Download pdf - Securing Privileged Accounts With Hitachi Id Pam

8/3/2019 Securing Privileged Accounts With Hitachi Id Pam

1/20

Securing Privileged Accounts

withHitachi ID Privileged Access Manager

2014 Hitachi ID Systems, Inc. All rights reserved.
http://hitachi.com/http://hitachi-id.com/


2/20

Privileged Access Manager is a system for securing access to privileged accounts. It works by regularlyrandomizing privileged passwords on workstations, servers, network devices and applications. Randompasswords are encrypted and stored on at least two replicated credential vaults. Access to privilegedaccounts may be disclosed:

To IT staff, after they have authenticated and their requests have been authorized. To applications, replacing embedded passwords. To Windows workstations and servers, which need them to start services.

Password changes and access disclosure are closely controlled and audited, to satisfy policy and regulatoryrequirements.

Contents

1 Privileged Access Management 1

2 Technical Challenges 2

3 Functional Requirements 3

4 Randomizing Privileged Passwords 4

5 Access Disclosure 5

5.1 Frequent Users: Access Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

5.2 Occasional Users: Workflow Approval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65.3 Concurrency Controls Checkin/Checkout . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

5.4 Alternatives to Password Disclosure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

5.5 API for Progammatic Access Disclosure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

5.6 Updates to Service Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

6 Strong Authentication 12

7 Auditing and Regulatory Compliance 13

8 Hitachi ID Privileged Access ManagerArchitecture 14

8.1 Network Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

8.2 Push and Pull Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

8.3 Hitachi ID Privileged Access ManagerHost Platform . . . . . . . . . . . . . . . . . . . . . . 15

8.4 Supported Target System Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

i


3/20

Securing Privileged Accounts With Privileged Access Manager

1 Privileged Access Management

In a typical enterprise-scale organization there are thousands of servers, workstations and network devices.

Normally, there is a single, shared administrator password for every type of device. For example, onepassword may be used for each workstation of a given type or for every server with a given configuration.This is convenient for data center and desktop support staff: if they need to perform maintenance or anupgrade on a workstation or server, they know how to log in.

Such static and well-known privileged passwords create both operational challenges and security problems:

When administrator login IDs are shared by multiple IT users, there is no audit log mapping adminis-trative changes to individual IT staff. If an administrator makes a change to a system that causes amalfunction, it can be difficult to determine who caused the problem.

When the same privileged account and password exists on many systems, it is hard to coordinatepassword changes. As a result, privileged passwords are rarely changed and are often known toex-employees.

Hitachi ID Privileged Access Managersecures privileged accounts on an enterprise scale:

It periodically randomizes every privileged password. Users must sign intoPrivileged Access Managerwhen they need to use a privileged account. Multi-

factor authentication can be required. Privileged Access Managerlaunches login sessions on behalf of users, without displaying passwords

single sign-on. Logins to privileged user accounts can be recorded, including screen capture and keyboard logging.

This creates strong accountability and forensic audit trails.

2014 Hitachi ID Systems, Inc.. All r ights reserved. 1


4/20


2 Technical Challenges

The obvious solution to the security vulnerability of static and shared privileged passwords is to change

these passwords so that each one is unique and changes regularly. Doing this can be technically challeng-ing, however:

There are thousands of privileged passwords:

Clearly automation is required to manage them.

There are passwords on many kinds of systems:

The automation must include many integrations, with different kinds of systems (Windows, Unix, SAP,mainframe, Oracle, etc.).

The majority of privileged passwords are on PCs and laptops.

Workstation passwords present special challenges:

Workstations may be powered down.

Workstations may be disconnected from the network.

Workstations may not be reachable from a central data center because they are behind firewalls.

Connectivity to servers.

Servers may not be up 100% of the time.

Servers may not be reachable from a single data center network segment. Specifically, they maybe on different network segments, blocked off from the password management system by one or

more firewalls.

Secure, reliable storage.

Once automation is implemented to regularly change passwords, technical challenges regarding theirstorage must be addressed. The password storage system must:

Be secure. An insecure storage system, if compromised, would allow an intruder to gain admin-istrative access to every device in the IT infrastructure.

