Application accounts can take many forms and are scattered all over the network. They include database logins, certificates for software signing, embedded build script passwords, configuration files, and application services. These accounts are used to access critical data and business capabilities, making them prime targets for outside attacks or insiders looking to steal data or cause damage.
Application accounts need to be inventoried and undergo strict policy enforcement for password strength, account access, and password rotation. Centralized control and reporting on these accounts is critical.
Embedded application account passwords are very high risk, as they can be viewed by anyone with server access. Sometimes these passwords are encrypted in configuration files (e.g. DPAPI encryption of web.config files), which is a better alternative to storing them in clear text. However, individuals with server access are likely to have the permissions necessary to read the configuration files and decrypt the passwords, since the decryption key is available on the same server.
To protect passwords used by application accounts, organizations must remove all embedded passwords from scripts, configuration files and source code and replace them with logical tokens and an API that accesses passwords stored in a secure, enterprise password management system.
Logical tokens reduce risk because the password is not exposed and can be committed to source code control and deployed through test, stage and production environments. The appropriate password for the token can be resolved in the correct environment using the API often without any recompilation or code changes to the business application.
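As an added example (not code from the original page or from Secret Server), this is how a committed configuration can carry logical tokens instead of passwords and have them resolved per environment at load time. The `${secret:<path>}` token syntax, the `fetch_secret(environment, path)` vault lookup and the vault contents are all assumptions constructed for the example; a real deployment would call the enterprise password management system's API over an authenticated channel.

```python
import re

# Token syntax assumed for this example: ${secret:<path>} anywhere in a config value.
TOKEN_RE = re.compile(r"\$\{secret:([A-Za-z0-9_./-]+)\}")

class UnresolvedSecret(KeyError):
    """A token in the config has no secret for the requested environment."""

def find_tokens(config):
    """Inventory the secret paths a config depends on (for reporting/audit)."""
    return {path for value in config.values() for path in TOKEN_RE.findall(value)}

def missing_secrets(config, environment, fetch_secret):
    """Preflight check: which tokens cannot be resolved in this environment."""
    missing = []
    for path in sorted(find_tokens(config)):
        try:
            fetch_secret(environment, path)
        except KeyError:
            missing.append(path)
    return missing

def resolve_config(config, environment, fetch_secret):
    """Replace every ${secret:path} with the vault's value for this environment
    at load time; the committed config itself never holds a password."""
    def substitute(match):
        path = match.group(1)
        try:
            return fetch_secret(environment, path)
        except KeyError:
            raise UnresolvedSecret(f"no secret '{path}' for environment '{environment}'") from None
    return {key: TOKEN_RE.sub(substitute, value) for key, value in config.items()}

# Constructed stand-in for the vault API: a real deployment would call the
# password management system over an authenticated channel, not read a dict.
_CONSTRUCTED_VAULT = {
    ("test", "db/orders/password"): "test-only-pw",
    ("prod", "db/orders/password"): "prod-pw-from-vault",
}

def demo_fetch(environment, path):
    return _CONSTRUCTED_VAULT[(environment, path)]

# What gets committed to source control: a logical token, not a password.
COMMITTED_CONFIG = {
    "db_url": "postgresql://orders:${secret:db/orders/password}@db.internal/orders",
    "log_level": "INFO",
}
```

The same committed file resolves to a different password in test and prod, and `missing_secrets` lets a deployment fail early (before the application starts) when an environment has no value for a token.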
Application Server API
Secret Server provides an extensive Application Server API, which can be used for privileged account management on Windows, Mac, UNIX and Linux systems. Support is included for both Java and .NET, including advanced capabilities for both in-house and third-party ASP.NET applications. Where the full API is not needed, simple access to the vault is also available through an extensive suite of web services, authenticated with Integrated Windows Authentication or with username/password and optionally RADIUS.