サポートと今すぐチャット
サポートとのチャット

Safeguard Privilege Manager for Windows 4.7.1 - Administration Guide

TitlePageProxy Copyright Table of Contents About this guide What is Safeguard Privilege Manager for Windows? Installing Safeguard Privilege Manager for Windows Configuring Client data collection Configuring Instant Elevation Configuring Self-Service Elevation Configuring Temporary Session Elevation Configuring privileged application discovery Deploying rules Removing local admin rights Reporting Client-side UI customization Using Microsoft tools Maintaining a least privileged use environment Database Planning Product Improvement Program About us

Using the Server Configuration Wizard

NOTE: This feature is available only in Professional and Professional Evaluation editions.

After installing the Console, you must configure a Server. Configuring the Server sets up the backend services needed to automatically deploy the Client, as well as enabling reporting, discovery and remediation.

To use the Privilege Manager for Windows Server Configuration Wizard to set up the Server

  1. Start the Privilege Manager for Windows Server Configuration Wizard.

    1. Open the Console.

    2. Under the Getting Started section of the left navigation menu, click Setup Tasks.

    3. Select the Configure a server icon in the Basic Setup right pane.

  2. The Privilege Manager for Windows Server Configuration screen appears.

    1. Click Browse to locate a Server through Active Directory.

    2. Click Test to verify the connection of the selected Server to the ScriptLogic PA Reporting Service. If the test fails, check to see if there are network or firewall problems.

    3. Click the Clear the server name link if you want to configure another Server. The displayed service remains installed.

  3. Click Setup/configure the Privilege Manager Server on this computer to install a new Server or configure one on the local computer.

  4. In the Privilege Manager for Windows Server Setup Wizard that appears, set the port for the web service.

    1. Click Reset to set the Port Number to its default. The ScriptLogic PA Reporting data collection web service listens for incoming data from the clients on port 8003, by default. The firewall must be configured to allow communication over any port you select.

    2. Select the Add an application exception to the firewall for this service option to automatically add UDP and TCP rules (named ScriptLogic PA Reporting Svc) to the Windows Firewall exceptions list to allow inbound traffic for the service on the local computer.

  5. Under the optional Server Email Notification Configuration section, select the Server to use for email notifications of Self-Service requests and scheduled reports.

    Configure the following fields:

    1. Host Name: Enter the SMTP Server name of the email account from which you are going to send your emails.

    2. SMTP Port: Enter the port number.

    3. SMTP User Name and Password: If necessary, enter the authentication information and check the SSL check box.

    4. From Email: Enter the corresponding email.

    NOTE: You must enter the SMTP Password each time you configure the Server or an error is received.

  6. Click Send Test Email to send an email to the account specified in the From Email field.

    1. If Privilege Manager succeeds in sending the email, the corresponding message appears.

    2. Log into an email program with the corresponding account and locate the sent email folder, with Privilege Manager Test Email in the subject.

  7. Click Next.

  8. Select an SQL Server instance to use for the PA Reporting database.

    1. Select Download and install a local instance of SQL Server 2014 SP2 Express to be used by the server wizard. Then, click Next.

      NOTE: By default, the SQL Server installed via the Console uses Windows authentication.

  9. To connect to an existing local or remote SQL instance, select Use an existing SQL Server instance (requires at least Microsoft SQL Server 2014), and click Next.

To use the Privilege Manager for Windows Server Configuration Wizard to set up the Server when using a remote SQL database

  1. Enable TCP/IP protocol for the selected SQL Server instance.

  2. Enable the Console host to address the remote SQL Server.

  3. Allow the firewall to communicate between the SQL database and the Console host on the port that the remote SQL Server is configured to listen on.

    NOTE: If a domain controller hosts the Safeguard Privilege Manager for Windows Console, Microsoft does not recommend running a database on a domain controller computer. In this case, either connect to a remote SQL database instance or use another computer to install the Console and download SQL Server 2014 SP2 Express via the Privilege Manager for Windows Server Configuration Wizard.

  4. Set up a Super User group, credentials for the Data Collection Web Service Account, and the database service account.

    1. Verify the default user group and user accounts will be granted administrative privileges in the Privilege Manager for Windows Reporting database. This group is configured as the Super User group. If a different group is required, click Browse to locate it using Active Directory.

    2. In the Data Collection Web Service Account section, enter the password of the account that is used to run the data collection service. This account requires local administrator rights.

    3. Use the SQL Server Express Service Account section to enter a new account for the SQL Server service, if you selected the option to download and install a local instance of SQL Server 2014 SP2 Express.

    4. Use the SQL Server Administrator Password section to supply a password for the SQL Server System Administrator (sa) account.