Be reliable. A disk crash or facility interruption affecting the password storage system wouldmake every administrator ID unavailable.

Include fine-grained access controls. Only the right administrators should get access to the

right passwords, after proving their identity.

Log access disclosure. Access to privileged accounts must be logged, to create accountability.



5/20


3 Functional Requirements

A privileged access management system needs a set of well-integrated features to function:

1. It must randomize passwords regularly sensitive passwords should be unique and short-lived.

2. It must be able to disclose passwords to or inject passwords into sessions on behalf of appropriateusers and software agents, but only under the right circumstances:

(a) To IT staff, if they have been assigned appropriate access rights.

(b) To IT staff who have not been assigned permanent access rights, but have been granted one-time permission.

(c) To programs that start services (Windows Service Control Manager, Scheduler, IIS and others)so that they can start services after a password change.

(d) To applications, to replace embedded passwords in programs and scripts.

3. Both a static access control model and a dynamic authorization workflow are required.

4. The system must log both password updates and disclosure. Failed updates can be used to identify

infrastructure problems while logs of access disclosure create accountability.

5. The system should be able to control concurrent disclosure of a given password for example to limit

the number of people concurrently able to manage a server.



6/20


4 Randomizing Privileged Passwords

Hitachi ID Privileged Access Managersecures sensitive passwords by periodically randomizing them:

1. On push-mode servers and applications:

(a) Periodically for example, every night between 3AM and 4AM.

(b) When users check passwords back in, after they are finished using them.

(c) When users request a specific password value.

(d) In the event of an urgent termination of a system administrator.

2. On pull-mode laptops and similarly configured devices:

(a) Periodically for example, every day.

(b) At a random time-of-day, to prevent transaction bursts.

(c) Opportunistically, whenever network connectivity happens to be available from the workstationto a central server.

Privileged Access Managercan enforce multiple password policies. There is a global password policy as

well as sets of password rules in each managed system policy.

Password policies specify the complexity of both randomly chosen and manually selected passwords. Inaddition to mandating character types (lowercase, uppercase, digits, punctuation), the policy can specifyminimum and maximum password lengths, prohibit the use of dictionary words, etc. These features are

relevant to manually-chosen passwords.



7/20


5 Access Disclosure

Hitachi ID Privileged Access Manager is designed to not only randomize and securely store privileged

passwords, but also to connect users and programs to privileged accounts after appropriate authenticationand authorization. It includes the following access disclosure capabilities:

1. To users, via a web interface, subject to access control policy.

2. To users who do not have pre-authorized access rights, after approval.

3. To applications, in order to replace embedded passwords, using an API (application programminginterface) where applications authenticate using an OTP (one time password) and may only connectfrom a pre-defined range of IP addresses.

4. To service launching programs, such as the Windows Service Control Manager, by writing new pass-

word values to the appropriate locations after a successful password change.

Note that all disclosure is subject to SSL encryption, strong, personal authentication, access controls orworkflow approval and audit logs.

5.1 Frequent Users: Access Controls

The most common form of access control in the Hitachi ID Privileged Access Manageris based on managedsystem policies. These policies are named collections of managed systems containing privileged accountswhose passwords may be randomized and access to which is controlled.

Managed systems may either be attached to a policy explicitly (e.g., attach workstation WKSTN01234 to

policy RGWKSTNS) or implicitly, using an expression. Expressions may be based on the operating systemtype, IP address, MAC address or workstation name (e.g., attach every workstation running Windows XPin subnet 10.1.2.3/24 to policy X)

Managed system policies are configured with operational and access control rules, including:

1. Which accounts passwords to randomize on attached systems.

2. How often to change passwords.

3. How to compose random passwords (e.g., length, complexity, etc.).

4. What actions to take after successful or failed attempts to disclose a password.

5. What access disclosure methods to offer users who wish to sign into privileged accounts on attached

systems (e.g., launch remote desktop, launch SSH, temporarily place user in security groups, displaycurrent password to user, etc.).

