10/11/23, 3:51 PM Privileged Remote Access Integration with Password Safe

BeyondTrust Privileged Remote Access Integration with

Password Safe

Overview
The Endpoint Credential Manager (ECM) service integration with Password Safe enables automatic password injection to authorized systems
through an encrypted BeyondTrust connection and removes the need to share and expose credentials to privileged accounts. In addition to the
automatic rotation and retrieval of managed local accounts, Password Safe can also retrieve linked accounts, giving domain admins and other
privileged users access to those credentials on the targeted system. If enabled within the Privileged Remote Access /login administrative
software, Password Safe Managed RDP and shell systems can be searched and accessed from the Privileged Remote Access desktop and web
access consoles.

The integration enables:

One-click password injection and session spawning

Credentials never to be exposed to authorized users of BeyondTrust
Access to systems on or off the network with no preconfigured VPN or other routing in place
Passwords to be securely stored in Password Safe

The BeyondTrust ECM service enables communication between Password Safe and Privileged Remote Access. The ECM service is pre-installed
with Password Safe, and configuring Secure Remote Access in Password Safe configures the API user, group, and registration. Once a Secure
Remote Access connection is configured within Password Safe, users see a list of administrator-defined credentials for the endpoints they are
authorized to access. A set of these credentials can be selected when challenged with a login screen during a remote session, and the user is
automatically logged in, having never seen the username/password combination.

Password Safe handles all elements of securing and managing the passwords, so policies that require password rotation after use are inherently
supported. Privileged Remote Access handles creating and managing the access to the endpoint, as well as recording and controlling the level of
access granted to the user. This includes what the user can see and do on that endpoint.

Note: In the case where you need to deploy the ECM plugin separately, as opposed to using the ECM service that is bundled with Password Safe, the ECM is deployed to a hardened
Windows Server inside the firewall, typically in the same network as the Password Safe instance.

If you are not using the bundled ECM plugin, Contact Support for assistance integrating BeyondTrustPrivileged Remote Accessand
Password Safe.

For more information on installing and using the ECM plugin, please see Configure the Endpoint Credential Manager Plugin for
Integration with Privileged Remote Access.

Prerequisites
Password Safe Cloud or On-premises 21.2 or later release
Privileged Remote Access
TCP Port 443 must be open for communication between the Password Safe API and the Privileged Remote Access API
Searching and accessing Password Safe Managed Systems from the PRA access consoles requires:
A deployed Jumpoint in PRA.
The Password Safe installation must use the same user authentication method as Privileged Remote Access.
The Endpoint Credential Manager software must be version 1.6 or higher.

For integrations with Password Safe Cloud, a resource broker can be installed on the same server as the Jumpoint. For large scale deployments,
these services may need dedicated systems.

https://www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/beyondinsight-password-safe/index.htm 1/1