Account to be Requested for Password Release If this box is checked then Requestors on this system can make a request to release the password for the functional account. If this box is not checked the functional account passwords are not available for release to a requestor and will only be accessible to an ISA Custom Command (Mainframe platforms only) If there is a special command that needs to be entered prior to being prompted for authentication credentials, it is specified by placing the command in the custom command field Use SSL? (specific platforms only) Check this box if communications between TPAM and the device requires the SSL option Tunnel DB Connection Through SSH (database platforms only) Database tunneling through SSH provides the ability to securely connect to a remote database. 29

30 Enter the Account Name that you will use to connect to the remote system. If SSH is not listening on port 22 please provide the correct port you want the connection forwarded to. For DBMS accounts, SSH tunneling only uses public key and not manual passwording for establishing the SSH connections. Alert! Make sure that the default of AllowTCP Forwarding is set to Yes in the SSH Configuration file of the managed system System Management Details Tab (PPM ISAs only) The System Management Details tab lists options that once set will be inherited by all accounts set up on this system. These options can be overridden at the account level. 30

31 Password Check and Reset Options The automatic password testing function may be enabled or disabled for managed systems by using the Check Password and Don t Check Password radio buttons. If enabled, the option to have the password automatically reset when a mismatch is found is also available. By default Reset Password on Mismatch will be selected. When auto reset is disabled only a notification will be sent when a password mismatch is encountered (assuming the system contact field is populated). Change Password after any release indicates whether the password for the account should be automatically reset by PPM following a release to any user (including ISA users). The option is enabled by default. If disabled, the password will not be changed after releases, but will still be changed based upon the Change Frequency settings Change Frequency This specifies the interval at which the password will be automatically changed, regardless of whether or not the password has been released. Typically, this will be set to the value specified in your company s security policy, which defines password expiration age. Available choices are: First Day of the Month the password will be changed every month, on the first day of the month Last Day of the Month the password will be changed every month, on the last day of the month 31

32 Every n Days this allows you to specify the frequency with which the password will be changed. The n value can be between 1 (changed every day) and 999. None - no scheduled changes Change Time Allows you to specify the time of day when automatic password changes will take place. This should be set to a time when the system is not scheduled to be down for regular maintenance and when system activity is not at its peak. The change time will take place when the TPAM server reaches this time and not the time in your local time zone Default duration for ISA releases of password (can only be entered by Admin) The duration for ISA release may be specified up to a maximum of 7 days. This is the amount of time that will transpire between the initial ISA retrieval and the automatic reset of the password (if enabled) Allow ISA to enter Duration on Release (can only be checked by Admin) If this checkbox is checked, an ISA may enter a release duration other than the default when retrieving a password. The duration must be >0 and <= the max of either ISA Duration (Mgt Details tab) or Max Release Duration (Details tab). This column was added to the System and Account Imports and Batch Updates. This flag is also a value that can be pushed to Account and pulled from System Propagating Auto Password Management and Management Detail Settings Default change settings can be configured differently between systems and the defined accounts for those systems. If the desire is to ensure consistency throughout this parent-child relationship, it is possible to push the configuration of the default change settings from the system object to all child objects defined for the system. Using the check boxes, select the desired level of propagation of the current system settings: Push Defaults to All Accounts and Enable auto management on All Accounts. To push auto management to all accounts you must first check Push Defaults to All Accounts and then you will be able to check the Enable auto management on All Accounts flag if you so choose. The currently configured default change settings and auto-manage properties will be changed accordingly on the child objects when the button is clicked. This is a one-time synchronization and may still be changed at the account level. The functional account defined for the system will not receive the Enable Auto Management on All Accounts setting during a push. The automanage property must be manually enabled for the functional account. 32

33 10.4 Affinity Tab The Affinity option will allow you to optimize performance of session recording and playback and password checking and changing if you have opted to purchase one or more DPA servers along with your TPAM appliance. This tab will not be enabled until you save the system PSM DPA Affinity Settings (PSM ISAs Only) Use the PSM DPA Affinity Settings to optimize session recording and playback. The default setting will be Allow PSM sessions to be run on any defined DPA. The default DPA Server name will be LocalServer which is the local TPAM appliance. If your company purchased and configured additional DPA s to optimize performance you will see these listed in the DPA Server Name column. Enter the Priority number next to each DPA and click the button. The priority numbers used in the Affinity settings only have meaning in relation to each other. For example, 1,2,3 has the same meaning to the system as 98,99,100. When the appliance goes to figure out which DPA to use it looks at them in order of priority from lowest to highest and picks the 1st one that has an open slot. A value of 0 (zero) is simply "more important" than any higher value. If you want to make it so that a particular DPA is 33

34 never used for session recording for a given system, then the priority should be empty (NULL), not zero PPM DPA Affinity Settings (PPM ISA s only) Use the PPM DPA Affinity Settings to optimize password checking and changing. The default setting will be Use local PPM appliance for password checks and changes. If you want to use one of your DPAs for password checking and changing on this system select the Selected DPA affinity radio button, enter the Priority number next to each DPA, and click the button. Note! The password checking and changing functionality requires DPA v Ticket Systems Tab The options available on this tab will be predetermined by how Ticket Systems were configured in the paradmin Interface. If no Ticket Systems have been configured and enabled in the paradmin interface the Ticket System tab will be inaccessible. Any changes to the settings on this page are recorded in the System Activity Log. These options will be the defaults for any Accounts or Files added to the system. 34

35 Require Ticket Number from: Check this box if you want to require ticket number validation every time a password or file request is submitted for this system. If multiple Ticket Systems are enabled they will be listed in the list for selection. You can specify the ticket system or allow entry of a ticket number from any system that is enabled. If this box is not checked users will still be able to enter a Ticket Number on a request, but will also be able to create a request without a Ticket Number entered Ticket required for: If Ticket Validation is required then all requestors will be required to provide a ticket number. You also have the option to require users making requests through the CLI or API to supply a ticket number prior to retrieving a password or file. As an ISA you cannot determine if a ticket is required for ISAs, so this checkbox is disabled Send to: If any of the ISA, CLI or API required boxes are left unchecked you also have the option of entering one or more addresses (up to 255 characters) that will receive an when an ISA, CLI or API user releases or retrieves a password or file without supplying a ticket Propagation You have the option of pushing the Ticket System settings out to all Accounts and Files. When a new account or file is created it will take on the Ticket System settings of the parent system Collections Tab Note! These checkbox values are a onetime update each time they are checked and the Save Changes button is selected. After that there is no forcing of the settings to remain in synch. The settings on the Accounts can be overridden. Systems may be assigned membership to one or more collections. The collections list shows all for which the user holds the ISA role. By assigning the system to collections, the system automatically inherits user and group permissions that have been assigned at the collection level. To modify collection membership, simply click the Not Assigned or Assigned radio buttons next to each collection name and click the button. Note! An ISA can only assign systems to a collection if they have both PPM and PSM ISA permissions on the system and the collection. Note! If a collection is tied to either AD or Generic Integration the system s membership status in that collection cannot be changed. 35