Understanding Proxy-Based Privileged Password & Privileged Session Management
April 11th, 2017
Privileged password management (PPM) and privileged session management (PSM) are both important security technologies getting a lot of attention as IT teams look for ways to better protect the keys to the kingdom from mimikatz derivatives and all the other trends in play. It’s all about sequestering privileged credentials and carefully choreographing access to them. Or better yet— it’s about not even providing access to them, but facilitating use of them.
When done right, PPM/PSM is far more effective and less disruptive than going through all the work to implement the so-called red-forest plan. (It doesn’t have to be an either/or choice though; you can do both). Some might take issue with my claiming PPM/PSM is less disruptive but that’s why I say “when done right”. When administrators are forced to go through a portal and workflow process every time they need to administer a system, as the IT security team, you may face some real pushback. There are advantages to a portal-based workflow approach to PPM/PSM because you can capture information like ticket numbers to link to the session to for approval and audit purposes and to enhance accountability.
But a proxy-based privilege management technology can potentially allow administrators to continue using their favorite remote access tools and methods which are often the result of years of experience and productivity optimization – not just personal preference or obstinacy. For instance, an admin frequently needs to access many different systems and jumps back and forth between them in order to diagnose an issue or make changes and test them. Juggling a bunch of free-floating RDP session windows is confusing, frustrating, and unproductive. So, many admins depend on products like Remote Desktop Manager that keep all those sessions organized in a tabbed interface.
It’s easy to see why our best intentions at security sometimes breed resentment and pushback. The same goes for SSH sessions. I know with SSH I want to be able to choose my font-size, colors, etc.
If you can do all of this transparently, without changing which tools admins use or how they open sessions—your adoption will greatly improve.
By placing a proxy between the admin and the target system you can prevent the privileged password or it’s hash from ever touching the admin’s endpoint in any way, shape or form. The privileged credentials are used to open a session between the hardened appliance and the system being administered. And if you’ve read about pass-the-hash and related “mimikatz-esque” attacks you know why that is so important.
But if the admin’s PC is compromised what prevents the attacker from just keylogging the admin’s password used to authenticate to the privilege management appliance – whether proxy or portal-based? That’s where two-factor authentication that specifically assures “human-presence” comes in.
But beyond the “convenience/productivity” factor and the complete isolation of password from the admin and his/her endpoint, proxy technology also allows full-fidelity recording of privileged sessions and potentially the capture of metadata to make them searchable. It all comes down to how deeply the proxy understands the RDP and SSH traffic going through it.
In this real-training-for-free webinar, I’ll show you how the two main privileged session management protocols (RDP and SSH) work in general terms. Then I’ll explain how putting a privilege management proxy in the middle of that protocol stream allows you to implement:
- Session recording with searchable metadata
- Password sequestering
- Approval rules
- Two-factor authentication
- Risk mitigation of compromised admin PCs
- Audit and compliance reporting
All this and more is what we’ll explore in my next webinar, sponsored by BeyondTrust. BeyondTrust Product Manager Martin Cannard will briefly show you privileged access management solution and how their proxy technology works.