Security involves many important aspects of enterprise infrastructure. This includes the credentials that are used to access various systems in production infrastructure. Privileged accounts, or those accounts that contain some type of administrative permissions, are especially important to control, audit, and manage. This can become difficult with many different servers, users, and clients accessing various systems.
How can administrators secure privileged accounts and manage them such that permissions are limited and security is bolstered? Securden's Privileged Account Manager promises to manage and control privileged account access across your environment; it offers automated password management as well. Let's take a look at the Privileged Account Manager solution and see how well it allows your business to control sensitive accounts, monitor their use, and provide just-in-time access for users. Additionally, what other features are provided by the solution?
Securden Privileged Account Manager provides privileged password management for your organization across physical, virtual and cloud environments. It automatically discovers and consolidates all passwords in a central repository. Organizations can enforce controls on who can access which passwords.
- Privileged Account Manager serves as a robust remote access solution.
- Users can launch a direct connection to remote machines, devices, databases, and applications without seeing the underlying password. Passwords are not revealed, but access is granted.
- Workflows for access can be enforced. Users will have to request access to a machine, device, database, or application.
- Administrators grant time-limited access, which is terminated at the end of the allotted period, and the underlying password is reset.
- After connections are launched, the product records the entire session. All user activities are captured in video recordings, which can be played back anytime.
- The product automates the entire lifecycle of password management.
Let's dive a little deeper into the features and functionality provided by the Securden Privileged Account Manager (PAM).
Features and functionality
What problems in the enterprise does Securden aim to solve? Notably, many security breaches are the result of stolen credentials, including passwords that allow privileged access. According to Securden, 80% of security breaches are a result of this type of breach of access. Securden helps to strengthen your privileged account security and make it exponentially more difficult for threats coming from both inside and outside to compromise privileged accounts in your environment.
Securden helps to solve three high-level objectives for your environment:
- Protect privileged accounts and mitigate security risks – Securden's solution allows you to have a centralized solution to store, manage, and control access to all privileged accounts. In addition to passwords, this can include keys, certificates, and documents.
- Improve operational efficiency – Privileged accounts are often managed without enforcement of centralized control. This can lead to numerous security vulnerabilities, given the way they are usually managed. Securden enables you to consolidate accounts, provide access controls, enforce policies, and eliminate account lockouts.
- Ensure compliance and enforce policies – Privileged account access is an area that is greatly scrutinized by most compliance regulations. Securden enables enforcing policy-based controls and audit trails, and generating reports.
Securden PAM offers a number of features for managing privileged account passwords, including both those on-premises and those in the cloud. So it is able to support your hybrid cloud initiatives by bringing your privileged account management under one solution for both types of environments. Its features include:
- Privileged account discovery – Automatically discover privileged accounts that exist in Windows, Linux, and Mac clients as well as other devices, databases, and applications.
- Manage shared admin passwords – Share admin and firecall accounts with complete control and auditing. Link access and actions to individuals.
- Protect your SSH keys – SSH keys are very sensitive in nature. Securely store SSH keys, track when and where they are used, and associate them with Unix devices for authentication and remote access.
- Windows account management – Manage the entire scope of Windows accounts, including domain, service, and local accounts. You can also manage the dependencies of the service accounts.
- Manage application passwords – Do you have hardcoded passwords in applications? Securden enables you to eliminate this practice of hard-coding passwords in config files, scripts, and other code by using APIs instead.
- Randomize passwords automatically – Randomizing passwords is a great way to improve the security of your environment. Weak passwords or passwords that never change can easily lead to compromise. Securden allows you to randomize passwords periodically for your administrative, service, and application accounts.
- Secure remote access – Do you copy and paste login credentials to critical systems? Securden enables you to launch secure, remote sessions in a single click without copy/paste operations.
- Access without revealing passwords – Grant remote access to devices, databases, and applications without showing the passwords to users or third parties who may need access.
- Privileged session recording – Record privileged sessions and continuously monitor activities. You can also play back the sessions as videos.
- Active Directory integration – Active Directory is one of the most common identity sources in the enterprise datacenter today. With Securden, you can integrate with Active Directory authentication for numerous purposes, including onboarding and automatic offboarding.
- Approval workflows – You can enforce just-in-time access in your environment with request–release approvals for IT staff. Passwords are automatically reset after time-limited access.
- Audit and compliance reporting – This feature enables you to track which individual IT staff has access to which account, and monitor and report privileged account access activity.
Privileged Account Manager provides a suite of tools that enable controlling accounts and passwords in your environment. The suite offers a secure way to provide access to resources without revealing passwords. How is it licensed?
Licensing for the Privileged Account Manager is simply based on the number of users. Securden can work up a quote for your particular environment, given the number of users you will be managing with the Privileged Account Manager.
Now, let's take a look at the Privileged Account Manager installation process and see how the solution is installed and configured.
According to the official installation documentation, Securden has the following system requirements:
- Hardware: 4 GB RAM, 2 GB hard disk space. For storing session recordings, 25 GB disk space.
- Operating Systems: In general, Windows 7 and above. Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows 8, Windows 10.
- Database: PostgreSQL bundled with the product; supports MS SQL Server 2008 and above.
- Web interface: Internet Explorer 10 and above and other standard browsers such as Chrome, Firefox, Edge, and Safari.
At the time of this writing, I am installing Securden 6.4.8.
- Size of the installer: 134 MB
Note you can install Privileged Account Manager on the same server as Windows Privilege Manager.
