Privileged Account Management Manual
Documentation for Privileged Account Management features in Passwordstate - Account Discoveries, Password Resets and Password Validations.
Overview
Passwordstate can automate the management of privileged accounts, by discovering accounts on your network, resetting the account passwords and performing “heartbeats” on these passwords so you can be sure the passwords are in sync. Below is a list of account types that Passwordstate natively manages:
- Microsoft Active Directory, Local Administrator Windows Accounts, Windows Scheduled Tasks, Windows Services, IIS Application Pools, SQL Accounts, COM+ Components, Office 365 and Microsoft Entra ID Accounts
- Cisco Routers and Switches
- Linux Accounts - including root (CentOS, Debian, Fedora, Mac OS X, Mint, Open SUSE, Oracle Linux, Oracle Solaris, RedHat Linux, Scientific Linux, Solaris, SUSE Enterprise Desktop, SUSE Enterprise Server, Ubuntu)
- MySQL Accounts
- Oracle Accounts
- MariaDB Accounts
- Palo Alto Firewalls
- PostgreSQL Accounts
- HP iLO out of band management cards
- HP H3C switches and routers
- HP Procurve switches and routers
- F5 BIG-IP Load Balancers
- IBM's IMM out of band management cards
- Dell's iDRAC out of band management cards
- VMWare ESX Accounts
- Juniper Junos devices
- Juniper ScreenOS firewalls Accounts
- Fortigate Firewall Accounts
- SonicWALL Firewall Accounts
Custom PowerShell Reset Scripts
If you have a system that is not natively supported in the list above, you have the ability to write your own custom scripts and use them in Passwordstate to manage the accounts on those systems. This feature also allows you to add in your custom operating system with a logo of your choice. You can also clone existing scripts and modify them to add in functionality if desired.
Custom PowerShell “Dependency” Scripts
Passwordstate has a feature where you can add custom PowerShell scripts that perform tasks of your choice as a dependency, run after a password has been successfully updated. For example, you may want to update some documentation, or send information about the newly reset password to the API of your Help Desk software. Or you may need to use the new password in another application, so you automate sending the newly reset password to that third-party software.
When creating a custom script of this nature, you can use a number of built-in variables to pull information from Passwordstate and insert this data into your scripts. These variables are listed in the PowerShell Script Variables section of this guide.
SSH Templates
If you have a system that is not natively supported in the list above, but that uses SSH as its communication protocol, there is a feature where you can build your own scripts based on SSH Templates. This allows you to simply issue a series of commands in sequential order, or all on one line, to perform the password reset. You then set your own “success” and “error” conditions. This means you do not need to write the entire reset script: as long as you know the native commands to perform a password reset on that system, as if you were typing them in the SSH shell, you can build your own reset scripts easily.
Password Heartbeat/Validation/Discovery
Passwordstate allows you to perform ‘validation’ tasks to ensure the passwords stored in Passwordstate are accurate compared to what is being used on remote hosts. You’re also able to ‘discover’ many different types of accounts on devices on your network, and Passwordstate does all this without the need to install any agents on those remote devices. Examples of what Passwordstate can discover are Local Windows or Linux accounts, accounts on Windows services or IIS Application pools, or maybe local accounts on your Fortigate firewall or Cisco switch.
When running a discovery job, you can put it into “Simulation” mode. This reports back what the job finds, but does not add any data into Passwordstate. It is a good way to validate which accounts are being discovered without fear of affecting any production system. When you do add discovered accounts, you can have the password reset immediately with a strong random password, reset it to a static password of your choice, or add the account into Passwordstate without performing a password reset at all; the choice is yours.
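As an added illustration of what an agentless heartbeat does (this is example code, not a Passwordstate script), the function below checks whether a stored local-account password is still accepted by a remote Windows host. It uses the .NET PrincipalContext API against the host's local SAM; the host name, account and password are constructed sample values.

```powershell
# Added example (not Passwordstate's own script): a minimal local-account
# "heartbeat". It confirms that the password held in your vault still matches
# the one the remote Windows host accepts, without installing an agent there.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-LocalAccountHeartbeat {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [System.Security.SecureString] $Password
    )
    # ValidateCredentials needs the clear-text value; keep its lifetime short.
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    try {
        # ContextType.Machine targets the host's local account database, not a domain.
        $ctx = [System.DirectoryServices.AccountManagement.PrincipalContext]::new(
            [System.DirectoryServices.AccountManagement.ContextType]::Machine, $HostName)
        $inSync = $ctx.ValidateCredentials($UserName, $plain)
        $status = if ($inSync) { 'InSync' } else { 'OutOfSync' }
    } catch {
        # Host unreachable, RPC/SMB blocked, account locked, etc.: report the
        # error instead of treating it as a failed password so nobody resets blindly.
        $status = "Error: $($_.Exception.Message)"
    } finally {
        $plain = $null
        if ($ctx) { $ctx.Dispose() }
    }
    [pscustomobject]@{ Host = $HostName; Account = $UserName; Status = $status; Checked = Get-Date }
}

# Constructed sample input. In practice the entries come from the vault, never
# from a clear-text file.
$entries = @(
    @{ Host = 'SRV-FILE01'; User = 'localadmin'; Password = 'example-only' }
)
$results = foreach ($e in $entries) {
    Test-LocalAccountHeartbeat -HostName $e.Host -UserName $e.User `
        -Password (ConvertTo-SecureString $e.Password -AsPlainText -Force)
}
$results | Format-Table -AutoSize
```

An OutOfSync result is the signal the heartbeat exists to produce: log it and review it before any reset, since it can mean a manual change, a failed rotation, or an account someone else is using.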
No Agents Required
Click Studios designed the Password Reset, Heartbeat and Discovery features to make use of Microsoft’s PowerShell scripting capabilities, eliminating the need to install custom agents on remote Hosts. These Reset, Heartbeat and Validation features can also be used on Hosts in non-trusted domains.
Note: If you have strict firewalling between networks, or manage clients’ infrastructure over the Internet, there is also a Remote Site Agent that can be deployed to communicate securely over HTTPS, with additional encryption to protect your data. This agent can execute all of the Password Reset, Discovery and Validation scripts on those remote networks and report the results back to your core Passwordstate website, so everything is centrally managed within one console. See the Remote Site Locations section for more information.