Symantec Privileged Access Management

 View Only
Expand all | Collapse all

Prevent users from change privileged accounts passwords after they log in

  • 1.  Prevent users from change privileged accounts passwords after they log in

    Posted Mar 23, 2018 12:17 PM

    Hi there,


    I'm using PAM 3.1.1 and I have a doubt.


    If I configure an automatic login (with SSH Applet) to allow, for example, a user to log into a server with root account, this user just have to click on SSH button on his access page, with no need to check nor insert the root password, since root account credentials are stored and hidden.


    But if the user is root on the server, he can change own (and any other PAM managed account) password, so that automatic login won't work anymore, since the password stored by PAM is different from the one existing on the server.


    I have same the same doubt above windows-based accounts management.

    If I use PAM to make a user login as an Administrator, how can I forbid him to change Administrator password or, worst, the PAM Proxy log on account password, supposing I don't want it to run as LocalSystem?


    Is there any way to prevent users from change account password?


    Thanks for helping me,


    Best regards,


  • 2.  Re: Prevent users from change privileged accounts passwords after they log in
    Best Answer

    Posted Mar 23, 2018 04:50 PM

    There is no way to prevent root from changing a password.  It is our recommendation that you not allow your users root access.  Instead, allow your users to use sudo.  You can configure sudo to limit what users can do and you can also configure PAM to use Command Filtering, and also prevent specific commands from being executed in ssh sessions.  There is no Command Filtering for RDP. 


    You can mitigate the affects of your users having the capability to change passwords on their systems.  First of all you should enable session recording.  If a password is changed on a system you can review those recordings and see who did it.  You can then have a discussion about why they should not be doing that.  Secondly, you can use the scheduled jobs to verify your target accounts.  This will help you to know which accounts are out of sync between PAM and the Target server.  You can also configure PAM to change passwords for an account using another, controlling account.  Using this methodology, the account whose password is being changed does not have to be in sync.  The controlling account itself must be in sync, but you can limit access to these accounts.


    If this is  not sufficient please open a ticket so that Support may discuss this in detail with you.