Rotate Privileged Credentials Using BeyondTrust Vault
It is a security best practice to rotate or change privileged credentials frequently. With BeyondTrust Vault, you can choose to set imported domain credentials to automatically rotate after each use, or you can manually rotate credentials at any time. Three actions trigger the automatic rotation of domain credentials:
- Manually checking in a credential from the /login interface.
- Leaving a support session where credential injection has been used.
- The password reaching its maximum age while scheduled password rotation is enabled.
Rotate Domain and Local Credentials Manually
- From the /login interface, go to Vault > Accounts.
- Click the ellipsis button for the account password you wish to rotate.
- Select Rotate Password.
Once rotation is complete, the Password Age information updates to show an age of only a few seconds.
Configure Automatic and Scheduled Rotation of Vault Credentials
You can configure passwords for Vault accounts to automatically rotate after each use by enabling the Automatically Rotate Credentials after Check In Rules option in the account policy being used for the account.
You can schedule password changes for Vault accounts by enabling the Scheduled Password Rotation Rules option in the account policy being used for the account.
The following limitations apply when rotating credentials for service accounts:
- Service accounts running in a failover cluster environment cannot be rotated. The error "Failover Cluster detected. Unable to change the run-as password for the service <service_name>" appears when a rotation attempt is made, and Rotation Failed is shown in the Status column for the service.
- Services using a Microsoft Graph account as the Run As account cannot be rotated.
- Services that have dependent services cannot be rotated, because of the risk that services in the dependency chain do not restart successfully.
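Before enabling scheduled rotation for a service account, it helps to confirm on the host that none of the limitations above apply. The following PowerShell pre-flight check is an added example and not part of BeyondTrust's documentation or product; it assumes it runs on the Windows host that owns the service with rights to query services, uses a running Cluster Service (ClusSvc) as the indicator of a failover cluster node, and only reports the Run As account so a reviewer can confirm it is not a Microsoft Graph account.

```powershell
# Added example (not BeyondTrust code): report whether a Windows service's
# Run As account is a candidate for Vault rotation, based on the documented
# limitations (dependent services, failover cluster, Run As account type).
param(
    [Parameter(Mandatory)]
    [string]$ServiceName
)

$svc = Get-Service -Name $ServiceName -ErrorAction Stop
$reasons = @()

# Limitation: services with dependent services are not rotated, because the
# dependency chain may not restart cleanly after the password change.
$dependents = @($svc.DependentServices)
if ($dependents.Count -gt 0) {
    $reasons += "Has dependent services: $($dependents.Name -join ', ')"
}

# Limitation: services on a failover cluster node cannot be rotated.
# Assumption: a running Cluster Service (ClusSvc) marks the host as a cluster node.
$clusSvc = Get-Service -Name 'ClusSvc' -ErrorAction SilentlyContinue
if ($clusSvc -and $clusSvc.Status -eq 'Running') {
    $reasons += 'Host is a failover cluster node (ClusSvc running)'
}

# Limitation: Microsoft Graph Run As accounts cannot be rotated. The account is
# only reported here; whether it is a Graph account is for the reviewer to confirm.
$runAs = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'").StartName

[pscustomobject]@{
    Service   = $svc.Name
    RunAs     = $runAs
    Rotatable = ($reasons.Count -eq 0)
    Reasons   = ($reasons -join '; ')
}
```

Run it for each service account you intend to put under a scheduled rotation rule; any entry with Rotatable set to False will show Rotation Failed in Vault if rotation is attempted.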
For more information on account policies, please see Add and Manage Vault Account Policies.