
How Bravura Privilege manages service accounts

Bravura Privilege can be configured to secure service account passwords. This can be done in one of two ways, depending on the mode of operation:

  • In local service mode, the Bravura Privilege workstation service periodically scrambles service account passwords locally, in coordination with the central Bravura Privilege server cluster.

  • In push mode, Bravura Privilege servers periodically connect to Windows servers in order to change the passwords of service accounts.

    You can manage accounts on a domain controller by configuring all of its accounts as discovered objects. However, subscribers cannot be listed from domain controllers.

Bravura Privilege must notify the program that launches services – the subscriber – of the new password value, so that it can successfully launch the service at the time of the next system restart or when an administrator manually stops and restarts the service in question. The Subscriber notification component provides this functionality.

Bravura Privilege includes several mechanisms for managing subscribers:

  • Auto-discovery of subscriber/account dependencies for a variety of subscriber types: IIS, Scheduler, SCM, DCOM, at various OS and subscriber versions.

  • A white-list mechanism (usually table driven, but a plugin is available for more complex scenarios) so customers can control which service accounts should have their passwords randomized and when.

  • Built-in tools to notify known subscribers of new password values.

  • A transaction manager that can retry notifications to off-line subscribers.
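As an added example that is not Bravura Privilege's own code, the following PowerShell script performs the kind of subscriber/account dependency lookup the auto-discovery bullet above describes, for two of the listed subscriber types (SCM services and Task Scheduler tasks; IIS and DCOM are not covered). It assumes it is run locally with administrative rights and that the account is given in the form Windows stores it.

```powershell
# Added example (not Bravura Privilege code): enumerate the "subscribers" on this
# Windows host that depend on a given service account, so an operator can confirm
# what must be notified before that account's password is randomized.
# Assumes: run locally with administrative rights; covers SCM services and
# Task Scheduler tasks only (IIS app pools and DCOM are not enumerated here).
param(
    # Account as stored by Windows, e.g. 'CONTOSO\svc-backup' or '.\svc-local' (constructed names).
    [Parameter(Mandatory = $true)]
    [string]$Account
)

# Normalise 'DOMAIN\user' / '.\user' / 'user' so comparisons ignore case and prefix.
function Get-AccountKey([string]$Name) {
    if ([string]::IsNullOrWhiteSpace($Name)) { return $null }
    $leaf = ($Name -split '[\\/]')[-1]
    return $leaf.ToLowerInvariant()
}

$wanted = Get-AccountKey $Account
$subscribers = @()

# Subscriber type 1: Service Control Manager. Win32_Service.StartName holds the
# logon account the service runs under; the credential SCM stored is what goes stale.
Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    if ((Get-AccountKey $_.StartName) -eq $wanted) {
        $subscribers += [pscustomobject]@{
            Type  = 'SCM'
            Name  = $_.Name
            State = $_.State
        }
    }
}

# Subscriber type 2: Task Scheduler. Only tasks with LogonType 'Password' store a
# credential; S4U, group and service-SID tasks do not need re-notification.
Get-ScheduledTask | ForEach-Object {
    $p = $_.Principal
    if ($p.LogonType -eq 'Password' -and (Get-AccountKey $p.UserId) -eq $wanted) {
        $subscribers += [pscustomobject]@{
            Type  = 'Scheduler'
            Name  = $_.TaskPath + $_.TaskName
            State = $_.State
        }
    }
}

# One row per dependent subscriber; an empty table means nothing on this host
# needs to be told about the new password.
$subscribers | Sort-Object Type, Name | Format-Table -AutoSize
```

Invoke it with `-Account 'CONTOSO\svc-backup'` (constructed name) before a rotation to see what would need notification; UPN-style names (`user@domain`) are not normalised by this script.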

The above are primarily used when managed systems are integrated with Bravura Privilege in push mode – that is, there is no locally installed software on the target system and Bravura Privilege initiates all connections remotely, over the network, directly or via a co-located Bravura Privilege proxy server.

Push mode may be inappropriate, for example because the services it relies on (such as remote registry or WMI) are disabled or firewalled, or because the end system is offline or unreachable due to name resolution or IP routing issues (such as NAT). In that case a Local Workstation Service can be installed on the managed system. It performs essentially the same functions, but with much simpler connectivity (it calls home over HTTPS) and with no need for network-accessible services on the local system.

Local service mode is normally used on laptops and in some cases desktop PCs, but works on any system running any version of the Windows OS. Any problem encountered in updating a service password can, and should, be configured to trigger an exit trap program on the Bravura Privilege server, so that an administrator is notified of the failure the service will otherwise encounter when it is next started.