Reporting on Mobile Client Usage

The Passwordstate native Mobile Client apps for Android and iOS were introduced in V9 Build 9000.  These replaced the old Mobile Client support providing remote access to managed credentials while away from your normal place of work (desk). 

The native apps are designed to work with the Passwordstate App Server, which brokers the connectivity between the client device and your Passwordstate instance.  It allows for storing password records that a user is authorized to access, locally on the smartphone, within an encrypted cache.  Users have the ability to use the biometric capability of the smartphone when accessing the data within the encrypted cache.  All authentication and access of credentials is audited and synced back automatically with Passwordstate on next connection.

But how do you know when your users are using the offline copy of their passwords.  How do you ensure that they are using them when and where required?

We Have a Report for That!

Passwordstate has over 100 different Audit events, including those relating to usage of the Mobile Apps.  As stated above all access to stored credentials within the encrypted cache, and all synchronizations of credentials between your Passwordstate instance and a Mobile Client, are audited.  These audit records are uploaded automatically each time the Mobile App successfully synchronizes with the App Server. 

This ensures you can report on the activity of your users that have been setup for Mobile Client usage.  To be able to do this Navigate to Administration->Reporting 

And select the Activity Report called Mobile Client Activity,

You can now filter the report based on User Account, Site Location and Duration in terms of the reporting period you select from the drop-down list,

and once you’ve clicked Run Report button the audit records matching the selected filters will be shown within the display grid.   

You can now export the results to Excel for further manipulation as required,

Make the report a Scheduled Report

Don’t forget you can setup the Mobile Client Activity report as a scheduled report and have it emailed through on a regular basis.  Simply navigate to Reports->Scheduled Reports and add a report like in the image below.

If you’d like to provide feedback, please send it to support@clickstudios.com.au.

How to Rotate Your Encryption Keys

Click Studios uses Symmetric Data Encryption within Passwordstate to protect your sensitive data.   It does this using 256bit AES (Advanced Encryption Standard) data encryption to encrypt (cipher) and decrypt (decipher) information. At a high level the process of encryption and decryption looks like this;

AES is the first and only publicly accessible cipher approved by the US National Security Agency (NSA) for protecting top secret information. 256bit AES is practically unbreakable by brute force based on current computing power, making it the strongest encryption standard available.  In short, by using symmetric encryption algorithms, data is converted into a form that cannot be understood by anyone not possessing the secret key to decrypt it.

NIST the National Institute of Standards and Technology, recommends that Symmetric Data Encryption Keys be changed every 2 years, or earlier based on an organization’s risk factors.  Your Passwordstate Encryption Keys shouldn’t be “set and forget”, they should be managed and rotated on a regular basis.

But Before You Start…

Make sure you have a backup of your Passwordstate Database and take a copy of your Web.config file.  The built-in Backup functionality is perfect for taking a backup and you can do this by navigating to Administration->Backups and Upgrades->Backup Now

If you’ve never used the built-in functionality, you’ll need to configure settings first under Administration->Backups and Upgrades->Settings.  Information on how to do this can be found here https://www.clickstudios.com.au/documentation/ for both Domain and Workgroup implementations.

Follow the Bouncing Ball…

Now that you’ve taken a backup of your Passwordstate database and have a copy of your Web.config file you’re ready to get started.  And it really is as easy as following the bouncing ball! 

Under Administration->Encryption Keys you’ll find 2 buttons, Export Keys and Key RotationExport Keys allows you to create a password protected Zip file containing your Encryption keys and we’ll cover more on that later.  First, we’re going to focus on Key Rotation.  To get started click on the Key Rotation button,

You’ll now be prompted to ensure you have a backup of your Passwordstate Database and a copy of your Web.config file.  Take the time to read through the information before clicking on the box next to I have read the notification above and understand some action is required of me before and after the key rotation.  If this check box isn’t ticked then you won’t be able to proceed with the Key Rotation.  Once you’re ready, and you’ve ticked the check box, you can click on the Begin Key Rotation button,

As you can see in the image above, The Encryption Key Rotation screen lists all of the tables, the number of records in each table and the Status for each.  To commence the rec-encryption process click on the Re-Encrypt Data button.

The status symbol of a Clock means that table hasn’t been re-encrypted yet.  The status of a Tick means the table has now been re-encrypted and the Flashing Blue Squares identifies the current table being re-encrypted.  A Status message of Please Wait… is shown at the bottom left-hand-side of the display grid listing the tables. 

As the tables are re-encrypted, they will cycle off the first page of the display grid and be replaced by tables awaiting to be re-encrypted.  When there are less tables awaiting to be re-encrypted, than take up the full display grid, you’ll start to see those tables that have been completed (shown by a status of Tick) moving back up the display grid.  Once complete you’ll be taken to the Key Rotation Complete Screen.  Again, take the time to read through the information before clicking the Start Passwordstate button.  This will log you off and you will need to log back into Passwordstate.

