Service & Process Account Management

Transcription

1 Introduction Powerful privileged accounts and shared administrator credentials are everywhere in an enterprise. These passwords control administrative access to servers, workstations, mobile systems, databases, firewalls, network devices and business critical applications. Enterprise Random Password Manager (ERPM) eliminates the need for anyone to know the passwords for privileged IT assets; authorized individuals are only allowed audited, secure access to privileged account credentials on time-limited basis, for valid reasons. With ERPM, administrators are no longer able to share privileged passwords or keep them stored in an insecure spreadsheet or vault. Built-in privileged accounts are used by people to login as the administrator on systems, databases, network devices, and applications. These accounts are referred to as the local or firecall account. To find where all service account Most organizations, however, have the daunting passwords exist and update each challenge of managing service and process of them would take a good two to accounts. These are privileged accounts that run four weeks per change and automated business processes and are used by that s assuming that you applications, not people. They can be stored in succeeded in locating them all. services, tasks, COM applications, IIS, SharePoint, databases, and applications, and they are found in It s like painting the Golden Gate all cross platform environments. A single service or Bridge starting at one end, process account may be used and referenced in working your way to the other multiple subsystems and places. Since these end, and then starting all over. accounts are interconnected, making a password Essentially by the time you were change can potentially lock out the account and done changing service account bring down the entire process if performed passwords, you would have to incorrectly. start it all over again. Service and process accounts passwords are incredibly difficult to change manually because first you have to identify everywhere the service account is in use (discovery), and then you must change the password everywhere it is in use (propagation). ERPM automatically takes care of this for you. ERPM automates that tedious, error-prone process for us. - Large Federal Credit Union Customer

2 Continuous Auto-Discovery of Accounts Used by Windows Services A unique capability of ERPM is the dynamic discovery of every location throughout the environment that an account is referenced by a Windows service, task, COM/DCOM object, or AT account. Discovering where service accounts are used is half the battle. You can t change service account passwords if you don t know where they are in use. ERPM dynamically discovers service account enumeration prior to changing service account passwords every time it executes a password change job. In dynamic environments, with hundreds or thousands of service accounts, ERPM removes the need to dedicate massive amounts of time and resources to manually maintain a catalog of managed services. Propagation of Privileged Account Credentials Prior to changing service account passwords, since ERPM performs a fresh discovery to identify all current uses of the service accounts, ERPM can successfully propagate (distribute) the new credentials to all places where they are being used. The discovery will occur every time the password change job runs to ensure that the items being managed are always up to date. This process ensures that credentials are secured and updated immediately after use. ERPM s comprehensive accuracy and coverage greatly reduces the chance of account lockouts, system failures, and downtime caused when process accounts are not updated with the newly changed password. Further, if dependencies are identified, they will be stopped (if running) in the proper order, the root service will be changed, then all services (that were running) will be restarted, again in the proper order. This propagation of changed credentials is a complex and error prone process that requires extensive and mature technology to accomplish successfully. Due to Lieberman Software s long history and legacy in the discovery and management of service and process accounts, the breadth and depth of ERPM s service account auto-discovery, change and propagation technology is unrivaled. Service account management is a key differentiator; ERPM is the only solution which will automate the discovery of service/process accounts in subsystems and show the interdependencies.

3 Propagation Settings ERPM provides sophisticated off-the-shelf and customized propagation settings. ERPM enables you to configure propagation steps that are appropriate for your environment you specify what subsystems on which target computer(s) should be checked for needed updates when a service or process password change job runs. Custom Propagations With ERPM s custom propagations, you can change service and process account passwords in applications, scripts, files, and all the places where the accounts are linked. Custom propagations can be deployed on Windows and in the cross platform environment to include Linux/Unix, Mainframe, Databases, etc. ERPM leverages the following methods for custom propagations: String Replacements in Files ERPM can manage both text based and binary (executable) type files. This action can be performed against either Windows or Linux/UNIX systems, and an unlimited number of files may be added to the target list and managed. Arbitrary Processes This allows a custom command line application to be run to update credentials, and the process can perform any action such as updating another program, process, file, location with new credentials, running another program, etc. Arbitrary Processes can also perform customized account enumerations. Aggregation of Multiple Base Types ERPM allows for a custom propagation to be defined that contains multiple steps where those steps must be taken in a particular order. A common use case includes resetting a COM object prior to running an arbitrary program, prior to resetting a service. Local Cache for Java Client The Java SDK that ships with ERPM permits the local caching of managed passwords for use by scripts, applications, and other processes. The Local Cache for Java Client custom propagation examines the credentials stored in the Lieberman Java Client SDK found previously installed on target system. Accounts in.net Config Files ERPM examines the.net configuration files made available via the default Microsoft.NET management API, and automatically includes native encryption found in.net.

