Security Basics mailing list archives

Re: enterprise password manager


From: "Barbod Kiani" <B_Kiani () ISC IRANET NET>
Date: Sat, 12 Sep 2009 10:40:03 +0430

Try RBAC, IDM & checkout the following:

http://www.sun.com/software/products/rolemanager/ds_rolemanager.pdf

http://www.sun.com/software/products/opensso_enterprise/index.xml

Just FYI, you can also apply the following general rules to your security list (for your password manager):

1) One-time passwords if you have trust level 1 (RSA SecurID can be obtained)
2) Follow the password complexity guidelines (e.g., the Rainbow Series)
3) Password field for each ID populated; no blanks for any IDs (remember, ONLY one uid 0)
4) Disallow the use of the same password
5) Password shadowing where it is needed
6) An authorized record of approved access from your company's senior officers before doing any of the things you asked about!
7) UUCP and the like are disabled.
8) No embedded cleartext passwords in your known connection scripts or in your console keys.
9) Using the same passwords as provided by vendors is prohibited.
10) No access to single-user mode is given from unknown and unsecured locations without a password.
11) Create specific password strings if SNMP is needed.


Respectfully yours,
Bob Kiani


----- Original Message ----- From: "martin" <martiniscool () gmail com>
To: <security-basics () securityfocus com>
Sent: Tuesday, September 08, 2009 6:47 PM
Subject: enterprise password manager


Hi All

I'm looking for a password manager for use in our company for storing
customers' passwords.  Ideally, I would like one which can:

1. Require a username and password to access (or using AD would be even better)
2. Give different passwords depending on group membership (again, AD
groups preferable)
3. Require that a user be a member of multiple groups in order to be
given access to a password.  E.g., a user must be in the engineers group
AND in the managers group.
4. Only give a lower level of access if a user is a member of a
particular group.  E.g., if a user is in the engineers group AND the
contractors group, they will only be given a read-only password (if
available).  If they were only in the contractors group, they wouldn't
get any password.
5. Obviously, use encryption
6. Doesn't have to be free

I'm also looking for something similar that can be used to store
config files for routers, switches, firewalls etc.

I know this is a lot to ask, but I'd like to hear what other people are using.

Thanks in advance
M
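The group-membership rules in the request above (all required groups must match, and membership in a restricted group such as contractors demotes the user to a read-only credential or to nothing) can be written down as a small policy function. This is an added example, not code from the original thread or from any product mentioned in it; the secret names, group names and credential values are constructed placeholders, and the group set is assumed to come from the directory (e.g. AD) already resolved.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Tuple

# Groups whose membership caps a user at read-only access (requirement 4).
RESTRICTED_GROUPS = frozenset({"contractors"})


@dataclass(frozen=True)
class Secret:
    name: str
    required_groups: FrozenSet[str]          # user must be in ALL of these (req. 3)
    full_value: str                           # full-access credential
    read_only_value: Optional[str] = None     # lower-privilege credential, if one exists


def resolve_access(secret: Secret, user_groups: Iterable[str]) -> Tuple[str, Optional[str]]:
    """Return ("full", value), ("read-only", value) or ("none", None).

    Evaluation order matters: the AND requirement is checked first, so a
    contractor who lacks a required group never sees any credential, and
    the restricted-group demotion is applied only after the AND passes.
    """
    groups = frozenset(user_groups)
    if not secret.required_groups <= groups:          # missing a required group
        return ("none", None)
    if groups & RESTRICTED_GROUPS:                    # demote, never elevate
        if secret.read_only_value is None:
            return ("none", None)                     # no lower tier available
        return ("read-only", secret.read_only_value)
    return ("full", secret.full_value)


# Constructed sample vault entries (placeholder values, not real credentials).
CUSTOMER_DB = Secret("customer-db", frozenset({"engineers"}),
                     full_value="FULL-PLACEHOLDER", read_only_value="RO-PLACEHOLDER")
CORE_ROUTER = Secret("core-router", frozenset({"engineers", "managers"}),
                     full_value="ROUTER-PLACEHOLDER")          # no read-only variant

if __name__ == "__main__":
    for who, groups in [("alice", {"engineers", "managers"}),
                        ("bob", {"engineers", "contractors"}),
                        ("carol", {"contractors"})]:
        for s in (CUSTOMER_DB, CORE_ROUTER):
            print(who, s.name, resolve_access(s, groups)[0])
```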

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
