• Every unmanaged password; i.e. an accounts with a passwords property set to never to expire, is a risk to your business
• Supplying a fully audited controlled remote SSH Terminal and Remote Desktop access function to your support staff has cost and security benefits

Password Management

An administrator with knowledge of a 'never expire' system account password, can wreak havoc with your systems, leaving no audit trail, and may have simply been trying to help.

Companies have reported loosing days of computer time, due to an over enthusiastic administrator applying a fix, unknown to anyone but themselves. Others have reported losses through disgruntled employees.

Companies are failing to respect compliance standards unless they manage their unmanaged accounts and may face financial penalties through compliance failure. Or in the worst case, days with no system access with the financial losses that this would cause.

There are also many account passwords that are set never to expire. These accounts control: the running of Windows Services; the account that a databases runs as; accounts embedded in applications; the build-in administrator of imaged machines... Moreover there are 2 types of accounts, unique password accounts and synchronised password accounts, and what?s worse is that these accounts are the most powerful accounts that exist in your system.

ForestSafe can manages the passwords of any system account that require unique passwords e.g. Local Windows Build-in Administrator, and also the password of accounts that require synchronisation e.g. Windows Services.

	Local Passwords Make every local password in your system unique
	System Passwords Synchronise the passwords of any user accounts. E.g. a Windows domain user and a Windows service logon
	Grant Access Create a temporary local administrator account with the same password across a range of machines for local access

Security & Accountability

The system has several security levels. Some teams may require constant remote access to a known list of servers. Another team may want infrequent access to any server driven by a change record.

The system is designed to give audited control to enable any access to be established.

User Validation is the doorway to the remote access. All ForestSafe users must exist as Windows domain users. Access is via a Web Page either by credential entry or Single Sign On. Segregation of roles is focused on by COBIT and Sarbones-Oxley Act. It is vital that partitions exist between the various functions of a system so employees in one section cannot interfere with the work of others. Every ForestSafe function can be added or removed from the ForestSafe Administrators desktop using Administrator Role Management. Access to system functions is completely granular. Access Approval is available to apply an extra layer of authority between users and the hosts that are allowed to access remotely. A ForestSafe approval can to be configured immediately or in the future, and set to terminate at given time. During this period the Administrator requiring Approval has view of the approved target. Access Control Lists define which hosts Administrators are allowed to access, and also which user accounts they logon with. ForestSafe is configured to create hierarchicys of ?Host Containers?. Administrator Roles are mapped against any container in the hierarchy and will inherit any hosts present in the sub-containers. The ForestSafe Administrator is presented with a restricted list of choices based on either their current approvals, or if approval layer is not enabled, the contents of the host container associated with their Administrator Role. Target Identity ratification is a final security check, before allowing a remote access, that the host being accessed is the real host and not a ?Man in the Middle?. Every ForestSafe host configured for via SSH, requests a public key or fingerprint from the host on discovery. This key is stored against the host record and compared every time a remote access takes place. Remote Access Validation is the final doorway to remote system. Remote terminal validation is either by credential entry or Single Sign On. If Single Sign-on is disabled, the Administrator can be given access to the self service password vault to also retrieve the password.

Terminal Access Audited, Identity Managed Terminal Access to your remote systems via single sign-on or retrieved password.