Privileged Account Management for the Financial Services Sector


NIST SPECIAL PUBLICATION 1800-18C

Privileged Account Management for the Financial Services Sector

Volume C: How-To Guides

Karen Waltermire
National Cybersecurity Center of Excellence
Information Technology Laboratory

Tom Conroy
Marisa Harriston
Chinedum Irrechukwu
Navaneeth Krishnan
James Memole-Doodson
Benjamin Nkrumah
Harry Perper
Susan Prince
Devin Wynne
The MITRE Corporation
McLean, VA

September 2018

DRAFT

This publication is available free of charge /privileged-account-management

DISCLAIMER

Certain commercial entities, equipment, products, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST or NCCoE, nor is it intended to imply that the entities, equipment, products, or materials are necessarily the best available for the purpose.

National Institute of Standards and Technology Special Publication 1800-18C, Natl. Inst. Stand. Technol. Spec. Publ. 1800-18C, 104 pages, September 2018, CODEN: NSPUE2

FEEDBACK

You can improve this guide by contributing feedback. As you review and adopt this solution for your own organization, we ask you and your colleagues to share your experience and advice with us.

Comments on this publication may be submitted to: financial_nccoe@nist.gov.

Public comment period: September 28, 2018 through November 30, 2018

All comments are subject to release under the Freedom of Information Act (FOIA).

National Cybersecurity Center of Excellence
National Institute of Standards and Technology
100 Bureau Drive
Mailstop 2002
Gaithersburg, MD 20899
Email: nccoe@nist.gov

NIST SP 1800-18C: Privileged Account Management for the Financial Services Sector i

NATIONAL CYBERSECURITY CENTER OF EXCELLENCE

The National Cybersecurity Center of Excellence (NCCoE), a part of the National Institute of Standards and Technology (NIST), is a collaborative hub where industry organizations, government agencies, and academic institutions work together to address businesses’ most pressing cybersecurity issues. This public-private partnership enables the creation of practical cybersecurity solutions for specific industries, as well as for broad, cross-sector technology challenges. Through consortia under Cooperative Research and Development Agreements (CRADAs), including technology partners—from Fortune 50 market leaders to smaller companies specializing in information technology (IT) security—the NCCoE applies standards and best practices to develop modular, easily adaptable example cybersecurity solutions using commercially available technology. The NCCoE documents these example solutions in the NIST Special Publication 1800 series, which maps capabilities to the NIST Cybersecurity Framework and details the steps needed for another entity to recreate the example solution. The NCCoE was established in 2012 by NIST in partnership with the State of Maryland and Montgomery County, Md.

To learn more about the NCCoE, visit https://www.nccoe.nist.gov/. To learn more about NIST, visit https://www.nist.gov.

NIST CYBERSECURITY PRACTICE GUIDES

NIST Cybersecurity Practice Guides (Special Publication Series 1800) target specific cybersecurity challenges in the public and private sectors. They are practical, user-friendly guides that facilitate the adoption of standards-based approaches to cybersecurity. They show members of the information security community how to implement example solutions that help them align more easily with relevant standards and best practices, and provide users with the materials lists, configuration files, and other information they need to implement a similar approach.

The documents in this series describe example implementations of cybersecurity practices that businesses and other organizations may voluntarily adopt. These documents do not describe regulations or mandatory practices, nor do they carry statutory authority.

ABSTRACT

Privileged account management (PAM) is a domain within identity and access management (IdAM) that focuses on monitoring and controlling the use of privileged accounts. Privileged accounts include local and domain administrative accounts, emergency accounts, application management, and service accounts. These powerful accounts provide elevated, often nonrestricted, access to the underlying IT resources and technology, which is why external and internal malicious actors seek to gain access to them. Hence, it is critical to monitor, audit, control, and manage privileged account usage. Many organizations, including financial sector companies, face challenges in managing privileged accounts.

The goal of this project is to demonstrate a PAM capability that effectively protects, monitors, and manages privileged account access, including life-cycle management, authentication, authorization, auditing, and access controls.

KEYWORDS

Access control, auditing, authentication, authorization, life-cycle management, multifactor authentication, PAM, privileged account management, provisioning management

ACKNOWLEDGMENTS

We are grateful to the following individuals for their generous contributions of expertise and time.

Name                  Organization
Dan Morgan            Bomgar (formerly Lieberman Software)
David Weller          Bomgar (formerly Lieberman Software)
Oleksiy Bidniak       Ekran System
Oleg Shomonko         Ekran System
Karl Kneis            IdRamp
Eric Vinton           IdRamp
Michael Fagan         NIST
Will LaSala           OneSpan (formerly VASCO)
Michael Magrath       OneSpan (formerly VASCO)
Jim Chmura            Radiant Logic
Don Graham            Radiant Logic
Timothy Keeler        Remediant
Paul Lanzi            Remediant
Michael Dalton        RSA
Timothy Shea          RSA
Adam Cohn             Splunk
Pam Johnson           TDi Technologies
Clyde Poole           TDi Technologies
Sallie Edwards        The MITRE Corporation
Sarah Kinling         The MITRE Corporation

The Technology Partners/Collaborators who participated in this build submitted their capabilities in response to a notice in the Federal Register. Respondents with relevant capabilities or product components were invited to sign a Cooperative Research and Development Agreement (CRADA) with NIST, allowing them to participate in a consortium to build this example solution. We worked with:

Technology Partner/Collaborator        Build Involvement
Bomgar (formerly Lieberman Software)   Red Identity Suite
Ekran System                           Ekran System Client
IdRamp                                 Secure Access
OneSpan (formerly VASCO)               DIGIPASS
Radiant Logic                          RadiantOne FID
Remediant                              SecureONE
RSA                                    SecureID Access
Splunk                                 Splunk Enterprise
TDi Technologies                       ConsoleWorks

