JP6180491B2 - Automated password management - Google Patents

Description

  Within a data center, local passwords must be accessible to multiple people throughout the day and night. Traditionally, such password access relies on manual tasks (eg, maintaining password handwritten notes). Software-implemented solutions exist to improve manual operations. However, software-based techniques are overly “user centric”. For example, after the user changes the password locally on the machine (eg, server or client), the password management database is updated. However, this user retains knowledge of the new password after updating the database. The user continues to have that knowledge until the password is changed again at some stage in the future. Knowledge retention by one user is not very ideal for security reasons.

  Other conventional password management methods involve setting a single password on multiple machines. However, since the same password is used on multiple machines, one intrusion on one system can lead to intrusion on many other systems. Other techniques also have problems. For example, a “server centric” technique can use an Active Directory account and remotely change the password for each client while looping through the list of clients. However, to do this requires a high level of privilege for each target machine. This also requires a very tight integration of each machine, which makes a large rollout of password management systems impractical when many target machines are involved.

  Yet another way is to change passwords more simply every day. However, this is also not scalable for large numbers of machines. For example, a data center with 100 machines would be difficult if every day the system must issue a new password to each of the 100 machines, receive a switch confirmation, and do other similar things. Would have. Such systems are also seen to require the creation of a database record for the client prior to password switching by the system. This also leads to poor scalability by complicating the initial rollout of the password management service.

  Features and advantages of embodiments of the present invention will become apparent from the appended claims, the following detailed description of one or more exemplary embodiments, and the corresponding drawings listed below.

FIG. 3 is an illustration of a client architecture in one embodiment of the invention. It is a general | schematic flowchart in the embodiment of this invention. It is a general | schematic flowchart in the embodiment of this invention.

  While many specific details are set forth in the following description, embodiments of the invention are allowed to be practiced without these specific details. Well-known circuits, structures and techniques have not been shown in detail in order to avoid obscuring the understanding of this description. “Embodiments”, “various embodiments” and this class of expressions are intended to imply that the embodiment (s) so described may include specific features, structures or characteristics, but not necessarily all It indicates that an embodiment need not include that particular feature, structure, or characteristic. Some embodiments may have some, all, or none of the features described for other embodiments. “First”, “second”, “third”, etc. describe a common object and indicate that different instances of similar objects are referenced. Such modifiers do not imply that objects so described must be in a predetermined sequence in time, space, rank, or any other manner. “Connected” can indicate direct physical or electrical contact of each other's elements, and “coupled” can indicate cooperation or interaction of each other's elements, but they are directly There may or may not be physical or electrical contact. Also, although similar or identical numbers may be used to indicate the same or similar parts in different drawings, doing so will ensure that all drawings containing similar or identical numbers are It is not meant to constitute a single or the same embodiment.

  Embodiments include a robust automatic policy-based password management system. Implementations include, for example, strong account passwords, passwords that change at a set interval (eg, 90 days), unique passwords for all managed machines, when users change roles Ability to revoke access to (e.g. employee dismissal or leave), sharing of need-based passwords (e.g. password rights are known on device or data set basis), using secure methods Only some or all of the following characteristics: password transmission, password auditability, password access traceability enabled, and ability to change passwords at set times after the user has knowledge of passwords Can be included. Embodiments can be highly automated with little user management tasks. Embodiments can also be highly scalable. Furthermore, the implementation is policy driven and can therefore be customized based on different sets of requirements.

  FIG. 1 includes a client architecture in one embodiment of the present invention. This embodiment is a policy-driven automated local administrator password management system. Embodiments include a variety of components. Database 140 may include servers, lists of accounts, and / or access control lists for these accounts. Web application 130 may include a user interface that a user can use to search for servers and query passwords. It may be that the user 105 needs to be a member of the correct access control list (ACL) in order to have permission to look up the password. This activity can be logged in the audit database 120 when the password is looked up. Web service 135 can insert records into a server (eg, database 140 on the server) and / or passwords into a system (eg, target or managed server 155, 156, 157), You can include methods to do when such a record has not yet been set. The service 135 can also update the server password (eg, on the database 140 or managed servers 155, 156, 157) if a password record already exists on the managed server. The service 135 can also query the server that the password has been looked up and this sort of thing.