Privileged Access Managerusers are organized into user groups, either explicitly or implicitly. In a typicaldeployment, users are assigned to Privileged Access Manageruser groups by virtue of their membership in

Active Directory or LDAP groups. Groups of users are then assigned specific rights with respect to specific



8/20


managed system policies. For example, every user in group A may launch RDP sessions to privilegedaccounts on systems in policy B.

Business rules, such as segregation of duties between different sets of users, can also be enforced. Thisis done by examining, managing and limiting group membership on reference systems, such as ActiveDirectory or LDAP, that can be simultaneously assigned to the same user.

5.2 Occasional Users: Workflow Approval

Hitachi ID Privileged Access Manager includes the same authorization workflow engine as is used inHitachi ID Identity Manager. Workflow enables users to request access to a privileged account that wasnot previously or permanently authorized. When this happens, one or more additional users are invited (viae-mail or SMS) to review and approve the request. Approved requests trigger a message to the requests

recipient, including a URL to Privileged Access Managerwhere he or she can re-authenticate and checkout access.

The workflow process is illustrated by the following series of steps:

1. User UA signs in and requests that the then-current password to login account LA on system S bemade available to user UB at some later time T. UA may or may not be the same person as UB.

2. Privileged Access Manager looks up authorizers associated with LA on S.3. Privileged Access Managermay run business logic to supplement this authorizer list, for example

with someone in the management chain for UA or UB. The final list of authorizers is LA. There are Nauthorizers but approval by just M (M N) is sufficient to disclose the password to AZ.

4. Privileged Access Managersends e-mail invitations to authorizers LA.5. If authorizers fail to respond, they get automatic reminder e-mails.

6. If authorizers continue to fail to respond,Privileged Access Managerruns business logic to find re-placements for them, effectively escalating the request and invites the replacement authorizers as

well.7. Authorizers receive invitation e-mails, click on a URL embedded in the e-mail invitation, authenticate

themselves to the Privileged Access Managerweb login page, review the request and approve orreject it.

8. If any authorizers reject the request, e-mails are sent to all participants (UA, UB and AZ) and therequest is terminated.

9. If M authorizers approve the request, thank-you e-mails are sent to all participants. A special e-mailis sent to the recipient UB with a URL to an access disclosure page.

10. UB clicks on the e-mail URL and authenticates toPrivileged Access Managerand displays the pass-word.

11. UB clicks on a button to check-out privileged access.12. UB then may click on a button to do one of the following (the options available will vary based on

policy):

(a) Display the password.(b) Place a copy of the password in the operating system copy buffer.(c) Launch an RDP, SSH, vSphere or similar remote control session to the server in question.

In other words, display of a sensitive password is not a mandatory or even recommended part of thesolution.



9/20


5.3 Concurrency Controls Checkin/Checkout

Hitachi ID Privileged Access Managercan be configured to control the number of users who can simulta-neously connect to a given privileged account. This is done using a checkout/checkin process, in a manner

similar to checking a book out of a library and returning it later.

1. Rather than simply granting access to a privileged account, a user may be required to check outaccess. Checkout is subject to policy control:

(a) A counter is incremented whenever access is checked out, indicating that one more person isallowed to sign into the account in question.

(b) The number of users who may concurrently access an account is limited for example, up to twoat a time.

(c) The time interval during which a user may be allowed to sign into an account is limited forexample, no more than two hours.

2. Users are asked to check-in access rights when they are done using a privileged account.

(a) The accounts checkout counter is decremented.

3. If the maximum allowed checkout time has elapsed, Privileged Access Managermay automaticallyperform a checkin. This normally causes the accounts password to be re-randomized.

4. Checkout and checkin supports coordination among IT workers:

(a) Privileged Access Managercan notify users who have already checked out access to an accountof subsequent checkouts (e.g., via e-mail or SMS).

(b) Privileged Access Managercan inform users who request a new checkout about already-active

checkouts.

5. Passwords are normally randomized whenever the checkout counter returns to zero. This ensuresthat access does not persist after the last user disconnects from a privileged account.

5.4 Alternatives to Password Disclosure

Hitachi ID Privileged Access Managercontrols access by users and programs to privileged accounts on

systems and applications. By default, that means that when a user is authorized to connect to a privilegedaccount, the user is able to launch a login session directly to that account without ever seeing its password.

