Enterprise Password Managers

Rich Rumble, Security Samurai
OSCP certified, need I say more?
This article covers both enterprise password manager suites and local administrator password managers.
It is a companion to my article on personal password managers.

Local Admin Passwords
SHIPS is a centralized password administration tool aimed at the local administrator passwords of PCs and servers. Its goal is to give every machine a unique local admin password that nobody needs to know except those who are delegated access to it.
LAPS from Microsoft is very similar to SHIPS, but it stores the passwords in Active Directory rather than in SHIPS's server/database model. Passwords are stored in plaintext in a restricted, extended AD attribute, and that attribute, much like BitLocker keys, is well protected.

Rotation of these accounts is configurable in both products: depending on the product, the password can be changed on a scheduled interval or even after the next logon with that account. Both products create a unique password for each account, so there are no more shared passwords.
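As an added example (not from the article), here is a PowerShell audit for a LAPS deployment that checks the two things this section relies on: that only delegated principals can read the password attribute, and that rotation is actually happening on schedule. It assumes RSAT ActiveDirectory and the LAPS AdmPwd.PS module are installed; the OU path is a placeholder.

```powershell
# Added example, not from the article: audit a Microsoft LAPS (AdmPwd.PS) deployment.
# Assumes the ActiveDirectory (RSAT) and AdmPwd.PS modules are installed and the
# LAPS schema extension is in place.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

# Placeholder OU holding the managed PCs/servers; adjust to your directory.
$ou = 'OU=Workstations,DC=example,DC=com'

# 1. Who can read the plaintext password attribute (ms-Mcs-AdmPwd) in this OU?
#    Only the delegated admin group should appear; broad groups are a finding.
Find-AdmPwdExtendedRights -Identity $ou |
    Select-Object -ExpandProperty ExtendedRightHolders -Unique |
    ForEach-Object { Write-Output "Can read ms-Mcs-AdmPwd in ${ou}: $_" }

# 2. Which computers are past their rotation deadline (client not rotating)?
#    ms-Mcs-AdmPwdExpirationTime is a FILETIME: 100-ns ticks since 1601-01-01 UTC.
$now = (Get-Date).ToFileTimeUtc()
Get-ADComputer -SearchBase $ou -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    Where-Object {
        $_.'ms-Mcs-AdmPwdExpirationTime' -and
        [int64]$_.'ms-Mcs-AdmPwdExpirationTime' -lt $now
    } |
    ForEach-Object {
        $due = [DateTime]::FromFileTimeUtc([int64]$_.'ms-Mcs-AdmPwdExpirationTime')
        Write-Output ("Stale rotation: {0} (was due {1:u})" -f $_.Name, $due)
    }
```

A computer that never reports an expiration time has not had the LAPS client apply the policy yet, so an empty attribute is worth a separate check.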

Full Featured Password Suites - Enterprise
There are many products that do more than manage local passwords; they can manage third-party logins as well. Some offer autofill functionality (see my other article), others feature authentication workflows. An authentication workflow is where you do not have access to a resource but want it, so you use the password access manager software to request that access. An automated workflow may approve or deny the request, or a more manual workflow may require another person to act on it. Many people will know the concept from SharePoint: when you are denied access to an area, page or site, the access-denied page often offers an option to request access.

In addition to the workflows, enterprise PMs add a level of auditing and accountability you do not get when sharing accounts in the ordinary way. If you or I were to log on to a computer with the local admin account, all the logs say is that *someone* logged on with local account-x; since we both know the password, each of us could deny having logged on if asked. PMs add their own audit logs to the mix, and they know that it was YOU who logged on with the local account, because YOU made the request, and since the password is rotated often you could not have known it otherwise. The PM logged you (jdoe) using the credential "account-x" to access "PC-007" at 1-1-2017 06:02:58.

There are too many differentiating factors to get into here, but below are about 30 solutions aimed at the enterprise:
Here is some Gartner information on privileged access management:
http://itsecurityleaders.com/wp-content/uploads/2015/09/BeyondTrust-Privileged-Account-Management-Research-Solutions-2015-Gartner-Market-Guide.pdf (2015)
https://www.gartner.com/technology/media-products/newsletters/beyondtrust/1-3B8FB2Z/gartner.html (2016)
