Security


Password Checkout for Cloud Services

Secure and share administrative credentials for cloud service providers such as AWS and OpenStack.

X11 Protocol Support

Record and monitor sessions carried out within an X session.

Secured password vaulting

Store credentials, keys, and other secret information in the Enterprise Credential Vault.

Advanced authentication for privileged accounts

Create a layered defense for your sensitive assets and resources with multi-factor authentication, step-up authentication, and Smart-card support.

Database privileged account monitoring

Know what your privileged users are doing with the rights they have to business-critical databases.

Comprehensive privileged account management

Securely delegate privileged account authority across database, application and cloud environments.

Single sign-on to Linux and UNIX servers

Authorized users can access servers without entering additional credentials or complex commands.

Single sign-on to the Linux or UNIX server directly from the MyAccess page.

Secure remote desktop proxy (RDP)

Privileged Account Manager creates a secure Remote Desktop Proxy (RDP) tunnel to the target Windows host, without exposing the administrative password to the user.

AD and LDAP authentication

Privileged Account Manager supports authentication against both Active Directory and LDAP identity stores—including NetIQ eDirectory—for accessing Windows servers.

Secure remote privileged command execution

Privileged Account Manager allows administrators to execute privileged commands on a UNIX host from a Windows desktop, without requiring users to start an SSH session from the Windows desktop.

Single configurable port

All agent traffic is encrypted and directed through a single port for easy product configuration and deployment in multi-firewall environments.

Database encryption

The Privileged Account Manager credential vault is a secure embedded database with two levels of encryption. The passwords are encrypted with AES 256-bit keys, and the database is encrypted with a separate AES 256-bit key.

Policy management


Auto Discovery of Privileged Accounts

Quickly identify privileged accounts across Windows, Unix, Linux, and Active Directory.

LDAP Credential Vault

Leverage existing LDAP directories, including Active Directory, as a secure credential vault.

Simplified Agent Deployment and Management

Leverage third-party software deployment solutions to easily deploy and manage agents where required.

Web-based console

Privileged Account Manager is managed via an intuitive web-based console which can be accessed throughout your intranet and extranet zones. The interface includes a command control console that enables the configuration of all privileged user management policies.

Task-based wizards and drag-and-drop interface

Privileged Account Manager stores Windows administrative passwords in a credential vault that resides within Command Control.

Windows group and policy enforcement

A GUI-based, drag-and-drop user interface greatly simplifies the rule-creation process and virtually eliminates the need for complex, manual scripting.

Reusable script and command libraries

Privileged Account Manager includes sample libraries of policy objects that can be simply dragged and dropped to build powerful, yet visually easy to understand, security rules.

Hierarchical rule structure

Rules can be visually constructed without scripting, then dragged and dropped to create rule hierarchies that determine the processing order.

Intuitive failover and load balancing

Host agents can be visually configured in hierarchical domain structures that automatically determine load-balancing and failover between components.

Risk analysis


Risk-based privileged session control

Powerful risk-analysis tools record and play back user activity—down to the keystroke level. You define high-risk activity controls and enforce them with automatic session termination or access revocation.

Privileged analytics

The risk analysis engine examines user activity in real time and applies color-coded security risk ratings so that you can detect and address threats faster.

Real-time keystroke logging

Keystroke logs are updated in real time throughout the duration of a user's session on any UNIX, Linux or Windows host.

UNIX, Linux and Windows session playback

Play back recorded user-session keystrokes in an intuitive interface that is indexed and highly searchable.

Auditing and reporting


Windows auditing service

The Windows audit service enables administrators to view real-time and historical user activity performed on local or remote Windows hosts. Audited activity includes all actions performed during a privileged session—the user inputs as well as the resulting processes.

Automatic data filtering for continuous compliance

Create pre-defined rules to pull events from your audit log files using comprehensive filters and schedules.

Automatic notifications

Users can be automatically emailed a daily summary of events awaiting approval.

Indelible audit record

All auditor activity is indelibly recorded on the event record, including the viewing of keystroke log activity, status changes and any notes recorded during the analysis.

Workflows

For events that require further analysis, a workflow process escalates events to the appropriate reviewers—either by sending an email notification or flagging the event in the compliance auditor console.

FTP auditing

Add an additional layer of security to your FTP transactions by using this replacement daemon for fully audited and authenticated FTP transactions.

Drop-in UNIX/Linux shell replacement

Privileged commands can be executed on demand with a 'usrun' statement, or the user shell can be replaced to provide command authentication and/or total session auditing.

ACL restrictions

Determine which records individual auditors are allowed to view and prevent users from authorizing their own activity.