You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.
Overview of the Local Windows Connector
The EmpowerID Local Windows Server Connector is designed to improve IT security and simplify the management of local computer administrator accounts, which are rarely inventoried and therefore frequent targets. It integrates with both on-premises and cloud-hosted Windows servers and focuses on managing local users and groups, particularly local administrators. The connector includes automated password management for Windows servers, handling password rotation and resets for privileged identities. It also supports compliance efforts with SOX, HIPAA, and PCI-DSS through inventory tracking, attestation policies, and integration with EmpowerID's Privileged Session Manager for identity verification and session recording.
Technical Requirements
Before implementing the Local Windows Connector, ensure you have the following prerequisites:
Windows Server: Target systems should be running a supported version of Windows Server.
Administrative Privileges: Ensure you have administrative access to the target Windows server.
EmpowerID Account: An active EmpowerID account with the necessary permissions is required.
EmpowerID Cloud Gateway Client: Install the client on a dedicated server within the same domain as the local servers.
Windows Management Framework and PowerShell: Ensure current versions are installed and that PowerShell remoting (WinRM) is enabled on each target server, because the connector runs its cmdlets on the target through a remote PowerShell session.
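The prerequisites above can be checked from the gateway host before a server is onboarded. The script below is an added example and is not part of the EmpowerID guide or product; it assumes the target name and a credential that is a local administrator there are supplied as parameters, and the minimum PowerShell version it enforces (5.1) is an assumption, since the page only says "latest versions". WebAdministration is treated as optional because it is only present where IIS is installed.

```powershell
# Added example (not EmpowerID code): verify the connector prerequisites on one target.
# Assumed: $ComputerName is reachable over WinRM and $Credential is a local administrator there.
param(
    [Parameter(Mandatory)] [string] $ComputerName,
    [Parameter(Mandatory)] [pscredential] $Credential
)
$ErrorActionPreference = 'Stop'

# 1. Remote PowerShell enabled: the WinRM endpoint must answer an authenticated request.
$wsman = Test-WSMan -ComputerName $ComputerName -Credential $Credential -Authentication Negotiate
Write-Host "WinRM on ${ComputerName}: product version $($wsman.ProductVersion)"

# 2. Everything else is checked on the target itself, inside a single remoting session.
$report = Invoke-Command -ComputerName $ComputerName -Credential $Credential -ScriptBlock {
    $os = Get-CimInstance Win32_OperatingSystem
    $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
               ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    # Modules behind the cmdlets the connector uses; WebAdministration only matters if IIS is present.
    $required = 'Microsoft.PowerShell.LocalAccounts', 'SmbShare'
    $optional = 'WebAdministration'
    $modules = foreach ($m in $required + $optional) {
        [pscustomobject]@{
            Module    = $m
            Available = [bool](Get-Module -ListAvailable -Name $m)
            Required  = $m -in $required
        }
    }
    [pscustomobject]@{
        OS             = $os.Caption
        IsServer       = $os.ProductType -ne 1     # 1 = workstation, 2 = domain controller, 3 = member server
        PSVersion      = $PSVersionTable.PSVersion.ToString()
        RunningAsAdmin = $isAdmin
        Modules        = $modules
    }
}

$report | Format-List OS, IsServer, PSVersion, RunningAsAdmin
$report.Modules | Format-Table -AutoSize

# 3. Turn the findings into pass/fail. 5.1 as the floor is an assumption, not a vendor number.
$failures = @()
if (-not $report.IsServer) { $failures += 'Target is not a Windows Server edition' }
if ([version]$report.PSVersion -lt [version]'5.1') { $failures += 'Windows PowerShell 5.1 or later is required' }
if (-not $report.RunningAsAdmin) { $failures += "$($Credential.UserName) is not a local administrator on $ComputerName" }
$failures += $report.Modules | Where-Object { $_.Required -and -not $_.Available } |
    ForEach-Object { "Required module $($_.Module) is missing" }
$report.Modules | Where-Object { -not $_.Required -and -not $_.Available } |
    ForEach-Object { Write-Warning "Optional module $($_.Module) is missing; IIS app pools cannot be managed" }

if ($failures) { $failures | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host 'All prerequisite checks passed.'
```

Run it once per server from the gateway host with the same account the connector will use, so the administrator check reflects the connector's own rights rather than those of the person running the script.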
Core Functionalities
Local Privileged Account Management
The Local Windows Connector automatically discovers and inventories local users and groups on Windows servers, including detailed information about local administrators. This discovery process ensures comprehensive visibility into privileged accounts, often prime targets for security breaches.
Role-Based and Attribute-Based Access Control: The connector enforces Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC) policies, ensuring that only authorized users have privileged access.
Audit Trails: Provides a complete audit trail of actions involving local users and groups, helping organizations meet compliance requirements such as SOX, HIPAA, and PCI-DSS.
Password Management
Automated password rotation for local privileged accounts is a key feature of the connector, reducing the risk of password-related breaches. It integrates with EmpowerID's password vaulting and rotation policies to ensure secure password management practices.
Windows Services and IIS Application Pools: Manages the identities and passwords used by Windows Services and IIS Application Pools, addressing potential security risks associated with these components.
Privileged Account Discovery
The Local Windows Connector extends its discovery and management capabilities to privileged accounts across Windows, Linux, Unix, and VMware ESXi systems, allowing organizations to manage all privileged identities from a single platform.
Lifecycle Management: Includes recertification and ownership assignment processes, ensuring regular review and maintenance of privileged accounts to prevent unauthorized access.
Integration with the EmpowerID Framework
Integration with the EmpowerID framework enhances the connector's functionality, making it a versatile tool for identity governance:
IT Shop Integration: Supports access requests and approvals, simplifying the process for managing privileged access.
Privileged Session Manager Integration: Provides adaptive identity verification and session recording for enhanced security and compliance.
PowerShell Cmdlets Used
EmpowerID uses a set of PowerShell cmdlets to perform operations on local Windows accounts, SMB shares, services, and IIS application pools. These run on the target server over remote PowerShell, so the account the connector uses must be a local administrator there and the module that provides each cmdlet must be present. The key cmdlets are listed below:
Functionality | PowerShell Cmdlet | Module |
---|---|---|
Retrieve local user accounts | Get-LocalUser | Microsoft.PowerShell.LocalAccounts |
Create a new local user account | New-LocalUser | Microsoft.PowerShell.LocalAccounts |
Delete a local user account | Remove-LocalUser | Microsoft.PowerShell.LocalAccounts |
Enable a local user account | Enable-LocalUser | Microsoft.PowerShell.LocalAccounts |
Disable a local user account | Disable-LocalUser | Microsoft.PowerShell.LocalAccounts |
Reset local user password | Set-LocalUser (with -Password) | Microsoft.PowerShell.LocalAccounts |
Retrieve local groups | Get-LocalGroup | Microsoft.PowerShell.LocalAccounts |
Create a new local group | New-LocalGroup | Microsoft.PowerShell.LocalAccounts |
Delete a local group | Remove-LocalGroup | Microsoft.PowerShell.LocalAccounts |
Add members to a local group | Add-LocalGroupMember | Microsoft.PowerShell.LocalAccounts |
Remove members from a local group | Remove-LocalGroupMember | Microsoft.PowerShell.LocalAccounts |
Retrieve local group members | Get-LocalGroupMember | Microsoft.PowerShell.LocalAccounts |
Retrieve SMB shares | Get-SmbShare | SmbShare |
Create a new SMB share | New-SmbShare | SmbShare |
Remove an SMB share | Remove-SmbShare | SmbShare |
Grant SMB share access | Grant-SmbShareAccess | SmbShare |
Revoke SMB share access | Revoke-SmbShareAccess | SmbShare |
Retrieve Windows services | Get-Service | Microsoft.PowerShell.Management |
Start a Windows service | Start-Service | Microsoft.PowerShell.Management |
Stop a Windows service | Stop-Service | Microsoft.PowerShell.Management |
Retrieve IIS application pools | Get-IISAppPool | IISAdministration |
Start an IIS application pool | Start-WebAppPool | WebAdministration |
Stop an IIS application pool | Stop-WebAppPool | WebAdministration |
Recycle an IIS application pool | Restart-WebAppPool | WebAdministration |
Set IIS app pool identity | Set-ItemProperty on the IIS:\AppPools path | Microsoft.PowerShell.Management, against the IIS: drive provided by WebAdministration |
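The following script is an added example, not code from the EmpowerID guide or product. It shows what the discovery described under Local Privileged Account Management looks like when done with the cmdlets in the table: who is in the local Administrators group, and which services and IIS application pools run under local accounts, which is the dependency map a password rotation has to respect. It assumes it runs on the target (directly or inside Invoke-Command) as a local administrator; the $ExpectedAdmins allow-list is a placeholder.

```powershell
# Added example (not EmpowerID code): inventory local admins and the service/app pool
# dependencies of local accounts on this server.
# Assumed: run on the target as a local administrator; $ExpectedAdmins is a placeholder allow-list.
$ExpectedAdmins = @('Administrator', 'CORP\Server Admins')
$hostname = $env:COMPUTERNAME

# 1. Local users with the signals an attestation review needs (stale, disabled, never-expiring).
$users = Get-LocalUser | Select-Object Name, Enabled, PasswordLastSet, PasswordExpires, LastLogon, SID

# 2. Local Administrators membership. Get-LocalGroupMember also returns domain principals
#    (PrincipalSource = ActiveDirectory), so nested domain groups are visible here too.
$admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
    # Local principals come back as HOST\name; strip the prefix so the allow-list can use bare names.
    $short = $_.Name -replace "^$([regex]::Escape($hostname))\\", ''
    [pscustomobject]@{
        Member   = $short
        Class    = $_.ObjectClass
        Source   = $_.PrincipalSource
        SID      = $_.SID.Value
        Expected = $short -in $ExpectedAdmins
    }
}

# 3. Which services and app pools log on as a local account. Rotating such an account without
#    updating these first breaks them at the next start, so this list drives the rotation job.
$localPrincipals = $users.Name | ForEach-Object { ".\$_"; "$hostname\$_" }

$serviceUse = Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -and ($_.StartName -in $localPrincipals) } |
    Select-Object @{ n = 'Dependent'; e = { "service:$($_.Name)" } },
                  @{ n = 'RunsAs';    e = { $_.StartName } },
                  State

$poolUse = @()
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    $poolUse = Get-ChildItem IIS:\AppPools | ForEach-Object {
        $pm = $_.processModel
        # Only identityType 'SpecificUser' carries a stored credential; built-in identities do not.
        if ($pm.identityType -eq 'SpecificUser' -and $pm.userName -in $localPrincipals) {
            [pscustomobject]@{ Dependent = "apppool:$($_.Name)"; RunsAs = $pm.userName; State = $_.state }
        }
    }
}

# 4. Report: unexpected administrators first, then the rotation dependency map.
Write-Host "Administrators on $hostname not on the allow-list:"
$admins | Where-Object { -not $_.Expected } | Format-Table Member, Class, Source, SID -AutoSize

Write-Host "Services and app pools running as local accounts on $hostname:"
@($serviceUse) + @($poolUse) | Sort-Object RunsAs | Format-Table -AutoSize

# 5. Accounts with passwords that never expire and are not referenced by any dependent are the
#    usual leftovers; they should be candidates for disabling rather than rotation.
$inUse = @($serviceUse.RunsAs) + @($poolUse.RunsAs) | ForEach-Object { ($_ -split '\\')[-1] }
$users | Where-Object { $_.Enabled -and -not $_.PasswordExpires -and $_.Name -notin $inUse } |
    Format-Table Name, PasswordLastSet, LastLogon -AutoSize
```

Run it per server and keep the output: the first table is what an attestation policy reviews, the second is the input a rotation run needs, and the third is the clean-up list.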
Schema Information
The tables below detail the schema for the EmpowerID Local Windows Connector, outlining the attributes, their display names, types, and other relevant information.
User Attributes
Security Boundary Attribute | Display Name | Object Attribute | Security Boundary Type | Attribute Type | Multi Value | Security Boundary Attribute ID | Object Attribute ID |
---|---|---|---|---|---|---|---|
Description | Description | Description | Local Windows Users | string | No | 22894 | 119 |
DisplayName | DisplayName | DisplayName | Local Windows Users | string | No | 22910 | 3 |
HomeDirDrive | HomeDirDrive | HomeDrive | Local Windows Users | string | No | 21841 | 51 |
HomeDirectory | HomeDirectory | HomeDir | Local Windows Users | string | No | 22060 | 50 |
LoginScript | LoginScript | LogonScript | Local Windows Users | string | No | 21840 | 97 |
MaxStorage | MaxStorage | MaxStorage | Local Windows Users | INT | No | 22058 | 115 |
Members | Members | Members | Local Windows Users | string | No | 26286 | 183 |
ProfilePath | ProfilePath | ProfilePath | Local Windows Users | string | No | 21842 | 94 |
Group Attributes
Security Boundary Attribute | Display Name | Object Attribute | Security Boundary Type | Attribute Type | Multi Value | Security Boundary Attribute ID | Object Attribute ID |
---|---|---|---|---|---|---|---|
Description | Description | Description | Local Windows Users | string | No | 22894 | 119 |
DisplayName | DisplayName | DisplayName | Local Windows Users | string | No | 22910 | 3 |
HomeDirDrive | HomeDirDrive | HomeDrive | Local Windows Users | string | No | 21841 | 51 |
HomeDirectory | HomeDirectory | HomeDir | Local Windows Users | string | No | 22060 | 50 |
LoginScript | LoginScript | LogonScript | Local Windows Users | string | No | 21840 | 97 |
MaxStorage | MaxStorage | MaxStorage | Local Windows Users | INT | No | 22058 | 115 |
Members | Members | Members | Local Windows Users | string | No | 26286 | 183 |
ProfilePath | ProfilePath | ProfilePath | Local Windows Users | string | No | 21842 | 94 |
Inventory and Monitoring
The connector maintains up-to-date user and group information through inventory and membership reconciliation settings. The Account Inbox offers a centralized view of all user accounts and their status, providing a comprehensive snapshot for administrators.
User and Group Management
Administrators can efficiently manage local user accounts via the EmpowerID interface:
User Management: Create, update, disable, and delete local user accounts.
Group Management: Create, update, and delete local groups and manage their membership.
Managing Windows Services and IIS Application Pools
The connector provides extensive management capabilities for Windows Services and IIS Application Pools:
Windows Services: Inventory and manage services on connected servers, including starting, stopping, and configuring service identities.
IIS Application Pools: Inventory and manage application pools, including the ability to start, stop, and recycle them.
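The script below is an added example and not code from the EmpowerID guide or product. It walks through one rotation of a local account together with the service and application pool identities that depend on it, which is the operation the Password Management and service/app pool sections above describe. It assumes it runs on the target as a local administrator; the account, service, and pool names are placeholders. Win32_Service.Change is used for the service logon because Set-Service has no -Credential parameter in Windows PowerShell 5.1, and the new secret is returned as a SecureString for whatever vault stores it (EmpowerID uses its own vault; that part is not shown).

```powershell
# Added example (not EmpowerID code): rotate a local account password and move its
# dependents (services and IIS app pools) to the new secret. Supports -WhatIf.
# Assumed: run on the target as a local administrator; names below are placeholders.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]   $Account  = 'svc_app',      # placeholder local account
    [string[]] $Services = @('AppSvc'),    # placeholder services that log on as .\svc_app
    [string[]] $AppPools = @('AppPool'),   # placeholder IIS app pools that run as .\svc_app
    [int]      $Length   = 32
)
$ErrorActionPreference = 'Stop'
Import-Module Microsoft.PowerShell.LocalAccounts
Import-Module WebAdministration

function New-RandomPassword {
    param([int] $Length)
    # CSPRNG rather than Get-Random; rejection sampling keeps every character equally likely.
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&*+-=?@_'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Length)
    $out   = New-Object char[] $Length
    $buf   = New-Object byte[] 1
    for ($i = 0; $i -lt $Length; ) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $out[$i++] = $alphabet[$buf[0] % $alphabet.Length] }
    }
    $rng.Dispose()
    -join $out
}

$plain  = New-RandomPassword -Length $Length
$secure = ConvertTo-SecureString $plain -AsPlainText -Force
$runAs  = ".\$Account"
$runAsForms = @($runAs, "$env:COMPUTERNAME\$Account")

# 1. Check before changing anything: the account exists and every dependent really uses it.
$null = Get-LocalUser -Name $Account
foreach ($s in $Services) {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$s'"
    if (-not $svc) { throw "Service $s not found" }
    if ($svc.StartName -notin $runAsForms) { throw "Service $s runs as '$($svc.StartName)', not $runAs" }
}
foreach ($p in $AppPools) {
    $pm = (Get-Item "IIS:\AppPools\$p").processModel
    if ($pm.userName -notin $runAsForms) { throw "App pool $p runs as '$($pm.userName)', not $runAs" }
}

# 2. Reset the account password. From here until step 3 completes, dependents still hold the
#    old secret, so the window is kept short and no step below is skipped on partial failure.
if ($PSCmdlet.ShouldProcess($Account, 'Reset local account password')) {
    Set-LocalUser -Name $Account -Password $secure
}

# 3. Re-point each dependent at the new secret and restart it so a fresh logon session is used.
foreach ($s in $Services) {
    if ($PSCmdlet.ShouldProcess($s, 'Update service logon password and restart')) {
        $svc = Get-CimInstance Win32_Service -Filter "Name='$s'"
        $r = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{ StartName = $runAs; StartPassword = $plain }
        if ($r.ReturnValue -ne 0) { throw "Win32_Service.Change on $s returned $($r.ReturnValue)" }
        Restart-Service -Name $s
    }
}
foreach ($p in $AppPools) {
    if ($PSCmdlet.ShouldProcess($p, 'Update app pool identity and recycle')) {
        # identityType 3 = SpecificUser; userName/password are written together so IIS keeps them consistent.
        Set-ItemProperty "IIS:\AppPools\$p" -Name processModel -Value @{ identityType = 3; userName = $runAs; password = $plain }
        Restart-WebAppPool -Name $p
    }
}

# 4. Hand the new secret to the vault as a SecureString and drop the plain-text copy.
$plain = $null
Write-Output $secure
```

Run with -WhatIf first to see the exact sequence of changes the script would make; the pre-checks in step 1 still execute, so a mismatch between the configured dependents and reality is caught before any password is touched.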
Enhancing Security and Compliance
The EmpowerID Local Windows Connector significantly enhances an organization's security posture and compliance practices:
Centralized Management: Reduces the risk of unauthorized access by providing centralized control over local accounts.
Real-Time Monitoring: Detects and responds to potential security incidents swiftly.
Compliance Support: Automated auditing and reporting streamline compliance with regulatory standards.
Conclusion
The EmpowerID Local Windows Connector is essential for efficiently and securely managing local Windows users and groups within an organization. Leveraging its core functionalities enhances security and compliance, while integration with the broader EmpowerID framework and Privileged Session Manager ensures unified and effective identity management across the enterprise. By incorporating the connector, organizations can achieve higher control and oversight over their local Windows environments, ultimately strengthening their IT infrastructure.