4 Services and Clustered Services Lieberman Software s long legacy of managing service accounts provides technology to handle complex clustered services and does so via Microsoft's cluster management API. ERPM examines all services via the Service Control Manager (SCM). When services are found running as the target account, the dependencies will be examined as will usage for clustering. If dependencies are identified, they will be stopped (if running) in the proper order, the root service will be changed, then all services (that were running) will be restarted automatically to avoid lockouts. Update Logon Cache ERPM will update the Windows logon cache and place the target account into the logon cache of the system. The goal of this propagation is to ensure that any services, tasks or other processes that rely on the target account will continue to run regardless of domain controller availability. This ensures things like backup jobs, AV updates and the like continue to occur until the domain controller can come back online for proper authentication. Update Auto Logon Account ERPM examines the credentials configured on Windows systems that attempt to auto login. Auto Logon account configuration is stored in clear text in the registry of the system allowing the auto logon. Typically, companies that make use of point of sales systems or automatic system controls, like machinery, or kiosks, will make use of auto-login accounts. Windows Scheduler Task RunAs Identities - examines the credentials configured to run the various scheduled tasks on Windows systems. Windows Scheduler AT Service Account - examines the credentials configured to run the scheduling system on Windows systems. COM+ Application Identities - examines the credentials configured to run the various COM applications on Windows systems. DCOM Object RunAs Identities - examines the credentials configured to run the various DCOM applications on Windows systems. IIS6 Metabase Account Info - examines the credentials configured to run the various IIS 6 components on Windows systems. IIS 6 Metabase info checks for anonymous account configuration, and usage for application pools. When application pools are changed, they will also be restarted. IIS7 Account Info - examines the credentials configured to run the various IIS 7 components on Windows systems. IIS 7 info checks for anonymous account configuration, and usage for application pools. When application pools are changed, they will also be restarted. This step also examines IIS 7.5 (Windows 7 and 2008 R2).

5 SCOM Run As Accounts - examines the credentials configured to run the Run As accounts configured within Microsoft System Center Operations Manager (SCOM) 2007 and later. This propagation will examine the Run As accounts via the WMI interface created by SCOM when SCOM is installed. Credentials in SQL Server - examines the credentials configured for external connection in a Microsoft SQL Server instance. This propagation will examine and propagate to credentials under the credentials node in SQL Server Management Studio using OLEDB connections and calls. Credentials in J2EE, Oracle/BEA WebLogic, IBM WebSphere and others full autodiscovery, management and propagation. Propagation Scope ERPM s propagation scope options include to limit the propagation to only the system where the account exists, to propagate to all systems in a managed group, and for Windows systems, to propagate to systems in trusting domains (including the local domain) which will examine all trust relationships to determine if the account is in use cross-domain, and further, to limit that propagation to only managed systems. ERPM The Only Automated Solution Service account management is a key differentiator for ERPM. Competing privileged identity management solutions only offer manual options for cataloging Windows services and their accounts. ERPM reduces the amount of manual labor and will effectively discover and manage service and process accounts through its auto-discovery and built-in propagation capabilities. Through auto-discovery and propagation, ERPM will effectively reduce the amount of manual labor required to manage service and process and accounts, and avoid costly lockouts. With ERPM, organizations can take a proactive, automated approach to managing service and process accounts, thus eliminating manual change control procedures. Reduce the operational burden of manually cataloging Windows service account locations, and free up IT support staff focus on other, more strategic responsibilities. ERPM is fully automated and adapts to your dynamic and evolving IT environment. Immediately and over time, ERPM reduces the costs and burden of an inferior solution that does not provide the same level of automation.

6 About Lieberman Software Lieberman Software has been developing and delivering security management solutions since our first commercial product was released in We are the oldest and most experienced vendor in the privileged identity management space. We leverage our years of experience to offer the fastest deployment and lowest operational costs available in the market. Competing products are not comparable with us in these areas simply because we ve been doing it longer. Our clients find that our strategic automated discovery and service account management are far superior for supporting large, dynamic, complex environments. By automating time-intensive administration tasks, Lieberman Software increases control over the IT infrastructure, reduces security vulnerabilities, improves productivity, and ensures regulatory compliance. Headquartered in Los Angeles, CA, Lieberman Software is a mature, profitable company with over 1200 enterprise customers including: AT&T, BlueCross BlueShield, Carnegie Mellon, CSC, Deloitte & Touche, HP, IBM, Mattel, Sears, UCLA, UPS, USDA, and VISA. All software development is done in the US. A managed Microsoft Gold Certified Partner, we also work with ArcSight, Cisco, Dell, Hewlett-Packard, IBM, Intel, Novell, Oracle, Red Hat, Thales and other technology companies in varying capacities.