BeyondTrust Privileged Remote Access Integration with Password Safe

Overview

The Endpoint Credential Manager (ECM) plug-in integration with Password Safe enables automatic password injection to authorized systems through an encrypted BeyondTrust connection and removes the need to share and expose credentials to privileged accounts. In addition to the automatic rotation and retrieval of managed local accounts, it can also retrieve linked accounts, giving domain admins and other privileged users access to those credentials on the targeted system.

The integration enables:

  • One-click password injection and session spawning
  • Credentials to never be exposed to authorized users of BeyondTrust
  • Access to systems on or off the network with no pre-configured VPN or other routing in place
  • Passwords to be securely stored in Password Safe

The BeyondTrust Endpoint Credential Manager enables communication between Password Safe and Privileged Remote Access. The ECM is deployed to a hardened Windows Server inside the firewall, typically in the same network as the Password Safe instance. Once deployed, BeyondTrust users see a list of administrator-defined credentials for the endpoints they are authorized to access. A set of these credentials can be selected when challenged with a login screen during a remote session, and the user is automatically logged in, having never seen the username/password combination.

Password Safe handles all elements of securing and managing the passwords, so policies that require passwords to be rotated after use are inherently supported. Privileged Remote Access handles creating and managing the access to the endpoint, as well as recording and controlling the level of access granted to the user. This includes what the user can see and do on that endpoint.

Prerequisites

The following software is required:

  • Endpoint Credential Manager (Current is 1.2.4)
  • Password Safe ECM Plugin (Current is 19.1.1.158)
  • Password Safe (Powered by PowerBroker)
  • Privileged Remote Access (Powered by Bomgar)

Installation and Administration

To complete this integration, please ensure that the necessary software is installed and configured as indicated in this guide, and account for any network considerations.

Network Considerations

| Outbound From | Inbound To | TCP Port # | Purpose |
| --- | --- | --- | --- |
| ECM Server | PRA Appliance | 443 | API calls from ECM |
| ECM Server | Password Safe Server | 443 | ECM makes calls to Password Safe RESTful Web Services |
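The two outbound paths listed above can be confirmed from the ECM server before the plug-in is installed. The PowerShell preflight below is an added example, not BeyondTrust code; the hostnames are placeholders, and checking the certificate against the default Windows trust store is an assumption about how the deployment is set up.

```powershell
# Added example: run on the ECM server. Addresses are placeholders (assumptions).
$targets = @(
    @{ Name = 'PRA Appliance';        Address = 'pra.example.com' },
    @{ Name = 'Password Safe Server'; Address = 'passwordsafe.example.com' }
)

function Test-Tls443 {
    param([Parameter(Mandatory)][string]$Address, [int]$TimeoutMs = 5000)

    $r = [ordered]@{
        Address = $Address; TcpOpen = $false; TlsOk = $false
        Protocol = $null; CertSubject = $null; CertExpires = $null; Error = $null
    }
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        # Bounded connect: a firewall that silently drops packets must not hang the check.
        $pending = $client.BeginConnect($Address, 443, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw 'TCP connect timed out' }
        $client.EndConnect($pending)
        $r.TcpOpen = $true

        # Default validation: the handshake throws if the chain or host name is not trusted.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        try {
            $ssl.AuthenticateAsClient($Address)
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
            $r.TlsOk       = $true
            $r.Protocol    = $ssl.SslProtocol
            $r.CertSubject = $cert.Subject
            $r.CertExpires = $cert.NotAfter
        } finally { $ssl.Dispose() }
    } catch {
        # Keep the reason (timeout, refused, untrusted certificate) for the report.
        $r.Error = $_.Exception.Message
    } finally {
        $client.Close()
    }
    [pscustomobject]$r
}

# One row per path from the table: ECM Server -> target on TCP 443.
$targets | ForEach-Object {
    Test-Tls443 -Address $_.Address |
        Add-Member -NotePropertyName Target -NotePropertyValue $_.Name -PassThru
} | Format-Table Target, Address, TcpOpen, TlsOk, Protocol, CertExpires, Error -AutoSize
```

A row with TcpOpen true but TlsOk false points at certificate trust or TLS version settings on the ECM server rather than at the firewall.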

For more information on installing and using the ECM plugin, please see the section on ECM installation and setup.