Privileged password management

Privileged password management

=Overview=

Privileged password management software may be deployed by organizations to secure the passwords for login IDs that have elevated security privileges. This is most often done by periodically changing every such password to a new, random value. Since users and automated software processes need these passwords to function, privileged password management systems must also store these passwords and provide various mechanisms to disclose these passwords in a secure and appropriate manner.

Examples of privileged passwords

There are three main types of privileged passwords. They are used to authenticate:
* Local administrator accounts.
* Service accounts.
* Connections by one application to another.

Local administrator accounts and passwords

On Unix and Linux systems, the root user is a privileged login account. On Windows, the equivalent is Administrator. On SQL databases, the equivalent is sa. In general, most operating systems, databases, applications and network devices include an administrative login, used to install software, configure the system, manage users, apply patches, etc. On some systems, different privileged functions are assigned to different users, which means that there are more privileged login accounts, but each of them is less powerful.

ervice accounts and passwords

On the Windows operating system, service programs execute in the context of either SYSTEM (very privileged, but has no password), or of a user account. When services run as a non-SYSTEM user, the service control manager must provide a login ID and password to run the service program -- so service accounts have passwords. On Unix and Linux systems, init and inetd can launch service programs as non-privileged users without knowing their passwords, so services do not normally have passwords.

Embedded application accounts and passwords

Often, one application needs to be able to connect to another, to access a service. A common example of this pattern is when a web application must log into a database to retrieve some information. These inter-application connections normally require a login ID and password and this password.

ecuring privileged passwords

A privileged password management system secures privileged passwords by:
* Periodically changing each password to a new, random value.
* Storing these values.
* Protecting the stored values (e.g., using encryption and replicated storage).
* Providing mechanisms to disclose these passwords to various types of participants in the system:
** IT administrators.
** Programs that launch services (e.g., service control manager on Windows).
** Applications that must connect to other applications.

Required infrastructure

A privileged password management system requires extensive infrastructure:
* A mechanism to schedule password changes.
* Connectors to various kinds of systems.
* Mechanisms to update various participants with new password values.
* Extensive auditing.
* Encrypted storage.
* Authentication for parties that wish to retrieve password values.
* Access controls / authorization to decide whether password disclosure is appropriate.
* Replicated storage, to ensure that hardware failure or a site disaster does not lead to loss of data.

External links

* [http://id-archive.com/docs/privileged-password-management.pdf Privileged password management] is a white paper discussing the architectural challenges associated with large scale management of sensitive passwords.


Wikimedia Foundation. 2010.

Игры ⚽ Нужен реферат?

Look at other dictionaries:

  • Password management — There are several forms of software used to help users or organizations better manage passwords:* Personal software, installed and used by individual users: ** Password manager software is used by individuals to organize and encrypt many personal …   Wikipedia

  • Comparison of privilege authorization features — A number of computer operating systems employ security features to help prevent malicious software from gaining sufficient privileges to compromise the computer system. Operating systems lacking such features, such as DOS, Windows implementations …   Wikipedia

  • Hitachi ID Systems, Inc. — Company Overview= Hitachi ID Systems, Inc., formerly M Tech Information Technology, Inc. , is a leading publisher of identity management software. Hitachi ID products help organizations strengthen network security, lower IT support costs and… …   Wikipedia

  • Cyber-Ark — Software, Inc. Type Private Industry Computer software Founded 1999 Headquarters …   Wikipedia

  • Salt (cryptography) — In cryptography, a salt consists of random bits, creating one of the inputs to a one way function. The other input is usually a password or passphrase. The output of the one way function can be stored rather than the password, and still be used… …   Wikipedia

  • Rootkit — A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications. The term rootkit is a concatenation… …   Wikipedia

  • Kernel (computing) — A kernel connects the application software to the hardware of a computer In computing, the kernel is the main component of most computer operating systems; it is a bridge between applications and the actual data processing done at the hardware… …   Wikipedia

  • RSTS/E — Infobox OS name = RSTS caption = Example text display via remote connection. developer = Digital Equipment Corporation (now owned by Mentec Inc.) source model = Closed Source kernel type = Time sharing operating systems supported platforms = PDP… …   Wikipedia

  • Malware — Malware, short for malicious software, consists of programming (code, scripts, active content, and other software) designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, gain unauthorized access… …   Wikipedia

  • Wireless security — An example wireless router, that can implement wireless security features Wireless security is the prevention of unauthorized access or damage to computers using wireless networks. Many laptop computers have wireless cards pre installed. The… …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”