Vaulting Computer Credentials

EmpowerID's Privileged Access Management (PAM) feature allows you to protect and manage any type of credential used within your organization, including the privileged accounts used to log in to managed computers. In EmpowerID, this type of credential is called a computer credential. Computer credentials are vaulted user names and passwords for Windows computers, or SSH keys for Linux computers, that users can check out to initiate RDP or SSH sessions to those computers using EmpowerID's Privileged Session Manager. When you vault a computer credential, you specify the type of computer credential you are creating and link it to the Shared Credential policy for that credential type.

To vault a computer credential, a user needs an access assignment that includes the Computer PAM User Full Access Management Role. This Management Role allows users to view and connect to computers, vault credentials, and link those credentials to computers. Users who vault computer credentials are the owners, or Access Managers, of those computer credentials. Access Managers can approve or deny access requests for the computer credentials they own and can terminate any RDP or SSH sessions opened with them.

To vault computer credentials

  1. From the Navigation Sidebar of the EmpowerID Web interface, navigate to the Computers find page by expanding Resources and clicking Computers.
  2. Click the All Computer Credentials tab and then click the Add Shared Credential button.
  3. In the Password Vault Data form that appears, do the following:
    1. Select the type of Computer Credential you are creating from the Type drop-down. EmpowerID encrypts the user name, password and notes for all credential types. The available options are the following:
      • Default Credentials - A standard credential type that you can select to vault any set of credentials that has significance in your environment.
      • Domain Admin - Select this credential type if the credentials you are vaulting are those for the administrator account in a domain you are managing in EmpowerID. Users granted access to this credential receive domain administrator permissions on every computer in the domain that you link to the credential.
      • Domain User - Select this credential type if the credentials you are vaulting are those for a non-administrator account in a domain that you are managing in EmpowerID. Users granted access to this credential receive the permissions associated with that user account on each computer in the domain that you link to the credential. When you initially enter the password for a domain user account, EmpowerID validates the password you enter against the directory password hash for that account, which ensures that you are vaulting the correct credentials.
      • Local Admin - Select this credential type if the credentials you are vaulting are those for an administrator account on a local computer that you are managing in EmpowerID. Users granted access to this credential receive administrator permissions on that local computer.
    2. Type an appropriate name and display name for the Computer Credential in the Name and Display Name fields, respectively. As a best practice, do not name the credential the same as the account to which it is linked.
    3. Select the Shared Credential policy to which the Computer Credential should be linked from the Shared Credential Policy drop-down. The following default policies are provided for computers:
      • Computer Creds - Allow Multi-Check-Out - No Password Reset - Select this policy for credentials used to initiate RDP or SSH sessions to a computer when more than one concurrent check-out (and therefore more than one session) is allowed and you do not want EmpowerID to reset the account's password when any one user checks the credential in (a reset on one user's check-in would invalidate the credential still held by the others).
      • Computer Creds - No Multi-Check-Out - Password Reset - Select this policy for credentials used to initiate RDP or SSH sessions to a computer when only one check-out at a time is allowed and you do want EmpowerID to reset the account's password when the user checks the credential in.
    4. Type a description in the Description field.
    5. If you are vaulting credentials for a domain admin, type the managed user account in the Managed User Account field and then click the tile for the account to select it. This field appears only if you selected Domain Admin from the Type drop-down. For EmpowerID to know about the domain admin account, the domain that hosts the account must be one that EmpowerID is managing.
    6. Type the user name for the account you are vaulting in the User Name field.
    7. If you are vaulting credentials for initiating an RDP session with a Windows computer, type the password for the account you are vaulting in the Password field.
    8. If you are vaulting credentials for initiating an SSH session to a Linux computer, check the SSH Key box and then browse for and select the SSH key for the computer.
    9. Optionally, type any desired notes in the Notes field.
    10. Click Save.
    11. If you have not yet entered your master password during this session, EmpowerID prompts you to do so. Enter your master password and click OK.
    12. If you have not yet created a master password for yourself, EmpowerID prompts you to create one. Type the desired password in the Password and Confirm Password fields and then click OK.
    Now that you have vaulted the computer credential, link it to one or more managed computers or to a managed domain so that users can access those computers with it. For information on linking computer credentials to computers, see Linking Credentials to Managed Computers. For information on linking computer credentials to domains, see Linking Computers to Managed Domains.
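The procedure above notes that EmpowerID validates a Domain User password against the directory hash when you enter it; nothing on this page says the same for Domain Admin or Local Admin credentials, and a mistyped password for one of those would be vaulted and later handed to requesters. The following PowerShell helper is an added example, not EmpowerID code, for checking a Windows credential against the domain or the local machine before you vault it. It uses the .NET System.DirectoryServices.AccountManagement API (PrincipalContext.ValidateCredentials and UserPrincipal.IsMemberOf), which are real APIs; the function name, parameter names and the hostnames in the usage comments are assumptions for illustration. It assumes you run it on a domain-joined admin workstation that can reach the target domain controller or computer.

```powershell
# Added example (not EmpowerID code): verify a Windows computer credential
# before vaulting it. Domain User passwords are checked by EmpowerID on entry;
# this covers the Domain Admin and Local Admin cases as well and applies the
# page's naming best practice. Function and parameter names are hypothetical.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-VaultCredential {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidateSet('DomainAdmin', 'DomainUser', 'LocalAdmin')]
        [string]$Type,
        [Parameter(Mandatory)][string]$UserName,
        # Prompt with Read-Host -AsSecureString so the password never hits shell history.
        [Parameter(Mandatory)][System.Security.SecureString]$Password,
        # DNS domain name for Domain* types, computer name for LocalAdmin.
        [Parameter(Mandatory)][string]$Target,
        # Name you intend to give the credential in EmpowerID (optional).
        [string]$CredentialName
    )

    # Best practice from the page: the credential name should not equal the account name.
    if ($CredentialName -and ($CredentialName -eq $UserName)) {
        Write-Warning "Credential name '$CredentialName' matches the account name; choose a different name."
    }

    $contextType = if ($Type -eq 'LocalAdmin') {
        [System.DirectoryServices.AccountManagement.ContextType]::Machine
    } else {
        [System.DirectoryServices.AccountManagement.ContextType]::Domain
    }

    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($contextType, $Target)
    try {
        # Decrypt the SecureString only for the duration of the bind, then zero it.
        $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
        try {
            $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
            $valid = $ctx.ValidateCredentials($UserName, $plain)
        } finally {
            [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
            $plain = $null
        }

        # For the Domain Admin type, also confirm the account really is a domain admin,
        # so the vaulted credential grants what its type promises.
        $isDomainAdmin = $null
        if ($valid -and $Type -eq 'DomainAdmin') {
            $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, $UserName)
            if ($null -ne $user) {
                $isDomainAdmin = $user.IsMemberOf(
                    $ctx,
                    [System.DirectoryServices.AccountManagement.IdentityType]::Name,
                    'Domain Admins')
                if (-not $isDomainAdmin) {
                    Write-Warning "'$UserName' authenticated but is not a member of Domain Admins; vault it as Domain User instead."
                }
            }
        }

        [pscustomobject]@{
            Type          = $Type
            Target        = $Target
            UserName      = $UserName
            Valid         = $valid
            IsDomainAdmin = $isDomainAdmin
        }
    } finally {
        $ctx.Dispose()
    }
}

# Usage (hostnames and account names are placeholders):
# Test-VaultCredential -Type LocalAdmin -Target 'WEB01' -UserName 'Administrator' `
#     -Password (Read-Host -AsSecureString 'Password') -CredentialName 'WEB01-LocalAdmin'
# Test-VaultCredential -Type DomainAdmin -Target 'corp.example.com' -UserName 'svc-pamadmin' `
#     -Password (Read-Host -AsSecureString 'Password') -CredentialName 'CORP-DA-WebTier'
```

A `Valid` of `$false` means the bind failed (wrong password, locked or disabled account), so stop and correct the entry before saving the Password Vault Data form. Note that each call performs a real logon attempt against the target, so repeated checks with a wrong password can trip the account lockout threshold for the account you are about to vault.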