Automatically randomize passwords for disclosed user accounts
How to create an Automation Policy to randomize managed user accounts after disclosure
The following steps will enable you to randomize a managed user account password after it has been disclosed for 24 hours or more. The 24 hour window is useful in allowing support staff to utilize the disclosed password for a period of time before it is randomized. If a shorter window of disclosure is required this can be be implemented by changing the report XML.
Configure Randomization task
First determine if you will use the default randomization task or require a new task
- Default task is applicable if you are randomizing the local Administrator account, if so this section can be skipped
- All other accounts will require a specific task to be created
If you need to create a randomization task for your specific user follow these steps:
- Navigate to Tasks > Jobs and Tasks > Arellia > Client Tasks > Local Security
- Right click on the Local Security folder and select New > Task
- Select Arellia > Client Tasks > Local Security > Randomize Local User Account as the task type
- Select the User radio button and specify the user account name to be randomized
- Configure any other desired task parameters (including the task name and description) and click OK
Create Automation Policy
- Download the report Current disclosed passwords - Over 1 day.xml
- Search the XML for the string ManagedAdmin and replace it with the name of your provisioned account you wish to randomize
- In the Arellia Security Manager console navigate to Reports > Local Security > Password Disclosure (a different location can be used if desired)
- Right-click on the Password Disclosure folder and select Import
- Import the downloaded Current disclosed passwords - Over 1 day.xml file
- Navigate to Policies > Automation Policies
- Click on "New Policy" and give the automation policy a name, such as "Randomize passwords disclosed in past 24 hours"
- Schedule the policy to run once every hour
- Select Report as the Data Source for the policy
- Click the pencil icon to select "Current disclosed passwords - Over 1 day" as the report to use
- Set the Evaluation Rule to Run for non-empty data
- Select the required randomization task
- If randomizing local administrator account use the Arellia > Client Tasks > Local Security > Randomize Local Administrator User Account Password task
- Otherwise if using a different account use the randomization task created in the previous section
- Click Edit input parameters and for the Selected Devices parameter specify that _ComputerGuid list should be used
- Under Completion Requirements set the Fail and Move on value to 30 minutes
You have now successfully created the required Automation Policy. If desired you can click the Test Automation Policy button which will force the policy to evaluate and start the randomization task.
You can view the Task Status under the Tasks tab in the console to see how many computers are running the randomization and their current status: