BeyondTrust University
Password Safe Foundations
Password Safe Version 21.1

Table of Contents

Unit 1 | Laying the Foundation
  Lesson 1 | Introduction and Overview
  Lesson 2 | Deployment Overview
Unit 2 | Discovering Your Environment
  Lesson 1 | Functional Accounts and Password Policies
  Lesson 2 | Discovering and Adding Systems
  Lesson 3 | Smart Rules and Directory Queries
Unit 3 | Managing Access
  Lesson 1 | Onboarding Systems
  Lesson 2 | Onboarding Managed Accounts
  Lesson 3 | Creating Access Policies
  Lesson 4 | Mapping End Users and Groups
  Lesson 5 | Requesting, Approving, and Viewing Sessions
Unit 4 | Accessing Systems
  Lesson 1 | Mapping Dedicated Admin Accounts
  Lesson 2 | Managing Service Accounts
  Lesson 3 | Managing Database Accounts
  Lesson 4 | Configuring Remote Apps for Windows
Appendix A | Glossary
Appendix B | Managing Unix and Linux Systems
Appendix C | Managing Cloud Platforms
Appendix D | Creating Functional Accounts
Appendix E | Sample Remote Applications

Contact BeyondTrust | https://ideas.beyondtrust.com | +1 877-826-6427 | Version 21.1

Unit 1 | Laying the Foundation

Welcome to BeyondTrust University's Password Safe Foundations training course. This course is designed for administrators who will set up and maintain your BeyondTrust software.

BeyondTrust is the worldwide leader in Privileged Access Management, offering the most seamless approach to preventing data breaches related to stolen credentials, misused privileges, and compromised remote access. Our extensible platform empowers organizations to easily scale privilege security as threats evolve across endpoint, server, cloud, DevOps, and network device environments.
BeyondTrust unifies the industry's broadest set of privileged access capabilities with centralized management, reporting, and analytics, enabling leaders to take decisive and informed actions to defeat attackers. Our holistic platform stands out for its flexible design that simplifies integrations, enhances user productivity, and maximizes IT and security investments. BeyondTrust gives organizations the visibility and control they need to reduce risk, achieve compliance objectives, and boost operational performance. We are trusted by 20,000 customers, including half of the Fortune 100, and a global partner network. Learn more at www.beyondtrust.com.

Unit 1 | Lesson 1 | Introduction and Overview

This 15-hour course gives you foundational knowledge to configure and administer a successful BeyondTrust Password Safe deployment.

The course is divided into three units:

Unit 1: Laying the Foundation - establish a foundation from which the rest of the class will build. You will see an overview of the general functionality of Password Safe, as well as the BeyondInsight interface.

Unit 2: Managing Access - detail the necessary configuration for onboarding systems, accounts, and users.

Unit 3: Accessing Systems - learn how to manage accounts for Windows, Linux, and databases, and configure remote Windows and web-based applications for access through Password Safe.

Why Password Management?
Some of the most compelling reasons for the practice of password management include:

+ Control access to them
+ Allow and remove access
+ Make them easy to access
+ Keep an audit trail of access
+ Rotate the passwords
+ Keep users from seeing the password if possible

Recent breaches exploiting privileged credentials have brought to light the imperative to improve control and accountability over access to shared accounts. Your organization's stance on privileged password management determines how you ensure accountability of shared privileged accounts to meet compliance and security requirements without impacting administrator productivity.

As the amount and value of electronic data is on the rise, breaches are becoming increasingly common. Shared passwords are a primary attack vector.

Dangerous Practices

Some of the most common practices that put passwords at risk include the following:

+ Keeping passwords in a spreadsheet
+ Keeping passwords in copies of desktop password managers
+ Keeping passwords in a document on a "protected share"
+ Avoiding changes because it's hard to update the database
+ Making the passwords the same across accounts
+ Hardcoding passwords into scripts

80% of breaches are the result of privileged credential abuse or misuse.

What is Password Safe?

Password Safe is an encrypted repository of enterprise passwords that ensures accountability and helps meet compliance and security requirements while improving productivity. Key features include:

+ Automated Discovery - Password Safe leverages a distributed network discovery engine to scan, identify and profile all assets. Dynamic categorization of all assets and accounts enables auto-onboarding, and the ability for access policies to self-adjust according to environmental changes.
+ Secure SSH Key Management - Password Safe greatly simplifies the management and secures the use of SSH keys for better control, accountability and security over Unix and Linux systems by storing and automatically rotating SSH keys.
+ Application-to-Application Password Management - Password Safe eliminates hard-coded or embedded application credentials, simplifying management for IT and better securing the organization from exploitation of those credentials.
+ Enhanced Privileged Session Management - Password Safe privileged session management uses standard desktop tools such as PuTTY and Microsoft Terminal Services Client, ensuring administrators can leverage commonly used management tools without the need for plugins.
+ Adaptive Access Control - Password Safe enables the dynamic assignment of just-in-time privileges via the Advanced Workflow Control engine. Policies can be extended to block password access to some managed resources unless the request originated from the corporate network, or only allow access to certain vendor accounts if they originate from the vendor network.

It is important to remember that Password Safe is not designed to be a personal password manager to store an individual user's passwords for websites or other resources.

Supported Platforms

Password Safe supports a number of platforms out-of-the-box including a number of operating systems, directory services, network devices, database platforms, virtual infrastructure, and more. Password Safe also provides a custom platform utility to accommodate most infrastructure an organization would look to manage. The most up-to-date list of natively supported platforms is available at beyondtrust.com/docs.
(Figure: Password Safe Supported Platforms - screenshot of the supported platforms list; not legible in this copy.)

How Does It Work?

At a high level, Password Safe works as a proxy between end-users and applications and the credentials it secures across the infrastructure. Password Safe is applicable to practically any server, endpoint, network device, application, directory resource and database, on-premises, virtual, or in the cloud. End-users can request, approve, and review credential access via a web-based portal, while applications can programmatically request access via API. Password Safe provides advanced workflow and policy to granularly control and provide accountability for privileged password, SSH key, and session management, combined with robust auditing and reporting capabilities.

Password Safe provides seamless proxy functionality for session management. Users authenticate to Password Safe to request secured access to a target resource. The native desktop tool on the user's device connects to Password Safe, which proxies the connection on through to the target resource. The result is a secured connection initiated by the end-user, using native tools, but controlled via the hardened Password Safe. No client is needed on the end-user side.

Password Safe may also be configured to record these proxied sessions.
Since only the underlying protocol traffic is captured, these recordings are much more efficient than recording streaming video or taking screen shots. When using RDP, the captured data averages 350KB per minute, while SSH averages recording file sizes of only 25KB per minute. Keep in mind the level of activity being conducted over the session may substantially vary the recording size and bitrate.

Unit 1 | Lesson 2 | Deployment Overview

Deployment Options

Password Safe is available as an appliance-based deployment for ease of deployment and the additional security offered by the appliance hardening applied at the factory. Appliances are available in both physical and virtual form factors.

By default, AES256 is used for stored passwords/drive encryption and Password Safe uses FIPS 140-2 approved cryptographic modules for core components. All connections are secured via HTTPS/TLS with protection between the role-based end-user web portal and the underlying database. Separation of duties is enforced through an RBAC model which may leverage both local and LDAP/AD groups and users.

High Availability

High Availability is supported in both Active/Passive and Active/Active configurations. Each appliance must be using the same versions of software.
Active-Passive
+ Two synced appliances
+ Warm spare appliance
+ Requires identical form factor
+ Automatic failover requires a few minutes

Active-Active
+ Near-seamless experience
+ Supports any combination of form factor
+ Requires separate SQL Always On environment
+ Can be implemented with load balancing
+ Provides additional capacity

Active/Passive High Availability

Active/Passive is available for appliance-based configurations only. The two members of the high availability pair must be the same form factor, either both Physical or both Virtual.

Two appliances are configured to form a high availability pair. Only one of the two appliances is active at a time. When the active appliance becomes unavailable, traffic is shifted to the other appliance. This failover is automatic, but not immediate.

The underlying SQL database is synchronized between appliances using TCP port 5022 at a user-configured interval between 5 and 10,000 minutes. A heartbeat is sent from the primary appliance to the secondary appliance every 130 seconds. This heartbeat interval is static, and cannot be changed. If a heartbeat has not been detected for 14 minutes, the secondary appliance will promote itself to the primary. This detection interval is configurable; however, if uptime is critical, we recommend using an Active/Active high availability configuration.

NOTE: After a failover event using an Active/Passive configuration, restoration to the previous primary appliance requires manual intervention.
This will result in a maintenance window.

Active/Active High Availability

Active/Active high availability is available for mixed environments using both physical and virtual appliances. It requires the use of an external database using SQL Always On technology. Any number of appliances in one or more locations can be members of this high availability group and will be configured to connect to this database. All appliances can be used at once, and are fully redundant. If an appliance becomes unusable or requires maintenance, traffic can simply be routed to a different appliance. This also results in additional overall load capacity.

Always On availability groups may be configured with a mix of synchronous commit and asynchronous commit replicas to provide real-time database redundancy. Active/Active password changes can be tied to Workgroups in BeyondInsight, allowing you to specify an individual workgroup to perform the password change.

There are specific considerations required for creating an Active/Active high availability group. Involvement with your BeyondTrust Implementation Team is recommended to ensure the best architecture for your requirements.

Architecture

The Password Safe proxy listens for connections on non-standard ports. Traffic is then parsed, recorded if enabled, and forwarded to the correct device. Password Safe uses port 4489 for proxied RDP connections and port 4422 for proxied SSH connections.

BeyondInsight leverages two distinct databases. The first database manages the day-to-day operations and includes information about assets, accounts, and more.
Because this database contains a substantial amount of data that grows over time, this data is purged after a configurable period of time, typically between 30-60 days.

The second database is used for reporting and analytics only. Data is copied from the assets and accounts database using a daily SQL Server Agent job. Data will remain permanently in the analytics and reporting database to provide long-term trending and reporting.

Unit 2 | Discovering Your Environment

Introduction

In this unit, you will learn how to configure Password Safe using Functional Accounts and Password Policies. Then you will discover and add systems and set up Smart Rules and Directory Queries.

You will begin with setting up the accounts used to authenticate to systems when changing passwords. You will then configure the Password Policies used to generate new passwords for accounts. Next, you will use the discovery feature to identify systems in your environment and gather information. Finally, you will set up several Smart Rules and Directory Queries to select systems and accounts using specific criteria, display those lists, and perform actions.
Unit 2 | Lesson 1 | Functional Accounts and Password Policies

During this lesson, you will become familiar with the following configuration options and settings:

+ Differentiate between functional, managed, and user accounts
+ Differentiate between assets and managed systems
+ Describe end-user roles
+ Configure functional accounts
+ Configure password policies
+ Follow the password change and test processes

Managed Accounts

A managed account is an account on a managed system whose password is being maintained or for which access is being controlled by Password Safe. These may be local accounts on an individual system or domain accounts.

Typically, managed accounts are privileged accounts used to perform administrative tasks on managed systems. A typical example would be administrator accounts on Windows systems or the root account on Linux/Unix systems. This could also be an Exchange admin, root account, database admin, or other account.

BEST PRACTICE: In a production environment, root accounts should be managed and not used as functional accounts. Instead, a separate functional account should be created for Linux/Unix systems.

Functional Accounts

In order for Password Safe to change passwords, the software needs what is called a functional account. This highly privileged functional account must have permissions to reset passwords of managed accounts. While you could use a domain administrator or similar account as a Password Safe functional account, best practice dictates that you use a separate dedicated account for this purpose.
BEST PRACTICE: In a production environment, all functional accounts should be managed by Password Safe and rotated regularly.

General Requirements

A functional account should be configured for each platform where Password Safe will be managing privileged accounts, e.g. SQL, AD, Oracle, Linux, Unix, Cisco, etc. Consider keeping the number of functional accounts to the minimum necessary, creating one per platform in your environment. Functional account requirements vary; however, they can generally be summarized as below. For more information, see the Creating Functional Accounts appendix.

To view functional accounts and add them to Password Safe, navigate to Configuration > Privileged Access Management > Functional Accounts. The list of functional accounts will be displayed. To add an account, click the Create Functional Account + button at the top left of the screen.

Password Policies

Password Policies allow you to specify the requirements used by Password Safe when generating a new randomized password to perform a password change. These policies should meet or exceed the password policy for the managed system. For example, if your AD password policy requires a certain length, your Password Safe password policy for managed AD accounts should be at least that length. The goal is to harmonize your Password Safe password policies with those of each platform you are managing accounts within.

Navigate to the password policies at Configuration > Privileged Access Management Policies > Password Policies. The existing password policies will be displayed in the Password Policies pane. To create a new rule, click the Create Password Policy + icon at the top-left.

Password policies can be set to generate passwords with a length between 4 and 255 characters.
While a longer password may seem more secure, keep in mind the difficulty of manually entering long passwords, if required.

NOTE: Password Safe is unable to read or modify password policies on your target platforms such as Active Directory or individual systems.

How Passwords Are Changed

BeyondInsight uses two server-side processes to facilitate password management: the Password Test Agent and the Password Change Agent.

A password change will occur under the following circumstances:

+ Request checked in (if configured)
+ Request expires (if configured)
+ At scheduled rotation (if configured)
+ Mismatch detected (if configured)
+ Manual forced change

The Password Change Agent runs as a service installed on the Password Safe appliance. If additional redundancy and availability are desired, multiple appliances should be deployed, each of which would have an additional change agent. The agent connects to Password Safe to determine what passwords need changing, and logs any activities or messages including success and failure of password changes. The change agent uses the functional account to perform the change. It is important to note that no agent is required on the target or managed system.
Passwords requiring change will be processed in the following manner:

+ Password Safe adds an account to the change queue within the database
+ Change agent requests a batch of accounts to change from the top of the queue (oldest requests)
+ Change agent changes passwords, retrying if necessary as configured
+ Change agent records the change in Password Safe when successful

The password change queue has intelligence whereby if a password change is in the queue and a release is requested, it is dropped from the change queue to prevent the password from being changed while an active request is in progress. All changes are queued within the password change queue except for manual forced changes, which are executed immediately. The time for the change agent to process a password change in a production environment may typically take 1-2 minutes, but may be longer.

Settings for the change agent may be found in the BeyondInsight web interface by navigating to Configuration > Privileged Access Management Agents > Password Change Agent.

Change agents are, by default, not assigned to any workgroup; that is, they will execute jobs for any workgroup. However, they may be assigned to a specific workgroup by navigating to Configuration > Privileged Access Management Agents > Worker Nodes. This may be useful for environments with multiple isolated networks, or where machines are grouped into workgroups by region to help improve password change performance.

+ Enable Password Change Agent: Determines if the change agent is active or inactive.
+ Active Change Tasks: Number of accounts the change agent should attempt to change concurrently.
+ Check the change queue every (seconds): Frequency at which the change agent checks the Password Safe change queue for passwords to change.
+ Retry failed change after (minutes): Time to wait after a failed password change attempt before trying again.
+ Unlimited retries/Maximum retries: Total number of failed password change attempts before failing.

Password Safe also uses a Password Test Agent to periodically verify that the managed account password stored within the BeyondInsight database matches the password stored on the managed system. Passwords of managed accounts will, by default, be checked on a schedule. Mismatched passwords can be optionally reset using a functional account and then checked by the test agent service. Navigate to the test agent settings via Configuration > Privileged Access Management Agents > Password Test Agent.

NOTE: Mismatches may indicate an external change, a system restore, or possible malicious activity.

+ Enable Password Test Agent: When enabled, allows the test agent to check accounts to ensure the password stored in Password Safe matches the password currently assigned to the account.
+ Active Test Tasks: Number of accounts to check simultaneously.
+ Schedule Interval: Frequency with which accounts are tested.
+ Start Time: Time at which the test job is started. The job will finish when all accounts are tested.

While viewing the Advanced Details of a Managed System, that system's Managed Accounts are visible.
Clicking the ellipsis icon for one of the Managed Accounts, you will have the opportunity to Test, Change or view the History of passwords.

Unit 2 | Lesson 2 | Discovering and Adding Systems

Discovery Scan

To perform a discovery scan:

1. Log in to the BeyondInsight web console.
2. Navigate to the Scan menu item.
3. Select the type of scan you would like to run, then click Next.
4. Enter one or more scan targets separated by commas, then click Next.
5. Select an existing credential to use when authenticating to the system. You may use an existing credential or enter a custom credential for the lifetime of this scan. Depending on the scan type, credentials may be optional. Click Next.
6. Click the checkbox next to at least one scan agent to determine from where the scan will be executed, then click Next.
7. Finally, configure a name for the scan and set a schedule, then click Finish.

Directory Query in a Smart Rule

A directory query in BeyondInsight is able to find computer objects in Active Directory (in addition to user objects).
We can configure a smart rule to leverage a directory query to query Active Directory for a list of machines and set the smart rule action to schedule a scan for the resulting assets.

To use a directory query and smart rule to import systems:

1. Log in to the BeyondInsight web console.
2. Navigate to Configuration > Role Based Access > Directory Queries.
3. Create a directory query to look for computer objects.
4. Navigate to Assets and click the Manage Smart Rules hyperlink in the upper right hand corner of the screen.
5. Create a smart rule:
   + Ensure you have Directory Query as one of the selection criteria
   + Set the perform action to display as a smart group
6. Navigate to the Smart Rules tab.
7. Locate the appropriate Smart Rule, then click the ellipsis icon and select Scan.
8. Select the desired scan type, and progress through the Run a Scan wizard using the Next button.
9. If desired, set the scan to a Schedule Type of Recurring to run the scan regularly.
10. Click Finish to schedule the scan to run. Assets will now be scanned as configured.

Manually

To manually create an asset:

1. Log in to the BeyondInsight web console.
2. Navigate to the Assets menu item.
3. Locate and click the Create New Asset icon.
4. Enter details for the new asset and click Save.

Unit 2 | Lesson 3 | Smart Rules and Directory Queries

In this lesson we will define smart rules and smart groups, look at a use case for smart rules, list the types of smart rules, and look at the necessary steps to create the smart rules and directory queries. We will also look at some smart rule best practices.

Smart Rules

Smart Rules are SQL queries that run against the BeyondInsight database and are used to logically organize assets into groups and manage Password Safe managed accounts. They follow "If this, then that" logic, similar to email or firewall rules. Smart rules can also be used to target scans against a smart group, send email alerts, set attributes on assets, create tickets, filter reports, and target assets and accounts to manage in Password Safe.

Smart Groups

Smart groups are the results of a smart rule and may be managed via the Smart Rules menu icon or using the Manage Smart Rules link in the top right hand corner of the Assets, Managed Systems, and Managed Accounts pages.
Smart Rule Processing

+ Smart rules update results automatically, but can be executed manually by clicking Process
+ Smart rules are executed immediately when edited and saved
+ If an asset can no longer be contacted or no longer meets the criteria in the rule, it no longer appears in the results
+ Automatically executes at a regular interval
+ Each rule can have a different minimum time between executions
+ Dedicated Account smart rules are executed when a change to mapped groups is detected, via either a new user logon or a group refresh by view or edit of the group in Role Based Access

In order to manage smart rules, a BeyondInsight user must be a member of the Administrators group, or be granted permissions on a particular smart rule or set of smart rules.

Smart rules update dynamically, and are always current based on collected data and received events. Processing is performed several times daily and if assets no longer meet search criteria, the rule dynamically updates. Matching criteria is always current. You can name and categorize as you see fit.

You are essentially building If-Then logic. The If is the criteria you will use in selecting assets. This criteria can be based on any collected data through scans or event processing. The Then aspect is the Action you wish to take.

Creating Smart Rules

Navigate to the Smart Rules menu icon within BeyondInsight. Once on the Smart Rules page, you can navigate to the desired Type of smart rule you need: asset based, managed account based, managed system based, or vulnerability based.
Following is a list of five of the many predefined smart rules and their definitions. They range from a blanket detection of all currently managed Password Safe assets to recently discovered assets not under management.

Category            | Smart Rule Name                                | Description
Assets and Devices  | All Assets in Password Safe                    | All assets under Password Safe management
Assets and Devices  | Recent Assets not in Password Safe             | All assets discovered in the last 30 days that have not been added to Password Safe
Assets and Devices  | Recent Non Windows Assets not in Password Safe | All non-Windows assets discovered in the last 30 days that have not been added to Password Safe
Servers             | Recent Windows Servers not in Password Safe    | Windows servers discovered in the last 30 days that have not been added to Password Safe
Virtualized Devices | Recent Virtual Servers not in Password Safe    | Virtualized server assets discovered in the last 30 days that have not been added to Password Safe

Click the Create Smart Rule + button to start creating a smart rule.

Use Case

In the next use case, the Smart Rule will identify assets first discovered within the last 7 days. It will also filter systems that have an operating system name of Windows Server 2016. If the OS value is unassigned or blank, we will exclude that asset from the filtered result list for this Smart Rule.
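The use-case criteria just described, as an added model (not BeyondTrust code; the real rule is a SQL query BeyondInsight generates): "If" criteria are combined with AND, the blank or unassigned OS is excluded, and the "Then" actions run over the filtered set. Field names, the case-insensitive OS comparison, the sample inventory and the onboarding values (platform, functional account, account name format) are assumptions for the illustration.

```python
"""Added example modelling the Windows Server 2016 / last-7-days Smart Rule from the course.
Not BeyondTrust code: field names, sample assets and onboarding values are assumptions."""
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional

Asset = Dict[str, object]   # constructed shape: name, os (Optional[str]), first_discovered
Criterion = Callable[[Asset, datetime], bool]


def discovered_within(days: int) -> Criterion:
    """'Asset first discovered within the last N days' criterion."""
    return lambda asset, now: asset["first_discovered"] >= now - timedelta(days=days)


def os_name_is(expected: str) -> Criterion:
    """'Operating system name equals' criterion; an unassigned (None) or blank OS never matches.
    Comparison is case-insensitive here (assumption, mirroring a default SQL Server collation)."""
    def check(asset: Asset, now: datetime) -> bool:
        os_name = (asset.get("os") or "").strip()
        return bool(os_name) and os_name.lower() == expected.lower()
    return check


def evaluate_smart_rule(assets: List[Asset], criteria: List[Criterion],
                        now: datetime, actions=()) -> List[Asset]:
    """Apply every IF criterion (AND), then run each THEN action on the filtered assets."""
    matched = [a for a in assets if all(c(a, now) for c in criteria)]
    for action in actions:
        for a in matched:
            action(a)
    return matched


def onboard_to_password_safe(platform: str, functional_account: str, account_name_format: str):
    """THEN action: record the managed-system settings the rule assigns when onboarding."""
    def action(asset: Asset) -> None:
        asset["managed_system"] = {"platform": platform,
                                   "functional_account": functional_account,
                                   "account_name_format": account_name_format}
    return action


def add_to_smart_group(group_name: str):
    """THEN action: show the results as a smart group."""
    def action(asset: Asset) -> None:
        asset.setdefault("smart_groups", []).append(group_name)
    return action


def run_use_case(now: datetime = datetime(2021, 6, 15, 9, 0)):
    """Constructed inventory; returns (matched asset names, the inventory after actions ran)."""
    def d(days_ago: int) -> datetime:
        return now - timedelta(days=days_ago)

    assets: List[Asset] = [
        {"name": "WEB01", "os": "Windows Server 2016", "first_discovered": d(2)},
        {"name": "DB02",  "os": "Windows Server 2019", "first_discovered": d(1)},   # wrong OS
        {"name": "APP03", "os": "Windows Server 2016", "first_discovered": d(30)},  # too old
        {"name": "NEW04", "os": "",                    "first_discovered": d(0)},   # blank OS
        {"name": "NEW05", "os": None,                  "first_discovered": d(3)},   # unassigned
        {"name": "FS06",  "os": "windows server 2016", "first_discovered": d(6)},   # case differs
    ]
    # Most restrictive criterion first, as the Smart Rule guidelines recommend.
    criteria = [os_name_is("Windows Server 2016"), discovered_within(7)]
    actions = [onboard_to_password_safe("Windows", "svc_pbps_functional", "SAM"),  # assumed values
               add_to_smart_group("Recent Windows 2016 Servers")]
    matched = evaluate_smart_rule(assets, criteria, now, actions)
    return [a["name"] for a in matched], assets
```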
Each asset in the filtered result list will be onboarded with Password Safe. To do this, the platform, account name format, functional account, and other values must be set. The results of the Smart Rule will also be displayed as a smart group.

Smart Rule Guidelines

In general, we recommend you follow the best practice guidelines below when developing Smart Rules for your environment.

+ Put the most restrictive filter criteria at the top of the criteria section.
+ Ensure that assets can only have a single rule applied. If an asset can appear in multiple Smart Groups with such actions, this can lead to many inefficient overwrites and can cause confusion.
+ Minimize the use of the email alert action wherever possible to prevent users from having overloaded inboxes.
+ Create Smart Rules categorizing Assets or Accounts in such a way as to easily apply permissions later for groups of Users to access those managed Assets or Accounts.
+ Create many simple Smart Rules with no more than 2 filters and 2 or 3 actions, as opposed to a few very complex Smart Rules.

Directory Queries

Directory queries are searches into the Active Directory database. We may be looking for Accounts to bring under Password Safe management, or for assets. Typically the results from a directory query are used by nesting the query in a smart rule to ultimately bring the found items under Password Safe management. Navigate to directory queries via Configuration > Role Based Access > Directory Queries.
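The smart rule use case above (assets first discovered in the last 7 days with an OS name of Windows Server 2016, blank OS excluded) and the guideline to put the most restrictive filter first, worked through as an added Python example over a constructed asset inventory. This is not BeyondInsight code; the asset records, the functional account name and the account name format are assumed values.

```python
"""Smart rule evaluation as If-Then logic (constructed example, not BeyondInsight code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional

Criterion = Callable[["Asset"], bool]


@dataclass(frozen=True)
class Asset:
    """One scanned asset as BeyondInsight might hold it (values are constructed)."""
    name: str
    os_name: Optional[str]      # None or "" when the scan did not determine the OS
    first_discovered: date
    reachable: bool = True


@dataclass
class ManagedSystem:
    """Settings filled in by the 'Manage Assets using Password Safe' action."""
    asset_name: str
    platform: str
    functional_account: str
    account_name_format: str


@dataclass
class SmartRule:
    name: str
    criteria: List[Criterion]   # ordered: put the most restrictive filter first

    def matches(self, asset: Asset) -> bool:
        # all() short-circuits, so the first (most restrictive) criterion
        # rejects most assets before the remaining ones are evaluated.
        return all(check(asset) for check in self.criteria)


def discovered_within(days: int, today: date) -> Criterion:
    cutoff = today - timedelta(days=days)
    return lambda a: a.first_discovered >= cutoff


def os_name_is(expected: str) -> Criterion:
    # An unassigned or blank OS value never matches, so those assets are excluded.
    return lambda a: bool(a.os_name) and a.os_name.strip().lower() == expected.lower()


def process_smart_rule(rule: SmartRule, assets: List[Asset],
                       managed: Dict[str, ManagedSystem], today: date) -> List[str]:
    """Re-evaluate the rule ("Process") and apply its actions.

    Returns the current smart group membership. Assets that can no longer be
    contacted or no longer meet the criteria drop out of the group; the
    onboarding action here only adds managed systems (removal is not modelled).
    """
    smart_group: List[str] = []
    for asset in assets:
        if not asset.reachable or not rule.matches(asset):
            continue
        smart_group.append(asset.name)
        if asset.name not in managed:
            managed[asset.name] = ManagedSystem(
                asset_name=asset.name,
                platform="Windows",
                functional_account="btlab\\svc_pwsafe",      # assumed functional account
                account_name_format="domain\\username",       # assumed format
            )
    return smart_group


def build_rule(today: date) -> SmartRule:
    """The course use case: discovered in the last 7 days AND OS is Windows Server 2016."""
    return SmartRule(
        name="New Windows Server 2016 (last 7 days)",
        criteria=[discovered_within(7, today), os_name_is("Windows Server 2016")],
    )


# Constructed inventory for a rule run on 2021-06-01.
TODAY = date(2021, 6, 1)
INVENTORY = [
    Asset("ws2016-new", "Windows Server 2016", TODAY - timedelta(days=2)),
    Asset("ws2016-old", "Windows Server 2016", TODAY - timedelta(days=20)),
    Asset("no-os-yet", None, TODAY - timedelta(days=1)),
    Asset("ubuntu-new", "Ubuntu 20.04", TODAY - timedelta(days=1)),
    Asset("ws2016-down", "Windows Server 2016", TODAY - timedelta(days=3), reachable=False),
]


def run_example():
    managed: Dict[str, ManagedSystem] = {}
    first = process_smart_rule(build_rule(TODAY), INVENTORY, managed, TODAY)
    # Ten days later the same asset is older than 7 days and leaves the group,
    # but what was onboarded stays managed.
    later = TODAY + timedelta(days=10)
    second = process_smart_rule(build_rule(later), INVENTORY, managed, later)
    return first, second, sorted(managed)


if __name__ == "__main__":
    print(run_example())
```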
In the following example we are looking for Helpdesk accounts in AD within the context of the btlab.btu.cloud/BTU Users/IT location. Notice that the Helpdesk accounts actually reside in the Shared Admins Organizational Unit (OU), but because we used the "This Object and All Child Objects" scope setting, the search still finds the accounts (see the Query Test Results).

Lesson 1 | Onboarding Systems

Up to this point, all the Assets discovered by scans, imported via an XML file, created manually, or otherwise are merely known assets within BeyondInsight. It is now our task to onboard, or manage, these assets. There are three main ways by which you can onboard a known system to Password Safe:

+ Manually
+ Smart Rule matching
+ XML import

Manually Onboarding an Asset

To onboard a system from a known to a managed state manually, from the Assets page select Add to Password Safe from the ellipsis icon menu on the same line in the grid as the asset. Enter settings for the managed system. You can choose the type, platform, functional account, default password policy, release duration, and other settings. Then click the Create Managed System button.

Onboarding Assets with Smart Rules

BeyondInsight has unique functionality known as smart rules that allow you to match assets and accounts based on information stored in the database, including information from scans.
This functionality allows organizations to dynamically respond and automatically make access decisions based on changes within the environment. Smart Rules can be set up to automatically assign newly discovered systems and accounts to Password Safe for management. After configuring a smart rule with "selection" criteria, select the "Perform Actions" option Manage Assets using Password Safe or Manage Accounts using Password Safe to automatically add the asset or account to Password Safe for management. You may also use a smart rule coupled with a directory query to auto-assign items from Active Directory to Password Safe. Finally, you can import asset data from an XML file directly, or through the API, and then use Smart Rules to onboard assets into Password Safe for management.

Lesson 2 | Onboarding Managed Accounts

In this section we will look at where a managed account might originate from, manually onboarding an account, using a Smart Rule to onboard an account, password rotation for a managed account, and testing a managed account.

Origin of Accounts

Accounts to be managed may originate from Assets, from a Directory, or be imported from an XML file. This course concentrates on those from a managed asset or from a directory.

Accounts from a Scanned Managed Asset

From the Assets page, click the ellipsis icon of the desired asset and select Go to advanced details... from the menu.
Once there, we can see the list of users (under Scan Data) discovered on the Managed Asset. Click the Create New Account + button. Enter details of the account to be added to Password Safe, then click Create Account at the bottom of the dialog.

Manually Onboarding an Active Directory Account

Onboarding an account from Active Directory manually presupposes that the directory has already been defined within Password Safe. You can confirm this by looking at the Managed Systems page. Click the ellipsis icon for the directory and select the Go to advanced details... option from the menu.

Active Directory Organizational Unit (OU) where users exist that may be chosen for Password Safe Management.

Click the Create New Account + button to begin managing an existing account within Active Directory.
Using a Smart Rule to Onboard an Account

Onboarding an Account from a Discovered Managed Asset

Since all the information from a discovered managed asset is already in the BeyondInsight (BI) database as a result of a previous scan on the asset, we can use the criteria portion of the smart rule to search the database for matches of accounts we wish to manage. In this example we are looking for Windows administrator accounts already known to the BI database. Also note that we are pointing the Smart Rule query (criteria section) towards an asset-based smart group called New Windows Desktops. New Windows Desktops is a smart group created earlier that categorizes previously discovered Windows systems into one group. The second action in the "actions" section then directs the found administrator accounts from the BI database to be managed. This action effectively fills out the settings of an account automatically and saves it.

The result of this smart rule then shows the newly managed administrator account on the Managed Accounts page. If there had been multiple administrator accounts matching the criteria, they would all be listed here as well.
Onboarding an Active Directory Account with a Smart Rule

In this example we will target all the helpdesk accounts from btlab.btu.cloud/BTU Users/IT/Shared Admins in AD. For this smart rule we are searching Active Directory with a Directory Query, "Helpdesk Admin Accounts", which was previously created and tested. The smart rule executes automatically at a regularly scheduled interval. We also confirm in the criteria that we are discovering the accounts for Password Safe management, and then specify the domain we are looking into. In the Perform Actions section we are:

1. Managing the Accounts.
2. Linking the domain accounts to a Managed System.
3. Showing it as a smart group so we can see the results in the grid of the Managed Accounts page.

Password Rotation on a Managed Account

A Managed Account's password will be rotated for the following reasons: a scheduled password change, a forced password reset, and when a Managed Account is "checked back in" after being used. You can view the history of a Managed Account's password rotation by looking at the Go to advanced details... of the account on the Managed Accounts page.
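The directory query scope setting from the Directory Queries section ("This Object and All Child Objects" finding accounts that sit in the Shared Admins OU below the IT OU) and the three Perform Actions of the AD smart rule above, as an added Python example over constructed directory entries. It is not BeyondInsight code: the scope names are the usual LDAP ones rather than the product's labels, and the user entries, the group name "Helpdesk Admins" and the linked managed system WS10 are assumed.

```python
"""Directory query scope plus the AD-account smart rule actions (constructed example, not BeyondInsight code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple


class Scope(Enum):
    # LDAP-style names; the course UI calls SUBTREE "This Object and All Child Objects".
    BASE = "this object only"
    ONE_LEVEL = "immediate children only"
    SUBTREE = "this object and all child objects"


@dataclass(frozen=True)
class DirectoryUser:
    dn: str
    sam_account_name: str
    member_of: Tuple[str, ...]        # group names (constructed)


@dataclass
class ManagedAccount:
    username: str
    domain: str
    linked_systems: List[str] = field(default_factory=list)


def parse_dn(dn: str) -> List[str]:
    """Split a DN into normalised RDNs, leaf first (assumes no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",")]


def in_scope(entry_dn: str, base_dn: str, scope: Scope) -> bool:
    """Does entry_dn fall inside base_dn under the given scope?"""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(entry) < len(base) or entry[-len(base):] != base:
        return False                      # not under the base at all
    depth = len(entry) - len(base)        # 0 = the base object itself
    if scope is Scope.BASE:
        return depth == 0
    if scope is Scope.ONE_LEVEL:
        return depth == 1
    return depth >= 0                     # SUBTREE: the base and every descendant


def directory_query(users: List[DirectoryUser], base_dn: str, scope: Scope,
                    group_name: str) -> List[DirectoryUser]:
    """The 'Helpdesk Admin Accounts' query: members of a group found under the chosen OU."""
    return [u for u in users if in_scope(u.dn, base_dn, scope) and group_name in u.member_of]


def run_smart_rule(query_results: List[DirectoryUser], domain: str, link_to: str,
                   managed: Dict[str, ManagedAccount]) -> List[str]:
    """Perform Actions: 1) manage the accounts, 2) link them to a managed system,
    3) return the membership shown as a smart group. Safe to re-run: nothing is duplicated."""
    smart_group: List[str] = []
    for user in query_results:
        key = f"{domain}\\{user.sam_account_name}".lower()
        acct = managed.setdefault(key, ManagedAccount(user.sam_account_name, domain))
        if link_to not in acct.linked_systems:
            acct.linked_systems.append(link_to)
        smart_group.append(key)
    return smart_group


# Constructed directory data mirroring the lab OU path btlab.btu.cloud/BTU Users/IT.
BASE = "OU=IT,OU=BTU Users,DC=btlab,DC=btu,DC=cloud"
USERS = [
    DirectoryUser("CN=helpdesk1,OU=Shared Admins,OU=IT,OU=BTU Users,DC=btlab,DC=btu,DC=cloud",
                  "helpdesk1", ("Helpdesk Admins",)),
    DirectoryUser("CN=helpdesk2,OU=Shared Admins,OU=IT,OU=BTU Users,DC=btlab,DC=btu,DC=cloud",
                  "helpdesk2", ("Helpdesk Admins",)),
    DirectoryUser("CN=itmgr,OU=IT,OU=BTU Users,DC=btlab,DC=btu,DC=cloud",
                  "itmgr", ("IT Managers",)),                    # in scope, wrong group
    DirectoryUser("CN=hr-helpdesk,OU=HR,OU=BTU Users,DC=btlab,DC=btu,DC=cloud",
                  "hr-helpdesk", ("Helpdesk Admins",)),          # right group, outside scope
]


def run_example():
    managed: Dict[str, ManagedAccount] = {}
    found = directory_query(USERS, BASE, Scope.SUBTREE, "Helpdesk Admins")
    group = run_smart_rule(found, "btlab.btu.cloud", "WS10", managed)
    run_smart_rule(found, "btlab.btu.cloud", "WS10", managed)   # scheduled re-run
    return [u.sam_account_name for u in found], group, managed


if __name__ == "__main__":
    print(run_example())
```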
Please note that the top password in the history list is the current password and will not be revealed here, only in the Password Safe request area when an approved user is making a request.

Synced Accounts

An account may be configured to have subscribers that share the same password. If the primary account password gets rotated, each subscriber account will be rotated to the same password. This allows enforcement of a common password across multiple managed accounts. To configure synced accounts, navigate to the Managed Accounts page, then select an account and click "Go to advanced details" from the ellipsis icon menu. In the Advanced details, select the Synced Accounts option.

Testing a Managed Account and Forcing a Password Reset

To test that the stored password of a managed account matches the account itself, click the "Test Password" option. The account will be tested in real time. After the test is complete, a green notification message (at the bottom of the screen) or a red notification message will appear to indicate the success or failure of the test.

Forcing a password reset can be accomplished by clicking the Change Password option. A confirmation message will appear. Click "Change Passwords"; the password change will be executed immediately. Success of the password change will be indicated by a green confirmation message (at the bottom of the screen).
Lesson 3 | Creating Access Policies

Access Policies are used to control end-user access to managed accounts. User access to credentials can be restricted based on a variety of criteria, and multiple access policies can be used to accommodate practically any requirement. These policies can be very granular and allow you to specify set time frames, days and date ranges, locations, and the level of access permitted. For example, access can be restricted to only recorded sessions, and can be set to require a restricted number of approvers, or set to auto-approved.

To view, create, or modify access policies, navigate to Configuration > Privileged Access Management Policies > Access Policies. Policies will appear in the Access Policy pane. Clicking on a policy will view its properties, and clicking the Create New Access Policy + button at the top-left of the pane will create a new policy.

+ Name: The alias used when displaying the access policy.
+ Description: Information provided to users looking for more information on the access policy.
+ Email Notifications: If enabled, sends notifications of any request submitted using this policy to one or more entered email addresses.
+ Available for Use: When checked, allows the policy to be used; disabled by default. Note that the policy must be saved before this option can be checked and the policy re-saved.
+ Schedule Tab: Dates and times during which this access policy is available. Click Create Schedule + to add a schedule entry. Multiple schedules can be added to an access policy.
+ Assignees Tab: Displays groups which have this access policy assigned.

Password Safe User Roles

Password Safe has several defined roles that determine the level of access end users have. In Password Safe, a role is the connection between a Password Safe user account and a managed system or managed account. A role defines what the user or group can do with respect to that managed system or account.

Account-Based Roles

+ Requestor: allows the user to request passwords directly and request proxied sessions. When assigning this role, you must select an access policy.
+ Approver: enables the user to approve requests submitted by a requestor.
+ Approver/Requestor: enables a user to submit and/or approve requests; however, a user cannot approve their own requests. When assigning this role, you must select an access policy.

Additional add-on permissions include:

+ Credentials Manager: allows a user to manage the credential, including the ability to manually reset the password on demand through Password Safe.
+ Recorded Session Reviewer: enables the user to access the Password Safe > Replay menu option. This grants the user access to replays of completed sessions, including session playback, keystrokes, comments, and marking the recording as reviewed.
+ Active Session Reviewer: allows the user to access the Password Safe > Active Sessions menu option. The user can select an active session, view the session activity, lock and unlock the session, terminate the session, and view keystrokes.
Asset-Based Roles

The Information Security Administrator (ISA) role provides rights and functionality required for security personnel. Users with this role can:

+ Set up managed systems and accounts
+ View recorded sessions
+ View active sessions (including Lock/Unlock, Terminate, and Terminate and Cancel of sessions)
+ Bypass workflow

The Auditor role allows the user to run reports in BeyondInsight's Analytics and Reporting and to review replay sessions.

Lesson 4 | Mapping End Users and Groups

This module will familiarize us with mapping Active Directory users and groups to BeyondInsight, adding local Password Safe users to BeyondInsight, adding local Password Safe groups to BeyondInsight, configuring permissions on groups, and configuring roles on groups.

Creating User Groups in BeyondInsight from Active Directory

The first step in this process is to create an Active Directory (AD) group and populate it with AD users. This AD group then gets added to BeyondInsight. Navigate to Configuration > Role Based Access > User Management. Click the Create New Group + button. You will then be presented with the opportunity to search for the desired AD group. Fill in the Domain, pick a predefined Credential, fill in the Group Filter, and click Search Active Directory. Highlight the desired Group in the list and click the Add Group button.
The previous action will take you to the new group's details. Select Smart Groups in the left-hand column, locate the All Managed Accounts smart group, click the ellipsis icon, and choose the Assign Permissions Read Only option from the menu.

Now that the Group has been created and a permission granted, a role and access policy need to be associated with the group in order for the group members to have access. In this example we have chosen the All Managed Accounts smart group. This will give the group members effective access to any and all the Managed Accounts under Password Safe management. This would not be typical in a production environment.

Locate the All Managed Accounts smart group again, then click the ellipsis icon and select Edit Password Safe Roles. Check the Requestor option, and set the appropriate Access Policy for Requestor. Click Save Roles when done.

Creating Local Users & User Groups in BeyondInsight

Create a Local Group

Navigate to Configuration > Role Based Access > User Management. At the top of the screen, click Create New Group +, then select Create a New Group... to create a group that is managed locally. You will create a group that has administrative capabilities only for Linux assets and accounts. In the Create New Group pane, configure the new group with the following settings:

+ Group Name: Unix BeyondInsight Admins
+ Description: Admin for Linux assets and accounts only

Click the Create Group button.
In the Features pane that appears, select the checkbox in the header to select all features. Click the Assign Permissions button, then Assign Permissions Full Control. This will provide access to all features within the BeyondInsight console. On the left side, click the Smart Groups tab. For both the Linux Machines and Linux Managed Accounts smart groups, use the Assign Permissions Full Control option.

Create a Local User

Navigate to Configuration > Role Based Access > User Management. At the top of the screen, click the Users heading. Click Create New User +, then select Create a New User... to create a user account that is managed locally. In the Create New User pane, populate the following information:

+ First Name: Unix
+ Last Name: Administrator
+ Email: unixadmin@btu.cloud
+ Username: unixadmin
+ Password: create a password that reflects complexity requirements, like Password!

Scroll to the bottom and click Create User. After creating the user, the Groups screen appears. Select the Unix BeyondInsight Admins group, then click Assign Group +.

In this example we have created a local group with all permissions to the BeyondInsight Management Console, but we are limiting what its members will see in the console to administrative tasks associated with only the Linux Managed Accounts and Linux Machines smart groups (the two Smart Groups chosen).

Lesson 5 | Requesting, Approving, and Viewing Sessions

Looking at Password Safe from a user's perspective, this module will explore the day-to-day end-user experience, including requesting, approving, and reviewing recorded sessions.
The normal end-user interaction with Password Safe is performed using the same web page logon screen as any other user defined within the BeyondInsight (BI) Management Console. Once logged on, access to BI and Password Safe is determined by the previously designated Group membership, Permissions granted, and Role assignments for the User.

In our example we will log on to BI with the credentials of a member of the PS Requestors Group, mdavis. As part of the PS Requestors Group, mdavis has access to all Managed Accounts (not typical in a production environment). The PS Requestors Group, however, does not have any access to the BI Management Console. Mdavis will be limited to "making requests" for resources associated with the Managed Accounts she has access to. Note that mdavis is an Active Directory defined user and as such is required to specify a Domain during the logon.

The next screen will differ depending on configured access types, but could include Request Access Types to retrieve the password or start a session.

Once logged in, a user in this Requestor context has the following options available:

+ Accounts page - Where choices can be made regarding the type of resource the user wants to access. You may enter an item in the global search field as opposed to returning all accounts.
+ Requests page - Where the user can view all their requests, or Active and Pending requests may be viewed separately.

Using OneClick Launch

Using the OneClick Launch option requires the associated access policy to be set to auto-approve. If the access policy is not set to auto-approve, the OneClick Launch button will appear grayed out and cannot be selected. After clicking the OneClick Launch button, a condensed request window is displayed. A reason must be provided before continuing unless disabled in global configuration.

Requesting Access

Users may request access to those resources and associated Managed Accounts granted to them according to Group membership assigned in BeyondInsight. In this instance, the user mdavis is asking to retrieve a password associated with the mdavis_local Managed Account. The objective is to access the managed Asset WS10 with the mdavis_local managed account. After logging into Password Safe, the user may choose the Accounts page and the Systems button in order to display the available managed systems they could request or check out for a period of time.

A user may initiate an access request in two ways:

1. Click the account-system combination
2. Click the OneClick Launch button

Submitting an Access Request

To submit an access request, click anywhere within the highlighted line of the account and system combination for which you would like to submit an access request. An access request form will appear. Populate the details of your request, then click Submit Request. If configured in the access policy, an email may be sent to an approver.

+ Start Date: date on which the access should begin.
+ Access Policy Windows: allows selection of the appropriate access policy if multiple policies could apply.
+ Start Time: time of day at which the access should begin. Select the Immediately option to request access now.
+ Requested Duration: length of time for which the system/account should be available for access under this request. This time may not be enforced if Force Termination is not enabled in the access policy. The default value is two hours, with a default maximum of 365 days. These defaults may be changed at Configuration > Global Settings.
+ Access Request: check the option for the method(s) you would like to use to access the system/account. Available options are determined by the access policy but could include Password, RDP Session, SSH, and Application Session.
+ Reason: enter a textual justification of up to 200 characters for use of the system/account. This field is required by default unless disabled at Configuration > Privileged Access Management > Password Safe, then Global Settings, option Reason is required for new requests.
+ Ticket System: if configured, allows you to select a system to which the ticket number is associated for cross-reference.
+ Ticket Number: if configured, allows entry of a ticket number to which this session is related.
If retrieving the password, the user may display the password or copy the password to the clipboard. After clicking Submit Request, the Requests page will be displayed. To access the credential or session, click the highlighted Active request line.

Approvals

Once submitted, a request may or may not require approval. If an approval is necessary, as configured in the corresponding access policy, the user's initiated request will be in the Pending section on the Requests page until approved. An approver approves the request, and the approval is acknowledged by Password Safe.

An approvers group may be configured with multiple members irrespective of the configured number of approvers in the access policy. Only the number of approvers configured in the access policy must approve the request; additional approvals have no impact on the access request.
Approvers are all peers within the context of the approval system. For example, if the approver pool contains five members, and the access policy is configured to require two approvers, then any two of the five approvers must allow the request.

Policy Types (from the access policy dialog): at least one Policy Type, such as Auto Approve, must be enabled in order for the Access Policy to take effect.

Reviewing Recorded Sessions

For a user to be able to review recorded sessions, the user must be an administrator, have the Auditor role, or have the ISA role. A user with the appropriate permissions would navigate to Password Safe > Replay. The Replay page will display any available recorded sessions in a sortable and filterable grid. When a session is clicked, more information is displayed, including previous access and comments on the session replay, as well as a button to open the session for replay.
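The request workflow from the Submitting an Access Request and Approvals sections (reason required, two-hour default and 365-day maximum duration, auto-approve versus a quorum of approvers where extra approvals have no effect, the Approver/Requestor rule that nobody approves their own request, and password rotation on check-in), as an added Python example. It is a constructed model, not Password Safe code; the approver names, the state names and the "rotate_password" event are assumed.

```python
"""Access request lifecycle: submission checks, approver quorum, check-in (constructed example, not Password Safe code)."""
from dataclasses import dataclass, field
from typing import List, Set

# Defaults the course describes under Configuration > Global Settings.
DEFAULT_DURATION_MIN = 2 * 60          # two hours
MAX_DURATION_MIN = 365 * 24 * 60       # 365 days
MAX_REASON_LEN = 200


@dataclass
class AccessPolicy:
    name: str
    auto_approve: bool = False
    required_approvers: int = 1        # approvals the policy demands before access starts
    reason_required: bool = True       # "Reason is required for new requests"


@dataclass
class AccessRequest:
    requestor: str
    account: str
    system: str
    policy: AccessPolicy
    reason: str = ""
    duration_min: int = DEFAULT_DURATION_MIN
    approved_by: List[str] = field(default_factory=list)
    status: str = "new"                # new -> pending -> active -> checked_in (assumed names)


def submit(req: AccessRequest) -> str:
    """Validate the request form and place the request in Pending or (auto-approve) Active."""
    if req.policy.reason_required and not req.reason.strip():
        raise ValueError("Reason is required for new requests")
    if len(req.reason) > MAX_REASON_LEN:
        raise ValueError("Reason is limited to 200 characters")
    if not 0 < req.duration_min <= MAX_DURATION_MIN:
        raise ValueError("Requested Duration exceeds the configured maximum")
    req.status = "active" if req.policy.auto_approve else "pending"
    return req.status


def approve(req: AccessRequest, approver: str, approver_pool: Set[str]) -> str:
    """Record one approval; the request becomes Active once the policy's quorum is met.

    Any members of the pool may approve (they are peers), each counts once, and
    approvals beyond the required number change nothing.
    """
    if approver not in approver_pool:
        raise PermissionError(f"{approver} is not an approver for this request")
    if approver == req.requestor:
        raise PermissionError("a user cannot approve their own request")
    if req.status == "active":
        return req.status              # extra approvals have no impact
    if req.status != "pending":
        raise ValueError(f"cannot approve a request in state {req.status}")
    if approver not in req.approved_by:
        req.approved_by.append(approver)
    if len(req.approved_by) >= req.policy.required_approvers:
        req.status = "active"
    return req.status


def check_in(req: AccessRequest) -> str:
    """Check the account back in; the managed account's password is then rotated."""
    if req.status != "active":
        raise ValueError("only an active request can be checked in")
    req.status = "checked_in"
    return "rotate_password"           # event a rotation job would act on (assumed)


def run_example():
    # Constructed scenario: a five-person approver pool, policy needs any two of them.
    pool = {"mdavis", "approver1", "approver2", "approver3", "approver4"}
    policy = AccessPolicy("Two approvers", required_approvers=2)
    req = AccessRequest("mdavis", "mdavis_local", "WS10", policy, reason="Patch install")
    trail = [submit(req)]
    trail.append(approve(req, "approver1", pool))
    trail.append(approve(req, "approver1", pool))   # same approver again: still one approval
    trail.append(approve(req, "approver2", pool))   # quorum reached, request goes active
    trail.append(approve(req, "approver3", pool))   # third approval has no effect
    trail.append(check_in(req))
    return trail, list(req.approved_by)


if __name__ == "__main__":
    print(run_example())
```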
Once opened, the following options are available from the replay screen:

+ Play/Pause video rendering of the session screen
+ Export a snapshot of a session video frame as a JPG file
+ Add comments
+ Search keystrokes
+ Mark recording as reviewed
+ Save & Close, completing the audit trail

Reviewing Active Sessions

For a user to be able to review active sessions, the user must be an administrator, have the ISA role, or be assigned the Active Session Reviewer permission on an account-based smart rule. To review active sessions, a user would navigate to Password Safe > Active Sessions. A list of currently active sessions will be presented. When an active session is selected, more details will appear, including the ability to lock, terminate, or terminate and cancel the session.

+ Lock: when clicked, the session will remain open; however, a graphic or message will be displayed preventing the user from viewing and controlling the session. The graphics and messages can be customized.
+ Terminate: the session will be ended immediately and may be reviewed using the Replay menu option, if accessible. The request will still remain active unless it was already expired or cancelled.
+ Terminate and Cancel: the session will be ended immediately and the request will be checked in.

The user may also click the thumbnail to view the session video and keystrokes in real time. Logged keystrokes from earlier in the session are inaccessible during active sessions.
