1 / 14

Managing Local Administrator Passwords

Many cracking tools for Windows local users are available on the web. ... Windows Vista uses an improved security model (UAC User Account Control) ...

Kelvin_Ajay
Download Presentation

Managing Local Administrator Passwords

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


    Slide 1:Managing Local Administrator Passwords Enterprise Password Vault

    May 2007

    Slide 2:Windows Local Administrators The Challenge

    Exist on every Windows machine In an average enterprise there are thousands of desktops, laptops and servers Highly privileged Can be used to “do anything” on these machines Passwords are not changed enough It is extremely difficult to enforce password policies Becomes widely known In most cases the same Administrator password is used across the entire organization No accountability Who is the user behind the Administrator session Limited remote administration tools No automatic updates for moves, adds and changes which are very frequent in an enterprise environment The risk Mismanagement of local administrators can lead to disastrous results for the enterprise! Every file on every PC can be compromised: CEO files, marketing plans, budgets, HR records, etc.

    Slide 3:Windows Local Administrators The Way it Works…

    This is a sample email written by a system administrator in a very large enterprise. It proves that the same password is actually used for all local administrators. Whenever the password is changed, all users are informed on it and can contact him to receive the new password.This is a sample email written by a system administrator in a very large enterprise. It proves that the same password is actually used for all local administrators. Whenever the password is changed, all users are informed on it and can contact him to receive the new password.

    Slide 4:How to Easily Access any Windows Machine in the Network - I

    Step 1 – Many cracking tools for Windows local users are available on the web. Any insider can use them to crack the local Administrator password on her own laptop/desktop… This slide emphasizes the major risk of using the same password value for all Windows local administrators across the enterprise. Step 1 - One can crack his/her local administrator password on his/her desktop/laptop This slide emphasizes the major risk of using the same password value for all Windows local administrators across the enterprise. Step 1 - One can crack his/her local administrator password on his/her desktop/laptop

    Slide 5:How to Easily Access any Windows Machine in the Network - II

    Step 2 – Since it is the same password being used across the organization for all local administrators, the user can now remotely access any desktop with administrator permissions! CEO desktop Step 2 – the user can then easily access any desktop in the enterprise with administrator permissions (!), which means s/he can do ANYTHING on this machine. Step 2 – the user can then easily access any desktop in the enterprise with administrator permissions (!), which means s/he can do ANYTHING on this machine.

    Slide 6:Cyber-Ark Password Survey Results

    40% of enterprises rarely change Local Administrator passwords! Personal Network Devices Servers Apps Local Admins Source: Cyber-Ark Password Survey, Aug 2006

    Slide 7:Windows Local Administrators EPV Solution Overview

    Cyber-Ark Enterprise Password Vault V4.1 introduces: Compliance and Security Automatic password change based on flexible password policies Compliance with regulations Enabling strong and unique password values Full audit trail for all administrative ID activities Guaranteed individual accountability Ease of Deployment Out of the box solution for managing Windows local administrators Highly secured solution for the “keys to the enterprise” Especially adjusted to IT Support Centers and helpdesks Automatic discovery of Windows machines in the domain 24x7, enterprise-wide accessibility to administrators’ credentials upon demand Enterprise readiness with seamless integration to the IT environment Quick deployment and implementation Proven in over 200 enterprise customers

    Slide 8:Windows Local Administrators EPV Benefits

    With EPV for Local Administrator accounts: IT personnel, Support Center and HelpDesk managers can have: Full accountability on their staff operations when using administrative accounts Assurance that administrative passwords on laptops and desktops are never lost or forgotten Immediate ROI by improving IT productivity Information Security managers can Enforce password policy on the sensitive administrative accounts in the enterprise without compromising IT staff productivity Increase overall security of data on laptops and desktops by centrally controlling and tracking access to privileged accounts

    Slide 9:Windows Local Administrators Windows Vista Benefits

    Windows Vista uses an improved security model (UAC – User Account Control): Basic tasks such as installing a printer or fonts no longer require full administrator privileges By default, programs work in a non-privileged mode and are required to provide the administrator credentials to get elevated privileges Local administrator accounts still exist in Vista EPV enhances the Windows Vista security mechanism by: Strongly protecting the shared administrative accounts on Windows Vista Allowing full control and audit over administrative account usage Providing full and automatic management: Automatic detection and reflection in the Vault of new machines in the domain Automatic passwords replacement based on enterprise policies Strong and unique password values across the enterprise We are often being asked if our solution is still necessary with the new enhancements of Windows Vista with regards to local administrators. This slide explains what are these enhancements and why they do not eliminate the need to protect and manage these administrative accounts.We are often being asked if our solution is still necessary with the new enhancements of Windows Vista with regards to local administrators. This slide explains what are these enhancements and why they do not eliminate the need to protect and manage these administrative accounts.

