- Pulseway 9.2: Remote monitoring with workflow automation - Thu, May 18 2023
- ENow Active Directory Monitoring & Reporting - Tue, May 16 2023
- Auditing and restricting NTLM authentication using Group Policy - Thu, May 11 2023
ManageEngine PAM360 overview
The misuse of privileged access and compromising of credentials is a favorite among hackers as an attack vector. When an attacker can compromise credentials and privileged access, it provides legitimate, high-level access to business-critical systems. This can lead to the total compromise of your business environment. ManageEngine PAM360 is a web-based privileged access management (PAM) solution that protects your enterprise against these dangers.
ManageEngine PAM360 provides a comprehensive set of tools to help protect against privilege misuse in the enterprise and, by extension, protect sensitive information from compromise. It offers many key benefits and features to organizations looking at controlling access to privileged accounts, including:
- Strict access to privileged accounts
- Centralized control
- Tools to maintain regulatory compliance
- Workflow automation
- Enhanced visibility across often complex environments
- Reputation management for online resources
- Event correlation
Enterprise credential vault
ManageEngine PAM360 enables automatically scanning your network and onboard assets in the environment. ManageEngine PAM360 imports the accounts into its AES-256 encrypted account vault, which is accessible with role-based permissions for granular PAM.
Secured remote access
Providing secure remote access and sharing access between users without the end user knowing the password is complicated, if not impossible, with traditional tools. With ManageEngine PAM360, admins can allow privileged users to launch connections to resources across the environment using a simple web browser connection. The connections are secured using encrypted passwordleqss tunnels.
Use just-in-time (JIT) privilege escalation
If an underprivileged user needs privileged access for a time, you can allow them to access resources in the environment using higher privileges without giving them a privileged password. It can be allowed for a certain period and then revoked as needed. In this way, privileged access is not carte blanche.
Session monitoring for privileged access
ManageEngine PAM360 allows admins to monitor, shadow, and terminate privileged sessions. These sessions can be captured to video and archived for forensics purposes and to satisfy compliance regulations.
Application credentials security
Instead of hardcoding credentials in software and applications, ManageEngine PAM360 allows organizations to make use of secure APIs for application-to-application communication. It helps to mitigate backdoors resulting from credential hardcoding.
SSH key management
With ManageEngine, PAM360 allows the discovery of SSH devices in the network and enumeration of the keys on those devices. It also allows the creation and deployment of new SSH key pairs to devices as well as the automation of periodic key rotation.
SSL certificate management
With ManageEngine PAM360, you can integrate with GoDaddy, Let's Encrypt, and other certificate authorities to allow complete protection of your SSL certificates.
Ticketing system integration
You can bolster your approval workflows with ManageEngine PAM360 by integrating with your organization's ticketing system. Create workflows requiring ticket status validation to grant privileged access.
DevOps protection
Integrate password security into the DevOps pipeline. This allows protecting CI/CD pipelines against credential-based attacks.
Reporting
ManageEngine PAM360 allows robust reporting and schedulable reports, giving visibility to user access and activity data. It provides audit trails and meets security mandates.
Context-aware event correlation
With the extensive range of events and user behavior that happens across a typical enterprise environment, it can be challenging, if not impossible, to correlate anomalous behavior. Blind spots can develop. ManageEngine PAM360 allows context-aware event correlation.
Privileged user behavior analytics
ManageEngine PAM360 allows leveraging AI and ML to detect anomalies in the environment tied to suspicious or potentially harmful activity with privileged user behavior analytics.
One great feature of ManageEngine PAM360 is that it is agentless. However, there is an agent you can deploy that enables establishing connections to remote resources that are not connected to PAM360. The agent is also required if:
- PAM360 runs on a Linux server, and password reset tasks need to be carried out against Windows
- Systems reside in a DMZ and do not have direct connectivity from PAM360
- If credentials are not stored locally to execute remote password resets
- To change the passwords of domain accounts without DC administrator account credentials
Requirements and installation
ManageEngine PAM360 supports Windows and Linux systems. The installation wizard is very straightforward, so I'm not posting screenshots of the installation wizard. However, the process is quick and easy to get the ManageEngine PAM360 solution installed on a Windows Server 2019 VM.
After installing, log in to the web interface using the default admin/admin credentials. There are a few initial configuration steps you will want to complete, including:
- Configuring the mail server—Set up the mail server connection for notifications, etc.
- Adding users—You can import users using Active Directory or LDAP import, or a CSV file. Then assign roles to your users.
- Adding resources—You can assign resources using Active Directory import, manual import, or using a CSV file.
