Manage Credentials in BeyondTrust Privileged Remote Access (Cloud)

BeyondTrust Privileged Remote Access (PRA) can be integrated with an Endpoint Credential Manager (ECM) to improve password security for privileged users and vendors.

An ECM functions as middleware for communication and can be used to integrate PRA with third-party password vaults.

Credential injection is a built-in feature of PRA. It allows administrators and privileged users to seamlessly inject credentials into systems without exposing plain text passwords, and this feature can also be used with third-party vault tools.

Credential Management with BeyondTrust Vault

BeyondTrust Vault is a credential store that exists on the B Series Appliance, enabling discovery of and access to privileged credentials. You can manually add privileged credentials, or you can use the built-in discovery tool to scan and import Active Directory and local accounts into BeyondTrust Vault.

BeyondTrust Vault fits seamlessly with service desk workflow because it is integrated directly with the Privileged Remote Access solution. Technicians do not have to learn to use another tool or even exit BeyondTrust to retrieve passwords. With just one click in the BeyondTrust representative console, users can simply select the correct credential from the dropdown and log directly into a remote system - without ever having to know or even see the actual password.

Frequently Asked Questions about BeyondTrust Vault

What Communication Pathways Are Used With BeyondTrust Vault (Ports, Protocols, Connection Types, etc.)?

  • Active Directory and Discovery:
    • By default, discovery occurs over LDAP via the Active Directory Service Interface (ADSI) on port 389.
    • If LDAPS is enabled, Active Directory queries run over LDAP under an SSL/TLS layer on port 636, unless another port is specified. This transport-layer security encrypts all data communicated to and from Active Directory.
  • Windows Local Discovery:
    • Local Windows accounts are discovered via a series of calls directly to Windows APIs.
    • These APIs use Remote Procedure Calls (RPCs) and named pipes as the network protocol.
    • The RPC process translates the request parameters as well as any response data into a standard, encoded format for transmission.
    • Protection is negotiated at the operating system level.

Where Does Encryption for BeyondTrust Vault Occur?

  • Passwords and private SSH keys are encrypted at rest using AES-256-GCM in addition to any full disk encryption enabled for the B Series Appliance.
  • Passwords and private SSH keys are encrypted in transit using an ephemeral public+private key pair when used for injection. This encryption occurs in addition to Privileged Remote Access's use of TLS to encrypt communication among all BeyondTrust components, such as the B Series Appliance, Jumpoint, customer client, etc.
  • Passwords are encrypted in transit by TLS.
  • Passwords used by Jumpoints to authenticate with Active Directory are never sent in plaintext to Active Directory.
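As an added illustration of the two encryption layers described in the bullets above (this is example code, not BeyondTrust's, and it does not show how the appliance implements them), the following Go program seals a credential at rest with AES-256-GCM and then wraps it for a single injection under a key agreed from two ephemeral X25519 key pairs. The curve choice, the SHA-256 key derivation, the hard-coded vault key, the sample credential and the record context are all assumptions constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed sample values standing in for a stored credential and the
// record it belongs to; nothing here comes from a real appliance.
const sampleSecret = "example-service-account-password"

var sampleRecord = []byte("account=svc-example;host=example-host")

// vaultKey is a hypothetical 256-bit at-rest key. A deployment loads this
// from a key store; deriving it from a fixed string is for the demo only.
var vaultKey = sha256.Sum256([]byte("demo-only vault key material"))

func newGCM(key [32]byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key[:]) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts with AES-256-GCM. The random 96-bit nonce is prepended so
// the blob is self-describing; aad binds the ciphertext to its context
// (which account it is for) without encrypting that context.
func sealGCM(key [32]byte, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM. Any change to nonce, ciphertext, tag or aad makes
// gcm.Open fail, so a tampered record is rejected instead of decrypted.
func openGCM(key [32]byte, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// deriveTransitKey turns an X25519 shared secret into a one-time AES-256 key.
// Both public keys enter the hash in a fixed (sender, recipient) order so the
// two sides agree. SHA-256 keeps the demo stdlib-only; HKDF is the usual
// production choice.
func deriveTransitKey(shared, senderPub, recipientPub []byte) [32]byte {
	h := sha256.New()
	h.Write([]byte("demo-vault-transit-v1"))
	h.Write(shared)
	h.Write(senderPub)
	h.Write(recipientPub)
	var key [32]byte
	copy(key[:], h.Sum(nil))
	return key
}

// injectionRoundTrip models one injection: the vault opens the at-rest blob,
// wraps the secret under a key agreed with the endpoint's ephemeral public
// key, and the endpoint unwraps it. Both key pairs live only for this call.
func injectionRoundTrip() (string, error) {
	curve := ecdh.X25519()
	blob, err := sealGCM(vaultKey, []byte(sampleSecret), sampleRecord) // at rest
	if err != nil {
		return "", err
	}
	endpointPriv, err := curve.GenerateKey(rand.Reader) // endpoint's ephemeral pair
	if err != nil {
		return "", err
	}
	vaultPriv, err := curve.GenerateKey(rand.Reader) // vault's ephemeral pair
	if err != nil {
		return "", err
	}
	vaultPub, endpointPub := vaultPriv.PublicKey().Bytes(), endpointPriv.PublicKey().Bytes()

	// Vault side: decrypt at rest, agree a transit key, re-encrypt for the wire.
	plain, err := openGCM(vaultKey, blob, sampleRecord)
	if err != nil {
		return "", err
	}
	shared, err := vaultPriv.ECDH(endpointPriv.PublicKey())
	if err != nil {
		return "", err
	}
	wire, err := sealGCM(deriveTransitKey(shared, vaultPub, endpointPub), plain, endpointPub)
	if err != nil {
		return "", err
	}
	// Only vaultPub and wire cross the network; plain never does.

	// Endpoint side: same agreement from the other end, then unwrap.
	shared2, err := endpointPriv.ECDH(vaultPriv.PublicKey())
	if err != nil {
		return "", err
	}
	out, err := openGCM(deriveTransitKey(shared2, vaultPub, endpointPub), wire, endpointPub)
	if err != nil {
		return "", err
	}
	return string(out), nil
}

// tamperIsDetected shows the GCM integrity property: flipping one ciphertext
// byte makes decryption fail rather than return altered plaintext.
func tamperIsDetected() (bool, error) {
	blob, err := sealGCM(vaultKey, []byte(sampleSecret), sampleRecord)
	if err != nil {
		return false, err
	}
	blob[len(blob)-1] ^= 0x01
	_, err = openGCM(vaultKey, blob, sampleRecord)
	return err != nil, nil
}

func main() {
	got, err := injectionRoundTrip()
	if err != nil {
		panic(err)
	}
	detected, _ := tamperIsDetected()
	fmt.Printf("credential recovered: %v; tamper detected: %v\n", got == sampleSecret, detected)
}
```

The two layers use independent keys: the vault key never leaves the at-rest step, and the transit key exists only for the duration of one injection, which is the property the second bullet describes. TLS between components sits on top of both and is not modelled here.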

Where Is the Vault Encryption Key Stored? Can It Be Accessed via /login or /appliance?

  • The Vault encryption key is needed to decrypt credentials managed by BeyondTrust Vault. This key is stored in one of the credential stores configured on the appliance.
  • The encryption key can be backed up by going to /login > Management > Software Management > Backup Vault Encryption Key. The backup file format used for the encryption key is the same NSB file format used for configuration and reporting data.

Is the BeyondTrust Application Database Encrypted, and If So, How?

  • BeyondTrust Vault stores data in an encrypted format in the database. If full disk encryption is enabled for your B Series Appliance, the BeyondTrust application database is also encrypted. However, this is independent of the encryption performed by BeyondTrust Vault.

What Best Practices Are Recommended to Maintain the Highest Level of Security Across All Points of Connection (Discovery, Injections, Support, etc.)?

  • BeyondTrust recommends using a valid CA-signed SSL certificate to protect communication among all BeyondTrust components.
  • Jumpoints should run on a system only a few privileged users have permissions to access.

For more information about Jumpoints, please see Privileged Remote Access Jumpoint Guide: Unattended Access to Computers in a Network.

There are no user-visible security settings for BeyondTrust Vault.