
IMPLEMENTATION EXAM WITH Password Safe

Software Deployment (w/hardening)

1. Verify requirements:
- Server requirements; install the required roles and features
- Client requirements
- Database requirements:

Install the example database (a SQL Server database) in the normal way.

New SQL Server stand-alone installation


Under Feature Selection, check the following options, then click Next.
a. Database Engine Services
b. Full-Text and Semantic Extractions for Search
c. Analysis Services
d. Integration Services
Service Accounts:
- SQL Server 2012, 2014: Accept the default service accounts. An individual account is automatically created for each service.
- Set the SQL Server Agent start mode to Automatic (the default is Manual).
- Select Windows authentication mode.

You can select Mixed mode authentication, if desired, and provide the sa account password. Prefer Windows authentication: it stores no database password in the BeyondInsight configuration and leaves the built-in sa login disabled. If Mixed mode is unavoidable, give sa a long generated password; that password is the key to the database that holds every vaulted credential.

Database Permissions Matrix

Authentication mode                              Required permissions
SQL Authentication (SQL Local or SQL Remote)     Assign the SQL Server account the role of sysadmin.
Windows Authentication (SQL Local)               Assign NT AUTHORITY\SYSTEM the role of sysadmin, if not previously assigned.
                                                 Add NT AUTHORITY\NETWORK SERVICE as a Login account in SQL Server, if not previously added.
                                                 On the BeyondInsight database, assign NT AUTHORITY\NETWORK SERVICE the roles of db_owner and REM3Admins.

Both rows give the identity BeyondInsight connects with sysadmin on the instance, so the SQL Server host is inside the Password Safe trust boundary: any process running as LocalSystem on it (Windows authentication), or anyone holding the SQL account's password (SQL authentication), controls the vault's database.

Set the Server Role on NT AUTHORITY\SYSTEM


1. In SQL Server Management Studio, go to Security > Logins.
2. Right click NT AUTHORITY\SYSTEM and select Properties.
3. Select Server Roles > sysadmin, and then click OK.
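The permission matrix above is applied by hand in SQL Server Management Studio. The following script is an added example, not from the page or from BeyondTrust, that applies the Windows Authentication (SQL Local) row with T-SQL and then reads the role memberships back, so the grants are verified rather than assumed. It assumes the SqlServer PowerShell module is installed, that the instance is the default local one, and that the database the Configuration Wizard creates is named BeyondInsight (run the database-level part after that wizard has finished).

```powershell
# Added example, not from the page or from BeyondTrust: applies the Windows
# Authentication (SQL Local) row of the permission matrix with T-SQL and then reads
# the role memberships back, so the grants are verified rather than assumed.
# Assumptions: the SqlServer PowerShell module is installed, the instance is the
# default local one, and the database created by the Configuration Wizard is
# named BeyondInsight.
#Requires -Modules SqlServer
param(
    [string]$Instance = '(local)',
    [string]$Database = 'BeyondInsight'
)

$serverLevel = @'
-- Login for NETWORK SERVICE, created only if missing
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'NT AUTHORITY\NETWORK SERVICE')
    CREATE LOGIN [NT AUTHORITY\NETWORK SERVICE] FROM WINDOWS;
-- sysadmin for LocalSystem, as the matrix requires (idempotent)
IF ISNULL(IS_SRVROLEMEMBER('sysadmin', 'NT AUTHORITY\SYSTEM'), 0) <> 1
    ALTER SERVER ROLE [sysadmin] ADD MEMBER [NT AUTHORITY\SYSTEM];
'@
Invoke-Sqlcmd -ServerInstance $Instance -Query $serverLevel

$dbLevel = @'
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'NT AUTHORITY\NETWORK SERVICE')
    CREATE USER [NT AUTHORITY\NETWORK SERVICE] FOR LOGIN [NT AUTHORITY\NETWORK SERVICE];
IF ISNULL(IS_ROLEMEMBER('db_owner', 'NT AUTHORITY\NETWORK SERVICE'), 0) <> 1
    ALTER ROLE [db_owner] ADD MEMBER [NT AUTHORITY\NETWORK SERVICE];
-- REM3Admins is a role the BeyondInsight installer creates; skip it if it is not there yet
IF DATABASE_PRINCIPAL_ID('REM3Admins') IS NOT NULL
   AND ISNULL(IS_ROLEMEMBER('REM3Admins', 'NT AUTHORITY\NETWORK SERVICE'), 0) <> 1
    ALTER ROLE [REM3Admins] ADD MEMBER [NT AUTHORITY\NETWORK SERVICE];
'@
Invoke-Sqlcmd -ServerInstance $Instance -Database $Database -Query $dbLevel

# Verification: every sysadmin on the instance (each one owns the vault's database),
# and the database roles NETWORK SERVICE actually holds
$sysadmins = Invoke-Sqlcmd -ServerInstance $Instance -Query @'
SELECT m.name AS member
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';
'@
$dbRoles = Invoke-Sqlcmd -ServerInstance $Instance -Database $Database -Query @'
SELECT r.name AS role_name
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'NT AUTHORITY\NETWORK SERVICE';
'@
"sysadmin members: " + ($sysadmins.member -join ', ')
"NETWORK SERVICE roles in ${Database}: " + ($dbRoles.role_name -join ', ')

# The installation notes also require the SQL Server Agent to start automatically
Set-Service -Name 'SQLSERVERAGENT' -StartupType Automatic
Get-Service -Name 'SQLSERVERAGENT' | Select-Object Name, Status, StartType
```

The sysadmin listing is the check worth keeping after the installation: every member printed there can read and rewrite the vault, so the list should contain only the service identities the matrix names plus your DBAs. For the SQL Authentication row the equivalent server-level statement is ALTER SERVER ROLE [sysadmin] ADD MEMBER for the SQL login instead of LocalSystem.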

Port Requirements

- BeyondInsight
- UVM Appliance

Install BI

Install the BeyondInsight Software


1. After BeyondTrust generates your customer license, you will receive an email that includes a link to download product
installers. Download the installers to your system.
2. Run the downloaded BeyondInsight installer.
3. Enter the console license key (serial number).
4. Follow the default prompts.
5. When prompted, supply the license registration information.

Run the Configuration Wizard


1. After the software is installed, the BeyondInsight Configuration
Wizard automatically starts.
2. On the Database page, set SQL Server to (local) if the server is
on the same machine and will use the logged on Windows
credentials to connect.
3. Otherwise, click the Advanced button to enter database
information, including the server name, database name, and
database credentials.

4. The Web Site Information page informs you that the console will
be implemented as the default IIS web site.
5. On the Agent Password page, create a password that will be
used to configure the connection between the scanner and the
console. This password is required to retrieve Central Policy information and to import certificates using the Events Client
Configuration tool. The created password must match the machine's password requirements.
6. On the Event Server Information page, you may configure SNMP.
7. On the Email Information page, you may provide a default SMTP mail server and account. This may be used, for example, to
automatically email a report after a vulnerability scan completes.

8. On the Administrator Password page, create an initial login account to the console. This account will have full rights to the
console. The created password must match the machine's password requirements.

9. The database is now created. Please plan for this process to take about ten minutes.
10. Once complete, click Finish.
11. The management console now starts in your default browser. You can log in with the administrator credentials created during
this process.

Install Retina

Install the Network Security Scanner


1. To install the scanner, run the downloaded Network Security Scanner installer.
2. Enter the license key (serial number).
3. Follow the default prompts.
4. When prompted, supply the license registration information.
5. The auto-update process runs, contacting the BeyondTrust servers. This can take several minutes.
6. Once complete, the Network Security Scanner automatically starts.

Configure Retina Central Policy

1. Navigate to Start > BeyondTrust > Security Scanner Configuration.
2. Click the Configure Central Policy… link.
3. Check the Enable Central Policy box.
4. Configure the following values:
a. Agent Name: (this is the scanner name appearing in BeyondInsight)
b. Central Policy Server: (this is the hostname or FQDN of BeyondInsight)
c. Central Policy Password: (agent password configured during BI setup)
d. Enable legacy Central Policy support: checked (this is only required because the lab does not configure HTTPS certificates; in production leave it unchecked and issue the certificates, so that the scanner-to-console channel is authenticated by the certificate rather than by the agent password alone)
5. Click the Test Central Policy button. A message should appear that the test was successful. Click OK, then click Save Settings.
6. A confirmation message will appear that the save was successful. Click OK, then click the X in the top-right corner of the dialog.
Configuring Events Client

The Events Client enables the BeyondTrust Network Security Scanner to securely send completed scan
data to BeyondInsight, where it will be extracted to populate the database.
7. In the BeyondTrust Network Security Scanner Configuration window, click the Configure
Event Client… link.
8. An Events Client Configuration wizard will appear. Click Next.
9. Enter the Host (this is the hostname or FQDN of BeyondInsight) and leave the default port of 21690. Click Next.

10. On the Workgroup information page, use the default values. Click Next.
11. On the Select a Client Certificate page, no action is needed. The wizard has automatically detected the certificate.
Click Next.
12. On the Event Aware Products page, enable all options and click Next.
13. At the Test Connection page, click Next.
14. After a few seconds, a Test Passed page should appear. Click Next then Finish.
15. Exit the Security Scanner Configuration application. When asked to start the scanner, click No.

Integration w/ AD or LDAP

- Configure a domain with a Functional Account

1. In the BeyondInsight Console, navigate to Configuration > Privileged Access Management > Functional Accounts.
2. To add a new functional account, click the Create Functional Account + button at the top-left of the screen.
3. In the Create Functional Account pane, configure the new functional account as follows:
- Type: Directory
- Platform: Active Directory
- Username: PSFunctional
- Domain: nvgad.local
- Use SSL: Disabled (lab only; enable it in production so that the functional account binds to the domain controllers over LDAPS)
- Password: Soporte123$
4. Click the Test Domain & Load Controllers button. You should see a message next to the button confirming success.
5. Continue the remainder of the configuration as follows:
- Alias: PSFunctional
- Description: Active Directory functional account
6. At the bottom of the page, click Save New Account.
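Before changing Use SSL from Disabled to Enabled outside the lab, check that a domain controller actually serves LDAPS and that the BeyondInsight server trusts the certificate it presents, otherwise Test Domain & Load Controllers will fail after the switch. The script below is an added example, not from the page or from BeyondTrust; the domain is the lab's nvgad.local and the controller name dc01 is an assumption.

```powershell
# Added example, not from the page or from BeyondTrust: before moving the functional
# account from "Use SSL: Disabled" to Enabled, confirm that a domain controller serves
# LDAPS on TCP 636, see which certificate it presents and whether this host trusts it.
# The domain is the lab's; the controller name is an assumption.
param(
    [string]$Domain = 'nvgad.local',
    [string]$DomainController = "dc01.$Domain"
)

$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($DomainController, 636)
} catch {
    Write-Warning "TCP 636 is closed on $DomainController; LDAPS is not available there, so 'Use SSL' cannot be enabled against it"
    return
}

# The callback records the validation result instead of deciding on it, so a chain
# or name error is reported below rather than silently accepted or silently failed.
$script:policyErrors = $null
$callback = {
    param($sender, $certificate, $chain, $errors)
    $script:policyErrors = $errors
    $true
}
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
try {
    $ssl.AuthenticateAsClient($DomainController)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    [pscustomobject]@{
        Server       = $DomainController
        Protocol     = $ssl.SslProtocol
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        Thumbprint   = $cert.Thumbprint
        PolicyErrors = $script:policyErrors   # None means: trusted chain and the name matches
        Trusted      = ($script:policyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
    }
} finally {
    $ssl.Dispose()
    $client.Dispose()
}
```

Run it on the BeyondInsight server itself, because Trusted reflects that machine's certificate store; a RemoteCertificateChainErrors result means the issuing CA must be added to its trusted roots before the functional account is switched to SSL.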

Create Password Policies for Linux and Windows Systems

11. Navigate to Configuration > Privileged Access Management > Password Policies.
12. To create a new password policy, select the Create Password Policy + button at the top-left of the screen.
13. In the Create Password Policy pane, configure the new rule as follows.
- Password Policy Name: Windows Password Policy
- Minimum Length: 15
- Maximum Length: 50
- <Keep the remaining default settings>
14. Scroll to the bottom of the menu and select Create Password Policy.
15. Add an additional new password policy for Linux as follows.
- Password Policy Name: Linux Password Policy
- Minimum Length: 30
- Maximum Length: 70
- <Keep the remaining default settings>
16. Scroll to the bottom of the menu and select Create Password Policy.
17. Add an additional new password policy for MS SQL as follows.
- Name: MS SQL Password Policy
- Minimum Length: 8
- Maximum Length: 14
- <Keep the remaining default settings>
18. Scroll to the bottom of the menu and select Create Password Policy.

These are lab values. The 8 to 14 character MS SQL policy is far weaker than the Windows and Linux ones; the second version of this lab later in the document uses 20 to 35 characters for MS SQL, and the longer bounds are the ones to use wherever the managed SQL login accepts them.

- Manage AD or LDAP accounts

Manually Add an Asset

15. On the Asset page, click Create New Asset +.
16. Fill in the details as shown below and click SAVE ASSET and then click the > collapse panel button at the top-right.
- Asset Name: 78
- DNS Name: app01
- Domain: bt.lab
- Asset Type: Server
- IP Address: 172.16.0.20
- MAC Address: <leave blank>
- Workgroup: BEYONDTRUST WORKGROUP
17. Back on the Assets page, locate the newly added app01 system, then click on the ellipsis menu and select Go to advanced details.... Note that there is no SCAN DATA section, since a scan has not been performed.

Create a Directory Query for Active Directory Users

18. Click on the Configuration tab and navigate to ROLE BASED ACCESS > Directory Credentials.
19. Click Create Directory Credential + at the top-left of the screen.
20. Configure the stored directory credential with the following details:
- Directory Type: Active Directory
- Title: btadmin
- Domain: bt.lab
- Use SSL: enabled
- Username: btadmin
- Password: BTlab1234!
21. Click the TEST CREDENTIAL button.
22. If the credential tests successfully, click the SAVE CREDENTIAL button, otherwise review the configuration above. A stored directory credential only needs read access to the OUs it browses; btadmin is the lab's all-purpose administrator, and a later lab replaces it for this purpose with the DirectoryBrowser managed account.
23. To create the Directory Query, click on Configuration and navigate to ROLE BASED ACCESS > Directory Queries.
24. Click Create Directory Query + at the top-left of the screen.
25. Configure the query with the following details:
- Directory Type: Active Directory
- Title: Exchange Admin Accounts
- Credential: btadmin
26. Next, for the Query Target > Path section, click the BROWSE button at the right. A SELECT DIRECTORY PATH pane appears at the right. Configure as follows:
- Forest or Domain Controller: bt.lab
- Click LOAD DOMAINS
- Domain (drop-down menu): bt.lab
- Double-click on the text or the white folder (but not the solid blue folder) to navigate to BT Users > IT
- Single-click to select Shared Admins
- Click ADD PATH
27. Continue configuration of the Query Target section by entering the following details.
- Scope: This Object And All Child Objects
- Object Type: User Objects
28. In the bottom section, ensure BASIC FILTER is selected. In the Name box, enter exch* to filter for accounts whose usernames begin with exch.
29. Click the TEST button at the bottom to display the query results.
30. Locate the Query Test Results section and confirm that a list of "Exchange Admin xx" named accounts appears, then click SAVE to save the query.

Create a Computer-based AD Query

Next you will create a Directory Query that uses an LDAP query to identify computers.
32. Using a process similar to the previous steps, create a Directory Query that targets Computer Objects and uses the ADVANCED FILTER, i.e., an LDAP query. Be sure to SAVE when complete.
- Directory Type: Active Directory
- Title: BT Windows Desktops
- Credential: btadmin
- Path: bt.lab/BT Machines (be sure to use the BROWSE button so that the path syntax is correct)
- Scope: This Object and All Child Objects
- Object type: Computer Objects
- ADVANCED FILTER: (&(operatingSystem=Windows Server 2019*)(sAMAccountName=LAB*))

Despite its title, this query selects Windows Server 2019 computers whose account name starts with LAB; in this lab the LAB* hosts play the role of desktops. Write the two clauses of the AND filter back to back: RFC 4515 filters have no insignificant whitespace, and a space between the clauses may be rejected by a strict parser.

33. Finally, make an additional computer query for BT Windows Servers. Be sure to SAVE when complete.
- Directory Type: Active Directory
- Title: BT Windows Servers
- Credential: btadmin
- Path: bt.lab/BT Machines (be sure to use the BROWSE button so that the path syntax is correct)
- Scope: This Object and All Child Objects
- Object type: Computer Objects
- ADVANCED FILTER: (operatingSystem=Windows Server 2016*)
- TEST results should include APP01 and BI01 among others.

34. The resulting set of queries is used for subsequent labs. Confirm the following appear:
- BT Windows Desktops
- BT Windows Servers
- Exchange Admin Accounts
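The console's TEST button is the only feedback the two computer queries get, so it helps to run the same filters against the same OU from outside the console and compare the result sets. The script below is an added example, not from the page or from BeyondTrust: the domain bt.lab, the BT Machines OU and both filters are the page's, while the credential used is whatever runs the script rather than the btadmin credential the console uses, which is an assumption.

```powershell
# Added example, not from the page or from BeyondTrust: runs the two computer queries
# above with the same LDAP filters outside the console, so a wrong path or filter shows
# up before the query is wired into a Smart Rule. Domain bt.lab, the BT Machines OU and
# the filters are the page's; the credential is the one running the script (the console
# would use btadmin), which is an assumption.
param([string]$Domain = 'bt.lab')

$domainDn = (($Domain -split '\.') | ForEach-Object { "DC=$_" }) -join ','
$ouDn     = "OU=BT Machines,$domainDn"

$queries = @(
    @{ Title = 'BT Windows Desktops'; Filter = '(&(operatingSystem=Windows Server 2019*)(sAMAccountName=LAB*))' }
    @{ Title = 'BT Windows Servers';  Filter = '(operatingSystem=Windows Server 2016*)' }
)

foreach ($q in $queries) {
    # "Object type: Computer Objects" in the console is the objectCategory=computer clause
    $filter = "(&(objectCategory=computer)$($q.Filter))"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [adsi]"LDAP://$Domain/$ouDn"
    $searcher.SearchScope = 'Subtree'        # "This Object And All Child Objects"
    $searcher.Filter      = $filter
    $searcher.PageSize    = 500              # paged results in case the OU is large
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('name', 'operatingSystem', 'dNSHostName'))

    $results = $searcher.FindAll()
    '{0}: {1} computer(s) for {2}' -f $q.Title, $results.Count, $filter
    foreach ($r in $results) {
        '  {0,-10} {1,-30} {2}' -f $r.Properties['name'][0], $r.Properties['operatingsystem'][0], $r.Properties['dnshostname'][0]
    }
    $results.Dispose()
    $searcher.Dispose()
}
```

The two listings should match the console's Query Test Results exactly; the BT Windows Servers output is the one to check for APP01 and BI01. An empty result with no error usually means the path is wrong, which is why the console insists on BROWSE for the path.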

- Link accounts to domain assets

Onboarding of Assets

(3rd Party Imports, Discovery Scans & Manually)

- Able to use XML import to onboard a system?

- Able to use a Detailed discovery scan for a Windows or Unix system?

1. Click the Scan icon from the side-menu or select the scan card from the home page.
2. Select Advanced Discovery Scan, then select NEXT.
3. Your first scan will be against the LAB01 machine. In the SELECT SCAN TARGETS pane, enter Lab01 (not case sensitive) for the Target Entry.
4. Select NEXT.
5. At the CHOOSE SCAN AGENT pane, select BTLab Scanner and then select NEXT.

For Windows:

6. At the ENTER CREDENTIALS pane, Custom Credential section, enter the credentials shown below.
- Username: btadmin
- Password: BTlab1234!
- Domain: bt.lab
7. Verify that your credentials are valid by selecting the TEST CREDENTIAL button. Credentials are validated against AD, not the target machine, so a passing test only proves the password is correct; it does not prove that btadmin can log on to LAB01 with the rights the scan needs.
8. When the credentials have been verified, click NEXT.
9. At the NAME THE SCAN pane, select Immediate from the Schedule Type drop-down menu and then select FINISH.
10. Selecting FINISH will take you to the SCANS page where you can track the scan status by selecting the Refresh icon until it completes. It should take five to seven minutes to complete in our lab environment. Note that even though the status says Completed, scan data is still being written to the BeyondInsight database and won't be available to view in BeyondInsight until that process

For Linux

11. Perform another Advanced Discovery Scan, this time against the LX01 machine. Configure the scan for a single hostname, LX01, and use the following credentials:
- Username: root
- Password: BTlab1234!
- Domain: <empty field>
12. Once both discovery scans are complete and processed into the database, select the Assets page icon.

- Able to manually onboard a Database system?

Add the MS SQL Database to Password Safe as a Managed System

3. Click on the Assets tab.
4. Locate the BI01 asset, then click the ellipsis button and select Go to advanced details....
5. Under the GENERAL DATA section at the left, select Databases.
6. Note that the database instance on BI01 has automatically been added. Additional database instances can be added by selecting Add Database + at the top-left of the Databases pane.
7. On the MSSQLSERVER database instance, click the ellipsis button and select Add to Password Safe.... This will define the database as a Managed System.
8. Create the new database Managed System as follows:
- Automatic Password Change Options
- Password Policy: MS SQL Password Policy
- Credentials
- Functional Account: sa
9. Click CREATE MANAGED SYSTEM.

Using sa as the functional account is the lab shortcut: it is the instance's built-in sysadmin login, so Password Safe then holds a credential that can do anything on the server. In production create a dedicated SQL login for the functional account and grant it only what resetting the managed logins requires.

Onboarding of Accounts

- Knows where the password policies are and is able to create 2 or more different password policies

Create Password Policies for Linux and Windows Systems

12. Navigate to Configuration > PRIVILEGED ACCESS MANAGEMENT POLICIES > Password Policies.
13. To create a new password policy, select Create Password Policy + at the top-left of the screen.
14. In the Create Password Policy pane, configure the new rule as follows.
- Password Policy Name: Windows Password Policy
- Minimum Length: 25
- Maximum Length: 50
- <Keep the remaining default settings>
15. Scroll to the bottom of the menu and select CREATE PASSWORD POLICY.
16. Add an additional new password policy for Linux as follows.
- Password Policy Name: Linux Password Policy
- Minimum Length: 30
- Maximum Length: 70
- <Keep the remaining default settings>
17. Scroll to the bottom of the menu and select CREATE PASSWORD POLICY.
18. Add an additional new password policy for MS SQL as follows.
- Name: MS SQL Password Policy
- Minimum Length: 20
- Maximum Length: 35
- Non-Alphanumeric Characters: Permit non-alphanumeric characters: unchecked (no symbols; the greater length makes up for the smaller character set, and it keeps out characters such as quotes, semicolons and backslashes that connection strings and SQL tooling mis-parse)
- <Keep the remaining default settings>
19. Scroll to the bottom of the menu and select CREATE PASSWORD POLICY.
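Both versions of the password-policy lab (the earlier one with the 8 to 14 character MS SQL policy, and this one) express the same three rules: a minimum length, a maximum length, and whether non-alphanumeric characters are permitted. The script below is an added example, not from the page or from BeyondTrust, that implements those rules as a generator and a checker, using a CSPRNG with rejection sampling so that neither the length nor the characters are biased. The bounds are the lab's; the symbol set it uses when symbols are permitted is this example's choice.

```powershell
# Added example, not from the page or from BeyondTrust: a generator and a checker that
# implement the rules the three policies above express (minimum and maximum length, and
# whether non-alphanumeric characters are permitted) with a CSPRNG and no modulo bias.
# The bounds are the lab's: Windows 25-50, Linux 30-70, MS SQL 20-35 alphanumeric only.
function Get-UniformIndex {
    # Uniform integer in [0, Upper) from the RNG, by rejection sampling
    param([System.Security.Cryptography.RandomNumberGenerator]$Rng, [int]$Upper)
    $buf = New-Object byte[] 4
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$Upper)
    do {
        $Rng.GetBytes($buf)
        $v = [BitConverter]::ToUInt32($buf, 0)
    } while ($v -ge $limit)
    [int]($v % [uint32]$Upper)
}

function New-PolicyPassword {
    param(
        [Parameter(Mandatory)][int]$MinLength,
        [Parameter(Mandatory)][int]$MaxLength,
        [bool]$PermitNonAlphanumeric = $true
    )
    if ($MinLength -lt 1 -or $MaxLength -lt $MinLength) { throw 'invalid length bounds' }
    $alphabet = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
    if ($PermitNonAlphanumeric) {
        # Deliberately without quotes, backslash, dollar, backtick, comma, semicolon,
        # equals and space: those are the characters that connection strings, shells
        # and SQL literals most often mis-parse.
        $alphabet += [char[]]'!#%&()*+-./:<>?@[]^_{|}~'
    }
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        $length = $MinLength + (Get-UniformIndex -Rng $rng -Upper ($MaxLength - $MinLength + 1))
        $chars = foreach ($i in 1..$length) { $alphabet[(Get-UniformIndex -Rng $rng -Upper $alphabet.Length)] }
        -join $chars
    } finally { $rng.Dispose() }
}

function Test-PolicyPassword {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][int]$MinLength,
        [Parameter(Mandatory)][int]$MaxLength,
        [bool]$PermitNonAlphanumeric = $true
    )
    $problems = @()
    if ($Password.Length -lt $MinLength) { $problems += "shorter than $MinLength" }
    if ($Password.Length -gt $MaxLength) { $problems += "longer than $MaxLength" }
    if (-not $PermitNonAlphanumeric -and $Password -match '[^A-Za-z0-9]') {
        $problems += 'contains non-alphanumeric characters'
    }
    [pscustomobject]@{ Compliant = ($problems.Count -eq 0); Problems = $problems }
}

# The lab policies, as parameter sets that splat into both functions
$policies = [ordered]@{
    'Windows Password Policy' = @{ MinLength = 25; MaxLength = 50 }
    'Linux Password Policy'   = @{ MinLength = 30; MaxLength = 70 }
    'MS SQL Password Policy'  = @{ MinLength = 20; MaxLength = 35; PermitNonAlphanumeric = $false }
}
foreach ($name in $policies.Keys) {
    $p  = $policies[$name]
    $pw = New-PolicyPassword @p
    $ok = (Test-PolicyPassword -Password $pw @p).Compliant
    '{0,-24} length={1,2} compliant={2}' -f $name, $pw.Length, $ok
}
# A 12-character password from the first version of the MS SQL policy fails the 20-35 one:
(Test-PolicyPassword -Password 'Ab3dEfGh9kLm' -MinLength 20 -MaxLength 35 -PermitNonAlphanumeric $false).Problems
```

The checker is the useful half when reviewing an existing estate: run it over the current passwords of accounts about to be onboarded to see which would fail the policy they are assigned, since Password Safe applies the policy at the next change, not to the password it inherits.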

- Able to manage the target assets and successfully put the accounts under management

2. Select Assets from the side-menu. Locate the LX01 asset, then click the ellipsis at the right and select Add to Password Safe....
3. From the CREATE NEW MANAGED SYSTEM pane, configure the following:
- Platform: Linux
- Automatic Password Change Options
- Password Policy: Linux Password Policy
- Credentials
- Functional Account: Linux root account
4. Click the CREATE MANAGED SYSTEM button.


Configure Automated Password Management

- Show where to enable password rotation

5. From the Managed Systems page, select the ellipsis icon for LAB01, then select Go to advanced details....
6. Under ADVANCED DETAILS select Managed Accounts. From here you will add Managed Accounts. These are existing accounts on the Managed System for which Password Safe manages the password. Select Create New Account + and configure the following:
- Identification
- Name: mdavis_local
- Description: Local account for testing password rotation
- Credentials
- Password: BTlab1234!
- Automatic Password Change Options
- Password Policy: Windows Password Policy
7. Review the remaining settings, but make no further changes. Scroll to the bottom and select CREATE ACCOUNT.
8. Select the ellipsis icon for the mdavis_local account, then select Test Password. This will validate that the password stored in Password Safe matches that stored on the Managed System (LAB01).
9. Select Change Password. This will cause Password Safe to connect to the Managed System (LAB01) using the Functional Account and change the password for mdavis_local to one matching the password policy (Windows Password Policy) associated with the Managed Account (mdavis_local). Password Safe maintains a copy of the new password in its database.
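Test Password and Change Password report what Password Safe believes happened; an independent check from the host side is what proves the rotation. The script below is an added example, not from the page or from BeyondTrust: it validates the old lab password and the new one, retrieved from Password Safe by an authorised user and passed in as a SecureString, against LAB01's local SAM. LAB01, the account name and the pre-rotation password are the page's; the method of verifying is this example's.

```powershell
# Added example, not from the page or from BeyondTrust: confirms from outside Password
# Safe that the rotation of mdavis_local on LAB01 took effect. The pre-rotation lab
# password must now be rejected and the new one, retrieved from Password Safe by an
# authorised user and passed in as a SecureString, must be accepted. LAB01 and the
# account name are the page's; the verification method is this example's.
param(
    [string]$Computer = 'LAB01',
    [string]$Account  = 'mdavis_local',
    [Parameter(Mandatory)][securestring]$NewPassword
)
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-LocalCredential {
    # Network logon against the machine's local SAM; True only if the password is current
    param([string]$Computer, [string]$User, [string]$Password)
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
        [System.DirectoryServices.AccountManagement.ContextType]::Machine, $Computer)
    try { $ctx.ValidateCredentials($User, $Password) } finally { $ctx.Dispose() }
}

$plain = [System.Net.NetworkCredential]::new('', $NewPassword).Password
$old   = Test-LocalCredential -Computer $Computer -User $Account -Password 'BTlab1234!'   # value set at onboarding
$new   = Test-LocalCredential -Computer $Computer -User $Account -Password $plain
$plain = $null

# Independent signal from the account itself: seconds since the password was last set
$ageSeconds = [int]([adsi]"WinNT://$Computer/$Account,user").PasswordAge.Value

[pscustomobject]@{
    Computer            = $Computer
    Account             = $Account
    OldPasswordAccepted = $old            # expected False after Change Password
    NewPasswordAccepted = $new            # expected True
    PasswordAgeMinutes  = [math]::Round($ageSeconds / 60, 1)
    Rotated             = ((-not $old) -and $new)
}
```

The old-password probe is a deliberate failed logon: it is recorded on LAB01 as a 4625 event and counts toward any lockout threshold, so run it once, not in a loop, and expect it to show up in the SIEM.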

- Show where to enable DSS Key rotation

Create a DSS Key Rule in Password Safe

36. Log in to the BeyondInsight management console as insightadmin, password BTlab1234!. Navigate to Configuration > PRIVILEGED ACCESS MANAGEMENT POLICIES > DSS Key Policies.
37. At the top-left of the screen, select Create DSS Key Policy +.
38. In the Create DSS Key Policy pane, configure the new policy as follows:
- Name: BT DSS Policy
- Description: Policy used to generate new DSS keys for BT
- Key Type: RSA
- Bit Size: 2048
- Encryption: enabled (the generated private key is passphrase-protected)
- Password Policy: Default Password Policy (the policy the passphrase is generated from)
39. Click the CREATE DSS KEY POLICY button.

Configure a Managed Account for DSS Authentication
40. Navigate to the Assets page.
41. Locate the LX01 asset, then click the ellipsis button and select Edit Password Safe details....
42. Under the General Settings section, change the DSS Key Policy to BT DSS Policy, then click UPDATE MANAGED SYSTEM.
43. Navigate to the Managed Systems page.
44. Locate the LX01 asset, then click the ellipsis button and select Go to advanced details....
45. Select the Managed Accounts tab and then click Create New Account +.
46. Within the CREATE MANAGED ACCOUNT pane, configure the new account as follows:
- Identification
- Name: mdavis_ssh
- Credentials
- Authentication Type: DSS
- Upload SSH Key File: click in the box and select the key file C:\Users\btadmin.BT\Documents\SSH Keys\mdavis_OpenSSH
- Passphrase: BTlab1234!
- Automatic Password Change Options
- Auto-Manage DSS Key: enabled (you will need to scroll down to see this setting)
47. You do not need to enter the password for mdavis_ssh since she will be authenticated via SSH. However, if for some reason SSH authentication fails, or you want to utilize Password Safe's password authentication as a backup, you can select the Allow Fallback to Password option found in the Credentials section. Leave that option disabled for this lab; enabling it keeps a second, password-based path onto the host alive, which is what moving the account to key authentication was meant to remove.
48. Click CREATE ACCOUNT.
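The key uploaded for mdavis_ssh is the one Password Safe will later rotate under the BT DSS Policy, so it is worth checking that the file satisfies the same policy (RSA, 2048 bits, encrypted private key) and that the passphrase entered in the console really opens it. The script below is an added example, not from the page or from BeyondTrust: it reads the key format directly to decide whether the private key is encrypted, uses ssh-keygen from the Windows OpenSSH client for the fingerprint and the passphrase check, and shows how a compliant replacement key is generated. The path and passphrase are the lab's; the comment string on the generated key is an assumption.

```powershell
# Added example, not from the page or from BeyondTrust: checks a key file against what
# the BT DSS Policy requires (RSA, 2048 bits, passphrase-protected) before it is uploaded
# for mdavis_ssh, and generates a compliant key the same way. Uses ssh-keygen from the
# Windows OpenSSH client; the path and passphrase are the lab's.
param(
    [string]$KeyFile    = 'C:\Users\btadmin.BT\Documents\SSH Keys\mdavis_OpenSSH',
    [string]$Passphrase = 'BTlab1234!'
)

function Test-KeyEncrypted {
    # Decides from the file itself, without any passphrase, whether the private key is encrypted
    param([string]$Path)
    $lines = Get-Content -Path $Path
    if ($lines[0] -eq '-----BEGIN OPENSSH PRIVATE KEY-----') {
        # OpenSSH format: base64 of "openssh-key-v1\0" (15 bytes), then a length-prefixed
        # cipher name; "none" means the key is stored in clear
        $body   = ($lines | Where-Object { $_ -notmatch '^-----' }) -join ''
        $raw    = [Convert]::FromBase64String($body)
        $len    = [System.Net.IPAddress]::NetworkToHostOrder([BitConverter]::ToInt32($raw, 15))
        $cipher = [Text.Encoding]::ASCII.GetString($raw, 19, $len)
        return ($cipher -ne 'none')
    }
    # PEM format: an encrypted key carries a Proc-Type header
    return [bool]($lines -match '^Proc-Type: 4,ENCRYPTED')
}

function Test-DssKeyFile {
    param([string]$Path, [string]$Passphrase, [string]$RequiredType = 'RSA', [int]$MinBits = 2048)
    $encrypted = Test-KeyEncrypted -Path $Path

    # -y prints the public key; -P supplies the passphrase so nothing prompts
    $pub = & ssh-keygen -y -f $Path -P $Passphrase 2>$null
    if ($LASTEXITCODE -ne 0) {
        return [pscustomobject]@{ File = $Path; Encrypted = $encrypted; PassphraseOK = $false; PolicyOK = $false }
    }

    # Fingerprint line looks like "2048 SHA256:... comment (RSA)"; taken from the public
    # key so it works for both PEM and OpenSSH-format private keys
    $tmp = New-TemporaryFile
    try {
        Set-Content -Path $tmp.FullName -Value $pub -Encoding ascii
        $fp = (& ssh-keygen -l -f $tmp.FullName) -split '\s+'
    } finally { Remove-Item $tmp.FullName -Force }
    $bits = [int]$fp[0]
    $type = $fp[-1].Trim('()')

    [pscustomobject]@{
        File         = $Path
        Type         = $type
        Bits         = $bits
        Encrypted    = $encrypted
        PassphraseOK = $true
        Fingerprint  = $fp[1]
        PolicyOK     = ($type -eq $RequiredType -and $bits -ge $MinBits -and $encrypted)
    }
}

function New-DssKeyFile {
    # A key pair that satisfies the same policy: RSA 2048 with an encrypted private key
    # (ssh-keygen asks before overwriting an existing file; pick a fresh path)
    param([string]$Path, [string]$Passphrase, [string]$Comment = 'mdavis@LX01')
    & ssh-keygen -t rsa -b 2048 -N $Passphrase -C $Comment -f $Path -q
    if ($LASTEXITCODE -ne 0) { throw "ssh-keygen failed for $Path" }
    Test-DssKeyFile -Path $Path -Passphrase $Passphrase
}

Test-DssKeyFile -Path $KeyFile -Passphrase $Passphrase
```

A result with Encrypted false is the one to act on before uploading: an unencrypted private key sitting in a user's Documents folder is readable by anything running as that user, and the passphrase field in the console then protects nothing.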

Smart Rules (Asset based / Account based)

- Able to show understanding of the difference between Asset and Account smart rules

An asset-based Smart Rule selects assets (hosts that were discovered, imported or added manually) and is what onboards them as Managed Systems; an account-based (Managed Account) Smart Rule selects accounts, for example from a Directory Query, and sets how they are managed, which systems they are linked to, or which users may request them.

Create and use an account-based smart rule to automatically onboard the local administrator account

- Create a smart rule to onboard assets

Create a Basic Smart Rule for Categorizing Discovered Assets

2. From the side-menu, select the Smart Rules icon. Alternatively, you could select the Assets page icon to navigate to the Assets page and then select Manage Smart Rules at the top-right.
3. Click Create Smart Rule + at the top-left of the window.
4. Start defining the Smart Rule by specifying the following configuration.
- Category: Assets and Devices
- Name: Lab Workstations
- Description: Any workstation whose hostname contains 'Lab'
- Reprocessing Limit: Default
5. Configure the Selection Criteria with the following values:
- Include items that match: ALL
- Criteria: Asset fields
- Field: Asset Name
- Match: contains
- Value: Lab
6. Under the Actions heading, set an action of Show asset as Smart Group. While here, look at some of the other actions available in the dropdown.
7. Click CREATE SMART RULE and then click the > expand panel icon in the top-left corner to show the Smart Rules list.

Using Smart Rules to Onboard Systems

6. Select Assets from the side-menu.
7. Click on Manage Smart Rules in the top-right.
8. Click Create Smart Rule + at the top-left of the window.
9. Configure the Smart Rule as follows:
- Category: Automation (Note: Type this in and click ADD AS NEW OPTION to create a new category)
- Name: New Windows Desktops
- Description: Onboard new Windows desktops to Password Safe
- Reprocessing Limit: Default
10. Configure the Selection Criteria with the following values:
- Include items that match: ALL
- Criteria: Asset fields
- Field: First Discovery Date
- Match: is not older than X days
- Value: 14
11. Click Add another condition, then configure the new condition with the following values:
- Criteria: Operating System
- Match: contains
- Value: Windows Server 2019
- Limit to most recent OS detected: Enabled
- Exclude assets where value is unassigned
12. Next, set the first action as follows:
- Action: Manage Assets using Password Safe
- Platform: Windows
- Account Name Format: Domain\Username
- Functional Account: PSFunctional (bt.lab\PSFunctional)
- Enable Automatic Password Management: yes
- Enable Accounts for AD Queries: no
- Password Rule: Windows Password Policy
- Connection Timeout: 30
13. Finally, click Add another action and set the second action as follows:
- Action: Show asset as Smart Group
- Sub-Action: View assets in a standard asset grid
14. Click CREATE SMART RULE and then click the > expand panel icon in the top-left corner to show the Smart Rules list.
15. Select Assets from the side-menu.
16. Verify that the new New Windows Desktops group appears in the Smart Group filter drop-down menu. After selecting the group, the LAB01 machine should display.

The rule's only gates are the 14-day discovery window and the OS string, so any host that appears in a scan within that window and reports Windows Server 2019 is handed to the functional account and put under management. Review new members of the group rather than treating membership as a sign the host was expected.

- Create a smart rule to onboard AD accounts

Adding Active Directory as a Managed System

30. Next you will onboard an Active Directory domain to Password Safe almost in the same way as onboarding any other system.
31. Select Managed Systems from the side-menu.
32. At the top-left of the screen, click Create New Managed System +.
33. Configure the directory in the CREATE NEW MANAGED SYSTEM pane:
- Type: Directory
- Platform: Active Directory
- Identification
- Domain: bt.lab
- Use SSL: enabled
- Workgroup: BeyondTrust Workgroup
- Automatic Password Change Options
- Password Policy: Windows Password Policy
- Credentials
- Functional Account: PSFunctional (bt.lab\PSFunctional)
34. Click the CREATE MANAGED SYSTEM button.

Onboard the DirectoryBrowser Account

Now that you have onboarded Active Directory as a Managed System, we can onboard DirectoryBrowser as a Managed Account.
35. On the Managed Systems page, locate the newly added bt.lab managed system. Click the ellipsis button and select Create Managed Account.
36. Add the DirectoryBrowser domain account.
- Identification
- Name: DirectoryBrowser
- sAMAccountName: DirectoryBrowser
- User Principal Name: DirectoryBrowser@bt.lab
- Description: DirectoryBrowser: Managed account for directory queries
- Credentials
- Password: BTlab1234!
- Automatic Password Change Options
- Password Policy: Windows Password Policy

Enable Query Credentials on a Managed Account

In this section, you will enable the DirectoryBrowser Managed Account you just onboarded to be used for directory queries. Compared with the stored btadmin directory credential used earlier, this keeps the query account under automatic rotation instead of in the static credential store.
41. Navigate to the Managed Accounts page and find the DirectoryBrowser account.
42. Click on the ellipsis at the far right and select Edit Account....
43. Scroll down and expand Account Settings. Locate the Directory Query Enabled setting and enable it.

Create Additional User Directory Queries

45. Navigate to Configuration > ROLE BASED ACCESS > Directory Queries. Click Create Directory Query +.
46. Using the same process you followed in the previous labs, create a new directory query. This time you will use the DirectoryBrowser managed account as your AD credentials.
47. Continue creating the rest of the query:
- Directory Type: Active Directory
- Title: Helpdesk Admin Accounts
- Credential: DirectoryBrowser: Managed account for directory queries
- Path: bt.lab/BT Users/IT (be sure to use the BROWSE button so that the path syntax is correct)
- Scope: This Object And All Child Objects
- Object type: User Objects
- BASIC FILTER - Name: helpdesk*
48. Click TEST to ensure the query shows 10 accounts. If successful, click SAVE.

Automating Active Directory Account Onboarding

49. Select Smart Rules from the side-menu, then from the Smart Rule type filter drop-down menu select Managed Account.
50. Click Create Smart Rule + at the top-left of the window.
51. Define the Smart Rule as follows:
- Category: Automation
- Name: Helpdesk Accounts
- Description: Onboard shared helpdesk accounts
- Reprocessing Limit: Default
52. Configure the Selection Criteria with the following values:
- Include items that match: ALL
- Criteria: Directory Query
- Type: Include accounts from Directory Query
- Query: Helpdesk Admin Accounts
- Re-run the query every X hours: 0 (this executes the query once initially, then on-demand only)
- Discover accounts for Password Safe Management: enabled
- Domain: bt.lab
53. Set three actions.
- Action 1: Manage Account Settings
- Password Rule: Windows Password Policy
- Enable Automatic Password Management: yes
- Action 2: Link domain accounts to Managed Systems
- Asset or Managed System Smart Group: New Windows Desktops - (Asset group)
- Action 3: Show managed account as Smart Group
54. Click CREATE SMART RULE and then > expand panel in the top-left to return to the smart rule list.

- Create Smart Rules to map dedicated admin accounts

First create a Directory Query that targets the dedicated admin accounts.

10. Select Configuration and navigate to ROLE BASED ACCESS > Directory Queries.
11. Click Create Directory Query + at the top-left of the screen.
12. Configure the query with the following details:
- Directory Type: Active Directory
- Title: Dedicated Admin Accounts (Managed)
- Credential: DirectoryBrowser: Managed account for directory queries
- Path: bt.lab/BT Users/IT/Dedicated Admins (be sure to use the BROWSE button so that the path syntax is correct)
- Scope: This Object and All Child Objects
- Object Type: User Objects
- BASIC FILTER - Name: *-adm
13. Click the TEST button at the bottom to display the query results.
14. Review the Query Test Results and confirm that a list of "xx xx (Admin)" named accounts appears, then click SAVE.

Onboard Dedicated Admin Accounts to Password Safe with a Smart Rule

22. Select Smart Rules from the side-menu and then, from the Smart Rule type filter drop-down menu, select Managed Account.
23. Click Create Smart Rule + at the top-left of the window.
24. Define the Smart Rule as follows:
- Category: Dedicated Admin Accounts (Note: Type this in and click Add as New Option to create a new category)
- Name: Dedicated Admin Accounts (Managed)
- Description: Onboard dedicated admin accounts
- Reprocessing Limit: Default
25. Configure the Selection Criteria with the following values:
- Include items that match: ALL
- Criteria: Directory Query
- Type: Include accounts from Directory Query
- Query: Dedicated Admin Accounts (Managed)
- Re-run the query every X hours: 0 (this executes the query once initially, then on-demand only)
- Discover accounts for Password Safe Management: enabled
- Domain: bt.lab
26. Next, set the Actions section as follows.
- Action: Manage Account Settings
- Password Rule: Windows Password Policy
- Enable Automatic Password Management: yes
- (leave other items at their defaults)
27. Click Add another action and add the second action Show managed account as Smart Group.
28. Click CREATE SMART RULE and then click > in the top-left to return to the smart rules list.
29. Now,

Map End Users to Dedicated Admin Accounts With a Smart Rule

38. Create another Managed Account Smart Rule.
39. Define the Smart Rule as follows:
- Category: Dedicated Admin Accounts
- Name: Map Dedicated Admin Accounts
- Description: Map managed dedicated admin accounts to PS Dedicated Admin Requesters group
- Reprocessing Limit: Default
40. Configure Selection Criteria:
- Include items that match: ALL
- Criteria: Dedicated Account
- Type: Account Name
- Match: with suffix
- Value: -adm
41. Click Add another condition and set the new criteria with the following values:
- Criteria: Dedicated Account
- Type: Domain Name
- Match: equals (=)
- Value: bt.lab
42. Set Actions as follows:
- Action: Map Dedicated Accounts To
- User Group: bt.lab\PS Dedicated Admin Requesters
43. Click Add another action and add the second action Show managed account as Smart Group.
44. Click CREATE SMART RULE and then click > in the top-left to return to the smart rules list.

Creating Local User Groups & Active Directory (Configure RBAC)

- Map groups from Active Directory to B.I.

Map the AD PS Requester Group in BeyondInsight

2. In the BeyondInsight console, click on Configuration > ROLE BASED ACCESS > User Management.
3. At the top of the screen, click Create New Group + then select Add an Active Directory Group....
4. In the dialog that appears, fill in the details below.
- Credential: DirectoryBrowser: Managed account for directory queries (bt.lab)
- Domain: bt.lab
- Filter by Group Name: PS*
5. When results appear, select PS Requesters then click ADD GROUP.
6. In the Features pane that appears, do not enable any features. Features determine which areas of the BeyondInsight console users will have access to. With no features assigned, users belonging to the Requester group will not have console access, but will have access to the Password Safe client.
8. On the left side, click the Smart Groups tab.
9. Locate the All Managed Accounts smart group, then click the ellipsis button and select + Assign Permissions Read Only.

 Assign console and access permissions

PS Requesters
When results appear, select PS Requesters then click ADD GROUP.
On the left side, click the Smart Groups tab.
9. Locate the All Managed Accounts smart group, then click the ellipsis button and select + Assign Permissions Read Only.

PS Approvers
When results appear, select PS Approvers then click ADD GROUP.
18. In the Features pane that appears, do not enable any features.
Locate the All Managed Accounts smart group, then click the ellipsis button and select + Assign Permissions Read Only.

PS ISAs
When results appear, select PS ISAs then click ADD GROUP.
28. In the Features pane that appears, select the checkbox in the header to select all features.
29. Click Assign Permissions (shown right above the column header), then Assign Permissions Full Control. This will provide access to all features within the BeyondInsight console.

 Configure the roles of requester and approver in the correct smart group

PS Requesters
Locate the All Managed Accounts smart group, then click the ellipsis button and select + Assign Permissions Read Only.
Locate the All Managed Accounts smart group again, then click the ellipsis button and select Edit Password Safe Roles.
Check Requestor, and set the Access Policy for Requestor to 24x7 Auto-approve. Click SAVE ROLES when done.

PS Approvers
Locate the All Managed Accounts smart group, then click the ellipsis button and select + Assign Permissions Read Only.
Locate the All Managed Accounts smart group again, then click the ellipsis button and select Edit Password Safe Roles.
Check Approver. Click SAVE ROLES when done.

 Create a local account in B.I.

Create a Password Safe Unix Admin User

44. Navigate to Configuration > ROLE BASED ACCESS > User Management.
45. At the top of the screen, click the Users tab.
46. Click Create New User + then select Create a New User... to create a user account that is managed locally.
47. In the CREATE NEW USER pane, populate the following information:

- First Name: Linux
- Last Name: Administrator
- Email: linuxadmin@bt.lab
- User Name: linuxadmin
- Password: BTlab1234!

48. Scroll to the bottom and click CREATE USER.

Navigate to Configuration > ROLE BASED ACCESS > User Management.

36. At the top-left, click Create New Group + then select Create a New Group... to create a group that is managed locally.
37. You will create a group that has administrative capabilities only for Linux assets, Managed Systems and Managed Accounts. In the CREATE NEW GROUP pane, configure the new group with the following settings:

- Group Name: Linux PS Admins
- Description: PS Admin for Linux Managed Systems and Accounts

38. Click the CREATE GROUP button.
39. In the Features pane that appears, select the Feature Name checkbox in the header to select all features.
40. Click Assign Permissions, then Assign Permissions Full Control. This will provide access to all features within the BeyondInsight console.
41. On the left side, click the Smart Groups tab.
42. For the Linux Machines, Linux Managed Accounts and Linux Managed Systems Smart Groups, set Assign Permissions Full Control.
43. For Linux Machines, set the Password Safe Role to Information security administrator.

 Add the created account into an Auditor's group

After creating the user, the Groups screen appears. Select the Linux PS Admins group then click Assign Group +.
 Test login of both Active Directory and local accounts for requester

Access policy

 Navigate to access policies

From the BeyondInsight console navigate to Configuration > PRIVILEGED ACCESS MANAGEMENT POLICIES > Access Policies.

 Create 2 or 3 policies for the following:

 24 by 7 – Auto approve

Select Create New Access Policy + at the upper-left.

4. Enter 24x7 Auto-approve in the Access Policy Name field and then click CREATE ACCESS POLICY.
5. Under the BASIC DETAILS tab, enter 24x7 access, auto-approve, with recording in the Description field and then select SAVE ACCESS POLICY.
6. Select the SCHEDULE tab and then select Create Schedule +.
7. At the CREATE NEW SCHEDULE pane, configure the access policy as follows:

- Time Range > Total Time: All Day (enable)
- Recurrence > Repeat Presets: Every Day
- Allow multi-day check-out of accounts: (enable)
- Policy Types:
  - View Password: (enable)
    - Approvers: Auto Approve (checked)
  - RDP: (enabled by default)
    - Approvers: Auto Approve (checked)
    - Concurrent: Unlimited (checked)
    - Record: (enabled by default)
    - Keystroke Logging: (checked)
    - Enhanced Session Auditing: (checked)
    - Logoff On Disconnect: (checked)
  - SSH: (enabled by default)
    - Approvers: Auto Approve (checked)
    - Concurrent: Unlimited (checked)
    - Record: (enabled by default)
    - Keystroke Logging: (checked)
  - Application: (enable)
    - Approvers: Auto Approve (checked)
    - Concurrent: Unlimited (checked)
    - Record: (enabled by default)
    - Keystroke Logging: (checked)
    - Enhanced Session Auditing: (checked)
    - Logoff On Disconnect: (checked)

8. Select CREATE SCHEDULE.
9. Select the BASIC DETAILS tab, check Available for use and then select SAVE ACCESS POLICY.

 Split policy – Auto approve for RDP/SSH and one approval on password

Select Create New Access Policy + at the upper-left.

4. Enter Auto approve for RDP/SSH and one approval in the Access Policy Name field and then click CREATE ACCESS POLICY.
5. Under the BASIC DETAILS tab, enter Auto approve for RDP/SSH and one approval, with recording in the Description field and then select SAVE ACCESS POLICY.
6. Select the SCHEDULE tab and then select Create Schedule +.
7. At the CREATE NEW SCHEDULE pane, configure the access policy as follows:

- Time Range > Total Time: All Day (enable)
- Recurrence > Repeat Presets: Every Day
- Allow multi-day check-out of accounts: (enable)
- Policy Types:
  - View Password: (enable)
    - Approvers: Auto Approve (checked)
  - RDP: (enabled by default)
    - Approvers: Auto Approve (checked)
    - Concurrent: Unlimited (checked)
    - Record: (enabled by default)
    - Keystroke Logging: (checked)
    - Enhanced Session Auditing: (checked)
    - Logoff On Disconnect: (checked)
  - SSH: (enabled by default)
    - Approvers: One approval
    - Concurrent: Unlimited (checked)
    - Record: (enabled by default)
    - Keystroke Logging: (checked)
  - Application: (enable)
    - Approvers: Auto Approve (checked)
    - Concurrent: Unlimited (checked)
    - Record: (enabled by default)
    - Keystroke Logging: (checked)
    - Enhanced Session Auditing: (checked)
    - Logoff On Disconnect: (checked)

8. Select CREATE SCHEDULE.
9. Select the BASIC DETAILS tab, check Available for use and then select SAVE ACCESS POLICY.

 After hours policy – approvals Needed

Request RDP/SSH Sessions

Request RDP session

Request SSH session

Demonstrate approval process

List methods:

- Password Safe web portal
- Direct connect (RDP+SSH)
