Security Administrators Manual - Enterprise Password Management

Contents

1. [Screenshot: Password Generator Policy dialog, with tabs including generate passwords, alphanumerics & special characters and word phrases. Policy Name: Default Password Generator. Description: Default Password Generator with medium complexity of alphanumeric characters.] Alphanumerics & Special Characters: The Alphanumeric & Special Characters tab allows you to specify the desired length of the password you wish to generate, as well as settings for letters, numbers, special characters and various forms of brackets. (2015 Click Studios SA Pty Ltd, Passwordstate Security Administrators Manual) [Screenshot: Alphanumerics & Special Characters tab. Include Alphanumerics & Special Characters. Password Length: Min Length 5, Max Length 7. Alphanumerics: Lower case, Upper case, Numbers; Include higher ratio of alphanumerics vs special characters; Include ambiguous alphanumerics (I, o, 0 and 1); Exclude the following characters and numerics. Special Characters: Include the following special characters; Include the following brackets.] Generate Using a Pattern: Generate based on a pattern of upper and lowercase letters and numbers: l for lowercase, u for uppercase, n for numbers and s for special characters, i.e. ullllnnnnssss
2. Editing Email Template Content: By clicking on the Category hyperlink in the grid, you can edit the content of the email template, specifying your own words and formatting options. At the top right-hand side of the Editor you will notice the Variables tab ribbon bar. From this drop-down list you can insert the following variables into your email templates: ToFirstName (the First Name of the user who is receiving the email); ToUserID (the UserID of the user who is receiving the email); Site URL (the URL of your Passwordstate web site); PermissionType (the permission being applied to a Password List or Password record for the user); PasswordList (the name of the Password List); Password (the title of the Password record); Version (the Version number of your Passwordstate install); UserName (a combination of the Firstname and Username of the user); ExpiresAt (the date at which a user's permissions to a Password List or Password will be removed); AdditionalBodyText (reserved by Click Studios for various custom text messages); AuthenticationMethod (which Authentication method was used to authenticate to the Passwordstate web site or to a Password List). Note: In addition to the emails being sent to the relevant intended users, you can also send each email category to a different email address as well, as per the highlighted
3. [Screenshot: user preference settings. Expand bottom Horizontal Navigation Menu items by: Hovering over it / Clicking on it. On all Password List screens, sort the grid by the following column: Do not sort by default. On the Passwords Home and all Folder screens, sort the Search Results and Favorite Passwords grids by the following column: Do not sort by default. When creating new Shared Password Lists, base the settings on the following Template's settings: HR Template. When creating new Shared Password Lists, base the permissions on the following Template's permissions: Do not use template. Locale Date Format: Use System Wide Locale Setting.] Color Theme Tab: The Color Theme Tab allows you to customize the colors for Passwordstate. You can use the default colors as specified by your Passwordstate Security Administrator(s), or you can pick your own. Note: The Security Administrators of Passwordstate can use a feature called User Account Policies, which may override any settings you specify here. [Screenshot: Edit User Details for Mark Sandford (halox msand), with tabs account details, miscellaneous, color theme, authentication options and mobile access options. To modify the user's details, please make appropriate changes in each of the tabs below and click on the Save button. Use the System Wide color theme or choose a different one for the user: System Wide / Choose My Own. Base Color, Page B
4. [Screenshot: privileged account credentials dialog. Description: Discover Windows Hosts and Resources. UserName: halox msand. Active Directory Account: Yes / No. Password, Confirm Password, Link To Password.] Reporting: The Reporting feature allows you to run the following reports, which will be exported to csv files for further analysis if required. Audit Records General: exports a sorted list of all general audit records, not specific to Passwords or Password Lists. Please note this could be a large CSV file, so may take some time to generate. Audit Records Passwords: exports a sorted list of all audit records specific to Passwords and Password Lists. Please note this could be a large CSV file, so may take some time to generate. Password List Permissions: exports a sorted list of permissions for all Password Lists, and any permissions applied to individual passwords. Note: if the Title field is populated in this report, then it means the permissions have been applied to the individual password record. Password Last Updated Report: show the date of when the value of password fiel
