Symantec Privileged Access Management

  • 1.  HOW TO: Manage Windows Service Accounts

    Posted Jul 26, 2019 10:02 AM
    Edited by Sebastiano Alighieri Jul 26, 2019 10:24 AM
    Hello, 

    I'm working on a project in which the client wishes to manage several thousand Windows Service Accounts.

    The requirement is the following:
    When PAM rotates the password on the Windows Service Account it must also update all of the target devices (member servers) on which a service or scheduled task has been configured to run as that account.

    The Windows service accounts are Active Directory domain accounts, but they are configured on member servers as the "Run As" account on services and scheduled tasks.

    I've tested the following setup in PAM 3.3, but I am not able to discover the account on the member server (the account is configured as the Run As account for the w32tm Windows service).

    1. Created a Windows Proxy Application against the target device (windows member server)
        a. Set the Account type to AD and "Lookup domain using DNS servers"
        b. Enabled discovery of services and tasks

    2. On-boarded AD account into PAM and linked it to the Proxy Application (created in step 1)
        a. Enabled the account for credential discovery

    3. Configured the "Adobe Acrobat Update Service" service on the target device to run as the account on-boarded in step 2 and started the service; it is running.

    4. Ran a credential discovery using the on-boarded account.
        Only local accounts were discovered, not the Windows service account on-boarded in step 2.


    What am I missing?
    Is this not a supported function / feature?

    ------------------------------
    Services Architect
    HCL Technologies Ltd
    ------------------------------


  • 2.  RE: HOW TO: Manage Windows Service Accounts
    Best Answer

    Broadcom Employee
    Posted Jul 26, 2019 03:18 PM
    Did you look at the Discover Services that Use AD Account section of the wiki? 
    https://docops.ca.com/ca-privileged-access-manager/3-3/EN/implementing/protect-privileged-account-credentials/add-target-accounts-to-target-applications/discover-active-directory-services-and-scheduled-tasks

    ------------------------------
    Principal Support Engineer
    Broadcom
    ------------------------------



  • 3.  RE: HOW TO: Manage Windows Service Accounts

    Posted Jul 26, 2019 04:22 PM
    Edited by Sebastiano Alighieri Jul 26, 2019 04:23 PM
    Hi Ed, thanks for the reply,

    Yes, we just "discovered" that piece of documentation ourselves.

    So now we know how to set it up; see the screenshots below. The only thing I didn't see documented is that the PAM Proxy Service must run as a domain account that has appropriate privileges on all member servers on which it needs to update the Service Account password. But we figured that out.

    Now the only piece missing is that the client doesn't actually know which service accounts run on which servers (or perhaps can't provide the full list), which will present a challenge.

    Here's how we got it to work:

    Configure the PAM Proxy Service account to Run As a domain account that has appropriate privileges on all member servers to update Windows services; this typically means the account must be a local admin.

    Onboard the Windows Service Account as an Active Directory Account


    Synchronize the Account (in this case, discovery allowed is checked but has nothing to do with what we're trying to accomplish)


    Configure the Services / Schedule Tasks tab:
    Change Service Using: Proxy Credentials
    Login Using: Proxy Credentials

    Optionally:
    Discover Services: Using Proxy
    Proxy Host: Specify the Proxy
    Search Host: If you want to scan one or more hosts, you must specify them one at a time in this field and click Discover Services; this will add services to the list at the top. NOTE: you can add services manually to the list at the top by clicking the [+] button and specifying the appropriate values.


    ------------------------------
    Services Architect
    HCL Technologies Ltd
    ------------------------------
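The gap described in the last post is knowing which member servers actually run services or scheduled tasks as a given account, so the Search Host field can be filled in. The following PowerShell inventory script is an added example, not code from the thread or from the PAM product; the host names and the DOMAIN\account value are placeholders, and it assumes the account running it has CIM/WinRM access to the listed servers.

```powershell
# Added example (not from the thread): list services and scheduled tasks on member
# servers whose "Log On As" / "Run As" account matches a given AD account, to build
# the host list needed for the PAM Services / Scheduled Tasks configuration.
param(
    [string[]]$ComputerName = @('MEMBER01', 'MEMBER02'),   # placeholder host names
    [string]$Account = 'CORP\svc_example'                  # placeholder DOMAIN\account
)

# Normalise DOMAIN\user and user@domain.fqdn so both forms compare equal (case-insensitive).
function Normalize-Account([string]$Name) {
    if ([string]::IsNullOrWhiteSpace($Name)) { return '' }
    if ($Name -match '^(?<user>[^@\\]+)@(?<dom>[^.]+)') {
        return ('{0}\{1}' -f $Matches.dom, $Matches.user).ToLower()
    }
    return $Name.ToLower()
}

$wanted = Normalize-Account $Account
$results = foreach ($server in $ComputerName) {
    try {
        $cim = New-CimSession -ComputerName $server -ErrorAction Stop

        # Services: Win32_Service.StartName holds the account the service logs on as.
        Get-CimInstance -CimSession $cim -ClassName Win32_Service |
            Where-Object { (Normalize-Account $_.StartName) -eq $wanted } |
            ForEach-Object {
                [pscustomobject]@{ Host = $server; Type = 'Service'; Name = $_.Name
                                   State = $_.State; RunAs = $_.StartName }
            }

        # Scheduled tasks: Principal.UserId holds the account the task runs as.
        Get-ScheduledTask -CimSession $cim |
            Where-Object { (Normalize-Account $_.Principal.UserId) -eq $wanted } |
            ForEach-Object {
                [pscustomobject]@{ Host = $server; Type = 'Task'; Name = $_.TaskName
                                   State = $_.State; RunAs = $_.Principal.UserId }
            }

        Remove-CimSession $cim
    }
    catch {
        # Unreachable or unauthorised hosts are reported, not silently skipped.
        Write-Warning "$server : $($_.Exception.Message)"
    }
}

# One row per matching service or task; the distinct Host values are the servers to add.
$results | Sort-Object Host, Type, Name | Format-Table -AutoSize
```

Hosts that raise a warning still need to be checked by other means, since a missing row may mean access was denied rather than that the account is not in use there.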