Large Hospital System

Eradicating Pass-the-Hash Risks with High-Security Architecture

Background & Challenge

With cyberattacks against the healthcare sector on the rise, IT teams must remain highly vigilant against the evolving tactics of malicious actors. To strengthen its defensive posture, a major hospital recently upgraded its use of RankEZ PAM from a basic enterprise password vault to a comprehensive privileged access management (PAM) platform.

The shift was prompted by routine penetration testing, which uncovered operational practices that left privileged passwords vulnerable to capture. Specifically, when Domain Administrators connected to remote endpoints to troubleshoot issues, they inadvertently left password hashes behind. This created an opening for Pass-the-Hash attacks, allowing hackers to potentially scrape system memory and infiltrate the network as privileged users. According to a Senior Systems Analyst at the hospital, RankEZ PAM combined with a structured tiering model now serves as their primary defense to prevent these compromises.

Solution

High-Security Architecture and Tiering

The hospital has been a RankEZ customer since 2012, originally utilizing RankEZ PAM solely for managing encryption keys before expanding its role to secure all passwords and enforce complexity policies for privileged and service accounts. To address the vulnerabilities identified in penetration tests, the security team implemented Microsoft’s Privileged Access Workstations (PAWs). This credential tiering system isolates critical administrative applications on dedicated privileged workstations, while routine tasks are routed through remote desktop services.

The hospital relies on a strict three-tier architecture:

  • Tier 0: Domain Admins

  • Tier 1: SysAdmins

  • Tier 2: Users and developers

To ensure that their PAM best practices effectively aligned with this new tiering system, the hospital worked with RankEZ's professional services team. Together, they validated the RankEZ PAM deployment, ensuring secure web interfaces and proper Remote Desktop Protocol (RDP) configurations. The rollout started with Tier 0, expanded to Tier 1, and eventually became mandatory for all technical and development teams. Today, RankEZ PAM rotates passwords automatically every day without disrupting operations, while credential checkout features and two-factor authentication provide additional security.
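The finding that started this project was a Tier 0 account leaving its hash on a lower-tier endpoint. The following is an added detection example, not code from the hospital or from RankEZ: it takes constructed logon records in a simplified key=value form (modelled on the fields of Windows Security event 4624), and flags interactive or RDP logons where the account's tier is more privileged than the host's tier. Account names, host names and tier assignments are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed tier assignments (hypothetical names); lower number = more privileged.
ACCOUNT_TIER = {"CORP\\da-alice": 0, "CORP\\sa-bob": 1, "CORP\\carol": 2}
HOST_TIER = {"DC01": 0, "APP01": 1, "WS-CAROL": 2}

# Logon types that leave credential material in LSASS on the target host:
# 2 = Interactive (console), 10 = RemoteInteractive (RDP). Type 3 (Network)
# is excluded because it does not cache the caller's credentials there.
CACHING_LOGON_TYPES = {2, 10}

@dataclass(frozen=True)
class Logon:
    account: str
    host: str
    logon_type: int

def parse_logon(line: str) -> Optional[Logon]:
    """Parse one constructed 'EventID=4624 Account=... Host=... LogonType=N'
    line; return None for anything that is not a successful-logon event."""
    fields = dict(part.split("=", 1) for part in line.split())
    if fields.get("EventID") != "4624":
        return None
    return Logon(fields["Account"], fields["Host"], int(fields["LogonType"]))

def tier_violations(lines):
    """Return (account, host) pairs where an account logged on interactively to a
    host of a lower (less privileged) tier, i.e. exposed its hash below its tier."""
    findings = []
    for line in lines:
        lg = parse_logon(line)
        if lg is None or lg.logon_type not in CACHING_LOGON_TYPES:
            continue
        acct_tier, host_tier = ACCOUNT_TIER.get(lg.account), HOST_TIER.get(lg.host)
        if acct_tier is None or host_tier is None:
            continue  # unmapped principal or host: inventory gap, not a tier finding
        if acct_tier < host_tier:
            findings.append((lg.account, lg.host))
    return findings

# Constructed sample events (not real hospital logs).
SAMPLE = [
    "EventID=4624 Account=CORP\\da-alice Host=DC01 LogonType=10",      # Tier 0 -> Tier 0: fine
    "EventID=4624 Account=CORP\\da-alice Host=WS-CAROL LogonType=10",  # Tier 0 RDP to Tier 2: finding
    "EventID=4624 Account=CORP\\sa-bob Host=WS-CAROL LogonType=3",     # network logon: no cached creds
    "EventID=4624 Account=CORP\\carol Host=WS-CAROL LogonType=2",      # Tier 2 -> Tier 2: fine
    "EventID=4634 Account=CORP\\da-alice Host=DC01 LogonType=10",      # logoff event: ignored
]
```

Fed the SIEM's 4624 stream with the organisation's real tier inventory in place of the two dictionaries, the same check gives the dashboard described below a concrete "cross-tier logon" count rather than an abstract penetration-test finding.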

Distributed Engines

To meet the hospital's rigorous security standards, the IT team deployed Distributed Engines, a Windows service that processes background tasks like password rotation, discovery, and heartbeats. The architecture utilizes one Distributed Engine for Tier 0 and another for Tier 1, which are connected exclusively via an encrypted RDP tunnel. This ensures that passwords remain invisible across tiers and that direct access between them is impossible.

This enterprise-scale setup has significantly enhanced RankEZ PAM's performance. Web servers are now dedicated entirely to front-end management and user logins, while the Distributed Engines handle heavy backend processing, allowing for faster logins and simultaneous password changes across the network.

Benefit

Since implementing this high-security architecture alongside RankEZ's top-tier PAM solution, the hospital consistently passes penetration tests without any password-related vulnerabilities.

The IT team has successfully integrated RankEZ PAM into their SIEM infrastructure for centralized data analysis, creating custom dashboards to visualize syslogs and track thousands of successful, secure connections. Furthermore, this visual approach has helped hospital executives instantly grasp the value of the security design. While previous penetration tests highlighted abstract problems, seeing the tiering model and RankEZ PAM working together has provided leadership with a clear understanding of their multi-layered security investments.

Quote

“If we didn’t use RankEZ PAM and work within this tiering model, our environment would be easily compromised. It’s our mitigation against Pass-the-Hash,” said the Senior Systems Analyst for IS Infrastructure Services at the hospital.

Additionally, highlighting the satisfaction of hospital executives with the clear value of the security design, the same analyst noted: “Now, I show them the security design and they get it immediately. They see the tiering model and they see RankEZ PAM right in there. A picture is worth a thousand words.”
