
Password History

Error checking guards against a password being set on a managed system before the Hitachi ID Privileged Access Manager server has stored the password value: a PC or server can never receive a new password for a privileged account while Privileged Access Manager is unable to store it.

Consider a laptop on which the local Privileged Access Manager service determines that it is time to change passwords:

If it simply changed the password and then tried to contact the central server to upload the new value, it might fail to reach Privileged Access Manager. It would then have to either undo the password change, or keep the new password locally and poll for connectivity in the hope of uploading it before anyone needs to use the account.

To avoid this problem, Privileged Access Manager's "local service mode" (the mode of operation used on laptops) works as follows:

  1. First, the laptop service connects to Privileged Access Manager and asks it to generate a new, random password for a privileged account.
  2. The laptop service then changes the password in the local security database and sends a confirmation message to Privileged Access Manager.
  3. Privileged Access Manager updates the password in its vault and replicates the update to all other Privileged Access Manager servers.

In the event that the Privileged Access Manager server did not receive a confirmation message -- for example in the event that the PC was suddenly turned off or disconnected -- it will retain both the old and new passwords. The new password is assumed to be current and the old password is archived.

As a fail-safe, all old passwords are retained in the vault. This is not only to support a fail-safe password change process, but also to be able to retrieve old password values in the event that a managed system is restored from archive media in the future.
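The three-step exchange above, the lost-confirmation case, and the "retain every old value" rule are easier to reason about as a small state model. The following is an added example written for this page, not Hitachi ID code: `Vault`, `AccountRecord`, `LocalSecurityDatabase` and `rotate` are constructed stand-ins with assumed names, and the vault keeps three things per account (an unconfirmed `pending` value, the confirmed `current` value, and a `history` of superseded values). The property it demonstrates is that the vault is written before the endpoint changes anything, so whatever state the laptop is left in, one of the retained values still opens the account.

```python
"""Constructed model of local service mode and the vault's fail-safe retention.
Not Hitachi ID code; all class and function names are assumptions."""
import secrets
import string
from dataclasses import dataclass, field
from typing import Callable, Optional

ALPHABET = string.ascii_letters + string.digits + string.punctuation


@dataclass
class AccountRecord:
    current: Optional[str] = None        # last value the endpoint confirmed it applied
    pending: Optional[str] = None        # generated and stored, confirmation not yet received
    history: list = field(default_factory=list)  # every superseded value, oldest first


class Vault:
    """Stand-in for the server-side vault (hypothetical, constructed for this example)."""

    def __init__(self) -> None:
        self.accounts: dict = {}

    def enroll(self, account: str, known_password: str) -> None:
        self.accounts[account] = AccountRecord(current=known_password)

    def generate(self, account: str, length: int = 24) -> str:
        # Step 1: the value is stored in the vault BEFORE the endpoint changes
        # anything, so no endpoint can hold a password the vault never recorded.
        rec = self.accounts[account]
        rec.pending = "".join(secrets.choice(ALPHABET) for _ in range(length))
        return rec.pending

    def confirm(self, account: str, password: str) -> None:
        # Step 3: promote pending to current and archive the superseded value.
        rec = self.accounts[account]
        if rec.pending != password:
            raise ValueError("confirmation does not match the pending value")
        if rec.current is not None:
            rec.history.append(rec.current)
        rec.current, rec.pending = password, None

    def candidates(self, account: str) -> list:
        # Newest first: an unconfirmed pending value is assumed to be current,
        # then the last confirmed value, then the archive (most recent first).
        rec = self.accounts[account]
        return (([rec.pending] if rec.pending else [])
                + ([rec.current] if rec.current else [])
                + rec.history[::-1])

    def recover(self, account: str, works: Callable[[str], bool]) -> Optional[str]:
        # Try every retained value, newest first, until the target accepts one.
        # This is also how a system restored from old backup media is reopened.
        for pw in self.candidates(account):
            if works(pw):
                return pw
        return None

    def reconcile(self, account: str, works: Callable[[str], bool]) -> Optional[str]:
        # When the laptop reconnects after a lost confirmation: if the pending
        # value was actually applied, treat this as the late confirmation.
        rec = self.accounts[account]
        if rec.pending is not None and works(rec.pending):
            self.confirm(account, rec.pending)
        return rec.current


class LocalSecurityDatabase:
    """Constructed stand-in for the endpoint's local account store."""

    def __init__(self, password: str) -> None:
        self._password = password

    def set_password(self, password: str) -> None:
        self._password = password

    def check(self, password: str) -> bool:
        return secrets.compare_digest(self._password, password)


def rotate(vault: Vault, local_db: LocalSecurityDatabase, account: str,
           confirmation_delivered: bool = True) -> str:
    """Run the three steps of local service mode. confirmation_delivered=False
    models the laptop being powered off or disconnected between steps 2 and 3."""
    new_pw = vault.generate(account)           # step 1: vault stores the value first
    local_db.set_password(new_pw)              # step 2: endpoint changes it locally
    if confirmation_delivered:
        vault.confirm(account, new_pw)         # step 3: vault promotes and archives
    return new_pw


if __name__ == "__main__":
    acct = "LAPTOP01\\Administrator"           # constructed sample account
    vault, db = Vault(), LocalSecurityDatabase("initial-pw")
    vault.enroll(acct, "initial-pw")
    rotate(vault, db, acct)
    rotate(vault, db, acct, confirmation_delivered=False)
    print("recovered after lost confirmation:", vault.recover(acct, db.check) is not None)
```

Two edge cases are worth tracing by hand: a confirmation lost after step 2 leaves `pending` set and `current` stale, and `candidates()` tries the pending value first; a value generated in step 1 but never applied (laptop lost power before step 2) is also left in `pending`, fails the check, and the vault falls back to `current`. In both cases the account stays reachable without the endpoint ever holding a password the vault does not know.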

Read More:

  • Randomize Privileged Passwords:
    Privileged Access Manager periodically randomizes passwords on privileged accounts.
  • Launch Privileged Login Sessions:
    Privileged Access Manager launches login sessions to privileged accounts subject to access control policies and/or workflow approvals.
  • Limit Concurrent Administrator Logins:
    Privileged Access Manager controls how many people can sign into the same privileged account at the same time using a checkout/checkin process.
  • Record Administrator Logins:
    Privileged Access Manager can record the login sessions it launches for users to sign into privileged accounts. These recordings are both a forensic audit trail and a knowledge sharing resource.
  • Password History:
    Privileged Access Manager captures a full history of passwords for privileged accounts. This is useful when recovering servers and databases from backup media.
  • Audit Logs and Reports:
    Login sessions to privileged accounts are logged by Privileged Access Manager and visible in reports. This makes administrators accountable for changes they may make to systems and applications.
  • Eliminate Embedded Passwords:
    Privileged Access Manager allows organizations to eliminate static, plaintext passwords embedded in applications. An API allows applications to securely acquire credentials to other applications on demand.
  • Change Service Account Passwords:
    Privileged Access Manager periodically changes passwords for accounts used to run Windows services and notifies appropriate OS components, such as service control manager and scheduler, of the new password value.