Don’t Forget… Take a copy of your New Encryption Keys

Now, cycling back to the Export Keys button.  Once you’ve successfully rotated your encryption keys it’s good practice to take a copy of them.  This can be done by navigating to Administration->Encryption Keys and clicking on the Export Keys button.  You’ll be taken to the Export Encryption Keys screen which tells you that the split secrets that make up your Passwordstate Encryption Keys are exported via a Password Protected ZIP file.  To begin the export process, click on the Export Keys button,

This will pop up the Password Protected Zip File dialog, which will require you to supply a password for the Zip file.  You will also be required to check the box stating that you cannot use the native Windows Compression to extract the contents of the Zip file.  Once that’s done you can click on the Export Keys button to create the Zip file containing the exported encryption keys.

The process of rotating your Passwordstate Encryption Keys is that simple and the effort required to rotate them is minimal.  There really is no reason not to be managing them appropriately.

We’d love to hear your feedback, send it to support@clickstudios.com.au.

Guide to set up Folder Structure and Permissions

You’ve decided that managing your organization’s passwords is essential.  You’ve selected a Password Management System that has the level of security you need, while retaining the flexibility to meet individual stakeholder’s requirements.  You anticipate there’ll be substantial interest and take-up as you roll out the solution.  The only question remains, how do you ensure that the way in which credentials are stored make them easy to locate, ensure they’re accessible to only those that need them, and make management of the solution as straightforward as possible.

Surely the best way to store all the credentials is in one big Password List stored in the root location?  That way you could just assign the permissions on a credential-by-credential basis!  Or maybe you should let everyone create their own Password Lists and store them all together.  If one user needs access to the same credential, they can just enter it in their Password List as well! …..No!  Absolutely Not!  Let’s rethink that approach!

Organizational Structure is Important

An organization’s structure lays out the official functional relationships governing the workflow and day to day operations in the organization. The structure makes it easier to add new positions and provides a flexible method for growth.  Without it, employees find it difficult to know who they officially report to and who has final responsibility over operational elements.  It provides a basis for segregation of duties to ensure appropriate governance.

Organizational structure improves operational efficiency. Departments work better together by focusing their effort on productive tasks without duplication.  The following diagram is a fictional organizational structure for the company An Example and we’ll be using it for this blog.

Using an organization’s structure is a good place to start when organizing your password credentials.  First, we’re going to create folders for all of the Level 1 entities in the diagram below.  These are the top-level functional bodies within this organization.  You’ll note that the CEO folder is grouped at Level 1 also.  There is no value in creating a CEO folder with all other folders nested beneath it so it’s grouped at the same Level as all other top-level folders.  Each of these top-level folders may or may not have additional folders nested beneath depending on the complexity of the organizational unit and the granularity of permissions you wish to set,

Next, we create the nested Level 2 folders for each of the Level 1 folders we’ve created.  The diagram below shows the examples of the two folders that will be nested beneath Operations (Chief Operating Officer), Operational Services and Metallurgical and Chemical laboratories.  Likewise, under Finance (Chief financial officer), we have IT and Legal (Legal matters).

Security Groups and Permissions

Most organizations that use Microsoft’s Active Directory (AD) will have AD Security Groups that closely match their organizational structure.  The group charged with IT Security will likely already have agreed and implemented your AD Security Groups and populated them with the appropriate user accounts aligned with the structure.  That’s the same in this example and it makes assigning permissions to your folders that much easier. 

If you aren’t using Microsoft AD and AD Security Groups you can still create your own Forms based User Accounts and Local Security Groups.  It’ll just mean there’s more initial work to create these and regular maintenance will be required to keep these up to date.

You may from time to time be tempted to use individual users instead of Security Groups to assign permissions.  Whilst this can be done it should always be used as the exception to the rule…the rule being use Security Groups whenever you can!

In the example above we’ve created a Folder under IT called Desktop Support.  We’ve thencreated a Shared Password List called Production Desktops

The permissions for accessing Production Desktops and the Desktop Support Folder is based on the AD Security Group Desktop Support.  Only members of this AD Security Group have been given Admin Access to the Password List.  IT staff not in the Desktop Support AD Security Group have no access.

Permission Model Types

It’s probably worthwhile recapping on the two permission models you can use within Passwordstate, Standard and Advanced

The Standard Permission Model applies the permissions in a bottom-up approach.  When you apply the permissions to the Production Desktops Password List the access is applied to all Folders in that hierarchy i.e. An Example->Finance->IT->Desktop Support.

