Securden Unified PAM

Privileged Access Management FAQs

This page outlines product troubleshooting tips and frequently asked questions on Securden Unified PAM. Should you need further technical assistance, feel free to write to support@securden.com.

Frequently Asked Questions

Does Securden provide release notes for each released version, and if so, are these release notes made available through your website?

Yes. Securden provides comprehensive release notes for each new version upgrade on product releases. We follow this practice diligently to keep customers well-informed at every stage, aligning with NERC CIP compliance. The release notes are labeled category-wise as product enhancement, new features, security fixes, and bug fixes for easy reference. Customers can access these release notes from the website. Also, the release notes are sent to customers via email.

How to configure time delays during remote sessions over custom application launcher?

Securden facilitates launching connections with remote IT assets and applications. To handle such cases, you can navigate to Admin >> Remote Connections >> Custom Application Launcher and add a time delay (measured in milliseconds) for Securden to wait before filling the data.

How to add SSL certificate to the Securden server?

You can upload your SSL certificate to the Securden server by following the instructions below.

  • Step 1: Download OpenSSL (if you don't already have it installed) from http://www.slproweb.com/products/Win32OpenSSL.html. Ensure the 'bin' folder under the OpenSSL installation is included in the 'PATH' environment variable.
  • Step 2: Copy your certificate (e.g. certificate.pfx) to the machine on which you run the OpenSSL executable. The *.pfx file is in PKCS#12 format and includes both the certificate and the private key.
  • Step 3: Run the following commands to export the private key:
        openssl pkcs12 -in certificate.pfx -nocerts -out securden-key.pem -nodes
        openssl rsa -in securden-key.pem -out securden-key.pem
  • Step 4: Run the following command to export the certificate:
        openssl pkcs12 -in certificate.pfx -nokeys -out securden-cert.pem
    Once you execute the above steps, you will get an SSL certificate and a private key.
  • Step 5: Copy the certificate and private key created above and paste them in the /conf directory.
  • Step 6: In services.msc, restart Securden Vault Service. This replaces the self-signed certificate with your certificate.
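
Before copying the files in Step 5, it is worth confirming that the exported key and certificate belong together and that the certificate has not expired. The script below is an added example, not part of Securden's documentation: the function names are hypothetical, the file names are the ones used in the steps above, and it assumes a POSIX shell with OpenSSL on the PATH.

```shell
#!/bin/sh
# Added example, not Securden's code. Function names are hypothetical;
# securden-cert.pem and securden-key.pem are the files from Steps 3 and 4.
# Note: Step 3's -nodes option leaves securden-key.pem unencrypted, so keep
# the file readable only by the account that runs the Securden services.

# SHA-256 of the public key in the FIRST certificate of a PEM file. If the
# PFX also carried CA certificates, make sure the server certificate is the
# first one in securden-cert.pem.
cert_pubkey_digest() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 of the public key derived from a private key file.
# "-passin pass:" makes an encrypted key fail instead of prompting.
key_pubkey_digest() {
    openssl pkey -in "$1" -passin pass: -pubout -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# check_pair CERT KEY
#   0 = key matches certificate and certificate is not expired
#   1 = key does not belong to the certificate
#   2 = certificate file cannot be parsed
#   3 = key file cannot be parsed (or is still encrypted)
#   4 = certificate has already expired
check_pair() {
    cert=$1
    key=$2
    # Parse both files first; otherwise two failed parses would hash empty
    # input on both sides and compare equal.
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 2
    openssl pkey -in "$key" -passin pass: -noout >/dev/null 2>&1 || return 3
    [ "$(cert_pubkey_digest "$cert")" = "$(key_pubkey_digest "$key")" ] || return 1
    # -checkend 0 exits non-zero when notAfter is already in the past.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || return 4
    return 0
}

# Script usage: sh check_pair.sh securden-cert.pem securden-key.pem
if [ "$#" -eq 2 ]; then
    rc=0
    check_pair "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK: key matches certificate; certificate not expired" ;;
        1) echo "FAIL: private key does not match the certificate" ;;
        2) echo "FAIL: cannot parse certificate $1" ;;
        3) echo "FAIL: cannot parse private key $2 (encrypted?)" ;;
        4) echo "FAIL: certificate has expired" ;;
    esac
    exit "$rc"
fi
```
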
How to configure access to the Securden Password Vault mobile application?

You can download the Securden Password Vault mobile application from the App Store or Google Play Store. To access the interface, enter the server URL in the mobile application.

Is it possible to configure the Securden server to run on port 443?

Yes, it is possible to customize the server port to 443. To do this,

  • Navigate to the Securden installation folder\Conf and open the server.properties file with WordPad or Notepad++.
  • Restart the Securden PAM service (restarting the Securden Web service is not required, as it is dependent on the PAM service).
  • Try to access just the URL https://securden_server
Can passwords be automatically rotated upon expiration?

Yes, password rotation can be achieved by enabling the 'Expired Password Rotation' option available under Admin >> Notifications >> Expired Password Rotation. Consequently, passwords will be rotated automatically for accounts that support remote password reset when they expire or are about to expire. The expiration days can be enforced by specifying the Password Age in the password policy. The new password gets updated in both the end machine and Securden database, so you don't have to manually change the passwords anywhere.

Is there a way to convert a work account to a personal account?

Yes, there is a way to convert a personal account to a work account but vice versa is not possible. To store personal information, try recreating the accounts being added by selecting the category as 'Personal'.

When two or more servers have been configured for high availability purposes, will updating the primary server alone update the software on the secondary (application) server as well?

No, the application server has to be updated separately. However, the upgrade process will be completed in a few minutes, and the operation will be seamless.

Will this update cause any downtime in the application?

Yes, both servers will be stopped during the upgrade process. Hence, we recommend scheduling a maintenance window to upgrade the servers.

Does the update need a server reboot or service restart after updating the application?

Yes. The services should be stopped during the upgrade. Once the upgrade is completed, the services can be started.

What are the precautions to be taken before updating?

You need to take a backup of the Securden installation folder after stopping the service.

Here’s a quick summary of the upgrade steps:

  • Before initiating the upgrade, while the server is running, navigate to Admin >> Maintenance & Upgrades >> Product Upgrades section and check the steps to upgrade.
  • Now, stop the Securden service on the secondary server first. We are doing this to avoid failover.
  • Then, you can stop the service on the primary server. Take a backup of the Securden installation folder.
  • Initiate the upgrade on the primary server. You can follow the upgrade steps in the section mentioned above.
  • Once the upgrade is completed, start the service and log in to the primary server to check its version.
  • Now, you can initiate the upgrade on the secondary server. Once it is completed, log in to check its server version.

Note: You should start or stop the Securden PAM Service alone. Web Service - Securden PAM is dependent on the main service. Hence, it will be started automatically once the main service is started.

On finishing the installation of the new Securden system, the encryption key has been relocated to a different directory on the server. Is that good enough? What are the security implications if someone could copy that key and the database to another location?

As a security best practice, we recommend having the encryption key and database backup file in different locations.

Secure the encryption key in a safe drive or a remote location with strict access control that allows the key to be accessed only by the Securden application or the account used to run Securden services. And enforce MFA to secure user access to the Securden application.

However, if someone gets access to the database and the encryption key, they cannot decrypt the information, as we have application-layer encryption in place. They need to install the exact version of the Securden application and restore the database. Even after restoring the database, they would have to log in as an admin/user to view passwords, which might not be possible if you enforce MFA for user authentication.

What should be done if the login to the PAM solution works but results in a white page? The login screen reappears when the white page is refreshed.

Instances like this are rarely encountered after a product upgrade. To prevent such occurrences, it is advisable to clear the browser cache and attempt logging in again.

What should be done on receiving the error message ‘Domain controller is not reachable’?
  • Navigate to Admin >> Configurations.
  • Under the General section, locate 'Do you want to check the Active Directory port before initializing the connection with the AD? If yes, specify the time duration in seconds after which the check times out.' Increase the default value (in seconds) to 4; if that doesn't work, change the value to 5.
How will Securden software recognize the same password in two different accounts?

In Securden, when a password is added/modified by a user, it is compared with the passwords that are owned by that user. However, when an account with the same password is shared, we do not check if the password is reused.

If an account is created by "admin", that account's password is compared with the accounts that are owned by "admin". Hence, it is possible to have two accounts (1 owned and 1 shared) with the same password and still not have it shown as 'Password is reused' for that user.

Will there be any data flow outside our environment for PAM? If so, what would be the confidentiality and security assurance?

Absolutely not. In the on-prem model, there is no cloud component involved. There is absolutely no data flow outside of your environment. Internet connectivity is not required for the functioning of the product. There is only one reporting feature that requires internet connectivity – dark web monitoring. Even in the case of this optional dark web monitoring feature, only partial hashes of the passwords are taken and are compared against the dark web. You may disable this reporting feature if you don’t need that.

Would there be any updates for the on-prem installation of the PAM software?

Yes. We release major and minor upgrades periodically. The upgrades are released as upgrade packs. You may download the upgrade pack and apply it through the upgrade manager tool that comes with the product. The upgrade process typically takes only a minute or two. The upgrade process is NOT sequential. That means you may move to the latest version from ANY version you might be on, in a single hop. So, you may plan upgrades at your convenience.

How to expand the scope of usage for PAM in the future, and how will additional user access be unlocked if required? Could you please outline the process for this expansion?

Very simple. It just requires a revised license key. Whenever you need to increase the license count, you may write to sales@securden.com. You will receive the revised license key immediately. We will co-term the additional licenses with the existing subscription and pro-rate the pricing for the remaining subscription period alone.

How to manage passwords of the local accounts present in non-domain systems? It is stated that the endpoint does not need an agent. If so, are native tools required to manage it?

Yes, you are correct. Agents are not required for managing local account passwords, as it is carried out using WMI. As a prerequisite, Securden needs device connectivity, admin credentials (for remote operations), and WMI for all local users. By default, WMI remains disabled for all local users except for the built-in administrator accounts. Below are the links that would help you enable WMI on specific computers and in bulk using GPO:

Enabling WMI access on a specific Windows machine:
https://www.securden.com/documents/WMI-Access-for-All-Users.pdf

Enabling WMI on multiple machines:
https://www.securden.com/documents/WMI-Access-For-All-Users-GPO.pdf

How to manage local admin accounts on a Windows server that are not listed in Active Directory but exist locally on the target system? Additionally, what specific ports need to be opened from Securden to the target system?

You can manage the local admin accounts on non-domain joined computers by adding the accounts to Securden first. Then, TCP port 135 must be open and the Windows Management Instrumentation (WMI) service must be running. Once you ensure these, you will be able to manage local admin accounts.

Complete information about the ports used by Securden PAM is available in this document: PAM - Ports.pdf
Should an agent be installed on the target system for RDP, or is Securden using the standard MS Windows RDP feature?

No, you need not install any agent on the target system. Securden simply uses the Windows RDP.

There are two ways in which you can launch connections – Web-based RDP and using native apps. While web-based RDP works out-of-the-box, for launching connections using native apps, a lightweight Securden launcher utility needs to be installed on client machines. Nothing needs to be installed on target systems.

Any data written to the secondary server does not get synchronised back to the primary server when the primary server fails. Following the database crash, a new "data" folder is also being created. How to determine the cause of the data not syncing back?

Once the primary server is up and running again, the data stored on your secondary server gets automatically synced with the primary. However, you need to ensure there are no network disruptions between the servers.

Also, once the primary is back online, it remains in 'Standby' mode. You are requested to visit the HA page on your primary server to make it the 'Master' again. If the primary server goes down, by default, administrators or super administrators will receive the failover email.

How do we ensure users can manage their personal accounts in Securden without manually assigning personal folders to each user?

Yes, users can manage personal accounts using Securden without a separate folder assigned by the administrator. When users add accounts to the PAM interface, they can choose if the accounts are Work or Personal accounts.

Note: The personal accounts added to Securden cannot be accessed by anyone other than the user who added them.

The users can filter and view their personal accounts by navigating to Accounts, clicking on the drop-down symbol against All Accounts and clicking Personal Accounts.

Can a Remote Gateway Server (jump server) be used for SSH, like how it can be used for RDP?

Jump hosts (called remote gateway in the UI) can be configured for all types of remote connections. When a remote gateway is configured in Securden, all remote connections (SSH and RDP) will be routed through the designated gateway.

Is there a way to manually trigger the expiration notification for testing purposes?

As of now, we don't have a specific option to manually trigger email notifications for testing purposes. However, you can simulate this by creating an account, setting its expiration for tomorrow, and configuring the account expiration notification to be sent one day in advance. This way, you'll receive an email notification for expiration.

What are the steps to be followed to apply the license key?
  • Download the license file (Securden-PAM-License.txt)
  • Log in to Securden web interface and navigate to Admin tab
  • Find License under General section
  • Apply the downloaded license file
What are the ways to add Active Directory accounts to Securden?

You can add an Active Directory account into Securden Unified PAM in one of the following two ways:

  1. By discovering the account from Active Directory
  2. By adding the account manually

(i) Discovering the account from the Active Directory:
This method leverages Active Directory to automatically discover and import accounts.

  • Launch AD Discovery: Access the account discovery feature in Securden, from Accounts >> Add >> Discover Accounts.
  • Configure AD Parameters: Provide the necessary details such as the AD domain, credentials, and specific organizational units (OUs) or groups to target for the discovery.
  • Import: Once the discovery process is complete, the accounts get imported into the Securden vault/PAM

For detailed steps, please refer to the Securden Unified PAM Administrator Guide.

(ii) Adding an AD account manually to the Securden server:
When you manually add an AD account to Securden, ensure that it is added as a Windows domain account type. Additionally, ensure the following:

  • The domain controller’s IP address is provided
  • The username matches the account name
  • The password is updated
  • There is connectivity from the Securden server to the Active Directory

Once these fields are filled in correctly, the account will be added to Securden and synchronized with the Active Directory. Once synchronized, any changes made to the account in the AD will automatically be reflected in Unified PAM.

Is it possible to restrict the visibility of user’s work passwords to the administrator role in a web interface?

Only super administrators have the implicit permission to view passwords of work accounts stored in the database. By default, administrators cannot view passwords of users unless they are explicitly shared by the owner to the administrator. Even when sharing these accounts, the owners can select the level of access to the account the administrator can have.

There are four permission levels with which you can share an account:

  • Open Connection allows launching RDP, SSH sessions with target machines, and auto-filling credentials for web applications without showing the underlying password in plain text in the GUI.
  • View lets the user view the details and password.
  • Modify allows editing of the password.
  • Manage grants all privileges and is considered concurrent ownership.
When a user leaves, is there a method to transfer their accounts to someone else who can then access the passwords?

Yes, absolutely. When a user leaves the organization, it's possible to transfer their accounts to someone else who is allowed to access their credentials. This can be executed in three simple steps:

  • First, select the user about to leave the organization and click on the Transfer Ownership button present against each user in the left side pane of the Users section.
  • Select what items you want to share from the list.
  • Once the preferences are set, select the user to which the accounts are to be transferred from the drop-down and click Transfer.

Where do I access the cloud storage backups?

You will have to just point the backup location in the product to the cloud storage (drive location) and the backup gets pushed to the destination drive in an encrypted state. In case the server crashes or goes down, you can download the latest DB backup from the cloud storage and get the product back online by performing disaster recovery.

Will users be able to view and launch web applications through the 'Custom Application Launcher' when connecting from an Android device?

Securden only facilitates launching connections through custom application launchers on the Windows operating system (OS). Hence, when users log in from Android devices, they won't see the options for connecting via custom application launchers.

When uploading documents containing Swedish characters, the letters appear distorted. Is there a way to change the encoding of the documents to UTF-8, or is there another solution available?

This patch accountmanagement_views.pye would help you overcome the issue faced with the uploaded documents. You can also try using the steps mentioned below:

  1. Navigate to \Privileged_Account_Manager\pam\accountmanagement
  2. Rename accountmanagement_views.pye to accountmanagement_views.pye.old
  3. Download accountmanagement_views.pye and paste it on the above-mentioned location
  4. Restart Securden PAM Service
  5. Now, you can check the issue by uploading the document.
In Securden EPM, can the installed agents identify local accounts on endpoints located in offices or remote areas?

As of now, the local accounts cannot be discovered by deploying agents on the endpoints. The agent-based (account) discovery feature is currently unavailable. For domain members, you can use the Windows Account Discovery for discovering the local accounts. However, for workgroups, we recommend adding the accounts manually or importing them in bulk via CSV.

When migrating Securden database to a new SQL server, where to find the configuration within the product to determine which product the database is tied to? How to go about the configuration update?

By default, Securden comes with PostgreSQL as the backend database. You can find the details of the database in the 'server.properties' file under the \PAM\conf folder. With regard to migrating the backend database, we have a detailed guide. You may refer to the guide and try migrating the database.

What are the steps to refresh passwords for IIS/Scheduled tasks?

These are the steps to refresh passwords for IIS App Pools, Scheduled Tasks, and other Windows dependencies in Securden.

  1. To refresh the passwords for dependencies, start by ensuring the particular machine is discovered in Securden. If not, navigate to Accounts >> Add >> Discover Accounts to import into Securden.
  2. Once the machine is imported into Securden, it will automatically retrieve all dependencies. Now, select the account from Securden and attempt to change the password. The changes made will automatically propagate to dependencies as well. This method allows you to refresh the accounts of IIS/Scheduled tasks.
  3. If you wish to automate the process, go to the Folders tab and choose the specific folder containing the account you're looking for. On the right side of the Securden GUI, select 'Remote Password Reset.' Now, you can define the periodicity for rotating the passwords.
Is it possible to migrate from an external MS-SQL DB to PostgreSQL on the Securden EPM server, and if yes, is there documentation on that process?

No, it is not possible to migrate from MS-SQL server to PostgreSQL. The only option would be for us to perform a fresh installation using PostgreSQL.

How to identify the accounts that are used in the task scheduler?

In order to identify the accounts used in the task scheduler, you should ensure that the account and the computer on which the service account runs are imported into the Securden server. Once they are imported, Securden can fetch its dependencies, including the task scheduler.

What to do if local accounts (from the Administrators group) are deleted from a machine, but cannot be removed from the list of accounts?

Securden discovers the local accounts on the computers through Windows discovery. Once the local admin accounts are discovered, we do not have an option to synchronize those accounts based on the changes made. Hence, when a local account is deleted from a server, Securden Unified PAM will not remove it from the UI automatically.

If users are removed from AD groups, will their logins still appear in the product's user list?

In Securden, when a user is deleted or disabled in the Active Directory, we disable the user, and they will be restricted from logging in to the Securden UI. However, when a user is removed from an AD group but is still present in the AD, we pull the changes into Securden, and the user will not be part of that particular AD group anymore. The user will remain active within Securden and will be able to log in to the Securden UI with their AD credentials.

Can Securden Unified PAM allow an approver to be within the same user group as the user placing the request?

Securden Unified PAM allows designated approvers to verify and approve privilege elevation requests within the same user group. For security reasons, self-approval is not allowed.

Can the Securden Unified PAM software use Google SAML integration and allow users to login to the PAM portal?

Yes, Securden Unified PAM can integrate with Google SAML-based SSO and allow users to log in to the PAM portal.

Is it possible to allow only one-time remote access to a target device?

Yes, you can configure Securden Unified PAM to allow one-time access to a target device. If a user logs off or disconnects, they will need to request access again for subsequent sessions.

Can a user access multiple target devices at the same time?

Yes, Securden allows users to access multiple target devices simultaneously. However, you should ensure the server on which Securden Session Manager (SSM) is deployed has enough RDS CAL licenses to perform this operation.

Can Securden Unified PAM tool timeout from web GUI if there is no keyboard or mouse activity?

Securden Unified PAM can be configured to time out a web session if there is no keyboard or mouse activity. You can set the timeout duration to suit your requirements. To do this, you need to log in as a super administrator and navigate to Admin >> Customization >> Configurations >> How long should the web session be active (in minutes) when things are idle? Enter the desired time period (in minutes) and click Save.

Is it possible to fast-forward video recording of mouse and keyboard movement?

At present, other than native RDP recording, all other recording types have fast-forward options. Alternatively, ‘seek’ can be used to traverse Native RDP recordings.

Is it possible to export passwords from Securden Password Vault to CSV format?

Currently, we support exporting accounts in XLS format alone. Hence, as a workaround, we recommend exporting the accounts in XLS format and then converting the data into a CSV file. Navigate to Accounts >> More >> Export Work Accounts. Based on your preference, choose 'Yes' or 'No' to mask or display the passwords in the exported XLS file.

While replacing an old Windows server with a new server, is it feasible to install a primary Securden instance on the new server and have both the old and new servers running concurrently until the old server is decommissioned and the new server goes live? Alternatively, is there another recommended approach to handle this migration?

It is not recommended to run both the old and new servers concurrently. As a security best practice, we always recommend decommissioning the old server once you have completely migrated to a new server to avoid any data overwriting issues between the servers.

To migrate the Securden Installation from one server to another, you may follow the instructions available in the help documentation.

Is it possible to synchronize the active users alone when synchronizing the users in Securden with Active Directory?

Yes. When attempting to sync, only the active users from Azure AD will be synchronized with the Securden server.

When synchronizing Azure AD with Securden, new users are automatically assigned the default 'user' role. How can we assign them a custom role?

This can occur if ‘Schedule Sync’ under the ‘Groups’ tab is enabled. In that case, you need to check the option configured under Groups >> Select the Azure AD Group >> More Actions >> Group Setting >> ‘When importing users, what should be the user role?’. For this setting, select the required custom role from the drop-down menu.

Is it possible to enforce two-factor authentication for users based on their roles? For example, can two-factor authentication be enforced specifically for Admin or Super Admin roles?

We don't have the option to enforce two-factor authentication based on user roles. However, enforcing two-factor authentication specifically for Admin/Super Admin roles can be achieved by importing groups from Active Directory.

Please follow the steps below:

  • Create a group in Active Directory (AD) and add users with Admin/Super Admin roles.
  • Import the group from the Groups tab by selecting "Import Groups from AD" and assigning the desired role.
  • Configure two-factor authentication (2FA) and choose the desired method of authentication.

Whenever a new user is added to this AD group, use the ‘Sync’ button on the Securden server to add the respective user to the group. The sync can also be scheduled to run periodically.

Is it possible to export accounts and all associated data in XML or CSV file format?

We do not have the option to export Work/Personal Accounts to XML/CSV format. However, we can export accounts in the XLS format.

Please follow the steps below:

  • Navigate to the Account tab, click the More drop-down menu, and select Export Work Accounts for work accounts or Export Personal Accounts for personal accounts.
  • You can also achieve this through Offline Access, which provides all passwords accessible to the user as an HTML file.
  • Navigate to the Account tab, click the More drop-down menu, and select Offline Access.

Note: The offline copy can be opened only using the passphrase. If you forget the passphrase, you will not be able to access the offline copy. You need to export an offline copy afresh.

How do we associate privileged assets with users added to Securden Unified PAM?
  • Navigate to Admin >> Remote sessions and Recordings >> Domain Account-Assets Association.
  • On the page that opens, click ‘Add’
  • Provide a Name (Asset Identifier) and Description for this association.
  • Select the devices that will be part of this association.
  • Choose whether to associate the assets with Users/User Groups or Associate with Accounts/Folders or both.
  • Click ‘Save.’

The specified association is applied to the chosen users and accounts.

How to create a password policy that generates passwords with no special characters?

You can create a password policy that denies any special characters by declaring the special characters you want to exclude under 'Denied characters'.

  • Navigate to Admin >> Account Management >> Password Policy
  • Click Add Policy or Edit Policy icon beside an existing policy to make amendments to an existing password policy.
  • In the Denied Characters field, input all the characters that you wish to exclude: @ % + /! # $ ^ : , () []} {~ - _ .

You can leave the check box for 'minimum special characters' under 'Enforce Complexity Rules' unchecked. This will make sure that no special characters are allowed for passwords created using this policy.

Does Securden deny the creation of a new folder if a folder with the same name already exists?

Securden does not restrict the creation of duplicate folders. However, a folder path will be displayed, allowing users to differentiate multiple folders with the same name using the folder path.

While importing accounts / passwords by file, is it possible to create those accounts with different account types?

No. During import, all the accounts from a single file will be imported using only one account type. If you want to have different account types, you need to upload multiple files with each file mapped to a specific account type.

How do we retrieve passwords from the Securden Vault in case of an organization blackout? What are the recommended steps and best practices for handling such situations within the same data center?

Securden allows you to take a periodic backup (automated) of the entire database, and this helps you recover the data from the backup in the event of unlikely scenarios, like a disaster or installation failure. To access backup files, backup needs to be stored in ‘Device storage/Network drive or cloud storage’.

In addition to this, the Securden Super Administrator can take a periodic encrypted HTML backup, and the individual users can take offline access to have the credentials accessible offline.

As mentioned above, you can take a backup of the database and use it for recovery of data. As a best practice for handling such situations, it is recommended to have a standby server configured in the same subnet thus ensuring nil network disruption and uninterrupted access to passwords in the event of the primary server going down for any reason.

Is it possible to set up a high availability configuration for Securden Password Vault at a disaster recovery site outside the organization?

Yes, you can set up the High-Availability architecture at a disaster recovery site outside the corporate premises. The only requirement is that you need to ensure there is network connectivity between the primary and secondary servers.

What are the steps involved in ensuring synchronization between the organization and disaster recovery vaults?

To ensure proper synchronization between the organization (primary server) and the disaster recovery vault (secondary or high-availability server):

  • Ensure that both the servers are on the same product version
  • Ensure there is no network disruption between the primary and the secondary servers
Can the offline codes be generated specifically for a user?

Yes, the offline codes can be generated specifically for a user, if the following configuration is enabled.

  • Navigate to Admin >> Customization >> Configurations
  • Under Offline Access, go to the question "Do you want to allow offline automatic approval for privilege elevation requests if the user who is raising the request has already generated offline access codes?"
  • After completing the above steps, a dialog box labeled ‘Configure Offline Automatic Approval’ will appear. Here, you can define the maximum number of codes a user can generate for specific purposes, such as application access and full admin access. Additionally, you can set the maximum duration for which the user can maintain elevated access.
  • Once configured, click ‘Save’.
Why can’t a folder owner edit accounts they’ve imported into that folder?

There are two concepts here – folder owner and account owner. Adding an account to the folder will not make the folder owner the account owner. Folder owners will be allowed to edit the accounts they own AND those added to the folder by others.

If you are a folder owner, you should be able to edit the accounts that you have imported to the folder. You won't have permission to edit the account only if there's a permissions conflict, such as when another administrator has shared the account with you at the 'View' level.

You can find out what prevents you from editing an account from the "Reports" section. In Reports >> Account Access Report, click the specific account that you can't edit. You can trace the sharing mechanism to see what permissions are assigned to you.

Can only ‘owned accounts’ be edited? If so, how can someone gain ownership of an account if they don't currently have it?

Yes, only owned accounts can be edited. You can use the “transfer ownership” feature to own an account. The current owner of the account will have to transfer the ownership to you.

Alternatively, the Super Administrator can transfer account ownership from one user to another. This can be done from the ‘Accounts’ tab. Select the required account from the ‘More’ drop-down and then select ‘Transfer Ownership’.

Does Securden Password Vault support migration of passwords? How easy is it to transition from an existing password management system to Securden, and can passwords be migrated to other solutions from Securden?

Yes, Securden offers support for migrating from other password management solutions. While we offer out-of-the-box support to migrate passwords from LastPass and KeePass, migrating from other solutions is also simple.

Typically, if your existing solution allows exporting of data as a CSV or XLSX, the process would be very simple. If they offer export in other formats too, our team can help. There would be some manual effort involved in recreating certain settings and policies, for which you can contact https://www.securden.com/password-manager/technical-support.html

What are the differences between the built-in Administrator and Super Administrator role?
  • A built-in Administrator handles key administrative tasks in PAM, including user onboarding, approving or rejecting privilege elevation requests, and other essential activities. The Super Administrator role can be disabled if it's not needed, as it holds the highest level of privilege and full control over all privileged accounts within PAM.
  • Super Administrators function as an emergency "break glass" account, where they have the ability to bypass standard access controls and access all passwords (for work accounts) stored in Securden. This feature is designed to ensure password access during critical emergencies.
  • A Super Administrator has all the capabilities of an Administrator but also can view all work accounts added to the product, a privilege that an Administrator does not have.
  • Ownership and sharing concepts do not apply to the Super Administrator. Instead, an Administrator is responsible for owning and managing the sharing of accounts.
  • Scheduled tasks for backing up all work accounts as an encrypted HTML file can only be created by Super Administrators. To activate this feature, navigate to Admin > High Availability > Passwords Backup (Encrypted HTML File).
  • Super Administrators can manage the settings for other Super Administrators. To configure this, log in as a Super Administrator and go to Admin > Configurations > ‘Only Super Administrator can control other Super Administrator(s)’.
 