  More specifically, the managed client service 115 can include installed software services or communicate with each managed machine (155, 156, 157). The service can change the local administrator password according to policy, eg every 90 days, and update the database through the web service 135. The service also opens various ports via various forms of remote access on machines 155, 156, 157, such as the Change Password command, which will be discussed in detail below. (For example, .NET Remoting (via dotnet remoting (remote processing)) by the audit service 121 can be permitted. The above time period (90-day policy) is read from the local configuration file. Then update the back end of the database 140 via the web service 135 and thus remove the user 105 from the solution.The service will change the password (change password (password). Change)) A remote processing port is opened to allow remote invocation of the function, and in an embodiment, a call to Change Password is not accompanied by parameters. Initiate password changes and database 140 backend updates.

  In addition to the web service 135 that can automatically implement password changes, in one embodiment, password manual changes can be implemented via the module 110.

  The audit service 121 can query the audit database 120 for checking that the password has been checked and how long it has been (for example, GetViewedAccounts () (Get View Accounts (Checked Accounts Get))) use instruction). The service 121 can determine whether the time that has elapsed since being examined exceeds a threshold (eg, 2 hours). If so, the service 121 can remotely invoke a Change Password command (an example of which will be described later) on the target server in question. As a result, the password that the user previously knew is no longer valid.

  Since the audit service 121 can include a monitoring service, when a remote password change is not possible for the audit service 121 in contact with the server, the service 121 displays an alert monitoring service (eg, Microsoft Operations Manager (for example) in the event log). MOM) (Microsoft Operations Manager) can log events that are monitored. This raises a ticket or alarm for the staff manager to investigate the problem further.

  In an embodiment, an Enterprise Access Management (EAM) service 145 is on the server and can maintain an ACL for various users 150. Access to look up the password of the server (155, 156, 157) is controlled through such an ACL. The ACL is managed through EAM 145 that assigns an access or privilege level to each of the users 150. This allows granularity of per-device, per-data-set, and similar kinds of shared passwords (i.e., high accuracy of what rights a user has and what rights are not It becomes possible to control with).

  With regard to the development of the password management system, the service 135 can “insert” the record into the database 140 during the initial operation of the password management system. The record can include, for example, a server identifier, a server password, associated ACL privileges to access the server, and a description of the ACL. The system 135 can update this password record each time it subsequently connects to the database 140. This makes the deployment very scalable (eg up to 100,000 machines) and nevertheless maintains the granularity of the need to know access to different data set levels or devices. Records are also allowed to be inserted into the target machines 155, 156, 157 themselves.

  FIG. 2 includes a schematic flowchart in an embodiment of the present invention. Process 200 begins at block 205. Block 210 determines a list of passwords or credentials examined by the user. This determination can be based on an audit service 121 that audits activities logged in the audit database 120.

Block 220 determines whether the list from block 210 is empty. If so, the process ends at block 250. If not empty, block 225 makes a remote call to a Change Password command on the target machine. This can be done, for example, using the managed client service 115 and the following pseudo code:
// Change the password locally string sPath = string. Format ("WinNT: // {0} / Administrator", Environment.MachineName);
DirectoryEntry directoryEntry = new DirectoryEntry (sPath);
directoryEntry. Invoke ("SetPassword", password);
directoryEntry. CommitChanges ();

Generation of a new password can be accomplished using, for example, the managed client service 115 and the following pseudo code:
// Generate random password PasswordGenerator generator = new PasswordGenerator ();
string password = generator. Generate ();
Access to the machine is. This can be done via NET Remoting (dotnet remoting (remote processing) and the like.

In block 235, if the transaction is unsuccessful, a failure log in the audit database 120 and subsequent alert generation (eg, MOM alert) can be performed to track this problem. (Block 240). If the transaction is successful, success may be logged in the audit database 120 (block 245). For the transaction itself, the records in the database 140 can be edited using, for example, the managed client service 115 and the following pseudo code.
// Configure file-related information for inserting records into the database <add key = "accountName" value = "Administrator" //
<Add key = “permissionGroup” value = “databaseSupportTeam” />
<Add key = “changeFrequencyDays” value = “90” />

  FIG. 3 includes a schematic flowchart in an embodiment of the present invention. Process 300 may begin at block 305. During normal operation, a service (eg, Windows (registered trademark) Service (Windows Service), Linux (registered trademark) Daemon (Linux) daemon)) can wake up and perform the process 300 every 24 hours.