5. Domain User rights and nothing else; Backup Share Folder are located on a Windows Server 2012 server, and the web server is running on a different server altogether; The Passwordstate Application Pool identity is running as NetworkService (also ensure there are modify NTFS permissions applied to the Passwordstate folder for this account); The Share permissions itself is set to full control for the testcopy account; The testcopy account has modify NTFS permissions to the backup folder; The testcopy account is set as local administrator on the web server, so it can stop/start the Passwordstate Windows Service; The testcopy account is used for the Log On As identity for the SQL Server service, needed for the SQL Backups (our Security Admin manual shows you how to configure this); Testing of permission worked when authenticated to Passwordstate with a domain account which only has Domain User rights on the domain. The following has also helped a few customers who had to assign additional rights on the web server for their equivalent of the testcopy account above (a group policy setting was restricting which domain accounts could use the following setting). The following was required: Open a command prompt as Admin; Type in secpol.msc /s; Select Local Policies in MSC snap in; Select User Rights Assignment; Right click
6. [Screenshot: Export All Passwords screen. Please Note: Due to the sensitive nature of exporting all the passwords, please consider the following. Export Options: Formatted CSV file with Unique Headings; KeePass Compatible CSV file. Please select one of the available export options on the left and click the Export button.] 15 Hosts & Password Resets: All of the features under the main Menu Hosts are permission based. If for whatever reason users aren't able to administer the settings and records under this menu because they don't have access, you can grant access via this page. Clicking on any one of the buttons you see in the screenshot below will give you full access to these menu items. From here you can change settings, delete records or apply new permissions for users or security groups. [Screenshot: Hosts and Password Resets screen. As it is possible permissions could be removed for all users to some of this data, you can click on one of the appropriate buttons below for full access: Discovery Jobs, Hosts, Password Reset Scripts, Pending Password Resets, Password Validation Scripts, Host Types & Operating Systems.] Host Types & Operating Systems: The Host Types &
7. [Screenshot: menu listing Privileged Account Credentials, Reporting, Security Groups, System Settings, User Accounts and User Account Policies.] 27 Security Groups: Security Groups allows you to manage either local security groups created within Passwordstate, or Active Directory security groups. These groups can then be used for applying permissions to Password Lists, or to give/deny access to various features. On the Security Groups screen you have the following features available. Add Local Security Group: Allows you to add a local security group to Passwordstate, to which you can then assign one or more user accounts. Note: Once you have added the local security group, you can assign user account membership by selecting the Manage Members menu item from the appropriate Actions menu. [Screenshot: Add New Local Security Group dialog. To add a new Local Security Group to Passwordstate, please fill in the details below. Note: Once the Security Group is created, you can then begin to assign members. Fields: Security Group Name, Description. Buttons: Save, Save & Add Another, Cancel.] Add Active Directory Security Group: To add an Active Directory Security Group, you simply need to search for the group you require, then click on the appropriate
8. business requirements. Resetting this accepted value means the user will be prompted again to read and accept the updated policy, assuming you have this option enabled on the System Settings, User Acceptance Policy Tab. In the User Accounts grid as well, you can see the date and time each of the users last accepted the User Acceptance Policy. 30 User Account Policies: User Account Policies allow you to manage a specific set of settings for a group of users at a time. The settings relate to various User Preferences, and how the Password Lists, Password Folders and Home Page screens appear to the user. An example of how User Account Policies can be used is to hide all graphs on all screens from the users. When a User Account Policy is applied to a user's account, the controls/settings on the screen will be disabled, informing the user a User Account Policy is in effect for their account. Adding a User Account Policy: When you add a User Account Policy, you can choose to set any number of the following settings. User Preferences: Mask Password Visibility on Add/View/Edit Pages; Auto Generate New Password When Adding a New Record; Enable Search Criteria Stickiness Across Password Screens; Show the Actions toolbar on the Passwords pages at the; Expand the bottom Navigation Menu items by; Locale Date Format; Specify which Authentication option will apply to the user's account. Password List Screen Option
