Password management for administrative accounts

Monitoring the use of privileged accounts and keeping administrative passwords secret

Indeed Privileged Access Manager

Privileged accounts inherently carry significant information security risks: compromise of privileged access to a system can lead to severe financial and reputational loss for the company. However, administrative accounts are routinely protected with password authentication alone, which is a clear weakness: passwords can be harvested or passed to another person without proper authorization. Passwords also have to be changed promptly when an employee is dismissed. Such problems with administrative access pose a significant threat to company security. Eliminating this risk requires a dedicated Privileged Access Management class solution. The first step is to implement automatic management of privileged account passwords.

Task description

The tasks of password management for privileged accounts can be formulated as follows:

    • Passwords should be hidden from employees. In other words, it must be possible to grant administrative access to a system without revealing the password itself.
    • Passwords should be automatically changed to randomly generated values on a regular basis. This raises the security level and reduces the risks of using the password in explicit form.
    • It must be possible to grant access rights granularly and to revoke them at any moment. It must be possible to grant administrative access to explicitly defined servers only.

Solution

To solve these tasks, the Indeed Privileged Access Manager (Indeed PAM) software suite is used. The suite stores privileged accounts centrally and manages them.

Indeed PAM has the following features.

Password Management Functions

    • Granting administrative access (a session) without revealing the privileged account password
    • Regular change of passwords for privileged accounts
    • The ability to grant administrative access to defined resources (servers) only

Supported account types

    • Microsoft Active Directory
    • Windows OS accounts
    • Linux OS accounts (passwords and SSH keys)
    • Accounts for access to networking equipment

Supported protocols

    • RDP
    • SSH

Search for privileged accounts

Indeed PAM contains a module that searches for privileged accounts, registers them in the system and prompts the administrator to bring them under control.

Regular automatic change of passwords for privileged accounts

Indeed PAM regularly changes the passwords of privileged accounts to a random value, complying with the requirements for both password complexity and the interval between password changes.

The general architecture of Indeed PAM for the password management task is shown below.

Figure: General architectural authentication scheme of Indeed PAM

The following modules provide password management in Indeed PAM:

Indeed PAM Server

This is the core component of the Indeed PAM infrastructure. It is a web application running in the Internet Information Services (IIS) server environment. The Indeed PAM server provides centralized management of system users, user account data and security policies.

Access Server

The access server is the central part of the privileged access granting scheme. The server ensures access policy compliance, starts an administrator session on the target resource and carries out text and video recording of sessions.

Connectors to the target systems

The connectors are used for integration with target systems, such as Windows or Linux servers. The connectors are also used to search for privileged accounts and to change their passwords to a random value on a regular basis.

Event log

The system registers all events initiated by users or administrators in the system web interface, as well as all attempts to gain privileged access rights. Log viewing, report generation and printout are performed in the administrator console. You can configure the system so that an email notification is sent to an administrator or a user upon certain system events.

Privileged account registry

The registry contains credentials for privileged access. The data in the registry is stored in encrypted form. The following database types are supported: SQL DBMS and Microsoft Active Directory.
