Base Passwordstate Installation in Azure and AWS

Passwordstate is marketed as an on-premise web based solution for Enterprise Password Management.  However, “on-premise” doesn’t really mean it has to be hosted in a physical brick and mortar location.  On-premise really means a “location” where you are in control of network access to the product, can configure the physical or virtual resources that service the product, and are responsible for granting permissions to known individuals and groups so they can access the data stored within Passwordstate.

Based on this you can, if you choose to, host Passwordstate within a Cloud Service where that Cloud Service provides an extension to your own network, account directory and credentials.  Click Studios has tested and supports hosting of Passwordstate within both Azure and AWS.

The installation for Passwordstate is pretty much the same regardless of where you install it.  The majority of the changes relate to the configuration of the cloud platform.  This Blog will show you the key setup areas required to host Passwordstate on these platforms.

Hosting Passwordstate on Microsoft Azure

The specifics of your Passwordstate server will be dependent on your workload and the number of Users and Credentials stored within Passwordstate.  The System Requirements can be located here https://www.clickstudios.com.au/passwordstate-system-requirements.aspx and apply to both on-premise and virtual implementations.  As an indication our own Azure based instance has the following characteristics.

You have a number of options when it comes to SQL Server for your Azure hosted Passwordstate instance.  If you’ve simply provisioned an Azure Windows Server, and want to host your web and database server on the same machine, you can follow the standard installation instructions, located on the Documentation page on our website here https://www.clickstudios.com.au/downloads/version9/Installation_Instructions.pdf.  Alternatively, you may want to take advantage of the other services available within Azure such as the Azure SQL.  Azure SQL is Microsoft’s fully managed cloud relational database service that shares the same code base as their traditional SQL Server offerings.

One key point when setting up Passwordstate in Azure is that our installer is unable to create the blank database, used during setup of Passwordstate, if you have elected to use Azure SQL.  The database-creation steps in our installation instructions that use the SQL Management Studio Tools also do not apply.  Instead, you’ll need to login to Azure and create the blank database in Azure SQL by navigating to SQL Databases:

Now create a new database by clicking on Create and then Create SQL database,

This will take you to the Create SQL Database screen.  Set the Database name to passwordstate and choose an existing Azure SQL Server to host this database.  If you do not have an existing SQL Server in Azure you’ll need to create one and assign a Server Admin.  Take note of the Server Admin details as you’ll need these credentials to connect with the SQL Management Studio Tools in one of the following steps.  Also note that the Azure SQL server firewall must allow the IP address of the machine you connect from, otherwise the connection will be refused.

Next, you’ll need to create a SQL login called passwordstate_user.  In Azure SQL, logins are created in the master database, so connect with the SQL Management Studio Tools using the Server Admin credentials, right click the master database and select New Query.  Then copy and paste the following into the window and click Execute:

CREATE LOGIN passwordstate_user WITH PASSWORD = '<choose a password>'

GO

Now, you’ll need to assign db_owner rights for the passwordstate_user account to the Passwordstate database you’ve previously created.  To do this right click on the Passwordstate database, select New Query and run the following;

CREATE USER passwordstate_user FOR LOGIN passwordstate_user WITH DEFAULT_SCHEMA=[dbo]

GO

EXEC sp_addrolemember 'db_owner', 'passwordstate_user';

GO

Now when you install Passwordstate, for the Database Settings step make sure to select the second tab, “connect to blank database”, and choose Microsoft Azure, entering your Azure SQL Database Server Name, SQL Server Instance Name, Database Name, and the passwordstate_user account and password you created.  Passwordstate will then proceed to populate the created database and the install will then finish as normal.

Hosting Passwordstate on AWS

When it comes to the database requirements for Passwordstate hosted in AWS you can select the database engine to be SQL Server Express, SE (Standard Edition) or EE (Enterprise Edition) depending on your requirements.  You’ll need to create a Database Instance in AWS.  When logged in to the AWS console, select Services and click on RDS as per the image below;

This allows you to create the RDS based on your choice of either SQL Server Express, SE or EE.  Click on Get Started Now, and then select the Database Engine that best suits your requirements.  In the example below I’ve selected the SQLExpress 2019 version;

Next, create a DB instance identifier name of anything you like.  In the example we’ve called it passwordstate.  Then create a Master username that you will use to administer this instance.  By default, the username is admin.  Take note of the password you are setting for this account:

Next, on the Connectivity screen, select ‘Yes’ for Public Access.  This gives the instance a publicly resolvable endpoint so you can connect to it from outside the VPC, for example from the workstation you run the SQL Management Studio Tools on.  Reachability is still governed by the VPC security group attached to the instance, so limit inbound TCP 1433 in that security group to the Passwordstate webserver and your management hosts rather than leaving it open to the whole internet,

You should now be able to create your database.  Once it’s created, you can now connect to it using SQL Management Studio Tools.  This official Amazon guide shows how to find your connection details, and establish a connection: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ConnectToMicrosoftSQLServerInstance.html

Once you are connected, you will be able to use the SSMS tools to create the empty database, and a SQL account used for the connection between the Passwordstate website and the AWS RDS database.  To do this right click on Databases and select New Database,

Call the database “passwordstate” and click OK,

Next, expand Security, right click on Logins and select New Login,

Select the account type as SQL Server authentication, and set the Login name to be passwordstate_user.  Now choose a strong password and click OK,

Now select the User Mapping menu, and assign the db_owner rights to the passwordstate database.  Click OK to save this,

Now when you install Passwordstate, for the Database Settings step make sure to select the second tab, “connect to blank database”, and choose Amazon RDS, entering your Amazon instance endpoint in the Database Server Name field, the Database Name, and the passwordstate_user account and password you created.

Passwordstate will then proceed to populate the created database and the install will then finish as normal.
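The database account steps for both the Azure SQL and Amazon RDS procedures above, scripted as an added example (this is not Click Studios’ code and not part of the installer).  It assumes the blank database already exists, that the SqlServer PowerShell module (version 21.1 or later, for the -Credential parameter) is installed, that your client IP is allowed through the Azure SQL firewall or the RDS security group, and that $Server, the admin credential and the passwords are your own values.  The script creates the login in master, maps it as db_owner of the database, and then verifies the result by connecting as passwordstate_user, which is exactly what the installer will do.

```powershell
# Added example, not Click Studios code: provision the Passwordstate SQL account on Azure SQL
# or Amazon RDS for SQL Server and verify it. $Server, credentials and passwords are your own.
param(
    [Parameter(Mandatory)][string]$Server,   # e.g. myserver.database.windows.net or xxxx.rds.amazonaws.com
    [string]$Database = 'passwordstate',
    [string]$AppLogin = 'passwordstate_user',
    [switch]$TrustServerCertificate           # testing only; install the RDS CA bundle instead
)
Import-Module SqlServer -ErrorAction Stop

$adminCred   = Get-Credential -Message "Server Admin (Azure) or master user (RDS) for $Server"
$appPassword = Read-Host -Prompt "Password for $AppLogin" -AsSecureString
$appPlain    = (New-Object System.Net.NetworkCredential('', $appPassword)).Password
# CREATE LOGIN takes no parameters, so the literal must be escaped the only way T-SQL allows.
$escaped     = $appPlain.Replace("'", "''")

$common = @{
    ServerInstance         = $Server
    EncryptConnection      = $true
    TrustServerCertificate = $TrustServerCertificate.IsPresent
    ErrorAction            = 'Stop'
}

# 1. Logins live in master on both platforms (Azure SQL has no cross-database USE).
Invoke-Sqlcmd @common -Credential $adminCred -Database master -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.sql_logins WHERE name = N'$AppLogin')
    CREATE LOGIN [$AppLogin] WITH PASSWORD = N'$escaped';
"@
$appPlain = $null; $escaped = $null

# 2. The database user and its db_owner membership live in the target database.
#    ALTER ROLE ... ADD MEMBER is the current form of sp_addrolemember 'db_owner'.
Invoke-Sqlcmd @common -Credential $adminCred -Database $Database -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$AppLogin')
    CREATE USER [$AppLogin] FOR LOGIN [$AppLogin] WITH DEFAULT_SCHEMA = [dbo];
IF ISNULL(IS_ROLEMEMBER('db_owner', N'$AppLogin'), 0) = 0
    ALTER ROLE db_owner ADD MEMBER [$AppLogin];
"@

# 3. Verify as the application account itself, the same connection the installer will make.
$appCred = New-Object System.Management.Automation.PSCredential($AppLogin, $appPassword)
$check = Invoke-Sqlcmd @common -Credential $appCred -Database $Database -Query @"
SELECT DB_NAME() AS DatabaseName, SUSER_SNAME() AS LoginName,
       IS_ROLEMEMBER('db_owner') AS IsDbOwner;
"@
if ($check.IsDbOwner -ne 1) { throw "$AppLogin connected but is not db_owner of $Database" }
$check | Format-List
```

Run it from the same machine you used for the SQL Management Studio Tools, so that the firewall or security group rule you created for that machine also covers the script.  If step 3 fails with a login error while steps 1 and 2 succeeded, the usual cause is a password that does not meet the server’s complexity policy, which CREATE LOGIN reports only at creation time.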

Migrating Existing Passwordstate Instances to the Cloud

The above details can also be used when migrating from an on-premise instance to the cloud.  Just remember to follow the documentation, located under Passwordstate General Administration here https://www.clickstudios.com.au/documentation/.  The documents you want are Moving Passwordstate To A New Database Server and Moving Passwordstate To A New Web Server, and the instructions need to be performed in that order.  Finally, please remember to complete and verify the migration before decommissioning your existing instance.

Have feedback, then we’d love to hear it via support@clickstudios.com.au.

Performance Improvements – How to Troubleshoot and Resolve Issues

From time to time we receive support requests from customers having performance issues with Passwordstate.  In a significant number of cases the issues contributing to, or even the direct cause of the performance issues, are related to configuration or environmental considerations within a customer’s network.

To begin with, let’s recap on a set of very simplified installations.  The following image outlines 2 different Passwordstate installations that are typically encountered by our Technical Support Team;

The top of the image above shows a simple Passwordstate instance, with the webserver and database installed on the same Windows Server.  This could be either a physical or virtual server.  In this example the customers client PCs are connected via Wi-Fi to a simple Switch with in-built Wi-Fi.   

The bottom of the image shows a larger setup, with dedicated Passwordstate webservers deployed in High Availability mode and a stack of virtual servers.  In this example the webserver and database servers are installed on separate Windows Servers and all members in the example are connected over a traditional ethernet network.  The Passwordstate webservers sit behind a load balancer.

In all instances, when a user has been authenticated and navigates to a screen in Passwordstate, the page rendered in their web browser is built from the HTML for that screen on the webserver, the permissions they have been assigned as recorded in the SQL database, and the results of the SQL query for the data they are requesting.  This by necessity requires multiple interactions (queries and responses) between the webserver and the SQL database before the results are rendered in the user’s web browser.

Common Performance Issue Symptoms

Using the 2 typical implementations above, we are on occasion advised that users are experiencing performance issues.  These can typically be broken down into the following types of performance issues;

  • Overall responsiveness in Passwordstate
  • Slowness in navigating through Folders and Password Lists
  • Passwordstate sessions abruptly terminated
  • Features not working correctly or at all

There is some overlap between the underlying causes of the above, and a number of these can, when they occur together, result in a significant impact to the performance of your Passwordstate implementation.

Examples of Approach to Issue Identification and Resolution

The following are examples of approaches toward identifying the underlying cause of the performance issues and resolving these. 

Overall Responsiveness:  The overall responsiveness in Passwordstate can depend on a number of factors.  This includes;

  • network connectivity between the client PC, the Passwordstate webserver and the SQL database
  • the number of Folders and Password Lists on the Passwords Tab and Folders and Nodes on the Hosts Tab
  • misconfiguration of any Load Balancers and Reverse Proxies
  • an excessive number of entries in the auditing table

To test and resolve these, it’s recommended to;

  • confirm whether the issue with responsiveness is widespread or confined to only some users
  • verify there are no inherent network connectivity issues between the client PC, the Passwordstate webserver and the SQL database
  • test local authentication as opposed to Cloud based SAML authentication
  • develop and test a User Account Policy that applies Load on Demand and Node Capping
  • review and remove unnecessary Folders and empty Password Lists
  • reduce the size of your auditing table to less than 500,000 entries by archiving
  • bypass the Load Balancers and/or Reverse Proxies.  If this resolves the issue please liaise with the vendor supporting these

Slow Navigation with Passwordstate:  This is usually affected by the number of Folders and Password Lists on the Passwords Tab and Folders and Nodes on the Hosts Tab.  As an example, on the Passwords Tab you have a folder hierarchy with 1000 Folders and underneath each of these a number of Password Lists.  By default, when you navigate to the Passwords Tab the underlying query will validate your access to view and then retrieve the details of the 1000 folders, along with the Password Lists contained within these folders.  This produces a substantial amount of data that will then need to be rendered within your web browser.  It can also be affected by;

  • setting the password records display grid to a very large number of records
  • poorly behaved Anti-Virus software

To test and resolve these, it’s recommended to;

  • again, confirm if the issue is widespread or confined to some users
  • set your Password Records display grid to no more than 10 records
  • use the Search capability to locate the Password Record rather than browsing through Folders, Password Lists and long display grids
  • use a User Account Policy that applies Load on Demand and Node Capping
  • review and remove unnecessary Folders and empty Password Lists
  • test if your Anti-Virus software is the cause by temporarily setting exclusions on the Passwordstate folder structure on your webserver.  You can also temporarily disable the AV software to test this.  Please note if this resolves the issue you should enable your AV software and remove any exclusions before contacting the vendor for a permanent fix.
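The connectivity, SQL latency, auditing-table and Anti-Virus checks from the two lists above, gathered into one script as an added example (not Click Studios code).  It is meant to be run on the Passwordstate webserver under an account that can read the database.  The values of $SqlServer, $WebHost and $InstallDir are placeholders, the auditing table name dbo.Auditing is an assumption you should confirm against your own database, and the Anti-Virus check only covers Microsoft Defender because that is the engine PowerShell can query without a vendor module.

```powershell
# Added example, not Click Studios code: one-pass health check for the causes listed above.
# Placeholders: $SqlServer, $WebHost, $InstallDir, and the assumed table name dbo.Auditing.
param(
    [string]$SqlServer  = 'sql01',
    [string]$Database   = 'passwordstate',
    [string]$WebHost    = 'passwordstate.example.local',
    [string]$InstallDir = 'C:\inetpub\Passwordstate',
    [string]$AuditTable = 'dbo.Auditing',        # assumption: confirm the name in your database
    [int]$AuditLimit    = 500000                 # threshold recommended in the list above
)
Import-Module SqlServer -ErrorAction Stop

# 1. Raw reachability: the website on 443 and SQL on 1433 from this machine.
foreach ($t in @(@{ Host = $WebHost; Port = 443 }, @{ Host = $SqlServer; Port = 1433 })) {
    $r = Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
    '{0}:{1} TCP {2}, ping {3} ms' -f $t.Host, $t.Port, $state, $r.PingReplyDetails.RoundtripTime
}

# 2. SQL round-trip latency: every page render pays this several times over.
$probe = @{ ServerInstance = $SqlServer; Database = $Database; Query = 'SELECT 1 AS Ok'; ErrorAction = 'Stop' }
$sw = [System.Diagnostics.Stopwatch]::StartNew()
Invoke-Sqlcmd @probe | Out-Null
$first = $sw.ElapsedMilliseconds
$sw.Restart()
1..20 | ForEach-Object { Invoke-Sqlcmd @probe | Out-Null }
'SQL: first connection {0} ms, then {1:N1} ms per query over 20 queries' -f $first, ($sw.ElapsedMilliseconds / 20)

# 3. Auditing table size from partition statistics (instant, unlike COUNT(*) on a large table).
$rows = (Invoke-Sqlcmd -ServerInstance $SqlServer -Database $Database -ErrorAction Stop -Query @"
SELECT SUM(row_count) AS RowTotal FROM sys.dm_db_partition_stats
WHERE object_id = OBJECT_ID(N'$AuditTable') AND index_id IN (0, 1);
"@).RowTotal
if ($null -eq $rows) { Write-Warning "$AuditTable not found; check the table name" }
elseif ($rows -gt $AuditLimit) { Write-Warning "$AuditTable has $rows rows (> $AuditLimit): archive it" }
else { "$AuditTable has $rows rows" }

# 4. Anti-Virus (Microsoft Defender only): is the Passwordstate folder currently excluded?
#    An exclusion is a temporary test, not a fix; remove it before contacting your AV vendor.
if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
    $excluded = (Get-MpPreference).ExclusionPath -contains $InstallDir
    "Defender: $InstallDir excluded = $excluded"
}
```

A first-connection time of a few hundred milliseconds followed by per-query times of a few milliseconds is normal on a LAN; per-query times in the tens of milliseconds or worse point at the network path or the SQL host rather than at Passwordstate.  Run the same script from a client PC (skipping step 3 if that account cannot read the database) to compare the two paths when only some users are affected.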

Passwordstate sessions abruptly terminated:  This is usually caused by either badly behaved Anti-Virus software or Windows Patching having installed patches that require a subsequent reboot.  Windows patching has in some cases caused Passwordstate sessions to intermittently fail.    Some Anti-Virus Software products are known to kill sessions in IIS with the following types of error being reported in Passwordstate Error Console screen;

  • It appears the user’s session in IIS has been prematurely ended, causing the following error
  • Object variable or With block variable not set
  • Error Code = Incorrect syntax near the keyword ‘DEFAULT’
  • Error Code = Thread was being aborted
  • ApplyScreenCustomisations
  • There was an issue validating both the AuthToken session variable and cookie
  • The parameterized query
  • Specified argument was out of the range of valid values in conjunction with ApplyScreenCustomisations()

Some Reverse Proxies and Load Balancers can also cause these errors.  In order to rule these out please bypass them and monitor the Error Console.

Features not working correctly:  The single biggest cause of Passwordstate features, such as Self-Destruct Messages, Password Reset Portal, API issues, SAML Authentication and HA polling not working correctly is misconfigured Load Balancers and Reverse Proxies.  To determine if these are negatively impacting on the functioning of Passwordstate please bypass them and retest.

By working through some basic troubleshooting steps you can usually find what is causing the underlying performance issues with your instance.  If you are still experiencing issues after having worked through the above, or there are other errors being reported in the Error Console then please send these through to support@clickstudios.com.au for assistance.

Once again if you have feedback, we’d love to hear it via support@clickstudios.com.au.

Mitigating The Need for Internet Access

Mobile Client support, introduced back in Passwordstate 6.2 (2013), enabled access to your password credentials from iOS, Android, Windows Phones and Blackberry devices.  Its primary focus was providing remote access to managed credentials while away from your normal place of work, be it your day-to-day PC or LAN, or while out of the physical office. 

The architecture required a Mobile Gateway, installed on either your main Passwordstate webserver, or optionally, on a separate webserver hosted in your DMZ (Demilitarized Zone) talking back to your main Passwordstate instance. Once configured within Passwordstate, all that was required was a supported mobile device, capable of HTML5 rendering via its web browser.  Users would effectively log in to Passwordstate, via the Mobile Gateway, using their UserName and the preconfigured PIN.

Under this architecture a user would access credentials live against their Passwordstate instance.  The implications being that network coverage using either, a WiFi connection for access inside your network, or cellular connection for access outside of your network, was required.  If there wasn’t an active network connection, you couldn’t talk to the Passwordstate instance, and you couldn’t access your credentials.    

Replacement under Version 9

The approach to mobile device access under V9 has been completely redesigned and the original Mobile Client support, as it existed from Version 6.2 through 8.9, has been deprecated.

The new architecture requires the installation of a Passwordstate App Server.  This replaces the previous Mobile Gateway and is an extensible platform for future requirements.  Under the new architecture the App Server brokers the connectivity between the client device and the Passwordstate instance.  The App Server can again be installed on your main Passwordstate instance, or on a webserver within your DMZ.

The smartphone clients are now purpose-built iOS and Android apps that authenticate using an independent credential set.  The smartphone apps allow the password records a user is authorized to access to be stored locally on the smartphone, within an encrypted cache.  Security has been strengthened, including the option of using the smartphone’s biometric capability when accessing the data within the encrypted cache.  All authentication and access of credentials is audited and synced back automatically to Passwordstate on the next connection.

Advantages of the new Architecture

From a usability perspective the primary benefit of the new architecture is that all the password credentials, and only those that the user has been authorized access to, can now be stored in an offline encrypted cache on their device.  This effectively provides the user with access to the credentials anywhere, anytime and regardless of the need for an active network connection. 

This cache is valid for the number of days set by the option “Specify the number of days the user can access their offline cache before they need to re-authenticate again to the Passwordstate App Server”.  This is set globally under Administration->System Settings->mobile access options->Mobile App Settings, or per user under Administration->User Accounts->“select a user”->Edit User Details->Mobile Access Options, with the per-user value overriding the global setting for that user.

Please note that every time the user performs a sync within the Mobile App the time to live for the offline cache will be reset back to the specified number of days for that user.

From a security perspective the biggest benefit is that you potentially no longer need the Passwordstate server running the “mobile gateway” to be internet facing.  As long as your staff have internal network access to the Passwordstate App Server, and can resync their offline encrypted cache before it is due to be wiped, then Passwordstate itself may not need to be internet facing at all.

Note that this currently only applies to the use of the Mobile App.

Levels of Security on the Mobile App

There are a number of levels of security associated with the use of the Mobile App, ranging from the length of time an offline cache can remain valid and the password strength required for each user’s Master Password, through to protection against brute force, dictionary and man-in-the-middle attacks.

Add to this the previously mentioned biometric capability of most current smartphones, and access to the offline cache is kept secure.

How to Source and Install the App Server

To source and install the App Server you need to be on Passwordstate Version 9.  Simply navigate to Administration->System Settings->mobile access options and click on the Download App Server Installer.  Both the installer file and install guide are sourced from your existing Passwordstate Installation and the file is located under \inetpub\Passwordstate\downloads,

If you don’t have V9 installed then you’ll first need to perform a Manual Upgrade to Version 9.  Instructions for this can be found at https://www.clickstudios.com.au/documentation/ under Upgrade Instructions on the page.

The use of the Passwordstate App Server and native iOS and Android apps can mitigate the risk of having your Passwordstate instance internet facing in some use cases.  Each organization should look at their usage requirements and perform internal risk assessments to ensure their design, risks and associated mitigating factors are appropriate for their business.

Once again if you have feedback, we’d love to hear it via support@clickstudios.com.au.

One Time Passwords and The Browser Extension

This week’s blog almost sounds like a modern take on one of Aesop’s fables, except instead of featuring animals with human attributes we’re using a modern “technology take” on the story.  There’s no moral taught in this story (blog), just another nifty feature to make your life easier.

Most Users of Passwordstate that have created Password Lists would know that there are a number of templates that can be used when creating them.  You don’t have to use these, however for those of us that don’t regularly create Password Lists, the Add Shared Password List Wizard can streamline the creation and permissions processes.

Add Shared Password List Wizard

So, let’s set the scene first.  Your organization has recently signed up for a new Cybersecurity defense solution and enrolled a pilot group of users.  This has proven to be very successful and you’ve been tasked with extending the enrolment, via the web-based Administration Console, to all users within your organization.

The problem is, the administration console requires multi-factor authentication, in this case a Username, Password and OTP (One-Time Password) to enable login.  This is a pain as you’re using two sources for the information.  You’re using Passwordstate for the Username and Password and a Mobile App for the One-Time Passwords.  But you don’t have to.  Instead, you can create a Password List based on the One-Time Password Authenticator template.

First navigate to the Passwords tab and right click on Passwords Home and select Add Shared Password List.   This will bring up the Add Shared Password List Wizard.  Enter the details for the Password List and choose the One-Time Password Authenticator template as per the image below; 

Enter all the details you require and click Next.  This will take you to the Permissions section where you’ll then be able to specify the Security Groups or Users you want to assign permissions for (for this Password List).  Once you’ve entered all your details click Next.  This will take you to the Confirmation section allowing you to review your details before clicking Finish to create the Password List.  The details for the Password List I’ve created are as follows;

Please note you can modify an existing Password List and simply select the Enable One-Time Password Generation to add the OTP section to all Password Records in that list.  However, in the scenario above I’ve elected to keep all Password Records requiring the additional One-Time Password authentication together in the one purpose designed Password List.

Add a Password Record for MFA

Now that we have the Password List, enabled for OTP setup, I’m going to add-in the credentials for our Cybersecurity defense solution.  To do this navigate to the Password List and click on Add underneath the Password Record grid.  Enter all the details for the Password Record and importantly, scan the QR code that was supplied by the issuer. 

If you don’t have a QR code you can enter the Issuer, Secret and algorithm specified by the issuer and click Save.  The image below shows the completed Password Record;

Access all Details via Browser Extensions

Now when you browse to the web-based Administration Console the Browser Extension will automatically form fill the Username and Password fields.  But where are the OTP details?  When the Browser Extension identifies the Password Record it will, in the Browser Extension menu, show a right arrow-head next to that record.  Clicking on this will bring up the details for the Password Record including the Username, Password and One-Time Password as per the image below;

You’ll note the OTP shows the time to live for the current OTP code.  This allows you to ensure you have sufficient time to copy and paste that OTP code before it regenerates.
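What the extension computes from the Issuer, Secret and algorithm on the record is a standard RFC 6238 time-based One-Time Password.  The following script, an added example that is not Click Studios code and is independent of the Browser Extension, generates that code from a Base32 secret and reports the seconds left before it regenerates, so you can confirm that a secret you typed in manually (without a QR code) matches what the authenticator app shows.  The Base32 secret in Test-TotpVector is the RFC 6238 reference key, not a real account; the 6 digits, 30 second period and SHA1 defaults are the values most issuers use and are assumptions to change if the issuer specified otherwise.

```powershell
# Added example, not Click Studios code: RFC 6238 TOTP from a Base32 secret, plus the
# seconds remaining for the current code. Defaults (6 digits, 30 s, SHA1) are assumptions.
function ConvertFrom-Base32 {
    param([Parameter(Mandatory)][string]$Base32)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    $clean  = $Base32.ToUpperInvariant() -replace '[\s=-]', ''   # issuers add spaces/dashes
    $buffer = [int64]0; $bits = 0
    $bytes  = New-Object System.Collections.Generic.List[byte]
    foreach ($ch in $clean.ToCharArray()) {
        $idx = $alphabet.IndexOf($ch)
        if ($idx -lt 0) { throw "Invalid Base32 character '$ch' in secret" }
        $buffer = ($buffer -shl 5) -bor $idx
        $bits  += 5
        if ($bits -ge 8) {
            $bits -= 8
            $bytes.Add([byte](($buffer -shr $bits) -band 0xFF))
            $buffer = $buffer -band ((1 -shl $bits) - 1)          # keep only leftover bits
        }
    }
    return ,$bytes.ToArray()
}

function Get-Totp {
    param(
        [Parameter(Mandatory)][string]$Secret,
        [int]$Digits = 6,
        [int]$Period = 30,
        [ValidateSet('SHA1', 'SHA256', 'SHA512')][string]$Algorithm = 'SHA1',
        [DateTimeOffset]$Time = [DateTimeOffset]::UtcNow
    )
    $unix    = $Time.ToUnixTimeSeconds()
    $counter = [int64][math]::Floor($unix / $Period)
    # RFC 4226: the HMAC message is the counter as 8 big-endian bytes
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [array]::Reverse($msg) }
    $hmac = switch ($Algorithm) {
        'SHA1'   { New-Object System.Security.Cryptography.HMACSHA1 }
        'SHA256' { New-Object System.Security.Cryptography.HMACSHA256 }
        'SHA512' { New-Object System.Security.Cryptography.HMACSHA512 }
    }
    $hmac.Key = ConvertFrom-Base32 $Secret
    $hash = $hmac.ComputeHash($msg)
    # Dynamic truncation: the low nibble of the last byte selects a 4-byte window
    $offset = $hash[-1] -band 0x0F
    $binary = (([int]$hash[$offset] -band 0x7F) -shl 24) -bor
              ([int]$hash[$offset + 1] -shl 16) -bor
              ([int]$hash[$offset + 2] -shl 8) -bor
              [int]$hash[$offset + 3]
    $code = $binary % [int64][math]::Pow(10, $Digits)
    [pscustomobject]@{
        Code             = $code.ToString().PadLeft($Digits, '0')
        SecondsRemaining = $Period - ($unix % $Period)
        Algorithm        = $Algorithm
    }
}

function Test-TotpVector {
    # RFC 6238 Appendix B: key "12345678901234567890", T = 59 s, SHA1, 8 digits -> 94287082
    $t = [DateTimeOffset]::FromUnixTimeSeconds(59)
    $r = Get-Totp -Secret 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ' -Digits 8 -Time $t
    if ($r.Code -ne '94287082') { throw "TOTP implementation mismatch: got $($r.Code)" }
    'TOTP self-test passed'
}

Test-TotpVector
# Replace the reference secret with the one from your Password Record to compare codes.
Get-Totp -Secret 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'
```

If the code this produces differs from the authenticator app while the self-test passes, the stored secret, algorithm or digit count on the record is wrong; if both agree but the site rejects the code, the clock on the machine is the usual culprit, since the code is derived purely from the secret and the current time.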

It really is as simple as that.  Now you can use a consolidated approach to storing the Password Credentials for sites requiring multifactor authentication with One-Time Passwords.

If you have feedback, we’d love to hear it via support@clickstudios.com.au.

Searching in System Settings and Feature Access

There’s no denying that Passwordstate has a significant number of options for configuration and customization.  That can sometimes make it hard to remember exactly where a configuration option lives (or is hiding).  That’s why in V9 we introduced a search facility, to find exactly where you need to go, so that you can configure that option.

Search Settings Locations

The Search Settings exists for 2 different areas in Passwordstate, System Settings and Feature Access.  To locate either of these simply navigate to Administration->System Settings or Administration->Feature Access as per the screenshots below; 

In both areas you’ll find the Search Settings dialog at the top of the screen, located just under the page title.  So how does the Search function in these areas operate?

Practical Example of Search Settings

Let’s use a practical example of the Search Settings.  In this scenario you’ve been working as part of the Business Integration Team, looking at what’s required to integrate your Passwordstate Instance into a new organization that’s been formed through the merger / acquisition of another business.

The two original Business Names are to be replaced with a new Entity Name.  The integration Team have suggested renaming the Passwordstate instance to reflect the new Entity Name.  You remember that once you’ve changed the existing Passwordstate instance URL you’ll need to also change this so it appears correctly in all emails, permalinks, etc.  But where to look?

What you could do is search for URL, which instantly drops down a list of the Tabs and Settings that match the search criteria you’ve entered, as per the screenshot below;

On selecting the first result in the list you are taken to that Tab and the relevant area is highlighted in yellow showing you where you need to make that setting, again as per the screenshot below;

Note the Search Settings criteria is “sticky” until you use the eraser to clear it.  This means that if you remembered you also needed to make changes to the Mobile Access URL for your App Server you can simply select that result (3rd in the list of the search results) and navigate to that tab and make your changes there too. 

It also means that you don’t have to re-enter your search criteria if you selected an option from the results drop down that didn’t match exactly the area you were looking for. We think the Settings Search is a nifty little improvement.  As always, we welcome your feedback via support@clickstudios.com.au.

Top Ten Golden Rules for People New to Passwordstate

With the release of Passwordstate V9 we’re seeing a lot of interest from potential customers about the existing and new features that are included in our product.  However, we all sometimes get side-tracked by the “bright shiny objects” and miss or skip over the foundational items that are important.

Whether you’re still considering purchasing Passwordstate, or if you’ve already purchased it, there are some Golden Rules that you should be aware of.

Input your License Details

Click Studios sends out your License Keys via email to your Nominated Contacts.  Every time you renew your Annual Support and Upgrade Protection, or purchase additional Licenses or Subscriptions, the updated License Key details you are emailed need to be updated in your Passwordstate License Information. 

The email, with a subject line of Passwordstate License Keys, contains details that are color coded, making it easier for you to know what needs to be updated.  If the email contains any red bolded text, then these are the only details that need to be updated.  Simply navigate to the Administration->License Information screen, select each License Type that corresponds to the block in the email containing the red bolded text, and Cut & Paste the red text into the corresponding field, example being;

The example above (with redacted details) shows updating the Expires and Registration Key details from an email into the License Type of Annual Support.  If the Passwordstate License Keys email contains no red bolded text then all details in the License Type block will need to be input.  Please also note that when you Cut & Paste the details into the fields make sure there are no leading or trailing spaces.

Private Password Lists are Private

Passwordstate is Secure by Design!  This means we use a consistent Security design including techniques to protect access to your credentials. 

A Private Password List can only be accessed by the Password List Administrator, which is the person who created the Private Password List.  Security Administrators can see what Private Password Lists have been created, who created them but they cannot view any Password Records in the Private Password Lists or manage any permissions or settings for them.

Passwords can only be stored in Password Lists

People like to talk about Password Vaults so let’s use a similar analogy.  Passwordstate uses the concept of Password Lists.  Think of each Password List like a separate Bank Security Deposit Box.  You have access to the Bank (Passwordstate login), know the Room (Folder) to go to and are on the permitted entry list, have the key (granted permissions) to open that Security Deposit Box (Password List) and view/use the contents (Password Records).  Your visit to the Bank, Room, access to the Security Deposit Box, and viewing of the contents is audited (Passwordstate Event Auditing).

Now using this analogy, you can only store your contents (Password Records) in a Security Deposit Box (Password List).  If you were trying to Store the contents directly in a Room (Folder) you’d have your contents strewn across the floor where anyone with access to that Room could see and use/steal your contents (Password Records).

You cannot nest a folder or password list beneath an existing Password List

And building on the Bank Security Deposit Box analogy, you can’t nest a Folder or Password List beneath an existing Password List.  This would be like trying to store 2 Bank Security Deposit Boxes in the same space (if you wanted to nest Password Lists) or even worse, try to fit another Room inside the Bank Security Deposit Box (if you wanted to nest a Folder under a Password List).  Trust me it’s not practical and most of us in IT won’t fit in there.

Password Lists can only exist under Passwords Home (small regional Bank with Bank Security Deposit Boxes in the one room) or under Folders as outlined above.

Logically build your Navigation Tree

Now you’ve got the idea about Folders and Password Lists let’s try something else.  Organisations usually have functions separated out.  It makes it easier to focus on specific tasks and ensures a segregation of duties (it’s not wise for the same person to handle the finances, raise purchase orders, pay the accounts and do the financial reporting).  This then leads to people involved in related tasks being grouped together in teams or departments.

Try to logically build your navigation tree to align with your company structure (departments and teams).  It typically makes management of your Password Lists easier and you can use Security Groups that align with the structure to manage access to Shared Password Lists and Records.

Admin Rights under the Navigation Tree

As stated previously in this week’s blog, Passwordstate is Secure by Design!  As a Security Administrator in Passwordstate you don’t have exclusive power over all configurations and functions within your Passwordstate Installation.  Likewise, the number of Security Administrators should be restricted to as low as possible, but more than just one (for when one of them isn’t there).

As an example, you need to be explicitly granted permission to Password Lists and Folders under the Passwords Tab.  Without being granted permissions you won’t be able to see all details in the navigation tree.

Backups…Don’t Skip Them!

If you don’t have a backup of both your Web.config file and your Passwordstate database then we won’t be able to assist in recovering your password credentials! Having current and tested backups of your Passwordstate Instance is critical.

Don’t be one of the statistics that has to report to Management that your Passwordstate Instance is effectively dead, you have no current backups and subsequently no access to your systems or accounts.  We deal with support calls all too regularly where someone forgot to set up their organization’s Passwordstate backups.  If you follow the documentation located on our website, and set up the backups correctly, then you’ve one less thing to keep you awake at night!

Use Security Groups to your Advantage

You know how you can setup Active Directory Security Groups, and assign permissions to resources based on the Security Group membership?  Well guess what, you can do the same in Passwordstate.

You can synchronize AD Security Groups with Passwordstate and use them to provide access to Hosts, Folders, Password Lists, Password Records and even Administrative functionality in Passwordstate itself.  If you don’t have an Active Directory Integrated version of Passwordstate you can still create Local Security Groups and achieve the same results.  Make your life easier and use Security Groups to your advantage, instead of trying to manage permissions based on individual user names.

Assess your risk and use 2FA where needed

It makes business sense to assess the level of risk in providing access, to privileged accounts or highly confidential password credentials, to your employees.  In situations such as these you could decide that Single-Sign-On or a simple username and password don’t offer the level of protection you need.

In these cases, look to use 2FA as an additional level of protection.  This can be offered on Security Group Membership, implemented as part of a User Account Policy or even configured at the Password List Level.  Take the time to consider the risk of unintended use and implement the access security accordingly.

Ask for a Quote

So, you’ve taken the step and trialed and subsequently purchased Passwordstate.  Now you’re ready to expand the number of users in Passwordstate, or perhaps you’re looking to rollout additional functionality with our subscription based modules.  In either case simply contact us via sales@clickstudios.com.au and not only will we provide you with the quote, we’ll also ensure the new licenses and/or subscriptions are correctly co-termed with your existing Support Expiry Date.  Let us help you get the order right the first time.

As always, we welcome your feedback via support@clickstudios.com.au.

Installing Passwordstate on a Windows 10 PC

One of the issues faced by small businesses, especially in today’s Cloud First World, is there is very little in the way of computing infrastructure that is hosted out of a bricks and mortar premises.  A lot of small businesses utilising SaaS (Software as a Service) based applications typically have an Internet modem/router, a number of individual or shared PCs, a local printer and a small network switch connecting all these together.

This type of setup may make it seem hard when you need to centrally manage your accounts and passwords.  But it doesn’t need to be.  Passwordstate will quite happily exist on a Windows 10 PC with only modest resources.  In fact, I recently purchased a small form factor PC (Intel i5 NUC) with 16 GB of memory and a 1 TB SSD, along with a copy of Windows Professional, for under $1,000 AUD or $750 USD.  This handles the Passwordstate workload for 5 users with ease.  The minimum system requirements can be found here.

Assuming you’ve got either an existing Windows 10 PC, or a brand new PC, you’ll want to do the same thing.  That is install a completely fresh copy of the Windows 10 operating system.  Don’t be tempted to just delete some “stuff” off of the existing PC and then use it as is.  You’ll be forever chasing down why things aren’t working properly, if not immediately, then at some stage in the future.  Just bite the bullet and perform a clean install.

Hardware and Operating System Prerequisites

You’ll need to ensure the edition of the operating system is Windows 10 Professional.  Once the base install has been done, ensure that you’ve applied all the operating system patches by going to Settings->Windows Update->Check for Updates.

When prompted to create an account, create a local account as you’re effectively creating a Passwordstate appliance that will only need to have one (1) login.  This won’t be a shared PC, it’ll be dedicated to running your Passwordstate Instance.  From now on anytime you need to login to the PC itself you’ll be using this account.

Next, you’ll need to confirm the version of PowerShell and .Net Framework that is installed.  A clean install of Windows 10 that is fully patched should be running PowerShell 5. To confirm the version you have, simply search for Windows PowerShell, select Run as Administrator, and type in $PSVersionTable and hit return.  You should see a response like the one below, 

If your result shows a PSVersion lower than 5 you’ll need to install the latest.  Just search for “how to install PowerShell 5” in your browser, pick one of the top responses and follow the instructions.  You’ll also need to have the correct .Net Framework installed.  This can also be confirmed in PowerShell (running as Administrator) by typing,

Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -Recurse | Get-ItemProperty -Name version -EA 0 | Where { $_.PSChildName -Match '^(?!S)\p{L}' } | Select PSChildName, version

Your result needs to be 4.7.2 or higher.  If you need to upgrade to the latest version search for “Install the .NET Framework on Windows 10“ in your browser and pick one of the top responses and follow the instructions.
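The two checks above (PowerShell 5 or later, .NET Framework 4.7.2 or later) can be run as a single function that returns a pass/fail object. This is an added example, not Click Studios' code; it assumes Windows PowerShell on Windows 10 and reads the Release DWORD under NDP\v4\Full, which Microsoft documents for detecting .NET Framework 4.5 and later (461808 is the lowest Release value that means 4.7.2).

```powershell
# Added example, not Click Studios' code. Checks both prerequisites from the
# text in one go: PowerShell 5 or later, and .NET Framework 4.7.2 or later.
# Assumption: Windows PowerShell on Windows 10, with the "Release" DWORD under
# NDP\v4\Full that Microsoft documents for .NET Framework 4.5+ detection.
function Test-PasswordstatePrerequisites {
    [CmdletBinding()]
    param(
        [int]$MinimumPSMajor    = 5,
        [int]$MinimumNetRelease = 461808   # minimum Release value for .NET Framework 4.7.2
    )

    $result = [ordered]@{
        PSVersion    = $PSVersionTable.PSVersion.ToString()
        PSVersionOk  = ($PSVersionTable.PSVersion.Major -ge $MinimumPSMajor)
        NetVersion   = $null
        NetRelease   = $null
        NetVersionOk = $false
        AllOk        = $false
    }

    # The v4\Full key only exists once some .NET Framework 4.x is installed;
    # if it is missing an upgrade is needed regardless of what NDP lists.
    $ndpFull = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    if (Test-Path -Path $ndpFull) {
        $key = Get-ItemProperty -Path $ndpFull -ErrorAction SilentlyContinue
        $result.NetVersion = $key.Version
        $result.NetRelease = $key.Release
        # Compare the Release DWORD rather than parsing the Version string;
        # Release is the value Microsoft documents for this purpose.
        $result.NetVersionOk = ($null -ne $key.Release) -and ([int]$key.Release -ge $MinimumNetRelease)
    }

    $result.AllOk = $result.PSVersionOk -and $result.NetVersionOk
    [pscustomobject]$result
}

$check = Test-PasswordstatePrerequisites
$check | Format-List
if (-not $check.AllOk) {
    Write-Warning 'Upgrade PowerShell and/or the .NET Framework before installing Passwordstate.'
}
```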

Download Passwordstate and Install SQL Express

Assuming you’ve already downloaded Passwordstate, you’ll need to extract all the files from Passwordstate.zip into a directory on the PC.  If you haven’t downloaded Passwordstate yet then follow the prompts here

To extract the files just open the Passwordstate.zip file and select Extract All from the File Explorer Extract->Compressed Folder Tools menu.  This will extract all the installation files as well as copies of the documentation.  In this you’ll find the following documents;

\Installation Instruction\1_Preinstallation_Checklist.pdf

\Installation Instruction\2_Quick_Install_Guide.pdf

\Installation Instruction\3_Installation_Instruction.pdf

I’d thoroughly recommend running through the 1_Preinstallation_Checklist.pdf to ensure you’re ready to start.  It’ll cover off on the requirements for the Web Server and Database Server and link to other documents as required.   One of these linked documents will take you through how to download and install Microsoft SQL Server Express.  This needs to be done before you commence the Passwordstate installation.  When you install SQL Express you’ll be prompted to create an sa account.  Remember the password you specify for this as you’ll need it later on!

Once you’ve covered off on all of the checklist items, you’re ready to start the Passwordstate installation.  Open up either the 2_Quick_Install_Guide.pdf or 3_Installation_Instruction.pdf and get ready to go.

Install Passwordstate

Click on the Passwordstate.exe file that has been extracted.  You’ll probably be prompted by User Access Control asking Do you want to allow this app to make changes to your device, as per the image below, 

Just click on Yes to continue.  You’ll then be presented with the InstallAware Wizard that’ll guide you through the installation process.  Click Next,

Specify the destination folder you want Passwordstate to be installed in.  I would highly recommend that you keep the default destination folder to ensure you have no issues with future In-Place Upgrades etc.  Then click Next,

You’ll now be prompted to supply the preferred URL that will be used when you browse to your Passwordstate website.  By default, this will be the name of your PC.  If you’re just running the Passwordstate Instance on your local network you can keep this as is.  Note that you’ll be initially using a Self-Signed SSL certificate for this website.  Again, if you’re running just on a local network this is fine.  Click Next to continue,

You’ll be presented with the Completing the InstallAware Wizard for Passwordstate screen.  The Wizard will now configure Passwordstate on your computer.  Once completed you’ll be presented with the screen below.  Take note of the URL that is presented (in the red circle) as this is the URL that you’ll be browsing to in the next section and click on Finish.

First Time Configuration and Initialization

Now that Passwordstate is installed you’ll need to create and initialize the database and create a Passwordstate Admin Account.  To do this open your web browser and browse to the Passwordstate URL that was created.  If you used the defaults, you’ll just need to type in the PC name immediately after typing https:// .  This will open the following web page,

From here you’ll need to select Primary Instance and click Begin.  You’ll now be prompted for your Database settings,

You’ll need to supply the Database Server Name, which is the PC Name you are using, specify SQLEXPRESS as the SQL Server instance Name, the sa account for the SQL Login Name and Password that you used when installing SQL Express.  Once you have supplied these details click on the Test Connection button.  If everything is correct the Status at the bottom left will change from Not tested to Connection Okay and the Next button will become available to click on.  Once clicked on you’ll be taken to the System Settings section.

Here all you really need to be concerned with is selecting the Authentication Method to be Forms Based Authentication and… very importantly… creating an Emergency Access Account.  The Emergency Access Account is the “break glass” account that lets you into the Administration area of Passwordstate in the event you can’t logon as normal with a User Account.  It’s intended to be restricted to the person that handles all the Passwordstate Security Administration; it has an elevated level of auditing and doesn’t allow access to Password Records or Lists.  Once you’ve supplied these details click on Next,

You’ll now be prompted to create the first Account.  This will be the Admin Account and is typically used by the person that handles all the Passwordstate configuration and support.  This Admin Account is granted the role of Security Administrator for this purpose.  Enter the details and click Next,

Your setup is now complete… but you’ll need to export your Encryption Keys first.  The Encryption Keys are split into 4 secrets, with 2 of the split secrets stored in your Web.config file. The other 2 split secrets are stored within the Passwordstate database. It is absolutely crucial that these are backed up!   In the event of a disaster, and you are unable to locate a copy of your Web.config file and database, Click Studios will be unable to help you rebuild your Passwordstate environment.  Enter a password to encrypt the .zip file backup and click on Export Keys (and then store them somewhere safe),

And that’s the base install pretty much completed.  Now you can click on the Start Passwordstate button and logon.  Now when you open a browser and type in the Passwordstate URL you’ll be prompted with the Forms Based Authentication login screen below,

and on entering the Admin Account details you’ll be logged into Passwordstate and be presented with the Passwordstate Guided Tour dialog.  As a new user to Passwordstate it’s worthwhile doing this.

And that’s it, you’re now ready to start adding User Accounts, and your users can start adding Password Lists and Password Records for all their passwords.  For small businesses a Windows 10 machine, on a local LAN and using Forms Based Authentication, is a simple and effective way to get Passwordstate up and running.  Now there’s no excuse not to centrally manage your passwords!

As always, we welcome your feedback via support@clickstudios.com.au.

Branding Options for your Passwordstate Instance

Branding within Passwordstate offers customers the ability to configure their Instance to more closely match an organization’s corporate look and feel.  This can be as simple as providing a custom URL (Uniform Resource Locator), making it easier for your users to remember the name of your Passwordstate Instance, to using custom logos, corporate colours and consistent naming conventions.

All of these are done to project an image of consistency across business applications, make it easier for the user to remember what an application is, and ensure as many barriers to adoption and use are removed as possible.

Passwordstate’s branding options are located under Administration->System Settings->branding.  Here, you’ll find the options for changing the appearance of your instance.  For information on how to change your Passwordstate URL please refer to this previous blog https://www.clickstudios.com.au/blog/how-to-change-your-passwordstate-url/.

Where are the Branding Options?

The following branding examples have been performed in my sandpit environment to demonstrate what you can do.  Here at Click Studios we use the default settings, with the exception of the login screen background image.  After all…we think the branding is pretty cool straight out-of-the-box.

Website and Dialog Logos

For the purpose of this blog, we’ll make a number of changes from the default Passwordstate branding.

The first is we’ll change the Main Page display.  Under Show Passwordstate Build Number we’ve selected Only Security Administrators to see the Build Number at the top of the screen.  Next, we’ll enter the wording that appears on the Web Browser tab for any Passwordstate sessions; in this example we’ve changed it to Click Studios Passwordstate.

This will produce the following result for everyone.  Security Administrators will still see the version number in its usual location next to the Main Page Title and Logo,

To create the Grey Passwordstate Logos I’ve simply created a green box (same color as the Base Color) in Microsoft Paint 3D, grabbed a Passwordstate logo from our dev environment and pasted it over the top.  In my case I’ve saved it as a .png file with the dimensions of 208 Wide x 24 High (pixels), however you can also save it in .gif or .jpg formats.  Note there is a difference in the sizes between the Title Logo and Dialog Logo.  To upload the new logos simply click on the Upload New Logo buttons as per the image below,

Whilst the Dialog Logo is a little “yuck” with the green box on white – it’s only for the purpose of proving the branding has been done.  The Title Logo results are shown in the images above and the Dialog Logo is shown below;

Base Color and Login Screen Background Image?

Now for the base color change.  Again, I’ve simply fired up Paint 3D with a copy of the Click Studios logo.  Then I’ve selected the green in the logo, grabbed that colour to get the Hex color code and input it below,

As the image above shows, you can create a Cascading Style Sheet (CSS) to describe how HTML elements are to be displayed.  This does require some knowledge of HTML coding so we won’t go into it here.  Lastly, I’ve decided to upload a wallpaper I’ve previously created as the Login Screen Background Image using the Upload Background button in the image below,

and once you’ve saved the changes that’s it.  Customising the Passwordstate branding really is as simple as that.

As always, we welcome your feedback via support@clickstudios.com.au.

Passwordstate Backup Functionality Explained

You’ll have to indulge me upfront this week. I’ve dusted off my old CTO and Management soapbox and here comes the Backups 101 lecture.

Our driving philosophy is Password management should be affordable for everyone. Because it’s important! You’ll see this on our website, social media pages and in correspondence from us.  There’s no escaping the message, it’s not just lip service or a marketing angle, it’s in our DNA. But you know what is also important…backups!

Backups are the creation of a copy of your organization’s data and information, configuration files, and anything else of material significance for your organization that needs to be recovered in the event of a failure. This includes, but is not limited to, hardware or software failures, data corruption, human-caused events, virus or malware incidents, upgrades gone wrong… you get the idea here. If you have data/information that is critical for your business, and you don’t have a backup regime that is regularly tested to prove it works, then you may as well not bother with the data or information in the first place! In fact, and you may not have realised this, you are planning for the business to fail!

And here comes the “Click Studios kicker”… that includes backups of your Passwordstate Instance. If you don’t have a backup of both your Web.config file and your Passwordstate database then we won’t be able to assist you in recovering your password credentials! Having current and tested backups of your Passwordstate Instance is critical… now that’s off my chest let me put the soapbox away and get into this week’s blog.

Backups and Results

With the introduction of Passwordstate V9 we’ve introduced a significant number of improvements to features. One of those is Backups and Upgrades. We’ve made significant changes on top, and beneath the covers, to give our customers an even more robust backup solution. In order to do this, we’ve also had to change the method used for backups.

For the uninitiated, the built-in Backup functionality is offered to customers as part of the core Passwordstate software. It’s primarily intended for organizations that don’t have an Enterprise Backup solution that caters for Microsoft SQL and File System backups. Additionally, the built-in backup functionality is tightly integrated with our In-Place Upgrade, so you’ll always ensure that you’ve successfully captured a backup before an upgrade. The Backups functionality is located by navigating to Administration->Backups and Upgrades,

From here, if you are using the built-in backups feature, you’ll see the status of your backups with either a green tick or red cross. The Backup Detail section will provide summary information on paths used for the backup and any error messages. Beneath the grid there are options for your backup Settings, performing a manual backup using Backup Now and options for notifications, purging logs, verbose logging and performing an upgrade.

Backups and In-Place Upgrade Settings

First let’s look at your backup settings. Passwordstate V9 introduces a range of new settings and options,

The first of these (Green Dot 1) is specifying an Account that is to be used for running the backup and upgrades. The philosophy behind this is consistent with using a Privileged Account Credential for discovery jobs and resets. The benefits include restricting access in Passwordstate to the account details, having a history of change and a known password for the encrypted .ZIP files that are produced.

The account must have sufficient permissions to destination paths, ability to interact with SQL etc. The following table details the permissions required, at the time of writing this blog for Domain Accounts using Network Shares or Local Folders, but please check for any updates here

For Local Accounts using Local Folders the easiest method is to use an Account that is a member of the Local Administrators group on your server. To check for any updates since writing this blog please refer to this document

Backup Schedule and Settings

The second section (Green Dot 2) details the Backup Schedule and Settings. Here you’ll specify whether you want to:

  • Enable Backups, specify the number of Backups To Keep, the Backup Start Time and to Backup Every selected period
  • Specify the path for the Web Files Backup to be saved to, including where Encryption Keys are backed up to
  • Specify the path for the Database Backup to be saved to
  • If you want to perform a backup at the beginning of all In-Place Upgrades (highly recommended)
  • The ability to deselect Backup Database if your Enterprise Backup solution handles your SQL Database requirements
  • A check box to select if you have installed your Database on a different server to where Passwordstate is installed
  • A check box to select if you want to Backup Split Secrets into a separate .ZIP file at the path specified for Web Files Backup
  • And lastly if you want to Password Protect Backup Zip Files using the Password from the Password Record of the Account used to perform the backup (Green Dot 1 in the image above, again highly recommended).

When using a Domain account both the Web Files and Database backups can be saved to either a Network path or a Local folder. The format for this is \\Server\Share or Drive:\Folder. If you are using a Local Account then only Drive:\Folder is supported.

One additional manual step you may want to consider, especially if you’re not licensed for the High Availability Module, is to keep a print out of the Account Password Record (along with any other accounts that are required to recover systems) in your company safe or wherever you keep a physical print out of these accounts.

Backup File Naming Conventions

Green Dot 3 allows you to specify the prefix for each of the types of backups. The defaults are examples and you can change these to match any internal naming convention. Each of the backups will have the date and time appended to the file name in the format of YYYYMMDDHHMMSS where,

YYYY = Year

MM = Month

DD = Day

HH = Hour (24 Hour Clock)

MM = Minute

SS = Seconds

Test Permissions

Once you’ve entered all the options as they apply to your environment it’s a good idea to test them using the Test Permissions button. This will run through a simulated backup ensuring that the supplied Account has the correct permissions, that it can write to the paths supplied, that PowerShell is the correct version and that all SQL requirements can be met,

And that’s it. We can’t stress enough the importance of ensuring Passwordstate is backed up successfully. Full instructions on how to configure your backups can be sourced from our documentation page here https://www.clickstudios.com.au/documentation/

As always, we welcome your feedback via support@clickstudios.com.au.

Password Strength and Generator Policies in Detail

This week’s blog builds on the entry last week https://blog.clickstudios.com.au/bad-passwords-pwned-accounts-and-prevention/.

Now that you’ve decided to block the use of Bad Passwords in your organization, using the Bad Passwords feature in Passwordstate, you can take the next step and setup Password Strength Policies and ensure your randomly generated passwords, using Password Generator Policies, match these.

What are Password Strength and Password Generator Policies?

Aren’t they the same thing and we’re just using two different terms to confuse you?  No… they are similar sounding but have distinct purposes.

A Password Strength Policy represents the rules for determining the strength of a password.  This is where you would effectively copy or represent the attributes that your organization’s password rules use.  It enables you to specify the mixture of alphanumeric characters, case, special characters and length a password must conform to.  It provides an indication of the strength of a password, works with the Password Generator Policy and is applied to one or more Password Lists.

A Password Generator Policy is similar in that you specify the mixture of alphanumeric characters, case etc. but not the specifics such as the required number of alphanumeric characters, case, special characters etc.  It is used to generate random passwords, in accordance with the specified strength policy.

Both Password Strength and Password Generator Policies are applied at the Password List level.  So… for any Password List, the password for a record will be generated using the Password Generator Policy, in accordance with the rules stipulated by the Password Strength Policy.

How do you setup a Password Strength Policy?

First navigate to Administration->Password Strength Policies and click Add beneath the grid.  Alternatively, if the policy already exists then click on the policy name you wish to edit.  In our example the Complex Passwords policy already exists so I’m going to edit it.  This brings up the Edit Password Strength Policy screen and I’ve selected the policy settings tab.  From here you can name, describe and provide the password attributes that your organization has stipulated must be used in a password.  These typically include the use of upper and lower case characters, numbers, special characters and length.

In the example below, Complex Passwords, we’ve stipulated that each password that is used must include 2 UpperCase, 2 LowerCase and 2 Numeric characters and the preferred length is 12.

In addition, we’ve specified the Password Strength Compliance as needing to be Excellent and that Compliance is Mandatory

With Excellent you must meet the rules for the mixture of alphanumeric characters, case, special characters and length as stated in the policy.  You can elect to use other strength compliance modes in the drop-down list if desired.  If Compliance is set to Mandatory then the new password is unable to be saved unless it meets the strength compliance category that has been selected.

On the test password strength tab you can test the policy settings you have stipulated by typing in a password and it’ll give you feedback on where you’re falling short compared to the rules you’ve setup.

How do you setup a Password Generator Policy?

Navigate to Administration->Password Generator Policies and click Add beneath the grid.  Again, if the policy already exists then click on the policy name you wish to edit.  In our example the Custom Strong Click Studios Generator policy already exists so again I’m going to edit it.  This brings up the Edit Password Generator Policy screen and I’ve selected the alphanumerics & special characters tab.  From here you can specify the minimum and maximum length of the passwords, select the alphanumeric attributes that your organization uses, include specific special characters and decide if you wish to use a specific pattern for your passwords.

In the example below, we’ve stipulated that each password that is generated will be between 10 and 20 characters and includes UpperCase, LowerCase, Numbers and special characters.

You’ll note that while the alphanumerics section states what type of characters to include there is no minimum setting for any of these.  The minimum number of each attribute is taken from the Complex Passwords Strength Policy that I’ve created.
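The relationship just described, a generator policy that supplies the length range and character classes while the strength policy supplies the minimum counts, can be modelled in a few PowerShell functions. This is an added example, not Passwordstate's code: it treats "Excellent" compliance as meeting every minimum in the Complex Passwords policy (the product's real scoring is not reproduced), the special character list is constructed, and it uses a CSPRNG because Get-Random is not cryptographically random on Windows PowerShell 5.

```powershell
# Added example, not Passwordstate's own code. Models the relationship the text
# describes: the strength policy holds the minimum counts, the generator policy
# holds the length range and character classes, and a generated password is only
# accepted when it satisfies the strength policy's minimums.
# Assumed simplification: "Excellent" compliance is treated as meeting every
# minimum in the strength policy; the product's real scoring is not reproduced.

# Mirrors the "Complex Passwords" strength policy from the blog
$ComplexPasswords = @{
    Name            = 'Complex Passwords'
    MinUpper        = 2
    MinLower        = 2
    MinNumeric      = 2
    MinSpecial      = 0
    PreferredLength = 12
    Mandatory       = $true
}

# Mirrors the "Custom Strong Click Studios Generator" policy from the blog
$CustomStrongGenerator = @{
    MinLength = 10
    MaxLength = 20
    Upper     = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
    Lower     = 'abcdefghijklmnopqrstuvwxyz'
    Numeric   = '0123456789'
    Special   = '!@#$%^&*()-_=+'   # constructed list; substitute your own policy's characters
}

function Test-PasswordStrengthPolicy {
    param([string]$Password, [hashtable]$Policy)

    $upper   = ([regex]::Matches($Password, '[A-Z]')).Count
    $lower   = ([regex]::Matches($Password, '[a-z]')).Count
    $numeric = ([regex]::Matches($Password, '[0-9]')).Count
    $special = ([regex]::Matches($Password, '[^A-Za-z0-9]')).Count

    $failures = @()
    if ($upper   -lt $Policy.MinUpper)   { $failures += "needs $($Policy.MinUpper) upper case, has $upper" }
    if ($lower   -lt $Policy.MinLower)   { $failures += "needs $($Policy.MinLower) lower case, has $lower" }
    if ($numeric -lt $Policy.MinNumeric) { $failures += "needs $($Policy.MinNumeric) numeric, has $numeric" }
    if ($special -lt $Policy.MinSpecial) { $failures += "needs $($Policy.MinSpecial) special, has $special" }
    if ($Password.Length -lt $Policy.PreferredLength) {
        $failures += "needs length $($Policy.PreferredLength), has $($Password.Length)"
    }

    [pscustomobject]@{
        Password  = $Password
        Compliant = ($failures.Count -eq 0)   # with Mandatory = $true a non-compliant password is rejected
        Failures  = $failures
    }
}

# Cryptographically random index in [0, $Max) using rejection sampling; works on
# Windows PowerShell 5 / .NET Framework, which lacks RandomNumberGenerator.GetInt32.
$script:Rng = [System.Security.Cryptography.RNGCryptoServiceProvider]::new()
function Get-RandomIndex {
    param([int]$Max)
    $bytes = New-Object byte[] 4
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$Max)
    do {
        $script:Rng.GetBytes($bytes)
        $value = [BitConverter]::ToUInt32($bytes, 0)
    } while ($value -ge $limit)
    return [int]($value % [uint32]$Max)
}

function New-PolicyPassword {
    param([hashtable]$Generator, [hashtable]$Strength)

    $alphabet = $Generator.Upper + $Generator.Lower + $Generator.Numeric + $Generator.Special
    # Length must satisfy both policies: inside the generator's range and no
    # shorter than the strength policy's preferred length.
    $minLen = [Math]::Max($Generator.MinLength, $Strength.PreferredLength)
    if ($minLen -gt $Generator.MaxLength) { throw 'Generator length range cannot satisfy the strength policy' }

    # Retry until a candidate meets the strength policy rather than patching one,
    # so no character position is forced to a particular class.
    do {
        $length    = $minLen + (Get-RandomIndex -Max ($Generator.MaxLength - $minLen + 1))
        $chars     = for ($i = 0; $i -lt $length; $i++) { $alphabet[(Get-RandomIndex -Max $alphabet.Length)] }
        $candidate = -join $chars
        $check     = Test-PasswordStrengthPolicy -Password $candidate -Policy $Strength
    } while (-not $check.Compliant)

    return $candidate
}

# Constructed samples: the first fails the Complex Passwords minimums, the second passes.
Test-PasswordStrengthPolicy -Password 'password1' -Policy $ComplexPasswords
Test-PasswordStrengthPolicy -Password 'Passw0rdStr0ng!' -Policy $ComplexPasswords
New-PolicyPassword -Generator $CustomStrongGenerator -Strength $ComplexPasswords
```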

On the word phrases tab you can optionally include word phrases as part of the generated password;

and you can also generate passwords in bulk on the generate passwords tab.

Can you access both via an API?

Yes, you can access Password Generator and Password Strength Policies via both the Standard and Windows Integrated API.  Simply navigate through to Help->Web API Documentation and select the Standard API Documentation or Windows Integrated API Documentation buttons for more details,

We hope this helps to explain the differences between the Generator and Strength Policies and how you use them.  As always, we welcome your feedback via support@clickstudios.com.au.