Mirror Accounts
Mirror Account Concepts
In certain cases it is beneficial to architect device access in such a way that a user accesses a remote asset endpoint using a privileged account tied to that user's own account, instead of sharing one account among all users. In this model each user uses a unique privileged account to access the asset endpoints, while administrators can keep the original user account at least privilege.
There are several benefits of using mirror accounts for privileged access:
- The asset endpoint must track privileged access per individual user, but it is not desirable to elevate each individual user's own permissions on the endpoint.
- The asset endpoint grants different permissions to the privileged accounts associated with different users.
- The network security is designed around the Microsoft Enhanced Security Admin Environment.
To support these scenarios, the session launcher allows a user to select a mirror account, unique to every user, when establishing a WEB Session to the asset endpoint.
The mirror account is selected based on search criteria that the asset owners specify in a custom asset field called Mirror Account. The search criteria may include the user login, name or user directory, giving each user a unique red forest account with which to connect to the destination asset.
What is Enhanced Security Admin Environment
The Enhanced Security Admin Environment (ESAE) architecture (often referred to as red forest, admin forest, or hardened forest) is an approach to provide a secure environment for Windows Server Active Directory (AD) administrator identities.
Designed to protect the most critical assets in the organization, ESAE recommends using special accounts, managed in a separate user directory branch or better yet in a separate Active Directory (the red forest), that mirror the regular user accounts. This approach keeps the regular accounts at least privilege while allowing only the red forest account to access critical infrastructure.
While Microsoft has deprecated the ESAE approach in favor of a traditional PAM architecture to better accommodate cloud and hybrid environments, it remains a popular solution for on-premises networks. In addition, tiered models such as the red forest are applicable to a broad range of non-Microsoft applications.
How to configure Mirror Accounts
- Add a string field called Mirror Account to the asset type that should support mirror account functionality.
- Define search criteria to search for mirror assets. Design the search query so that each user finds a unique asset using these criteria.
The Mirror Account field contains search criteria that may include the following placeholders:
- ${user.name} - is the account name of the currently logged in user.
- ${user.lastName} - is the last name of the currently logged in user.
- ${user.firstName} - is the first name of the currently logged in user.
- ${user.directory} - is the directory name of the currently logged in user.
- ${user.mail} - is the email of the currently logged in user.
For example, when the value ${user.name}-ESAE is specified in the Mirror Account field and the current user login is baker, the session launcher will use the following search condition to search for the mirror accounts: baker-ESAE.
In this example, assume that the asset vault contains a mirror asset that can be found using this search criteria.
When a user starts a WEB Session for an asset with defined Mirror Account search criteria, the session launcher displays the mirror assets found by the specified criteria in the Credential Type field, in addition to member assets and the other options for providing credentials to the session.
When the search criteria generated from the current user profile and the query specified in the Mirror Account field match multiple assets, the first ten of them are presented in the Credential Type list on the Session Launcher screen.
When launched, the application uses the credentials stored on the mirror asset to establish access to the remote asset endpoint.
Note that different users will see different mirror accounts in the session launcher, potentially granting different privileges in the session.
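The placeholder expansion and the uniqueness requirement from the configuration steps above can be checked before rollout. The following Python is an added illustration written for this page, not code from the product or its vendor: it expands the documented ${user.*} placeholders for a user, looks the resolved criteria up in a constructed in-memory vault, caps the result at the ten entries the launcher shows, and audits every user for the zero-match and multiple-match cases that break the "one unique mirror asset per user" design goal. The matching rule (case-insensitive substring on the asset name), the User and Asset records, and all sample users and assets are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Placeholders the Mirror Account field supports (names taken from the page).
PLACEHOLDER_RE = re.compile(r"\$\{user\.(name|lastName|firstName|directory|mail)\}")


@dataclass(frozen=True)
class User:
    """Assumed shape of a user profile; attribute names match the placeholders."""
    name: str        # login name
    firstName: str
    lastName: str
    directory: str   # user directory the account came from
    mail: str


@dataclass(frozen=True)
class Asset:
    """Assumed shape of a vault record; only the name is searched here."""
    name: str


def build_search_criteria(template: str, user: User) -> str:
    """Expand ${user.*} placeholders in the Mirror Account template for one user.

    An empty profile attribute is rejected rather than substituted as "", because
    a template such as "${user.directory}-${user.name}" would otherwise collapse
    into a broader pattern that can match other users' mirror assets.
    """
    def substitute(match: re.Match) -> str:
        attr = match.group(1)
        value = getattr(user, attr)
        if not value:
            raise ValueError(f"user attribute {attr!r} is empty for {user.name!r}")
        return value
    return PLACEHOLDER_RE.sub(substitute, template)


def find_mirror_assets(vault: list, template: str, user: User, limit: int = 10) -> list:
    """Return the mirror assets matching the resolved criteria, at most `limit`.

    Matching rule (assumption, not stated on the page): case-insensitive substring
    match on the asset name. The limit reflects the page's statement that only the
    first ten matches are shown in the Credential Type list.
    """
    criteria = build_search_criteria(template, user).lower()
    matches = [asset for asset in vault if criteria in asset.name.lower()]
    return matches[:limit]


def audit_uniqueness(vault: list, template: str, users: list) -> dict:
    """Report users whose template does not resolve to exactly one asset.

    A user with zero matches cannot connect; a user with several matches may be
    offered a mirror account that is not their own. Both are flagged per login.
    """
    problems = {}
    for user in users:
        try:
            hits = find_mirror_assets(vault, template, user)
        except ValueError as exc:
            problems[user.name] = f"unresolvable template: {exc}"
            continue
        if len(hits) != 1:
            problems[user.name] = [asset.name for asset in hits]
    return problems


# Constructed sample data: mirror assets following the "<login>-ESAE" convention
# used in the page's example, plus a stale duplicate and an unrelated asset.
VAULT = [
    Asset("baker-ESAE"),
    Asset("smith-ESAE"),
    Asset("smith-ESAE-old"),   # leftover record that breaks uniqueness for smith
    Asset("jumphost-01"),
]
USERS = [
    User("baker", "Alice", "Baker", "corp.example", "baker@example.com"),
    User("smith", "Bob", "Smith", "corp.example", "smith@example.com"),
    User("nolan", "Cara", "Nolan", "corp.example", "nolan@example.com"),
]
TEMPLATE = "${user.name}-ESAE"

if __name__ == "__main__":
    print(build_search_criteria(TEMPLATE, USERS[0]))   # baker-ESAE
    print(audit_uniqueness(VAULT, TEMPLATE, USERS))
```

Running the audit over the sample data flags smith (two matching assets, so the launcher would list both) and nolan (no mirror asset at all), while baker resolves cleanly to the single baker-ESAE record.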