Going Beyond Local Account Management:
Service Account Discovery, Correlation and Propagation
President & CEO
Continuing from last
The Good News and Bad News
The developers of Microsoft Windows created a well-organized framework
for the storage and retrieval of service accounts that is consistent
from Windows NT to Windows 2012. This means that applications written
for this platform pretty much use the same methodologies for the
management of credentials. The Microsoft platform also provides remote
management APIs (interfaces) that allow credentials and their
references to be managed in a consistent manner.
Saying that the Microsoft platform has a consistent structure does not
mean it is simple to manage; I am only saying that it is consistent. The
platform itself has an enormous number of services to manage, and with
each new version of the operating system we have had to develop ever
more sophisticated discovery, correlation and propagation engines.
The story on managing correlation and propagation on non-Windows
systems such as Linux is a whole different kettle of fish. First, there
is no ubiquitous remote management API, no (consistent) framework for
the storage of credential usage, and applications are free to install
and put their configuration files wherever they wish. There is also no
consistent central repository to review that tells you what is on that
machine and where it is installed. This is one of many reasons that
companies choose Windows rather than Linux: standardization and remote
management. By the way, this is not a Linux-only problem, since many
cross-platform products such as Oracle 11g and many other Oracle and IBM
products have a completely arbitrary and frankly bizarre way of
installing themselves and maintaining their
All is Not Lost
But all is not lost: we have developed connectors for these non-Windows
based services. These connectors provide the full discovery, correlation
and propagation features, but because there is no remote management API,
we provide remote management connectors for specific platforms such as
IBM WebSphere and Oracle WebLogic. Similarly, we provide the same types
of remote management connectors for Java and other middleware
repositories.
We also provide remote CLI capabilities, file search and replace (great
for CONF files), and SSH/Telnet command files.
In Practice: Windows… A Dream to Manage
Because we have a rich and mature set of engines for Windows, the
discovery, correlation and propagation process is a breeze. Almost
everything is fully automated; credentials and their use are displayed
as trees. Changing passwords and where they are being used is also
simple and takes less than a minute to configure once and for all.
Since everything is in the box, there is no need for professional
services to customize our software.
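As an added illustration of the discovery, correlation and propagation steps this section describes on Windows, here is a PowerShell script (example code, not part of ERPM) that uses the platform's own remote management interface (CIM/WMI over WinRM): it lists the services on a set of hosts, groups them by the logon account stored for each service, and shows how the same interface can push a rotated password to every service that runs under that account. Host names and the account name are constructed placeholders; it assumes WinRM access with local administrator rights on each host.

```powershell
# Added example, not part of ERPM. Assumes WinRM/CIM access to each host with
# local administrator rights; host names below are constructed placeholders.

# Discovery: which services exist on each host and which account each runs as.
function Get-ServiceAccountUsage {
    param([string[]]$ComputerName)
    foreach ($computer in $ComputerName) {
        try {
            # Win32_Service.StartName is the logon account stored for the service.
            # Built-in and virtual accounts have no password to propagate, so skip them.
            Get-CimInstance -ClassName Win32_Service -ComputerName $computer -ErrorAction Stop |
                Where-Object { $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)' } |
                Select-Object @{ n = 'Computer'; e = { $computer } }, Name, StartName, State, StartMode
        }
        catch { Write-Warning "$computer : $($_.Exception.Message)" }
    }
}

# Correlation: one row per account, showing how many services and which hosts use it.
function Group-ServiceAccountUsage {
    param([object[]]$Usage)
    $Usage | Group-Object StartName | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            Account  = $_.Name
            Services = $_.Count
            Hosts    = ($_.Group.Computer | Sort-Object -Unique) -join ', '
        }
    }
}

# Propagation: after the account's password has been changed in the directory,
# update the credential stored on every service that runs as that account.
# Win32_Service.Change returns 0 on success; the service must be restarted to use it.
function Set-ServiceAccountPassword {
    [CmdletBinding(SupportsShouldProcess)]
    param([object[]]$Usage, [string]$Account, [string]$NewPassword)
    foreach ($svc in $Usage | Where-Object StartName -eq $Account) {
        if ($PSCmdlet.ShouldProcess("$($svc.Computer)\$($svc.Name)", 'Update service logon password')) {
            $cim = Get-CimInstance -ClassName Win32_Service -ComputerName $svc.Computer -Filter "Name='$($svc.Name)'"
            $rc  = (Invoke-CimMethod -InputObject $cim -MethodName Change -Arguments @{ StartPassword = $NewPassword }).ReturnValue
            [pscustomobject]@{ Computer = $svc.Computer; Service = $svc.Name; ReturnValue = $rc }
        }
    }
}

# Usage with placeholder host names; -WhatIf previews the propagation without changing anything.
$usage = Get-ServiceAccountUsage -ComputerName 'app01.example.local', 'app02.example.local'
Group-ServiceAccountUsage -Usage $usage | Format-Table -AutoSize
Set-ServiceAccountPassword -Usage $usage -Account 'CORP\svc_app' -NewPassword '<new password>' -WhatIf
```

Run the last line without -WhatIf only after the account's password has actually been changed in Active Directory, and restart the affected services afterwards so they pick up the new credential.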
In Practice: Linux and Others… Easy, But Secret Sauce Must Be Known
Managing credentials and their use on non-Windows machines does not
require professional services or customization of ERPM; however, it
does require some knowledge of the platform, and where and how
credentials are stored. You also need to know the method used by the
services to change credentials for services/daemons.
Because all of the propagation settings are user configurable, you
simply enter the configuration settings for your platform(s) and you
are done once and for all.
Both Windows and non-Windows platforms sometimes have applications that
store their service credentials in plain text files. This practice
makes auditors and regulators go insane with panic when/if they
discover this practice.
We have implemented the following solutions to address this issue:
1) Push credential change, whereby our product finds and changes the
clear-text credentials automatically and periodically in the background
for these clear-text files, or patches binary files containing clear
2) Pull credentials, where you update your code that uses the clear-text
files and have it pull credentials directly and in real time from our
application. This method uses our SDK (free), which provides APIs for
pretty much every platform out there.
3) In cases where the password storage mechanism uses encryption, we
have already incorporated decryption, scanning, change, and re-encryption
for many technologies such as .NET. For other technologies you can use
If you have been tasked with changing credentials on a regular basis,
but have given up because these changes have caused outages due to the
complexity and scope of not only changing credentials but also finding
where they are being used, there is an automated solution that does the
job quickly and at scale with minimal to no human interaction: Enterprise Random Password Manager (ERPM).
By the way, deploying this product and gaining the ability to propagate
to service accounts at scale - reliably - is generally a one to two week
process initially. Why? Extensive automation and deep domain-specific
knowledge embedded within the ERPM product make this seemingly
impossible task for humans an easy task for our product.
you think? Email me at Phil@liebsoft.com.
You can also follow me on Twitter (@liebsoft) or connect with me via LinkedIn.
New in Identity Week
Featured commentary on our Identity Week blog this month includes:
- The Status and Future of Software
Development. Throughout the past several decades we’ve seen
quite an evolution in the field we now refer to as software
development, as you’d expect. The dilemma we face in software
development today is, with technology all around us, there is so much
that can be done, but not enough time to do it all. The complexity of
technologies, and their problems interacting reliably and at scale, is
becoming a serious challenge...
- Compliance and the Privileged Account Principle. Two
common drivers compel organizations to invest in new IT security and
management technologies – data breaches and failed compliance audits.
Companies such as mine – we develop privileged identity management
(PIM) products – receive new customers seeking to rectify both such
incidents. Preventing data breaches is an obvious impetus for investing
in a PIM product, but for many people, the tie-in with regulatory
compliance is less clear...
Events / Press /
- How to get promoted in IT security. Help Net Security.
Not only has landing a job become more difficult; it's also getting
harder to get promoted once you have the job. Here are some tips to
getting ahead in today's competitive, cutting-edge world of IT
- Lights Out Management Without Putting Your Organization's Lights Out
Permanently. Continuity Central. Intelligent Platform
Management Interface (IPMI) technology underpins lights out management
(LOM) in IT departments around the world. LOM allows an IT
administrator or IT security manager to manipulate and manage servers
using remote control - even switching on the machines when they are
'off'. LOM is a potent technology which has its uses; however, it also
poses some potential risks which every enterprise must be aware of.
- updates identity management software. Finextra. Lieberman
Software has launched new functionality that allows ERPM to provide
secure check-in/check-out of privileged credentials directly through
the McAfee ePolicy Orchestrator (McAfee ePO) web-based interface, and
provides identity and configuration data enrichment for ePO.
Tech Tip of the Month
Remotely Create, Update and Remove Services
Has a vendor sent you an updated service executable that needs to be
installed across a large group of machines?
Do you have an internally developed application that requires installed
services, but doesn't have an install package?
Do you have obsolete services defined on Windows hosts in your
environment, but no time to go and clean them up?
In addition to modifying Windows Services, Service Account Manager can create
or remove services. Here's