Geekzone: technology news, blogs, forums
69 posts

Master Geek
+1 received by user: 2


  Reply # 1515032 17-Mar-2016 14:17
Send private message

Lias:

Andib:

Lias:

So this started a bit of a conversation at work.

Different need from the OP: what do people do in large (by NZ standards anyway) enterprise environments?

Our IT team is ~80+, supporting ~5000 users. What sort of tools do people use to store passwords in big environments like this? Different teams within IT would need different access to different accounts, granular control etc.

My manager wants to know what other large enterprises are doing before he even talks to a reseller about costs/licensing.

Sent you a PM

Ta, appreciated that.

IT team of around 120 supporting 12000+ employees, and we use Secret Server by Thycotic.


3503 posts

Uber Geek
+1 received by user: 1967

Trusted
Lifetime subscriber

  Reply # 1515043 17-Mar-2016 14:25
Send private message

PolicyGuy:

Start with User Requirements - who needs (that's "needs" not "wants"!) access to what, &c.?

Then do Design of the groups and permissions in your Identity & Access Management (IDAM) system - Microsoft AD is amazingly adequate for this.
In my experience, nobody should need more than two access IDs and therefore no more than two passwords - one ID is for their 'regular' persona, the other is for their Privileged User role. Typically, a PU logs in with their regular credentials, then uses the 'sudo' / 'access as' facility supported in their operating environment to execute privileged commands.

The password for the 'root' or 'can do anything anywhere' userID is a very long and really hard to remember string. It is written down on paper, put in an envelope which is sealed and has '"root" password' written on the outside. That is put in another sealed envelope emblazoned "For Emergency Use Only" "Master Password" and put in the locked filing cabinet of the IT Manager / IT Operations Manager. There will be a second copy in a different location - in one case I caused it to be stored in the Company Solicitor's office off-site. The attached process says that after each use (recorded in a Major Incident log, of course) it must be changed. There should be no 'root'-equivalent accounts.

Make sure that there is only One Source Of Truth - ideally the HR / Payroll system which feeds the IDAM system automatically.
Do not permit direct manipulation of user details in Exchange / AD - make people change the HR system data then feed through.

We don't _yet_ have a proper Identity Management system. It's something being looked into by others (who, like myself, are dead keen on it). We do have separate PU credentials, but no policy (yet) of only using them on secure workstations etc. Something I'd like to implement, but change here is glacial.

I'm more looking for something to store things like:

  • The umpteen billion distinct service accounts we have for things
  • DSRM password(s)
  • Local admin passwords
  • DMZ/Workgroup server passwords
  • Shared online account passwords
  • SQL SA passwords
  • ESXi host root passwords
  • IMM, UPS, etc. passwords
  • etc.

Information wants to be free. The Net interprets censorship as damage and routes around it.
1586 posts

Uber Geek
+1 received by user: 156

Trusted

  Reply # 1515044 17-Mar-2016 14:28
Send private message

KeePass isn't suitable for an enterprise environment.

There is no auditability, accountability etc.

Also shared password....

CPU: Intel 3770k | RAM: F3-2400C10D-16GTX G.Skill Trident X | MB: Gigabyte Z77X-UD5H-WB | GFX: GV-N660OC-2GD GeForce GTX 660 | Monitor: Qnix 27" 2560x1440

1496 posts

Uber Geek
+1 received by user: 191

Trusted

  Reply # 1515058 17-Mar-2016 15:17
Send private message

JamesL:

KeePass

We use KeePass as do many of our customers. We used to take local copies, but with KeePass 2.x you can sync across HTTPS.

We now have the KeePass database in SharePoint, which allows online sync between many users (10-20 users) and enforces "2 factor" as the user has to authenticate with SharePoint and then also type in the master password. We haven't had any issues with this.


86 posts

Master Geek
+1 received by user: 21


  Reply # 1515461 18-Mar-2016 10:36
Send private message
919 posts

Ultimate Geek
+1 received by user: 224

Subscriber

  Reply # 1515465 18-Mar-2016 10:43
Send private message

mentalinc:

KeePass isn't suitable for an enterprise environment.

There is no auditability, accountability etc.

Also shared password....

Fair point, that's why I mentioned we're a team of only 8 people - for us we don't really need the auditing, and if someone leaves (although we've all worked together for 10+ years) we just change the master password.


58 posts

Master Geek
+1 received by user: 24


  Reply # 1515479 18-Mar-2016 10:50
Send private message

Large Government Org - Hundreds of IT staff, thousands of end users.... We use https://www.manageengine.com/products/passwordmanagerpro/

 

 


106 posts

Master Geek
+1 received by user: 61

Trusted

  Reply # 1515522 18-Mar-2016 11:32
Send private message

Just managed to convince a small IT team of 4 to shift to KeePass from Excel.

Was looking at the open source web application (Python/Django) RatticDB, which looks promising as a step up from KeePass. Maybe not for a 500+ staff operation, but just throwing it out there.

1586 posts

Uber Geek
+1 received by user: 156

Trusted

  Reply # 1515830 18-Mar-2016 18:48
Send private message

meesham:

mentalinc:

KeePass isn't suitable for an enterprise environment.

There is no auditability, accountability etc.

Also shared password....

Fair point, that's why I mentioned we're a team of only 8 people - for us we don't really need the auditing, and if someone leaves (although we've all worked together for 10+ years) we just change the master password.

That means there are 8 people who could break something or do something wrong and no way to prove who did it.... Which may be required if it turns into an HR type event.

CPU: Intel 3770k | RAM: F3-2400C10D-16GTX G.Skill Trident X | MB: Gigabyte Z77X-UD5H-WB | GFX: GV-N660OC-2GD GeForce GTX 660 | Monitor: Qnix 27" 2560x1440

488 posts

Ultimate Geek
+1 received by user: 80

Trusted

  Reply # 1517301 21-Mar-2016 23:58
Send private message

Lias:

We don't _yet_ have a proper Identity Management system. It's something being looked into by others (who, like myself, are dead keen on it). We do have separate PU credentials, but no policy (yet) of only using them on secure workstations etc. Something I'd like to implement, but change here is glacial.

I'm more looking for something to store things like:

  • The umpteen billion distinct service accounts we have for things
  • DSRM password(s)
  • Local admin passwords
  • DMZ/Workgroup server passwords
  • Shared online account passwords
  • SQL SA passwords
  • ESXi host root passwords
  • IMM, UPS, etc. passwords
  • etc.

Most of these requirements integrate with Active Directory or, at the least, RADIUS. I'd say you could make your requirements list slimmer by migrating the authentication to AD or RADIUS and then setting up AD to report on usage of passwords and logins via the security log. I've made a point of eliminating standalone accounts where possible, so SA passwords are now not allowed and services must run as AD users (without interactive permissions, of course)....

Good luck.
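The reporting gundar describes, as an added example that is not code from the thread or from any product mentioned in it: once service and admin accounts live in AD, the domain controllers' Security log records who used which account, from where, and with which logon type. The script below summarises constructed 4624/4625 event records per account and flags service accounts that were used interactively, which is exactly what "without interactive permissions" is meant to prevent. The field names follow the data names in event 4624; the "svc_" naming prefix for service accounts is an assumption.

```python
"""Summarise AD account usage from Windows Security log events (added example)."""
from collections import Counter, defaultdict

# Logon types from event 4624 that imply a person at a console or RDP session.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}   # Interactive, RemoteInteractive, CachedInteractive
SERVICE_LOGON_TYPE = 5                  # Service started by the Service Control Manager

# Constructed sample records (not real data); fields as exported from events 4624/4625.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "svc_backup", "LogonType": 5,  "IpAddress": "-",         "WorkstationName": "SRV01"},
    {"EventID": 4624, "TargetUserName": "svc_backup", "LogonType": 10, "IpAddress": "10.0.5.23", "WorkstationName": "SRV01"},
    {"EventID": 4624, "TargetUserName": "jsmith-adm", "LogonType": 10, "IpAddress": "10.0.5.23", "WorkstationName": "SRV02"},
    {"EventID": 4624, "TargetUserName": "svc_sql",    "LogonType": 5,  "IpAddress": "-",         "WorkstationName": "SQL01"},
    {"EventID": 4625, "TargetUserName": "svc_sql",    "LogonType": 3,  "IpAddress": "10.0.9.7",  "WorkstationName": "WS14"},
]


def is_service_account(name):
    """Assumed naming convention: service accounts are prefixed 'svc_'."""
    return name.lower().startswith("svc_")


def summarise_logons(events):
    """Return {account: Counter({logon_type: count})} for successful logons (4624)."""
    usage = defaultdict(Counter)
    for ev in events:
        if ev["EventID"] == 4624:
            usage[ev["TargetUserName"]][ev["LogonType"]] += 1
    return usage


def failed_logons(events):
    """Return Counter of failed logon attempts (4625) per account."""
    return Counter(ev["TargetUserName"] for ev in events if ev["EventID"] == 4625)


def find_interactive_service_logons(events):
    """Return (account, logon_type, source_ip, workstation) for service accounts used interactively."""
    hits = []
    for ev in events:
        if ev["EventID"] != 4624 or not is_service_account(ev["TargetUserName"]):
            continue
        if ev["LogonType"] in INTERACTIVE_LOGON_TYPES:
            hits.append((ev["TargetUserName"], ev["LogonType"], ev["IpAddress"], ev["WorkstationName"]))
    return hits


if __name__ == "__main__":
    for account, types in summarise_logons(SAMPLE_EVENTS).items():
        print(account, dict(types))
    print("failed:", dict(failed_logons(SAMPLE_EVENTS)))
    for hit in find_interactive_service_logons(SAMPLE_EVENTS):
        print("ALERT: service account used interactively:", hit)
```

On a real domain the records would be read from the Security log of each DC (for example via an export of events 4624 and 4625) rather than embedded inline.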




488 posts

Ultimate Geek
+1 received by user: 80

Trusted

  Reply # 1517307 22-Mar-2016 00:00
Send private message

Andib: We use Password Manager Pro for our team of 30.

I got my quote on Friday afternoon, US$520 / user.

Of course I replied with a simple request to justify the price and was met with a simple answer: "we don't set the price".

Um, so clearly, nice product, but not for us, not at that price....

919 posts

Ultimate Geek
+1 received by user: 224

Subscriber

  Reply # 1524678 2-Apr-2016 16:01
Send private message

Not sure if you're still looking but TeamPass is one you can look at, it's open source and self hosted. I've only done some brief testing with it so far so YMMV.


3503 posts

Uber Geek
+1 received by user: 1967

Trusted
Lifetime subscriber

  Reply # 1524890 2-Apr-2016 22:25
Send private message

gundar:

Lias:

We don't _yet_ have a proper Identity Management system. It's something being looked into by others (who, like myself, are dead keen on it). We do have separate PU credentials, but no policy (yet) of only using them on secure workstations etc. Something I'd like to implement, but change here is glacial.

I'm more looking for something to store things like:

  • The umpteen billion distinct service accounts we have for things
  • DSRM password(s)
  • Local admin passwords
  • DMZ/Workgroup server passwords
  • Shared online account passwords
  • SQL SA passwords
  • ESXi host root passwords
  • IMM, UPS, etc. passwords
  • etc.

Most of these requirements integrate with Active Directory or, at the least, RADIUS. I'd say you could make your requirements list slimmer by migrating the authentication to AD or RADIUS and then setting up AD to report on usage of passwords and logins via the security log. I've made a point of eliminating standalone accounts where possible, so SA passwords are now not allowed and services must run as AD users (without interactive permissions, of course)....

Good luck.

It's kinda slowly happening; new stuff in the last few years is mostly done like that, but we're dealing with a 20+ year old AD with 5000 odd active current users, not too far shy of a thousand internal Windows servers, plus Linux and AS/400. The amount of legacy systems that prevent us moving forward is simply staggering. Throw in the sort of politics you usually see in large enterprises and the very limited amount of maintenance windows we have, and it's not going to be tidy for years if not decades :-)

Information wants to be free. The Net interprets censorship as damage and routes around it.


3503 posts

Uber Geek
+1 received by user: 1967

Trusted
Lifetime subscriber

  Reply # 1524891 2-Apr-2016 22:27
Send private message

gundar:

Andib: We use Password Manager Pro for our team of 30.

I got my quote on Friday afternoon, US$520 / user.

Of course I replied with a simple request to justify the price and was met with a simple answer: "we don't set the price".

Um, so clearly, nice product, but not for us, not at that price....

I _think_ that's only per password administrator, not per person with access to the vault, but don't quote me.

Information wants to be free. The Net interprets censorship as damage and routes around it.


2897 posts

Uber Geek
+1 received by user: 98

Subscriber

  Reply # 1525077 3-Apr-2016 10:02
Send private message

CYaBro: I've been meaning to try this one out but just haven't got around to it.
https://www.clickstudios.com.au/

We used Passwordstate in our previous organisation, across Australia and New Zealand. It is a fantastic tool, provided it's set up correctly. I would definitely recommend this tool.

We are currently working on password safe options at work - we are using KeePass at the moment, which is a big bag of crap for an environment our size. I will see what options we're looking at and will report back here.