Add a Windows Remote Target Connector
The Windows Remote target connector lets PAM manage Windows accounts and the passwords for services and scheduled tasks that are local to the Windows server. The Windows Remote Target Connector is an alternative to the Windows Proxy Connector that does not require you to install software in the Windows domain.
Two other Windows connectors are available:
- Windows Proxy Connector - functions similarly to this Windows Remote Connector, but you must install the connector on a remote server in your target domain. See Add a Windows Proxy Connector.
- Active Directory Connector - manages passwords of Active Directory accounts. See Active Directory Target Connector.
This connector uses Samba commands and remote Windows API calls to update account, service, and scheduled task passwords. Discovery and password changes for services and scheduled tasks can incur extra overhead on the target server.
To add the target connector using the CLI, see the Windows Remote Target Connector CLI Configuration.
Prerequisites for Using the Windows Remote Connector
- To configure Windows Remote target accounts, first create a device (target server) that is assigned a device type of Password Management. For an AWS or Azure Windows device, use the private IP address; some features do not function properly when you use the public IP address.
- Prepare the target server for using the Windows Remote Connector with the following information:
- Ports Used by the Connector: The Windows Remote Connector requires these ports to be open in the firewall:
- SMB: port 445
- WMI: port 135 (the RPC endpoint mapper) and the dynamic RPC port range, 49152 through 65535 on current Windows versions or 1024 through 4999 on older versions
- Disable the Guest Account: If the guest account in the domain or on the target server is enabled, the connector tries to verify its password, which does not exist. Disable this account to prevent a spurious password verification failure.
- User Account Control (UAC) workaround: If UAC is enabled on the target server and the account used for password management is a local administrator, UAC remote restrictions block the SMB and WMI operations that the connector needs. To give the connector access, add the LocalAccountTokenFilterPolicy registry value to remove the remote restrictions:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = dword:00000001
WMI traffic is encrypted, so a password that is updated through WMI is encrypted in transit.
- Review Group or Local Policy Security Options: The default network security values on Windows systems allow the Windows Remote Connector to function. However, if certain settings are too restrictive, Windows Remote password management fails. To ensure that Windows Remote operates correctly, verify the following settings in the Group or Local Policy Security Options. Go to Start, Administrative Tools, Local Security Policy, Local Policies, Security Options.
- Network security: Restrict NTLM: Incoming NTLM traffic: Allow all or Not Defined
- Network security: Restrict NTLM: NTLM authentication in this domain: Disable, Not Defined, or Deny for domain accounts
- Set the Local System Context: The Windows Remote Connector can run in the context of a local system account. This allows successful management and updates of local Windows accounts, service passwords, and scheduled task passwords. The Windows Remote Administrator account that you add to the appliance must be a member of the local Administrators group on the target server.
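The prerequisites above are individually simple but easy to miss on one server out of many. The following PowerShell script is an added example, not part of the PAM documentation or product: run elevated on the target server, it audits each prerequisite (Guest account, LocalAccountTokenFilterPolicy, the two Restrict NTLM policies, the inbound SMB and WMI firewall rule groups, and local Administrators membership) and, with the script's own -Fix switch, applies the local ones. The account name pamadmin, the -Fix switch, and the registry-value-to-policy mappings in the comments are this example's assumptions; Windows Server 2016 or later with Windows PowerShell 5.1 is assumed.

```powershell
<#
  Added example, not from the PAM documentation: audit a target server against the
  Windows Remote Connector prerequisites and, with -Fix, apply the local ones.
  Assumes Windows Server 2016 or later (Windows PowerShell 5.1 with the LocalAccounts
  and NetSecurity modules) and an elevated session on the target server itself.
  $PamAdminAccount is a placeholder for the Windows Remote Administrator account
  you add to the appliance.
#>
[CmdletBinding()]
param(
    [string]$PamAdminAccount = 'pamadmin',
    [switch]$Fix
)

$findings = @()

# 1. Guest account: if enabled, the connector tries to verify a password that does not exist.
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
if ($guest -and $guest.Enabled) {
    $findings += 'Guest account is enabled'
    if ($Fix) { Disable-LocalUser -Name 'Guest' }
}

# 2. UAC remote restrictions: LocalAccountTokenFilterPolicy = 1 lets a local administrator
#    obtain a full token over SMB and WMI instead of a filtered one.
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$latfp  = (Get-ItemProperty -Path $polKey -Name 'LocalAccountTokenFilterPolicy' -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
if ($latfp -ne 1) {
    $findings += "LocalAccountTokenFilterPolicy is '$latfp' (expected 1)"
    if ($Fix) {
        New-ItemProperty -Path $polKey -Name 'LocalAccountTokenFilterPolicy' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# 3. NTLM restriction policies. Both live under MSV1_0; an absent value means "Not Defined".
#    RestrictReceivingNTLMTraffic: 0 = Allow all, 1 = Deny all domain accounts, 2 = Deny all accounts
#    RestrictNTLMInDomain:         0 = Disable, 3 = Deny for domain accounts, 7 = Deny all
#    (1 and 5 are the partial "to domain servers" / "for domain servers" denies).
#    These are normally enforced by GPO, so they are reported here, not changed.
$lsa      = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
$incoming = $lsa.RestrictReceivingNTLMTraffic
if ($null -ne $incoming -and $incoming -ne 0) {
    $findings += "Restrict NTLM: Incoming NTLM traffic = $incoming (must be Allow all or Not Defined)"
}
$inDomain = $lsa.RestrictNTLMInDomain
if ($null -ne $inDomain -and $inDomain -notin 0, 3) {
    $findings += "Restrict NTLM: NTLM authentication in this domain = $inDomain (must be Disable, Not Defined, or Deny for domain accounts)"
}

# 4. Firewall: TCP 445 (SMB) and TCP 135 plus the dynamic RPC range (WMI over DCOM). The built-in
#    rule groups cover both, and enabling them is the supported way to open the dynamic range.
foreach ($group in 'File and Printer Sharing', 'Windows Management Instrumentation (WMI)') {
    $disabled = Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -ne 'True' }
    if ($disabled) {
        $findings += "Inbound firewall rule group '$group' has disabled rules"
        if ($Fix) { $disabled | Enable-NetFirewallRule }
    }
}

# 5. The Windows Remote Administrator account must be in the local Administrators group.
#    Get-LocalGroupMember reports names as "SERVER\name" (or "DOMAIN\name").
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
if (-not ($admins | Where-Object { $_.Name -eq $PamAdminAccount -or $_.Name -like "*\$PamAdminAccount" })) {
    $findings += "'$PamAdminAccount' is not a member of the local Administrators group"
}

# 6. Report the dynamic TCP range actually in use, so the rule between the appliance and this
#    server can be scoped to that range rather than to everything above port 1024.
$rpcRange = (netsh int ipv4 show dynamicport tcp) -join ' '

if ($findings.Count -eq 0) {
    Write-Output 'All Windows Remote Connector prerequisites are satisfied.'
} else {
    Write-Output 'Findings:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
Write-Output "Dynamic TCP port range: $rpcRange"
```

Run it once without -Fix to see the findings, then with -Fix (for example `.\Test-WinRemotePrereqs.ps1 -PamAdminAccount pamadmin -Fix`). Only the Guest account, the registry value, and the firewall rules are changed; the NTLM policies are reported only, because on a domain-joined server a local change would be overwritten by Group Policy at the next refresh and should be corrected in the GPO instead.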
Add the Target Application and Connector
Follow these steps in the UI:
- Select Credentials, Manage Targets, Applications.
- Fill in the following fields:
- Host Name of the target server
- Device Name
- Application Name: the name must be unique.
- In the Application Type field, select Windows Remote.
- (Optional) Select a Password Composition Policy.
- If you are using target groupings, add Descriptors.
- Select the Windows Remote tab.
- For the Account Type, select one of the following options:
- Local Account: manages only local accounts on the target server.
- Domain Account: manages Windows domain accounts. We recommend the Active Directory connector for managing domain accounts. For a Domain Account, a drop-down list becomes active with the following options:
- Target Server is Domain Controller (for domain administrator accounts only)
- Domain Controllers are on servers (with a Specify Servers text field): enter one or more servers, separated by commas.
- Lookup Domain Controllers in DNS
- Lookup Domain Controllers in specified (with a Specify DNS text field): enter one or more DNS servers, separated by commas.
- Domain Name: specify the Windows domain of the managed account.
- Active Directory Site: this field is not active for the Target Server is Domain Controller option. If you enter a value, the search for domain controllers is narrowed to the site with that name. If the field is empty, all domain controllers in DNS are searched.
- DC replication time (in ms): enter the domain controller replication time, in milliseconds.
- For Active Directory Connect Timeout, enter the timeout for connecting to AD, in milliseconds.
- For Active Directory Read Timeout, enter the timeout for reading from AD, in milliseconds.
- On the Account Discovery tab, select Discover Services and Discover Tasks. (Optional) Specify a filter for Accounts. If you do not specify a filter, all accounts on the Windows server are discovered. Only the * wildcard character is supported in filters. Example: User*
- Select OK to save the application.
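Before enabling Discover Services and Discover Tasks on a production server, it helps to know what a given account filter will pull in, because every discovered service or task becomes something the connector restarts or rewrites on the next password change. The following PowerShell script is an added example, not part of the PAM documentation or product: run on the target server, it applies the same single-wildcard account filter (for example User*) to the local accounts, then lists the services (Win32_Service.StartName) and scheduled tasks (task principal) that log on as one of those accounts. The connector's exact discovery rules are not documented on this page; the script mirrors the obvious ones and treats the -AccountFilter parameter, the Resolve-LocalName helper, and the LogonType column as its own assumptions.

```powershell
<#
  Added example, not from the PAM documentation: preview what the Account Discovery tab
  will report for a target server, using the same single-wildcard account filter (e.g. "User*").
  Assumes Windows PowerShell 5.1 (LocalAccounts and ScheduledTasks modules) and that it runs
  on the target, either directly or through Invoke-Command.
#>
param([string]$AccountFilter = '*')

# PAM filters support only '*'. PowerShell's -like also treats '?' and '[...]' as wildcards,
# so reject them rather than silently matching more accounts than the operator asked for.
if ($AccountFilter -match '[\?\[\]]') {
    throw "Only the * wildcard is supported in account filters (got '$AccountFilter')"
}

$computer = $env:COMPUTERNAME

# Local principals appear as ".\name", "COMPUTER\name" or a bare "name"; reduce all three to "name".
# Domain and built-in principals (DOMAIN\x, NT AUTHORITY\x, NT SERVICE\x) return $null so they never match.
function Resolve-LocalName([string]$principal) {
    if ([string]::IsNullOrWhiteSpace($principal)) { return $null }
    $parts = $principal -split '\\', 2
    if ($parts.Count -eq 1) { return $parts[0] }
    if ($parts[0] -eq '.' -or $parts[0] -eq $computer) { return $parts[1] }
    return $null
}

# 1. Accounts: an empty filter is the same as '*', i.e. every local account is discovered.
if ([string]::IsNullOrWhiteSpace($AccountFilter)) { $AccountFilter = '*' }
$names = @(Get-LocalUser | Where-Object { $_.Name -like $AccountFilter } | ForEach-Object Name)

# 2. Services whose logon account is one of the discovered local accounts.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { (Resolve-LocalName $_.StartName) -in $names } |
    Select-Object @{ n = 'Account'; e = { Resolve-LocalName $_.StartName } }, Name, State, StartMode

# 3. Scheduled tasks that run as one of those accounts. Only LogonType 'Password' tasks store a
#    credential that a password change must rewrite; S4U and Interactive tasks do not, so the
#    LogonType is shown alongside each task.
$tasks = Get-ScheduledTask |
    Where-Object { (Resolve-LocalName $_.Principal.UserId) -in $names } |
    Select-Object @{ n = 'Account'; e = { Resolve-LocalName $_.Principal.UserId } },
                  TaskName, TaskPath, State, @{ n = 'LogonType'; e = { $_.Principal.LogonType } }

[pscustomobject]@{
    Computer = $computer
    Filter   = $AccountFilter
    Accounts = $names
    Services = @($services)
    Tasks    = @($tasks)
}
```

Run it locally as `.\Preview-PamDiscovery.ps1 -AccountFilter 'User*'`, or from an admin workstation with `Invoke-Command -ComputerName <target> -FilePath .\Preview-PamDiscovery.ps1 -ArgumentList 'User*'`. Note that Invoke-Command uses WinRM, not the SMB and WMI path the connector itself uses, so a successful preview does not prove the connector's ports are open; it only shows which accounts, services, and tasks the filter would select.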