Security Basics mailing list archives
RE: Admin password management
From: "Valentin Fernandez Bolland" <vfernandez () juvaca com mx>
Date: Fri, 22 May 2009 10:07:45 -0500
There was a great solution under the password synchronization approach, M-Tech with P-Synch, which was bought by HDS a couple of years ago... Under it you may manage almost any OS and service! For sure HDS has continued R&D and they should have a great solution for Identity Management and Password Management...

Valentín Fernández Bolland

Before printing this message, think twice about whether you need to use a sheet of paper.
Before printing this message, please be sure it is necessary.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On behalf of Zhihao Tan
Sent: Thursday, May 21, 2009 11:19 p.m.
To: security-basics () securityfocus com
Subject: Re: Admin password management

We use Cyberark for privileged identity management. It has got features like session recording so you can actually play back what a user does in the server after being given administrative rights. A very solid solution but price is a little on the high side.

2009/5/22 <grady () sharkbelly org>:
I have used a product called SecretServer from Thycotic. http://www.thycotic.com/

It is not open source but is quite inexpensive for most IT budgets and meets all of your requirements. We use SSL for the connection and the database is AES encrypted, so it is quite secure and can be configured with RBAC as well as One Time passwords for login to the system. We have gone so far as to integrate it with Apache and RSA authentication to access the website. We have been very pleased with the product and the response to change requests and feature enhancements as well.

Grady

-----Original Message-----
From: Cisternas Marquez, Gonzalo [mailto:gcisternas () cientec com]
Sent: Wednesday, May 20, 2009 02:58 PM
To: 'mamo', security-basics () securityfocus com
Subject: RE: Admin password management

Maybe you can consider One Time Password? Or any other centralized scheme for several servers password management.

Regards,
G.C.

+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
|                          _  |
| ASCII ribbon campaign   ( ) |
|  - against HTML          X  |
|    mail                 / \ |
|                             |
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On behalf of mamo
Sent: Wednesday, May 20, 2009 8:48
To: security-basics () securityfocus com
Subject: Admin password management

Hi all.

I am responsible for the security of a small ISP. I need to manage the admin passwords of all the machines of the ISP (around 200 systems, mainly with Linux, Windows and Solaris OS). By admin user I mean stuff like root, oracle, Oracle sys, MSsql SA, Bea admin password etc. We have a policy that requires users to authenticate with nominal username/password (and sudo on UN*X) but there are situations where accessing with admin password is required, but it is not acceptable to share the password with all the group that work on IT Assurance activity.
I would like to have a product that:
- Logs who takes what password
- Logs who changes the password
- Permits generating a new random password
- Has "decent" security
- Permits profiling who can see what password (it is not mandatory)
- Permits adding a note to the activity (why the user had the need to take the admin password)

I am looking for a product that will be used by around 50-100 people that manage the ISP (not like keepass or password safe where the user has the encrypted db with all the passwords on the PC). I would appreciate being able to do this activity with an Open Source product, but I can also evaluate commercial products.

Do you have any experience to share of products that match my description?

Thank you.
Mamo

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. Gain a laser like insight into what is covered on the exam, with zero fluff!

http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
------------------------------------------------------------------------
--
./Zhihao
Current thread:
- Admin password management mamo (May 20)
- RE: Admin password management Cornwell, Kay (NIH/NIGMS) [E] (May 21)
- RE: Admin password management Cisternas Marquez, Gonzalo (May 21)
- Re: Admin password management Aarón Mizrachi (May 21)
- <Possible follow-ups>
- Re: Admin password management grady (May 21)
- Re: Admin password management Zhihao Tan (May 22)
- RE: Admin password management Valentin Fernandez Bolland (May 22)
- Re: Admin password management Zhihao Tan (May 22)