UseCase6_PasswordPolicy - sandersdHES/PAMEmergingTech GitHub Wiki
This use case demonstrates how to change, reset, and enforce password policies for accounts managed in PAM360. It also shows how to handle policy violations and perform bulk password resets that synchronize directly with target systems.
Privileged account passwords are a critical part of enterprise security. In PAM360, administrators (or authorized users) can manage these passwords efficiently across systems—while maintaining compliance with defined password policies.
Key benefits include:
- Centrally managed password lifecycle
- Auto-enforcement of complexity rules
- Audit trails and notifications
- Remote sync with connected machines
As an Administrator or a Password User with the right permissions:
- Go to Resources > [Windows Resource]
- Under Account Actions, select Change Password
- Enter a new password
- Check the box for “Apply password changes to the remote resource”
This ensures that the password is updated both in PAM360 and on the remote Windows machine, keeping them in sync.
Passwords are automatically stored and encrypted, and can be retrieved or rotated as needed.
PAM360 includes built-in password policies and enforcement rules. By default, the platform offers:
- Low: Minimal constraints
- Medium: Moderate complexity
- Strong: Strict password rules
- Offline password file: For file-based access only
You can also define custom policies with the following parameters:
- Minimum/maximum length, required character types
- Restrictions on dictionary words, repeated characters, or login names
- Enforcement of expiration rules
- Reuse prevention
- Sequence blocking
-
From the Dashboard, click on Policy Violations at the top
-
This provides an overview of passwords that do not comply with the policy assigned to their resource
- Go to Resources
- Click Policy Violations
- You will see a detailed list of all non-compliant accounts
To resolve the violations:
- In the Policy Violations screen, click Reset All Passwords
- You can also reset selected accounts individually
- In the reset dialog:
- Set Password Allocation to Generate unique passwords for every account
- Enable Apply password changes to remote resource(s)
- Enable Send email notification to users
- The system will prompt you to select the users that will receive the email notifications. Let’s only send the email to the Administrators.
Once triggered:
- The system attempts to reset and sync passwords across all affected accounts
- If remote sync is configured, changes are applied directly to the machines
- You can monitor the operation via Audit > Resource Audit
An email is sent to the selected users, summarizing:
- Affected accounts
- New password status
- Operation success/failure per resource
Go back to Resources and confirm that:
- Passwords were successfully changed
- Accounts now show as compliant with their assigned password policies
As a final test, try connecting to one of the resources (e.g., a Linux machine) using the newly reset password to verify proper synchronization.
This use case illustrates how PAM360 simplifies and secures password management by:
- Providing centralized tools to change or reset passwords
- Enforcing strong password policies
- Offering bulk remediation for non-compliant accounts
- Keeping systems and PAM360 synchronized
- Maintaining complete audit visibility and user notifications
With these capabilities, PAM360 ensures that password hygiene and policy enforcement are not only automated, but also auditable and secure.