9. [Screenshot: Edit User Details for Mark Sandford (halox msand), mobile access settings. Please select the user's options below for accessing Passwordstate via a mobile device. Set the Mobile default home page to: Password List Search / Password Search. When searching for Password Lists or Passwords, limit the number of records displayed to: 30 (as mobile devices typically operate on slower networks, limiting the number of records returned can help improve performance). Mobile Pin Number.] Clone User Permissions: It's possible to clone one user's permissions to another by using the Clone User Permissions feature. This feature is generally used in one of two ways: You've had a new employee start who has replaced another employee, and you wish to give them the same access; If you need to modify the UserID for a user, i.e. a Domain Migration, someone gets married, etc. Note 1: When cloning occurs, the Destination User's permissions are first removed, otherwise duplication would occur. Note 2: You need to decide if the Source user's Private Password Lists should be moved across to the Destination user. This should only ever be done if the Source and Destination user are the same actual person. The reason we provide the option to move a user's Personal Password Lists is because a user's Personal Password Lists are deleted if their account is removed from Passwordstate. Note 3: Ac
10. or similar to track page hits for your various web sites. This feature also provides a few options for where to insert the code on the page: either within the <head> tag, or just before the end of the <body> tag. User Acceptance Policy Tab: The User Acceptance Policy Tab allows you to specify a popup User Acceptance Policy (UAP) which users must read when they access the Passwordstate web site. A default body of text is provided, but it can be customized to suit your organization. There are also a couple of options for the UAP: No policy Required; Yes, Mandatory for each new session: every time your users initiate a new session when they visit the site, they will be presented with the UAP popup; Yes, Acceptance Required: Once the user has read and accepted the policy, they will not be prompted again. User Accounts: Prior to any of your users being able to access the Passwordstate web site, you must first register their accounts in the User Accounts screen. There are 4 different ways user accounts can be added to Passwordstate, and they are: Adding them manually by clicking on the Add button; Importing them from Active Directory by clicking on the Add from AD button; Importing them from a csv file by clicking on the Import button; Or when membership of an Active Directory Security Groups is synchronized, please see the Security Groups sc
11. [Screenshot: Actions menu items, including: Any Accepted UAPs For User; Set Expiry Date; Toggle Status (Enabled or Disabled); View Email Notifications.] Editing User Account Settings: By clicking on the UserID hyperlink in the grid, you will be directed to a screen where you can edit multiple properties for the user's account. Note 1: Any changes to a user's account will not be in effect until the user logs off, then back in to the Passwordstate web site. Note 2: The Miscellaneous, Email Notifications and Authentication Options tabs are almost identical to what the user sees when they view their own Preferences. Note 3: User Account Policies may override any number of settings for the user, in which case the relevant controls on each of the tabs will be disabled. Account Details Tab: The Account Details Tab has some basic information about the user's account which you can edit, but should rarely need to be touched. Note: At this stage it's not possible to rename a user's UserID value, due to the way this field is encrypted throughout a lot of the tables in the Passwordstate database. [Screenshot: Edit User Details for Mark Sandford (halox msand). To modify the user's details, please make appropriate changes in each of the tabs below and click on the Save button. Please specify appropriate accoun
12. Auth API Configuration [Screenshot: Duo Push Authentication dialog. Please enter your Domain Credentials and Duo Username below, and press the Send Push button to start the authentication process. Fields: Domain user name (halox msand), Duo Username (msand), Send to Device (leave blank for default device). Button: Send Push. Status: Awaiting Login.] Manual AD and SafeNet Authentication: Provides a dialog where you can enter both your Active Directory domain credentials and your SafeNet Username to log in using two-factor authentication. Users must have specified their SafeNet Username on the Preferences screen in order to authenticate. [Screenshot: SafeNet Two Factor Authentication dialog. Please enter your domain credentials and SafeNet Username and Passcode below. Fields: Domain user name (halox jwilkons), Password, Username, Passcode. Status: Awaiting Login.] Google Authenticator: Provides a dialog for users to manually specify their Google Verification Code; this works in conjunction with Passthrough AD Authentication. To use this authentication method, the user must create a Google Authenticator Secret Key on the Preferences screen, or Security Administrators can do it for them on the User Accounts screen. [Screenshot: Passwordstate Goog
