Oftentimes, helpdesk operators are given access to accounts with privileges covering a broad range of tasks.
A better approach is to apply delegated permissions for the specific task in hand, and then to remove those privileges once the action has been completed.
STEALTHbits Privileged Activity Manager (SbPAM) allows AD rights to be added to a helpdesk operator account dynamically, at the point they are required, and removed again once the session ends. To do this you will need to create a new Activity.
Step 1) Create a new Activity called ‘Helpdesk Password Reset’ and assign it to the Active Directory Platform:
Step 2) In the Pre-Session area, add a new step:
Step 3) Choose the ‘Add ADUC Permission’ as the Step Type. For AD Object Type, select ‘user’; for AD Organizational Unit, enter the Distinguished Name of the OU you wish to set the permission on; for AD Rights to be Added, select ‘Reset Password’:
Step 4) In the Session area, add a new step called ‘Monitor for User Login’:
Step 5) In the Post-Session area, add a new step called ‘Remove ADUC Permission’, making sure to enter the same information as in Step 3 above:
You should see an activity that resembles the following:
Step 6) Add the new Activity to an Access Policy.
This Activity gives users the right to reset passwords in the given OU dynamically, for the duration of the session only.
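The following PowerShell is an added example and is not part of the original post or of SbPAM itself. It performs the same grant/revoke cycle that the Pre-Session and Post-Session steps carry out (the ‘Reset Password’ extended right, scoped to user objects under one OU) using the RSAT ActiveDirectory module, and adds a check you can run after the Post-Session step to confirm the right really was removed. The operator account and OU distinguished name are hypothetical values; the two GUIDs are the well-known schema identifiers for the Reset Password control access right and the user object class.

```powershell
# Added example, not part of the original post or of SbPAM: grant, verify and
# revoke the "Reset Password" extended right on an OU, scoped to user objects.
# Requires the RSAT ActiveDirectory module and an account permitted to modify
# the OU's security descriptor. $Operator and $OuDn below are hypothetical.
Import-Module ActiveDirectory

# Well-known Active Directory schema GUIDs (not specific to this page)
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # controlAccessRight "Reset Password"
$UserObjectClass    = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the "user" class

# Build the ACE that Step 3 describes: Allow / ExtendedRight / Reset Password,
# inherited only by descendant objects of class "user" under the OU.
function New-ResetPasswordRule {
    param([Parameter(Mandatory)][string]$Operator)
    $sid = (Get-ADUser -Identity $Operator).SID
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ResetPasswordRight,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserObjectClass
    )
}

# Pre-Session step: add the right to the OU's ACL.
function Grant-ResetPasswordOnOu {
    param([string]$Operator, [string]$OuDn)
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.AddAccessRule((New-ResetPasswordRule -Operator $Operator))
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

# Post-Session step: remove the identical ACE so the account returns to baseline.
function Revoke-ResetPasswordOnOu {
    param([string]$Operator, [string]$OuDn)
    $acl = Get-Acl -Path "AD:\$OuDn"
    [void]$acl.RemoveAccessRule((New-ResetPasswordRule -Operator $Operator))
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

# Check: does the OU still carry an Allow "Reset Password" ACE for this operator?
# Run it after the Post-Session step; a lingering ACE means the clean-up failed.
function Test-ResetPasswordOnOu {
    param([string]$Operator, [string]$OuDn)
    $sid   = (Get-ADUser -Identity $Operator).SID
    $found = (Get-Acl -Path "AD:\$OuDn").Access | Where-Object {
        $_.ObjectType -eq $ResetPasswordRight -and
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
    }
    return [bool]$found
}

# Usage with hypothetical values
$Operator = 'helpdesk.operator'
$OuDn     = 'OU=Staff,DC=example,DC=com'

Grant-ResetPasswordOnOu  -Operator $Operator -OuDn $OuDn
Test-ResetPasswordOnOu   -Operator $Operator -OuDn $OuDn
# ... the helpdesk session runs here ...
Revoke-ResetPasswordOnOu -Operator $Operator -OuDn $OuDn
Test-ResetPasswordOnOu   -Operator $Operator -OuDn $OuDn
```

The check should report the right present after the grant and absent after the revoke. The revoke deliberately rebuilds the same rule rather than clearing every Reset Password ACE on the OU, so any delegation that existed before the session is left untouched, which is the behaviour a Post-Session clean-up step should have.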
Martin is Vice President of Product Strategy at STEALTHbits.
Martin is an experienced technologist, with over 30 years in the Privileged Access Management and security space. Prior to STEALTHbits, Martin led the privileged access team at BeyondTrust where he took their password management solution from unknown to a recognized leader in the industry within 3 years. At BeyondTrust he also drove the development of their first SaaS PAM product as well as a new micro service-based platform for DevOps security. Prior to BeyondTrust, Martin held key management positions at Quest/Dell, Novell, Fortefi and Symantec. He is a recognized expert and a regular speaker for security events and webinars.