Iraje PAM Unauthorized Access Manual (Windows) Version 8

Introduction

Unauthorized access in the datacentre is dangerous and risky for any organization. Even after a PAM solution has been implemented, users tend to access devices directly, bypassing PAM. Such access not only bypasses security but also leaves no trace of the activity. When an incident happens, it is not possible to find the root cause, because the session was taken outside PAM and PAM has no audit trail of activities done outside it.

It is very important to find such bypasses and alert the security teams to them. The reason for alerting the security team rather than blocking such access is to ensure that, in case of disaster, the datacentre can still be accessed, although the access is alerted.

Purpose

Train the admins on how to use the Iraje PAM Unauthorized access alerts module. This manual will help the admins get familiar with the Iraje PAM application and how to use it effectively in their environment.

Target Audience

Auditors, Risk Managers, IT Security Teams, Admins using PAM

Operating Procedure

Iraje PAM provides an agent-based solution for unauthorized access alerts on Windows devices.

Iraje PAM provides a facility through which Super or Group admin PAM users are notified of the following activities:

  • A user connects to a target server with any privileged or local ID from a source IP address other than the PAM server IP address.

  • If the login comes from outside the PAM source IP, the Iraje agent raises an automatic alert for the bypass ID.

This feature helps to track logins made outside PIM and so avoids security risks by preventing users from accessing their servers in a non-monitored environment. Iraje unauthorized access alerts are available for Windows and Linux OS.
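An independent cross-check of the same condition, as an added example that is not Iraje code and not part of the original manual: it lists successful RDP logons recorded in the target server's Windows Security log whose source address is not a PAM server. The two IP addresses are placeholders, and the function name Get-LogonOutsidePam is hypothetical.

```powershell
# Added example: cross-check against the Windows Security log, not Iraje agent code.
# Placeholder addresses (TEST-NET-1): replace with the PAM primary and HA server IPs.
$PamSourceIps = @('192.0.2.10', '192.0.2.11')

function Get-LogonOutsidePam {
    param(
        [Parameter(Mandatory)][string[]]$AllowedSourceIp,
        # '10' = RemoteInteractive (RDP). Adding '3' (Network) also covers
        # SMB and WinRM logons, at the cost of far more results.
        [string[]]$LogonType = @('10'),
        [datetime]$Since = (Get-Date).AddHours(-24)
    )
    # Event ID 4624 = "An account was successfully logged on".
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the EventData name/value pairs into a hashtable.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data['LogonType'] -notin $LogonType) { return }
        $src = $data['IpAddress']
        # Local or sourceless logons carry an empty value, '-' or a loopback address.
        if ([string]::IsNullOrEmpty($src) -or $src -in '-', '::1', '127.0.0.1') { return }
        # Logons that came through the PAM server are expected.
        if ($src -in $AllowedSourceIp) { return }

        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType   = $data['LogonType']
            SourceIp    = $src
        }
    }
}

Get-LogonOutsidePam -AllowedSourceIp $PamSourceIps |
    Sort-Object TimeCreated |
    Format-Table -AutoSize
```

Reading the Security log requires an elevated session on the target server. An empty result means no RDP logon from a non-PAM address was recorded in the last 24 hours.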

Pre-requisites for Windows OS:

The following are the pre-requisites for Windows devices to send unauthorized access alerts:

  • Port '3001' needs to be opened in the firewall from the Target device to the PAM device (Source: Target Server IP & Destination: PAM Server IP)

  • 'Iraje agent setup' needs to be installed on each Windows device from which alerts are to be sent; 'Iraje agent setup' can also be pushed through SCCM

  • 'Iraje Agent Service' needs to be white-listed in the antivirus on both the PAM server & the Target server

Work-flow for Iraje PAM unauthorized access alerts on Windows Devices

Step 1: Open the ‘Iraje Agent Setup’ file & select the Agent setup that matches the Target Server, i.e. 32-bit or 64-bit

Step 2: Select the required setup file & click on ‘Next’

Step 3: Click either on ‘Everyone’ or ‘Just me’ & then click on ‘Next’

Step 4: In ‘Primary IP’, enter the ‘PAM Primary Server IP’, and in ‘Alternate IP’, enter the ‘PAM HA server IP’

Click on ‘Next’ & the installation is complete. To confirm that the installation was successful, check the services on the target device, i.e. check whether the Iraje Agent service has been added to the services console

Step 5: To enable alerts for unauthorized access or Agent tampered, click on Alert & enable 'PIM Login By Outside Agent'

Step 6: Alerts are then received by email or SMS by Super or Group Admin users

Reports

Agent Reports are critical to security because they identify the outliers who bypass the PAM solution to take direct access to critical assets, that is, the people violating the security policies of the organization. This is one of the most critical reports for the Audit and Compliance of the organization. These reports are unique to Iraje PAM: the unauthorized access report on Linux/Unix/AIX/Sun Solaris is innovative and no other PAM solution offers it as of Mar 2020.

Agent Tampered Report

This report gives details about Iraje agents tampered with by any external software on target Windows servers.

Agent Summary Report

This report gives details about the status of agents installed on Windows servers.

Unauthorized Access Report

This report gives details about the unauthorized access alerts sent to admins.

Non Deployed Agent Report

This report gives details about the devices on which the Windows Agent has not been deployed.