Creating a Password Rule
With password rules, you can let the bastion host periodically change the passwords of multiple managed host resources at a time, improving the security of managed resource accounts.
With password rules, you can:
- Change passwords of managed resource accounts manually, periodically, or at a scheduled time.
- Change the passwords of multiple managed resource accounts to different passwords randomly generated by the system, the same password generated by the system, or the same password you specify.
Constraints
- Password change rules apply only to hosts configured with SSH, MySQL, SQL Server, Oracle, RDP, or Telnet protocols.
- To enable a password change rule for Windows hosts, enable the SMB service and open port 445 in the security group.
- Before relating to an account of a Windows 10 resource, set server parameters by referring to Setting Parameters of Windows 10 Servers.
Prerequisites
- You have the operation permissions for the Password Rules module.
- The configured OS type of the resource whose account password you want to change must be the same as the actual OS type of the resource.
Creating a Password Change Rule
- Log in to your bastion host.
- Choose Policy > Password Rules > Password Rule.
- Click New in the upper right corner of the page to switch to the New ChangePassword Rule dialog box.
- Configure the basic information.
Table 1 Parameters for password change rules
Parameter
Description
Rule Name
Name of a password change rule. The rule name must be unique in a bastion host.
Timing
The options are Manual, Fixed-Time, and Cycle.
- Manual: Manually trigger the password change rule to change the password of the managed resource account.
- Fixed-Time: The password change rule is triggered by the bastion host to change the password of the managed resource account at a fixed time. This type of rule is executed only once.
- Cycle: The password change rule is triggered periodically by the bastion host to change the passwords of the managed resource accounts.
Execute Time
Time when the password change rule is executed. By default, the rule is executed at 00:00 every day.
Cycle Frequency
Password change interval.
- The interval is measured in days.
- You need to set the End Time for this type of rule. Otherwise, the rule is executed indefinitely.
Method
How the password is changed. The options are Generate different passwords, Generate the same password, and Specify the same password.
- Generate different passwords: The system randomly generates a different password for each managed resource account, in compliance with the password requirements.
- Generate the same password: The system randomly generates one password and sets it for all managed resource accounts, in compliance with the password requirements.
- Specify the same password: You change the passwords of the managed resource accounts to the same password that you specify.
NOTE:
A password randomly generated by a bastion host contains 20 characters, drawn from uppercase letters, lowercase letters, digits, and the special characters %, -, _, and ?. A random password contains at least one uppercase letter, one lowercase letter, and one special character.
Options
The following options are supported:
- Allow to change the sudo account password: Select this option to allow the rule to change the password of a sudo account. If it is not selected, the password of the sudo account cannot be changed. This option is not selected by default.
- Priority use of the sudo account to change password: Select this option to let the system automatically search for the corresponding sudo account and use it to change the account password. If no sudo account is available, the password is changed using the current account. This option is selected by default.
- Allow to change the SSH Key: Select this option to let the system automatically change SSH public keys.
NOTE:
- The Allow to change the SSH Key option is supported in version 3.3.36.0 and later only. To use this function, upgrade your bastion host to the latest version by referring to Upgrading the CBH System Version.
- If you select the key pair automatic login mode when managing host resources, enable Allow to change the SSH Key, or manual password change may fail.
- Click Next and relate the password change rule to one or more accounts or account groups.
- After a password change rule is related to an account group, accounts automatically obtain the permissions of the rule the instant they are added to the account group.
- If a password change rule is related to multiple managed resource accounts, batch changing passwords is available.
- Click OK. You can then view the new password change rule in the rule list.
To obtain the new password of the managed resource accounts, export host resource details by referring to Batch Exporting Host Resource Information.
- Click Execute in the Operation column. In the dialog box displayed, confirm the execution. The policy updates passwords immediately.
Setting Parameters of Windows 10 Servers
- Log in to a Windows 10 server.
- Start the Windows Remote Management (WinRM) service.
- Search for Windows Components.
- In the navigation pane on the left, choose the local services. In the window displayed on the right, locate Windows Remote Management (WS-Management).
- Right-click Windows Remote Management (WS-Management) and choose Start from the shortcut menu.
- Configure WinRM.
- Open cmd as the administrator and run the following command:
winrm qc
- Run the command twice. Each time the output is displayed, enter y when prompted.
- Run the following command to allow unencrypted WinRM traffic:
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
- Run the following command to enable Basic authentication for WinRM:
winrm set winrm/config/service/auth '@{Basic="true"}'
- (Skip this step if the account is already an administrator.) In the same cmd window, run the following command to add the account to the Remote Management Users group. For example, to add appuser01:
net localgroup "Remote Management Users" appuser01 /add
- In a PowerShell window, run the following command to add a firewall rule that allows inbound TCP traffic on the WinRM port 5985:
New-NetFirewallRule -DisplayName "WinRM-5985" -Direction Inbound -LocalPort 5985 -Protocol TCP -Action Allow
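The Windows 10 preparation steps above as one script, added here as an example and not taken from the product documentation. It uses the PowerShell cmdlet equivalents of the winrm commands, assumes the bastion host's address is 192.0.2.10 and the managed account is appuser01 (both placeholders), and restricts the firewall rule to that address because AllowUnencrypted with Basic authentication carries credentials over port 5985 without transport encryption.

```powershell
# Added example (not from the original page): applies the Windows 10 WinRM
# preparation steps as one script, then reads the configuration back.
# Assumptions (placeholders, not from the page): adjust both before running.
$BastionIp   = '192.0.2.10'   # address of the bastion host
$ManagedUser = 'appuser01'    # account the bastion host manages

# The page runs the commands as administrator; fail early if not elevated.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$id
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Administrator) PowerShell session.'
}

# Start the WinRM service (and keep it started across reboots).
Set-Service -Name WinRM -StartupType Automatic
Start-Service -Name WinRM

# Equivalent of "winrm qc"; -Force answers the y prompts non-interactively.
Set-WSManQuickConfig -Force

# Equivalent of the two "winrm set" commands from the page.
Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $true
Set-Item -Path WSMan:\localhost\Service\Auth\Basic       -Value $true

# Add the managed account to Remote Management Users unless it is already an administrator.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
if (-not ($admins.Name -match "\\$ManagedUser$")) {
    Add-LocalGroupMember -Group 'Remote Management Users' -Member $ManagedUser -ErrorAction SilentlyContinue
}

# Firewall rule for 5985. The page's rule accepts any source; because
# AllowUnencrypted + Basic sends credentials in clear text, limit the
# source to the bastion host's address.
if (-not (Get-NetFirewallRule -DisplayName 'WinRM-5985' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'WinRM-5985' -Direction Inbound -LocalPort 5985 `
        -Protocol TCP -Action Allow -RemoteAddress $BastionIp
}

# Verification: read back everything the bastion host's password rule depends on.
$httpListener = Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTP' }
[pscustomobject]@{
    WinRMStatus      = (Get-Service -Name WinRM).Status
    AllowUnencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
    BasicAuth        = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
    HttpListener     = [bool]$httpListener
    FirewallRule     = [bool](Get-NetFirewallRule -DisplayName 'WinRM-5985' -ErrorAction SilentlyContinue)
}
```

The final object should show WinRMStatus Running, AllowUnencrypted and BasicAuth true, and HttpListener and FirewallRule True before the password rule is executed against this host.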
Follow-up Operations
You can manage all password change rules on the rule list page: relate resources to a rule, delete, enable, or disable one or more rules, and execute a rule immediately.
- To quickly relate a password change rule to more accounts or account groups, select the rule and click Relate in the Operation column.
- To delete a password change rule, select the rule and click Delete in the Operation column.
- To disable password change rules, select the ones you want to disable and click Disable at the bottom of the list. When the status of those rules changes to Disabled, they become invalid.
- To change the password of a managed account immediately, click Execute in the Operation column.