All accounts with non-expiring passwords are a risk to your organisation and should be managed.
These include local Windows accounts (on both Domain and Workgroup computers) and local UNIX accounts, as well as shared-password accounts such as Windows service logons and IIS application pool identities running as local or domain accounts, database accounts, Lotus Notes accounts and so on.
ForestSafe manages an account by setting its password to a value that is known only to the ForestSafe system. This action is referred to as Scramble, or scrambling the password.
It carries this out by applying ForestSafe Policy to computers. There is a single Policy for Local Administrator Accounts and another for Shared Accounts. A ForestSafe Policy consists of multiple Policy Items. A Local Policy item names a local account and may refer to a single computer where the account resides, or to ANY computer where the account may reside.
Here is an example of a ForestSafe Local Policy:
Platform | Domain | Account | Host Name | MemberOf | Action
Windows | HUB | BuildAdmin | * | Domain Computer | Scramble
Windows | HUB | Installer10 | s03app* | Legacy Domain Computer | Delete
Windows | WORKGROUP | OldBuildAdmin | * | * | Scramble
Windows | * | Administrator | * | * | Rename to x7896
Windows | * | x7896 | * | * | Scramble
UNIX | n/a | Debiantemp | *eb10 | UNIX Computer | Delete
The Local Policy system works by reverse pattern matching: each discovered computer's details (platform, domain, host name and group membership) are compared against every Local Policy Item, and every item that matches is applied to that computer. The Host Name column accepts wildcards and "*" in any column means "any".
In this example the BuildAdmin account is scrambled on every Domain Computer in the HUB domain. The Installer10 account is deleted only on HUB computers whose host name starts with s03app and that belong to the Legacy Domain Computer group (the Action column reads Delete, not Scramble). OldBuildAdmin is scrambled on all workgroup machines. The Administrator account is renamed to x7896 on ALL Windows computers in ALL domains and then, because the following item matches the new name, scrambled. The Debiantemp account is deleted on all UNIX computers whose host name ends with eb10.
Within a single Windows domain, Domain and MemberOf can select the same set of computers. The distinction matters at Enterprise level, where ForestSafe manages multiple domains centrally. ForestSafe Express manages a single Windows domain by default.
There is a configurable delay that leaves local account passwords unchanged for a period after the system has discovered the computer on which they reside. This gives engineers time to complete their build work before ForestSafe takes charge of the password.
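The following is an added example written for this page, not ForestSafe's own code, modelling how the Local Policy table above would be matched against discovered computers: every item is tested against a computer's platform, domain, host name and group membership, matching items are applied in policy order so that the Administrator rename is followed by a scramble of x7896, and a grace period after discovery suppresses all actions. The class names, function names, sample host names and groups are assumptions.

```python
"""Added example: a small model of ForestSafe-style Local Policy matching.
Illustrative code written for this page, not ForestSafe's implementation;
class and function names are assumptions."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class PolicyItem:
    platform: str   # "Windows" or "UNIX"
    domain: str     # domain name, "WORKGROUP", "*" (any) or "n/a" for UNIX
    account: str    # local account the item applies to
    host: str       # host-name glob, e.g. "s03app*" or "*eb10"
    member_of: str  # computer group the host must belong to, or "*"
    action: str     # "Scramble", "Delete" or "Rename to <newname>"


@dataclass(frozen=True)
class Computer:
    platform: str
    domain: str
    host: str
    groups: frozenset       # computer groups the host belongs to
    accounts: frozenset     # local accounts found on the host
    discovered_at: float    # epoch seconds when the host was first discovered


def _glob(pattern: str, value: str) -> bool:
    """'*' alone matches anything; otherwise a case-insensitive glob match."""
    return pattern == "*" or fnmatchcase(value.lower(), pattern.lower())


def applicable_items(policy, computer):
    """Reverse match: test one computer's details against every policy item and
    keep the items whose Platform, Domain, Host Name and MemberOf all fit."""
    hits = []
    for item in policy:
        if item.platform != computer.platform:
            continue
        # UNIX items carry "n/a" for Domain, so only Windows items check it.
        if item.platform == "Windows" and not _glob(item.domain, computer.domain):
            continue
        if not _glob(item.host, computer.host):
            continue
        if item.member_of != "*" and item.member_of not in computer.groups:
            continue
        hits.append(item)
    return hits


def apply_policy(policy, computer, now, grace_seconds=0):
    """Return the (action, account) pairs that would be carried out on computer.

    grace_seconds models the configurable post-discovery delay: until it has
    elapsed no account is touched. Items are applied in policy order and a
    Rename updates the set of present accounts, so an item naming the new
    account (x7896 in the table) fires on the same pass: rename, then scramble.
    """
    if now - computer.discovered_at < grace_seconds:
        return []
    present = {a.lower(): a for a in computer.accounts}
    actions = []
    for item in applicable_items(policy, computer):
        key = item.account.lower()
        if key not in present:
            continue
        actions.append((item.action, item.account))
        if item.action.startswith("Rename to "):
            new_name = item.action[len("Rename to "):]
            del present[key]
            present[new_name.lower()] = new_name
    return actions


# The six rows of the Local Policy table.
LOCAL_POLICY = (
    PolicyItem("Windows", "HUB", "BuildAdmin", "*", "Domain Computer", "Scramble"),
    PolicyItem("Windows", "HUB", "Installer10", "s03app*", "Legacy Domain Computer", "Delete"),
    PolicyItem("Windows", "WORKGROUP", "OldBuildAdmin", "*", "*", "Scramble"),
    PolicyItem("Windows", "*", "Administrator", "*", "*", "Rename to x7896"),
    PolicyItem("Windows", "*", "x7896", "*", "*", "Scramble"),
    PolicyItem("UNIX", "n/a", "Debiantemp", "*eb10", "UNIX Computer", "Delete"),
)

# Constructed sample computers; host names, groups and accounts are made up.
S03APP07 = Computer("Windows", "HUB", "s03app07",
                    frozenset({"Domain Computer", "Legacy Domain Computer"}),
                    frozenset({"BuildAdmin", "Installer10", "Administrator", "Guest"}),
                    discovered_at=1_000)
WKSLAB01 = Computer("Windows", "WORKGROUP", "wkslab01", frozenset(),
                    frozenset({"OldBuildAdmin", "Administrator"}), discovered_at=1_000)
DBDEB10 = Computer("UNIX", "", "dbdeb10", frozenset({"UNIX Computer"}),
                   frozenset({"root", "Debiantemp"}), discovered_at=1_000)

if __name__ == "__main__":
    for c in (S03APP07, WKSLAB01, DBDEB10):
        print(c.host, apply_policy(LOCAL_POLICY, c, now=5_000))
```

Matching is done per computer against the whole policy rather than per item against all computers, which is what "reverse" pattern matching means here; the ordering of items in the policy is significant, since the x7896 scramble only takes effect because it follows the rename.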
Here is an example of three shared accounts, each with one or more identities:
Account | Account Type | Identity
Forestsafeservice | Windows Domain | Domain=HUB
Forestsafeservice | Windows Service | Host=serhubapp01, Service=ForestSafe
Forestsafepool | Windows Domain | Domain=HUB
Forestsafepool | Windows IIS Pool | Host=serhubiis01, Pool=ForestSafe
Orasync | UNIX Local | Host=aixora22
Orasync | UNIX Local | Host=aixora23
Orasync | UNIX Local | Host=192.166.14.87
Orasync | UNIX Local | Host=192.166.14.170
The first two are the accounts that run the ForestSafe service and the ForestSafe IIS application pool respectively; this is typical of how many Windows applications are configured, and when the domain account's password is scrambled the service or pool identity must be updated with the new value at the same time.
In the last example the Orasync account exists locally on four UNIX servers and its password is kept synchronised across all of them. Platforms can be mixed and matched: any account can be synchronised with any other. Bear in mind that a password shared across several hosts is only as well protected as the least secure of those hosts, so keep a synchronised group as small as the application allows.