Block 310 checks the last password change date. This can be done in harmony with examining the audit database 120 and the audit service 121. The “change date” can be stored in an encrypted form in the registry. In block 320, the result from block 310 is checked against a threshold. If the threshold is not met, the process can end at block 355. However, if the threshold is met, a new password can be generated at block 325 using, for example, the following pseudo code:
// Generate random password PasswordGenerator generator = new PasswordGenerator ();
string password = generator. Generate ();

In block 335, the web service 135 can determine whether a password record already exists. If not, a new record can be generated and inserted into the database 140 at block 350 using, for example, the following pseudo code:
// Insert a record into the database webService. InsertClientRecord (accountName, password, permissionGroup, account_description)
Records can be entered using the following pseudo code:
// Configure file-related information for inserting records into the database <add key = "accountName" value = "Administrator" //
<Add key = “permissionGroup” value = “databaseSupportTeam” />
<Add key = “changeFrequencyDays” value = “90” />

In block 340, the password on the target machines 155, 156, 157 can be changed. The following is a loop for implementing one or more such changes that are repeated as long as the machine requiring the change is identified at block 320.
for etch (string server in servers)
{String managerUrl = string. Format ("tcp: // {0}: 19010 / PasswordManager.rem", server);
IPpasswordManager manager = (IPpasswordManager) Activator. GetObject (typeof (IPpasswordManager),
manager. ChangePassword ();}

  Thus, in an embodiment, with respect to blocks 340 and 350, the client service running on each managed machine attempts to update its password in the database. This can be attempted at block 335, for example. The managed machine calls, for example, an UpdatePassword () (update password (password update)) method that requires only the machine name and password as parameters. The method therefore runs very quickly and the process can proceed from block 335 to block 340 (bypassing block 350). However, a record must exist in the database before such an update can occur. If the record does not exist, at block 350 the client must, for example, call the InsertRecord () (insert record (record insert)) method, which is more than the UpdatePassword () (update password (password update)) method. As a result, the run is slower than the UpdatePassword () (update password (password update)) method.

  In block 345, the registry (eg, audit database 120) can be updated. The process ends at block 355.

  In addition, in one embodiment, the password is changed locally on the managed client machine only after the database is always updated for the first time. This can avoid scenarios where the database cannot be updated after the password has been changed locally on the managed client machine (eg due to connectivity errors). This kind of situation can result in no one being able to query for a new password. Thus, in one embodiment, the password is not changed locally if the database is not accessible.

  Thus, embodiments can include a “managed client” that manages password changes every configured number of days without user interaction and then updates the backend system with the new password. . Further, the password can be changed within a set amount of time after the password is checked by the user. Monitoring of this state (eg, how long has passed since the password was changed) can be accomplished by the “audit service” instead of or in conjunction with the “managed client” service. Embodiments also include web services that include an “insert record” method. Therefore, no “preparation” is required to use the web service. For example, there is no need to create a record on the database prior to password expansion via a web service. A web service can be pushed to any machine, and its own record can be inserted into the database at web service startup. This gives scalability to 100,000 machines or more.

  Embodiments may use (a) gaining privileged access to a respective first password credential (eg, password or other element, resource within a first preceding time period (eg, 2 hours). Determining a first plurality of processor-based systems that have been examined (eg, by a human user), and (b) a first password credential within a first preceding time period Each first password credential for each of the first plurality of systems from an additional processor-based system remotely located from the first plurality of systems based on the determination that For example, it can be changed remotely (via a network extending over a large physical area).

  The same embodiment or another embodiment may be the same as the respective second password credential (the first password credential within a second preceding time period (eg, 90 days). ) Determine a second plurality of systems that have not been changed and a second plurality of systems based on a determination that the second password credential has not been changed within a second preceding time period Each second password credential for each of the systems can be remotely changed from the additional system.

  Changing each first or second password credential can include providing a unique password as an exchange for the old password. Each machine (eg, tablet, server, personal digital assistant, smart phone) can acquire a unique password.

  Embodiments can initially set up a password credential management account for the system and remotely insert records into the database from an additional processor-based system during initial setup of the account. However, it is permissible for the database not to have an existing record associated with the password credential management account. This can allow for account system scalability or rollout among a large number of machines to be managed. The "insert" of this record keeps a database of password records (stored on the machine to be managed or on some other independent machine) on the machine to be managed Can be on a server.

  Embodiments herein include specific technologies (e.g., Windows (R) Service (Windows Services), Linux (R) Daemon (Linux Daemon), .NET Remoting (dotnet remoting (remote processing)), The solution can be supported across any operating system, various platforms, and the like.

  Embodiments can be implemented in code and can be stored on a storage medium that stores instructions usable in a program of a system that performs the instructions. Storage media include, but are not limited to, floppy disks, optical disks, solid state drives (SSD), compact disk read only memory (CD-ROM), compact disk rewritable (CD-RW), and Any type of disk, including magneto-optical disks, semiconductor devices such as read only memory (ROM) and random access memory (RAM), such as dynamic random access memory (DRAM), static random access memory ( SRAM), erasable programmable read only memory (EPROM), flash memory, electrically erasable programmable read only memory (EEPROM), magnetic or optical card, or any other suitable for electronic instruction store. It can include type of media.

