Credential Management in BeyondTrust Remote Support (On-Premises)

Credential Management with BeyondTrust Vault

BeyondTrust Vault is a credential store that exists on the B Series Appliance, enabling discovery of and access to privileged credentials. You can manually add privileged credentials, or you can use the built-in discovery tool to scan and import Active Directory and local accounts into BeyondTrust Vault.

BeyondTrust Vault fits seamlessly into the service desk workflow because it is integrated directly with the Remote Support solution. Technicians do not have to learn another tool or even leave Remote Support to retrieve passwords. With one click in the BeyondTrust representative console, users can select the correct credential from the dropdown and log directly into a remote system, without ever having to know or even see the actual password.

Frequently Asked Questions about BeyondTrust Vault

What Communication Pathways Are Used With BeyondTrust Vault (Ports, Protocols, Connection Types, etc.)?

  • Active Directory and Discovery:
    • By default, discovery occurs over LDAP via the Active Directory Service Interface (ADSI) on port 389.
    • If LDAPS is enabled, Active Directory queries run over LDAP under an SSL/TLS layer on port 636, unless another port is specified. This transport-layer security encrypts all data communicated to and from Active Directory.
  • Windows Local Discovery:
    • Local Windows accounts are discovered via a series of calls directly to Windows APIs.
    • These APIs use Remote Procedure Calls (RPCs) and named pipes as the network protocol.
    • The RPC process translates the request parameters as well as any response data into a standard, encoded format for transmission.
    • Protection is negotiated at the operating system level.

Where Does Encryption for BeyondTrust Vault Occur?

  • Passwords and private SSH keys are encrypted at rest using AES-256-GCM in addition to any full disk encryption enabled for the BeyondTrust Appliance B Series.
  • Passwords and private SSH keys are encrypted in transit using an ephemeral public/private key pair when used for injection. This encryption occurs in addition to Remote Support's use of TLS to encrypt communication among all Remote Support components, such as the B Series Appliance, Jumpoint, customer client, etc.
  • Passwords are encrypted in transit by TLS.
  • Passwords used by Jumpoints to authenticate with Active Directory are never sent in plaintext to Active Directory.

Where Is the Vault Encryption Key Stored? Can It Be Accessed via /login or /appliance?

  • The Vault encryption key is needed to decrypt credentials managed by BeyondTrust Vault. This key is stored in one of the credential stores configured on the appliance.
  • The encryption key can be backed up by going to /login > Management > Software Management > Backup Vault Encryption Key. The backup file format used for the encryption key is the same NSB file format used for configuration and reporting data.

Is the Remote Support Application Database Encrypted, and If So, How?

  • BeyondTrust Vault stores data in an encrypted format in the database. If full disk encryption is enabled for your B Series Appliance, the Remote Support application database is also encrypted. However, this is independent of the encryption performed by BeyondTrust Vault.

What Best Practices Are Recommended to Maintain the Highest Level of Security Across All Points of Connection (Discovery, Injections, Support, etc.)?

  • BeyondTrust recommends using a valid CA-signed SSL certificate to protect communication among all Remote Support components.
  • We recommend that Jumpoints run on a system only a few privileged users have permissions to access.

For more information about Jumpoints, please see the Remote Support Jumpoint Guide: Unattended Access to Computers in a Network.

There are no user-visible security settings for BeyondTrust Vault.