
Explore privileged access management (PAM), aka privileged account and session management (PASM), and learn the need-to-know principle to enforce least privilege across accounts, apps, and systems.
Explore privileged account management concepts, including privileged access, credential and session management, monitoring, PAM solutions, lab-based implementation, least-privilege principles, and application whitelisting.
Identify and classify privileged accounts across Windows, Linux, and cloud environments; implement PAM solutions to control local administrator accounts, domain administrator accounts, root accounts, service accounts, and application administrator accounts.
Explore how to securely manage privileged credentials using password managers like LastPass, emphasizing encryption, a master password, and multi-factor authentication to securely store and share access.
Learn how to use a password manager with LastPass, including installation, master password, cloud versus local storage, and browser extension setup for secure, centralized password storage.
Learn to secure a LastPass password manager with multi-factor authentication by setting up Google Authenticator, scanning the barcode, and using one-time codes for login.
Create a password entry in LastPass, assign a URL, username, and notes, and organize it into folders. Enable multi-factor authentication with Google Authenticator and use auto-login for websites.
Explore how to add and autofill items beyond passwords in LastPass, including secure notes, addresses, payment cards, and bank accounts, with encrypted, convenient form filling.
Learn to share passwords and notes in LastPass, enable emergency access, and use the security dashboard, password generator, and dark web monitoring to strengthen account security.
Explore how privileged session management ensures destination integrity, tracks changes, and encrypts traffic, while monitoring, logging, and alerts safeguard privileged accounts and enable session recording for audit and compliance.
Deploy privileged access management solutions to control privileged credentials, enforce multi-factor authentication, secure administrator sessions with encryption and recording, and audit and report privileged usage through comprehensive logging and monitoring.
Design and build a Microsoft Azure lab to test PAM, creating a domain controller, Windows Server, Ubuntu Server, and a PAM solution for credential and session management.
Build a PAM lab on Azure by provisioning a resource group, NAT gateway, and virtual network to host one Windows workstation, two Windows servers, and one Linux server for testing.
Deploy a PAM lab on Azure by provisioning a virtual network, then create virtual machines (a Windows 10 workstation, two Windows Server 2019 servers, and a Linux server) within the PAM network.
Build and connect an Azure lab of VMs, including a Windows 10 workstation and a Windows Server 2019 domain controller, configure private IPs, and prepare for Active Directory deployment.
Note that the domain controller installation may require more resources (vCPUs and memory). If you run into problems, resize the installed server to a larger size with more CPU and memory capacity.
Join Windows 10 and Windows Server 2019 to the domain by configuring the domain controller as the DNS server and applying domain membership. Demonstrate domain login via Active Directory in the Azure lab.
Allocate at least two virtual CPUs and four gigabytes of memory to the PAM server and the domain controller, then restart the machines before installing the PAM solution on the Windows server.
Install and configure the Thycotic privileged access management solution on Windows Server 2019, using the free Secret Server edition for lab testing, and verify prerequisites and network connections.
Install and replace the self-signed certificate for the Thycotic Secret Server web interface on Windows Server 2019 in the cloud lab. Bind the new certificate in IIS to ensure trusted access.
Demonstrate the initial configuration of Thycotic Privileged Access Management, onboarding a Windows AD user, creating secrets and launchers, and connecting to remote machines via the PuTTY and RDP launchers.
Learn to onboard Linux and Unix credentials to Thycotic Secret Server, then connect to an Ubuntu lab server using a username and password with the PuTTY launcher.
Onboard web credentials to Thycotic Secret Server by creating a web credential for mail.com, and use the Firefox browser extension to auto-fill login details for seamless access.
Learn how secret templates define credentials in privileged access management, with templates for Active Directory, Amazon, and Cisco, enabling you to modify and tailor mandatory fields and attributes.
Explore how secret template lists in PAM customize credential data, enable location-based categorization, and link templates to specific environments like Sydney and London data centers.
Explore how to create and apply secret policies in Thycotic Secret Server. Learn to organize credentials into root folders, assign policies, and enforce Windows and other platform permissions.
