In organizations with large numbers of servers or other systems (e.g., databases, routers, etc.), clearly it is desirable to auto-discover and auto-maintain a list of systems and lists of accounts to manage on each managed system, rather than manually adding and maintaining thousands of separate target systems and accounts.
To auto-discover systems, most organizations pull data from an Active Directory or LDAP directory. The same data can be imported from multiple CSV or SQL sources -- for example, from the corporate CMDB. Computer objects or equivalent records discovered in the inventory system are classified based on their attributes and automatically managed (or not) and attached to appropriate managed system policies, which specify password change frequency, access control rules, access disclosure methods, etc.
A second auto-discovery process probes each managed system to find accounts that should be managed. On most systems, a list of local users and groups is generated. On Windows systems specifically, this process also lists services, scheduled jobs, IIS objects (e.g., anonymous users, application pools, etc.) and DCOM objects and records which account each of them runs as. Import rules determine which of these accounts will be managed by Hitachi ID Privileged Access Manager (e.g., based on account attributes, group membership, security IDs, account/service relationship, etc.) and which managed system policies to assign to each managed account.
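The two passes above (classify inventory records into managed system policies, then apply import rules to the accounts found on each system) can be modelled as a small rule engine. The following Python is an added illustration, not Hitachi ID code: the inventory records, the probe result, the OU names, SIDs, policy names and rotation intervals are all constructed for the example, and the rules are hypothetical stand-ins for whatever a deployment would configure. It also records the account/service relationship, since that is what a post-rotation plug-in needs in order to know which Service Control Manager or Scheduler entries to update.

```python
"""Rule-based classification of discovered systems and accounts.

Added illustration (not Hitachi ID code): models the two discovery passes
with constructed inventory and probe data. Attribute names, OUs, SIDs,
policy names and rotation intervals are made up for the example.
"""

# Constructed sample of computer objects, as they might be exported from
# AD/LDAP or a CMDB (attribute names are hypothetical).
INVENTORY = [
    {"name": "DB01", "os": "Windows Server 2019", "ou": "OU=Servers,OU=Prod", "enabled": True},
    {"name": "WEB02", "os": "Windows Server 2016", "ou": "OU=Servers,OU=Prod", "enabled": True},
    {"name": "LAB-VM7", "os": "Windows 10", "ou": "OU=Lab", "enabled": True},
    {"name": "OLD-FS", "os": "Windows Server 2008", "ou": "OU=Servers,OU=Prod", "enabled": False},
    {"name": "rtr-core-1", "os": "IOS", "ou": "network", "enabled": True},
]

# Hypothetical managed system policies: the settings a classified system inherits.
POLICIES = {
    "prod-windows": {"rotate_days": 30, "disclosure": "checkout"},
    "network-devices": {"rotate_days": 90, "disclosure": "checkout"},
}


def classify_system(obj):
    """First pass: map one computer object to a policy name, or None (leave unmanaged)."""
    if not obj["enabled"]:
        return None  # disabled/stale objects are skipped rather than probed
    if obj["os"].startswith("Windows Server") and "OU=Prod" in obj["ou"]:
        return "prod-windows"
    if obj["os"] in ("IOS", "JunOS"):
        return "network-devices"
    return None  # e.g. lab workstations: discovered but not managed


def discover_systems(inventory):
    """Return {system_name: policy_name} for every object the rules accept."""
    result = {}
    for obj in inventory:
        policy = classify_system(obj)
        if policy is not None:
            result[obj["name"]] = policy
    return result


# Constructed probe result for one managed Windows system: local accounts plus
# the services and scheduled tasks that run under them.
PROBE = {
    "system": "DB01",
    "accounts": [
        {"name": "Administrator", "sid": "S-1-5-21-1111-2222-3333-500", "groups": ["Administrators"]},
        {"name": "svc_sql", "sid": "S-1-5-21-1111-2222-3333-1105", "groups": ["Users"]},
        {"name": "Guest", "sid": "S-1-5-21-1111-2222-3333-501", "groups": ["Guests"], "disabled": True},
        {"name": "jdoe", "sid": "S-1-5-21-1111-2222-3333-1201", "groups": ["Users"]},
    ],
    "services": [{"name": "MSSQLSERVER", "run_as": "svc_sql"}],
    "scheduled_tasks": [{"name": "NightlyBackup", "run_as": "Administrator"}],
}


def classify_accounts(probe):
    """Second pass: decide which discovered accounts to manage and why.

    Returns {account_name: {"managed": bool, "reasons": [...], "consumers": [...]}}.
    "consumers" lists the services/tasks that run as the account, so a
    password-change plug-in knows what to update after a rotation.
    """
    consumers = {}
    for svc in probe["services"]:
        consumers.setdefault(svc["run_as"], []).append(("service", svc["name"]))
    for task in probe["scheduled_tasks"]:
        consumers.setdefault(task["run_as"], []).append(("scheduled_task", task["name"]))

    result = {}
    for acct in probe["accounts"]:
        reasons = []
        if not acct.get("disabled"):  # disabled accounts are recorded but not onboarded
            if acct["sid"].endswith("-500"):
                reasons.append("built-in administrator (RID 500)")
            if "Administrators" in acct["groups"]:
                reasons.append("member of local Administrators")
            if acct["name"] in consumers:
                reasons.append("runs a service or scheduled task")
        result[acct["name"]] = {
            "managed": bool(reasons),
            "reasons": reasons,
            "consumers": consumers.get(acct["name"], []),
        }
    return result


if __name__ == "__main__":
    for name, policy in discover_systems(INVENTORY).items():
        print(f"{name}: policy={policy}, rotate every {POLICIES[policy]['rotate_days']} days")
    for name, info in classify_accounts(PROBE).items():
        status = "manage" if info["managed"] else "skip"
        print(f"{PROBE['system']}\\{name}: {status} {info['reasons']} {info['consumers']}")
```

Run as a script it prints the three systems that match a policy and, for DB01, marks Administrator and svc_sql for management (each with the service or task that depends on it) while leaving the disabled Guest account and the ordinary user jdoe alone. In a real deployment the same rule structure would be driven by the product's configured import rules rather than hard-coded conditions.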
Alternatives to Active Directory- or LDAP-driven computer object lists include DNS queries or zone transfers, IP port scans of specific subnets and data imports from an inventory management system.
Privileged Access Manager also includes an automated mechanism to notify programs that store a copy of a password of its new value. A plug-in program is provided that connects to Windows servers after each password change and automatically updates the Service Control Manager, Windows Scheduler, IIS or DCOM entries that use the account with the new password.
The Privileged Access Manager auto-discovery process is massively multi-threaded. It is able to list, classify and probe over 10,000 systems per hour. The entire process is usually scheduled to run daily.
In organizations that deploy the Privileged Access Manager workstation service, there is no need to manually configure client devices in the Privileged Access Manager database. Instead, the workstation service is installed on devices through one of several means:
Once installed, the Privileged Access Manager workstation service automatically starts and registers itself, along with all local user accounts, with the central Privileged Access Manager server cluster.
The software installation MSI package is constructed on the Privileged Access Manager server and includes information about the Privileged Access Manager server URL, what managed system policies workstations should be attached to, etc. This means that software installation can be fully automated and does not present a user interface.
A similar approach is used to deliver .tar format installation packages to Unix and Linux workstations.