Updated on 2024-04-11 GMT+08:00

Creating a Password Rule

With password rules, you can let the CBH system periodically change the passwords of multiple managed host resources at a time, improving the managed resource account security.

With password rules, you can:

  • Change passwords of managed resource accounts manually, periodically, or at a scheduled time.
  • Change the passwords of multiple managed resource accounts to different passwords randomly generated by the system, the same password generated by the system, or the same password you specify.

Constraints

  • Password change rules apply only to hosts configured with SSH, MySQL, SQL Server, Oracle, RDP, or Telnet protocols.
  • To enable a password change rule for Windows hosts, enable the SMB service and open port 445 in the security group.
  • Before relating a password change rule to an account of a Windows 10 resource, set server parameters by referring to Setting Parameters of Windows 10 Servers.

Prerequisites

  • You have the operation permissions for the Password Rules module.
  • The configured OS type of the resource whose account password you want to change must be the same as the actual OS type of the resource.

Creating a Password Change Rule

  1. Log in to the CBH system.
  2. Choose Policy > Password Rules > Password Rule.

    Figure 1 Password Rule

  3. Click New in the upper right corner of the page to switch to the New ChangePassword Rule dialog box.
  4. Configure the basic information.

    Figure 2 Creating a Password Change Rule
    Table 1 Parameters for password change rules

    Parameter: Description

    Rule Name: Name of a password change rule. The rule name must be unique in the CBH system.

    Timing: The options are Manual, Fixed-Time, and Cycle.

    • Manual: You manually trigger the password change rule to change the password of the managed resource account.
    • Fixed-Time: The CBH system triggers the password change rule at a fixed time to change the password of the managed resource account. This type of rule is executed only once.
    • Cycle: The CBH system periodically triggers the password change rule to change the passwords of the managed resource accounts.

    Execute Time: Date when the password change rule is executed. The default execution time is at 00:00 every day.

    Cycle Frequency: Password change interval.

    • The unit is day.
    • You need to set the End Time for this type of rule. Otherwise, the rule will be executed indefinitely.

    Method: How the password is changed. The options are Generate different passwords, Generate the same password, and Specify the same password.

    • Generate different passwords: The system randomly generates a different password for each managed resource account in compliance with password requirements.
    • Generate the same password: The system randomly generates one password for all managed resource accounts in compliance with password requirements.
      NOTE:

      A password randomly generated by CBH contains 20 characters, including uppercase letters, lowercase letters, digits, and the following special characters: %, -, _, and ?. A random password must contain at least an uppercase letter, a lowercase letter, and a special character.

    • Specify the same password: You change the passwords of managed resource accounts to the same preset password you specify.

    Options: The following options are supported:

    • Allow to change the sudo account password: Select this option to allow the password of a sudo account to be changed. If it is not selected, the password of the sudo account cannot be changed. This option is not selected by default.
    • Priority use of the sudo account to change password: Select this option to let the system automatically search for the corresponding sudo account and use it to change the account password. If no sudo account is available, the password can be changed using the current account. This option is selected by default.
    • Allow to change the SSH Key: Select this option to let the CBH system automatically change SSH public keys.
    NOTE:

    The Allow to change the SSH Key option is available only in V3.3.36.0 and later. To use this function, upgrade your CBH system to V3.3.36.0 or later by referring to Upgrading the CBH System Version.

  5. Click Next and start to relate the password change rule to one or more accounts or account groups.

    • After a password change rule is related to an account group, accounts automatically obtain the permissions of the rule the instant they are added to the account group.
    • If a password change rule is related to multiple managed resource accounts, batch changing passwords is available.
    Figure 3 Relate Accounts

  6. Click OK. You can then view the new password change rule in the rule list.

    To obtain the new passwords of the managed resource accounts, export host resource details by referring to Batch Editing Host Information.

Setting Parameters of Windows 10 Servers

  1. Log in to a Windows 10 server.
  2. Start the Windows Remote Management (WinRM) service.

    1. Search for Windows Components.
    2. In the navigation pane on the left, choose the local service. In the window displayed on the right, locate Windows Remote Management (WS-Management).
    3. Right-click Windows Remote Management (WS-Management) and choose Start from the shortcut menu.

  3. Configure WinRM.

    1. Open Command Prompt (cmd) as an administrator and run the following command:
      winrm qc
    2. Perform this twice. After the command output is displayed, enter y as prompted.
    3. Run the following command:
      winrm set winrm/config/service '@{AllowUnencrypted="true"}'
    4. Run the following command:
      winrm set winrm/config/service/auth '@{Basic="true"}'

      The single quotes around the @{...} argument in steps 3 and 4 are PowerShell quoting. In Command Prompt, enter the argument without them.

  4. (Skip this step if you are already an administrator.) Run the following command to add a user to the user group:

    For example, run the following command to add appuser01 to the user group:

    net localgroup "Remote Management Users"  appuser01  /add

  5. In a PowerShell window, run the following command to add a firewall rule:

    New-NetFirewallRule -DisplayName "WinRM-5985" -Direction Inbound -LocalPort 5985 -Protocol TCP -Action Allow
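
Steps 3 and 5 enable Basic authentication over unencrypted HTTP and open port 5985 to any source, so the account credentials CBH sends are not protected in transit. The following PowerShell script is an added example, not part of the CBH documentation: it checks each setting from the procedure above and limits the firewall rule to the CBH address. The address 192.0.2.10 is a placeholder and must be replaced with the address of your CBH instance; appuser01 and WinRM-5985 are the example names used in steps 4 and 5.

```powershell
# Added example (not from the CBH documentation). Run in an elevated PowerShell window.
$CbhAddress = '192.0.2.10'   # placeholder from a documentation range; use your CBH address
$User       = 'appuser01'    # example account from step 4
$RuleName   = 'WinRM-5985'   # firewall rule created in step 5

# Returns the remote address filter of the named rule as an array.
function Get-RuleRemoteAddress($Name) {
    @((Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue |
        Get-NetFirewallAddressFilter).RemoteAddress)
}

$report = [ordered]@{}

# Step 2: the WinRM service must be running.
$report['WinRM service running'] = (Get-Service -Name WinRM).Status -eq 'Running'

# Step 3: values set by the two "winrm set" commands.
$report['AllowUnencrypted is true'] = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value -eq 'true'
$report['Basic auth is true'] = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value -eq 'true'

# Step 4: group membership (the procedure skips this step for administrators).
$members = Get-LocalGroupMember -Group 'Remote Management Users' -ErrorAction SilentlyContinue
$report["$User in Remote Management Users"] = [bool]($members | Where-Object Name -like "*\$User")

# Constraints: SMB (445) and the WinRM HTTP listener (5985) must be listening.
foreach ($port in 445, 5985) {
    $listening = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
    $report["Listening on TCP $port"] = [bool]$listening
}

# Step 5 creates the rule without a remote address filter, so it matches any source.
# Restrict it to the CBH address if it is still open to 'Any'.
if ((Get-RuleRemoteAddress $RuleName) -contains 'Any') {
    Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $CbhAddress
}
$report["$RuleName remote address"] = (Get-RuleRemoteAddress $RuleName) -join ', '

$report.GetEnumerator() | Format-Table -Property Key, Value -AutoSize
```

An empty remote address in the last row means no rule named WinRM-5985 exists yet.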

Follow-up Operations

On the rule list page, you can manage all password change rules: manage related resources, delete, enable, or disable one or more rules, and execute a rule immediately.

  • To quickly relate a password change rule to more accounts or account groups, select the rule and click Relate in the Operation column.
  • To delete a password change rule, select the rule and click Delete in the Operation column.
  • To disable password change rules, select the ones you want to disable and click Disable at the bottom of the list. When the status of those rules changes to Disabled, they no longer take effect.
  • To change the password of a managed account immediately, click Execute in the Operation column.