  Embodiments of the invention can be described in terms of data such as instructions, functions, procedures, data structures, application programs, configuration settings, code, and the like. When data is accessed by a machine, the machine may perform tasks, define abstract data types, set low-level hardware contexts, and / or other as described in more detail herein. You can respond by performing an action. Data can be stored in volatile and / or non-volatile data storage. For purposes of this disclosure, the term “code” or “program” encompasses a wide range of components and constructs, including applications, drivers, processes, routines, methods, modules, and subroutines. Thus, the term “code” or “program” can be used to refer to any set of instructions that perform one or more desired operations when executed by a processing system. In addition, alternative implementations may include processes that use fewer than all the disclosed actions, processes that use additional actions, processes that use the same actions in different sequences, and individual processes disclosed therein. It can include processes where actions are combined, subdivided, or otherwise changed.

Although the present invention has been described in connection with a limited number of embodiments, those skilled in the art will recognize many modifications and variations therefrom. Since such modifications and variations are encompassed within the spirit and scope of the invention, the appended claims are intended to protect them all.
[Item 1]
An article comprising a non-transitory machine-accessible storage medium, wherein when executed, the system
Determining a processor-based first plurality of systems for which each first password credential is examined within a first preceding time period;
The first from a processor-based additional system remotely located from the first plurality of systems based on a determination that the first password credential has been examined within the first preceding time period Remotely changing each of the first password credentials for each of the plurality of systems;
An article comprising said non-transitory machine-accessible storage medium comprising instructions that enable
[Item 2]
The above system is
Determining a second plurality of systems in which each second password credential has not been changed within a second preceding time period;
Each said second for each of said second plurality of systems from said additional system based on a determination that said second password credential has not been changed within said second preceding time period. Changing the password credentials of 2 remotely,
Item according to item 1, comprising instructions enabling
[Item 3]
The remote change of each said second password credential includes providing a unique additional second password for each of said second plurality of systems. Goods.
[Item 4]
The remote change of each said first password credential includes providing a unique additional first password for each of said first plurality of systems. Goods.
[Item 5]
The above system is
First setting up a password credential management account for an additional one of the first plurality of systems;
Remote insertion of records into the database from the processor-based additional system upon initial setup of the password credential management account;
Including instructions that enable
The database does not have an existing record associated with the password credential management account;
Item according to item 1.
[Item 6]
6. The article of item 5, comprising instructions that allow the system to remotely enter the record with a password.
[Item 7]
The above system is
First setting up a password credential management account for an additional one of the first plurality of systems;
Remotely inserting a password record into the additional one of the first plurality of systems upon initial setup of the password credential management account;
Including instructions that enable
The additional one of the first plurality of systems does not have an existing password record associated with the password credential management account;
Item according to item 1.
[Item 8]
The above system is
The additional one of the first plurality of systems, wherein each first password credential has not been changed within an expired threshold time period that has occurred since the first password credential was examined. And determining
Automatically remotely changing the first password credential for the additional one of the first plurality of systems from the additional system based on the expiration of the threshold time period;
Item according to item 1, comprising instructions enabling
[Item 9]
Determining a first plurality of systems in which each first password credential has not been changed within a first preceding time period;
From an additional processor-based system remotely located from the first plurality of systems based on a determination that the first password credential has not been changed within the first preceding time period Remotely changing each said first password credential for each of the first plurality of systems;
Including the method.
[Item 10]
Determining a processor-based second plurality of systems for which each second password credential has been examined within a second preceding time period;
From the processor-based additional system remotely located from the second plurality of systems based on the determination that the second password credential has been examined within the second preceding time period, the second Remotely changing each of the second password credentials for each of the plurality of systems;
10. The method according to item 9, comprising:
[Item 11]
The additional one of the first plurality of systems, wherein each first password credential has not been changed within an expired threshold time period that has occurred since the first password credential was examined. And determining
Automatically remotely changing the first password credential for the additional one of the first plurality of systems from the additional system based on the expiration of the threshold time period;
The method according to item 10, comprising:
[Item 12]
10. The item of item 9, wherein remotely changing each said first password credential includes providing a unique additional first password for each of said first plurality of systems. Method.
[Item 13]
First setting up a password credential management account for an additional one of the first plurality of systems;
Remote insertion of records into the database from the processor-based additional system upon initial setup of the password credential management account;
Including
The database does not have an existing record associated with the password credential management account;
10. The method according to item 9.
[Item 14]
The remote change of each said second password credential includes providing a unique additional second password for each of said second plurality of systems. Method.
[Item 15]
Memory,
Determining a first processor-based system coupled to the memory, wherein (a) each first password credential is examined within a first preceding time period; and (b) the first The first plurality from an additional processor-based system remotely located from the first plurality of systems based on a determination that the first password credential has been examined within one preceding time period A processor for remotely changing each said first password credential for each of said systems.
[Item 16]
The processor
Determining a second plurality of systems in which each second password credential has not been changed within a second preceding time period;
Each said second for each of said second plurality of systems from said additional system based on a determination that said second password credential has not been changed within said second preceding time period. Remotely change the password credential of No. 2,
Item 16. The system according to Item 15.
[Item 17]
The item of item 16, wherein remotely changing each said second password credential includes providing a unique additional second password for each of said second plurality of systems. system.
[Item 18]
16. The item of item 15, wherein remotely changing each of the first password credentials includes providing a unique additional first password for each of the first plurality of systems. system.
[Item 19]
The processor
First, set up a password credential management account for an additional one of the first plurality of systems,
During the initial setup of the password credential management account, the record is inserted remotely into the database from the additional processor-based system
The database does not have an existing record associated with the password credential management account;
Item 16. The system according to Item 15.
[Item 20]
The processor
Determining a first plurality of systems whose respective first password credentials have not been changed within a second preceding time period;
From an additional processor-based system remotely located from the first plurality of systems based on a determination that the first password credential has not been changed within the second preceding time period Remotely changing each of the first password credentials for each of the first plurality of systems;
Item 16. The system according to Item 15.

