Central Account Management and Logging
All Windows computers have a set of local users and groups. The built-in “Administrator” account has full control of the computer; its password is set during installation of the Windows operating system and is often never changed. In many organizations the local Administrator password is the same on every computer and is rarely changed, so a single compromised machine yields a credential (or password hash) that works on all of them. If these passwords are not regularly changed, secured and maintained they present a high risk to the organization, yet managing them by hand across many computers takes significant resources and effort.
Free Trial – download CAML now!
[2 Mar 2015] – We are excited to announce a free CAML v2 trial: use CAML on up to 3 computers, without a time limit.
Inobits’ CAML system is an on-premises solution that maintains and protects the security of these accounts by regularly setting selected local accounts’ passwords (such as the ever-present local Administrator account) to a new random password that is unique to each computer. CAML also lets IT manage the membership of each computer’s local “Administrators” group from the central CAML web application.
CAML lets IT define Computer Sets – selected by a combination of operating system, IP address or computer name criteria – so that different policies can be applied to different sets of computers.
The central CAML web application lets IT staff find a specific computer, browse the list of controlled accounts on it, and request access to an account’s password. If the CAML policy for that computer requires approval, the Computer Set owner must approve the request; once approved, the requesting user can see the password. 24 hours after a password has been disclosed, a new random password is generated and set, so the IT staff member does not keep the use of that account indefinitely.
CAML also logs all logon activity on every computer where the CAML Agent runs, so reports can show where a given user logged on or accessed network resources. For example, CAML can report that AD domain account “JohnSmith” logged on to ComputerX at 9:20am and later logged on to ComputerX as the local “Administrator” account at 10:15am – and that only “JohnSmith” had the password of that Administrator account during that 24-hour period.
• Protection of sensitive accounts. All Windows computers have built-in accounts with far-reaching rights, such as the local Administrator account. CAML protects these accounts by setting their passwords to unique, secret values that are disclosed to authorized IT staff only on request. All logon activity on managed computers is audited.
• Centralized management. CAML manages all participating computers from a central web application: the CAML Agent regularly reports to, and downloads instructions from, the central CAML server. Authorized CAML users can thus manage sensitive local accounts’ passwords and local Administrators group membership from one place.
• Automated password management. CAML sets each managed account’s password to a new, random, unique value at a specified interval, which keeps these accounts in line with password policies.
• Enterprise-class scalability. CAML can manage tens of thousands of accounts and computers. It is also bandwidth-friendly, using only around 100KB of traffic per day between each CAML Agent and the CAML Web Application.
• Regulatory compliance. CAML controls and audits the use of managed accounts to support compliance with Sarbanes-Oxley, HIPAA, PCI, GLBA and others. CAML can report who knew the password of a specified account during any given period, and where and when that account was actually used to log on to a computer.
• Manage accounts on any Windows computer from a central location
CAML Agents announce all local accounts on a computer to the CAML server, where custom-defined policies determine whether or not to “manage” each account. A typical policy targets the local Administrator account, but other policies can target other accounts – e.g. accounts whose names start with “SalesManager”.
• Automatically set unique passwords on local Administrator accounts
CAML can be configured to set a new random, unique password for each managed account every X days.
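The two points above (policy selects accounts by name pattern; each selected account gets its own random password on a schedule) are the core of what an agent has to do on each computer. The following is an added example written for this page, not Inobits’ CAML code: a minimal policy-driven rotation for the local computer. The policy patterns, the 30-day interval and the output fields are assumptions for illustration. It uses ADSI (WinNT://), which works from Windows XP / Server 2003 onward, so it does not depend on the Windows 10-only *-LocalUser cmdlets.

```powershell
# Added example (not Inobits' CAML code). Run from an elevated prompt on the managed computer.

# Assumed policy: wildcard patterns on the account name. A real agent would fetch this from
# the central server for the Computer Set this machine belongs to.
$ManagedAccountPatterns = @('Administrator', 'SalesManager*')
$RotateEveryDays = 30

function New-RandomPassword {
    param([int]$Length = 24)
    # Draw bytes from the OS CSPRNG and map them onto a fixed alphabet. Bytes at or above
    # $limit are rejected so that "byte % alphabet length" has no modulo bias.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%&*+-=?@'
    $limit = 256 - (256 % $alphabet.Length)
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buf = New-Object byte[] 1
    $sb  = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    return $sb.ToString()
}

function Get-ManagedLocalAccounts {
    # Enumerate local user accounts through ADSI and keep the ones a policy pattern matches.
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
    foreach ($child in $computer.Children) {
        if ($child.SchemaClassName -ne 'user') { continue }
        $name = "$($child.Name)"
        foreach ($pattern in $ManagedAccountPatterns) {
            if ($name -like $pattern) { $child; break }
        }
    }
}

function Set-ManagedAccountPassword {
    param([System.DirectoryServices.DirectoryEntry]$Account)
    $newPassword = New-RandomPassword
    # Order matters in a real agent: record (encrypt and report) the new secret BEFORE
    # applying it, otherwise a crash between the two steps leaves an account nobody can use.
    $Account.SetPassword($newPassword)     # IADsUser::SetPassword, applied immediately
    $Account.SetInfo()
    $now = (Get-Date).ToUniversalTime()
    New-Object PSObject -Property @{
        Computer  = $env:COMPUTERNAME
        Account   = "$($Account.Name)"
        Password  = $newPassword           # hand to the encryption step; never log it in clear
        RotatedAt = $now
        NextDue   = $now.AddDays($RotateEveryDays)
    }
}

# Rotate every managed account and show what was done, without the passwords themselves.
$rotated = @(Get-ManagedLocalAccounts | ForEach-Object { Set-ManagedAccountPassword -Account $_ })
$rotated | Select-Object Computer, Account, RotatedAt, NextDue | Format-Table -AutoSize
```

One caveat when writing a policy like the one above: the built-in Administrator account is identified by its RID (500) and can be renamed, so a policy keyed only on the name “Administrator” misses a renamed account; a production agent should match on the account SID’s RID as well as on name patterns.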
• Passwords and communications are encrypted with keys unique to each computer
All passwords are encrypted using a combination of AES-256 and DPAPI. Each computer has its own unique set of encryption keys, and passwords are never stored unencrypted at any stage.
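The page names the building blocks (AES-256, DPAPI, a key per computer) but not how they are combined, and it does not describe how the server and agent share keys. The following is an added example, not CAML’s implementation: it shows the agent-side half only, a per-computer key wrapped with DPAPI and a password blob encrypted under it. The key-file location, the 64-byte key layout (32 bytes for AES-256, 32 bytes for HMAC) and the blob format IV || ciphertext || HMAC-SHA256 tag are assumptions for illustration. It targets .NET 3.5, which has no AES-GCM, hence AES-CBC with an encrypt-then-MAC tag.

```powershell
# Added example (not CAML's implementation). Run elevated on the managed computer.

Add-Type -AssemblyName System.Security     # System.Security.Cryptography.ProtectedData

$KeyFile = Join-Path $env:ProgramData 'CamlExample\computer.key'          # assumed path
$Entropy = [System.Text.Encoding]::UTF8.GetBytes('caml-example-key-v1')   # DPAPI optional entropy

function New-ComputerKeys {
    # 64 random bytes from the OS CSPRNG, unique to this computer, wrapped with DPAPI in
    # LocalMachine scope: only code running on this machine can unwrap them.
    $raw = New-Object byte[] 64
    (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($raw)
    $wrapped = [System.Security.Cryptography.ProtectedData]::Protect(
        $raw, $Entropy, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
    New-Item -ItemType Directory -Force -Path (Split-Path $KeyFile) | Out-Null
    [System.IO.File]::WriteAllBytes($KeyFile, $wrapped)
    [Array]::Clear($raw, 0, $raw.Length)
}

function Get-ComputerKeys {
    $raw = [System.Security.Cryptography.ProtectedData]::Unprotect(
        [System.IO.File]::ReadAllBytes($KeyFile), $Entropy,
        [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
    @{ Enc = [byte[]]($raw[0..31]); Mac = [byte[]]($raw[32..63]) }
}

function New-Aes256 {
    $aes = New-Object System.Security.Cryptography.AesCryptoServiceProvider
    $aes.KeySize = 256
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes
}

function Protect-Password {
    param([string]$PlainText)
    $keys = Get-ComputerKeys
    $aes = New-Aes256
    $aes.Key = $keys.Enc
    $aes.GenerateIV()                       # fresh IV per password; never reuse one under a key
    $pt = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
    $ct = $aes.CreateEncryptor().TransformFinalBlock($pt, 0, $pt.Length)
    [Array]::Clear($pt, 0, $pt.Length)
    $body = [byte[]]($aes.IV + $ct)
    $hmac = New-Object System.Security.Cryptography.HMACSHA256 -ArgumentList @(,$keys.Mac)
    $tag  = $hmac.ComputeHash($body)
    [Convert]::ToBase64String([byte[]]($body + $tag))
}

function Unprotect-Password {
    param([string]$Blob)
    $keys = Get-ComputerKeys
    $all = [Convert]::FromBase64String($Blob)
    if ($all.Length -lt 64) { throw 'blob too short' }    # 16 IV + 16 min ciphertext + 32 tag
    $body = [byte[]]($all[0..($all.Length - 33)])
    $tag  = [byte[]]($all[($all.Length - 32)..($all.Length - 1)])
    $hmac = New-Object System.Security.Cryptography.HMACSHA256 -ArgumentList @(,$keys.Mac)
    $expected = $hmac.ComputeHash($body)
    # Constant-time comparison: reject tampering, or a blob from another computer, before decrypting.
    $diff = 0
    for ($i = 0; $i -lt 32; $i++) { $diff = $diff -bor ($tag[$i] -bxor $expected[$i]) }
    if ($diff -ne 0) { throw 'MAC check failed: blob altered or not encrypted by this computer' }
    $aes = New-Aes256
    $aes.Key = $keys.Enc
    $aes.IV  = [byte[]]($body[0..15])
    $ct = [byte[]]($body[16..($body.Length - 1)])
    $pt = $aes.CreateDecryptor().TransformFinalBlock($ct, 0, $ct.Length)
    [System.Text.Encoding]::UTF8.GetString($pt)
}

# Usage: create the computer's keys once, then protect a (made-up) password and unprotect it again.
if (-not (Test-Path $KeyFile)) { New-ComputerKeys }
$blob = Protect-Password 'example-only-password'
Unprotect-Password $blob      # works only on the computer whose DPAPI master key wrapped the key file
```

Two properties of this construction are worth keeping in mind when reading the “unique keys per computer” claim. DPAPI in LocalMachine scope binds the key file to the machine, not to a user: any administrator or SYSTEM process on that computer can unwrap it, so an attacker who holds the central database still needs each computer’s key file, and an attacker who owns one computer can decrypt only that computer’s blobs. And “never stored unencrypted” is an at-rest property; the plaintext necessarily exists in the agent’s memory at the moment the password is applied to the account.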
• Allow IT staff to request disclosure of a chosen computer’s local Administrator account’s password
IT staff (authorized CAML users) can request disclosure of a specified account’s password. The user searches for a computer, browses the list of managed accounts on it, and requests disclosure of the current password. If the computer belongs to a Computer Set (a group of computers selected by OS, IP or computer name pattern) that requires approval, the Computer Set Owner is notified that a request awaits their approval. Once the request is approved the user can see the current password, and an instruction is sent to the computer to change it to a new, unknown password 24 hours later.
• Manage membership to the Local Administrators Group per computer
CAML users can search for a computer, see the list of local users on it and which of them are currently in its local Administrators group, and then add or remove any existing account. Change instructions are downloaded by the CAML Agent on the computer every hour, so changes take effect within an hour.
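What the agent does when such a membership instruction arrives, as an added example written for this page (not CAML code): reading and changing the local Administrators group through ADSI, which is the only option on Windows XP / Server 2003 era hosts where the *-LocalGroupMember cmdlets do not exist. The account paths below are illustrative. Note that the WinNT provider reports local members as WinNT://<domain or workgroup>/<computer>/<name> and domain members as WinNT://<domain>/<name>; the paths passed in must use the same form for the idempotence check to work.

```powershell
# Added example (not CAML code). Run elevated on the managed computer.

function Get-LocalAdministrators {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    # IADsGroup::Members returns COM objects; read Name and ADsPath through late binding.
    foreach ($m in $group.Invoke('Members')) {
        New-Object PSObject -Property @{
            Name    = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
            ADsPath = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        }
    }
}

function Set-LocalAdministratorsMembership {
    # $Add / $Remove take WinNT paths such as WinNT://CORP/Helpdesk. Membership is compared
    # case-insensitively first, so the same instruction can be re-applied safely every hour.
    param([string[]]$Add = @(), [string[]]$Remove = @())
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $current = @(Get-LocalAdministrators | ForEach-Object { $_.ADsPath })
    foreach ($path in $Add) {
        if ($current -notcontains $path) { $group.Add($path) }
    }
    foreach ($path in $Remove) {
        # Never remove the built-in Administrator: the managed password held for it is the
        # recovery path. Matched by name here; a real agent should check for RID 500 instead.
        if ($path -like "*/$env:COMPUTERNAME/Administrator") { continue }
        if ($current -contains $path) { $group.Remove($path) }
    }
}

# An instruction as the agent would apply it (group and user names assumed):
Set-LocalAdministratorsMembership -Add 'WinNT://CORP/Helpdesk' -Remove 'WinNT://CORP/JohnSmith'
Get-LocalAdministrators | Select-Object Name, ADsPath
```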
• Audit disclosure of passwords
Whenever a current password is disclosed to someone, CAML audits the event. CAML therefore knows who has knowledge of each password and can report who had access to which account’s password during a specified period.
• Audit any logon (Domain or Local accounts) to the computer
CAML Agents report all logon events (interactive, network, etc.) of all accounts, domain and local, to the CAML Web Application, so CAML can report which users logged on where and when. Overlaid on the record of who had access to which passwords, this yields the kind of report given in the “JohnSmith” example above: a domain logon followed by a local Administrator logon on the same computer, attributed to the one person who knew that password at the time.
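The overlay of disclosure audit records on logon events, as an added example written for this page rather than CAML code, run over constructed sample records. The record fields and the 24-hour disclosure window are assumptions modelled on the text; the data is made up for the example. The last sample logon is deliberately placed after the disclosure window has expired, which is exactly the case this kind of report exists to surface: a managed local account in use when, according to the audit trail, nobody should know its password.

```powershell
# Added example (not CAML code): attribute local-account logons to password disclosures.

$WindowHours = 24

# Constructed disclosure audit: who was shown which managed account's password, and when.
$disclosures = @(
    (New-Object PSObject -Property @{ Requester = 'JohnSmith'; Computer = 'ComputerX'; Account = 'Administrator'; DisclosedAt = [datetime]'2015-03-02 09:30' }),
    (New-Object PSObject -Property @{ Requester = 'JaneDoe';   Computer = 'ComputerY'; Account = 'Administrator'; DisclosedAt = [datetime]'2015-03-02 08:00' })
)

# Constructed logon events as an agent would report them. Account is DOMAIN\name or
# COMPUTER\name; LogonType follows Windows (2 interactive, 3 network, 10 remote interactive).
$logons = @(
    (New-Object PSObject -Property @{ Computer = 'ComputerX'; Account = 'CORP\JohnSmith';          LogonType = 2;  Time = [datetime]'2015-03-02 09:20' }),
    (New-Object PSObject -Property @{ Computer = 'ComputerX'; Account = 'ComputerX\Administrator'; LogonType = 2;  Time = [datetime]'2015-03-02 10:15' }),
    (New-Object PSObject -Property @{ Computer = 'ComputerY'; Account = 'ComputerY\Administrator'; LogonType = 10; Time = [datetime]'2015-03-02 12:00' }),
    (New-Object PSObject -Property @{ Computer = 'ComputerX'; Account = 'ComputerX\Administrator'; LogonType = 3;  Time = [datetime]'2015-03-03 11:00' })   # after the window
)

function Get-LogonAttributionReport {
    param($Logons, $Disclosures, [int]$WindowHours = 24)
    foreach ($e in ($Logons | Sort-Object Time)) {
        $domain, $acct = $e.Account -split '\\', 2
        # Only local-account logons are attributable through disclosures: their "domain" part
        # is the computer name. Domain-account logons are listed as themselves.
        $isLocal = ($domain -eq $e.Computer)
        $knew = @()
        if ($isLocal) {
            $knew = @($Disclosures |
                Where-Object { $_.Computer -eq $e.Computer -and $_.Account -eq $acct -and
                               $e.Time -ge $_.DisclosedAt -and
                               $e.Time -lt $_.DisclosedAt.AddHours($WindowHours) } |
                ForEach-Object { $_.Requester })
        }
        New-Object PSObject -Property @{
            Time      = $e.Time
            Computer  = $e.Computer
            Account   = $e.Account
            LogonType = $e.LogonType
            KnownTo   = $(if (-not $isLocal) { '(not a managed local account)' }
                          elseif ($knew.Count -gt 0) { $knew -join ', ' }
                          else { 'NOBODY - investigate' })
        }
    }
}

Get-LogonAttributionReport $logons $disclosures -WindowHours $WindowHours |
    Select-Object Time, Computer, Account, LogonType, KnownTo | Format-Table -AutoSize
```

In a real agent the $logons records would come from the Security event log (event ID 4624 on Windows Vista and later, 528/540 on Windows XP and Server 2003), which is also where the LogonType values above originate.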
• Central reporting
CAML provides the following reports, viewable on a web page, and exportable to Excel:
- List of Managed Computers, including time of last communication
- List of Managed Computers which did not communicate with CAML Server within last X days
- List of Disclosure Requests for accounts on Specified Computer
- List of Disclosure Requests by Specified User, including status and any approval information if present
- List of Logon Events on Specified Computer
- List of Logon Events by Specified User, including managed accounts that user had disclosed password access to
• Target Windows XP or later
CAML works on any version of Windows from Windows XP to Windows 8.1, and from Windows Server 2003 R2 to Windows Server 2012 R2. The CAML Agent requires the .NET Framework 3.5 SP1 to be installed on the computer.
CAML differs from similar products in the following ways:
• CAML is agent-based – the CAML Agent software must be installed on each computer. The Agent runs as a background service and communicates with the CAML Server every hour when it can. Computers can be members of an Active Directory domain or standalone (workgroup) machines. Any Microsoft Windows computer running Windows XP or later with .NET Framework 3.5 or later is supported, both servers and desktops.
• Works even if network connectivity is lost. CAML assigns a new, random, unique password to each managed account and keeps that secret centrally. If the computer later loses network connectivity and IT needs the local Administrator password to fix the problem, CAML does not have to reach the computer to “set” a new, known password: it can simply disclose the password currently in effect for the account. Once connectivity is restored, CAML issues a new secret password for that account – again unknown to anyone – which is applied 24 hours after the existing password was disclosed to the IT staff member.
• CAML does not require Active Directory. Because CAML is agent-based it does not depend on Active Directory Group Policy, so computers outside Active Directory can also be managed.
• Encryption keys are unique for each computer. CAML generates a new, unique encryption key for each computer, which is used to encrypt the password instructions sent to it. If one computer is somehow compromised, only that computer is affected and not all other computers running the CAML software; and if the central database is somehow compromised, each computer’s passwords are encrypted under a different key.