Listing and notifying subscribers on managed target systems
The Windows NT connector can discover local services, scheduled tasks, DCOM objects, COM+ applications, IIS objects, and ODBC DSNs, referred to as subscribers. Subscribers are associated with a managed local or domain account, called a service account.
In order to list and notify subscribers on targets, the subscriber version on the target must match the version available on the instance server. For example, when targeting a Windows system, you can only list scheduled tasks whose version is equal to or lower than that of the instance server: tasks configured for Windows 7 can be listed from an instance server running Windows 2008 R2, but tasks configured for Windows 8 cannot. To cover such targets, you must install a proxy server on a system that has the same version of the subscriber as the target system.
Make sure the Remote Registry service is started (On Windows workstations it is disabled by default, on Windows servers it is enabled by default).
Updating cached credentials (notification)
Subscribers contain a cached credential of the service account. This credential needs to be updated whenever the password is changed on a Windows server or workstation.
The act of updating the cached credentials of subscribers is called a subscriber notification. This is performed by using the "Update cached credentials" (updateresource) operation with the Windows NT connector. The operation can be triggered whenever a privileged password is randomized. This includes:
Expired passwords reset by the scheduler
Manually randomized passwords
Overridden passwords
Passwords that are checked in
The PAMSA SUBSCRIBER NOTIFICATION plugin determines which discovered services, scheduled tasks, DCOM objects, COM+ applications, IIS objects, and ODBC DSNs will be updated when passwords are randomized or during a password change orchestration. See Subscriber notification for details about this plugin.
Requirements
IIS objects
Managed systems must have the same IIS settings as the Bravura Security Fabric server. In order to manage IIS, the appropriate IIS version or management tools must be installed.
COM+ Applications
In order to list and update COM+ applications, one of the following must be met:
The Bravura Security Fabric server is a domain member, or,
A proxy server is installed on a domain member system.
and
The psadmin user on the proxy server or the psadmin user on the instance server is a domain user and is also a member of the local administrators group for each targeted system, or,
The Run as? setting for the target system credentials is enabled for a domain user who is also a member of the local administrators group for each targeted system.
Remote COM+ access needs to be enabled. In order to do this, COM+ Network Access needs to be installed:
In Windows Server versions 2012 and earlier, this requires the Application Server role. This can be configured from the Windows Server Manager.
In Windows Server 2016, the Application Server role does not exist. Update the registry subkey "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3" to change the RemoteAccessEnabled DWORD value to 1.
For more information see the Microsoft support article at:
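The following PowerShell script is an added example, not part of the Bravura documentation or product, that checks the two target-side prerequisites described above (the Remote Registry service from the "Listing and notifying subscribers" section, and the COM3 RemoteAccessEnabled value for Windows Server 2016 from this section) and optionally corrects them. It assumes it is run locally on the target system with administrative rights; the -Fix switch and the output field names are the example's own, while the service short name RemoteRegistry and the registry path and value name come from Windows and from this page.

```powershell
# Added example (not Bravura's own code): verify the target-side prerequisites
# for subscriber listing and notification before pointing the connector at a host.
# Assumes local administrative rights on the target.
param(
    [switch]$Fix   # when set, start/enable Remote Registry and set RemoteAccessEnabled=1
)

$results = [ordered]@{}

# 1. Remote Registry must be running; it is disabled by default on workstations.
#    'RemoteRegistry' is the Windows service short name of "Remote Registry".
$svc = Get-Service -Name 'RemoteRegistry' -ErrorAction Stop
$results['RemoteRegistry.Status']    = $svc.Status
$results['RemoteRegistry.StartType'] = $svc.StartType
if ($svc.Status -ne 'Running') {
    if ($Fix) {
        Set-Service -Name 'RemoteRegistry' -StartupType Automatic
        Start-Service -Name 'RemoteRegistry'
        $results['RemoteRegistry.Action'] = 'started and set to Automatic'
    } else {
        $results['RemoteRegistry.Action'] = 'NOT RUNNING - start it (or rerun with -Fix)'
    }
}

# 2. Remote COM+ access. On Windows Server 2016 this is the COM3 registry value
#    named on the page; on 2012 and earlier it is provided by the Application
#    Server role instead, so a missing value there is expected.
$com3   = 'HKLM:\SOFTWARE\Microsoft\COM3'
$remote = (Get-ItemProperty -Path $com3 -Name 'RemoteAccessEnabled' -ErrorAction SilentlyContinue).RemoteAccessEnabled
$results['COM+.RemoteAccessEnabled'] = if ($null -eq $remote) { '<value missing>' } else { $remote }
if ($remote -ne 1) {
    if ($Fix) {
        Set-ItemProperty -Path $com3 -Name 'RemoteAccessEnabled' -Value 1 -Type DWord
        $results['COM+.Action'] = 'RemoteAccessEnabled set to 1'
    } else {
        $results['COM+.Action'] = 'remote COM+ access not enabled - set DWORD to 1 (or rerun with -Fix)'
    }
}

[pscustomobject]$results | Format-List
```

Run it once without -Fix to record the current state (useful as a change-control baseline), then with -Fix on hosts where COM+ subscribers must be listed. Enabling remote COM+ access widens the host's remote attack surface, so restrict it to the systems that actually host COM+ applications managed by the connector.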
Scheduled task objects
On Windows operating systems that support both Scheduled Task Interface versions 1.0 and 2.0 any version 1.0 task objects must be in the root folder of the Task Scheduler Library to be discovered.
Subscriber URIs
The following lists the URI formats for subscribers by type.
IIS7
Application Pools:
WAMUserName://LM/W3SVC – The default application pool’s identity
WAMUserName://LM/W3SVC/<poolname> – Application pool "<poolname>"’s identity; for example:
WAMUserName://LM/W3SVC/TestPool
Microsoft FTP Site Anonymous Authentication User:
AnonymousUserName://LM/MSFTPSVR – Top level default anonymous authentication user for FTP sites
AnonymousUserName://LM/MSFTPSVR/<ftpsite> – The anonymous authentication user for FTP site <ftpsite>; for example:
AnonymousUserName://LM/MSFTPSVR/myftpsite
Virtual Directory Anonymous Authentication User:
AnonymousUserName://MACHINE/WEBROOT/APPHOST – Top level default anonymous authentication user for HTTP sites
AnonymousUserName://MACHINE/WEBROOT/APPHOST/<httpsite> – The anonymous authentication user for HTTP site <httpsite>; for example:
AnonymousUserName://MACHINE/WEBROOT/APPHOST/myhttpsite
AnonymousUserName://MACHINE/WEBROOT/APPHOST/<httpsite>/path/to/folder – The anonymous authentication user for a specific sub-folder of HTTP site <httpsite>; for example:
AnonymousUserName://MACHINE/WEBROOT/APPHOST/myhttpsite/this/is/a/folder
Physical Path Credentials for a Virtual Directory or Site
UNCUserName://<sitename>:/:/ – Physical path credentials for the root level of HTTP site <sitename>; for example:
UNCUserName://My Web Site:/:/
UNCUserName://<sitename>:/:/<vdir> – Physical path credentials for the virtual directory <vdir> of HTTP site <sitename>; for example:
UNCUserName://My Web Site:/:/MyVirtualDir
UNCUserName://<sitename>:/:/<vdir1>/path/to/<vdir2> – Physical path credentials for the virtual directory <vdir2> of HTTP site <sitename>; for example:
UNCUserName://My Web Site:/:/MyVirtualDir/path/to/MyOtherVdir
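The following PowerShell script is an added example, not Bravura's own code, that inventories the IIS objects on a host whose cached identity is a given Windows account and prints each one in the WAMUserName://, AnonymousUserName:// and UNCUserName:// URI formats listed above. It assumes the IIS management tools (the WebAdministration module) are installed locally, as this page requires, and runs with administrative rights; the account name CORP\svc_web is a constructed example value.

```powershell
# Added example (not Bravura's own code): list IIS subscribers for one account
# and print them in the URI formats documented on this page.
param([string]$Account = 'CORP\svc_web')   # constructed example account

Import-Module WebAdministration

$found = @()

# Application pools: identityType 'SpecificUser' means a managed account's
# password is cached in the pool configuration.
foreach ($pool in Get-ChildItem 'IIS:\AppPools') {
    $pm = $pool.processModel
    if ($pm.identityType -eq 'SpecificUser' -and $pm.userName -ieq $Account) {
        $found += [pscustomobject]@{
            Type = 'IIS application pool'
            URI  = "WAMUserName://LM/W3SVC/$($pool.Name)"
        }
    }
}

# Anonymous authentication user: server-level default, then each HTTP site.
$anonFilter = 'system.webServer/security/authentication/anonymousAuthentication'
$default = Get-WebConfigurationProperty -Filter $anonFilter -Name userName -PSPath 'MACHINE/WEBROOT/APPHOST'
if ($default.Value -ieq $Account) {
    $found += [pscustomobject]@{
        Type = 'IIS default anonymous user'
        URI  = 'AnonymousUserName://MACHINE/WEBROOT/APPHOST'
    }
}
foreach ($site in Get-ChildItem 'IIS:\Sites') {
    $user = Get-WebConfigurationProperty -Filter $anonFilter -Name userName -PSPath "MACHINE/WEBROOT/APPHOST/$($site.Name)"
    if ($user.Value -ieq $Account) {
        $found += [pscustomobject]@{
            Type = 'IIS site anonymous user'
            URI  = "AnonymousUserName://MACHINE/WEBROOT/APPHOST/$($site.Name)"
        }
    }

    # Physical path credentials on the site's root virtual directory
    # (used when site content lives on a UNC share).
    $vdirFilter = "system.applicationHost/sites/site[@name='$($site.Name)']/application[@path='/']/virtualDirectory[@path='/']"
    $vdir = Get-WebConfigurationProperty -Filter $vdirFilter -Name userName
    if ($vdir.Value -ieq $Account) {
        $found += [pscustomobject]@{
            Type = 'IIS physical path credential'
            URI  = "UNCUserName://$($site.Name):/:/"
        }
    }
}

$found | Format-Table -AutoSize
```

Comparing this inventory with the subscribers the connector actually discovered is a quick way to spot objects that would keep a stale cached password after the next randomization; the script only reads configuration and never changes it.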
Services
For services the URI is simply the service name. Note that this is not the "display name" that you see by default in services.msc. To see this value:
Start the services.msc program.
Right-click the service and select Properties.
Select the General tab.
The value listed for Service name is the complete URI for the service.
Tasks
Task Scheduler V2.0 tasks can be at the root of the task scheduler hierarchy or in a sub-folder. For tasks at the root, the URI is simply the task name. For tasks in a sub-folder, the URI is the fully specified path relative to the root of the task scheduler hierarchy.
Windows Server 2008 Task URI Examples:
This is a v1 task.job – Windows Server 2008 V1.0 compatibility task
ThisIsARootv2Task – Windows Server 2008 V2.0 task, at the root level
This\Task\Is\In\A\Folder – Windows Server 2008 V2.0 task in a sub folder
While it is technically possible to create a V1.0 task in a sub-folder on Windows Server 2008, this is not supported by Bravura Privilege, because the API provided by Microsoft does not support this. See Updating cached credentials (notification).
DCOM
URIs for DCOM objects are simply GUIDs. The particular GUID for a DCOM URI is the DCOM object’s "Application ID".
To see the Application ID for a DCOM object do the following:
Open the dcomcnfg Windows program.
Browse to My Computer > DCOM Config.
Right click on the DCOM object of interest.
Click Properties.
Select the General tab.
The GUID is listed next to Application ID.
The URI must include { and } surrounding the application ID GUID as this corresponds directly to the registry key where it is configured.
Some examples:
{0bd2fd17-0874-443c-b001-6c6d29580b05}
{1a9f7926-1281-45c9-b454-6b9bdc064fb7}
COM+ Applications
URIs for COM+ applications follow a similar structure to DCOM objects, the difference being that the URI has COM+: prepended to it.
To see the Application ID for a COM+ application, do the following:
Open the dcomcnfg Windows program.
Browse to My Computer > COM+ Applications.
Right click on the COM+ application of interest.
Click Properties.
Select the General tab.
The GUID is listed next to Application ID.
The URI must include COM+:{ and } surrounding the application ID GUID as this corresponds directly to the registry key where it is configured.
Some examples:
COM+:{7B4E1F3C-A702-11D2-A336-00C04F7978E0}
COM+:{7EE3D513B-93A7-4e90-9458-7F8602547363}
ODBC DSNs
For ODBC DSNs the URI is the system DSN password, which is stored in the registry hive
{HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI} (32-bit ODBC data sources on 32-bit machines, 64-bit ODBC data sources on 64-bit machines)
{HKEY_LOCAL_MACHINE\Wow6432Node\SOFTWARE\ODBC\ODBC.INI} (32-bit ODBC data sources on 64-bit machines)
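The following PowerShell script is an added example, not Bravura's own code, that enumerates the service, scheduled task, DCOM and COM+ subscribers on a host that run as a given account and prints them in the URI formats described in the Services, Tasks, DCOM and COM+ Applications sections above. It assumes it is run locally with administrative rights on Windows Server 2008 or later (Task Scheduler 2.0), and that the identity is read from the places Windows stores it: the service StartName, the task principal, the RunAs value under HKEY_CLASSES_ROOT\AppID\{GUID}, and the COM+ catalog's Identity property. The account name CORP\svc_app is a constructed example value.

```powershell
# Added example (not Bravura's own code): inventory subscribers that run as one
# account and print their URIs in the formats documented on this page.
param([string]$Account = 'CORP\svc_app')   # constructed example account

$short = ($Account -split '\\')[-1]        # bare user name, for fields that omit the domain
$found = @()

# Services: the URI is the short service Name, not the DisplayName shown in services.msc.
Get-CimInstance Win32_Service | Where-Object { $_.StartName -ieq $Account } | ForEach-Object {
    $found += [pscustomobject]@{ Type = 'Service'; URI = $_.Name; Display = $_.DisplayName }
}

# Scheduled tasks (V2 API): a task at the root uses its bare name; a task in a
# sub-folder uses the folder path relative to the library root plus the name.
Get-ScheduledTask | Where-Object {
    $_.Principal.UserId -ieq $Account -or $_.Principal.UserId -ieq $short
} | ForEach-Object {
    $rel = $_.TaskPath.TrimStart('\')             # '' for the root folder
    $uri = if ($rel) { $rel + $_.TaskName } else { $_.TaskName }
    $found += [pscustomobject]@{ Type = 'Task'; URI = $uri; Display = $_.TaskName }
}

# DCOM: each {GUID} subkey under HKCR\AppID is one Application ID, which is the
# URI verbatim (braces included); RunAs names the configured identity.
Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\AppID' | Where-Object { $_.PSChildName -match '^\{' } | ForEach-Object {
    $runAs = $_.GetValue('RunAs')
    if ($runAs -and $runAs -ieq $Account) {
        $found += [pscustomobject]@{ Type = 'DCOM'; URI = $_.PSChildName; Display = $_.GetValue('') }
    }
}

# COM+: read the catalog; the application ID is already in {GUID} form, so the
# URI is just "COM+:" prepended to it.
$catalog = New-Object -ComObject 'COMAdmin.COMAdminCatalog'
$apps = $catalog.GetCollection('Applications')
$apps.Populate()
foreach ($app in $apps) {
    if ($app.Value('Identity') -ieq $Account) {
        $found += [pscustomobject]@{ Type = 'COM+'; URI = "COM+:$($app.Value('ID'))"; Display = $app.Value('Name') }
    }
}

$found | Sort-Object Type, URI | Format-Table -AutoSize
```

Every subscriber the script lists is a place where the account's password is cached and will break after a randomization unless the PAMSA SUBSCRIBER NOTIFICATION plugin updates it, so the output is a useful cross-check against what the connector discovered. The COM+ and DCOM lookups require the COM+ Network Access and Remote Registry prerequisites only when run remotely; locally they read the catalog and registry directly.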