Learn how remote password changing automates privileged account password updates via interval and check-in/out triggers, using a dedicated account to perform changes and enforce heartbeat synchronization.
Enable session recording as a global feature in your privileged access management solution to capture, store, and play back videos of user interactions for audit.
Learn to onboard Linux credentials and enable SSH key connectivity with Thycotic Secret Server. Generate a public/private key pair, copy the public key to authorized_keys, and enable passwordless login.
Rotate Linux SSH keys by using Thycotic Secret Server to auto-rotate public and private keys, updating authorized_keys on the Linux server every 30 days.
Learn how to use Thycotic Secret Server to proxy SSH access and grant sudo privileges without revealing passwords. Discover policy-based proxy setup, IP whitelisting, and privileged access control.
Set up users and groups in Thycotic Secret Server, assign the Windows admins group, and apply folder permissions to give group-based access to credentials, then verify by logging in.
Explore role-based access control and team provisioning in Thycotic Secret Server, creating admin roles, assigning them to users and groups, and organizing users into teams.
Configure an approval workflow in Secret Server to require approval for credential access, set up SMTP email notifications, and grant time-bound access to credentials once the approver approves.
Explore advanced approval workflows in PAM, defining multi-step, multi-approver access requests and applying them to policies and Windows credentials for secure, scalable privileged access.
Explore discovery capabilities in privileged access management to identify unknown assets and credentials, integrate with Active Directory and cloud platforms, and onboard them via automated rules and onboarding workflows.
Discover and onboard AWS credentials to Secret Server using the discovery capability. Set up an AWS discovery source, run scans, and manage privileged AWS accounts for secure cloud access.
Define discovery rules to automate onboarding of AWS and Active Directory accounts into the PAM solution, using 24-hour scans, admin keyword criteria, and automatic password generation.
Enforce SSH command filtering using Thycotic Secret Server by creating a Linux blocked-commands blacklist, applying it to the Linux policy, and validating that commands are blocked during a session.
Integrate Thycotic Secret Server with SAML identity providers for seamless authentication, while enabling ServiceNow or BMC ticketing integration for approved privileged access and HSM-based key protection.
Explore the reporting and hardening features of Thycotic Secret Server, generating predefined activity and access reports, auditing user actions, and applying security hardening checks to improve PAM risk posture.
Apply application whitelisting to run only authorized software, protecting systems from malicious code. Use software restriction policies, AppLocker, and Windows Defender Application Guard to tighten control on workstations.
Apply software restriction policies and application whitelisting in Windows via domain group policy to manage what runs on domain machines, then test by blocking Notepad.
Configure Microsoft Windows AppLocker via group policy to create executable, Windows Installer, script, and packaged app rules for allowed or blocked software, with enforcement or audit options.
Compare Windows Defender Application Control (WDAC) and AppLocker as the modern and legacy restriction mechanisms, and configure Endpoint Manager policies on Windows 10 and later to enforce Windows components and Store apps, with scoping.
Install and configure Delinea Secret Server on a Windows server, add the web server role, use SQL Server Express for the database, and note prerequisite issues such as no internet access.
Install Secret Server and Privilege Manager by configuring prerequisites such as IIS and SQL Server Express, resolving .NET 4.0 and WCF activation, then complete the installation.
Install Privilege Manager on the existing Secret Server, connect to the localhost SQL Server Express instance, verify the Thycotic PM database configuration, use admin credentials, skip email setup, and complete the installation.
Connect to Delinea Secret Server and Privilege Manager using the domain controller address, then log in and create secrets such as Active Directory accounts to secure resources.
Explore Delinea Privilege Manager for endpoint privilege management and application control, enabling elevated access, discovering privileged accounts, removing local admin rights, and enforcing password rotation and auditing on endpoints.
Install the Delinea Privilege Manager agent on a Windows workstation, connect to the server with the base URL and install code, then restart to manage privileged endpoint access.
Block an application across Windows endpoints using Privilege Manager by creating a blocking policy for Notepad, uploading the executable, enabling the policy, and applying it to the Windows group.