Using the Advanced Permissions Model applies permission in a top-down approach.  If we were to apply the Desktop Support Security Group at the IT Folder Level it would provide access to IT->Desktop Support-Production Desktops Password List and IT->Legal and any Password Lists or subfolders located under the Legal Folder.  Note the image below is just to show the Advanced Model and doesn’t apply to the Desktop Support example we are using,

Both Permission Models are valid and can be used effectively.  The most appropriate model is the one that best suits the way in which your and/or your Security Administrators prefer to work.

Restrictions that can be Applied

There are a number of restrictions that can be applied to manage the folder structure and where Password Lists are placed.  The first is limiting who has permission to create new Folders in the root of Passwords Home.  This can be found by navigating to Administration->Feature Access->folder options and clicking on the Set Permissions button, 

The second is limiting who has permission to create Password Lists in the root of Passwords Home.  If you’ve gone to the extent of creating an organised folder structure then the last thing you’ll want is for Shared or Private Password Lists to be inadvertently dumped in the root.  This also applies to restricting who is allowed to Drag-N-Drop Password Lists around in the structure you’ve created.  These permissions can be set by navigating to Administration->Feature Access->password list options and againclicking on the Set Permissions button for each of the settings you wish to restrict,

Additional Items for Consideration

As you build your Folder structure and start creating Password Lists there are a couple of other points to consider with links to our blog entries below;

Performance Improvements: https://blog.clickstudios.com.au/performance-improvements-how-to-troubleshoot-and-resolve-issues/

Optimal sizing of your Password Lists: https://blog.clickstudios.com.au/password-list-performance-testing/

In Summary

With a bit of thought and alignment you can effectively build a folder hierarchy and manage your Password Lists by using;

  • The Organizational Structure as your basis,
  • Using Security Groups to your advantage,
  • Using the appropriate Permission Model, and
  • Restricting who can apply structural changes

This will ensure your Passwordstate instance accommodates changes and growth while minimizing the on-going management effort.  We’d love to hear your feedback, send it to support@clickstudios.com.au.

Troubleshoot HA Polling Issues

We’ve recently had a few technical support calls querying how to diagnose High Availability issues.  To make things easier, with identifying the health of all Passwordstate Servers, we included the health status under the Authorized Web Servers screen in Passwordstate 9.0 Build 9000.  This uses a traffic light approach of “green is good”, “red needs investigation”.

So, if your HA server shows a status of red what do you do next?

Recap on HA Implementations

To start with let’s recap on Passwordstate’s High Availability offerings.  The following logical diagram shows 2 variations of Passwordstate with High Availability.  The solution, as depicted by the Green Dot 1, is an Active / Passive implementation.  This allows the Passwordstate High Availability instance to be enabled, and will provide read only access to requests in the event of an issue with the Passwordstate Primary Instance.  All access events are audited and synced with the Passwordstate Primary Instance once recovered.

The solution, as depicted by the Blue Dot 2,shows an Active / Active implementation.  This requires a Load Balancer redirecting the End User’s Passwordstate traffic to either the Passwordstate Primary Instance or the Passwordstate Secondary Instance.  This offering allows users to update data in both the Primary and Secondary instances of Passwordstate.  It requires Basic Availability Groups, or Always On Availability Groups to be implemented in Microsoft SQL Server Standard and above.

Your High Availability Server along with your Primary Server will show up on the Authorized Web Servers page.  This page is available at Administration->Authorized Web Servers and details the Polling Health, Last Poll Time, Server Role and HA Mode along with the Install Path.  Our test environment is shown in the screenshot below;  

Note the Host Names must be entered in their NETBIOS name format not FQDN (Fully Qualified Domain Name).

High Availability: Active-Passive Implementation

When running your Passwordstate High Availability model in Active / Passive mode your HA Server will initiate the polling.  It does this through the Passwordstate Windows Service attempting to contact the Primary instance’s API.  When it successfully connects to the API it will complete the poll and your Primary instance will record the Polling Health status as green for your HA Server.

If your Polling Health status isn’t showing as “green is good” you’ll need to investigate the cause.  The first thing you can check is if the API is functional.  To do this try creating a password using the password generator icon in the top right-hand side of your Passwordstate User Interface;

When clicking on the password generator a password should be generated in the dialog box as shown above.  If this works successfully then the API is functioning correctly.

You can also check if the connection to your API is functioning correctly by opening a web browser and typing in the URL for your Passwordstate instance with the following appended to the URL /api/highavailability/primarypoll/polltest.  If the connection is successful, you’ll see the following result;

If the connection fails, in this example because the Application Pool wasn’t running, you’ll see an error message like;

It does this via a GET request to the specified Uri (URL) as an asynchronous operation.  For more information on the GET request please see https://docs.microsoft.com/en-us/dotnet/api/system.net.http.httpclient.getasync?view=net-5.0 .

Connection issues are always caused by issues with an incorrectly configured Load Balancer, Reverse Proxy or Firewall issues between the two Passwordstate instances.  You can also check the Authorized Webserver Host Names are the Netbios names and not the FQDN.

