Configure Just in Time access to Windows machines

This topic describes how to configure Just in Time (JIT) access to target machines for local and domain admins.


Just in Time access is available only to users authenticating to the PVWA using LDAP.

Overview

There are cases where managing the local administrator passwords is not possible at the initial stage of deployment.

Just in Time access can be used as an intermediate step towards fully vaulting the local administrator accounts. You can grant Windows admins on-demand, ad hoc privileged access to Windows targets for a limited period of time (the default is 4 hours).

During this time, domain users can request access to a system as a local administrator. If the request is authorized, the system temporarily adds the logged-on Windows user to the target system's local Administrators group, without the need to manage the credentials of the local administrator on that target. This enables your organization to introduce privileged controls and build security habits before moving to a full Privileged Access Security program.


Just in Time access is not supported in a distributed Vaults environment.

Workflow

The workflow starts when an end user requests access to a designated ad hoc target machine. If the request is approved, the user is added to the target machine's local Administrators group.

The end user is notified whether access has been granted or denied. Once granted, the user can access the target machine using their own login for a limited period of time (by default, 4 hours). After this period, the user is automatically removed from the local Administrators group.

Configure the platform to allow Just in Time access

Perform the following configuration on the platform of the account on which Just in Time access is required.

Configure the access period

For the specific platform, configure the period of time during which the end user can access the target machine, and the timeout for connecting to the target machine in order to add the ad hoc user.

To configure the access period:

  1. Open the platform that you created (the duplicated platform) for editing. Click the ellipsis button on the right side of the window, and then click Edit.
  2. In the left pane, right-click Automatic Password Management, and then select Add Additional Policy Settings.
  3. In the Properties area, scroll to the end of the list, and edit the following properties:

    Property                      Description

    DomainUserAdHocAccessLimit    The amount of time, in minutes, after which an ad hoc user is automatically removed from the target machine. A change to this value does not affect users who have already been granted access; they are removed according to the value that was in effect when they were added.

    AdHocConnectionTimeout        The maximum amount of time, in seconds, to attempt a connection to the target machine in order to add an ad hoc user to the local Administrators group. The default value is 30 seconds.

  4. Click Save.
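The workflow above promises that every ad hoc elevation is reversed once DomainUserAdHocAccessLimit elapses. A defender will usually want independent evidence of that from the target machines themselves, because the Windows Security log records each change to the local Administrators group: event 4732 (member added to a security-enabled local group) and event 4733 (member removed). The following script is an added example, not part of the original page and not CyberArk code. It pairs additions with removals per (computer, member) and flags grants that were removed late or never removed. The event records are constructed sample data shaped like what a SIEM would extract; the 240-minute default mirrors the 4-hour default stated above, and S-1-5-32-544 is the well-known SID of the built-in Administrators group.

```python
from datetime import datetime, timedelta

# Well-known SID of the built-in local Administrators group.
ADMINISTRATORS_SID = "S-1-5-32-544"

# Default DomainUserAdHocAccessLimit assumed here: 4 hours, expressed in minutes
# because the platform property is defined in minutes.
DEFAULT_ACCESS_LIMIT_MINUTES = 240

# Constructed sample records (not real captures). Each mirrors the fields a SIEM
# extracts from Security events 4732 (member added) and 4733 (member removed).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "event_id": 4732, "group_sid": ADMINISTRATORS_SID,
     "computer": "WS-0142", "member": "CORP\\alice"},
    {"time": "2024-05-01T12:59:00", "event_id": 4733, "group_sid": ADMINISTRATORS_SID,
     "computer": "WS-0142", "member": "CORP\\alice"},
    # bob is added but never removed in this sample: a stale elevation.
    {"time": "2024-05-01T10:30:00", "event_id": 4732, "group_sid": ADMINISTRATORS_SID,
     "computer": "SRV-DB01", "member": "CORP\\bob"},
    # carol joins Remote Desktop Users (S-1-5-32-555), not Administrators: ignored.
    {"time": "2024-05-01T11:00:00", "event_id": 4732, "group_sid": "S-1-5-32-555",
     "computer": "WS-0142", "member": "CORP\\carol"},
    # dave is removed, but 4 h 45 min after being added: later than the limit.
    {"time": "2024-05-01T11:15:00", "event_id": 4732, "group_sid": ADMINISTRATORS_SID,
     "computer": "WS-0077", "member": "CORP\\dave"},
    {"time": "2024-05-01T16:00:00", "event_id": 4733, "group_sid": ADMINISTRATORS_SID,
     "computer": "WS-0077", "member": "CORP\\dave"},
]


def parse_time(value):
    """Accept an ISO-8601 string or a datetime and return a datetime."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def audit_adhoc_admin_access(events, limit_minutes=DEFAULT_ACCESS_LIMIT_MINUTES, now=None):
    """Pair each Administrators-group addition with its later removal.

    Returns one dict per grant with keys computer, member, added, removed, status:
      "ok"       removed within limit_minutes of being added
      "overdue"  removed, but later than limit_minutes after being added
      "stale"    never removed and the limit has already elapsed at `now`
      "active"   never removed and the limit has not yet elapsed at `now`
    `now` defaults to the timestamp of the latest Administrators-group event.
    """
    limit = timedelta(minutes=limit_minutes)
    admin_events = sorted(
        (e for e in events if e["group_sid"] == ADMINISTRATORS_SID),
        key=lambda e: parse_time(e["time"]),
    )
    if now is None:
        now = max((parse_time(e["time"]) for e in admin_events), default=datetime.min)
    now = parse_time(now)

    open_grants = {}  # (computer, member) -> time the member was added
    results = []
    for e in admin_events:
        key = (e["computer"], e["member"])
        t = parse_time(e["time"])
        if e["event_id"] == 4732:
            open_grants[key] = t
        elif e["event_id"] == 4733 and key in open_grants:
            # A removal with no preceding addition in the window is ignored.
            added = open_grants.pop(key)
            status = "ok" if t - added <= limit else "overdue"
            results.append({"computer": key[0], "member": key[1],
                            "added": added, "removed": t, "status": status})
    for key, added in open_grants.items():
        status = "stale" if now - added > limit else "active"
        results.append({"computer": key[0], "member": key[1],
                        "added": added, "removed": None, "status": status})
    return results


if __name__ == "__main__":
    for r in audit_adhoc_admin_access(SAMPLE_EVENTS):
        print(f'{r["status"]:8} {r["computer"]:9} {r["member"]:12} '
              f'added {r["added"]}  removed {r["removed"]}')
```

Anything reported as "stale" or "overdue" is worth a look: either the JIT removal did not run (for instance because the target was unreachable), or a domain user was added to the local Administrators group outside the JIT process altogether. Feed it the 4732/4733 events exported from your SIEM for the platform's targets and set limit_minutes to the DomainUserAdHocAccessLimit value you configured.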