

Enterprise Password Managers

Author: Rich Rumble
Enterprise password manager suites as well as local password managers are covered in this article.
This article is an adjunct to the personal password managers article.

Local Admin Passwords
SHIPS is a centralized password administration tool targeted at the local administrator passwords of PCs and servers. The goal of SHIPS is to create unique local admin passwords that don't have to be known to anyone other than those who are delegated access.
LAPS from Microsoft is very similar to SHIPS; however, the passwords are stored in Active Directory rather than in SHIPS's server/database model. Passwords are stored in plain text in a restricted, extended AD attribute. That attribute, much like BitLocker recovery keys, is well protected.

Rotation of these accounts is configurable in both products: depending on the product, you can have the passwords changed at a scheduled interval or even after the next logon with that account. Both products create unique passwords for each account, so there are no more shared passwords.
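As an added example (not from this article), here is a PowerShell check against the legacy Microsoft LAPS module that shows who is delegated read access to the password attribute, which machines have no LAPS password or an expired one, and how a rotation is forced after a delegated use; the OU distinguished name is a placeholder, and the AdmPwd.PS and ActiveDirectory modules are assumed to be installed.

```powershell
# Added example, not part of the article. Assumes the legacy LAPS (AdmPwd.PS)
# and ActiveDirectory modules are installed; $OU is a placeholder to replace.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$OU = 'OU=Workstations,DC=example,DC=local'   # placeholder OU distinguished name

# 1. Who can read the protected ms-Mcs-AdmPwd attribute in this OU?
#    Find-AdmPwdExtendedRights lists principals holding "All extended rights",
#    which is what grants read access to the plain-text password.
Write-Host "Principals able to read LAPS passwords under $OU"
Find-AdmPwdExtendedRights -Identity $OU |
    ForEach-Object { $_.ExtendedRightHolders } |
    Sort-Object -Unique

# 2. Which computers have no LAPS password, or one whose expiration has passed?
#    ms-Mcs-AdmPwdExpirationTime is a FILETIME (Int64). An absent value means
#    LAPS never set a password on that machine (client-side extension missing
#    or the GPO never applied), so a shared or unknown local admin password is
#    probably still in place there.
$now = (Get-Date).ToUniversalTime()
Get-ADComputer -SearchBase $OU -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    ForEach-Object {
        $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
        $state = if (-not $raw) { 'NO LAPS PASSWORD' }
                 else {
                     $exp = [DateTime]::FromFileTimeUtc([int64]$raw)
                     if ($exp -lt $now) { "EXPIRED ($exp UTC)" } else { "OK until $exp UTC" }
                 }
        [PSCustomObject]@{ Computer = $_.Name; State = $state }
    } | Format-Table -AutoSize

# 3. Force rotation for one host after a delegated use: this only writes a new
#    expiration time; the client changes the password at its next Group Policy
#    refresh. (Commented out so the audit above runs read-only.)
# Reset-AdmPwdPassword -ComputerName 'PC-007'
```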

Full Featured Password Suites - Enterprise
There are many products that offer to do more than just the local passwords; they can manage third-party logins as well. Some have autofill functionality (see my other article), others feature authentication workflows. An authentication workflow is where you don't have access to a resource but want it, so you use the Password Access Manager software to request the access. An automated workflow may approve or deny you, or a more manual workflow may require another person to take action on the request. Many people will know the concept if they have used SharePoint and been denied access to a certain area, page or site: often there is an additional option on the access-denied page to request access.

In addition to the workflows, the enterprise PMs add a level of auditing and accountability you don't have when sharing accounts ordinarily. If you or I were to log on to a computer with the local admin account, all the logs say is that *someone* logged on with the local account-x; you and I both know the password, so each of us could deny having logged on if asked. PMs add their own audit logs to the mix, and they know that it was YOU who logged on using the local account, because YOU made the request, and since the password is rotated often, you could not have known the password otherwise. The PM logged you (jdoe) using the credential "account-x" to access "PC-007" at 1-1-2017 06:02:58.

There are too many differentiating factors to get into, but below are about 30 solutions for the enterprise:
Here is some Gartner info on privileged access management:
http://itsecurityleaders.com/wp-content/uploads/2015/09/BeyondTrust-Privileged-Account-Management-Research-Solutions-2015-Gartner-Market-Guide.pdf (2015)
https://www.gartner.com/technology/media-products/newsletters/beyondtrust/1-3B8FB2Z/gartner.html (2016)
