PAM Design Reference

  1. The identity store (LDAP) provides an identity repository specifically reserved for the privileged users of the organization.
  2. MFA enables two or three authentication factors to improve the authentication level for privileged users (see NIST 800-63B for a more detailed description of authentication factor requirements).
  3. The user interface provides login authentication and a user-to-PAM-system interactive interface through which users establish or request work sessions for each system that they administer or access to perform their work functions.
  4. Policy management maintains the enterprise privileged-user access and control policies, such as limiting privileged user sessions to four hours.
  5. Password management maintains and enforces the enterprise password policies.
  6. Session management enforces the enterprise access and control policies within each work session, such as limiting sessions to SSH or RDP or limiting allowed application use on the target system.
  7. The password vault provides secure storage of the current password for each privileged account managed by the PAM system.
  8. Emergency access provides PAM use in unpredicted or emergency situations when access to privileged accounts is required by unanticipated users (privileged or nonprivileged).
  9. Automated account discovery searches the enterprise for evidence and identification of privileged accounts, such as domain administrators or accounts that directly or indirectly (through inheritance of privileges) have privileged-account-level authority.
  10. Session monitoring provides a mechanism to identify, log, and alert on anomalous activity.
  11. Session replay provides session review and investigations.
  12. Security monitoring, logging, and auditing provides log storage, analysis, and alerting components, generally referred to as security information and event management (SIEM).
  13. UBA monitors the activity of the privileged users for activity or actions that are considered to be unexpected or outside a recognized pattern of activity.
  14. High availability/replication ensures the availability of the PAM solution.
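As an added illustration of item 9 (not code from this page or from NIST SP 1800-18), the following Python sketch shows the nested-group resolution that automated account discovery needs: it walks a constructed group-membership export and reports every user who holds privileged-group authority, directly or through inherited membership, while surviving group cycles. All group and user names are constructed sample data, and which groups count as privileged is an assumption.

```python
from collections import deque

# Constructed sample directory export (not real data): each group maps to its
# direct members, which may be users or other groups.
GROUP_MEMBERS = {
    "Domain Admins": ["alice", "Tier0 Ops"],
    "Tier0 Ops": ["bob", "Tier0 Ops"],      # self-reference: a cycle to survive
    "Helpdesk": ["carol", "Helpdesk L2"],
    "Helpdesk L2": ["dave"],
    "Server Ops": ["erin", "Helpdesk"],
}

# Groups the organization treats as privileged (assumption for this example).
PRIVILEGED_GROUPS = {"Domain Admins", "Server Ops"}


def discover_privileged_accounts(members, privileged_groups):
    """Return {user: path} for every user with privileged-group authority.

    path is the chain of groups from a privileged group down to the user;
    a one-element path means direct membership, a longer one means inherited.
    """
    found = {}
    for root in sorted(privileged_groups):       # sorted for deterministic paths
        seen = {root}
        queue = deque([(root, [root])])
        while queue:                             # breadth-first: shortest path first
            group, path = queue.popleft()
            for member in members.get(group, []):
                if member in members:            # member is itself a group
                    if member not in seen:       # cycle / diamond protection
                        seen.add(member)
                        queue.append((member, path + [member]))
                elif member not in found:        # first (shortest) path wins
                    found[member] = path
    return found


def inherited_only(found):
    """Users whose privilege comes solely through nested groups (the ones a
    flat group listing would miss)."""
    return {user: path for user, path in found.items() if len(path) > 1}


if __name__ == "__main__":
    for user, path in discover_privileged_accounts(GROUP_MEMBERS, PRIVILEGED_GROUPS).items():
        print(f"{user}: {' -> '.join(path)}")
```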

  1. Web: https://www.nccoe.nist.gov/sites/default/files/library/sp1800/fs-pam-nist-sp1800-18-draft.pdf
