
Changing the vault service account password automatically

Created: 26 Apr 2013 • Updated: 06 Aug 2013 | 3 comments
GRInfosec
Status: Reviewed

Good morning,

This is in relation to "Case # 04044870 - Changing the vault service account automatically".

 

DESCRIPTION

Our end goal is very simple: the ability to change the vault service account password programmatically.

We can easily change it on a Windows Service, Scheduled Task, Active Directory, or using any sort of API, command line tool, etc., but we can't do this (or at least not easily) if the password has to be changed through a GUI, which is the case at the moment.

We just want to automate the following: http://www.symantec.com/business/support/index?page=content&id=TECH48035

 

USE CASE

The EV account can search through all our emails and restore them in any given mailbox. From a pure confidentiality point of view, this is less than ideal, but there's no alternative if you want to use an email archiving and restoring solution.

 
We can't audit what this user is doing in our Exchange mailboxes due to the huge amount of logs this is currently generating. Exchange 2010 can't handle that, and there's also the question of how you actually differentiate whether an action was done by a human being or an automated task.
 
The main problem occurs when our sysadmins are requested to search and restore old emails into mailboxes. In this situation they need to use the EV account. How can we make sure they are not using it for other purposes if we can't monitor what's going on?
 
 
SOLUTION
 
One way to alleviate this situation would be to change the EV password and store it in a secure location. Then make sure our sysadmins have to request this new password and use it via recorded sessions. After that the password has to be changed automatically and should not be known publicly.
 
EV does not offer any command line tool or similar to change the password programmatically so we are struggling to achieve a minimum level of security in this case.
 
Another alternative would be to provide information about what your GUI (http://www.symantec.com/business/support/index?page=content&id=TECH48035) is doing in the background so that we can replicate this using a scripting language.

 

Kind Regards,

Javier

3 Comments

Andy Nash

Nice idea and solution. I've added an internal suggestion; its ID is 900057.

Thanks & regards,
--Andy

GRInfosec

Hi Andy,

Thanks for your reply.

Is there any way to check the status of this internal suggestion?

 

Regards,

Javier

GRInfosec

Hi,

 

Is there any update on this?

Has it been considered at all?

 

Regards,

Javier
