To prepare Windows systems for Safeguard for Privileged Passwords
1. Create a service account on the asset and assign it a password:
Directory Configuration:
If the Windows system is joined to a domain that will be managed in Safeguard for Privileged Passwords, you can use a directory account, such as a Microsoft Active Directory account to manage the asset. Enable the Password Never Expires option; once you add the asset to Safeguard for Privileged Passwords, you can have the service account password auto-managed to keep it secure.
-OR-
Local Configuration:
If the Windows system is not joined to a domain, then use a local service account that has been granted sufficient permissions.
2. The following are the minimum permissions the service account needs so that Safeguard for Privileged Passwords can perform password management and session management tasks on a Windows asset using Windows Management Instrumentation (WMI). "Minimum" is deliberate: grant these rather than making the account an unrestricted administrator everywhere.
Local Account Management
Using a local account or domain account, Test connection, Check connection, Password check, and Account discovery tasks require the following permissions:
- Remote Enable permission on WMI's CIMV2 Namespace
- Enable Account permission on WMI's CIMV2 Namespace
- Remote Activation permission on computer via DCOM.
To set Remote Enable and Enable Account permissions:
- Open wmimgmt.msc (the WMI Control snap-in).
- Right-click WMI Control (Local) and select Properties.
- Select the Security tab.
- Expand the Root node.
- Select the CIMV2 node.
- Click the Security button.
- Add user/group and select Remote Enable and Enable Account.
- Click OK.
To set Remote Activation permissions:
- Open dcomcnfg (Component Services).
- Expand Component Services | Computers.
- Right-click My Computer and select Properties.
- Open the COM Security tab.
- Under Launch and Activation Permissions, select Edit Limits.
- Add user/group and select Allow for Remote Activation.
- Click OK.
Password change task requires the following permission:
- Member of Local Administrators group
Domain Account Management
Using a Domain account:
Test connection, Check connection, Password check, and Account discovery tasks require the same WMI and DCOM permissions listed under Local Account Management above (Remote Enable and Enable Account on the CIMV2 namespace, and Remote Activation via DCOM); those permissions apply whether the service account is local or domain-based.
Password change task requires that the service account has the following permissions delegated in Active Directory on the user objects (or the organizational unit containing them) whose passwords it will manage:
- Read All Properties
- Write All Properties
- Read Permissions
- Modify Permissions
- Reset Password
3. Configure the system's firewall to allow the following predefined incoming rules:
- Windows Management Instrumentation (DCOM-In)
- Windows Management Instrumentation (WMI-In)
- NetLogon Service (NP-In)
These rules allow the incoming traffic the tasks above depend on: the DCOM-In rule opens TCP port 135 (the RPC endpoint mapper), the WMI-In rule opens the dynamic RPC ports that WMI connections are redirected to, and the NetLogon NP-In rule opens TCP port 445 (SMB named pipes).
4. Ensure the following ports are accessible:
- Port 389 (LDAP) is used for Active Directory Asset Discovery and Directory Account Discovery.
- Port 445 (SMB) is used to perform password check and change tasks.
- For Windows Server 2019, the RPC ephemeral (dynamic) ports are also required. One way to open them is to enable the "Remote Scheduled Tasks Management (RPC)" firewall rule on the Windows asset.
5. Configure Windows Local Security Policy:
Before Safeguard for Privileged Passwords can change local account passwords on a Windows system using a service account that is a member of the Administrators group but is not the built-in Administrator account, you must change the local security policy to disable the User Account Control (UAC) Admin Approval Mode option ("User Account Control: Run all administrators in Admin Approval Mode"). Note that this setting is system-wide: disabling it turns UAC off for every administrator on the asset, not only for the service account, so record it as a deliberate hardening trade-off for that asset. The built-in Administrator account is not subject to this restriction, which is why the step is unnecessary when that account is used.
1. Run secpol.msc from the Run dialog, or from the Windows Start menu, open Local Security Policy.
2. Navigate to Local Policies | Security Options.
3. Disable the "User Account Control: Run all administrators in Admin Approval Mode" option.
4. Restart your computer.
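The following script carries out steps 2 through 5 above on the asset itself from an elevated Windows PowerShell 5.1 prompt, using the registry value that secpol.msc writes for the UAC policy. It is an added example written for this page, not code shipped with Safeguard for Privileged Passwords; the account name CORP\svc-spp is a placeholder, and the comment about which groups already hold Remote Activation in the default DCOM limits is based on Windows defaults, not on anything this page states.

```powershell
#Requires -RunAsAdministrator
# Added example (not Safeguard's own code): prepare a Windows asset for Safeguard for
# Privileged Passwords. Run in Windows PowerShell 5.1 on the asset, as an administrator.
param(
    [string]$ServiceAccount = 'CORP\svc-spp'   # placeholder: domain or local service account
)
$ErrorActionPreference = 'Stop'

# Resolve the trustee SID once; this throws if the account does not exist.
$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# --- Step 2: Remote Enable (0x20) and Enable Account (0x1) on root\cimv2 -----------------
# Namespace ACLs are held by the __SystemSecurity singleton of each WMI namespace.
$WBEM_ENABLE        = 0x1
$WBEM_REMOTE_ACCESS = 0x20
$CONTAINER_INHERIT  = 0x2     # inherit to sub-namespaces, matching what the MMC dialog sets
$wanted   = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS
$wmiTarget = @{ Namespace = 'root\cimv2'; Path = '__systemsecurity=@' }

$sd = (Invoke-WmiMethod @wmiTarget -Name GetSecurityDescriptor).Descriptor
$already = $sd.DACL | Where-Object {
    $_.AceType -eq 0 -and $_.Trustee.SIDString -eq $sid -and
    (($_.AccessMask -band $wanted) -eq $wanted)
}
if (-not $already) {
    $trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
    $trustee.SIDString = $sid
    $ace = ([wmiclass]'Win32_ACE').CreateInstance()
    $ace.AccessMask = $wanted
    $ace.AceFlags   = $CONTAINER_INHERIT
    $ace.AceType    = 0                       # ACCESS_ALLOWED_ACE_TYPE
    $ace.Trustee    = $trustee
    $sd.DACL += $ace.psobject.ImmediateBaseObject
    $r = Invoke-WmiMethod @wmiTarget -Name SetSecurityDescriptor -ArgumentList $sd.psobject.ImmediateBaseObject
    if ($r.ReturnValue -ne 0) { throw "SetSecurityDescriptor on root\cimv2 failed: $($r.ReturnValue)" }
}

# --- Step 2 (password change): local Administrators membership ------------------------
# Look the group up by its well-known SID so this also works on localized Windows builds.
# Members of Administrators (and of Distributed COM Users) already hold Remote Activation in
# the default machine-wide DCOM limits, so the dcomcnfg step above is only needed for an
# account that belongs to neither group.
$adminGroup = (Get-LocalGroup -SID 'S-1-5-32-544').Name
$isMember = Get-LocalGroupMember -Group $adminGroup | Where-Object { $_.SID.Value -eq $sid }
if (-not $isMember) {
    Add-LocalGroupMember -Group $adminGroup -Member $ServiceAccount
}

# --- Step 3/4: predefined inbound firewall rules ----------------------------------------
# DCOM-In = TCP 135 (endpoint mapper), WMI-In = dynamic RPC ports, NP-In = TCP 445 (SMB).
# The last rule is the page's workaround for Windows Server 2019 ephemeral RPC ports.
Enable-NetFirewallRule -DisplayName 'Windows Management Instrumentation (DCOM-In)',
                                    'Windows Management Instrumentation (WMI-In)',
                                    'Netlogon Service (NP-In)',
                                    'Remote Scheduled Tasks Management (RPC)'

# --- Step 5: "User Account Control: Run all administrators in Admin Approval Mode" -------
# secpol.msc stores this policy in the EnableLUA value. Setting it to 0 switches UAC off for
# every administrator on the asset, not only the service account; the built-in Administrator
# (RID 500) does not need it, so the change is skipped for that account.
if ($sid -match '-500$') {
    Write-Host 'Built-in Administrator in use; UAC Admin Approval Mode can stay enabled.'
} else {
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    Set-ItemProperty -Path $uacKey -Name EnableLUA -Value 0 -Type DWord
    Write-Warning 'EnableLUA set to 0; restart the asset for the policy change to take effect.'
}
```

Run it once per asset after creating the service account (step 1). The WMI ACE is added only when no allow entry for the SID already carries both bits, so re-running the script does not pile up duplicate entries; if the namespace already grants the rights through a group the account belongs to, the explicit ACE is still added, which is harmless.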
Troubleshooting
The most common causes of failure in Safeguard for Privileged Passwords are either connectivity issues between the appliance and the managed system, or problems with service accounts. Always verify network connectivity and asset power before troubleshooting. A local account password change can fail when the Windows asset is configured with a service account that has administrative privileges but is not the built-in Administrator account and the UAC Admin Approval Mode option described in step 5 is still enabled.
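The checks below reproduce, from a second Windows host, what the Test connection, Check connection, and Account discovery tasks need from the asset: reachable ports 135 and 445, a working DCOM/WMI session under the service account, local Administrators membership, and the state of the UAC policy from step 5. This is an added troubleshooting example, not code from Safeguard for Privileged Passwords; the asset name win-asset01.corp.example is a placeholder, and the session deliberately uses the DCOM protocol rather than WinRM because the permissions on this page are WMI/DCOM permissions.

```powershell
# Added example (not Safeguard's own code): preflight a Windows asset from another Windows
# host using the service account's credentials. Requires Windows PowerShell 5.1 or later.
param(
    [string]$Asset = 'win-asset01.corp.example',                       # placeholder host name
    [pscredential]$Credential = (Get-Credential -Message 'Service account used by Safeguard')
)
$ErrorActionPreference = 'Stop'
$report = [ordered]@{}

# Steps 3/4: TCP 135 (RPC endpoint mapper, DCOM) and TCP 445 (SMB, password check/change).
# Port 389 is not tested here because it is an LDAP port on the domain, not on the asset.
foreach ($port in 135, 445) {
    $t = Test-NetConnection -ComputerName $Asset -Port $port -WarningAction SilentlyContinue
    $report["tcp/$port"] = $t.TcpTestSucceeded
}

# Step 2: Remote Enable + Enable Account on root\cimv2 and Remote Activation via DCOM are all
# exercised by opening a DCOM CIM session and enumerating local accounts, which is the same
# kind of query Account discovery relies on.
$cim = $null
try {
    $opt = New-CimSessionOption -Protocol Dcom
    $cim = New-CimSession -ComputerName $Asset -Credential $Credential -SessionOption $opt
    $users = @(Get-CimInstance -CimSession $cim -ClassName Win32_UserAccount -Filter 'LocalAccount=True')
    $report['wmi.cimv2'] = "ok ($($users.Count) local accounts visible)"

    # Password change needs local Administrators membership. Resolve the group by its
    # well-known SID; only direct members are listed, so membership through a nested
    # domain group shows up as $false here even though it is effective.
    $admins  = Get-CimInstance -CimSession $cim -ClassName Win32_Group `
                   -Filter "LocalAccount=True AND SID='S-1-5-32-544'"
    $members = Get-CimAssociatedInstance -CimSession $cim -InputObject $admins -Association Win32_GroupUser
    $report['admins.direct_member'] = [bool]($members |
        Where-Object { "$($_.Domain)\$($_.Name)" -eq $Credential.UserName })

    # Step 5: read the policy behind "Run all administrators in Admin Approval Mode" through
    # StdRegProv in root\cimv2, so no permissions beyond the ones on this page are needed.
    $reg = Invoke-CimMethod -CimSession $cim -Namespace 'root\cimv2' -ClassName StdRegProv `
               -MethodName GetDWORDValue -Arguments @{
                   hDefKey     = [uint32]2147483650           # HKEY_LOCAL_MACHINE
                   sSubKeyName = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
                   sValueName  = 'EnableLUA'
               }
    $report['uac.EnableLUA'] = if ($reg.ReturnValue -eq 0) { $reg.uValue } else { 'not set' }
} catch {
    # Access denied points at step 2 (WMI/DCOM permissions); "RPC server is unavailable"
    # points at steps 3/4 (port 135 or the dynamic RPC range is blocked).
    $report['wmi.cimv2'] = "FAILED: $($_.Exception.Message)"
} finally {
    if ($cim) { Remove-CimSession $cim }
}

[pscustomobject]$report | Format-List
```

Read the output top to bottom in the order of the steps: a port failure is a firewall or routing problem to fix first; a session failure with access denied means the WMI namespace or DCOM limits were not granted to this account; and an EnableLUA value of 1 together with admins.direct_member equal to $true (for an account other than the built-in Administrator) is exactly the combination that makes local password changes fail.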