13. [Screenshot: Allowed IP Ranges settings, with a drop-down list of options: Deny Access Altogether; Manual AD Authentication; Manual AD and Google Authenticator; Manual AD and RSA SecurID Authentication; Manual AD and ScramblePad Authentication; Manual AD and Email Temporary Pin Code; Manual AD and AuthAnvil Authentication; Manual AD and Duo Push Authentication; Google Authenticator; RSA SecurID Authentication; ScramblePad Authentication; Email Temporary Pin Code; AuthAnvil Authentication; Duo Push Authentication; Separate Password. API Allowed IP Ranges: status Code 403 Forbidden will be returned if outside of these IP Range(s). Specify the Allowed Inactivity Time Out for sessions outside the Allowed IP Ranges above (mins).] The default Inactivity Timeout setting can be found on the Miscellaneous Tab. If you have restricted access to Passwordstate to specific IP Subnets/Addresses, it's also possible to specify an alternate timeout value when users are out of the office/allowed IP ranges. 28 3 API Keys Tab: The API Keys Tab allows you to create three different types of API Keys, to be used for different method calls to the API: general calls for query/updating/adding/deleting Passwords; querying/adding/deleting Hosts; and for generating random passwords. Please refer to the API Documentation for further details. If you don't want certain users to be able to create API Keys for Password Lists, you can specify which ones are allowed to by clicking on the Set Permissions button and fo
14. Error Console: Any errors experienced within Passwordstate will be logged on this screen, which can be reported to Click Studios for troubleshooting purposes. [Screenshot: Error Console. Below is any error debugging information which you can export and provide to Click Studios to help troubleshoot any technical issues you may be having. Grid columns: Date, Error Information, Event Type (no records to display). Controls: Export, Purge Error Data, Grid Layout Actions.] 14 Export All Passwords: The Export All Passwords screen allows you to export all Password records from the system to a CSV file. There are two types of exports available: (1) a CSV file with heading information per Password List, and (2) a CSV file which is formatted for importing into KeePass. Please refer to the KB Article in the User Manual titled "Export All Passwords and Import into KeePass" for how to import into KeePass. Note: If you choose to export all passwords to a csv file, they must be stored away somewhere securely, as the passwords appear as plain text in the csv file. [Screenshot: Export All Passwords. To export all passwords from Passwordstate into a CSV file, please choose one of the options below, then click on the Export button.]
15. Group and include the relevant user account. 7 Bad Passwords: The Bad Passwords screen allows you to maintain a list of passwords which are deemed to be bad, i.e. common passwords, easy to guess, etc. The intention is to educate your users to ensure they do not use Bad passwords. On this screen you can add or delete bad password records, and once you have a list you are happy with, there are options on the screen Administration -> System Settings -> Miscellaneous Tab and Password Options Tab for notifying your users when bad passwords are detected. 8 Browser Extension Settings: The Browser Extension Settings area allows you to specify various settings for all users for how the Browser Extension feature is used. In particular: Extension Logout Settings: you can specify if you want the Extension to automatically log out of itself when the browser is closed, or if the browser has been idle for a set number of minutes; Ignored URLs: if you don't want users to save login credentials for certain web sites, you can add them as Ignored URLs; Allowed to Use the Extension: if you don't want to allow certain users or members of a security group to use the Browser Extension feature, then you can specify them on this tab; Prevent Users From Saving Logins: if you only want certain users to use the Browser Extension to form-fill web site logins, and not allow them to save
16. Operating Systems screen allows you to add additional Host Type and Operating System records, which can be associated with Host records in Passwordstate. Simply add or delete Host Types and Operating System types as appropriate. [Screenshot: Host Types grid, listing the Host Types which can be used when adding or importing Hosts: Appliance, Linux, Out Of Band Management, Router, Switch, Unix, Windows. Controls: Add Host Type, View Operating Systems, Grid Layout Actions.] [Screenshot: Operating Systems grid, listing the Operating Systems which can be used when adding or importing Hosts on the screen Passwords -> Hosts and Resources. Columns: Operating System / Host Type / AD Attribute / Heartbeat Start Hour / Heartbeat End Hour. Rows: CentOS / Linux / Centos / 0 / 0; Cisco ASA / Appliance / Cisco ASA / 0 / 0; Cisco CatOS / Switch / Cisco CatOS / 0 / 0; Cisco IOS / Router / Cisco IOS / 0 / 0; Cisco IOS / Switch / Cisco IOS / 0 / 0; Cisco PIX / Appliance / Cisco PIX / 0 / 0; Debian / Linux / Debian / 0 / 0; Dell iDRAC / Out Of Band Management / Dell iDRAC / 0 / 0; Fedora / Linux / Fedora / 0 / 0; HP iLO / Out Of Band Management / HP iLO / 0 / 0. Page 1 of 5, items 1 to 10 of 46.]
