Safeguard for Privileged Passwords supports Windows systems.
To prepare Windows systems for Safeguard for Privileged Passwords:
Create a service account on the asset and assign it a password:
- If the Windows system is joined to a domain that will be managed in Safeguard for Privileged Passwords, you can use a directory account, such as a Microsoft Active Directory account, to manage the asset. Enable the Password Never Expires option; once you add the asset to Safeguard for Privileged Passwords, you can have the service account password auto-managed to keep it secure.
- If the Windows system is not joined to a domain, use a local service account that has been granted sufficient permissions.
- Grant the service account permissions sufficient to change account permissions and account passwords. For more information, see Minimum required permissions for Windows assets.
Configure the system's firewall to allow the following predefined incoming rules:
- Windows Management Instrumentation (DCOM-In)
- Windows Management Instrumentation (WMI-In)
- NetLogon Service (NP-In)
These rules allow incoming traffic on TCP port 135 (DCOM) and TCP port 445 (SMB).
Ensure the following ports are accessible:
- Port 389 (LDAP) is used for Active Directory Asset Discovery and Directory Account Discovery.
- Port 445 (SMB) is used to perform password checks and changes.
- When possible, RPC ephemeral ports should also be accessible. For more information, see Service overview and network port requirements for Windows.
Change the local security policy:
Before Safeguard for Privileged Passwords can reset local account passwords on Windows systems using a service account that is not the built-in Administrator account, you must change the local security policy to disable the User Account Control (UAC) option Admin Approval Mode (Run all administrators in Admin Approval Mode). For more information, see Change password or SSH key fails.
For additional information on ports, see Safeguard ports.
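The steps above, carried out and then verified as one script on the asset. This is an added example, not code from One Identity or from the Safeguard for Privileged Passwords documentation. It assumes a service account named svc-spp (a placeholder), uses local Administrators group membership as one way to grant the "sufficient permissions" the page requires (the actual minimum is in Minimum required permissions for Windows assets), and relies on the fact that the "Run all administrators in Admin Approval Mode" policy is stored in the EnableLUA registry value, which takes effect after a restart.

```powershell
# Added example (not One Identity code): prepare a Windows asset for Safeguard
# for Privileged Passwords (SPP) following the steps on this page, then report
# the resulting state. Run in an elevated PowerShell session on the asset.
# Assumptions not taken from the page: the account name 'svc-spp' and local
# Administrators membership as the means of granting sufficient permissions.
#Requires -RunAsAdministrator

param(
    [string]$ServiceAccount = 'svc-spp',   # placeholder name
    [switch]$DomainJoined                  # set when a directory account is used instead
)

$ErrorActionPreference = 'Stop'

# --- Step 1: service account --------------------------------------------------
if (-not $DomainJoined) {
    # Local service account for an asset that is not domain-joined. The initial
    # password is entered interactively; once the asset is in SPP, let SPP
    # auto-manage it.
    $initial = Read-Host -AsSecureString "Initial password for $ServiceAccount"
    if (-not (Get-LocalUser -Name $ServiceAccount -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $ServiceAccount -Password $initial `
            -PasswordNeverExpires -AccountNeverExpires `
            -Description 'Safeguard for Privileged Passwords service account' | Out-Null
    }
    # Assumption: Administrators membership is used here so the account can
    # change other local accounts' passwords.
    if (-not (Get-LocalGroupMember -Group 'Administrators' -Member $ServiceAccount -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group 'Administrators' -Member $ServiceAccount
    }
} else {
    # For a domain-joined asset the page recommends a directory account with
    # Password Never Expires enabled; that is set in Active Directory, e.g.
    #   Set-ADUser -Identity $ServiceAccount -PasswordNeverExpires $true
    Write-Host "Domain-joined asset: using directory account $ServiceAccount"
}

# --- Step 2: predefined inbound firewall rules -------------------------------
$rules = @(
    'Windows Management Instrumentation (DCOM-In)',  # TCP 135
    'Windows Management Instrumentation (WMI-In)',   # WMI over DCOM dynamic RPC ports
    'NetLogon Service (NP-In)'                       # TCP 445 (SMB named pipes)
)
foreach ($name in $rules) {
    # Enables every profile variant (Domain/Private/Public) of the predefined rule.
    Enable-NetFirewallRule -DisplayName $name
}

# --- Step 3: local security policy -------------------------------------------
# "User Account Control: Run all administrators in Admin Approval Mode" is
# backed by the EnableLUA DWORD; 0 disables it. A restart is required.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $uacKey -Name 'EnableLUA' -Value 0 -Type DWord

# --- Verification --------------------------------------------------------------
# Confirm each step locally before adding the asset in SPP. Port reachability
# from the SPP side is checked from another host, e.g.
#   Test-NetConnection -ComputerName <asset> -Port 445
$disabledRules = $rules |
    ForEach-Object { Get-NetFirewallRule -DisplayName $_ } |
    Where-Object { $_.Enabled -ne 'True' }

[pscustomobject][ordered]@{
    ServiceAccountPresent = $DomainJoined -or [bool](Get-LocalUser -Name $ServiceAccount -ErrorAction SilentlyContinue)
    FirewallRulesEnabled  = -not $disabledRules
    AdminApprovalModeOff  = (Get-ItemProperty -Path $uacKey -Name 'EnableLUA').EnableLUA -eq 0
    Rpc135Listening       = [bool](Get-NetTCPConnection -LocalPort 135 -State Listen -ErrorAction SilentlyContinue)
    Smb445Listening       = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
} | Format-List

Write-Warning 'Restart the system for the UAC policy change to take effect.'
```

Run it as `.\Prepare-SppAsset.ps1` on a standalone asset, or `.\Prepare-SppAsset.ps1 -ServiceAccount 'CONTOSO\svc-spp' -DomainJoined` when the asset is in a domain SPP manages. Disabling Admin Approval Mode lowers UAC for every administrator account on the asset, so record the change as a deliberate, audited configuration item alongside the asset's entry in SPP.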