Overview of the Local Windows Connector
The EmpowerID Local Windows Server Connector enhances IT security and streamlines the management of local computer administrator accounts. It integrates with both on-premises and cloud-based Windows servers to efficiently manage local users and groups, particularly local administrators. The connector features automated password management for privileged accounts, ensuring security through password rotation and resets. Additionally, it supports compliance efforts with SOX, HIPAA, and PCI-DSS regulations via inventory tracking, attestation policies, and integration with EmpowerID's Privileged Session Manager for identity verification and session recording.
Technical Requirements
Ensure the following prerequisites are met before implementing the Local Windows Connector:
- Windows Server: Target systems must run a supported version of Windows Server.
- Administrative Privileges: Administrative access to the target Windows server is required.
- EmpowerID Account: An active EmpowerID account with the necessary permissions.
- EmpowerID Cloud Gateway Client: Install the client on a dedicated server within the same domain as the local servers.
- Windows Management Framework and PowerShell: The latest versions must be installed, with remote PowerShell enabled on each server.
Core Functionalities
Local Privileged Account Management
The connector automatically discovers and inventories local users and groups on Windows servers, including detailed insights into local administrators. This process provides full visibility into privileged accounts, which are often prime security targets.
- Role-Based and Attribute-Based Access Control: Enforces RBAC and ABAC policies to ensure only authorized users have privileged access.
- Audit Trails: Maintains a complete record of actions related to local users and groups, aiding compliance with SOX, HIPAA, and PCI-DSS.
Password Management
The connector automates password rotation for local privileged accounts, reducing the risk of password-related breaches. It integrates with EmpowerID's password vaulting and rotation policies to ensure secure password management.
- Windows Services and IIS Application Pools: Manages the identities and passwords used by Windows Services and IIS Application Pools, mitigating security risks.
Privileged Account Discovery
The connector extends its discovery and management capabilities to privileged accounts across Windows, Linux, Unix, and VMware ESXi systems, allowing centralized privileged identity management.
- Lifecycle Management: Includes recertification and ownership assignment to prevent unauthorized access.
Integration with the EmpowerID Framework
Seamless integration with the EmpowerID framework enhances the connector's functionality:
- IT Shop Integration: Supports access requests and approvals for managing privileged access.
- Privileged Session Manager Integration: Provides adaptive identity verification and session recording for enhanced security and compliance.
PowerShell Cmdlets Used
EmpowerID leverages PowerShell cmdlets to manage local Windows accounts, services, and IIS application pools. Below are key cmdlets:
| Functionality | PowerShell Cmdlet |
|---|---|
| Retrieve local user accounts | Get-LocalUser |
| Create a new local user account | New-LocalUser |
| Delete a local user account | Remove-LocalUser |
| Enable a local user account | Enable-LocalUser |
| Disable a local user account | Disable-LocalUser |
| Reset local user password | Set-LocalUser |
| Retrieve local groups | Get-LocalGroup |
| Create a new local group | New-LocalGroup |
| Delete a local group | Remove-LocalGroup |
| Add members to a local group | Add-LocalGroupMember |
| Remove members from a local group | Remove-LocalGroupMember |
| Retrieve local group members | Get-LocalGroupMember |
| Retrieve SMB shares | Get-SMBShare |
| Create a new SMB share | New-SMBShare |
| Remove an SMB share | Remove-SMBShare |
| Grant SMB share access | Grant-SMBShareAccess |
| Revoke SMB share access | Revoke-SMBShareAccess |
| Retrieve Windows services | Get-Service |
| Start a Windows service | Start-Service |
| Stop a Windows service | Stop-Service |
| Retrieve IIS application pools | Get-IISAppPool |
| Start an IIS application pool | Start-WebAppPool |
| Stop an IIS application pool | Stop-WebAppPool |
| Recycle an IIS application pool | Restart-WebAppPool |
| Set IIS app pool identity | Set-ItemProperty |
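As an added example (not EmpowerID's code), the script below combines Get-LocalGroupMember with the remote PowerShell the prerequisites call for to inventory the local Administrators group across several servers and report members that are not on an approved baseline, which is the discovery step the connector automates. The server names and the baseline list are assumptions; pass short host names so they match the HOST\name prefix that local principals carry.

```powershell
# Added example, not EmpowerID's code: inventory local Administrators on several
# servers over remote PowerShell and flag members outside an approved baseline.
function Get-LocalAdminDrift {
    param(
        [string[]]$ComputerName = @('SRV-APP01', 'SRV-APP02'),             # hypothetical hosts
        [string[]]$Approved     = @('Administrator', 'CORP\Server Admins')  # hypothetical baseline
    )
    # Get-LocalGroupMember runs on each target; Invoke-Command tags every
    # returned object with PSComputerName, so no extra bookkeeping is needed.
    $members = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' |
            Select-Object Name, ObjectClass, PrincipalSource
    } -ErrorAction Continue

    foreach ($m in $members) {
        # Local principals come back as HOST\name; domain principals keep DOMAIN\name.
        $name = $m.Name -replace ('^' + [regex]::Escape($m.PSComputerName) + '\\'), ''
        $finding = if ($name -match '^S-1-5-21-') { 'OrphanedSid' }   # deleted account still in the group
                   elseif ($Approved -notcontains $name) { 'NotInBaseline' }
                   else { $null }
        if ($finding) {
            [pscustomobject]@{
                Server          = $m.PSComputerName
                Member          = $name
                ObjectClass     = $m.ObjectClass
                PrincipalSource = $m.PrincipalSource
                Finding         = $finding
            }
        }
    }
}

# Show the drift report and keep an audit copy; no rows means every server matches the baseline.
$drift = Get-LocalAdminDrift
$drift | Format-Table -AutoSize
if ($drift) { $drift | Export-Csv -Path .\local-admin-drift.csv -NoTypeInformation }
```

Run the report on a schedule and diff successive CSV files to catch additions to the Administrators group between full recertification cycles.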
Schema Information
The following tables outline the schema for the EmpowerID Local Windows Connector, detailing attributes and their relevant properties.
User Attributes
| Display Name | Object Attribute | Attribute Type | Multi Value |
|---|---|---|---|
| Description | Description | string | No |
| DisplayName | DisplayName | string | No |
| HomeDirDrive | HomeDrive | string | No |
| HomeDirectory | HomeDir | string | No |
| LoginScript | LogonScript | string | No |
| MaxStorage | MaxStorage | INT | No |
| Members | Members | string | No |
| ProfilePath | ProfilePath | string | No |
Group Attributes
| Display Name | Object Attribute | Attribute Type | Multi Value |
|---|---|---|---|
| Description | Description | string | No |
| DisplayName | DisplayName | string | No |
| HomeDirDrive | HomeDrive | string | No |
| HomeDirectory | HomeDir | string | No |
| LoginScript | LogonScript | string | No |
| MaxStorage | MaxStorage | INT | No |
| Members | Members | string | No |
| ProfilePath | ProfilePath | string | No |
Inventory and Monitoring
The connector maintains accurate user and group information through inventory and membership reconciliation settings. The Account Inbox provides a centralized view of all user accounts and their status, giving administrators a complete overview.
User and Group Management
EmpowerID enables efficient local user and group management:
- User Management: Create, update, disable, and delete local user accounts.
- Group Management: Create and manage local groups, including mail-enabling or disabling groups.
Managing Windows Services and IIS Application Pools
The connector provides extensive management capabilities for Windows Services and IIS Application Pools:
- Windows Services: Inventory and manage services on connected servers, including starting, stopping, and configuring service identities.
- IIS Application Pools: Inventory and manage application pools, including starting, stopping, and recycling them.
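The password rotation described under Password Management and the application pool identity management described here meet in one operation: the local account's password is reset with Set-LocalUser, the pool's processModel is pointed at the new credential with Set-ItemProperty, and the pool is recycled. The function below is an added example (not EmpowerID's code) of that sequence, to be run on the target server with the WebAdministration module available; the account and pool names are assumptions.

```powershell
# Added example, not EmpowerID's code: rotate a local service account's password
# and re-point the IIS application pool that runs under it. Run on the target server.
Import-Module WebAdministration

function Rotate-LocalAccountForAppPool {
    param(
        [Parameter(Mandatory)][string]$UserName,   # hypothetical local account, e.g. 'svc_webapp'
        [Parameter(Mandatory)][string]$AppPool     # hypothetical pool name, e.g. 'WebAppPool'
    )
    # 24 bytes from the OS CSPRNG, base64-encoded: 32 characters of upper, lower,
    # digits and '+' '/'. Adjust if the local password policy demands otherwise.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $plain  = [Convert]::ToBase64String($bytes)
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

    # 1. Reset the account first; a rotated account with no pool update is recoverable,
    #    a pool pointed at a password the account does not yet have is not.
    Set-LocalUser -Name $UserName -Password $secure -PasswordNeverExpires $true

    # 2. Update the pool identity. IIS accepts only a plain string here and encrypts
    #    it at rest in applicationHost.config; identitytype 3 means SpecificUser.
    Set-ItemProperty -Path "IIS:\AppPools\$AppPool" -Name processModel -Value @{
        identitytype = 3
        userName     = "$env:COMPUTERNAME\$UserName"
        password     = $plain
    }

    # 3. Recycle so running worker processes pick up the new credential.
    Restart-WebAppPool -Name $AppPool

    # Hand the secret back only so the caller can store it in the vault; never write it to a log.
    return $secure
}
```

Store the returned SecureString in the password vault before the function's output leaves the calling scope, and alert if step 2 or 3 throws, since the pool will then be running with a stale credential.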
Enhancing Security and Compliance
By leveraging the EmpowerID Local Windows Connector, organizations gain centralized control over privileged access, streamlined identity management, and enhanced security across Windows environments. Its integration with EmpowerID’s identity governance framework ensures a unified approach to managing local accounts, reducing risk, and maintaining compliance with industry standards.