TPAM 
Quest One Privileged Password Management
Introduction
- Privileged Password Manager automates, controls and secures the entire process of granting administrators the credentials necessary to perform their duties. Privileged Password Manager is deployed on a secure, hardened appliance.
- Privileged Password Manager ensures that when administrators require elevated access (typically through shared credentials, such as the Unix root password), that access is granted according to established policy, with appropriate approvals; that all actions are fully audited and tracked; and that the password is changed immediately upon its return.
- The Privileged Appliance and Modules (TPAM) suite from Dell Software delivers privileged identity management and privileged access control. The TPAM suite includes two integrated modules:
  - Privileged Password Manager (PPM) – Enables secure storage, release control and change control of privileged passwords across a heterogeneous deployment of systems and applications, including passwords that are hardcoded in scripts, procedures and programs.
  - Privileged Session Manager (PSM) – Enables you to issue privileged access for a specific period or session to administrators, remote vendors and high-risk users, with full recording and replay for auditing and compliance.
Features
- Release control – Manages password requests from authorized users, programs and scripts for the accounts they are entitled to access, via a secure Web browser connection with support for mobile devices. A password request can be automatically approved or require any level of manual approvals.
- Change control – Supports configurable, granular change control of shared credentials, including time-based, last-use-based, and manual or forced change.
- Auto discovery of:
  - Accounts and systems – Instantly discovers new accounts and systems, and then either sends notifications about them to specified users or automatically enrolls them in management.
  - Users – Automatically provisions users and maps permissions using your organization’s existing LDAP or Active Directory environment.
- Application password support – Replaces hardcoded passwords in scripts, procedures and other programs. Application password management capabilities include:
  - Programmatic access – Includes both a command-line interface (CLI) and an application programming interface (API) with access for C++, Java, .NET and Perl. Connectivity is via SSH with DSS key exchange.
  - Role-based access – Supports role-based access for the CLI and API. You add a “programmatic” user with either “basic” access or “admin” access. Basic access enables the CLI or API to request account passwords and be granted access for authorized targets or accounts; this is appropriate, for example, for a “Requestor.” Admin access enables the CLI or API to perform administrative tasks.
  - Optimal performance – Natively executes approximately 100 call requests per minute. For applications requiring higher performance, the appliance supports an optional cache that supports more than 1,000 password requests a second, satisfying the requirements of your most demanding applications.
  - Extensive command set – Includes a comprehensive set of commands that can be executed via the CLI or API. Beyond simple “Get Password” commands, the solution supports extensive admin-level commands to provide tight integration with existing enterprise tools and workflows.
- Enterprise-ready integration – Integrates with existing directories, ticketing systems and user authentication sources, including Active Directory and LDAP. It also fully supports two-factor authentication through Defender® or other third-party two-factor authentication products. A robust CLI/API supports end-to-end integration with existing workflows and tools, including reviewer notification and escalation workflows.
- Secure appliance – Lacks a console port or console-level interface; the appliance can only be accessed via a secure, role-based Web interface that provides protection from host admin attacks, as well as OS, database or other system-level modifications. The appliance also has an internal firewall that protects against external network-based attacks and provides additional auditing capabilities.
- Scalable appliance – Provides secure, enterprise-ready access and management of shared credentials for more than 250,000 accounts at once.
- Secure password storage – Encrypts all passwords stored in Privileged Password Management using AES-256 encryption. In addition, the appliance itself also includes full disk encryption using BitLocker™ Drive Encryption.
- Robust target support – Manages shared credentials on the widest range of target servers, network devices and applications.
- Handheld device support – Supports password request, approval and retrieval via handheld devices, which is configurable on a per-user basis.
- Automated privileged governance – Take the hassle out of governing privileged users by automating the process for certifying and approving that only users who need access can request and gain access to privileged credentials. Users can request, provision and attest to privileged and general user access within the same console when you integrate Identity Manager (D1IM) with Privileged Password Manager.
Distributed Processing Appliances (DPAs)
- You have the option to purchase Distributed Processing Appliances (DPAs) to increase the number of concurrent PSM sessions that can be run.
- Each additional DPA supports up to 150 additional concurrent sessions.
- PSM performs simplistic load balancing by sending the next session record or replay request to the active DPA with the most available sessions remaining.
- With DPA v3.0+ you can now assign a DPA to a system to optimize password checking and changing. At the system level (on the Affinity tab) you can assign the DPA that should perform password checking and changing for all the accounts on that system.
High Availability Cluster
- High availability clustering is an option for customers to support TPAM with a minimum of downtime and eliminate a single point of failure. Each appliance is configured with a cluster role.
- The cluster role choices are:
  - Primary – Acts as the information source for the cluster. Only one primary is allowed per cluster.
  - Replica – Redundant appliance that is kept in sync with the primary. Can be configured to automatically fail over if it loses contact with the primary.
  - Standalone – This role only applies to DPAs enrolled in the cluster and cannot be changed.
Archive Servers
- Archive servers provide an external storage location for logs and offline backup files from TPAM.
Logs
- The Logs menu lets the System Administrator view many logs with critical information about the appliance. All logs can be exported to an Excel or CSV file.
- Logs available:
  - Sys-Admin Activity Log
  - Security Log
  - Firewall Log
  - Database Log
  - Alerts Log
  - Proc Log
  - Archive Log
  - SysLog
Reason Codes
- Reason codes can be configured for requestors and ISAs to use when making a file, password or session request. To enable reason codes, make sure that the reason code global settings have been set to Optional or Required.
Global Settings
- Global settings are used to maintain many key controls and parameters in TPAM. The number displayed in the Setting column represents the value set for the Option Name.
Password Rules
- Password construction rules for managed systems are system and account specific. Two managed accounts on the same system can have different password rules assigned. If a system and account have different password rules, the password rule assigned at the account level takes precedence.
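The precedence rule above (account-level rule wins over system-level rule) is easy to get wrong when several components generate or verify passwords, so it helps to see it resolved in code and then enforced. The following is an added example, not TPAM code; the rule fields (minimum length and per-class counts), the CSPRNG-based generator and the two sample rules are this example's assumptions about what a password rule contains.

```python
"""Password-rule precedence as the slide states it: rules are assigned per system
and per account, and an account-level rule overrides the system-level one. This is
an added example, not TPAM code; the rule fields (minimum length and character
class counts) and the generator are assumptions about what such a rule contains."""
import secrets
import string
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PasswordRule:
    name: str
    min_length: int = 12
    min_upper: int = 1
    min_lower: int = 1
    min_digits: int = 1
    min_symbols: int = 0
    symbols: str = "!@#$%^&*"

    def violations(self, password: str) -> List[str]:
        """Return the rule clauses the password fails (an empty list means it complies)."""
        counts = {
            "upper": sum(c in string.ascii_uppercase for c in password),
            "lower": sum(c in string.ascii_lowercase for c in password),
            "digits": sum(c in string.digits for c in password),
            "symbols": sum(c in self.symbols for c in password),
        }
        failed = []
        if len(password) < self.min_length:
            failed.append(f"length {len(password)} < {self.min_length}")
        for cls, need in (("upper", self.min_upper), ("lower", self.min_lower),
                          ("digits", self.min_digits), ("symbols", self.min_symbols)):
            if counts[cls] < need:
                failed.append(f"{cls} {counts[cls]} < {need}")
        return failed

    def generate(self) -> str:
        """Build a password satisfying the rule from a CSPRNG (secrets), then shuffle
        so the mandatory characters do not sit in a predictable position."""
        pools = [
            (string.ascii_uppercase, self.min_upper),
            (string.ascii_lowercase, self.min_lower),
            (string.digits, self.min_digits),
            (self.symbols, self.min_symbols),
        ]
        chars = [secrets.choice(pool) for pool, n in pools for _ in range(n)]
        alphabet = "".join(pool for pool, _ in pools if pool)
        while len(chars) < self.min_length:
            chars.append(secrets.choice(alphabet))
        secrets.SystemRandom().shuffle(chars)  # CSPRNG-backed shuffle
        return "".join(chars)


def effective_rule(system_rule: PasswordRule, account_rule: Optional[PasswordRule]) -> PasswordRule:
    """The account-level rule takes precedence when one is assigned; otherwise the
    system-level rule applies."""
    return account_rule if account_rule is not None else system_rule


# Constructed sample rules: a lenient system default and a stricter account rule.
SYSTEM_RULE = PasswordRule("system-default", min_length=12, min_symbols=0)
ACCOUNT_RULE = PasswordRule("root-strict", min_length=20, min_digits=2, min_symbols=2)

if __name__ == "__main__":
    rule = effective_rule(SYSTEM_RULE, ACCOUNT_RULE)
    candidate = rule.generate()
    print(rule.name, len(candidate), rule.violations(candidate))
```

Note that a password acceptable under the system rule ("Abc12345abcdefghijkl", say) fails the stricter account rule on symbols; checking against the resolved rule rather than the system rule is the point of the precedence.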
Email Configuration
- TPAM uses mail (SMTP) to provide notifications to approvers, requestors, reviewers, system contacts and account contacts, as well as providing error alerting for defined administrators.
Date and Time Configuration
- The server time of the appliance is based on coordinated universal time (UTC). The UTC time zone never undergoes transitions between standard and daylight saving time.
Keys and Certificates
- The SSH private key is stored on TPAM and is used to make secure connections to remote managed systems. The remote systems have the public key of the key pair. Dell Software provides an initial key pair for these connections when TPAM is shipped. It is common (and recommended) that these keys eventually be replaced. This ensures that no one, not even Dell Software, has the private key.
Automation Engine
- The automation engine is the heart of TPAM. This portion of the TPAM architecture is where password management on remote systems is configured and scheduled. Once the automation engine is running, several different agents can be enabled on the engine to perform privileged password management functions. Logs provide a record of agent activities and messages of success or failure.
Agents
- The agents in TPAM execute scheduled tasks for different functions on a regular basis.
- Agents:
  - Daily Maintenance Agent
  - Auto Discovery Agent
  - Post-Session Processing Agent
  - SSH Daemon
Backups
- Considering the value of the information stored in TPAM, the backup engine is an integral part of TPAM. Backups can be configured to run automatically and be moved securely to offline storage.
- The backup is always encrypted, so the backup can be maintained without the risk of exposing sensitive data.
Alerts
- The alerts in TPAM allow you to receive notification via email or SNMP for over eighty different errors or status notifications.
External Authentication
- TPAM supports several different methods of external authentication:
  - Certificate Based Authentication
  - SafeWord
  - RSA SecurID
  - LDAP
  - Windows Active Directory
  - RADIUS
  - Quest Defender
Ticket Systems
- Ticket systems are configured so that TPAM will validate ticket numbers and other information about the request that are entered at the time the password, file, or session request is submitted. If a password, file, or session is requested that requires a ticket number, the number is passed to the indicated ticket system for a “yes/no” answer. The validation may be as simple as “they entered a number and that’s all we need” or as involved as “not only must the ticket number exist in the ticket system but the data returned must match the user’s name, request, requested account, system, dates, and so on.” More than one ticket system can be configured.
- If a password, file, or session request fails the validation rules that have been configured, the request is immediately canceled and the requestor has the option to try again.
- To set up ticket systems you must complete the following steps:
  - Configure the ticket system in the /admin interface.
  - Assign the ticket system to systems, accounts and files in the /tpam interface.
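The two validation strengths described above (a ticket number merely has to exist, or its fields must match the requester, account, system and dates) and the fail-closed handling of a mismatch can be written out as a small validator. This is an added example, not TPAM code or any real ticket system's API; the ticket store, the field names, the two strictness levels and the assignment table are this example's assumptions, and the tickets are constructed sample data.

```python
"""Ticket-system validation as the slide describes it: a request carrying a
ticket number is passed to the ticket system assigned to its target for a yes/no
answer, and the check can range from 'a number was entered and exists' to 'the
ticket's fields must match the request'. Added example, not TPAM code; the ticket
store, field names, strictness levels and assignment table are assumptions."""
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Dict, Tuple


class Strictness(Enum):
    EXISTS = "exists"        # ticket number must be present in the ticket system
    MATCH_FIELDS = "match"   # ticket must also match requester, account, system and date window


@dataclass(frozen=True)
class Ticket:
    number: str
    requester: str
    account: str
    system: str
    valid_from: date
    valid_to: date


@dataclass(frozen=True)
class AccessRequest:
    ticket_number: str
    requester: str
    account: str
    system: str
    requested_on: date


@dataclass
class TicketSystem:
    """A constructed stand-in for the external ticket system TPAM would query."""
    name: str
    strictness: Strictness
    tickets: Dict[str, Ticket] = field(default_factory=dict)

    def validate(self, req: AccessRequest) -> Tuple[bool, str]:
        """Return (accepted, reason). Any mismatch fails closed, matching the slide:
        a request that fails the configured rules is canceled."""
        if not req.ticket_number.strip():
            return False, "no ticket number supplied"
        ticket = self.tickets.get(req.ticket_number)
        if ticket is None:
            return False, f"ticket {req.ticket_number} not found in {self.name}"
        if self.strictness is Strictness.EXISTS:
            return True, "ticket exists"
        # MATCH_FIELDS: compare every field the ticket system returns with the request.
        mismatches = []
        if ticket.requester.lower() != req.requester.lower():
            mismatches.append("requester")
        if ticket.account.lower() != req.account.lower():
            mismatches.append("account")
        if ticket.system.lower() != req.system.lower():
            mismatches.append("system")
        if not (ticket.valid_from <= req.requested_on <= ticket.valid_to):
            mismatches.append("date")
        if mismatches:
            return False, "ticket does not match request: " + ", ".join(mismatches)
        return True, "ticket matches request"


def validate_request(req: AccessRequest, ticket_systems: Dict[str, TicketSystem],
                     assignments: Dict[str, str]) -> Tuple[bool, str]:
    """Find the ticket system assigned to the target system (assignment to accounts
    and files works the same way) and return its yes/no answer. A target with no
    assignment requires no ticket (an assumption of this example)."""
    name = assignments.get(req.system)
    if name is None:
        return True, "no ticket system assigned to this target"
    return ticket_systems[name].validate(req)


# Constructed sample data: one ticket, two ticket systems, two targets.
SAMPLE_TICKETS = {
    "CHG-1001": Ticket("CHG-1001", "alice", "root", "db01", date(2024, 5, 1), date(2024, 5, 3)),
}
SYSTEMS = {
    "helpdesk": TicketSystem("helpdesk", Strictness.EXISTS, dict(SAMPLE_TICKETS)),
    "change-mgmt": TicketSystem("change-mgmt", Strictness.MATCH_FIELDS, dict(SAMPLE_TICKETS)),
}
ASSIGNMENTS = {"db01": "change-mgmt", "web01": "helpdesk"}

OK_REQ = AccessRequest("CHG-1001", "alice", "root", "db01", date(2024, 5, 2))
BAD_REQ = AccessRequest("CHG-1001", "bob", "root", "db01", date(2024, 5, 9))
LOOSE_REQ = AccessRequest("CHG-1001", "bob", "root", "web01", date(2024, 5, 9))
NO_TICKET_REQ = AccessRequest("", "alice", "root", "db01", date(2024, 5, 2))

if __name__ == "__main__":
    for req in (OK_REQ, BAD_REQ, LOOSE_REQ, NO_TICKET_REQ):
        print(req.system, req.ticket_number or "<none>", validate_request(req, SYSTEMS, ASSIGNMENTS))
```

The same ticket is accepted by the helpdesk system (existence only) and rejected by change management (requester and date do not match), which is exactly the difference between the two validation styles the slide describes.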
Custom Logo
- Customers have the ability to upload a custom logo that will be displayed in the header of the TPAM web interface.
- In order to be uploaded as a custom logo the file must meet the following requirements:
  - JPEG, PNG, GIF or BMP file format
  - GIF files must be static, no animation allowed
  - Maximum size of 30KB
  - Image dimensions must be between 10H x 10W and 47H x 120W pixels
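The logo requirements above are a compact upload policy: allowed formats, a size cap, a dimension window, and a "no animated GIF" rule. A defender checking an upload should derive all of these from the file's own headers rather than from the filename or the declared content type. The following is an added example, not TPAM's upload code; the helper names are this example's own, and the sample images it builds are constructed headers with placeholder pixel data.

```python
"""Checking a custom-logo upload against the rules on the slide: JPEG, PNG, GIF or
BMP; a GIF must be static; at most 30 KB; height 10..47 and width 10..120 pixels.
The checks read the file's own headers rather than trusting the filename or a
declared content type. Added example, not TPAM code: helper names and the
constructed sample images are this example's own."""
import struct

MAX_BYTES = 30 * 1024
MIN_H, MAX_H = 10, 47
MIN_W, MAX_W = 10, 120


def _png_size(data):
    # PNG signature, then the IHDR chunk whose body (width, height, big-endian) starts at byte 16.
    if len(data) < 24 or data[:8] != b"\x89PNG\r\n\x1a\n" or data[12:16] != b"IHDR":
        return None
    return struct.unpack(">II", data[16:24])


def _bmp_size(data):
    if len(data) < 26 or data[:2] != b"BM":
        return None
    w, h = struct.unpack("<ii", data[18:26])
    return w, abs(h)  # a negative height means top-down rows; the size is still |h|


def _jpeg_size(data):
    if data[:2] != b"\xff\xd8":
        return None
    i = 2
    while i + 9 <= len(data) and data[i] == 0xFF:
        marker = data[i + 1]
        # SOFn markers (C0..CF except C4, C8, CC) carry the frame height and width.
        if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):
            h, w = struct.unpack(">HH", data[i + 5:i + 9])
            return w, h
        i += 2 + struct.unpack(">H", data[i + 2:i + 4])[0]
    return None


def _gif_info(data):
    """Return (width, height, frame_count) by walking the GIF block structure."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    w, h = struct.unpack("<HH", data[6:10])
    i, frames = 13, 0
    if data[10] & 0x80:                       # global colour table present
        i += 3 * (2 << (data[10] & 0x07))
    while i < len(data) and data[i] != 0x3B:  # 0x3B is the trailer
        if data[i] == 0x2C:                   # image descriptor: one per frame
            frames += 1
            local = data[i + 9]
            i += 10 + (3 * (2 << (local & 0x07)) if local & 0x80 else 0) + 1
        elif data[i] == 0x21:                 # extension: label byte, then sub-blocks
            i += 2
        else:
            return None
        while i < len(data) and data[i] != 0:  # skip data sub-blocks
            i += 1 + data[i]
        i += 1                                # block terminator
    return w, h, frames


def validate_logo(data):
    """Return (ok, reason); every rule from the slide is checked and the first failure wins."""
    if len(data) > MAX_BYTES:
        return False, f"file is {len(data)} bytes, limit is {MAX_BYTES}"
    size = _png_size(data) or _bmp_size(data) or _jpeg_size(data)
    if size is None:
        gif = _gif_info(data)
        if gif is None:
            return False, "not a JPEG, PNG, GIF or BMP file"
        w, h, frames = gif
        if frames != 1:
            return False, f"GIF must be static, found {frames} frames"
        size = (w, h)
    w, h = size
    if not (MIN_H <= h <= MAX_H and MIN_W <= w <= MAX_W):
        return False, f"{h}H x {w}W is outside {MIN_H}H x {MIN_W}W .. {MAX_H}H x {MAX_W}W"
    return True, f"ok: {h}H x {w}W"


# Constructed sample files: valid headers with placeholder pixel data, enough for the checks above.
def make_png(w, h):
    return b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR" + struct.pack(">II", w, h) + b"\x08\x02\x00\x00\x00"


def make_bmp(w, h):
    return b"BM" + b"\x00" * 16 + struct.pack("<ii", w, h) + b"\x00" * 4


def make_jpeg(w, h):
    sof0 = b"\xff\xc0" + struct.pack(">H", 11) + b"\x08" + struct.pack(">HH", h, w) + b"\x01\x01\x11\x00"
    return b"\xff\xd8" + sof0 + b"\xff\xd9"


def make_gif(w, h, frames):
    header = b"GIF89a" + struct.pack("<HH", w, h) + b"\x00\x00\x00"  # no global colour table
    frame = b"\x2c" + struct.pack("<HHHH", 0, 0, w, h) + b"\x00" + b"\x02" + b"\x01\x00" + b"\x00"
    return header + frame * frames + b"\x3b"
```

The GIF walker counts image descriptors rather than looking for an animation extension, so a multi-frame file without the usual NETSCAPE loop block is still rejected; the size check runs first so an oversized file is never parsed at all.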
License Management
- When initially configuring your TPAM appliance you need to update the license quantities that were purchased. This is also needed if additional licenses are purchased at a later date.
Login Banner and Message of the Day
- The login banner and message of the day are two ways that TPAM system administrators can post information for users that log on to TPAM.
- They can be customized to display any text, such as a company policy or legal warning message.
- Message of the day is a brief text message that will appear on the home page of the /tpam, /admin, and /config interfaces.
- The message of the day can also be added as an optional message body tag in the email notifications sent by TPAM.
Net Tools
- To assist the TPAM System Administrator with troubleshooting common network related problems, TPAM contains network tools that are accessible from the configuration interface. In addition, some specialized configurations can be made to add or manage static routes.
- Net Tools:
  - The Ping Utility
  - Nslookup Utility
  - TraceRoute Utility
  - Telnet Test Utility
  - Route Table Management
System Status Page and O/S Patch Status Page
- The O/S patch status page and the system status page provide important information about the patch level of the TPAM appliance.
Software Updates
- Product patches are not always cumulative. This means that some product patches must be applied to the system in order and none can be skipped. The release notes for each product update list the prerequisite version of TPAM required before the update can be applied to the appliance.
- To apply a patch to TPAM perform the following steps:
  - Check the current version of TPAM
  - Take a backup (On Demand BackUp)
  - Download the patch from the Customer Portal
  - Stop any applicable agents
  - Apply the Patch
  - Check the Patch Log for errors
  - Restart any applicable agents
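Because patches are not always cumulative, the first step of the procedure above (check the current version) has to be compared against each patch's prerequisite version before anything is applied. The following is an added example, not TPAM tooling: it walks from the installed version through the prerequisite chain to the target and refuses plans with a gap, an ambiguous step or an overshoot. The version numbers and patch names are constructed placeholders, not real TPAM releases; only the TPAM_OS prefix follows the convention the deck gives.

```python
"""Ordering non-cumulative patches: the release notes for each update name the
TPAM version it requires, so patches must be applied in sequence with none
skipped. This added example (not TPAM code) walks from the installed version
through that prerequisite chain to the target, applying any hotfixes that sit on
a version before moving past it. Version strings and patch names below are
constructed placeholders, not real TPAM releases."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_version(text: str) -> tuple:
    """'2.5.917' -> (2, 5, 917): compare numerically, never as strings."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass(frozen=True)
class Patch:
    name: str
    kind: str          # hotfix | feature pack | upgrade | os patch | documentation
    requires: str      # version the release notes list as prerequisite
    results_in: str    # version after applying; a hotfix leaves it unchanged


def plan_patches(installed: str, target: str, available: List[Patch]) -> List[Patch]:
    """Return the patches, in order, that take `installed` to `target`.
    Raises ValueError on a gap (a step would have to be skipped), an ambiguous
    step (two version-changing patches require the same version), or a step that
    would overshoot the target."""
    if parse_version(target) < parse_version(installed):
        raise ValueError(f"target {target} is older than installed {installed}")
    cur, plan = installed, []
    while parse_version(cur) < parse_version(target):
        at_cur = [p for p in available if p.requires == cur]
        hotfixes = sorted((p for p in at_cur if p.results_in == cur), key=lambda p: p.name)
        steps = [p for p in at_cur if parse_version(p.results_in) > parse_version(cur)]
        if not steps:
            raise ValueError(f"no available patch lists {cur} as prerequisite; {target} unreachable")
        if len(steps) > 1:
            raise ValueError(f"ambiguous: {[p.name for p in steps]} all require {cur}")
        step = steps[0]
        if parse_version(step.results_in) > parse_version(target):
            raise ValueError(f"{step.name} moves to {step.results_in}, past target {target}")
        plan.extend(hotfixes)   # hotfixes for the current version go on before leaving it
        plan.append(step)
        cur = step.results_in
    return plan


def check_plan(installed: str, target: str, available: List[Patch]) -> Tuple[List[str], Optional[str]]:
    """Convenience wrapper: (ordered patch names, None) or ([], error message)."""
    try:
        return [p.name for p in plan_patches(installed, target, available)], None
    except ValueError as exc:
        return [], str(exc)


# Constructed catalogue; the TPAM_OS prefix follows the naming convention the slide gives.
AVAILABLE = [
    Patch("TPAM_9.0.1_upgrade", "upgrade", "9.0.0", "9.0.1"),
    Patch("TPAM_9.0.1_hotfix2", "hotfix", "9.0.1", "9.0.1"),
    Patch("TPAM_9.0.1_hotfix1", "hotfix", "9.0.1", "9.0.1"),
    Patch("TPAM_9.0.2_featurepack", "feature pack", "9.0.1", "9.0.2"),
    Patch("TPAM_OS_9.0.3", "os patch", "9.0.2", "9.0.3"),
]

if __name__ == "__main__":
    print(check_plan("9.0.0", "9.0.3", AVAILABLE))
    print(check_plan("9.0.0", "9.0.4", AVAILABLE))   # gap: nothing lists 9.0.3 as prerequisite
```

Versions are compared as integer tuples so that, for instance, 2.10.x sorts after 2.2.x; a string comparison would get that wrong and could make a planner skip or misorder a step.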
- Types of Software Updates:
  - Hotfix – A hotfix is a single, cumulative package that includes one or more files that are used to address a problem in the product that cannot wait until the next scheduled upgrade. A hotfix does not increment the software version number.
  - Feature Pack – A feature pack is new product functionality that is distributed outside the context of a product release and is typically included in the next scheduled upgrade. The software version number is changed after an upgrade.
  - Upgrade – An upgrade is a software package that replaces an installed version of TPAM with a newer version of the product. The software version number is changed after an upgrade.
  - OS Patches – Patches for the specific purpose of upgrading the underlying TPAM OS. These patches bear the distinct naming convention beginning with TPAM_OS.
  - Documentation Patch – These patches update the online documentation available under the Help menu in TPAM.
Shut Down/Restart the Appliance
- If the need arises to shut down or restart your appliance, this can be done from the /config or /admin interface.
Restore and Revert
- In the event of a catastrophic failure a System Administrator can restore the data using an offline backup to another appliance.
- Another use for restore is for test environments where customers may be testing an upgrade to a new version of TPAM.
- Applying a restore will stop the automation engine, mail agent, and auto discovery agents. These will not automatically restart when the restore is complete, even if the auto start check boxes were selected prior to the restore.
- Applying the restore will set any non-primary cluster members (replicas, DPAs) to inactive. Once the restore is complete these will have to be manually set to active on the cluster management page.
Remote Access
- Remote access to the /config interface is enabled by default. When enabled, TPAM will allow access to the /config interface through port 8443. To access the /config interface remotely enter https://[IP address]:8443/config.
CLI Commands for the System Administrator
- The TPAM command line interface (CLI) provides a method for authorized system administrators or automated processes to retrieve information from the TPAM system.
- Commands must be passed to TPAM via SSH (secure shell) using an identity key file provided by TPAM.
- A specific CLI system administrator user ID is also required.
- SSH software must be installed on any system before it can be used for TPAM CLI access.
- Commands accept parameters in the style of --OptionName option value (two dashes precede the option name), with the exception of the GetStatus command.
- Existing commands prior to TPAM v2.2.754 still also accept the comma-separated syntax, so existing scripts do not need to be modified unless you wish to take advantage of new parameters that have been added to the command in later versions of TPAM.
- All commands recognize an option of --Help. This expanded help syntax will show all valid options for each command, whether the option is required or optional, and a description of the option and allowed values.
Relocating/Readdressing an Appliance
- If it becomes necessary to relocate and readdress a TPAM primary or replica:
  - Change a Primary’s IP Address
  - Change a Replica’s IP Address
Kiosk Access
- The kiosk should ONLY be accessed if recommended by Technical Support. You will not be able to perform any of these functions without Technical Support providing you the keys needed.
- The functions available on the kiosk are to be used as a last resort before having to return the appliance if an issue cannot be fixed over the phone with Technical Support.
TPAM 
Quest One Privileged Password Management

More Related Content

What's hot

design of leased line network using vmux
 design of leased line network using vmux design of leased line network using vmux
design of leased line network using vmux
Xhitesh Thakur
 

What's hot (20)

GSM ARCHITECTURE
GSM ARCHITECTUREGSM ARCHITECTURE
GSM ARCHITECTURE
 
Introduction to networks CCNAv7 Module-1
Introduction to networks CCNAv7 Module-1Introduction to networks CCNAv7 Module-1
Introduction to networks CCNAv7 Module-1
 
Basics of Optical Network Architecture, PON & GPON
Basics of Optical Network Architecture, PON & GPONBasics of Optical Network Architecture, PON & GPON
Basics of Optical Network Architecture, PON & GPON
 
Network Devices
Network DevicesNetwork Devices
Network Devices
 
Versitron fiber sfp module ppt
Versitron fiber sfp module pptVersitron fiber sfp module ppt
Versitron fiber sfp module ppt
 
MPLS
MPLSMPLS
MPLS
 
design of leased line network using vmux
 design of leased line network using vmux design of leased line network using vmux
design of leased line network using vmux
 
Cellular communication
Cellular communicationCellular communication
Cellular communication
 
Subentting, Supernetting and VLSM presentation
Subentting, Supernetting and VLSM presentationSubentting, Supernetting and VLSM presentation
Subentting, Supernetting and VLSM presentation
 
GPRS(General Packet Radio Service)
GPRS(General Packet Radio Service)GPRS(General Packet Radio Service)
GPRS(General Packet Radio Service)
 
Cisco CCNA- DHCP Server
Cisco CCNA-  DHCP ServerCisco CCNA-  DHCP Server
Cisco CCNA- DHCP Server
 
VLAN Trunking Protocol
VLAN Trunking ProtocolVLAN Trunking Protocol
VLAN Trunking Protocol
 
Hubs vs switches vs routers
Hubs vs switches vs routersHubs vs switches vs routers
Hubs vs switches vs routers
 
Asynchronous Transfer Mode ATM
Asynchronous Transfer Mode  ATMAsynchronous Transfer Mode  ATM
Asynchronous Transfer Mode ATM
 
CCNA PPT
CCNA PPTCCNA PPT
CCNA PPT
 
GPRS
GPRSGPRS
GPRS
 
Juniper Switch Overview
Juniper Switch OverviewJuniper Switch Overview
Juniper Switch Overview
 
Benefits of vlan
Benefits of vlanBenefits of vlan
Benefits of vlan
 
Static Routing
Static RoutingStatic Routing
Static Routing
 
Hot standby router protocol (hsrp) using
Hot standby router protocol (hsrp) usingHot standby router protocol (hsrp) using
Hot standby router protocol (hsrp) using
 

Similar to Dell Quest TPAM Privileged Access Control

Amarjeet_Updated_Resume
Amarjeet_Updated_ResumeAmarjeet_Updated_Resume
Amarjeet_Updated_Resume
Amarjeet Kumar
 
0828 Windows Server 2008 新安全功能探討
0828 Windows Server 2008 新安全功能探討0828 Windows Server 2008 新安全功能探討
0828 Windows Server 2008 新安全功能探討
Timothy Chen
 
Microsoft (Data Protection Solutions)
Microsoft (Data Protection Solutions)Microsoft (Data Protection Solutions)
Microsoft (Data Protection Solutions)
Vinayak Hegde
 
System security by Amin Pathan
System security by Amin PathanSystem security by Amin Pathan
System security by Amin Pathan
aminpathan11
 
3 windowssecurity
3 windowssecurity3 windowssecurity
3 windowssecurity
richarddxd
 

Similar to Dell Quest TPAM Privileged Access Control (20)

Asecurity-guidelines_and_best_practices_for_retail_online_and_business_online
Asecurity-guidelines_and_best_practices_for_retail_online_and_business_onlineAsecurity-guidelines_and_best_practices_for_retail_online_and_business_online
Asecurity-guidelines_and_best_practices_for_retail_online_and_business_online
 
e-DMZ Products Overview
e-DMZ Products Overviewe-DMZ Products Overview
e-DMZ Products Overview
 
Amarjeet_Updated_Resume
Amarjeet_Updated_ResumeAmarjeet_Updated_Resume
Amarjeet_Updated_Resume
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management Program
 
Chapter 09
Chapter 09Chapter 09
Chapter 09
 
"Backoff" Malware: How to Know If You're Infected
"Backoff" Malware: How to Know If You're Infected"Backoff" Malware: How to Know If You're Infected
"Backoff" Malware: How to Know If You're Infected
 
CryptionPro Hdd Flyer English
CryptionPro Hdd Flyer EnglishCryptionPro Hdd Flyer English
CryptionPro Hdd Flyer English
 
HPE - Additional license authorizations - Ala atalla sep2016_5200-0625
HPE - Additional license authorizations - Ala atalla sep2016_5200-0625HPE - Additional license authorizations - Ala atalla sep2016_5200-0625
HPE - Additional license authorizations - Ala atalla sep2016_5200-0625
 
FOISDBA-Ver1.1.pptx
FOISDBA-Ver1.1.pptxFOISDBA-Ver1.1.pptx
FOISDBA-Ver1.1.pptx
 
Windows server hardening 1
Windows server hardening 1Windows server hardening 1
Windows server hardening 1
 
0828 Windows Server 2008 新安全功能探討
0828 Windows Server 2008 新安全功能探討0828 Windows Server 2008 新安全功能探討
0828 Windows Server 2008 新安全功能探討
 
Microsoft (Data Protection Solutions)
Microsoft (Data Protection Solutions)Microsoft (Data Protection Solutions)
Microsoft (Data Protection Solutions)
 
Operations: Security
Operations: SecurityOperations: Security
Operations: Security
 
Operations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your CompanyOperations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your Company
 
Dell Password Manager Introduction
Dell Password Manager IntroductionDell Password Manager Introduction
Dell Password Manager Introduction
 
System security by Amin Pathan
System security by Amin PathanSystem security by Amin Pathan
System security by Amin Pathan
 
A Critical Analysis of Microsoft Data Protection Solutions
A Critical Analysis of Microsoft Data Protection SolutionsA Critical Analysis of Microsoft Data Protection Solutions
A Critical Analysis of Microsoft Data Protection Solutions
 
Haloteq Presentation
Haloteq PresentationHaloteq Presentation
Haloteq Presentation
 
FreeBSD System Administration Using SysAdm
FreeBSD System Administration Using SysAdmFreeBSD System Administration Using SysAdm
FreeBSD System Administration Using SysAdm
 
3 windowssecurity
3 windowssecurity3 windowssecurity
3 windowssecurity
 

More from Aidy Tificate

More from Aidy Tificate (13)

Dell Password Manager Architecture - Components
Dell Password Manager Architecture - ComponentsDell Password Manager Architecture - Components
Dell Password Manager Architecture - Components
 
Identity Manager Opensource OpenIDM Architecture
Identity Manager Opensource OpenIDM ArchitectureIdentity Manager Opensource OpenIDM Architecture
Identity Manager Opensource OpenIDM Architecture
 
Identity Manager OpenSource OpenIDM - introduction
Identity Manager OpenSource OpenIDM - introductionIdentity Manager OpenSource OpenIDM - introduction
Identity Manager OpenSource OpenIDM - introduction
 
IAM Password
IAM PasswordIAM Password
IAM Password
 
IAM Cloud
IAM CloudIAM Cloud
IAM Cloud
 
Cloud introduction
Cloud introductionCloud introduction
Cloud introduction
 
IDM Introduction
IDM IntroductionIDM Introduction
IDM Introduction
 
Directory Introduction
Directory IntroductionDirectory Introduction
Directory Introduction
 
IAM Challenge Questions
IAM Challenge QuestionsIAM Challenge Questions
IAM Challenge Questions
 
IDM Reconciliation
IDM ReconciliationIDM Reconciliation
IDM Reconciliation
 
SSO introduction
SSO introductionSSO introduction
SSO introduction
 
IAM Tools
IAM ToolsIAM Tools
IAM Tools
 
Identity and Access Management Introduction
Identity and Access Management IntroductionIdentity and Access Management Introduction
Identity and Access Management Introduction
 

Recently uploaded

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 

Recently uploaded (20)

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 

Dell Quest TPAM Privileged Access Control

1. TPAM Quest One Privileged Password Management

2. Introduction
  • Privileged Password Manager automates, controls and secures the entire process of granting administrators the credentials necessary to perform their duties. Privileged Password Manager is deployed on a secure, hardened appliance.

3.
  • Privileged Password Manager ensures that when administrators require elevated access (typically through shared credentials, such as the Unix root password), that access is granted according to established policy, with appropriate approvals; that all actions are fully audited and tracked; and that the password is changed immediately upon its return.

4.
  • The Privileged Appliance and Modules (TPAM) suite from Dell Software delivers privileged identity management and privileged access control. The TPAM suite includes two integrated modules:
    • Privileged Password Manager (PPM) – Enables secure storage, release control and change control of privileged passwords across a heterogeneous deployment of systems and applications, including passwords that are hardcoded in scripts, procedures and programs.
    • Privileged Session Manager (PSM) – Enables you to issue privileged access for a specific period or session to administrators, remote vendors and high-risk users, with full recording and replay for auditing and compliance.

5. Features
  • Release control – Manages password requests from authorized users, programs and scripts for the accounts they are entitled to access, via a secure Web browser connection with support for mobile devices. A password request can be automatically approved or require any level of manual approvals.
  • Change control – Supports configurable, granular change control of shared credentials, including time-based, last-use-based, and manual or forced change.

6.
  • Auto discovery of:
    • Accounts and systems – Instantly discovers new accounts and systems, and then either sends notifications about them to specified users or automatically enrolls them in management.
    • Users – Automatically provisions users and maps permissions using your organization's existing LDAP or Active Directory environment.

7. Application password support
  • Replaces hardcoded passwords in scripts, procedures and other programs.
  • Application password management capabilities include:
    • Programmatic access – Includes both a command-line interface (CLI) and an application programming interface (API) with access for C++, Java, .NET and Perl. Connectivity is via SSH with DSS key exchange.
    • Role-based access – Supports role-based access for the CLI and API. You add a "programmatic" user with either "basic" access or "admin" access. Basic access enables the CLI or API to request account passwords and be granted access for authorized targets or accounts; this is appropriate, for example, for a "Requestor." Admin access enables the CLI or API to perform administrative tasks.
    • Optimal performance – Natively executes approximately 100 call requests per minute. For applications requiring higher performance, the appliance supports an optional cache that supports more than 1,000 password requests a second, satisfying the requirements of your most demanding applications.
    • Extensive command set – Includes a comprehensive set of commands that can be executed via the CLI or API. Beyond simple "Get Password" commands, the solution supports extensive admin-level commands to provide tight integration with existing enterprise tools and workflows.

8.
  • Enterprise-ready integration – Integrates with existing directories, ticketing systems and user authentication sources, including Active Directory and LDAP. It also fully supports two-factor authentication through Defender® or other third-party two-factor authentication products. A robust CLI/API supports end-to-end integration with existing workflows and tools, including reviewer notification and escalation workflows.
  • Secure appliance – Lacks a console port or console-level interface; the appliance can only be accessed via a secure, role-based Web interface that provides protection from host admin attacks, as well as OS, database or other system-level modifications. The appliance also has an internal firewall that protects against external network-based attacks and provides additional auditing capabilities.

9.
  • Scalable appliance – Provides secure, enterprise-ready access and management of shared credentials for more than 250,000 accounts at once.
  • Secure password storage – Encrypts all passwords stored in Privileged Password Management using AES 256 encryption. In addition, the appliance itself also includes full disk encryption using BitLocker™ Drive Encryption.
  • Robust target support – Manages shared credentials on the widest range of target servers, network devices and applications.
  • Handheld device support – Supports password request, approval and retrieval via handheld devices, which is configurable on a per-user basis.

10.
  • Automated privileged governance – Takes the hassle out of governing privileged users by automating the process for certifying and approving that only users who need access can request and gain access to privileged credentials. Users can request, provision and attest to privileged and general user access within the same console when you integrate Identity Manager (D1IM) with Privileged Password Manager.

11. Distributed Processing Appliances (DPAs)
  • You have the option to purchase Distributed Processing Appliances (DPAs) to increase the number of concurrent PSM sessions that can be run.
  • Each additional DPA supports up to 150 additional concurrent sessions.
  • PSM performs simple load balancing by sending the next session record or replay request to the active DPA with the most available sessions remaining.
  • With DPA v3.0+ you can now assign a DPA to a system to optimize password checking and changing. At the system level (on the Affinity tab) you can assign the DPA that should perform password checking and changing for all the accounts on that system.

12. High Availability Cluster
  • High availability clustering is an option for customers to support TPAM with a minimum of down time and eliminate a single point of failure. Each appliance is configured with a cluster role.
  • The cluster role choices are:
    • Primary – Acts as the information source for the cluster. Only one primary is allowed per cluster.
    • Replica – A redundant appliance that is kept in sync with the primary. Can be configured to automatically fail over if it loses contact with the primary.
    • Standalone – This role only applies to DPAs enrolled in the cluster and cannot be changed.

13. Archive Servers
  • Archive servers provide an external storage location for logs and offline backup files from TPAM.

14. Logs
  • The Logs menu lets the System Administrator view many logs with critical information about the appliance. All logs can be exported to an Excel or CSV file.
  • Logs available:
    • Sys-Admin Activity Log
    • Security Log
    • Firewall Log
    • Database Log
    • Alerts Log
    • Proc Log
    • Archive Log
    • SysLog Logs

15. Reason Codes
  • Reason codes can be configured for requestors and ISAs to use when making a file, password or session request. To enable reason codes, make sure that the reason code global settings have been set to Optional or Required.

16. Global Settings
  • Global settings are used to maintain many key controls and parameters in TPAM. The number displayed in the Setting column represents the value set for the Option Name.

17. Password Rules
  • Password construction rules for managed systems are system and account specific. Two managed accounts on the same system can have different password rules assigned. If a system and an account have different password rules, the password rule assigned at the account level takes precedence.

18. Email Configuration
  • TPAM uses mail (SMTP) to provide notifications to approvers, requestors, reviewers, system contacts and account contacts, as well as providing error alerting for defined administrators.

19. Date and Time Configuration
  • The server time of the appliance is based on Coordinated Universal Time (UTC). The UTC time zone never undergoes transitions between Standard and Daylight Saving Time.

20. Keys and Certificates
  • The SSH private key is stored on TPAM and is used to make secure connections to remote managed systems. The remote systems have the public key of the key pair. Dell Software provides an initial key pair for these connections when TPAM is shipped. It is common (and recommended) that these keys eventually be replaced. This ensures that no one, not even Dell Software, has the private key.

21. Automation Engine
  • The automation engine is the heart of TPAM. This portion of the TPAM architecture is where password management on remote systems is configured and scheduled. Once the automation engine is running, several different agents can be enabled on the engine to perform privileged password management functions. Logs provide a record of agent activities and messages of success or failure.

22. Agents
  • The agents in TPAM execute scheduled tasks for different functions on a regular basis.
  • Agents:
    • Daily Maintenance Agent
    • Auto Discovery Agent
    • Post-Session Processing Agent
    • SSH Daemon

23. Backups
  • Considering the value of the information stored in TPAM, the backup engine is an integral part of TPAM. Backups can be configured to run automatically and be moved securely to offline storage.
  • The backup is always encrypted, so the backup can be maintained without the risk of exposing sensitive data.

24. Alerts
  • The alerts in TPAM allow you to receive notification via email or SNMP for over eighty different errors or status notifications.

25. External Authentication
  • TPAM supports several different methods of external authentication:
    • Certificate Based Authentication
    • SafeWord
    • RSA SecurID
    • LDAP
    • Windows Active Directory
    • RADIUS
    • Quest Defender

26. Ticket Systems
  • Ticket Systems are configured so that TPAM will validate ticket numbers and other information about the request that are entered at the time the password, file, or session request is submitted. If a password, file, or session is requested that requires a Ticket Number, the number is passed to the indicated ticket system for a "yes/no" answer. The validation may be as simple as "they entered a number and that's all we need" or as involved as "not only must the ticket number exist in the ticket system but the data returned must match the user's name, request, requested account, system, dates, and so on." More than one ticket system can be configured.
  • If a password, file, or session request fails the validation rules that have been configured, the request is immediately canceled and the requestor has the option to try again.
  • To set up ticket systems you must complete the following steps:
    • Configure the ticket system in the /admin interface.
    • Assign the ticket system to systems, accounts and files in the /tpam interface.

27. Custom Logo
  • Customers have the ability to upload a custom logo that will be displayed in the header of the TPAM web interface.
  • In order to be uploaded as a custom logo, the file must meet the following requirements:
    • JPEG, PNG, GIF or BMP file format
    • GIF files must be static; no animation allowed
    • Maximum size of 30KB
    • Image dimensions must be between 10H x 10W and 47H x 120W pixels

28. License Management
  • When initially configuring your TPAM appliance you need to update the license quantities that were purchased. This is also needed if additional licenses are purchased at a later date.

29. Login Banner and Message of the Day
  • The login banner and message of the day are two ways that TPAM system administrators can post information for users that log on to TPAM.
  • They can be customized to display any text, such as a company policy or legal warning message.
  • Message of the day is a brief text message that will appear on the home page of the /tpam, /admin, and /config interfaces.
  • The message of the day can also be added as an optional message body tag in the email notifications sent by TPAM.

30. Net Tools
  • To assist the TPAM System Administrator with troubleshooting common network-related problems, TPAM contains network tools that are accessible from the configuration interface. In addition, some specialized configurations can be made to add or manage static routes.
  • Net Tools:
    • The Ping Utility
    • Nslookup Utility
    • TraceRoute Utility
    • Telnet Test Utility
    • Route Table Management

31. System Status Page and O/S Patch Status Page
  • The O/S patch status page and the system status page provide important information about the patch level of the TPAM appliance.

32. Software Updates
  • Product patches are not always cumulative. This means that some product patches must be applied to the system in order and none can be skipped. The release notes for each product update list the prerequisite version of TPAM required before the update can be applied to the appliance.
  • To apply a patch to TPAM, perform the following steps:
    • Check the current version of TPAM
    • Take a backup (On Demand BackUp)
    • Download the patch from the Customer Portal
    • Stop any applicable agents
    • Apply the patch
    • Check the Patch Log for errors
    • Restart any applicable agents

33. Types of Software Updates
  • Hotfix – A hotfix is a single, cumulative package that includes one or more files that are used to address a problem in the product that cannot wait until the next scheduled upgrade. A hotfix does not increment the software version number.
  • Feature Pack – A feature pack is new product functionality that is distributed outside the context of a product release and is typically included in the next scheduled upgrade. The software version number is changed after an upgrade.
  • Upgrade – An upgrade is a software package that replaces an installed version of TPAM with a newer version of the product. The software version number is changed after an upgrade.
  • OS Patches – Patches for the specific purpose of upgrading the underlying TPAM OS. These patches bear the distinct naming convention beginning with TPAM_OS.
  • Documentation Patch – These patches update the online documentation available under the Help menu in TPAM.

34. Shut Down/Restart the Appliance
  • If the need arises to shut down or restart your appliance, this can be done from the /config or /admin interface.

35. Restore and Revert
  • In the event of a catastrophic failure, a System Administrator can restore the data using an offline backup to another appliance.
  • Another use for restore is for test environments where customers may be testing an upgrade to a new version of TPAM.
  • Applying a restore will stop the automation engine, mail agent, and auto discovery agents. These will not automatically restart when the restore is complete, even if the auto start check boxes were selected prior to the restore.
  • Applying the restore will set any non-primary cluster members (replicas, DPAs) to inactive. Once the restore is complete, these will have to be manually set to active on the cluster management page.

36. Remote Access
  • Remote access to the /config interface is enabled by default. When enabled, TPAM will allow access to the /config interface through port 8443. To access the /config interface remotely, enter https://[IP address]:8443/config.

37. CLI Commands for the System Administrator
  • The TPAM command line interface (CLI) provides a method for authorized system administrators or automated processes to retrieve information from the TPAM system.
  • Commands must be passed to TPAM via SSH (secure shell) using an identity key file provided by TPAM.
  • A specific CLI system administrator user ID is also required.
  • SSH software must be installed on any system before it can be used for TPAM CLI access.

38.
  • Commands accept parameters in the style of --OptionName option value (two dashes precede the option name), with the exception of the GetStatus command.
  • Commands that existed prior to TPAM v2.2.754 still also accept the comma-separated syntax, so existing scripts do not need to be modified unless you wish to take advantage of new parameters that have been added to the command in later versions of TPAM.
  • All commands recognize an option of --Help. This expanded help syntax will show all valid options for each command, whether the option is required or optional, and a description of the option and allowed values.

39. Relocating/Readdressing an Appliance
  • If it becomes necessary to relocate and readdress a TPAM primary or replica:
    • Change a Primary's IP Address
    • Change a Replica's IP Address

40. Kiosk Access
  • The kiosk should ONLY be accessed if recommended by technical support. You will not be able to perform any of these functions without technical support providing you the keys needed.
  • The functions available on the kiosk are to be used as a last resort before having to return the appliance, if an issue cannot be fixed over the phone with technical support.

41. TPAM Quest One Privileged Password Management
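The load-balancing rule on slide 11 (each DPA takes up to 150 concurrent sessions; the next session goes to the active DPA with the most sessions remaining), as an added example that is not TPAM's or Dell's own code. The DPA names, the inactive third DPA and the session counts are constructed for the example; the slide does not say how ties are broken, so this model gives ties to the first DPA in list order.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

SESSIONS_PER_DPA = 150   # slide 11: each additional DPA supports up to 150 concurrent sessions


@dataclass
class DPA:
    """Constructed model of one Distributed Processing Appliance."""
    name: str
    active: bool = True
    capacity: int = SESSIONS_PER_DPA
    in_use: int = 0

    def available(self) -> int:
        return self.capacity - self.in_use


def pick_dpa(dpas: List[DPA]) -> Optional[DPA]:
    """Active DPA with the most sessions remaining; None when no active DPA has room.
    max() keeps the first maximal element, so ties go to the first DPA listed."""
    candidates = [d for d in dpas if d.active and d.available() > 0]
    if not candidates:
        return None
    return max(candidates, key=lambda d: d.available())


def start_session(dpas: List[DPA]) -> Optional[str]:
    """Reserve one session slot on the chosen DPA and return its name (None if full)."""
    dpa = pick_dpa(dpas)
    if dpa is None:
        return None
    dpa.in_use += 1
    return dpa.name


def end_session(dpas: List[DPA], name: str) -> None:
    """Release one session slot on the named DPA."""
    for d in dpas:
        if d.name == name and d.in_use > 0:
            d.in_use -= 1
            return


def simulate(n_sessions: int, dpas: List[DPA]) -> Dict[str, int]:
    """Start n sessions and report where each landed; 'rejected' counts overflow."""
    counts = {d.name: 0 for d in dpas}
    counts["rejected"] = 0
    for _ in range(n_sessions):
        name = start_session(dpas)
        counts[name if name else "rejected"] += 1
    return counts


def sample_farm() -> List[DPA]:
    """Constructed sample: two active DPAs and one set inactive (as slide 35 says
    happens to DPAs after a restore until they are re-activated)."""
    return [DPA("dpa-1"), DPA("dpa-2"), DPA("dpa-3", active=False)]


if __name__ == "__main__":
    farm = sample_farm()
    print(simulate(301, farm))   # both active DPAs fill to 150, the 301st session is rejected
```

The inactive DPA never receives a session, which is the behaviour to expect after a restore until the cluster management page is used to set it active again.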
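Slide 17 says password construction rules are system and account specific, with the account-level rule taking precedence when both exist. The following Python is an added example (not TPAM's own rule engine or generator): it models a rule with per-class minimums, applies the account-over-system precedence, checks an existing password against a rule, and generates a compliant password from the `secrets` CSPRNG. The rule fields, their defaults and the two sample rules are this example's own assumptions.

```python
import secrets
import string
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PasswordRule:
    """Construction rule; field names and defaults are this example's own."""
    name: str
    length: int
    min_upper: int = 1
    min_lower: int = 1
    min_digits: int = 1
    min_symbols: int = 0
    symbols: str = "!@#$%^&*"


def effective_rule(system_rule: PasswordRule,
                   account_rule: Optional[PasswordRule]) -> PasswordRule:
    """Slide 17: a rule assigned at the account level takes precedence over the system rule."""
    return account_rule if account_rule is not None else system_rule


def rule_is_satisfiable(rule: PasswordRule) -> bool:
    """A rule whose class minimums exceed its length (or that demands symbols
    while allowing none) can never be met; catch that before generating."""
    required = rule.min_upper + rule.min_lower + rule.min_digits + rule.min_symbols
    return required <= rule.length and (rule.min_symbols == 0 or bool(rule.symbols))


def complies(password: str, rule: PasswordRule) -> bool:
    """Check an existing password: exact length, every class minimum, only allowed characters."""
    return (len(password) == rule.length
            and sum(c.isupper() for c in password) >= rule.min_upper
            and sum(c.islower() for c in password) >= rule.min_lower
            and sum(c.isdigit() for c in password) >= rule.min_digits
            and sum(c in rule.symbols for c in password) >= rule.min_symbols
            and all(c.isascii() and (c.isalnum() or c in rule.symbols) for c in password))


def generate(rule: PasswordRule) -> str:
    """Generate a password satisfying `rule`. Each class quota is filled first, the
    remainder is drawn from the full alphabet, then a Fisher-Yates shuffle driven by
    secrets.randbelow removes any positional pattern left by the class order."""
    if not rule_is_satisfiable(rule):
        raise ValueError(f"rule {rule.name!r} cannot be satisfied")
    required = rule.min_upper + rule.min_lower + rule.min_digits + rule.min_symbols
    chars = ([secrets.choice(string.ascii_uppercase) for _ in range(rule.min_upper)]
             + [secrets.choice(string.ascii_lowercase) for _ in range(rule.min_lower)]
             + [secrets.choice(string.digits) for _ in range(rule.min_digits)]
             + [secrets.choice(rule.symbols) for _ in range(rule.min_symbols)])
    alphabet = string.ascii_letters + string.digits + rule.symbols
    chars += [secrets.choice(alphabet) for _ in range(rule.length - required)]
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


# Constructed sample rules: a system-wide default and a stricter account-level rule.
SYSTEM_RULE = PasswordRule("system-default", length=12)
ACCOUNT_RULE = PasswordRule("account-strict", length=20, min_digits=2, min_symbols=2)


if __name__ == "__main__":
    rule = effective_rule(SYSTEM_RULE, ACCOUNT_RULE)   # account rule wins
    candidate = generate(rule)
    print(rule.name, len(candidate), complies(candidate, rule))
```

The generator never uses `random`; only `secrets` is acceptable for credential material. The satisfiability check is the kind of edge case a rule editor should reject up front rather than discover on the first scheduled password change.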
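The two validation levels slide 26 describes for ticket systems, as an added example that is not TPAM's own code: one validator only checks that a ticket number was entered ("they entered a number and that's all we need"), the other requires the ticket to exist and its returned data to match the requestor, system, account and date window, and a request that fails is canceled so the requestor can try again. The ticket records, request fields and ticket-system names are constructed for the example; TPAM's real ticket-system connectors are not shown.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class Ticket:
    """Record returned by the external ticket system (constructed sample shape)."""
    number: str
    assignee: str      # user the ticket is assigned to
    system: str        # target system named in the ticket
    account: str       # target account named in the ticket
    valid_from: date   # first day the work is authorised
    valid_to: date     # last day the work is authorised


@dataclass(frozen=True)
class AccessRequest:
    """What the requestor enters when submitting a password, file or session request."""
    requestor: str
    system: str
    account: str
    ticket_number: str
    requested_on: date


# Constructed sample ticket store standing in for an external ticket system.
SAMPLE_TICKETS: Dict[str, Ticket] = {
    "CHG-1001": Ticket("CHG-1001", "alice", "db01", "root", date(2024, 5, 1), date(2024, 5, 3)),
    "CHG-1002": Ticket("CHG-1002", "bob", "web02", "admin", date(2024, 5, 1), date(2024, 5, 1)),
}

# Constructed sample requests exercising each outcome.
SAMPLE_REQUESTS: Dict[str, AccessRequest] = {
    "match":          AccessRequest("alice", "db01", "root", "CHG-1001", date(2024, 5, 2)),
    "wrong_user":     AccessRequest("bob", "db01", "root", "CHG-1001", date(2024, 5, 2)),
    "outside_window": AccessRequest("alice", "db01", "root", "CHG-1001", date(2024, 5, 9)),
    "unknown_ticket": AccessRequest("alice", "db01", "root", "CHG-9999", date(2024, 5, 2)),
    "no_ticket":      AccessRequest("alice", "db01", "root", "   ", date(2024, 5, 2)),
}

Validator = Callable[[AccessRequest, Dict[str, Ticket]], bool]


def validate_lenient(req: AccessRequest, store: Dict[str, Ticket]) -> bool:
    """'They entered a number and that's all we need.'"""
    return bool(req.ticket_number.strip())


def validate_strict(req: AccessRequest, store: Dict[str, Ticket]) -> bool:
    """The ticket must exist and its data must match user, system, account and dates."""
    ticket: Optional[Ticket] = store.get(req.ticket_number.strip())
    if ticket is None:
        return False
    return (ticket.assignee == req.requestor
            and ticket.system == req.system
            and ticket.account == req.account
            and ticket.valid_from <= req.requested_on <= ticket.valid_to)


# More than one ticket system can be configured; each is bound to its own rule set.
TICKET_SYSTEMS: Dict[str, Validator] = {
    "helpdesk-lenient": validate_lenient,   # hypothetical ticket-system name
    "cmdb-strict": validate_strict,         # hypothetical ticket-system name
}


def decide(req: AccessRequest, ticket_system: str,
           store: Dict[str, Ticket] = SAMPLE_TICKETS) -> str:
    """Return 'granted' or 'canceled'. A failed validation cancels the request at
    once; the requestor may submit again with corrected details."""
    validator = TICKET_SYSTEMS[ticket_system]
    return "granted" if validator(req, store) else "canceled"


if __name__ == "__main__":
    for label, req in SAMPLE_REQUESTS.items():
        print(f"{label:15} strict={decide(req, 'cmdb-strict'):9} lenient={decide(req, 'helpdesk-lenient')}")
```

The strict validator compares every field the slide lists; a system that only checks existence of the ticket number would let a valid but unrelated ticket authorise access to any account, so binding the ticket to requestor, system, account and date window is the setting to prefer where the ticket system can return that data.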
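Slide 32 states that product patches are not always cumulative, that some must be applied in order with none skipped, and that each update's release notes name the prerequisite version. Slide 33 adds that a hotfix does not change the version number while an upgrade does. The following Python is an added example (not TPAM's own tooling) that models that rule: it validates a proposed update order against each prerequisite and plans the shortest chain from the current version to a target. The update catalogue and its version numbers are constructed placeholders, not real TPAM releases.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Update:
    """One product update as its release notes would describe it."""
    name: str
    kind: str           # "hotfix", "feature pack", "upgrade", "os patch", "documentation"
    prerequisite: str   # version the appliance must be at before applying
    results_in: str     # version after applying; unchanged for a hotfix


# Constructed sample catalogue; names and versions are placeholders.
AVAILABLE: List[Update] = [
    Update("TPAM_2.5.910", "upgrade", "2.5.905", "2.5.910"),
    Update("TPAM_2.5.915", "upgrade", "2.5.910", "2.5.915"),
    Update("TPAM_2.5.915_HF01", "hotfix", "2.5.915", "2.5.915"),
    Update("TPAM_2.5.920", "upgrade", "2.5.915", "2.5.920"),
]
BY_NAME: Dict[str, Update] = {u.name: u for u in AVAILABLE}


def check_sequence(current: str, sequence: List[Update]) -> Tuple[bool, str, str]:
    """Walk a proposed order of updates from `current`. Stops at the first update whose
    prerequisite does not match the version reached so far, i.e. a skipped step.
    Returns (ok, version_reached, message)."""
    version = current
    for u in sequence:
        if u.prerequisite != version:
            return False, version, f"{u.name} requires {u.prerequisite} but appliance is at {version}"
        version = u.results_in
    return True, version, "sequence satisfies every prerequisite"


def plan_updates(current: str, target: str, available: List[Update]) -> List[str]:
    """Breadth-first search over prerequisite edges: the fewest updates that take
    `current` to `target` without skipping a prerequisite. Hotfixes leave the version
    unchanged, so they never appear in a planned chain; check them separately."""
    queue = deque([(current, [])])
    visited = {current}
    while queue:
        version, path = queue.popleft()
        if version == target:
            return path
        for u in available:
            if u.prerequisite == version and u.results_in not in visited:
                visited.add(u.results_in)
                queue.append((u.results_in, path + [u.name]))
    raise ValueError(f"no chain of available updates leads from {current} to {target}")


if __name__ == "__main__":
    print(plan_updates("2.5.905", "2.5.920", AVAILABLE))
    print(check_sequence("2.5.905", [BY_NAME["TPAM_2.5.910"], BY_NAME["TPAM_2.5.920"]]))
```

Running `check_sequence` before touching the appliance is the automated form of the slide's first step ("check the current version of TPAM"): the comparison is against the version actually reported, so a patch whose prerequisite is not met is refused before the backup and agent shutdown steps are wasted.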