Directory Services Restore Mode (DSRM) Password Security

Directory Services Restore Mode (DSRM) Password Security

Your domain controller's Directory Services Restore Mode (DSRM) password is among the most powerful logins on any Windows network. With this highly privileged password, a user can restart your domain controller in Directory Services Restore Mode, copy and change the Active Directory database, and reboot the server – all completely anonymously.

DSRM passwords cannot be secured through scripts and other ad-hoc methods. Because each password update requires manual use of command-line utilities, these powerful logins are left unchanged in most organizations. And, DSRM password secrets are often shared among IT staff and improperly secured – maintained on printed lists, spreadsheets, or in password vaults that lack auditing controls and real attribution.

In addition to the vulnerabilities caused by shared, anonymous access to DSRM passwords, your organization could suffer prolonged service outages should authorized IT staff fail to get immediate, audited access to Directory Services Restore Mode whenever you encounter problems with Active Directory.

Secure Directory Services Restore Mode (DSRM) Passwords

Fortunately Enterprise Random Password Manager (ERPM) deploys and automatically updates highly secure Directory Services DSRMRestore Mode passwords on each of your domain controllers according to schedules that you define.

And, whenever authorized IT staff requests access to Directory Services Restore Mode passwords, ERPM provides an audit trail showing the requester, target system and account, date and time, and purpose of each request.

Grant Faster, Audited Access to Directory Services Restore Mode

When IT personnel need DSRM access for emergency Active Directory maintenance, ERPM immediately grants the required credentials, according to predefined workflows, through an encrypted web console.

ERPM also gives you flexible, easily configured options to configure multi-factor authentication of individuals requesting DSRM passwords, as required by leading IT regulatory standards.

Learn More

For more information on how ERPM can help secure privileged identities everywhere on your network contact an account manager.