  IBC Online Services  
password management



Password Provisioning and Remote Access

Every unmanaged password, such as an account whose password is set never to expire, is a risk to your business. At best these are the high-level accounts running your Windows services; at worst, every local Windows administrator account.
Giving your support staff a fully audited and controlled remote SSH terminal and Remote Desktop access function has both cost and security benefits.
ForestSafe removes the need for your support teams to know any passwords other than those of their own computer accounts, which are known only to them.

Enhanced Security by not storing passwords

ForestSafe does not suffer from the 'keys to the kingdom' problem as passwords are not stored in the database, but generated as they are required. This ensures that ForestSafe does not introduce another point of attack into your environment.

The Security model

The system has several security layers. Some teams may require constant remote access to a known list of servers. Another team may want infrequent access to any server driven by a change record. The system is designed to give audited control to enable any access to be established at any level.

Password Vault Flow Diagram

User Validation is the doorway to the remote access.

ForestSafe is configured to trust a set of Windows domain accounts. Their domain group membership maps to ForestSafe Administrator groups. Access is via a web page, either by credential entry or Single Sign On. For UNIX-only shops, a Virtual ForestSafe Domain can be trusted through to LDAP.

Segregation of roles is required by COBIT and the Sarbanes-Oxley Act. It is vital that partitions exist between the various functions of a system so that employees in one section cannot interfere with the work of others.
Every ForestSafe function can be added to or removed from a ForestSafe Administrator's desktop using Administrator Role Management. The mapping of any system function to any Administrator group is completely orthogonal.

Access Approval is set up to apply an additional layer of authority between users and their password retrievals. A ForestSafe approval period can be configured to start immediately or in the future, and set to terminate at a given time. During this period the ForestSafe user requiring approval has view of the approved target. Administrators can be set up as approvers or as requiring approval.

Access Control Lists define which machines Administrators are allowed to access and which accounts they are allowed to use to log on.
ForestSafe is configured to create hierarchical "Host Containers". Administrator Roles are mapped against any container in the hierarchy and inherit any hosts present in its sub-containers. The ForestSafe Administrator is presented with a restricted list of choices based on either their current approvals or, if the approval layer is not enabled, the contents of the host container associated with their Administrator Role.
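The approval window and the host-container inheritance described in the two sections above, as an added illustrative model (not ForestSafe's own code): the hierarchy, roles, host names and approval records are all constructed assumptions, and `visible_hosts` shows how the two layers combine to restrict the list an administrator is offered.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical model of hierarchical host containers plus an approval
# window; illustrative code, not the product's implementation.

@dataclass
class Container:
    name: str
    hosts: set = field(default_factory=set)
    children: list = field(default_factory=list)

    def all_hosts(self):
        """Hosts held directly plus everything inherited from sub-containers."""
        found = set(self.hosts)
        for child in self.children:
            found |= child.all_hosts()
        return found

@dataclass
class Approval:
    user: str
    host: str
    start: datetime   # may be now or in the future
    end: datetime     # approval terminates here

    def active_at(self, now):
        return self.start <= now < self.end

def visible_hosts(role_container, user, approvals, now, approval_layer=True):
    """Targets offered to the administrator: the role's container (with
    inheritance), narrowed to active approvals when the approval layer is on.
    A host that is approved but outside the role's container is never shown."""
    allowed = role_container.all_hosts()
    if not approval_layer:
        return allowed
    approved = {a.host for a in approvals if a.user == user and a.active_at(now)}
    return allowed & approved

def visible_at(offset_minutes, approval_layer=True):
    """Constructed scenario: 'prod' holds web01 and inherits db01, db02, fw01;
    alice has a two-hour approval for db01 and for hr01 (outside her container)."""
    prod = Container("prod", {"web01"},
                     [Container("db", {"db01", "db02"}), Container("edge", {"fw01"})])
    t0 = datetime(2024, 1, 1, 9, 0)
    approvals = [Approval("alice", "db01", t0, t0 + timedelta(hours=2)),
                 Approval("alice", "hr01", t0, t0 + timedelta(hours=2))]
    return visible_hosts(prod, "alice", approvals,
                         t0 + timedelta(minutes=offset_minutes), approval_layer)
```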

Target Identity ratification ensures the host being accessed is the intended host and not a "man in the middle".
Every ForestSafe host configured for access via SSH has its public key or fingerprint requested from the host on discovery. This key is stored against the host record and compared every time a remote access takes place.
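The discover-then-compare check just described, as an added example in the OpenSSH fingerprint style (not ForestSafe's code): the store, the host names and the key blobs are constructed for illustration, and a mismatch on a later access is refused rather than silently re-pinned.

```python
import base64
import hashlib
import hmac

# Illustrative host-key pinning; added example code, not the product's own.

class HostKeyMismatch(Exception):
    """Raised when a host presents a key that differs from the pinned one."""

def fingerprint(pubkey_blob: bytes) -> str:
    """OpenSSH-style fingerprint: base64(SHA-256(key blob)) without padding."""
    digest = hashlib.sha256(pubkey_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

class HostKeyStore:
    def __init__(self):
        self._pinned = {}   # host -> fingerprint recorded at discovery

    def discover(self, host: str, pubkey_blob: bytes) -> str:
        """First contact: record the host's fingerprint against its host record.
        Re-discovery is refused so a changed key cannot be silently re-pinned."""
        if host in self._pinned:
            raise HostKeyMismatch(f"{host} already pinned; remove it explicitly to re-pin")
        self._pinned[host] = fingerprint(pubkey_blob)
        return self._pinned[host]

    def verify(self, host: str, presented_blob: bytes) -> None:
        """Every remote access: compare the presented key with the pinned one."""
        expected = self._pinned.get(host)
        if expected is None:
            raise HostKeyMismatch(f"{host} has no pinned key; discover it first")
        if not hmac.compare_digest(expected, fingerprint(presented_blob)):
            raise HostKeyMismatch(f"{host}: presented key differs from pinned key")

    def trusted(self, host: str, presented_blob: bytes) -> bool:
        """Boolean form of verify() for callers that log the failure and abort."""
        try:
            self.verify(host, presented_blob)
            return True
        except HostKeyMismatch:
            return False

# Constructed sample key blobs (not real keys)
KEY_DB01 = b"ssh-ed25519 constructed-key-for-db01"
KEY_ROGUE = b"ssh-ed25519 constructed-key-for-interloper"

if __name__ == "__main__":
    store = HostKeyStore()
    store.discover("db01", KEY_DB01)
    print(store.trusted("db01", KEY_DB01), store.trusted("db01", KEY_ROGUE))
```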

Remote Access Validation is the final doorway to the remote system.
Remote terminal validation is either by credential entry or Single Sign On. If Single Sign On is disabled, the Administrator can be given access to the self-service password vault to retrieve the required account password. If Single Sign On is used alongside the approval layer, the approver can grant the remote access and the approved user can log on without the password ever being revealed. Moreover, support staff can log on to Windows Domain machines using their own domain account, which is placed temporarily in the local Administrators group.

Policing the security

Released password monitoring. If a released password has not been used within a specified time, the password can be forcibly scrambled, preventing logon. All account logon activity is monitored on the dashboard. Detailed reports on user accesses are reached by clicking through the dashboard.

Scrambled password monitoring. All managed computer accounts can be regularly checked to ensure that every account password set by ForestSafe has not changed on the machine. All exceptions are monitored on the dashboard.

Securing the Application
ForestSafe leverages Windows Active Directory security to control access to the ForestSafe application. This ensures granular access control of the components of the application and the resources controlled by the application. Active Directory groups are used to control access for various ForestSafe administrators.
1 - ForestSafe Administrators map to corresponding Active Directory Security Groups; any function of the system can be mapped to any ForestSafe Administrator

ForestSafe Platforms
ForestSafe scales across any configuration of any platform. It will manage all your Windows Domain computers, and all your AIX or Solaris computers. It can also manage the accounts of your routers and firewalls, and old legacy kit that only supports Telnet. If you have any in-house systems with accounts that need management, a sophisticated template command mechanism enables you to bring these accounts under the management of ForestSafe.

Supported Platforms:

AIX/SOLARIS/HPUX/Linux (with Telnet: Cisco, OS/390)

Machine Types:

Single Windows Domain workstations and servers
UNIX SSH and Telnet
Any device that supports SSH or Telnet

A complete Enterprise Password Management system for all Microsoft Windows local and shared user accounts. The password of every 'built-in Administrator' account can be managed with a single "Local Windows Account Policy" entry; each administrator account is given a unique password.
If the 'built-in Administrator' account has been used as the logon user of a Windows Service, the "Shared Account Policy" is used to synchronise the local user account and the service logon account. Most Windows systems, e.g. Services, MSSQL and IIS App Pools, are managed out of the box. Moreover, a customisable Shared Account interface means any in-house custom Windows application account password can also be managed, either uniquely or synchronised with any other ForestSafe-managed account.

Non Windows
Management for UNIX, Cisco and firewall accounts, and any platform that supports SSH or Telnet. The password of every host's root account can be managed with a single "Local Windows User Policy" entry; each root account is given a unique password.
Any account password can be managed, and an advanced, extendable template system means that any in-house custom application can be managed, either uniquely or synchronised with any other ForestSafe-managed user or users.
The most secure method for UNIX user account management is using SSH keys, the ForestSafe UNIX default. ForestSafe has central SSH key management. It also stores host fingerprints to prevent 'man in the middle' attacks.
ForestSafe can also communicate via Telnet, so user accounts on any hardware supporting Telnet, e.g. a Cisco router or an OS/390 mainframe, are supported.
Any Windows account password can be shared with any UNIX user account.

Remote Terminal Access
Windows systems are accessed through a Web based Remote Terminal, and UNIX systems are given access through a Java based SSH terminal. EESM have licensed and embedded MINDTERM in the ForestSafe Web application, the industry's leading Java SSH Terminal, from APPGATE.

Remote Terminal

The system has successfully retrieved the password
2 - The Remote Desktop opens in a new web page. Any number of Remote Desktops can be open at the same time.
Support users are required to enter a Reason why Terminal Access is required, and like every page in the ForestSafe system, every change or remote access is logged to the ForestSafe Audit Log. All account access information can be retrieved through the ForestSafe Audit report.
1 - Here the user has selected a UNIX server
UNIX server access runs in an SSH terminal window in a new web page.

Account Provisioning

Temporary account provisioning
ForestSafe can create a temporary Administrator account with a common password across a range of machines for a controlled time period, for example to give staff local machine access to carry out weekend tasks.

Permanent account provisioning
It can also create a new Administrator account with a unique password across a range of machines and manage the password, or let the user manage the password. Any new or replaced machines will receive provisioned accounts automatically.

Password Retrieval through API (CLI)
A console application is available that can be configured to retrieve the password of any account managed by ForestSafe. For example, the ForestSafe API could be called from an EXPECT script to solve the issue of hardcoded passwords. For additional security, the API is also available as a DLL.

High Availability
The system will run on a single Windows 2003 Server, or can be deployed over 6 servers in a redundant and highly available configuration.

ForestSafe provides enhanced security and productivity by allowing administrators to have the correct access to perform their jobs. Enhanced access is allowed only for the duration required. This means that your business can show adherence to security and compliance standards while maintaining an efficient, cost-conscious business process. In addition, if you are considering deploying an Enterprise Management system such as IBM's TADDM and do not want the overhead of managing agents across your infrastructure, ForestSafe can also be integrated to manage the credentials for it.