Contents

1 Introduction ..... 1
  1.1 Practice Guide Structure ..... 1
  1.2 Build Overview ..... 2
  1.3 Typographic Conventions ..... 3
2 Product Installation Guides ..... 3
  2.1 Microsoft Active Directory ..... 3
    2.1.1 How It’s Used ..... 3
    2.1.2 Virtual Machine Configuration ..... 3
    2.1.3 Installation ..... 4
    2.1.4 DNS Configuration ..... 4
    2.1.5 Group Policy Object Configuration ..... 5
    2.1.6 Scripts ..... 5
    2.1.7 Splunk Universal Forwarder ..... 8
  2.2 Bomgar Privileged Identity ..... 8
    2.2.1 How It’s Used ..... 8
    2.2.2 Virtual Machine Configuration ..... 8
    2.2.3 Prerequisites ..... 9
    2.2.4 Installing Privileged Identity ..... 9
    2.2.5 Configuration ..... 13
    2.2.6 Installing Privileged Identity Application Launcher ..... 16
    2.2.7 Configure Bomgar Privileged Identity with IdRamp SAML Authentication ..... 17
    2.2.8 Configuring Microsoft SQL Server Access ..... 20
    2.2.9 Configuring Twitter Account Launching ..... 33
    2.2.10 Configuring Multifactor Authentication with RSA ..... 36
    2.2.11 Splunk Universal Forwarder ..... 40
  2.3 TDi ConsoleWorks ..... 41
    2.3.1 How It’s Used ..... 41
    2.3.2 Virtual Machine Configuration ..... 41
    2.3.3 Installation ..... 42
    2.3.4 Configuration of Back-End Authentication ..... 42
    2.3.5 Creating Users ..... 45
    2.3.6 Creating Tags ..... 47
    2.3.7 Creating SSH Consoles ..... 47
    2.3.8 Creating Web Consoles ..... 49
    2.3.9 Assigning Tags to Consoles ..... 50
    2.3.10 Creating Profiles for Users ..... 51
    2.3.11 Assigning Permissions to Profiles ..... 52
  2.4 Ekran System ..... 53
    2.4.1 How It’s Used ..... 54
    2.4.2 Virtual Machine Configuration ..... 54
    2.4.3 Prerequisites ..... 54
    2.4.4 Installing Ekran System ..... 54
  2.5 Radiant Logic ..... 55
    2.5.1 How It’s Used ..... 55
    2.5.2 Virtual Machine ..... 55
    2.5.3 Prerequisites ..... 55
    2.5.4 Installation ..... 56
    2.5.5 Configure FID ..... 56
    2.5.6 Configure Logging ..... 58
    2.5.7 Configure SSL ..... 61
    2.5.8 Splunk Universal Forwarder ..... 62
  2.6 IdRamp ..... 63
    2.6.1 How It’s Used ..... 63
    2.6.2 Prerequisites ..... 63
    2.6.3 Installation ..... 63
  2.7 OneSpan IDENTIKEY Authentication Server ..... 65
    2.7.1 How It’s Used ..... 65
    2.7.2 Virtual Machine Configuration ..... 65
    2.7.3 Prerequisites ..... 65
    2.7.4 Installation ..... 66
    2.7.5 Configuration ..... 66
    2.7.6 Creating a Domain and Policies ..... 68
    2.7.7 Importing DIGIPASSes ..... 72
    2.7.8 Configuring to Use Radiant Logic as a Back-End Authentication Server ..... 73
    2.7.9 Integration with TDi ConsoleWorks ..... 77
    2.7.10 Installing User Websites ..... 77
    2.7.11 Creating Component Records in IDENTIKEY Authentication Server ..... 78
  2.8 Base Linux OS ..... 80
    2.8.1 Virtual Machine Configuration ..... 80
    2.8.2 Domain Join Configuration ..... 81
  2.9 Microsoft SQL Server Installation on Ubuntu Linux ..... 83
    2.9.1 How It’s Used ..... 83
    2.9.2 Virtual Machine Configuration ..... 83
    2.9.3 Firewall Configuration ..... 84
    2.9.4 Installation and Initial Configuration ..... 84
  2.10 Samba File Server ..... 86
    2.10.1 How It’s Used ..... 86
    2.10.2 Virtual Machine Configuration ..... 86
    2.10.3 Firewall Configuration ..... 87
    2.10.4 Installation and Configuration ..... 87
  2.11 Remediant SecureONE ..... 89
    2.11.1 How It’s Used ..... 89
    2.11.2 Virtual Machine Configuration ..... 89
    2.11.3 Installation and Initial Configuration ..... 90
    2.11.4 Domain Configuration ..... 90
    2.11.5 Managing Systems ..... 91
    2.11.6 Adding New Users ..... 92
    2.11.7 Requesting Privileged Access to Protected System ..... 93
  2.12 RSA Authentication Manager ..... 95
    2.12.1 How It’s Used ..... 95
    2.12.2 Installation and Initial Configuration ..... 95
    2.12.3 LDAP Integration ..... 98
    2.12.4 Token Assignment ..... 99
    2.12.5 Software Token Profiles and Token Distribution ..... 100
  2.13 Splunk ..... 101
    2.13.1 How It’s Used ..... 101
    2.13.2 Installation ..... 101
    2.13.3 Queries ..... 101
    2.13.4 DemoBomgar-AD-Auth-UnauthV1 ..... 101
    2.13.5 DemoRadiant-AD-Event-Details ..... 102
    2.13.6 SSL Forwarding ..... 102
Appendix A List of Acronyms .....
