Geekzone: technology news, blogs, forums
  Reply # 1515032 17-Mar-2016 14:17

Lias:
Andib:
Lias:
So this started a bit of a conversation at work.
Different need from the OP: what do people do in large (by NZ standards anyway) enterprise environments?
Our IT team is ~80+, supporting ~5000 users. What sort of tools do people use to store passwords in big environments like this? Different teams within IT would need different access to different accounts, granular control etc.
My manager wants to know what other large enterprises are doing before he even talks to a reseller about costs/licensing.

Sent you a PM

Ta, appreciated that.


IT team of around 120 supporting 12000+ employees, and we use Secret Server by Thycotic.


  Reply # 1515043 17-Mar-2016 14:25

PolicyGuy:
Start with User Requirements - who needs (that's "needs" not "wants"!) access to what, &c.?
Then do Design of the groups and permissions in your Identity & Access Management (IDAM) system - Microsoft AD is amazingly adequate for this.
In my experience, nobody should need more than two access IDs and therefore no more than two passwords - one ID is for their 'regular' persona, the other is for their Privileged User role. Typically, a PU logs in with their regular credentials, then uses the 'sudo' / 'access as' facility supported in their operating environment to execute privileged commands.
The password for the 'root' or 'can do anything anywhere' userID is a very long and really hard to remember string. It is written down on paper, put in an envelope which is sealed and has '"root" password' written on the outside. That is put in another sealed envelope emblazoned "For Emergency Use Only" "Master Password" and put in the locked filing cabinet of the IT Manager / IT Operations Manager. There will be a second copy in a different location - in one case I caused it to be stored in the Company Solicitor's office off-site. The attached process says that after each use (recorded in a Major Incident log, of course) it must be changed. There should be no 'root'-equivalent accounts.
Make sure that there is only One Source Of Truth - ideally the HR / Payroll system which feeds the IDAM system automatically.
Do not permit direct manipulation of user details in Exchange / AD - make people change the HR system data then feed through.

We don't _yet_ have a proper Identity Management system. It's something being looked into by others (who, like myself, are dead keen on it). We do have separate PU credentials, but no policy (yet) of only using them on secure workstations etc. Something I'd like to implement, but change here is glacial.

 

I'm more looking for something to store things like:

  • The umpteen billion distinct service accounts we have for things
  • DSRM password(s)
  • Local admin passwords
  • DMZ/Workgroup server passwords
  • Shared online account passwords
  • SQL SA passwords
  • ESXI host root passwords
  • IMM, UPS, etc passwords
  • etc.

 





Information wants to be free. The Net interprets censorship as damage and routes around it.
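PolicyGuy's "one source of truth" and "two IDs per person" design, quoted above, is easy to state and hard to keep true in an AD that has grown for years. The following is an added example, not code from the thread or from any product mentioned in it: it reconciles a constructed HR export against a constructed AD export and lists the drift that design forbids, namely enabled accounts with no HR record, leavers still enabled, regular personas sitting in a privileged group, and dedicated admin IDs with no HR owner. The `adm-` prefix for privileged IDs, the `employeeID` attribute as the HR link, and the privileged group list are assumptions, not anything the poster specified.

```python
"""Reconcile an HR export (the source of truth) against an AD export.

Added example, not from the thread. Assumptions (none are from the post):
  * HR rows carry employee_id and status, "active" or "left".
  * AD accounts carry an employeeID attribute, an enabled flag and groups.
  * Dedicated privileged IDs use the hypothetical "adm-" prefix.
  * PRIVILEGED_GROUPS is an assumed set of groups that grant full control.
"""
from dataclasses import dataclass, field
from typing import Optional

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
ADMIN_PREFIX = "adm-"


@dataclass
class AdAccount:
    sam: str                      # sAMAccountName
    employee_id: Optional[str]    # employeeID attribute, None if unset
    enabled: bool
    member_of: set = field(default_factory=set)


# Constructed sample data, not a real export.
HR_EXPORT = [
    {"employee_id": "E100", "status": "active"},
    {"employee_id": "E101", "status": "left"},
    {"employee_id": "E102", "status": "active"},
]

AD_EXPORT = [
    AdAccount("alice", "E100", True, {"Staff"}),
    AdAccount("adm-alice", "E100", True, {"Domain Admins"}),       # clean: separate PU persona
    AdAccount("bob", "E101", True, {"Staff"}),                     # left per HR, still enabled
    AdAccount("bob-old", "E101", False, set()),                    # disabled, ignored
    AdAccount("carol", "E102", True, {"Staff", "Domain Admins"}),  # regular persona holds privilege
    AdAccount("adm-dave", None, True, {"Enterprise Admins"}),      # privileged ID with no HR owner
    AdAccount("svc-backup", None, True, {"Staff"}),                # enabled, no owner recorded
]


def reconcile(hr_rows, ad_accounts, privileged_groups=PRIVILEGED_GROUPS,
              admin_prefix=ADMIN_PREFIX):
    """Return the enabled accounts that contradict the HR-fed, two-persona model."""
    known = {r["employee_id"] for r in hr_rows}
    active = {r["employee_id"] for r in hr_rows if r["status"] == "active"}
    findings = {
        "orphan_enabled": [],          # enabled, no HR record at all
        "leaver_enabled": [],          # HR says left, AD still enabled
        "regular_id_privileged": [],   # non-admin ID in a privileged group
        "privileged_id_no_owner": [],  # admin ID not tied to an HR person
    }
    for acct in ad_accounts:
        if not acct.enabled:
            continue
        is_admin_id = acct.sam.lower().startswith(admin_prefix)
        holds_privilege = bool(acct.member_of & privileged_groups)

        if acct.employee_id not in known:          # a None employee_id lands here too
            key = "privileged_id_no_owner" if is_admin_id else "orphan_enabled"
            findings[key].append(acct.sam)
        elif acct.employee_id not in active:
            findings["leaver_enabled"].append(acct.sam)

        if holds_privilege and not is_admin_id:
            findings["regular_id_privileged"].append(acct.sam)
    return findings


if __name__ == "__main__":
    for category, accounts in reconcile(HR_EXPORT, AD_EXPORT).items():
        print(f"{category}: {accounts}")
```

The service account shows up as an orphan on purpose: an enabled account with no recorded owner is exactly what the HR-fed model should surface, and a real run would feed the list into whatever ownership field the vault or IDAM system keeps.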

 


  Reply # 1515044 17-Mar-2016 14:28

Keepass isn't suitable for an enterprise environment.

There is no auditability, accountability etc.

Also shared password....





  Reply # 1515058 17-Mar-2016 15:17

JamesL:
Keepass

We use KeePass, as do many of our customers. We used to take local copies, but with KeePass 2.x you can sync across HTTPS.

We now have the KeePass database in SharePoint, which allows online sync between many users (10-20 users) and enforces "2 factor" as the user has to authenticate with SharePoint and then also type in the master password. We haven't had any issues with this.



  Reply # 1515461 18-Mar-2016 10:36

  Reply # 1515465 18-Mar-2016 10:43

mentalinc:
Keepass isn't suitable for an enterprise environment.
There is no auditability, accountability etc.
Also shared password....

Fair point, that's why I mentioned we're a team of only 8 people - for us we don't really need the auditing, and if someone leaves (although we've all worked together for 10+ years) we just change the master password.


  Reply # 1515479 18-Mar-2016 10:50

Large Government Org - Hundreds of IT staff, thousands of end users.... We use https://www.manageengine.com/products/passwordmanagerpro/

 

 


  Reply # 1515522 18-Mar-2016 11:32

Just managed to convince a small IT team of 4 to shift to KeePass from Excel.

 

Was looking at the open source web application (Python/Django) RatticDB which looks promising as a step up from KeePass. Maybe not for a 500+ staff operation, but just throwing it out there.





 


  Reply # 1515830 18-Mar-2016 18:48

meesham:
mentalinc:
Keepass isn't suitable for an enterprise environment.
There is no auditability, accountability etc.
Also shared password....

Fair point, that's why I mentioned we're a team of only 8 people - for us we don't really need the auditing, and if someone leaves (although we've all worked together for 10+ years) we just change the master password.

That means there are 8 people who could break something or do something wrong and no way to prove who did it.... Which may be required if it turns into an HR type event.




  Reply # 1517301 21-Mar-2016 23:58

Lias:
We don't _yet_ have a proper Identity Management system. It's something being looked into by others (who, like myself, are dead keen on it). We do have separate PU credentials, but no policy (yet) of only using them on secure workstations etc. Something I'd like to implement, but change here is glacial.
I'm more looking for something to store things like:
  • The umpteen billion distinct service accounts we have for things
  • DSRM password(s)
  • Local admin passwords
  • DMZ/Workgroup server passwords
  • Shared online account passwords
  • SQL SA passwords
  • ESXI host root passwords
  • IMM, UPS, etc passwords
  • etc.

Most of these requirements integrate with Active Directory or, at the least, RADIUS. I'd say you could make your requirements list slimmer by migrating the authentication to AD or RADIUS and then setting up AD to report on usage of passwords and logins via the security log. I've made a point of eliminating standalone accounts where possible, so SA passwords are now not allowed and services must run as AD users (without interactive permissions, of course)....

Good luck.
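gundar's suggestion to move authentication into AD and report on logins from the security log, worked through as an added example (not the poster's code and not tied to any product in the thread): a small Python report over constructed, JSON-serialised 4624 (logon) and 4672 (special privileges assigned) events of the shape a forwarder or SIEM exports. It flags service accounts logging on interactively (which the post says they should not be allowed to do), logons by local rather than domain accounts (the standalone accounts the post wants eliminated), and counts privileged logons per account. The `CORP` domain, the `svc-` prefix, the host names and every sample record are assumptions or constructed data.

```python
"""Report on 4624/4672 security-log events for standalone and misused accounts.

Added example, not from the thread. Assumptions (not from the post):
  * Events arrive one JSON object per line using the standard 4624/4672
    field names (TargetUserName, TargetDomainName, LogonType, SubjectUserName, ...).
  * The AD NetBIOS domain is "CORP"; any other domain value is a local account.
  * Service accounts use the hypothetical "svc-" prefix.
"""
import json
from collections import Counter

DOMAIN = "CORP"
SERVICE_PREFIX = "svc-"
INTERACTIVE_TYPES = {2, 10, 11}   # Interactive, RemoteInteractive, CachedInteractive
NOISE_DOMAINS = {"NT AUTHORITY", "Window Manager", "Font Driver Host"}

# Constructed sample events (not real log data); the last line is deliberately malformed.
SAMPLE_EVENTS = """\
{"EventID": 4624, "Computer": "APP01.corp.example", "TargetUserName": "svc-backup", "TargetDomainName": "CORP", "LogonType": 5, "IpAddress": "-"}
{"EventID": 4624, "Computer": "APP01.corp.example", "TargetUserName": "svc-backup", "TargetDomainName": "CORP", "LogonType": 10, "IpAddress": "10.1.2.3"}
{"EventID": 4624, "Computer": "DMZWEB01", "TargetUserName": "Administrator", "TargetDomainName": "DMZWEB01", "LogonType": 2, "IpAddress": "-"}
{"EventID": 4624, "Computer": "APP01.corp.example", "TargetUserName": "adm-alice", "TargetDomainName": "CORP", "LogonType": 10, "IpAddress": "10.1.9.9"}
{"EventID": 4672, "Computer": "APP01.corp.example", "SubjectUserName": "adm-alice", "SubjectDomainName": "CORP"}
{"EventID": 4672, "Computer": "APP01.corp.example", "SubjectUserName": "SYSTEM", "SubjectDomainName": "NT AUTHORITY"}
{"EventID": 4624, "Computer": "APP01.corp.example", "TargetUserName": "SYSTEM", "TargetDomainName": "NT AUTHORITY", "LogonType": 5, "IpAddress": "-"}
truncated export line that is not JSON
"""


def parse_events(text):
    """Yield one dict per non-empty JSON line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def report(events, domain=DOMAIN, service_prefix=SERVICE_PREFIX):
    """Group the events into the three findings the post's policy cares about."""
    findings = {
        "service_account_interactive": [],   # (user, host, logon type, source IP)
        "local_account_logon": [],           # (DOMAIN\\user, host, logon type)
        "privileged_logons": Counter(),      # DOMAIN\\user -> number of 4672 events
    }
    for ev in events:
        eid = int(ev.get("EventID", 0))
        if eid == 4624:
            user, dom = ev["TargetUserName"], ev["TargetDomainName"]
            ltype = int(ev["LogonType"])
            if dom in NOISE_DOMAINS:          # SYSTEM and friends, not people or services
                continue
            if user.lower().startswith(service_prefix) and ltype in INTERACTIVE_TYPES:
                findings["service_account_interactive"].append(
                    (user, ev["Computer"], ltype, ev.get("IpAddress", "-")))
            if dom.upper() != domain.upper():  # local SAM account, not a domain principal
                findings["local_account_logon"].append((f"{dom}\\{user}", ev["Computer"], ltype))
        elif eid == 4672:
            dom, user = ev["SubjectDomainName"], ev["SubjectUserName"]
            if dom in NOISE_DOMAINS:
                continue
            findings["privileged_logons"][f"{dom}\\{user}"] += 1
    return findings


if __name__ == "__main__":
    for category, hits in report(parse_events(SAMPLE_EVENTS)).items():
        print(f"{category}: {dict(hits) if isinstance(hits, Counter) else hits}")
```

Logon type 5 is a service start and is expected for a service account, which is why only the type 10 (RDP) logon of `svc-backup` is reported. On the enforcement side, the same "no interactive permissions" rule is expressed with the "Deny log on locally" and "Deny log on through Remote Desktop Services" user rights applied to the group that holds the service accounts, and the report then becomes a check that the rights are actually in place everywhere.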




  Reply # 1517307 22-Mar-2016 00:00

Andib: We use Password Manager Pro for our team of 30.

I got my quote on Friday afternoon, US$520 / user.

Of course I replied with a simple request to justify the price and was met with a simple answer: "we don't set the price".

Um, so clearly, nice product, but not for us, not at that price....


  Reply # 1524678 2-Apr-2016 16:01

Not sure if you're still looking but TeamPass is one you can look at, it's open source and self hosted. I've only done some brief testing with it so far so YMMV.


  Reply # 1524890 2-Apr-2016 22:25

gundar:
Lias:
We don't _yet_ have a proper Identity Management system. It's something being looked into by others (who, like myself, are dead keen on it). We do have separate PU credentials, but no policy (yet) of only using them on secure workstations etc. Something I'd like to implement, but change here is glacial.
I'm more looking for something to store things like:
  • The umpteen billion distinct service accounts we have for things
  • DSRM password(s)
  • Local admin passwords
  • DMZ/Workgroup server passwords
  • Shared online account passwords
  • SQL SA passwords
  • ESXI host root passwords
  • IMM, UPS, etc passwords
  • etc.

Most of these requirements integrate with Active Directory or, at the least, RADIUS. I'd say you could make your requirements list slimmer by migrating the authentication to AD or RADIUS and then setting up AD to report on usage of passwords and logins via the security log. I've made a point of eliminating standalone accounts where possible, so SA passwords are now not allowed and services must run as AD users (without interactive permissions, of course)....

Good luck.

It's kinda slowly happening; new stuff in the last few years is mostly done like that, but we're dealing with a 20+ year old AD with 5000-odd active current users, not too far shy of a thousand internal Windows servers, plus Linux and AS/400. The amount of legacy systems that prevent us moving forward is simply staggering. Throw in the sort of politics you usually see in large enterprises and the very limited amount of maintenance windows we have, and it's not going to be tidy for years if not decades :-)

 

 





  Reply # 1524891 2-Apr-2016 22:27

gundar:
Andib: We use Password Manager Pro for our team of 30.
I got my quote on Friday afternoon, US$520 / user.
Of course I replied with a simple request to justify the price and was met with a simple answer: "we don't set the price".
Um, so clearly, nice product, but not for us, not at that price....

I _think_ that's only per password administrator, not per person with access to the vault, but don't quote me.





  Reply # 1525077 3-Apr-2016 10:02

CYaBro: I've been meaning to try this one out but just haven't got around to it.
https://www.clickstudios.com.au/

We used PasswordState in our previous organization, across Australia and New Zealand. It is a fantastic tool, provided it's set up correctly. I would definitely recommend this tool.

We are currently working on password safe options at work. We are using KeePass at the moment, which is a big bag of crap for an environment our size. I will see what options we're looking at and will report back here.





