Managing privileged account credentials in today's heterogeneous enterprise is a challenge to say the least. Learn how ManageEngine Password Manager Pro can help you reach the hybrid goal of security compliance and ease of use.
By Timothy Warner

How do you manage your privileged account credentials? Do all your administrators belong to the Domain Admins group, or do they operate as standard users most of the time? How about the root accounts on your Linux and/or macOS servers? What about your service accounts—what is their security context, and how do you manage password security?

We have other pain points to consider—what kind of role-based access control (RBAC) do you have in your environment? Who has accountability for administrative actions? What type of centralized command and control do you have?

It seems to me that any enterprise business must implement a "key vault" solution nowadays. To that point, let's have a look at Password Manager Pro (henceforth referred to as PMP) from ManageEngine.

Password Manager Pro feature overview

Fine-grained password policies in Active Directory are great, but they don't reach privileged accounts on other operating systems, network devices, and directory services. PMP's first standout feature is its ability to host a centralized password vault for disparate enterprise systems and software:

  • Cisco IOS, CatOS, and PIX devices
  • Generic LDAP directory servers
  • HP iLO
  • HP ProCurve devices
  • Juniper Netscreen devices
  • Linux local accounts
  • Microsoft Active Directory
  • Microsoft SQL Server
  • Oracle Database
  • Oracle MySQL Server
  • Sybase ASE
  • UNIX local accounts (AIX, AS400, HP-UX, macOS, Sun Oracle)
  • VMware ESXi

In fact, let me share with you ManageEngine's architectural diagram (reference). It's a great way to familiarize yourself with the PMP components and the firewall ports its services use.

Password Manager Pro architecture and traffic flow

Study the previous diagram: By default, PMP uses PostgreSQL as its database back end, but you can alternatively use MySQL or Microsoft SQL Server (note: The SQL Server options require the PMP Enterprise license).

You'll need firewall exceptions inside your network perimeter between the PMP server and each managed device or service, as well as for the PMP components themselves. Note that you can build fault tolerance by deploying a read-only PMP secondary server. The PMP Enterprise license also opens up the application programming interface (API), with which you can link your line-of-business code and administrative automations to the PMP credential vault. Pretty cool stuff!
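As an added example (my own code, not ManageEngine's), here is the kind of line-of-business integration that paragraph describes: a small Python client that pulls one managed password out of the vault at run time instead of keeping it in a config file. The host name and CA file path are hypothetical, and the endpoint path, AUTHTOKEN header, INPUT_DATA parameter and JSON envelope are assumptions drawn from ManageEngine's published REST API documentation as I recall it; confirm them against the API page of your own build. The sample reply is constructed so the script runs offline.

```python
"""Fetch a managed account's password from Password Manager Pro's REST API.

Added example (not ManageEngine's code).  Endpoint paths, the AUTHTOKEN header,
the INPUT_DATA parameter and the JSON envelope follow ManageEngine's published
PMP REST API docs as the editor remembers them; treat them as assumptions and
check your build's API documentation.
"""
import json
import os
import ssl
import urllib.request
from urllib.parse import quote

# Assumed PMP defaults: HTTPS on port 7272, REST root /restapi/json/v1.
PMP_BASE = "https://pmp.example.internal:7272/restapi/json/v1"  # hypothetical host


def build_password_url(base, resource_id, account_id):
    """URL of the password endpoint.  IDs are URL-quoted (slashes included) so a
    crafted ID cannot rewrite the path with '../' or start a query string."""
    res = quote(str(resource_id), safe="")
    acc = quote(str(account_id), safe="")
    return f"{base}/resources/{res}/accounts/{acc}/password"


def parse_password_response(body):
    """Unwrap PMP's {"operation": {"result": {...}, "Details": {...}}} envelope.

    Only result.status == "Success" is trusted; anything else raises, so a caller
    can never mistake an error message for a password.
    """
    doc = json.loads(body)
    op = doc.get("operation", {})
    result = op.get("result", {})
    if result.get("status") != "Success":
        raise RuntimeError(f"PMP request failed: {result.get('message', 'no message')}")
    details = op.get("Details", {})
    if "PASSWORD" not in details:
        raise RuntimeError("PMP reply has no PASSWORD field")
    return details["PASSWORD"]


def https_get(url, headers, cafile):
    """GET over TLS, verifying the server certificate against *cafile* (your
    internal CA, since PMP ships with a self-signed certificate).  Never swap
    this for ssl._create_unverified_context(): anyone on the network path could
    then harvest the API token and every password you retrieve."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return resp.read().decode("utf-8")


def fetch_password(resource_id, account_id, reason, token=None, base=PMP_BASE,
                   cafile="/etc/ssl/certs/corp-ca.pem", getter=https_get):
    """Retrieve one password.  *reason* becomes the justification PMP records in
    its audit trail (INPUT_DATA parameter; assumed format).  *cafile* is a
    hypothetical path to your internal CA bundle."""
    token = token or os.environ.get("PMP_AUTHTOKEN")
    if not token:
        raise RuntimeError("set PMP_AUTHTOKEN; never hard-code the API token")
    input_data = json.dumps({"operation": {"Details": {"REASON": reason}}})
    url = build_password_url(base, resource_id, account_id)
    url += "?INPUT_DATA=" + quote(input_data, safe="")
    # Token in a header rather than ?AUTHTOKEN=... keeps it out of proxy and
    # web-server access logs (assumption: your PMP build accepts the header form).
    body = getter(url, {"AUTHTOKEN": token, "Accept": "application/json"}, cafile)
    return parse_password_response(body)


# Constructed sample replies in PMP's envelope shape, so the example runs offline.
SAMPLE_OK = json.dumps({"operation": {
    "name": "GET PASSWORD",
    "result": {"status": "Success", "message": "Password fetched successfully"},
    "Details": {"PASSWORD": "k7#Vq9!pLm2$"}}})
SAMPLE_FAIL = json.dumps({"operation": {
    "name": "GET PASSWORD",
    "result": {"status": "Failed", "message": "Access denied"}}})


def fake_getter(url, headers, cafile):
    """Stand-in transport that answers like PMP without a network."""
    return SAMPLE_OK if "AUTHTOKEN" in headers else SAMPLE_FAIL


if __name__ == "__main__":
    pw = fetch_password(301, 302, "Ticket 4711: rotate backup job",
                        token="demo-token", getter=fake_getter)
    print("retrieved a password of length", len(pw))
```

Two design points matter here. The API token comes from the environment and travels in a header rather than the query string, and TLS verification is pinned to your internal CA, which is one more reason to replace the self-signed certificate PMP ships with before you start scripting against it.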

Setup workflow

You can download a free PMP trial by visiting the ManageEngine website. I found the PMP technical documentation to be better than average as well. As I stated, the single, 80-ish MB installation package deploys a Java-based web server that uses PostgreSQL as its back-end data store.

As shown in the following composite screenshot, you can obtain metadata about and manage the PMP server directly from the Windows Server notification area.

Manage the PMP service from the notification area

Double-clicking the notification area icon launches your default web browser and connects you to your new PMP management console. PMP ships with a self-signed SSL/TLS certificate; replace it with one issued by your internal CA as soon as possible. Until you do, browsers (and any API client) cannot tell the real PMP server from an impostor on the network path, and administrators who get used to clicking through the certificate warning will click through a real man-in-the-middle just as readily.

The PMP dashboard, shown in the following screenshot, neatly summarizes the product configuration workflow:

The Password Manager Pro web administration console

Here is the PMP configuration workflow in a nutshell:

  • Specify your SMTP e-mail server's DNS hostname or IP address so PMP can send notifications and deliver the one-time codes for e-mail-based two-factor authentication.
  • Set up your PMP users. These identities represent your company's systems administrators, but can also represent service accounts, temporary contractor accounts, and so forth.
  • Set up the privileged account credentials that you want to manage. You can perform an Active Directory import, CSV file import, or define credential (user) entries manually.
  • Configure disaster recovery (DR) by regularly backing up your PMP database and exporting credential definitions as encrypted HTML files.

In fact, ManageEngine's architectural diagrams are so good I'd like to share one more with you (reference) rather than attempt a Visio replication. Check this out:

PMP logical administrative diagram

As you can see, PMP uses a role-based access control (RBAC) model: each sub-administrative role can perform only a limited set of tasks against your business's precious credential database.

There is also an important setting on the web console's General Settings page, Allow users to retrieve password for which auto logon is configured. Turning it off means that some PMP users can open a session with a credential without ever seeing its plaintext password. Bear in mind that the password still travels to the target system when the session opens, so pair password hiding with regular automatic rotation to limit the useful life of any password that leaks from a session.

Hiding the password only works if PMP can open the session on the user's behalf, which is why PMP needs a browser-based direct connection scheme. I'm getting a bit ahead of myself; let's look at that next.

PMP in practice

ManageEngine hosts a live demo PMP instance that you should try out ASAP. You can log in as Administrator, Password Administrator, Password Auditor, or Password User to test role capabilities within the application.

For example, the following screenshot walks you through the case in which an outside contractor needs temporary SSH access to one of your Cisco IOS-based routers.

PMP from a restricted admin's point of view

  • 1: Each user can organize the credentials they have access to however they find convenient.
  • 2: The credential entries clearly show the kind of resource.
  • 3: Depending on your privilege level, you can change the credential's properties or reset the password.
  • 4: If the credential supports direct connection, you can use RDP, SSH, or Telnet directly from the PMP console to do so. In this scenario, the PMP console serves as a gateway.

Of course, you should log into the demo instance as a "full" administrator to see how one makes the sausage, as it were. For example, you can define one or more password policies and then deploy them to your stored connections. PMP can even automatically change account passwords on your schedule! (You may need to install an agent on the managed node for this to work.)

The following screenshot demonstrates how granular your PMP password policies can be. This is good news for administrators who need consistent password policy on different operating systems and devices to conform to industrial/governmental regulatory compliance requirements.

Defining a password policy in PMP
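To make the kind of policy in the screenshot concrete, here is an added example (my own code, not PMP's) of a policy checker and a generator that satisfies it. The rule names in the Policy class are mine; PMP's policy editor exposes comparable options under its own labels. The sample passwords are constructed for illustration.

```python
"""Check passwords against a PMP-style policy and generate compliant ones.

Added example, not ManageEngine's code.  Field names in Policy are the
editor's own; PMP's policy editor exposes comparable options under its labels.
"""
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    min_length: int = 16
    max_length: int = 64
    require_lower: bool = True
    require_upper: bool = True
    require_digit: bool = True
    require_special: bool = True
    specials: str = "!@#$%^&*()-_=+[]{}:,.?"
    no_leading_digit: bool = True   # some devices and scripts mis-handle a leading digit
    max_run: int = 3                # longest allowed run of one repeated character
    banned_words: frozenset = frozenset({"password", "admin", "cisco", "welcome"})


def violations(pw: str, pol: Policy) -> list:
    """Return every rule the password breaks; an empty list means compliant."""
    problems = []
    if not pol.min_length <= len(pw) <= pol.max_length:
        problems.append(f"length {len(pw)} not in {pol.min_length}..{pol.max_length}")
    if pol.require_lower and not any(c.islower() for c in pw):
        problems.append("no lowercase")
    if pol.require_upper and not any(c.isupper() for c in pw):
        problems.append("no uppercase")
    if pol.require_digit and not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if pol.require_special and not any(c in pol.specials for c in pw):
        problems.append("no special character")
    if pol.no_leading_digit and pw[:1].isdigit():
        problems.append("starts with a digit")
    run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur == prev else 1
        if run > pol.max_run:
            problems.append(f"character run longer than {pol.max_run}")
            break
    lowered = pw.lower()
    for word in sorted(pol.banned_words):
        if word in lowered:
            problems.append(f"contains banned word {word!r}")
    return problems


def generate(pol: Policy) -> str:
    """Build a compliant password from the OS CSPRNG (the secrets module).

    One character from each required class guarantees coverage, the rest come
    from the union of the classes, and a Fisher-Yates shuffle driven by
    secrets.randbelow removes the predictable class-first ordering.  The result
    is re-checked against the whole policy (runs, leading digit, banned words)
    and regenerated if it fails, which is rare but possible.
    """
    classes = []
    if pol.require_lower:
        classes.append(string.ascii_lowercase)
    if pol.require_upper:
        classes.append(string.ascii_uppercase)
    if pol.require_digit:
        classes.append(string.digits)
    if pol.require_special:
        classes.append(pol.specials)
    alphabet = "".join(classes) or string.ascii_letters + string.digits
    length = max(pol.min_length, len(classes))
    for _ in range(1000):
        chars = [secrets.choice(cls) for cls in classes]
        chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
        for i in range(len(chars) - 1, 0, -1):      # Fisher-Yates, CSPRNG-driven
            j = secrets.randbelow(i + 1)
            chars[i], chars[j] = chars[j], chars[i]
        candidate = "".join(chars)
        if not violations(candidate, pol):
            return candidate
    raise RuntimeError("policy cannot be satisfied; relax it")


if __name__ == "__main__":
    pol = Policy()
    # Constructed samples: two deliberate failures and one generated password.
    for sample in ("Password12345678!", "1Abcdefghijklmno!", generate(pol)):
        verdict = violations(sample, pol) or ["compliant"]
        print(f"{sample!r}: {', '.join(verdict)}")
```

The generator uses the secrets module rather than random, because a password produced from a seeded Mersenne Twister can be reproduced by anyone who learns the seed; a vault that rotates passwords on a schedule must draw them from a cryptographic source.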

Wow—there is so much I could show you; I feel we're barely scratching PMP's surface. Check out the following ManageEngine resources if you want deeper product knowledge:

Wrap-up

It seems to me that if you work for a managed service provider (MSP), then PMP is a no-brainer purchase. Conveniently, ManageEngine does sell an MSP version that supports full multi-tenancy.

Besides the free demo edition we've already seen, here's the edition breakdown that shows you what's available. Of course, check the ManageEngine website for full details.

  • Standard: Supports the basic credential vault
  • Premium: Supports remote password synchronization, alerts, notifications, and rich reporting
  • Enterprise: Supports SQL Server (clustered or non-clustered), API access, and integration with other ticketing and security information and event management (SIEM) solutions

Password Manager Pro pricing depends on your edition as well as whether you want a yearly subscription or perpetual license model, and how many administrators need access to PMP. As of fall 2016, a perpetual license of Password Manager Pro Enterprise Edition for 10 administrators costs $7,488 USD.


As I said, I'm a big fan of this solution, and heartily recommend it to MSPs as well as systems administrators who have heterogeneous environments and heavy compliance requirements.

1 Comment
  1. Debopam 5 years ago

    excellent….

© 4sysops 2006 - 2023