Skip to main content

Example: Onboard a Windows server with subscribers

This example describes how to install the subscriber scenario component, onboard a Windows server and configure the subscribers so they receive the new password when it is randomized.

Install the components

The following components are required for this example:

  • RefBuild.pam_team_management.

  • Scenario.pam_system_type_vault.

  • Scenario.pam_subscriber_validation

  • Scenario.pam_system_type_winnt

Create and set up a team

To create and set up a team:

  1. Create a team administrator.

  2. Log in as the administrator to create the team.

  3. Add users to the groups in the team

Steps are detailed below.

Create a team administrator

  1. Click Manage the system > Policies > User classes .

  2. Select the PAM_TEAM_ADMINS.

  3. Click the Explicit users tab.

  4. Click Select .

  5. Search and select a user.

  6. Click Add.

This user can now log in and create, delete and manage teams.

Log in as administrator to create the team

  1. Log into Front-end (PSF) as the team administrator.

  2. Click Manage Resources.

    The Pre-defined requests page is displayed.

    3488.png

    The team administrator can create, delete and manage teams using these pre-defined requests.

  3. Click Team: Create.

    Bravura Security Fabric displays the team creation wizard

  4. Enter the following information:

    • Team Name: Vault-Management-Team

    • Team Description: Team to manage system vault

    Click Next .

  5. Add seven groups. Use the ”More” icon to add more team name fields to the list.

    • Team Trustees Users who can make team management requests.

    • Account Trustees Users who can make account management requests (onboard accounts).

    • Approvers Users who allow or disallow access requests.

    • Auto Approved Users who can check-out access to systems and accounts without making an access request.

    • Requesters Users who can make access requests.

    • Credential_Managers Users who can override or randomize the stored password on a checked-out account.

    • System Trustee Users who can make system management requests (onboard systems).

    • Subscriber Trustees Users who can make subscriber validation requests.

  6. Click Next and add team descriptions.

    Click Next .

  7. Assign privileges to the team groups:

    • Team Trustees Team trustees

    • Account Trustees Account trustees

    • Approvers Approvers

    • Auto Approved Auto_Approved and requesters

    • Requesters Requesters

    • Credential Managers Requesters and Credential_manager

    • System Trustees System trustees

    • Vault Trustees Vault trustees

    • Subscriber Trustees Subsriber trustees

    The Credential_Manager privilege allows a user to override or randomize the stored password on a checked-out account.

    3490.png

    Click Next .

  8. Set the initial team trustees for the new team. There must be at least one team trustee to create a team.

  9. Click Submit.

    Bravura Security Fabric notifies authorizers to review the request if required.

  10. Click the View request link at the top of the page to view the status of the request.

    Once the request has been approved, the team will be configured.

Add users to the groups in the team

  1. Log into Front-end (PSF) as a team trustee.

  2. From the home page, click Manage resources.

  3. Click Team: Manage Group Membership.

  4. Select the Vault-Team.

    Click Next .

  5. Select the Account Trustees, Approvers, Auto Approved, Requesters, System Trustees, Vault Trustees, Credential Managers and Team Trustees groups.

    3491.png

    Click Next .

  6. Add members to each team group.

  7. Click Submit.

    Bravura Security Fabric notifies authorizers to review the request if required.

  8. Click the View request link at the top of the page to view the status of the request.

Once submitted and approved, the group’s membership will be updated to include the selected users.

Onboard the Windows system

  1. Log into Front-end (PSF) as the system trustee for the Windows system team.

  2. Click Manage Resources.

    The Pre-defined requests page is displayed.

  3. Click System: Onboard.

  4. Select the Windows Server system type from the drop down menu.

    Click Next .

  5. Enter the System FQDN.

    If the Windows system is not on the domain use <hostname> .local

    3518.png

  6. Select the Windows system team to manage the system.

    Click Next

  7. Enter the system credentials.

  8. Click Submit.

    Bravura Security Fabric notifies authorizers to review the request if required.

  9. Click the View request link at the top of the page to view the status of the request.

    Once the request has been approved, trustees can manage accounts on this system.

Set discovery options

  1. Log into Front-end (PSF) as a superuser.

  2. Click Manage the system > Resources > Target systems > Automatically discovered .

  3. Select the Windows system you recently onboarded.

  4. Click the Discovery options tab.

  5. Select the following depending on what subscribers you expect to manage:

    • Link accounts on this target system to subscribers

    • Load scheduled task subscribers

    • Load service manager subscribers

    • Load IIS manager subscribers

    • Load DCOM manager subscribers

    3520.png

  6. Click Update.

  7. Execute Auto discovery.

Onboard Windows service account

Ensure the subscribers have been set up and discovered before onboarding the account. For example; your scheduled tasks and services set to use a managed account and auto discovery is ran to discover those accounts (subscribers).

  1. Log into Front-end (PSF) as the account trustee for the windows system team.

  2. Click Manage Resources.

  3. Click Account: Onboard.

  4. Select the service account to be managed by the Windows system team

  5. Click Next .

  6. Select the standard policy as the Managed System Policy ID.

  7. Click Next .

  8. Select the Windows system team as the Account Team .

  9. Click Next .

  10. Click Next .

  11. Click Submit.

    Bravura Security Fabric enters the request into the authorization workflow.

  12. As a superuser, execute auto discovery to generate subscriber validation requests.

  13. Log into Front-end (PSF) as a subscriber trustee for the windows system team.

  14. Click There is 1 request(s) awaiting your approval link at the top of the page.

  15. Select the request from the Results panel .

    3522.png

  16. Click Edit request.

  17. Set Notify subscriber of randomization to a value:

    • After randomizing

    • Before and after randomizing

    • Before randomizing

    • No Notification

    3523.png

  18. Set Restart subscriber after randomization to either Yes or No.

    Restarting may not be needed for large, slow, heavy subscribers like SQLserver; the notification (changing the configured account password) is enough, as the service account password is used only when the service starts up. However, tasks or services which use the service account to run several operations which require login, would lock the service account if they use the old password several times quickly, so they have to be restarted.

  19. Click Save.

  20. Approve the request.

    The Deny option is not valid for this type of request. If you do not want to send notifications before or after randomizing, update the request with Notify subscriber of randomization set to "No notification".

  21. Manually randomize the password for the service account.

    The password orchestration is now successfully set up.

In this section: