03:15 PM

Top-Down Password Protection

New tools can corral administrator-level access, but plan ahead to avoid costly downtime.

No Easy Pieces
Implementing a privileged account management system isn't a trivial process, and companies make a couple of common mistakes, says Adam Bosnian, VP of products and strategy at password management vendor Cyber-Ark Software. The first blunder companies make is confusing password management with identity management, Bosnian says. Privileged passwords are a manageable problem that can be solved in weeks or months. On the other hand, identity management for all users is a massive undertaking that can stretch out for years and doesn't address the risk posed by weak security of the most powerful accounts in the company.

The second mistake Bosnian mentions almost could be considered a feature: When all privileged passwords are changed as part of a company-wide system rollout, some people lose access they've always had. Even in companies with the best security practices in place, there are employees who need privileged access or have undocumented exceptions to normal job roles. While this can cause an immediate failure of some business processes, it also provides an opportunity to clean up such special cases and ensure that they're handled through proper channels in the future.

Beyond Access Control
Many vendors offer unique features that do more to control access to privileged accounts. For example, Cyber-Ark's just-announced Privileged Identity Management Suite version 5.0 will include the option of creating passwords that aren't presented to users.

Because employees often write down and share passwords, Cyber-Ark's Privileged Session Manager component and similar tools from other vendors can be configured to act as a sort of single-sign-on portal for servers. When an administrator requests access to a system, PSM proxies the actual connection and passes the credentials to the host system transparently, logging in the administrator directly.

PSM also can be configured to record the session between the administrator and the server. This recording can be saved for later review in case there are concerns about the actions taken by the administrator.

Sometimes, it's not a very good idea to store a service's password in a clear text configuration file--in fact, the Payment Card Industry Data Security Standard requires that such embedded passwords be eliminated before the applications are placed into production. Most vendors offer an API that can be used to replace such clear text passwords with a library call that accesses the password vault dynamically at runtime. They even include defenses to validate that an approved application is requesting a password, and not an intruder running the API code.

Another barrier to controlling privileged passwords is finding them.

Phil Lieberman, president of Lieberman Software, says this makes changing passwords almost impossible for many companies. If they change a password without understanding everywhere it may be used, things will break. Most servers have several service accounts, used by processes running on the server to access server or network resources. While most privileged account managers can be configured to change these passwords, doing so without informing the service of the change will result in downtime and lots of scratching of heads.

6 Things To Look For
Password Account Managers
1. Ability to auto-discover
every system and network application that uses privileged accounts
2. Support for high uptime
through redundancy and simple disaster recovery
3. Agentless design
that uses a server's native protocols to interactively log in and make password changes, with no preinstallation or configuration required
4. Workflow management
to accommodate password-use exceptions in emergency situations
5. Role-based control and single-sign-on
tie-in to simplify the granting of rights to administrators
6. In-depth report capability
that can produce extensive reports suitable for presentation to auditors
While all privileged account managers can scan a network or Windows domain looking for systems to manage, Lieberman Software's Enterprise Random Password Manager extends its discovery of passwords to manage beyond typical operating system accounts. ERPM scans standard service configuration locations, and even entire servers, looking for instances of known passwords, and it can keep these password storage locations in sync with managed credentials, rotating them as required by policy.

Most privileged password managers enable organizations to build a workflow around access to passwords. This allows a company to specify which users need approval before accessing passwords, and can automatically route these requests to managers for approval. Hitachi ID Systems' Privileged Password Manager can automatically escalate unapproved requests, searching out additional approvers in cases where the originals fail to respond in a timely manner.

The workflow can be configured to require multiple approvers, implementing a true separation of duties. Workflow can be especially useful for providing access to employees who might not normally need access, such as during a disaster or when regular admins are unavailable.

Once you start relying on a system to provide critical access to all your other systems, your password manager must be rock solid. Besides internal redundancies, look for systems that provide for multiple layers of fault tolerance. Clustering also is a feature to look for, as is the ability to distribute agents throughout your network. These agents spread out the work of setting and checking passwords on the systems throughout your network, preventing bottlenecks and providing extra redundancy.

Passwords are still our first line of security, keeping outsiders out and insiders away from functions they shouldn't touch. The ever-increasing complexity of both networks and organizations makes managing these passwords ever more difficult, and accountability legislation such as Sarbanes-Oxley places high stakes on getting this right.

Avi Baumstein is an information security analyst at the University of Florida's Health Science Center.

3 of 3
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-08-30
The IPsec SA establishment process on Innominate mGuard devices with firmware 8.x before 8.1.7 allows remote authenticated users to cause a denial of service (VPN service restart) by leveraging a peer relationship to send a crafted configuration with compression.

Published: 2015-08-30
Buffer overflow in the HTTP administrative interface in TIBCO Rendezvous before 8.4.4, Rendezvous Network Server before 1.1.1, Substation ES before 2.9.0, and Messaging Appliance before 8.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via unspecified vect...

Published: 2015-08-30
Cross-site request forgery (CSRF) vulnerability in the web server on Siemens SIMATIC S7-1200 CPU devices with firmware before 4.1.3 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

Published: 2015-08-29
Use-after-free vulnerability in the CanvasRenderingContext2D implementation in Mozilla Firefox before 40.0.3 and Firefox ESR 38.x before 38.2.1 allows remote attackers to execute arbitrary code by leveraging improper interaction between resize events and changes to Cascading Style Sheets (CSS) token...

Published: 2015-08-29
The add-on installation feature in Mozilla Firefox before 40.0.3 and Firefox ESR 38.x before 38.2.1 allows remote attackers to bypass an intended user-confirmation requirement by constructing a crafted data: URL and triggering navigation to an arbitrary http: or https: URL at a certain early point i...

Dark Reading Radio
Archived Dark Reading Radio
Another Black Hat is in the books and Dark Reading was there. Join the editors as they share their top stories, biggest lessons, and best conversations from the premier security conference.