- Share and manage—You can share resources and resource groups with the desired users/user groups.
Initial configuration of ManageEngine PAM360
ManageEngine PAM360 features
ManageEngine PAM360 has a tremendous number of features. While we can't cover them all in an overview post, let's look at features that stand out in the product.
Privileged access management (PAM)
At the heart of the ManageEngine PAM360 solution is the ability to provide privileged access to users in the environment. It allows an easy way to share access with underprivileged users in the environment without disclosing passwords. It enables limiting how long and under what circumstances the user can connect to the privileged resource.
For example, let's suppose you have a server in the environment that houses a business-critical service. You need a junior administrator to administer the services on the Windows server from time to time. Using ME PAM360, you can grant access to the server and have full visibility, an audit trail, and session logging without sharing a high-level account's sensitive password.
After you import resources into ManageEngine PAM360, under the account details, click More Actions > Share > With Users.
Sharing password resources with users
To share credentials with a specific user, you can search for the user, and under Actions, click Grant.
Grant permissions to a specific user
Once access has been shared, log in with the user with whom the resource has been shared.
Log in as user who has access to shared password
The shared resource is now available to the user. The user can now interact with the resource with the account permissions made available with the resource share.
User now has access to connect to shared resource
Shared resource does not allow password viewing
Connect via Windows Remote Desktop
The end user can access the resource, in this case a Windows Server, using a web browser connection.
Remote Desktop Session through a browser for shared resources
With ManageEngine PAM360, when you share resources with end users, you have full session recording capabilities that allow recording the actions taken by the end user once access is granted.
Configure screen recording sessions
Configuring access control workflow
One of the features that works well with ManageEngine PAM360 is controlling the Password Access Control workflow. You can configure approval requirements for privileged access. The settings include configuring approval administrators, excluded users, auto-approval settings, and other miscellaneous settings.
Configure access control workflow in ManageEngine PAM360
Below, you can configure the auto-approval settings for privileged access requests in ManageEngine PAM360. You can configure auto-approvals to occur during certain days and times of the day.
Configuring auto approval for privileged access request
Managing passwords, SSH keys, and certificates
Another component of the ManageEngine PAM360 solution is password management. The password management feature is a built-in solution in PAM360. In addition, each end user has access to their password manager to store personal passwords.
One of the great features built into PAM360 is the ability to import passwords from other solutions, such as KeePass. It makes migrating password management to ManageEngine extremely easy.
Import passwords from KeePass and other sources
In addition to managing passwords, you can manage SSH keys as well.
Manage SSH keys with PAM360
With ManageEngine PAM360, you can manage SSL certificates with the solution and even integrate with SSL Certificate Authorities such as Let's Encrypt, GoDaddy, DigiCert, GlobalSign, and the SSL Store. It even has a built-in vulnerability scan.
Manage certificates with ManageEngine PAM360
ManageEngine provides an excellent platform for managing sensitive information such as passwords, SSH keys, and SSL certificates for your organization. I found the interface to be intuitive, and the workflows to get information added were not cumbersome, as I have seen in other solutions.
Other great features
There are a few other great features to highlight briefly. One of those features includes built-in auditing of all actions and activities connected with ManageEngine PAM360. You have visibility into who, what, where, when, and how in the environment related to privileged access management.
Full audit trail of all activities in ManageEngine PAM360
From a reporting perspective, there is a wide variety of built-in reports that cover:
- Password inventory
- Password expiry
- Policy compliance
- Password activity
- Ungrouped passwords
- Password access control
- Passwords out of sync
- Unshared passwords
Reporting features of ManageEngine PAM360
However, one feature worth noting is not included in the trial version that I was using to test—Analytics Plus. With advanced analytics, you can have AI and ML work for you to spot unusual account activity and have extended features and capabilities related to receiving notification of suspicious activity.
ManageEngine PAM360 Advanced Analytics
Impressions and final thoughts
Overall, the experience installing, configuring, and using ManageEngine PAM360 was very good. This overview only scratched the surface of what the solution can do. However, it gives an idea of the various features and capabilities that are included in the platform. For organizations looking to take control of their privileged access management and tighten security, there is no question that ManageEngine PAM360 will help with that endeavor.
Subscribe to 4sysops newsletter!
It is a true enterprise solution, and the cost reflects that. Pricing starts at $7,995 annually for 10 administrators. ManageEngine solutions are very well known and generally deliver market-leading capabilities with top-notch features. The ManageEngine PAM360 product is no exception. You can download a free 30-day free trial version of PAM360 here.