High Availability: Active-Active Implementation

When running your Passwordstate High Availability model in Active / Active mode your High Availability Server (secondary instance) writes its Polling Health status directly into the Passwordstate Database.  As with Active / Passive implementations this will then show the Polling Health status as green for your HA Server. 

Again, the biggest issue we find with a Passwordstate instance not correctly participating in an Active / Active HA implementation is incorrectly configured Firewalls or your Passwordstate Windows Service isn’t started. Again, check the Authorized Webserver Host Names are the Netbios names and not the FQDN.

Knowing where to look when you experience HA Polling Issues is straightforward.  Unfortunately Click Studios can’t tell you how to resolve your Load Balancer, Reverse Proxy or Firewall issues as the number of suppliers for these is huge and growing. You will need to log a call with the vendor responsible for the equipment if you are unable to identify and resolve the issue.

Got feedback?  We’d love to hear it!  Send it through to support@clickstudios.com.au.

Self Destruct Messaging Implementations

Passwordstate includes a Self Destruct Messaging portal as part of the core software.  Self Destruct Messaging typically allows you to send emails or messages within an application, containing content considered to be highly confidential, to be viewed for a specified period of time.

In the case of Passwordstate’s Self Destruct Messages, the content that you share is stored only within the Self Destruct Messaging portal.  Access to be able to send Self Destruct Messages relating to a Password Record is permissions based and you can control both the ‘Time to Live’ and number of times the data or Password Record can be viewed.

How are Self Destruct Messages Sent

In this example we’ll use a scenario where we want to temporarily share a password record with a contractor that doesn’t normally have access to Passwordstate.  The Self Destruct Messaging portal we are using is the embedded implementation, meaning it is automatically included as part of your Passwordstate website and can be access by appending /selfdestruct to your Passwordstate URL.  The version of Passwordstate used in this example is V9 Build 9300.

To share the Password Record with the contractor we simply, click on the Action Menu next to the record and select Send Self Destruct Message;

This brings up the Self Destruct Message Screen where we can compose our message.  We specify the period of time the message is alive for and the number of times it can be viewed.  Both these fields are drop down lists where you can select from predefined options.  Once complete click Next;

Next, we enter the contractor’s email address, change the subject line as appropriate and click Next,

In this case we’re using Passphrase Protection, so we’ll need to set the Passphrase and advise the contractor what that is (in a separate email) and then click Send Message,

The contractor now receives the following email,

To access the details of the Password Record, the contractor will need to click on the URL, noting the ‘Time to Live’ for the Self Destruct Message is 30 min from the email being sent.  This will bring up the Self Destruct Message portal screen requiring authentication using the Passphrase separately emailed to them and then clicking Next,

The Self Destruct Message is then displayed (I’ve redacted the details in the image below),

The person that sent the Self Destruct Message will receive an email confirming when the message has been viewed by the recipient.

Self Destruct Messaging Implementations

The example used above is based on the embedded implementation, which is part of your existing Passwordstate instance.  The Self Destruct Messages under this model can only be used where you can also access your Passwordstate website.  This means that if your Passwordstate instance isn’t internet facing then you’ll also not be able to share Self Destruct Messages over the internet.

You can however implement the Self Destruct Message portal a couple of other ways.

  • The first, using a Push\Pull implementation.  This works by sending messages from your core Passwordstate website to a Microsoft SQLite database.  When the customer accesses the Self Destruct website, it reads the Self Destruct Message directly from that SQLite database and the message is deleted when they are finished with it.  This implementation doesn’t require any open ports to your Passwordstate website, or your Passwordstate database and requires no management of the SQLite database.  It enables the hosting of your Self Destruct Messaging website in a DMZ.  To configure this option, you’ll need to specify the URL for the site and generate an Encryption Key.  Instructions are located under the Administration Tab->System Settings->self destruct messages->Push\Pull Deployment Self Destruct Install Guide button.
  • The Second, is via your AppServer hosted within your DMZ.  This implementation requires you to connect to the AppServer to read the Self Destruct Messages.  This method doesn’t use the SQLite DB. Instead, it uses connectivity back to the Passwordstate database, hosted on your internal network. A port, typically the SQL port 1433 needs to be open.  If you are already using the AppServer as internet facing, in order to sync with your Mobile Apps on Smartphones, it makes sense to use this.  However, you should perform an internal risk assessment to ensure the solution meets your requirements.

There are multiple implementations available for the Self Destruct Messaging Portal and you are encouraged to select the model that best suits your organizational requirements. 

As always, if you’ve got any feedback you’d like to share please send it to support@clickstudios.com.au.

Linking Multiple Websites to One Password Credential

Our Technical Support Team recently assisted a customer with an issue related to form-filling credentials for a website where the website redirects to a secondary page.  This can happen when the primary URL for the website redirects the user to another URL for part of the login process. 

