Disconnected Account Management

Are You Changing the Administrative Passwords on Your Offline Systems?

Historically, IT departments were able to directly manage all their systems because they were connected to the corporate network. IT could, at any time, reach out and connect to the systems to make changes immediately. But in today’s mobile-first and cloud-first world, most organizations operate with many disconnected systems - including air-gapped machines.

Even when disconnected, systems still need automatic and regular changes to the credentials on powerful administrator and root accounts. Otherwise, organizations cannot meet regulatory compliance mandates and are at risk from cyber attacks like pass-the-hash.

Privileged identity management solutions have long been able to change privileged passwords on connected systems. However, they often missed systems that were disconnected from the network.

BeyondTrust Privileged Identity can automatically update privileged account passwords on both connected and disconnected servers, desktops and laptops with Disconnected Account Management technology.

With Disconnected Account Management, all systems receive regularly scheduled password changes – despite the size of the enterprise and irrespective of connectivity – so that there are no privileged access security holes in the IT environment.

Install Tenant Application

• IT administrator creates different tenants (i.e. groups of systems) with different password policies
• Each tenant generates different installer packages suitable for those user machines
• IT administrator downloads a specially crafted application for each tenant
• Pre-configured application is installed in each machine
• Application automatically registers itself with either a public or private server
• Application receives policy that defines how often to change the password, and how to generate new and unique local passwords
• Application changes the root or administrator password on a regular schedule indefinitely

Share Secrets, Policies and Synchronized Clocks: Remote Application vs. Central Service

• The central service and the remote application refer to the same time clock
• Both know the policy of when passwords get changed
• A common secret defines the sequence of passwords that will be generated

Manage via Secure Web Interface

• Policies for passwords are controlled by the web portal
• Delegation of access is provided per tenant
• Authorized IT administrators can retrieve the current password being generated on a remote machine at any time
• Shows how long the current password will be valid as well as the next password to be generated

Benefits of Disconnected Account Management

• Change administrative passwords on offline systems automatically
• Mitigate pass-the-hash attacks
• Meets regulatory compliance requirements for password change frequency
• Work connected or disconnected from the network/domain
• Support Windows, Mac, Linux, UNIX, as well as embedded devices that support Python