Title: Managing Local Administrator Passwords Enterprise Password Vault
1. Managing Local Administrator Passwords: Enterprise Password Vault
2. Windows Local Administrators: The Challenge
- Exist on every Windows machine
  - In an average enterprise there are thousands of desktops, laptops and servers
- Highly privileged
  - Can be used to do anything on these machines
- Passwords are not changed enough
  - It is extremely difficult to enforce password policies
- Becomes widely known
  - In most cases the same Administrator password is used across the entire organization
- No accountability
  - Who is the user behind the Administrator session?
- Limited remote administration tools
  - No automatic updates for moves, adds and changes, which are very frequent in an enterprise environment
The risk: Mismanagement of local administrators can lead to disastrous results for the enterprise! Every file on every PC can be compromised: CEO files, marketing plans, budgets, HR records, etc.
3. Windows Local Administrators: The Way it Works
4. How to Easily Access any Windows Machine in the Network - I
Step 1: Many cracking tools for Windows local users are available on the web. Any insider can use them to crack the local Administrator password on her own laptop/desktop.
5. How to Easily Access any Windows Machine in the Network - II
Step 2: Since it is the same password being used across the organization for all local administrators, the user can now remotely access any desktop with administrator permissions!
[Diagram label: CEO desktop]
6. Cyber-Ark Password Survey Results
[Chart categories: Personal, Network Devices, Servers, Apps, Local Admins]
40% of enterprises rarely change Local Administrator passwords!
Source: Cyber-Ark Password Survey, Aug 2006
7. Windows Local Administrators: EPV Solution Overview
- Cyber-Ark Enterprise Password Vault V4.1 introduces
  - Compliance and Security
    - Automatic password change based on flexible password policies
    - Compliance with regulations
    - Enabling strong and unique password values
    - Full audit trail for all administrative ID activities
    - Guaranteed individual accountability
  - Ease of Deployment
    - Out of the box solution for managing Windows local administrators
    - Highly secured solution for the keys to the enterprise
    - Especially adjusted to IT Support Centers and helpdesks
    - Automatic discovery of Windows machines in the domain
    - 24x7, enterprise-wide accessibility to administrators' credentials upon demand
    - Enterprise readiness with seamless integration to the IT environment
    - Quick deployment and implementation
    - Proven in over 200 enterprise customers
8. Windows Local Administrators: EPV Benefits
- With EPV for Local Administrator accounts
  - IT personnel, Support Center and HelpDesk managers can have
    - Full accountability on their staff operations when using administrative accounts
    - Assurance that administrative passwords on laptops and desktops are never lost or forgotten
    - Immediate ROI by improving IT productivity
  - Information Security managers can
    - Enforce password policy on the sensitive administrative accounts in the enterprise without compromising IT staff productivity
    - Increase overall security of data on laptops and desktops by centrally controlling and tracking access to privileged accounts
9. Windows Local Administrators: Windows Vista Benefits
- Windows Vista uses an improved security model (UAC: User Account Control)
  - Basic tasks such as installing a printer or fonts no longer require full administrator privileges
  - By default, programs work in a non-privileged mode and are required to provide the administrator credentials to get elevated privileges
  - Local administrator accounts still exist in Vista
- EPV enhances the Windows Vista security mechanism by
  - Strongly protecting the shared administrative accounts on Windows Vista
  - Allowing full control and audit over administrative account usage
  - Providing full and automatic management
    - Automatic detection and reflection in the Vault of new machines in the domain
    - Automatic password replacement based on enterprise policies
    - Strong and unique password values across the enterprise
10. Windows Local Administrators: Simple Architecture
[Architecture diagram. Labels: Vault; DR Vault; CPM; Desktops and Laptops; Windows Servers; Administrators, Support Centers, Helpdesks; Enterprise Backup; Enterprise Directory; Enterprise Authentication; "RDP, Telnet, ODBC, etc. protocols"]
11. Windows Local Administrators: Distributed Architecture
[Architecture diagram. Labels: All-in-one Solutions; Password Appliance/DR (three instances); Cyber-Ark Enterprise Password Vault; CPM (three instances); Vault/DR; Cyber-Ark FW Friendly Secured Protocol]
12. Windows Local Administrators: Concept of Operation
[Diagram: IT personnel, Desktops/Laptops and the Vault, annotated with sample password values]
- Until today, local administrator passwords are the same across enterprise desktops/laptops, and usually IT staff and help desk personnel memorize them
- Using the EPV solution, different passwords are automatically generated for each PC, and IT staff are no longer familiar with them
- Whenever a password is required by an authorized user, it is checked out from the Vault
- It is then used on the desktop or laptop and automatically changed upon check-in
13. Windows Local Administrators: Automatic Machines Detection
[Diagram: the Vault, annotated with sample password values including "default"]
- A new employee joins the enterprise: the CPM automatically starts managing the privileged local administrator account
- An employee leaves the enterprise: the CPM automatically archives the relevant machine (password) in the Vault
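
The check-out/check-in cycle and the automatic machine detection described on slides 12 and 13, modelled in Python as an added example; it is not Cyber-Ark's code or API. The class and method names, the set_password callback standing in for the CPM's remote password change, the 24-character length and the one-holder-at-a-time rule are assumptions.

```python
import secrets
import string
from datetime import datetime, timezone

ALPHABET = string.ascii_letters + string.digits + "!#%+-_=?"

class LocalAdminVault:
    """In-memory model of the vault workflow (hypothetical names, not EPV's API)."""

    def __init__(self, set_password):
        self._set_password = set_password  # assumed callback: applies a password on a machine
        self._current = {}      # machine -> current local Administrator password
        self._archived = {}     # machine -> last password of a machine that left the domain
        self._checked_out = {}  # machine -> user currently holding the password
        self.audit = []         # (UTC timestamp, user, action, machine)

    def _log(self, user, action, machine):
        self.audit.append((datetime.now(timezone.utc), user, action, machine))

    def _rotate(self, machine):
        password = "".join(secrets.choice(ALPHABET) for _ in range(24))
        self._set_password(machine, password)  # change it on the machine first
        self._current[machine] = password      # then record the new value in the vault

    def reconcile(self, domain_machines):
        """Start managing newly seen machines; archive machines no longer in the domain."""
        for machine in sorted(set(domain_machines) - set(self._current)):
            self._rotate(machine)              # replaces the shared or default password
            self._log("CPM", "onboard", machine)
        for machine in sorted(set(self._current) - set(domain_machines)):
            self._archived[machine] = self._current.pop(machine)
            self._checked_out.pop(machine, None)
            self._log("CPM", "archive", machine)

    def check_out(self, user, machine):
        if machine in self._checked_out:       # assumption: one holder at a time
            raise PermissionError(f"{machine} is already checked out")
        password = self._current[machine]      # KeyError if the machine is not managed
        self._checked_out[machine] = user
        self._log(user, "check-out", machine)
        return password

    def check_in(self, user, machine):
        if self._checked_out.get(machine) != user:
            raise PermissionError(f"{user} does not hold {machine}")
        del self._checked_out[machine]
        self._rotate(machine)                  # the value the user saw stops working
        self._log(user, "check-in", machine)
```

Because every check-out is tied to a named user and the password is replaced at check-in, the audit list answers "who was behind the Administrator session", and a password learned on one machine is not valid on any other.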
14. Thank You