Discovering Resources and Privileged Accounts

PAM360 provides the option to automatically discover endpoints in your environment and enumerate the privileged accounts associated with them. This helps enterprises to secure all their privileged identities swiftly and randomize the passwords of the accounts, upon discovery and thereafter at periodic intervals. It is possible to discover a variety of devices such as Windows, Linux, VMware and Network devices, and also the service accounts associated with Windows and Linux (SSH only) domain accounts.

The entire privileged accounts discovery process can be split into the following steps:

  1. Discovering Resources
    1.1 Prerequisites (common for all resources)
    1.2 Steps to Discover Resources

    1.2.1 Windows
    1.2.2 Linux
    1.2.3 Network Devices
    1.2.4 VMware
    1.2.5 AWS EC2
    1.2.6 Amazon WorkSpaces

    1.3 Scheduled Resource Discovery

    1.4 Track discovery status

  2. Adding the discovered Resources into PAM360
    2.1 Windows
    2.2 Linux
    2.3 Network Devices
    2.4 VMware
    2.5 AWS
  3. Discovering Privileged Accounts
    3.1 Accounts Discovery: Prerequisite
    3.2 Database accounts discovery
    3.3 Discover Privileged Accounts of Individual Resources
    3.4 Automated periodic discovery of privileged accounts
    3.5 PAM360 MSP Edition
    3.6 Randomize Passwords Post Discovery

Apart from the above topics, you will also learn how to Randomize Passwords Post Discovery.

1. Discovering Resources

1.1 Prerequisites (common for all resources)

Make sure you have installed the following, before commencing the discovery:

  • Microsoft .Net framework 4.5.2 or above.
  • Microsoft Visual C++ 2015 redistributable.

1.2 Steps to Discover Resources

The first step to adding resources to PAM360 is the discovery of different endpoints present in your network. The following sections explain how PAM360 goes about discovering different endpoints:

1.2.1 Windows:

PAM360 automatically discovers and lists all the Windows domains from the Windows domain controller, where the PAM360 is running. All you need to do is to select the required domain and provide the domain controller credentials.

Windows servers can be discovered directly from Active Directory. The WMI API is used to connect to the domain controller and fetch the list of all the servers/workstations that are part of the selected Group/OU. A WMI connection is then established to each Windows endpoint for device discovery.

Steps to Discover Windows Servers:

  1. Navigate to Resources >> Discover Resources >> Windows. The discovery wizard is displayed.
  2. Fill in the details as mentioned below:
    1. Choose a Domain Name, from which the assets are to be imported, from the drop-down list [OR] click New Domain >> Add and enter a new domain name.
    2. Specify the Primary Domain Controller.
    3. Specify one or more Secondary Domain Controllers.
       Note: Mention the DNS names of the secondary domain controllers as comma-separated values. One of the listed controllers will be used when the primary controller is down. When you use SSL mode, make sure the DNS name specified here matches the CN (common name) specified in the SSL certificate for the domain controller.
    4. For each domain, you can configure the connection either through SSL or Non SSL. (PAM360 strongly recommends encrypted communication via SSL for enhanced security.)
       Note: SSL mode allows the PAM360 server to communicate with this particular domain controller over SSL. For this, the domain controller's certificate has to be imported into PAM360's certificate store. Any procedure that you normally use to import SSL certificates into the machine's certificate store can be followed; just ensure that the certificate is in base 64 format and is stored in the PAM360 bin directory, after which it can be imported for use with PAM360:
        1. In the machine where PAM360 is installed, launch Internet Explorer and navigate to Control Panel >> Internet Options >> Content >> Certificates.
        2. Click Import. Browse and locate the root certificate issued by your CA.
        3. Click Next and choose the option Automatically select the certificate store based on the type of certificate and install.
        4. Again click Import.
        5. Browse and locate the domain controller certificate.
        6. Click Next and choose the option Automatically select the certificate store based on the type of certificate and install.
        7. Apply the changes and close the wizard.
        8. Repeat the procedure to install other certificates in the root chain.
       Repeat these steps for all domain controllers with which you want PAM360 to communicate over SSL. Note that the DNS name you specify for the domain controller should match the CN (common name) specified in the SSL certificate for the domain controller.
    5. Supply valid credentials in either of the following ways:
      1. Specify a valid Username/Password manually: Specify the DNS name of the domain controller along with a valid user credential (Username/Password) which has read permission in that domain controller. If you want to discover users from multiple domains, enter the username as <DomainName>\<username>. For example, to discover the users of DOMAIN A using a DOMAIN B username/password, enter the username as <DOMAIN B>\username.
      2. Use an Account Stored in PAM360: You can use a user account which is already stored in PAM360. This account lets PAM360 gain access and fetch the user accounts present under the specified domain name.
    6. Select the required password policy from the Password Policy drop-down. You can also specify a password policy for each group or organizational unit while fetching them, before the import process.
    7. Specify Resources, Resource Groups or OUs by entering their names as comma-separated values in the respective text fields:
      1. If you want to import only particular resources, enter the required resource name(s) in comma-separated form in the Resource(s) to Import field.
      2. Similarly, you can choose to import only specific resource groups or OUs from the domain. Specify the names in the Resource group(s) to Import or OU(s) to Import fields respectively, in comma-separated form.
  3. If you have specified a resource, a resource group, or an OU, click Import to initiate the process. If you have left the fields empty, click Fetch Groups and OUs to enumerate all the available resources from which you can choose and import. To view the selected groups before importing, click View Selected Groups.
  4. PAM360 periodically queries the AD to keep the resources in sync: new resources added to the AD are automatically added to PAM360. Enter the time interval at which PAM360 should query the AD, and set the sync interval to 3 hours or more depending on the number of resource groups and OUs discovered. Click Save.
  5. Click Fetch Groups & OUs.
  6. On successful discovery of resources, you can add All/Selected Resources into PAM360.

1.2.2 Linux:

PAM360 uses Telnet and SSH as the remote connection modes to discover the devices, where Telnet/SSH are running.

Steps to Discover Linux Servers:

  1. Navigate to Resources >> Discover Resources >> Linux.
  2. Choose to discover using either of the Telnet or SSH.
    1. Discover using Telnet:
      1. Choose the Connection Mode as Telnet.
      2. As mentioned in the Network Devices discovery section, you can discover a single device by specifying the host name or IP address, OR multiple devices present in an IP range, OR multiple devices whose details are available in a flat file.
      3. You can set the maximum Time Out period to be up to 999 seconds, within which the devices must be discovered.
      4. Enter the Telnet Port number (default port- 23).
      5. Click Discover. A Discovery Confirmation window pops up. Choose whether to send notifications to "All administrators" or to specific people. If you choose the latter option, specify the email addresses separated by commas. Click Proceed. Now, you will see the Discovery Status page where the discovered device will be added as a task. You will also see other details such as date/time when the discovery was invoked, completed, etc.
      6. If you want to schedule a periodic resource discovery, click Add Schedule. You will see a new window where you can create an automated scheduled task for discovering the newly added accounts during resource discovery. To know more, click here.
      7. Note: If the device to be discovered is present on a subnet, different from the host where PAM360 is running, discovery might take longer than the actual timeout specified, due to extended connectivity time. The Telnet option will be disabled soon, and you will have only "SSH" as the dedicated remote connection mode.

    2. Discover using SSH:
      1. Choose the Connection Mode as SSH.
      2. As mentioned in Network Devices discovery part you can discover a single device by specifying the host name or IP address OR multiple devices present in an IP range OR discover multiple devices whose details are available in a flat file.
      3. Initiate the profile configuration process. Choose an existing discovery profile(s) or click Add Profile.
      4. The Add New Discovery Profile wizard is displayed.
        1. Fill in details such as Name, Description, SSH Port number and User Prompt.
        2. Configure credentials in either of the below 3 ways:
          1. Specify the password manually: If you choose this option, you need to enter a valid Username and Password.
          2. Use an Account Stored in PAM360: If you choose this option, you need to choose a Resource Name and an Account Name from the respective drop downs.
          3. Add SSH private key: If you choose this option, you need to enter details such as Username, Private Key Name and the Private Key Password. Choose a valid SSH key file.
        3. Account Discovery: Besides resource discovery, SSH connectivity allows discovery of related account(s), as well from the machine. By default, this option will be enabled. Disable, if you don't want any account(s) to be discovered.
        4. Choose a Privilege Elevation Method: This option appears only if you have enabled account discovery in the previous step.
          1. 'su' as root: If you choose this option, provide the credentials of a super user only, in the fields that follow.
          2. Use 'sudo': If you choose this option and the credentials configured in step (ii) are those of a "sudo" privileged user, then all the resource(s) and the related account(s) will be discovered. If the credentials configured in step (ii) are those of a "normal" user, then only the resource(s) will be discovered.
        5. Click Save.
      5. Set the maximum time limit within which the device discovery is expected to be completed. Specify a Time Out value, in seconds.
      6. Click Discover. A Discovery Confirmation window pops up. Choose whether to send notifications to All administrators or to specific people. If you choose the latter option, specify the email addresses separated by commas. Click Proceed. Now, you will see the Discovery Status page where the discovered device will be added as a task. You will also see other details such as date/time when the discovery was invoked, completed, etc. 
      7. If you want to schedule a periodic resource discovery, click Add Schedule. You will see a new window where you can create an automated scheduled task for discovering the newly added accounts during resource discovery. To know more, click here.
      8. Note: If the device to be discovered is present on a subnet, different from the host where PAM360 is running, discovery might take longer than the actual timeout specified, due to extended connectivity time.

1.2.3 Network Devices:

Prerequisite - Create discovery profiles

Before proceeding with discovering the network devices, you should create discovery profiles that help PAM360 to use common details for discovering multiple devices.

Steps to Discover Network Devices:

  1. Navigate to Resources >> Discover Resources >>Network Devices.
  2. There are three different options to discover the devices:
    1. Discover a single device by specifying the Host Name / IP Address (Sample values are 192.168.1.1, cisco2611, etc.).
    2. Discover multiple devices by entering an IP Address Range (e.g. 192.168.11.1 To 192.168.11.5).
    3. Discover IT assets in bulk by importing a file containing multiple Host Names / IP Addresses. Enter one value per line; an IP Address Range can be specified as comma-separated or tab-separated values.

    Notes:

      1. At present, PAM360 supports the IPv4 format only.
      2. When discovering network devices, only the resources are identified, not the associated accounts.

  3. Choose an existing discovery profile(s) [OR] click Add new profile beside the Profile field, to initiate the profile configuration process. SNMP versions V1, V2c and V3 are used to perform a GET of the sysObjectID, which identifies the network device vendor and model. The profile creation process for each of the protocols is explained below:
    1. SNMP V1, V2c. For creating a profile for devices making use of SNMP V1 and V2c:
      1. Enter the new profile Name. This name uniquely identifies the profile.
      2. Enter a Description about the profile for your reference.
      3. Select the SNMP Version (SNMP V1 or V2c) in the Version drop-down list.
      4. Enter the SNMP Port number.
      5. Enter the Read Community (mandatory). Optionally, you can also specify the Write Community.
      6. Save the profile.
    2. SNMP V3. For creating a profile for devices using SNMP V3:
      1. Enter a unique profile Name.
      2. Enter a Description about the profile for your reference.
      3. Select Version V3 in the Version drop-down list.
      4. Enter the SNMP Port number.
      5. User Name: Enter the name of the user (principal) on whose behalf the messages are exchanged.
      6. Context Name: An SNMP context name, or "context" for short, identifies a collection of management information accessible by an SNMP entity. An item of management information may exist in more than one context, and an SNMP entity potentially has access to many contexts. In other words, if management information has been defined under a certain context by an SNMPv3 entity, any management application can access that information by giving that context name. The context name is an octet string.
      7. Authentication Protocol & Password: Select one of the authentication protocols (MD5 or SHA) and enter the password. MD5 and SHA are the hash algorithms used to derive the authentication/privacy keys in SNMPv3.
      8. You can either enter the password manually or use a user account stored in PAM360 (follow the steps described above).
      9. Priv Protocol: Select the required privacy protocol and also specify the Priv Password.
      10. Save the profile.
  4. To avoid time-delay, you can set the number of Retries (maximum 5) up to which PAM360 should keep attempting to discover the devices.
  5. Click Discover. A Discovery Confirmation window pops up. Choose whether to send notifications to All administrators or to specific people. If you choose the latter option, specify the email addresses separated by commas. Click Proceed. Now, you will see the Discovery Status page where the discovered device will be added as a task. You will also see other details such as date/time when the discovery was invoked, completed, etc. 
  6. If you want to schedule a periodic resource discovery, click Add Schedule. You will see a new window where you can create an automated scheduled task for discovering the newly added accounts during resource discovery. To know more, click here.

1.2.4 VMware:

For VMware, VSphere API is used to get the list of all ESXi hosts for device discovery.

Prerequisite - Create Discovery Profiles

Before proceeding with discovering VMware devices, you should create discovery profiles that help PAM360 use common details for discovering multiple devices. You can create the discovery profiles using your vCenter API username and password.

Steps to Discover VMware Devices:

  1. Navigate to Resources >> Discover Resources >> VMware.
  2. As detailed above in the Network Devices discovery section, you can discover a single VM device by specifying the host name or IP address OR multiple devices present in an IP range OR discover multiple devices whose details are available in a flat file.
  3. Choose an existing discovery profile(s) [OR] click Add profile to initiate the profile configuration process.
    1. In the new window that opens, enter a unique profile Name.
    2. Enter a Description about the profile for your reference.
    3. Enter the VMware Port, the vCenter API Username and Password to establish communication with the virtual device. You can either enter the password manually or use a user account stored in PAM360. (Follow above steps)
    4. Click Save.
  4. To avoid time-delay, you can set the number of Retries (maximum 5) up to which PAM360 should keep attempting to discover the devices.
  5. Click Discover. A Discovery Confirmation window pops up. Choose whether to send notifications to "All administrators" or to specific people. If you choose the latter option, specify the email addresses separated by commas. Click Proceed. Now, you will see the Discovery Status page where the discovered device will be added as a task. You will also see other details such as date/time when the discovery was invoked, completed, etc. 
  6. If you want to schedule a periodic resource discovery, click Add Schedule. You will see a new window where you can create an automated scheduled task for discovering the newly added accounts during resource discovery. To know more, click here.

1.2.5 AWS EC2:

Amazon Web Services (AWS) is an on-demand cloud computing platform, and Elastic Compute Cloud (EC2) is one of its popular services. The EC2 platform allows users to rent virtual instances to run their applications. All these instances can be directly retrieved, imported and managed from PAM360.

Prerequisite

You should have the Administrator access and Amazon EC2 Read-Only Access to add resources in AWS.

Steps to discover AWS resources:

  1. Navigate to Resources >> Discover Resources >> AWS.
  2. In the Resource Discovery page displayed, do the following:
    1. Mention the Task Name. Select the Region from which the instances should be discovered.
    2. Supply the AWS credentials in either of the following ways:
      1. If you choose to Specify Access Key Id and Secret Access Key Manually, enter the Access Key and Secret Key.
      2. If you choose to Use an Access Key Id and Secret Access Key stored in PAM360, select the Resource Name and select the respective access key and secret key from the AWS IAM drop-down.
    3. Select Discovery Profile(s) or click the Add Profile link and specify the following details in the pop-up that appears:
      1. Mention the Name and Description.
      2. Depending on whether you want to Add a SSH Private Key or Use an SSH Private Key stored in PAM360, select the required option.
      3. If you choose to Add a SSH private key, upload the SSH key by clicking Browse. Then, mention the Private Key Name and Private Key Password.
         Note: The private key's name should be the same as the one used in that particular instance.
      4. If you choose to Use a SSH private key stored in PAM360, select the Resource Name and Account Name.
      5. Enter the Username. PAM360 first checks for a Windows instance and, if that fails, checks the credentials against Linux and tries to log in. If the Username is not mentioned, PAM360 assumes the resource to be a Windows instance and tries to log in with the default administrator as the username.
      6. In the event of successful verification, the instances are added in the Profile category.
      7. Click Save. Now, the added profile will be displayed in the Profile section. Clicking the edit and delete icons against the desired profile lets you modify and delete that profile, respectively.
         Note: To discover an account from a Windows instance, Remote Password Reset must be configured manually for that account.
    4. Now, click Discover. In the pop-up that appears, select to send notifications to All administrators and/or Specific Email Addresses (mention the email IDs to which you want to Send Notifications).
    5. Click Proceed. The notification will be sent to the specified email IDs.
  3. Click the Discovery Status tab. You will be able to find the list of discovery operations running in the background.
    1. All the discovery tasks are available in a list view, showing the Task Name, Invoked On, Completed At, Discovery Status and Description of each.
    2. Click the task name to view, in a pop-up, the list of resources that were discovered during that particular task.
      1. Click Add all discovered resources to add all the resources that were discovered during this task.
      2. From the list of discovered resources, select only the resource(s) that you wish to add and click Add selected resources.
      3. Click the Search icon to look for a particular resource.
      4. You can sort these resources using the drop-down available on the top-right corner of the list view.
    3. To stop or resume task(s), select the task(s) from the list view and click Stop Discovery Tasks or Resume Discovery Task.
    4. Select the task(s) you want to delete and click the Delete Discovery Tasks button to delete those task(s).
       Note: For Windows instances, once the admin password has been rotated, the resource should not be deleted: AWS can no longer retrieve that password, so the account should be managed by PAM360.
    5. Click the Search button to search for a required task.

1.2.6 Amazon WorkSpaces:

In addition to the above-mentioned endpoints, PAM360 also allows you to discover and add virtual desktops from an Amazon WorkSpaces client as resources in the PAM360 repository. You can retrieve, import, and manage all the virtual instances, directly from PAM360. To use PAM360 to discover virtual machines from an Amazon WorkSpaces client, you must first create a directory in the AWS console and establish a virtual desktop. Follow the below steps:

  1. Follow the steps detailed in this AWS document to create your Amazon WorkSpaces client.
  2. Next, launch a virtual desktop using the Amazon WorkSpaces client you created.
  3. Once you have set up your virtual desktop, install PAM360 in it.
  4. After installing PAM360 in the desktop, proceed with the discovery process by following the steps for Windows or Linux, based on the operating system the virtual desktop runs on.

1.3 Scheduled Resource Discovery

Add schedules to perform automated periodic resource discovery of Linux, VMware, and Network devices at specified intervals. Set the repeat frequency, set import criteria - filter resources during import based on Resource Name or DNS name using specific criteria. You can also choose to send notifications. Check out the detailed steps below:

Note: Scheduled Resource Discovery is available only for Discover devices using IP Range.

  1. After mentioning the required details, click Add Schedules.
  2. In the pop-up that appears:
    1. Select the occurrence between Once, Days or Monthly.
    2. If you choose the occurrence as Once, mention the Start From and the Start Time. This will allow users to schedule the discovery once on the mentioned Start Date.
    3. If you choose the occurrence as Days, mention the Start From, Interval Day(s) and the Start Time.
    4. If you choose the occurrence as Monthly, mention the On and the Start Time.
  3. Select if you want to Import all Discovered Resources or if you want to Import by Criteria.
    1. If you choose to Import by Criteria, mention the conditions by which you want to import the discovered resources.
    2. You can choose to Match all of the following or Match any of the following mentioned criteria.
    3. Select Resource Name or DNS name. You can filter the search based on conditions such as 'equals' or 'does not equal', 'contains' or 'does not contain', 'starts with' or 'ends with'.
  4. Select Administrators with Discovery Feature Role or Specify Email Address and mention the email addresses separated by commas to notify about the schedule.
  5. Click Save to save the schedule.
  6. Click Save and Run to save and run the schedule (applicable only for Days and Monthly occurrence).

Now, you have successfully added a schedule for Resource Discovery. The added schedule can be viewed from the Discovery Schedules tab or from Admin >> Manage >> Scheduled Task. From here, you will also be able to Edit, Disable and Delete the schedule.

1.4 Track Discovery Status

  1. After initiating the discovery operation, PAM360 allows you to track the status of the operation in real time.
  2. The list of discovery operations which are currently running in the background can be found in the Discovery Status tab. Using the same tab, you can also track the history of discovery scans which were performed earlier.
  3. For any discovery operation, you can find its Task name, Time invoked, Completed At and Discovery Status.
  4. PAM360 also provides an option to stop any discovery operation which is currently in progress.
  5. Click any Task Name to view the entire list of IT assets discovered during that particular task.

2. Adding the Discovered Resources into PAM360

The following topics explain how each type of discovered resource is added into PAM360:

2.1 Windows

When a Group/OU is imported from AD, the Windows devices that are part of the Group/OU will be automatically listed under the Resources tab, from where they can be viewed.

2.2 Linux

For Linux devices, you need to move the discovered resources to the Resources tab manually. In the Discovery Status window under the Discover Resources option, select the required discovered resources and move them to the Resources tab. This operation can also be performed in bulk by selecting multiple discovered resources.

2.3 Network Devices

For network devices, you need to move the discovered resources to the Resources tab manually. In the Discovery Status window under the Discover Resources option, select the required discovered resources and move them to the Resources tab. This operation can also be performed in bulk by selecting multiple discovered resources.

  1. In the Discovery Status window, PAM360 provides you an option either to add all discovered resources or to add selected resources into the inventory.
  2. In the Discovery Status window, upon clicking a task name, the Discovery Task Status will pop up.
  3. Click Add all discovered resources to add the entire set of resources into the PAM360 inventory, and click the OK button.
  4. If you want to add only particular resources into the PAM360 inventory, select those resources and click Add selected resources.

2.4 VMware

For VMware, you need to move the discovered resources to the Resources tab manually. In the Discovery Status window under the Discover Resources option, select the required discovered resources and move them to the Resources tab. This operation can also be performed in bulk by selecting multiple discovered resources.

2.5 AWS

For AWS, you will have to add the resources manually. From the Discovery Task Status window, you can import all the resources by clicking the Add all discovered resources button, or you can select the required resources and click the Add selected resources button.

3. Discovering Privileged Accounts

After successfully discovering the IT assets, the next step is to discover the privileged accounts associated with those IT assets. You can discover the privileged accounts associated with each resource individually as well as in bulk.

3.1 Prerequisite (Accounts Discovery)

To discover and enumerate the privileged accounts (including local administrator accounts) from the resources, you need to supply the credentials that enable PAM360 to fetch the accounts. You can do this by clicking the Edit button against each resource. This step has to be repeated for all resources whose accounts are to be discovered.

  1. Navigate to the Resources tab.
  2. Click the Resource Actions icon against the Windows Domain resource and select Configure password reset from the drop-down.
  3. In the pop-up form that appears, select the Domain Admin account as the Administrator Account.
  4. PAM360 supports only specific resource types for privileged accounts discovery. If any of your devices is not supported but is similar to one of the supported types, you may select the closest resource type available and try discovering the accounts.
  5. When discovering resources, PAM360 fills in the resource type field as well. However, check the resource type field and ensure that the correct type is chosen. Otherwise, change the type.
  6. Click Save.

3.1.1 Discovery of Windows Service Accounts and Local Accounts Associated with the Domain Member Server

When discovering Windows accounts, PAM360 will also automatically fetch the service accounts associated with services present on the domain members. Windows service accounts are discovered and enumerated in the inventory as explained below:

  1. Initially, PAM360 will create a Windows domain resource with the domain name. For example, if the domain name is PAM360, then the resource name created will also be PAM360 - Domain Controller.
  2. Then, PAM360 will try to fetch all the Windows member servers that are available under the specified OU or groups.
  3. After importing the available resources, the corresponding local accounts associated with those resources will also be fetched.

Finally, the service accounts will be fetched for the imported resources. These service accounts will be mapped to the resource group that contains the resources where the service accounts are used. The resource group will be created in the form DomainName_MemberServerGroup. For example, if the domain name is given as PAM360, the resource group name will be PAM360_MemberServerGroup. If a resource group with that name already exists, the resources will be added to that resource group.

    3.1.2 Discovery of Privileged Domain Accounts

    To discover the privileged domain accounts, such as enterprise administrator accounts and domain administrator accounts of the Windows Domain resources in PAM360, perform the steps outlined below:

    Note: It is recommended to manage only the privileged domain accounts, such as domain administrator accounts and enterprise administrator accounts in Active Directory, and not the named accounts.

    1. Navigate to the Resources tab and select the Windows Domain resource from which you want to discover the privileged domain accounts.
    2. Click the Discover Domain Accounts button and perform the following actions:
      1. In the window that appears, choose a Resource and Account to be used for carrying out the discovery and password reset operation. The account can be from the same Windows Domain resource or from another one connected to the selected Windows Domain resource.

      Note: The selected account should hold privileges to connect to Active Directory and discover the domain accounts, so that it can carry out operations within the Windows Domain.

      2. Tick the Use this account for password reset operations checkbox if you intend to use this domain account for password reset operations.
      3. To discover specific domain accounts, or accounts from certain Active Directory groups, enter the names as comma-separated values in the Domain Account Name or Import from AD Group(s) fields under the Import Criteria section and click Import. This performs a discovery operation and imports the privileged domain accounts matching the provided inputs.
      4. If you do not know the privileged domain account names or group names, skip the Import Criteria section and click the Enumerate Groups button. From the enumerated groups, select the Active Directory groups from which the privileged domain accounts are to be discovered and click Import.

      Notes:

        1. You can filter the search based on criteria such as contains, equals, not equals, starts with, ends with, and RegEx (regular expression).
        2. During the import process, only the domain accounts of the current Active Directory will be fetched.

      5. To run the domain account discovery on a schedule, select the Synchronization Schedule checkbox and choose one of the provided synchronization occurrences to match your requirements.
      6. Click Import to complete the import process.
    3. The domain account discovery schedules can be viewed for the specific Windows Domain resource by selecting Resource Actions >> Domain Account Discovery Schedule. Here, you can edit, enable, disable, and delete schedules for the specific groups from which the domain accounts are scheduled to be imported. You can also do the same from Admin >> Scheduled Tasks >> User Created Schedules.

    Limitations

    1. Domain account discovery cannot be performed if privileged domain accounts or Active Directory groups contain comma (,) characters in their names.
    2. The privileged domain accounts cannot be discovered if the account name is appended with the domain controller name.
    3. The privileged domain accounts cannot be discovered from the nested Active Directory groups. However, the groups can be selected individually during the import process.

    3.2 Database Accounts Discovery

    Similar to the resources listed above, you can also discover database accounts through the discovery feature in PAM360.

    As mentioned above, to discover and enumerate the privileged accounts (including local administrator accounts) from database resources, you need to supply the credentials to enable PAM360 to fetch the accounts. You can do this by clicking the Edit button against each resource. This step has to be repeated for all resources whose accounts are to be discovered.

    Database Resource Types Supported by PAM360:

    1. MS SQL
    2. MySQL
    3. PostgreSQL
    4. Oracle
    5. Sybase

    Prerequisite

    Supply credentials for remote synchronization.

    i. MS SQL Server

    1. To add an MS SQL resource to PAM360, navigate to Resources >> Add Resource and add a resource with the resource type MS SQL server and a valid DNS name/IP address.
    2. In the Add Account window, provide an administrator account's credentials to facilitate the account discovery through this account.
    3. To configure remote password reset for this resource, click on the Resource Actions drop-down menu beside the resource and select Configure Remote Password Reset.
    4. For an MS SQL server, the default port is 1433. Select an administrator account from the Account Name drop-down list and Save the settings.
    5. You can configure the connection either through SSL or Non SSL mode. In case of SSL mode, the SSL certificate must be imported before discovering accounts in PAM360.
    6. To enable the SSL mode, the MS SQL server should be serving over SSL and you will have to import the database server's root certificate into the PAM360 server machine's certificate store.
    7. You need to import all the root and intermediate certificates that are present in the respective certificate chain. Before you import the root certificate, stop the PAM360 server.
    8. Open the command prompt and navigate to the <PAM360_SERVER_HOME>\bin directory and execute the following command:

      For Windows:

      importCert.bat <Absolute Path of certificate>

      For Linux:

      importCert.sh <Absolute Path of certificate>


    9. Restart PAM360 server.

    ii. MySQL server

    1. To add a MySQL resource to PAM360, navigate to Resources >> Add Resource and add a resource with the resource type MySQL server and a valid DNS name/IP address.
    2. In the Add Account window, provide an administrator account's credentials to facilitate the account discovery through this account.
    3. To configure remote password reset for this resource, click on the Resource Actions drop-down menu beside the resource and select Configure Remote Password Reset.
    4. For a MySQL server, the default port is 3306. Select an administrator account from the Root Account Name drop-down list and click Save to save the settings.
    5. You can configure the connection either through SSL or Non SSL mode. In case of SSL mode, the SSL certificate must be imported before discovering accounts in PAM360.
    6. To enable the SSL mode, the MySQL server should be serving over SSL and you will have to import the database server's root certificate into the PAM360 server machine's certificate store.
    7. You need to import all the root and intermediate certificates that are present in the respective certificate chain. Before you import the root certificate, stop the PAM360 server. Open a command prompt and navigate to the <PAM360_SERVER_HOME>\bin directory and execute the following command:

      For Windows:

      importCert.bat <Absolute Path of certificate>

      For Linux:

      importCert.sh <Absolute Path of certificate>

    8. Restart PAM360 server.

    iii. PostgreSQL Server

    1. To add a PostgreSQL resource to PAM360, navigate to Resources >> Add Resource and add a resource with the resource type PostgreSQL server and a valid DNS name/IP address.
    2. In the Add Account window, provide an administrator account's credentials to facilitate the account discovery through this account.
    3. To configure remote password reset for this resource, click on the Resource Actions drop-down menu beside the resource and select Configure Remote Password Reset. For a PostgreSQL server, the default port is 5432.
    4. Select an administrator account from the Root Account Name drop-down list and Save the settings.
    5. You can configure the connection either through SSL or Non SSL mode. In case of SSL mode, the SSL certificate must be imported before discovering accounts in PAM360.
    6. To enable the SSL mode, the PostgreSQL server should be serving over SSL and you will have to import the database server's root certificate into the PAM360 server machine's certificate store.
    7. You need to import all the root and intermediate certificates that are present in the respective certificate chain. Before you import the root certificate, stop the PAM360 server. Open a command prompt and navigate to the <PAM360_SERVER_HOME>\bin directory and execute the following command:

      For Windows:

      importCert.bat <Absolute Path of certificate>

      For Linux:

      importCert.sh <Absolute Path of certificate>


    8. Restart PAM360 server.

    iv. Oracle DB Server

    1. To add an Oracle DB resource to PAM360, navigate to Resources >> Add Resource and add a resource with the resource type Oracle DB server and a valid DNS name/IP address.
    2. In the Add Account window, provide an administrator account's credentials to facilitate the account discovery through this account.
    3. To configure remote password reset for this resource, click on the Resource Actions drop-down menu beside the resource and select Configure Remote Password Reset.
    4. For an Oracle DB server, the default port is 1521. Select an Administrator Account from the drop-down list and Save the settings.
    5. You can configure the connection either through SSL or Non SSL. In case of SSL mode, the SSL certificate must be imported before discovering accounts in PAM360.
    6. To enable the SSL mode, the Oracle DB server should be serving over SSL and you will have to import the database server's root certificate into the PAM360 server machine's certificate store.
    7. You need to import all the root and intermediate certificates that are present in the respective certificate chain.
    8. Before you import the root certificate, stop the PAM360 server. Open a command prompt and navigate to the <PAM360_SERVER_HOME>\bin directory and execute the following command:

      For Windows:

      importCert.bat <Absolute Path of certificate>

      For Linux:

      importCert.sh <Absolute Path of certificate>


    9. Restart PAM360 server.

    v. Sybase Server

    1. To add a Sybase resource to PAM360, navigate to Resources >> Add Resource and add a resource with the resource type Sybase ASE and a valid DNS name/IP address.
    2. In the Add Account window, provide an administrator account's credentials to facilitate the account discovery through this account.
    3. To configure remote password reset for this resource, click on the Resource Actions drop-down menu beside the resource and select Configure Remote Password Reset.
    4. For a Sybase server, the default port is 5000. Select an Administrator Account from the drop-down list and Save the settings.
    5. You can configure the connection either through SSL or Non SSL. In case of SSL mode, the SSL certificate must be imported before discovering accounts in PAM360.
    6. To enable the SSL mode, the Sybase server should be serving over SSL and you will have to import the database server's root certificate into the PAM360 server machine's certificate store.
    7. You need to import all the root and intermediate certificates that are present in the respective certificate chain. Before you import the root certificate, stop the PAM360 server. Open a command prompt and navigate to the <PAM360_SERVER_HOME>\bin directory and execute the following command:

      For Windows:

      importCert.bat <Absolute Path of certificate>

      For Linux:

      importCert.sh <Absolute Path of certificate>


    8. Restart PAM360 server.
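    The certificate import step is identical for the MS SQL, MySQL, PostgreSQL, Oracle and Sybase sections above. The following POSIX shell helper is an added example, not PAM360's own tooling: it splits a PEM chain bundle into one file per certificate, picks out the CA certificates (the root and intermediates those steps ask for, skipping the server's own leaf certificate) and hands each one to importCert.sh by absolute path. It assumes openssl is on PATH, that PAM360_SERVER_HOME is set to the PAM360 installation directory, and that the bundle was supplied by the database administrator or captured with openssl s_client.

```sh
#!/bin/sh
# Added helper (not PAM360's own tooling) for the importCert step above.
# Assumptions: openssl is on PATH, PAM360_SERVER_HOME is set, and the chain
# bundle (PEM) came from the DB administrator or, for MySQL/PostgreSQL, from
#   openssl s_client -connect host:port -starttls mysql|postgres -showcerts

# Split a PEM bundle into one file per certificate (chain-1.pem, chain-2.pem,
# ...) under $2 and print the number of certificates written.
split_pem_bundle() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/chain-" n ".pem" }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
        END { print n + 0 }
    ' "$bundle"
}

# True when the certificate carries basicConstraints CA:TRUE, i.e. it is a
# root or intermediate CA certificate (what the steps above ask you to import).
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
}

# Print subject/issuer/expiry for every split certificate and import the CA
# ones with importCert.sh, which expects an absolute path. Run this with the
# PAM360 server stopped and restart it afterwards, as in the steps above.
import_ca_chain() {
    absdir=$(cd "$1" && pwd)
    for cert in "$absdir"/chain-*.pem; do
        [ -f "$cert" ] || continue
        echo "== $cert"
        openssl x509 -in "$cert" -noout -subject -issuer -enddate
        if is_ca_cert "$cert"; then
            (cd "$PAM360_SERVER_HOME/bin" && sh ./importCert.sh "$cert")
        else
            echo "   skipped: leaf (server) certificate, not a CA"
        fi
    done
}

# Usage: split_pem_bundle ./dbserver-chain.pem ./chain && import_ca_chain ./chain
```

    Checking the printed expiry dates before importing is worthwhile, since an expired intermediate in the store will make SSL-mode discovery fail later with an unhelpful handshake error.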

    3.3 Discover Privileged Accounts of Individual Resources

    Privileged Account Discovery can be initiated from four places in the PAM360 UI:

    1. In the Resources tab, upon clicking a resource, you will see the Discover Accounts button. You can use this option whenever you want to discover new accounts added under that particular resource.
    2. You can also use the Discover Accounts option to discover accounts that are part of multiple resources. Select multiple resources using the checkboxes and click on this option to discover the accounts that are part of all the selected resources.
    3. In the Groups tab, select Discover Accounts from the Bulk Configuration dropdown. You can select multiple resource groups and use this option to discover the accounts that are part of all the selected resource groups.
    4. In the Resource Groups tab, select Periodic Account Discovery from the Actions dropdown. Using this, you can create a scheduled task to periodically discover the accounts that are part of the resources belonging to the resource group.

    3.4 Automated Periodic Discovery of Privileged Accounts

    You can automatically discover the privileged accounts of the resources at periodic intervals. This can be configured at the resource group level. The accounts discovered through this method will be added automatically.

    1. Navigate to the Groups tab.
    2. Click the Actions icon against the resource group and select Periodic Account Discovery from the dropdown.
    3. Choose one of the following schedule options:

       Once: Now or Later.
       Days: Perform on a specific day repeatedly starting from a particular date and time (maximum number of days allowed is 999).
       Monthly: On a particular day and time every month.
       Never: To stop the schedule.

    4. PAM360 also provides you with an option to notify the existing PAM360 users or the specified email IDs once the account discovery process is completed.
    5. The scheduled account discovery process will be reflected in the audit trails for security purposes.
    6. Click on the Schedule button.

    3.5 PAM360 MSP Edition

    The discovery option for a client organization can be enabled from the Admin tab as follows:

      1. Navigate to Admin >> Settings >> General Settings.
      2. In the UI that opens, select User Management from the options on the left-hand side.
      3. Select the checkbox Enable Discovery in client organization.
      4. Click Save.

    After discovering the accounts, it is recommended to randomize the passwords of the newly discovered accounts.

    Note: You can also discover the privileged accounts in the agent mode.

    3.6 Randomize Passwords Post Discovery

    After discovering accounts, it is recommended to reset the passwords of the newly discovered accounts. When accounts are discovered, PAM360 can only fetch the user account name; it cannot fetch the actual password. However, PAM360 is capable of randomizing the passwords upon discovery according to the password policy. The new passwords will then be stored in PAM360.

    To randomize passwords after discovery,

    1. Navigate to the Resources tab.
    2. Select the resource(s) whose passwords are to be reset, click the Resource Actions button and select Discover Accounts from the dropdown.
    3. In the dialog box that opens, select the checkbox Randomize passwords after discovery.
    4. You can send a notification about the randomization to the password owners, and optionally to other users and specific email IDs.
    5. Click Save.