automatic rotation of Windows local accounts

Contributor III
Posts: 24
Registered: ‎07-19-2016
#1 of 6 3,905

automatic rotation of Windows local accounts

Hello,

We want to use the Infrastructure Service to manage the local Administrator account on all of our Windows endpoints.

We've added the Windows endpoints and their local Administrator accounts into the Infrastructure Service, and assigned the necessary permissions. Our admins can now log in to their Centrify portal, and from there they can log in to each endpoint with the local Administrator account. Is there a way to automatically rotate the password after each login, so each time someone logs in to a system it's using a new password? Can this be done WITHOUT using workflows? Our technicians have to constantly log in to many of our users' computers, so it would be infeasible for them to have to wait for an approval each time they need to log in. Can we use multiplexed accounts for this, even though these aren't service accounts?

Thanks in advance for any guidance.

Charles

Centrify Guru I
Posts: 2,430
Registered: ‎07-26-2012
#2 of 6 3,901

Re: automatic rotation of Windows local accounts


@charles2,

Welcome to the Centrify forums.

To give you the best prescription, can you answer a few questions?

  • Endpoints: Are these clients or servers? Is it exclusively Windows? We have LAPM for Mac too.
  • How are your admins logging in? Are they actually "checking out" the password? Note that Centrify allows for secure access via RDP/SSH as the shared account without exposing the admin to the password.

Some answers to your questions:

  1. Is there a way to automatically rotate the password after each login, so each time someone logs in to a system it's using a new password?
    Yes, absolutely. You can set this up via policy. Remember, what makes sense is to rotate the password after a human being has seen it, not to rotate the password after each "proxied" login.
    This is achieved via policies. They can be set at the global level, domain, database, system or individual account level (*).
    For Global > Admin Portal > Settings > Infrastructure > Security Settings
    [image: sec-set.JPG]
    When setting these, make sure that you enable password history, especially if you have VMs and you'll do snapshot restoration. This way you can retrieve the password that applied in a particular interval of time.
  2. Can this be done WITHOUT using workflows?
    Yes, but most importantly, you may be mixing two concepts here: access request and policy. Note that Centrify has a robust RBAC and entitlement system. You can have your independent department employees and contractors with limited functionality and visibility only to the accounts that they need to perform their duties.
    For example, I may want helpdesk users to have access to the password of local Windows clients, plus automatic rotation; but in the case of servers, I may want to grant access to local Administrator accounts without the need of workflow for secure access, but request it for password checkout, vice versa, or combinations of this.
    There are 2 types of CPS rights that grant visibility to all options: Privilege Service Administrator and Privilege Service Power User. Their experience looks like this:
    [image: psa.JPG]
    However, you may want helpdesk users to have limited functionality, like below using the Privilege Service User entitlement. Note the limited options, plus the flexibility:
    [image: psu.png]
    When a user needs to do secure access or password checkout, they can have a combination of "non-workflow" accounts and accounts that require approval:
    [image: checkout-flow.png]
    It's also possible to set up the system so they only see the accounts they have a functional need to see.
  3. Can we use multiplexed accounts for this, even though these aren't service accounts?
    I think this is another instance of mixing concepts. Multiplexed accounts exist to provide the assurance that for a managed Windows Service or Scheduled Task we can "swap" the managed service/task credential without worrying about replication delays and potential downtime.
    @Gautam wrote an interesting article covering multiplexed accounts.

Please answer the questions and let us know how else we can help.

(*) As of 17.9

R.P

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
Contributor III
Posts: 24
Registered: ‎07-19-2016
#3 of 6 3,886

Re: automatic rotation of Windows local accounts

R.P,

Thank you for the prompt and informative response; I really appreciate the level of detail you provided!

In answer to your questions:

1) I'm currently working exclusively with Windows clients (servers will fall into scope of CPS later).

2) The admins are accessing the clients by initiating RDP connections from their CPS portal, so they do not see/know the passwords.

I have a follow-up question. After configuring the CPS global security setting for password rotation interval, how do I override that setting for an individual account? When I go to the policy settings for an account, I don't see an option to set the password rotation interval.

Thank you again for your help.

Charles

Centrify Guru I
Posts: 2,430
Registered: ‎07-26-2012
#4 of 6 3,869

Re: automatic rotation of Windows local accounts

@charles2,

Here you go:

1) I'm currently working exclusively with Windows clients (servers will fall into scope of CPS later).

These things are good to know. I'm not sure if you're familiar with the Mac local account password management feature available in the platform, but in addition to using CPS, in the near future you'll be able to manage local passwords of current Windows versions within the Devices section. This means that you'll have two options:

a) Use the Windows LAPM feature from "Devices": this way you can have a set of users that can manage just the password, but they have no CPS interaction. Another benefit is that the LAPM feature will be able to rotate the endpoint's password regardless of being inside or outside the organization (great for BYOD or non-domain-joined). This one is about the password, and not secure RDP access.

b) What you can do today with CPS. Although great, it assumes connectivity.

2) The admins are accessing the clients by initiating RDP connections from their CPS portal, so they do not see/know the passwords.

I'm afraid I gave you inaccurate information. I meant you can do this at the "Global, Database, Domain and System levels" (today).

Do you see a need for us to do an override at the local level in the future? Happy to consider, but you have to give me a handful of examples of today's model not working.

Just so you know, I'm starting a series of articles focusing on our "vault" in the Community Tech Blog; there are a couple up and I'll get to them as I have all the labs proven out:

R.P

 

Contributor III
Posts: 24
Registered: ‎07-19-2016
#5 of 6 3,838

Re: automatic rotation of Windows local accounts

R.P,

Thank you again for your response.

I went ahead and set a global password rotation period in Settings | Infrastructure | Security Settings. But is there a way to force the password to get rotated after each checkout/checkin, even if the global rotation period has not elapsed? For example, if the global rotation period is 2 days, and an admin checks out a password and checks it back in after one hour, is there a way to make that password rotate at checkin instead of waiting for 2 days? I realize that I can prevent the admins from being able to see the password, but having it auto-rotate at checkin would give us an additional layer of protection. Thanks again.

Charles

Centrify Guru I
Posts: 2,430
Registered: ‎07-26-2012
#6 of 6 3,824

Re: automatic rotation of Windows local accounts


@charles2,

> But is there a way to force the password to get rotated after each checkout/checkin, even if the global rotation period has not elapsed?

If the password is managed by Centrify and it is checked out (e.g. an administrator has seen it), by default, when it's checked in, it will be automatically rotated. This should be happening automatically. You should be able to verify this with the activity feed (Infrastructure Dashboard) or using password history if you have it enabled.

Here's a flow diagram with an example.

The preconditions are:

  1. Note the rotation interval (90 days) and the checkout lifetime (60 mins).
  2. Note that the password is set to managed; if it's not managed, it won't work.

Sequence:

  3. The password is checked out at 3:55.
  4. The password is checked in within seconds.
  5. The system rotates the password a minute later.

[image: flow.png]

Password History

[image: pass-hist.JPG]

Note that this is not going to work for secure access (since the password is not exposed to the user).

Does this make sense?

R.P

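The vault behaviour described across this thread, modelled as a small simulation (added illustration, not Centrify code or its API): a managed local account is rotated when a human has seen the password (checkout followed by check-in, or an expired checkout), left untouched by proxied secure-access logins, rotated on the policy interval, and kept in a history so the password that applied at a given time can be retrieved after a VM snapshot restore. The clock is a constructed minute counter, and the policy values (90 days, 60 minutes) are the ones from the flow example above.

```python
import secrets
import string
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def new_password(length: int = 24) -> str:
    """Cryptographically random password for a managed local account."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class ManagedAccount:
    """One vaulted local account. All times are minutes on a constructed clock."""
    name: str
    managed: bool = True
    rotation_interval: int = 90 * 24 * 60   # policy: rotate every 90 days
    checkout_lifetime: int = 60             # policy: a checkout expires after 60 min
    versions: List[Tuple[int, str]] = field(default_factory=lambda: [(0, new_password())])
    checked_out_at: Optional[int] = None

    @property
    def password(self) -> str:
        return self.versions[-1][1]             # newest history entry is the live password

    def _rotate(self, now: int) -> None:
        self.versions.append((now, new_password()))   # keep the old value in history

    def tick(self, now: int) -> None:
        """Scheduled work: expire a stale checkout, otherwise apply the interval policy."""
        if self.checked_out_at is not None and now - self.checked_out_at >= self.checkout_lifetime:
            self.checkin(now)
        elif now - self.versions[-1][0] >= self.rotation_interval:
            self._rotate(now)

    def secure_access(self, now: int) -> str:
        """Proxied RDP from the portal: the vault injects the credential, nobody sees it, no rotation."""
        self.tick(now)
        return self.password

    def checkout(self, now: int) -> str:
        """Password checkout: a human will see the value, so mark it as exposed."""
        if not self.managed:
            raise PermissionError(f"{self.name}: unmanaged account, the vault cannot rotate it")
        self.tick(now)
        self.checked_out_at = now
        return self.password

    def checkin(self, now: int) -> None:
        """Check-in after exposure rotates even if the interval has not elapsed."""
        if self.checked_out_at is not None:
            self.checked_out_at = None
            self._rotate(now)

    def password_at(self, minute: int) -> str:
        """Password history lookup, e.g. after restoring a VM snapshot taken at `minute`."""
        return [pw for start, pw in self.versions if start <= minute][-1]
```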