Password Safe Integration

In Privilege Management for Windows, features to support Password Safe integration include:

  • Off-network account management: Privilege Management for Windows contacts Password Safe for password tests or password changes.
  • Allow as Password Safe user: You can run an application using managed account credentials sourced from Password Safe.

Off-Network Account Management

Password Safe can change passwords on managed accounts. There are two scenarios where Password Safe can change a password:

  • On-network: Password Safe uses a functional account (an account that has rights to change the managed accounts' passwords) to manage local accounts on managed systems.
  • Off-network: Privilege Management for Windows can periodically contact Password Safe and request tasks, such as password changes or password tests.

The following section provides information on how to set up the off-network scenario.

Install Privilege Management for Windows Client

The Privilege Management for Windows installer includes a Windows service, the Password Safe Service.

The Privilege Management for Windows client requires the Password Safe host certificate to enable communication with the Password Safe server.

For more information, please see Integrate BeyondTrust Privilege Management for Windows with BeyondInsight.

BeyondInsight and Password Safe Install

Privilege Management for Windows must be installed using the Password Safe mode flags, PSMODE=1 and BIMODE=1, as shown. The BEYONDINSIGHTURL value in the command lines below is an example; use the event service URL of your own BeyondInsight instance.

PrivilegeManagementForWindows_x64.exe /v"BIMODE=1 PSMODE=1 BEYONDINSIGHTURL=https://useries002.btrusteng.com/EventService/Service.svc"

PMC Install

Privilege Management for Windows must be installed using the Password Safe mode flags, PSMODE=1, BIMODE=1, and IC3MODE=1, as shown:

PrivilegeManagementForWindows_x64.exe /v"BIMODE=1 PSMODE=1 IC3MODE=1 BEYONDINSIGHTURL=https://useries002.btrusteng.com/EventService/Service.svc"

ePO Extension Install

Privilege Management for Windows must be installed using the Password Safe mode flags, PSMODE=1, BIMODE=1, and EPOMODE=1, as shown:

PrivilegeManagementForWindows_x64.exe /v"BIMODE=1 PSMODE=1 EPOMODE=1 BEYONDINSIGHTURL=https://useries002.btrusteng.com/EventService/Service.svc"

Webserver Install

Privilege Management for Windows must be installed using the Password Safe mode flags, PSMODE=1, BIMODE=1, and WEBSERVERMODE=1, as shown:

PrivilegeManagementForWindows_x64.exe /v"BIMODE=1 PSMODE=1 WEBSERVERMODE=1 BEYONDINSIGHTURL=https://useries002.btrusteng.com/EventService/Service.svc"

Configure the Password Safe Service

Configure the Heartbeat Interval

  1. In the Policy Editor, select the Integration Settings node.
  2. From the Activation list, select one of the following: Not Configured, Enabled, or Disabled.
  3. Set the default heartbeat interval. This is how often the endpoint polls Password Safe when Password Safe has not itself specified a poll time. For most subsequent messages, Password Safe sets the poll time in the messages it sends to Privilege Management for Windows, because it knows when the next scheduled action must be performed.

Configure Password Safe

Managed systems and managed accounts can be added to Password Safe in the same way as in an on-network scenario: either manually or by using Smart Rules. A discovery scan is not possible in the off-network scenario.

For more information, please see Add Assets to Password Safe in the Password Safe Administration Guide.

Limitations

Default values for the following Account Settings in Password Safe are applied in a Privilege Management for Windows off-network integration: Change Services (yes), Restart Services (no), and Change Tasks (no). These settings cannot be changed in this scenario.

Allow as Password Safe User

In Privilege Management for Windows, you can run an application using Managed Account credentials sourced from Password Safe.

Prerequisites

The endpoint must be set up as a managed system in Password Safe.

Communication with Password Safe relies on the BeyondInsight communication channels and the appropriate client certificate. Therefore, Privilege Management for Windows must be installed using the BIMODE=1 flag.

BeyondInsight and Password Safe Install

Privilege Management for Windows must be installed using the BIMODE=1 flag, as shown:

PrivilegeManagementForWindows_x64.exe /v"BIMODE=1 BEYONDINSIGHTURL=https://useries002.btrusteng.com/EventService/Service.svc"

PMC Install

Privilege Management for Windows must be installed using the Password Safe mode flags, BIMODE=1 and IC3MODE=1, as shown:

PrivilegeManagementForWindows_x64.exe /v"BIMODE=1 IC3MODE=1 BEYONDINSIGHTURL=https://useries002.btrusteng.com/EventService/Service.svc"

ePO Extension Install

Privilege Management for Windows must be installed using the Password Safe mode flags, BIMODE=1 and EPOMODE=1, as shown:

PrivilegeManagementForWindows_x64.exe /v"BIMODE=1 EPOMODE=1 BEYONDINSIGHTURL=https://useries002.btrusteng.com/EventService/Service.svc"

Webserver Install

Privilege Management for Windows must be installed using the Password Safe mode flags, BIMODE=1 and WEBSERVERMODE=1, as shown:

PrivilegeManagementForWindows_x64.exe /v"BIMODE=1 WEBSERVERMODE=1 BEYONDINSIGHTURL=https://useries002.btrusteng.com/EventService/Service.svc"
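
The install command lines above, and those in the Off-Network Account Management section, differ only in which mode flags are present. As an added example (not BeyondTrust code and not taken from this page), the following PowerShell builds that argument string for a given management platform and feature, refuses a non-HTTPS BeyondInsight URL, runs the installer, and then looks for the Password Safe service. The mode flags, installer file name and URL are those shown on this page; the function and parameter names, the HTTPS check and the service display-name pattern used in the post-install check are assumptions of this example.

```powershell
# Added example, not BeyondTrust's own code. Assumptions: function/parameter names,
# the HTTPS check, the installer path, and the '*Password Safe*' display-name pattern.
# Mode flags (BIMODE, PSMODE, IC3MODE, EPOMODE, WEBSERVERMODE, BEYONDINSIGHTURL) are
# the ones documented on this page.

function Get-PmwInstallArguments {
    [CmdletBinding()]
    param(
        # Management platform the endpoint reports to.
        [Parameter(Mandatory)]
        [ValidateSet('BeyondInsight', 'PMC', 'ePO', 'WebServer')]
        [string]$Platform,

        # BeyondInsight event service URL, e.g. https://<host>/EventService/Service.svc
        [Parameter(Mandatory)]
        [string]$BeyondInsightUrl,

        # Off-network account management needs PSMODE=1;
        # "Allow as Password Safe User" alone needs only BIMODE=1.
        [switch]$OffNetworkAccountManagement
    )

    # Both integration features depend on the BeyondInsight channel and certificate.
    $props = @('BIMODE=1')

    if ($OffNetworkAccountManagement) { $props += 'PSMODE=1' }

    # Platform-specific flag, exactly as in the documented command lines.
    switch ($Platform) {
        'PMC'       { $props += 'IC3MODE=1' }
        'ePO'       { $props += 'EPOMODE=1' }
        'WebServer' { $props += 'WEBSERVERMODE=1' }
    }

    # Assumption of this example: insist on HTTPS, since password-change tasks and
    # events travel over this channel.
    $uri = [System.Uri]$BeyondInsightUrl
    if ($uri.Scheme -ne 'https') {
        throw "BEYONDINSIGHTURL must use https, got '$($uri.Scheme)'"
    }
    $props += "BEYONDINSIGHTURL=$($uri.AbsoluteUri)"

    # The installer takes its properties as /v"..." (the quotes are part of the argument).
    return '/v"' + ($props -join ' ') + '"'
}

function Install-PmwWithPasswordSafe {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$InstallerPath,
        [Parameter(Mandatory)] [ValidateSet('BeyondInsight', 'PMC', 'ePO', 'WebServer')] [string]$Platform,
        [Parameter(Mandatory)] [string]$BeyondInsightUrl,
        [switch]$OffNetworkAccountManagement
    )

    if (-not (Test-Path -LiteralPath $InstallerPath)) {
        throw "Installer not found: $InstallerPath"
    }

    $installArgs = Get-PmwInstallArguments -Platform $Platform `
        -BeyondInsightUrl $BeyondInsightUrl `
        -OffNetworkAccountManagement:$OffNetworkAccountManagement

    Write-Verbose "Running: $InstallerPath $installArgs"
    $proc = Start-Process -FilePath $InstallerPath -ArgumentList $installArgs -Wait -PassThru
    if ($proc.ExitCode -ne 0) {
        throw "Installer exited with code $($proc.ExitCode)"
    }

    # Post-install check. The display-name pattern is an assumption; adjust it to
    # whatever Get-Service shows for the Password Safe Service on your build.
    $svc = Get-Service | Where-Object { $_.DisplayName -like '*Password Safe*' }
    if (-not $svc) {
        Write-Warning 'No service with "Password Safe" in its display name was found after install.'
    }
    return $svc
}

# Dry run: print the argument string for a PMC-managed endpoint that also performs
# off-network password changes. No installer is needed for this call.
Get-PmwInstallArguments -Platform PMC `
    -BeyondInsightUrl 'https://useries002.btrusteng.com/EventService/Service.svc' `
    -OffNetworkAccountManagement

# Real install for the same scenario (run from an elevated session):
# Install-PmwWithPasswordSafe -InstallerPath .\PrivilegeManagementForWindows_x64.exe `
#     -Platform PMC `
#     -BeyondInsightUrl 'https://useries002.btrusteng.com/EventService/Service.svc' `
#     -OffNetworkAccountManagement -Verbose
```

Omit -OffNetworkAccountManagement for an endpoint that only needs the Allow as Password Safe User action, and choose -Platform BeyondInsight for a direct BeyondInsight and Password Safe install, where no platform flag is added.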

The Password Safe account name must be a managed account associated with the managed system (endpoint).

For more information, please see Add Assets to Password Safe in the Password Safe Administration Guide.

Configure the Application Rule

To run an application as the Password Safe user in the Privilege Management for Windows client, create an Application Rule whose action is Allow as Password Safe User and that names the managed account.

  1. In the Edit Rule Application dialog box, select Allow as Password Safe User from the Action list.
  2. In the Password Safe Account Name field, enter the name of the account exactly as configured in Password Safe. This is the Managed Account configured in Password Safe for the endpoint.

End user messaging is not available in this release.

For more information about Application Rules, please see Application Rules in the Privilege Management for Windows Administration Guide.