Common Local Administrator/Root Accounts - Everything other than Windows
President & CEO
Continuing From Last
Managing non-Windows local accounts is also easy and fast since
we have built-in protocol connectors (i.e. SSH, Telnet, OLEDB, IPMI,
3270) and a large inventory of preconfigured XML response files for
handling pretty much everything with a network connection from just
about every vendor.
Machine list management is similarly rich compared to Windows in that
all of the typical machine list sources are accessible such as AD,
LDAP, databases, and more. Gaining initial Superuser access for these
other platforms for password change is agentless and achieved by a
combination of preloaded alternate administrator lists containing well
known accounts and passwords, as well as the ability to import known
account/password pairs for each system if there is no commonality of
One of the really cool features of managing non-Windows systems is that
we can handle new operating systems and devices in generally less than
five minutes. This bit of magic is accomplished by the “Remote Command
Builder” that you will find under the Cross-Platform Support Library
submenu of E/RPM. Essentially the command builder allows you to do an
actual logon and other common actions and see what comes back from your
host. You can then take the XML files generated by the command builder
and replace the actual user name and password field with variable
arguments…and you are done.
So how fast can you change local Superuser accounts in, say,
Linux? You can pick up the machine lists from LDAP in a couple of
minutes. If you are using well-known credentials for the root
accounts, you can load those into our alternate admins dialog, or if
each machine has its own password, you can upload a CSV file containing
the pre-seeded credentials. From this point, you simply ask E/RPM to
log on and change the credentials. We have measured speeds of over 1000
system password changes per minute using only one host running E/RPM.
With this type of speed, you could randomize and secure over 100,000
Linux-based devices in less than 2 hours.
What Happens Next
Each randomization of a set of systems generates a job within E/RPM
that will be marked as complete. If some of the systems were not
changed, the job will be set to retry the missed machines in the list
until a limit of retries is reached.
If you want to regularly randomize all of the local accounts on all your
platforms, you can open the completed jobs that you just created, and
set the frequency of running to pretty much whatever you want such as
every 30 days, 90 days, 3rd day of each month, or on demand such as
from the web site, where you can trigger randomization of groups of
system Superuser accounts when you wish.
Checking out passwords that have been randomized is similarly simple.
You can configure users, groups, certificates, roles and more to have
scope of access that will control who has access, when, and to which
systems. All of the password release controls are under the Delegation
menu of E/RPM.
We have worked really hard to take the effort out of maintaining
compliance for privileged accounts, and one of the crown jewels of this
technology is known as auto-roll. The feature creates a
scheduled job every time your user checks out a password. The created
job will automatically change the password whether or not your user
checks in the password without any human interaction. This feature
assures that credential disclosure is always a limited time event.
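The auto-roll behaviour described above, modelled as an added example (this is not E/RPM code; the class, its method names, the fixed lease interval and the host names are assumptions made for illustration). Every check-out queues its own rotation job, and check-in does not cancel it:

```python
import heapq
import secrets


class AutoRollVault:
    """Toy model of check-out with auto-roll (hypothetical names, not E/RPM's API)."""
    def __init__(self, lease_seconds):
        self.lease_seconds = lease_seconds  # assumed delay before the roll job runs
        self.now = 0                        # simulated clock, in seconds
        self.passwords = {}                 # system -> current stored password
        self.jobs = []                      # min-heap of (due_time, seq, system)
        self.audit = []                     # (time, event, system, user)

    def enroll(self, system):
        self.passwords[system] = secrets.token_urlsafe(24)

    def check_out(self, system, user):
        # Disclosure and the rotation job are created in the same step.
        due = self.now + self.lease_seconds
        heapq.heappush(self.jobs, (due, len(self.audit), system))
        self.audit.append((self.now, "check_out", system, user))
        return self.passwords[system]

    def check_in(self, system, user):
        # Check-in is only recorded; it does not cancel the scheduled job.
        self.audit.append((self.now, "check_in", system, user))

    def advance(self, seconds):
        # Move the clock forward and run every rotation job that is now due.
        self.now += seconds
        rotated = []
        while self.jobs and self.jobs[0][0] <= self.now:
            due, _, system = heapq.heappop(self.jobs)
            self.passwords[system] = secrets.token_urlsafe(24)
            self.audit.append((due, "auto_roll", system, None))
            rotated.append(system)
        return rotated


def demo():
    vault = AutoRollVault(lease_seconds=3600)
    for host in ("db01.example", "fw01.example"):      # constructed host names
        vault.enroll(host)
    seen_a = vault.check_out("db01.example", "alice")  # alice never checks in
    seen_b = vault.check_out("fw01.example", "bob")
    vault.advance(600)
    vault.check_in("fw01.example", "bob")
    valid_in_lease = vault.passwords["db01.example"] == seen_a
    rotated = vault.advance(3000)                      # clock reaches t=3600
    still_valid = [p for p in (seen_a, seen_b) if p in vault.passwords.values()]
    return valid_in_lease, rotated, still_valid
```

The `audit` list records the check-out, any check-in and the forced roll for each system, which is the trail a reviewer would use to confirm that no disclosed password outlived its lease.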
Changing local administrator credentials on both Windows and
non-Windows systems is very easy to set up and execute within
E/RPM, and most changes can be accomplished enterprise-wide in a day or
less, bringing your company into compliance. With automatic
scheduling, there is little to nothing you need to do to keep the
passwords all different on all systems as well as automatically changed
All this means deployment of E/RPM and its ability to maintain
continuous compliance for local Superuser credentials is a piece of
cake to set up and maintain. Imagine, completing an identity management
project in a week…it can be done with our technology!
you think? Email me at: Phil@liebsoft.com.
You can also follow me on Twitter: @liebsoft
or connect with me via LinkedIn.
Your Vote for Lieberman Software!
Lieberman Software has a number of entries in the 2012
Community Choice Awards. Please take a moment to vote for us in
the following categories:
SQL Server Pro:
Deployment/Configuration Product – Lieberman Software User
Manager Pro Suite
Management Suite – Lieberman Software User
Manager Pro Suite
Security Product – Lieberman Software Enterprise Random Password
System Utility – Lieberman Software Service Account Manager
Task Automation Product – Lieberman Software Task Scheduler Pro
Vendor Tech Support – Lieberman Software
Security/Auditing/Compliance Product – Lieberman
Enterprise Random Password Manager
New in Identity Week
Featured commentary on our Identity
Week blog this month includes:
- How To Handle Password Spreadsheets.
Let’s face it. Despite the best efforts of us in the IT security
industry, the top solution for managing passwords is the trusty old
sticky note. Write down your password on the note and hide it somewhere
you can easily find it (hopefully not on your monitor)...
Events / Press /
of IT staff admit to accessing unauthorised executive data.
ComputerworldUK. Almost 40% of IT staff can get unauthorised
access to sensitive information, and 20% admit to accessing executives'
confidential data, according to research. IT professionals are allowed
to roam around corporate networks unchecked, according to a survey of
more than 450 IT professionals by security software firm Lieberman
Tech Tip of the Month
Automatically Manage Expired or Inactive User Accounts
Account Reset Console provides an automated password management system
to identify accounts with expired or near-expired passwords, or that
have been inactive for a certain number of days. Here's