Privileged Account Management Use Cases

September 19, 2017

Why automate privileged account management:

  • Protect internal network from inside threats
  • Share server access with remote contractors
  • Store and share digital keys and certificates
  • Discover and reset default passwords
  • Rotate privileged account passwords periodically or after use
  • Decrease attack surface by limiting number of privileged accounts
  • Record sessions to servers and IoT devices
  • Monitor sessions to servers and IoT devices in real time
  • Control elevation of user permissions
  • Monitor and manage access to shared accounts
  • Enable limited permission elevation for regular users
  • Securely access devices in the cloud and in remote datacenters
  • Maintain strong passwords for privileged accounts
  • Discover and lock privileged accounts in the network
  • Delegate execution of privileged commands to regular users
  • Enable multi-factor authentication for local accounts
  • Provide access to cloud networks through a single entry point
  • Remove hard coded passwords from scripts, apps and configuration files


Xton Access Manager Competitive Advantages

August 18, 2017

Xton Access Manager Feature List

August 7, 2017

This is a short list of Xton Access Manager features. I will try to make this list smaller over time. I assume that the reader is more or less familiar with the Privileged Identity and Access Management market; I will have another post introducing this market briefly too. Also, after this feature list I will give a list of the competitive advantages of Xton Access Manager as compared to other players on the market.

Here is what Xton Access Manager does and what it is:

  • Identity Vault (Database for Secrets)
    • Browser accessed storage for accounts, passwords, certificates, keys, sensitive files
    • Folders and records, granular permissions and sharing, custom record types
    • Audit logs, syslog, alerts and notifications, AES-256 encryption
  • Automated Password Reset
    • Custom policies with inheritance
    • Shell, PowerShell, VBScript; domain or local
  • Discovery of Privileged Accounts
    • Continuous monitoring option
  • Access with Protected Identity
    • Session management: RDP, SSH, VNC
    • Session recording and monitoring

XtonTech Database for Secrets

August 1, 2017

One Key to Rule Them All

In an ideal world every person would have a single account used to log in everywhere with some sophisticated form of authentication (maybe a long password, maybe a fingerprint, or something that will be created in the future). This account would be used to authorize launching new equipment at work but also for something like purchasing a new backpack at an eCommerce store at home. Machines would communicate with each other using generated keys, after authorizations given by people using the same accounts they use to launch new equipment or to purchase a backpack.

Maybe we will get there eventually, or maybe we will not because of concerns about too much centralization. The reality is that there are way too many accounts and passwords to remember, and keys and certificates to save, share and find. These accounts come from local (non-domain) computer accounts, IoT devices (printers, cameras, thermostats and even coffee machines) that ship with operating systems and root accounts with factory default passwords, shared portal accounts “for everybody in accounting” to use, application pool or database accounts, shared partner portal accounts and many others.

It is clear that remembering these accounts is not an option, and writing them down in a notebook in an organization spread between multiple offices around the globe is not really an option either. Saving them in text files in some network folder sounds like an idea, but there are better ways to handle this issue using specialized software. Such software used to be pretty complex in the past, but that is not the case anymore. These days a simple Enterprise Identity Manager is a reality, so the topic is worth researching.

Database for Secrets vs Password Vault

Xton Technologies Database for Secrets is secure storage for sensitive information like passwords or certificates. Password managers (like LastPass or KeePass) provide similar functionality for individual users. They usually operate on a client desktop, remembering numerous passwords to internet portals, banks and eCommerce sites.

Xton Database for Secrets is an enterprise version of this concept. It keeps all data in central storage with WEB (browser) access that allows multiple users to share the same information with record level permissions. Moreover, it also has field level permissions, so some users can see all fields in a record but not the password. Why would anyone need to see information about an account but not its password? Because there is another part of Xton Access Manager called Session Manager that can log people into a computer without disclosing the password.

You might think about Database for Secrets as a content management system (like SharePoint Server) with field level permissions and special functionality on top of it. Some people call such a system a Password Vault or Secrets Vault because you can store certificates, credit card numbers, keys, access codes, pictures of access codes, pretty much anything there, not just passwords. The word Vault sounds to me like something from the financial industry, not computer science, so I prefer Database for Secrets.

Automatic Password Reset

When Database for Secrets is implemented in an organization, looking up identity information in this database becomes part of the process, because that information could be different every day. There are many people using the system, and access to computers, certificates and credit card expiration dates might change; certificates could be replaced and keys could be updated. The Database for Secrets becomes the single source of the best known information about sensitive data.

Moreover, since the Database for Secrets knows the passwords to computers, admins can schedule automatic password resets. This adds a completely new level of password protection for the organization. The system can generate very long passwords that are impossible to remember, hard even to write down and very hard to break. Since everybody comes to the Database for Secrets to get the latest password, it does not matter how hard the password is to remember. In addition, many users will access the remote computers using Session Manager without even needing to type the password.

Database for Secrets can change passwords very often, like every day or several times a day. It can also change a password after a certain event (for example after a user requested to see the password from the database). This ensures that passwords are strong and that the majority of the users who need to access a remote system do not even know them.

Passwords for Scripts and Workflows

Modern companies attempt to automate many of their processes, creating scripts and workflows that run without human supervision, moving data between different systems, generating reports or sending notifications. These scripts require access to data in databases or to network resources to produce something useful. Usually, script or workflow developers hard-code the passwords for these resources into the scripts or into configuration files. First, this creates a security issue because all of a sudden it becomes easy to learn passwords or obtain keys to some important data or network devices. Second, it becomes hard to change these passwords or update keys, because afterwards many processes in the organization that rely on the old passwords will stop working. It might be hard to identify and fix them all, and the same problem returns at the next password update.

The best practice for these automation scenarios is to make the script or workflow get the password for the requested resource from the Database for Secrets at run time. This way, the password for the remote resource can be updated often and safely for all background processes. Also, the Database for Secrets will log each request of the password by the script, so its use can be audited.
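The following is an added example, not code from Xton Access Manager, covering the two preceding sections at once: policy-driven generation of long random passwords, rotation triggered by an event (here, a human checking the password back in), an audit trail of every lookup, and a script that reads the current password at run time instead of hard-coding it. The managed device, the reset job and the `db01`/`report_svc` account are constructed stand-ins for this example; in a real deployment the reset job would be the shell or PowerShell job that changes the password on the target.

```python
import secrets
import string
from dataclasses import dataclass

# Constructed stand-in for the managed devices: host -> {user: password}.
# The reset job updates it the way a real shell/PowerShell reset changes
# the password on the device itself.
TARGETS = {"db01": {"report_svc": "Summer2017!"}}


def reset_on_target(host, user, new_password):
    TARGETS[host][user] = new_password


def target_login(host, user, password):
    """Stand-in for opening a session to the device with the given credentials."""
    return TARGETS.get(host, {}).get(user) == password


@dataclass
class Policy:
    length: int = 32
    symbols: str = "!@#$%^&*()-_=+[]{}:,.?"
    rotate_on_checkin: bool = True  # rotate once a human hands the account back


def meets_policy(pw, policy):
    classes = (str.isupper, str.islower, str.isdigit, lambda c: c in policy.symbols)
    return len(pw) >= policy.length and all(any(f(c) for c in pw) for f in classes)


def generate_password(policy):
    """Draw from the OS CSPRNG; reject the rare draw that misses a character class."""
    alphabet = string.ascii_letters + string.digits + policy.symbols
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(policy.length))
        if meets_policy(pw, policy):
            return pw


class SecretsDatabase:
    def __init__(self, reset_job):
        self._reset = reset_job
        self._accounts = {}   # (host, user) -> [current_password, policy]
        self.audit = []       # (host, user, event, detail)

    def onboard(self, host, user, known_password, policy=None):
        self._accounts[(host, user)] = [known_password, policy or Policy()]
        # A freshly discovered default or image password is rotated immediately.
        self.rotate(host, user, reason="onboard")

    def rotate(self, host, user, reason):
        entry = self._accounts[(host, user)]
        new_pw = generate_password(entry[1])
        self._reset(host, user, new_pw)   # push to the device first ...
        entry[0] = new_pw                 # ... only then overwrite the stored copy
        self.audit.append((host, user, "rotate", reason))
        return new_pw

    def lookup(self, host, user, requester):
        """Scripts and the session manager read the current password here."""
        self.audit.append((host, user, "lookup", requester))
        return self._accounts[(host, user)][0]

    def checkin(self, host, user, requester):
        """A human who viewed the password hands it back; policy may rotate it."""
        if self._accounts[(host, user)][1].rotate_on_checkin:
            self.rotate(host, user, reason=f"checkin by {requester}")


# Before: the password lives in the script and breaks at the next rotation.
HARDCODED_PASSWORD = "Summer2017!"


def nightly_report_hardcoded():
    return target_login("db01", "report_svc", HARDCODED_PASSWORD)


# After: the script asks the vault at run time; rotation is invisible to it.
def nightly_report(vault):
    pw = vault.lookup("db01", "report_svc", requester="nightly-report.py")
    return target_login("db01", "report_svc", pw)


def demo():
    vault = SecretsDatabase(reset_on_target)
    vault.onboard("db01", "report_svc", "Summer2017!")
    results = {"hardcoded_after_rotation": nightly_report_hardcoded(),
               "vault_backed": nightly_report(vault)}
    seen = vault.lookup("db01", "report_svc", requester="alice")
    vault.checkin("db01", "report_svc", requester="alice")
    results["old_password_after_checkin"] = target_login("db01", "report_svc", seen)
    results["audit_events"] = [e[2] for e in vault.audit]
    return results


if __name__ == "__main__":
    print(demo())
```

Two details matter in practice: the new password is pushed to the device before the stored copy is overwritten, so a failed reset leaves the vault holding a password that still works; and rotation happens on check-in rather than at the moment a person views the password, otherwise the value they were just shown would be dead before they could use it.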


The admins could also make the Database for Secrets scan the network periodically, trying to log in to network resources using known accounts with popular passwords. These accounts might come from factory defaults (who would have known that the new printer has an account with a factory default password that could be used to hack into the network?). Also, it is customary to build new computers from the same pre-created image, which often has some pre-built accounts. This results in many computers in the network with the same local accounts. Database for Secrets can find these accounts (and do it from time to time) so that admins can convert them to managed accounts, after which the Database for Secrets will start resetting their passwords, or maybe even disable these accounts completely.
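An added example of the discovery scan just described (not Xton's code): a credential dictionary of vendor defaults and image-baked accounts is tried against an inventory, with a per-account attempt cap so the scan itself cannot trigger lockouts, and accounts that answer to the same password on several hosts are flagged as coming from a shared build image. The inventory, the credential list and the `fake_probe` function are constructed for this example; a real probe would authenticate over SSH, WinRM or HTTP and the cap should sit below the targets' lockout threshold.

```python
from collections import defaultdict

# Constructed inventory standing in for the network: host -> {user: password}.
FAKE_NETWORK = {
    "printer-3f": {"admin": "admin"},
    "cam-lobby": {"root": "12345"},
    "ws-101": {"localadmin": "Welcome1!", "svc_backup": "Backup2016"},
    "ws-102": {"localadmin": "Welcome1!"},
    "ws-103": {"localadmin": "Welcome1!"},
    "db01": {"report_svc": "already-rotated-random-value"},  # must not be found
}

# Constructed dictionary: vendor defaults plus the accounts the admins know
# are baked into their own workstation image.
DEFAULT_CREDENTIALS = [
    ("admin", "admin"), ("admin", "password"), ("admin", "1234"), ("admin", "Admin123"),
    ("root", "root"), ("root", "12345"),
    ("localadmin", "Welcome1!"), ("svc_backup", "Backup2016"),
]


def fake_probe(host, user, password):
    """Stand-in for a real login attempt; returns True when the credential works."""
    return FAKE_NETWORK.get(host, {}).get(user) == password


def discover(hosts, credentials, probe, max_attempts_per_account=3):
    """Try each credential on each host.

    Returns (findings, skipped): findings are working credentials; skipped are
    attempts not made because the per-(host, user) cap was reached, so the
    scan never pushes an account over a lockout threshold. Once an account
    answers, no further passwords are tried against it.
    """
    attempts = defaultdict(int)
    found_accounts = set()
    findings, skipped = [], []
    for host in hosts:
        for user, password in credentials:
            key = (host, user)
            if key in found_accounts:
                continue
            if attempts[key] >= max_attempts_per_account:
                skipped.append((host, user, password))
                continue
            attempts[key] += 1
            if probe(host, user, password):
                found_accounts.add(key)
                findings.append({"host": host, "user": user, "password": password})
    return findings, skipped


def image_accounts(findings, min_hosts=2):
    """Same user and password on several hosts points at a shared build image."""
    by_cred = defaultdict(list)
    for f in findings:
        by_cred[(f["user"], f["password"])].append(f["host"])
    return {cred: hosts for cred, hosts in by_cred.items() if len(hosts) >= min_hosts}


def run_scan():
    findings, skipped = discover(list(FAKE_NETWORK), DEFAULT_CREDENTIALS, fake_probe)
    return {
        "findings": findings,
        "skipped": skipped,
        "image_accounts": image_accounts(findings),
    }


if __name__ == "__main__":
    report = run_scan()
    for f in report["findings"]:
        print(f"{f['host']}: {f['user']} still uses a known password")
    for cred, hosts in report["image_accounts"].items():
        print(f"image account {cred[0]} on {len(hosts)} hosts: {', '.join(hosts)}")
    print(f"{len(report['skipped'])} attempts skipped to stay under the lockout cap")
```

Every entry in `findings` is a candidate to onboard as a managed account (and rotate immediately) or to disable; the `image_accounts` grouping tells the admin that fixing the build image is cheaper than chasing each workstation.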


An Enterprise Identity Manager comes in handy to manage company sensitive information and also access to various network resources like computers and databases. Item and field level permissions combined with the audit log and session recordings ensure strong control over what is going on in the organization. Additional features like automated password reset, script and workflow integration as well as periodic discovery of well-known accounts allow administrators to have good control of their networks. Such software used to be pretty complex in the past, but that is not the case anymore. These days a simple Enterprise Identity Manager is a reality.

Welcome Xton Technologies

July 28, 2017

After many successful years at MetaVis, culminating in the acquisition of the business by our fiercest competitor, we decided to entertain ourselves in the area of cyber security. Welcome, Xton Technologies, the company that builds, markets and distributes enterprise privileged account management software including:

  • Database for secrets that enables permission based sharing of secret information like passwords and security certificates for employees, contractors and scripts
  • Policy driven password reset
  • Centralized script execution for Windows, Unix and IoT devices
  • Agentless access to network resources without disclosing passwords or keys to end users, capable of recording and monitoring RDP, VNC or SSH sessions.
  • Privileged account discovery

I will spend more time in the following posts discussing various aspects of this innovative software. For now, let’s enjoy the variety of love locks on the Salzburg bridge in the picture below, symbolizing the patches of cyber security implemented by a typical enterprise in an attempt to match the speed of the modern world.

Makartsteg Bridge

Also, visit our WEB site, help us spread the word, like our LinkedIn page, download the installer from our WEB site to try the software, or recommend us to someone who might be interested.

MetaVis for Drives: Blurring Lines Between Local and Cloud Storage

July 21, 2014

The “MetaVis for Drives” edition brings common migration, backup, import, export, administration and monitoring functions to popular storage locations like SharePoint, Microsoft OneDrive for Business, Google Drive and Network Shares. Besides specific functions available for individual storage areas, the Drives edition aims to unlock the content in specific vendors’ storage, allowing content visibility and mobility between vendors’ applications and between local and cloud.

The Drives edition makes the following functionality available.

  1. Connect to Microsoft OneDrive for Business, Google Drive and SharePoint locations, both individual drives and all users in a corporate account, using a single service administrator login, with the ability to browse the account structure and the content in individual users’ personal locations using a tree structure metaphor;
  2. Mass copy individual items from the File System to OneDrive for Business, Google Drive and SharePoint locations, optionally preserving folder structure, fixing illegal characters and preserving retention and authoring properties;
  3. Mass copy individual items between Microsoft OneDrive for Business, Google Drive and SharePoint locations, optionally preserving folder structure, fixing illegal characters, preserving retention and authoring properties as well as preserving, mapping and enhancing metadata when applicable;
  4. Mass copy multiple users’ personal spaces from Google Drive, File Shares and SharePoint My Sites to OneDrive for Business, optionally preserving folder structure, fixing illegal characters and preserving retention and authoring properties;
  5. Back up OneDrive for Business and Google Drive users’ content from a central location with a single login to local file shares, Amazon S3 or Azure storage;
  6. Monitor an OneDrive for Business tenancy and generate actionable Administrator Dashboard reports on current status and trends in storage distribution and user activity;
  7. Perform an Informant content scan of OneDrive for Business content, applying policy groups with configurable rules and actions for pattern, PII, PHI, URL and vocabulary keyword detection;
  8. Mass provision multiple OneDrive for Business personal sites using a single login from a central location;
  9. Mass detect and remove OneDrive for Business personal site owners.

Please visit to learn more about the functionality of the MetaVis Platform.

MetaVis Feature of the Day: OneDrive for Business Management

June 24, 2014

The OneDrive for Business management screen is a part of the MetaVis Platform. This simple wizard displays all users in an Office 365 tenancy with information about whether an OneDrive for Business personal site has been created for each user. The wizard allows exporting this information as a report to an Excel spreadsheet. The wizard also allows mass provisioning of OneDrive for Business personal sites for multiple selected users.

In addition to this, the MetaVis OneDrive Management Suite can help load content into users’ personal sites from a central administrator location, sourcing it from file systems, network shares, shared on-premises or hosted SharePoint sites, Google Drive, SharePoint My Sites or other OneDrive personal sites.

Please visit to read more about the MetaVis OneDrive Management Suite.

MetaVis Feature of the Day: SharePoint Visual Topology

June 23, 2014

SharePoint Farms as well as Office 365 tenancies have complex hierarchical structures. Many products of the MetaVis Platform organically, by virtue of how the software is organized, provide a neat way to visualize this structure. Almost every product of the MetaVis Platform allows exploring SharePoint Farms starting with Central or Tenant Administration and drilling down to WEB Applications, Site Collections, sub-site hierarchies, lists and the folder trees inside the lists, displaying all these objects as nodes of a tree on the screen.

True, the main objective of the platform is to perform actions on these hierarchies, like moving or migrating sites, backing up site collections or managing security. However, the mere capability to visualize the farm structure on the screen, with interactive expanding of any node, WEB Application and folder alike, is a valuable addition to the SharePoint administrator’s toolbox. The MetaVis Architect Suite can even visualize site content types, fields and list relationships, as well as the site map of a site collection, on a graphical two-dimensional entity-relationship diagram.

All these functions work well with all SharePoint versions, with no server side agent installed on the servers, for on-premises, cloud or Office 365 environments.

Please visit for more information about the MetaVis Architect Suite for SharePoint.

MetaVis Feature of the Day: Actions in Administrator

June 19, 2014

The MetaVis Administration Suite is not just a monitoring and reporting application (which is an interesting function by itself). The real power of MetaVis Administrator is in the ability to change the SharePoint environment for multiple selected objects at a time. Using the software, SharePoint administrators can mass change list properties like versioning or content approval settings, grant or revoke permissions, back up or archive sites and even move lists to another location, all of it for multiple objects simultaneously. This is a real time saver.

At the same time, graphical interactive dashboards allow quickly locating objects that need attention by drilling down through farm or tenancy hierarchies looking for specific parameters like rate of change or volume of access.

The MetaVis Administration Suite works for on-premises and cloud SharePoint servers alike, including Office 365 and OneDrive for Business tenancies. It requires no server side installations even for on-premises servers and is a perfect choice for managing hybrid on-premises and cloud environments.

Please visit for more information about the MetaVis Administration Suite.


MetaVis Feature of the Day: Organize SharePoint Farms

June 18, 2014

Left in an ungoverned state where too many people can create sites, SharePoint farms tend to grow into disorganized structures that are hard to navigate, manage and secure. Sometimes this is not bad: in the initial phase of introducing SharePoint to an organization it might be desirable to have this organic, almost viral, growth of SharePoint use. Introducing governance policies and rules helps to keep further farm growth organized. However, the existing disorganized structure remains. The MetaVis Migration Suite provides an excellent way to restructure existing SharePoint farms into a new, manageable scheme.

For example, take a sub-site somewhere deep in the site hierarchy and promote it to a new site collection together with all its sub-sites, lists, content, permissions and even navigation and look and feel. Alternatively, do the opposite: take a site collection and move it as a whole to become a sub-site of another site collection. The MetaVis Migration Suite can help to rearrange lists from different sites or site collections into a single location. It can also help to split a large and messy site into several logical sub-sites or site collections, every time taking vital structural information like permissions, fields, content types and workflows along with the lists and sites to their new location.

The MetaVis Migration Suite works with on-premises and hosted SharePoint alike, including Office 365 shared sites and OneDrive for Business tenancies. The desktop application is easy to install (no server side agents required) and looks much like Windows Explorer, offering a hierarchical representation of SharePoint farms with an intuitive drag-and-drop or copy/paste interface.

Please visit for more information about the MetaVis Migration Suite.