Password Safe Integration

In Privilege Management for Windows, features to support Password Safe integration include:

  • Off-network account management: Privilege Management for Windows contacts Password Safe for password tests or password changes.
  • Allow as Password Safe user: You can run an application using managed account credentials sourced from Password Safe.

Off-Network Account Management

Password Safe can change passwords on managed accounts. There are two scenarios where Password Safe can change a password:

  • On-network: Password Safe uses a functional account (an account which has rights to change the managed accounts' passwords) to manage local accounts on managed systems.
  • Off-network: Privilege Management for Windows can periodically contact Password Safe and request tasks, such as password changes or password tests.

The following section provides information on how to set up the off-network scenario.

Prerequisites

The Privilege Management for Windows client requires the BeyondInsight client certificate to enable communication with the BeyondInsight server.

For more information, please see Installation Information for BeyondInsight and Privilege Management for Windows.

Install Privilege Management for Windows Client

The Privilege Management for Windows installer includes the service Password Safe Service.

Privilege Management for Windows must be installed using the Password Safe mode flags, PSMODE=1 and BIMODE=1, as shown:

PrivilegeManagementForWindows_x64.exe /v"BIMODE=1 PSMODE=1 BEYONDINSIGHTURL=https://uvm002.btrusteng.com/EventService/Service.svc"

Configure the Password Safe Service

This feature is only available with the BeyondInsight management console.

Configure the Heartbeat Interval

  1. In the Policy Editor, select the Integration Settings node.
  2. From the Activation list, select one of the following: Not Configured, Enabled, or Disabled.
  3. Set the default heartbeat interval. This is the time span the endpoint polls Password Safe unless the time is determined by Password Safe. For most subsequent messages, the poll time is driven by Password Safe in the messages it sends to Privilege Management for Windows. This is because Password Safe knows when the next scheduled action must be performed.

Configure Password Safe

Managed systems and managed accounts can be added to Password Safe in the same way as in an on-network scenario: manually or using Smart Rules. A discovery scan is not possible in the off-network scenario.

For more information, please see Add Assets to Password Safe in the Password Safe Administration Guide.

Limitations

Default values for the following Account Settings in Password Safe are applied in a Privilege Management for Windows off-network integration: Change Services (yes), Restart Services (no), and Change Tasks (no). The settings cannot be changed in this scenario.

Allow as Password Safe User

In Privilege Management for Windows, you can run an application using Managed Account credentials sourced from Password Safe.

Prerequisites

The endpoint must be set up as a managed system in Password Safe.

Communication to Password Safe relies on BeyondInsight communication channels and the appropriate client certificate. Therefore, Privilege Management for Windows must be installed using the BIMODE=1 flag:

PrivilegeManagementForWindows_x64.exe /v"BIMODE=1 BEYONDINSIGHTURL=https://uvm002.btrusteng.com/EventService/Service.svc"
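The two install commands on this page (BIMODE=1 with PSMODE=1 for off-network account management, and BIMODE=1 alone for the Allow as Password Safe User prerequisite) differ only in the PSMODE flag. The following PowerShell script is an added example, not BeyondTrust's own tooling: it runs the installer with the flags the page specifies and then checks the two prerequisites the page names, the Password Safe Service and the BeyondInsight client certificate. The installer path, the service display-name pattern, and the certificate store and subject filter are assumptions and must be matched to your deployment.

```powershell
# Added example (not BeyondTrust's script). Installs Privilege Management for
# Windows with the Password Safe / BeyondInsight mode flags from this page, then
# verifies the service and client certificate the integration depends on.
# Installer path, service display-name pattern and certificate filter are
# assumptions; confirm them against your own environment.
param(
    [string]$InstallerPath = 'C:\Temp\PrivilegeManagementForWindows_x64.exe',   # assumed location
    [string]$BeyondInsightUrl = 'https://uvm002.btrusteng.com/EventService/Service.svc',
    [switch]$OffNetworkAccountManagement   # adds PSMODE=1 for the off-network scenario
)

function Install-PmfwClient {
    param([string]$Path, [string]$Url, [bool]$PasswordSafeMode)

    # BIMODE=1 is required for any Password Safe integration; PSMODE=1 additionally
    # enables the off-network account management (Password Safe Service) scenario.
    $msiProps = 'BIMODE=1'
    if ($PasswordSafeMode) { $msiProps += ' PSMODE=1' }
    $msiProps += " BEYONDINSIGHTURL=$Url"

    # The installer passes /v"..." through to MSI; the quotes must reach the installer.
    $arguments = "/v`"$msiProps`""
    Write-Verbose "Running: $Path $arguments"

    $proc = Start-Process -FilePath $Path -ArgumentList $arguments -Wait -PassThru
    if ($proc.ExitCode -ne 0) {
        throw "Installer exited with code $($proc.ExitCode)"
    }
}

function Test-PmfwPasswordSafeReadiness {
    param([bool]$ExpectPasswordSafeService)

    $ok = $true

    # Off-network mode installs the Password Safe Service. The display name is
    # assumed to contain "Password Safe"; confirm the exact name in your deployment.
    if ($ExpectPasswordSafeService) {
        $svc = Get-Service | Where-Object { $_.DisplayName -like '*Password Safe*' }
        if (-not $svc) {
            Write-Warning 'Password Safe Service not found; PSMODE=1 may not have been applied.'
            $ok = $false
        } elseif ($svc.Status -ne 'Running') {
            Write-Warning "Password Safe Service is $($svc.Status), not Running."
            $ok = $false
        }
    }

    # Communication with BeyondInsight requires the BeyondInsight client certificate.
    # Store and subject filter are assumptions; use the values from your certificate export.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like '*BeyondInsight*' -or $_.Issuer -like '*BeyondInsight*' } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) {
        Write-Warning 'No BeyondInsight client certificate found in Cert:\LocalMachine\My.'
        $ok = $false
    } elseif ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "BeyondInsight client certificate expired on $($cert.NotAfter)."
        $ok = $false
    }

    return $ok
}

Install-PmfwClient -Path $InstallerPath -Url $BeyondInsightUrl -PasswordSafeMode:$OffNetworkAccountManagement
if (Test-PmfwPasswordSafeReadiness -ExpectPasswordSafeService:$OffNetworkAccountManagement) {
    Write-Host 'Privilege Management for Windows is ready for Password Safe integration.'
} else {
    Write-Host 'Post-install checks failed; review the warnings above.'
}
```

Run it with `-OffNetworkAccountManagement` to reproduce the PSMODE=1 install from the Off-Network Account Management section, or without the switch for the BIMODE=1-only install this prerequisite calls for. The certificate check is worth keeping in a scheduled readiness job: an expired or missing client certificate silently breaks the heartbeat to Password Safe, and the endpoint then stops receiving password change and test tasks.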

The Password Safe account name must be a managed account associated with the managed system (endpoint).

For more information, please see Add Assets to Password Safe in the Password Safe Administration Guide.

Configure the Application Rule

This feature is only available with the BeyondInsight management console.

To configure the Password Safe user in the Privilege Management for Windows client, you need to set up an Application Rule that includes the Password Safe user.

  1. In the Edit Rule Application dialog box, select Allow as Password Safe User from the Action list.
  2. In the Password Safe Account Name field, enter the name of the account exactly as configured in Password Safe. This is the Managed Account configured in Password Safe for the endpoint.

End user messaging is not available in this release.

For more information about Application Rules, please see Application Rules in the Privilege Management for Windows Administration Guide.