Installation of Privileged Account Manager is straightforward. The “Next, Next, Finish” process enables you to install the product and log in to the console in just a couple of minutes.
Optionally, for additional security, you can deploy a jump host to route all connections to target devices, instances, and applications from a central, hardened server. This eliminates direct connections between endpoints and target devices. If the target resources are distributed across networks, deploying jump hosts will come in handy. The jump host could be a Windows server or a Linux machine. From a scalability perspective, too, you can choose to deploy multiple application servers on the jump hosts and distribute the load.
After installing, you can browse to the Privileged Account Manager management page by the URL listed in the Finish dialog box.
One of the first steps you take in configuring your PAM environment is discovering your accounts. You can automatically add them from Active Directory, manually add them, or import them from a file. The purpose of this exercise is to centralize all your accounts to the Securden PAM platform, so that it becomes the keeper of all password information and auditing in your environment. This provides many benefits in terms of control, visibility, and auditing.
Choose the type of account you want to import. If you click Discover Accounts, you will be asked to choose which type of account you want to discover. Here, I am clicking the Windows option. Other options include Mac OS and Linux, which are heavily present in many environments.
When Windows is chosen, you can connect your PAM environment to Active Directory to make the discovery of accounts en masse easy. This comprises specifying the IP/FQDN of your domain controller and connection authentication information.
After configuring the connection information and clicking the Next button, you can choose your entire domain or limit the scope of the query to a specific OU. Here, we choose to target a specific OU. Click Add.
Click Import to import your accounts after making your selections.
When the discovery process is complete, you will see a list of your accounts that were discovered, including hard-to-manage local accounts that exist on domain-joined servers/workstations.
After you get your accounts added from the domain, you will start to get relevant information in the PAM console. In the PAM interface, you may wonder what the difference is between Accounts and Users. Accounts are those objects you discover for managing via the PAM, including all the security benefits, auditing, reporting, and so on. Users are accounts that are actually able to log in to the Privileged Account Manager interface. Users can be imported from Active Directory, added manually, or imported the same as the accounts.
The Dashboard view gives a great overview of your accounts, including domain accounts, service accounts, dependencies, and so on. Additionally, from a security standpoint, you can see non-compliant passwords and password expiration status. I found this view to be a great high-level look at any security hotspots you may have in your environment.
Just to get a glimpse of all this product can do, if you navigate to the Admin tab, you can see much of the functionality, capabilities and configuration options. You can set up account types, create account policies to link to different account types, jump servers, set up two-factor authentication, and much more.
You can integrate Securden PAM with your existing enterprise applications, such as ticketing systems, SIEM solutions, and federated identity management solutions for single sign-on such as Okta, G Suite, Microsoft ADFS, OneLogin, PingIdentity, Azure AD SSO, and others.
One of the nice features provided with Securden PAM is the ability to enable your users to connect to various resources with a user account, while ensuring users cannot see the password they are connecting with. There are many use cases I can imagine with this feature, including allowing contractors access to certain resources without disclosing passwords, and many other scenarios.
A really slick feature I like is the ability to record the session that is launched as a video file. Let's say you want to monitor those same contractors who are performing work. Are they doing what they say they are? You can record the session and find out.
One of the gems of this solution is the just-in-time management capabilities it offers. You can provide time-limited privileged access, with a full approval workflow built in. This means you set up the approvers needed to grant the request.
Have you ever wondered about the effects of changing an account password? Are there services tied to the account? Securden PAM makes discovering and having visibility into these dependencies easy. This simplifies service account management across environments with many dependencies.
In PAM, the Folders construct allows you to do some really interesting things with your accounts. You can create folders as they align with business units, or other structures that make sense for your business. Below, I have created a “Test Folder” containing the CLOUD\dbuser account.
Remote Password Reset lets Securden automatically reset passwords for the accounts in designated folders.
Below is a screen shot of the options you get when selecting the Reset Periodically option for accounts contained in the folder.
For extra security, you can set up jump servers to funnel all connections from your users through specific connection boxes. This allows further control of connections in your environment and helps to ensure and bolster configurations for compliance regulations.
Auditing is built into the solution for keeping track of user activity. This is great for cybersecurity incident investigation and compliance reporting. With Securden PAM in your environment and proxying connection requests between different servers, it knows about all user activity. With the Audit feature, you can easily view specific user activities and view session recordings.
The auditing capabilities are not just available ad hoc via the Audit dashboard. Detailed reporting is available that allows you to create professional audit reports on the fly. These include:
- Account Access
- Account Activity
- Password Compliance
- Password Expiry
- User Access
- User Activity
Impressions and wrapping up
I was only able to cover a few of the high-level features contained in the Windows Privilege Manager and Privileged Account Manager solution from Securden. Most likely, as I did, you get the impression this product can do A LOT. To get a better feel for the product yourself, I encourage you to download a trial of Privileged Account Manager and become familiar with the solution in your lab environment.
Overall, the features and capabilities are impressive. For most, using Privileged Account Manager will lead to a quick time to value. In even small environments, keeping up with user accounts and managing access to resources can become a challenge. Ultimately, your security depends on managing your user accounts and privileged access effectively. Using Securden Privileged Account Manager, you can do this in an automated and intelligent way.
In my next article, I will take a look at Securden's complementary product, Windows Privilege Manager, and see how it enables bolstering access security, auditing, and monitoring even further.