Display of current password values can be enabled through Privileged Access Managerpolicy configurationbut is not normally recommended.

Access disclosure options include:

1. IT staff can directly launch Terminal Services (RDP), SSH (PuTTY), VMWare vSphere, SQL Studio,web browser/form login and other connections to target systems from the Privileged Access Managerweb user interface, without displaying a password value.



10/20


2. IT staff can use an ActiveX control embedded in thePrivileged Access Managerweb portal to place acopy of a sensitive password into their Windows copy buffer, again without displaying the passwords.This password is automatically cleared from their copy buffer after a few seconds.

3. Privileged Access Managercan dynamically attach a recipients Active Directory domain login ID toa local security group on a target system and later remove it. This eliminates the need to disclosepasswords even to a software agent on the recipients workstation.

4. Privileged Access Managercan temporarily place a users public SSH key into the target accounts.ssh/authorized_keys file.

5. Where password display is required (e.g., a target system is currently offline), JavaScript in thePrivileged Access Managerweb portal removes it from the screen after a few seconds.

A policy defined for each set of managed systems inPrivileged Access Managerdetermines which of these

access disclosure mechanisms is available. For example, password display may be allowed for Windowsworkstations, since they may be inaccessible over the network, but RDP sessions with injected passwords

may be mandatory on Windows servers.

5.5 API for Progammatic Access Disclosure

Hitachi ID Privileged Access Managerincludes an API that enables applications to disclose passwords andeliminates the storage of static, plaintext passwords. Privileged Access Managerperiodically randomizesservice passwords, while applications use the API to retrieve passwords as/when required.

ThePrivileged Access ManagerAPI is accessed using SOAP over HTTPS.

For example,Privileged Access Managermay randomize an Oracle DBMS login password every 24 hours.

Web applications which use the password to establish database connections can periodically sign intoPrivileged Access Manager with their own credentials (see below) and retrieve the current Oracle loginpassword.

An important design consideration when implementing a privileged password retrieval API is how the client

which requests password disclosure (the web application in the above example) authenticates itself tothe API service. Privileged Access Managersecures this process with a combination of ACLs, one-timepasswords and IP subnets:

1. API clients have their own IDs, used to sign intoPrivileged Access Manager.

2. These IDs are attached to console user groups and assigned ACLs, allowing them to disclose somepasswords but not others.

3. API client login IDs are assigned one-time passwords (OTPs). In effect, the password used by theclient software to sign into the Privileged Access ManagerAPI changes to a new, random string oneach API connection.

4. API client login IDs are bound to IP subnets. An API client can only sign into the API service from agiven IP range.



11/20


Wrapper code is provided for the SOAP API for a variety of platforms / programming languages, such as.NET, Java, Linux/C, etc. This wrapper code manages several functions:

1. Storing the one time password (OTP) used to authenticate to the API.

2. Serializing access to the API, to support use of the OTP.

3. Keeping cached copies of passwords previously retrieved from the API, along with data about howlong to retain those copies and how long they should be assumed to be valid. This makes the systemmore performant (due to less frequent API calls) and more reliable (continued operation even if the

API is temporarily unavailable).

4. Encrypting the above, sensitive data so that its not visible even to locally privileged users.

Encryption of the OTP and of cached passwords implies an encryption key. The API wrappers support avariety of methods to produce this key, including:

1. A static key (e.g., embedded into the application or configuration file) useful during development ordebugging.

2. A key generated from characteristics of the machine on which the application runs, such as its MACaddresses, IP addresses, hostname, etc.

3. A key generated from characteristics of the program which is calling the API (i.e., a cryptographichash of the program itself).

Hitachi ID Systems is happy to add platform bindings for this wrapper code based on customer demand(i.e., we add support for the programming language and runtime that customers need as required, and

usually at no additional cost).

This wrapper is also provided in command-line form, suitable for retrieving passwords efficiently and se-curely from Privileged Access Manager(with local, encrypted caching) and injecting those passwords onthe command-line, into configuration files or into the input of scripts.

