Reporting on Mobile Client Usage

The Passwordstate native Mobile Client apps for Android and iOS were introduced in V9 Build 9000.  These replaced the old Mobile Client support providing remote access to managed credentials while away from your normal place of work (desk). 

The native apps are designed to work with the Passwordstate App Server, which brokers the connectivity between the client device and your Passwordstate instance.  It allows for storing password records that a user is authorized to access, locally on the smartphone, within an encrypted cache.  Users have the ability to use the biometric capability of the smartphone when accessing the data within the encrypted cache.  All authentication and access of credentials is audited and synced back automatically with Passwordstate on next connection.

But how do you know when your users are using the offline copy of their passwords?  How do you ensure that they are using them when and where required?

We Have a Report for That!

Passwordstate has over 100 different Audit events, including those relating to usage of the Mobile Apps.  As stated above all access to stored credentials within the encrypted cache, and all synchronizations of credentials between your Passwordstate instance and a Mobile Client, are audited.  These audit records are uploaded automatically each time the Mobile App successfully synchronizes with the App Server. 

This ensures you can report on the activity of your users that have been set up for Mobile Client usage.  To do this, navigate to Administration->Reporting 

And select the Activity Report called Mobile Client Activity,

You can now filter the report based on User Account, Site Location and Duration in terms of the reporting period you select from the drop-down list,

and once you’ve clicked Run Report button the audit records matching the selected filters will be shown within the display grid.   

You can now export the results to Excel for further manipulation as required,

Make the report a Scheduled Report

Don’t forget you can set up the Mobile Client Activity report as a scheduled report and have it emailed through on a regular basis.  Simply navigate to Reports->Scheduled Reports and add a report like in the image below.

If you’d like to provide feedback, please send it to support@clickstudios.com.au.

How to Rotate Your Encryption Keys

Click Studios uses Symmetric Data Encryption within Passwordstate to protect your sensitive data.  It does this using 256-bit AES (Advanced Encryption Standard) data encryption to encrypt (cipher) and decrypt (decipher) information.  At a high level the process of encryption and decryption looks like this;

AES is the first and only publicly accessible cipher approved by the US National Security Agency (NSA) for protecting top secret information.  256-bit AES is practically unbreakable by brute force based on current computing power, making it the strongest encryption standard available.  In short, by using symmetric encryption algorithms, data is converted into a form that cannot be understood by anyone not possessing the secret key to decrypt it.

NIST, the National Institute of Standards and Technology, recommends that Symmetric Data Encryption Keys be changed every 2 years, or earlier based on an organization’s risk factors.  Your Passwordstate Encryption Keys shouldn’t be “set and forget”; they should be managed and rotated on a regular basis.

But Before You Start…

Make sure you have a backup of your Passwordstate Database and take a copy of your Web.config file.  The built-in Backup functionality is perfect for taking a backup and you can do this by navigating to Administration->Backups and Upgrades->Backup Now

If you’ve never used the built-in functionality, you’ll need to configure settings first under Administration->Backups and Upgrades->Settings.  Information on how to do this can be found here https://www.clickstudios.com.au/documentation/ for both Domain and Workgroup implementations.

Follow the Bouncing Ball…

Now that you’ve taken a backup of your Passwordstate database and have a copy of your Web.config file you’re ready to get started.  And it really is as easy as following the bouncing ball! 

Under Administration->Encryption Keys you’ll find 2 buttons, Export Keys and Key Rotation.  Export Keys allows you to create a password protected Zip file containing your Encryption keys and we’ll cover more on that later.  First, we’re going to focus on Key Rotation.  To get started click on the Key Rotation button,

You’ll now be prompted to ensure you have a backup of your Passwordstate Database and a copy of your Web.config file.  Take the time to read through the information before clicking on the box next to I have read the notification above and understand some action is required of me before and after the key rotation.  If this check box isn’t ticked then you won’t be able to proceed with the Key Rotation.  Once you’re ready, and you’ve ticked the check box, you can click on the Begin Key Rotation button,

As you can see in the image above, the Encryption Key Rotation screen lists all of the tables, the number of records in each table and the Status for each.  To commence the re-encryption process click on the Re-Encrypt Data button.

The status symbol of a Clock means that table hasn’t been re-encrypted yet.  The status of a Tick means the table has now been re-encrypted and the Flashing Blue Squares identify the table currently being re-encrypted.  A Status message of Please Wait… is shown at the bottom left-hand side of the display grid listing the tables. 

As the tables are re-encrypted, they will cycle off the first page of the display grid and be replaced by tables awaiting re-encryption.  When there are fewer tables awaiting re-encryption than fill the display grid, you’ll start to see the tables that have been completed (shown by a status of Tick) moving back up the display grid.  Once complete you’ll be taken to the Key Rotation Complete screen.  Again, take the time to read through the information before clicking the Start Passwordstate button.  This will log you off and you will need to log back into Passwordstate.

Don’t Forget… Take a copy of your New Encryption Keys

Now, cycling back to the Export Keys button.  Once you’ve successfully rotated your encryption keys it’s good practice to take a copy of them.  This can be done by navigating to Administration->Encryption Keys and clicking on the Export Keys button.  You’ll be taken to the Export Encryption Keys screen which tells you that the split secrets that make up your Passwordstate Encryption Keys are exported via a Password Protected ZIP file.  To begin the export process, click on the Export Keys button,

This will pop up the Password Protected Zip File dialog, which will require you to supply a password for the Zip file.  You will also be required to check the box stating that you cannot use the native Windows Compression to extract the contents of the Zip file.  Once that’s done you can click on the Export Keys button to create the Zip file containing the exported encryption keys.

The process of rotating your Passwordstate Encryption Keys is that simple and the effort required to rotate them is minimal.  There really is no reason not to be managing them appropriately.

We’d love to hear your feedback, send it to support@clickstudios.com.au.

Guide to set up Folder Structure and Permissions

You’ve decided that managing your organization’s passwords is essential.  You’ve selected a Password Management System that has the level of security you need, while retaining the flexibility to meet individual stakeholders’ requirements.  You anticipate there’ll be substantial interest and take-up as you roll out the solution.  The only question that remains is how you ensure that the way in which credentials are stored makes them easy to locate, keeps them accessible only to those that need them, and makes management of the solution as straightforward as possible.

Surely the best way to store all the credentials is in one big Password List stored in the root location?  That way you could just assign the permissions on a credential-by-credential basis!  Or maybe you should let everyone create their own Password Lists and store them all together.  If one user needs access to the same credential, they can just enter it in their Password List as well! … No!  Absolutely Not!  Let’s rethink that approach!

Organizational Structure is Important

An organization’s structure lays out the official functional relationships governing the workflow and day to day operations in the organization. The structure makes it easier to add new positions and provides a flexible method for growth.  Without it, employees find it difficult to know who they officially report to and who has final responsibility over operational elements.  It provides a basis for segregation of duties to ensure appropriate governance.

Organizational structure improves operational efficiency. Departments work better together by focusing their effort on productive tasks without duplication.  The following diagram is a fictional organizational structure for the company An Example and we’ll be using it for this blog.

Using an organization’s structure is a good place to start when organizing your password credentials.  First, we’re going to create folders for all of the Level 1 entities in the diagram below.  These are the top-level functional bodies within this organization.  You’ll note that the CEO folder is grouped at Level 1 also.  There is no value in creating a CEO folder with all other folders nested beneath it so it’s grouped at the same Level as all other top-level folders.  Each of these top-level folders may or may not have additional folders nested beneath depending on the complexity of the organizational unit and the granularity of permissions you wish to set,

Next, we create the nested Level 2 folders for each of the Level 1 folders we’ve created.  The diagram below shows the examples of the two folders that will be nested beneath Operations (Chief Operating Officer), Operational Services and Metallurgical and Chemical laboratories.  Likewise, under Finance (Chief financial officer), we have IT and Legal (Legal matters).

Security Groups and Permissions

Most organizations that use Microsoft’s Active Directory (AD) will have AD Security Groups that closely match their organizational structure.  The group charged with IT Security will likely already have agreed and implemented your AD Security Groups and populated them with the appropriate user accounts aligned with the structure.  That’s the same in this example and it makes assigning permissions to your folders that much easier. 

If you aren’t using Microsoft AD and AD Security Groups you can still create your own Forms-based User Accounts and Local Security Groups.  It’ll just mean there’s more initial work to create these and regular maintenance will be required to keep them up to date.

You may from time to time be tempted to use individual users instead of Security Groups to assign permissions.  Whilst this can be done it should always be used as the exception to the rule…the rule being use Security Groups whenever you can!

In the example above we’ve created a Folder under IT called Desktop Support.  We’ve then created a Shared Password List called Production Desktops.

The permissions for accessing Production Desktops and the Desktop Support Folder are based on the AD Security Group Desktop Support.  Only members of this AD Security Group have been given Admin Access to the Password List.  IT staff not in the Desktop Support AD Security Group have no access.

Permission Model Types

It’s probably worthwhile recapping on the two permission models you can use within Passwordstate, Standard and Advanced.

The Standard Permission Model applies the permissions in a bottom-up approach.  When you apply the permissions to the Production Desktops Password List the access is applied to all Folders in that hierarchy i.e. An Example->Finance->IT->Desktop Support.

Using the Advanced Permissions Model applies permissions in a top-down approach.  If we were to apply the Desktop Support Security Group at the IT Folder level it would provide access to the IT->Desktop Support->Production Desktops Password List and to IT->Legal and any Password Lists or subfolders located under the Legal Folder.  Note the image below is just to show the Advanced Model and doesn’t apply to the Desktop Support example we are using,

Both Permission Models are valid and can be used effectively.  The most appropriate model is the one that best suits the way in which you and/or your Security Administrators prefer to work.
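To make the difference between the two models concrete, here is a small Python model of the An Example hierarchy used in this post.  It is an added illustration, not Passwordstate code, and it assumes the simplified rules stated above: a Standard-model grant on a Password List also makes every folder above it reachable, and an Advanced-model grant on a folder reaches every folder and Password List beneath it.  The sample tree follows the Level 2 diagram (IT and Legal both under Finance), and the Password List names other than Production Desktops are made up.

```python
"""Standard (bottom-up) vs Advanced (top-down) permission propagation.

Added illustration for the folder / Password List design discussed above.
It is NOT Passwordstate's own code; the propagation rules are the
simplified ones described in the post, nothing more.
"""
from __future__ import annotations

# Constructed sample hierarchy for the fictional company "An Example".
# Each entry maps a node name to (parent, kind). The root has no parent.
TREE = {
    "An Example": (None, "folder"),
    "Finance": ("An Example", "folder"),
    "Operations": ("An Example", "folder"),
    "IT": ("Finance", "folder"),
    "Legal": ("Finance", "folder"),
    "Desktop Support": ("IT", "folder"),
    "Production Desktops": ("Desktop Support", "list"),
    "Contracts": ("Legal", "list"),                 # made-up list name
    "Operational Services": ("Operations", "folder"),
    "Plant Credentials": ("Operational Services", "list"),  # made-up list name
}


def ancestors(node: str) -> list[str]:
    """Every folder above `node`, nearest first."""
    out = []
    parent = TREE[node][0]
    while parent is not None:
        out.append(parent)
        parent = TREE[parent][0]
    return out


def descendants(node: str) -> list[str]:
    """Every folder and Password List beneath `node`, sorted by name."""
    out = []
    stack = [node]
    while stack:
        current = stack.pop()
        for name, (parent, _kind) in TREE.items():
            if parent == current:
                out.append(name)
                stack.append(name)
    return sorted(out)


def standard_model(grants: dict[str, set[str]]) -> dict[str, set[str]]:
    """Standard (bottom-up): a grant on a Password List gives the group that
    list plus a navigational path through every parent folder above it.
    `grants` maps a Security Group to the Password Lists it was granted on."""
    effective = {}
    for group, lists in grants.items():
        reach = set()
        for plist in lists:
            if TREE[plist][1] != "list":
                raise ValueError(f"{plist!r} is not a Password List")
            reach.add(plist)
            reach.update(ancestors(plist))
        effective[group] = reach
    return effective


def advanced_model(grants: dict[str, set[str]]) -> dict[str, set[str]]:
    """Advanced (top-down): a grant on a folder flows down to every folder
    and Password List beneath it. `grants` maps a Security Group to folders."""
    effective = {}
    for group, folders in grants.items():
        reach = set()
        for folder in folders:
            if TREE[folder][1] != "folder":
                raise ValueError(f"{folder!r} is not a folder")
            reach.add(folder)
            reach.update(descendants(folder))
        effective[group] = reach
    return effective


def can_open(effective: dict[str, set[str]], group: str, node: str) -> bool:
    """True if `group` can open `node` under the computed effective set."""
    return node in effective.get(group, set())


if __name__ == "__main__":
    std = standard_model({"Desktop Support": {"Production Desktops"}})
    adv = advanced_model({"Desktop Support": {"IT"}})
    print("Standard reach:", sorted(std["Desktop Support"]))
    print("Advanced reach:", sorted(adv["Desktop Support"]))
```

Granting the Desktop Support group on the Production Desktops list under the Standard model exposes nothing under Legal, whereas an Advanced-model grant placed one level too high (at Finance) would.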

Restrictions that can be Applied

There are a number of restrictions that can be applied to manage the folder structure and where Password Lists are placed.  The first is limiting who has permission to create new Folders in the root of Passwords Home.  This can be found by navigating to Administration->Feature Access->folder options and clicking on the Set Permissions button, 

The second is limiting who has permission to create Password Lists in the root of Passwords Home.  If you’ve gone to the extent of creating an organised folder structure then the last thing you’ll want is for Shared or Private Password Lists to be inadvertently dumped in the root.  This also applies to restricting who is allowed to Drag-N-Drop Password Lists around in the structure you’ve created.  These permissions can be set by navigating to Administration->Feature Access->password list options and again clicking on the Set Permissions button for each of the settings you wish to restrict,

Additional Items for Consideration

As you build your Folder structure and start creating Password Lists there are a couple of other points to consider with links to our blog entries below;

Performance Improvements: https://blog.clickstudios.com.au/performance-improvements-how-to-troubleshoot-and-resolve-issues/

Optimal sizing of your Password Lists: https://blog.clickstudios.com.au/password-list-performance-testing/

In Summary

With a bit of thought and alignment you can effectively build a folder hierarchy and manage your Password Lists by using;

  • The Organizational Structure as your basis,
  • Using Security Groups to your advantage,
  • Using the appropriate Permission Model, and
  • Restricting who can apply structural changes

This will ensure your Passwordstate instance accommodates changes and growth while minimizing the on-going management effort.  We’d love to hear your feedback, send it to support@clickstudios.com.au.

Troubleshoot HA Polling Issues

We’ve recently had a few technical support calls querying how to diagnose High Availability issues.  To make it easier to identify the health of all Passwordstate Servers, we included the health status under the Authorized Web Servers screen in Passwordstate 9.0 Build 9000.  This uses a traffic light approach of “green is good”, “red needs investigation”.

So, if your HA server shows a status of red what do you do next?

Recap on HA Implementations

To start with let’s recap on Passwordstate’s High Availability offerings.  The following logical diagram shows 2 variations of Passwordstate with High Availability.  The solution, as depicted by the Green Dot 1, is an Active / Passive implementation.  This allows the Passwordstate High Availability instance to be enabled, and will provide read-only access to requests in the event of an issue with the Passwordstate Primary Instance.  All access events are audited and synced with the Passwordstate Primary Instance once recovered.

The solution, as depicted by the Blue Dot 2, shows an Active / Active implementation.  This requires a Load Balancer redirecting the End User’s Passwordstate traffic to either the Passwordstate Primary Instance or the Passwordstate Secondary Instance.  This offering allows users to update data in both the Primary and Secondary instances of Passwordstate.  It requires Basic Availability Groups, or Always On Availability Groups, to be implemented in Microsoft SQL Server Standard and above.

Your High Availability Server along with your Primary Server will show up on the Authorized Web Servers page.  This page is available at Administration->Authorized Web Servers and details the Polling Health, Last Poll Time, Server Role and HA Mode along with the Install Path.  Our test environment is shown in the screenshot below;  

Note the Host Names must be entered in their NETBIOS name format not FQDN (Fully Qualified Domain Name).

High Availability: Active-Passive Implementation

When running your Passwordstate High Availability model in Active / Passive mode your HA Server will initiate the polling.  It does this through the Passwordstate Windows Service attempting to contact the Primary instance’s API.  When it successfully connects to the API it will complete the poll and your Primary instance will record the Polling Health status as green for your HA Server.

If your Polling Health status isn’t showing as “green is good” you’ll need to investigate the cause.  The first thing you can check is if the API is functional.  To do this try creating a password using the password generator icon in the top right-hand side of your Passwordstate User Interface;

When clicking on the password generator a password should be generated in the dialog box as shown above.  If this works successfully then the API is functioning correctly.

You can also check if the connection to your API is functioning correctly by opening a web browser and typing in the URL for your Passwordstate instance with the following appended to the URL /api/highavailability/primarypoll/polltest.  If the connection is successful, you’ll see the following result;

If the connection fails, in this example because the Application Pool wasn’t running, you’ll see an error message like;

The Passwordstate Windows Service performs the poll via a GET request to the specified Uri (URL) as an asynchronous operation.  For more information on the GET request please see https://docs.microsoft.com/en-us/dotnet/api/system.net.http.httpclient.getasync?view=net-5.0 .

Connection issues are always caused by an incorrectly configured Load Balancer or Reverse Proxy, or by Firewall issues between the two Passwordstate instances.  You can also check that the Authorized Web Server Host Names are the NETBIOS names and not the FQDN.

High Availability: Active-Active Implementation

When running your Passwordstate High Availability model in Active / Active mode your High Availability Server (secondary instance) writes its Polling Health status directly into the Passwordstate Database.  As with Active / Passive implementations this will then show the Polling Health status as green for your HA Server. 

Again, the biggest issue we find with a Passwordstate instance not correctly participating in an Active / Active HA implementation is incorrectly configured Firewalls, or the Passwordstate Windows Service not being started.  Again, check that the Authorized Web Server Host Names are the NETBIOS names and not the FQDN.

Knowing where to look when you experience HA Polling Issues is straightforward.  Unfortunately Click Studios can’t tell you how to resolve your Load Balancer, Reverse Proxy or Firewall issues as the number of suppliers for these is huge and growing. You will need to log a call with the vendor responsible for the equipment if you are unable to identify and resolve the issue.

Got feedback?  We’d love to hear it!  Send it through to support@clickstudios.com.au.

Where Can You Upload Documents in Passwordstate?

One of the key remits, or areas for active consideration for our development team, is the flexibility of use of Passwordstate. Since its first release, way back in August 2004, our developers have continually looked at how they can add flexibility and value to the core concept of secure password management.

Back in August 2020 we published a blog entry that gave suggestions on what else can be recorded in Passwordstate.  From Credit Card details, to Software Licenses and SSL Certificates.  If you haven’t read that blog entry the link is here https://blog.clickstudios.com.au/what-else-can-i-record-with-passwordstate/.

But what if you need to add documents, such as Operating Procedures, Process Documentation, Contract details etc.?  Where can you add those, so that the documentation is located logically right alongside the information or credentials that you’ve chosen to protect with Passwordstate?

Password Lists and Records

The first areas that documents can be added to are the Password List and Password Record levels. 

We have customers that add policy or ownership documentation to each Shared Password List, outlining who the business or IT owner is for the Password List, the functional roles allowed access to the list and who to contact when requesting changes be made.  Don’t forget, the Password List may not hold traditional Password Records.  As an example, it may function as a “light” contract management database, holding all software contracts for a particular business unit.  

Likewise, we have customers that add documents to individual Password Records; this can be a process or guideline document that states what a particular credential can be used for.  Alternatively, using the “light” contracts management database angle above, it may hold the contract details such as period of coverage, service level agreements and contact numbers for a single contract.

To add a document to a Password List simply click on the Password List then Documents then Add Document;

and when adding documents to a Password Record, click on the action icon next to the record, select View Documents and Add Document;

In both examples you’re then prompted with the Add New Document dialog.  Just fill in the File Name and Description, then use the Select button to open File Explorer, select the file you want to add, click Open, and then Save;

Your document is now added against either the Password List or Password Record depending on where you’ve decided to upload it. 

Hosts

The next area you can add documents to is Hosts.  This is especially useful for Process and Work Instructions that are specific for certain servers. 

For instance, you may have an application server with temperamental services that require special attention every time a Microsoft update is applied (we’ve all experienced this haven’t we).  While it would be nice for those application vendors to improve the resiliency of their software it sometimes takes them years.  In the meantime you could add a document reminding your System Admins to restart the badly behaving service or restart a series of them in a particular order.

To add a document to a Host, simply select the Host in question and click on the Add Document as per the screen shot below;

This will bring up the same Add Document dialog previously shown.  Again, simply fill in the File Name and Description, then use the Select button to open File Explorer, select the file you want to add, click Open and then Save.

What Do Lots of Password Lists and Hosts Need?

If you read the heading above then you’ll know where this is headed – that’s right, Folders. If you’ve got lots and lots of Password Lists or Hosts then you really should be making your life easier by organising them.  This is where Folders are essential, they allow you to logically organise Password Lists and Hosts into meaningful collections.

And you’ll have guessed what you can do with Folders as well.  That’s right, you can add documents to Folders.  But why would you want to do this?  Let’s use the example that you’ve got your High Availability systems distributed across geographically dispersed Data Centres.  When it comes to patching you may have procedures to only patch certain servers in each data centre on specific days.  This can be summarized in a document at the Folder level.  Or you may have a process instruction that states system reboots for particular systems require coordination with a key business stakeholder.

Again, the process is the same for adding the documents as it is with Hosts, Password Lists and Password Records.

How Do You Restrict This?

Firstly, only those users that have been granted access to those specific Password Lists, Password Records, Hosts and Folders have access to add Documents to those objects.  Secondly you can enable or disable documents being uploaded, limit the size of the documents being uploaded and restrict uploaded documents to specific extensions by navigating to Administration->System Settings->miscellaneous as per the screenshot below;

Note: you can also link off to external systems containing documentation by using the External Links feature on Folders and Hosts.  This may be a useful method of linking to documentation stored in SharePoint or a Wiki based system;

Adding documents to Passwordstate can be extremely beneficial; you really just need to think about how you can make it work for you.  As always, if you’ve got any feedback you’d like to share please send it to support@clickstudios.com.au.

Self Destruct Messaging Implementations

Passwordstate includes a Self Destruct Messaging portal as part of the core software.  Self Destruct Messaging typically allows you to send emails or messages within an application, containing content considered to be highly confidential, to be viewed for a specified period of time.

In the case of Passwordstate’s Self Destruct Messages, the content that you share is stored only within the Self Destruct Messaging portal.  Access to be able to send Self Destruct Messages relating to a Password Record is permissions based and you can control both the ‘Time to Live’ and number of times the data or Password Record can be viewed.

How are Self Destruct Messages Sent?

In this example we’ll use a scenario where we want to temporarily share a password record with a contractor that doesn’t normally have access to Passwordstate.  The Self Destruct Messaging portal we are using is the embedded implementation, meaning it is automatically included as part of your Passwordstate website and can be accessed by appending /selfdestruct to your Passwordstate URL.  The version of Passwordstate used in this example is V9 Build 9300.

To share the Password Record with the contractor we simply click on the Action Menu next to the record and select Send Self Destruct Message;

This brings up the Self Destruct Message Screen where we can compose our message.  We specify the period of time the message is alive for and the number of times it can be viewed.  Both these fields are drop down lists where you can select from predefined options.  Once complete click Next;

Next, we enter the contractor’s email address, change the subject line as appropriate and click Next,

In this case we’re using Passphrase Protection, so we’ll need to set the Passphrase and advise the contractor what that is (in a separate email) and then click Send Message,

The contractor now receives the following email,

To access the details of the Password Record, the contractor will need to click on the URL, noting the ‘Time to Live’ for the Self Destruct Message is 30 min from the email being sent.  This will bring up the Self Destruct Message portal screen requiring authentication using the Passphrase separately emailed to them and then clicking Next,

The Self Destruct Message is then displayed (I’ve redacted the details in the image below),

The person that sent the Self Destruct Message will receive an email confirming when the message has been viewed by the recipient.
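The lifetime rules walked through above (a Time to Live, a maximum number of views, an optional Passphrase, and a notification to the sender once the message has been viewed) can be modelled in a few lines.  This is an added Python illustration of that behaviour, not Passwordstate’s own implementation: it assumes an in-memory store, an injectable clock so the 30-minute expiry can be exercised offline, and that a wrong Passphrase does not consume one of the allowed views.

```python
"""Model of self-destruct message rules: TTL, view limit, passphrase.

Added illustration, not Passwordstate's implementation. Assumptions:
in-memory store, an injectable clock, and a failed passphrase check does
not consume one of the allowed views.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Message:
    content: str
    expires_at: float              # unix time after which the message is gone
    views_left: int
    salt: bytes
    passphrase_hash: Optional[bytes]
    viewed_at: List[float] = field(default_factory=list)   # successful views


def _hash_passphrase(passphrase: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 so a copy of the store does not reveal the passphrase.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)


class SelfDestructPortal:
    """Issues message tokens and enforces TTL / view-count / passphrase rules."""

    def __init__(self, clock: Callable[[], float]):
        self._clock = clock                         # returns current unix time
        self._store: Dict[str, Message] = {}
        self.sender_notifications: List[str] = []   # "viewed" emails that would go out

    def send(self, content: str, ttl_minutes: int, max_views: int,
             passphrase: Optional[str] = None) -> str:
        """Store the message and return the unguessable token for the URL."""
        if ttl_minutes <= 0 or max_views <= 0:
            raise ValueError("TTL and view count must be positive")
        salt = os.urandom(16)
        token = secrets.token_urlsafe(24)
        self._store[token] = Message(
            content=content,
            expires_at=self._clock() + ttl_minutes * 60,
            views_left=max_views,
            salt=salt,
            passphrase_hash=_hash_passphrase(passphrase, salt) if passphrase else None,
        )
        return token

    def view(self, token: str, passphrase: Optional[str] = None) -> Optional[str]:
        """Return the content, or None if the token is unknown, expired,
        exhausted, or the passphrase is wrong. Expired and exhausted
        messages are deleted immediately so nothing lingers in the store."""
        msg = self._store.get(token)
        if msg is None:
            return None
        now = self._clock()
        if now >= msg.expires_at:
            del self._store[token]
            return None
        if msg.passphrase_hash is not None:
            supplied = _hash_passphrase(passphrase or "", msg.salt)
            if not hmac.compare_digest(supplied, msg.passphrase_hash):
                return None     # wrong passphrase: no content, view not consumed
        msg.views_left -= 1
        msg.viewed_at.append(now)
        self.sender_notifications.append(
            f"message {token[:6]}... viewed at {now:.0f}")
        content = msg.content
        if msg.views_left == 0:
            del self._store[token]
        return content

    def exists(self, token: str) -> bool:
        """True while the message is still held (not yet viewed out or expired)."""
        return token in self._store


if __name__ == "__main__":
    import time
    portal = SelfDestructPortal(time.time)
    tok = portal.send("constructed secret", ttl_minutes=30, max_views=1,
                      passphrase="sent separately")
    print(portal.view(tok, "sent separately"))   # the one allowed view
    print(portal.view(tok, "sent separately"))   # None: already consumed
```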

Self Destruct Messaging Implementations

The example used above is based on the embedded implementation, which is part of your existing Passwordstate instance.  The Self Destruct Messages under this model can only be used where you can also access your Passwordstate website.  This means that if your Passwordstate instance isn’t internet facing then you’ll also not be able to share Self Destruct Messages over the internet.

You can however implement the Self Destruct Message portal a couple of other ways.

  • The first, using a Push\Pull implementation.  This works by sending messages from your core Passwordstate website to a Microsoft SQLite database.  When the customer accesses the Self Destruct website, it reads the Self Destruct Message directly from that SQLite database and the message is deleted when they are finished with it.  This implementation doesn’t require any open ports to your Passwordstate website, or your Passwordstate database and requires no management of the SQLite database.  It enables the hosting of your Self Destruct Messaging website in a DMZ.  To configure this option, you’ll need to specify the URL for the site and generate an Encryption Key.  Instructions are located under the Administration Tab->System Settings->self destruct messages->Push\Pull Deployment Self Destruct Install Guide button.
  • The second is via your AppServer hosted within your DMZ.  This implementation requires you to connect to the AppServer to read the Self Destruct Messages.  This method doesn’t use the SQLite DB.  Instead, it uses connectivity back to the Passwordstate database, hosted on your internal network.  A port, typically the SQL port 1433, needs to be open.  If you are already using the AppServer as internet facing, in order to sync with your Mobile Apps on Smartphones, it makes sense to use this.  However, you should perform an internal risk assessment to ensure the solution meets your requirements.

There are multiple implementations available for the Self Destruct Messaging Portal and you are encouraged to select the model that best suits your organizational requirements. 

As always, if you’ve got any feedback you’d like to share please send it to support@clickstudios.com.au.

New Upgrade Process

With the release of Passwordstate V9 Build 9300 we’ve changed the way that Passwordstate is upgraded.  The old In-Place Upgrade Capability is deprecated and no longer functions for any previous build of Passwordstate.  If you try to perform an In-Place Upgrade, on builds prior to 9300, you’ll receive the following error message;

Upgrade error detected – It appears the file /upgrades/passwordstate_upgrade.zip is corrupt. Please delete this file and then restart the upgrade process again.

This is by design as the In-Place Upgrade Capability has been blocked by Click Studios.  Build 9300 removes the In-Place Upgrade Capability and all upgrades are now performed by our new Common Software Installation Process.

What is CSIP

The new Common Software Installation Process, or CSIP for short, uses InstallAware’s Windows Installer software as the engine for upgrading your Passwordstate instances.  It uses code developed by Click Studios to accurately detect aspects of your configuration, ensuring the deployment of the correct assemblies that your instance needs when upgrading.

CSIP handles both new installations as well as upgrades to existing installations.  There are two flavours currently available from our website and Content Delivery Network (CDN), 

  • For customers already using Passwordstate V9 the correct download is the one available underneath the Passwordstate 9 (Build 9300) header.
  • For customers upgrading from a build earlier than 8995 the correct download is the one available underneath the Passwordstate 8 (Build 8995) header.

Check the Checksum First!

We strongly recommend comparing the checksum of the downloaded file against the checksum information published on our website at the time you download the file.  Each time a new build is released the checksum value will be different and you should confirm it against the value published on our site.

In the example below I’ve downloaded the CSIP package for an existing V9 installation and have compared the checksum value to ensure the download hasn’t been tampered with;

Performing an Upgrade

The process of upgrading is very straightforward.  But before you do, please ensure you’ve read the Upgrade Instructions document.  The link for this is located at the bottom of https://www.clickstudios.com.au/passwordstate-checksums.aspx  

Once you’ve read this, and taken any steps required, simply extract the contents of the downloaded ZIP file and run the passwordstate.exe as an Administrator on your Passwordstate webserver.  This will perform various checks and you will be prompted to click the checkbox to confirm a backup has been taken of the Passwordstate folder and database (LHS of image below).  Please make sure you have a successful backup of these and then click Next.

You’ll now be presented with the License Agreement Screen (RHS of image below).  Take the time to review the License Agreement and if you want to accept the terms of the license agreement click the checkbox.  Now you can click Next to begin the upgrade.

This will present you with the image below (LHS) stating that CSIP is now ready to configure Passwordstate on this computer (webserver).  Click Next and the upgrade will commence (RHS).

When CSIP has completed installing your upgraded files you will be presented with confirmation that the first phase of the upgrade has completed.  You are then requested to log into your Passwordstate instance, and complete the database upgrade phase.  This process is exactly the same as in previous builds of Passwordstate.  Click Finish to close CSIP.

The upgrade of the core product really is that simple.  As always, if you’ve got any feedback you’d like to share please send it to support@clickstudios.com.au.

Linking Multiple Websites to One Password Credential

Our Technical Support Team recently assisted a customer with an issue related to form-filling credentials for a website where the website redirects to a secondary page.  This can happen when the primary URL for the website redirects the user to another URL for part of the login process. 

Example: Microsoft Advertising

The example we’re using for this is Microsoft’s Advertising login.  The primary URL we’re using takes us to the username webpage of https://ads.microsoft.com/ and automatically form-fills the email address as our username;

However, the password webpage is located at https://login.live.com/ and because of this the Browser Extension doesn’t correctly form-fill the password;

Linking Multiple Website URLs

To fix this we need to add in the additional URL for the credentials in Passwordstate.  To do this, login to Passwordstate, select the Password Record and using the Action icon select Link Account to Multiple Web Site URLs;

From there you’ll need to add in the additional URL, in this case https://ads.microsoft.com/, as the URL already on the record (shown above) is https://login.live.com/;

Once this is saved, you’ll either need to log out of and then back into your Browser Extension, or alternatively wait at least a minute before retrying.  Once you’ve done that, the credentials in our example correctly form-fill on both screens.  The Enter Password Screen is shown form-filling below;

As always, if you’ve got any feedback you’d like to share please send it to support@clickstudios.com.au.

Dipping the Big Toe in the Water – Trialling Scheduled Password Resets

We were having this discussion the other day about “dipping your toe into the water” and one of the new hires in our Technical Support Team had never heard the saying before.  So… the hunt was on during lunch to find the history of the saying.  According to idiomorigins.org it’s a metaphor that means “to try something new or start a new project cautiously without over-commitment or too much risk.  It dates from the late 20th century and derives from the obvious allusion of dipping a toe into water to test the temperature”.

Or another way to look at it, is to “start doing something slowly and carefully, because you’re not sure whether it will be successful or whether you will like it”.  That sounds like a great angle for trialling scheduled password resets in your organization.

What are Scheduled Password Resets

Scheduled Password Resets are part of the Privileged Account Management (PAM) functionality provided in the core Passwordstate product.  It enables customers to perform on-demand or scheduled password resets across multiple different systems and platforms.  It uses a flexible and extensible design, through the use of PowerShell scripts, to allow password resets across your IT Infrastructure and Business Systems.

But why is this so desirable?  As an example, let’s work on the basis that you’ve got a couple of hundred PCs in your business.  Each of these has a Local Account.  As part of a best practice approach, the credentials for each of these Local Accounts should be unique and reset periodically, in accordance with your organization’s password management policy. 

That’s a lot of effort when you have to manually logon to each PC, reset the password and record the details in your password management system.  Passwordstate allows you to record the accounts for all these hosts, perform an initial reset on the account to allow it to be managed and then schedule regular password resets for the Local Account.

What you need before you get started

The only real prerequisites for performing automated password resets on local accounts are to enable PowerShell Remoting and to have a Shared Password List that has been set up with the Enable Password Resets setting selected.

PowerShell Remoting is enabled by default for Windows Server 2016 and above but not for Windows 10 Clients.  You can enable it via group policy as per the following article by TechRepublic (as an example) https://www.techrepublic.com/article/how-to-enable-powershell-remoting-via-group-policy/

To enable PowerShell remoting on some test machines, log in to each of them and start PowerShell, choosing to Run as administrator, and execute Enable-PSRemoting -Force as per the screenshot below;

Next, you’ll need to import the required PCs or Servers into Passwordstate.  To do this you’ll need to set up a Host Discovery job to scan Active Directory and import the hosts into Passwordstate automatically.  The example below shows a Host Discovery job for Windows 10, 8 and 7.  To set up a Host Discovery Job navigate to Hosts->Host Discovery Jobs->Add Discovery Job and add a new Discovery Job like the screenshot below;

Note you’ll need to have a Privileged Account Credential which should be a member of the Domain Users Security Group so it can read Active Directory for the information relating to the hosts you are discovering.  We have a comprehensive video, showing how to set up a Host Discovery job, available from our YouTube Channel here https://www.youtube.com/watch?v=UifVi2rH8x0
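Before pointing the discovery and reset jobs at real workstations, it helps to confirm from the Passwordstate webserver that remoting actually answers on each host and that the privileged account can run a command there.  The following is an added example written for this post; it is not part of Passwordstate or its discovery jobs.  The host names are constructed, Test-RemotingReadiness is a hypothetical helper name, and it assumes the workstations are domain-joined so that WinRM accepts the credential without any TrustedHosts changes.

```powershell
# Added example (not Passwordstate's code): check, per host, that WinRM is
# reachable and that the supplied privileged credential can run a command,
# which is what a Local Account discovery or reset needs to succeed.

function Test-RemotingReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]]       $ComputerName,
        [Parameter(Mandatory)] [pscredential]   $Credential
    )

    foreach ($computer in $ComputerName) {
        $status = [ordered]@{
            ComputerName = $computer
            WinRM        = $false   # WinRM listener answered (Test-WSMan)
            CommandOk    = $false   # Invoke-Command succeeded with the credential
            Error        = $null
        }

        try {
            # Test-WSMan only checks that the WinRM service responds; no credential needed.
            $null = Test-WSMan -ComputerName $computer -ErrorAction Stop
            $status.WinRM = $true

            # Run a harmless command as the privileged account to prove the
            # credential is accepted and a remote session can be created.
            $who = Invoke-Command -ComputerName $computer -Credential $Credential `
                                  -ScriptBlock { whoami } -ErrorAction Stop
            $status.CommandOk = -not [string]::IsNullOrWhiteSpace($who)
        }
        catch {
            $status.Error = $_.Exception.Message
        }

        [pscustomobject] $status
    }
}

# Usage: constructed host names; use the same privileged account you intend
# to use for the discovery and reset jobs.
$cred    = Get-Credential -Message 'Privileged account for workstation access'
$hosts   = 'WS-TEST01', 'WS-TEST02', 'WS-TEST03'
$results = Test-RemotingReadiness -ComputerName $hosts -Credential $cred

$results | Format-Table -AutoSize

# Any host failing either check needs Enable-PSRemoting (or the Group Policy
# approach in the article above) sorted out before it joins the reset trial.
$results | Where-Object { -not ($_.WinRM -and $_.CommandOk) } |
    ForEach-Object { Write-Warning "$($_.ComputerName) is not ready: $($_.Error)" }
```

Running this against the small set of hosts you plan to trial first keeps the first scheduled reset from failing for a reason that has nothing to do with Passwordstate itself.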

Discover your Local Accounts

Now that you’ve discovered all of the target PCs, Passwordstate can begin scanning them for you and adding in any Local Accounts, as individual Password Records into a specific Password List.  This can also set them up for automatic resets when it adds the account into Passwordstate if you choose, or you can do this at a later date. 

In our example we’ll set up a Windows Local Admin Accounts discovery job by navigating to Tools->Account Discovery and adding a new Discovery Job by clicking on Select Discovery Job Type to Add… and selecting Windows Local Admin Accounts as per the screenshot below;

The discovery job in the example above is creating Password Records for all Local Accounts in the shared Password List Workstation Accounts.  However, the discovery job is set for Enabled for Heartbeats only at this stage as per the screenshot below;

There is also a video on how to set up your Account Discoveries here https://www.youtube.com/watch?v=YKH0ev6MrI8&t=313s

Note, with all discovery jobs, you can choose to run them in Simulation Mode, which performs the scan and reports back what it finds via email without adding any of the results into your Passwordstate instance.  That’s how the 2 jobs in the examples for this blog have been setup.  It’s a great way of initially building confidence in the process before making changes to production machines.

Setup a Trial Password Reset Job

Now you’re ready to dip that proverbial big toe in the water.  To do this you’ll run your Host Discovery job as normal, not in simulation mode, to import all the hosts that you’re interrogating for Local Accounts. 

Next you need to run the Windows Local Admin Accounts discovery job. Again, not in simulation mode and making sure you haven’t selected the Enabled for Resets tick box.  This will discover all the Windows Local Accounts against the target hosts you’ve imported and add them into the specified Password List, in this example Workstation Accounts.

At this stage no passwords are reset, as Enabled for Resets hasn’t been ticked.  Now simply edit the Password Records, for a select number of hosts, and tick the Enabled for Resets box and save the record.  Passwordstate will now reach out to those hosts and reset the password with the newly generated password recorded in Passwordstate.

You can now logon using the Local Account on each of those hosts, using the password that’s recorded in Passwordstate, to confirm the process has worked as expected.  Once you are comfortable that the process worked as expected you can perform the Bulk Update Password Reset Options from the List Administrator Actions dialog beneath the Password Record Display Grid.  You can now search for the password records to update, choose the fields to update tab, select the Managed Account, tick the box to Enable Password Resets Option for all these accounts and select Save.

Additional Information

Documentation on both the Host Discovery and Account Discovery jobs can be located in your Passwordstate instance here;

Help->User Manual->Hosts->Hosts Home Screen->View Host Discovery Jobs, and,

Help->User Manual->Passwords->Tools Menu->Accounts Discovery

As always, if you’ve got any feedback you’d like to share please send it to support@clickstudios.com.au.

Configuring the Brute Force IP Lockout Feature

Brute Force Attacks use a process of trial-and-error to guess the right credentials.  The attack works by using repeated sequential attempts to guess your username and password combination and force a way into your private accounts.  While considered an old attack method it’s still effective and popular with Cyber Criminals, as it can produce results relatively quickly depending on the length and complexity of your passwords.

Brute Force Attacks come in many unsavoury flavours and include:

Simple Brute Force Attacks: Where the attempt is to logically guess your credentials without the use of software tools or other means.

Dictionary Attacks: Where targeted accounts are subjected to repeated attempts of gaining access based on dictionaries containing known passwords.  Dictionary attacks are considered one of the most basic tools used in brute force attacks.

Reverse Brute Force Attacks: This style of attack starts with a password and then millions of usernames are searched through until a match is found. The starting point is usually by referencing leaked passwords available as a result of data breaches.

Credential Stuffing: Where Username and Password combinations that have worked for one website are retried against other websites the targeted individual may use.

Does Passwordstate Protect Against Brute Force Attacks

Yes, Passwordstate has a number of options for blocking Brute Force Attacks against your Passwordstate webserver.  The first is located under Administration->System Settings->authentication options->Web Authentication Options.  Here you can specify the number of permitted failed login attempts before Passwordstate locks out the IP Address for the active session as per the screenshot below;

You can also delay the returned error message by the specified number of seconds.  This makes it harder for Cyber Criminals to identify if the account actually exists (so they can harvest valid account details), or if the password supplied is simply incorrect.

The next option is to configure X-Forwarded-For support.  X-Forwarded-For is a standard header for identifying the originating IP address of a client connecting to a web server through a Firewall, HTTP proxy or load balancer.  When configured, in Passwordstate and your upstream devices, it enables you to lock out the IP address of the computer the user is logged into and not the upstream device such as the Firewall.  Note your upstream device also needs to be configured for X-Forwarded-For support.

To tell Passwordstate you have configured your device for X-Forwarded-For support, navigate to Administration->System Settings->proxy & syslog servers-> X-Forwarded-For Support and enter the IP Addresses of trusted devices as per the screenshot below;

Note as of Passwordstate V9 Build 9117, we have added an additional feature that takes the username into consideration when locking out an IP Address.  In these examples, it means that 3 unsuccessful login attempts from the same user/IP address will lock their IP Address out if they were accessing your site from behind a device that isn’t configured for X-Forwarded-For Support.
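To make the lockout behaviour described above concrete, here is an added example that models it in PowerShell.  It is not Passwordstate’s implementation; the function names Resolve-ClientAddress and Get-BruteForceLockouts, the addresses and the failed-login records are all constructed for this post.  It shows which address the failures are counted against when requests arrive through a device listed under X-Forwarded-For Support, and why the header is ignored when the connection comes from anywhere else.

```powershell
# Added example (not Passwordstate's code): model of the per-IP / per-user
# lockout decision, including how X-Forwarded-For is treated.

function Resolve-ClientAddress {
    param(
        [Parameter(Mandatory)] [string] $RemoteAddr,     # peer that opened the TCP connection
        [string]   $XForwardedFor = '',                  # raw header value, may be empty
        [string[]] $TrustedProxy  = @()                  # the X-Forwarded-For Support list
    )

    # If the immediate peer is not a device configured as trusted, the header could
    # have been written by anyone; the only address known to be genuine is the peer's.
    if ($TrustedProxy -notcontains $RemoteAddr -or [string]::IsNullOrWhiteSpace($XForwardedFor)) {
        return $RemoteAddr
    }

    # Header is "client, proxy1, proxy2": each hop appends the address it saw.
    # Walk from the right, skipping the proxies we trust; the first address that is
    # not one of ours is the real client.
    $hops = @($XForwardedFor -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    for ($i = $hops.Count - 1; $i -ge 0; $i--) {
        if ($TrustedProxy -notcontains $hops[$i]) { return $hops[$i] }
    }
    return $RemoteAddr
}

function Get-BruteForceLockouts {
    param(
        [Parameter(Mandatory)] [object[]] $FailedLogin,  # objects with RemoteAddr, XForwardedFor, UserName
        [int]      $MaxFailedLogins = 3,                  # Web Authentication Options threshold
        [string[]] $TrustedProxy    = @()
    )

    $failures = @{}
    foreach ($attempt in $FailedLogin) {
        $ip = Resolve-ClientAddress -RemoteAddr $attempt.RemoteAddr `
                                    -XForwardedFor $attempt.XForwardedFor `
                                    -TrustedProxy $TrustedProxy
        # Build 9117 and later consider the username as well as the address, so one
        # person's typos do not lock out everyone who shares that address.
        $key = '{0}|{1}' -f $ip, $attempt.UserName.ToLowerInvariant()
        $failures[$key] = 1 + [int]$failures[$key]
    }

    $failures.GetEnumerator() |
        Where-Object { $_.Value -ge $MaxFailedLogins } |
        ForEach-Object {
            $ip, $user = $_.Key -split '\|', 2
            [pscustomobject]@{ IPAddress = $ip; UserName = $user; FailedLogins = $_.Value }
        }
}

# Constructed sample: a reverse proxy at 10.0.0.5 is the only trusted device.
$trusted  = @('10.0.0.5')
$attempts = @(
    # three failures for 'alice' arriving via the proxy: counted against her real address
    [pscustomobject]@{ RemoteAddr = '10.0.0.5';    XForwardedFor = '192.168.1.20, 10.0.0.5'; UserName = 'alice' }
    [pscustomobject]@{ RemoteAddr = '10.0.0.5';    XForwardedFor = '192.168.1.20, 10.0.0.5'; UserName = 'alice' }
    [pscustomobject]@{ RemoteAddr = '10.0.0.5';    XForwardedFor = '192.168.1.20, 10.0.0.5'; UserName = 'alice' }
    # one failure for 'bob' via the proxy: different user and address, so no lockout on its own
    [pscustomobject]@{ RemoteAddr = '10.0.0.5';    XForwardedFor = '192.168.1.21, 10.0.0.5'; UserName = 'bob'   }
    # direct connections that carry a header anyway: the peer is not trusted, so the
    # header is disregarded and the failures are counted against 203.0.113.9 itself
    [pscustomobject]@{ RemoteAddr = '203.0.113.9'; XForwardedFor = '192.168.1.21';           UserName = 'bob'   }
    [pscustomobject]@{ RemoteAddr = '203.0.113.9'; XForwardedFor = '192.168.1.22';           UserName = 'bob'   }
    [pscustomobject]@{ RemoteAddr = '203.0.113.9'; XForwardedFor = '192.168.1.23';           UserName = 'bob'   }
)

Get-BruteForceLockouts -FailedLogin $attempts -MaxFailedLogins 3 -TrustedProxy $trusted | Format-Table -AutoSize
```

With this sample the failures for alice are attributed to 192.168.1.20 rather than to the proxy, while the three direct connections are attributed to 203.0.113.9 regardless of what their header claims.  This is the reason the X-Forwarded-For Support list should only ever contain the addresses of devices you operate.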

Some users have been incorrectly Locked Out

This can happen if you set too aggressive a target for failed logins.  It’s a fine balancing act between not penalizing users when they incorrectly enter their details and preventing Brute Force attacks.  Every organization should consider the risk and impact and set the number of failed logins accordingly.

However, if a user’s IP address has been incorrectly blocked you can remove it by navigating to Administration->Brute Force Blocked IPs, selecting the Action icon next to the incorrectly blocked IP and clicking on Remove Blocked IP Address as per the screenshot below;

Make Brute Force Attacks Harder

Even though you can apply the settings outlined above, there are still some prudent steps you can take to make Brute Force Attacks harder.

The first of these is to always use strong passwords.  Remember dictionary attacks using a list of common passwords, or a hybrid brute force attack that performs small changes to words by adding numbers or changing the letter case, are likely to succeed in some cases.  You need strong passwords to make their life harder.  Secondly, use 2FA where it makes sense.  Two-factor authentication can prevent Cyber Criminals from gaining access to your accounts.  It makes it nearly impossible for them to gain access to an account via a Brute Force Attack.

Have feedback?  Then we’d love to hear it via support@clickstudios.com.au.