The EmpowerID Local Windows Connector is designed to enhance IT security and simplify the management of local computer administrator accounts, which are frequently targeted and often poorly protected. It integrates with both on-premises and cloud-hosted Windows servers, managing local users and groups within an organization, particularly local administrators. This document provides an overview of the connector's core functionality, its technical requirements, and its integration within EmpowerID. The connector includes automated password management for Windows servers, rotating and resetting the passwords of privileged identities so that static, shared local administrator credentials do not accumulate. It also supports compliance efforts for SOX, HIPAA, and PCI-DSS through inventory tracking, attestation policies, and integration with EmpowerID's Privileged Session Manager for identity verification and session recording.
Technical Requirements
Before implementing the Local Windows Connector, ensure you have the following prerequisites:
...
The Local Windows Connector automatically discovers and inventories local users and groups on Windows servers, including detailed information about local administrators. This discovery process ensures comprehensive visibility into privileged accounts, which are often prime targets for security breaches.
...
Lifecycle Management: Includes recertification and ownership assignment processes, ensuring that privileged accounts are regularly reviewed, have an accountable owner, and are maintained to prevent unauthorized access.
...
IT Shop Integration: Supports access requests and approvals, simplifying the process for managing privileged access.
Privileged Session Manager Integration: Provides adaptive identity verification and session recording for enhanced security and compliance.
PowerShell Cmdlets Used
EmpowerID uses a range of PowerShell cmdlets to perform operations on local Windows accounts, SMB shares, services, and IIS application pools. The local user and group cmdlets come from the Microsoft.PowerShell.LocalAccounts module shipped with Windows PowerShell 5.1; the SMB cmdlets come from the SmbShare module; Get-IISAppPool comes from the IISAdministration module, while the *-WebAppPool cmdlets and the IIS: drive used with Set-ItemProperty come from the older WebAdministration module. All of them require an elevated session on the target server. The key cmdlets are listed below:
Functionality | PowerShell Cmdlet |
---|---|
Retrieve local user accounts | Get-LocalUser |
Create a new local user account | New-LocalUser |
Delete a local user account | Remove-LocalUser |
Enable a local user account | Enable-LocalUser |
Disable a local user account | Disable-LocalUser |
Reset local user password | Set-LocalUser |
Retrieve local groups | Get-LocalGroup |
Create a new local group | New-LocalGroup |
Delete a local group | Remove-LocalGroup |
Add members to a local group | Add-LocalGroupMember |
Remove members from a local group | Remove-LocalGroupMember |
Retrieve local group members | Get-LocalGroupMember |
Retrieve SMB shares | Get-SmbShare |
Create a new SMB share | New-SmbShare |
Remove an SMB share | Remove-SmbShare |
Grant SMB share access | Grant-SmbShareAccess |
Revoke SMB share access | Revoke-SmbShareAccess |
Retrieve Windows services | Get-Service |
Start a Windows service | Start-Service |
Stop a Windows service | Stop-Service |
Retrieve IIS application pools | Get-IISAppPool |
Start an IIS application pool | Start-WebAppPool |
Stop an IIS application pool | Stop-WebAppPool |
Recycle an IIS application pool | Restart-WebAppPool |
Set IIS app pool identity | Set-ItemProperty |
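The following script is an added example, not code from EmpowerID or this connector. It shows what the discovery step described earlier and the password-reset operation from the table above look like when performed directly with the listed cmdlets: it inventories the members of the built-in Administrators group (resolved by its well-known SID so a renamed group is still found, with PrincipalSource distinguishing local from domain members), then rotates the password of one local administrator account using a CSPRNG-generated password held only in a SecureString. The account name svc-localadmin and the password length are placeholder assumptions; the script assumes an elevated Windows PowerShell 5.1 session on the target server with the Microsoft.PowerShell.LocalAccounts module available, and it deliberately does not write the new secret anywhere, because in a real deployment that hand-off to the credential vault is the connector's job.

```powershell
#Requires -RunAsAdministrator
# Added example (not EmpowerID's code). Assumes Windows PowerShell 5.1 on the target
# server with Microsoft.PowerShell.LocalAccounts available. The account name below is
# a hypothetical placeholder.
param(
    [string]$AccountName = 'svc-localadmin',   # hypothetical local admin account
    [int]$PasswordLength = 24
)

function Get-LocalAdminInventory {
    # S-1-5-32-544 is the well-known SID of the built-in Administrators group, so this
    # works even when the group has been renamed. PrincipalSource tells you whether a
    # member is Local, ActiveDirectory or MicrosoftAccount; domain members added years
    # ago are the ones most often missed in manual reviews.
    $adminGroup = Get-LocalGroup -SID 'S-1-5-32-544'
    Get-LocalGroupMember -Group $adminGroup | ForEach-Object {
        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            Member          = $_.Name
            ObjectClass     = $_.ObjectClass
            PrincipalSource = $_.PrincipalSource
            SID             = $_.SID.Value
        }
    }
}

function New-RandomPassword {
    param([int]$Length)
    # Characters drawn from a CSPRNG; rejection sampling keeps each character uniformly
    # distributed instead of biasing toward the low end of the alphabet with a plain modulo.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $chars = New-Object char[] $Length
    $buf   = New-Object byte[] 1
    $limit = 256 - (256 % $alphabet.Length)
    for ($i = 0; $i -lt $Length; $i++) {
        do { $rng.GetBytes($buf) } while ($buf[0] -ge $limit)
        $chars[$i] = $alphabet[$buf[0] % $alphabet.Length]
    }
    $rng.Dispose()
    # Move the password into a read-only SecureString and wipe the char buffer so the
    # plaintext does not linger in a regular variable.
    $secure = New-Object System.Security.SecureString
    foreach ($c in $chars) { $secure.AppendChar($c) }
    [Array]::Clear($chars, 0, $chars.Length)
    $secure.MakeReadOnly()
    return $secure
}

function Reset-LocalAdminPassword {
    param([string]$Name, [int]$Length)
    # Fail early if the account does not exist rather than creating it implicitly.
    $user = Get-LocalUser -Name $Name -ErrorAction Stop
    $newPassword = New-RandomPassword -Length $Length
    # Set-LocalUser is the cmdlet listed for resets; it changes only the password and
    # leaves the Enabled state alone, so a disabled break-glass account stays disabled.
    Set-LocalUser -Name $user.Name -Password $newPassword
    # Report the rotation without exposing the secret; handing $newPassword to the vault
    # would happen here in a real deployment.
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Account   = $user.Name
        Enabled   = $user.Enabled
        RotatedAt = (Get-Date).ToUniversalTime().ToString('o')
    }
}

# Usage: list who currently holds local admin, then rotate the managed account.
Get-LocalAdminInventory | Format-Table -AutoSize
Reset-LocalAdminPassword -Name $AccountName -Length $PasswordLength
```

Run it once per server and compare the inventory output against the membership the connector expects; any member with PrincipalSource of ActiveDirectory that is not in an approved group is exactly the kind of drift the membership reconciliation settings described later are meant to catch.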
Schema Information
The tables below detail the schema for the EmpowerID Local Windows Connector, outlining the attributes, their display names, types, and other relevant information.
User Attributes
Security Boundary Attribute | Display Name | Object Attribute | Security Boundary Type | Attribute Type | Multi Value | Security Boundary Attribute ID | Object Attribute ID |
---|---|---|---|---|---|---|---|
Description | Description | Description | Local Windows Users | string | No | 22894 | 119 |
DisplayName | DisplayName | DisplayName | Local Windows Users | string | No | 22910 | 3 |
HomeDirDrive | HomeDirDrive | HomeDrive | Local Windows Users | string | No | 21841 | 51 |
HomeDirectory | HomeDirectory | HomeDir | Local Windows Users | string | No | 22060 | 50 |
LoginScript | LoginScript | LogonScript | Local Windows Users | string | No | 21840 | 97 |
MaxStorage | MaxStorage | MaxStorage | Local Windows Users | INT | No | 22058 | 115 |
Members | Members | Members | Local Windows Users | string | No | 26286 | 183 |
ProfilePath | ProfilePath | ProfilePath | Local Windows Users | string | No | 21842 | 94 |
Group Attributes
Security Boundary Attribute | Display Name | Object Attribute | Security Boundary Type | Attribute Type | Multi Value | Security Boundary Attribute ID | Object Attribute ID |
---|---|---|---|---|---|---|---|
Description | Description | Description | Local Windows Users | string | No | 22894 | 119 |
DisplayName | DisplayName | DisplayName | Local Windows Users | string | No | 22910 | 3 |
HomeDirDrive | HomeDirDrive | HomeDrive | Local Windows Users | string | No | 21841 | 51 |
HomeDirectory | HomeDirectory | HomeDir | Local Windows Users | string | No | 22060 | 50 |
LoginScript | LoginScript | LogonScript | Local Windows Users | string | No | 21840 | 97 |
MaxStorage | MaxStorage | MaxStorage | Local Windows Users | INT | No | 22058 | 115 |
Members | Members | Members | Local Windows Users | string | No | 26286 | 183 |
ProfilePath | ProfilePath | ProfilePath | Local Windows Users | string | No | 21842 | 94 |
Inventory and Monitoring
The connector maintains up-to-date user and group information through inventory and membership reconciliation settings. The Account Inbox offers a centralized view of all user accounts and their status, providing a comprehensive snapshot for administrators.
...
The EmpowerID Local Windows Connector is an essential tool for efficiently and securely managing local Windows users and groups within an organization. Its core functionality improves security and compliance, while integration with the broader EmpowerID framework and Privileged Session Manager provides unified identity management across the enterprise. By incorporating the connector, organizations gain greater control and oversight over their local Windows environments, strengthening their IT infrastructure.