Example: Microsoft Advertising

The example we’re using for this is Microsoft’s Advertising login.  The primary URL we’re using takes us to the username webpage of https://ads.microsoft.com/and automatically form-fills the email address as our username;

However, the password webpage is located at https://login.live.com/ and because of this the Browser Extension doesn’t correctly form-fill the password;

Linking Multiple Website URLs

To fix this we need to add in the additional URL for the credentials in Passwordstate.  To do this, login to Passwordstate, select the Password Record and using the Action icon select Link Account to Multiple Web Site URLs;

From there you’ll need to add in the additional URL, in this case https://ads.microsoft.com/ as the URL above is https://login.live.com/ ;

Once this is saved, you’ll either need to logout and then back into you Browser Extension, or alternatively wait at least a minute before retrying.  Once you’ve done that credentials in our example now correctly form-fill on both screens.  The Enter Password Screen is shown now form-filling below;

As always, if you’ve got any feedback you’d like to share please send it to support@clickstudios.com.au.

Configuring the Brute Force IP Lockout Feature

Brute Force Attacks use a process of trial-and-error to guess the right credentials.  The attack works by using repeated sequential attempts to try and guess your username and password combination and force their way into your private accounts.  While considered an old attack method it’s still effective and popular with Cyber Criminals as it can result in relatively quick results depending on the length and complexity of your passwords.

Brute Force Attacks come in many unsavoury flavours and include;

Simple Brute Force Attacks: Where the attempt is to logically guess your credentials without the use of software tools or other means.

Dictionary Attacks: Where targeted accounts are subjected to repeated attempts of gaining access based on dictionaries containing known passwords.  Dictionary attacks are considered one of the most basic tools used in brute force attacks.

Reverse Brute Force Attacks: This style of attack starts with a password and then millions of usernames are searched through until a match is found. The starting point is usually by referencing leaked passwords available as a result of data breaches.

Credential Stuffing:  Is where Username and Password combinations that have worked for one website are retried against other websites the targeted individual may use.

Does Passwordstate Protect Against Brute Force Attacks

Yes, Passwordstate has a number of options for Blocking Brute Force Attacks to your Passwordstate webserver.  The first is located under Administration->System Settings->authentication options->Web Authentication Options.  Here you can specify the number of permitted failed login attempts before Passwordstate locks out the IP Address for the active session as per the screenshot below;  

You can also delay the returned error message by the specified number of seconds.  This makes it harder for Cyber Criminals to identify if the account actually exists (so they can harvest valid account details), or if the password supplied is simply incorrect.

The next option is to configure X-Forwarded-For support.  X-Forwarded-For is a standard header for identifying the originating IP address of a client connecting to a web server through a Firewall, HTTP proxy or load balancer.  When configured, in Passwordstate and your upstream devices, it enables you to lock-out the IP address of the computer the user is logged into and not the upstream device such as the Firewall.  Note your upstream device also needs to be configured for X-Forwarded-For support.

To tell Passwordstate you have configured your device for X-Forwarded-For support, navigate to Administration->System Settings->proxy & syslog servers-> X-Forwarded-For Support and enter the IP Addresses of trusted devices as per the screenshot below;

Note as of Passwordstate V9 Build 9117, we have added in an additional feature that takes the username into consideration when locking out an IP Address.  In these examples, it means that 3 unsuccessful login attempts, from the same user/IP address will lock their IP Address out if they were accessing your site from behind a device that isn’t configured for X-Forwarded-For Support.

Some users have been incorrectly Locked Out

This can happen if you set too aggressive a target for failed logins.  It’s a fine balancing act between not penalizing users when they incorrectly enter their details and preventing Brute Force attacks.  Every organization should consider the risk and impact and set the number of failed logins accordingly.

However, if a user’s IP address has been incorrectly blocked you can remove the blocked IP address by navigating to Administration->Brute Force Blocked IPs and select the Action icon next to the incorrectly blocked IP and click on Remove Blocked IP Address as per the screenshot below;

Make Brute Force Attacks Harder

Even though you can apply the settings outlined above there are still some prudent steps you can take to make it harder for a Brute Force Attacks. 

The first of these is to always use strong passwords.  Remember dictionary attacks using a list of common passwords, or a hybrid brute force attack that performs small changes to words by adding numbers or changing the letter case, are likely to succeed in some cases.  You need strong passwords to make their life harder.  Secondly, use 2FA where it makes sense.  Two-factor authentication can prevent Cyber Criminals from gaining access to your accounts.  It makes it nearly impossible for them to gain access to an account via a Brute Force Attack.

Have feedback, then we’d love to hear it via support@clickstudios.com.au.

