Configure Windows Remote Target Accounts

Configuration steps for Windows Remote target accounts
This section describes the configuration steps for Windows Remote target accounts.
Prerequisites for Windows Remote Target Accounts
To configure Windows Remote target accounts, including Windows services, ensure that the following tasks are completed:
  • Add a device (target server) with Password Management as the device type.
    If you are adding an AWS Windows device, use the private IP address in the Address field of the account. Some features do not function properly when you use the public IP address.
  • Add a target application for the target server. This step includes associating Windows Remote with the host on which the Windows account resides. See Add a Windows Remote Target Connector.
  • If the Windows Remote target account is of Administrator account type, the account requires Administrator rights on the Windows server.
    If your target account is to be used as a service account (that is, it is to be used to rotate passwords of other target accounts), we recommend that you prevent this account from being able to log in interactively. To do this, assign the following User Rights to the Windows account:
    • Deny log on locally
    • Deny log on through Remote Desktop Services
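The following PowerShell check is an added example and is not part of the Symantec PAM documentation. It exports the local User Rights Assignment with secedit.exe and reports whether a given service account holds the two deny rights named above; the account name pamsvc is a constructed placeholder, and only direct assignments are resolved, not rights inherited through group membership.

```powershell
# Added example (not Symantec PAM documentation code): confirm that a PAM service
# account cannot log on interactively. Run in an elevated PowerShell session on the
# Windows target server. The account name is a constructed placeholder.
param(
    [string]$Account = 'pamsvc'   # placeholder; use the real PAM service account (DOMAIN\name for domain accounts)
)

# Privilege constants behind the two user rights listed in the prerequisites
$RequiredRights = @{
    'SeDenyInteractiveLogonRight'       = 'Deny log on locally'
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Remote Desktop Services'
}

# Resolve the account to its SID; secedit records assignees as *SID entries
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Export only the USER_RIGHTS area of the effective local security policy
$inf = Join-Path $env:TEMP 'pam-userrights.inf'
& secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null

# Parse "SePrivilegeName = *SID,*SID,Name" lines from the [Privilege Rights] section.
# Rights with no assignees at all are simply absent from the export.
$assigned  = @{}
$inSection = $false
foreach ($line in Get-Content $inf) {
    if ($line -match '^\s*\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if ($inSection -and $line -match '^(\S+)\s*=\s*(.*)$') {
        $assigned[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# Report each required deny right. Only direct assignment is checked here; a right granted
# to a group the account belongs to is not resolved and shows as MISSING.
$ok = $true
foreach ($right in $RequiredRights.Keys) {
    $holders = $assigned[$right]
    $present = ($null -ne $holders) -and ($holders -contains $sid -or $holders -contains $Account)
    if (-not $present) { $ok = $false }
    '{0,-45} {1}' -f $RequiredRights[$right], $(if ($present) { 'assigned' } else { 'MISSING' })
}
if (-not $ok) {
    Write-Warning "Account '$Account' can still log on interactively; assign the missing right(s) in Local Security Policy (secpol.msc) or by GPO."
}
```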
To add a Windows Remote Target account using the CLI, see Windows Remote Target Connector CLI Configuration.
Create a Windows Remote Target Account
Follow these steps:
  1. Select Credentials, Manage Targets, Accounts. The Target Account page appears with a list of existing accounts.
  2. Select Add. The Add Target Account page appears.
  3. Select the Host Name magnifying glass to find an existing target server. Selecting the server fills in the Host Name and Device Name.
  4. Select the Application Name magnifying glass to find an existing target application on the target server, or select + to create a target application. Select or create a Windows Remote type of target application.
    The Windows Remote tab appears on the Add Target Account page.
  5. Enter the Account Name. The account name must be unique for a given target application and must be the account name that the target system uses.
  6. Select the Password View Policy for the account.
  7. Enter an initial account Password or select the Generate Credential key icon to generate a default password.
  8. On the Password tab, select Discovery Allowed to discover accounts on the Windows remote system. Select the appropriate synchronization option:
    • Update only the Credential Manager Server: Passwords are updated only in Credential Manager. Credential Manager and target system passwords can differ.
    • Update both the Credential Manager Server and the target system: Password updates are performed both in Credential Manager and on the target system to maintain consistency.
  9. On the Windows Remote tab, do the following steps:
    1. Select the Account Type:
      • User: Use a regular user account.
      • Administrator: Use an administrator account.
    2. Select the Change Process:
      • If you selected User as your Account Type, select Use the following account to change password and type the name of, or use the magnifying glass icon to specify, an account of the Administrator account type for the same Windows Remote application.
      • If you selected Administrator as your Account Type, use either Change Process option.
      • (Optional) If you are adding or updating an account and you do not know the existing password, select the Force password change checkbox. The existing password is changed even though the account is not in sync.
    3. Select OK to save.
Your new Windows target account is added to the list of accounts on the Target Accounts page.
Configure PAM to Allow Non-Administrative Users to Unlock Windows Remote Target Accounts Without Administrative Privileges
This feature provides self-service password unlock for privileged users who are inadvertently locked out of an account whose password they have permission to view. However, we strongly recommend that administrators who provision privileged account access consider the security and compliance policy implications of configuring this functionality. Self-service unlock events are included in the session log for auditing purposes.
This procedure describes how to configure PAM to enable a local non-administrative user to unlock a Windows Remote target account that has been locked for some reason, such as in the following example scenario:
  1. A user logs into PAM, accesses a target account for a Windows system, and checks out the credentials. The target account is assigned a password view policy with the following options set:
    • Check-out / Check-in
    • Change Password on View
  2. Later on, the user attempts to log in to the Windows system from an external terminal emulator using the password they checked out earlier, but it is no longer valid for one of the following reasons:
    • The Force check-in after period configured in the password view policy has expired and the password has been rotated.
    • A local administrator has changed the password on the Windows system.
  3. The user reattempts to use the password until they exceed the maximum number of allowed failed login attempts configured on the Windows system, and the account is locked.
Configure the Server
Complete the following procedure to configure Privileged Access Manager to allow non-administrative users to unlock a locked Windows Remote target account.
Follow these steps:
  1. Navigate to Credentials, Manage Targets, Accounts.
  2. Select the target account for the Windows system and select UPDATE.
  3. In the Update dialog that opens, select the Windows Remote tab.
  4. Select the Use the following account to change password option and specify the name of a target account that has privileges to unlock the account on the Windows machine.
  5. Set the Unlock locked account option.
  6. Select OK to save.
Unlock Situations
The following unlock situations only apply when PAM is configured to allow non-administrative users to unlock Windows Remote target accounts without administrative privileges as shown earlier in this section.
Privileged Access Manager
unlocks a locked Windows account and generates a new password when any of the following actions occurs:
  • If the associated password view policy has the Change Password on View option set, a standard user checks in the existing password associated with the locked account.
  • A Privileged Access Manager administrator with the necessary privileges rotates the password.
  • A scheduled job rotates the password.
Logging
Unlock events are captured in the session log (Sessions, Logs). To isolate them, use the following filter parameters:
  • Column=Details
  • Value=PAM-CM-5030
The User Name field of the logged event indicates whether the unlock was performed by a standard user, an administrator, or a scheduled job.
Discover Windows Services and Scheduled Tasks
You can use account discovery to manage credentials of multiple Windows services and scheduled tasks.
Symantec PAM can use the target account to manage changes and updates for any services and scheduled tasks that use this account. You do not have to update the password on an individual service or scheduled task basis.
This procedure is for local Windows accounts. To discover services and scheduled tasks for Active Directory accounts, see Discover Services and Scheduled Tasks for AD Accounts.
Prerequisite
Before you run account discovery, go to the Account Discovery tab of the Windows Remote Target application. Select the discover option for services or tasks. You can select both.
Discover Services and Tasks
To discover new tasks and services on Windows remote accounts, follow these steps:
  1. Select Credentials, Discovery.
  2. On the Scan Profiles tab, select Run for the profile of the account you want to update.
    If a profile does not exist, follow these steps:
    1. Select Add.
    2. Give the profile a Name.
    3. On the Servers tab, select the Server that is associated with the remote account.
    4. Select Run.
  3. Select the Discovered Accounts tab.
    Windows Remote accounts that have updates available display a green checkbox under the Updates Available column.
  4. Select the Update button for the Windows Remote account with updates available.
    The Update Discovered Accounts window appears. Available Services and Scheduled Tasks appear on their respective tabs.
  5. Select OK.
  6. Select Yes when you are prompted to Update Selected Accounts.
  7. To see a list of services and scheduled tasks:
    1. Select Credentials, Manage Targets, Accounts.
    2. Select the Services and Scheduled Tasks tabs to display the list of accounts.
To remove tasks and services from a Windows Remote target account, follow these steps:
  1. Select Credentials, Manage Targets, Accounts.
  2. Select the account that you want to modify.
  3. Select Update.
  4. Select the Services or Scheduled Tasks tab.
  5. To delete a service or task, select the X next to the entry.