We introduce the next version of Indeed Privileged Access Manager, software for controlling the access of privileged users. Indeed PAM 1.2 revises existing functionality and adds new features, as well as tools to automate administration processes. They are designed to increase flexibility and convenience for administrators and users. The improvements to the permission mechanism and the added features and tools are described below.
CONTROL OF CONNECTED RESOURCES
Indeed PAM 1.2 has a new feature to control local devices and resources in a Remote Desktop Session. Indeed PAM connection policies are used to provide a common interface for configuring permissions of connected devices and resources. The function makes it possible to forward devices from the user’s local PC to a remote session and it works with the following devices and resources:
- Disk drives.
FILE TRANSFER CONTROL (SHADOW COPY)
A new technology has been developed to track transferred files for better control over RDP sessions. All events related to the movement of files from mapped drives to the target resource are recorded, and the files themselves are copied to the storage. This process is invisible to the user. Administrators can view the list of files transferred to the target resource and gain access to the saved copy.
Indeed PAM has redesigned the target resource access scenario. A user can now open an RDP or SSH session under their own account, even if that account has not been added to the system as a privileged one. Previously, access was provided only through system-managed accounts; this is no longer a prerequisite. All types of logging are available for these sessions.
ACCESS SCHEDULE REDESIGN
The scheduled access mechanism has been updated. You can now specify the exact start and end time of a permission's validity. For example, a permission will take effect from 09:00 on 10.10.2019 and will end at 21:00 on 10.10.2019. In the previous version, a permission always started at 00:01 and stopped at 23:59. That model restricted the issuance of permissions that must be valid at night. The new model has no such restriction, and employees can get a permission that is valid, for example, from 23:00 on 10.10.2019 to 02:00 on 11.10.2019.
Access schedule settings are also available. For example, a permission will take effect at 09:00 on 10.10.2019 and will end at 21:00 on 15.10.2019. However, the employee will be able to use the permission only within a set interval, say from 23:00 to 02:00, each day during the permission's validity.
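The schedule model described above combines a validity period with a daily interval that may cross midnight. The following is an added example, not Indeed PAM code: the function names and the half-open interval semantics (start inclusive, end exclusive) are assumptions, and all times are assumed to be in one time zone.

```python
from datetime import datetime, time
from typing import Optional


def in_daily_window(t: time, start: time, end: time) -> bool:
    """True if t falls inside [start, end); the window may wrap past midnight."""
    if start <= end:
        # Same-day window such as 09:00-21:00 (empty when start == end).
        return start <= t < end
    # Overnight window such as 23:00-02:00: late evening OR early morning.
    return t >= start or t < end


def permission_usable(now: datetime,
                      valid_from: datetime,
                      valid_to: datetime,
                      daily_start: Optional[time] = None,
                      daily_end: Optional[time] = None) -> bool:
    """Decide whether a permission can be used at `now`.

    The validity period is checked first, so an overnight daily window
    never grants access before valid_from or after valid_to.
    """
    if not (valid_from <= now < valid_to):
        return False
    if daily_start is None or daily_end is None:
        return True  # no daily schedule: usable for the whole validity period
    return in_daily_window(now.time(), daily_start, daily_end)


# Constructed sample mirroring the dates used in the text:
# valid 09:00 10.10.2019 to 21:00 15.10.2019, usable daily 23:00-02:00.
VALID_FROM = datetime(2019, 10, 10, 9, 0)
VALID_TO = datetime(2019, 10, 15, 21, 0)
DAILY = (time(23, 0), time(2, 0))

if __name__ == "__main__":
    for moment in (datetime(2019, 10, 10, 1, 0),    # inside window, before validity
                   datetime(2019, 10, 10, 23, 30),  # evening part of window
                   datetime(2019, 10, 11, 1, 0),    # morning part of window
                   datetime(2019, 10, 11, 12, 0),   # valid day, outside window
                   datetime(2019, 10, 15, 23, 30)): # inside window, after validity
        print(moment, permission_usable(moment, VALID_FROM, VALID_TO, *DAILY))
```
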
ACCOUNTS SECURITY GROUPS
For better control over privileged accounts, a new Groups section has been added to their properties. The section shows which security groups a user account belongs to. The feature is supported for Active Directory accounts and local accounts (Windows OS and Unix/Linux OS).
SAVING HISTORICAL DATA IN RECORDED SESSIONS
The properties of the session now store the names of the user, account and resource at the time of opening the session. If the administrator renames one of the indicated entities in the future, both new names and old values will be shown in the session properties.
In the session profile, service messages about changes will be displayed, which will let you know which user attributes have been changed. This feature will protect against unscrupulous administrators who can distort information about sessions, as well as avoid confusion during the regular renaming of resources and accounts.
CLI UTILITY FOR INDEED PAM
A utility has been developed to automate the administration of Indeed PAM. The tool allows you to perform the following operations:
- Bulk permission creation.
- Bulk permission revocation.
- Import resources into Indeed PAM database.
For these operations, you need a prepared .CSV file with a list of users, accounts and resources. The utility is a console application, so it can be run in both manual and automatic mode.
INDEED PAM GATEWAY LOAD BALANCING
HAProxy balancing support has been introduced to provide fault tolerance and load balancing. Active sessions are now distributed to the required number of hosts on which Indeed PAM Gateway is installed. This update simplifies horizontal scaling of the solution.