Privileged Access
About privileged access management
Large organizations may have thousands of workstations, and hundreds of servers and applications running on multiple platforms. This complexity leads to numerous security problems.
IT assets often have multiple sensitive passwords such as administrator passwords, service passwords, application passwords. These passwords commonly do not have expiry enabled, although they should. Changing these passwords can be time-consuming because of the large number of IT assets, users who need to know the passwords, and configuration interfaces, scripts, or programs that may contain hard coded passwords.
Bravura Privilege secures target system credential passwords on servers and workstations by periodically randomizing them, while maintaining the ability of IT staff to retrieve current credentials for devices into which they must log in. You can also use Bravura Privilege to store passwords for managed systems that must be managed manually.
Bravura Privilege has the following features:
Frequent password randomization eliminates static, shared passwords and controls former IT staff knowledge of passwords
Access controls limit who can see passwords
Logging and reporting of access disclosure facilitates audit compliance and faster troubleshooting
Encryption secures passwords in storage and transit so that physical compromise will not expose passwords
Replication ensures passwords are stored on multiple servers in different sites so that password access and security survives server failures or site disasters
Trusted SSH key management eliminates the use of passwords when accessing accounts on Unix systems
How Bravura Privilege works
Bravura Privilege manages systems using two modes: push mode and local service mode (previously known as pull mode).
You must use only one mode for a system. If both are used, duplicate managed accounts may be created, resulting in password history inconsistencies and workflow errors. For more details, see Do not double target.
Push mode
Push mode performs remote password resets using the Privileged Access Manager Service. Changes at the Bravura Privilege server trigger immediate actions on managed systems, and systems do not require a software footprint.
Systems can be discovered automatically on a domain or added manually. Accounts may also be managed manually or through auto discovery.
Choose push mode if you:
Do not want software installed on servers or workstations
Require real-time updates
Want to manage non-Windows systems
Want to manage SSH public keys on Unix systems
Must manage systems in a DMZ that cannot connect inbound to the Bravura Privilege server
Local service mode
Local service mode installs the Local Workstation Service on each managed system. The service periodically connects to the Bravura Security Fabric server, polls for tasks, performs them locally, and returns results at the next polling interval.
After installing on the system to be managed, the Local Workstation Service waits a random amount of time.
This prevents large numbers of Local Workstation Services, installed during a mass deployment, from contacting the Bravura Privilege server simultaneously.
The Local Workstation Service then connects to the pamlws on the Bravura Security Fabric server over HTTP or HTTPS (recommended) and registers itself with Bravura Security Fabric. This initiates the discovery process, during which the system is listed as a discovered object and evaluated against import rules. This process is repeated until the system passes an import rule and is managed, or is disabled.
Once a system is discovered and managed, the Bravura Security Fabric server periodically checks on what needs to be done, based on workflow requests and password expirations, and sets the necessary flags for it.
The Local Workstation Service periodically connects to, or polls, the pamlws over HTTP or HTTPS to check on any tasks, such as listing users and attributes, changing a password, or adding and removing users from groups.
The Local Workstation Service performs the assigned task, if any, and sends the required data back to the pamlws at the next poll. This may either be the list of users, groups and attributes, or success and failures on other tasks. It will wait a configured amount of time before connecting to the Bravura Security Fabric server again.
Local service mode is only available for Windows systems; however, a plugin architecture supports applications running on Windows.
Choose local service mode if you have:
Many Windows machines that are not permanently connected to the domain (laptops, workstations, etc.)
Systems that aren't always on or are periodically unavailable.
Servers that do not allow inbound access due to firewall rules or other networking restrictions. Installing Local Workstation Service on these servers will allow outbound connections to the Bravura Security Fabric server.
Caution
Many desktops are left on and locked so that users can resume their work the next day; if these are contactable via normal auto discovery (psupdate), do not add the Local Workstation Service to these machines.
When users request privileged access on local service mode systems, group and account operations may take longer than on push mode systems, since Bravura Security Fabric is required to wait for communication from the local workstation.
The legacy term "pull mode" may still appear in binary file names, add-on installer names, glossaries, customer solution documents, and language tags used in the product; some occurrences are hard-coded in log entries.
Vault-only systems
Product administrators can use Bravura Privilege to manually store information in vault-only managed systems. In this case, there is no communication between the Bravura Privilege server and the managed system. In other words, the managed system exists in Bravura Privilege; however, all management is done manually by a user.
Bravura Privilege does not automatically randomize passwords for these managed systems. Users can be granted permission, via access controls, to override the stored password after they have accessed it.
Managed system policies
The managed system policy contains all configuration information required to manage accounts on a managed system. Access controls for product administrators and regular users are based on which managed system policies they have access to and which operations they are allowed to perform on them.
The managed system policy contains configuration for:
What systems are members of the policy
What accounts are managed on the systems
Who must authorize access to privileged accounts
What authentication types can be used to access accounts or group sets
Who will have access to privileged accounts
System-wide or policy-level settings include password randomization frequency, password creation rules, access control configuration, and session monitoring settings.
Auto discovery and management of systems and accounts
Bravura Security Fabric’s auto discovery feature can list information about:
Systems on a domain
Administrator, domain, and user accounts whose credentials are used to manage services, scheduled tasks, IIS websites, or DCOM objects
These discovered objects can be manually or automatically imported to become managed systems and accounts.
See Infrastructure Auto Discovery for more information.
How local workstation service discoveries are processed
Bravura Privilege adds Local Workstation Service (LWS) discoveries to the discovery queue as individual mini-discoveries that are processed serially, alongside the other types of discovery that the rest of Bravura Security Fabric runs in much larger batches: auto discovery (psupdate), manual discovery (for the entire instance or a specific target), and persistent-listing-triggered discoveries.
None of these can run in parallel, so each must wait in the discovery queue (files saved in the instance's db\iddiscover directory) for the previous ones to finish.
At a high level, this is how an LWS discovery is generated and processed:
1. The LWS client contacts Bravura Privilege with a poll.
2. If any changes are found that need to be applied, a .commit file (0 bytes) and a set of .dat files with the same discovery GUID in the filename as the .commit are created in db\iddiscover.
3. The files wait in the queue until iddiscover can process them.
4. If no resynchronization has been submitted for the discoveries so far, this discovery is batched with previously submitted ones:
   LWS resynchronizations batch with other resynchronizations.
   Normal or computed-attribute discoveries batch together.
   Since LWS resynchronizations are usually fewer, they are the ones that interrupt normal LWS discovery batching.
   psupdate-triggered discoveries do not batch with anything, as they are always push mode batches; they simply wait their turn.
   Any LWS discoveries arriving while psupdate is processing also wait their turn (between its "starting psupdate" and "done psupdate" log entries).
5. If successful, the .commit and its .dat files are removed, and the discoverystate for that discovery in the backend DB changes from R(unning) to S(uccessful).
6. If failed, the .commit is renamed to .archive and the discoverystate for that discovery in the backend DB changes from R(unning) to F(ailed).
Steps 5 and 6 apply to every discovery in the same batch as soon as that batch fails or succeeds; all LWS discoveries in a batch succeed or fail together.
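As an added illustration of the queue behaviour described above (this is a model written for this page, not product code), the following Python stages discoveries as .commit and .dat files in a temporary db\iddiscover directory, groups the pending ones according to the batching rules, and applies the success and failure transitions to the files and to a stand-in for the backend DB. The discovery type names (normal, computed, resync, psupdate), the "<guid>-N.dat" file naming, and the use of a temporary directory are assumptions of the model; the page does not describe the real file layout beyond the .commit, .dat and .archive names.

```python
"""Model of the db\\iddiscover queue described above (constructed example, not product code)."""
from __future__ import annotations

import tempfile
import uuid
from dataclasses import dataclass
from pathlib import Path

# Batch key per discovery type (assumed names). Normal and computed-attribute LWS
# discoveries share a batch, resynchronizations batch among themselves, and
# psupdate-triggered (push mode) discoveries never batch with anything.
BATCH_KEY = {"normal": "lws", "computed": "lws", "resync": "resync", "psupdate": None}


@dataclass
class Discovery:
    guid: str
    kind: str          # one of the BATCH_KEY keys
    state: str = "R"   # R(unning) -> S(uccessful) or F(ailed), as in the backend DB


class DiscoverQueue:
    def __init__(self, iddiscover: Path) -> None:
        self.dir = iddiscover
        self.dir.mkdir(parents=True, exist_ok=True)
        self.db: list[Discovery] = []   # stands in for the backend DB rows

    def submit(self, kind: str, n_dat: int = 2) -> Discovery:
        """Stage one discovery: a 0-byte .commit plus .dat files sharing its GUID."""
        guid = uuid.uuid4().hex
        (self.dir / f"{guid}.commit").write_bytes(b"")
        for i in range(n_dat):
            (self.dir / f"{guid}-{i}.dat").write_text(f"constructed payload {i}\n")
        d = Discovery(guid, kind)
        self.db.append(d)
        return d

    def batches(self) -> list[list[Discovery]]:
        """Group pending (state R) discoveries in submission order by the batching rules."""
        out: list[list[Discovery]] = []
        current_key = object()   # sentinel: no batch open yet
        for d in self.db:
            if d.state != "R":
                continue
            key = BATCH_KEY[d.kind]
            # A psupdate batch (key None) always stands alone, and a change of key
            # (e.g. a resync arriving among normal discoveries) closes the open batch.
            if key is None or key != current_key:
                out.append([d])
            else:
                out[-1].append(d)
            current_key = key
        return out

    def process(self, outcome) -> None:
        """Run every batch serially; all members of one batch succeed or fail together."""
        for batch in self.batches():
            ok = outcome(batch)
            for d in batch:
                commit = self.dir / f"{d.guid}.commit"
                if ok:
                    commit.unlink()
                    for dat in self.dir.glob(f"{d.guid}-*.dat"):
                        dat.unlink()
                    d.state = "S"
                else:
                    commit.rename(self.dir / f"{d.guid}.archive")
                    d.state = "F"


def demo() -> dict:
    """Seven constructed submissions: two LWS batches split by a resync and a psupdate."""
    q = DiscoverQueue(Path(tempfile.mkdtemp()) / "db" / "iddiscover")
    kinds = ["normal", "computed", "resync", "normal", "psupdate", "normal", "normal"]
    subs = [q.submit(k) for k in kinds]
    sizes = [len(b) for b in q.batches()]                 # [2, 1, 1, 1, 2]
    # Fail whichever batch holds the resync; every other batch succeeds.
    q.process(lambda batch: subs[2] not in batch)
    states = "".join(d.state for d in subs)                # "SSFSSSS"
    leftover = sorted(p.suffix for p in q.dir.iterdir())   # ['.archive', '.dat', '.dat']
    return {"sizes": sizes, "states": states, "leftover": leftover}


if __name__ == "__main__":
    print(demo())
```

The demo shows the two consequences worth knowing when reading db\iddiscover on a live instance: a single resync or psupdate splits what would otherwise be one LWS batch, and a failed batch leaves a .archive (with its .dat files) behind while every other discovery in that batch is marked F as well.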
Password randomization
As explained in How Bravura Privilege works, Bravura Privilege can automatically randomize passwords using two modes: push and local service.
Passwords are randomized daily by default. You can change this frequency system-wide, or for individual managed system policies.
Note
With a limited Bravura Privilege license, only target system credentials for managed systems can be managed accounts on a push mode policy. A system can be managed in push mode by any of the default push-mode managed system policies. Once managed by a policy, the system’s targeting credentials can be managed. With a full Bravura Privilege license, any account can be managed via a push mode or local service mode policy. In local service mode, actions are performed when a system or workstation connects to the server at regular intervals.
See Password randomization for more information.
Authentication types
When creating a managed system policy, administrators must select one (or more) authentication types that will be used for accessing the accounts or group sets in the managed system policy.
There are three authentication types:
Password:
Use this type if managed accounts in the managed system policy will be checked out using passwords.
This type can only be used for single account check-outs and account set check-outs.
SSH key:
Use this type if managed accounts in the managed system policy will be checked out using SSH keys.
This type can only be used for single account check-outs.
Group set:
Use this type if adding group sets to the managed system policy.
This type can only be used for group set check-outs.
For example, if both Password and SSH key are selected for a managed system policy, requesters can choose which authentication type to use to access the managed account. Single account access request forms include an Operation to perform during check-out and check-in option.
Support for authentication types depends on the managed system policy mode:
Push mode: group set, password, and SSH key are available
Local service mode: group set and password are available
Vault mode: only password is available
Once authentication types are selected for the managed system policy, administrators can modify them. They can add more, remove, or replace authentication types, but there are restrictions:
Authentication types can only be added if they are valid for the managed system policy mode.
The password authentication type can be removed only if the managed system policy has no managed accounts.
The SSH key authentication type can be removed only if the managed system policy has no managed accounts.
The group set authentication type can be removed only if the managed system policy has no group sets.
Access request workflow
Regular users can request temporary access to managed accounts or group sets. Depending on how you configure access controls, a given user’s request may be auto-approved, or require authorization. If approved, the user can check out the requested access within a set time period.
The access permission can be checked in by the user once they are finished, or is checked in automatically when the set time period expires. If they had access to an account, the password is randomized. If they had access to the account using SSH authentication, the user’s SSH public key is removed from the target. If they had group set access, the user is removed from the group membership.
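The authentication-type rules from the previous section (which types each policy mode allows, and when a type can be removed) and the check-in cleanup just described fit together in one small model. The following Python is an added example written for this page, not product code: the policy and vault classes, the assumption that an SSH key check-out places the requester's public key on the target, and the random-password routine (a stand-in for the product's password creation rules) are all constructed for illustration.

```python
"""Authentication-type rules and check-in cleanup for a managed system policy
(constructed example, not product code)."""
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Authentication types each managed system policy mode supports (as listed on the page).
VALID_TYPES = {
    "push": {"group set", "password", "ssh key"},
    "local service": {"group set", "password"},
    "vault": {"password"},
}


def random_password(length: int = 20) -> str:
    """Stand-in for the product's password creation rules (assumed alphabet and length)."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
    return "".join(secrets.choice(alphabet) for _ in range(length))


@dataclass
class ManagedSystemPolicy:
    name: str
    mode: str
    auth_types: set = field(default_factory=set)
    managed_accounts: set = field(default_factory=set)
    group_sets: set = field(default_factory=set)

    def add_auth_type(self, t: str) -> None:
        # Types can only be added if they are valid for the policy mode.
        if t not in VALID_TYPES[self.mode]:
            raise ValueError(f"{t!r} is not valid for a {self.mode} mode policy")
        self.auth_types.add(t)

    def remove_auth_type(self, t: str) -> None:
        # password / ssh key need an empty account list; group set needs no group sets.
        if t in ("password", "ssh key") and self.managed_accounts:
            raise ValueError(f"cannot remove {t!r}: the policy still has managed accounts")
        if t == "group set" and self.group_sets:
            raise ValueError("cannot remove 'group set': the policy still has group sets")
        self.auth_types.discard(t)


@dataclass
class Checkout:
    requester: str
    target: str        # managed account or group set name
    auth_type: str
    expires_at: datetime


class Vault:
    """Stored credentials plus the target-side state that check-in must clean up."""

    def __init__(self) -> None:
        self.passwords: dict = {}
        self.authorized_keys: dict = {}   # target -> requesters whose key is installed
        self.group_members: dict = {}     # group set -> requesters added to it
        self.active: list = []

    def check_out(self, policy, requester, target, auth_type, now, minutes) -> Checkout:
        if auth_type not in policy.auth_types:
            raise ValueError(f"{auth_type!r} is not enabled on policy {policy.name!r}")
        if auth_type == "ssh key":   # assumed: the requester's public key goes onto the target
            self.authorized_keys.setdefault(target, set()).add(requester)
        elif auth_type == "group set":
            self.group_members.setdefault(target, set()).add(requester)
        co = Checkout(requester, target, auth_type, now + timedelta(minutes=minutes))
        self.active.append(co)
        return co

    def check_in(self, co: Checkout) -> str:
        """Revoke access according to how it was granted; returns the action taken."""
        self.active.remove(co)
        if co.auth_type == "password":
            self.passwords[co.target] = random_password()
            return "password randomized"
        if co.auth_type == "ssh key":
            self.authorized_keys[co.target].discard(co.requester)
            return "ssh public key removed from target"
        self.group_members[co.target].discard(co.requester)
        return "removed from group membership"

    def expire(self, now: datetime) -> list:
        """Automatic check-in of every checkout whose time period has elapsed."""
        return [self.check_in(co) for co in list(self.active) if co.expires_at <= now]


def demo() -> dict:
    push = ManagedSystemPolicy("unix-prod", "push", {"password", "ssh key"}, {"root@db01"})
    lws = ManagedSystemPolicy("laptops", "local service", {"password"})
    results = {}
    for label, action in (("ssh_on_lws", lambda: lws.add_auth_type("ssh key")),
                          ("remove_pw", lambda: push.remove_auth_type("password"))):
        try:
            action()
            results[label] = "allowed"
        except ValueError as e:
            results[label] = f"rejected: {e}"
    vault = Vault()
    vault.passwords["root@db01"] = "constructed-initial"
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    vault.check_out(push, "alice", "root@db01", "password", t0, minutes=30)
    vault.check_out(push, "bob", "root@db01", "ssh key", t0, minutes=60)
    results["expired_at_45"] = vault.expire(t0 + timedelta(minutes=45))   # alice's only
    results["password_changed"] = vault.passwords["root@db01"] != "constructed-initial"
    results["still_active"] = [c.requester for c in vault.active]         # ["bob"]
    return results
```

Running demo() shows the SSH key type being rejected on a local service mode policy, the password type refusing removal while an account is still managed, and the expiry sweep checking in only the 30-minute password check-out (randomizing the stored password) while the 60-minute SSH check-out stays active.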
Consider the following when determining who can access and manage privileged accounts or group sets:
Who should be able to request access to which accounts or group sets?
Who can be auto-approved?
Who requires approval from an authorizer?
See:
Attaching authorizers to managed system policies for information on determining authorizers for account access requests.
User types and access rules for information on setting user access controls.
Configure account access check-out options for information on account access request options.
Access disclosure
Once a user has been granted access to a managed account, access disclosure plugins provide the user with access to the password, or an automatic connection to the managed system.
The following disclosure methods are available with Bravura Privilege:
Command prompt control – allow users to automatically connect by launching a program
Copy control – allow users to copy and paste the password
Remote desktop control – allow users to automatically connect by launching a remote desktop connection
Display control – allow users to access privileged accounts on the web interface
Browser driver control – provides users access to web sites using managed passwords
See Access disclosure plugins for details.
Session recording and viewing
The session monitoring feature enables the monitoring, recording, searching, and viewing of actions performed during administrative sessions using Bravura Privilege credentials.
Determine who can do what with recorded sessions:
Who should be able to search their own recorded sessions?
Who should be able to search other people’s recorded sessions?
Who can be auto-approved to search, view or download recorded sessions?
Who requires approval from an authorizer?
You can configure Bravura Privilege session monitoring to use one or more collection modules:
Keystroke capture – to record keys that were pressed during a session
Video capture – to periodically capture screen shots during a session
Webcam capture – to periodically capture images from any attached web cams during a recorded session
Clipboard capture – to collect copy/paste information during a session
User interface capture – to capture text data from user interface elements during a recorded session
Process name capture – to capture the names of processes created during a session
See Session monitoring for details.