Backup accounts
Privileged Access Management (PAM) solutions are a combination of hardware, software and organizational measures that protect privileged accounts from unauthorised use.
One of the Indeed PAM protection mechanisms is the isolation of account passwords in the Indeed PAM Core storage: the passwords are stored encrypted and are changed to random or user-specified values on a schedule or on request.
The Indeed PAM Core storage is a critical element. If it is damaged, all managed resources become inaccessible, since neither administrators nor users know the account passwords.
It is highly recommended to assign a backup account for every resource. This account must have local administrator privileges (Windows) or the right to run commands via sudo (Unix/Linux).
This allows access to a resource to be restored if the Indeed PAM Core data storage fails. Therefore, you should assign an employee who is responsible for storing the backup accounts and their passwords.
Access to Indeed PAM
To secure the Indeed PAM components, it is recommended to install the system according to arrangement 2. In this case, the following components are installed on a single server:
- Indeed PAM Core
- Indeed PAM IdP
- Indeed PAM Management Console
- Indeed PAM User Console
- Indeed Log Server
- Indeed Pam EventLog
- Microsoft SQL Server or PostgreSQL
Placing the key Indeed PAM components and the data storage on a single server reduces the risk of their unauthorized use. The following ports must be open for correct operation:

Protocol | Port | Description
---|---|---
Inbound and outbound | |
TCP/UDP | 53 | DNS
TCP/UDP | 389/636 | LDAP/SSL
TCP | 3268/3269 | Microsoft Global Catalog/SSL
TCP/UDP | 88 | Kerberos
TCP/UDP | 464 | Kerberos
Inbound | |
TCP | 80/443 | Indeed PAM Core/SSL, Indeed PAM Management Console/SSL, Indeed PAM User Console/SSL, Indeed PAM IdP/SSL, Indeed Log Server/SSL
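As an added example that is not part of the Indeed PAM documentation, the following PowerShell applies the port table above as Windows Defender Firewall rules on the single server from arrangement 2. The rule group name `IndeedPAM`, the restriction to the Domain profile, and the rule display names are assumptions made here, not product settings.

```powershell
# Added example, not Indeed PAM's own code. Assumes Windows Server with the
# built-in NetSecurity module and an elevated session.
#Requires -RunAsAdministrator
$group = 'IndeedPAM'   # assumed group name, used to find and replace these rules later

# Rules taken from the port table. 'Both' means inbound and outbound.
$rules = @(
    @{ Name = 'DNS';                   Protocols = 'TCP','UDP'; Ports = '53';          Direction = 'Both' }
    @{ Name = 'LDAP/SSL';              Protocols = 'TCP','UDP'; Ports = '389','636';   Direction = 'Both' }
    @{ Name = 'Global Catalog/SSL';    Protocols = 'TCP';       Ports = '3268','3269'; Direction = 'Both' }
    @{ Name = 'Kerberos (88)';         Protocols = 'TCP','UDP'; Ports = '88';          Direction = 'Both' }
    @{ Name = 'Kerberos (464)';        Protocols = 'TCP','UDP'; Ports = '464';         Direction = 'Both' }
    @{ Name = 'Indeed PAM web/SSL';    Protocols = 'TCP';       Ports = '80','443';    Direction = 'Inbound' }
)

# Remove any earlier rules in this group so the script can be re-run safely.
Get-NetFirewallRule -Group $group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

foreach ($r in $rules) {
    $directions = if ($r.Direction -eq 'Both') { 'Inbound','Outbound' } else { @($r.Direction) }
    foreach ($proto in $r.Protocols) {
        foreach ($dir in $directions) {
            $params = @{
                DisplayName = "$group - $($r.Name) ($proto $dir)"
                Group       = $group
                Direction   = $dir
                Protocol    = $proto
                Action      = 'Allow'
                Profile     = 'Domain'   # assumption: the PAM server sits on the domain network only
            }
            # Inbound rules filter on the port the PAM server listens on;
            # outbound rules filter on the remote port of the DNS/LDAP/Kerberos server.
            if ($dir -eq 'Inbound') { $params.LocalPort = $r.Ports } else { $params.RemotePort = $r.Ports }
            New-NetFirewallRule @params | Out-Null
        }
    }
}

# Review what was created.
Get-NetFirewallRule -Group $group | Select-Object DisplayName, Direction, Enabled, Profile
```

Everything not listed in the table stays subject to the firewall's default policy, so an inbound default of Block leaves only the ports the documentation requires reachable.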