Netwrix Newsletter, September 2007: Management and Protection of Privileged Accounts. Can Security Be Easy to Use?

Welcome to the September issue of our monthly newsletter. This month, we are introducing Privileged Account Manager, the new product from Netwrix, which protects privileged user accounts that are shared among multiple members of the IT team. It also simplifies maintenance and enforces regulatory compliance.

How to Keep Privileged Accounts Safe? How to Share Them Securely?

It's a matter of fact: every IT team needs to use large numbers of user identities and passwords for managing servers, network devices, databases, etc. This is very simple if the organization is small and you are the only systems administrator. But it becomes difficult as soon as two or more people start to work with these accounts.

Privileged accounts, such as domain administrator or service accounts, allow very powerful, usually unlimited access to systems and data, and if they are not properly secured and maintained, they represent a very high risk to an organization's security.

How many servers and devices are accessible under your "favorite" password, such as "Qwerty123" or just left in a factory-default state forever? Is it secure? Obviously not... Of course, you can utilize many passwords, writing them down on a whiteboard in your server room or storing them in shared spreadsheets. But how would you force all members of your team to use these tools? Bet on it; someone will change accounts without updating a spreadsheet anyway, and this will happen daily.

Another point to consider is regulatory compliance standards, such as SOX and GLBA. These impose strict password management rules: password strength and the need to change passwords periodically, usually every three months or so. Moreover, access to protected data must be controlled and recorded so that auditors can determine who accessed it and when. Routine control, updates, and reporting may require significant effort and productivity tradeoffs. With hundreds of systems and devices, 100%-secure and compliant management of shared privileged accounts can become a real challenge. You will simply spend most of your time maintaining your passwords or even hire a dedicated person who will do this!

To address this problem, we designed a new product, Privileged Account Manager (SIM), to help organizations maintain and protect their privileged shared accounts of all types, from Active Directory and servers to routers and database systems. The backbone of the product is a secure facility for controlling access to account passwords. Users of this system will be able to perform provisioning, access passwords, and de-provision shared administrative accounts, all under centralized control and auditing.

Privileged Account Manager enforces a "check-out" concept: when someone wants to access a password, he or she needs to check it out from the system and then check it back in when done using it.

The centralized "check-out" system has several major advantages:

  • All operations are logged for reporting and analysis. You can determine who accessed which passwords and when it happened;
  • When a password is checked in, the system changes it to prevent further usage until it is checked out again;
  • You can define password access rules to control who can use specific passwords based on their roles.

Moreover, Privileged Account Manager will perform automatic maintenance of accounts: it changes passwords based on your schedule and updates account information in all affected places, such as service accounts, scheduled tasks, etc. The product discovers all of these places automatically to determine where accounts are used, so there is no need to remember every one of them anymore.
