RE: Admin password management

["Valentin Fernandez Bolland" <vfernandez () juvaca com mx>]

There were a great solution under password synchronization approach, M-Tech with P-Synch which was bought by HDS a 
couple years ago...

Under it you may manage almost any OS and service!

For sure HDS has continued R&D and they should have a great solution for Identity Management and Password Management...

Valentín Fernández Bolland

 Antes de imprimir este mensaje, piensa dos veces si es necesario que gastes una hoja de papel.
      Before printing this message, please be sure it is necessary.

-----Mensaje original-----
De: listbounce () securityfocus com [mailto:listbounce () securityfocus com] En nombre de Zhihao Tan
Enviado el: jueves, 21 de mayo de 2009 11:19 p.m.
Para: security-basics () securityfocus com
Asunto: Re: Admin password management

We use Cyberark for previleged identity management..it has got
features like session recording so you can actually playback what a
user does in the server after being given administrative rights. A
very solid solution but price is a little on the high side.

2009/5/22  <grady () sharkbelly org>:
> I have used a product called SecretServer from Thycotic. http://www.thycotic.com/  It is not open source but is quite 
> inexpensive for most IT budgets and meets all of your requirements.  We use SSL for the connection and the Database 
> is AES encrypted so it is quite secure and can be configured with RBAC as well as One Time passwords for login to the 
> system.  We have gone so far as to integrate it with Apache and RSA authentication to access the website.  We have 
> been very pleased with the product and the response to change requests and feature enhancements as well.
>
> Grady
>
>
> > -----Original Message-----
> > From: Cisternas Marquez, Gonzalo [mailto:gcisternas () cientec com]
> > Sent: Wednesday, May 20, 2009 02:58 PM
> > To: 'mamo', security-basics () securityfocus com
> > Subject: RE: Admin password management
> >
> > Maybe you can consider Onet Time Pasword?
> >
> > Or any other centralized scheme for several servers passowrd management.
> >
> >
> > Atte.
> >
> > G.C.
> >
> > +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
> > |                         _   |
> > | Campaña de cinta Ascii ( )  |
> > |   - contra el correo    X   |
> > |                HTML    / \  |
> > |                             |
> > +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
> >
> >
> >
> > -----Mensaje original-----
> > De: listbounce () securityfocus com [mailto:listbounce () securityfocus com] En nombre de mamo
> > Enviado el: Miércoles, 20 de Mayo de 2009 8:48
> > Para: security-basics () securityfocus com
> > Asunto: Admin password management
> >
> > Hi all.
> >
> > I am responsible for the security of a small ISP. I need to manage the
> > admin password of all the machine of the ISP (around 200 system mainly
> > with linux, windows and solaris OS).
> > By admin user I mean stuff like root, oracle, Oracle sys, MSsql SA,
> > Bea admin password etc. We have a policy that require users to
> > authenticate with nominal username/password (and sudo on UN*X) but
> > there are situations where accessing with admin password is required,
> > but it is not acceptable to share the password with all the group that
> > work on IT Assurance activity.
> >
> > I would like to have a product that:
> > - Log who take what password
> > - Log who change the password
> > - Permit to generate a new random password
> > - Have a "decent" security
> > - Permit to profile who can see what password (it is not mandatory)
> > - Permit to add a note to the activity (why the users had the need to
> > take the admin password)
> >
> > I am looking for a product that will be used by around 50-100 people
> > that manage the ISP (not like keepass or password safe where the user
> > has the encrypted db with all the password on the PC).
> > I would appreciate to be able to do this activity with Open Source
> > product, but I can evaluate also commercial product.
> >
> > Do you have any experience to share of product that match may description?
> >
> > Thank you.
> > Mamo
> >
> > ------------------------------------------------------------------------
> > This list is sponsored by: InfoSec Institute
> >
> > Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most 
> > concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. 
> > Gain a laser like insight into what is covered on the exam, with zero fluff!
> >
> > http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
> > ------------------------------------------------------------------------
> >
> >
> > ------------------------------------------------------------------------
> > This list is sponsored by: InfoSec Institute
> >
> > Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most 
> > concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. 
> > Gain a laser like insight into what is covered on the exam, with zero fluff!
> >
> > http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
> > ------------------------------------------------------------------------
>
>
>
> ------------------------------------------------------------------------
> This list is sponsored by: InfoSec Institute
>
> Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most 
> concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. 
> Gain a laser like insight into what is covered on the exam, with zero fluff!
>
> http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
> ------------------------------------------------------------------------



-- 
./Zhihao

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most 
concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. Gain 
a laser like insight into what is covered on the exam, with zero fluff! 

http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
------------------------------------------------------------------------




------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most 
concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. Gain 
a laser like insight into what is covered on the exam, with zero fluff!

http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
------------------------------------------------------------------------