Breakglass account and key management

Man of Honour | Joined: 19 Oct 2002 | Posts: 29,757 | Location: Surrey
I'd be interested in people's experience with tools to manage privileged keys (userids), e.g. tools that you use to sign out an emergency userid, or possibly tools that allow you to sign out an id and also track the actual usage of it.

Does anyone have any experience or recommendations?
 
The company I work for used to have a generic username and password (both the same), and when you typed them in while someone was logged on it automatically logged them off, not saving any work or anything. The only downside to it was you could also log on using the same username and password, which gave you access to certain computer settings. This was on a Windows NT domain, but we recently upgraded all our servers to Win2k3 and this no longer works.
 
Thanks for the reply. But what I'm really after is some kind of tool that's used to manage userids in the following way:

1) Something breaks. An alert occurs.
2) Operations team phones out 24/7 support.
3) Support bod drags himself out of bed. Asks for the sysadmin userid.
4) Ops use the 'breakglass' system to check out the sysadmin password to him.
5) Ops manager approves the use of the userid.
6) Support bod fixes problem.
7) Ops check the userid back in, resetting the password so it can't be reused by the support bod.
 
When you have a situation like that, can you not just re-enable the sysadmin account and hand over the password?

Once done, change the password and then disable the account?

Granted it's not a bit of software, but you could probably script it.

Kimbie
 
That's what's happening at the moment. And what will still need to happen. But what I'm looking for is something which tracks the usage of it:

Option 1 - A system (e.g. web based) from which you "check out" the current password. When you "check in" the userid after it has been used you will probably have to manually reset the password, but you then store the new password in the system. What this gives you is that it is clearly audited when (and by whom) the password was checked out. It also stores the current password so it can't be viewed without signing it out again. The person who signs it in and out would not be the person who needs it. It would be a central team of "trusted" people and it would require dual control, so the user would not know the new password.

Option 2 - A more complete solution which has an agent on the machine itself. This agent will change the password for you and track any commands you enter. This is a better solution but more complex (do they exist?)
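Option 1 as a minimal working sketch, added here as an illustration and not code from the thread or any product: a check-out/check-in store that enforces dual control (approver must differ from requester), keeps an append-only audit trail, and rotates the password on check-in so the support bod's copy stops working. The class name, the `set_password_on_target` hook, and the sample users and reason are assumptions; the target host is a constructed stand-in dict.

```python
import secrets
import string
from datetime import datetime, timezone


class BreakglassVault:
    """Holds one emergency account's password; it is only released via checkout()."""

    def __init__(self, account, password, set_password_on_target):
        self.account = account
        self._password = password                     # not readable except via checkout()
        self._set_on_target = set_password_on_target  # hypothetical hook: resets it on the host
        self.holder = None                            # who currently has it checked out
        self.audit = []                               # append-only who/when/why trail

    def _log(self, event, **details):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append({"ts": stamp, "event": event, "account": self.account, **details})

    def checkout(self, requester, approver, reason):
        """Release the password under dual control: approver must not be the requester."""
        if approver == requester:
            raise PermissionError("dual control: approver must not be the requester")
        if self.holder is not None:
            raise RuntimeError(f"{self.account} is already checked out by {self.holder}")
        self.holder = requester
        self._log("checkout", requester=requester, approver=approver, reason=reason)
        return self._password

    def checkin(self, operator):
        """Return the account: rotate the password so the previous holder's copy is useless."""
        if self.holder is None:
            raise RuntimeError("account is not checked out")
        alphabet = string.ascii_letters + string.digits
        new_password = "".join(secrets.choice(alphabet) for _ in range(24))
        self._set_on_target(self.account, new_password)  # step 7: reset on the real system
        self._password = new_password                   # vault now holds the only copy
        self._log("checkin", operator=operator, previous_holder=self.holder)
        self.holder = None


def simulate_incident():
    """Walk the thread's steps 3-7 with constructed data; return (password handed out, vault, host)."""
    host = {}  # constructed stand-in for the machine whose sysadmin password is managed
    vault = BreakglassVault("sysadmin", "initial-S3cret", host.__setitem__)
    handed_out = vault.checkout("support_bod", "ops_manager", reason="alert on web01 (constructed)")
    vault.checkin("ops_team")
    return handed_out, vault, host
```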
 
Have you considered such things as two factor authentication, smart cards or implementing a PKI? You could achieve what you have outlined above to some degree.
 