Base Passwordstate Installation in Azure and AWS

­­­­­­Passwordstate is marketed as an on-premise web based solution for Enterprise Password Management.  However, “on-premise” doesn’t really mean it has to be based out of a physical bricks and mortar location.  On premise really means from a “location” where you’re in control of network access to the product, can configure the physical or virtual resources that service the product, and are responsible for granting permissions to known individuals and groups to be able to access the data stored within Passwordstate.

Based on this you can, if you choose to, host Passwordstate within a Cloud Service where that Cloud Service provides an extension to your own network, account directory and credentials.  Click Studios has tested and supports hosting of Passwordstate within both Azure and AWS.

The installation for Passwordstate is pretty much the same regardless of where you install it.  The majority of the changes relate to the configuration of the cloud platform.  This Blog will show you the key setup areas required to host Passwordstate on these platforms.

Hosting Passwordstate on Microsoft Azure

The specifics of your Passwordstate server will be dependent on your workload and the number of Users and Credentials stored within Passwordstate.  The System Requirements can be located here https://www.clickstudios.com.au/passwordstate-system-requirements.aspx and apply to both on-premise and virtual implementations.  As an indication our own Azure based instance has the following characteristics.

You have a number of options when it comes to SQL Server for your Azure hosted Passwordstate instance.  If you’ve simply provisioned an Azure Windows Server, and want to host your web and database server on the same machine, you can follow the standard installation instructions, located on the Documentation page on our website here https://www.clickstudios.com.au/downloads/version9/Installation_Instructions.pdf.  Alternatively, you may want to take advantage of the other services available within Azure such as the Azure SQL.  Azure SQL is Microsoft’s fully managed cloud relational database service that shares the same code base as their traditional SQL Server offerings.

One key point with setting up Passwordstate in Azure is that our installer is unable to create the blank database, used during setup of Passwordstate, if you have elected to use Azure SQL.  You are also unable to use the SQL Management Studio Tools as per our installation instructions.  Instead, you’ll need to login to Azure and create the blank database in Azure SQL by navigating to SQL Databases:

Now create a new database by clicking on Create and then Create SQL database,

This will take you to the Create SQL Database.  Set the Database name to passwordstate and choose an existing Azure SQL Server to host this database.  If you do not have an existing SQL Server in Azure you’ll need to create one and assign a Server Admin.  Take note of the Server Admin details as you’ll need these credentials to connect with SQL Management Studio Tools in one of the following steps.

Next, you’ll need to create a local SQL account called Passwordstate_user.  To do this right Click Master Database and select New Query.  Then copy and paste the following into the window and click Execute:

CREATE LOGIN passwordstate_user WITH password='<choose a password>’

GO

Now, you’ll need to assign db_owner rights for the passwordstate_user account to the Passwordstate database you’ve previously created.  To do this right click on the Passwordstate database, select New Query and run the following;

CREATE USER passwordstate_user FOR LOGIN passwordstate_user WITH DEFAULT_SCHEMA=[dbo]

GO

EXEC sp_addrolemember ‘db_owner’, ‘passwordstate_user’;

GO

Now when you install Passwordstate, for the Database Setting make sure to select the second tab connect to blank database and choose Microsoft Azure, entering your Azure SQL Database Server Name, SQL Server Instance Name, Database Name, and the passwordstate_user account and password you created.  Passwordstate will then proceed to populate the created database and the install will then finish as normal.

Hosting Passwordstate on AWS

When it comes to the database requirements for Passwordstate hosted in AWS you can select the database engine to be SQL Server Express, SE (Standard Edition) or EE (Enterprise Edition) depending on your requirements.  You’ll need to create a Database Instance in AWS  when logged in to the AWS console, and select Services and click on RDS as per the image below;

This allows you to create the RDS based on your choice of either SQL Server Express, SE or EE.  Click on Get Started Now, and then select the Database Engine that best suits your requirements.  In the example below I’ve selected the SQLExpress 2019 version;

Next, create a DB instance identifier name of anything you like.  In the example we’ve called it passwordstate.  Then create a Master username that you will use to administer this instance.  By default, the username is admin.  Take note of the password you are setting for this account:

Next on the Connectivity screen ensure you select ‘Yes’ for Public Access – This will allow you to connect to your RDS database instance from anywhere,

You should now be able to create your database.  Once it’s created, you can now connect to it using SQL Management Studio Tools.  This official Amazon guide shows how to find your connection details, and establish a connection: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ConnectToMicrosoftSQLServerInstance.html

Once you are connected, you will be able to use the SMSS tools to create the empty database, and a SQL account used to connection between the Passwordstate website and the AWS RDS database.  To do this right click on Databases and select New Database,

Call the database “passwordstate” and click OK,

Next, expand Security, right click on Logins and select New Login,

Select the account type as SQL Server authentication, and set the Login name to be passwordstate_user.  Now choose a strong password and click OK,

Now select the User Mapping menu, and assign the db_owner rights to the passwordstate database.  Click OK to save this,

Now when you install Passwordstate, for the Database Setting make sure to select the second tab connect to blank database and choose Amazon RDS, entering your Amazon instance in the Database Server Name field, Database Name, and the passwordstate_user account and password you created. 