5.6 Updates to Service Passwords

On the Windows operating system, service programs are run either using the SYSTEM login ID, whichpossesses almost every privilege on the system (and consequently can do the maximum harm) and whichhas no password or using a real users login ID and password, in order to execute with reduced privileges.This means that on each Windows workstation and server there are a number of service accounts, each

with its own password, which are used to run service programs such as web servers, backup agents, anti-virus software, etc.

Service account passwords differ from administrator passwords in that they are stored in at least two places:

1. Hashed, in the security database e.g., the local SAM database or Active Directory, just like all users.

2. Reversibly encrypted, in the registry or elsewhere, where the program that starts the service (e.g.,

Service Control Manager or similar) can retrieve it when it needs to start the service.



12/20


Other Windows components besides the Service Control Manager also store passwords twice:

1. Virtual directories used to access web content from the IIS web server.

2. Programs scheduled to be run by the Windows Scheduler.

Third party programs may also require passwords to be stored outside the Security Accounts Manager(SAM) database.

Of the above passwords, all but those used in IIS are static and may represent a security vulnerability.

Hitachi ID Privileged Access Managercan be configured to secure service account passwords. This meanstwo things, depending on the mode of operation:

1. In pull mode, the Privileged Access Manager workstation service periodically scrambles service ac-count passwords locally, in coordination with the central Privileged Access Managerserver cluster.

2. In push mode,Privileged Access Managerservers periodically connect to Windows servers or ActiveDirectory in order to change the passwords of service accounts.

In both cases,Privileged Access Managermust notify the program that launches services the subscriber of the new password value, so that it can successfully launch the service at the time of the next systemrestart or when an administrator manually stops and restarts the service in question. In some cases,for example when domain accounts are used to run services, an immediate restart may be required or

advisable, due to Kerberos token expiry.

Privileged Access Managerincludes extensive automation to discover subscribers and subscriber-to-service-account dependency. This allows Hitachi ID Systems customers to review what services are run in the se-curity context of what named users, on what systems. This is particularly helpful where services run in the

security context of domain accounts, since multiple services on multiple servers may rely on the same ser-vice account and may therefore require notification of the same new password in a quick and fault-tolerantfashion.

Privileged Access Managerincludes several processes that support safe and secure changes to service

account passwords:

1. Auto-discovery of subscriber/account dependencies for a variety of subscriber types: IIS, Scheduler,SCM, DCOM, at various OS and subscriber versions.

2. A white-list mechanism (usually table driven, but a plug-in is available for more complex scenarios) socustomers can control which service accounts should have their passwords randomized and when.

3. Built-in tools to notify known subscribers of new password values.

4. A transaction manager that can retry notifications to off-line subscribers.

The above are primarily used when managed systems are integrated with Privileged Access Manager in"push mode" i.e., there is no locally installed software on the target system and Privileged Access Managerinitiates all connections remotely, over the network, directly or via a co-located Privileged Access Manager

proxy server.

2014 Hitachi ID Systems, Inc.. All rights reserved. 10


13/20


In case push mode is inappropriate for example because the relevant services (remote registry, WMI, etc.)are disabled or firewalled or because the end system is offline or inaccessible due to name resolution orIP routing issues (NAT, etc.), a pull mode service can be installed on the managed system, which performsessentially the same functions but with much simpler connectivity (call home over HTTPS) and no need for

network accessible services on the local system.

Pull mode is normally used on laptops and in some cases desktop PCs, but works on any system runningany version of the Windows OS.

Any problems encountered in updating a service password can and should be configured to trigger an exittrap program on the Privileged Access Managerserver, to notify an administrator of an imminent problemwhen the service in question is next started.

Both the discovery and notification mechanisms described above are extensible. This means that customerswho have other types of subscribers for example, third party job schedulers can add small programsthat discover their account dependencies and notify them of new service account passwords. These aretypically command-line programs (Windows executable or script) that run on the Privileged Access Manager

server. For pull mode, the equivalent form of extensibility is provided via deployment-specific DLLs.



