Managing Local Administrator Passwords Enterprise Password Vault - PowerPoint PPT Presentation

Provided by: karen74
Transcript and Presenter's Notes

1
Managing Local Administrator Passwords: Enterprise Password Vault
  • May 2007

2
Windows Local Administrators: The Challenge
  • Exist on every Windows machine
  • In an average enterprise there are thousands of
    desktops, laptops and servers
  • Highly privileged
  • Can be used to do anything on these machines
  • Passwords are not changed enough
  • It is extremely difficult to enforce password
    policies
  • Becomes widely known
  • In most cases the same Administrator password is
    used across the entire organization
  • No accountability
  • Who is the user behind the Administrator session?
  • Limited remote administration tools
  • No automatic updates for moves, adds and changes
    which are very frequent in an enterprise
    environment

The risk: Mismanagement of local administrators
can lead to disastrous results for the
enterprise! Every file on every PC can be
compromised: CEO files, marketing plans, budgets,
HR records, etc.
3
Windows Local Administrators: The Way it Works
4
How to Easily Access any Windows Machine in the
Network - I
Step 1: Many cracking tools for Windows local
users are available on the web. Any insider can
use them to crack the local Administrator
password on her own laptop/desktop.
5
How to Easily Access any Windows Machine in the
Network - II
Step 2: Since it is the same password being
used across the organization for all local
administrators, the user can now remotely access
any desktop with administrator permissions!
[Diagram label: CEO desktop]
6
Cyber-Ark Password Survey Results
[Chart categories: Personal, Network Devices, Servers, Apps, Local Admins]
40% of enterprises rarely change Local
Administrator passwords!
Source: Cyber-Ark Password Survey, Aug 2006
7
Windows Local Administrators: EPV Solution Overview
  • Cyber-Ark Enterprise Password Vault V4.1
    introduces
  • Compliance and Security
  • Automatic password change based on flexible
    password policies
  • Compliance with regulations
  • Enabling strong and unique password values
  • Full audit trail for all administrative ID
    activities
  • Guaranteed individual accountability
  • Ease of Deployment
  • Out of the box solution for managing Windows
    local administrators
  • Highly secured solution for the keys to the
    enterprise
  • Especially adjusted to IT Support Centers and
    helpdesks
  • Automatic discovery of Windows machines in the
    domain
  • 24x7, enterprise-wide accessibility to
    administrators' credentials upon demand
  • Enterprise readiness with seamless integration to
    the IT environment
  • Quick deployment and implementation
  • Proven in over 200 enterprise customers

8
Windows Local Administrators: EPV Benefits
  • With EPV for Local Administrator accounts
  • IT personnel, Support Center and HelpDesk
    managers can have
  • Full accountability on their staff operations
    when using administrative accounts
  • Assurance that administrative passwords on
    laptops and desktops are never lost or forgotten
  • Immediate ROI by improving IT productivity
  • Information Security managers can
  • Enforce password policy on the sensitive
    administrative accounts in the enterprise without
    compromising IT staff productivity
  • Increase overall security of data on laptops and
    desktops by centrally controlling and tracking
    access to privileged accounts

9
Windows Local Administrators: Windows Vista Benefits
  • Windows Vista uses an improved security model
    (UAC, User Account Control)
  • Basic tasks such as installing a printer or fonts
    no longer require full administrator privileges
  • By default, programs work in a non-privileged
    mode and are required to provide the
    administrator credentials to get elevated
    privileges
  • Local administrator accounts still exist in Vista
  • EPV enhances the Windows Vista security mechanism
    by
  • Strongly protecting the shared administrative
    accounts on Windows Vista
  • Allowing full control and audit over
    administrative account usage
  • Providing full and automatic management
  • Automatic detection and reflection in the Vault
    of new machines in the domain
  • Automatic password replacement based on
    enterprise policies
  • Strong and unique password values across the
    enterprise

10
Windows Local Administrators: Simple Architecture
[Architecture diagram; labels: Vault, DR Vault, CPM, Desktops and Laptops, Windows Servers, Administrators / Support Centers / Helpdesks, Enterprise Backup, Enterprise Directory, Enterprise Authentication, "RDP, Telnet, ODBC, etc. protocols"]
11
Windows Local Administrators: Distributed Architecture
[Architecture diagram; labels: All-in-one Solutions, Password Appliance/DR (three instances), Cyber-Ark Enterprise Password Vault, CPM (three instances), Vault/DR, Cyber-Ark FW Friendly Secured Protocol]
12
Windows Local Administrators: Concept of Operation
[Diagram: Desktops, Laptops and Vault, annotated with sample password values]
  • Until today, local administrator passwords are
    the same across enterprise desktops/laptops, and
    usually IT staff and help desk personnel memorize
    them
  • Using the EPV solution, different passwords are
    automatically generated for each PC, and IT staff
    are no longer familiar with them
  • Whenever a password is required by an authorized
    user, it is checked-out from the Vault
  • It is then used on the desktop or laptop and
    automatically changed upon check-in
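
The check-out / check-in cycle from the bullets above, as an added Python example that is not part of the original presentation and is not Cyber-Ark's API. `LocalAdminVault`, the `set_password` callback and the machine and user names are hypothetical; a dictionary stands in for the real endpoints.

```python
import secrets
import string
from datetime import datetime, timezone

ALPHABET = string.ascii_letters + string.digits + "!#%+-_"

class LocalAdminVault:
    """Toy model of the slide's workflow (hypothetical names, not the EPV API)."""

    def __init__(self, machines, authorized, set_password):
        self.authorized = set(authorized)
        self.set_password = set_password  # callback that changes the password on a machine
        self.secrets, self.holder, self.audit = {}, {}, []
        for machine in machines:
            self.rotate(machine)          # every machine starts with its own value

    def rotate(self, machine):
        new = "".join(secrets.choice(ALPHABET) for _ in range(20))
        self.set_password(machine, new)   # endpoint first: if this raises, the vault
        self.secrets[machine] = new       # still holds the password that works

    def log(self, user, action, machine):
        self.audit.append((datetime.now(timezone.utc), user, action, machine))

    def check_out(self, user, machine):
        if user not in self.authorized:
            self.log(user, "denied", machine)
            raise PermissionError(f"{user} may not check out {machine}")
        if machine in self.holder:
            raise RuntimeError(f"{machine} is held by {self.holder[machine]}")
        self.holder[machine] = user       # one named person per disclosed password
        self.log(user, "check-out", machine)
        return self.secrets[machine]

    def check_in(self, user, machine):
        if self.holder.get(machine) != user:
            raise RuntimeError(f"{machine} is not checked out by {user}")
        self.rotate(machine)              # the disclosed value stops working here
        del self.holder[machine]
        self.log(user, "check-in+rotate", machine)

def demo():
    endpoints = {}                        # constructed stand-in for real machines
    vault = LocalAdminVault(["PC-01", "PC-02", "LAPTOP-07"], {"alice"}, endpoints.__setitem__)
    seen = vault.check_out("alice", "PC-01")
    vault.check_in("alice", "PC-01")
    return vault, endpoints, seen
```

After `demo()`, the password the technician saw no longer matches the one on PC-01, and the audit list names who held it and when.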

[Diagram label: IT personnel]
13
Windows Local Administrators: Automatic Machines Detection
[Diagram: machines and Vault, annotated with sample password values]
  • A new employee joins the enterprise: the CPM
    automatically starts managing the privileged
    local administrator account
  • An employee leaves the enterprise: the CPM
    automatically archives the relevant machine
    (password) in the Vault

14
Thank You