Configuring the setup for Password Rotation in Windows and Unix Privilege Account
Microsoft Windows Password Rotation
Before You Begin
Steps to consider for running a test Password Rotation job
Make sure to create a test Password Rotation policy for initial testing and assign the test policy to one or two servers.
Onboard the test accounts
Make sure the following server-level policy details are available:
Details of Password Complexity policy
Password expiration policy on the server level
Ensure the ‘Group Policies’ mentioned below are configured on the target server.
Ensure the above server-level policies are mirrored in the ‘PAM Password policy and Rotation policy’.
Make sure a ‘Management account’ is configured in the PAM application for Windows Local / Active Directory servers.
Ensure network connectivity to the target servers is enabled on the required ports.
Steps to consider for enabling schedule-based Password Rotation
Ensure all the above steps are followed before enabling password rotation on production servers.
Make sure to create separate password complexity and rotation policies for Windows Workgroup servers and Windows Active Directory servers.
Ensure the PAM password rotation policy is configured to trigger at least five days earlier than the server-level expiration policy.
Windows AD Accounts Password Rotation
Team Involvement required: Security Team and Infra Team involvement is required for this configuration.
Pre-requisites:
For Windows AD account password changes through Sectona PAM:
One ‘Admin’ account in the domain is required, which will be configured as the ‘Management Account’ in Sectona PAM; this can be the same account used when adding Active Directory in Sectona PAM.
Note:
The required account should be a service account (non-interactive) and should be in the same OU as the privileged accounts whose passwords PAM needs to change.
Right-click the OU > the ‘Delegation of Control Wizard’ window pops up > select the Management account > select ‘Create a custom task to delegate’ > Next > select ‘Only the following objects in the folder’ > tick ‘User objects’ > Next > select permissions ‘General’ and ‘Property-specific’ > under Permissions tick ‘Reset Password’, ‘Read pwdLastSet’, ‘Write pwdLastSet’, ‘Read lockoutTime’ and ‘Write lockoutTime’.
Delegate the above permissions to the management account in the domain.
To rotate the password of a Domain or Enterprise Admin account, an account with equivalent permissions must be configured in PAM.
Ports 139 and 445 are required for password rotation.
For example, in the screenshots below the required permissions have been assigned to the ‘Admin’ account:
I. Reset Password
II. Password Last Set
III. Lockout time
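The same delegation can be scripted instead of clicked through the wizard. The following is an added example (not a Sectona script) that grants exactly the five permissions listed above on one OU using dsacls.exe from the AD DS tools; the OU distinguished name and account name are placeholders you must replace.

```powershell
# Added example: delegate the wizard permissions above to the PAM management account.
# $Ou and $Account are assumed placeholder values, not real objects.
$Ou      = "OU=PrivilegedAccounts,DC=corp,DC=example"   # OU holding the accounts PAM rotates
$Account = "CORP\svc-pam-mgmt"                           # non-interactive management account

# /I:S   = sub-objects only, i.e. the user objects inside the OU, which matches
#          'Only the following objects in the folder' > User objects in the wizard.
# CA     = control access (extended) right, here 'Reset Password'
# RPWP   = read property + write property on the named attribute
# ;user  = inherited object type: apply only to user objects
$grants = @(
    "${Account}:CA;Reset Password;user",
    "${Account}:RPWP;pwdLastSet;user",
    "${Account}:RPWP;lockoutTime;user"
)

foreach ($g in $grants) {
    & dsacls.exe $Ou /I:S /G $g
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for grant '$g'" }
}

# Verify: show only the ACEs on the OU that reference the management account.
# Expect three inherit-only entries: Reset Password, pwdLastSet and lockoutTime.
(& dsacls.exe $Ou) | Select-String -SimpleMatch $Account
```

Run it from a domain-joined host as an account that is allowed to modify the OU's security descriptor; the verification line is also useful later as an audit of what the management account has actually been granted.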
Windows Local Accounts Password Rotation
Team Involvement required: Security Team and Infra Team involvement is required for this configuration.
Pre-requisite:
A. For Windows Local Account password changes through Sectona PAM when the server is on a ‘Domain’
One Domain account is required, which will be configured as the ‘Management Account’ in Sectona PAM; this can be the same account used when adding Active Directory in Sectona PAM.
Please refer to the Note above for creating the Domain account.
Either the given ‘Domain account’ or the ‘Domain group’ to which the domain account belongs should be added to the ‘Local Administrators’ group on all Windows servers in the same domain.
Or
The built-in local admin account of the server should be onboarded in PAM and configured as the ‘Management Account’.
Password Change Process in Sectona:
When a password change is initiated for a local account, Sectona PAM uses the defined ‘Management Account’ to connect to the remote server (over Remote WMI connections) and reset the password of the local account.
B. For Windows Local Account password changes through Sectona PAM when the server is in a ‘Workgroup’
One ‘Local Admin’ account that is a member of the ‘Local Administrators’ group on the respective Windows Server is required; it will be configured as the ‘Management Account’ in Sectona PAM.
The ‘Local Admin’ account can be the ‘Built-in Administrator’ of the server.
The local policy ‘User Account Control: Run all administrators in Admin Approval Mode’ must be ‘Disabled’ for the WMI connection to the server to work correctly and change the passwords of other local accounts. If the policy was originally ‘Enabled’, a system restart is required after disabling it for the change to take effect. (Path: Run > gpedit.msc > Windows Settings > Security Settings > Local Policies > Security Options > select the policy ‘User Account Control: Run all administrators in Admin Approval Mode’, select ‘Disabled’, Apply > OK.)
Password Change Process in Sectona:
When a password change is initiated for a local account, Sectona PAM uses the defined ‘Management Account’ to connect to the remote server (over Remote WMI connections) and reset the password of the local account.
C. For Windows Local Account password changes and RDP access through Sectona PAM when the server is in a ‘Workgroup’ or ‘Domain’ (applicable to both)
The LmCompatibilityLevel needs to be the same on the PAM server and on the target server; a mismatch also causes connection issues when taking RDP to the target servers. The path is: open Registry Editor > HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > Lsa. Right-click LmCompatibilityLevel and select Modify to change the value.
Open the Local Group Policy Editor on the target server > Local Computer Policy > Computer Configuration > Security Settings > Local Policies > Security Options, search for the policies below and disable them:
a. User Account Control: Admin Approval Mode for the Built-in Administrator account
b. User Account Control: Run all administrators in Admin Approval Mode
If, while taking an RDP connection to the Windows server via PAM, you are asked to enter credentials manually, the policy ‘Always prompt for password upon connection’ needs to be disabled. The path is: open the Local Group Policy Editor on the target server > Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security. Right-click the policy ‘Always prompt for password upon connection’, select Edit, and set it to Not Configured or Disabled.
WMI connections use the following TCP ports over the network:
Source | Destination | Ports | Communication
Sectona Web Access (Application Server) | Windows Servers | 135, 139, 445, 49152-65534 | WMI
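Before enabling rotation on a server, it helps to verify sections B and C in one pass rather than opening each console. This is an added read-only audit script (not Sectona tooling) that reads the registry values behind the policies named above on the target and on the PAM application server, compares LmCompatibilityLevel between the two, and probes the fixed WMI ports from the table; $Target and $PamServer are placeholder host names.

```powershell
# Added example: audit the local-account rotation prerequisites on a target server.
# $Target / $PamServer are assumed placeholders; requires PowerShell Remoting to both.
$Target    = "win-target01"
$PamServer = "pam-app01"
$UacKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
$LsaKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
$RdpKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"

$probe = {
    param($UacKey, $LsaKey, $RdpKey)
    $uac = Get-ItemProperty -Path $UacKey
    [pscustomobject]@{
        # 'UAC: Admin Approval Mode for the Built-in Administrator account'
        FilterAdministratorToken = $uac.FilterAdministratorToken
        # 'UAC: Run all administrators in Admin Approval Mode' (1 = Enabled, needs reboot to apply)
        EnableLUA                = $uac.EnableLUA
        # absent value means the OS default is in effect
        LmCompatibilityLevel     = (Get-ItemProperty -Path $LsaKey).LmCompatibilityLevel
        # 'Always prompt for password upon connection'; absent = Not Configured
        fPromptForPassword       = (Get-ItemProperty -Path $RdpKey -ErrorAction SilentlyContinue).fPromptForPassword
    }
}
$args = $UacKey, $LsaKey, $RdpKey
$t = Invoke-Command -ComputerName $Target    -ScriptBlock $probe -ArgumentList $args
$p = Invoke-Command -ComputerName $PamServer -ScriptBlock $probe -ArgumentList $args

$findings = @()
if ($t.EnableLUA -eq 1)                { $findings += "Run all administrators in Admin Approval Mode is still Enabled" }
if ($t.FilterAdministratorToken -eq 1) { $findings += "Admin Approval Mode for built-in Administrator is still Enabled" }
if ($t.fPromptForPassword -eq 1)       { $findings += "Always prompt for password upon connection is Enabled" }
if ($t.LmCompatibilityLevel -ne $p.LmCompatibilityLevel) {
    $findings += "LmCompatibilityLevel mismatch: target=$($t.LmCompatibilityLevel) PAM=$($p.LmCompatibilityLevel)"
}

# Fixed WMI ports from the table above; the dynamic RPC range 49152-65534 cannot be
# checked with a single probe, so only the firewall rule for it can be reviewed.
foreach ($port in 135, 139, 445) {
    if (-not (Test-NetConnection -ComputerName $Target -Port $port -InformationLevel Quiet)) {
        $findings += "TCP $port to $Target is not reachable from this host"
    }
}
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { "All checked prerequisites satisfied on $Target" }
```

Run it from the PAM application server so that the port probes reflect the path the WMI connection will actually take.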
Unix/Linux Password Rotation
Before You Begin
Steps to consider for running a test Password Rotation job
Make sure to create a test Password Rotation policy for initial testing and assign the test policy to one or two servers.
Onboard the test accounts
Make sure the following server-level policy details are available:
Details of Password Complexity policy
Password expiration policy on the server level
Ensure the privileged account has ‘self-password change’ permission.
Ensure the above server-level policies are mirrored in the ‘PAM Password policy and Rotation policy’.
Ensure SSH connectivity to the target servers is enabled on the network from the PAM application server.
Steps to consider for enabling schedule-based Password Rotation
Ensure all the above steps are followed before enabling password rotation on production servers.
Ensure the PAM password rotation policy is configured to trigger at least five days earlier than the server-level expiration policy.
Pre-requisites:
The privileged account should have self-password change permission on the target server.
SSH connectivity to the target server must be enabled from the PAM application server.
All the above-mentioned server-level policies should be configured in PAM.