THR2063: Automate password changes for Windows Services, Administrator, Root Accounts & SSH Keys. Jonathan Sander, Lieberman.
Presentation transcript:

“Shared superuser accounts – typically system-defined in operating systems, databases, network devices and elsewhere – present significant risks when the passwords are routinely shared by multiple users.” Gartner MarketScope for Shared-Account/Software-Account Password Management, 2009

Mainframes
– UID=0, Line-of-business
– RACF Special, …
Applications
– Setup, Admin, App Local
– Web Service Accounts, …
VM Environments
– Administrator
– Root
Server, Desktop & Network OS
– Administrator, Domain/Local
– Root, Super user, Admin, …
Databases (DBA + Apps)
– SA, Sysadmin
– SYS, …
Middleware
– Proxy Accounts
– Gateway Accounts, …

Manual Processes
– Error-Prone
– “Like Painting the Golden Gate Bridge…”
– Or, Never Changed
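The “never changed” failure mode above is easy to measure locally. The following script is an added example, not part of the slides or of the vendor's product: it lists the members of the local Administrators group and flags local accounts whose password is older than a policy window. It uses only the built-in Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10 / Server 2016 and later); the 90-day window in $MaxPasswordAgeDays is an assumed policy value.

```powershell
# Added example (not from the slides): audit local Administrators for stale passwords.
# Requires the Microsoft.PowerShell.LocalAccounts module and an elevated session.
param(
    [int]$MaxPasswordAgeDays = 90   # assumed policy value; adjust to your standard
)

$cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)

# Resolve the group by its well-known SID so this works on non-English installs.
$members = Get-LocalGroupMember -SID 'S-1-5-32-544'

$report = foreach ($m in $members) {
    # Domain users/groups nested in Administrators are governed by domain policy;
    # report them so they are visible, but do not try to read a local password age.
    if ($m.ObjectClass -ne 'User' -or $m.PrincipalSource -ne 'Local') {
        [pscustomobject]@{
            Account         = $m.Name
            Source          = "$($m.PrincipalSource)/$($m.ObjectClass)"
            Enabled         = $null
            PasswordLastSet = $null
            Status          = 'NotLocalUser'
        }
        continue
    }

    # Get-LocalGroupMember reports 'COMPUTERNAME\user'; Get-LocalUser wants the bare name.
    $user = Get-LocalUser -Name (($m.Name -split '\\')[-1])

    $status = 'OK'
    if (-not $user.Enabled)                      { $status = 'Disabled' }
    elseif ($null -eq $user.PasswordLastSet)     { $status = 'NeverSet' }   # password never set or changed
    elseif ($user.PasswordLastSet -lt $cutoff)   { $status = 'Stale' }

    [pscustomobject]@{
        Account         = $m.Name
        Source          = 'Local/User'
        Enabled         = $user.Enabled
        PasswordLastSet = $user.PasswordLastSet
        Status          = $status
    }
}

$report | Sort-Object Status | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or monitoring check raise an alert.
$stale = @($report | Where-Object { $_.Status -in 'Stale', 'NeverSet' })
if ($stale.Count -gt 0) {
    Write-Warning "$($stale.Count) local administrator account(s) need rotation: $($stale.Account -join ', ')"
    exit 1
}
exit 0
```

Run it from an elevated prompt on each host (or through your configuration-management tool); Status is one of OK, Stale, NeverSet, Disabled or NotLocalUser, and any Stale or NeverSet row is a candidate for the automated rotation the rest of the session describes.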

ERPM Architecture

Password Recovery Console

Audited Password Check Out

Dashboard Drill Down

Shared Hardware
Host Operating System
Hosted Virtualization: Hypervisor
Virtual Machine #1: OS, Applications
Virtual Machine #2: OS, Applications
Virtual Machine #n: OS, Applications
Every privileged identity – in every host OS, guest OS, and application – presents a potential security threat if unsecured.

Document that You Have Measures In Place To…

Regulations and who they apply to:
FISMA (NIST Special Publication R. 3): Defense Contractors, Information Processors
HIPAA: Providers, Insurance Plans, Employers, Health Care Clearinghouses
NERC: Transmission Service Providers / Owners / Operators, Generation Owners / Operators, Load Serving Entities, …
PCI-DSS: Entities that store, process, or transmit credit card data
US NRC Regulatory Guide 5.71: Operators, Vendors, Contractors

Identify and track the location of privileged account credentials
  FISMA: AC-2, AC-4
  NERC: B.R5.1.
  PCI-DSS: (Implicit)
  US NRC: Appendix A, B.1.2; Appendix A, B.1.3; Appendix A, B.1.4

Enforce rules for password strength, uniqueness, change frequency
  FISMA: AC-2
  HIPAA: 45§ (5)(D); 45§ (2)(i)
  NERC: B.R; B.R; B.R
  US NRC: Appendix A, B.1.2

Delegate so that only appropriate personnel can access
  FISMA: AC-3, AC-6
  HIPAA: 45§ (3)(i); 45§ (3)(B); 45§ (3)(C); 45§ (a)(1)
  NERC: B.R5.1.; B.R5.2.; B.R; B.R
  US NRC: Appendix A, B.1.2; Appendix A, B.1.3; Appendix A, B.1.5; Appendix A, B.1.6

Audit and alert to show requesters, access history, purpose, duration, etc.
  FISMA: AU-3, AU-9
  HIPAA: 45§ (5)(C)
  NERC: B.R
  US NRC: Appendix A, B.1.2; Appendix A, B.1.3

Grant Access to Privileged Credentials within SCOM/SCCM Interface
Update SCOM Credentials
Provide Trouble Ticket Integration with SCSM

Right-Click to Recover Passwords in SCCM, SCOM

Privileged Identity Incident in SCSM

# Check out the domain-join account's password, recording the reason for the audit trail
$password = Get-LSPasswordWithReason $token devpat3 DomainName TestUser "Adding machine to domain"
# Wrap it in a PSCredential for Add-Computer (constructor arguments must be passed as one list)
$DomainCredential = New-Object System.Management.Automation.PSCredential -ArgumentList TestUser, $password
Add-Computer -DomainName DomainName -Credential $DomainCredential
# Check the password back in so it can be rotated again
Set-LSPasswordCheckIn $token devpat3 DomainName TestUser "Added machine to domain"
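The slide's check-out, use, check-in sequence leaves the password checked out if Add-Computer throws, which blocks the next rotation. The following is an added example, not the slides' or the vendor's own code: it wraps the same three steps in a function whose finally block guarantees the check-in. It assumes the ERPM cmdlets exactly as the slide uses them (Get-LSPasswordWithReason and Set-LSPasswordCheckIn with positional token, system, domain, account and reason arguments, the former returning a value PSCredential accepts), an already authenticated $token, and the slide's sample names devpat3, DomainName and TestUser.

```powershell
# Added example (not from the slides): checked-out credential with guaranteed check-in.
# Assumes the ERPM cmdlets as shown on the slide and an authenticated $token.
function Invoke-WithCheckedOutCredential {
    param(
        [Parameter(Mandatory)] $Token,
        [Parameter(Mandatory)] [string]$System,
        [Parameter(Mandatory)] [string]$Domain,
        [Parameter(Mandatory)] [string]$Account,
        [Parameter(Mandatory)] [string]$Reason,
        [Parameter(Mandatory)] [scriptblock]$Action   # receives the PSCredential as its only argument
    )

    # The check-out is audited with the stated reason, so keep the reason specific.
    $password = Get-LSPasswordWithReason $Token $System $Domain $Account $Reason
    $cred = New-Object System.Management.Automation.PSCredential -ArgumentList $Account, $password
    $outcome = 'failed'
    try {
        & $Action $cred
        $outcome = 'succeeded'
    }
    finally {
        # Runs on success, on exception and on Ctrl-C: the check-in is what allows the
        # password to be rotated, so a failure in $Action must not leave it checked out.
        Set-LSPasswordCheckIn $Token $System $Domain $Account "$Reason ($outcome)"
        $password = $null
        $cred = $null
    }
}

# Usage: the slide's domain join, with the check-in guaranteed even if the join fails.
Invoke-WithCheckedOutCredential -Token $token -System devpat3 -Domain DomainName -Account TestUser `
    -Reason 'Adding machine to domain' -Action {
        param($DomainCredential)
        # -ErrorAction Stop turns a non-terminating error into an exception so the
        # outcome recorded at check-in is accurate.
        Add-Computer -DomainName DomainName -Credential $DomainCredential -ErrorAction Stop
    }
```

The outcome string appended to the check-in reason gives the audit log both the original purpose and whether the privileged operation actually succeeded, which is what a reviewer drilling down from the dashboard wants to see.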

# List the local accounts known for the target system
$LocalAccounts = Get-LSListWindowsAccountsForSystem $token devpat3
# create a new empty array to store our local admin accounts
$LocalAdmins = @()
foreach ($account in $LocalAccounts) {
    # this will add only the accounts that have admin permissions to the list for job creation
    if ($account.Privilege -eq 2) {
        $LocalAdmins = $LocalAdmins + $account
    }
}
foreach ($LocalAdmin in $LocalAdmins) {
    # this creates a new job for each local admin account on the system, will not create the
    # account if it is not found, sets the password to a random 14 character string, and
    # schedules the job to run immediately.
    New-LSJobWindowsChangePassword $token devpat3 $LocalAdmin.AccountName $false 14 -RunNow
}

Complete your session evaluations today and enter to win prizes daily. Provide your feedback at a CommNet kiosk or log on at Upon submission you will receive instant notification if you have won a prize. Prize pickup is at the Information Desk located in Attendee Services in the Mandalay Bay Foyer. Entry details can be found on the MMS website.