
Infrastructure Auto-discovery - Hitachi ID Privileged Access Manager

Finding and Auto-configuring Servers

In organizations with large numbers of servers or other systems (e.g., databases, routers, etc.), it is clearly desirable to auto-discover and auto-maintain the list of systems, and the list of accounts to manage on each managed system, rather than manually adding and maintaining thousands of separate target systems and accounts.

To auto-discover systems, most organizations pull data from an Active Directory or LDAP directory. The same data can be imported from multiple CSV or SQL sources -- for example, from the corporate CMDB or from Cisco ACS (for network devices). Computer objects or equivalent records discovered in the inventory system are classified based on their attributes and automatically managed (or not) and attached to appropriate managed system policies, which specify password change frequency, access control rules, access disclosure methods, etc.

A second auto-discovery process probes each managed system to find accounts that should be managed. On most systems, a list of local users and groups is generated. On Windows systems specifically, this process also lists services, scheduled jobs, IIS objects (e.g., anonymous users, application pools, etc.) and DCOM objects and records which account is used to run each of them. Import rules determine which of these accounts will be managed by Hitachi ID Privileged Access Manager (e.g., based on account attributes, group membership, security IDs, account/service relationships, etc.) and which managed system policies to assign to each managed account.
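As an added illustration of the per-system probe described above (example code, not Hitachi ID's own): a PowerShell script that lists the accounts running services and scheduled tasks on one Windows host and applies simple import rules to them. IIS and DCOM enumeration are omitted, and the policy names are assumed placeholders.

```powershell
# Added example, not Hitachi ID code: enumerate the accounts that run services and
# scheduled tasks on this Windows host, then apply illustrative import rules.
# Run in an elevated PowerShell session on the host being probed.

# Built-in identities have no rotatable password, so they are never imported.
$BuiltIn = @('LocalSystem', 'SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE',
             'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LocalService',
             'NT AUTHORITY\NetworkService', 'NT AUTHORITY\LOCAL SERVICE',
             'NT AUTHORITY\NETWORK SERVICE')

function Get-ServiceRunAs {
    # Service Control Manager: StartName is the log-on account of each service.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -and ($BuiltIn -notcontains $_.StartName) } |
        ForEach-Object { [pscustomobject]@{ Account = $_.StartName; Consumer = "service:$($_.Name)" } }
}

function Get-TaskRunAs {
    # Task Scheduler: Principal.UserId is the account a task runs under.
    Get-ScheduledTask |
        Where-Object { $_.Principal.UserId -and ($BuiltIn -notcontains $_.Principal.UserId) } |
        ForEach-Object { [pscustomobject]@{ Account = $_.Principal.UserId; Consumer = "task:$($_.TaskName)" } }
}

function Invoke-AccountImportRules {
    # Import rules (policy names are assumed placeholders): a local account that a
    # service or task depends on must have each new password pushed to SCM / Task
    # Scheduler, an unused local account is simply rotated, and a non-local (domain)
    # account is only reported, for the directory-level discovery to handle.
    $usage      = @(Get-ServiceRunAs) + @(Get-TaskRunAs) | Group-Object -Property Account
    $localUsers = @(Get-LocalUser | Where-Object Enabled)
    foreach ($u in $localUsers) {
        $pattern   = "(^|\\)$([regex]::Escape($u.Name))$"   # matches 'svc', '.\svc', 'HOST\svc'
        $consumers = @($usage | Where-Object Name -match $pattern | ForEach-Object { $_.Group.Consumer })
        $policy    = if ($consumers.Count -gt 0) { 'rotate-and-propagate' } else { 'rotate-only' }
        [pscustomobject]@{ Account = $u.Name; SID = $u.SID.Value
                           Consumers = ($consumers -join ';'); Policy = $policy }
    }
    foreach ($g in $usage) {
        if ($localUsers.Name -notcontains (($g.Name -split '\\')[-1])) {
            [pscustomobject]@{ Account = $g.Name; SID = ''
                               Consumers = ($g.Group.Consumer -join ';'); Policy = 'report-only' }
        }
    }
}

Invoke-AccountImportRules | Format-Table -AutoSize
```

Accounts classified as rotate-and-propagate are the ones for which a password change would break a service or task unless the new value is also written back to SCM or the scheduler.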

Alternatives to Active Directory- or LDAP-driven computer object lists include DNS queries or zone transfers, IP port scans of specific subnets and data imports from an inventory management system.

Privileged Access Manager also includes an automated mechanism to inform programs that store a copy of passwords of new password values. A plug-in program is provided to connect to Windows servers after each password change and automatically update Service Control Manager, Windows Scheduler, IIS or DCOM with new password values.

The Privileged Access Manager auto-discovery process is massively multi-threaded. It is able to list, classify and probe over 10,000 systems per hour. The entire process is usually scheduled to run daily.

Finding and Auto-configuring Workstations

In organizations that deploy the Privileged Access Manager local workstation service, there is no need to manually configure client devices in the Privileged Access Manager database. Instead, the local workstation service is installed on devices through one of several means:

  1. By being made a part of the standard PC software image.
  2. By being distributed through a system such as SMS.
  3. By being distributed using an Active Directory Group Policy Object (AD GPO).

Once installed, the Privileged Access Manager local workstation service automatically starts and registers itself, along with all local user accounts, with the central Privileged Access Manager server cluster.

The software installation MSI package is constructed on the Privileged Access Manager server and includes information about the Privileged Access Manager server URL, what managed system policies PCs should be attached to, etc. This means that software installation can be fully automated and does not present a user interface.

A similar approach is used to deliver .tar format installation packages to Unix and Linux systems.

Read More:

  • Network Architecture:
    How user PCs, servers, network devices, multiple, replicated Privileged Access Manager nodes and other elements interact on the network.
  • Replicated Credential Vault:
    Replicated storage of passwords to privileged accounts in multiple, physically distant, encrypted vaults.
  • Included Connectors:
    Systems on which Privileged Access Manager can discover accounts, randomize passwords and launch login sessions.
  • Infrastructure Auto-discovery:
    Automatically finding and classifying workstations, servers, applications and network devices as well as privileged accounts and services on each one.
  • Non-target integrations:
    Integrations between Privileged Access Manager and IT infrastructure where it may not be managing passwords or privileged access -- such as e-mail systems, incident management applications and more.
  • Workflow Requests and Approvals:
    Enabling users to request and approve one-off access to sensitive accounts.
  • Concurrent Access to Accounts:
    Limiting how many administrators can simultaneously manage a system and keeping administrators informed of one another's activity.
  • Single Sign-on Mechanisms:
    Options for connecting users to privileged accounts, through credential injection, trust manipulation and temporary group membership, all without displaying passwords from the vault.
  • Server requirements:
    Sizing, configuration and number of servers on which to deploy Privileged Access Manager.
  • Scalability:
    Scaling to manage passwords across millions of devices.
  • Emergency access:
    Access to Privileged Accounts During Emergencies.
  • Language Support:
    A list of languages supported in the web portal.