
“Shared superuser accounts – typically system-defined in operating systems, databases, network devices and elsewhere – present significant risks.



Presentation on theme: "“Shared superuser accounts – typically system-defined in operating systems, databases, network devices and elsewhere – present significant risks."— Presentation transcript:


5 “Shared superuser accounts – typically system-defined in operating systems, databases, network devices and elsewhere – present significant risks when the passwords are routinely shared by multiple users.” Gartner MarketScope for Shared-Account/Software-Account Password Management, 2009

6 Where shared privileged accounts live
– Mainframes: UID=0, Line-of-business; RACF Special, …
– Applications: Setup, Admin, App Local; Web Service Accounts, …
– VM Environments: Administrator; Root
– Server, Desktop & Network OS: Administrator, Domain/Local; Root, Super user, Admin, …
– Databases (DBA + Apps): SA, Sysadmin; SYS, …
– Middleware: Proxy Accounts; Gateway Accounts, …

7 Manual Processes
– Error-Prone
– “Like Painting the Golden Gate Bridge…” Or, Never Changed


11 ERPM Architecture

12 Password Recovery Console

13 Audited Password Check Out

14 Dashboard Drill Down

15 [Diagram: Hosted Virtualization – Shared Hardware, Host Operating System, Hypervisor, Virtual Machine #1 … Virtual Machine #n, each with its own OS and Applications]
Every privileged identity – in every host OS, guest OS, and application – presents a potential security threat if unsecured.

16 Document that You Have Measures In Place To…

Regulation (who it applies to):
– FISMA – NIST Special Publication 800-53 R. 3 (Defense Contractors, Information Processors)
– HIPAA (Providers, Insurance Plans, Employers, Health Care Clearinghouses)
– NERC (Transmission Service Providers / Owners / Operators, Generation Owners / Operators, Load Serving Entities, …)
– PCI-DSS (Entities that store, process, or transmit credit card data)
– US NRC Regulatory Guide 5.71 (Operators, Vendors, Contractors)

Identify and track the location of privileged account credentials:
– FISMA: AC-2, AC-4
– NERC: B.R5.1. (Implicit)
– PCI-DSS: 7.2.1
– US NRC: Appendix A, B.1.2; Appendix A, B.1.3; Appendix A, B.1.4

Enforce rules for password strength, uniqueness, change frequency:
– FISMA: AC-2
– HIPAA: 45§164.308(5)(D), 45§164.312(2)(i)
– NERC: B.R5.3.1., B.R5.3.2., B.R5.3.3.
– PCI-DSS: 8.5.5, 8.5.8, 8.5.9
– US NRC: Appendix A, B.1.2

Delegate so that only appropriate personnel can access:
– FISMA: AC-3, AC-6
– HIPAA: 45§164.308(3)(i), 45§164.308(3)(B), 45§164.308(3)(C), 45§164.312(a)(1)
– NERC: B.R5.1., B.R5.2., B.R5.2.1., B.R5.2.3.
– PCI-DSS: 2.1, 6.3.6, 7.7.1, 8.5.4, 8.5.6
– US NRC: Appendix A, B.1.2; Appendix A, B.1.3; Appendix A, B.1.5; Appendix A, B.1.6

Audit and alert to show requesters, access history, purpose, duration, etc.:
– FISMA: AU-3, AU-9
– HIPAA: 45§164.308(5)(C)
– NERC: B.R5.1.2.
– PCI-DSS: 10.2
– US NRC: Appendix A, B.1.2; Appendix A, B.1.3


21 System Center integration
– Grant Access to Privileged Credentials within SCOM/SCCM Interface
– Update SCOM Credentials
– Provide Trouble Ticket Integration with SCSM


23 Right-Click to Recover Passwords in SCCM, SCOM


25 Privileged Identity Incident in SCSM


36 Check out a password with a reason, use it, check it back in
    $password = Get-LSPasswordWithReason $token devpat3 DomainName TestUser "Adding machine to domain"
    # PSCredential requires a SecureString; convert if the cmdlet returned plain text
    if ($password -is [string]) { $password = ConvertTo-SecureString $password -AsPlainText -Force }
    $DomainCredential = New-Object System.Management.Automation.PSCredential -ArgumentList "TestUser", $password
    # check the password back in even if the domain join fails, so it is not left checked out
    try     { Add-Computer -DomainName DomainName -Credential $DomainCredential }
    finally { Set-LSPasswordCheckIn $token devpat3 DomainName TestUser "Added machine to domain" }

37 Rotate every local administrator password on a system
    $LocalAccounts = Get-LSListWindowsAccountsForSystem $token devpat3
    # create a new empty array to store our local admin accounts
    $LocalAdmins = @()
    foreach ($account in $LocalAccounts) {
        # add only the accounts that have admin permissions to the list for job creation
        if ($account.Privilege -eq 2) { $LocalAdmins += $account }
    }
    foreach ($LocalAdmin in $LocalAdmins) {
        # create a job for each local admin account on the system: do not create the account
        # if it is not found, set the password to a random 14-character string, and run the job immediately
        New-LSJobWindowsChangePassword $token devpat3 $LocalAdmin.AccountName $false 14 -RunNow
    }
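A reusable wrapper for the check-out / use / check-in pattern of slides 36 and 37, added here as an example; it is not part of the deck or of the product's own cmdlets. It uses only the cmdlets and positional argument order shown on the slides; that Get-LSPasswordWithReason may return plain text, and the names $token, devpat3, DomainName and TestUser, are assumptions.

```powershell
# Added example, not from the deck: every use of a checked-out privileged password
# is tied to a recorded reason, the check-in always happens (even on failure), and
# the plaintext is dropped from the session as soon as the credential is built.
function Invoke-WithCheckedOutPassword {
    param(
        [Parameter(Mandatory)] $Token,                 # session token from the ERPM web service (assumed)
        [Parameter(Mandatory)] [string] $SystemName,   # managed system, e.g. devpat3
        [Parameter(Mandatory)] [string] $Namespace,    # domain or local machine name
        [Parameter(Mandatory)] [string] $AccountName,
        [Parameter(Mandatory)] [string] $Reason,       # stored in the check-out audit record
        [Parameter(Mandatory)] [scriptblock] $Action   # receives a PSCredential as its only argument
    )
    # argument order as on slide 36: token, system, namespace, account, reason
    $plain = Get-LSPasswordWithReason $Token $SystemName $Namespace $AccountName $Reason
    try {
        # assumption: the cmdlet may return either a SecureString or plain text
        $secure = if ($plain -is [securestring]) { $plain }
                  else { ConvertTo-SecureString $plain -AsPlainText -Force }
        Remove-Variable plain
        $cred = New-Object System.Management.Automation.PSCredential `
                    -ArgumentList "$Namespace\$AccountName", $secure
        & $Action $cred
    }
    finally {
        # check in even when the action throws, so the credential is never left checked out
        Set-LSPasswordCheckIn $Token $SystemName $Namespace $AccountName "Done: $Reason"
        Remove-Variable secure, cred -ErrorAction SilentlyContinue
    }
}

# usage: the domain join from slide 36, with guaranteed check-in
Invoke-WithCheckedOutPassword -Token $token -SystemName devpat3 -Namespace DomainName `
    -AccountName TestUser -Reason "Adding machine to domain" -Action {
        param($cred)
        Add-Computer -DomainName DomainName -Credential $cred
    }
```

After the check-in, the password can be rotated with New-LSJobWindowsChangePassword as on slide 37 so that the checked-out value is single-use.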


48 Complete your session evaluations today and enter to win prizes daily. Provide your feedback at a CommNet kiosk or log on at www.2013mms.com. Upon submission you will receive instant notification if you have won a prize. Prize pickup is at the Information Desk located in Attendee Services in the Mandalay Bay Foyer. Entry details can be found on the MMS website.
