Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Top-Down Password Protection

New tools can corral administrator-level access, but plan ahead to avoid costly downtime.

They're Here To Help
Enter a new breed of privileged account management systems. These systems promise to control access to high-level systems and automate password safeguards. While these systems are effective so far, adoption is slow, in part because of price. Access control system pricing typically starts at around $15,000 to $25,000.

At first glance, management of privileged accounts and passwords seems like a problem that an identity management system could solve. Sometimes it can, but identity management is aimed at a different problem: managing the life cycle of accounts tied to actual humans. User accounts need to be created and destroyed as users are hired and terminated, with their access to resources granted or denied based on job roles.

Identity management tools are typically tied to ERP or human resources systems, so changes in employment status trigger matching changes to computer access. They typically implement single sign-on via connectors to applications and directories but can't interface with the more limited systems that form the infrastructure of a network. These tools are built to handle large numbers of users with similar access needs and thus aren't suited to the more specialized needs of accounts that aren't tied to individual employees.

Where identity management systems provide a one-size-fits-all approach to user passwords, privileged account managers provide a custom-fit match to the needs of nonidentity accounts. The standard privileged account management feature set includes generation of a unique, complex, random password for each account and the ability to automatically log in to the client system and change the password.

Nearly all privileged account management systems employ an agentless design, where they use the server's native protocols, such as SMB, Telnet, or SSH, to interactively log in and make password changes, with no preinstallation or configuration of the managed systems required.

When authorized users need access to a privileged account, they can log in to a Web portal and request the password for a particular system. After verifying the user's right to view that password, the system provides it and logs the fact that the user has accessed the password. After the user has finished with the password, the system generates a new password, logs in to the client system, and resets the password (see diagram, "A Stronger Front Line", below). In this way, the user no longer has access without again requesting it through the privileged account manager.

The most secure setup comes from using identity-managed single sign-on to authenticate the individual's access to the privileged account management system, combining the identity-based access control of identity management with the tight control and auditing of privileged account management.

Besides controlling access to servers and accounts, privileged password managers provide enhanced accountability. Since high-privilege accounts aren't tied to individual users--often just to "root" or "Administrator"--there normally isn't a way to tell who actually accessed a system and made a particular change. By logging every time an administrator requests a password, privileged account managers provide an independent log of all access to servers using the administrative accounts.

A Stronger Front Line
diagram: A Stronger Front Line
The privileged account manager discovers all systems (desktops, servers, routers, etc.) on the network and sets unique passwords for them. System admins use the privileged account manager to access administrator accounts. The privileged account manager logs the details of each session and creates a new unique password when the admin has finished.

To further enhance accountability, the systems can be configured so that no other user can access a specific password while it's checked out to another admin. The password is only made available for use after the first user has checked it back in or a specific time has elapsed, and the password automatically changed.

This can be especially useful to meet audit requirements, and most applications can produce extensive reports suitable for presentation to auditors. The logs also can be useful for demonstrating that corporate password policies are being followed in areas of complexity and change intervals.

Previous
2 of 3
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31755
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setmac allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31756
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /gofrom/setwanType allows attackers to execute arbitrary code on the system via a crafted post request. This occurs when input vector controlled by malicious attack get copie...
CVE-2021-31757
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setVLAN allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31758
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setportList allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31458
PUBLISHED: 2021-05-07
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handlin...