Overview of the Local Windows Connector

The EmpowerID Local Windows Server Connector improves IT security and simplifies the management of local computer administrator accounts, addressing the challenge of protecting these often-vulnerable accounts. It integrates with both on-premises and cloud-hosted Windows servers and focuses on managing local users and groups, particularly local administrators. The connector includes automated password management for Windows servers, rotating and resetting the passwords of privileged identities. It also supports compliance with SOX, HIPAA, and PCI-DSS through inventory tracking, attestation policies, and integration with EmpowerID's Privileged Session Manager for identity verification and session recording.

Technical Requirements

Before implementing the Local Windows Connector, ensure you have the following prerequisites:

  • Windows Server: Target systems should be running a supported version of Windows Server.

  • Administrative Privileges: Ensure you have administrative access to the target Windows server.

  • EmpowerID Account: An active EmpowerID account with the necessary permissions is required.

  • EmpowerID Cloud Gateway Client: Install the client on a dedicated server within the same domain as the local servers.

  • Windows Management Framework and PowerShell: Ensure the latest versions are installed, with remote PowerShell enabled on each server.
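The prerequisites above can be verified before the connector is configured. The following pre-flight script is an added example, not EmpowerID's own code: it checks from the Cloud Gateway host that each target server answers WinRM (remote PowerShell enabled), reports the PowerShell version, confirms the Microsoft.PowerShell.LocalAccounts module is present, and confirms the connecting account is a local administrator. The hostnames are placeholders.

```powershell
# Added example (not EmpowerID's own code): pre-flight check of the connector
# prerequisites on each target server. Hostnames below are placeholders.
$TargetServers = @('SRV-APP01', 'SRV-APP02')

function Test-ConnectorPrerequisites {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($server in $ComputerName) {
        $result = [ordered]@{
            Server          = $server
            WinRMReachable  = $false
            PSVersion       = $null
            LocalAccountsOK = $false
            IsAdmin         = $false
            Error           = $null
        }
        try {
            # Test-WSMan only succeeds when the WinRM listener answers,
            # i.e. remote PowerShell is enabled on the target.
            $null = Test-WSMan -ComputerName $server -ErrorAction Stop
            $result.WinRMReachable = $true

            $remote = Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
                $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
                $principal = [Security.Principal.WindowsPrincipal]$identity
                [pscustomobject]@{
                    PSVersion = $PSVersionTable.PSVersion.ToString()
                    HasModule = [bool](Get-Module -ListAvailable -Name Microsoft.PowerShell.LocalAccounts)
                    IsAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
                }
            }
            $result.PSVersion       = $remote.PSVersion
            $result.LocalAccountsOK = $remote.HasModule
            $result.IsAdmin         = $remote.IsAdmin
        }
        catch {
            # Keep going so one unreachable host does not hide the state of the others.
            $result.Error = $_.Exception.Message
        }
        [pscustomobject]$result
    }
}

Test-ConnectorPrerequisites -ComputerName $TargetServers | Format-Table -AutoSize
```

Any row with WinRMReachable = False, LocalAccountsOK = False or IsAdmin = False identifies a server that will fail inventory once the connector is enabled, so fix those before proceeding.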

Core Functionalities

Local Privileged Account Management

The Local Windows Connector automatically discovers and inventories local users and groups on Windows servers, including detailed information about local administrators. This discovery process ensures comprehensive visibility into privileged accounts, often prime targets for security breaches.

  • Role-Based and Attribute-Based Access Control: The connector enforces Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC) policies, ensuring that only authorized users have privileged access.

  • Audit Trails: Provides a complete audit trail of actions involving local users and groups, helping organizations meet compliance requirements such as SOX, HIPAA, and PCI-DSS.
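To show what the discovery step described above actually collects, here is an added example (not EmpowerID's code) that inventories the built-in Administrators group on a set of servers with the LocalAccounts cmdlets and enriches each local account with enable state and password age. The hostnames and the 90-day staleness threshold are placeholders; the flags it computes (built-in RID 500 account, never-expiring or stale password) are the ones an auditor usually asks for first.

```powershell
# Added example (not EmpowerID's own code): inventory local administrators
# across servers. Hostnames and the staleness threshold are placeholders.
$TargetServers  = @('SRV-APP01', 'SRV-APP02')
$StaleAfterDays = 90

function Get-LocalAdminInventory {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int]$StaleAfterDays = 90
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList $StaleAfterDays -ScriptBlock {
        param([int]$StaleAfterDays)
        $cutoff = (Get-Date).AddDays(-$StaleAfterDays)

        foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
            $user = $null
            if ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'Local') {
                # Members come back as COMPUTERNAME\name; Get-LocalUser wants the bare name.
                $user = Get-LocalUser -Name ($m.Name -split '\\')[-1] -ErrorAction SilentlyContinue
            }
            [pscustomobject]@{
                Server               = $env:COMPUTERNAME
                Member               = $m.Name
                ObjectClass          = $m.ObjectClass
                PrincipalSource      = $m.PrincipalSource
                SID                  = $m.SID.Value
                # RID 500 is the Administrator account (local or domain) whatever it is renamed to.
                IsBuiltInAdmin       = ($m.SID.Value -like 'S-1-5-21-*-500')
                Enabled              = if ($user) { $user.Enabled } else { $null }
                PasswordLastSet      = if ($user) { $user.PasswordLastSet } else { $null }
                PasswordNeverExpires = if ($user) { $null -eq $user.PasswordExpires } else { $null }
                StalePassword        = if ($user -and $user.PasswordLastSet) { $user.PasswordLastSet -lt $cutoff } else { $null }
            }
        }
    } | Select-Object -Property * -ExcludeProperty PSComputerName, RunspaceId, PSShowComputerName
}

Get-LocalAdminInventory -ComputerName $TargetServers -StaleAfterDays $StaleAfterDays |
    Sort-Object Server, Member | Format-Table -AutoSize
```

Domain users and groups nested in Administrators are listed with PrincipalSource = ActiveDirectory and null account fields, which is itself useful: those entries are where membership is governed outside the local machine.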

Password Management

Automated password rotation for local privileged accounts is a key feature of the connector, reducing the risk of password-related breaches. It integrates with EmpowerID's password vaulting and rotation policies to ensure secure password management practices.

  • Windows Services and IIS Application Pools: Manages the identities and passwords used by Windows Services and IIS Application Pools, addressing potential security risks associated with these components.

Privileged Account Discovery

The Local Windows Connector extends its discovery and management capabilities to privileged accounts across Windows, Linux, Unix, and VMware ESXi systems, allowing organizations to manage all privileged identities from a single platform.

  • Lifecycle Management: Includes recertification and ownership assignment processes, ensuring regular review and maintenance of privileged accounts to prevent unauthorized access.

Integration with the EmpowerID Framework

Integration with the EmpowerID framework enhances the connector's functionality, making it a versatile tool for identity governance:

  • IT Shop Integration: Supports access requests and approvals, simplifying the process for managing privileged access.

  • Privileged Session Manager Integration: Provides adaptive identity verification and session recording for enhanced security and compliance.

PowerShell Cmdlets Used

EmpowerID uses the following PowerShell cmdlets to perform operations on local Windows accounts and groups, SMB shares, Windows services, and IIS application pools:

Functionality                          PowerShell Cmdlet
-------------------------------------  ------------------------
Retrieve local user accounts           Get-LocalUser
Create a new local user account        New-LocalUser
Delete a local user account            Remove-LocalUser
Enable a local user account            Enable-LocalUser
Disable a local user account           Disable-LocalUser
Reset local user password              Set-LocalUser
Retrieve local groups                  Get-LocalGroup
Create a new local group               New-LocalGroup
Delete a local group                   Remove-LocalGroup
Add members to a local group           Add-LocalGroupMember
Remove members from a local group      Remove-LocalGroupMember
Retrieve local group members           Get-LocalGroupMember
Retrieve SMB shares                    Get-SMBShare
Create a new SMB share                 New-SMBShare
Remove an SMB share                    Remove-SMBShare
Grant SMB share access                 Grant-SMBShareAccess
Revoke SMB share access                Revoke-SMBShareAccess
Retrieve Windows services              Get-Service
Start a Windows service                Start-Service
Stop a Windows service                 Stop-Service
Retrieve IIS application pools         Get-IISAppPool
Start an IIS application pool          Start-WebAppPool
Stop an IIS application pool           Stop-WebAppPool
Recycle an IIS application pool        Restart-WebAppPool
Set IIS app pool identity              Set-ItemProperty
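The password-rotation feature described under Password Management, and the Windows Services and IIS Application Pools point under it, combine several of the cmdlets above. The following is an added example, not EmpowerID's own rotation logic: it generates a new password from the .NET CSPRNG, resets a local account with Set-LocalUser, writes the credential into the IIS application pool that runs as that account via Set-ItemProperty, recycles the pool with Restart-WebAppPool and reads back its state with Get-IISAppPool. Server, account and pool names are placeholders; the target is assumed to have the WebAdministration and IISAdministration modules (IIS 10). The new secret is returned as a SecureString so the caller can vault it.

```powershell
# Added example (not EmpowerID's own code): rotate a local service account and
# propagate the new password to the IIS app pool that runs as it.
# Server, account and pool names are placeholders.

function New-RandomPassword {
    param([int]$Length = 24)
    # Unambiguous alphabet; rejection sampling on CSPRNG bytes avoids modulo bias.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%^&*-_=+'
    $limit    = 256 - (256 % $alphabet.Length)
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buffer   = New-Object byte[] 1
    $out      = [System.Text.StringBuilder]::new()
    while ($out.Length -lt $Length) {
        $rng.GetBytes($buffer)
        if ($buffer[0] -lt $limit) { [void]$out.Append($alphabet[$buffer[0] % $alphabet.Length]) }
    }
    $rng.Dispose()
    ConvertTo-SecureString $out.ToString() -AsPlainText -Force
}

function Invoke-LocalAccountRotation {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$AppPoolName
    )
    # SecureString arguments are encrypted with the remoting session key in transit.
    $newPassword = New-RandomPassword

    $status = Invoke-Command -ComputerName $ComputerName -ArgumentList $UserName, $newPassword, $AppPoolName -ScriptBlock {
        param([string]$UserName, [securestring]$Password, [string]$AppPoolName)
        Import-Module WebAdministration, IISAdministration

        # 1. Reset the local account's password.
        Set-LocalUser -Name $UserName -Password $Password

        # 2. Update the pool identity (identitytype 3 = SpecificUser). The IIS provider
        #    needs the clear-text value; IIS stores it encrypted in applicationHost.config.
        $clear = [System.Net.NetworkCredential]::new('', $Password).Password
        Set-ItemProperty "IIS:\AppPools\$AppPoolName" -Name processModel -Value @{
            userName     = "$env:COMPUTERNAME\$UserName"
            password     = $clear
            identitytype = 3
        }

        # 3. Recycle so running worker processes pick up the new credential.
        Restart-WebAppPool -Name $AppPoolName
        [pscustomobject]@{
            Server    = $env:COMPUTERNAME
            Account   = $UserName
            AppPool   = $AppPoolName
            PoolState = (Get-IISAppPool -Name $AppPoolName).State
            RotatedAt = Get-Date
        }
    }

    # Hand the new secret back for vaulting; it is never written to the console or a log.
    [pscustomobject]@{ Status = $status; Password = $newPassword }
}

$result = Invoke-LocalAccountRotation -ComputerName 'SRV-APP01' -UserName 'svc_web' -AppPoolName 'IntranetPool'
$result.Status | Format-List
```

The order matters: the account password changes first, the pool's stored credential second, and the recycle last, so the window in which the pool holds a stale credential is limited to the time between steps 1 and 3. Any other consumer of the same account (a Windows service, a scheduled task) must be updated in the same run or it will start failing logons after the rotation.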

Schema Information

The tables below detail the schema for the EmpowerID Local Windows Connector, outlining the attributes, their display names, types, and other relevant information.

User Attributes

Security Boundary Attribute | Display Name  | Object Attribute | Security Boundary Type | Attribute Type | Multi Value | Security Boundary Attribute ID | Object Attribute ID
----------------------------|---------------|------------------|------------------------|----------------|-------------|--------------------------------|--------------------
Description                 | Description   | Description      | Local Windows Users    | string         | No          | 22894                          | 119
DisplayName                 | DisplayName   | DisplayName      | Local Windows Users    | string         | No          | 22910                          | 3
HomeDirDrive                | HomeDirDrive  | HomeDrive        | Local Windows Users    | string         | No          | 21841                          | 51
HomeDirectory               | HomeDirectory | HomeDir          | Local Windows Users    | string         | No          | 22060                          | 50
LoginScript                 | LoginScript   | LogonScript      | Local Windows Users    | string         | No          | 21840                          | 97
MaxStorage                  | MaxStorage    | MaxStorage       | Local Windows Users    | INT            | No          | 22058                          | 115
Members                     | Members       | Members          | Local Windows Users    | string         | No          | 26286                          | 183
ProfilePath                 | ProfilePath   | ProfilePath      | Local Windows Users    | string         | No          | 21842                          | 94

Group Attributes

Security Boundary Attribute | Display Name  | Object Attribute | Security Boundary Type | Attribute Type | Multi Value | Security Boundary Attribute ID | Object Attribute ID
----------------------------|---------------|------------------|------------------------|----------------|-------------|--------------------------------|--------------------
Description                 | Description   | Description      | Local Windows Users    | string         | No          | 22894                          | 119
DisplayName                 | DisplayName   | DisplayName      | Local Windows Users    | string         | No          | 22910                          | 3
HomeDirDrive                | HomeDirDrive  | HomeDrive        | Local Windows Users    | string         | No          | 21841                          | 51
HomeDirectory               | HomeDirectory | HomeDir          | Local Windows Users    | string         | No          | 22060                          | 50
LoginScript                 | LoginScript   | LogonScript      | Local Windows Users    | string         | No          | 21840                          | 97
MaxStorage                  | MaxStorage    | MaxStorage       | Local Windows Users    | INT            | No          | 22058                          | 115
Members                     | Members       | Members          | Local Windows Users    | string         | No          | 26286                          | 183
ProfilePath                 | ProfilePath   | ProfilePath      | Local Windows Users    | string         | No          | 21842                          | 94

Inventory and Monitoring

The connector maintains up-to-date user and group information through inventory and membership reconciliation settings. The Account Inbox offers a centralized view of all user accounts and their status, providing a comprehensive snapshot for administrators.
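Membership reconciliation, as described above, means comparing what is actually in a privileged group against what is approved and treating every difference as a finding. The following is an added example, not EmpowerID's own reconciliation engine: it holds an approved baseline for the Administrators group per server, reads the live membership with Get-LocalGroupMember, reports members that are not in the baseline and baseline members that are missing, and can optionally remove unapproved members with Remove-LocalGroupMember. Hostnames and principal names are constructed sample data; by default it only reports.

```powershell
# Added example (not EmpowerID's own code): reconcile the local Administrators
# group against an approved baseline. Hostnames and principals are constructed
# sample data.
$Baseline = @{
    'SRV-APP01' = @('SRV-APP01\Administrator', 'CORP\ServerAdmins')
    'SRV-APP02' = @('SRV-APP02\Administrator', 'CORP\ServerAdmins', 'CORP\WebOps')
}

function Sync-LocalAdminMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][hashtable]$Baseline,
        [switch]$Remediate    # without this switch the function only reports drift
    )
    foreach ($server in $Baseline.Keys) {
        $expected = @($Baseline[$server])
        $current  = @(Invoke-Command -ComputerName $server -ScriptBlock {
            (Get-LocalGroupMember -Group 'Administrators').Name
        })

        # -notin is case-insensitive, matching how Windows compares account names.
        $unexpected = @($current  | Where-Object { $_ -notin $expected })
        $missing    = @($expected | Where-Object { $_ -notin $current })

        foreach ($name in $unexpected) {
            $action = 'Report'
            if ($Remediate -and $PSCmdlet.ShouldProcess("$server\Administrators", "Remove $name")) {
                Invoke-Command -ComputerName $server -ArgumentList $name -ScriptBlock {
                    param($n) Remove-LocalGroupMember -Group 'Administrators' -Member $n
                }
                $action = 'Removed'
            }
            [pscustomobject]@{ Server = $server; Member = $name; Finding = 'NotInBaseline';     Action = $action }
        }
        foreach ($name in $missing) {
            [pscustomobject]@{ Server = $server; Member = $name; Finding = 'MissingFromServer'; Action = 'Report' }
        }
    }
}

# Report only. Add -Remediate to enforce the baseline, and -WhatIf to preview the removals first.
Sync-LocalAdminMembership -Baseline $Baseline | Format-Table -AutoSize
```

A NotInBaseline finding on a server that no approved change touched is the signal worth alerting on: it is either an undocumented administrative change or an attacker establishing persistence, and both deserve a ticket.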

User and Group Management

Administrators can efficiently manage local user accounts via the EmpowerID interface:

  • User Management: Create, update, disable, and delete local user accounts.

  • Group Management: Create and manage local groups, including actions such as mail-enabling or disabling groups.

Managing Windows Services and IIS Application Pools

The connector provides extensive management capabilities for Windows Services and IIS Application Pools:

  • Windows Services: Inventory and manage services on connected servers, including starting, stopping, and configuring service identities.

  • IIS Application Pools: Inventory and manage application pools, including the ability to start, stop, and recycle them.

Enhancing Security and Compliance

The EmpowerID Local Windows Connector significantly enhances an organization's security posture and compliance practices:

  • Centralized Management: Reduces the risk of unauthorized access by providing centralized control over local accounts.

  • Real-Time Monitoring: Detects and responds to potential security incidents swiftly.

  • Compliance Support: Automated auditing and reporting streamline compliance with regulatory standards.

Conclusion

The EmpowerID Local Windows Connector is essential for efficiently and securely managing local Windows users and groups within an organization. Leveraging its core functionalities enhances security and compliance, while integration with the broader EmpowerID framework and Privileged Session Manager ensures unified and effective identity management across the enterprise. By incorporating the connector, organizations can achieve higher control and oversight over their local Windows environments, ultimately strengthening their IT infrastructure.