Hitachi ID Privileged Access Manager - Introduction and Advanced Concepts

Introductory and advanced Hitachi ID Privileged Access Manager training is available.

Topics in this course include:
Install the software

  • Install replica

Targets and auto-discovery

  • AD target (source of profiles)
  • AD target (source of computers)
  • Configure the system to omit disabled accounts (for login)
  • Configure the system to "manage" all AD groups (for ACLs)
  • Run and troubleshoot psupdate
  • Log viewer

Manual targets and intro to policies

  • Configure a manual WinNT target
  • Configure a manual Linux target
  • Configure a simple MSP for these two targets
    • password policy and randomization schedule
    • account names to include
    • plug-ins to support (cmd-line/putty + RDP)
    • checkout limits
  • Configure a simple User Class for a few users
  • Link the MSP to the User Class to get ACLs
  • Run psupdate to get passwords randomized
  • Show logs and reports that illustrate what happened

Basic user experience

  • Sign into the UI with AD creds
  • Check out access
  • Check out access and launch RDP to one system
  • Check out access and launch SSH to one system
  • Run reports to show that this activity was captured

Infrastructure auto-discovery and import rules

  • Introduce a bunch of fake computers on AD
  • Introduce the simulator for WinNT targets
  • Show the 'discovered systems' and 'system attributes' data that gets loaded into PAM
  • Define some import rules
  • Run through and troubleshoot discovery/import/management
  • Use the simulator to introduce daily evolution of the infrastructure
  • Show that the system responds during psupdate with appropriate discovery and management/unmanagement
  • Discuss "unmanage" rules -- e.g., for systems that have been offline for too long.

Ongoing support and maintenance

  • Show the HiPAM dashboard
  • Implement exit traps for various types of failures
    • replication problems
    • psupdate problems
    • failed authentication and authorization
  • Show and use reports:
    • who checked out what?
    • who got rejected?
    • who is busy vis-a-vis the system?

Introduce pull mode

  • Motivation
    • laptops
    • mobility, NAT, firewalls, powerdown, etc.
    • scalability (tens of thousands of systems)
  • Configure and deploy MSI to a WinXP and a Win7 client

Workflow for one-off requests

  • Discuss scenarios: where/when to use workflow
  • Request attributes and attribute validation
  • Selecting authorizers (focus on userclass, not plug-ins)
  • Consensus (N of M) and veto power
  • Automatic reminder e-mails
  • Automatic escalation after non-response
  • Early escalation (e.g., if authorizer is out of office)
  • Reports and dashboards: what's going on in the workflow engine?
  • The roles of workflow and delegation managers

Service accounts on Windows

  • Intro to the Windows security model (why do we have to manage these darned things?)
  • Cases where service accounts are already managed by Windows (IIS, SCM in some cases)
  • Server-local accounts
  • Domain-level accounts and special challenges due to Microsoft "best practices"
  • Using updsvcpass
  • Reports to find service accounts and see how they are used

Embedded accounts and passwords

  • Intro to the problem of embedded passwords in programs and scripts
  • Alternative solution approaches:
    • modify the app to use an API to fetch a current password
    • leave the password where it lies and push new values into the cfg file or similar
  • Security catch-22:
    • authenticating users into the API?
    • caching passwords and securing the cache
  • Introduce the HiPAM API:
    • API-enabling users
    • OTP in authentication
    • IP subnet filtering (CIDR masks)
  • The need for an API wrapper
    • Generating key material with which to obscure cached passwords and OTPs
    • Caching and serialization
    • Simplifying use of the API
  • Give them a sample .NET and a sample Java API wrapper (we have both)

Session monitoring

  • Basic concepts
  • Limiting scope by system (attaching to MSP)
  • Limiting scope by user (enable/disable via plug-in)
  • Limiting scope by data type (settings at the MSP level)
  • Boundary conditions (temporary trust and password display, where users can skip the ActiveX to launch a login)
  • Sizing considerations (10 kbytes per active screen per second)
  • Privacy protection (right-to-search; right-to-playback) -- leverage user classes and workflow again.
  • Demonstration (show a session being recorded and played back)