You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.

Connecting to Local Windows Servers


Local Computer Privileged Identity Management

Attackers frequently target local computer administrator accounts as a first step in order to gain privileged access to an organization’s IT network. Local admin accounts effectively “own the machine” having full access to all local resources including any databases. This access represents a potential audit risk for regulations such as SOX, HIPPA, PCI-DSS, FINMA, MAS, FISMA, and NERC. Local admin accounts can also serve as a steppingstone to a company’s most valuable network data. EmpowerID inventories your servers to discover, monitor, and control local users and groups including local administrators. Role and attribute-based access control policies control membership to the local administrators group and allow for access requests through the IT Shop.

All privileged identities can be assigned to policies that automate the rotation of their passwords. The EmpowerID system through its connectors resets the passwords in the managed system and update the vaulted information. For Windows servers, EmpowerID can go a level deeper and inventory and manage the identities that are used for Windows Services and IIS Application Pools. These identities are typically undermanaged and their passwords remain static due to the hassle of knowing one which systems they are being used and the effort required to update these systems when the password changes. EmpowerID handles these special identities by automating the system updates required each time their password is rotated.

Manage and Record Privileged User Sessions

Privileged accounts are both a necessity and a liability. These accounts, with their nearly unlimited access to system resources are essential for everyday IT operations yet abuse of privileged accounts is attributed as the cause of 62% of security breaches. In a Zero Trust model, only the minimal access required should be granted for the minimal time period and if possible, the access should be proxied and monitored.

EmpowerID’s Privilege Session Manager acts as a web-based gateway to provide authorized users with RDP access to on-premise or Cloud Windows servers but without exposing the servers to actual network access. This best practice approach avoids most common malware and hack exploits which rely on network connectivity to the servers they are targeting. In addition, strong adaptive identity verification is enforced and sessions can be optionally recorded as videos for later compliance investigation or verification. In all cases, the password of the privileged credential is never revealed to the end user eliminating the potential for sharing or misuse.

Windows Server Compliance and Recertification

EmpowerID allows your infrastructure team to breeze through audits. The sprawling and dynamic nature of virtual machine environments can pose a huge headache for auditors. It may be difficult to prove who has local system access to critical systems in order to complete a certification process. But producing this proof becomes almost automatic with EmpowerID. EmpowerID maintains an update to date audit and can provide complete control over who has access to which of your Windows Servers across all your Cloud and on-premise environments. Built-in attestation policies allow for rapid periodic recertification of local computer group memberships, eliminating the hassle of auditing this critical infrastructure. Risk-based separation of duties policies also allow you to define toxic combinations of access, so they can be detected, and remediated if discovered.

Getting Started