17. [Screenshot: Edit Password Strength Policy, with tabs test password strength, policy settings and calculation weighting. Please specify your password strength policy settings in each of the appropriate tabs below and click on the Save button. Note: the policy is not enforced when entering a password; instead it's used as a visual representation of password strength. Calculation Weighting allows you to determine the weighting of a strength characteristic of a password for length, numeric, case and symbols. The 4 values specified must total 100. Fields: Length Weighting, Numeric Weighting, Casing Weighting, Symbol Weighting.] Test Password Strength Tab: The Test Password Strength Tab allows you to test the policy settings you've specified on the other two tabs, and shows you a graphical representation of the strength of the password you type, based on the policy settings you've specified. [Screenshot: Edit Password Strength Policy, test password strength tab. To test this Password Strength Policy simply being
18. Save button. Note 1: The Active Directory Managed Service Account which you specify on the screen System Settings -> Active Directory Options Tab is what's used to query Active Directory, so this account will need read access at a minimum. Note 2: When you add a security group, if the user account does not already exist in Passwordstate on the User Accounts screen, there is an option on the screen Administration -> System Settings -> Active Directory Options Tab which allows you to also automatically add the user account. Note 3: If you have issues querying Active Directory, please see the section Active Directory Lookup Permissions below. [Screenshot: Add Active Directory Security Group dialog. To add a new Active Directory Security Group to Passwordstate, please use the search feature below. Fields: Security Group Name, AD Domain, LDAP Filter, Description. You can query a specific OU by modifying the LDAP QueryString above if needed. Security Groups Search Results: CoreAdmins. Buttons: Save, Save & Add Another, Cancel.] Debug Security Group Membership: In the event you are having some issue synchronizing the membership of an Active Directory Security Group, the Debug Secu
19. [Screenshot: Email Temporary Pin Code login dialog. Please check your registered email address and enter the Pin Code below. Fields: Domain user name (halox msand), Password, Pin Code. You have 3 minutes before the temporary Pin Code expires, at which time you will be logged out.] Manual AD and AuthAnvil Authentication: Provides a dialog where you can enter both your Active Directory domain credentials and your AuthAnvil Username and Passcode to log in using two-factor authentication. Users must have specified their AuthAnvil Username on the Preferences screen in order to authenticate. [Screenshot: AuthAnvil Two Factor Authentication dialog. Please enter your domain credentials and AuthAnvil Username and Passcode below (Passcode: PIN + One Time Password). Fields: Domain user name (halox msand), Password, Username, Passcode. Status: Awaiting Login.] Manual AD and Duo Push Authentication: Provides a dialog where you can enter both your Active Directory domain credentials and your Duo Push Username to log in using two-factor authentication. Users must have specified their Duo Push Username on the Preferences screen in order to authenticate. You can also choose which device to send the Push Notification to. Please refer to the following document as to how to configure Duo Push Authentication in the Duo Portal and Passwordstate: Duo
20. any new records, you can do so on this tab. [Screenshot: Browser Extension Settings, with tabs extension logout settings, ignored urls, allowed to use the extension, and prevent users from saving logins. Please specify the settings below for automatically logging users out of their Browser Extension. Automatically log the user out of their Browser Extension when they close the browser: Yes. Automatically log the user out of their Browser Extension when the browser has been idle for x minutes: 0 (setting to 0 disables this feature).] 9 10 Custom Images: The Custom Images screen allows you to upload images which can be used as icons for the Password Lists themselves, and also for the Account Type field for Password records. Note 1: All images exist on the web server file system in the path <Passwordstate Folder>\images\LookupImages, and are also stored within the Passwordstate database as well. Deleting them from the file system will cause them to be recreated once the Passwordstate Windows Service is next restarted. Note 2: It is recommended you keep these images relatively small, in line with the size of the supplied images, otherwise it can distort the view of Password Lists in the Navigation Tree, and anywhere Account Type images are displayed. Note 3: If using the Passwordstate API, you may need to know the AccountTypeID for so
