- Local Computer Privileged Identity Management – local computer admin accounts are primary targets for hackers. EmpowerID connects to your servers and then, after evaluation, begins to control membership via RBAC and ABAC policies.
- Privileged Account Discovery and Password Rotation – privileged accounts and their passwords require special dispensation and management. Here we take a quick look at how EmpowerID does this.
- Windows Service and IIS App Pool Identities – these systems have their own sets of complexities and challenges but, once connected, EmpowerID handles these automatically.
Local Computer Privileged Identity Management
Because local computer administrator accounts effectively “own the machine”, and have full access to all local resources, including databases, they are a primary target for hackers.
This initial local admin hack then provides the springboard from which additional attacks take place.
Such access not only represents a potential audit risk under regulations such as SOX, HIPAA, PCI-DSS, FINMA, MAS, FISMA, and NERC, but also raises the risk to your entire network and its contents.
To prevent this, first, EmpowerID inventories your servers to discover, monitor, and control local users and groups, including local administrators.
EmpowerID then uses role and attribute-based access control (RBAC and ABAC) policies to:
- Control membership to the local administrators group.
- Allow for access requests through the IT Shop.
One additional function that EmpowerID offers is that all privileged identities can be assigned to policies that automate the rotation of their passwords. In accordance with such policies, and across your entire connected and managed system, EmpowerID resets passwords and updates the vaulted information.
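The membership control described above, reduced to a standalone drift check. This is an added example, not EmpowerID code: it assumes WinRM access to two hypothetical hosts (SRV-APP01, SRV-DB01) and an approved list (CORP\ServerAdmins, CORP\svc-empowerid) that stands in for whatever an RBAC policy would allow, and it reports any member of the local Administrators group that the policy does not cover.

```powershell
# Added example (not EmpowerID code): compare the local Administrators group on a set of
# servers against a policy-approved list and report drift. Needs PowerShell 5.1+ on the
# targets (Get-LocalGroupMember) and WinRM. Host names and approved principals are
# constructed placeholders.

$Computers      = @('SRV-APP01', 'SRV-DB01')      # assumption: hypothetical hosts
$ApprovedAdmins = @(                              # assumption: what the RBAC policy permits
    'CORP\ServerAdmins',                          # a domain group rather than individual users
    'CORP\svc-empowerid'                          # the management account itself
)

function Get-LocalAdminDrift {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string[]] $Approved
    )

    # Query by well-known SID so localized group names (e.g. "Administratoren") still resolve.
    $members = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-LocalGroupMember -SID 'S-1-5-32-544' |
            Select-Object Name, ObjectClass, PrincipalSource, SID
    }

    foreach ($m in $members) {
        # The built-in local Administrator (RID 500) is governed by vaulting and rotation,
        # not by group-membership policy, so it is not reported as drift here.
        if ("$($m.SID)" -like 'S-1-5-21-*-500') { continue }

        [pscustomobject]@{
            Computer = $m.PSComputerName
            Member   = $m.Name
            Type     = $m.ObjectClass          # User or Group
            Source   = $m.PrincipalSource      # Local, ActiveDirectory, AzureAD, ...
            Approved = ($Approved -contains $m.Name)
        }
    }
}

$drift = Get-LocalAdminDrift -ComputerName $Computers -Approved $ApprovedAdmins |
    Where-Object { -not $_.Approved }

if ($drift) {
    # Unapproved members are the finding: route them through an access request or remove them under policy.
    $drift | Format-Table -AutoSize
} else {
    Write-Host 'Local Administrators membership matches policy on all hosts.'
}
```

Matching on the approved list is by account name; if your policy is expressed in SIDs, compare `$m.SID` instead so that renamed accounts cannot slip through.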
Privileged Account Discovery and Password Rotation
EmpowerID’s Computer Identity Management automatically discovers and manages local privileged accounts and groups on all your server systems, including Windows, Linux and Unix, and VMware ESXi.
Once identified, these privileged identities can be recertified, assigned to owners, and managed throughout their entire lifecycle.
In the same manner as with Local Computer Privileged Identity Management, passwords can be set to rotate on a schedule, thereby reducing the window of opportunity in which hackers can compromise a password.
Windows Service and IIS App Pool Identities
For Windows servers, EmpowerID can drill down to a deeper level and inventory and manage the identities that are used for Windows Services and IIS Application Pools.
Typically, these identities are undermanaged and use static passwords. Those are two red flags on their own, and two further challenges make the problem worse:
- knowing which systems these identities are actually used on;
- the effort required to update those systems after a password change.
EmpowerID handles these special identities and challenges automatically.
It does so by automating system updates each time the password is rotated. Moreover, admins can also assign vaulted privileged identities to Services and IIS App Pools through web-based workflows and set them on a rotation schedule to close this critical vulnerability.
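The two challenges above, finding where a service identity is used and pushing a rotated password to every use, shown as a standalone script. This is an added example, not EmpowerID code: it assumes WinRM access to hypothetical hosts SRV-WEB01 and SRV-WEB02, a vaulted account CORP\svc-web, and that the new password has already been set in the directory and the vault and is retrieved at run time rather than stored in the script.

```powershell
# Added example (not EmpowerID code): locate every Windows Service and IIS Application Pool
# on a set of servers that runs as a given identity, then apply an already-rotated password
# to each use. Host names and the account are constructed placeholders.

$Computers = @('SRV-WEB01', 'SRV-WEB02')   # assumption: hypothetical hosts
$Account   = 'CORP\svc-web'                # assumption: a vaulted service identity

function Find-IdentityUsage {
    param([string[]] $ComputerName, [string] $Identity)

    Invoke-Command -ComputerName $ComputerName -ArgumentList $Identity -ScriptBlock {
        param($Identity)

        # Windows Services: StartName holds the logon account.
        Get-CimInstance Win32_Service |
            Where-Object { $_.StartName -and $_.StartName -ieq $Identity } |
            ForEach-Object { [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; Identity = $_.StartName } }

        # IIS app pools: only pools with identityType SpecificUser carry an explicit account.
        if (Get-Module -ListAvailable WebAdministration) {
            Import-Module WebAdministration
            Get-ChildItem IIS:\AppPools |
                Where-Object { $_.processModel.identityType -eq 'SpecificUser' -and
                               $_.processModel.userName -ieq $Identity } |
                ForEach-Object { [pscustomobject]@{ Kind = 'AppPool'; Name = $_.Name; Identity = $_.processModel.userName } }
        }
    } | Select-Object PSComputerName, Kind, Name, Identity
}

function Set-IdentityPassword {
    param([string[]] $ComputerName, [string] $Identity, [securestring] $NewPassword)

    # The plaintext only exists for the duration of the remote call.
    $plain = [System.Net.NetworkCredential]::new('', $NewPassword).Password
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Identity, $plain -ScriptBlock {
        param($Identity, $Password)

        # Services: Win32_Service.Change stores the new credential; ReturnValue 0 means success.
        Get-CimInstance Win32_Service |
            Where-Object { $_.StartName -ieq $Identity } |
            ForEach-Object {
                $r = Invoke-CimMethod -InputObject $_ -MethodName Change `
                        -Arguments @{ StartName = $Identity; StartPassword = $Password }
                [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; ReturnValue = $r.ReturnValue }
            }

        # App pools: rewrite processModel (identityType 3 = SpecificUser) and recycle the pool.
        if (Get-Module -ListAvailable WebAdministration) {
            Import-Module WebAdministration
            Get-ChildItem IIS:\AppPools |
                Where-Object { $_.processModel.identityType -eq 'SpecificUser' -and
                               $_.processModel.userName -ieq $Identity } |
                ForEach-Object {
                    Set-ItemProperty "IIS:\AppPools\$($_.Name)" -Name processModel `
                        -Value @{ userName = $Identity; password = $Password; identityType = 3 }
                    Restart-WebAppPool -Name $_.Name
                    [pscustomobject]@{ Kind = 'AppPool'; Name = $_.Name; ReturnValue = 0 }
                }
        }
    } | Select-Object PSComputerName, Kind, Name, ReturnValue
}

# 1. Inventory: answers "which systems is this identity actually used on?"
$usage = Find-IdentityUsage -ComputerName $Computers -Identity $Account
$usage | Format-Table -AutoSize

# 2. Push the rotated password to every use so nothing keeps running with the stale secret.
$newPw = Read-Host -AsSecureString "New password for $Account (retrieved from the vault)"   # assumption: manual retrieval
Set-IdentityPassword -ComputerName ($usage.PSComputerName | Sort-Object -Unique) -Identity $Account -NewPassword $newPw |
    Format-Table -AutoSize
```

Run the inventory step on its own first; a non-zero ReturnValue from the update step, or a host that appears in the inventory but not in the update output, is exactly the stale-credential case that causes outages after a rotation, so treat it as a finding rather than a warning.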
As mentioned previously, with EmpowerID, all privileged identities can be assigned to policies that automate the rotation of their passwords.
Through its extensive network of connectors, EmpowerID can then automatically reset the passwords in your entire managed system and update vaulted information, as required.