Managed System Requirements

In this section, we'll cover many of the required services and expected configurations for target managed computers and devices. These requirements are generally the same: a credential able to connect and perform the desired management function.


For credentials you'll include in password rotation, you must know your password policy requirements. Otherwise, Privileged Identity could attempt to set passwords which don't match the requirements of your policy, and if those changes succeed, problems will occur later.

For example, a device could allow the command to include special characters such as an @ symbol, but when the command is processed on the device, the @ symbol could be parsed as a string delimiter. This could either cause the entire command to fail or else report success but lock you out of management. Please be aware of your devices and their limitations.
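As an added illustration of the pre-flight check this paragraph calls for (example code written for this page, not part of Privileged Identity), the block below encodes a target's password constraints as a policy object, reports every violation of a candidate password, and generates passwords only from characters the device is known to accept. The policy values, the allowed symbol set and the forbidden set (which includes the "@" case from the text) are constructed assumptions; the real ones come from the target's documentation and configured policy.

```python
from __future__ import annotations

import secrets
import string
from dataclasses import dataclass
from typing import Optional


@dataclass
class PasswordPolicy:
    """Constraints a target device is known to accept (constructed example values)."""
    min_length: int = 12
    max_length: int = 20
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    # Symbols the device accepts inside a password (assumed set).
    allowed_symbols: str = "!#%^*-_=+"
    # Characters the device's command parser treats specially: the "@" case from
    # the text plus quotes, whitespace and backslash. Never generate these.
    forbidden_chars: str = "@\"' \\"


LETTERS_AND_DIGITS = string.ascii_letters + string.digits


def check_password(pw: str, policy: PasswordPolicy) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems: list[str] = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if len(pw) > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")

    forbidden = sorted({c for c in pw if c in policy.forbidden_chars})
    if forbidden:
        problems.append("contains forbidden characters: " + " ".join(repr(c) for c in forbidden))

    # Anything that is neither alphanumeric, nor an allowed symbol, nor already
    # reported as forbidden is an unknown symbol: the device may or may not take it.
    unknown = sorted({c for c in pw
                      if c not in LETTERS_AND_DIGITS
                      and c not in policy.allowed_symbols
                      and c not in policy.forbidden_chars})
    if unknown:
        problems.append("contains symbols outside the allowed set: " + " ".join(repr(c) for c in unknown))

    if policy.require_upper and not any(c in string.ascii_uppercase for c in pw):
        problems.append("no uppercase letter")
    if policy.require_lower and not any(c in string.ascii_lowercase for c in pw):
        problems.append("no lowercase letter")
    if policy.require_digit and not any(c in string.digits for c in pw):
        problems.append("no digit")
    if policy.require_symbol and not any(c in policy.allowed_symbols for c in pw):
        problems.append("no symbol from the allowed set")
    return problems


def generate_password(policy: PasswordPolicy, length: Optional[int] = None) -> str:
    """Generate a password that satisfies the policy.

    Draws from the allowed alphabet only and retries until every required class
    is present, so the result can never contain a forbidden character.
    """
    length = policy.min_length if length is None else length
    if not policy.min_length <= length <= policy.max_length:
        raise ValueError("length outside the policy range")
    alphabet = LETTERS_AND_DIGITS + policy.allowed_symbols
    for _ in range(10_000):
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate, policy):
            return candidate
    raise RuntimeError("policy cannot be satisfied with the configured alphabet")


if __name__ == "__main__":
    policy = PasswordPolicy()
    print(check_password("Abcdef123456@", policy))  # reports the '@' and the missing allowed symbol
    print(check_password(generate_password(policy), policy))  # []
```

Run the check against the stored policy for each target before a rotation job submits the new value, and treat a non-empty result as a job failure to log rather than something to retry blindly: a password the device silently truncates or mis-parses is exactly the lockout the text warns about.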

Windows Requirements

  • File and print services for Microsoft networks (installed and enabled by default)
  • Server service (installed and enabled by default)
  • Remote registry (optional; required to gather further system information such as MAC address, DCOM applications, etc.)

If you plan to use Privileged Identity to propagate, manage, or discover any of the following items, enable each respective requirement to support management via the native API:

  • COM/MTS: Requires application server role with network COM access
  • DCOM: Requires remote registry service
  • IIS: Requires IIS management components, the application server role, and network COM access
  • WMI: For SQL Server reporting services account; requires SCOM SDK binaries (from the SCOM server) to be placed in the Privileged Identity installation directory

Enabling remote access to COM and IIS requires additional configuration steps on the target systems. For more information, please see Install Server Components.

For information on port requirements, please see Port Requirements.

Linux/Unix/OSX Requirements

  • Current SSH port: Required for password change and account enumeration
  • Login password or SSH key: Required for the login account and possibly for the account being managed (operation-specific)
  • Low-powered login account: (Optional) Used if root accounts are not allowed SSH access to the target system

Some distributions of Solaris, AIX, and other Linux/Unix distros may require password authentication to be enabled in the /etc/ssh/sshd_config file. If this is required but not enabled, a password change job results in errors, saved in the log. To enable password authentication, open the /etc/ssh/sshd_config file and set PasswordAuthentication to yes. Then restart the SSH daemon. The restart method is distro-specific. Here are some examples of various restart commands:

  • FreeBSD: /etc/rc.d/sshd restart
  • Solaris: svcadm restart network/ssh
  • Suse: rcsshd restart
  • Ubuntu: sudo /etc/init.d/ssh restart
  • Red Hat/Fedora/CentOS: /etc/init.d/sshd restart or service sshd restart
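The edit described above is easy to get wrong by hand on a file that already contains a commented-out default or a Match block, so here is an added example (written for this page; not part of Privileged Identity) that sets a global sshd_config directive safely. It relies on two documented sshd_config behaviours: keywords are case-insensitive and the first occurrence wins, and any directive after a Match line applies only to that block. The sample configuration text is constructed; the file path and the .bak naming are assumptions.

```python
from __future__ import annotations

import re
import shutil
from typing import Optional

# Anything after a "Match" line belongs to that block, not to the global section.
_MATCH_LINE = re.compile(r"^\s*Match\b", re.IGNORECASE)


def _global_section_end(lines: list[str]) -> int:
    """Index of the first Match line, or len(lines) if there is none."""
    for i, line in enumerate(lines):
        if _MATCH_LINE.match(line):
            return i
    return len(lines)


def get_sshd_option(config_text: str, key: str) -> Optional[str]:
    """Effective global value of `key`, or None if sshd would use its built-in default.

    Only active (uncommented) lines in the global section count, and the first
    one wins, which is how sshd itself resolves repeated keywords.
    """
    lines = config_text.splitlines()
    active = re.compile(r"^\s*" + re.escape(key) + r"\s+(\S+)", re.IGNORECASE)
    for line in lines[:_global_section_end(lines)]:
        m = active.match(line)
        if m:
            return m.group(1)
    return None


def set_sshd_option(config_text: str, key: str, value: str) -> str:
    """Return config_text with `key value` in effect globally.

    The first global line for the key, active or commented out like the distro
    default "#PasswordAuthentication no", is replaced in place; if there is none,
    the directive is inserted just before the first Match block so it stays
    global. Lines inside Match blocks are never touched.
    """
    lines = config_text.splitlines()
    end = _global_section_end(lines)
    # "Key value" with an optional leading "#". A longer comment such as
    # "# PasswordAuthentication is explained in sshd_config(5)" does not match.
    settable = re.compile(r"^\s*#?\s*" + re.escape(key) + r"\s+\S+\s*$", re.IGNORECASE)
    new_line = f"{key} {value}"
    for i in range(end):
        if settable.match(lines[i]):
            lines[i] = new_line
            break
    else:
        lines.insert(end, new_line)
    return "\n".join(lines) + "\n"


def enable_password_auth(path: str = "/etc/ssh/sshd_config") -> None:
    """Set PasswordAuthentication yes in the file, keeping a .bak copy of the original (assumed naming)."""
    with open(path, encoding="utf-8") as f:
        original = f.read()
    shutil.copyfile(path, path + ".bak")
    with open(path, "w", encoding="utf-8") as f:
        f.write(set_sshd_option(original, "PasswordAuthentication", "yes"))


if __name__ == "__main__":
    # Constructed excerpt: a commented default plus a Match block that must stay as is.
    sample = ("# constructed sshd_config excerpt\n"
              "Port 22\n"
              "#PasswordAuthentication no\n"
              "Match User backup\n"
              "    PasswordAuthentication yes\n")
    print(get_sshd_option(sample, "PasswordAuthentication"))  # None: only the Match block sets it
    print(set_sshd_option(sample, "PasswordAuthentication", "yes"))
```

After writing the file, validate it with `sshd -t` (the daemon's configuration test mode) before running the distro-specific restart command from the list above, so that a typo cannot leave the host without a working SSH service.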

Cisco Requirements

  • Login account username and password
  • Current password of the enabled account
  • SSH or Telnet port if changed from the default

IPMI Requirements

  • Root or admin-level login account username and password

SSH/Telnet Devices Requirements

Actual requirements vary based on target type and embedded operating system.

  • Login account username and password or SSH key
  • SSH port or Telnet port if changed from the default

For information about modifying the XML files used for SSH/Telnet targets, please see the Privileged Identity Admin Guide (PDF).

Other Platform Requirements

Other platforms have requirements specific to their implementation, configuration, and defined policies. Please see your target system's documentation for servicing requirements.