14/20


6 Strong Authentication

Hitachi ID Privileged Access Managercan be configured to take advantage of an existing directory of users

for identification, authentication and authorization of users:

1. Users may sign into Privileged Access Manager with their Active Directory or LDAP login ID andpassword.

2. Users may be required to authenticate with a two-factor technology, such as an RSA SecurID token.

3. User membership in Privileged Access Managersecurity groups and consequently user privileges,

may be based on user membership in AD or LDAP groups.

Externalizing user identification, authentication and authorization can significantly reduce the administrativeoverhead of managing aPrivileged Access Managerdeployment and is recommended.

Privileged Access Manageralso supports multi-step authentication. For example, a user may be required

to type their AD password and then a PIN which was sent to their mobile phone via SMS.

Administrators (IT staff) authenticate to the Privileged Access Managerweb GUI as follows:

By typing their current password to a trusted system (e.g., Windows/AD, LDAP, RAC/F, etc).

By answering security questions.

Using a security token (e.g., SecurID pass-code).

Using a smart card with PKI certificate.

Using Windows-integrated authentication.

Using a SAML or OAuth assertion issued by another server.

By typing a PIN that was sent to their mobile phone via SMS.

Using a combination of these mechanisms.



15/20


7 Auditing and Regulatory Compliance

Hitachi ID Privileged Access Managerlogs and can report on every disclosure of access to every privileged

account. This means that the time interval during which a user was connected to a privileged account orduring which a password was disclosed to a program or person is always recorded, is retained definitelyand is visible in reports.

Privileged Access Manageralso logs all attempts by users to search for managed systems and to connectto privileged accounts, even if login attempts were denied. This means that even rejected attempts and

requests to access privileged accounts are visible in reports.

Privileged Access Manageralso logs auto-discovery and auto-configuration process status as well as man-ual changes to its own configuration. This means that the health of systems on the network can be inferredfromPrivileged Access Managerreports.

Exit traps can be used to forward copies ofPrivileged Access Managerlog entries to another system (e.g.,

an SIEM, typically via SYSLOG) for analytics and tamper-proof archive.

Privileged Access Managerincludes event reports, which make it possible to see, among other things:

What users launched login sessions to what accounts. How often access to any given account was granted. When and how often passwords were changed on target systems.

How often users attempted to sign intoPrivileged Access Manager. What the results of those authentication attempts were.

Reports are also included to examine the set of discovered / managed systems and accounts.

Privileged Access Managerstatus and process trends are visible in dashboards. For example, how manycheckouts are currently active, how many systems are currently under management, how many requestsare pending approval, etc. are all visible in a dashboard.

Included reports can also be used to find anomalous activity. For example, there are reports on popularcheckouts by system, account, requester and approver. This can be used to identify users with unusuallyhigh (are they hacking?) or low (are they getting any work done?) activity. Reports can also be based ontime of day. For example, a regularly scheduled report (every morning) can enumerate all checkouts madebetween 6PM and 6AM and send that data to a security officer.

The Privileged Access Manager schema is well documented and the database is a standard, relationalSQL back-end. This makes it possible for Hitachi ID Systems customers to write custom reports usingoff-the-shelf programs such as Crystal Reports or Cognos BI.

By recording administrative access to key systems and in some cases by requiring multiple people toapprove such access before it happens, Privileged Access Managercan both limit and record access tosensitive systems that contain privacy-protected or financial data. These controls assist in complying withregulations such as HIPAA, SOX, PCI and more.



16/20


8 Privileged Access Manager Architecture

8.1 Network Architecture

Figure 1 illustrates the network communication paths in a typical Hitachi ID Privileged Access Managerdeployment, wherePrivileged Access Managerpushes passwords to fixed target systems servers, appli-

cations, network devices, etc.

Figure 1: Privileged Access ManagerPush-Mode Network Architecture Diagram

In the diagram:

1. Three distinct physical sites are shown, each surrounded by a dotted-line border.

2. Two Privileged Access Managerservers are deployed, to two different sites. Real-time replicationprovides for resiliency in the event of a hardware failure on a single server or a complete outage ateither site.

