One Identity Safeguard for Privileged Passwords 7.4

One Identity Safeguard for Privileged Passwords 7.4 - Appliance Setup Guide

Package contents Front and back panels Operating conditions and regulatory compliance Setting up the hardware appliance Lights Out Management (BMC) Warnings and precautions Standardized warning statements for AC systems

Virtual machine

Using the virtual appliance and web management console Setting up the virtual appliance Support Kiosk Virtual appliance backup and recovery

Completing the appliance setup Cloud deployments

Cloud deployment considerations AWS deployment Azure deployment OCI deployment Virtual appliance backup and recovery

System requirements and versions

Web client system requirements Web management console system requirements Supported platforms Licenses Long Term Support (LTS) and Feature Releases

Preparing Windows systems

SPP supports Windows systems. For more information, see How to: Configure Windows Assets in Safeguard.

NOTE: Microsoft has started hardening DCOM servers which may change your configuration decisions. For more information, see https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26414 and https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c.

To prepare Windows systems for SPP

Create a service account on the asset and assign it a password:
- Directory Configuration
  
  If the Windows system is joined to a domain that will be managed in SPP, you can use a directory account, such as a Microsoft Active Directory account to manage the asset. Enable the Password Never Expires option; once you add the asset to SPP, you can have the service account password auto-managed to keep it secure.
  
  -OR-
- Local Configuration
  
  If the Windows system is not joined to a domain, then use a local service account that has been granted sufficient permissions.
Grant the service account sufficient permissions to change account permissions to allow changing account passwords. For more information, see Minimum required permissions for Windows assets.
Configure the system's firewall to allow the following predefined incoming rules:
- Windows Management Instrumentation (DCOM-In)
- Windows Management Instrumentation (WMI-In)
- NetLogon Service (NP-In)
These rules allow incoming traffic on TCP port 135 and TCP SMB 445, respectively.
Ensure the following ports are accessible:
- Port 389 is LDAP for connections. LDAP port 389 connections are used for Active Directory Asset Discovery and Directory Account Discovery.
- Port 445 SMB is used to perform password check and changes.
- In some cases, RPC ephemeral ports are required to be accessible for SPP to perform Service Discovery on the Windows platform (for example, Windows Server 2019 requires the ports, however Windows Server 2012 does not). For more information, see Service overview and network port requirements for Windows.
Change the local security policy:

Before SPP can reset local account passwords on Windows systems, using a service account that is a non-built-in administrator, you must change the local security policy to disable the User Account Control (UAC) Admin Approval Mode (Run all administrators in Admin Approval Mode) option. For more information, see Change password or SSH key fails.

For additional information on ports, see Safeguard ports.

Please select your product:

To serve you better, please complete the Purpose of your Chat:

Recommended Solutions for Your Problem

One Identity Safeguard for Privileged Passwords 7.4 - Appliance Setup Guide

Preparing Windows systems