So how does it work? Securden discovers endpoints, servers, and users in the network all from an easy-to-understand web dashboard. You can import accounts from Active Directory, local server accounts, and others like SQL. You can push agents to endpoints all through the console with relative ease. The agent then steps in and handles the elevation of privileges going forward. All users can then run as standard users, and they can request time-limited privileges to run applications, commands, and other activities whenever required.
Administrators can review privilege requests and grant approval on a case-by-case basis in advance or set auto approvals for certain privileges. Securden adds a "Run with Securden Privilege" option in the menu for users to gain admin rights. There's also an option for apps and commands that do not interact with the Windows GUI.
Administrators have full control over the elevation process and can revoke permissions anytime as needed. At the end of the approved time, Securden will automatically terminate all the applications opened with admin privileges. It can notify users when elevated session permissions will expire shortly before the end of an approved time limit. Additionally, Securden can report on the activities a user executes during an elevated session.
In addition to all of this, Securden can act as a password vault and enforce password policies with advanced features such as randomizing passwords at periodic intervals and automatically taking care of propagating the changes across dependencies as well.
So let's dive in and take a look at some of the features in depth.
Installation is a breeze because Securden comes with everything bundled and does not require installation of any specific software separately. Securden is self-contained in one installer file. The requirements to run the tool are not excessive, but these are minimums, and you'll want to throw more resources at this tool so it runs efficiently.
- Hardware: 4 GB RAM, 2 GB hard disk space
- Operating systems: Windows Server (2008 R2, 2012, 2012 R2, 2016), Windows 8, or Windows 10
- Database: PostgreSQL bundled with the product; supports MS SQL Server 2008 and above
- Web interface: IE 10 and above, Chrome, Firefox, and Safari
I downloaded the tool, read the included quick start guide (which is very clear and easy to follow), and then installed the tool with the defaults. Five minutes later, I was up and running with a local web server installed and configured.
After logging into the console, it immediately presented me with a "getting started page" that was super easy to understand and navigate.
The first thing Securden recommends is to discover users, groups, and endpoints. So that's what I did. In my lab, I'm running three servers, one acting as a domain controller (DC) and two member servers, all running Server 2012 R2 and patched up to this month. We can target the discovery process toward a group, an organizational unit (OU), specific nodes, user accounts, or group accounts. The screen capture below is my search for any folders named "users." It's probably not immediately obvious, but Securden can import many different kinds of accounts, such as local accounts, SQL accounts, domain accounts, and Azure accounts.
After performing a few look-ups and importing the data, my discovery summary showed the following results:
After importing data, you need to organize it. Securden does this by creating folders. You then can apply settings and policies to those folders. I found this effortless in my small test domain. The folders are useful for setting password change frequency on a large scale for different account groups, reporting, and for sharing config access among Securden users.
I mentioned earlier that Securden can manage many different account types. One interesting feature is that you can create password policies and apply them to different account types. For example, you can require that all Azure accounts have 25-character passwords and different forms of complexity. You can then assign a different policy for Windows domain users and another for SQL Server accounts. The part I found really interesting is that the "types" of accounts are totally configurable, which means you can create your own "types" and assign policies to each type as you wish.
Assign password policies to different account types
Once we've organized our accounts and assigned password policies to the various account types, Securden can start rotating passwords automatically behind the scenes. It can record the new passwords in its database for safekeeping based on the frequency we prescribed per folder.
Managing service accounts
Securden can also manage the accounts and associated passwords for things like services, scheduled tasks, and IIS app pools controlled by an "account," meaning a username and password. One interesting aspect of Securden's account management is that it can handle dependencies. So for example, whenever the password of a domain account changes, Securden takes care of propagating the change across all dependencies that also use that account. This way, you can always have complete visibility and control over service accounts and dependencies.
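To see what "dependencies" means in practice, the following added example (not Securden's code and not from the original review) lists the Windows services and scheduled tasks that run under a given account, which is the inventory you need before that account's password is rotated. The account name `CONTOSO\svc-app` and the hosts `SRV01` and `SRV02` are placeholders, remote hosts are assumed to have WinRM enabled, and IIS app pools are not covered.

```powershell
# Added example: inventory where an account is used before its password is rotated.
# 'CONTOSO\svc-app', SRV01 and SRV02 are placeholder names; remote targets need WinRM.
function Get-SamName([string]$Identity) {
    # Reduce DOMAIN\user, user@domain and .\user to the bare lower-case user name.
    if ($Identity -match '\\') { return ($Identity -split '\\')[-1].ToLower() }
    return ($Identity -split '@')[0].ToLower()
}

function Get-AccountDependency {
    param(
        [Parameter(Mandatory)][string]$Account,
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    # Matching is on user name only, so same-named accounts from another domain
    # (or a local account) are reported too; review the RunAs column.
    $wanted = Get-SamName $Account
    foreach ($computer in $ComputerName) {
        # Query the local machine directly; open a CIM session for remote ones.
        $target = @{}
        if ($computer -ne $env:COMPUTERNAME) {
            $target.CimSession = New-CimSession -ComputerName $computer -ErrorAction Stop
        }
        try {
            # Services whose logon account is the one being rotated.
            Get-CimInstance -ClassName Win32_Service @target |
                Where-Object { (Get-SamName $_.StartName) -eq $wanted } |
                ForEach-Object {
                    [pscustomobject]@{ Computer = $computer; Type = 'Service'
                                       Name = $_.Name; RunAs = $_.StartName }
                }
            # Scheduled tasks whose principal is the same account.
            Get-ScheduledTask @target |
                Where-Object { (Get-SamName $_.Principal.UserId) -eq $wanted } |
                ForEach-Object {
                    [pscustomobject]@{ Computer = $computer; Type = 'ScheduledTask'
                                       Name = $_.TaskPath + $_.TaskName; RunAs = $_.Principal.UserId }
                }
        }
        finally {
            if ($target.CimSession) { Remove-CimSession -CimSession $target.CimSession }
        }
    }
}

Get-AccountDependency -Account 'CONTOSO\svc-app' -ComputerName 'SRV01', 'SRV02' |
    Sort-Object Computer, Type, Name | Format-Table -AutoSize
```

Every row in the output is a place where the stored credential has to be updated in the same change window as the password itself, otherwise the service or task fails at its next start.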
Privilege management
I have spent a lot of time on setup and password management, but probably the most powerful piece of the Securden software suite is the ability to remove local admin privileges in bulk from many accounts. We can use the software console to remove admin privileges for everyone, or you can choose which accounts to remove admin access for individually.
If you have a large number of accounts you wish to remove access for, you can also use group policy to do the work for you. However, you can't use GPOs to remove access for local accounts and application accounts like in SQL.
For Securden to remove access to local accounts and elevate privileges for applications, you need to deploy agents. Just like earlier, the console makes it dead simple to browse for nodes and push agents to those nodes. I pushed agents to two servers, and the installs were lightning quick. Deploying agents is literally a button click and you're done!
The software also has robust reporting features. For example, maybe you want to see a report of all nodes that have an account with local admin access. The term "Reports" is a bit of a misnomer because the reports are really dashboards that are dynamic and interactive as opposed to static page reports. These reports are rich with detail and graphics, and all of them allow you to drill down deeper into each report.
Once you've removed existing admin access from PCs or servers and installed the agent, the process to gain administrative access is very simple. Users without admin access will have a new prompt in their right-click menu called "Run with Securden privilege." They can select that menu option, and the software will send an email to the Securden admins requesting elevated access.
The admin then approves the request, which then generates an email back to the user who requested access. It includes an access code the user can now enter to get elevated access for a period of time. Users can also go to a self-service portal to preselect admin access for a particular application.
Securden allows you to deploy a secondary server with a few clicks, to which users can connect for uninterrupted access in the event of the primary server going down.
I have taken you through a very brief tour of the Securden privilege management tool. If I had to describe this software to a friend, I would say this software can control local admin privileges on all the nodes in your network and you can configure the software in just a few hours!
The software itself has a super-clean interface and is easy to understand. The included documentation was a little thin at times but was surely adequate to get me started. Moreover, the software is pretty slick, and it is fairly intuitive to figure out how to configure most of the features without consulting the manual every two minutes.
Overall, this product is well done and fairly simple to use considering the complexity involved in removing local admin rights across a domain full of computers. I literally set up this software in my test domain in just a few hours. Installing this product in a larger environment should not take much more time and effort than what I spent setting this software up for demonstration. If you are struggling with local admin accounts on PCs and servers, this product is definitely worth a look.
Securden offers a 30-day free trial.