Managing passwords for services

You can use the Privileged Access Service to store and retrieve passwords for accounts that are used to access services and in scripts. For example, it is common for organizations to run automated scripts to monitor the operation of computers and devices on the network or to perform administrative tasks without human intervention. In many cases, these scripts require service accounts with permission to perform privileged operations, such as automatically archiving or removing data from a database. If you have scripts or services that require access to password-protected systems, you might run the risk of having plain text passwords visible.

There are two main password management issues when passwords are required to perform automated or administrative tasks in services or scripts without user interaction:

  • Passwords that are hard-coded into scripts are vulnerable because any user who can open the script can see the password displayed as plain text.
  • Passwords that are changed periodically to adhere to an organization’s security policies require all scripts to be updated periodically to set the new password.

With Privileged Access Service, you can address both of these issues by doing the following:

  • Download the Centrify Client package.
  • Identify the computer’s service account passwords that need to be stored securely.
  • Identify which client computers are allowed to access the stored server account passwords.
  • Enroll the server and client computers as systems in the Privileged Access Service.
  • Grant the Agent Auth permission to the local and service user accounts that are allowed to access the stored and managed account passwords.
  • Modify or create scripts on client computers to replace plain text passwords with calls to the cgetaccount command included in the client package.
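
The last step above, shown as an added example that is not taken from the Centrify documentation: the script fetches the password at run time instead of embedding it, and refuses to run if retrieval fails. The account name `db01/svc_archive`, the helper names, and calling `cgetaccount` with the account name as its only argument are assumptions; check the command's own help for the syntax your client version expects.

```shell
#!/bin/sh
# Added example. Before, the pattern the page warns about:
#   DB_PASS='constructed-value'   # visible to anyone who can open the script
# After: nothing secret is stored in the script text.

# Path to the client command; overridable so the script can be tested with a stub.
CGETACCOUNT="${CGETACCOUNT:-cgetaccount}"

# get_service_password ACCOUNT
# Prints the stored password for ACCOUNT on stdout.
# Assumed invocation: account name as the sole argument.
# Fails closed: a non-zero exit or empty output is an error, so the caller
# never continues with a blank password.
get_service_password() {
    _gsp_pw=$("$CGETACCOUNT" "$1" 2>/dev/null) || return 1
    [ -n "$_gsp_pw" ] || return 1
    printf '%s\n' "$_gsp_pw"
    unset _gsp_pw
}

# run_job ACCOUNT COMMAND [ARGS...]
# Retrieves the password and feeds it to COMMAND on stdin, so it does not
# appear in a process argument list or in a file on disk.
run_job() {
    _rj_account=$1
    shift
    _rj_pw=$(get_service_password "$_rj_account") || {
        echo "run_job: could not retrieve password for $_rj_account" >&2
        return 1
    }
    _rj_rc=0
    printf '%s\n' "$_rj_pw" | "$@" || _rj_rc=$?
    unset _rj_pw
    return "$_rj_rc"
}

# Usage (hypothetical job that reads the password from stdin):
#   run_job db01/svc_archive /usr/local/bin/archive-db --password-stdin
```

Because the password is fetched on every run, a rotated password is picked up without editing the script.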

For more information about managing passwords used to access services and in scripts, see the following topics: