Hitachi IPAM

Course overview

  • Hitachi ID Privileged Access Manager is a system for securing access to privileged accounts.
  • Training by a real-time expert trainer
  • Live online classes
  • Free study material
  • Online virtual classes available in morning, evening and weekend sessions

Course Duration

3 Days

Cost

Course Content

Introduction

  • Install the software
      • Install replica

Targets and auto-discovery

  • AD target (source of profiles)
  • AD target (source of computers)
  • Configure the system to omit disabled accounts (for login)
  • Configure the system to “manage” all AD groups (for ACLs)
  • Run and troubleshoot psupdate
  • Log viewer

Manual targets and intro to policies

  • Configure a manual WinNT target
  • Configure a manual Linux target
  • Configure a simple MSP for these two targets:
      • password policy and randomization schedule
      • account names to include
      • plug-ins to support (cmd-line/PuTTY + RDP)
      • checkout limits
  • Configure a simple User Class for a few users
  • Link the MSP to the User Class to get ACLs
  • Run psupdate to get passwords randomized
  • Show logs and reports that illustrate what happened

Basic user experience

  • Sign into the UI with AD creds
  • Checkout access
  • Checkout and launch RDP to one system
  • Checkout and launch SSH to one system
  • Run reports to show that this activity was captured

Infrastructure auto-discovery and import rules

  • Introduce a bunch of fake computers on AD
  • Introduce the simulator for WinNT targets
  • Show the ‘discovered systems’ and ‘system attributes’ data that gets loaded into PAM
  • Define some import rules
  • Run through and troubleshoot discovery/import/management
  • Use the simulator to introduce daily evolution of the infrastructure
  • Show that the system responds during psupdate with appropriate discovery and management/unmanagement
  • Discuss “unmanage” rules — e.g., for systems that have been offline for too long.

Ongoing support and maintenance

  • Show the HiPAM dashboard
  • Implement exit traps for various types of failures:
      • replication problems
      • psupdate problems
      • failed authentication and authorization
  • Show and use reports:
      • who checked out what?
      • who got rejected?
      • who is busy vis-a-vis the system?

Introduce pull mode

  • Motivation:
      • laptops
      • mobility, NAT, firewalls, power-down, etc.
      • scalability
  • Configure and deploy MSI to a WinXP and a Win7 client

Workflow for one-off requests

  • Discuss scenarios: where/when to use workflow
  • Request attributes and attribute validation
  • Selecting authorizers (focus on userclass, not plug-ins)
  • Consensus (N of M) and veto power
  • Automatic reminder e-mails
  • Automatic escalation after non-response
  • Early escalation (e.g., if authorizer is out of office)
  • Reports and dashboards: what’s going on in the workflow engine?
  • The roles of workflow and delegation managers

Service accounts on Windows

  • Intro to the Windows security model (why do we have to manage these darned things?)
  • Cases where service accounts are already managed by Windows (IIS, SCM in some cases)
  • Server-local accounts
  • Domain-level accounts and special challenges due to Microsoft “best practices”
  • Using updsvcpass
  • Reports to find service accounts and see how they are used

Embedded accounts and passwords

  • Intro to the problem of embedded passwords in programs and scripts
  • Alternative solution approaches:
      • modify the app to use an API to fetch a current password
      • leave the password where it lies and push new values into the cfg file or similar
  • Security catch-22:
      • authenticating users into the API?
      • caching passwords and securing the cache
  • Introduce the HiPAM API:
      • API-enabling users
      • OTP in authentication
      • IP subnet filtering (CIDR masks)
  • The need for an API wrapper:
      • generating key material with which to obscure cached passwords and OTPs
      • caching and serialization
      • simplifying use of the API
