Hitachi ID Systems, Inc.

ID-Archive White Paper

Abstract
ID-Archive™ is software from Hitachi ID for the problem of managing thousands of administrator credentials. ID-Archive enables organizations to regularly randomize administrative passwords on workstations and servers, while maintaining the ability of IT staff to retrieve current credentials for devices into which they must login.


Overview of Credential Archiving

In most organizations, local administrator access to servers and workstations, required by data center and desktop support staff, is managed using static, well known passwords. Over time, as technicians leave the organization, this creates a security exposure, where ex-staff know administrative passwords, giving them access to sensitive IT assets.

This problem arises because it is difficult to coordinate updates to local administrator passwords on large numbers of servers and workstations.

ID-Archive is software from Hitachi ID for the problem of static local administrator passwords. It periodically randomizes the local administrator passwords on workstations and servers, either remotely or using a local agent (mostly on workstations). Updated passwords are archived in a central database, which IT support staff access using their own, personal credentials.

With ID-Archive, access to local administrator accounts is secured, authenticated, logged and expired. Passwords are not shared between devices and are changed regularly.


Technical Challenges for an ID-Archive Architecture

It is perhaps easier to describe a basic process for periodically randomizing and archiving administrator credentials than it is to implement a process that scales well to thousands of devices, that is secure, and that is fail-safe.

The following sections describe some of the technical challenges such a system must address. ID-Archive incorporates architectural solutions for each issue raised here.

Workstation Location and Connectivity

A password management system can easily make connections to servers, which have fixed network addresses, are always on and are continuously connected to the network. It is much harder for a central password management server to connect to workstations, for several reasons:

In short, while it is easy for workstations to contact a central server, it is nearly impossible for the reverse to happen.

To manage workstation administrator credentials, ID-Archive includes a service, which installs on each workstation and which contacts a central server and coordinates each workstation password update.

This architecture has several important advantages:

Policy Distribution

Security policies change. For example, which local IDs should have their passwords randomized, and how often, are matters of policy that may change from time to time.

It is desirable to have an easy mechanism to distribute such policies to workstations in an ongoing manner, without having to distribute fresh software packages to each device.

ID-Archive addresses policy distribution by defining policy settings on the central server, and having workstations periodically check with that server for new policies that affect them. As with password updates, communication is initiated by workstations, which pull updates from a central server.

Web User Interface

ID-Archive is configured and accessed using a pure-HTML web interface. Both the ID-Archive administrator, who configures the system and defines policies, and ID-Archive users, who access information about workstations and retrieve administrative credentials when required, sign into ID-Archive with a web browser.

Typically ID-Archive authenticates users using their existing credentials on a widely available directory, such as Active Directory. Other forms of authentication, such as SecurID tokens, are also supported. In either case, ID-Archive can and should be configured in such a way that its users do not have to remember yet another login ID and password to use it.

All communication between users and the ID-Archive server, and between the ID-Archive service on protected devices and the ID-Archive server is over HTTPS. This means that client devices make SSL-encrypted connections to the ID-Archive server, and check that the server's certificate matches its DNS name, before initiating any meaningful communication.

Timing and Load

In a large organization, if every workstation were to attempt to access a single, central server at the same time, the server would experience spikes of extremely high load, separated by long periods of zero activity.

To smooth out the transaction load, and so reduce disk, network bandwidth and server CPU consumption and minimize service delays, the ID-Archive workstation service adds a random delay to the interval between server connections -- both for policy download and password updates.

For example, workstations may be configured to contact the central server every 8 hours, plus or minus some random interval of up to an hour, for a new password and possibly a policy update. In this way, traffic is smoothed out, server load and bandwidth are reduced, and workstations get faster responses from the ID-Archive server.

Moreover, if the time of a password update is somewhat random, the updating process is more likely to "catch" a workstation in a network-attached state, sooner or later, than if the password update attempt happens at exactly the same time every day.
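The effect of that random delay can be measured rather than asserted. The following is an added example written for this white paper, not ID-Archive code: it simulates one check-in cycle for a fleet of 10,000 workstations (a constructed fleet size) using the 8-hour interval and the up-to-one-hour jitter quoted above, and reports the largest number of connections that land in any single minute, which is the burst a server must absorb.

```go
package main

import (
	"fmt"
	"math/rand"
)

// Added example (not ID-Archive code): one check-in cycle for a fleet of
// workstations, with and without the random delay the paper describes.
// Times are minutes since the previous check-in. The 8-hour base interval
// and the +/- 1 hour jitter are the paper's own example values.
const (
	baseIntervalMin = 8 * 60
	maxJitterMin    = 60
)

// checkinMinutes returns, for each of n workstations, the minute at which it
// contacts the server. Without jitter every workstation fires on the same
// minute; with jitter each adds a uniform offset in [-maxJitterMin, +maxJitterMin].
func checkinMinutes(n int, jitter bool, rng *rand.Rand) []int {
	times := make([]int, n)
	for i := range times {
		t := baseIntervalMin
		if jitter {
			t += rng.Intn(2*maxJitterMin+1) - maxJitterMin
		}
		times[i] = t
	}
	return times
}

// peakPerMinute is the largest number of connections that land in any single
// minute, i.e. the spike the server and its network link must absorb.
func peakPerMinute(times []int) int {
	counts := make(map[int]int)
	peak := 0
	for _, t := range times {
		counts[t]++
		if counts[t] > peak {
			peak = counts[t]
		}
	}
	return peak
}

func main() {
	rng := rand.New(rand.NewSource(1)) // fixed seed so the demonstration is reproducible
	const fleet = 10000                // constructed fleet size
	fmt.Printf("no jitter: peak %d connections in one minute\n",
		peakPerMinute(checkinMinutes(fleet, false, rng)))
	fmt.Printf("jitter:    peak %d connections in one minute\n",
		peakPerMinute(checkinMinutes(fleet, true, rng)))
}
```

Without jitter the whole fleet lands in one minute; with it, the same 10,000 connections spread over a 121-minute window, so the per-minute peak drops to roughly a hundredth of the fleet. The same calculation applies to policy-download traffic, which the paper says uses the same randomized interval.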

Diverse Password Policies

Different devices may have different security profiles and different technical capabilities, and so both require and support passwords of different length and complexity. For example, workstation administrative passwords may be set to 10 characters long, and change weekly, while server passwords may be 20 characters long, and change daily.

ID-Archive supports groups of target devices. Devices may be attached to a group by their IP address (by subnet) or by a regular expression match on their NetBIOS or DNS name. Policy settings, including password lifespan, lists of user IDs whose passwords will be managed, policy checking interval, password length and password character composition, are applied to groups of devices defined in this way.

Credential Access Controls

Different IT staff may require access to different groups of devices. For example, a desktop PC support technician may require local administrative access to workstations in a particular building, but not to any servers. Conversely, a platform server administrator may require administrative access to a subset of servers in a data center, but not to any workstations.

ID-Archive supports access controls using the device groups (of workstations and servers) described above. ACLs connect ID-Archive application users to device groups.

Note that ID-Archive users may sign into ID-Archive either with an application login ID and password, or with an ID and password validated against an external system or directory, such as Windows Active Directory or LDAP.
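The two preceding sections (Diverse Password Policies and Credential Access Controls) both rest on device groups. The following is an added example written for this white paper, not ID-Archive code: it attaches devices to groups by subnet or by a regular expression on the host name, applies each group's password policy (the 20-character daily and 10-character weekly figures are the paper's own examples), generates a password that meets the policy, and decides through an ACL whether a given user may retrieve a given device's credential. Group names, subnets, name patterns, user names and character sets are constructed for the demonstration.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	"net/netip"
	"regexp"
)

// Added example, not ID-Archive code. All names and addresses are constructed.

// Policy holds the per-group settings the paper lists.
type Policy struct {
	Length       int      // password length
	LifetimeDays int      // how often the password is randomized
	Charset      string   // characters the target platform accepts
	ManagedIDs   []string // local accounts whose passwords are managed
}

// Group attaches devices by subnet or by a regular expression on the host name.
type Group struct {
	Name   string
	Subnet netip.Prefix   // zero value when the group is matched by name
	NameRE *regexp.Regexp // nil when the group is matched by subnet
	Policy Policy
}

type Device struct {
	Name string
	IP   netip.Addr
}

func (g Group) Matches(d Device) bool {
	if g.NameRE != nil && g.NameRE.MatchString(d.Name) {
		return true
	}
	return g.Subnet.IsValid() && g.Subnet.Contains(d.IP)
}

// groupFor returns the first matching group, so list order is the precedence
// when a device could fall into more than one group.
func groupFor(groups []Group, d Device) (Group, bool) {
	for _, g := range groups {
		if g.Matches(d) {
			return g, true
		}
	}
	return Group{}, false
}

// randomPassword draws each character uniformly from the policy's charset
// with crypto/rand; rand.Int avoids the modulo bias of a plain byte % len.
func randomPassword(p Policy) (string, error) {
	out := make([]byte, p.Length)
	n := big.NewInt(int64(len(p.Charset)))
	for i := range out {
		idx, err := rand.Int(rand.Reader, n)
		if err != nil {
			return "", err
		}
		out[i] = p.Charset[idx.Int64()]
	}
	return string(out), nil
}

// ACL maps a user to the group names whose credentials that user may retrieve.
type ACL map[string]map[string]bool

// MayRetrieve grants access only via a group: a device in no group is retrievable by nobody.
func (a ACL) MayRetrieve(user string, groups []Group, d Device) bool {
	g, ok := groupFor(groups, d)
	if !ok {
		return false
	}
	return a[user][g.Name]
}

const alnum = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

var policyGroups = []Group{
	{Name: "datacenter-servers", Subnet: netip.MustParsePrefix("10.1.0.0/16"),
		Policy: Policy{Length: 20, LifetimeDays: 1, Charset: alnum + "!#%*+-=?@", ManagedIDs: []string{"Administrator"}}},
	{Name: "building-a-workstations", NameRE: regexp.MustCompile(`^WS-A-\d+$`),
		Policy: Policy{Length: 10, LifetimeDays: 7, Charset: alnum, ManagedIDs: []string{"Administrator"}}},
}

var acl = ACL{
	"desktop-tech": {"building-a-workstations": true},
	"server-admin": {"datacenter-servers": true},
}

func main() {
	for _, d := range []Device{
		{Name: "SRV-DB-01", IP: netip.MustParseAddr("10.1.4.7")},
		{Name: "WS-A-0042", IP: netip.MustParseAddr("192.168.5.9")},
	} {
		g, _ := groupFor(policyGroups, d)
		pw, _ := randomPassword(g.Policy)
		fmt.Printf("%s -> %s (%d chars, every %d day(s)); desktop-tech=%v server-admin=%v; sample=%s\n",
			d.Name, g.Name, g.Policy.Length, g.Policy.LifetimeDays,
			acl.MayRetrieve("desktop-tech", policyGroups, d), acl.MayRetrieve("server-admin", policyGroups, d), pw)
	}
}
```

Two design points worth noting: the ACL is evaluated against the group a device resolves to at request time, so moving a device into another subnet changes who may see its password without editing any user entry; and a device that matches no group is denied to everyone, which is the safe default for an unknown asset.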

Race Conditions

Consider a workstation on which the ID-Archive service determines that the time has come to change passwords.

If it simply changes passwords and then attempts to contact a central server to upload the new value, it may find that it is off-line, and so must either roll back the change, or store the new value and periodically test for connectivity, in the hopes that the new password can be uploaded before anyone needs to use it.

To avoid this problem, the workstation service first connects to an ID-Archive server, and asks that server to generate a new, random password for a given local user. It then changes the password locally, and the ID-Archive server changes the password in its own database. Finally, the workstation sends a confirmation message to the ID-Archive server.

In the event that the ID-Archive server did not receive a confirmation message -- perhaps the workstation was turned off, or disconnected -- it will retain both the old and new passwords. The new password is assumed to be current, and the old password is archived. In fact, old passwords are archived in general, as a fail-safe mechanism.
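The three-step exchange above is easier to reason about as code. The following is an added example written for this white paper, not ID-Archive code: a server that issues and records a new value before the workstation touches its local account (step 1), a simulated workstation agent that applies it (step 2) and confirms it (step 3), and the fail-safe behaviour when the confirmation never arrives. Device and account names are constructed; the hypothetical `Lookup` shows what an operator would be offered, newest value first.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Added example, not ID-Archive code: request / local change / confirm, with
// the server retaining both the unconfirmed and the superseded values.

type record struct {
	current string   // last value the workstation confirmed
	pending string   // issued by the server, not yet confirmed ("" if none)
	archive []string // every superseded value, kept as a fail-safe
}

type Server struct{ store map[string]*record }

func NewServer() *Server { return &Server{store: make(map[string]*record)} }

func key(device, account string) string { return device + "/" + account }

// RequestNewPassword (step 1): generate and record the value as pending
// before the workstation changes anything. An earlier pending value that was
// never confirmed is archived rather than discarded.
func (s *Server) RequestNewPassword(device, account string) (string, error) {
	b := make([]byte, 8)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	pw := hex.EncodeToString(b)
	r, ok := s.store[key(device, account)]
	if !ok {
		r = &record{}
		s.store[key(device, account)] = r
	}
	if r.pending != "" {
		r.archive = append(r.archive, r.pending)
	}
	r.pending = pw
	return pw, nil
}

// Confirm (step 3): the pending value becomes current; the old current value is archived.
func (s *Server) Confirm(device, account, pw string) error {
	r, ok := s.store[key(device, account)]
	if !ok || r.pending != pw {
		return errors.New("no matching pending password")
	}
	if r.current != "" {
		r.archive = append(r.archive, r.current)
	}
	r.current, r.pending = pw, ""
	return nil
}

// Lookup returns the values an operator should try, in order: an unconfirmed
// pending value is assumed live, then the last confirmed value, then the
// archive (most recently archived first). Nothing is ever lost.
func (s *Server) Lookup(device, account string) []string {
	r, ok := s.store[key(device, account)]
	if !ok {
		return nil
	}
	var out []string
	if r.pending != "" {
		out = append(out, r.pending)
	}
	if r.current != "" {
		out = append(out, r.current)
	}
	for i := len(r.archive) - 1; i >= 0; i-- {
		out = append(out, r.archive[i])
	}
	return out
}

var ErrConfirmLost = errors.New("local change applied but confirmation did not reach the server")

// Workstation simulates the local agent; Local stands in for its account database.
type Workstation struct {
	Name   string
	Local  map[string]string
	Online bool
}

// Rotate runs the exchange. Step 1 needs the server, so an offline workstation
// changes nothing; loseConfirmation simulates a disconnect between steps 2 and 3.
func (w *Workstation) Rotate(s *Server, account string, loseConfirmation bool) (string, error) {
	if !w.Online {
		return "", errors.New("offline: no password issued, nothing changed")
	}
	pw, err := s.RequestNewPassword(w.Name, account) // step 1
	if err != nil {
		return "", err
	}
	w.Local[account] = pw // step 2
	if loseConfirmation {
		return pw, ErrConfirmLost
	}
	return pw, s.Confirm(w.Name, account, pw) // step 3
}

func main() {
	s := NewServer()
	w := &Workstation{Name: "WS-A-0042", Local: map[string]string{"Administrator": "factory"}, Online: true}
	w.Rotate(s, "Administrator", false)
	w.Rotate(s, "Administrator", true) // workstation drops off the network before confirming
	fmt.Println("offered to operator:", s.Lookup(w.Name, "Administrator"), "actually live:", w.Local["Administrator"])
}
```

Because the value is generated and stored server-side first, the worst case after any disconnect is an extra candidate in the list an operator is shown, never a password that exists only on a device nobody can reach.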

High Availability

Once deployed, ID-Archive becomes an essential part of an organization's IT infrastructure, since it alone houses administrative credentials to thousands of networked devices. An outage in ID-Archive would mean that administrative access to a range of devices is interrupted -- a major outage to IT service.

Since servers occasionally break down, ID-Archive supports load balancing and data replication between multiple physical servers. Any data updates written to its credential database are replicated, in real time, across all servers.

In short, ID-Archive incorporates a highly available, replicated, multi-master architecture.

To provide out-of-the-box data replication, ID-Archive includes a built-in database engine, which stores the same data tables, including encrypted credentials, on each server. These files are in an industry standard format (.DBF), accessible by almost every spreadsheet and reporting program available. Data replication is handled by this built-in engine, making it both simple and advisable for organizations to build a highly-available ID-Archive server cluster, spanning multiple servers, with each server placed in a different physical site.

This multi-site, multi-master replication is configured at no additional cost, beyond that of the hardware for additional servers, and with little administrative effort.

Data Protection

Administrative credentials are sensitive data, and must be protected accordingly. Both the live data maintained by ID-Archive and backups of its data set require protection against would-be intruders. To provide this protection, ID-Archive must be configured on a hardened, locked-down server, in a physically secure site.

To ensure further protection, ID-Archive encrypts administrative passwords for all devices. A privacy key, embedded in the ID-Archive software itself, is used to encrypt a site-specific encryption key, which is stored in the registry of each ID-Archive server. The site-specific encryption key is a 128-bit random number, and is used to encrypt and decrypt randomized passwords for devices protected by ID-Archive. The encryption algorithm used to protect both the site-key and randomized passwords is 128-bit AES.
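The two-level key arrangement just described is a standard envelope scheme, and the following added example, written for this white paper and not ID-Archive code, shows it end to end: a privacy key that stands in for the one embedded in the software (a constructed 16-byte value), a freshly generated 128-bit site key stored only in wrapped form, and per-device password records encrypted under the site key. The paper states only "128-bit AES"; the use of GCM mode, and of the device and account name as authenticated associated data, are this example's own choices, made so that any tampering with a stored record, or a record copied into another device's row, is detected on decryption rather than yielding a wrong password.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Added example, not ID-Archive code. privacyKey is a constructed placeholder
// for the key embedded in the software; a real deployment would never use a
// printable constant like this.
var privacyKey = []byte("0123456789abcdef") // 16 bytes = AES-128

// seal encrypts with AES-128-GCM (mode assumed) and returns nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; a modified blob or mismatched aad fails authentication.
func unseal(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

var siteKeyLabel = []byte("site-key") // constructed context label for the wrap

// NewWrappedSiteKey generates the 128-bit site key and returns it encrypted
// under the privacy key; this wrapped form is what would sit in the registry.
func NewWrappedSiteKey() ([]byte, error) {
	siteKey := make([]byte, 16)
	if _, err := rand.Read(siteKey); err != nil {
		return nil, err
	}
	return seal(privacyKey, siteKey, siteKeyLabel)
}

func unwrapSiteKey(wrapped []byte) ([]byte, error) {
	return unseal(privacyKey, wrapped, siteKeyLabel)
}

// EncryptPassword produces the record stored in the credential database.
func EncryptPassword(wrapped []byte, device, account, password string) ([]byte, error) {
	sk, err := unwrapSiteKey(wrapped)
	if err != nil {
		return nil, err
	}
	return seal(sk, []byte(password), []byte(device+"/"+account))
}

// DecryptPassword recovers a record; device and account must match those used to store it.
func DecryptPassword(wrapped, blob []byte, device, account string) (string, error) {
	sk, err := unwrapSiteKey(wrapped)
	if err != nil {
		return "", err
	}
	pt, err := unseal(sk, blob, []byte(device+"/"+account))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	wrapped, _ := NewWrappedSiteKey()
	blob, _ := EncryptPassword(wrapped, "SRV-DB-01", "Administrator", "example-password")
	pw, err := DecryptPassword(wrapped, blob, "SRV-DB-01", "Administrator")
	fmt.Printf("record is %d bytes; recovered %q (err=%v)\n", len(blob), pw, err)
	_, err = DecryptPassword(wrapped, blob, "WS-A-0042", "Administrator")
	fmt.Println("same record under another device:", err)
}
```

The split matters operationally: a backup of the database files alone is useless without the registry value, and the registry value alone is useless without the software's embedded key, which is why the paper insists on a hardened server in a physically secure site in addition to the encryption.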

Logging and Reporting

ID-Archive logs all attempted and completed password updates. This data can be used to track not only current administrator passwords for workstations and servers, but also device IP addresses and network connectivity.

ID-Archive also logs all attempts by its users to look up devices and to display credentials. This creates a chain of accountability, making it clear who accessed what device and when.

Updating Service Credentials

In some cases, administrative credentials are stored in files or the registry, and used by services, such as web servers, instant messaging services, etc. Where ID-Archive randomizes these credentials, it will therefore invalidate the password stored by the service program, and trigger a service outage.

To address this problem, ID-Archive includes a plugin architecture, where every password update can be followed by one or more calls into a plugin library to update cached passwords. For example, if ID-Archive is configured to update the password of an ID which a Windows server uses to run a service program, then ID-Archive can use an included plugin program (DLL) to contact the Service Control Manager, and notify it that the service's password has been changed.

Both Hitachi ID and organizations that deploy ID-Archive can write new plugin libraries to notify new kinds of service programs of completed password changes.


Network Architecture

The ID-Archive network architecture is illustrated in the figure below.

[Figure 1: ID-Archive Network Architecture Diagram]

The diagram illustrates that two kinds of clients connect to ID-Archive: workstations from which IT staff request access to credentials, and workstations or servers that download policy and subsequently request new passwords to apply to local credentials.

All access to ID-Archive is over HTTPS, and by default both user web browsers and the ID-Archive service check the server certificate, to ensure that they are really communicating with the intended ID-Archive servers.

ID-Archive is a sensitive security appliance, and so can be deployed behind a firewall.

For high availability, multiple ID-Archive servers can be deployed, in a replicated and load-balanced arrangement. Each server has a full set of data, which protects against failures such as disk crashes. New credentials written to any server are automatically replicated to all servers.


Push and Pull Modes

ID-Archive supports both server passwords, in "push mode", and workstation passwords, in "pull mode":

Push Mode

When managing passwords on servers, ID-Archive normally operates in "push mode." This means that periodically the ID-Archive server will initiate communication with each target system, using an agent program installed locally on the ID-Archive server, and randomize the administrator passwords on that target system.

The new password(s) will be encrypted and archived in the ID-Archive server's replicated storage, where IT staff may retrieve them.

Pull Mode

When managing passwords on workstations, ID-Archive normally operates in "pull mode." This means that a local agent is installed on each workstation and this agent software periodically contacts the central ID-Archive server, over HTTPS, to request a new administrator password.

The same approach applies not only to workstations, but also to any type of device which is numerous, or which is only sporadically reachable over the network. Examples include "server farms" of Windows or Unix servers or target systems in remote locations.

Once the local password has been set, a confirmation is sent to the ID-Archive server, which stores the new value. The new password(s) are encrypted and archived in the ID-Archive server's replicated storage, where IT staff may retrieve them.


Platform Support

Pull mode agents, installed locally on devices, and scalable to tens of thousands of devices, are provided for:

  1. Windows 2000 and XP workstations.
  2. Windows 2000 and 2003 servers.
  3. Unix and Linux servers and workstations.

Plugins are currently provided to update passwords, after randomization, in:

Push mode agents, installed on the ID-Archive server itself and scalable to thousands of devices, are provided for:

Directories: LDAP (any), Active Directory, Windows NT domains, Novell eDirectory, Novell NDS, Unix NIS and NIS+, Kerberos/DCE (any)

File/print: Windows NT/2000/2003, Novell NetWare, OS2 LanManager, Samba

Mainframes: MVS / OS/390 / zOS, RACF, CA-ACF2, CA-TopSecret, VM/ESA, Siemens BS2000, Tandem NonStop, Unisys MCP

Unix: AIX, DGUX, Digital Unix, HPUX, IRIX, Linux, NCR, OSF4, SCO OS, Solaris, SunOS, Tru64, UnixWare, Unisys, passwd, shadow, Trusted Computing Base

Midrange: HP MPE, OS/400/iSeries, OpenVMS

Database: DB2/UDB, Informix, MSSQL, ODBC, Oracle, Sybase

ERP: SAP R/3 4.0+, PeopleSoft 7.5+, Oracle Applications 11i+, JDE OneWorld

Messaging: MS Exchange 5.5, MS Exchange 2000/03/07, Novell GroupWise, Lotus Domino/HTTP, Lotus Notes/ID files, HP OpenMail

WebSSO: RSA ClearTrust, Entrust getAccess, Netegrity SiteMinder, Oracle COREid, SAP portal

Flexible agents: API (application programming interface) integration, LDAP attributes, MQ Series, SQL commands, Telnet/TN3270/TN5250 sessions, Unix/Windows cmd-line integration, web forms, web services (SOAP, XML)

Hardware tokens and Smartcards: RSA SecurID, Secure Computing SafeWord, Vasco Digipass, GemPlus, Precise Biometrics

Miscellaneous: RADIUS (various), Local and cached Windows passwords, Peregrine ServiceCenter, Remedy ARS, Clarify eFrontOffice, NAI Magic, Tivoli ADSM, IBM OLAP, IBM Tivoli Access Manager Connected Backup



ID-Archive Development Roadmap

Multiple Signatures

Currently, ID-Archive supports IT staff signing in with either application or existing directory credentials to access archived passwords.

In a future release, support for multiple authorizers will be introduced, whereby one administrator requests access to a password, and one or more additional people must review and approve that request before the initial administrator is granted access to the credential.

This enhancement will create an extra level of protection for very sensitive resources.