BeyondTrust Privileged Remote Access Vault Guide

BeyondTrust Vault for Privileged Remote Access mitigates the risk of shared privileged account credentials by enabling secure credential management, including credential discovery, masking, injection, and rotation.

BeyondTrust Vault fits seamlessly into your service desk workflow by integrating directly with the Privileged Remote Access solution, allowing administrator accounts to access systems without exiting BeyondTrust. With just one click in the Privileged Remote Access representative console, users can select the correct credential and log directly into a remote system, keeping your privileged accounts more secure.

This document covers the following topics:

  • Vault Configuration: Enable the user permissions needed to start using BeyondTrust Vault.
  • Discovery & Import: Find privileged accounts commonly used by your privileged users, along with their associated endpoints, as well as Windows service accounts, and import them into the BeyondTrust Vault.
  • Add Credentials Manually: Manually add shared and personal generic accounts into the BeyondTrust Vault.
  • Use SSH keys with a Certificate Authority: Vault can provide a unique private key for each usage request, ensuring the user never receives the private key that is trusted by the endpoint. Each key can be time-limited so that it is valid only until its expiry time, after which it becomes useless. Short-lived keys reduce the risk of attacks because the keys hold less value to an attacker.
  • Credential Grouping: Use account groups to logically group vault accounts and grant users access to multiple accounts at one time.
  • Vault Account Policies: Use account policies to define account settings related to password rotation and credential checkout and apply those settings to multiple accounts at once.
  • Credential Rotation: Rotate passwords, manually or automatically, after each use.
  • Check In and Check Out: Retrieve credentials for use outside of a BeyondTrust session.
  • Credential Injection: Inject credentials into a remote system directly from the BeyondTrust access console.
  • Reporting: View and track credential activity, including the use of shared credentials.
  • Use Vault with Entra ID Domain Services accounts: Create a Microsoft Entra ID Service Principal and use Vault to discover and manage Entra ID Domain Services accounts.