+1 for Secretserver, works well and we use it to manage our local password changes on all our servers and network gear. It works very well and support is very good.

-Greg

From: [email protected] [mailto:[email protected]] On Behalf Of Aakash Shah
Sent: Wednesday, November 5, 2014 11:31 PM
To: [email protected]
Subject: RE: [NTSysADM] Has anyone implemented this solution?

I forgot to mention that Secret Server also appears to have the ability to set/change local admin passwords, but we have not implemented this feature yet:

http://thycotic.com/products/secret-server/features/change-network-passwords/
http://thycotic.com/products/secret-server/features/discovery/

-Aakash Shah

From: Aakash Shah
Sent: Wednesday, November 5, 2014 10:53 PM
To: [email protected]
Subject: RE: [NTSysADM] Has anyone implemented this solution?

In case you're looking for more options, our security team manages and runs Secret Server:

http://thycotic.com/products/secret-server

All of the credentials for the services provided by the organization are stored in here (no personal/individual credentials though). It has auditing features and has ACLs that can be based on users/groups. It previously was set up with RSA 2fa, and was recently switched to Duo 2fa.

-Aakash Shah

From: [email protected] [mailto:[email protected]] On Behalf Of Matthew Topper
Sent: Wednesday, November 5, 2014 7:08 PM
To: [email protected]
Subject: RE: [NTSysADM] Has anyone implemented this solution?

With the discussion seemingly moved to password vaults, we've been using one called PasswordState:

http://www.clickstudios.com.au/

I've been very happy with it, particularly with its auditing features.

Matthew Topper

From: [email protected] [mailto:[email protected]] On Behalf Of Free, Bob
Sent: Wednesday, November 05, 2014 9:30 PM
To: [email protected]
Subject: RE: [NTSysADM] Has anyone implemented this solution?

We have thousands of local passwords in ours. Plus the *NIX accounts.
Don't know how that compared to a gazillion but then, you are the numbers guy, not me :)

Here's an example of one that does a lot both in scalability and functionality:

http://www.beyondtrust.com/Products/PowerBrokerPasswordSafe/

That said, this is a big stretch from the original dilemma but it's a pretty elegant solution.

From: [email protected] [mailto:[email protected]] On Behalf Of Michael B. Smith
Sent: Wednesday, November 05, 2014 4:28 PM
To: [email protected]
Subject: RE: [NTSysADM] Has anyone implemented this solution?

I LOL'ed.

That being said - I've never seen a vaulting solution that properly handled a gazillion local admin passwords. Do you have a specific solution to which you are referring?

From: [email protected] [mailto:[email protected]] On Behalf Of Free, Bob
Sent: Wednesday, November 5, 2014 6:01 PM
To: [email protected]
Subject: Re: [NTSysADM] Has anyone implemented this solution?

OTOH, I have found the entire thread invigorating. :-D

From: [email protected] [mailto:[email protected]] On Behalf Of Micheal Espinola Jr
Sent: Wednesday, November 05, 2014 12:12 PM
To: ntsysadm
Subject: [spam] [dkim-failure] Re: [NTSysADM] Has anyone implemented this solution?

:-P

--
Espi

On Wed, Nov 5, 2014 at 12:08 PM, Free, Bob <[email protected]> wrote:

[cid:[email protected]]

From: [email protected] [mailto:[email protected]] On Behalf Of Micheal Espinola Jr
Sent: Wednesday, November 05, 2014 12:03 PM
To: ntsysadm
Subject: [spam] [dkim-failure] Re: [NTSysADM] Has anyone implemented this solution?

*vigor ?

--
Espi

On Wed, Nov 5, 2014 at 11:59 AM, Free, Bob <[email protected]> wrote:

Passwords can go in a vaulting solution and have all kinds of rigor wrapped around them.

From: [email protected] [mailto:[email protected]] On Behalf Of Matthew W. Ross
Sent: Wednesday, November 05, 2014 9:13 AM
To: [email protected]
Subject: Re: [NTSysADM] Has anyone implemented this solution?

Just curious, but what would you use as an alternative?

ACLs can be ignored if you have physical access to the machine. Online syncing solutions (like LastPass) are a little scary for me, if you're keeping those keys to the kingdom in them. (Not to say LastPass and others like it are not great for personal passwords.) The only other option I can think of is a hand-written list, kept on something non-digital.

Please enlighten me to the (I'm sure glaringly obvious) solution I'm not thinking of! Sm:)e.

--Matt Ross
Ephrata School District

Matthew W. Ross <[email protected]>, 11/5/2014 9:07 AM:

Yes, if the file it's in is encrypted.

--Matt Ross
Ephrata School District

Kennedy, Jim <[email protected]>, 11/5/2014 5:35 AM:

Are you two ok with storing important passwords in a text document on a share and using ACL's to secure that?

From: [email protected] [mailto:[email protected]] On Behalf Of Matthew W. Ross
Sent: Tuesday, November 4, 2014 7:52 PM
To: [email protected]
Subject: Re: [NTSysADM] Has anyone implemented this solution?

If you don't trust Windows based ACLs, how do you secure anything in Windows?

--Matt Ross
Ephrata School District

Michael B. Smith <[email protected]>, 11/4/2014 4:46 PM:

Do you trust Windows ACL-based security? If not - well, you might have a lot of other concerns as well.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
Sent: Tuesday, November 4, 2014 7:41 PM
To: [email protected]
Subject: Re: [NTSysADM] Has anyone implemented this solution?

Yes, they are stored in plain text in the AD field.

That's something to think about, and something to test in the lab.

Kurt

On Tue, Nov 4, 2014 at 4:18 PM, Kennedy, Jim <[email protected]> wrote:
> My kid just pointed out that in the fine print it states the passwords
> are stored in plain text. Yea they are restricted access but still.....
>
> Comments mention you can get them encrypted with Premier.
>
> ------ Original message------
> From: Kurt Buff
> Date: Tue, Nov 4, 2014 3:51 PM
> To: [email protected];
> Subject: Re: [NTSysADM] Has anyone implemented this solution?
>
> Cool. I'll see if I can lab this up, and if I get it working, I'll
> report back.
>
> Thanks!
>
> Kurt
>
> On Tue, Nov 4, 2014 at 12:35 PM, Kennedy, Jim
> <[email protected]> wrote:
>> Ok, got one confirmation from Twitter that it deployed with no
>> problems and works as advertised.
>>
>> -----Original Message-----
>> From: [email protected]
>> [mailto:[email protected]]
>> On Behalf Of Kurt Buff
>> Sent: Tuesday, November 4, 2014 2:42 PM
>> To: [email protected]
>> Subject: [NTSysADM] Has anyone implemented this solution?
>>
>> If so, how did it go? Any gotchas?
>>
>> Blog article on implementation
>>
>> http://blogs.technet.com/b/askpfeplat/archive/2014/05/19/how-to-automate-changing-the-local-administrator-password.aspx
>>
>> Code for the project
>> https://code.msdn.microsoft.com/Solution-for-management-of-ae44e789
>>
>> I might have the chance to implement, but wanted feedback before I
>> put it up in a lab.
>>
>> Thanks,
>>
>> Kurt

________________________________
PG&E is committed to protecting our customers' privacy. To learn more, please visit http://www.pge.com/about/company/privacy/customer/
________________________________

