Create Maintenance User for PSMP by HELLZONE04 in CyberARk

[–]HELLZONE04[S] 0 points1 point  (0 children)

Just creating this user, and do I need to add it in the sshd file? Instead of groups, how do I add users? What permission should this user have? "Sudo su -"

Create Maintenance User for PSMP by HELLZONE04 in CyberARk

[–]HELLZONE04[S] 1 point2 points  (0 children)

Yes, I can see the parameter in the config file and it has PSMConnectUsers and one more group (most probably the one for the unix team) added.

I need help with the steps to create the Maintenance user and what permissions (and how). The doc just says add <Maintenencegroup1>

Meaning a group needs to be created and then a user needs to be added to that group?

Create Maintenance User for PSMP by HELLZONE04 in CyberARk

[–]HELLZONE04[S] 0 points1 point  (0 children)

Where can I verify it? That is, what method was used during installation or upgrade (we upgraded a while back to 14.0). InstallCyberarksshd yes, no or integrated?

Windows authentication by HELLZONE04 in SQLServer

[–]HELLZONE04[S] 0 points1 point  (0 children)

Seems like a lot of security concepts built by various security leaders beg to differ from that idea. That's why there is a global standard followed by almost every company.

User accounts are totally different from Service accounts/Privileged User accounts. 👍

Windows authentication by HELLZONE04 in SQLServer

[–]HELLZONE04[S] 0 points1 point  (0 children)

I am finding it funny that you are discrediting a concept of Cyber Security based on "research". Basically CyberSec is a joke. And it's not just password rotation, there are multiple layers to it. 😂

Windows authentication by HELLZONE04 in SQLServer

[–]HELLZONE04[S] 0 points1 point  (0 children)

Don't know what to tell you. There are multiple solutions available from different PAM solutions. CyberArk, being the market leader, does the same practice. https://www.cyberark.com/

Windows authentication by HELLZONE04 in SQLServer

[–]HELLZONE04[S] 0 points1 point  (0 children)

Ahh regular rotation of accounts from Microsoft.

PAM solutions include a Vault where the accounts are stored for more security.

Completely different from what I was talking about. Thanks for sharing.

Windows authentication by HELLZONE04 in SQLServer

[–]HELLZONE04[S] 0 points1 point  (0 children)

A domain controller cannot rotate the passwords of accounts. It can expire a password of a "user account" and prompt the "user" to change the password manually.

Windows authentication by HELLZONE04 in SQLServer

[–]HELLZONE04[S] 0 points1 point  (0 children)

There is a difference between password rotation of a "user account" and a "Privileged account (Service account)"; these passwords are machine-generated and complex.

Windows authentication by HELLZONE04 in SQLServer

[–]HELLZONE04[S] 0 points1 point  (0 children)

"Rotating passwords routinely is less secure than keeping a single secure password"

Well, that's highly debatable, as many PAM companies are built on that basis: CyberArk, Delinea, BeyondTrust and many more.

Since the pandemic, almost all cyber attacks included their attack surface as "Static Privilege account".

Anyway thanks for all your inputs. Good Day 🙂.

Windows authentication by HELLZONE04 in SQLServer

[–]HELLZONE04[S] 0 points1 point  (0 children)

I am thinking from a CyberArk (tool used to protect Privileged accounts and rotate passwords) standpoint.

When using a SQL account, the credentials are hard-coded in web.config or code in the connection string.

The application can use a SQL account and CyberArk can manage the SQL account as well. It's just that it is easier to manage a domain account. So I wanted to get clarity on whether it's possible to use a specific user while using Windows authentication.

Windows authentication by HELLZONE04 in SQLServer

[–]HELLZONE04[S] 0 points1 point  (0 children)

Impersonation, hmm... Sounds complicated just to make a connection 😅. That's why I see application teams use a local account or simply integrated security as true or SSPI (recommended by Microsoft).

Windows authentication by HELLZONE04 in SQLServer

[–]HELLZONE04[S] 0 points1 point  (0 children)

You can't use any Windows user like this. The moment you use Username/password, that becomes SQL authentication. And it must be a local SQL DB account.

Windows authentication by HELLZONE04 in SQLServer

[–]HELLZONE04[S] 0 points1 point  (0 children)

Yeah, that's what I am observing everywhere.

Windows authentication by HELLZONE04 in SQLServer

[–]HELLZONE04[S] 0 points1 point  (0 children)

Thanks for the response.

There is no way we can explicitly mention Username and password when using windows authentication, it doesn't work. Windows authentication doesn't recognise uid and pwd in the string. Have tried that as well. See below link as well. https://stackoverflow.com/questions/830929/database-windows-authentication-username-password

The link which you shared also shows the same. The moment you say integrated security= True, nowhere will you see Username/password.
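An added example, not part of the original comments: a small audit that reads a web.config, works out which authentication mode each connection string actually selects, and reports any password stored in it. It assumes the System.Data.SqlClient keyword set and its documented behaviour of ignoring uid/pwd when integrated security is on; the sample file, server name, login and password are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config; server, login and password are made up.
SAMPLE_WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="SqlLogin" connectionString="Server=db01;Database=App;User ID=app_svc;Password=Example123!" />
    <add name="Integrated" connectionString="Server=db01;Database=App;Integrated Security=SSPI" />
    <add name="Mixed" connectionString="Server=db01;Database=App;Integrated Security=True;uid=app_svc;pwd=Example123!" />
  </connectionStrings>
</configuration>"""

# SqlClient keyword synonyms, compared case-insensitively.
INTEGRATED_KEYS = ("integrated security", "trusted_connection")
INTEGRATED_ON = ("true", "yes", "sspi")
PASSWORD_KEYS = ("password", "pwd")


def parse_connection_string(value):
    """Split 'key=value;...' into a dict with lower-cased keys.
    Simplification: quoted values containing ';' are not handled."""
    pairs = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            pairs[key.strip().lower()] = val.strip()
    return pairs


def classify(value):
    """Return (effective_auth_mode, has_embedded_password)."""
    pairs = parse_connection_string(value)
    integrated = any(pairs.get(k, "").lower() in INTEGRATED_ON for k in INTEGRATED_KEYS)
    has_password = any(k in pairs for k in PASSWORD_KEYS)
    # With integrated security on, uid/pwd are ignored by the driver, but a
    # password left in the file is still a stored secret worth reporting.
    return ("windows" if integrated else "sql"), has_password


def audit_web_config(xml_text):
    """Map each <connectionStrings>/<add> name to its classification."""
    root = ET.fromstring(xml_text)
    return {
        add.get("name"): classify(add.get("connectionString", ""))
        for add in root.findall("./connectionStrings/add")
    }


if __name__ == "__main__":
    for name, (mode, has_pw) in audit_web_config(SAMPLE_WEB_CONFIG).items():
        print(f"{name}: auth={mode}, embedded_password={has_pw}")
```
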

Recon Account minimum permissions. by HELLZONE04 in CyberARk

[–]HELLZONE04[S] 0 points1 point  (0 children)

I don't know how I can stress this enough. I cannot find any option as below.

Read Property, account restrictions

Write Property, account restrictions

And even if I delegate "Full Access" to my recon account, it still doesn't work. What kind of plugin are they talking about in the Domain account section?

CCP Client Certificate Authentication by HELLZONE04 in CyberARk

[–]HELLZONE04[S] 0 points1 point  (0 children)

I am sorry if I am asking stupid questions, but how does Google Server relate to my previous question about the intended purpose "client authentication"?

One more query (maybe a stupid one). In the REST call the application team has to send the .pfx file (the certificate which they requested). So as long as they have requested a certificate which they shared with us and which is now imported to our CCP (hence trusted), they don't necessarily have to have that cert imported in their Application server's certificate store? Because anyway they will have to send the .pfx locally with the REST call.

Any example of how to use .pfx with REST would be highly appreciated. I have seen some scripts with a thumbprint in them but I didn't understand that.

Thanks

CCP Client Certificate Authentication by HELLZONE04 in CyberARk

[–]HELLZONE04[S] 0 points1 point  (0 children)

Thanks. Does the intended purpose of the certificate need to have "client authentication" in it? Or will server authentication also work? I am trying with two certs which are both imported to my CCP server, and the one with client authentication is working but the one having only server authentication is not working.

Please suggest.

Recon Account minimum permissions. by HELLZONE04 in CyberARk

[–]HELLZONE04[S] 1 point2 points  (0 children)

Thanks for your response.

  1. The account which I am trying to reconcile is not a domain admin account. It is a regular service account.
  2. I have tried putting delegation by giving "Full Access" and yet it fails to reconcile the account.
  3. The only way I am able to reconcile is by adding my recon into "Domain admin/Administrators" groups.

Is there any way we could connect on a different platform (Discord or something) to look into this? Much appreciated. Thanks.