Isa - Quest Software


Quest One Privileged Account Management
Information Security Administrator (ISA)
Version 2.4

Quest One Privileged Account Management ISA Manual

Table of Contents

1.0 Introduction .... 5
2.0 Conventions Used in this Guide .... 5
3.0 Getting Help .... 5
3.1 Online User Manuals .... 5
3.2 Help Bubbles .... 6
3.3 Customer Portal .... 6
3.4 Contacting Customer Support .... 6
4.0 TPAM Definitions .... 6
4.1 Terms .... 6
4.2 User Types .... 7
4.3 Permission Types .... 8
5.0 Permission Hierarchy .... 9
6.0 Accessing TPAM .... 11
7.0 Permission Based Home Page .... 13
7.1 Recent Activity Tab .... 13
7.2 Approvals Tab .... 14
7.3 Pending Reviews Tab .... 15
8.0 Managing Your Own Account .... 15
8.1 User Time Zone Information .... 16
9.0 Application Navigation .... 17
9.1 Tab Format .... 17
9.2 Filter Tab .... 19
9.3 Listing Tab .... 20
9.4 Feedback Area .... 20
10.0 Configuring Managed Systems .... 21
10.1 System Details Tab .... 22
10.2 Systems Connection Tab (PPM ISAs only) .... 25
10.3 System Management Details Tab (PPM ISAs only) .... 30
10.4 Affinity Tab .... 33
10.5 Ticket Systems Tab .... 34
10.6 Collections Tab .... 35
10.7 Setting Permissions for PSM and PPM Functionality for Systems .... 36
10.8 Adding A System .... 39
10.9 Managing A System .... 41
10.10 Clearing a Stored System Host Entry (PPM ISAs only) .... 41
10.11 Testing a System (PPM ISAs only) .... 42
10.12 Duplicating a System .... 42
10.13 List Systems .... 42
11.0 Managing Accounts .... 43
11.1 Account Details Tab .... 45
11.2 Account Reviews Tab (PPM ISAs only) .... 48
11.3 Account Custom Information Tab .... 48
11.4 Account Management Tab .... 49
11.5 Account Ticket System Tab .... 51
11.6 Managing Services in a Windows Domain Environment (PPM ISAs only) .... 52
11.7 Accounts Management Logs Tab .... 54
11.8 Account Management Passwords Tab (PPM ISAs only) .... 54
11.9 Account Collections Tab .... 56
11.10 Setting Permissions for PSM and PPM Functionality for Accounts .... 57
11.11 PSM Details General Tab (PSM ISAs only) .... 57
11.12 PSM Session Authentication Tab (PSM Customers Only) .... 61
11.13 PSM File Transfer Tab (PSM Customers Only) .... 61
11.14 PSM Review Requirements Tab (PSM Customers Only) .... 62
11.15 Adding an Account .... 63
11.16 Managing an Account .... 63
11.17 Duplicating an Account .... 64
11.18 Quest One Privileged Command Manager (PSM Customers licensed for PCM only) .... 64
11.19 Account Current Status .... 64
11.20 Manual Password Management (PPM ISAs only) .... 65
11.21 Password Management (PPM ISAs only) .... 66
11.22 Managing Services in a Windows Domain Environment (PPM ISAs only) .... 67
11.23 List Accounts .... 69
11.24 List PSM Accounts (PSM ISAs only) .... 70
12.0 Managing Secure File Storage (PPM ISAs only) .... 71
12.1 Adding a File for Storage .... 71
12.2 File Ticket System Tab .... 73
12.3 File Collections Tab .... 74
12.4 Setting Permissions for Files .... 74
12.5 Updating a Stored File .... 74
12.6 Reviewing File History and Activity .... 75
13.0 Retrieving a Password (PPM ISAs only) .... 76
13.1 Viewing Past Passwords .... 78
14.0 Retrieving Files (PPM ISAs only) .... 79
15.0 Session Management (PSM ISAs only) .... 80
15.1 Replaying a Session Log .... 80
15.2 Monitoring a Live Session .... 82
16.0 Reports .... 83
16.1 Report Time Zone Options .... 83
16.2 Report Layout Options .... 84
16.3 Adjustable Column Widths .... 85
16.4 Report Export Options .... 85
16.5 Activity Report .... 85
16.6 ISA User Activity .... 86
16.7 PSM Accounts Inventory (PSM ISAs only) .... 86
16.8 Password Aging Inventory (PPM ISAs only) .... 86
16.9 File Aging Inventory (PPM ISAs only) .... 87
16.10 Release-Reset Reconcile (PPM ISAs only) .... 87
16.11 User Entitlement .... 87
16.12 Password Update Activity (PPM ISAs only) .... 89
16.13 Password Update Schedule (PPM ISAs only) .... 89
16.14 Password Testing Activity (PPM ISAs only) .... 90
16.15 Password Test Queue (PPM ISAs only) .... 90
16.16 Expired Passwords (PPM ISAs only) .... 91
16.17 Passwords Currently In Use (PPM ISAs only) .... 91
16.18 Password Requests (PPM ISAs only) .... 91
16.19 Auto-Approved Releases (PPM ISAs only) .... 92
16.20 Password Release Activity (PPM ISAs only) .... 92
16.21 File Release Activity (PPM ISAs only) .... 93
16.22 Windows Domain Account Dependencies (PPM ISAs only) .... 93
16.23 Auto Approved Sessions (PSM ISAs only) .... 93
16.24 PSM Session Activity (PSM ISAs only) .... 93
16.25 PSM Session Requests (PSM ISAs only) .... 94

© 2012 Quest Software, Inc. ALL RIGHTS RESERVED.

This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc.

The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice.
Quest does not make any commitment to update the information contained in this document.

If you have any questions regarding your potential use of this material, contact:

Quest Software World Headquarters
LEGAL Dept
5 Polaris Way
Aliso Viejo, CA 92656
email: [email protected]

Refer to our Web site (www.quest.com) for regional and international office information.

Trademarks

Quest, Quest Software, and the Quest Software logo are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. For a complete list of Quest Software's trademarks, please see http://www.quest.com/legal/trademarks.aspx. Other trademarks and registered trademarks are property of their respective owners.

Third Party Contributions

Quest One Appliance-Based Privileged Account Management Solutions contain some third party components. Copies of their licenses may be found at http://www.quest.com/legal/third-party-licenses.aspx.

1.0 Introduction

Total Privileged Access Management (TPAM) is a robust collection of integrated modular technologies designed specifically to meet the complex and growing compliance and security requirements associated with privileged identity management and privileged access control.

The Privileged Password Manager (PPM) module provides secure control of administrative accounts. TPAM is a repository where these account passwords are stored until needed, and released only to authorized persons. Based on configurable parameters, the PPM module will automatically update these passwords.

The Privileged Session Manager (PSM) module provides a secure method of connecting to remote systems, while recording all activity that occurs to a session log file that can be replayed at a later time. All connections to remote systems are proxied through the Privileged Account Management (PAM) appliance, ensuring a secure single access point.
2.0 Conventions Used in this Guide

Element: Convention

New feature symbol (icon not reproduced here): Wherever this symbol is displayed it means there is new functionality or an entirely new feature being discussed.
Bold: Elements that appear in the TPAM interface such as menu options and field names.
Italics Text / Note!: Used to highlight additional information pertinent to the process being described.
Tip!: Used to provide best practice information. A best practice details the recommended course of action for the best result.
Alert!: Important information about features that can affect performance, security or cause potential problems with your appliance.

3.0 Getting Help

3.1 Online User Manuals

To access online user manuals click the Documents list located in the upper right hand corner of the application. The manuals that are available to you are based on your user type and the permissions assigned to your userid.

3.2 Help Bubbles

Throughout the application you will also notice help bubbles next to many of the fields in the application. If you hover the mouse over the bubble a pop up window provides a brief explanation about what the field is used for.

3.3 Customer Portal

The Quest Software Customer Portal is where you can find product updates, user manuals, WebEx Demos and FAQs. To access the Portal you will need a username and password from the Quest Software Technical Support group. To login go to https://hq01.e-dmzsecurity.com/edmzcust.

3.4 Contacting Customer Support

Quest Software's world-class support team is dedicated to ensuring successful product installation and use for all Quest Software solutions.

SupportLink: www.quest.com/support
Email: [email protected]

You can use SupportLink to create, update, or view support requests.

4.0 TPAM Definitions

4.1 Terms

4.1.1 System

A system is a host computer, network device, or work station for which one or more account passwords will be maintained. It is also referred to as the managed system.
4.1.2 Collection

A collection is a logical association of systems. In v2.4 collections can also include Accounts and Files. Permissions can be granted to a collection. All systems contained in the collection, or added to it, will inherit those permissions. A system can belong to multiple collections. A System cannot be in the same collection as any of its Accounts or Files.

4.1.3 UserID

A UserID is defined as a user of the TPAM appliance. At the time the UserID is created the interface (Web or CLI/API) must be determined and cannot change. There are different types of UserIDs (Basic, UserAdmin, Auditor, Administrator and Cache User). See section 4.2.

4.1.4 Group

A Group is a logical association of UserIDs. Groups are a mechanism for easing the burden of assigning Access Policies on systems or collections to users. Access Policies that are assigned to a group are inherited by all members in the group. When a user is added to a group, they will immediately receive all permissions assigned to the group, and all permissions received through the group are revoked when a user is removed from the group. Users can be members of multiple groups.

4.1.5 Managed Account

This is the account on the remote system to which a proxied connection can be made and/or whose password is being stored and maintained through the PPM portion of TPAM. For example, "root" is likely to be a managed account on many of the managed UNIX systems.

4.2 User Types

4.2.1 Basic

A Basic user type can be assigned permissions for various functions throughout the application, such as requestor, reviewer, etc.

4.2.2 Administrator

The Administrator is the most powerful user type for the TPAM User Interface. This user type can create and delete systems, users, groups, and collections. The administrator user type may also assign access policies to any user, including themselves. An administrator may view all reports. It is recommended that this user type be assigned carefully. The Administrator may not delete or disable their own user ID.

4.2.3 Auditor

The auditor user type permits the individual to view reports, session logs and system information, but not to make any changes to data or view passwords. The Auditor may not delete or disable his own account. Auditors may also review completed password and session requests.

4.2.4 User Administrator

This user type has the authority to manage Basic user types. User Administrators can disable and enable users, unlock user accounts, and update account information. The User Administrator does not have the ability to add users to groups or manage permissions. CLI/API user accounts cannot be managed by a User Administrator.

4.2.5 Cache User

If your company opted to purchase cache servers along with TPAM you will be setting up cache user types. A cache user can only retrieve passwords through the cache server that they are assigned to. A cache user will not have access to the TPAM interface.

4.3 Permission Types

4.3.1 Denied

This user role was created so that collection permissions could be assigned to a user and then, if there are specific entities within this collection that the user should not have access to, the Denied permission can be set for these entities. If you are Denied for a System but have access to a specific Account/File on that System you will still be able to access the Account/File, because Account or File holds precedence over System.

4.3.2 Information Security Administrator (ISA)

The role of ISA is intended to provide the functionality needed for security help desk personnel, and as a way to delegate limited authority to those responsible for resource management. An ISA permission with a Type of Session allows the user to add and update all aspects of PSM Only systems, PSM only accounts, and PSM supported platforms.
An ISA permission with a Type of Password allows the user to add and update systems and accounts for all platforms except those that are PSM only. A user must be assigned an Access Policy with a Type of both Password and Session and permission of ISA to be able to assign access policies to other entities. The ISA permission does not allow the user to delete a system.

4.3.3 Approver

An Approver can be set up to approve password, session and/or file requests. An approver can also be set up to only approve sessions that are requesting specific commands.

4.3.4 Requestor

A Requestor can be set up to request password, session, and/or file requests. A requestor can also be set up to only request sessions that run specific commands.

Note! A user requesting a session that has an interactive proxy type must also have an access policy assigned to them that includes Password/Requestor for that account.

4.3.5 Privileged Access (PAC)

An individual that must go through the request process for passwords, files, and sessions, but once they submit the request it is automatically approved, regardless of the number of approvers required.

Note! If you have Session/PAC permissions but do NOT have Password/PAC permissions on an account, you will only be able to start a session that is configured for one of the automatic proxy connection types, since you do not have permissions to access the password.

4.3.6 Reviewer

The reviewer role permits the individual to view reports on specific systems to which they have been granted reviewer rights. A Session/Command Reviewer can also replay sessions and review/comment on these sessions. If the user has Password Reviewer permissions they can review a password release that has expired and comment on that password release.

5.0 Permission Hierarchy

Because TPAM allows groupings of Users (Groups) and remote systems (Collections), it is possible, even likely, that a user could appear to have multiple conflicting permissions for a particular system, account, and/or file. To prevent this, TPAM implements a precedence of permissions. The precedence, in order of decreasing priority, is:

1. An Access Policy assigned to a User for an Account/File (most specific)
2. An Access Policy assigned to a User for a System
3. An Access Policy assigned to a User for a Collection containing Accounts or Files
4. An Access Policy assigned to a User for a Collection of Systems
5. An Access Policy assigned to a Group for an Account/File
6. An Access Policy assigned to a Group for a System
7. An Access Policy assigned to a Group for a Collection containing Accounts or Files
8. An Access Policy assigned to a Group for a Collection of Systems (least specific)(*)

(*) This category includes Users who are assigned to any of the "Global XXX" Groups. The Groups grant their respective permissions to an internally-maintained "All Systems" collection.

Note! A single "Denied" Access Policy assignment at any level overrides all other permissions at that level.

When any of the permissions are changed, for instance by adding or removing a user from a group, the precedence is recalculated, and if necessary, the permissions for the user are changed to reflect the new level that results.

[Figure: example assignment of Access Policies to Groups and Users; not reproduced here.]

In the scenario shown above, the groups and users have been assigned Access Policies which grant the permissions specified. In this situation, the precedence of permissions will be applied and the effective permissions would be as follows:

• User A has Approver permission on System C through the Group to System assignment.
• User A has been assigned Reviewer rights on System A, Account B1, and File C1 via the Group A to Collection B assignment. These Review rights on File C1 take precedence over the Approve rights on System C because assignment to a Collection containing an Account or File is more specific than a collection containing just the System. User A may still Approve requests to all accounts on System C and all of C's files with the exception of File C1.
• Users A, C, and D have Request rights on System A, Account B1, and File C1 through Group B. Note that, as above, the Group B to Collection B assignment of Request rights for User A on File C1 overrides the Approver rights from Group A. Since User A is in both Groups A and B he has both Review and Request rights on all the items in Collection B. Assignments at the same hierarchy level are combined.
• User B has been Denied access to System B, which includes all Accounts and Files thereon. Even though the Group A to Collection B assignment grants User B Review on Account B1 on System B, User B is still denied access because the User to Collection assignment trumps the Group to Account in a Collection assignment. If User B had instead been assigned the Review permission directly (as opposed to through Group A) to Account B1, that would have replaced the Denied assignment on System B, but only for that one account. User B also has Review rights on all Accounts and Files on System A and on File C1 on System C.
• User C has been granted explicit ISA rights on Account B1. This User to Account assignment supersedes both policies User C received via the Group to Collection assignments, but only for Account B1. User C still has Review and Request permissions to System A and File C1.
• User D has been granted ISA rights over Collection A. This assignment takes precedence over D's Request permission on System A, which comes through the Group B to Collection B assignment. D still retains the Request permissions on Account B1 and File C1 from the Group assignment; however, that removes D's ISA permissions on Account B1 (although D still has ISA permissions over any other accounts on System B).

Where there is more than one permission granted at the same level of the permission hierarchy those permissions are combined, as long as one of those permissions is not "Denied". If a User is in 3 different groups (A, B, and C) with policies to the same System (A grants Approver, B grants Reviewer, and C grants Requestor) the user has all three permissions in effect on that system. However, if Group B has Denied permissions instead of Reviewer, that takes precedence over all other "Group to System" assignments for that User on that System.

6.0 Accessing TPAM

To access TPAM, point your browser to TPAM's IP address or FQDN followed by /egp or /par. For example, if the IP address for TPAM has been configured as 192.168.1.100 (1), the URL would be https://192.168.1.100/egp/.

Connectivity

To communicate with the TPAM appliance and successfully initiate a session your computer will need to be able to pass traffic on ports 443 (HTTPS) and 22 (SSH).

(1) For additional information and instruction on the initial configuration of the appliance, see the "Quest One Privileged Account Management Configuration and Administration Manual".

If TPAM will be accessed via Microsoft Internet Explorer® (IE), there are two important setting changes to verify or change in the IE configuration:

Pop-Up Blocker

When the /par website is accessed, the initial instance of the browser will be closed and a new window will open without menu or title bars. Browsers that are configured to block popups often interpret this as a pop-up and the page will not be displayed. Be sure to add the URL for TPAM to the list of allowed pop-ups.

Tip: Holding the Ctrl key will temporarily allow pop-ups.
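Returning to section 5.0: the resolver below is an added illustration (not Quest's code) of the printed precedence list, the same-level combination rule and the Denied override, run against a constructed version of the manual's scenario and against the three-group example. Since the figure is not on the page, the collection and group membership used here (Collection A = System A and System B; Collection B = System A, Account B1 and File C1; Group A = Users A, B, C; Group B = Users A, C, D; an extra Account B2 on System B) and the treatment of mixed collections are assumptions.

```python
"""Effective-permission resolver for the section 5.0 precedence list.
Added illustration, not Quest's code. Entities and assignments are constructed
to mirror the manual's scenario; the figure is not on the page, so the
collection and group membership used here are assumptions.
"""
from dataclasses import dataclass, field

DENIED = "Denied"

# Section 5.0 precedence, keyed by (principal kind, how the target is reached):
# 1 = User -> Account/File (most specific) ... 8 = Group -> Collection of Systems.
LEVELS = {
    ("user", "entity"): 1, ("user", "system"): 2,
    ("user", "coll_entity"): 3, ("user", "coll_system"): 4,
    ("group", "entity"): 5, ("group", "system"): 6,
    ("group", "coll_entity"): 7, ("group", "coll_system"): 8,
}


@dataclass
class Tpam:
    system_of: dict = field(default_factory=dict)    # account/file -> its system
    collections: dict = field(default_factory=dict)  # collection -> set of members
    groups: dict = field(default_factory=dict)       # group -> set of users
    assignments: list = field(default_factory=list)  # (principal, target, permission)

    def assign(self, principal, target, permission):
        self.assignments.append((principal, target, permission))

    def _reaching(self, user, target):
        """Yield (level, permission) for each assignment that reaches target.
        Assumption for mixed collections: membership of the target itself counts
        as 'Collection containing the Account/File'; membership of only its
        system counts as 'Collection containing the System'.
        """
        system = self.system_of.get(target)  # None when target is a system
        user_groups = {g for g, members in self.groups.items() if user in members}
        for principal, tgt, permission in self.assignments:
            if principal == user:
                kind = "user"
            elif principal in user_groups:
                kind = "group"
            else:
                continue
            members = self.collections.get(tgt, set())
            if tgt == target:
                scope = "entity" if system else "system"
            elif system and tgt == system:
                scope = "system"
            elif target in members:
                scope = "coll_entity" if system else "coll_system"
            elif system and system in members:
                scope = "coll_system"
            else:
                continue
            yield LEVELS[(kind, scope)], permission

    def effective(self, user, target):
        """Permissions the user holds on target; empty set means Denied or none."""
        by_level = {}
        for level, permission in self._reaching(user, target):
            by_level.setdefault(level, set()).add(permission)
        if not by_level:
            return set()
        winning = by_level[min(by_level)]  # only the most specific level counts
        # One Denied at the winning level overrides every grant at that level.
        return set() if DENIED in winning else winning


def manual_scenario():
    """Constructed version of the section 5.0 scenario (membership assumed)."""
    t = Tpam()
    t.system_of.update({"Account B1": "System B", "Account B2": "System B",
                        "File C1": "System C"})
    t.collections["Collection A"] = {"System A", "System B"}
    t.collections["Collection B"] = {"System A", "Account B1", "File C1"}
    t.groups["Group A"] = {"User A", "User B", "User C"}
    t.groups["Group B"] = {"User A", "User C", "User D"}
    t.assign("Group A", "Collection B", "Reviewer")
    t.assign("Group B", "Collection B", "Requestor")
    t.assign("User B", "System B", DENIED)   # denies all of System B's accounts
    t.assign("User C", "Account B1", "ISA")  # level 1 beats the group grants
    t.assign("User D", "Collection A", "ISA")
    # Caveat: by the printed list, D's level-4 ISA also reaches Account B1 via
    # System B, whereas the manual's narrative describes Request there.
    return t


def three_group_example(group_b_permission="Reviewer"):
    """User X in three groups, each with its own policy on System A."""
    t = Tpam()
    for group, permission in (("Group A", "Approver"), ("Group B", group_b_permission),
                              ("Group C", "Requestor")):
        t.groups[group] = {"User X"}
        t.assign(group, "System A", permission)
    return t.effective("User X", "System A")
```

Call manual_scenario().effective("User B", "Account B1") to see the System-level Denied win over the group Review, then assign User B Reviewer on Account B1 directly and repeat to see it replaced for that account only.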
User Authentication Settings

It may also be necessary to modify the User Authentication option of the IE Security Settings. The recommended setting is "Prompt for user name and password". A setting of "Automatic logon…" may attempt to pass the username and password from the workstation or domain to TPAM. This will cause logon failures and may lock out the user's TPAM account.

7.0 Permission Based Home Page

Your home page is based on the user type and permissions assigned to your user id in the TPAM application. You can return to the home page from anywhere in the TPAM application by clicking the home icon located on the far left side of the menu ribbon.

Note! The screen shots in this manual represent a UserID that has been assigned a Global ISA Access Policy. The screens that you see when you log into the par interface may or may not have all of these options depending on your permissions.

The first tab that displays is the default message of the day, which is configured through the paradmin interface. To immediately approve a session, password or file request click the blue links.

7.1 Recent Activity Tab

The recent activity tab shows all your activity in TPAM for the last 7 days.

7.2 Approvals Tab

The Approvals tab will show any requests (Password, File or Session) that require your approval. Once they are approved or denied you will still see the request in this list until the release duration expires. By clicking on the request id you will be taken directly to the appropriate Requests Approval Detail tab so that you can approve or deny the request. To use the auto-refresh option check the box and enter the number of minutes you would like the screen refreshed.
7.3 Pending Reviews Tab

If you are an eligible reviewer for any post password releases or sessions you will see the Pending Reviews tab on your home page. Any password releases or sessions that are pending review will be seen on this tab. By clicking on the request id you will be taken directly to the Password Release Review Details or Session Review Details tab. To use the auto-refresh option check the box and enter the number of minutes you would like the screen refreshed.

8.0 Managing Your Own Account

Any user may change their password and update individual account details using the My Info menu option. To reset your own password, select My Info → Change Password from the menu. Enter the existing password, the new password desired, and confirm the new password. User passwords are subject to the requirements of the Default Password Rule.

Other individual account information can also be self managed, such as contact information and full name. Select My Info → User Details from the menu to make modifications to your own account information. A user may not modify the UserID, Last Name, or First Name fields.

8.1 User Time Zone Information

You can edit your time zone information through the My Info → User Details menu option. The TPAM administrator will also be able to edit your time zone. If you are in the same time zone as the server and follow the same Daylight Saving Time (DST) rules the first radio button should be selected. If you are in a different time zone and/or follow different DST rules and do not want to follow server time, the second radio button should be selected, and the appropriate time zone chosen from the list. With this option most dates and times that the user sees in the application or on reports will be converted to your local time. If a date or time still reflects server time it will be noted on the screen.
Note! If the Sys-Admin has disabled User Time Zone changes in the paradmin interface, the User Time Zone Information block described above will be visible only for Administrator users.

Example: The TPAM appliance is located in New York, NY on Eastern Time. The user is located in Los Angeles, CA, which is on Pacific Time. If the user chooses to set their time zone to Pacific Time, any requests, approvals, etc. that they make will be reflected in Pacific Time to them, and they will have the option to view some reports in their local time zone. If the TPAM Administrator is in the Eastern Time zone the admin will see this user’s transactions stamped with Eastern Time.

Alert! If you are in Daylight Saving Time (DST) you must remember to check the DST box and uncheck it when it is over. This box does NOT automatically get changed for you.

You will be automatically redirected to the User Details page when attempting a new transaction if:
• The server has undergone a DST transition since your last activity.
• The time zone on the server has been changed since your last activity.
• The server has had a patch applied that has rendered your current time zone obsolete according to Microsoft’s time zone updates.

You will be able to see the server time on the bottom left of your screen and your local GMT offset (if different from the server) in the middle bottom of the screen. You will see the time listed in reference to GMT (Greenwich Mean Time), using notation to indicate the number of hours ahead of or behind GMT. So for example US Eastern Standard Time is 5 hours behind GMT, or GMT -05:00; New Delhi, India is 5 ½ hours ahead, or GMT +05:30.

9.0 Application Navigation

This section provides an overview of how to navigate through the user interface.

9.1 Tab Format

One of the first things the user will notice is that upon selecting an action from the main menu bar the data will be displayed through multiple tabs.
Once a specific System, Account, Collection, etc. is selected, all of the details about this entity can be viewed by clicking on the different tabs along the top of the page. Tabs which do not apply to a given system are disabled. For example, the Connection and Management Details tabs do not apply to a system unless the Enable Automatic Password Management option is checked.

9.2 Filter Tab

This tab was developed for companies that are managing a large number of systems, accounts, collections and groups. By entering specific criteria on the Filter tab, the user will be able to quickly get to the piece of data that they need to review or edit without searching through thousands of records. The Max Rows to Display list allows you to limit the number of records returned even if there are more that meet the criteria.

The Default Filter Settings has choices of Clear, Save and No Action. If Save is selected then every time the user selects the menu item they will land on the Listing tab and the same filter will be applied until a new filter is saved or the filter is cleared. The saved filters are on a user by user basis, that is, if user dlynch saves a filter it has no effect on a filter saved by glucas.

Once your filter criteria have been entered click the Listing tab to get the results of your filter.

9.3 Listing Tab

The results from your Filter will be listed in the Listing tab. Notice that in the example above 2 records actually met the Filter criteria that was entered and the user chose to display only 50 rows. If 120 records had met the filter criteria only 50 would have been displayed, but it would have said Displaying 50 out of 120 rows meeting filter criteria, warning the user that was all that was returned in the Listing tab.
Once you find the record that you want to work with, click the row once to highlight the row on the screen and then click the tab where you want to go next.

Note! If you are already displaying the Listing tab, clicking the tab label a second time will refresh the listing from the database based on the current criteria.

9.4 Feedback Area

The feedback area is located in the bottom center of each window. This area was created to notify the user what transaction was last completed. As soon as the user selects a new “entity” (i.e. system, account, collection) from the listing, the Feedback area will be cleared and remain empty until a new transaction occurs.

10.0 Configuring Managed Systems

If your System Administrator has set the “Restrict ISA System Creation” global setting to “Yes”, you will not be allowed to add systems.

Selecting Systems & Accounts → Systems → Add System or Systems & Accounts → Systems → Manage Systems will lead to the configuration pages for managed systems. If modifying an existing system, first select the desired system by entering criteria on the Systems Management Filter tab, clicking on the Listing tab, clicking on the System Name you are looking for and then clicking on any of the additional tabs to edit the system configuration. Below is a description of all the configuration fields on the various tabs.

As a PSM ISA you will NOT be able to access the Connection or Management Details tabs (except for e-DMZ SPCW systems).

10.1 System Details Tab

10.1.1 System Name

This is the descriptive name of the system. Typically, the hostname will be used. Within TPAM, the system name must be unique. The name can be 1-30 characters long, but cannot include white space (i.e. spaces, carriage returns, etc.).

10.1.2 Network Address

The IP Address (i.e. 192.168.0.15) or DNS Name (server1.domain.bigco.com) of the system.
It is imperative that this information is entered correctly, as the back-end automation procedures will use this address to connect to the remote system to proxy and record the session activity and to set or check the password for the managed account(s).

10.1.3 ISA Policy

You will see this list option when adding a System if your userid is assigned an Access Policy that contains an ISA permission. From this list you can select which ISA policy should be applied for your access to this new system once it has been saved. If you have ISA access granted via a single Access Policy it will be pre-selected.

Alert! If you select Do not Assign an ISA Policy and do not assign the System to a Collection that you have access to, you will NOT have any access to the system after it is saved.

10.1.4 Platform

Choose the appropriate platform for the operating system running on the remote host. For PSM this field is primarily descriptive, since it is the proxy connection type that actually determines how the session will be established. However, if the passwords for this system will be managed by PPM, then it is very important that this be entered correctly, as PPM uses it to determine the most secure and reliable way to manage the passwords on the remote system.

Note! If you are only a PSM ISA the platform list will only contain PSM enabled platforms.

Note! A system added to TPAM with a platform type not supported by PSM will appear in the list of systems on TPAM, and the accounts defined for that system will appear in the TPAM accounts list for the system – however, the option to allow sessions will be disabled.

10.1.5 Password Rule

Select the desired password rule to serve as the default for all accounts defined for the system. If the selection is not changed (or if no other rules have been defined in TPAM) the Default Password Rule will be selected.
The password rule will govern the construction requirements for new passwords generated by PPM. Password rules are managed by Sys-Admin users in the parconfig interface.

10.1.6 Maximum Duration

This is the maximum duration for a password release on the account. If this is overridden by an Access Policy assignment, the lower of the two durations will be used. The default duration that the requestor will see for any new password request is 2 hours, or the maximum duration, whichever is less.

10.1.7 Contact E-mail

Allows support personnel to receive email notifications from TPAM. Alerts or warnings are sent when the condition of the remote system is not as expected. This field can be left blank, in which case errors will be logged but notifications will not be sent. The email address in this field will be the one notified when manually managed account passwords are scheduled to be changed.

10.1.8 Description

The description field may be used to provide additional information about the system, special notes, business owner, etc.

10.1.9 Enable Automatic Password Management? (PPM ISA’s only)

Tells TPAM whether to automatically manage remote system account passwords, based upon configuration parameters for each system. Auto-management includes automatic testing and changing of the passwords. Checked = Yes, Unchecked = No.

This option is available at both the system and account levels, therefore it is possible to allow TPAM to auto-manage one account on a specific system, while another account on the same system is not auto-managed. However, if the option is unchecked at the system configuration level, no accounts on the system can be auto-managed.

If the appliance has exceeded the number of PPM managed systems that were licensed, this option cannot be checked for any new systems until you check the Disable PPM Functionality checkbox on another managed system.
10.1.10 Disable PPM Functionality (Only ISA’s with both PPM and PSM Permission)

This checkbox sets the system to “PSM only”, which means you cannot use any of the PPM features on this system such as password change history, release logs, password checking and changing, and releasing passwords. The reason for this is product licensing. You are not limited in the number of “PSM only” systems you can add, but the number of managed (PPM) systems you can add is limited by the number of licenses you purchased.

10.1.11 Approver Escalation

You have the ability to send an escalation to a specific e-mail address if no approvers have responded to a Password/File request within X minutes. You can enter multiple e-mail addresses by separating them with a comma, up to the field maximum of 255 characters.

10.1.12 Delegation Prefix (specific platforms only)

This field can be used to preface the commands that PPM uses to manage passwords for this system. The delegation prefix can also be used to specify an absolute path to the command that PPM uses to manage passwords for the system.

10.1.13 Computer Name (specific platforms only)

This field is designated for the system’s computer name and is required for proper password management. If it is not populated, TPAM will attempt to determine the system’s computer name when the system is tested and update the field.

The Computer Name field is also used with TPAM’s Autologon feature. You have the option to have TPAM log the user into the remote system using the WORKSTATION\USERID format. This will prevent an incorrect logon if the Default domain is saved as the DOMAIN name versus the Local Workstation. If a Domain user is selected from the Session Authentication screen in PSM details, the user credentials will be passed as DOMAIN\USERID. You will notice with both options that the DOMAIN field is grayed out at login.
10.1.14 System Location Information

There are six customizable fields that you can use to track location information about each system. These custom fields are enabled and configured by the System Administrator in the paradmin interface. If these fields have not been enabled the system location section of this page will not appear at all on the Details tab.

10.2 Systems Connection Tab (PPM ISAs only)

Note! PSM ISA’s will only see this tab for SPCW systems.

Fields available for connection settings will differ according to the platform type of the managed system.

10.2.1 Alternate Port

Most non-Windows platforms allow alternate ports to be configured for communication of standard protocols, such as SSH, Telnet, or database ports. TPAM supports the ability to specify these system specific ports via the Connection tab.

10.2.2 Domain Name (specific platforms only)

When the system platform being created represents a central authority such as Active Directory, BoKS, or PowerPassword, the domain name must be specified. This name cannot be an alias, simple name, or NetBIOS name, but must be the fully qualified DNS name of the domain.

10.2.3 NetBIOS Domain Name (Windows domains only)

Windows domain systems (Active Directory, NT Domain, or eDMZ SPCW) also include the NetBIOS Domain Name field. Specify the name of the domain in NetBIOS format.

10.2.4 Alternate Address (specific platforms only)

When the system platform being created represents a central authority such as Active Directory, BoKS, or PowerPassword, the alternate address field can contain the network address of an alternate authority (i.e. another domain controller) for redundancy.

10.2.5 Functional Account

The Functional Account defines the account that will be used to manage the accounts on the managed system.
This account must be defined and configured on the managed system as defined in the appropriate Client Setup Instructions. The credential defines whether SSH will use a predefined key (DSS) to authenticate or a standard password. DSS is the preferred and more secure way of managing accounts on systems that support SSH.

You have the option to let PPM manage the functional account. The auto-change parameters for this password may then be configured via the Account Details tab, as with any other account. This helps to secure the managed system by not maintaining a “static” password on a functional account.

Alert! After a system is “saved” for the first time, any changes in the system parameters will not automatically be applied to the functional account, unless the “Propagate to All Accounts” switch on the Management Details tab has been checked. The auto manage function will never be propagated to the functional account. It must be manually set.

10.2.6 PSM Functional Account (eDMZ SPCW platform only)

The PSM functional account is used to provide secure communication during the session and file transfer during a session. If the PSM enabled account on the system is configured to use a proxy type of RDP through SSH, the PSM Functional account will be used during this connection.

10.2.7 Account Credentials

When using DSS key authentication, a function is available to permit specific configuration of the public/private keys used.

Avail. System Std. Key – will use the single standard SSH keys (either Open SSH or the commercial key) stored centrally in TPAM. You have the ability to have up to three active keys simultaneously. These keys are configured in the paradmin interface. Use the list to select the key you want to retrieve.

Note! When using the System Std. Keys you cannot specify which key will be used.
You may download one or all available keys to put on the remote system, but TPAM will attempt to use all currently active keys when communicating with the remote system.

Use System Specific Key – will allow the generation and download of a specific SSH key to be used with this system only. The key must first be generated using the button, and then downloaded in either Open SSH or Sec SSH (commercial) format.

10.2.8 Enable Password (Cisco and ProxySG only)

Some systems may require the use of very specific accounts for access (ex. Cisco PIX requires the use of “pix” as the ID, Cisco routers use “cisco” as the ID, etc.). If the managed device is a Cisco device, the Enable Password must also be specified in the configuration.

10.2.9 SID / Service_Name (Oracle DB only)

Specifies either the Security ID (SID) or the service name for Oracle databases, and should match the setting in SQLNET.ORA at the database server.

10.2.10 Connection Timeout

The connection timeout value determines the amount of time in seconds that a connection attempt to the managed system will remain active before being aborted. In most cases, it is recommended to use the default value (20 seconds). If there are problems with connection failures with the system, this value can be increased (for example, connections to Windows systems are often slower than SSH connections and may require a significantly higher timeout value).

10.2.11 Server O/S (BoKS platform only)

Select the O/S running on the server from the list.

10.2.12 Expert Password (CheckPoint SB only)

Setting up an Expert Password will allow configuration access to the system.

10.2.13 Non-Privileged Functional Account (Windows Active Directory only)

If this box is checked any password changes for accounts on this system will use the account’s current password to log in and make the password change instead of using the functional account password.
10.2.14 Authentication Method (Cisco Router TEL only)

Username/Password is used when a username is needed when connecting to the system. Line Definition is used when there is no username to be specified; it is simply a password on the terminal connection.

10.2.15 Allow Functional Account to be Requested for Password Release

If this box is checked then Requestors on this system can make a request to release the password for the functional account. If this box is not checked the functional account passwords are not available for release to a requestor and will only be accessible to an ISA.

10.2.16 Custom Command (Mainframe platforms only)

If there is a special command that needs to be entered prior to being prompted for authentication credentials, it is specified by placing the command in the custom command field.

10.2.17 Use SSL? (specific platforms only)

Check this box if communications between TPAM and the device require the SSL option.

10.2.18 Tunnel DB Connection Through SSH (database platforms only)

Database tunneling through SSH provides the ability to securely connect to a remote database. Enter the Account Name that you will use to connect to the remote system. If SSH is not listening on port 22, provide the correct port you want the connection forwarded to. For DBMS accounts, SSH tunneling only uses public key authentication and not manual passwords for establishing the SSH connections.

Alert! Make sure that the default of “AllowTcpForwarding” is set to Yes in the SSH configuration file of the managed system.

10.3 System Management Details Tab (PPM ISAs only)

The System Management Details tab lists options that, once set, will be inherited by all accounts set up on this system. These options can be overridden at the account level.
10.3.1 Password Check and Reset Options

The automatic password testing function may be enabled or disabled for managed systems by using the Check Password and Don’t Check Password radio buttons. If enabled, the option to have the password automatically reset when a mismatch is found is also available. By default Reset Password on Mismatch will be selected. When auto reset is disabled only a notification email will be sent when a password mismatch is encountered (assuming the system contact email field is populated).

Change Password after any release indicates whether the password for the account should be automatically reset by PPM following a release to any user (including ISA users). The option is enabled by default. If disabled, the password will not be changed after releases, but will still be changed based upon the Change Frequency settings.

10.3.2 Change Frequency

This specifies the interval at which the password will be automatically changed, regardless of whether or not the password has been released. Typically, this will be set to the value specified in your company’s security policy, which defines password expiration age. Available choices are:
• First Day of the Month – the password will be changed every month, on the first day of the month
• Last Day of the Month – the password will be changed every month, on the last day of the month
• Every n Days – this allows you to specify the frequency with which the password will be changed. The n value can be between 1 (changed every day) and 999.
• None – no scheduled changes.

10.3.3 Change Time

Allows you to specify the time of day when automatic password changes will take place. This should be set to a time when the system is not scheduled to be down for regular maintenance and when system activity is not at its peak.
The change will take place when the TPAM server reaches this time, not when your local time zone does.

10.3.4 Default duration for ISA releases of password (can only be entered by Admin)

The duration for ISA release may be specified up to a maximum of 7 days. This is the amount of time that will transpire between the initial ISA retrieval and the automatic reset of the password (if enabled).

10.3.5 Allow ISA to enter Duration on Release (can only be checked by Admin)

If this checkbox is checked, an ISA may enter a release duration other than the default when retrieving a password. The duration must be >0 and <= the max of either ISA Duration (Mgt Details tab) or Max Release Duration (Details tab). This column was added to the System and Account Imports and Batch Updates. This flag is also a value that can be pushed to Account and pulled from System.

10.3.6 Propagating Auto Password Management and Management Detail Settings

Default change settings can be configured differently between systems and the defined accounts for those systems. If the desire is to ensure consistency throughout this parent-child relationship, it is possible to push the configuration of the default change settings from the system object to all child objects defined for the system.

Using the check boxes, select the desired level of propagation of the current system settings: Push Defaults to All Accounts and Enable auto management on All Accounts. To push auto management to all accounts you must first check Push Defaults to All Accounts; then you will be able to check the Enable auto management on All Accounts flag if you so choose. The currently configured default change settings and auto-manage properties will be changed accordingly on the child objects when the button is clicked. This is a one-time synchronization and may still be changed at the account level.
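The release-duration rules from 10.1.6 (Maximum Duration and the 2 hour requestor default) and from 10.3.4/10.3.5 above (ISA duration up to 7 days; an ISA-entered duration must be >0 and <= the larger of ISA Duration and Max Release Duration) written out as checks, as an added example that is not TPAM code. Durations are in minutes, and the function names and sample values are this example's own.

```python
"""Added example (not TPAM code): password release duration rules from
sections 10.1.6, 10.3.4 and 10.3.5 expressed as validation functions.
All durations are in minutes."""

from typing import Optional

DEFAULT_REQUEST_MINUTES = 2 * 60          # 10.1.6: 2 hours or the maximum, whichever is less
ISA_DURATION_CAP_MINUTES = 7 * 24 * 60    # 10.3.4: ISA default duration up to 7 days


def effective_max_duration(system_max: int, policy_max: Optional[int] = None) -> int:
    """Maximum Duration on the system, lowered by an Access Policy override when one exists."""
    if policy_max is None:
        return system_max
    return min(system_max, policy_max)


def default_request_duration(system_max: int, policy_max: Optional[int] = None) -> int:
    """Duration pre-filled on a new password request for a Requestor."""
    return min(DEFAULT_REQUEST_MINUTES, effective_max_duration(system_max, policy_max))


def isa_release_duration(requested: Optional[int], isa_default: int,
                         max_release: int, allow_isa_entry: bool) -> int:
    """Duration applied to an ISA password retrieval.

    isa_default comes from the Management Details tab (10.3.4), max_release from
    the Details tab (10.1.6), allow_isa_entry is the 10.3.5 checkbox. Raises
    ValueError when a configured or entered value is outside the manual's bounds.
    """
    if not 0 < isa_default <= ISA_DURATION_CAP_MINUTES:
        raise ValueError("ISA default duration must be >0 and at most 7 days")
    # When the ISA is not allowed to enter a duration the default applies
    # regardless of any value supplied (the field is not offered in the UI).
    if requested is None or not allow_isa_entry:
        return isa_default
    limit = max(isa_default, max_release)
    if not 0 < requested <= limit:
        raise ValueError(f"ISA duration must be >0 and <= {limit} minutes")
    return requested


if __name__ == "__main__":
    # Constructed sample: system max 8 hours, Access Policy override 4 hours.
    print(default_request_duration(480, 240))            # 120 (2 hours)
    print(isa_release_duration(1000, 1440, 480, True))   # 1000
```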
The functional account defined for the system will not receive the Enable Auto Management on All Accounts setting during a push. The auto-manage property must be manually enabled for the functional account.

10.4 Affinity Tab

The Affinity option will allow you to optimize performance of session recording and playback and password checking and changing if you have opted to purchase one or more DPA servers along with your TPAM appliance. This tab will not be enabled until you save the system.

10.4.1 PSM DPA Affinity Settings (PSM ISAs Only)

Use the PSM DPA Affinity Settings to optimize session recording and playback. The default setting will be Allow PSM sessions to be run on any defined DPA. The default DPA Server name will be LocalServer, which is the local TPAM appliance. If your company purchased and configured additional DPA’s to optimize performance you will see these listed in the DPA Server Name column. Enter the Priority number next to each DPA and click the button.

The priority numbers used in the Affinity settings only have meaning in relation to each other. For example, 1,2,3 has the same meaning to the system as 98,99,100. When the appliance goes to figure out which DPA to use it looks at them in order of priority from lowest to highest and picks the 1st one that has an open slot. A value of 0 (zero) is simply "more important" than any higher value. If you want to make it so that a particular DPA is never used for session recording for a given system, then the priority should be empty (NULL), not zero.

10.4.2 PPM DPA Affinity Settings (PPM ISA’s only)

Use the PPM DPA Affinity Settings to optimize password checking and changing. The default setting will be Use local PPM appliance for password checks and changes.
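The DPA priority rule from 10.4.1 (lowest number first, only relative order matters, 0 outranks any higher value, empty/NULL means never used) as an added example that is not TPAM code. DPA names, slot counts and priorities are constructed samples, and resolving ties between equal priorities in listed order is this example's assumption, not something the manual states.

```python
"""Added example (not TPAM code): choose the DPA for a new session following
the Affinity priority rule in section 10.4.1."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Dpa:
    name: str
    priority: Optional[int]   # None = empty (NULL) = never selected for this system
    open_slots: int           # constructed sample: free recording slots right now


def selection_order(dpas: List[Dpa]) -> List[str]:
    """Names in the order the appliance would try them; NULL priorities are excluded.

    sorted() is stable, so DPAs with equal priority keep their listed order
    (an assumption of this example, the manual does not define tie-breaking).
    """
    ordered = sorted((d for d in dpas if d.priority is not None),
                     key=lambda d: d.priority)
    return [d.name for d in ordered]


def choose_dpa(dpas: List[Dpa]) -> Optional[Dpa]:
    """Return the first DPA in priority order that has an open slot, or None."""
    by_name = {d.name: d for d in dpas}
    for name in selection_order(dpas):
        if by_name[name].open_slots > 0:
            return by_name[name]
    return None


if __name__ == "__main__":
    # Constructed sample: 98,99,100 behaves exactly like 1,2,3; dpa-lab is NULL.
    sample = [
        Dpa("LocalServer", 100, 1),
        Dpa("dpa-east", 98, 0),
        Dpa("dpa-west", 99, 2),
        Dpa("dpa-lab", None, 5),
    ]
    print(selection_order(sample))   # ['dpa-east', 'dpa-west', 'LocalServer']
    chosen = choose_dpa(sample)
    print(chosen.name if chosen else None)   # dpa-west (dpa-east has no open slot)
```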
If you want to use one of your DPAs for password checking and changing on this system, select the Selected DPA affinity radio button, enter the Priority number next to each DPA, and click the button.

Note! The password checking and changing functionality requires DPA v3.0+.

10.5 Ticket Systems Tab

The options available on this tab will be predetermined by how Ticket Systems were configured in the paradmin interface. If no Ticket Systems have been configured and enabled in the paradmin interface the Ticket System tab will be inaccessible. Any changes to the settings on this page are recorded in the System Activity Log. These options will be the defaults for any Accounts or Files added to the system.

10.5.1 Require Ticket Number from:

Check this box if you want to require ticket number validation every time a password or file request is submitted for this system. If multiple Ticket Systems are enabled they will be listed in the list for selection. You can specify the ticket system or allow entry of a ticket number from any system that is enabled. If this box is not checked users will still be able to enter a Ticket Number on a request, but will also be able to create a request without a Ticket Number entered.

10.5.2 Ticket required for:

If Ticket Validation is required then all requestors will be required to provide a ticket number. You also have the option to require users making requests through the CLI or API to supply a ticket number prior to retrieving a password or file. As an ISA you cannot determine if a ticket is required for ISAs, so this checkbox is disabled.

10.5.3 Send Email to:

If any of the ISA, CLI or API required boxes are left unchecked you also have the option of entering one or more e-mail addresses (up to 255 characters) that will receive an e-mail when an ISA, CLI or API user releases or retrieves a password or file without supplying a ticket.
10.5.4 Propagation

You have the option of pushing the Ticket System settings out to all Accounts and Files. When a new account or file is created it will take on the Ticket System settings of the parent system.

Note! These checkbox values are a one-time update each time they are checked and the Save Changes button is selected. After that there is no forcing of the settings to remain in sync. The settings on the Accounts can be overridden.

10.6 Collections Tab

Systems may be assigned membership to one or more collections. The collections list shows all collections for which the user holds the ISA role. By assigning the system to collections, the system automatically inherits user and group permissions that have been assigned at the collection level. To modify collection membership, simply click the Not Assigned or Assigned radio buttons next to each collection name and click the button.

Note! An ISA can only assign systems to a collection if they have both PPM and PSM ISA permissions on the system and the collection.

Note! If a collection is tied to either AD or Generic Integration the system’s membership status in that collection cannot be changed.

10.7 Setting Permissions for PSM and PPM Functionality for Systems

Select Systems & Accounts → Systems → Manage Systems from the menu. Once you select the system you want to modify click on the Permissions tab. With the addition of Access Policies in v2.4 the Permissions tab has changed.

Note! You must be both a PPM and PSM ISA over a system to be allowed to assign an Access Policy to it. Without both PPM and PSM, you will only be able to view the permission assignments.

Select the Filter criteria you want and click the Results tab. On this tab you can assign users and/or groups an Access Policy for this System.
First, select an Access Policy from the Access Policy list on the right upper side of the window. You will see that default Access Policies have been created to reflect the old PAR and EGP Roles that existed prior to v2.4.Also if you are an existing customer prior to v2.4, Access Policies will be created for any unique permissions that you had set up for account aliases. When you select an Access Policy from the list the detailed permissions describing this Access Policy will be displayed in the rows below. The buttons in the Access Policy Details area perform the following actions: Scrolls the currently selected User or Group into view Applies the currently selected policy to the current row. Assigning a policy of “Not Assigned” removes the current assignment. Applies the currently selected policy to all selected rows in the list. You will be asked to confirm the assignment if more than 10 rows will be affected. Removes the currently selected policy from all selected rows in the list. If a row is not currently set to the selected policy it will not be changed. You will be asked to confirm the assignment if more than 10 rows will be affected. Removes unsaved edits from the current row. Removes unsaved edits from all currently selected rows. This icon ( ) next to any row in the list simply means that row has been edited since the last save changes occurred. You can “Shift+Click” to select a range of rows. The first row you click on will be surrounded by purple dashed lines. The next row that you “Shift-Click” on will cause all the rows in between the original row and current row to be highlighted. 38 Quest One Privileged Account Management ISA Manual If you are already on the Results tab clicking the Results tab label will refresh the list from the database based on your filter criteria and apply any unsaved changes you may currently have. When you are finished assigning/unassigning Access Policies click the button. Note! 
You may re-filter and re-retrieve the results list without losing existing edits. As the Results tab is reloaded any Groups or Users that you have already edited will reflect their edited policy assignment.

When you click the Save Changes button all of the Access Policy assignment changes you have made for the system will be saved. The appliance will save these in batches, informing you of the number of assignments added, removed, or changed for each batch.

10.8 Adding A System

If your System Administrator has set the “Restrict ISA System Creation” global setting to “Yes”, you will not be allowed to add systems.

Select Systems & Accounts → Systems → Add System from the menu. After completing all required fields for the new system (see section 10.0), click the button to accept. To start adding accounts to the system or to view/edit the functional account, click the button and you will be taken to the Account listing for that system.

10.8.1 Adding a System Using a Template

Templates may be used to quickly create new systems with a given set of default values via the web interface, CLI or API. Select Systems & Accounts → Systems → Add System from the menu. Click the button. Select a Template from the Listing tab and click the Details tab to enter the System Name.

Note! A PSM ISA will only be able to select from templates that have all PPM functions disabled. A PPM ISA will not be able to see templates that are PSM only.

If the fields are not locked, make any other changes to the individual fields as needed before saving.

Alert! The System IP address is copied from the template and must be changed.

10.8.2 ISA Policy

You will see this list option when adding a System if your user ID is assigned an Access Policy that contains an ISA permission. From this list you can select which ISA policy should be applied for your access to this new system once it has been saved.
Alert! If you select Do not Assign an ISA Policy and do not assign the System to a Collection that you have access to, you will NOT have any access to the system after it is saved.

10.8.3 Adding a System When there is a Default Template

If the administrator has set a template as a “default” template, every time you add a system it will automatically use this template.

10.9 Managing A System

Select Systems & Accounts → Systems → Manage Systems from the menu. After selecting the system you want to modify using the Filter and Listing tabs, make the necessary changes to the system information and click the button to accept.

10.10 Clearing a Stored System Host Entry (PPM ISAs only)

The button removes the host entry from TPAM’s knownhosts file. An example of the necessity for this would be a situation in which the SSH package on a managed system has been reinstalled, or the OS itself has been reinstalled. A test of the system would indicate that the host key entry does not match, and will prevent password authentication because of a perceived “man in the middle” attack.

10.11 Testing a System (PPM ISAs only)

To test connectivity to the system you have configured in TPAM, click the button.

10.12 Duplicating a System

To ease the burden of administration and help maintain consistency, systems can be duplicated. This allows the administrator to create new systems that are very similar to those that exist, while only having to modify a few details. To duplicate a system, select Systems & Accounts → Systems → Manage Systems from the menu. Select the system to duplicate from the Listing tab and click the button. A new system object will be created and the system settings page will be displayed. Make the necessary changes to the system settings, and click the button.
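The host key mismatch described in section 10.10 is the standard trust-on-first-use check that any SSH client performs against its known hosts file. The following Python example is added here to illustrate that check and the "clear stored host entry" step; it is not TPAM's own code and does not model its file format. The host name db01.example.test and the key blobs are constructed samples, not real keys.

```python
import base64
import hashlib
from typing import Dict, Optional, Tuple


class HostKeyMismatch(Exception):
    """A known system presented a key different from the one on record."""


def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a raw public-key blob."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


class KnownHosts:
    """Trust-on-first-use host key store: one (key type, fingerprint) per host."""

    def __init__(self) -> None:
        self._entries: Dict[str, Tuple[str, str]] = {}

    def verify(self, host: str, key_type: str, key_blob: bytes) -> str:
        """Check a presented host key against the store.

        Returns "new" when the host is learned for the first time and "ok"
        when the key matches the stored entry. A different key for a host
        already on record raises HostKeyMismatch: that is the "perceived
        man in the middle" condition, and authentication must not proceed.
        """
        presented = (key_type, fingerprint(key_blob))
        stored = self._entries.get(host)
        if stored is None:
            self._entries[host] = presented
            return "new"
        if stored == presented:
            return "ok"
        raise HostKeyMismatch(
            f"{host}: stored {stored[0]} {stored[1]}, presented {presented[0]} {presented[1]}"
        )

    def clear(self, host: str) -> bool:
        """Forget the stored entry (the 10.10 'clear stored host entry' action).

        Do this only after the host change has been confirmed out of band, for
        example a planned reinstall; otherwise the mismatch is exactly the signal
        the check exists to catch. Returns True if an entry was removed.
        """
        return self._entries.pop(host, None) is not None

    def stored(self, host: str) -> Optional[Tuple[str, str]]:
        """Return the (key type, fingerprint) on record for a host, if any."""
        return self._entries.get(host)


def reinstall_walkthrough() -> Tuple[str, str, str, bool, str]:
    """Constructed scenario: learn a host, see it again, then it is reinstalled."""
    # Constructed sample key blobs, not real SSH keys.
    original_key = b"ssh-ed25519 constructed-sample-key-before-reinstall"
    reinstalled_key = b"ssh-ed25519 constructed-sample-key-after-reinstall"
    host = "db01.example.test"  # constructed host name
    store = KnownHosts()
    first = store.verify(host, "ssh-ed25519", original_key)        # "new": learned
    second = store.verify(host, "ssh-ed25519", original_key)       # "ok": unchanged
    try:
        store.verify(host, "ssh-ed25519", reinstalled_key)
        third = "accepted"
    except HostKeyMismatch:
        third = "mismatch"                                         # connection refused
    cleared = store.clear(host)                                    # ISA clears the entry
    relearned = store.verify(host, "ssh-ed25519", reinstalled_key)  # "new": re-learned
    return first, second, third, cleared, relearned


if __name__ == "__main__":
    print(reinstall_walkthrough())
```

The walkthrough returns ("new", "ok", "mismatch", True, "new"): the third connection attempt is refused, and only after the entry is cleared does the reinstalled system's key get learned again.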
The new system will inherit collection membership, permissions, affinity and ticket system settings from the existing system.

10.13 List Systems

Certain data may be exported from TPAM to Microsoft® Excel® or CSV format. This is a convenient way to provide an offline work sheet and also to provide data that may be imported into another TPAM, for example to populate a lab appliance with data for testing, without making the lower level changes that restoring a backup would cause.

Systems are exported using the Systems & Accounts → Systems → List Systems menu selection. Choose the criteria for the list of systems, which can be filtered to produce a specific subset of data, or the full list of systems. System Templates will not be included in the Listing.

With the introduction of Access Policies in v2.4 the PAR and EGP Permissions tabs on the System Listing have been replaced with a single Permissions tab that displays the Access Policy assigned to each user for the system.

Note! PPM ISAs will not see any “PSM Only Systems”, or systems with a platform of PSM Web Access or e-DMZ SPCW, in the listing.

Use the Filter tab to enter your listing criteria and the Layout tab to select the data set you want exported in your file. Click the or button to download your file.

11.0 Managing Accounts

Accounts on remote systems can be managed manually from TPAM. Selecting Systems & Accounts → Add Account or Systems & Accounts → Accounts → Manage Accounts will lead to the configuration pages for accounts. If modifying an existing account, first select the desired account by entering criteria on the Filter tab, clicking on the Listing tab, clicking on the Account Name you are looking for and then clicking on any of the additional tabs to edit the account. Below is a description of all the fields on the various tabs.
Using the Filter and Listing tabs, select the account to manage.

11.1 Account Details Tab

11.1.1 Account Name

This is the descriptive name of the account. Within TPAM, all the account names on one system must be unique. The name can be 2-30 characters long, but cannot include empty spaces.

11.1.2 Account is Locked (PPM ISAs only)

This checkbox gives Administrators and PPM ISAs the ability to “lock” and “unlock” an account. When an account is locked, passwords for that account cannot be retrieved, released or changed. Password requests or session requests can be submitted, but the password or session will not be available until the account is unlocked.

11.1.3 Password

Enter the active current password for the account. If no password is specified (left blank), PPM will store the value “default initial password” as the password for the account.

11.1.4 Password Rule (PPM ISAs only)

Select the desired password rule to serve as the default for the account. If the selection is not changed (or if no other rules have been defined in TPAM) the Default Password Rule will be selected. The password rule will govern the construction requirements for new passwords generated by PPM.

If the account resides on a Windows system, two additional options are provided:

11.1.5 Change password for Windows Services started by this account?

If this is the Administrator account, or another functional account that runs system services, this option will ensure that the password change is also applied to each service the account runs.

11.1.6 Use this account’s current password to change the password?

This may be necessary on Windows XP and Windows Server 2003 where Encrypting File System or other third-party security products are used and rely on authentication certificates stored in that account’s personal store.
If the system is configured with a “non-privileged functional account” then this setting will default for all accounts added to this system.

11.1.7 Description

This is a free text field where additional descriptive information may be entered.

Alert! For accounts on LDAP/LDAPS and Novell managed systems you must enter the actual account name in this field.

11.1.8 Password Management (PPM ISAs only)

By default, the property of the parent system is inherited at the account level as either None or Automatic. If Manual is selected then the primary contact e-mail at the system and account level will receive an email when it is time to manually reset the password. The contact will keep receiving this email at regular intervals, based on how this is configured by the Sys-Admin in the Auto Management Agent settings, until the password has been confirmed to be reset in PPM. If Automatic or Manual, the change frequency and post-release reset details should be specifically configured for the account on the Management Details tab.

Alert! The Reset Password option relies on the PPM change agent. If the change agent is not running, the password will not be reset. The Manual Password e-mail notification relies on the Man Pwd Change Agent; if it is not running no email notifications will go out to reset the password.

11.1.9 Ignore System Access Policies? (PPM ISAs only)

If this box is checked and saved, any Access Policies assigned to the System will not apply to this account. For users of TPAM prior to v2.4 this takes the place of the Alias Access Only setting.

Alert! If this box is checked the account will not be able to be requested unless it is in a collection (with appropriate access assigned) or user/group permissions are assigned directly to the account.

11.1.10 Approvals Required (PPM ISAs only)

The default value is 1, indicating that one single approval will allow the password release to the requestor (dual control release).
This value can be changed to force multiple approvers to approve each release request. Setting a value of zero will disable dual control for the account and PPM will auto-approve any request for release and make the appropriate log entry.

11.1.11 Maximum Duration (PPM ISAs only)

This is the maximum duration for a password release on the account. If this is overridden by an Access Policy assignment, the lower of the two durations will be used. The default duration that the requestor will see for any new password request is 2 hours, or the maximum duration, whichever is less.

11.1.12 Notification E-mail (PPM ISAs only)

The e-mail address specified in this field will receive notification of certain password releases. This applies to releases by ISA users and CLI/API users under all circumstances, and to releases to authorized requestors when dual control is not required (number of approvals set to zero). This e-mail address also receives notification if a manually managed password needs to be changed. Multiple email addresses can be specified by entering each email address separated by a comma, up to a maximum of 255 characters. Any time a change is made to the notification email address field, an email will automatically be sent to the old email address with a notification that this change has occurred.

11.1.13 Simultaneous Privileged Release (PPM ISAs only)

This field allows an Admin or a PPM ISA to allow more than one Privileged Access User (PAC) to request and retrieve a password/session during the same or an overlapping time period.

Note! If another Requestor already has the password checked out, the PAC users will have to wait for that release window to expire before they can gain access.

11.1.14 Override Individual Accountability (PPM ISAs only)

The System Administrator must have this global setting turned on in order for you to check this flag on an account.
When the Override Individual Accountability box is checked, more than one requestor will be able to request this password at the same time or during an overlapping duration. Any changes made to the Override Individual Accountability checkbox at the account level will be logged in the Activity Log.

On the Account Management tab, if the account has the Change Password after any Release box checked and the password is retrieved, then the password will be changed at the end of each requestor’s request duration. If the Do not automatically change the password while a release is active box is checked, the password will not be changed until the last requestor’s release duration has expired.

If the System Administrator decides to change the Global Setting from allowing account override to no longer allowing it, any Accounts that had been checked to override individual accountability will have their checkboxes cleared.

The button allows you to quickly navigate to the System on which a specific account resides.

11.2 Account Reviews Tab (PPM ISAs only)

The account review settings that were on the Account Details tab in prior releases are now located on a sub-tab titled Reviews.

11.2.1 Post Release Review Requirements

These settings give you the ability to set review requirements for password releases. Enter the number of reviews required. Select the radio button to choose eligible reviewers. If you select Any Authorized Reviewer (excluding Requestor), any user who is assigned to an Access Policy with Review Password permissions or is a member of a Group with a Review Password permission is eligible to complete the review, as well as all Auditors. If you want someone to receive an e-mail notification if the review is not completed within X hours, fill out the hour threshold and e-mail address. The password release is not eligible for review until the release duration has expired.
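The approval rules of section 11.1.10 (one approval by default, zero disables dual control with a log entry) and the review rules of section 11.2.1 (reviews only after the release window ends, reviewer never the requestor, an overdue notice after X hours) describe one release lifecycle. The following Python example is added here to show that lifecycle as a small state model; it is not TPAM's code, and the user names, the choice that the X-hour overdue clock starts when the release window ends, and the rejection of a requestor approving their own request are assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set


@dataclass
class AccountReleasePolicy:
    approvals_required: int = 1      # 11.1.10: default 1; 0 disables dual control
    reviews_required: int = 0        # 11.2.1: number of post-release reviews
    review_overdue_hours: int = 0    # 11.2.1: X hours before the overdue e-mail; 0 = none
    review_notify_email: str = ""    # 11.2.1: who receives the overdue e-mail


@dataclass
class ReleaseRequest:
    requestor: str
    status: str = "pending"          # pending -> approved -> released
    approvers: Set[str] = field(default_factory=set)
    reviewers: Set[str] = field(default_factory=set)
    release_end: Optional[datetime] = None
    log: List[str] = field(default_factory=list)


def submit(policy: AccountReleasePolicy, requestor: str) -> ReleaseRequest:
    """Create a request; with zero approvals required it is auto-approved and logged."""
    req = ReleaseRequest(requestor=requestor)
    if policy.approvals_required == 0:
        req.status = "approved"
        req.log.append(f"auto-approved: dual control disabled, requestor {requestor}")
    return req


def approve(policy: AccountReleasePolicy, req: ReleaseRequest, approver: str) -> str:
    """Record one approval; the request is approved once the required count is met."""
    if approver == req.requestor:  # assumption: self-approval is never dual control
        raise ValueError("a requestor cannot approve their own release")
    if req.status != "pending":
        return req.status
    req.approvers.add(approver)  # a repeated approval by the same person counts once
    if len(req.approvers) >= policy.approvals_required:
        req.status = "approved"
        req.log.append(f"approved by {sorted(req.approvers)}")
    return req.status


def release(req: ReleaseRequest, now: datetime, duration: timedelta) -> datetime:
    """Hand out the password for a window; its end drives review eligibility."""
    if req.status != "approved":
        raise ValueError(f"cannot release a request in state {req.status}")
    req.status = "released"
    req.release_end = now + duration
    return req.release_end


def review_eligible(req: ReleaseRequest, now: datetime, reviewer: str,
                    review_permission_holders: Set[str], auditors: Set[str]) -> bool:
    """11.2.1 'Any Authorized Reviewer (excluding Requestor)': a user holding Review
    Password permission (directly or via a group) or any Auditor, never the requestor,
    and only once the release duration has expired."""
    if req.release_end is None or now < req.release_end:
        return False
    if reviewer == req.requestor:
        return False
    return reviewer in review_permission_holders or reviewer in auditors


def review_overdue(policy: AccountReleasePolicy, req: ReleaseRequest, now: datetime) -> bool:
    """True when the review is still incomplete X hours after it first became possible.
    Assumption: the X-hour threshold counts from the end of the release window."""
    if policy.reviews_required == 0 or policy.review_overdue_hours == 0:
        return False
    if req.release_end is None or len(req.reviewers) >= policy.reviews_required:
        return False
    return now >= req.release_end + timedelta(hours=policy.review_overdue_hours)
```

With approvals_required=2 a request stays pending until two distinct approvers act; with 0 it is approved on submission and the log records that dual control was off, which is the entry an auditor should expect to find for every release on such an account.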
Once the password release has expired all eligible reviewers will receive an e-mail notification that there is a password release to review.

11.3 Account Custom Information Tab

There are six customizable fields that you can use to track information about each account. These custom fields are enabled and configured by the System Administrator in the paradmin interface. If these fields have not been enabled then this sub-tab will not be visible.

11.4 Account Management Tab

The location of this tab has changed in v2.4. This is now a sub-tab of the Details tab.

11.4.1 Check Password

If the Check Password box is selected the password for this account will be checked by PPM. The check schedule is configured through the paradmin interface and it can be run as often as daily.

11.4.2 Reset Password on Mismatch

This option is only available if the Check Password box is checked. If this option is checked the password will be changed when a mismatch condition is found.

11.4.3 Don’t Check Password

If the Don’t Check Password box is selected the password for this account will not be checked daily by PPM. Care should be used when selecting this option because a mismatch between the stored password and the actual password will go undetected.

11.4.4 Change Password after any release

This option indicates whether the password for the account should be automatically reset by PPM following a release to any user (including ISA users). The option is enabled by default. If disabled, the password will not be changed after releases, but will still be changed based upon the Change Frequency settings.

11.4.5 Do Not Automatically Change the Password while a Release is Active

This is a flag that the admin or PPM ISA can check so that a password will not be automatically changed by PPM while it still has an active release request open.
For example, if a release request for a session or password is open (has not been canceled, expired or closed) and the password has already been accessed by the requestor, then any scheduled changes will be skipped. The exception to this rule is if an ISA pulls the password and the Change Password After Any Release box is checked; then the password will be changed.

11.4.6 Change Frequency

This option instructs PPM to generate a new password and change it on the managed system for this account only, based on the time criteria selected.

11.4.7 Change Time

This option specifies the time of day that the automated password changes should occur for this account.

11.4.8 Next Change Date

This option indicates the date that the next scheduled password change is to occur. This date may be changed to alter the current change schedule.

11.4.9 Default duration for ISA releases of password (view only)

This option specifies the amount of time after an ISA user has released the password before it will be changed. This option will be disabled if the Change password after any release option is disabled. Maximum value is 7 days. Minimum value is 15 minutes. Configurable in 15 minute increments.

11.4.10 Allow ISA to enter Duration on Release (view only)

If this checkbox is checked, an ISA may enter a release duration other than the default when retrieving a password. The duration must be >0 and <= the greater of the ISA Duration (Mgt Details tab) and the Max Release Duration (Details tab). This column was added to the System and Account Imports and Batch Updates.

11.4.11 Pull Defaults From System

When checked, the default values for password change frequency, change time, ISA release change parameters, and whether or not the password will be checked will be pulled from those settings at the system level and populated at the account level. This is a one-time action and does not prevent any of these settings from being modified again.
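Sections 11.1.11, 11.4.9 and 11.4.10 together define how long a released password stays valid: the account maximum capped by any Access Policy duration, a 2-hour default for requestors, a 15-minute-to-7-day ISA default in 15-minute steps, and an ISA-entered value bounded by the greater of the ISA Duration and the Max Release Duration. The Python example below is added to put those rules side by side as one resolver with its edge cases; it is not TPAM's code. Treating an ISA-entered value as ignored when the "Allow ISA to enter Duration" flag is off (the UI simply does not offer the field) is an assumption of the example.

```python
from datetime import timedelta
from typing import Optional

STEP = timedelta(minutes=15)              # 11.4.9: configurable in 15 minute increments
ISA_DEFAULT_MIN = timedelta(minutes=15)   # 11.4.9: minimum value
ISA_DEFAULT_MAX = timedelta(days=7)       # 11.4.9: maximum value
REQUEST_DEFAULT = timedelta(hours=2)      # 11.1.11: default shown to a requestor


def effective_max_duration(account_max: timedelta,
                           policy_max: Optional[timedelta] = None) -> timedelta:
    """11.1.11: an Access Policy override never lengthens the window; the lower value wins."""
    if policy_max is None:
        return account_max
    return min(account_max, policy_max)


def default_request_duration(account_max: timedelta,
                             policy_max: Optional[timedelta] = None) -> timedelta:
    """11.1.11: 2 hours, or the effective maximum, whichever is less."""
    return min(REQUEST_DEFAULT, effective_max_duration(account_max, policy_max))


def validate_isa_default(isa_default: timedelta, change_after_release: bool = True) -> timedelta:
    """11.4.9: 15 minutes to 7 days in 15 minute steps. The setting is disabled when
    passwords are not changed after a release, so it is rejected in that case."""
    if not change_after_release:
        raise ValueError("ISA default duration is disabled when "
                         "'Change password after any release' is off")
    if not ISA_DEFAULT_MIN <= isa_default <= ISA_DEFAULT_MAX:
        raise ValueError(f"ISA default {isa_default} outside 15 minutes .. 7 days")
    if isa_default % STEP != timedelta(0):
        raise ValueError(f"ISA default {isa_default} is not a multiple of 15 minutes")
    return isa_default


def isa_release_duration(requested: Optional[timedelta], isa_default: timedelta,
                         account_max: timedelta, allow_isa_entry: bool) -> timedelta:
    """11.4.10: an ISA-entered duration must be > 0 and <= the greater of the ISA
    Duration and the Max Release Duration. Assumption: when entry is not allowed,
    or nothing was entered, the ISA default applies."""
    if requested is None or not allow_isa_entry:
        return isa_default
    ceiling = max(isa_default, account_max)
    if requested <= timedelta(0) or requested > ceiling:
        raise ValueError(f"requested {requested} not in (0, {ceiling}]")
    return requested


if __name__ == "__main__":
    # Constructed settings: 4 hour account maximum, 1 hour policy cap, 45 minute ISA default.
    print(effective_max_duration(timedelta(hours=4), timedelta(hours=1)))
    print(default_request_duration(timedelta(hours=4), timedelta(hours=1)))
    print(validate_isa_default(timedelta(minutes=45)))
    print(isa_release_duration(timedelta(hours=3), timedelta(minutes=45), timedelta(hours=4), True))
```

Note that the 11.4.10 ceiling uses the greater of the two durations, while the 11.1.11 policy override uses the lower: an ISA can be given a longer window than a requestor, which is why ISA releases carry their own notification (11.1.12) and post-release change (11.4.9).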
This is a good way to ‘reset’ an account’s parameters at any time. This action can be performed as many times as desired.

11.5 Account Ticket System Tab

The location of this tab has changed in v2.4. This is now a sub-tab of the Details tab. The options available on this tab will be predetermined by how Ticket Systems were configured in the paradmin interface and at the System level. If no Ticket Systems have been configured and enabled in the paradmin interface the Ticket System tab will be inaccessible.

11.5.1 Require Ticket Number from:

Check this box if you want to require ticket number validation every time a password or file request is submitted for this system. If multiple Ticket Systems are enabled they will be listed in the drop down list for selection. You can specify the ticket system or allow entry of a ticket number from any system that is enabled. If this box is not checked, users will still be able to enter a Ticket Number on a request.

11.5.2 Ticket required for:

If Ticket Validation is required then all requestors will be required to provide a ticket number. You also have the option to require users making requests through the CLI or API to supply a ticket number prior to retrieving a password or file. As an ISA you cannot determine if a ticket is required for ISAs, so this checkbox is disabled.

11.5.3 Send Email to:

If any of the ISA, CLI or API required boxes are left unchecked you also have the option of entering one or more e-mail addresses (up to 255 characters) that will receive an e-mail when an ISA, CLI or API user releases or retrieves a password or file without supplying a ticket.

11.5.4 Propagation

You have the option of pulling the Ticket System settings for the Account from the System defaults. To set the account to the System defaults, check this box and click the button. To override the system settings, uncheck this box, edit the settings and click the button.

Note!
If someone goes in at the System level and decides to push the system settings out to all the accounts, the settings saved here will be overridden with whatever is set at the system level at that time.

11.6 Managing Services in a Windows Domain Environment (PPM ISAs only)

If the account managed by PPM is a Windows domain account (the system is defined as Active Directory or Windows NT Domain), services running on domain member systems using this account can also be managed in terms of password changes. The prerequisite for domain member systems to have these service account passwords changed is that each system must be configured in TPAM and the domain functional account must be properly privileged on that system (i.e. a member of the local Administrators group).

To specify these systems for automatic password changes at the services level, select the Dependents tab. Enter your Filter criteria and click the Results tab. The Results page will display all available Windows systems. Select those with dependencies on the domain level account by clicking the Dependent radio button next to each System Name. When the password for the managed domain account (i.e. Administrator) is changed, PPM will also enumerate the services on each selected dependent system and change the password for all services being run by the domain account.

In the example used in the figures above, ‘Administrator’ is a domain account, specified on a domain controller called Saturn. The system Jupiter is defined as a dependent system to this account, indicating that there are services running on Jupiter using the domain Administrator account. When the password for ‘Administrator’ is changed by PPM, each system defined as dependent, such as Jupiter, will have the password changed for any service using the domain Administrator password.
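The ticket settings of sections 11.5.1 to 11.5.3 amount to a small decision rule per release: whether a ticket is mandatory for the channel making the request, whether a supplied ticket names an acceptable system, and who is e-mailed when an ISA, CLI or API user proceeds without one. The Python example below is added here to make that rule explicit; it is not TPAM's code. The ticket system names ServiceNow and Remedy, the address secops@example.test and the ticket numbers are constructed samples, and validating a ticket that an optional channel chose to supply is an assumption of the example (the manual only says such users may enter one).

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Tuple

ANY_ENABLED_SYSTEM = "Any"   # 11.5.1: "allow entry of a ticket number from any system that is enabled"


@dataclass(frozen=True)
class TicketSettings:
    require_ticket: bool = False                  # 11.5.1 "Require Ticket Number from"
    ticket_system: str = ANY_ENABLED_SYSTEM       # a specific enabled system, or Any
    required_for: FrozenSet[str] = frozenset()    # 11.5.2: subset of {"ISA", "CLI", "API"}
    notify_emails: Tuple[str, ...] = ()           # 11.5.3 "Send Email to"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    notify: Tuple[str, ...] = ()    # addresses that receive the "no ticket supplied" e-mail


def ticket_is_valid(settings: TicketSettings, enabled_systems: Iterable[str],
                    ticket_system: Optional[str], ticket_number: Optional[str]) -> bool:
    """A ticket must carry a number and name an enabled system; when the account pins
    one ticket system, only that system is accepted. Assumption: the lookup in the
    ticket system itself is represented here only by the non-empty number."""
    if not ticket_number or ticket_system not in set(enabled_systems):
        return False
    if settings.ticket_system != ANY_ENABLED_SYSTEM and ticket_system != settings.ticket_system:
        return False
    return True


def evaluate_request(settings: TicketSettings, enabled_systems: Iterable[str], channel: str,
                     ticket_system: Optional[str] = None,
                     ticket_number: Optional[str] = None) -> Decision:
    """Decide whether a release via `channel` ("REQUESTOR", "ISA", "CLI" or "API") may
    proceed and who, if anyone, is e-mailed. Web requestors always need a ticket once
    validation is on; ISA, CLI and API only when their 11.5.2 box is checked."""
    if not settings.require_ticket:
        return Decision(True, "ticket validation not required on this account")
    valid = ticket_is_valid(settings, enabled_systems, ticket_system, ticket_number)
    ticket_mandatory = channel == "REQUESTOR" or channel in settings.required_for
    if ticket_mandatory:
        if valid:
            return Decision(True, f"ticket {ticket_system} {ticket_number} validated")
        return Decision(False, f"{channel} must supply a valid ticket number")
    # Optional channel: a supplied ticket is still validated (assumption); no ticket
    # at all is allowed but reported to the 11.5.3 addresses.
    if ticket_number:
        if valid:
            return Decision(True, f"ticket {ticket_system} {ticket_number} validated")
        return Decision(False, "supplied ticket failed validation")
    return Decision(True, f"{channel} released without a ticket", notify=settings.notify_emails)


if __name__ == "__main__":
    # Constructed settings: ServiceNow tickets required, API users included, CLI/ISA reported.
    enabled = {"ServiceNow", "Remedy"}
    settings = TicketSettings(require_ticket=True, ticket_system="ServiceNow",
                              required_for=frozenset({"API"}),
                              notify_emails=("secops@example.test",))
    print(evaluate_request(settings, enabled, "REQUESTOR", "ServiceNow", "INC0001"))
    print(evaluate_request(settings, enabled, "CLI"))
```

The notification path is the part worth watching operationally: a CLI or ISA release without a ticket is still allowed by design, so the e-mail in 11.5.3 is the only record outside the release log that ties it to no change request.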
11.7 Accounts Management Logs Tab

By clicking on the Logs Tab the user can view detailed history on the password for the account. There is a Filter tab to allow the user to specify the date range or exact date of the activity they are looking for.

11.7.1 Change Log

This allows you to view the password change history.

11.7.2 Test Log

This allows you to view the log of password test activity.

11.7.3 Release Log

This allows you to view the log of password release activity.

11.7.4 Dependent Change Log

If the account exists on a Windows Domain Controller and could have other system dependencies, there will be a DA (domain account) Change Log tab that will show the change activity for the account on the dependent systems. This tab becomes enabled when a change log record is selected that has associated dependent changes.

11.7.5 Change Agent Log

This tab will show associated change agent log records for the selected entity, but only for changes that occur after a v2.3+ upgrade.

11.8 Account Management Passwords Tab (PPM ISAs only)

11.8.1 Current Password tab

The location of this tab has changed in v2.4. This is now a sub-tab of the Passwords tab.

The Current Password tab retrieves the password for the account. Enter the Release Reason in the text box provided. If required, enter the Ticket System and Ticket Number. Click the Password tab to see the current password.

If your System Administrator has decided to configure Reason Codes for your environment, you will see them available in the list here. Reason codes give you a quick way to submit a request without having to type in a detailed reason. You may be required to enter a reason code, they may be optional or they may be disabled.

If the ISA needs to access the current password on behalf of another person they should enter the original requestor’s name in the Proxy Release For field.
Proxy releases can be reported on in the Password Release Activity Report.

The ISA will be able to enter a longer/shorter duration for the release if the Allow ISA to enter Duration on Release flag is checked on the Account Management tab.

The password will be displayed for a maximum of 20 seconds. For convenience, the password may also be copied into the user’s clipboard. This can be done by selecting the password with the mouse, then right-clicking and selecting “Copy”.

Tip! An easy and quick way to copy the password into the clipboard is to click in the displayed password text box then use Ctrl+A followed by Ctrl+C.

11.8.2 Account Management Past Password Tab

The location of this tab has changed in v2.4. This is now a sub-tab of the Passwords tab.

To view past passwords for an account click the Past Passwords tab. Use the Filter tab to narrow the date range of the passwords you are looking for and then click the Past Passwords tab next to the Filter tab. This allows you to select a password that was valid for a specific period of time. This is especially important if the managed system has been restored from a backup and the password that was effective at the time of the backup is required. To view the password for each logged activity, click a row in the results and then click the Password tab.

11.9 Account Collections Tab

With the addition of account level permissions in v2.4, accounts can now be members of a collection. See section 10.6 for details on assigning Collection membership.

Note! An account cannot belong to the same collection as its parent system, or vice versa.

11.10 Setting Permissions for PSM and PPM Functionality for Accounts

In v2.4 you can now assign permissions at the Account level. Select Systems, Accounts, & Collections → Accounts → Manage Accounts from the menu. Once you select the account you want to modify, click the Permissions tab.
Refer to section 10.7 for details on how the Permissions tab works.

11.11 PSM Details General Tab (PSM ISAs only)

The options for configuring sessions are as follows:

Enable PSM Sessions?

Turn on/off the ability of users to access this account as a recorded session through PSM. All subsequent options are contingent upon this being checked.

Proxy Connection Type (platform dependent)

Select the type of remote connection compatible with the configuration of the remote system.

Note! When choosing any of the proxy methods listed below that use Automatic Login, the password is not automatically reset after the session is completed because the password is never displayed to the user.

• RDP - Automatic Login Using Password – Connect to the system using an RDP (Terminal Services protocol) client and automatically log in using the password retrieved from the local or remote TPAM. This ensures that the password is never displayed or known to the user.
• RDP - Interactive Login – Connect to the system using an RDP client to which PSM does not provide automatic login. If the password is managed by PPM, it will be displayed on the screen when the session is started; otherwise the user must know the account password when the authentication dialog is presented.
• VNC - Interactive Login – Establish a connection to the remote system using the VNC client. The user must know the VNC password for the system. If the password is managed by PPM, it will be displayed on the screen when the session is started; otherwise the user must know the account password when the authentication dialog is presented.
• VNC Enterprise - Interactive Login – Establish a connection to the remote system using the VNC Enterprise client. The user must know the VNC password for the system.
If the password is managed by PPM, it will be displayed on the screen when the session is started; otherwise the user must know the account password when the authentication dialog is presented.
• Telnet - Interactive Login – Connect to the system using the Telnet protocol, to which PSM does not provide automatic login. If the password is managed by PPM, it will be displayed on the screen when the session is started; otherwise the user must know the account password when the authentication dialog is presented.
• Telnet - Automatic Login Using Password – Connect to the system using the Telnet protocol and automatically log in using the password retrieved from the local or a remote TPAM. This ensures that the password is never displayed or known to the user.
• SSH - Automatic Login Using DSS Key – Connect to the system using SSH and authenticate via a DSS private key. The private key must be previously uploaded to TPAM for this purpose.
• SSH - Interactive Login – Establish an SSH session to the remote system and allow the user to manually enter the password. If the password is managed by PPM, it will be displayed on the screen when the session is started; otherwise the user must know the account password when the authentication prompt is presented.
• SSH - Automatic Login Using Password (for UNIX systems only) – Connect to the system using SSH and automatically log in using the password retrieved from the local or remote TPAM.
• RDP Through SSH - Automatic Login Using Password (for eDMZ SPCW systems only) – Connect to the system using an RDP client via the SSH protocol and automatically log in using the password retrieved from the local or remote TPAM.
• RDP Through SSH - Interactive Login (for eDMZ SPCW systems only) – Connect to the system using an RDP client via the SSH protocol and allow the user to manually enter the password.
If the password is managed by PPM, it will be displayed on the screen when the session is started; otherwise the user must know the account password when the authentication prompt is presented.

• SQLPlus - Automatic Login Using Password – Connect to the system using the SQLPlus client and automatically log in using the password retrieved from the local or remote TPAM.
• SQLPlus - Interactive Login – Establish a connection to the remote system using the SQLPlus client. The user must know the SQLPlus password for the system. If the password is managed by PPM, it will be displayed on the screen when the session is started; otherwise the user must know the account password when the authentication dialog is presented.
• SQL Window - Automatic Login Using Password – Connect to the system using the SQL Window client and automatically log in using the password retrieved from the local or remote TPAM.
• SQL Window - Interactive Login – Establish a connection to the remote system using the SQL Window client. The user must know the SQL Window password for the system. If the password is managed by PPM, it will be displayed on the screen when the session is started; otherwise the user must know the account password when the authentication dialog is presented.

Custom Connection Profile

You have the ability to create and assign Custom Connection Profiles to an account. The connection profile can be used to override the default connection parameters.

Post Session Profile

You have the ability to create and assign Post Session Profiles to an account. The post session file is used to add additional steps at the end of a session request.

Color Depth (proxy type dependent)

This is a setting for the number of possible colors displayed in the sessions you record. You can select a color depth setting of 8 (256 colors) or 16 (65,000 colors) for recording your sessions.
For a VNC connection there are color options of 0 (Very Low) through 3 (Auto Select/Full Color).

Required # of Approvals

This indicates the number of approvers required for each session request. If the system/account is managed by PPM it is possible to have a different value configured in PSM for this system/account. In the event of such a conflict, the value set on PPM for the dual control requirement may override the value set here. This will occur only for connection types that use interactive login (where the password will be displayed).

Maximum Simultaneous Sessions (proxy type dependent)

Specifies the maximum number of simultaneous sessions that may be established for the system/account. This option only exists for accounts configured to auto-authenticate the user. If the password is provided by TPAM for interactive logon then only one concurrent session will be allowed, to preserve individual accountability.

Default Session Duration

This is the Session Duration that is displayed by default when requesting a session. It can be changed within the limits set by the Max Password Duration and the Access Policy session duration. TPAM will not automatically disconnect the session unless indicated by the global setting.

Session Exceeding Duration Notification

Allows email notifications to be sent to the primary contact specified for the system if a session exceeds the maximum session time for the request. Configurable parameters are: frequency (in minutes) of notifications; and threshold time (in minutes) before the initial notification is sent for a session. Both values must be non-zero for notifications to be sent.

Session Start Notification

When the user starts the session this contact will receive an e-mail notification.

Enable Clipboard?

If this box is checked the user will be able to use the clipboard function for copy/paste of text during a session.

Enable Console Connection?
If this box is checked the user will be able to connect to the console of the system they are connecting to. This is an RDP only feature.

Record All Sessions
This box will be checked by default. If you do NOT want any sessions recorded for this account, UNCHECK the box. Unchecking the box will also mean that this will be an option at the account alias level.

Enable File Uploads?
If this flag is checked, file uploads will be allowed during sessions through this account. This box will be checked by default.

Enable File Downloads?
You have the ability to download a file from a managed system to the local PC/network drive during a session. Check the box to enable this option.

11.12 PSM Session Authentication Tab (PSM Customers Only)

Authentication Credential Storage Method

• Password Managed by Local TPAM – select this option if the local TPAM appliance is managing this account.
• Use Remote TPAM CLI – select this option if the account is managed by another TPAM appliance, and specify the CLI UserID to be used to retrieve the password. The remote TPAM CLI ID now has the capability of using domain accounts for authentication during a session. Access to the public key for the CLI ID will be required, and must be supplied to TPAM. When this method of password retrieval is used, the number of approvals specified on the remote TPAM is ignored and access to the password is not limited to a single release.
• Use DSS Key – select this option if an authentication key is used for the account instead of a password. You have the additional options of using a system standard DSS Key (TPAM 2.1 allows you to configure up to 3 active keys) or having TPAM generate a pair of keys for you.
• Not Stored – Specify password during session – select this option if the account's password is not stored or managed by any TPAM. When this option is used the password must be specified when the session is initiated.
• Use Windows Domain Account – select this option if the account's password is not stored or managed by any TPAM. The named account is a placeholder for the domain account TPAM will be using to authenticate to the system. Through this method you can connect to a system using a domain account instead of a local account. On the Session Authentication tab the user name used to log in to the remote session must be added as an account associated with a Windows Active Directory System.

11.13 PSM File Transfer Tab (PSM Customers Only)

You have the ability to transfer files during a session from the client to the host. The File Transfer tab is where you can configure this.

File Transfer Method (platform dependent)
Based on the system platform select Windows File Copy, Secure Copy (SCP) or SCP using the TPAM Functional Account.

File Transfer Share
Enter the share where the files will be located.

If you select Same as Session Authentication then the file transfer will use the same credentials as the session (account name and password or key). If you select Specify at file transfer time you will be prompted to provide the account name and password at the time of file transfer.

To test the file transfer, click the button. The test Account Name is required when the Specify at file transfer time radio button is selected. The test Password is required when either the Specify at file transfer time radio button is selected or the authentication method indicates the password is not stored.

Alert! There is a 100 MB size limit on any files that you transfer.

11.14 PSM Review Requirements Tab (PSM Customers Only)

You have the ability to configure review requirements for recorded sessions. This is to facilitate the need to make sure all recorded sessions are audited by someone within your company. See the descriptions of the fields below to configure the reviews.
Reviews Required
This number indicates the number of reviewers required to review the recorded session. The default is set to 0. Until the specified number of reviews are attached to a session, the review requirements have not been met.

Selecting the Reviewer
Select whether you want a specific Group, User, Auditor or Any Authorized Reviewer to be eligible to review the session. Any Authorized Reviewer is any user that is assigned an access policy which contains a Review Session permission or is a member of a Group with Review Session permission, and all Auditors.

Review Escalation
The e-mail will be sent if the required review/reviews have not been completed within the specified time after the requested session duration. You can enter multiple e-mail addresses by separating them with a comma. If the review requirements are met prior to the expiration of the escalation time after the session, then the escalation notification will not be sent.

11.15 Adding an Account

Select Systems & Accounts → Accounts → Add Account from the menu. Enter your filter criteria to select the system you want to add the account on and click the System tab. Select the system or system template and click the Detail tab. After completing all required fields for the new account (see 9.1 for a description of all fields), click the button to accept.

11.16 Managing an Account

Select Systems & Accounts → Accounts → Manage Accounts from the menu. After completing all required fields for the new account (see 9.1 for a description of all fields), click the button to accept.

The button allows you to quickly navigate to the System on which a specific account resides.

11.17 Duplicating an Account

To ease the burden of administration and help maintain consistency, accounts can be duplicated.
This allows the ISA to create new accounts that are very similar to those that exist, while only having to modify a few details. To duplicate an account, select Systems, Accounts, & Collections → Accounts → Manage Accounts from the menu. Select the account to duplicate from the Listing tab and click the button. A new account will be created and the account details tab will be displayed. Make the necessary changes to the account parameters, and click the button. The duplicated account will NOT inherit permissions and collection assignment from the master account.

Note! The duplicated account will only inherit PSM settings if the user selects the PSM Details tab before saving the duplicated account.

11.18 Quest One Privileged Command Manager (PSM Customers licensed for PCM only)

Using PCM you have the capability to specify, by account, what commands a user can execute during a session. If your Administrator has configured Access Policies that are command specific, you can assign these access policies to a system/account if you have both PPM and PSM ISA permissions over the entity. When the user requests a session for a specific account the Access Policy will control what commands can be executed during that session.

11.19 Account Current Status

The button on the bottom of the Account Management and the Retrieve Password pages gives Administrators and ISAs the most up to date information on an account in a central location. After clicking the button you will see the following page.

Here you see information on the account such as open password requests, open session requests, scheduled password resets and past reset results. You will also see if the current password has been released by the system or if it was manually entered by a user. Passwords manually entered prior to TPAM 2.1.711 are not reported, but any password set after TPAM 2.1.711 should be reported properly as to whether that password is known by any user.
11.20 Manual Password Management (PPM ISAs only)

Accounts that are not auto-managed by PPM may still take advantage of the secure storage and release mechanisms, as well as the logging and reporting functions of TPAM. Password changes for such system accounts can be accomplished in two ways – PPM generated passwords and User generated passwords. If the system is auto-managed then PPM will generate the password and attempt to set it on the managed system. If the system is not managed then PPM will generate the password and display it for the user to set on the target system, and then require the user to indicate whether or not the password was set successfully on the target system. Also, for a non-managed account, if the correct password is known and the password held in TPAM is known to be incorrect, then the correct password can be keyed into the New Password field of the account details.

PPM Generated Passwords – To take advantage of the password generating ability of PPM, passwords can be generated for non auto-managed systems. From the Account Listing tab select an account and click the button. Because the system is not managed by PPM, it is not possible for TPAM to reset the password on the system itself. A new password will be generated. The results of the password reset will automatically appear on the screen. See below. Change the password for the account on the remote system manually to the new password assigned by PPM. When the password has been reset, click the button. If problems are encountered changing the password, click the button – PPM will discard the new password and perform a rollback to the previously stored password.

User Generated Passwords – If the password for the non-managed account is to be maintained independently of PPM and it is desired to keep the password stored in TPAM synchronized manually, from the Listing tab select the account and click the Details tab.
Enter the new password in the Current Password field and save the changes. This method is useful if the system belongs to another party, is not accessible to TPAM, or is otherwise not eligible for auto-management.

Password Release Notification – When a non-managed account's password has been released to a user, the defined system contact email address for the system will receive a notice when the release duration has expired. This provides the opportunity to have the password manually reset if desired. Early expiration of the release duration will not change the time of notification.

11.21 Password Management (PPM ISAs only)

Password Management allows TPAM Administrators and PPM ISAs to do a "mass" forced reset of account passwords that are auto-managed and not a collection account. This screen also gives you a central location in which to view the current password status for all passwords. Select Systems & Accounts → Password Management on the main menu. Use the Filter tab to enter your search criteria and then click the Listing tab.

In v2.4 we added a Change Schedule Filter on the Password Management page that allows you to filter based on the reason for a scheduled password change.

Managed Password Reset
To force a reset of all passwords managed by PPM that are not a synchronized password, click the All checkbox at the top of the page and then click the button. To individually select which PPM managed account passwords you want reset, check the checkbox on each individual account and click the button for more than one account, or the button to reset just one account password. This will schedule the password reset in the Change queue. To view the change history select the individual account and click the Logs tab.

Non Managed Password Reset
To reset a password for a system/account not managed by PPM (manual or not managed), select the individual row and click the button. A new password will be generated and presented to you on the screen. Indicate whether the password update on the non managed system was successful or if it failed by clicking the appropriate button.

11.22 Managing Services in a Windows Domain Environment (PPM ISAs only)

If the account managed by PPM is a Windows domain account (the system is defined as Active Directory or Windows NT Domain), services running on domain member systems using this account can also be managed in terms of password changes.

The prerequisite for domain member systems to have these service account passwords changed is that each system must be configured in TPAM and the domain functional account must be properly privileged on that system (i.e. a member of the local Administrators group). To specify these systems for automatic password changes at the services level, select the Dependents tab. Enter your Filter criteria and click the Results tab.

The Results page will display all available Windows systems. Select those with dependencies on the domain level account by clicking the Dependent radio button next to each System Name. When the password for the managed domain account (i.e. Administrator) is changed, PPM will also enumerate the services on each selected dependent system and change the password for all services being run by the domain account.

In the example used in the figures above, 'Administrator' is a domain account, specified on a domain controller called Saturn. The system Jupiter is defined as a dependent system to this account, indicating that there are services running on Jupiter using the domain Administrator account. When the password for 'Administrator' is changed by PPM, each system defined as dependent, such as Jupiter, will have the password changed for any service using the domain Administrator password.
11.23 List Accounts

Accounts are exported using the Systems & Accounts → Accounts → List Accounts menu selection. Choose the criteria for the list of accounts.

In v2.4 we added password review requirement information to the listing. Use the Filter tab to enter your listing criteria and the Layout tab to select the data set you want to view.

11.24 List PSM Accounts (PSM ISAs only)

PSM accounts can be listed and exported using the Systems & Accounts → Accounts → List PSM Accounts menu selection. Choose the criteria for the list of accounts, which can be filtered to produce a specific subset of data, or the full list of accounts.

Use the Filter tab to enter your listing criteria and the Layout tab to select the data set you want to view.

12.0 Managing Secure File Storage (PPM ISAs only)

In addition to the secure storage and release capabilities for passwords, TPAM facilitates the same secure storage and retrieval controls for files. This functionality can be used for many file types, but its intent is to securely store and control access to public/private key files and certificates.

12.1 Adding a File for Storage

To add a new file for secure storage, select Systems & Accounts → Files → Add File from the menu. Enter your filter criteria to find the system you want and click the System tab. Select the desired system, then click the Details tab.

Define the File Display Name, which can be more descriptive than the actual filename. This is the name users will see when requesting access to stored files. Click the button. This will bring up another window where you can select your local file. The number of Approvals Required to release the file contents indicates the level of approval control desired.
This parameter will accomplish the exact same results as the similar parameter for stored passwords. The Maximum Duration parameters limit the amount of time an approved user may release the contents of the stored file. A Release Notification email address will receive a notification whenever the file is retrieved without dual control. Enter any desired text in the Description field. Click the button to store the file.

12.2 File Ticket System Tab

Use this tab to configure Ticket System Integration for the file. The options available on this tab will be predetermined by how Ticket Systems were configured in the paradmin interface and at the System level. If no Ticket Systems have been configured and enabled in the paradmin interface, the Ticket System tab will be inaccessible.

Require Ticket Number from:
Check this box if you want to require ticket number validation every time a file request is submitted for this system. If multiple Ticket Systems are enabled they will be listed in the list for selection. You can specify the ticket system or allow entry of a ticket number from any system that is enabled. If this box is not checked users will still be able to enter a Ticket Number on a request.

Ticket required for:
If Ticket Validation is required then all requestors will be required to provide a ticket number. You also have the option to require CLI and API users to supply a ticket number prior to requesting a file.

Send Email to:
If any of the ISA, CLI or API required boxes are left unchecked you also have the option of entering one or more e-mail addresses (up to 255 characters) that will receive an e-mail when an ISA, CLI or API user releases or retrieves a file without supplying a ticket.

Propagation
You have the option of pulling the Ticket System settings for the File from the System defaults. To set the file at the System defaults, check this box and click the button.
To override the system settings, uncheck this box, edit the settings and click the button.

Note! If someone goes in at the System level and decides to push the system settings out to all the files, the settings saved here will be overridden with whatever is set at the system level at that time.

12.3 File Collections Tab

In v2.4 Files can now be members of a collection. Refer to section 11.9 for detail on assigning collection membership.

Note! A file cannot belong to the same collection as its parent system, or vice versa.

12.4 Setting Permissions for Files

Prior to v2.4 the permissions for files were based on the permissions set at the System level. In v2.4 you can now assign permissions at the File level. Select Systems, Accounts, & Collections → Accounts → Manage Files from the menu. Once you select the file you want to modify, click the Permissions tab. Refer to section 15.8 for details on assigning permissions.

12.5 Updating a Stored File

To make changes to an existing stored file, select Systems, Accounts, & Collections → Files → Manage Files from the menu. Enter your search criteria on the Filter tab and click the Listing tab. Select the file from the Listing tab and click the Details tab.

Changes may be made to the description, number of approvals required for release, email notification, and maximum release duration. Additionally, a new file may be uploaded to replace the existing stored file, such as when a new key file or certificate file exists but the desire is to maintain the same display name. The display name for the file cannot be modified.

12.6 Reviewing File History and Activity

To view file history select Systems, Accounts, & Collections → Files → Manage Files from the menu. Enter your search criteria on the Filter tab. Click the Listing tab to select the file you are looking for. Click the File History tab.
This report will show the history of all physical files that have been associated with the file display name, as well as the dates the file was originally stored and replaced. The older files, though no longer associated with the display name, remain on the appliance and may be accessed by an administrator using the filename link. Older files may also be deleted from history.

The Logs tab for stored files will show the activity associated with accessing the file.

The Current File tab will allow you to retrieve the file if you have ISA permission for the file. Type a release reason in the text box and then click the button.

13.0 Retrieving a Password (PPM ISAs only)

To quickly retrieve a password go to Retrieve → Retrieve Password. Once you enter your filter criteria click the Listing tab.

Select the account from the Listing tab. The Current Password tab retrieves the password for the account. The location of this tab has changed in v2.4; it is now a sub-tab of the Passwords tab. Enter the Release Reason in the text box provided. If required, enter the Ticket System and Ticket Number. Click the Password tab to see the current password.

If your System Administrator has decided to configure Reason Codes for your environment, you will see them available in the list here. Reason codes give you a quick way to submit a request without having to type in a detailed reason. Reason codes may be required, optional or disabled.

If the ISA needs to access the current password on behalf of another person, they should enter the original requestor's name in the Proxy Release For field. Proxy releases can be reported on in the Password Release Activity Report.

The ISA will be able to enter a longer/shorter duration for the release if the Allow ISA to enter Duration on Release flag is checked on the Account Management tab.
The password will be displayed for a maximum of 20 seconds. For convenience, the password may also be copied into the user's clipboard. This can be done by selecting the password with the mouse (dragging across it), then right-clicking and selecting "Copy".

13.1 Viewing Past Passwords

To view past passwords for an account click the Past Passwords tab. Use the Filter tab to narrow the date range of the passwords you are looking for and then click the Past Passwords tab next to the Filter tab. This allows you to select a password that was valid for a specific period of time. This is especially important if the managed system has been restored from a backup and the password that was effective at the time of the backup is required.

To view the password for each logged activity, click a row in the results and then click the Password tab.

14.0 Retrieving Files (PPM ISAs only)

To quickly retrieve a file go to Retrieve → Retrieve File. Select the file from the Listing tab. Click the Current File tab. Enter the Release Reason in the text box and click the button. You will be prompted to save the file or open it immediately for viewing.

15.0 Session Management (PSM ISAs only)

The session management menu provides access to session logs and the ability to play back previous sessions to systems. This answers the critical question "what did they do" with respect to auditing access to privileged accounts. All user actions, whether performed via keyboard or mouse, are recorded.

15.1 Replaying a Session Log

Select Session Mgmt → Session Logs from the menu.

Note! If the session log is stored on an archive server there may be a delay while TPAM retrieves the log from its remote storage location.

The remote access session will be displayed and played back in real time.
The playback session may be paused and resumed, moved ahead or back at increased speed, or continuously played at various speeds.

Using the session playback controls

To manipulate the playback of a session, the controls at the bottom of the session replay window allow the speed of the playback to be changed, ranging from ½ normal speed to 16 times normal speed. Replay may be paused at any point. The session playback toolbar contains both session information and playback controls:

• Session system – The name of the remote system to which the session was established.
• Session UserID – The name of the remote account used to access the system during the session.
• Slider control – Displays the current position of playback, and when the session is paused allows a new position to be selected. To reposition session replay, pause the session and position the slider control to the desired spot. Resume playback using the pause control. The session playback will move at maximum speed to the desired playback position.

Note! The session time position is based on network packet timestamps. This means that the playback control slider may appear to move in an uneven fashion depending on the 'data density' of each packet, especially for very short recorded sessions. If for some period of time there is a minimal amount of activity followed by a flurry of dialog box openings and keystroke input, this would cause uneven control slider movement. Longer session files tend to provide smoother control slider movement.

• Session time position – Shows the time position being displayed in relation to the session length: current position / total session time.
• Pause control – When green the session is playing. When red the session is paused. To pause or resume playback simply click the control.
• Loop button – Selecting this button will set the session to replay over and over.
• .5x – The session will be played at ½ normal speed.
• 1x – The session will be played at normal speed (real time).
• 2x – The session will be played at 2 times normal speed.
• 4x – The session will be played at 4 times normal speed.
• 8x – The session will be played at 8 times normal speed.
• 16x – The session will be played at 16 times normal speed.

If a file was transferred during the session you are replaying, you can view information about that file on the File Transfers tab.

15.2 Monitoring a Live Session

You have the ability to monitor a session as it is being recorded. The user running the session has no indication that their session is being watched. To monitor a live session select Session Mgmt → Session Logs from the menu. Use the filter criteria to limit the list of session logs to those desired.

Any live sessions will display Connected in the Status column. Select the session you want to view and click the button. Any user that has permission to play back a session log has permission to monitor a session for that account.

16.0 Reports

TPAM includes a number of pre-defined reports to aid in system administration, track changes to objects, and provide a thorough audit trail for managed systems. All reports are accessed via the Reports menu. The reports can be filtered by criteria that are specific to each report type.

Note! Access to different reports is based on the user's permissions. Only TPAM Administrators and Auditors have access to all reports.

16.1 Report Time Zone Options

There are time zone filter parameters on most of the reports so that the user can choose to view the report data in their local time zone or the server time zone. These filter parameters will only be visible if the user is configured with a local time zone. This filter affects not only the data reported but also the filter dates used to pull the data.
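As an added worked example of this filter (constructed here; not TPAM's own code, data or query logic), the functions below turn an inclusive local date range into the server-clock window the report queries, filter a constructed set of audit rows with it, and fill the GMT offset column; the Athens (GMT +2) figures the manual quotes next are used as the test case. Row timestamps, event names and account names are invented sample values.

```python
"""Worked example of the TPAM report time zone filter (section 16.1).

Constructed illustration, not TPAM's own code: it shows how an inclusive
local date range is translated into the server-clock window that a report
actually queries, and how the GMT offset column is populated.
"""
from datetime import date, datetime, time, timedelta, timezone


def _as_date(value):
    """Accept a date object or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def local_range_to_server_window(start_date, end_date, user_offset_hours,
                                 server_offset_hours=0):
    """Return (window_start, window_end) on the server clock for an inclusive
    date range entered by a user whose zone is GMT+user_offset_hours.

    The window runs from 00:00 on start_date to 23:59 on end_date in the
    user's zone (the manual quotes minute granularity, e.g. 21:59).
    """
    user_tz = timezone(timedelta(hours=user_offset_hours))
    server_tz = timezone(timedelta(hours=server_offset_hours))
    window_start = datetime.combine(_as_date(start_date), time(0, 0), tzinfo=user_tz)
    window_end = datetime.combine(_as_date(end_date), time(23, 59), tzinfo=user_tz)
    return window_start.astimezone(server_tz), window_end.astimezone(server_tz)


def fmt(dt):
    """Render a timestamp the way the manual does: M/D/YYYY HH:MM."""
    return f"{dt.month}/{dt.day}/{dt.year} {dt:%H:%M}"


def gmt_offset_label(offset_hours):
    """Value for the extra 'GMT offset' report column, e.g. GMT+2 or GMT+0."""
    return f"GMT{offset_hours:+d}"


# Constructed sample of server-side audit rows; timestamps are on the
# server clock (GMT). Illustrative values only, not real TPAM data.
SAMPLE_ROWS = [
    ("2009-09-15 21:30", "password release", "svc_backup@saturn"),
    ("2009-09-15 22:00", "password release", "Administrator@saturn"),
    ("2009-09-16 08:15", "password reset", "Administrator@saturn"),
    ("2009-09-17 21:59", "session start", "oracle@jupiter"),
    ("2009-09-17 22:30", "session start", "oracle@jupiter"),
]


def run_report(rows, start_date, end_date, user_offset_hours,
               use_local_time_zone=True, server_offset_hours=0):
    """Filter rows the way the report does and add the GMT offset column.

    With use_local_time_zone the entered dates are interpreted in the user's
    zone and each row's timestamp is shown converted to that zone; otherwise
    the dates and timestamps stay on the server clock.
    """
    filter_offset = user_offset_hours if use_local_time_zone else server_offset_hours
    server_tz = timezone(timedelta(hours=server_offset_hours))
    display_tz = timezone(timedelta(hours=filter_offset))
    start, end = local_range_to_server_window(start_date, end_date,
                                              filter_offset, server_offset_hours)
    report = []
    for ts, event, account in rows:
        server_dt = datetime.strptime(ts, "%Y-%m-%d %H:%M").replace(tzinfo=server_tz)
        if start <= server_dt <= end:  # inclusive, as the manual's 22:00..21:59 window
            report.append({
                "time": fmt(server_dt.astimezone(display_tz)),
                "event": event,
                "account": account,
                "gmt_offset": gmt_offset_label(filter_offset),
            })
    return report


if __name__ == "__main__":
    # The manual's Athens example: server at GMT, user at GMT+2,
    # date range 9/16/2009-9/17/2009 with the local time zone option.
    start, end = local_range_to_server_window("2009-09-16", "2009-09-17", 2)
    print("server window:", fmt(start), "-", fmt(end))
    for row in run_report(SAMPLE_ROWS, "2009-09-16", "2009-09-17", 2):
        print(row)
```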
For example, the server is at GMT time and the user is in Athens, Greece (GMT +2). When the user enters a date range of 9/16/2009-9/17/2009 with the local time zone option, the report will pull transactions that happened on the server between 9/15/2009 22:00 and 9/17/2009 21:59. All reports that use the local time zone filter now have an extra column indicating the GMT offset that was used to generate the report. This value will be either the current GMT offset of the server or that of the user. This column will also appear in reports that are exported using Excel or CSV.

16.2 Report Layout Options

The user can select which columns they want to display on the report by clicking on the Report Layout tab. The user can also decide which column the report is sorted by, by clicking the radio button in the Sort Column. Also note the Max Rows to Display list. This limits the number of rows that are returned on the report even if there are more rows that meet the filter criteria.

16.3 Adjustable Column Widths

The user can adjust the size of any column on a report by hovering the mouse over the column edge, holding down the left mouse button and dragging the mouse to adjust the column width.

16.4 Report Export Options

In addition to exporting the report to an Excel formatted file, the user can also export the file in CSV (comma separated value) file format.

Alert! If you expect your report results to be over 64,000 rows you must use the CSV export option. The Export to Excel option will only export a maximum of 64,000 rows!

16.5 Activity Report

The activity report contains a detailed history of all changes made by your user id in TPAM.

16.6 ISA User Activity

The ISA user activity report shows an audit-trail report containing detailed records of all activities performed by your userid with ISA permissions.
16.7 PSM Accounts Inventory (PSM ISAs only)

The PSM accounts inventory report will show a list of all accounts that are PSM "enabled".

16.8 Password Aging Inventory (PPM ISAs only)

The password inventory report will display a list of all managed systems, and all accounts on those systems that are managed by PPM.

16.9 File Aging Inventory (PPM ISAs only)

Similar to the password inventory report, the file inventory report will display a list of securely stored files and the systems for which they are managed.

16.10 Release-Reset Reconcile (PPM ISAs only)

The purpose of the Release-Reset Reconciliation report is to provide auditable evidence that passwords have been reset appropriately after being released. The report can be filtered by date or date range, and sorted by system name, RequestID, or first release date.

16.11 User Entitlement

In v2.4 we merged the Password, EGP and File User Entitlement reports into one User Entitlement report, with additional filters. This report provides a mechanism to review and audit individual users' permissions for systems, accounts, commands and files on an enterprise scale. Based upon the selected filter criteria, the report will show each user and their permissions to each system, whether based upon Collection, Group, or individual assignment. To reduce the size of the report for large organizations where numerous systems belong to collections, use the filters provided, such as "Show Only Effective Permissions".

Note! The Permission Types filter will be grayed out based on your PPM or PSM ISA permissions.

Turning on the checkboxes or radio buttons for the options will have the following effects on the report:

• Expand Collections to show all Systems, Accounts, & Files? – When checked the report will expand any retrieved Collection-level permissions to show all the Systems, Accounts, and Files in the collection.
Permissions are indicated as being at the Collection level by the presence of the Collection Name as well as the Permission Source column. When not checked only the Collection itself is shown.
• Expand Groups to show all Users? – When checked the report will expand any retrieved Group to show all users within this group. Permissions are indicated as being at the Group level by the presence of a Group name as well as the Permission Source column. When not checked only the Group itself is shown.
• Expand Access Policies to show policy permissions details? – When checked this will expand the Access Policy for each row to show the Permission Type (Password, Session, etc.) and Permission Name (Requestor, Approver, etc.) for all detail rows for each Access Policy. When not checked only the Access Policy Name is displayed.
• Show All Permissions – When this radio button is selected the report will show all possible policies for each assignee (User or Group) to each entity (System, Account, File, or Collection) with the effective permission indicated.
• Show Only Effective Permissions – When this radio button is selected the report will show only the effective permission for each assignee to each entity.

Alert! If you select any of the Expand … options you must fill in at least one of the text filters with a non-wildcard value. For very large data sources the expansion of Collections, Groups, and/or Access Policies can very easily create a report beyond the retrieval and display capabilities of a web browser. For large datasets (tens of thousands of accounts, or thousands of large collections to expand) it is recommended to rely on the Data Extracts for unfiltered versions of the Entitlement Report.

16.12 Password Update Activity (PPM ISAs only)

The password update report shows an audit-trail report containing detailed records of all password modifications to all systems managed by PPM.
16.13 Password Update Schedule (PPM ISAs only)

The password update schedule report shows all currently scheduled password changes and the reason for each change, such as a change due to default change settings or in response to a password release.

16.14 Password Testing Activity (PPM ISAs only)

The password testing activity report shows the results of automated testing of each managed account’s password.

16.15 Password Test Queue (PPM ISAs only)

The password test queue report lists all accounts currently queued for password tests. This is a useful report to view when troubleshooting performance-related issues: a high number of queued password tests can impact system response time while the check agent is running. This report does not provide a mechanism for exporting data, but it does allow passwords to be deleted from the test queue. If there is a known reason why a large group of password tests will fail, such as a network outage, that group can be filtered in the report and then deleted from the queue. An alternative is simply to stop the check agent.

16.16 Expired Passwords (PPM ISAs only)

This report allows you to report on currently expired passwords, or passwords that are going to expire within a certain date range. You can also filter based on whether the system/account has password management enabled or set to manual. In v2.4 we added a Reason Code column to the report.

16.17 Passwords Currently In Use (PPM ISAs only)

This report defines “In Use” as passwords that:

• Have been retrieved by the ISA/CLI/API and have not yet been reset.
• Have been requested and retrieved, but not yet reset.
• Have been manually reset from the account details or password management pages but not yet reset by PPM.
• Have been manually entered on the Account Details page but not reset by PPM. 
• Were assigned by the user when the account was created, either from the TPAM interface or as a result of Batch Import Accounts (as opposed to allowing the system to generate a random password).

Passwords manually changed prior to TPAM 2.1.711 will not show as IN USE.

16.18 Password Requests (PPM ISAs only)

This report allows you to view all password requests within a specified time period and view details relating to each request. Selecting a row in the report and clicking on the Responses, Reviews and Releases tab gives you additional details on the request. In v2.4 we added a Reason Code column to the report.

16.19 Auto-Approved Releases (PPM ISAs only)

Password and stored file releases made by requestors that did not require dual-control approval (auto-approved requests) may be reviewed in the Auto Approved Releases and Auto Approved File Releases reports.

16.20 Password Release Activity (PPM ISAs only)

The password release activity report displays a history of password releases, based upon the filter criteria selected for the report. The reason text and ticket system information are also provided in the report. In v2.4 we added a Reason Code column to the report.

16.21 File Release Activity (PPM ISAs only)

The file release report is essentially identical to the password release report, but shows the release activity associated with stored files. In v2.4 we added a Reason Code column to the report.

16.22 Windows Domain Account Dependencies (PPM ISAs only)

This report shows which managed domain accounts have dependencies on other systems.

16.23 Auto Approved Sessions (PSM ISAs only)

This report lists all sessions that were auto approved because the account had no approvals required for session requests. 
16.24 PSM Session Activity (PSM ISAs only)

This report shows the details of any sessions that occurred within a specified time period or for a specific system/account. In v2.4 we added a Reason Code column to the report.

16.25 PSM Session Requests (PSM ISAs only)

This report allows you to view all session requests within a specified time period and view details relating to each request. Selecting a row in the report and clicking on the Responses, Reviews and Releases tab gives you additional details on the request. In v2.3.765 we added a “Reviews Required” column to this report. In v2.4 we added a Reason Code column to the report.
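The Release-Reset Reconcile report (16.10) and the Passwords Currently In Use report (16.17) both answer the same audit question: which released passwords have not yet been reset. The following is an added example, not part of this manual or of the TPAM product, that performs that reconciliation offline over release and reset records; the record layout, host names and RequestIDs are constructed for illustration and are not the format of the TPAM data extracts.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Release:
    system: str
    account: str
    request_id: str
    released_at: datetime

@dataclass(frozen=True)
class Reset:
    system: str
    account: str
    reset_at: datetime

def reconcile(releases, resets, max_lag=timedelta(hours=24)):
    """Pair each release with the first reset of the same system/account at or
    after the release time. Returns (reconciled, late, in_use): reconciled and
    late hold (release, reset) pairs, late ones exceeding max_lag; in_use holds
    releases with no later reset, i.e. passwords still exposed."""
    by_account = {}
    for r in resets:
        by_account.setdefault((r.system, r.account), []).append(r)
    for lst in by_account.values():
        lst.sort(key=lambda r: r.reset_at)
    reconciled, late, in_use = [], [], []
    for rel in sorted(releases, key=lambda r: r.released_at):
        candidates = by_account.get((rel.system, rel.account), [])
        match = next((r for r in candidates if r.reset_at >= rel.released_at), None)
        if match is None:
            in_use.append(rel)
        elif match.reset_at - rel.released_at > max_lag:
            late.append((rel, match))
        else:
            reconciled.append((rel, match))
    return reconciled, late, in_use

# Constructed sample data (not TPAM output); RequestIDs and hosts are made up.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_RELEASES = [
    Release("db01", "root", "R-1001", T0),                       # reset 10 min later
    Release("db01", "root", "R-1002", T0 + timedelta(hours=2)),  # never reset -> in use
    Release("web02", "Administrator", "R-1003", T0),             # reset only after 30 h
]
SAMPLE_RESETS = [
    Reset("db01", "root", T0 - timedelta(days=1)),  # predates every release, ignored
    Reset("db01", "root", T0 + timedelta(minutes=10)),
    Reset("web02", "Administrator", T0 + timedelta(hours=30)),
]
```

Releases that land in the in_use list are the ones the Passwords Currently In Use report would surface; the late list is the reconciliation evidence that a reset happened, but later than policy allows.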