3. The Privileged Access Managerservers run on Windows 2008 or later. This platform provides thewidest possible range of client software, making Privileged Access Managereasy to integrate with

many kinds of target systems.

4. Stored passwords are encrypted (using AES). The encryption key is kept in the registry of eachPrivileged Access Manager server and is itself encrypted using a key embedded in the PrivilegedAccess Managersoftware.

5. EachPrivileged Access Managerserver has a complete, local copy of the entire password databasealong with all configuration information.



17/20


6. Data replication traffic between the two servers is encrypted, making it resistant to snooping or tam-pering by a man-in-the-middle attacker.

7. Periodically, each Privileged Access Manager server connects to target systems and pushes newpasswords to them. The protocol used depends on the type of target system, with two examplesshown: LDAPS or NTLM for Windows servers, SSH to Unix or Linux servers and an encrypted TCP/IPconnection to Unix targets that do not have an SSH service but do have a local Privileged AccessManager listener.

8. Some target systems may be unreachable directly, because of intervening firewalls. These may becontacted indirectly using a Privileged Access Managerproxy server, co-located with the target sys-

tem. In this scenario, communication from the primary Privileged Access Managerserver to the targetsystem is via an arbitrarily-numbered TCP/IP connection and AES encryption using a shared key. Theconnection is forwarded to the target system by the proxy, using that target systems native protocol.

9. Privileged Access Manager clients, such as IT workers or applications that use Privileged AccessManagerin place of embedded passwords, connect to Privileged Access Managerover HTTPS. Sincemultiple Privileged Access Managerservers are available and each of them contains a full data set,

this connection can be load balanced.

8.2 Push and Pull Modes

Hitachi ID Privileged Access Managersupports both server passwords, in push mode, and workstationpasswords, in pull mode:

When managing passwords on servers,Privileged Access Managernormally operates in push mode. Thismeans that periodically the Privileged Access Managerserver will initiate communication with each targetsystem, using connectors installed on the Privileged Access Managerserver and randomize privilegedpasswords on that target system.

The new password(s) will be encrypted and archived in the Privileged Access Managerservers replicatedstorage, where IT staff may retrieve them.

When managing passwords on laptops, Privileged Access Managermay be configured to operate in pullmode. This means that a local agent is installed on each mobile PC and this agent periodically contactsthe centralPrivileged Access Managerserver, over HTTPS, to request new administrator passwords.

Once the local password has been set, a confirmation is sent to the Privileged Access Manager server,which stores the new value. The new password(s) are encrypted and archived in the Privileged AccessManagerservers replicated storage, where IT staff may retrieve them.

Pull mode is often preferable for mobile devices because a server (i.e., Privileged Access Manager) has no

way of knowing where or when they will next be attached to the network and may be unable to initiate aconnection to the mobile device, due to firewalls, NAT, closed ports or other security measures.

8.3 Privileged Access Manager Host Platform

Hitachi ID Privileged Access Managermust be installed on a Windows 2008R2 or 2012 server.



18/20


Installing on a Windows server allows Privileged Access Manager to leverage client software for mosttypes of target systems, which is available only on the Wintel platform. In turn, this makes it possiblefor Privileged Access Managerto manage passwords and accounts on target systems without installing aserver-side agent.

The Privileged Access Managerserver must also be configured with a web server. Since the PrivilegedAccess Managerapplication is implemented as CGI executables, any web server will work. The PrivilegedAccess Managerinstallation program can detect and automatically configure IIS or Apache web servers,but other web servers can be configured manually.

Privileged Access Manager is a security application and should be locked down accordingly. Please referto the Hitachi ID Systems document about hardening Privileged Access Managerservers to learn how todo this. In short, most of the native Windows services can and should be removed, leaving a very smallattack surface, with exactly one inbound TCP/IP port (443):

1. IIS is not required (Apache is a reasonable substitute).

2. No ASP, JSP or PHP are used, so these engines should be disabled.

3. .NET is not required on the web portal and in most cases can be disabled on IIS.

4. No ODBC or DCOM are required inbound, so these services should at least be filtered.

5. File sharing should be disabled.

6. Remote registry services should be disabled.

7. Inbound TCP/IP connections should be firewalled, allowing only port 443 and possibly terminal ser-vices (often required for some configuration tasks).

