Emergency Access Password – What is it and how do I find it?

Click Studios designed a secure Emergency Access login to Passwordstate back in the early days of Passwordstate 5.  The Emergency Access account is a separate built-in account with ‘Security Administrator’ rights that allows login to Passwordstate when other accounts are locked out, or inaccessible for any reason.  This account doesn’t allocate a license from your available license pool and is not intended for use in day-to-day operations.  It should be regarded as an account of last resort.

An organization would typically only use their Emergency Access account under select scenarios such as:

  • You have issues authenticating to Passwordstate due to the Authentication Option you have selected no longer working.
  • All Security Administrator accounts have been accidentally disabled or deleted, with no other accounts being able to administer all settings for Passwordstate.

To log in via the Emergency Access account you must browse to the URL HTTPS://<Your Passwordstate URL>/Emergency.  You are then presented with the Emergency Access login screen.

As stated on the login screen, there is increased auditing associated with the Emergency Access account.  In browsing to the login screen you will trigger an audit event.  The following applies to attempted and successful logins using the Emergency Access account:

  • Browsing to the Emergency Access URL will generate an audit record.  The details for the event, including the IP Address the access was initiated from, are subsequently emailed to all Security Administrators.
  • On successful and unsuccessful login, details for the event, including the IP Address the login attempt was initiated from, are emailed to all Security Administrators.
  • On successful login you must specify a reason why you need access and these details are added to the auditing data.

Once you’ve logged in with this account, you will have access to the Administration area of Passwordstate.

Auditing of Emergency Access

The auditing details below relate to Click Studios’ internal Passwordstate Instance and show an attempted access to the Emergency Access Login Screen (for the purpose of creating the blog entry).  As this is our Production Instance please understand that I’ve redacted the account details, names of the Security Administrators and their email accounts from the screenshot below.

Setting the Emergency Access Password and Permitted IP Ranges

If you need to change the Emergency Access password, navigate to Administration->Emergency Access->emergency access details.  Here you can set the Password and print it out for safe storage if required.

Whilst you can always RDP directly to your Passwordstate Server, you can further lock down the ability to log in over the network, via the Emergency Access login screen, by specifying Allowed IP Ranges.  Using this feature, you can specify individual IP addresses as well as allowed IP address ranges. To set Allowed IP Ranges navigate to Administration->System Settings->allowed ip ranges and add the relevant entries under Emergency Access Allowed IP Ranges.  Remember to add only one specific address or IP range per line.
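
Before turning on the restriction, it helps to replay past Emergency Access audit events against the proposed list and see which source addresses would fall outside it. The following is an added example, not Click Studios code: the entry syntax (single address, CIDR block or start-end range) and the event records are assumptions constructed for illustration, so check the product documentation for the syntax Passwordstate accepts.

```python
import ipaddress

# Constructed allow-list, one entry per line. The three entry forms are assumed.
ALLOWED = """\
192.0.2.10
198.51.100.0/28
203.0.113.20-203.0.113.25
"""

# Constructed audit records; field names and activity text are illustrative only.
EVENTS = [
    {"time": "2024-03-04 09:12", "activity": "Emergency page viewed", "ip": "192.0.2.10"},
    {"time": "2024-03-04 09:40", "activity": "Emergency login failed", "ip": "203.0.113.26"},
    {"time": "2024-03-04 10:05", "activity": "Emergency login succeeded", "ip": "198.51.100.14"},
    {"time": "2024-03-04 11:30", "activity": "Emergency page viewed", "ip": "198.51.100.16"},
]


def parse_allow_list(text):
    """Turn one-entry-per-line text into networks, rejecting malformed lines."""
    networks = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            if "-" in entry:  # start-end range, expanded to the exact covering CIDR blocks
                start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
                networks.extend(ipaddress.summarize_address_range(start, end))
            else:  # single address (becomes /32 or /128) or CIDR block
                networks.append(ipaddress.ip_network(entry, strict=False))
        except (ValueError, TypeError) as exc:
            raise ValueError(f"line {lineno}: bad entry {entry!r}: {exc}") from exc
    return networks


def outside_allow_list(events, networks):
    """Return the events whose source IP is not covered by any allowed network."""
    return [e for e in events
            if not any(ipaddress.ip_address(e["ip"]) in n for n in networks)]


if __name__ == "__main__":
    for e in outside_allow_list(EVENTS, parse_allow_list(ALLOWED)):
        print(f'{e["time"]}  {e["ip"]:<15}  {e["activity"]}  (outside allow-list)')
```

A mistyped entry or a reversed range raises an error naming the line, which is easier to catch here than after an administrator has locked themselves out of the Emergency Access screen.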

Recover the Emergency Access Password

If you ever lose the printed copy of the Emergency Access Password, or if it’s been reset by someone and not recorded anywhere, you can contact Click Studios and ask us to recover it for you.

In these instances we’ll need email approval from line management before proceeding.  Once we have approval, we’ll require:

  • The most recent version of your Web.config file.  This should be located in the root directory of your Passwordstate installation or C:\inetpub\passwordstate.
  • The values for EA_Password, Secret3 and Secret4 from your Passwordstate Database, located in the SystemSettings table. To extract these, you’ll need to use Microsoft’s SQL Management Studio tools to connect to your database server and execute the following query:

USE Passwordstate

SELECT EA_Password, Secret3, Secret4 FROM SystemSettings

We’ll then recover the Emergency Access Password for you using our in-house support tools.

We’ll then email the password details back to you.  Once you receive the email we suggest the first thing you do is change the Emergency Access Password, record it, print it out and store it somewhere safe!  We also encourage you to rotate your encryption keys; refer to Section 2.12 Encryption Keys here.

That’s it for this week.  Any suggestions or feedback are welcome and you can send these through to support@clickstudios.com.au.