105 User 110 Module 115 Managed Client Service 120 Audit Database 121 Audit Service 130 Web Application 135 Web Service 140 Database 145 EAM
150 User 155 Managed Server 156 Managed Server 157 Managed Server 200 Process 300 Process

Claims (12)

A method performed by at least one processor comprising:
Its in the first expiration threshold time period password credential is generated from being examine of respectively, wherein each of the first password credential There are not been changed first plurality of processors - Determining at least one of the base systems;
Automatically changing the respective first password credentials for each of the at least one of the first plurality of processor-based systems. Determining at least one of a second plurality of processor-based systems having respective second password credentials that have not been changed within a first preceding time period;
2. The method of claim 1, comprising automatically remotely changing the respective second password credentials for each of the at least one of the second plurality of processor-based systems. .   Automatically remote changing the respective second password credentials to provide a unique additional second password for each of the second plurality of processor-based systems. The method of claim 2 comprising.   Automatically remotely changing the respective first password credentials to provide a unique additional first password for each of the first plurality of processor-based systems; 4. A method according to any one of claims 1 to 3, comprising. First setting up a password credential management account for an additional one of the first plurality of processor-based systems;
Remote insertion of a password record into the additional one of the first plurality of processor-based systems upon initial setup of the password credential management account;
The additional one of the first plurality of processor-based systems does not have an existing password record associated with the password credential management account;
5. A method according to any one of claims 1 to 4.   A program for causing a computer to execute the method according to any one of claims 1 to 5. A computer-readable recording medium storing the program according to claim 6. Memory,
A processor coupled to the memory ;
Its in the first expiration threshold time period password credential is generated from being examine of respectively, wherein each of the first password credential There are not been changed first plurality of processors - Means for determining at least one of the base systems;
Means for automatically remotely changing the respective first password credentials for each of the at least one of the first plurality of processor-based systems. Means for determining at least one of a second plurality of processor-based systems having respective second password credentials not changed within a first preceding time period;
Means for automatically remotely changing said respective second password credentials for each of said at least one of said second plurality of processor-based systems. The described system. To supply a unique additional second password for each based system - the automatically to remotely change the respective second password credential, the second plurality of processors The system of claim 9, comprising:   Automatically remotely changing the respective first password credentials to provide a unique additional first password for each of the first plurality of processor-based systems; 11. The system according to any one of claims 8 to 10, comprising: First means for setting up a password credential management account for an additional one of said first plurality of processor-based systems;
Means for remotely inserting a password record into the additional one of the first plurality of processor-based systems upon initial setup of the password credential management account;
The additional one of the first plurality of processor-based systems does not have an existing password record associated with the password credential management account;
The system according to any one of claims 8 to 11.

Images