EachPrivileged Access Managerserver requires a database instance. SQL 2008R2 or SQL 2012 are themost common options, but Oracle database is also supported.

Privileged Access Manageris designed to be secure. It is protected using a multi-layered security architec-

ture, which includes running on a hardened OS, using file system ACLs, providing strong application-leveluser authentication, filtering user inputs, encrypting sensitive data, enforcing application-level ACLs andstoring log data indefinitely.

Privileged Access Managernever requires plaintext passwords to be stored in configuration files or scripts

and does not store plaintext passwords anywhere. Privileged Access Managerdoes not ship with a defaultadministrator password one must be typed in at installation time.

These security measures are illustrated in Figure 2.

8.4 Supported Target System Types

Hitachi ID Privileged Access Managersupports management of passwords on laptops, which may be mo-bile, have dynamic IP addresses, get unplugged, etc. This is done using client software, which works bypulling new, passwords from the Privileged Access Managerserver cluster. Client software is availablefor:



19/20


CGI UserInterfaces

Web Server

Services

Identity CacheHitachi ID

Services

CPU Storage NICs

File system Networking

Input, output filteringApplication-level ACL

Server-local session stateRandom session/page keys.

Locked down.No Asp, COM, DDE, etc.,

Current SPs.

Input, output filteringApplication-level ACL

Caller authenticationEncrypted I/O.

Sensitive data encryptedor hashed.

All traffic in/outis encrypted.

Hardened at currentpatch levels;

most servicesdisabled.

Installed in a physicallysecure facility. Alarmed

and monitored.

Application

Operating System

Hardware

Figure 2: Network architecture security diagram

1. Windows 2000, XP, Windows Vista/7/8, 2003, 2008 and 2008R2.

2. Unix (various vendors) and Linux (IA86).

The Windows pull-mode service includes plug-ins to notify operating system components of new serviceaccount passwords. Plug-ins are provided for the Windows Service Control Manager, Windows Schedulerand IIS.

Push mode agents, installed on the Privileged Access Managerserver and designed to write new pass-words to fixed-address target systems, are included for:



20/20


Directories: Servers: Databases:

Any LDAP, AD, NDS,eDirectory, NIS/NIS+.

Windows 20002012,Samba, NDS, SharePoint.

Oracle, Sybase, SQL Server,DB2/UDB, ODBC, Informix.

Unix: Mainframes: Midrange:Linux, Solaris, AIX, HPUX,24 more variants.

z/OS with RAC/F, ACF/2 orTopSecret.

iSeries (OS400), OpenVMS.

ERP: Collaboration: Tokens, Smart Cards:

JDE, Oracle eBiz,PeopleSoft, SAP R/3, SAPECC 6, Siebel, BusinessObjects.

Lotus Notes, Exchange,GroupWise, BlackBerry ES.

RSA SecurID, SafeWord,RADIUS, ActivIdentity,Schlumberger.

WebSSO: Help Desk: HDD Encryption:

CA Siteminder, IBM TAM,Oracle AM, RSA AccessManager.

BMC Remedy, BMC SDE,ServiceNow, HP ServiceManager, CA Unicenter,Assyst, HEAT, Altiris, Clarify,

Track-It!, RSA Envision, MSSCS Manager.

McAfee, CheckPoint,BitLocker, PGP.

SaaS: Miscellaneous: Extensible:

Salesforce.com, WebEx,Google Apps, MS Office365, SOAP (generic).

OLAP, Hyperion, iLearn,Cach, Success Factors,VMWare vSphere. CiscoIOS, Juniper JUNOS, F5,iLO cards, DRAC cards,RSA cards, etc.

SSH, Telnet, TN3270,HTTP(S), SQL, LDAP,command-line.

0 1401 - 1 Street SE Calgary ABCanada T2G 2J3 Tel: 1 403 233 0740 Fax: 1 403 233 0725 E-Mail: sales@Hitachi-ID com
http://hitachi-id.com/http://hitachi-id.com/