Passwordstate will then proceed to populate the created database and the install will then finish as normal.

Migrating Existing Passwordstate Instances to the Cloud

The above details can also be used when migrating from an on-premise instance to the cloud.  Just remember to follow the documentation, located under Passwordstate General Administration here https://www.clickstudios.com.au/documentation/, the documents you want are Moving Passwordstate To A New Database Server and Moving Passwordstate To A New Web Server and theinstructions need to be performed in that order.  Finally, please remember to migrate them before decommissioning your existing instance.

Have feedback, then we’d love to hear it via support@clickstudios.com.au.

Performance Improvements – How to Troubleshoot and Resolve Issues

From time to time we receive support requests from customers having performance issues with Passwordstate.  In a significant number of cases the issues contributing to, or even the direct cause of the performance issues, are related to configuration or environmental considerations within a customer’s network.

To begin with, let’s recap on a set of very simplified installations.  The following image outlines 2 different Passwordstate installations that are typically encountered by our Technical Support Team;

The top of the image above shows a simple Passwordstate instance, with the webserver and database installed on the same Windows Server.  This could be either a physical or virtual server.  In this example the customers client PCs are connected via Wi-Fi to a simple Switch with in-built Wi-Fi.   

The bottom of the image shows a larger setup, with a dedicated Passwordstate webserver, deployed in High Availability mode and stack of virtual servers.  In this example the webserver and database servers are installed on separate Windows Servers and all members in the example are connected over a traditional ethernet network.  The Passwordstate webservers site behind a load balancer. 

In all instances, when a user has been authenticated and navigates to a screen in Passwordstate, their web browser is rendered based on the HTML for the screen they are accessing on the webserver, validated by the permissions they have been assigned as recorded in the SQL database, and the results of the SQL query for the data they are requesting.  This by necessity requires multiple interactions (queries and responses) between the webserver and SQL database before the results are rendered in the user’s web browser.    

Common Performance Issue Symptoms

Using the 2 typical implementations above, we are on occasion advised that users are experiencing performance issues.  These can typically be broken down into the following types of performance issues;

  • Overall responsiveness in Passwordstate
  • Slowness in navigating through Folders and Password Lists
  • Passwordstate sessions abruptly terminated
  • Features not working correctly or at all

There is some duplication between the underlying causes for the above and a number of these can, when aggregated, result in a significant impact to performance of your Passwordstate implementation.     

Examples of Approach to Issue Identification and Resolution

The following are examples of approaches toward identifying the underlying cause of the performance issues and resolving these. 

Overall Responsiveness:  The overall responsiveness in Passwordstate can depend on a number of factors.  This includes;

  • network connectivity between the client PC, Passwordstate webserver and SQL database
  • it can be affected by the number of Folders and Password Lists on the Passwords Tab and Folders and Nodes on the Hosts Tab
  • misconfiguration of any Load Balancers and Reverse Proxies
  • excessive number of entries in the auditing table

To test and resolve these, it’s recommended to;

  • confirm the issue with responsiveness is widespread or confined to only some users
  • verify there are no inherent network connectivity issues between the clients PC, the Passwordstate webserver and SQL database
  • test local authentication as opposed to Cloud based SAML authentication
  • develop and test a User Account Policy that applies Load on Demand and Node Capping
  • review and remove unnecessary Folders and empty Password Lists
  • reduce the size of your auditing table to less than 500,000 entries by archiving
  • bypass the Load Balancers and/or Reverse Proxies.  If this resolves the issue please liaise with the vendor supporting these

Slow Navigation with Passwordstate:  This is usually affected by the number of Folders and Password Lists on the Passwords Tab and Folders and Nodes on the Hosts Tab.  As an example, on the Passwords Tab you have a folder hierarchy with 1000 Folders and underneath each of these a number of Password Lists.  By default, when you navigate to the Passwords Tab the underlying query will validate your access to view and then retrieve the details of the 1000 folders, along with the Password Lists contained within these folders.  This produces a substantial amount of data that will then need to be rendered within your web browser.  It can also be affected by;

  • setting the password records display grid to a very large number of records
  • poorly behaved Anti-Virus software

To test and resolve these, it’s recommended to;

  • again, confirm if the issue is widespread or confined to some users
  • set your Password Records display grid to no more than 10 records
  • use the Search capability to locate the Password Record rather than browsing through Folders, Password Lists and long display grids
  • use a User Account Policy that applies Load on Demand and Node Capping
  • review and remove unnecessary Folders and empty Password Lists
  • test if your Anti-Virus software is the cause by temporarily setting exclusions on the Passwordstate folder structure on your webserver.  You can also temporarily disable the AV software to test this.  Please note if this resolves the issue you should enable your AV software and remove any exclusions before contacting the vendor for a permanent fix.