    Windows Local Administrators Simple Architecture Vault CPM Desktops and Laptops Administrators, Support Centers, Helpdesks Windows Servers Desktops and Laptops Windows Servers DR Vault Enterprise Backup Enterprise Directory Enterprise Authentication RDP, Telnet, ODBC, etc. protocols

    Slide 10:In a simple architecture there is one Vault and one CPM in the center. In order to manage those servers and desktops on remote (separate) networks, you need to open the FW for these protocols, such as RDP (for Windows), ODBC (DBs), telnet, SSH, etc.In a simple architecture there is one Vault and one CPM in the center. In order to manage those servers and desktops on remote (separate) networks, you need to open the FW for these protocols, such as RDP (for Windows), ODBC (DBs), telnet, SSH, etc.

    Windows Local Administrators Distributed Architecture Vault /DR CPM CPM Cyber-Ark “FW Friendly” Secured Protocol CPM Cyber-Ark “FW Friendly” Secured Protocol Password Appliance/DR All-in-one Solutions Cyber-Ark Enterprise Password Vault Password Appliance/DR Password Appliance/DR

    Slide 11:In a distributed environment: All-in-one solutions (our competitors) – you need to install a stand-alone password appliance in each sub network, with a stand-alone DR for each of them. You actually do not have one central password management tool and no central audit. The solution is duplicated and the administrative overhead efforts are also duplicated. EPV – You need to install only one Vault and one DR in the center, whereas in the distributed networks you only need install a CPM. No special FW configurations are needed, as the CPM and the Vault communicate in a “FW friendly” secured cyber-Ark protocol. You gain one central tool for managing your privileged and shared accounts. Central audit for the entire enterprise, etc.In a distributed environment: All-in-one solutions (our competitors) – you need to install a stand-alone password appliance in each sub network, with a stand-alone DR for each of them. You actually do not have one central password management tool and no central audit. The solution is duplicated and the administrative overhead efforts are also duplicated. EPV – You need to install only one Vault and one DR in the center, whereas in the distributed networks you only need install a CPM. No special FW configurations are needed, as the CPM and the Vault communicate in a “FW friendly” secured cyber-Ark protocol. You gain one central tool for managing your privileged and shared accounts. Central audit for the entire enterprise, etc.

    Slide 12:Windows Local Administrators Concept of Operation

    psw4deskadm psw4deskadm psw4deskadm Vault Desktops & Laptops psw4deskadm psw4lapadm IT personnel 0in7$&x fuiE49&fj fuiE49&fj 0in7$&x lm7yT5w lm7yT5w fuiE49&fj fuiE49&fj psw4lapadm psw4lapadm jist48Vop jist48Vop Gopdt6$5 Gopdt6$5 cqg8@fz cqg8@fz Until today – local administrator passwords are the same across enterprise desktops/laptops and usually IT staff and help desk personnel memorize them Using the EPV solution – different passwords are automatically generated for each PC and IT staff are no longer familiar with them Whenever a password is required by an authorized user, it is checked-out from the Vault It is then used on the desktop or laptop and automatically changed upon check-in

    Slide 13:Windows Local Administrators Automatic Machines Detection

    Vault fuiE49&fj default cqg8@fz default cqg8@fz A new employee joins the enterprise –> The CPM automatically starts managing the privileged local administrator account An employee leaves the enterprise -> The CPM automatically archives the relevant machine (password) in the Vault fuiE49&fj This slide demonstrates how changes such as new Windows machine joining or leaving the network are automatically reflected in the Vault by the CPM. This is especially important for large enterprises, where there are hundreds of thousands of machines, and the environment changes on a daily basis.This slide demonstrates how changes such as new Windows machine joining or leaving the network are automatically reflected in the Vault by the CPM. This is especially important for large enterprises, where there are hundreds of thousands of machines, and the environment changes on a daily basis.

    Slide 14:Thank You

More Related