Working with PAM360 Agent

Notes:

  1. PAM360 agent will work only on Redhat versions up to 7.9, and CentOS.
  2. For Go agent, from build 5301, the AMD64 version is supported for Ubuntu, Centos, RedHat, Debian, and other Linux flavors, and the ARM64 version is supported for Redhat.
  1. Overview
  2. Communication between the PAM360 Server and the PAM360 Agent
  3. Steps to Install the PAM360 Agents

    3.1 Prerequisite

    3.2 Downloading PAM360 Agents

    3.3 Installing Windows/Windows Domain Agent - 32bit, 64bit and C#

    3.4 Installing Linux Agent - 32bit, 64bit and Go

    3.5 Configuring Agent Settings

  4. Discovering Local Accounts using the PAM360 Agent
  5. Finding Tasks Awaiting Execution by the PAM360 Agent
  6. Self-Service Privilege Elevation

1. Overview

By deploying the PAM360 agent, you can establish a connection with remote resources that are not connected to the PAM360 server and manage them from PAM360. The PAM360 agent is available for Windows, Windows domain, and Linux servers. The agent package is available for download in the PAM360 web interface and contains the necessary executable/configuration files and an SSL certificate used for the HTTPS communication between the agent and the PAM360 web server. During installation, you must supply a unique Agent Key (copied from the PAM360 UI) for each agent in the target machine. You can also keep an Agent Key active for a specified number of hours and use it for multiple installations.

The PAM360 agent is useful in the following cases:
  • When PAM360 server runs in a Linux system and password reset has to be carried out for a Windows machine.
  • If the target systems are in a Demilitarized Zone (DMZ) or a different network to which the PAM360 server does not have direct connectivity.
  • If the required administrative credentials are not stored locally in the PAM360 server to execute remote password resets.
  • To change the password of domain accounts without the domain controller's admin credentials.

2. Communication between the PAM360 Server and the PAM360 Agent

All password-related communication between the PAM360 server and the agent is carried out securely over HTTPS. Since the agent always initiates the connection, the communication is one-way. The agent residing in the target machine only needs access to the PAM360 web interface, so only the PAM360 web server needs to be reachable from the agent. Since the agent uses outbound traffic to reach the login page of PAM360, there is no need to punch firewall holes or create VPN paths to allow inbound traffic for the server to reach all the deployed agents.

The agent will periodically ping the PAM360 web server over HTTPS to check if any operation is pending for execution. By default, the agent pings the server once every 60 seconds, but the interval can be changed according to requirements. Once the agent contacts the PAM360 web server, the server hands over the list of tasks to be carried out by the agent in the remote resource. Once the tasks have been executed, the agent reports the results back to the PAM360 web server.

Note: Since the tasks are triggered by the web server only upon contact from the agent, the time taken for successful task execution will depend on how quickly the agent can connect with the PAM360 web server.

3. Steps to Install PAM360 Agents

3.1 Prerequisite

Before installing the agent, ensure that the account that you use to install the agent in the remote host has sufficient privileges to carry out password modifications.

3.2 Downloading PAM360 Agents

  1. Navigate to Admin >> PAM360 Agents.
  2. Agent packages are available for both 32-bit and 64-bit versions of the following operating systems:
    • Windows
    • Windows Domain
    • Linux
  3. Click the required agent package.

  4. In the pop-up that appears, copy the Agent Key using the copy icon beside it. This Agent Key is necessary to install the PAM360 agent in the target system and it can be used one time only. Once the Agent Key is supplied for an installation, it will become invalid.
  5. To keep a single key active for a specified amount of time, select the option Allow the key to be active for: X hours and specify a number of hours. Now, the same Agent Key can be used for any number of agent installations within the specified time.

    Notes:

    1. Do not share this key, as it could lead to unauthorized use of the agent.
    2. Open the <PAM360 Installation Folder>/conf/system_properties.conf file and add the following property to extend the key validity up to 999 hrs.
      • agent.gpo.time=999
  6. Click Download Agent. Once the agent package zip file is downloaded, unzip the contents.

3.3 Installing Windows Agent/Windows Domain Agent - 32bit, 64bit and C#

The following are the commands to be executed in the target system for Windows and Windows Domain agent.

  1. Install
  2. Start
  3. Update
  4. Stop

Note: You need administrative privileges in the target system to execute the above commands.

3.3.1 Using Command Prompt
(C# Agent is applicable from build 5301 and later only)

The following steps are applicable for Windows Agent/Windows Domain Agent - 32bit, 64bit and C#.

1. To Install the Agent as a Windows Service

  1. Open a command prompt and navigate to the PAM360 agent installation directory.
  2. Execute the command AgentInstaller.exe install <Agent Key copied from the PAM360 UI>.
  3. The Windows agent will be installed and the PAM360 agent service will start automatically.

2. To Start the Agent as a Windows Service

    1. Open a command prompt and navigate to the PAM360 agent installation directory.
    2. Execute the command AgentInstaller.exe start.
    3. Previously installed PAM360 agent service will start now.

3. To Update the Windows Agent

In case the PAM360 agent was previously installed by a different admin user, use this command to update the user account under which the agent server will be added as a resource. The agent server will be added as a resource under the new admin user without the need to uninstall and reinstall the agent. However, the new admin will not have access to the accounts that were previously under the agent server. To gain access to the accounts, the previous admin has to transfer the ownership of the resource to the new admin.

  1. Open a command prompt and navigate to the PAM360 agent installation directory.
  2. Execute the command AgentInstaller.exe update <Agent Key copied from the PAM360 UI>.
  3. The agent will be added as a resource in the new user account.

4. To Stop the Agent Running as a Windows Service

    1. Open a command prompt and navigate to the PAM360 agent installation directory.
    2. Execute the command AgentInstaller.exe stop.
    3. Now the PAM360 agent service will stop and it will be uninstalled.

3.3.2 Using PAM360 Agent Installer
(C# Agent is applicable from build 5301 and later only)

The following steps are applicable for Windows Agent/Windows Domain Agent - C# only.

Prerequisite: Ensure that the agent installation folder grants full permissions to both the privileged account and the user account.

After downloading the C# agent, extract the folder and navigate to PAM360Agent >> bin.

1. To Install the Agent in Windows or Windows Domain:

  1. Right-click AgentInstaller.exe and select Run as administrator.
  2. The PAM360 Agent Installer wizard appears on the screen.
  3. Select the Install option.
  4. Mention the Installation Key and Installation Path. Click Next.

  5. In the Configurations page, enter the required details and select Manage Passwords and/or Self-Service Privilege Elevation under Modules.
    1. If you choose Manage Passwords, a service will be added that will request the server periodically to verify and/or reset the password of accounts.
    2. If you choose Self-Service Privilege Elevation, a Self-Service Privilege Elevation module will be added. To learn more about configuring Self-Service Privilege Elevation, click here.

  6. In the Operations page, check if the first two conditions are met and click Install.


You have now successfully installed the C# agent.

Notes:

  1. By default, all the files/applications (.exe, .msc, .msi, .cmd and .bat) will have "Run as PAM360 Privilege Account" in the right-click menu. However, privilege elevation works only for those files/applications that are configured in PAM360.
  2. When Self-Service Privilege Elevation is installed, the agent information will not be available in the services console.

2. To Start the Agent as a Windows Service:

  1. Right-click AgentInstaller.exe and select Run as administrator.
  2. The PAM360 Agent Installer wizard appears on the screen.
  3. Click the Operations icon.
  4. Right-click the three dots beside Agent Service Status and click Start.
  5. From here, you can also Stop or Restart the agent, or Go to the Service Console.

3. To Update the Agent in Windows or Windows Domain:

  1. Right-click AgentInstaller.exe and select Run as administrator.
  2. The PAM360 Agent Installer wizard appears on the screen.
  3. Select the Reinstall option.
  4. Mention the Installation Key and Installation Path. Click Next.

  5. In the Configurations page, mention the required details and click Next.

  6. In the Operations page, check if the first two conditions are met and click Next to reinstall the agent.


You have now successfully reinstalled the C# agent.

4. To Uninstall the Agent in Windows or Windows Domain:

  1. Right-click AgentInstaller.exe and select Run as administrator.
  2. In the wizard that appears, select Uninstall and click Next.

  3. In the Configurations page, select the Modules (Manage Passwords and/or Self-Service Privilege Elevation) you want to uninstall and click Next.
  4. In the Operations page, check if the first two conditions are met. Click Uninstall.


You have now successfully uninstalled the C# agent.

3.4 Installing Linux Agent - 32bit, 64bit and Go
(Go Agent is applicable from build 5301 and later only)

The following are the commands to be executed in the target system for the Linux agent.

  1. Install
  2. Start
  3. Update
  4. Stop
  5. Remove

Notes:

  1. You need root privileges in the target system to execute the above commands.
  2. PAM360 agents (32bit, 64bit) support only the Linux flavors with the default OpenSSL library.
  3. Go Agent supports all Linux flavors.

1. To Install the Agent as a Linux Service:

    1. Open a command prompt and navigate to the PAM360 agent installation directory.
    2. Execute the command sh installAgent-service.sh install <Agent Key copied from the PAM360 UI> for the 32bit/64bit agent, or bash installAgent-service.bash install <Agent Key copied from the PAM360 UI> for the Go agent.
    3. The Linux agent will be installed and the PAM360 agent service will start automatically.

2. To Start the Agent as a Linux Service:

    1. Open a command prompt and navigate to the PAM360 agent installation directory.
    2. Execute the command sh installAgent-service.sh start for the 32bit/64bit agent, or bash installAgent-service.bash start for the Go agent.
    3. Previously installed PAM360 agent service will start now.

3. To Update the Linux Agent:

In case the PAM360 agent was previously installed by a different admin user, use this command to update the user account under which the agent server will be added as a resource. The agent server will be added under the new admin user without the need to uninstall and reinstall the agent. However, the new admin will not have access to the accounts that were previously under the agent server. To gain access to the accounts, the previous admin has to transfer the ownership of the resource to the new admin.

  1. Open a command prompt and navigate to the PAM360 agent installation directory.
  2. Execute the command sh installAgent-service.sh update <Agent Key copied from the PAM360 UI> for the 32bit/64bit agent, or bash installAgent-service.bash update <Agent Key copied from the PAM360 UI> for the Go agent.

4. To Stop the Agent Running as a Linux Service:

    1. Open a command prompt and navigate to the PAM360 agent installation directory.
    2. Execute the command sh installAgent-service.sh stop for the 32bit/64bit agent, or bash installAgent-service.bash stop for the Go agent.
    3. The Linux agent service will be stopped.

5. To Uninstall the Agent as a Linux Service:

    1. Open a command prompt and navigate to the PAM360 agent installation directory.
    2. Execute the command sh installAgent-service.sh remove for the 32bit/64bit agent, or bash installAgent-service.bash remove for the Go agent.
    3. The Linux agent will be uninstalled and removed.

3.5 Configuring Agent Settings

Open the agent.conf file available in the downloaded agent package. The following are the parameters listed in the conf file, some of which can be modified to suit your needs:

  • AgentType: This denotes the type of agent, i.e., an agent with PAM360 features.
  • ServerName: This is the server name or IP address that the PAM360 agent will try to reach to contact the PAM360 server.
  • ServerPort: This indicates the port on which the PAM360 server is running. If you have changed the default port of PAM360 to any other port such as 443, the same port number must be updated here.
  • ScheduleInterval: By default, the agent pings the server once in every 60 seconds. To configure the time interval at which the agent should ping the PAM360 web server, modify the time interval value in seconds.
  • UserName: This is the admin user account under which the agent server will be added as a resource.
  • OSType: Denotes the OS which the agent belongs to - Windows/Windows Domain/Linux.

PAM360 allows you to restrict the user accounts that are added via agents (C# and Go) during account discovery, using regex patterns. To do so, use the UserQuery and accountFilter parameters below:

  • UserQuery: To filter the accounts in Linux (Go Agent).

    UserQuery = awk -F: '$1 ~ /^ *admin/ {print $1}' /etc/passwd // to discover accounts that start with admin.


  • accountFilter: To filter accounts in Windows/Windows Domain (C# Agent).

    accountFilter = ^*admin // to discover accounts that start with admin.

    Note: Windows Domain agent will not automatically add user accounts unless you specify the pattern in the account filter.


  • fetchDisabledAccount: To fetch disabled accounts in Windows/Windows Domain (C# Agent).

    fetchDisabledAccount = True

The parameters UserQuery, accountFilter and fetchDisabledAccount are applicable from build 5301 and later only.

Once any of the above parameters are modified, restart the agent service.
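The following is an added example, not part of the PAM360 documentation or product: a POSIX shell dry run that previews which accounts the Go agent's UserQuery filter would discover (with the regex passed as a parameter, so the page's ^ *admin case generalises to any pattern) and sanity-checks the ServerName, ServerPort and ScheduleInterval values of an agent.conf before the service is restarted. The passwd lines, host name and conf files in it are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the PAM360 documentation or product: a dry run of
# the Go agent's UserQuery discovery filter plus a sanity check of the other
# agent.conf parameters described in 3.5, meant to be run before the agent
# service is restarted. All file contents below are constructed samples.

# preview_discovery PASSWD_FILE PATTERN
# Same awk logic as the page's UserQuery, with the regex supplied as a
# parameter so different filters can be previewed against a passwd file.
preview_discovery() {
    awk -F: -v pat="$2" '$1 ~ pat { print $1 }' "$1"
}

# check_conf_value KEY VALUE -> 0 if sane, 1 otherwise (subset of parameters)
check_conf_value() {
    case "$1" in
        ServerPort)
            case "$2" in ''|*[!0-9]*) return 1 ;; esac
            [ "$2" -ge 1 ] && [ "$2" -le 65535 ] ;;
        ScheduleInterval)   # agent poll interval in seconds, 60 by default
            case "$2" in ''|*[!0-9]*) return 1 ;; esac
            [ "$2" -ge 1 ] ;;
        ServerName)
            [ -n "$2" ] ;;
        *)  return 0 ;;     # other keys (UserQuery, AgentType, ...) not checked
    esac
}

# check_conf CONF_FILE: validate each "Key = Value" line, fail on the first bad one
check_conf() {
    while IFS= read -r line; do
        key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        val=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -z "$key" ] && continue
        check_conf_value "$key" "$val" || { echo "bad value for $key: $val" >&2; return 1; }
    done < "$1"
}

# make_samples: write constructed passwd and agent.conf files, print their dir
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'admin:x:1000:1000::/home/admin:/bin/bash' \
        'adminsvc:x:1001:1001::/home/adminsvc:/bin/sh' \
        'sysadmin:x:1002:1002::/home/sysadmin:/bin/bash' > "$d/passwd"
    printf '%s\n' 'ServerName = pam360.example.internal' 'ServerPort = 8282' \
        'ScheduleInterval = 60' > "$d/agent.conf"
    printf '%s\n' 'ServerName = pam360.example.internal' 'ServerPort = 443' \
        'ScheduleInterval = 0' > "$d/bad.conf"
    echo "$d"
}

d=$(make_samples)
echo "accounts matching ^admin:"; preview_discovery "$d/passwd" '^admin'
check_conf "$d/agent.conf" && echo "agent.conf OK"
check_conf "$d/bad.conf" || echo "bad.conf rejected, fix it before restarting the agent"
rm -rf "$d"
```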

4. Discovering Local Accounts using the PAM360 Agent

When the agent is started for the first time on the target machine, it will automatically add the machine as a resource in PAM360 and discover the local accounts. After discovery, you can reset the passwords of the local accounts. To learn more about resetting passwords using the PAM360 agent, click here.

5. Finding Tasks Awaiting Execution by the PAM360 Agent

Follow the steps below to find the tasks that have been triggered by the user but are awaiting execution by the PAM360 agent.

  1. Click the bell icon in the top panel of the interface for viewing Notifications.
  2. Under Agent Alerts, you will find the agent related statuses:
    • The number of password reset and password verify actions triggered.
    • Status of password reset actions triggered earlier.
    • Status of password verify actions triggered earlier.

  3. The notifications are user-specific i.e., users will be notified of only those tasks that they have triggered.

6. Self-Service Privilege Elevation for Windows and Windows Domain
(This feature is applicable from build 5304 and later for C# Agent only)

PAM360 allows administrators to configure Self-Service Privilege Elevation to the target machines. This allows users to run certain types of files/applications (.cmd, .exe, .msc, .msi, and .bat) with elevated account privileges without sharing the password of the higher privilege account.

6.1  Setting up Self-Service Privilege Elevation

First, install C# agent with Self-Service Privilege Elevation in the target machine and follow the below steps:

  1. Log in to PAM360 and navigate to Admin >> Manage >>Allowed Apps/Scripts. Here, all the applications that are allowed for Privilege Elevation are listed.
  2. Click Add to add a new application/file to the list.
    1. In the Application/File List pop-up, enter the Application Name and Application File Name along with the extension (.cmd, .exe, .msc, .msi, and .bat).
    2. Mention the SHA256SUM Value of the application to be added. Click here to know how to get the hash value of a file/application or use this application.
    3. Click Save. You have successfully added the application to the Application/File List.
  3. Now, navigate to Resources >> All My Passwords >> Resources to view the list of all the resources added in PAM360.
  4. Click the Resource action icon against one of the owned resources and click Configure Self-Service Privilege Elevation.

    Note: The DNS name of the resource should not be empty.

  5. In the pop-up that appears,
    1. Select the Account Type.
    2. If you choose the Account Type as Domain Account, select the Domain Name and Account Name. This will allow the user to run the files/applications using the selected Domain Account with elevated account privileges.
    3. If you choose the Account Type as Local Account, select the Account Name.

    Notes:

      1. The selected account will be used for Self-Service Privilege Elevation on the resources where the agent is installed.
      2. When access control is enabled for an account in the resource where Self-Service Privilege Elevation is configured, Self-Service Privilege Elevation will take precedence over password access control.
  6. Mention the name of the files/applications that the user is allowed to access with elevated account privileges under Allowed Apps/Files.
    (Example: cmd.exe, services.msc, etc.)

    Note: .exe, .msc, .msi, .cmd and .bat are the file types that are currently available for users to access with elevated account privileges.

  7. Click Configure. Now, you have successfully configured Self-Service Privilege Elevation.
  8. Click Clear to reset the configurations of Self-Service Privilege Elevation.
  9. To delete an application from the Application/File List, navigate to Admin >> Manage >> Manage Applications. Select the desired application(s) and click Delete.
  10. Navigate to Reports >> Query Reports >> Resources and search "Resources with self-service privilege elevation configuration" under Report Name to find all the resources configured with self-service privilege elevation.
  11. Navigate to Reports >> Custom Reports to find two new custom reports, namely:
    • Authorized App Privilege Elevated
    • Unauthorized App Elevation Triggered
    These reports allow administrators/users with privileges to generate reports based on authorized and unauthorized self-service elevation events. To know more about creating a custom report, click here.

6.2  Using Self-Service Privilege Elevation

  1. Log in as any user on a resource where you have configured Self-Service Privilege Elevation.
  2. Right-click the file/application (.exe, .msc, .msi, .cmd and .bat) that the administrator has configured to open as a privileged user and select Run as PAM360 Privileged Account.

  3. In the pop-up that appears, mention the Reason for elevation (mandatory) and click Elevate.

Now, PAM360 will allow users to run the application/file in the elevated privilege chosen by the administrator.
