Some Examples of Best Practices for Passwordstate

Here at Click Studios a couple of staff from Pre-Sales and Technical Support are pulling together the first draft of our Best Practices guide for Passwordstate. The recommendations provided in the Guide are a direct result of assisting organizations around the world to deploy Passwordstate successfully and streamline their privileged access management practices.

As the finished version of the Guide is still a little way off, we thought you may appreciate having a couple of the Best Practices previewed here.

Securing your Web.config File

One of the easiest ways in which you can secure your Passwordstate Instance is to encrypt both the Database Connection String and appSettings Sections of your Web.config file.  This ensures that anyone having access to your Web Server’s file system will be unable to use the details of the Web.config file to access and retrieve your Password Credentials.

The process is straightforward and requires you to separately encrypt the Database Connection String and appSettings Sections of your Web.config file using aspnet_regiis.exe.  The executable is usually located in the %windows%\Microsoft.NET\Framework\versionNumber folder.  Once you’ve encrypted the two sections you’ll need to stop and restart the Passwordstate Service.

The example image below shows the command being executed for the appSettings section, followed by stopping and then restarting the Passwordstate Service.

Full instructions for performing this can be found within our documentation here or our blog entry here.
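
The procedure above as a PowerShell script, added here as an example rather than taken from Click Studios' documentation. The .NET version folder, the install folder and the service display name are assumptions; run it from an elevated prompt on the Web Server.

```powershell
# Added example. The three values below are assumptions; adjust them to your install.
$regiis   = Join-Path $env:windir 'Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe'  # assumed version folder
$siteDir  = 'C:\inetpub\Passwordstate'   # assumed folder that contains Web.config
$service  = 'Passwordstate Service'      # assumed service display name
$sections = 'connectionStrings', 'appSettings'

$webConfig = Join-Path $siteDir 'Web.config'
if (-not (Test-Path $regiis))    { throw "aspnet_regiis.exe not found at $regiis" }
if (-not (Test-Path $webConfig)) { throw "Web.config not found at $webConfig" }

# A protected section carries a configProtectionProvider attribute and an
# <EncryptedData> child in place of its plain-text keys.
function Test-SectionEncrypted([string]$Path, [string]$Section) {
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($Path)
    $node = $xml.SelectSingleNode("/configuration/$Section")
    if ($null -eq $node) { throw "Section <$Section> not found in $Path" }
    return [bool]$node.GetAttribute('configProtectionProvider')
}

foreach ($s in $sections) {
    if (Test-SectionEncrypted $webConfig $s) {
        Write-Host "$s is already encrypted, skipping"
        continue
    }
    # -pef encrypts the named section of the Web.config in the given physical folder
    & $regiis -pef $s $siteDir
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis failed for $s (exit code $LASTEXITCODE)" }
    if (-not (Test-SectionEncrypted $webConfig $s)) { throw "$s still appears to be plain text" }
    Write-Host "$s encrypted"
}

# Stop and restart the service so it reads the updated Web.config
Restart-Service -DisplayName $service
```

The check after each call confirms the section was actually rewritten before the service is restarted, so a failed encryption is not mistaken for a protected file.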

Use 2FA with SSO for highly privileged Accounts

Most organizations choose to install the AD Integrated version of Passwordstate and enable Single Sign-On (SSO) access to their Password Lists (Password Vaults). 

SSO is great for providing seamless entry to Passwordstate once users have successfully authenticated against your Domain with their Active Directory credentials. However, for access to highly privileged and sensitive account credentials stored within Passwordstate, we recommend you introduce an additional level of authentication.

An easy way of doing this is by enforcing 2FA, with a Smartphone App like Google Authenticator, either for your Systems Administrators or for access to Password Lists containing the highly sensitive credentials. To do this you create a User Account Policy (UAP) that specifies that users must use Google Authenticator (the example below uses Manual AD and Google Authenticator) and apply this UAP to your target list of AD accounts.

The Systems Wide Settings for Authentication Options remain set as Passthrough AD Authentication.  Now anyone in your target list of users will be prompted for their Google Authenticator PIN as an additional level of authentication when browsing to your Passwordstate Website.

Full instructions for performing this can be found in our blog entry here.

Allow the use of Private Password Lists

Allowing the use of Private Password Lists for users within your organization is encouraged.  Organizations that adopt and promote the use of Private Password Lists for their employees typically build a healthier cybersecurity awareness in their workforce.  These employees more quickly embrace and adopt credential management practices, for both personal and business use within the organization.

You can automatically create Private Password Lists for all new user accounts as they are added to Passwordstate by enabling the option "When a new User Account is added to Passwordstate, automatically create a Private Password List for the user". You can also specify the name of the Private Password List using the variables FirstName and Surname and base the new Private Password Lists on an existing or newly created Password List Template.

Once you have chosen your template, you’ll need to enforce the creation of the Private Password Lists on that template by creating a User Account Policy and targeting All Users and Security Groups.

Now each new User will have their own Private Password List and be configured as the Administrator of that List. Again, full instructions for performing this can be found in our blog entry here.

We hope you find this preview of some of our Best Practices useful and don’t forget to provide any feedback via