NetWrix Privileged Account Manager Version 4.1 Administrator Guide


Table of Contents

1. Introduction

2. Deploying

   2.1 System Requirements

      2.1.1 Management Server

      2.1.2 Configuring Windows Components

      2.1.3 Client Computers

   2.2 Planning

   2.3 Installing the Management Server

      2.3.1 Default Installation Folders, Virtual Directory, and Startup Shortcuts

   2.4 Configuring the Product Database

   2.5 Assigning Security Roles

   2.6 Configuring Administration Settings

   2.7 Configuring Folders and Password Maintenance

      2.7.1 Creation of Child Folders

      2.7.2 Configuring Password Maintenance Settings

3. Using Account Manager

   3.1 Accessing Account Manager

   3.2 Adding New Managed Accounts

      3.2.1 Adding an Account

      3.2.2 Adding a Set of Accounts

   3.3 Obtaining an Account Password

   3.4 Viewing Audit Information

      3.4.1 Viewing Reports on Accessing Account Password

      3.4.2 Viewing Advanced SSRS Reports

4. Contacting NetWrix

5. Disclaimer


1. Introduction

NetWrix Privileged Account Manager (also known as Account Manager or PAM) is an easy-to-deploy Web-based application that provides a secure facility for management of shared administrative accounts (referred to as managed accounts in this guide) in your organization. With the help of Account Manager you can:

• Provision, deprovision, and automatically update the account passwords;

• Synchronize account passwords and Windows Services\Scheduled Tasks running under those accounts;

• Audit access to all managed accounts.

This document is intended to assist you to deploy and use the product.

For more information about Account Manager and sample scenarios of use, see http://www.netwrix.com/privileged_password_management.html


2. Deploying

The process of deploying the product includes the following steps:

• Considering system requirements

• Planning

• Installing

• Configuring the product database

• Assigning security roles

• Configuring administration settings

• Configuring password maintenance settings

2.1 System Requirements

The computer on which you install Account Manager is referred to as the management server, while the computers from which you access the management server are referred to as client computers. These computers must comply with the system requirements listed below.

2.1.1 Management Server

The management server can run any of the following operating systems: Windows XP, Windows 2003 Server, Windows 2003 Server R2, Windows Vista, Windows 7, and Windows 2008 Server R2.

You must install and configure the following additional software:

• Internet Information Services

At least one active IIS website must run. By default, the IIS configuration includes Default Web Site. If you have deleted or disabled the IIS websites, it is necessary to get at least one of them up and running.

• ASP .NET

• .NET Framework 3.5


2.1.2 Configuring Windows Components

This section describes procedures you should complete on the management server to properly configure the required Windows components. These procedures depend on the actual Windows version the management server runs on.

You must be logged on as an administrator, be a member of the Administrators group or have a local administrator role in order to complete the following procedures.

To configure Windows components on Windows XP:

1. Open Add or Remove Programs in Control Panel.

2. Click Add/Remove Windows Components.

3. Select Internet Information Services (IIS) and click Details.

4. Ensure that the Common Files and Internet Information Services Snap-In check boxes are selected, and then click OK to let Windows install the required components.

To configure Windows components on Windows 2003 Server:

1. Open Add or Remove Programs in Control Panel.

2. Click Add/Remove Windows Components.

3. Select Application Server and click Details.

4. If you use a 32-bit edition of Windows, ensure that the ASP .NET check box is selected.

5. Ensure that the Common Files and Internet Information Services Snap-In check boxes are selected, and then click OK to let Windows install the required components.

To configure Windows components on Windows Vista / Windows 7:

1. Open Turn Windows Features on or off in Control Panel.

2. Select the Internet Information Services check box, and then expand the Internet Information Services node.

3. Expand the Web Management Tools node, and ensure that the following check boxes are selected: IIS6 Management Compatibility (and all its child boxes); IIS Management Console; IIS Management Service.

4. Under Internet Information Services, expand the World Wide Web Services node, expand the Security node, and then select the Windows Authentication check box.

5. Click OK to let Windows install the required components.


To configure Windows components on Windows 2008 Server /2008 Server R2:

1. Start Server Manager.

2. In the console tree, select Roles, and then in the details pane, click Add Roles.

3. On the Select Server Roles page of the Add Roles wizard that starts, select the Web Server (IIS) check box and click Next.

4. Ensure that the ASP.NET, Windows Authentication, IIS6 Management Compatibility and all its child check boxes are selected.

5. Click Next, and then click Install.
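To confirm that the components listed in this section are actually present before running the installer, the following script is added here as an example; it is not part of the NetWrix guide. It assumes a Windows Server 2008 R2 management server with the ServerManager module, and it maps the display names used in the procedures above to that module's feature identifiers (the guide names the components by display name only); Test-PamPrerequisites is a name chosen for this example.

```powershell
# Added example, not NetWrix code: check the Windows components the guide
# requires on a Windows Server 2008 / 2008 R2 management server.
# Assumes the ServerManager module of that OS; the identifiers below are that
# module's feature names for the display names used in the guide's procedure.
Import-Module ServerManager

$requiredFeatures = @(
    'NET-Framework-Core',     # .NET Framework 3.5.1 (the guide's .NET Framework 3.5)
    'Web-Server',             # Web Server (IIS)
    'Web-Asp-Net',            # ASP.NET
    'Web-Windows-Auth',       # Windows Authentication
    'Web-Mgmt-Compat',        # IIS 6 Management Compatibility and its children:
    'Web-Metabase',           #   IIS 6 Metabase Compatibility
    'Web-WMI',                #   IIS 6 WMI Compatibility
    'Web-Lgcy-Scripting',     #   IIS 6 Scripting Tools
    'Web-Lgcy-Mgmt-Console'   #   IIS 6 Management Console
)

# Returns the names of required features that are not installed (empty = all present).
function Test-PamPrerequisites {
    param([string[]]$FeatureNames = $requiredFeatures)
    $missing = @()
    foreach ($name in $FeatureNames) {
        $feature = Get-WindowsFeature -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $feature -or -not $feature.Installed) { $missing += $name }
    }
    return $missing
}

$missing = Test-PamPrerequisites
if ($missing.Count -eq 0) {
    Write-Host 'All required Windows components are installed.'
} else {
    Write-Host "Missing components: $($missing -join ', ')"
    # To install them from an elevated session, uncomment the next line.
    # Add-WindowsFeature -Name $missing
}

# Section 2.1.1 also requires at least one started IIS web site (by default,
# Default Web Site). The WebAdministration module exists only once IIS is installed.
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    $started = @(Get-Website | Where-Object { $_.State -eq 'Started' })
    if ($started.Count -eq 0) {
        Write-Warning 'No IIS web site is started; start one (for example Default Web Site) before installing.'
    } else {
        $names = $started | ForEach-Object { $_.Name }
        Write-Host "Started IIS sites: $($names -join ', ')"
    }
}
```

Run it in an elevated PowerShell session on the management server; the feature identifiers differ on Windows XP, Vista and 7, where the guide's Control Panel procedures apply instead.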

2.1.3 Client Computers

You can access the PAM Web service from any network computer that meets the following minimum system requirements:

• Silverlight-compatible operating system and browser (such as Internet Explorer 6.0 or later)

• Microsoft Silverlight 4.0 or later

2.2 Planning

The following checklist helps you get ready for a smooth and trouble-free deployment of PAM.

Management Server: It is not recommended to install the management server on domain controllers.

Management account: When installing the product, you will be prompted to specify a user account to be used to run the scheduled task, connect to SQL Server (if you use Windows Authentication for accessing SQL) and get access to domain computers on which managed accounts are in use. This account must have domain administrator rights.

Microsoft SQL Server: The product requires Microsoft SQL Server. It can be installed on any available network computer. The following SQL Server versions are supported:

• Microsoft SQL Server 2005, including Express Edition

• Microsoft SQL Server 2008, 2008 R2


2.3 Installing the Management Server

To install the management server:

1. Run the installation package pamfull_setup.msi (for Standard Edition) or pamfree_setup.msi (for Freeware Edition).

2. On the Welcome page, click Next, and follow the on-screen instructions to proceed with the wizard.

3. On the Specify web site and virtual directory page, specify the names of the Web site and Virtual directory for IIS running on the management server. Click Next.

4. On the Management Account page, specify a User account to be used to access remote domain computers. Click Next, and then click Install to start the installation process.

5. On the Completion page, select the Start NetWrix Privileged Account Manager check box, and click Finish.

2.3.1 Default Installation Folders, Virtual Directory, and Startup Shortcuts

The product and related components are installed in the following folders:

• On management server: %ProgramFiles%\NetWrix\Privileged Account Manager.

Commonly, the default value of %ProgramFiles% is set to C:\Program Files on 32-bit systems, and to C:\Program Files (x86) on 64-bit systems.

The PAM Web service is installed in the PAM virtual directory (Default Web site) in Internet Information Services running on the management server.

The product installation adds the following shortcuts to the Start menu (that let you run PAM):

• Start > All Programs > NetWrix > Privileged Account Manager > Privileged Account Manager — for Commercial Edition.

• Start > All Programs > NetWrix Freeware > Privileged Account Manager > Privileged Account Manager — for Freeware Edition.


2.4 Configuring the Product Database

After completing the product installation process, you should configure the product database using the Privileged Account Manager Configuration Wizard that starts automatically.

If this wizard does not start automatically, run it on the management server using this startup shortcut: Start > All Programs > NetWrix > Privileged Account Manager > Configuration Database Settings

To complete the configuration wizard:

1. On the Welcome page, click Next.

2. On the Select SQL Server page, select one of the following options and click Next:

• Install and configure SQL Express: select this option if you have no SQL Server in your environment

• Use existing SQL Server instance: select otherwise

3. When prompted, specify the settings used for accessing SQL Server and its databases (the use of default values is recommended). Click Next, and then click Finish.


2.5 Assigning Security Roles

The product uses the role-based security model that allows you to assign access permissions to users based on their roles rather than on their individual identities. A role is a category of users who share the same security privileges. There are four security roles in PAM:

• System Administrator: Provides complete and unrestricted access to all features and permissions to configure all settings for the product. Predefined members: the Domain Administrator and Enterprise Administrator groups in the management server domain.

• Account Manager: Allows adding, removing and managing accounts and PAM folders.

• Account Operator: Allows obtaining current passwords for all managed accounts.

• Report Viewer: Allows viewing the PAM reports.

You can assign new roles, remove members from roles, and change current roles of specific accounts.

To assign a new security role:

1. In the product main window, expand the Security Roles node, and select the role to modify.

2. In the details pane, click Add Member.

3. In the Add Role Member dialog box, enter the account name in Domain\Login format, specify an optional description, and click OK.

To remove a member from a security role:

1. Perform Step 1 from the previous procedure.

2. In the details pane, select the account to remove, and click Delete.

To change an account role:

1. Perform Step 1 from the previous procedure.

2. In the details pane, select the account whose role you want to change, and click Move.

3. In the Move Role Member dialog box, select the new role for the account, and click OK.


2.6 Configuring Administration Settings

The product administration settings comprise the license information, the product database settings, and the password generation policy used when resetting the managed account passwords. You can configure these settings under the Administration node in the program main window.

To change the product license information:

1. Expand Administration and click License.

2. In the details pane, click Change License.

3. Select Enter license information, and then enter the appropriate information you have obtained from NetWrix.

To change the password generation policy:

1. Expand Administration and click Password Policy. The current password generation settings are displayed in the table under Allowed character categories.

2. To change the password generation settings, click Edit and complete the Password Policy – Default dialog box.

To view the currently used product database settings:

Expand Administration and click Database.

From the product main window, you can only view the product database settings. For information on how to change them, see Configuring the Product Database earlier in this guide.

2.7 Configuring Folders and Password Maintenance

Account Manager allows you to store managed accounts in virtual folders. By default, the product provides the Accounts root folder (see the screenshot of the main window in Accessing Account Manager later in this guide). Under Accounts, you can create any hierarchic structure of child folders. For each child folder, or even for any individual account, you can apply a specific password maintenance policy or let the account inherit policy settings from the parent folder. The password maintenance policy comprises such settings as the maximum duration of an account checkout, the schedule of password changes, etc.

This section explains how to create child folders and how to configure the password maintenance policy.

2.7.1 Creation of Child Folders

To create a child folder, open the product main window and under Accounts, select a parent folder.

Perform the following steps:

1. In the details pane, go to the Operations on this folder list.

2. Select Add Child Folder, and click Go.

3. In the Add Child Folder dialog box, specify the child folder name and click OK.


2.7.2 Configuring Password Maintenance Settings

To configure password maintenance settings applied to a folder, go to the product main window. Under Accounts, select that folder, and then perform the following steps:

1. In the details pane, go to the Operations on this folder list. Select Change Password Settings, and click Go.

2. In the Password Maintenance dialog box, specify the appropriate settings, and click OK.

This dialog box provides the following control elements:

Inherit password maintenance settings from parent folder: Inherits all settings from the parent folder. When selected, other settings in this dialog box take no effect.

Change password after check in: Causes PAM to change the account password each time it is checked in.

Maximum password checkout duration: Specifies the duration (in minutes) of the password check out operation. The account is automatically checked in after this time period has elapsed.

Automatically change password every: Specifies the password changes schedule.

You can also configure password maintenance settings applied to an individual account using the following procedure:

1. In the product main window, go to Accounts, and select the folder where the account resides.

2. In the details pane, select the account under Details and open the Password Maintenance tab.

3. Click Edit, and then complete the Password Maintenance dialog box.
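To make the inheritance rule and the checkout timer concrete, the following model of these settings as a folder tree is added here; it is example code, not part of the NetWrix guide or product. The folder and account names, the settings layout, and the Resolve-EffectivePolicy and Test-CheckoutExpired functions are this example's own assumptions, not the product's API.

```powershell
# Added example, not NetWrix code: a model of how Password Maintenance settings
# resolve through the folder hierarchy and when the checkout timer forces an
# automatic check-in. Names, layout and functions are assumptions of this
# example. Runs on PowerShell 2.0 or later.

# One entry per node. A folder's Parent is its parent folder; an account with
# its own settings is modelled as a leaf node whose Parent is its folder.
# Inherit = $true means every other setting of that node is ignored and the
# parent's effective settings apply (as the dialog box states).
$nodes = @{
    'Accounts' = @{
        Parent = $null; Inherit = $false
        ChangeAfterCheckIn = $true; MaxCheckoutMinutes = 60; ChangeEveryDays = 30
    }
    'Accounts\Servers' = @{
        Parent = 'Accounts'; Inherit = $true
        # Present but without effect, because Inherit is selected.
        ChangeAfterCheckIn = $false; MaxCheckoutMinutes = 480; ChangeEveryDays = 90
    }
    'Accounts\Servers\DomainControllers' = @{
        Parent = 'Accounts\Servers'; Inherit = $false
        ChangeAfterCheckIn = $true; MaxCheckoutMinutes = 15; ChangeEveryDays = 7
    }
    'Accounts\Servers\svc_backup' = @{          # an individual account (constructed)
        Parent = 'Accounts\Servers'; Inherit = $false
        ChangeAfterCheckIn = $true; MaxCheckoutMinutes = 120; ChangeEveryDays = 30
    }
}

# Walks up from $Node until a node that does not inherit is found and returns
# that node's settings; the root never inherits, so the walk always ends.
function Resolve-EffectivePolicy([string]$Node) {
    $current = $nodes[$Node]
    if ($null -eq $current) { throw "Unknown node '$Node'" }
    $source = $Node
    while ($current.Inherit -and $current.Parent) {
        $source  = $current.Parent
        $current = $nodes[$source]
    }
    New-Object PSObject -Property @{
        Node               = $Node
        PolicyFrom         = $source
        ChangeAfterCheckIn = $current.ChangeAfterCheckIn
        MaxCheckoutMinutes = $current.MaxCheckoutMinutes
        ChangeEveryDays    = $current.ChangeEveryDays
    }
}

# True once the maximum checkout duration has elapsed, i.e. the point at which
# the guide says the account is checked in automatically.
function Test-CheckoutExpired([datetime]$CheckedOutAt, [int]$MaxCheckoutMinutes, [datetime]$Now = (Get-Date)) {
    return $Now -ge $CheckedOutAt.AddMinutes($MaxCheckoutMinutes)
}

foreach ($n in 'Accounts\Servers', 'Accounts\Servers\DomainControllers', 'Accounts\Servers\svc_backup') {
    Resolve-EffectivePolicy $n | Format-List Node, PolicyFrom, MaxCheckoutMinutes, ChangeAfterCheckIn, ChangeEveryDays
}

# Checkout timer against the domain controllers' 15-minute limit.
$policy     = Resolve-EffectivePolicy 'Accounts\Servers\DomainControllers'
$checkedOut = [datetime]'2011-06-01 09:00'
Test-CheckoutExpired $checkedOut $policy.MaxCheckoutMinutes ([datetime]'2011-06-01 09:14')
Test-CheckoutExpired $checkedOut $policy.MaxCheckoutMinutes ([datetime]'2011-06-01 09:15')
```

In this model Accounts\Servers resolves to the settings of the Accounts root because it inherits, while the DomainControllers folder and the svc_backup account keep their own, shorter checkout limits; the two timer calls show the boundary at which the automatic check-in takes over.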


3. Using Account Manager

This section discusses a basic scenario that includes the following steps:

• Accessing the product Web interface

• Adding new managed accounts

• Obtaining an account password

• Viewing audit reports

3.1 Accessing Account Manager

You can access the product Web interface from the management server or from any network client computer that meets the appropriate system requirements.

To access the product Web interface, do one of the following:

• On a client computer, open the page http://%Account Manager% (such as http://web.mycompany.com/PAM) in Internet Explorer.

• On the management server, use the program startup shortcut (see Default Installation Folders, Virtual Directory, and Startup Shortcuts).

You will be prompted to specify a user account used to access PAM. This account must belong to PAM security roles (see Assigning Security Roles earlier in this guide).

The product main window is shown in the following screenshot:

[Screenshot: product main window]

To access the product functionality, use the links in the left pane:

• Accounts: Provides all operations on managed accounts, such as adding accounts, deleting accounts, and obtaining an account password.

• Security Roles: Assigns the PAM security roles to specific Windows accounts.

• Audit Reports: Provides access to the product audit reports.

• Administration: Sets up the product administration settings (License information, password generation policy, and the product database settings).
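Because access to PAM is tied to a Windows account that holds a PAM security role, a practitioner will want to confirm that the PAM application in IIS really has Windows Authentication enabled (the component the Configuring Windows Components section asks you to install). The following check is added as an example and is not part of the NetWrix guide; it assumes IIS 7.x with the WebAdministration module and the Default Web Site and PAM names from the installation section, and Get-PamAuthenticationState is a name chosen for this example.

```powershell
# Added example, not NetWrix code: read the effective authentication settings
# of the PAM application in IIS. Assumes IIS 7.x with the WebAdministration
# module; site and virtual directory names default to those in section 2.3.1.
Import-Module WebAdministration

# Older module versions return the raw value, newer ones a ConfigurationAttribute.
function ConvertTo-Bool($attr) {
    if ($attr -is [bool]) { return $attr } else { return [bool]$attr.Value }
}

function Get-PamAuthenticationState {
    param(
        [string]$SiteName = 'Default Web Site',
        [string]$AppPath  = 'PAM'
    )
    $psPath = "IIS:\Sites\$SiteName\$AppPath"
    if (-not (Test-Path $psPath)) {
        throw "Virtual directory '$AppPath' was not found under site '$SiteName'."
    }
    $authFilter = '/system.webServer/security/authentication'
    $windows = Get-WebConfigurationProperty -PSPath $psPath -Filter "$authFilter/windowsAuthentication"   -Name enabled
    $anon    = Get-WebConfigurationProperty -PSPath $psPath -Filter "$authFilter/anonymousAuthentication" -Name enabled
    New-Object PSObject -Property @{
        Path                    = $psPath
        WindowsAuthentication   = ConvertTo-Bool $windows
        AnonymousAuthentication = ConvertTo-Bool $anon
    }
}

$state = Get-PamAuthenticationState
$state | Format-List Path, WindowsAuthentication, AnonymousAuthentication

if (-not $state.WindowsAuthentication) {
    Write-Warning 'Windows Authentication is disabled on the PAM application; the credential prompt the guide describes will not tie access to a Windows account.'
}
if ($state.AnonymousAuthentication) {
    Write-Warning 'Anonymous Authentication is enabled on the PAM application; review whether that is intended, since PAM access is expected to come from an account holding a PAM security role.'
}
```

Run it on the management server from an elevated session; if you installed into a different site or virtual directory, pass -SiteName and -AppPath accordingly.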


3.2 Adding New Managed Accounts

By default, the list of managed accounts is empty. To start using the product, you must have at least one managed account. Managed accounts can reside in the Accounts folder of PAM or in any child folder of Accounts.

You can add an individual account or import a set of accounts that meet the specific criteria.

3.2.1 Adding an Account

PAM provides the Configure Managed Account wizard designed to add and configure an existing domain or local managed account.

You can add managed accounts to the Accounts folder (or to any of its child folders) in the PAM main window.

To start the Configure Managed Account wizard from the product main window, do one of the following:

• To add an account to the Accounts folder, click New Managed Account.

• To add an account to a child folder of Accounts, select that folder (in the left pane) and in the right pane, click Add Account. Then click Wizard.

To complete the wizard, perform the following steps:

1. On the Welcome page, click Next.

2. On the Specify Managed Account page, perform the following steps and click Next:

• From the Account Type list, select the account type (Generic, Windows Domain or Windows Local).

• In Account Name, specify the name in Domain\Login or Computer\Login format, respectively.

You can add only existing accounts from the domain where the management server is installed.

3. For Windows Domain accounts, on the Specify Systems page, optionally specify a list of computers on which Windows services or scheduled tasks will run under this account.

4. On the Final Notice page, click Finish.


3.2.2 Adding a Set of Accounts

The product provides the Account Discovery feature that allows you to import (add) a set of managed accounts meeting specific criteria. For example, you can import domain accounts from a specific Organizational Unit or local accounts that reside on specific machines.

To add a set of managed accounts, perform the following steps:

1. In the product main window, go to Accounts and select the folder to add accounts to.

2. In the details pane, go to the Operations on This Folder list, select Discover New Accounts, and click Go. The Account Discovery dialog box opens:

[Screenshot: Account Discovery dialog box]

3. To add domain accounts, perform the following steps:

1) Select Import domain accounts from.

2) To import an explicitly specified set of accounts, select List or file, click Edit List, and then specify the accounts list in the Domain Accounts List dialog box.

3) To import accounts from an OU, select Organizational Unit, specify the OU distinguished or canonical name, and optionally select the Filter by account names check box and specify the name filter (such as Adm*).

4) Optionally, to specify computers on which Windows services or scheduled tasks under managed accounts run, select the Discover Systems check box, and enter the semicolon-separated list of IP addresses or ranges.

4. To add local accounts, perform the following steps:

1) Select Import local accounts from.

2) To import an explicitly specified set of accounts, select List or file, click Edit List, and then specify the accounts list in the Local Accounts List dialog box.

3) To import accounts from specific computers, select Computers, and enter the semicolon-separated list of IP addresses or ranges.

4) Optionally, select the Filter by account names check box, and specify the account name filter.


3.3 Obtaining an Account Password

At any moment you can obtain the current password of a specific managed account.

To get the managed account password:

1. In the left pane, under Accounts, click the folder where the managed account resides, and then select it in the details pane, under Managed Accounts.

2. Under Details, open the Password Access tab, click Check out and let the product retrieve or generate the account password.

3. To view the password, click Show. The product displays the password next to Current password.

You can log on to the managed computers and perform administrative tasks using this password. Once you have completed administrative activities, click Check in to end your checkout of the account and allow other PAM users to access the account information. Note that the account password can be reset after you check it in (for details, see Configuring Password Maintenance Settings earlier in this guide).

3.4 Viewing Audit Information

PAM provides two types of audit reports: reports on all attempts to access the password information for a specific managed account, and a set of advanced reports managed by Microsoft SQL Server Reporting Services (hereafter SSRS). The SSRS reports on the following events are available:

• Automatic updates of password

• Use of password by specific account

• Use of password by specific requestor

• Automatic check-ins of password

• Rarely used accounts

• Unused accounts

This section explains how to view the PAM reports.


3.4.1 Viewing Reports on Accessing Account Password

To view reports on attempts to access the password information for a specific managed account, perform the following steps:

1. In the left pane, under Accounts, click the folder where that account resides, and then select it in the details pane, under Managed Accounts.

2. Under Details, open the Audit Trail tab. A sample report for the EMTEST2008\JSmith account is shown below:

[Screenshot: sample Audit Trail report for EMTEST2008\JSmith]

3.4.2 Viewing Advanced SSRS Reports

To view SSRS-based reports, perform the following steps:

1. In the product main window, expand the Audit Reports node.

2. Under this node, click the link to view the report and click View report in the details pane. The report opens in a separate window.
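To show what the report types listed under Viewing Audit Information amount to, the following script derives the same kinds of figures (password use by account and by requestor, automatic password updates and check-ins, rarely used and unused accounts) from a constructed audit trail. It is an added example, not part of the NetWrix guide or product: the record layout, the event names and the threshold for "rarely used" are this example's own assumptions, and the records are made up apart from the EMTEST2008\JSmith sample account the guide itself mentions.

```powershell
# Added example, not NetWrix code: derive the guide's audit report categories
# from a constructed audit trail. Record layout, event names and thresholds
# are assumptions of this example, not the product's schema.
# Runs on PowerShell 2.0 or later.

function New-AuditRecord($Time, $Account, $Requestor, $Event) {
    New-Object PSObject -Property @{
        Time = [datetime]$Time; Account = $Account; Requestor = $Requestor; Event = $Event
    }
}

# Constructed audit trail. Requestor is empty for events PAM performs itself.
$auditTrail = @(
    (New-AuditRecord '2011-05-02 08:10' 'EMTEST2008\JSmith'     'EMTEST2008\Admin1' 'CheckOut'),
    (New-AuditRecord '2011-05-02 09:05' 'EMTEST2008\JSmith'     'EMTEST2008\Admin1' 'CheckIn'),
    (New-AuditRecord '2011-05-02 09:05' 'EMTEST2008\JSmith'     ''                  'AutoPasswordChange'),
    (New-AuditRecord '2011-05-10 14:30' 'EMTEST2008\svc_backup' 'EMTEST2008\Admin2' 'CheckOut'),
    (New-AuditRecord '2011-05-10 15:30' 'EMTEST2008\svc_backup' ''                  'AutoCheckIn'),
    (New-AuditRecord '2011-05-11 14:30' 'EMTEST2008\JSmith'     'EMTEST2008\Admin2' 'CheckOut'),
    (New-AuditRecord '2011-05-11 14:50' 'EMTEST2008\JSmith'     'EMTEST2008\Admin2' 'CheckIn')
)

# All managed accounts, including ones that never appear in the trail.
$managedAccounts = @('EMTEST2008\JSmith', 'EMTEST2008\svc_backup', 'EMTEST2008\svc_sql', 'FILESRV01\LocalAdmin')

# "Use of password" is a check-out; group it by the account or by the requestor.
function Get-PasswordUseByAccount($Trail) {
    $Trail | Where-Object { $_.Event -eq 'CheckOut' } | Group-Object Account | Select-Object Name, Count
}
function Get-PasswordUseByRequestor($Trail) {
    $Trail | Where-Object { $_.Event -eq 'CheckOut' } | Group-Object Requestor | Select-Object Name, Count
}

# Events PAM raised on its own: password changes (scheduled or after check-in)
# and check-ins forced by the checkout duration expiring.
function Get-AutomaticEvents($Trail) {
    $Trail | Where-Object { @('AutoPasswordChange', 'AutoCheckIn') -contains $_.Event }
}

# Number of check-outs per managed account since $Since.
function Get-AccountUsage($Trail, $Managed, [datetime]$Since) {
    foreach ($acct in $Managed) {
        $uses = @($Trail | Where-Object {
            $_.Account -eq $acct -and $_.Event -eq 'CheckOut' -and $_.Time -ge $Since
        }).Count
        New-Object PSObject -Property @{ Account = $acct; CheckOuts = $uses }
    }
}
# Rarely used: checked out at most $MaxUses times; unused: never checked out.
function Get-RarelyUsedAccounts($Trail, $Managed, [datetime]$Since, [int]$MaxUses = 1) {
    Get-AccountUsage $Trail $Managed $Since | Where-Object { $_.CheckOuts -gt 0 -and $_.CheckOuts -le $MaxUses }
}
function Get-UnusedAccounts($Trail, $Managed, [datetime]$Since) {
    Get-AccountUsage $Trail $Managed $Since | Where-Object { $_.CheckOuts -eq 0 }
}

$since = [datetime]'2011-05-01'
Get-PasswordUseByAccount   $auditTrail | Format-Table Name, Count -AutoSize
Get-PasswordUseByRequestor $auditTrail | Format-Table Name, Count -AutoSize
Get-AutomaticEvents        $auditTrail | Format-Table Time, Account, Event -AutoSize
Get-RarelyUsedAccounts $auditTrail $managedAccounts $since | Format-Table Account, CheckOuts -AutoSize
Get-UnusedAccounts     $auditTrail $managedAccounts $since | Format-Table Account, CheckOuts -AutoSize
```

The unused and rarely used lists are computed against the full set of managed accounts rather than only against accounts that appear in the trail, which is the point of those two reports: an account that nobody has checked out leaves no trail entries at all.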

4. Contacting NetWrix

If you have any questions please feel free to contact the NetWrix support team.

NetWrix provides unlimited phone and email support for customers who purchase the commercial version (including evaluation). In addition, limited support is provided on the NetWrix Support Forum for customers who use the freeware version.


5. Disclaimer

The information in this publication is furnished for information use only, does not constitute a commitment from NetWrix Corporation of any features or functions discussed and is subject to change without notice. NetWrix Corporation assumes no responsibility or liability for any errors or inaccuracies that may appear in this publication.

NetWrix is a registered trademark of NetWrix Corporation. The NetWrix logo and all other NetWrix product or service names and slogans are registered trademarks or trademarks of NetWrix Corporation. Active Directory is a trademark of Microsoft Corporation. All other trademarks and registered trademarks are property of their respective owners.

© 2011 NetWrix Corporation. All rights reserved. www.netwrix.com