NetWrix Privileged Account Manager Version 4.1 User Guide
Table of Contents

1. Introduction
   1.1 About Security Roles
2. Configuring Product
   2.1 Configuring Child Folders
   2.2 Configuring Password Maintenance Settings
3. Using Account Manager
   3.1 Accessing Account Manager
   3.2 Adding New Managed Accounts
       3.2.1 Adding an Account
       3.2.2 Adding a Set of Accounts
   3.3 Obtaining an Account Password
   3.4 Viewing Audit Information
       3.4.1 Viewing Reports on Accessing Account Password
       3.4.2 Viewing Advanced SSRS Reports
4. Contacting NetWrix
5. Disclaimer
1. Introduction

NetWrix Privileged Account Manager (also known as Account Manager or PAM) is an easy-to-deploy Web-based application that provides a secure facility for managing shared administrative accounts (referred to as managed accounts in this guide) in your organization. With the help of Account Manager you can:

- Provision, deprovision, and automatically update account passwords;
- Synchronize account passwords with the Windows services and scheduled tasks that run under those accounts;
- Audit access to all managed accounts.

This document is intended to assist you in using the product. The set of activities you can perform with PAM depends on your security role.

1.1 About Security Roles

The product uses a role-based security model that allows the IT administrator to assign access permissions to users based on their roles rather than on their individual identities. A role is a category of users who share the same security privileges. There are four security roles in PAM:

Security Role          Description                                                                  Predefined Members
---------------------  ---------------------------------------------------------------------------  ------------------------------------------
System Administrator   Provides complete and unrestricted access to all features and permission     The Domain Administrator and Enterprise
                       to configure all settings for the product.                                   Administrator groups in the management
                                                                                                    server domain.
Account Manager        Allows adding, removing and managing accounts and PAM folders.               (none listed)
Account Operator       Allows obtaining the current passwords of all managed accounts.              (none listed)
Report Viewer          Allows viewing the PAM reports.                                              (none listed)

Note that the Account Operator role grants the current password of every managed account. Keep its membership as small and as regularly reviewed as that of System Administrator; every password access by a member is recorded in the audit trail (see Viewing Audit Information later in this guide).
2. Configuring Product

To configure all settings of the product, you must be a member of the System Administrator role (see the Product Administrator Guide). This section describes only the settings you can configure as a member of the Account Manager role.

2.1 Configuring Child Folders

Account Manager lets you store managed accounts in virtual folders. By default, the product provides the Accounts root folder (see the product main window under Accessing Account Manager). Under Accounts, you can create any hierarchy of child folders. To each child folder, or even to an individual account, you can apply a specific password maintenance policy or let it inherit the policy settings from the parent folder. The password maintenance policy comprises settings such as the maximum duration of an account checkout, the schedule of password changes, and so on. Because settings are inherited, a policy applied to a folder also governs every folder and account below it that has not been given its own policy; keep this in mind before relaxing a setting (for example, a longer checkout duration) on a folder high in the tree.

To create a child folder, open the product main window and, under Accounts, select a parent folder. Then perform the following steps:

1. In the details pane, go to the Operations on this folder list.
2. Select Add Child Folder, and click Go.
3. In the Add Child Folder dialog box, specify the child folder name and click OK.
2.2 Configuring Password Maintenance Settings

To configure the password maintenance settings applied to a folder, go to the product main window. Under Accounts, select that folder, and then perform the following steps:

1. In the details pane, go to the Operations on this folder list.
2. Select Change Password Settings, and click Go.
3. In the Password Maintenance dialog box, specify the appropriate settings, and click OK.

This dialog provides the following controls:

Inherit password maintenance settings from parent folder: Inherits all settings from the parent folder. When selected, the other settings in this dialog have no effect.

Change password after check in: Causes PAM to change the account password each time the account is checked in. A password retrieved by one user therefore stops working as soon as that user checks the account in.

Maximum password checkout duration: Specifies the duration (in minutes) of the password checkout. The account is automatically checked in after this time has elapsed. Combined with Change password after check in, this setting bounds how long a password that has been shown to a user remains valid, whether or not the user remembers to check it in.

Automatically change password every: Specifies the schedule of password changes.

You can also configure the password maintenance settings of an individual account using the following procedure:

1. In the product main window, go to Accounts, and select the folder where the account resides.
2. In the details pane, select the account under Details and open the Password Maintenance tab.
3. Click Edit, and then complete the Password Maintenance dialog box.
3. Using Account Manager

This section discusses a basic scenario that includes the following steps:

- Accessing the product Web interface
- Adding new managed accounts
- Obtaining an account password
- Viewing audit reports

3.1 Accessing Account Manager

You can access the product Web interface from any network client computer that runs a Silverlight-compatible operating system with Microsoft Silverlight 4.0 and Internet Explorer 6.0 or later installed.

To access the product Web interface, on a client computer, in Internet Explorer, open the product URL (written as http://%account Manager% in this guide), for example http://web.mycompany.com/pam. You will be prompted for a user account with which to access PAM. This account must belong to one of the PAM security roles (see About Security Roles earlier in this guide). Your logon credentials and every password you check out travel over this connection, so if the Web server has been set up for HTTPS, use the https:// form of the URL.

[Screenshot: the product main window]

To access the product functionality, use the links in the left pane:

Accounts: Provides all operations on managed accounts (available to System Administrator, Account Manager, and Account Operator).
Security Roles: Assigns the PAM security roles to specific user accounts (available only to System Administrator).
Audit Reports: Provides access to the product audit reports (available to all roles).
Administration: Sets up the product administration settings (available only to System Administrator).
3.2 Adding New Managed Accounts

By default, the list of managed accounts is empty. To start using the product, you must have at least one managed account. Managed accounts can reside in the Accounts folder of PAM or in any child folder of Accounts. You can add an individual account or import a set of accounts that meet specific criteria. To perform the operations described in this section, you must be a System Administrator or an Account Manager.

3.2.1 Adding an Account

PAM provides the Configure Managed Account wizard for adding new managed domain or local accounts. You can add managed accounts to the Accounts folder (or to any of its child folders) in the PAM main window. To start the Configure Managed Account wizard from the product main window, do one of the following:

- To add an account to the Accounts folder, click New Managed Account.
- To add an account to a child folder of Accounts, in the left pane, select that folder, and in the right pane, click Add Account, and then click Wizard.

To complete the wizard, perform these steps:

1. On the Welcome page, click Next.
2. On the Specify Managed Account page, do the following, and click Next:
   - From the Account Type list, select the account type (Windows Domain or Windows Local).
   - In Account Name, specify the name in Domain\Login or Computer\Login format, respectively. You can add only existing accounts from the domain where the management server is installed; the wizard does not create accounts.
3. For Windows Domain accounts, on the Specify Systems page, optionally specify the list of computers on which Windows services or scheduled tasks run under this account. PAM synchronizes the service and task credentials on these computers when it changes the password (see the Introduction), so a computer left off the list keeps the old password and its service or task will fail to start after the next password change.
4. On the Final Notice page, click Finish.
3.2.2 Adding a Set of Accounts

The product provides the Account Discovery feature, which lets you import (add) a set of managed accounts that meet specific criteria. For example, you can import domain accounts from a specific Organizational Unit, or local accounts that reside on specific machines. To add a set of managed accounts, perform the following steps:

1. In the product main window, under Accounts, select the folder to which to add the accounts.
2. In the details pane, from the Operations on This Folder list, select Discover New Accounts, and click Go. The Account Discovery dialog box opens.
3. To add domain accounts, do the following:
   1) Select Import domain accounts from.
   2) To import an explicitly specified set of accounts, select List or file, click Edit List, and then specify the account list in the Domain Accounts List dialog box.
   3) To import accounts from an OU, select Organizational Unit, specify the distinguished or canonical name of the OU, and optionally select the Filter by account names check box and specify a name filter, such as Adm*.
   4) Optionally, to specify the computers on which Windows services or scheduled tasks run under the managed accounts, select the Discover Systems check box, and enter a semicolon-separated list of IP addresses or ranges.
4. To add local accounts, do the following:
   1) Select Import local accounts from.
   2) To import an explicitly specified set of accounts, select List or file, click Edit List, and then specify the account list in the Local Accounts List dialog box.
   3) To import accounts from specific computers, select Computers, and enter a semicolon-separated list of IP addresses or ranges.
   4) Optionally, select the Filter by account names check box, and specify the account name filter.

A broad filter such as Adm* applied to a large OU or address range imports every matching account, so review the discovered list before relying on it. Accounts that were imported but are never checked out show up in the Unused accounts report (see Viewing Audit Information), which is the simplest way to spot an over-broad discovery after the fact.
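The following is an added example, written for this page rather than taken from the product, showing how the inputs of the Configure Managed Account wizard (3.2.1) and the Account Discovery dialog (3.2.2) can be validated and expanded before they are typed in: Domain\Login and Computer\Login names, the semicolon-separated list of IP addresses or ranges, and an Adm*-style name filter. The "first-last" range syntax, the acceptance of CIDR notation, the use of the IP address as the Computer part of a discovered name, the SAMPLE_INVENTORY data and all function names are assumptions, not documented product behaviour.

```python
"""Validation of the inputs the Configure Managed Account wizard (3.2.1) and the
Account Discovery dialog (3.2.2) take: Domain\\Login or Computer\\Login names, a
semicolon-separated list of IP addresses or ranges, and a wildcard name filter
such as Adm*. Example code written for this page, not NetWrix code; the range
syntax 'first-last', the CIDR form and the function names are assumptions."""
import fnmatch
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# scope\login: a NetBIOS-style scope, then a login without the characters Windows forbids
_NAME = re.compile(r'^[A-Za-z0-9._-]+\\[^\\/"\[\]:;|=,+*?<>]+$')


def valid_account_name(name: str) -> bool:
    return bool(_NAME.match(name))


def parse_account_name(name: str, account_type: str) -> Tuple[str, str, str]:
    """Return (kind, scope, login); kind follows the wizard's Account Type list.
    The wizard only accepts accounts that already exist; it creates none."""
    kinds = {"Windows Domain": "domain", "Windows Local": "computer"}
    if account_type not in kinds:
        raise ValueError(f"unknown account type: {account_type!r}")
    if not valid_account_name(name):
        raise ValueError(f"expected Domain\\Login or Computer\\Login, got {name!r}")
    scope, login = name.split("\\", 1)
    return kinds[account_type], scope, login


def expand_targets(spec: str) -> List[str]:
    """Expand '10.0.0.5;10.0.0.10-10.0.0.12' into individual IPv4 addresses."""
    out: List[str] = []
    for item in (s.strip() for s in spec.split(";")):
        if not item:
            continue                                   # tolerate a trailing ';'
        if "-" in item:                                # assumed 'first-last' range syntax
            first, last = (ipaddress.IPv4Address(p.strip()) for p in item.split("-", 1))
            if last < first:
                raise ValueError(f"range end precedes start: {item!r}")
            out.extend(str(ipaddress.IPv4Address(n)) for n in range(int(first), int(last) + 1))
        elif "/" in item:                              # CIDR accepted as a convenience
            out.extend(str(h) for h in ipaddress.IPv4Network(item, strict=False).hosts())
        else:
            out.append(str(ipaddress.IPv4Address(item)))
    return out


def filter_accounts(logins: List[str], pattern: Optional[str]) -> List[str]:
    """'Filter by account names': shell-style wildcard, case-insensitive like Windows."""
    if not pattern:
        return list(logins)
    return [n for n in logins if fnmatch.fnmatchcase(n.lower(), pattern.lower())]


def discover_local(inventory: Dict[str, List[str]], spec: str, pattern: Optional[str]) -> List[str]:
    """Stand-in for local-account discovery. `inventory` maps a computer's IP to the
    local logins on it (constructed here; the product enumerates them remotely) and
    the result uses the IP as the Computer part of Computer\\Login."""
    found: List[str] = []
    for ip in expand_targets(spec):
        for login in filter_accounts(inventory.get(ip, []), pattern):
            found.append(f"{ip}\\{login}")
    return found


SAMPLE_INVENTORY = {                       # constructed data for the usage below
    "10.0.0.5": ["Administrator", "jsmith", "admbackup"],
    "10.0.0.6": ["Administrator", "Guest"],
    "10.0.0.9": ["admsvc"],
}

if __name__ == "__main__":
    print(parse_account_name("CORP\\jsmith", "Windows Domain"))
    print(discover_local(SAMPLE_INVENTORY, "10.0.0.5-10.0.0.6; 10.0.0.9", "Adm*"))
```

Expanding the address list before submitting it makes the size of a discovery visible up front: a range that accidentally spans thousands of hosts is cheap to notice here and expensive to clean up once every matching local account has been imported into a folder.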
3.3 Obtaining an Account Password

At any time you can obtain the current password of a specific managed account. To get the managed account password:

1. In the left pane, under Accounts, click the folder where the managed account resides, and then select the account in the details pane, under Managed Accounts.
2. Under Details, open the Password Access tab, click Check out, and let the product retrieve or generate the account password.
3. To view the password, click Show. The product displays the password next to Current password.

You can log on to the managed computers and perform administrative tasks using this password. Once you have completed the administrative activities, click Check in to release the account and allow other PAM users to access it. If you do not check in, the account is checked in automatically when the maximum checkout duration configured for it elapses. Note that the account password may be changed after you check it in, depending on the password maintenance settings in effect (see Configuring Password Maintenance Settings earlier in this guide), so do not store or reuse a checked-out password; obtain a fresh one each time. Every check-out is recorded in the account's audit trail (see Viewing Audit Information).
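As an added example (not NetWrix code), the following Python model ties together the settings described under Configuring Password Maintenance Settings (section 2.2) and the check-out and check-in procedure above: policy inheritance down the folder tree, single-holder check-out, automatic check-in when the maximum duration elapses, password change on check-in, and scheduled password changes. The class names, the password generator and the CORP\svc-backup scenario are assumptions made for the example.

```python
"""Model of the password maintenance policy (section 2.2) and the check-out /
check-in lifecycle (section 3.3). Example code written for this page, not
NetWrix's implementation; class names, password generator and scenario are assumed."""
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Policy:
    inherit: bool = True                  # "Inherit ... settings from parent folder"
    change_after_checkin: bool = False    # "Change password after check in"
    max_checkout_minutes: int = 60        # "Maximum password checkout duration"
    auto_change_every: Optional[timedelta] = None  # "Automatically change password every"

@dataclass
class Folder:
    name: str
    parent: Optional["Folder"] = None
    policy: Policy = field(default_factory=Policy)

@dataclass
class Account:
    name: str                             # Domain\Login or Computer\Login
    folder: Folder
    policy: Optional[Policy] = None       # per-account override; None = use the folder's
    password: str = ""
    checked_out_by: Optional[str] = None
    checkout_expires: Optional[datetime] = None
    last_changed: Optional[datetime] = None

def effective_policy(acct: Account) -> Policy:
    """Walk up while 'inherit' is set; the root folder's own settings apply at the top."""
    if acct.policy is not None and not acct.policy.inherit:
        return acct.policy
    node = acct.folder
    while node.policy.inherit and node.parent is not None:
        node = node.parent
    return node.policy

def new_password(length: int = 24) -> str:
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
    return "".join(secrets.choice(alphabet) for _ in range(length))

class Vault:
    def __init__(self) -> None:
        self.accounts: list = []
        self.audit: list = []             # every access is recorded (section 3.4)

    def _log(self, event: str, acct: Account, who: str, when: datetime) -> None:
        self.audit.append({"time": when, "event": event, "account": acct.name, "who": who})

    def rotate(self, acct: Account, now: datetime) -> None:
        acct.password, acct.last_changed = new_password(), now
        self._log("password-change", acct, "system", now)

    def maintain(self, now: datetime) -> None:
        """Product-side housekeeping: auto check-in of expired check-outs, then
        scheduled password changes (never while the account is checked out)."""
        for acct in self.accounts:
            pol = effective_policy(acct)
            if acct.checkout_expires is not None and now >= acct.checkout_expires:
                self.checkin(acct, acct.checked_out_by, now, automatic=True)
            due = (pol.auto_change_every is not None and acct.last_changed is not None
                   and now - acct.last_changed >= pol.auto_change_every)
            if due and acct.checked_out_by is None:
                self.rotate(acct, now)

    def checkout(self, acct: Account, user: str, now: datetime) -> str:
        self.maintain(now)
        if acct.checked_out_by is not None:   # one holder at a time
            raise RuntimeError(f"{acct.name} is checked out by {acct.checked_out_by}")
        if not acct.password:                 # first use: generate, as the product does
            self.rotate(acct, now)
        acct.checked_out_by = user
        acct.checkout_expires = now + timedelta(minutes=effective_policy(acct).max_checkout_minutes)
        self._log("checkout", acct, user, now)
        return acct.password

    def checkin(self, acct: Account, user: str, now: datetime, automatic: bool = False) -> None:
        acct.checked_out_by = acct.checkout_expires = None
        self._log("auto-checkin" if automatic else "checkin", acct, user, now)
        if effective_policy(acct).change_after_checkin:
            self.rotate(acct, now)            # the password the user saw is now dead

def demo_lifecycle() -> dict:
    """Constructed scenario: Accounts rotates on check-in with a 30-minute limit,
    a Tier0 child folder inherits it, and one made-up account lives in Tier0."""
    root = Folder("Accounts", policy=Policy(inherit=False, change_after_checkin=True, max_checkout_minutes=30))
    acct = Account("CORP\\svc-backup", Folder("Tier0", parent=root))
    vault = Vault()
    vault.accounts.append(acct)
    t0 = datetime(2011, 6, 1, 9, 0)
    first = vault.checkout(acct, "jsmith", t0)
    try:
        vault.checkout(acct, "bob", t0 + timedelta(minutes=5)); blocked = False  # still held
    except RuntimeError:
        blocked = True
    vault.maintain(t0 + timedelta(minutes=31))                   # past the 30-minute limit
    return {"inherited_limit": effective_policy(acct).max_checkout_minutes,
            "second_checkout_blocked": blocked, "auto_checked_in": acct.checked_out_by is None,
            "rotated_on_checkin": acct.password != first, "events": [e["event"] for e in vault.audit]}
```

The demo walks the exact path a user takes in this section: the first check-out generates a password, a second user is refused while the first still holds it, and after the inherited 30-minute limit the product checks the account in by itself and, because Change password after check in is set on the parent folder, the password the first user saw no longer works.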
3.4 Viewing Audit Information

PAM provides two types of audit reports: reports on all attempts to access the password information of a specific managed account, and a set of advanced reports powered by Microsoft SQL Server Reporting Services (hereafter SSRS). SSRS reports are available on the following events:

- Automatic updates of password
- Use of password by specific account
- Use of password by specific requestor
- Automatic check-ins of password
- Rarely used accounts
- Unused accounts

The Automatic check-ins report lists check-outs that ran to the maximum checkout duration without a manual check-in; a requestor who appears there repeatedly is holding passwords longer than the policy intends. The Unused and Rarely used accounts reports are the place to find managed accounts that discovery imported but nobody actually needs.

This section explains how to view the PAM reports. To view audit information, you must be at least a member of the Report Viewer security role.

3.4.1 Viewing Reports on Accessing Account Password

To view reports on attempts to access the password information of a specific managed account, perform the following steps:

1. In the left pane, under Accounts, click the folder where that account resides, and then select the account in the details pane, under Managed Accounts.
2. Under Details, open the Audit Trail tab.

[Screenshot: sample Audit Trail report for the EMTEST2008\JSmith account]

3.4.2 Viewing Advanced SSRS Reports

To view the SSRS-based reports, perform the following steps:

1. In the product main window, expand the Audit Reports node.
2. Under this node, click the link to the report, and then click View report in the details pane. The report opens in a separate window.
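The SSRS reports listed above are all derived from the same audit trail. As an added example (not the product's report definitions), the following Python computes each of them from a constructed set of audit records. The record layout, the EMTEST2008\JSmith, SRV01 and SRV02 entries, the CORP\alice and CORP\bob requestors, the 30-day window and the "rarely used" threshold are assumptions made for the example.

```python
"""Deriving the section 3.4 reports from an audit trail. Example code written for
this page, not the product's SSRS report definitions; the event layout, the
records below, the window and the 'rarely used' threshold are constructed."""
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed audit records: (time, event, managed account, requestor).
AUDIT = [
    ("2011-05-02 08:00", "checkout", "EMTEST2008\\JSmith", "CORP\\alice"),
    ("2011-05-02 08:40", "checkin", "EMTEST2008\\JSmith", "CORP\\alice"),
    ("2011-05-02 08:40", "password-change", "EMTEST2008\\JSmith", "system"),
    ("2011-05-03 14:10", "checkout", "EMTEST2008\\JSmith", "CORP\\bob"),
    ("2011-05-03 15:10", "auto-checkin", "EMTEST2008\\JSmith", "CORP\\bob"),
    ("2011-05-03 15:10", "password-change", "EMTEST2008\\JSmith", "system"),
    ("2011-05-10 00:00", "password-change", "SRV01\\Administrator", "system"),
    ("2011-05-20 11:05", "checkout", "SRV01\\Administrator", "CORP\\alice"),
    ("2011-05-20 11:30", "checkin", "SRV01\\Administrator", "CORP\\alice"),
]
MANAGED = ["EMTEST2008\\JSmith", "SRV01\\Administrator", "SRV02\\Administrator"]
NOW = datetime(2011, 6, 1)                 # constructed "report run" time

Record = Tuple[datetime, str, str, str]


def load(audit=AUDIT) -> List[Record]:
    return [(datetime.strptime(t, "%Y-%m-%d %H:%M"), ev, acct, who) for t, ev, acct, who in audit]


def uses_by_account(records: List[Record]) -> Dict[str, int]:
    """'Use of password by specific account': one use per check-out."""
    return dict(Counter(acct for _, ev, acct, _ in records if ev == "checkout"))


def uses_by_requestor(records: List[Record]) -> Dict[str, int]:
    """'Use of password by specific requestor'."""
    return dict(Counter(who for _, ev, _, who in records if ev == "checkout"))


def automatic_updates(records: List[Record]) -> int:
    """'Automatic updates of password': changes performed by the product itself."""
    return sum(1 for _, ev, _, who in records if ev == "password-change" and who == "system")


def automatic_checkins(records: List[Record]) -> List[Tuple[str, str, datetime]]:
    """'Automatic check-ins of password': check-outs that ran to the maximum duration.
    A requestor who shows up here repeatedly is holding passwords longer than intended."""
    return [(acct, who, t) for t, ev, acct, who in records if ev == "auto-checkin"]


def unused_accounts(records: List[Record], managed: List[str], now: datetime,
                    window: timedelta = timedelta(days=30)) -> List[str]:
    """'Unused accounts': managed accounts with no check-out inside the window."""
    since = now - window
    used = {acct for t, ev, acct, _ in records if ev == "checkout" and t >= since}
    return [a for a in managed if a not in used]


def rarely_used_accounts(records: List[Record], managed: List[str], now: datetime,
                         window: timedelta = timedelta(days=30), threshold: int = 2) -> List[str]:
    """'Rarely used accounts': fewer than `threshold` check-outs inside the window."""
    since = now - window
    counts = Counter(acct for t, ev, acct, _ in records if ev == "checkout" and t >= since)
    return [a for a in managed if counts[a] < threshold]


if __name__ == "__main__":
    recs = load()
    print("uses by account:", uses_by_account(recs))
    print("automatic check-ins:", automatic_checkins(recs))
    print("unused:", unused_accounts(recs, MANAGED, NOW))
    print("rarely used:", rarely_used_accounts(recs, MANAGED, NOW))
```

In the constructed data SRV02\Administrator never appears in the trail at all, which is exactly the signature of an account that discovery imported and nobody uses; and the single auto-checkin record shows CORP\bob holding EMTEST2008\JSmith past its checkout limit, the behaviour the Automatic check-ins report exists to surface.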
4. Contacting NetWrix

If you have any questions, please feel free to contact the NetWrix support team. NetWrix provides unlimited phone and email support for customers who purchase the commercial version (including evaluation). In addition, limited support is provided on the NetWrix Support Forum for customers who use the freeware version.

5. Disclaimer

The information in this publication is furnished for information use only, does not constitute a commitment from NetWrix Corporation of any features or functions discussed and is subject to change without notice. NetWrix Corporation assumes no responsibility or liability for any errors or inaccuracies that may appear in this publication. NetWrix is a registered trademark of NetWrix Corporation. The NetWrix logo and all other NetWrix product or service names and slogans are registered trademarks or trademarks of NetWrix Corporation. Active Directory is a trademark of Microsoft Corporation. All other trademarks and registered trademarks are property of their respective owners.

© 2011 NetWrix Corporation. All rights reserved. www.netwrix.com