Securing default generic accounts (bt/bi/bu-admin)

Hey ​@Robert A. - I agree with the desire to make the ‘keys to the kingdom’ not be a weak part!

The gotchas around auto-rotation is making sure something doesn’t go Horribly Wrong™ and then you have a sev1 where you can’t log in and restore from backup might be the only, albeit bad, option. ** 

Recommendations on making this a bit more guard railed but also not providing an an automated approach from any number of tools (*not BT advised)

If you only have PasswordSafe:

1. Put the password in Secrets Save and audit who has access, who performs actions, and no API access to the credential
   1. Otherwise, if you keep it in a **physical vault** (i.e. not digital vault sprawl, excel sheet, notebook, or post-it), ensure the access to the vault is audited and correlated to actions in the console. 
2. Have those logs migrate off to a lovely SIEM solution where the folks who have access to the admin credentials aren’t the only ones monitoring the admin credential use
   1. Self regulation often doesn’t work in an operational setting - policies and procedures that are easier to follow than evade is my hope with this one
3. Have a reminder to rotate the credentials periodically and update the Secrets Safe

If you have PRA with web-jump:

1. Update the credentials in the console with web-jump so it’s recorded 
2. Update the vault in PRA
3. Monitor changes outside of sessions in PRA
   1. Those should be considered investigations and look at how to restrict this behaviour, if legitimate, from being easier than PRA
4. Same auditing notes for same reasons

** Docs and official notes:

The official guidance is that it’s recommended to change the password on the webGUI over the other tools:

https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0017092

Our official stance on btupdater not being auto-rotated:

https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0021131

Hi ​@tclowater,

thanks for your suggestions. Issue with the 1st solution, it’s terrible to manage as you would have 4 appliances with 2 regular used users which would result in constantly rotating and changing 8 passwords. 

The PRA solution would be the preferred solution here but requires extra software to be set up and used. I need to dig deeper if we the password storing solution we have will support this.

The thing that gets me is that a software solution which is supposed to secure access has such a flaw in its design and does not provide any solution itself to lock down those accounts or to personalise them. It’s like replacing one risk with another. Or this is clever marketing to sell products to secure the other products. 😉

One potential idea you could float past your Info Risk team is physical storage of the BTadmin password on a Yubikey or similar physical device and have said device locked in a secure room with a secure cabinet/safe with minimal access to it outside of those that should truly have that access.  Since Yubikey has a 32 character password limit, if you wanted to make the password say 64 characters you would need 2 devices, but thats also a blessing, because you can split that password in half and store the physical devices in different locations. This makes it tougher for someone to access the system account without proper knowledge or the device itself.

You noted that you have password safe, so the licensing model includes Secret Safe, just not workforce passwords. So you could create a restricted safe like TClowater stated and feed those longs to a SIEM so that your SOC team could monitor the usage as well.

Another option is the ideas portal that our product team reviews asking for a suggested method on handling auto-rotation of the btadmin (or equivalent - you can name it whatever) account. 

I think this is the general challenge with any vaulting solution - at the end of the line there is usually one credential that needs to be dealt with that’s high privileged. Sorry, I didn’t mean this as a “hey buy more!” - just giving options since I’m not sure which products people have when answering questions! 

PS. I LOVE that you asked, as I’ve seen some .. uhm… interesting choices for management of this account. This gives me hope that all passwords aren’t the same and everyone isn’t always logging in as full admin! 

We setup an “Application” within PS that is used to manage PS via web console…. Also, you can setup the btadmin credential for RDP into each appliance, but do not allow password checkout.  Updater Settings can be done this way too.

​@MikeK as the btadmin account is used for SUPI updates this is not an option. The biadmin account as a generic admin account is locked down as it’s “not needed” and the admins have their own personalized accounts. We have another solution in place for password management that I need to investigate a little more to see if this will help before beginning to implement another solution but thanks for the tip.

​@tclowater I have added an idea that is indirectly related to this topic which will also make life easier if you need to manage several appliances. Using Enterprise Updater as as SPOC which then connects to the appliances and remotely schedules updates. This way only one set of credentials would need to be managed. If it’s only one credential set and one that you do not need on a regular basis it’s not an issue but currently bt/buadmin are required for regular tasks and have permissions that allow you to do a lot of other things too.

​@MichaelF I’ve done that for the RDP connection to the appliances but the btadmin account is also used for SUPI updates and what if the update breaks the solution? I don’t feel comfortable using PS to secure PS. The admins already have a personalized admin accounts so they would be able to extract the password which would be OK but then it needs to be rotated/changed again and stored in a separate password vault in case PS should fail. OK I could use PS Cache to have access to the last password. At the end of the day I’m building a security solution for a security solution which feels odd.

Thanks all for your input I’ll need to see what I can implement or not as there are limits and guidelines I need to follow. Also building or even purchasing something extra is not an option, there are to many products in use already and I don’t want to add things to the list that are not needed.