Lieberman Software
PRIVILEGED IDENTITY MANAGEMENT NEWS LINE
September 2012        

Top of Mind

Common Local Administrator/Root Accounts - Everything other than Windows

Philip Lieberman
President & CEO
Lieberman Software


Continuing From Last Month...

Managing non-Windows local accounts is also easy and fast since we have built-in protocol connectors (i.e. SSH, Telnet, OLEDB, IPMI, 3270) and a large inventory of preconfigured XML response files for handling pretty much everything with a network connection from just about every vendor.

Machine list management is similarly rich compared to Windows in that all of the typical machine list sources are accessible such as AD, LDAP, databases, and more. Gaining initial Superuser access for these other platforms for password change is agentless and achieved by a combination of preloaded alternate administrator lists containing well known accounts and passwords, as well as the ability to import known account/password pairs for each system if there is no commonality of initial accounts.

One of the really cool features of managing non-Windows systems is that we can handle new operating systems and devices in generally less than five minutes. This bit of magic is accomplished by the “Remote Command Builder” that you will find under the Cross-Platform Support Library submenu of E/RPM. Essentially the command builder allows you to do an actual logon and other common actions and see what comes back from your host. You can then take the XML files generated by the command builder and replace the actual user name and password field with variable arguments…and you are done.

So how fast can you change local Superuser accounts in, say, Linux? You can pick up the machine lists from LDAP in a couple of minutes. If you are using well-known credentials for the root accounts, you can load those into our alternate admins dialog, or if each machine has its own password, you can upload a CSV file containing the pre-seeded credentials. From this point, you simply ask E/RPM to log on and change the credentials. We have measured speeds of over 1000 system password changes per minute using only one host running E/RPM. With this type of speed, you could randomize and secure over 100,000 Linux-based devices in less than 2 hours.

What Happens Next

Each randomization of a set of systems generates a job within E/RPM that will be marked as complete. If some of the systems were not changed, the job will be set to retry the missed machines in the list until a limit of retries is reached.

If you want to regularly randomize all of the local accounts on all your platforms, you can open the completed jobs that you just created and set the run frequency to pretty much whatever you want: every 30 days, every 90 days, the 3rd day of each month, or on demand from the web site, where you can trigger randomization of groups of system Superuser accounts when you wish.

Checking out passwords that have been randomized is similarly simple. You can configure users, groups, certificates, roles and more to have scope of access that will control who has access, when, and to which systems. All of the password release controls are under the Delegation menu of E/RPM.

Auto-Roll Technology

We have worked really hard to keep you from having to maintain compliance with privileged accounts, and one of the crown jewels of this technology is known as auto-roll technology. The feature creates a scheduled job every time your user checks out a password. The created job will automatically change the password, without any human interaction, whether or not your user checks in the password. This feature assures that credential disclosure is always a limited time event.
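The auto-roll behaviour described above, combined with the retry-until-limit behaviour from "What Happens Next", as an added Python example. It is not Lieberman Software's code or E/RPM's implementation; the class name, the four-hour disclosure window, the retry delay and the retry limit are all assumptions made for illustration.

```python
import heapq
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
ROLL_AFTER = 4 * 3600   # assumed disclosure window in seconds
RETRY_EVERY = 300       # assumed delay before retrying a failed change
MAX_RETRIES = 3         # assumed limit on attempts per job

class AutoRollVault:
    """Hypothetical vault: every checkout queues a forced password change."""

    def __init__(self, change_password):
        self._change = change_password  # callable(system, account, new_pw) -> bool
        self._current = {}              # (system, account) -> stored password
        self._jobs = []                 # min-heap of (due, attempts, system, account)
        self.gave_up = []               # targets that exhausted their retries

    def _rotate(self, system, account):
        new_pw = "".join(secrets.choice(ALPHABET) for _ in range(24))
        if not self._change(system, account, new_pw):
            return False                # keep the old stored value on failure
        self._current[(system, account)] = new_pw
        return True

    def enroll(self, system, account):
        # Initial randomization of the account.
        return self._rotate(system, account)

    def checkout(self, system, account, now):
        # The disclosure itself schedules the change; no check-in is required.
        heapq.heappush(self._jobs, (now + ROLL_AFTER, 0, system, account))
        return self._current[(system, account)]

    def run_due_jobs(self, now):
        rolled = []
        while self._jobs and self._jobs[0][0] <= now:
            due, attempts, system, account = heapq.heappop(self._jobs)
            if self._rotate(system, account):
                rolled.append((system, account))
            elif attempts + 1 < MAX_RETRIES:
                retry = (due + RETRY_EVERY, attempts + 1, system, account)
                heapq.heappush(self._jobs, retry)
            else:
                self.gave_up.append((system, account))
        return rolled
```

A target that lands in `gave_up` still holds a disclosed password, so that list is the one to alert on.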

Summary

Changing local administrator credentials on both Windows and non-Windows systems is very easy to set up and execute within E/RPM, and most changes can be accomplished enterprise-wide in a day or less, bringing your company into compliance. With automatic scheduling, there is little to nothing you need to do to keep the passwords different on all systems and automatically changed after disclosure.

All this means deployment of E/RPM and its ability to maintain continuous compliance for local Superuser credentials is a piece of cake to set up and maintain. Imagine completing an identity management project in a week…it can be done with our technology!

What do you think? Email me at: Phil@liebsoft.com. You can also follow me on Twitter: @liebsoft or connect with me via LinkedIn.
 
Cast Your Vote for Lieberman Software!

Lieberman Software has a number of entries in the 2012 Community Choice Awards. Please take a moment to vote for us in the following categories:

Windows IT Pro:
  • Best Deployment/Configuration Product – Lieberman Software User Manager Pro Suite
  • Best Management Suite – Lieberman Software User Manager Pro Suite
  • Best Security Product – Lieberman Software Enterprise Random Password Manager
  • Best System Utility – Lieberman Software Service Account Manager
  • Best Task Automation Product – Lieberman Software Task Scheduler Pro
  • Best Vendor Tech Support – Lieberman Software
SQL Server Pro:
  • Best Security/Auditing/Compliance Product – Lieberman Enterprise Random Password Manager

What's New in Identity Week

Featured commentary on our Identity Week blog this month includes:
  • How To Handle Password Spreadsheets. Let’s face it. Despite the best efforts of us in the IT security industry, the top solution for managing passwords is the trusty old sticky note. Write down your password on the note and hide it somewhere you can easily find it (hopefully not on your monitor)...

Events / Press / Analysts
  • 20% of IT staff admit to accessing unauthorised executive data. ComputerworldUK. Almost 40% of IT staff can get unauthorised access to sensitive information, and 20% admit to accessing executives' confidential data, according to research. IT professionals are allowed to roam around corporate networks unchecked, according to a survey of more than 450 IT professionals by security software firm Lieberman Software.

Tech Tip of the Month

Automatically Manage Expired or Inactive User Accounts

Account Reset Console provides an automated password management system to identify accounts with expired or near-expired passwords, or that have been inactive for a certain number of days. Here's how.

Lieberman Software Corporation
1900 Avenue of the Stars, Suite 425
Los Angeles, CA  90067
www.Liebsoft.com | (01) 310-550-8575 | newsletter@liebsoft.com