    NOTE: If you plan to use the configured server domain-wide, ensure the provided Database Super User Group includes every user account that may address the PAReporting database. Otherwise, a user that has no rights to the database will encounter an error. An example use-case is if you use the configured server from other consoles to run either by domain or organizational unit level admins.

  5. To install a list of SQL Server Management Objects (SMOs) if the local computer is missing them, click Next. These prerequisites are required to connect to SQL Server instances on the network.

  6. Select the existing SQL Server instance running remotely or locally, if you selected the option to use an existing SQL Server instance.

    1. In the SQL Server Instance Name field, specify the name in the following format:

      SQLSERVER\INSTANCENAME.

    2. To view the server instances available on your network, use the (Browse) button.

    3. When using Windows authentication, ensure that the Windows account currently logged into the Console meets the following requirements:

      • It has the system administrator server role on the specified SQL Server instance.

      • It has db_owner role for the master database.

      • It has db_owner role for the PAReporting database, when you are upgrading a database previously created with the Privilege Manager for Windows Server Configuration Wizard.

    NOTE: If you target a remote SQL database, it must use Windows authentication for runtime access to data. However, you can use SQL authentication to set up the database.

  7. To install the prerequisites and launch the services, click Next.

    NOTE: During installation, a command prompt window may appear for a short period of time. This is normal.

  8. To exit the Privilege Manager Server Setup Wizard, click OK, then Finish.

  9. To ensure proper functioning of the Server, allow the following programs through the Windows firewall:

    1. On the client computer: CSEHost.exe.

    2. On the Server host: PrivilegeAuthority.exe, which is configured by default during Server configuration, provided that the firewall is turned on.

Modifying the Server

You must configure the settings for the Server on the Console where it was installed. However, any administrator with the rights to a specific GPO can update its data collection settings. Also, the administrator running the Console can view reports of data collected by any Server by selecting Browse and the preferred Server from the Privilege Manager Server Configuration screen (under Setup Tasks > Configure a Server).

To change the reporting database settings

  1. Use the Privilege Manager Server Configuration screen to remove the Server.

  2. Restart the wizard to reinstall the service and set the SQL database settings.

    NOTE: You may configure the following settings:

    • Connect to another instance.

    • Modify the authentication parameters.

    • Set up a new data collection service.

Removing the Server

If you do not want to use a Server, you can clear its settings and/or remove it from a host computer.

Removing the Server from the host computer

To remove the Server's settings or remove it from the host computer

  1. Open the Privilege Manager Server Configuration screen (under Setup Tasks > Configure a Server).

  2. To clear the settings which the Console uses to connect to reporting information, select Clear the server name. The locally running Server will not be stopped or disabled. This will not uninstall the Server.

  3. To uninstall the Server from the local computer, click Remove the Privilege Manager Server from this computer. When you remove the Server:

    • You stop the web data collection service.

    • The shared folder with the Client file is no longer shared.

    • The database does not receive data sent by the corresponding Clients until a new Server is installed, provided that it is installed within the network timeout parameters.

Removing a Server running remotely

To remove a Server running remotely

  1. Connect to the computer that hosts the Server.

  2. Remove the Server using the Privilege Manager Server Configuration screen.

NOTE: If a domain administrator or the administrator of a nested Organizational Unit (OU) uninstalls the Server, they may render the reporting function unavailable on other Console computers or computers downstream from the parent OU. Also, if you have reinstalled the Server, report generation starts from the last installation.

Offline installation of the Server and Data Collection service

Safeguard Privilege Manager for Windows does not directly support offline installation. However, you can set up the Server and Data Collection service of the Console if you install some dependencies manually beforehand.

To set up the Server and Data Collection service offline

  1. Install the following components:

    • Microsoft System CLR Types for Microsoft SQL Server 2014

    • Microsoft SQL Server 2014 Shared Management Objects

    • Microsoft SQL Server 2014 SP2 Express

  2. Set up the SQL Server manually. For example, you can run the following command to initiate the SQL Server installer with some pre-configuration in place:

    SQLEXPR_2014_ENU.exe /IACCEPTSQLSERVERLICENSETERMS /ACTION=Install /FEATURES=SQL /INSTANCENAME=PAReporting /SECURITYMODE=SQL /SAPWD=<sql-system-admin-password> /SQLSVCACCOUNT=<sql-service-account> /SQLSYSADMINACCOUNTS="BUILTIN\ADMINISTRATORS" /AGTSVCACCOUNT=<sql-service-account> /TCPENABLED=1 /SQLSVCPASSWORD=<sql-service-password> /AGTSVCPASSWORD=<sql-service-password>

  3. Once you are done, you can configure the server in the Console using the Use an existing SQL Server instance option during server setup.

関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択