Learn how Delinea Privilege Manager enables developers to install Visual Studio without admin rights by applying workstation policies that grant only approved software and secure endpoint access.
Create workstation policies in Privilege Manager to block malware-prone applications for standard users and allow any Microsoft-signed apps, reducing endpoint risk and preserving system operation.
Explore how Delinea Privilege Manager creates application policies to run specific programs with elevated access, using filters, executables, and justification or approval workflows.
Configure client system settings in Delinea Privilege Manager to empower users to perform essential tasks, such as installing devices and printers, running backups, and making limited network changes, without full admin access.
Manage local users and groups from Delinea Privilege Manager, create admin accounts, rotate passwords regularly, and manage group memberships to improve visibility and security across workstations.
Explore reporting and admin functions in the Delinea platform, including file inventory, policy events, application user activity reports, and role-based admin controls for Windows, Mac, and Linux.
Explore clustering and high availability for Delinea Secret Server in privileged access management, showing a two-server setup with a load balancer, the prerequisites, and the use of a shared SQL server for redundancy.
Enable clustering on the secondary Secret Server node, copy files from the primary node, and configure IIS with an application pool and virtual directory to support a redundant setup.
Set up two Secret Server nodes connected to the same database, enabling high availability with shared configuration; ensure a clustering license is in place and upgrade both servers for consistency.
Learn the topology of a redundant PAM environment with Delinea Secret Server, DR sites, three cluster servers, and a load balancer ensuring continuous admin access.
Learn how to install a free trusted certificate for your Secret Server, bind it to the default site, and access PAM via a domain name to avoid certificate warnings.
Configure the distributed engine on Delinea Secret Server to connect remote sites via the site connector and remote agents, validating the setup and adding sites and engines.
Learn how the distributed engine and site connectors enable multi-site privileged access management by connecting remote engines to Secret Server, enabling discovery scans and centralized administration.
Explore how the distributed engine in privileged access management securely connects remote and local sites by installing the site connector, activating engines, and assigning secrets to the closest resource path.
Learn how to implement DNS round-robin load balancing for a multi-node privileged access management setup by assigning multiple IPs to the same DNS name, suitable for test environments, with reliability caveats.
Create a Unix secret for the Linux server and test username and password connectivity. Place the secret in the Linux secret folder to support discovery rules.
Enable remote graphical access to a Linux server using RDP by installing xrdp, starting and enabling the service, and opening the firewall, then verify the xrdp configuration.
Connect to a Linux server in graphical mode via RDP using Secret Server after enabling xrdp, by duplicating the SSH template to an RDP/SSH template and launching a remote desktop to 172.16.0.150.
Explore how to create and map custom launchers in Privileged Access Management to automate connections via WinSCP to SFTP servers, using predefined launchers and secret templates.
Explore how to use custom launchers in privileged access management with SecureCRT on Windows to connect to Linux servers, replacing PuTTY, by configuring command-line options, the executable path, and secret templates.
Set up discovery scans to identify Linux and Unix environments using Secret Server. Enable discovery, configure sources and credentials, and scan host ranges to onboard privileged accounts.
Configure a VMware ESX/ESXi discovery on Delinea Secret Server to identify and onboard ESX credentials, using an IP range and an ESX secret.
Demonstrate workflow approvals in a privileged access management system using Delinea Secret Server, enabling standard users to request and admins to approve SSH account access.
Learn to configure multi-tier workflow approvals in privileged access management using Delinea Secret Server, setting timeouts and thresholds to escalate to admins when first-level approvers don't respond.
Learn to act on discovery findings by cleaning up unused privileged accounts and onboarding the remaining accounts to Secret Server, including importing Linux SSH credentials and enabling password rotation.
Learn how secret search filters on Delinea Secret Server enable pattern-based discovery by identifying admin-related secrets in a chosen folder and authenticating against Linux hosts.
Integrate Active Directory with Delinea Secret Server to centralize privileged access management by syncing groups and users, creating an Active Directory secret, and enabling directory service synchronization.