Passwordstate sessions abruptly terminated:  This is usually caused by either badly behaved Anti-Virus software or Windows Patching having installed patches that require a subsequent reboot.  Windows patching has in some cases caused Passwordstate sessions to intermittently fail.    Some Anti-Virus Software products are known to kill sessions in IIS with the following types of error being reported in Passwordstate Error Console screen;

  • It appears the user’s session in IIS has been prematurely ended, causing the following error
  • Object variable or With block variable not set
  • Error Code = Incorrect syntax near the keyword ‘DEFAULT’
  • Error Code = Thread was being aborted
  • ApplyScreenCustomisations
  • There was an issue validating both the AuthToken session variable and cookie
  • The parameterized query
  • Specified argument was out of the range of valid values in conjunction with ApplyScreenCustomisations()

Some Reverse Proxies and Load Balancers can also cause these errors.  In order to rule these out please bypass them and monitor the Error Console.

Features not working correctly:  The single biggest cause of Passwordstate features, such as Self-Destruct Messages, Password Reset Portal, API issues, SAML Authentication and HA polling not working correctly is misconfigured Load Balancers and Reverse Proxies.  To determine if these are negatively impacting on the functioning of Passwordstate please bypass them and retest.

By working through some basic troubleshooting steps you can usually find what is causing the underlying performance issues with your instance.  If you are still experiencing issues after having worked through the above, or there are other errors being reported in the Error Console then please send these through to support@clickstudios.com.au for assistance.

Once again if you have feedback, we’d love to hear it via support@clickstudios.com.au.

One Time Passwords and The Browser Extension

This week’s blog almost sounds like a modern take on one of Aesop’s fables, except instead of featuring animals with human attributes we’re using a modern “technology take” on the story.  There’s no moral taught in this story (blog), just another nifty feature to make your life easier.

Most Users of Passwordstate that have created Password Lists would know that there are a number of templates that can be used when creating them.  You don’t have to use these, however for those of us that don’t regularly create Password Lists, the Add Shared Password List Wizard can streamline the creation and permissions processes.

Add Shared Password List Wizard

So, let’s set the scene first.  Your organization has recently signed up for a new Cybersecurity defense solution and enrolled a pilot group of users.  This has proven to be very successful and you’ve been tasked with extending the enrolment, via the web-based Administration Console, to all users within your organization.

The problem is, the administration console requires multi-factor authentication, in this case a Username, Password and OTP (One-Time Password) to enable login.  This is a pain as you’re using two sources for the information.  You’re using Passwordstate for the Username and Password and a Mobile App for the One-Time Passwords.  But you don’t have to.  Instead, you can create a Password List based on the One-Time Password Authenticator template.

First navigate to the Passwords tab and right click on Passwords Home and select Add Shared Password List.   This will bring up the Add Shared Password List Wizard.  Enter the details for the Password List and choose the One-Time Password Authenticator template as per the image below; 

Enter all the details you require and click Next.  This will take you to the Permissions section where you’ll then be able to specify the Security Groups or Users you want to assign permissions for (for this Password List).  Once you’ve entered all your details click Next.  This will take you to the Confirmation section allowing you to review your details before clicking Finish to create the Password List.  The details for the Password List I’ve created are as follows;

Please note you can modify an existing Password List and simply select the Enable One-Time Password Generation to add the OTP section to all Password Records in that list.  However, in the scenario above I’ve elected to keep all Password Records requiring the additional One-Time Password authentication together in the one purpose designed Password List.

Add a Password Record for MFA

Now that we have the Password List, enabled for OTP setup, I’m going to add-in the credentials for our Cybersecurity defense solution.  To do this navigate to the Password List and click on Add underneath the Password Record grid.  Enter all the details for the Password Record and importantly, scan the QR code that was supplied by the issuer. 

If you don’t have a QR code you can enter the Issuer, Secret and algorithm specified by the issuer and click Save.  The image below shows the completed Password Record;

Access all Details via Browser Extensions

Now when you browse to the web-based Administration Console the Browser Extension will automatically form fil the Username and Password Fields.  But where’s the OTP details?    When the Browser Extension identifies the Password Record it will, in the Browser Extension menu, provide a right arrow-head next to that record.  Clicking on this will bring up the details for the Password Record including the Username, Password and One-Time Password as per the image below;

You’ll note the OTP shows the time to live for the current OTP code.  This allows you to ensure you have sufficient time to copy and paste that OTP code before it regenerates.

It really is as simple as that.  Now you can use a consolidated approach to storing the Password Credentials for sites requiring multifactor authentication with One-Time Passwords.

If you have feedback, we’d love to hear it via support@clickstudios.com.au.