Getting Started with Password Management


The Password Management feature allows you to securely store and manage the credentials of shared privileged accounts by using secrets (where these credentials are stored in encrypted form in the database), and implement role-based access control. The system supports the JIT (Just in Time) PAM approach. 

NOTE: The Password Management feature is only available if you have an activated serial key for the Enterprise Edition of Ekran System and a Terminal Server Client license for the Client (jump server) machine from which users will get access to critical endpoints.

NOTE: The Ekran System Connection Manager requires .NET Framework 4.8 to be installed on Client machines.


Follow the steps below to configure the Password Management options for using secrets.


Table of Contents

• Configuring Client Management

• Configuring Password Management (Secrets)

• Using Secrets

1. Active Directory Accounts

2. Windows Accounts

3. Unix Accounts (SSH)

4. Unix Accounts (Telnet)

5. Web Accounts

6. MS SQL Accounts


1. Configuring Client Management


To configure a Client to be used as a jump server, do the following:

1. In the Management Tool, click the Client Management navigation link on the left.

2. On the Client Management page that opens, click on the required Client name, then on the Properties tab, select the following checkboxes in the Client Properties section:

• Enable Jump Server mode: Allows you to dedicate the Client machine to be used as a jump server.

NOTE: For correct operation of the jump server, we recommend using a Server OS.

• Replace Windows Shell with Ekran System Connection Manager: Allows you to replace the Windows Shell with Ekran System Connection Manager, so that users of the jump server are presented with the Connection Manager desktop application for using secrets instead of the Windows desktop (as shown in the second screenshot below).


3. To finalize configuration of the Client, select the Authentication Options tab, and scroll down to the Two-Factor and Secondary Authentication section, then select the Enable secondary user authentication on login checkbox to allow users of the Client machine to access secrets.

NOTE: This option is not required for Active Directory users.


4. Click the Finish button to apply the changes.


2. Configuring Password Management (Secrets)


The credentials of shared privileged accounts are stored in secrets.


To create and configure a secret of any type (for a privileged user account), do the following:

1. In the Management Tool, click the Password Management navigation link on the left.

2. On the Password Management page that opens, click the Add Secret button (in the top right of the page).

3. In the Add Secret pop-up window that opens, on the Secret Properties tab, specify the following values:

• Secret Name: A name for the secret.

• Secret Type: The type of secret required (Active Directory account / Windows account / Unix account (SSH) / Unix account (Telnet) / Web account / MS SQL account).

• Description: A description for the secret (optional).

One of the following (depending on the type of secret):

- Domain: The Active Directory domain name.

- Computer Name: The hostname or IP address of the machine.

- URL: The URL to connect to.

- Server: The hostname or IP address of the machine hosting the MS SQL database (a non-default port can be appended after a comma, in the form host,port).

NOTE: For the Unix account (SSH) secret type, either the "Use password" or the "Use SSH key" option can also be selected.

• Login: The user's login name.

• Password: The user's password.


4. On the Automation tab, you can configure automatic password rotation (which is only available for Active Directory accounts, MS SQL accounts, Windows accounts, and Unix accounts (SSH)):

• Enable remote password rotation: Select this checkbox to enable automatic rotation of the account's password on the target system.

• Rotate Password Every: Select the frequency at which the password will be changed automatically.


5. On the Security tab, you can enhance security by enabling the Password Checkout functionality, so that only one user can use the secret at any given time, along with several other options for it:

• Requires check out: Select this checkbox to enable the feature, so that only one user can check out the secret's password (i.e. log in to the secret) at any time.

• Change password on check in: Select this checkbox for the password to be rotated every time the secret's password is checked back in (i.e. every time a user logs out / is logged out of the secret).

• Check in automatically after: Select this checkbox to specify a time period, after the expiry of which the secret's password will be automatically checked back in (i.e. after which the current user of the secret will be forcibly logged out).

• Force Check In: This button can be clicked at any time to manually check the secret's password back in (i.e. to forcibly log out the current user) immediately.


6. On the Permission tab, you can assign users / user groups to the secret by clicking the Add button, and selecting the required users / user groups and the required access levels:

• Owner: Allows the user to grant any permissions, view the secret data (including the credentials of shared privileged accounts), and delete, edit, and use the secret.

• Editor: Allows the user to grant the Editor or PAM User permissions, view the secret data, and edit and use the secret.

• PAM User: Allows the user to use the secret.


7. On the Restriction Types tab, you can configure access restrictions for users to access the secret:

• Access without any restrictions: If this option is selected, users will be able to access the secret without any restrictions.

• Always require approval on secret usage: If this option is selected, users will be required to request approval whenever they want to access the secret.

• Allow access without approval during work hours: If this option is selected, specify the work hours, date range, and days of the week when users will be able to access the secret without approval.

• Users Who Can Approve Access: Select the users (i.e. Approvers) who will be able to approve requests by users to access the secret.

• Owners or Approvers also require approval: Select this checkbox to also require approval (e.g. by the default admin user) for Owners and Approvers to access the secret.

NOTE: Approvers receive notifications by email and can approve access either by clicking the link in the email or by way of the Management Tool (see the Access Requests section).


8. Click the Save button to complete creating the secret.


3. Using Secrets


Each secret type is used to access the corresponding type of account:


1. Active Directory Accounts


The Active Directory account secret is not tied to a single machine: it lets you choose, at connection time, which computer in the Active Directory domain to connect to.

After selecting the required secret and clicking Connect, enter the name or the IP address of the required computer in the pop-up window.

The system then automatically logs the user in to that computer with the Active Directory account, and the user can start using the secret.


2. Windows Accounts


The Windows account secret type allows you to work with local and domain user accounts on a specific machine.

The system automatically logs the user in to the selected Windows account (after clicking Connect in the Ekran System Connection Manager) to start using the corresponding secret.


3. Unix Accounts (SSH)


The Unix account (SSH) secret type allows you to configure the user’s connection to a Unix account. 

NOTE: For this type of secret to work, PuTTY needs to be installed on the Client (jump server) machine. Login can use either the password or the SSH key stored in the secret, depending on the option selected when the secret was created.

The system automatically logs the user in to the Unix account (SSH), after clicking Connect to start using the secret. 


4. Unix Accounts (Telnet)


The Unix account (Telnet) secret type allows you to configure the user’s connection to a Unix account. 

The system automatically logs the user in to the Unix account (Telnet), after clicking Connect to start using the secret. 


5. Web Accounts


The Web account secret type allows you to configure the user’s connection to a web account.

NOTE: Web account secrets are only compatible with the Google Chrome browser (this type of secret will not work in other browsers). Also, Web account secrets are always opened in Incognito mode, so that the browser does not retain cached data from the session.

The system automatically logs the user in to the Web account, after clicking Connect to start using the secret.

NOTE: If the system does not log you in automatically, an Ekran System extension for the Google Chrome browser is available that allows you to insert the login and password for the Web account.


6. MS SQL Accounts


The MS SQL account secret type allows you to configure a user's connection to the database.

NOTE: Microsoft SQL Server Management Studio (SSMS) version 18.0 or higher needs to be pre-installed for this type of secret to work.

The system automatically logs the user in to SQL Server Management Studio, after clicking Connect to start using the secret.
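As an added check that is not part of Ekran System or its documentation: the following PowerShell function, run on the Client machine that will act as the jump server, reports whether the prerequisites spread across this page are in place before users are pointed at it. It covers the Server OS recommendation (section 1), .NET Framework 4.8 for the Connection Manager, PuTTY for Unix account (SSH) secrets, Google Chrome for Web account secrets, and SSMS 18.0 or higher for MS SQL account secrets. The registry locations and install paths it inspects are the vendors' documented defaults, but they are assumptions for any particular machine, as is reading the SSMS major version from its install folder name.

```powershell
# Added example (not Ekran System code): prerequisite check for the jump server.
# Registry keys and install paths below are the vendors' defaults and are
# assumptions for any given machine; adjust them for non-default installs.
function Test-JumpServerPrerequisites {
    [CmdletBinding()]
    param()

    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }
    function Found($Path) { if ($Path) { "$Path" } else { 'not found' } }

    # 1. A Server OS is recommended for the jump server.
    #    Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    Add-Result 'Server OS (recommended)' ($os.ProductType -ne 1) `
        "$($os.Caption) (ProductType=$($os.ProductType))"

    # 2. .NET Framework 4.8 is required by the Ekran System Connection Manager.
    #    Microsoft documents a Release value of 528040 or higher as 4.8 or later.
    $ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
        -ErrorAction SilentlyContinue
    $release = [int]$ndp.Release
    Add-Result '.NET Framework 4.8+' ($release -ge 528040) "Release=$release"

    # 3. PuTTY is needed for Unix account (SSH) secrets: look on PATH first,
    #    then in the installer's default folders (assumed locations).
    $putty = (Get-Command putty.exe -ErrorAction SilentlyContinue).Source
    if (-not $putty) {
        $putty = @("$env:ProgramFiles\PuTTY\putty.exe", "${env:ProgramFiles(x86)}\PuTTY\putty.exe") |
            Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    }
    Add-Result 'PuTTY (SSH secrets)' ([bool]$putty) (Found $putty)

    # 4. Google Chrome is the only browser supported for Web account secrets.
    #    A per-machine install registers itself under App Paths; fall back to
    #    the default install folders.
    $appPaths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe'
    $chrome = (Get-ItemProperty -Path $appPaths -ErrorAction SilentlyContinue).'(default)'
    if (-not ($chrome -and (Test-Path -LiteralPath $chrome))) {
        $chrome = @("$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
                    "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe") |
            Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    }
    Add-Result 'Google Chrome (Web secrets)' ([bool]$chrome) (Found $chrome)

    # 5. SSMS 18.0 or higher is needed for MS SQL account secrets. Ssms.exe's file
    #    version does not match the product version (SSMS 18 reports 15.x), so the
    #    major version is taken from the default install folder name (an assumption).
    $ssmsVersion = @("${env:ProgramFiles(x86)}\Microsoft SQL Server Management Studio *\Common7\IDE\Ssms.exe",
                     "$env:ProgramFiles\Microsoft SQL Server Management Studio *\Common7\IDE\Ssms.exe") |
        ForEach-Object { Get-Item -Path $_ -ErrorAction SilentlyContinue } |
        ForEach-Object { if ($_.FullName -match 'Management Studio (\d+)\\') { [int]$Matches[1] } } |
        Sort-Object -Descending | Select-Object -First 1
    Add-Result 'SSMS 18+ (MS SQL secrets)' ($ssmsVersion -ge 18) `
        $(if ($ssmsVersion) { "SSMS $ssmsVersion" } else { 'not found' })

    $results
}

# Usage on the jump server: each row shows the check, whether it passed, and what was found.
Test-JumpServerPrerequisites | Format-Table -AutoSize
```

Only the .NET Framework row is a hard requirement for the Connection Manager itself; the PuTTY, Chrome and SSMS rows matter only if secrets of the corresponding type will be used from this jump server, and the Server OS row is the recommendation from section 1 rather than a requirement. None of the checks need elevation, since they only read HKLM and test file paths.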