Architecture of Enterprise Random Password Manager

Enterprise Random Password Manager (ERPM) is an n-tiered, software-based, agent-less adaptive privilege management solution that's proven on the world's largest and most complex enterprise networks.

ERPM is installed on your choice of Microsoft or Oracle databases to leverage your organization’s trusted processes for database management, monitoring, and high availability – giving you unmatched transparency and control.

Data Security

ERPM encrypts the information it stores about systems, users and access at multiple points. Credentials and system data are stored in an AES-256 encrypted SQL Server or Oracle database. ERPM also provides the option for hardware-based encryption, at FIPS 140-2 Levels 2 and 3, when used with any PKCS #11 device. In addition to storing passwords and system details in an encrypted database, ERPM provides secure and delegated storage of important documents and files from within the data store. 

Management Console Application

The Management Console Application provides centralized administration for ERPM. This is where management sets, system lists, users, groups and role-based access workflows are configured and managed. The Management Console Application must be installed on Windows Server 2008 (NT 6.0) or Windows Server 2008 R2 (NT 6.1). At least 128 MB of memory is recommended and at least 50 MB of free disk space must be dedicated to the program.

Web Application

The Web Application provides secure, audited, delegated, remote retrieval of the managed privileged account passwords. This component requires Microsoft Internet Information Services (IIS) 6.0 or later with Active Server Pages (ASP) server extensions enabled. The Web Application also requires COM+ to be enabled on the web server. Many web client platforms have been tested for compatibility with the Web Application, including Internet Explorer 5, 6, 7 and 8, Firefox, Konqueror and Opera. As the application is written in classic ASP and not in Java or similar languages, there are no requirements for plug-ins or a specific browser type. A mobile version of the Web Application is included with ERPM.

Database Options

The Management Console Application requires access to a SQL Server or Oracle database to store internal data. The construction of the required tables, views, stored procedures, and security roles is handled automatically by the application.

Hardware resources permitting, all three components of ERPM may be placed onto a consolidated or shared server. There are safeguards built into the solution to prevent unauthorized access to it and to the data it is protecting and managing. If possible, however, dedicated hardware is recommended for the Management Console Application. If this is not possible, virtualized platforms are the secondary recommendation to provide a dedicated environment.

The Database and Web Application can be on shared hardware and even shared instances of the Database or application pool. For the Web Application, it is recommended that a separate application pool within IIS be created to host the application’s website.

For optimal security and performance, three dedicated systems are recommended. With high availability added, the minimum configuration grows to five or six systems: two for the clustered/mirrored Database, one or two for the Management Console, and two or more for the Network Load Balancing (NLB) hosted Web Application. Additionally, if zone processing is configured for geographically or security-dispersed environments, an additional server will be required for each zone processor.

Multi-Tier Architecture

The ERPM multi-tier architecture with remote Zone Processing assures reliable discovery and policy enforcement over high-latency network links. This architecture maintains responsive protection and reporting even across unreliable networks, while minimizing expensive WAN bandwidth.

Zone Processors are scheduling services deployed remotely to manage systems in the associated region. They communicate back to a centralized database for all of their job information. By installing specialized deferred processors at remote sites, all enterprise password management operations can be conducted on the managed systems' local network, rather than utilizing one centralized console for the entire enterprise. Only SQL traffic is transmitted back to the central database from the zone processor, effectively minimizing bandwidth usage over already saturated WAN links.

Zone processing results in improved Service Level Agreements (SLAs), an imperative of large, multinational enterprises. Dedicating a process on a local machine to privileged account management provides failover and load balancing capabilities that increase network responsiveness. Zone processing also helps organizations more effectively meet regulatory compliance mandates that require shared account password updates to be completed within a limited period of time.


ERPM is provided as a software application for on-premise deployment, or as an application in the Microsoft Azure marketplace for cloud deployments. It can also be deployed "headless" or programmatically via PowerShell cmdlets or SOAP-based web services.

Learn More

Contact us to learn more about how Lieberman Software can help you secure your organization's privileged accounts.