Hitachi ID Privileged Access Manager
Hitachi ID Privileged Access Manager is a system for securing access to privileged accounts.
Course Contents:
- Introduction
- Install the software
- Install replica
- Targets and auto-discovery
  - AD target (source of profiles)
  - AD target (source of computers)
  - Configure the system to omit disabled accounts (for login)
  - Configure the system to "manage" all AD groups (for ACLs)
  - Run and troubleshoot psupdate
  - Log viewer
- Manual targets and intro to policies
  - Configure a manual WinNT target
  - Configure a manual Linux target
  - Configure a simple MSP for these two targets
    - password policy and randomization schedule
    - account names to include
    - plug-ins to support (cmd-line/putty + RDP)
    - checkout limits
  - Configure a simple User Class for a few users
  - Link the MSP to the User Class to get ACLs
  - Run psupdate to get passwords randomized
  - Show logs and reports that illustrate what happened
- Basic user experience
  - Sign into the UI with AD creds
  - Checkout access
  - Checkout and launch RDP to one system
  - Checkout and launch SSH to one system
  - Run reports to show that this activity was captured
- Infrastructure auto-discovery and import rules
  - Introduce a bunch of fake computers on AD
  - Introduce the simulator for WinNT targets
  - Show the 'discovered systems' and 'system attributes' data that gets loaded into PAM
  - Define some import rules
  - Run through and troubleshoot discovery/import/management
  - Use the simulator to introduce daily evolution of the infrastructure
  - Show that the system responds during PSUPDATE with appropriate discovery and management/unmanagement
  - Discuss "unmanage" rules -- e.g., for systems that have been offline for too long
- Ongoing support and maintenance
  - Show the HiPAM dashboard
  - Implement exit traps for various types of failures
    - replication problems
    - psupdate problems
    - failed authentication and authorization
  - Show and use reports:
    - who checked out what?
    - who got rejected?
    - who is busy vis-a-vis the system?
- Introduce pull mode
  - Motivation
    - laptops
    - mobility, NAT, firewalls, powerdown, etc.
    - scalability
  - Configure and deploy MSI to a WinXP and a Win7 client
  - Motivation
- Workflow for one-off requests
  - Discuss scenarios: where/when to use workflow
  - Request attributes and attribute validation
  - Selecting authorizers (focus on userclass, not plug-ins)
  - Consensus (N of M) and veto power
  - Automatic reminder e-mails
  - Automatic escalation after non-response
  - Early escalation (e.g., if authorizer is out of office)
  - Reports and dashboards: what's going on in the workflow engine?
  - The roles of workflow and delegation managers
- Service accounts on Windows
  - Intro to the Windows security model (why do we have to manage these darned things?)
  - Cases where service accounts are already managed by Windows (IIS, SCM in some cases)
  - Server-local accounts
  - Domain-level accounts and special challenges due to Microsoft "best practices"
  - Using updsvcpass
  - Reports to find service accounts and see how they are used
- Embedded accounts and passwords
  - Intro to the problem of embedded passwords in programs and scripts
  - Alternative solution approaches:
    - modify the app to use an API to fetch a current password
    - leave the password where it lies and push new values into the cfg file or similar
  - Security catch-22:
    - authenticating users into the API?
    - caching passwords and securing the cache
  - Introduce the HiPAM API:
    - API-enabling users
    - OTP in authentication
    - IP subnet filtering (CIDR masks)
  - The need for an API wrapper
    - Generating key material with which to obscure cached passwords and OTPs
    - Caching and serialization
    - Simplifying use of the API