Currently PAM does not monitor any privileged activities performed by admins using administrative tools installed on their workstations, e.g. SAP admins use "SAP GUI" for their day-to-day administrative jobs, email server admins use web browsers or other admin tools installed on their workstations, and similarly network admin activities use either PuTTY, web browsers or Java clients for administering routers/switches and firewalls.

PAM for Desktop OS is not a solution, because PAM for Desktop OS records every event and not just the privileged/administrative activities, e.g. it will record if the admin plays music, browses the Internet, checks his/her emails etc., and recording/monitoring such non-administrative (personal/private) activities is neither required nor acceptable.

Likewise the "Run as User" feature also won't help in all such scenarios where admin tools/consoles (SAP GUI, web browser, Java clients etc.) could be run by any ordinary user, because we can't restrict users to run the "consoles/admin tools" via the "Run as User" feature only.

For comprehensive monitoring of privileged activities I have the following suggestions:

1) First the PAM Admin creates a rule that specifies that monitoring/recording should start once a connection is established to a specific port, e.g. 5555, on the PAM Agent (Linux/Windows servers).

2) A light version of "PAM for Desktop OS", i.e. a "Client/Light Agent", should also be installed on the admins' workstations.

3a) If a connection is established on port 5555, then the Agent (installed on Linux/Windows servers) should verify that the source machine (admin workstation) is registered with the PAM Manager, i.e. the Client/Light Agent is installed on the source (admin) machine. If yes, then ask the "Client/Light Agent" (running on the admin workstation from where the connection is being established) to start monitoring the session of the client window (SAP GUI, any Java client or web browser) that has established the connection on the Agent (server). If the "Client/Light Agent" is not installed on the source machine (from where the admin is working), then the PAM Agent (installed on the Linux/Windows server) notifies the PAM Admin, kills the session and additionally creates a firewall rule (host-based firewall) on the host (server) to block that source from connecting on the specific port.

3b) In addition to the PAM Agent (Linux/Windows server) verifying the source machine as a registered "client/light agent" every time a network connection is initiated, the client agent should have a list of machines (servers and network equipment, e.g. firewalls, switches and routers); if the destination matches the list, then the "Client Agent" should start recording/monitoring the session. That's how we will be able to monitor/record the network equipment too. The list of destinations should be distributed by the PAM Manager to all registered Agents (light agents installed on workstations).

4) If the admin stops/disables the "Client/Light Agent" on his/her workstation, all of his/her network connections (Ethernet, wireless) should go down too, so that he/she can't do any activity bypassing the PAM (recording/monitoring).

Comments

  • I am articulating the requirements first and then will discuss the possible solutions.

    There are 2 Entities -
    1. Client - From which Outbound Connection is getting initiated.
    2. Server - The Destination system which Client is connecting to.

    Now, as I see, this is the scenario of 2 Stage Network Communication Control & Monitoring, which needs to happen both on the Client and the Server.

    2.1) Outbound (On the Client) - Fine Grained Network Control on the System from which a Server is being Connected.
    a) This is the Client Box and any outbound connection from it, needs to be mandatorily Controlled by PAM.
    b) PAM should maintain a white-list of destinations to be allowed, defined by some rules.
    c) If the Rule(s) matches then Connection will be initiated and Monitoring will start.
    d) Bringing down the PAM agent will block all network communication from the box and hence no way of bypassing it.

    2.2) Inbound - (On the Server)
    a) The Server needs to use a white-list of Clients from which it can accept connections.
    b) The PAM Manager should maintain the white-list, and the Agent running on the Server should use that list to take the decision before allowing any connection.
    c) If the connecting Client is in the white-list then the Session will be allowed and Monitoring will start.
    d) If the connecting Client is NOT in the list then the Session needs to be dropped and a firewall rule needs to be created on the Server side for blocking further communication from the client.

    So now a few comments based on the above scenarios:
    1) These are the Classic Use Cases for Network Intrusion Detection and Prevention Software and Not of PAM in general.
    2) Our Current solution and future direction of the Product is towards Fine Grained Access Control on the System whether it is Client or Server.
    3) More fine Grained Access control will be there in the future releases and specific rules will be there for Client & Server.

  • 2.1)
    No, here you didn't understand me. Let me explain again (seriously, it's a lot of typing in a foreign language ;-( ).

    e.g. a PAM Agent (a Linux/Windows server) named "DB_Server" is running Oracle Database Server, and Oracle Database Server listens on port 1521, so anyone who wants to perform any administrative activity has to connect on port 1521 on "DB_Server". So a PAM Admin creates a rule that if a connection is established on "DB_Server" on port 1521, record the session. How:

    a) On the PAM Manager, there should be a list of servers (PAM Agents) and their specific ports, and network equipment (routers, firewalls etc.).

    b) PAM Agents, either the servers (Linux/Unix/Windows) or "PAM for Desktop" (Windows 7/10 etc.), get a list of the Linux/Unix/Windows servers (PAM Agents where SAP/Oracle/Email services run) and network equipment and their ports of interest.

    c) As soon as a connection is established on the PAM Agent (server) on a specific port, the PAM Agent first checks if the connection is from a registered desktop/workstation (where PAM for Desktop is installed); if yes, then it instructs the "PAM for Desktop OS" to start monitoring the session, else at least alert (email) the PAM Admin. Similarly, since the list of server PAM Agents (where SAP/Oracle/Email services run) and network equipment (where no agent is installed) is also held by the registered desktop (where PAM for Desktop OS is installed), the client can itself decide whether to record the session (based on the target's IP and port) or not, rather than waiting for instructions from the server PAM Agent.

    2.1 a)
    No, you didn't get me here either. The client box (where PAM for Desktop OS is installed) gets a list of servers (PAM Agents) and their specific ports so that as soon as a connection is initiated, either via a web browser or via any Java client software etc., PAM for Desktop OS starts recording/monitoring *that* session only. I may be wrong but I think this might be the proper way to record privileged activities when performed by administrators from their own workstations (Win 7/10 etc.) using special administration software or a web browser.

    2.1 b)
    The list only serves the purpose of recording the sessions when an administrator uses special client software (a Java client, web browser etc.) from his/her workstation to perform the privileged activities as described above.

    2.2 a,b,c)
    Yes, otherwise how can we monitor/record a session initiated from a workstation (Win 7/10) using a Java client or web browser to perform privileged activities on the server?

    2.2 d)
    At least an alert should be triggered to notify the PAM Admin.

    Firewalls and IDS/IPS only prevent attacks, while the points and steps shared by me were to make PAM smart enough to record the sessions when privileged activities are performed using administrative tools (Java client, web browsers, email server management tool) installed on the administrator's workstation where "PAM for Desktop OS" is installed, which only starts recording when a connection is established to the servers/network devices that are in the list. Such an approach will only record the privileged activities and make PAM a *comprehensive* privileged activity monitoring/recording solution.

  • Thanks for the update. We will look into this in future release.

  • If I follow this correctly, I think it is an expanded version of what we want to do regarding desktop support. Also, I appreciate the typing in a foreign language. I know it can be very difficult, and I appreciate you making the effort where it would be easier to just not do it.

    We currently have a set of use cases around PAM being able to be run on a workstation. These existing use cases are around the use case of wanting to enable Privileged access to a desktop or workstation to perform a set of administrative tasks when approved via a given process. In this model, the agent is running, potentially autonomously, and there is a "local agent policy" that would be set to dictate how the agent could / should respond when it could not phone home.

    However in the use case you are working through above, we would extend this idea, to where the workstation agent had more options. Fundamentally at the end of the day the use case this Idea addresses is "There are applications / activities that I need to be able to record and see what was done from the workstation point of view." I definitely see the value in this and agree that we should look to address these additional use cases.

  • It's great to know that you find value in this Idea ;-)

    Any privilege management solution would be considered immature/incomplete if it doesn't record/audit the admin/privileged activities performed by database, system, email and network admins using administrative tools (PuTTY, SAP GUI, Toad for Oracle, Java client for Cisco ASA firewall etc.) installed on their workstations or via web browsers.

    Yes, you got it right. I am asking for a mechanism to record/audit activities performed by admins via special tools or web browsers from their desktop/laptop/smartphones/tablets, and per my understanding the most complete, efficient and smartest way to achieve the target is to have a solution that works on the principle (use case) I shared in this Idea.

  • By implementing this idea, if the Desktop Version would become smart enough to record the session on its own when a connection is being established with the production servers/network devices in the list distributed by the PAM Manager, this approach will definitely be appreciated by admins (sys, DBA, email) because it will reduce the workload of recording/auditing from/off the production servers.
    Also we would have the option not to install the agent on the servers at all (agent installation is itself a big and worrisome task), because anyone who tries to administer the system (email, database, ERP etc.) would be guaranteed to be recorded.

  • A few more suggestions, or another way of accomplishing the Idea, have come to me. Before sharing them, let me first reiterate the already shared and discussed points:
    1) The PAM Admin first creates a list of targets (systems to be monitored), which may be running Agents (Linux or Windows servers), network equipment (routers, switches, firewalls) or servers (Linux or Windows systems) without any agents installed. The list contains (a) the IP of the target system and (b) ports of interest, e.g. if a server machine (IP: 10.0.0.1) runs Oracle, which listens on port 1521 for DBA or privileged activities, the list should look like
    IP: 10.0.0.1, port(s) 1521, 1522 etc.
    Similarly a firewall listens on port 4444 for administrative/privileged activities, so the item in the list should look like:
    IP: 10.0.0.254 port 4444

    2) The list should be distributed to all the PAM agents (Desktop versions), so that if a connection is ever initiated to any of the targets in the list, the Desktop version starts recording that session. This approach will also reduce the additional processing of auditing/recording on the production server.

    3) If a connection is initiated from a non-registered system (i.e. from a system where the PAM Desktop Version is not running) to the servers (where PAM agents are installed), the agent should notify the PAM Admin about that connection. Obviously this feature is only available for systems where PAM Agents are installed; servers without PAM Agents and network equipment wouldn't benefit.

    *** ** ** ****
    Now the new part for this Idea:

    Now, to make the Desktop Version smarter and more efficient, in the PAM Manager there should be an option to create hashes of the software used to manage/administer the servers (e.g. PuTTY, MobaXterm, VNC clients, Toad/PL/SQL for Oracle, Java client for Cisco ASA firewall etc.); those hashes are then distributed to all the Desktop Versions of PAM, which then keep an eye on that software. As soon as someone launches those apps, the Desktop Version starts monitoring/recording.

    This approach obviously does not help when both admins and business users run the same application for their tasks, e.g. SAP GUI, the client of SAP ERP, is used by both SAP admins and ordinary/business users; it's their credentials that let them perform the tasks they are authorized to. So in such a scenario both the "IP address & port based list of targets" and the "software/app hash match" approach wouldn't work/help.
    For such a scenario I think the best would be to also get some help from an LDAP-based directory server (MS AD, OpenLDAP etc.), i.e. like the list of targets and the software hashes of the apps used by admins, the PAM Manager should also provide a feature to browse the LDAP directory server to mark/select the OU under which the organization's IT user accounts (app admins, DBAs, mail server admins, firewall admins etc.) are created. That information should also be distributed to the Desktop Versions of PAM. Now when someone whose account is under that OU logs in on his/her system (Windows 10) and runs SAP GUI, only then does the Desktop Version start recording.

  • Similarly the Remote Desktop client "mstsc.exe" could be used by admins to perform administrative tasks, and by any regular/ordinary user to access any info or software available on the terminal server. So if our PAM Manager provides all three features:
    a) IP address and port based list of targets
    b) software hashes
    c) LDAP integration to mark/select the OU under which IT user accounts are created,
    then by combining all 3 features (conditions) we can create a rule that if mstsc.exe is executed (identified by software hash), and the target server is in the list, and the user account logged in on the source machine (Windows 10 desktop) exists under the specific OU, only then would the Desktop Version start recording that session.
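    The three-condition "selective recording" rule described in this comment, combined with the IP/port target list from the earlier comment (10.0.0.1 ports 1521/1522, 10.0.0.254 port 4444), as an added example that is not code from the original thread or the product: the tool hashes and the admin OU distinguished name are constructed placeholders, and `Connection`, `matches_target`, `user_in_ou` and `should_record` are names chosen here for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# (a) IP/port target list pushed by the PAM Manager (values from the thread's examples).
TARGETS: Dict[str, Set[int]] = {
    "10.0.0.1": {1521, 1522},   # Oracle listener ports
    "10.0.0.254": {4444},       # firewall administrative port
}
# (b) Hashes of administrative tools. Constructed placeholders, not real file hashes.
ADMIN_TOOL_HASHES: Dict[str, str] = {
    "sha256:PLACEHOLDER_MSTSC": "mstsc.exe",
    "sha256:PLACEHOLDER_PUTTY": "putty.exe",
}
# (c) OU holding IT/admin accounts. Constructed DN for illustration.
ADMIN_OU = "OU=IT Admins,DC=example,DC=com"


@dataclass
class Connection:
    dst_ip: str
    dst_port: int
    process_hash: str  # hash of the executable that opened the socket
    user_dn: str       # DN of the account logged in on the workstation


def matches_target(dst_ip: str, dst_port: int) -> bool:
    """Condition (a): destination IP is listed and the port is one of its ports of interest."""
    try:
        ip = str(ipaddress.ip_address(dst_ip))  # normalise the address; rejects garbage input
    except ValueError:
        return False
    return dst_port in TARGETS.get(ip, set())


def user_in_ou(user_dn: str, ou_dn: str) -> bool:
    """Condition (c): the account DN lies in the OU subtree (DN components compare case-insensitively)."""
    return user_dn.lower().endswith("," + ou_dn.lower())


def should_record(conn: Connection) -> Tuple[bool, List[str]]:
    """Record only when all three conditions hold; otherwise return the reasons for not recording."""
    reasons: List[str] = []
    if not matches_target(conn.dst_ip, conn.dst_port):
        reasons.append("destination not in target list")
    if conn.process_hash not in ADMIN_TOOL_HASHES:
        reasons.append("process is not a registered admin tool")
    if not user_in_ou(conn.user_dn, ADMIN_OU):
        reasons.append("user account not under admin OU")
    return (not reasons, reasons)
```

    A business user running the same tool against the same server (the SAP GUI case from the earlier comment) fails only condition (c), so the returned reasons make the rule's decision auditable.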

  • I know there has not been an update on this Idea in a while, and I wanted to just provide a quick update. Joy and I really like this idea, and it is something we have discarded or been dismissive of. Right now, this capability is too big to fit into the release we are working on for the 1H CY '18 of PAM, so we could not include it. With that said, as I mentioned before we have a list of enhancements we want to do for PAM as it relates to properly supporting desktop environments, and this "selective recording" of administrative privilege activities from a desktop perspective is included in this list. With our team at the moment, we have looked toward our 2H CY '18 release as the release vehicle for significant improvements around how PAM handles the desktop / laptop privilege environment, which includes giving the agent more autonomous intellect and recording abilities. Neither Joy nor I can say hand-on-heart as of this update that this idea will be included there because this is one of several improvements required, but I am more inclined to think that this idea will be addressed as an outcome of some of the other work we know needs to be done. We will likely go another few months with no update to this Idea, but please do not read / interpret that as a lack of interest, just that we won't be able to comment on it again until we have a better picture of the release following our 1H CY '18 release of PAM.

  • I have marked this as "planned" because it is part of a bigger set of enhancements around PAM for desktop / workforce environments. Though I am acknowledging it as Planned, it IS NOT committed to at this point.