You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.


Overview of Privileged Session Manager



Version 2

Privileged Session Manager (PSM) is a collection of applications that broker, monitor, and record privileged sessions while satisfying audit requirements. PSM lets authorized users obtain privileged access to computers, restricts that access to a defined time window, lets administrators watch sessions in real time and terminate them at any point, and records sessions so they can be replayed later. The time limit comes from the access policy that grants the credential: when it expires, access to the credential ends and the session is terminated automatically.

Benefits

Manage and Record Privileged User Sessions

Privileged accounts are vital for everyday IT operations, but they pose a significant security risk due to their unrestricted access to system resources. In fact, 62% of security breaches are attributed to privileged account abuse. In a Zero Trust model, access should be granted only to the minimum necessary for the shortest duration possible. Additionally, access should be proxied and monitored whenever possible.

EmpowerID's Privileged Session Manager (PSM) provides a web-based gateway through which authorized users reach Windows or Linux servers over RDP or SSH without the servers being exposed to direct network access from the user's machine. Users and servers can be located anywhere: the only connectivity required is from the user to the PSM web interface and from the PSM Gateway to the target servers. This removes the need for a VPN, which is costly and slows down the user experience, and it removes the direct network path to the target servers that commodity malware and lateral-movement tooling depend on. PSM also enforces adaptive identity verification, and sessions can be recorded as video for compliance investigations or verification. In all cases the password of the privileged credential is never disclosed to the end user, which removes the opportunity to share or misuse it.

Zero Trust Zoning

On Windows, anyone with local administrator rights can extract the credential material held on that computer: the domain cached credentials (hashed verifiers for the most recent domain logons, 10 by default, controlled by the CachedLogonsCount setting) and the secrets of users who are currently logged on, which can be dumped from the LSASS process. If an attacker tricks a user with local admin rights into running malware, the attacker obtains that material and can use it to install software or move laterally to higher-value servers. The worst case is a domain administrator who has logged into the compromised computer, leaving domain admin credentials exposed there.

Recent history has shown that attackers cannot always be kept out, but limiting where they can go, and which privileged credentials are cached locally on the computers they compromise, limits the damage they can do. This is achieved through zoning or tiering at the user access level, analogous to network controls such as subnets, routing tables, and firewall rules. Microsoft's tier model proposes three basic tiers for a Windows network: Tier 0 for AD domain controllers and other identity systems, Tier 1 for servers, and Tier 2 for workstations, with the rule that a credential from a higher tier is never used to log on to a lower tier. Organizations can implement as many zones as they need with EmpowerID.

EmpowerID PSM is a practical tool for enforcing a Zero Trust zoning or "micro-segmentation" strategy. PSM lets organizations use pre-provisioned shared accounts for server access without revealing their passwords or elevating the user's own account. EmpowerID administrators explicitly define which vaulted privileged credentials are available to administrators for which servers, by zone. This limits the blast radius of lateral movement and pass-the-hash attacks: a compromised workstation never holds credentials that are valid for the server tier.

Self-Service Server Access Shopping

EmpowerID simplifies the process of requesting and launching privileged session access to servers by offering a familiar shopping cart interface for end users. Users can easily search for the computer they need access to and request the use of a vaulted credential for a specific time period. Access Request policies control time limits, approval processing, session recording, and privacy settings.

If a request requires approval, EmpowerID generates workflow tasks automatically and tracks their status. All participants receive email notifications, and all requests, decisions, and associated fulfillment actions are recorded for auditing purposes.

Adaptive MFA for Server Access

The primary goal of most attacks is to gain access to an organization's key servers, to "own the box." Passwords remain the weakest link in an organization's security strategy, and Multi-Factor Authentication (MFA) is the most effective control available for closing that gap on server access. EmpowerID's adaptive MFA makes stronger identity verification easier to adopt because users are not required to perform MFA on every server access attempt; they are prompted only when the circumstances warrant it.

EmpowerID offers a variety of user-friendly MFA options, including one-time passwords, FIDO security keys such as YubiKey, third-party integrations such as Duo, and the EmpowerID Mobile phone app. With the mobile app, users approve their identity verification request with a single tap.

Server Discovery

EmpowerID offers one of the most extensive libraries of Identity Governance and Administration (IGA) system connectors available. The Privileged Session Management solution benefits from this diversity and utilizes these connections to automatically discover computers, virtual machines, and their privileged credentials. The Computer Identity Management module also enables the optional discovery and management of local computer identities and access.

EmpowerID can discover computers and virtual machines wherever they reside. It supports the most popular platforms for running virtual workloads, including AWS, Azure, and VMware vCenter. EmpowerID can also discover computer objects from Active Directory, or administrators can register computers manually in web-based workflows. This keeps the inventory of managed assets up to date and simplifies configuring servers for PSM access.

Features:

  • Access: With Privileged Session Manager, users can only access resources for which they have been granted permission. Users request access and initiate a connection through the IAM Shop application. All sessions are proxied to the target resources through PSM servers, which gives PSM full control over the traffic: it can be monitored, recorded, and cut off.

  • Live Monitoring, Recording, and Replay: Administrators can monitor live sessions (if the policy allows it), record sessions, and replay them for review, all from the EmpowerID website.

  • Credential Sharing: Computer credentials are encrypted and are used to initiate privileged sessions with the target resource upon request for automatic login. These credentials are not exposed to users, thereby enhancing security.

  • Auto-Login: When combined with Privileged Access Manager, Privileged Session Manager can be configured for automatic login, which improves security and compliance by not exposing account credentials to users.

Architecture

The PSM cluster consists of three containerized (Docker) Node.js applications, each with its own responsibility:

  1. Application

  2. Daemon

  3. Uploader


Session Flow

The UML sequence diagram below outlines a session from initiation through to viewing the recorded session at the end. The numbered steps that follow describe the same flow.

  1. User requests access to a computer by checking-out a credential from the list of available credentials.

  2. User clicks the login icon to initiate the RDP (or SSH) session and is prompted to enter their Master password.

  3. The connection request is submitted to the PSM Application along with the master password that the user enters.

  4. The PSM Application talks to an EmpowerID API Endpoint to authorize and receive the credentials to the target resource.

  5. If the authorization is successful, EmpowerID returns the credentials to the PSM Application server.

  6. The PSM Application connects to the target resource through the Daemon, using the protocol that matches the target (RDP or SSH).

  7. Input from the browser and output from the target server are relayed over a WebSocket connection between the browser and the PSM Application; the credentials themselves never leave the PSM side.

Set Up Privileged Session Management

Create Privileged Access Policies

Enable Computers for Privileged Session Management

View Privileged Session Details

Connect to Live PSM Sessions

Terminate a Privileged Session
