Are You Changing the Administrative Passwords on Your Offline Systems?
Historically, IT departments were able to directly manage all their systems because they were connected to the corporate network. IT could, at any time, reach out and connect to the systems to make changes immediately. But in today’s mobile-first and cloud-first world, most organizations operate with many disconnected systems - including air-gapped machines.
Even when disconnected, systems still need automatic and regular changes to the credentials on powerful administrator and root accounts. Otherwise, organizations cannot meet regulatory compliance mandates and are at risk from cyberattacks like pass-the-hash.
Privileged identity management solutions have long been able to change privileged passwords on connected systems. However, they often missed systems that were disconnected from the network.
Privileged Account Management for Disconnected Systems
Bomgar Privileged Identity can automatically update privileged account passwords on both connected and disconnected servers, desktops and laptops with Disconnected Account Management technology.
With Disconnected Account Management, all systems receive regularly scheduled password changes – regardless of the size of the enterprise and irrespective of connectivity – so that there are no privileged access security holes in the IT environment.
How Disconnected Account Management Works
Install Tenant Application
IT administrator creates different tenants (i.e. groups of systems) with different password policies
Each tenant generates different installer packages suitable for those user machines
IT administrator downloads a specially crafted application for each tenant
Pre-configured application is installed on each machine
Application automatically registers itself with either a public or private server
Application receives policy that defines how often to change the password, and how to generate new and unique local passwords
Application changes the root or administrator password on a regular schedule indefinitely
Share Secrets, Policies and Synchronized Clocks: Remote Application vs. Central Service
The central service and the remote application refer to the same synchronized clock
Both know the policy of when passwords get changed
A common secret defines the sequence of passwords that will be generated
Manage via Secure Web Interface
Policies for passwords are controlled by the web portal
Delegation of access is provided per tenant
Authorized IT administrators can retrieve the current password being generated on a remote machine at any time
The web interface shows how long the current password will remain valid, as well as the next password to be generated
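The shared-secret, policy and synchronized-clock scheme described under "How Disconnected Account Management Works", together with the portal view of the current password, its remaining validity and the next password, as an added Python illustration. This is not Bomgar's own code or algorithm: the tenant name, host name, policy fields and the HMAC-over-window-index derivation are assumptions chosen to show how two disconnected parties can agree on the same password sequence.

```python
import hashlib
import hmac
import string

# Constructed sample policy; the field names are assumptions, not Bomgar's format.
POLICY = {
    "rotation_seconds": 24 * 3600,                       # rotate once per day
    "length": 20,
    "alphabet": string.ascii_letters + string.digits + "!#%&*+-=?@",
}
SHARED_SECRET = b"constructed-tenant-secret-for-demo"   # constructed sample, never reuse


def window_index(now: int, policy: dict) -> int:
    """Number of the rotation window containing Unix time `now` (both sides agree on this)."""
    return int(now) // policy["rotation_seconds"]


def derive_password(secret: bytes, tenant: str, host: str, index: int, policy: dict) -> str:
    """Deterministic password for one (tenant, host, window): the same inputs give the same
    password on the central service and on the offline machine, with no network exchange."""
    alphabet = policy["alphabet"]
    limit = 256 - (256 % len(alphabet))   # rejection bound so every character is equally likely
    out, counter = [], 0
    while len(out) < policy["length"]:
        # Counter-mode HMAC keystream bound to tenant, host and rotation window.
        msg = f"{tenant}|{host}|{index}|{counter}".encode()
        for b in hmac.new(secret, msg, hashlib.sha256).digest():
            if b < limit:
                out.append(alphabet[b % len(alphabet)])
                if len(out) == policy["length"]:
                    break
        counter += 1
    return "".join(out)


def password_status(secret: bytes, tenant: str, host: str, now: int, policy: dict) -> dict:
    """What the portal shows an authorized admin: current password, seconds it stays valid, next one."""
    idx = window_index(now, policy)
    rot = policy["rotation_seconds"]
    return {
        "current": derive_password(secret, tenant, host, idx, policy),
        "valid_for_seconds": rot - (int(now) % rot),
        "next": derive_password(secret, tenant, host, idx + 1, policy),
    }


if __name__ == "__main__":
    # Constructed timestamp; a real deployment would use the synchronized clock.
    print(password_status(SHARED_SECRET, "finance", "laptop-42", 1_700_000_000, POLICY))
```

Because the sequence is fully determined by the shared secret, the secret must be protected at least as carefully as the passwords it generates, and clock drift larger than the rotation window would make the two sides disagree.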
Benefits of Disconnected Account Management
Change administrative passwords on offline systems automatically
Mitigate pass-the-hash attacks
Meet regulatory compliance requirements for password change frequency
Work connected or disconnected from the network/domain
Support Windows, Mac, Linux, UNIX, as well as embedded devices that support Python