Security Basics mailing list archives

RE: Admin password management


From: "Cornwell, Kay (NIH/NIGMS) [E]" <CornwelK () nigms nih gov>
Date: Wed, 20 May 2009 15:18:05 -0400

I have not used this product in an ISP environment; ours is a smaller
enterprise environment.  But I would suggest looking at E-DMZ's Password
Auto Repository product (hardware device, a 2nd device provides failover).


That is supposed to handle Windows, Unix, SQL and Oracle passwords and
provides a web-based retrieval process that is logged.  You can specify
who has authorization to retrieve a password, or you can have a web-based
authorization process (an email is sent to an authorizer, and you can set
multiple levels - requires 1, 2 or more authorizers to approve).

The requestor must input a reason for retrieval. Passwords for the
Windows environment can be changed on an automatic schedule - I believe
that you can also do this for other platforms and Oracle, or you can
have password changes occur manually (i.e. use PAR to generate a random
password, type it in and tell PAR the change was successful, and then it
registers the password change).

I did not price the product myself, so I am not sure about cost. We have been
using it here with success.


E-DMZ Password Auto Repository 

http://www.e-dmzsecurity.com/

Kay Cornwell, MS
GSEC, GSLC, GSAE


-----Original Message-----
From: mamo [mailto:mamo74 () gmail com] 
Sent: Wednesday, May 20, 2009 8:48 AM
To: security-basics () securityfocus com
Subject: Admin password management

Hi all.

I am responsible for the security of a small ISP. I need to manage the
admin passwords of all the machines of the ISP (around 200 systems, mainly
with Linux, Windows and Solaris OS).
By admin user I mean accounts like root, oracle, Oracle sys, MSSQL SA,
BEA admin password etc. We have a policy that requires users to
authenticate with a nominal username/password (and sudo on UN*X), but
there are situations where accessing with the admin password is required,
and it is not acceptable to share the password with the whole group that
works on IT Assurance activity.

I would like to have a product that:
- Logs who takes which password
- Logs who changes the password
- Permits generating a new random password
- Has "decent" security
- Permits profiling who can see which password (not mandatory)
- Permits adding a note to the activity (why the user needed to
take the admin password)

I am looking for a product that will be used by around 50-100 people
who manage the ISP (not like KeePass or Password Safe, where the user
has the encrypted DB with all the passwords on the PC).
I would appreciate being able to do this with an Open Source
product, but I can also evaluate commercial products.

Do you have any experience to share of products that match my
description?

Thank you.
Mamo
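The retrieval workflow Kay describes (authorization, a mandatory reason, logged checkouts, random generation, registering a manual change) maps closely onto mamo's requirement list. The following is an added, constructed illustration of that workflow in a minimal in-memory vault; it is not code from the thread or from E-DMZ's PAR product, and the account and user names are made up:

```python
import secrets
import string
from datetime import datetime, timezone


class PrivilegedPasswordVault:
    """Constructed toy vault: grants decide who may retrieve which account,
    every retrieval or change is written to an append-only audit list."""

    ALPHABET = string.ascii_letters + string.digits + string.punctuation

    def __init__(self, grants):
        self.grants = grants   # {user: set of account names the user may retrieve}
        self.store = {}        # account -> current password (memory only, for the demo)
        self.audit = []        # one dict per retrieval, change or denial

    def _log(self, event, actor, account, reason=None):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "event": event, "actor": actor,
                           "account": account, "reason": reason})

    def rotate(self, actor, account, length=24):
        """Generate a new random password with the CSPRNG and record who did it."""
        new = "".join(secrets.choice(self.ALPHABET) for _ in range(length))
        self.store[account] = new
        self._log("rotate", actor, account)
        return new

    def register_manual_change(self, actor, account, new_password):
        """Operator changed the password by hand and tells the vault (PAR-style)."""
        self.store[account] = new_password
        self._log("manual-change", actor, account)

    def checkout(self, actor, account, reason):
        """Retrieve a password: requires a grant and a stated reason; always logged."""
        if not reason or not reason.strip():
            self._log("denied-no-reason", actor, account)
            raise PermissionError("a reason for retrieval is required")
        if account not in self.grants.get(actor, set()):
            self._log("denied-unauthorized", actor, account, reason)
            raise PermissionError(f"{actor} is not authorized for {account}")
        self._log("checkout", actor, account, reason)
        return self.store[account]


def demo():
    """Hypothetical session: alice rotates and retrieves, bob is refused."""
    vault = PrivilegedPasswordVault({"alice": {"db01/oracle-sys"}, "bob": set()})
    vault.rotate("alice", "db01/oracle-sys")
    vault.checkout("alice", "db01/oracle-sys", "INC-1234: tablespace full")
    try:
        vault.checkout("bob", "db01/oracle-sys", "curious")
    except PermissionError:
        pass
    return vault
```

The audit list is what answers "who took which password, when, and why"; a real deployment would persist it somewhere the retrievers cannot edit.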

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both
Instructor-Led and Online formats is the most concentrated exam prep
available. Comprehensive course materials and an expert instructor means
you pass the exam. Gain a laser like insight into what is covered on the
exam, with zero fluff! 

http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
------------------------------------------------------------------------

