Privileged Accounts Discovery

(Feature available only in Enterprise Edition)

Password Manager Pro provides the option to automatically discover the IT assets in your environment and enumerate the privileged accounts associated with them, helping enterprises bring all their privileged identities under control quickly. It can also randomize the passwords of the accounts upon discovery and thereafter at periodic intervals. Password Manager Pro discovers Windows, Linux, VMware and network devices. It also discovers the service accounts associated with Windows domain accounts.

This feature automates the addition of privileged accounts and reduces the entire process to a few steps.

  1. Step 1: Discover Resources (IT Assets)
  2. Step 2: Add Discovered Resources into Password Manager Pro
  3. Step 3: Privileged Accounts Discovery

How Does Password Manager Pro Discover the Resources?

Pre-requisite:

The following are mandatory:

  • Microsoft .NET Framework 4.5.2 or above must be installed.
  • Microsoft Visual C++ 2015 Redistributable must be installed.

The following summarizes how PMP goes about discovering each kind of resource:

  • Windows: the WMI API is used to connect to the domain controller and fetch all the IT assets that are joined to it.
  • Linux: TELNET must be configured on the Linux devices.
  • VMware: the vSphere API is used for asset discovery.
  • Network devices: SNMP versions V1, V2c and V3 are used to discover the network devices.

How to Discover the Privileged Accounts?

Step 1: Asset Discovery

The first step is to discover the IT assets present in your environment. As mentioned above, Password Manager Pro can automatically discover the IT assets available in your environment.

  1. Windows
  2. Network Devices
  3. VMware
  4. Linux

A) Windows

You can import the computers in your domain and add them as resources in Password Manager Pro. Password Manager Pro automatically discovers and lists all the Windows domains from the Windows domain controller of which the Password Manager Pro server is a member. You need to select the required domain and provide domain controller credentials.

To discover Windows devices,

  • Navigate to the "Resources" tab.
  • Click the "Discover Resources" button.
  • In the UI that opens, select "Windows" from the options on the left-hand side.
  • Choose from the drop-down list the domain from which the assets are to be imported.
  • We recommend specifying one or more secondary domain controllers, which will be used when the primary is down.
  • If you have secondary domain controllers, specify their DNS names in comma-separated form. One of the listed secondary domain controllers will be used. When you use SSL mode, make sure the DNS name specified here matches the CN (common name) in the SSL certificate of the domain controller.
  • For each domain you can configure whether the connection is through SSL or non-SSL. Password Manager Pro strongly recommends encrypted communication via SSL for enhanced security.
  • Specify the DNS name of the domain controller along with a valid user credential (user name and password) that has read permission on that domain controller. (If you want to discover users from multiple domains, you may enter the user name as <DomainName>\<username>. For example, if you want to discover DOMAIN A users by giving DOMAIN B credentials, enter the user name as <DOMAIN B>\username.)
    • To import the domain controller's certificate into the certificate store of the Password Manager Pro machine, you can use any procedure that you normally use to import SSL certificates into the machine's certificate store. One example is given below:
      • On the machine where Password Manager Pro is installed, launch Internet Explorer and navigate to Tools >> Internet Options >> Content >> Certificates.
      • Click "Import".
      • Browse and locate the root certificate issued by your CA.
      • Click "Next", choose the option "Automatically select the certificate store based on the type of certificate" and install.
      • Click "Import" again.
      • Browse and locate the domain controller certificate.
      • Click "Next", choose the option "Automatically select the certificate store based on the type of certificate" and install.
      • Apply the changes and close the wizard.
      • Repeat the procedure to install the other certificates in the root chain.
  • There is also a provision to use a user account that is already stored in Password Manager Pro. This step enables Password Manager Pro to gain access and fetch the user accounts present in the specified domain.

Note: Password Manager Pro server can now communicate with this particular domain controller over SSL. Repeat these steps for all domain controllers to which you want Password Manager Pro to communicate over SSL. Note that the DNS name you specify for the domain controller should match the CN (common name) specified in the SSL certificate for the domain controller.

  • You can import a specific set of resources, resource groups or OUs by specifying their names as comma-separated values.
  • If you want to import only particular resources, enter the required resource name(s) in comma-separated form.
  • Similarly, you can choose to import only specific resource groups or OUs from the domain. Specify the names in the respective text fields in comma-separated form.
  • Password Manager Pro periodically queries the AD and keeps the resources in sync. Whenever new resources get added to the AD, there is a provision to automatically add them to Password Manager Pro and keep the resource database in sync. Choose from the given list the interval at which Password Manager Pro has to query the AD; it can be as low as a minute or in the range of hours/days.
  • Click "Save". Soon after you hit "Save", Password Manager Pro will save all the resources from the selected domain.
  • Click "Fetch Groups and OU's" and save.

Service Accounts Discovery

When discovering Windows accounts, Password Manager Pro will also automatically fetch the service accounts associated with the services present on the domain members. Windows service accounts are discovered and enumerated in the inventory as explained below:

  • Initially, Password Manager Pro creates a Windows domain resource named after the domain. For example, if the domain name is "Password Manager Pro", the resource created will be named "Password Manager Pro - Domain Controller".
  • Then, Password Manager Pro tries to fetch all the Windows member servers available under the specified OUs or groups.
  • After importing the available resources, the local accounts associated with those resources are also fetched.
  • Finally, the service accounts are fetched for the imported resources.

These service accounts are mapped to the resource group that contains the resources on which the service accounts are used. The resource group is created in the form "DomainName_MemberServerGroup". For example, if the domain name is given as Password Manager Pro, the resource group name will be PMP_MemberServerGroup. If a resource group with that name already exists, the resources are added to that resource group.

B) Network Devices

Prerequisite - Create discovery profiles

Before proceeding with discovering network devices, you should create discovery profiles. A profile lets Password Manager Pro reuse common connection details when discovering multiple devices. For network devices, SNMP v1, v2c and v3 are supported. You can configure the SNMP port by using the Edit option.

  • Navigate to the "Resources" tab.
  • Click the "Discover Resources" button.
  • In the UI that opens, select "Network Devices" from the options on the left-hand side.
  • Click "Add profile" beside the 'Profile' text field to initiate the profile configuration process.
  • The profile creation process for each of the protocols is explained below:

SNMP V1, V2c

To create a profile for devices using SNMP V1 or V2c,

  • Enter the new profile name. This name uniquely identifies the profile.
  • Enter a description of the profile for your reference.
  • Select the SNMP version in the Version drop-down list: V1 or V2c as applicable.
  • Enter the Read community; this is mandatory. Optionally, you can specify the Write community.
  • Save the profile.

SNMP V3

To create a profile for devices using SNMP V3,

  • Enter the new profile name. This name uniquely identifies the profile.
  • Enter a description of the profile for your reference.
  • Select the SNMP version in the Version drop-down list: V3.
  • Enter the SNMP port number.
  • User Name: Enter the name of the user (principal) on whose behalf the messages are exchanged.
  • Context Name: An SNMP context name, or "context" in short, is a collection of management information accessible by an SNMP entity. An item of management information may exist in more than one context, and an SNMP entity potentially has access to many contexts. In other words, if management information has been defined under a certain context by an SNMPv3 entity, any management application can access that information by giving that context name. The context name is an octet string identifying at least one item of management information.
  • Authentication Protocol & Password: Select either MD5 or SHA as the authentication protocol and enter the password. MD5 and SHA are the hash algorithms used to generate the authentication and privacy keys in SNMPv3.
  • You can either enter the password manually or use a user account stored in Password Manager Pro.
  • Priv Protocol: Select the required privacy protocol and also specify the Priv Password.
  • Save the profile.
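The v1/v2c and v3 profile fields described above map onto a small validation routine. The following is an added example, not Password Manager Pro code: the class and function names are assumptions, the fields follow the profile form above, and the "AES" privacy protocol value mentioned in a comment is an assumed option name.

```python
"""Check a network-device discovery profile of the kind the form above collects.
Added example, not Password Manager Pro code: it models the profile fields,
reports what is missing, and derives the SNMPv3 security level that results."""
from dataclasses import dataclass
from typing import List, Optional

AUTH_PROTOCOLS = {"MD5", "SHA"}   # the two choices the form offers


@dataclass
class SnmpProfile:
    name: str
    version: str                          # "v1", "v2c" or "v3"
    port: int = 161                       # standard SNMP port; editable in the profile
    read_community: Optional[str] = None  # v1/v2c, mandatory
    user_name: Optional[str] = None       # v3 principal
    context_name: str = ""                # v3 context; empty means the default context
    auth_protocol: Optional[str] = None   # "MD5" or "SHA"
    auth_password: Optional[str] = None
    priv_protocol: Optional[str] = None   # e.g. "AES" (assumed option name)
    priv_password: Optional[str] = None


def security_level(p: SnmpProfile) -> str:
    """USM security level implied by the configured protocols."""
    if p.version != "v3":
        return "community"   # v1/v2c: shared string, no authentication, no encryption
    if p.auth_protocol and p.priv_protocol:
        return "authPriv"
    return "authNoPriv" if p.auth_protocol else "noAuthNoPriv"


def validate_profile(p: SnmpProfile) -> List[str]:
    """Return the problems that would stop the profile from being usable."""
    problems: List[str] = []
    if not p.name.strip():
        problems.append("profile name is required")
    if p.version in ("v1", "v2c"):
        if not p.read_community:
            problems.append("read community is mandatory for v1/v2c")
    elif p.version == "v3":
        if not p.user_name:
            problems.append("user name (principal) is required for v3")
        if p.auth_protocol and p.auth_protocol not in AUTH_PROTOCOLS:
            problems.append(f"unsupported auth protocol {p.auth_protocol}")
        if p.auth_protocol and not p.auth_password:
            problems.append("auth password is required with an auth protocol")
        if p.priv_protocol and not p.priv_password:
            problems.append("priv password is required with a priv protocol")
        if p.priv_protocol and not p.auth_protocol:
            problems.append("privacy requires authentication: USM has no noAuthPriv level")
    else:
        problems.append(f"unknown SNMP version {p.version!r}")
    return problems


def profile_warnings(p: SnmpProfile) -> List[str]:
    """Settings that save fine but leave the discovery traffic exposed on the wire."""
    level = security_level(p)
    if level == "community":
        return ["community strings travel in cleartext; prefer an SNMPv3 authPriv profile"]
    if level != "authPriv":
        return [f"{level} does not encrypt the exchange; prefer authPriv"]
    return []
```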

To discover network devices,

  • Navigate to the "Resources" tab.
  • Click the "Discover Resources" button.
  • In the UI that opens, select "Network Devices" from the options on the left-hand side.
  • There are two ways to specify the network devices to discover:
    • Discover a single device by specifying its host name or IP address. At present, PMP supports the IPv4 format only. Enter the IP address or host name as in the following examples: 192.168.1.1, cisco2611
    • Discover multiple devices present in an IP range. PMP automatically discovers all the IT assets present in the specified IP address range. At present, PMP supports the IPv4 format only. Enter the range in the following format: 192.168.1.1 - 192.168.1.15
  • Select the required discovery profile(s) and click the Discover button.
  • In some rare cases, a device that is being discovered may stop responding. In such scenarios, Password Manager Pro keeps trying to re-establish communication with that specific device even while it is non-responsive. You can set the maximum time within which the devices must be discovered; you can specify up to 999 seconds.
  • To avoid time delays in such situations, you can also set the number of retries (maximum 5) after which Password Manager Pro stops attempting to discover a device.
  • Password Manager Pro will start discovering the network devices, and you can view the discovery status in the Discovery Status tab.
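The target formats, the 999-second timeout ceiling and the limit of 5 retries described above, as an added example that is not Password Manager Pro code; expand_targets, discover and the stand-in fake_probe are assumed names, and the host addresses are constructed for the demonstration.

```python
"""Parse the targets the network-device discovery form accepts and run a
discovery pass bounded by the timeout and retry limits stated above.
Added example, not Password Manager Pro code: the probe is a stand-in for
the product's SNMP query and the hosts below are constructed."""
import ipaddress
import re
from typing import Callable, Dict, List

MAX_TIMEOUT_SECONDS = 999   # upper bound stated in the text
MAX_RETRIES = 5             # upper bound stated in the text
# '192.168.1.1 - 192.168.1.15'; digits and dots only, so 'core-sw1' is a hostname, not a range
RANGE_RE = re.compile(r"^\s*([\d.]+)\s*-\s*([\d.]+)\s*$")
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})*$")


def expand_targets(spec: str) -> List[str]:
    """'192.168.1.1', 'cisco2611' or an IPv4 range -> list of hosts to probe.
    Only IPv4 is accepted (the form's stated limit); anything else raises."""
    m = RANGE_RE.match(spec)
    if m:
        start, end = (ipaddress.ip_address(s) for s in m.groups())
        if end < start:
            raise ValueError("range end precedes range start")
        # summarize_address_range yields CIDR blocks; flatten them back to hosts
        return [str(h) for net in ipaddress.summarize_address_range(start, end) for h in net]
    spec = spec.strip()
    try:
        ip = ipaddress.ip_address(spec)
    except ValueError:
        if HOSTNAME_RE.match(spec):
            return [spec]
        raise ValueError(f"not an IPv4 address, hostname or range: {spec!r}")
    if ip.version != 4:
        raise ValueError("only IPv4 addresses are supported")
    return [spec]


def discover(hosts: List[str], probe: Callable[[str, int], bool],
             timeout_s: int, retries: int) -> Dict[str, str]:
    """Probe each host at most 1 + retries times and record a per-host status.
    Limits are clamped so a typo in the form cannot turn into an unbounded scan."""
    timeout_s = max(1, min(timeout_s, MAX_TIMEOUT_SECONDS))
    retries = max(0, min(retries, MAX_RETRIES))
    status: Dict[str, str] = {}
    for host in hosts:
        for attempt in range(1, retries + 2):
            if probe(host, timeout_s):
                status[host] = f"discovered on attempt {attempt}"
                break
        else:   # loop exhausted without a break: the device never answered
            status[host] = f"unreachable after {retries + 1} attempts"
    return status


# Constructed stand-in for the SNMP probe: .7 never answers, .3 answers on its second try.
_calls: Dict[str, int] = {}

def fake_probe(host: str, timeout_s: int) -> bool:
    _calls[host] = _calls.get(host, 0) + 1
    return host != "192.168.1.7" and (host != "192.168.1.3" or _calls[host] >= 2)


if __name__ == "__main__":
    for host, state in discover(expand_targets("192.168.1.1 - 192.168.1.8"), fake_probe, 60, 2).items():
        print(host, state)
```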

C) VMware

Prerequisite - Create discovery profiles

Before proceeding with discovering VMware devices, you should create discovery profiles. A profile lets Password Manager Pro reuse common connection details when discovering multiple devices.

  • Navigate to the "Resources" tab.
  • Click the "Discover Resources" button.
  • In the UI that opens, select "VMware" from the options on the left-hand side.
  • Click "Add profile" to initiate the profile configuration process.
  • Enter the new profile name. This name uniquely identifies the profile.
  • Enter a description of the profile for your reference.
  • Enter the VMware port, the user name and the password used to establish communication with the virtual device.
  • You can either enter the password manually or use a user account stored in Password Manager Pro.

To discover VMware,

  • As mentioned above in the Network Devices discovery part, you can discover a single VM device by specifying its host name or IP address, multiple devices present in an IP range, or multiple devices whose details are present in a flat file.
  • Select the required discovery profile(s) and click the Discover button.
  • Enter the VMware port number and user name.
  • In some rare cases, a device that is being discovered may stop responding. In such scenarios, Password Manager Pro keeps trying to re-establish communication with that specific device even while it is non-responsive. By default, the maximum timeout within which the devices must be discovered is fixed at 60 seconds.
  • Choose your list of profiles and click the Discover button. Password Manager Pro will start discovering the devices, and you can view the discovery status in the Discovery Status tab.

D) Linux

To discover Linux devices,

  • Password Manager Pro uses TELNET as the remote connection mode to discover Linux/Unix type devices.
  • As mentioned above in the Network Devices discovery part, you can discover a single device by specifying its host name or IP address, multiple devices present in an IP range, or multiple devices whose details are present in a flat file.
  • You can set the maximum timeout period, up to 999 seconds, within which the devices must be discovered.
  • Enter the Telnet port number.
  • Choose your list of profiles and click the Discover button. Password Manager Pro will start discovering the devices, and you can view the discovery status in the Discovery Status tab.

Track discovery status

  • After initiating the discovery operation, PMP allows you to track the status of the operation in real time.
  • The list of discovery operations currently running in the background can be found in the 'Discovery Status' tab. In the same tab, you can also view the history of discovery scans performed earlier.
  • For any discovery operation, you can find its Task Name, Time Invoked, Completed At and Discovery Status.
  • Password Manager Pro also provides an option to stop any discovery operation that is currently in progress.
  • Click any Task Name to view the entire list of IT assets discovered during that particular task.

Step 2: Add Discovered Resources

In the Discovery Status window, Password Manager Pro gives you the option to add either all discovered resources or only selected resources to the inventory.

  • In the Discovery Status window, upon clicking a task name, the Discovery Task Status pops up.
  • Click "Add all discovered resources" to add the entire set of resources to the Password Manager Pro inventory, and click the OK button.
  • If you want to add only particular resources to the Password Manager Pro inventory, select those resources and click "Add selected resources".

Step 3: Privileged Accounts Discovery

After successfully discovering the IT assets, the next step is to discover the privileged accounts associated with those IT assets. You can discover the privileged accounts associated with each resource individually as well as in bulk.

At present, PMP supports privileged account discovery for the following resource types:

  • Windows: domain, local and service accounts
  • Cisco: Cisco CatOS, Cisco IOS, Cisco PIX
  • Linux: HP UNIX, Linux, Mac, Solaris, IBM AIX
  • NetScreen: Juniper NetScreen ScreenOS
  • Sybase: Sybase ASE
  • MS SQL: MS SQL Server
  • MySQL: MySQL Server
  • Oracle: Oracle DB Server

Privileged account discovery can be initiated from four places in PMP GUI:

  • In the "Resources" tab, upon clicking a resource, you will see the "Discover Accounts" button. This discovers the accounts associated with that particular resource. Use this option whenever new accounts have been added under that resource.
  • In "Resources" tab, under "Resource Actions", you will see an option "Discover Accounts". You can select multiple resources and click this option to discover the accounts that are part of all the selected resources.
  • In "Groups" tab, under "Bulk Configuration", you will see an option "Discover Accounts". You can select multiple resource groups and click this option to discover the accounts that are part of all the selected resource groups.
  • In "Resource Groups" tab, under "Actions", you will see an option "Periodic Account Discovery". You can click this and create a scheduled task to periodically discover the accounts that are part of the resources belonging to the resource group.

Accounts Discovery: Pre-requisite

Supply credentials for remote synchronization

To discover and enumerate the privileged accounts (including local admin accounts) from the resources, you need to supply the credentials that enable Password Manager Pro to fetch the accounts. You can do this by clicking the "Edit" button against each resource. This step has to be repeated for every resource whose accounts are to be discovered.

  • Navigate to "Resources" tab.
  • Click the "Resource Actions" icon against the Windows Domain resource and select "Configure password reset" from the drop-down.
  • In the pop-up form that appears, select the Domain Admin account as the 'Administrator Account'.
  • As mentioned in the list above, Password Manager Pro supports only certain resource types for privileged accounts discovery. If one of your devices is not supported but is similar to a supported type, you may select that (similar) resource type and try discovering the accounts.
  • When discovering resources, Password Manager Pro also fills in the resource type field. Check the resource type field and ensure that the correct type is chosen; otherwise, change the type.
  • Click "Save".

Discover Privileged Accounts of Individual Resources

After completing the above step as a pre-requisite, you can discover accounts of individual resources.

  • Navigate to "Resources" tab.
  • Click the required resource and then click the Discover Accounts button to fetch the user accounts of that particular resource.

Randomize Passwords After Discovery

After account discovery, it is recommended to reset the passwords of the newly discovered accounts. When accounts are discovered, Password Manager Pro can only fetch the user account name; it cannot fetch the actual password. However, Password Manager Pro can still change the password, meaning it can randomize the passwords upon discovery in accordance with the password policy. The new passwords are then available in Password Manager Pro as well.

To randomize passwords after discovery,

  • Navigate to "Resources" tab.
  • Select the resource(s) whose passwords are to be reset, click the "Resource Actions" button and select "Discover Accounts" from the drop-down.
  • In the dialog box that opens, select the checkbox "Randomize passwords after discovery".
  • You can send notification about randomization to password owners. There is also provision to notify other users and specific email ids.
  • Click "Save".

Discover privileged accounts of resources in resource groups

You can also discover the privileged accounts that are part of multiple resources in resource groups.

  • Navigate to the "Groups" tab.
  • Select multiple resource groups and click the "Bulk Configuration" button; you will see an option "Discover Accounts". Click this option to discover the accounts that are part of all the selected resource groups.
  • After discovering the accounts, consider randomizing the passwords of the newly discovered accounts.

Note: You can also discover the privileged accounts in the agent mode.

Automated periodic discovery of privileged accounts

You can automatically discover the privileged accounts of the resources at periodic intervals. This can be configured at resource group level.

  • Navigate to the "Groups" tab.
  • Click the "Actions" icon against the resource group and select "Periodic Account Discovery" from the drop-down.
  • Choose the schedule type in the dialog that opens:
    • Once: run now or at a later time.
    • Days: perform on a specific day repeatedly, starting from a particular date and time (maximum allowed days: 999).
    • Monthly: on a particular day and time every month.
    • Never: to stop the schedule.

  • Password Manager Pro also provides an option to notify existing Password Manager Pro users or specified email IDs once the account discovery process is completed.
  • The scheduled account discovery process is reflected in the audit trails for security purposes.
  • As explained above, you have the option to randomize passwords.
  • Click the "Schedule" button.

Note: If you are using the Password Manager Pro MSP edition, the discovery option for client organizations can be enabled from the general settings.

  • Navigate to Admin >> Settings >> General Settings.
  • In the UI that opens, select "User Management" from the options on the left-hand side.
  • Select the checkbox "Enable Discovery in Client Organization".
  • Click "Save".

©2014, ZOHO Corp. All Rights Reserved.
