Hello, my name is Josef Pernecky. I'm a process engineer at One Identity. And today, we're going to talk about Connect for Safeguard Assets, version 7.1. Here we have an overview of, what is Connect for Safeguard Assets? It extends the capabilities of our Safeguard for Privileged Passwords to even manage accounts on assets which are not directly connected to our Safeguard for Privileged Passwords. For example, your user notebook, which is traveling around, has still internet connectivity, but not direct connectivity to Safeguard for Privileged Passwords.
In order to use Connect for Safeguard Assets, you need a Starling organization and an account within the United States or European Union data center. We are currently supporting assets with Linux, with various Linux systems like CentOS, Debian, and so on, Windows desktops, Windows servers, and macOS.
For all that, to get it up and running, you need an agent installed on your asset and a valid token file, which you can download from Starling directly. Also, you need a local user. And on Windows, you need-- the log-on-as-a-service right is required.
Here is a short overview of how it works. We have our Safeguard for Privileged Passwords appliance, which pushes tasks to our cloud for password changes, and so on and so on. The agent will then poll the cloud for those changes. This can be defined in which interval this will be done.
And if we find something to do, we will pull it down. We'll make the changes and push the result again back to the cloud, where Safeguard for Privileged Passwords pulls out the result, which you will then see in Safeguard for Privileged Passwords. You will see a complete demo video how to install and work with that. Please feel free to contact us if you find any bugs in the software. And thank you very much for your attention.
First of all, we need to prepare our asset. And in this demo video, we're going to use a Windows 2022 server, standalone server, as an asset. First of all, we create a new service account for using the agent. I will simply call it "svc_connect." Give that away. Give it a password. And Create.
We will also create a new administrative user for changing passwords later on. Going to close this. The next thing we need to do, we need to assign the log-on rights as a service to this new service account. We do that in the local security policy under local policies, user rights assignment.
And here, we have that log-on-as-a-service. And we're going to add the new service account here. And Apply. Also, we need to make that service account member of the local administrator groups, that the agent can do its work properly. And Apply.
Next, we need to log on to our Starling cloud. I'm already logged in here. And I've subscribed for the Connect for Safeguard Assets service. You can simply click Subscribe here. And it will be added to your Starling account. Just click here.
And as this is a Windows machine, we need to download the Windows agent, and also the token file we need for the agent enrollment. As soon as we have downloaded all the files, we go into our Downloads folder and simply extract that one file here.
As soon as it is extracted, we copied the whole directory directly into our C drive. Paste it here. And also, we make a copy of the token file. And that's very important because the token file, each time you enroll, even if it fails, it will be deleted. So keep a copy of that. So I'm simply copying it now to the new directory, where I have my client in there.
So we are now prepared for enrollment. Also, you can manually edit the JSON file, which consists of all the configuration settings. I will do that right now and explain that later. Here we go. As you can see here, the delay between cycles for each time the agent polls our cloud for new jobs to do is 30 minutes by default.
For demo purposes, now I'm going to change it to one minute. Feel free to fill in whatever you like, whatever fits to your organization. If we've done that, we're going to save it. Now we need a command line window. And I suggest using it as an administrator. I'm going to change to that directory.
We are now ready for the enrollment. And the enrollment command looks like this here-- the exe file, Enroll, minus minus ServiceAccountName-- the name of the service account we created earlier-- and the path to the token txt file. Just simply copy that to the command line.
Now that the agent is enrolled, let's have a look in the Starling Cloud if the agent ID matches also the asset now in the Starling Cloud. So we click here, Connect for Safeguard Assets. And have a look here on the agents. We see this is the number agent for the agent we just registered. Let's check if this matches. And it matches.
Now that our agent is successfully joined into the Starling, the next step we need to do is to join with our SPP into the Starling Cloud. Let's go to our SPP. Appliance Management. External Integration. Starling. And we click here on Join to Starling. We allow that. And now our SPP is joined to that.
As we have successfully joined Starling now with our SPP, we can now add the asset to SPP. So let's go over to Asset Management, Assets. We click on plus. We give it a name. And the name is Server1. Click on Next. The platform, now-- this is very important-- is now Starling Connect to Windows Server. Starling Connect.
We can now browse for the agent ID. And that is that one we just added, or enrolled. Select Starling Agent. And authentication type is Starling Connect. We click now. We can now test the connection. But remember, this can take up to one minute, because that was the interval we have set in our configuration file. So let's wait.
And now the connection has successfully succeeded. So we can continue creating that asset. Just clicking OK. We have that asset now in there. We can now add the account we created on that local server, which was localadmin1. Just simply click OK.
And of course, we need to set or already change the secret. I already changed that. So I'll fire up the job to the cloud. This will again take up to one minute. So we wait until this is submitted and finished. And the password has been rotated now via the Starling Cloud and the agent.
So for the final test, I've created a simple entitlement which gives me the password of that local admin account for that disconnected asset. So I'm going to just request it now. New Request. Server1, localadmin. And submit request.
We now have the password and I'm going to do a remote desktop to it. localadmin. I'm going to copy that password now. And we are now connected with a password we do not know, which has been changed, and is now under the full management of Safeguard. Thank you very much.