Learn how to integrate Active Directory with a privileged access management platform to onboard AD users and groups, enforce security controls, and manage AD-based passwords and permissions.
Enable multi-factor authentication for user two on Delinea Secret Server using TOTP with authenticator apps such as Google Authenticator or Duo, then verify the code at sign-in.
Enable remote password changing on Delinea Secret Server to automatically rotate secrets using a privileged account, with heartbeat monitoring and randomly generated passwords at expiry.
Learn how dependencies in Secret Server coordinate password rotations across scheduled tasks, application pools, and services on Windows and Linux, updating accounts to minimize downtime.
Discover Active Directory and Windows service accounts by creating a discovery source, running a discovery scan, and onboarding accounts to Delinea Secret Server with optional password generation.
Discover how to install the protocol handler and connection manager for Delinea Secret Server, enabling automated login via RDP or SSH with browser add-ons across Windows, Mac, and Linux.
Explore how the Delinea Secret Server mobile app on iOS or Android provides access to defined secrets, with local or domain logins and autofill, plus browser integration.
Enable quantum lock to double-encrypt selected secrets on Delinea Secret Server, requiring a quantum lock password and controlled access for multiple users.
Learn how quantum lock uses double encryption to protect secrets in privileged access management, how password resets work, and why sharing access enables recovery.
Enable syslog integration from Delinea Secret Server to a SIEM solution to forward logs, and configure the IP address, port, protocol, time zone, and log format for centralized security monitoring.
Set up event pipelines on Delinea Secret Server to automate actions, such as enabling two-factor authentication for admin accounts, via policies that link pipelines to groups.
Demonstrate how unlimited admin enables emergency access to secrets on Delinea Secret Server, and why separation of duties and defined roles are essential for safe break-the-glass procedures.
Learn to configure backups for Delinea Secret Server, store them on a network share, enable a schedule, and prepare to restore the database and web files in a disaster.
Learn how to restore Delinea Secret Server from backups by restoring the web application files and the database using the configuration settings and SQL Server Management Studio.
Enable session recording on Delinea Secret Server, use on-demand processing, a 30-minute inactivity timeout, a six-hour maximum length, and 90-day retention; save videos to disk and monitor via session monitoring.
Privileged behavior analytics uses machine learning in Delinea Secret Server to monitor how secrets are used and identify risky activities. It flags potential compromises through alerts and dashboards.
Explore Secret Server reporting in PAM to run predefined and custom reports, track user activity, and understand access to secrets and folders.
Enable the Secret Server Session Connector to deliver a native remote desktop experience via Remote Desktop Services, after installing the protocol handler and configuring the advanced settings.
Explore how the proxy capability of Delinea Secret Server sits between users and destination servers, terminating the user's connection on the proxy and starting an RDP or SSH session to the destination.
Summarize the PAM course coverage of privileged accounts, their risks, and security considerations, including LastPass, the Thycotic Secret Server lab, and Windows application restriction controls.
Privileged accounts are those with special permissions on a system, application, database or any other asset that can be used to perform administration activities (e.g. changing the configuration) or that have full access to the data. Failing to manage and monitor the usage of privileged accounts in a corporate environment or an organization can have serious consequences.
Once hackers or malicious actors find a way into a system or a network, they will look to compromise a privileged account to gain access to systems and information they are not authorized for. Privileged Account Management is an important topic in cyber security and a requirement of many regulatory and compliance frameworks.
In this course you will learn about:
Privileged accounts and credential management: what they are, why they are important, and the different types
Privileged credential security considerations
Implementation and usage of password manager solutions
Privileged Account Management (PAM) or Privileged Account and Session Management (PASM) solutions
Building a lab environment for testing PAM solutions
Implementing and configuring a PAM solution
Onboarding systems and credentials on the PAM solution (Windows, Linux, Web)
Utilising important PAM capabilities such as remote access, session recording, audit, automated password changing, etc.
Reviewing privileged credential usage, reporting and auditing requirements
Best practices for implementing PAM solutions