Use Case 1: Add Local Admin Accounts for Windows Servers

This use case walks through configuring the Smart Groups and user group roles and permissions required to enable automatic password rotation for local admin accounts on Windows servers with auto-approval for RDP sessions enabled.

The shared local administrative account that exists on all Windows servers needs to be controlled, audited, and rotated on a regular schedule. For this use case, you will bring in all domain-joined Windows servers and manage the local built-in Administrator account. You will also grant permissions to a specific set of users who need access to all Windows servers. As you do not know whether additional local administrator accounts exist, you will configure a Smart Group to find them. You will also configure a Smart Group that runs on a recurring basis so that new servers are added dynamically as they join the domain.

To accomplish all of the above, you must create the following Smart Groups in the BeyondInsight Console:

  • An asset Smart Group for discovering the Windows servers
  • An asset Smart Group for adding the Windows servers to Password Safe management
  • A managed system Smart Group for granting system access to user groups
  • A managed account Smart Group to add the local admin accounts to Password Safe management

You must also associate the managed account Smart Group to user groups, and then assign roles and permissions to the associated managed account Smart Group.

Create Asset Based Smart Group to Discover Windows Servers

  1. From the left menu in BeyondInsight, click Smart Rules.
  2. Click Create Smart Rule.
  3. Select the Category and enter a meaningful Name and Description for the Smart Rule.

Create New Asset Based Smart Rule using Directory Query to Discover Windows Servers

  1. Set Selection Criteria as:
    • Directory Query, Include assets from query, <query name>, Use to discover new assets during scans (enabled)
    • Enter the interval in hours to rerun the query to ensure new servers that have joined the domain are automatically captured
  2. Set Actions as:
    • Show asset as Smart Group, View assets in a standard asset grid
  3. Click Create Smart Rule.

You can now run a Discovery Scan against this Smart Group. In order to pull details, including local accounts, from each asset into BeyondInsight, execute a scan with appropriate credentials.

You can initiate a scan from the vertical ellipsis menu for the Smart Group on the Smart Rules page in BeyondInsight. You can also schedule a recurring scan to discover new assets and confirm the local accounts and services have not changed on the existing assets. This is key to a dynamic onboarding process.

For more information on configuring a Discovery Scan, please see Run Discovery Scans in the BeyondInsight User Guide.

Create Asset Based Smart Group to Add Windows Servers to Password Safe Management

  1. From the left menu in BeyondInsight, click Smart Rules.
  2. Click Create Smart Rule.
  3. Select the Category and enter a meaningful Name and Description for the Smart Rule.

Create New Asset Based Smart Rule to Add Windows Servers to Password Safe

  1. Set Selection Criteria as:
    • Operating System, contains, windows
    • Asset fields, Domain Name, contains, domain

The Operating System criterion selects the servers that share the same functional account; the Manage Assets action below associates that functional account with each system.

  2. Set Actions as:
    • Show asset as Smart Group, View assets in a standard asset grid
    • Manage Assets using Password Safe, Platform: Windows, Account Name Format: Domain\Username, Functional Account: <functional account name>
  3. Click Create Smart Rule.

To ensure new servers are automatically added to Password Safe management, this Smart Group must be processed on a recurring basis, in particular after each Discovery Scan completes.

Create Managed System Smart Group for Granting System Access to User Groups

Creating this managed system Smart Group is not always required but it helps you to group systems that have specific managed accounts associated with them and to assign asset level permissions to user groups. As the assets are added to Password Safe management, they automatically populate within the All Managed Systems Smart Group.

This smart group specifically looks for all Windows servers that are managed by Password Safe.

  1. From the left menu in BeyondInsight, click Smart Rules.
  2. Select Managed System from the Smart Rule Type filter list.
  3. Click Create Smart Rule.

Create Managed System Smart Rule to Grant System Access to User Groups

  1. Select Managed Systems from the Category list.
  2. Enter a meaningful Name and Description for the Smart Rule.
  3. Set Selection Criteria as:
    • Platforms, Windows
  4. Set Actions as:
    • Show managed system as Smart Group
  5. Click Create Smart Rule.

Create Managed Account Smart Group to Add Accounts to Password Safe Management

The initial creation of this Smart Group only has the one account name of the built-in Administrator account. After researching and reviewing reports, additional privileged account names may be added to this Smart Group.

  1. From the left menu in BeyondInsight, click Smart Rules.
  2. Select Managed Account from the Smart Rule Type filter list.
  3. Click Create Smart Rule.

Create New Managed Account Based Smart Rule to add Local Admin account to Password Safe

  1. Select Managed Accounts from the Category list.
  2. Enter a meaningful Name and Description for the Smart Rule.
  3. Set Selection Criteria as:
    • User Account Attribute, Account Name, equals, <Administrator>, Discover Accounts for Password Safe Management: yes, Discover accounts from: <Smart Group for adding Windows servers>
  4. Set Actions as:
    • Show managed account as Smart Group
    • Manage Account Settings, Password Rule: <password policy>, Enable Automatic Password Management: yes, Change Password Time: <desired time>, Change Password Frequency: <desired frequency>

The Manage Account Settings action onboards the specific account, if found in the system’s scan results. This action also dictates whether the account is rotated immediately or not.

  5. Click Create Smart Rule.
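A check a defender would want after this Smart Rule has run, added here as an example that is not part of the BeyondTrust documentation: enumerate the local Administrators group on the domain-joined Windows servers to find additional local account names worth adding to the managed account Smart Group, and compare the built-in Administrator's PasswordLastSet against the rotation frequency. It assumes PowerShell remoting is enabled, the ActiveDirectory module is installed where the script runs, and a 30-day rotation frequency; the threshold is an assumption to adjust to your password policy.

```powershell
# Added example (not BeyondTrust code). Assumes WinRM remoting to the servers,
# the ActiveDirectory module locally, and a domain account with local admin
# rights on the targets. The 30-day threshold is an assumed rotation frequency.
Import-Module ActiveDirectory

# Same scope as the asset Smart Rule: Windows Server operating systems in the domain.
$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Windows Server*"' |
           Select-Object -ExpandProperty DNSHostName

$report = Invoke-Command -ComputerName $servers -ErrorAction SilentlyContinue -ScriptBlock {
    # The built-in Administrator always has RID 500, even if it has been renamed,
    # so match on the SID rather than on the account name.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

    # Any other local (non-domain) user in Administrators is a candidate name to
    # add to the managed account Smart Group's Account Name criterion.
    $extra = Get-LocalGroupMember -Group 'Administrators' |
             Where-Object {
                 $_.PrincipalSource -eq 'Local' -and
                 $_.ObjectClass -eq 'User' -and
                 $_.SID.Value -ne $builtin.SID.Value
             } | Select-Object -ExpandProperty Name

    [pscustomobject]@{
        Server           = $env:COMPUTERNAME
        BuiltinAdminName = $builtin.Name
        PasswordLastSet  = $builtin.PasswordLastSet
        ExtraLocalAdmins = ($extra -join ';')
    }
}

# Flag servers whose built-in Administrator password is older than the assumed
# Change Password Frequency, i.e. where automatic rotation has not taken effect.
$maxAge = [timespan]::FromDays(30)
$report |
    Select-Object Server, BuiltinAdminName, PasswordLastSet, ExtraLocalAdmins,
        @{ n = 'RotationOverdue'
           e = { $null -eq $_.PasswordLastSet -or ((Get-Date) - $_.PasswordLastSet) -gt $maxAge } } |
    Sort-Object RotationOverdue -Descending |
    Format-Table -AutoSize
```

Servers missing from the output did not answer the remoting call; treat them as unverified rather than compliant, and reconcile them against the Discovery Scan results.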

Assign User Group Permissions and Roles for Account Access

Associate a user group to the Smart Group that you created for adding accounts to Password Safe management, and then assign permissions, roles, and an access policy to the Smart Group. In this use case, the Password Safe users are Requestors with an access policy to allow auto-approved RDP sessions.

  1. From the left navigation in the BeyondInsight Console, click Configuration.
  2. Under Role Based Access, click User Management.
  3. Locate the user group in the grid, and then click the More Options (ellipsis) button for that group.
  4. Select View Group Details.

Assign Permissions and Password Safe Roles to User Group Using a Smart Group

  1. From the Group Details pane, select Smart Groups.
  2. In the Smart Groups Permissions grid, select the Smart Group you created for adding the local Windows admin account to Password Safe, and then click Assign Permissions above the grid.
  3. Select Assign Permissions Read Only.
  4. Click the vertical ellipsis button for the Smart Group, and then select Edit Password Safe Roles.

Assign Password Safe Role and Access Policy to User Group Using a Smart Group

  1. Select the Requestor role, and then select the Access Policy.
  2. Click Save Roles.