Finding and classifying fixed assets

In organizations with large numbers of servers or other systems (e.g., databases, routers, etc.), it is desirable to automatically discover and manage and the list of integrations in Hitachi ID Privileged Access Manager and the list of accounts to manage on each managed system, rather than manually adding and maintaining thousands of separate target systems and accounts.

To automatically discover systems, most organizations pull data from an Active Directory or LDAP directory. The same data can be imported from multiple CSV or SQL sources -- for example, from the corporate CMDB or from Cisco ACS (for network devices). Computer objects or equivalent records discovered in the inventory system are classified based on their attributes and automatically managed (or not) and attached to appropriate managed system policies, which specify password change frequency, access control rules, access disclosure methods, etc.

A second auto-discovery process probes each managed system to find accounts that should be managed. On most systems, a list of local users and groups is generated. Specifically on Windows systems, this process also lists services, scheduled jobs, IIS objects (e.g., anonymous users, application pools, etc.) and DCOM objects and see what accounts are used to run each of them. Import rules determine which of these accounts will be managed by Privileged Access Manager (e.g., based on account attributes, group membership, security IDs, account/service relationship, etc.) and which managed system policies to assign to each managed account.

Alternatives to Active Directory- or LDAP-driven computer object lists include DNS queries or zone transfers, IP port scans of specific subnets and data imports from an inventory management system.

Privileged Access Manager also includes an automated mechanism to inform programs that store a copy of passwords of new password values. A plug-in program is provided to connect to Windows servers after each password change and automatically update Service Control Manager, Windows Scheduler, IIS or DCOM with new password values.

The Privileged Access Manager auto-discovery process is massively multi-threaded. It is able to list, classify and probe over 10,000 systems per hour. The entire process is usually scheduled to run every 24 hours.

Import rules automatically onboard discovered systems and accounts

Privileged Access Manager allows administrators to define three types of import rules:

  1. Target system import rules -- determine which systems which were discovered (e.g., because they appeared in AD, LDAP or a CSV file) should be managed at all. In other words, convert systems which were merely discovered (known to exist) to target systems (with which Privileged Access Manager will communicate).

    Target systems are assigned credentials, which may be inherited from the source system (e.g., use AD credentials to connect to Windows systems), may be provided by a template system or may be returned by a lookup process in a plug-in program.

    Target systems are regularly probed to find accounts, security groups, services and service account dependencies. The output of these probes are visible in reports and used to drive further import rules (below).

  2. Managed system import rules -- determine which target systems (above) should be attached to or removed from which managed system policy.

  3. Managed account import rules -- determine which accounts that appeared in a target system probe (local accounts or domain-level, as AD domains are also probed) should be managed.

Import rules are based on all available data. For example, target system import rules are based on attributes of the discovered system, provided by the source system (AD, CMDB, etc.). Managed system import rules are based on the same attributes plus data from the system itself -- IP addresses, MAC addresses, etc. Managed account import rules are based on the same attributes as the managed system where the account was discovered, plus account attributes -- ID, description, group memberships, services running in the security context of the account, etc.

Import rules can be to manage or unmanage a system or account. For example, an import rule can be written to automatically unmanage a system which has been unresponsive for a given number of days.

The most important part of configuring and managing Privileged Access Manager is developing, testing and monitoring the execution of import rules.

Local agents on laptops, that call home

In organizations that deploy the Privileged Access Manager local workstation service, there is no need to manually configure client devices in the Privileged Access Manager database. Instead, the local workstation service is installed on devices through one of several means:

  1. By being made a part of the standard PC software image.
  2. By being distributed through a system such as SMS.
  3. By being distributed using an Active Directory Group Policy Object (AD GPO).

Once installed, the Privileged Access Manager local workstation service automatically starts and registers itself, along with all local user accounts with the central Privileged Access Manager server cluster.

The software installation MSI package is constructed on the Privileged Access Manager server and includes information about the Privileged Access Manager server URL, what managed system policies PCs should be attached to, etc. This means that software installation can be fully automated and does not present a user interface.

A similar approach is used to deliver .tar format installation packages to Unix and Linux systems.