Iraje Discovery Tool manual version 8

Introduction

This document is the user manual for the Discovery Tools in Iraje PAM. It explains all the discovery tool modules and how to use them.

Purpose

The main purpose of the various Discovery Tools in Iraje PAM is to get the details of admins which are configured or added in PAM and which are not added also to get the details of devices which are configured in PAM and which are not added with potential open ports on those devices & to sync the connections which are out of sync. This manual will help the users get familiar with the Iraje PAM application and how to use it effectively in their environment.

The discovery capabilities are key to ensure proactive management and better governance of the super user accounts within the organization.

Target Audience

Admins Using Iraje PAM.

Iraje PAM Login Page

The user will login into the dashboard using his ID & Password, select the Domain & use Multi-Factor Authentication.

After login, the user will be redirected to Iraje Dashboard

Iraje PAM has 3 levels of roles in PAM:

  • Admin

  • Group Admin

  • Super Admin

According to user’s role the dashboard is available to the User.

Discovery Tools

In Iraje PAM there are total of 4 types of Discovery Tools Module.

  • Discover Hidden Admins:Discover Admins which are not configured in PAM.

  • Discover Hidden Devices: Discover Devices which are not configured in PAM.

  • Discover Active Ports: Discover Open or Active Ports on Devices which are configured and not configured in PAM.

  • Discover Password Sync: Discover Devices or Connections configured in PAM

Discover Hidden Admins

The main purpose of Admin Discovery is to get the details of admins which are configured or added in PAM and which are not added. The actual functioning takes place in Access Control Manager. We will see how it works, click on Access Control Manager.

You will now be able to enter Access Control Manager. After Clicking on the Access Control Manager, It will display the last login time-stamp when Access Control Master was logged in.

Click on the Directory Access

Choose Admin in Select Group

Click on Configure Access Control Manager to access connection details

Here we can Add a New Connection, Update already existing Connections. All this is explained in detail in Access Control Manager Manual and New Connection Creation Manual. We will click on the ACM Password Security Manager.

In ACM Password Security Manager tab, we are able to see the connections and its status (i.e. Sealed or Open) & Password expiry of the connections. All this is explained in detail in Access Control Manager Manual. Here we will click on Discover ACM tab

In Discover ACM tab, you will see various groups configured in Iraje PAM. We will select one Group (for ex. LTFS_SYSADMIN group). We will then click on Select Connection(s) to retrieve all the connections in that Group. We can also perform Admin Discovery scan on multiple Groups. Just select on the Groups you want the scan to be performed on.

When you retrieve all the connections, you can either select Go which will perform Admin Discovery on all the connections in the selected Group, or either you can select a specific connection and click on Go

When we click on Go, PSEXESVC Service gets invoked and it runs on that selected IP address/es. Below we can see the service has started running on 10.3.1.100.

PsExec let users execute processes on remote systems without the need to have any kind of client software present on the remote computers. PsExec provides full interactivity for console applications. The program can be used to launch command-prompts and run tools such as ipconfig which otherwise don't have the ability to display information about the remote system. PsExec.exe is present in the PAM Server. It runs from the PAM server to the remote server.

It runs the below command from PAM server to the remote server.

PsExec.exe -u [domain]\[username] -p [password] \\[Machine Name] cmd

Once the PsExec.exe prompt goes, you will see progress bar in Admin Discovery for the connection.

Once the progress bar hits 100% or is at full, a prompt will be shown as below. Once you click on OK, you can then fetch the results on Admin Discovery in Dashboard.

Go to Admin Discovery in Dashboard.

You will see the scan result from Access Control Manager.There are will be some Non Configured Admins on IP address we scanned. We can get more details about the Admins by clicking on View Details.

Discover Hidden Devices

The client can discover the devices from their network which are not configured in PAM by going to Device Discovery in Iraje PAM Dashboard

The main purpose of Device Discovery is as follows:

  • User has to mention Valid IP Range to start Device Discovery Scan. Ex.: 10.0.0.1 – 10.0.0.50

  • If you want to scan specific ports, then you need to tick the custom port checkbox. It will only display devices which are using that port(s).

  • After clicking on search button, you will get device discovery results screen.

  • After clicking on search button, you will get the below device discovery results screen.

Discover Active Ports

The client can discover the open ports in their network by going to Device Discovery in Iraje PAM Dashboard

Scanning for Open Ports:

The result displays devices which are not configured in PAM. Client needs to be notified about these devices and request those devices to be configured inside PAM to avoid Security Breaches.

Open ports can expose your business's computer or network to security breaches. Discovering and closing open ports is essential for keeping the network safe. You can identify open ports by Device Discovery by specifying an IP range & clicking on Start. Once scan is completed, there will be prompt saying Scan Complete. We can then check the results populated in the table. Its like running the “netstat” command to quickly identify open ports via command prompt

Scanning for Custom ports:

There is an option in which a user can scan a specific port available on a device, if it is enabled by the client on any IP address in the specified IP range.

A custom port is unique and different than default ports. We can specify multiple custom ports by using comma (,)

Discover Password Sync

The client can sync the connections which are out of sync in the PAM by going to Sync Center in Iraje PAM Dashboard

The prerequisite to Sync Center is creation of IBKUSER

IBK user

IBKUSER is Iraje Backup User. It’s mainly used to sync connections which are out of sync. IBKUSER can be created in Windows & Linux. Demonstration of creation of IBKUSER on Windows & Linux is as follows:

Creation of IBKUSER in Windows

For creating an ibkuser in a Windows server perform the following steps:

  • Step 1: Go to Active Directory.

  • Step 2: Right click on Users then select New & select User.

  • Step 3: Enter basic details of the ibkuser.

  • Step 4: Enter Password and check on Password never expire.

  • Step 5: Go to Properties of ibkuser.

  • Step 6: Go to Member Of tab & Click on Add and do as following

  • Step 6.1: Add Administrators & click on OK.

  • Step 6.2: Administrators is created.

  • Step 7: Now create a connection of that target server where ibkuser was created.

Creating IBKUSER in Linux
  • Step 1: Go to any UNIX Device via Access Control Directory and switch user to root.

  • Step 2: Create an ibkuser as follows

  • Step 3: Enter following command #cat /etc/sudoers

  • Step 4: Go to where # Allow members of group sudo to execute any command & add

  • Step 5: Go to Sync Center from Iraje PAM Dashboard

Go to On demand scan, select the connection and click on Scan.

  • Step 6: Go to the sync center- Scan Status and check status of the synced IP connection.

  • Step 7: Go to Sync Center

Go to On Demand Scan, select the connection and click on Scan & Sync

  • Step 8: Go to sync center.

Go to Scan Status and check status of the synced IP connection.

Sync Center Modules

There are 4 sub modules in Sync Center

The graph:
Shows connection details like total connections, connections in sync & connection not in sync

Scan Status:
This shows status of connections, whether they are working or not. A green tick indicates that a connection is working. A red tick indicates that a connection is out of sync.

On Demand Scan:
This module scans the connections and syncs them

Sync Center Setting:
This module lets you scan and sync connections on a daily, weekly or monthly basis.