Configure Windows Remote Target Accounts
Configuration steps for Windows Remote target accounts
This section describes the configuration steps for Windows Remote target accounts.
Prerequisites for Windows Remote Target Accounts
To configure Windows Remote target accounts, including Windows services, ensure that the following tasks are completed:
- Add a device (target server) with Password Management as the device type. If you are adding an AWS Windows device, use the private IP address in the Address field of the account. Some features do not function properly when you use the public IP address.
- Add a target application for the target server. This step includes associating Windows Remote with the host on which the Windows account resides. See Add a Windows Remote Target Connector.
- If the Windows Remote target account is of the Administrator account type, the account requires Administrator rights on the Windows server. If your target account is to be used as a service account (that is, it is used to rotate the passwords of other target accounts), we recommend that you prevent this account from logging in interactively. To do this, assign the following User Rights to the Windows account:
- Deny log on locally
- Deny log on through Remote Desktop Services
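The following PowerShell script is an added example and is not part of the PAM documentation or product. It verifies, from an elevated session on the target Windows server, that the service account actually holds both "Deny log on" rights after you have assigned them: it exports the local user-rights policy with secedit, resolves the account to its SID, and reports any right that is missing. The account name shown is a placeholder; replace it with your own service account.

```powershell
# Added example (not from the PAM documentation): confirm that a Windows account used
# as a PAM service account is denied interactive and Remote Desktop logon.
# Assumes an elevated PowerShell session on the target server. The account name is a placeholder.
param(
    [string]$AccountName = 'CONTOSO\pam-svc-rotator'   # placeholder, replace with your service account
)

# secedit records right holders as SIDs prefixed with '*', so resolve the account to its SID first.
$sid = (New-Object System.Security.Principal.NTAccount($AccountName)).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights area of the local security policy to a temporary INF file.
$inf = Join-Path $env:TEMP 'user-rights-check.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# Parse lines of the form: SeDenyInteractiveLogonRight = *S-1-5-21-...,*S-1-5-32-546
# Rights with no holders are simply absent from the export.
$rights = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$matches[1]] = $matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# Policy constants for the two rights named in the prerequisites above.
$required = @{
    'SeDenyInteractiveLogonRight'       = 'Deny log on locally'
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Remote Desktop Services'
}

$missing = @()
foreach ($constant in $required.Keys) {
    $holders = $rights[$constant]
    if (-not $holders -or $holders -notcontains $sid) {
        $missing += $required[$constant]
    }
}

if ($missing.Count -eq 0) {
    Write-Output "OK: $AccountName ($sid) is denied local and Remote Desktop logon."
} else {
    Write-Output "MISSING for $AccountName ($sid): $($missing -join '; ')"
    exit 1
}
```

The check compares SIDs rather than names because secedit writes SIDs in its export, and it treats an absent right as a failure rather than an error, since secedit omits rights that no principal holds. Run it again after any Group Policy refresh, because domain policy can overwrite locally assigned user rights.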
To add a Windows Remote Target account using the CLI, see Windows Remote Target Connector CLI Configuration.
Create a Windows Remote Target Account
Follow these steps:
- Select Credentials, Manage Targets, Accounts. The Target Accounts page appears with a list of existing accounts.
- Select Add. The Add Target Account page appears.
- Select the Host Name magnifying glass to find an existing target server. The Host Name and Device Name fields are filled in.
- Select the Application Name magnifying glass to find an existing target application on the target server, or select + to create a target application. Select or create a Windows Remote type of target application. The Windows Remote tab appears on the Add Target Account page.
- Enter the Account Name. The account name must be unique for a given target application and must be the account name that the target system uses.
- Select the Password View Policy for the account.
- Enter an initial account Password, or select the Generate Credential key icon to generate a default password.
- On the Password tab, select Discovery Allowed to discover accounts on the Windows remote system. Select the appropriate synchronization option:
- Update only the Credential Manager Server: Passwords are updated only in Credential Manager. Credential Manager and target system passwords can differ.
- Update both the Credential Manager Server and the target system: Password updates are performed both in Credential Manager and on the target system to maintain consistency.
- On the Windows Remote tab, do the following steps:
- Select the Account Type:
- User: Use a regular user account.
- Administrator: Use an administrator account.
- Select the Change Process:
- If you selected User as your Account Type, select Use the following account to change password and type the name of, or use the magnifying glass icon to specify, an account of the Administrator account type for the same Windows Remote application.
- If you selected Administrator as your Account Type, use either Change Process option.
- (Optional) If you are adding or updating an account and you do not know the existing password, select the Force password change checkbox. The existing password is changed even though the account is not in sync.
- Select OK to save.
Your new Windows target account is added to the list of accounts on the Target Accounts page.
Configure PAM to Allow Non-Administrative Users to Unlock Windows Remote Target Accounts Without Administrative Privileges
This procedure describes how to configure PAM to enable a local non-administrative user to unlock a Windows Remote target account that has been locked for some reason.
This feature provides self-service password unlock for privileged users who are inadvertently locked out of an account whose password they have permission to view. However, we strongly recommend that administrators who provision privileged account access consider the security and compliance policy implications of configuring this functionality. Self-service unlock events are included in the session log for auditing purposes.
Example scenario:
- A user logs into PAM and accesses a target account for a Windows system and checks out the credentials. The target account is assigned a password view policy with the following options set:
- Check-out / Check-in
- Change Password on View
- Later on, the user attempts to login to the Windows system from an external terminal emulator using the password they checked out earlier but it is no longer valid for one of the following reasons:
- The Force check-in after period configured in the password view policy has expired and the password has been rotated.
- A local administrator has changed the password on the Windows system.
- The user reattempts to use the password until they exceed the maximum number of allowed failed login attempts configured on the Windows system and the account is locked.
Configure the Server
Complete the following procedure to configure Privileged Access Manager to allow non-administrative users to unlock a locked Windows Remote target account.
Follow these steps:
- Navigate to Credentials, Manage Targets, Accounts.
- Select the target account for the Windows system and select UPDATE.
- In the Update dialog that opens, select the Windows Remote tab.
- Select the Use the following account to change password option and specify the name of a target account that has privileges to unlock the account on the Windows machine.
- Set the Unlock locked account option.
- Select OK to save.
The following unlock situations only apply when PAM is configured to allow non-administrative users to unlock Windows Remote target accounts without administrative privileges as shown earlier in this section.
Privileged Access Manager unlocks a locked Windows account and generates a new password when any of the following actions occurs:
- If the associated password view policy has the Change Password on View option set, a standard user checks in the existing password associated with the locked account.
- A Privileged Access Manager administrator with the necessary privileges rotates the password.
- A scheduled job rotates the password.
Unlock events are captured in the session log (Sessions, Logs). To isolate them, use the following filter parameters:
The User Name field indicates whether the unlock was performed by a standard user, an administrator, or a scheduled job.
Discover Windows Services and Scheduled Tasks
You can use account discovery to manage credentials of multiple Windows services and scheduled tasks.
PAM can use the target account to manage changes and updates for any services and scheduled tasks that use this account. You do not have to update the password on an individual service or scheduled task basis.
This procedure is for local Windows accounts. To discover services and scheduled tasks for Active Directory accounts, see Discover Services and Scheduled Tasks for AD Accounts.
Before you run account discovery, go to the Account Discovery tab of the Windows Remote Target application. Select the discover option for services or tasks. You can select both.
Discover Services and Tasks
To discover new tasks and services on Windows remote accounts, follow these steps:
- On the Scan Profiles tab, select Run for the profile of the account you want to update. If a profile does not exist, follow these steps:
- Give the profile a Name.
- On the Servers tab, select the Server that is associated with the remote account.
- Select the Discovered Accounts tab. Windows Remote accounts that have updates available display a green checkbox under the Updates Available column.
- Select the Update button for the Windows Remote account with updates available. The Update Discovered Accounts window appears. Available Services and Scheduled Tasks appear on their respective tabs.
- Select Yes when you are prompted to Update Selected Accounts.
- To see a list of services and scheduled tasks:
- Select Credentials, Manage Targets, Accounts.
- Select the Services and Scheduled Tasks tabs to display the list of accounts.
To remove tasks and services from a Windows Remote target account, follow these steps:
- Select Credentials, Manage Targets, Accounts.
- Select the account that you want to modify.
- Select the Services or Scheduled Tasks tab.
- To delete a service or task, select the X next to the entry.