21. as it is an irreversible process: once complete, you will need to restore a copy of your database if you wish to undo any changes with this feature. In order to use this feature, you must first apply permissions to only the intended recipient of the Private Password List, meaning you must remove all Security Group permissions, and any other user account based permissions which are not appropriate for a Private Password List. Once you have done this and select this feature, the following processes will occur: Delete any permission records applied at the individual password record level; Delete any Favorite password records for the list; Delete any linkages to Password List Templates; If any users have the Password List set as their Default Home Page, then it will be changed to the Passwords Home node in the Navigation Tree; And finally, it will mark the Password List as private. Actions Menu, Delete Password List: By selecting the Delete Password List menu option in the Actions drop-down menu, you will be given the opportunity to delete the selected Password List. Warning: You are prompted twice to delete a Password List, as there is no Recycle Bin in the event you do delete one, so be sure you no longer require the passwords in this List. If you accidentally delete a Password List and still require it, you will need t
22. [Screenshot: Email Notifications for the Notification Group "No Access Requests". Please select which Email Notifications you would like set for the notification group by selecting the appropriate option from the Actions drop-down menus below. Grid columns: Actions, Category, Description, Enabled. Rows: Access Request [...]: Notifies the user if their request to access a Password or Password List has been [...]; Access Request Denied: Notifies the user if their request to access a Password or Password List has been denied; Access to Password Changed: Notifies user if their access level to an individual Password record has changed; Access to Password Granted: Notifies user if they have been granted access to an individual Password record; Access to Password List Changed: Notifies user if their access level to a Password List has changed; Access to Password List Granted: Notifies user if they have been granted access to a Password List; Access to Password List Removed: Notifies user if their access to a Password List has been removed; Access to Password List Template Changed: Notifies user if their access level to a Password List Template has changed; Access to Password List Template Granted: Notifies user if
23. collapse process, so your users are aware something is in progress. This generally isn't required, but may be desirable if you have 500 Password Lists/Folders. When generating a password based on a Password Generator Policy, perform the following number of retries to ensure the password meets the strength of the selected Password Strength Policy: When using the Password Generator feature to generate new passwords for a Password List, the Password Generator tries to create a password which matches the Password Strength Compliance level set for the Password List. Depending on the settings for the selected Password Generator Policy, it's possible the generating of passwords may get itself in an endless loop trying to match the Password Strength Compliance level, so this setting tells the generator when to give up trying and simply use the last generated password. Limit the size of scheduled HTML email reports to: All the available reports on the Reports screen can be sent as either csv attachments or embedded HTML within the email. If your users choose embedded HTML, large reports can cause performance issues when trying to open and read the email. This option allows you to specify the maximum size of the report. If the maximum size is reached, the user is informed of this within the email, and they are recommended to change the report to a csv attachment. Use regular expressio
24. edit an existing Password List's settings. You can link Password Lists to a Template, and then manage all settings from the Template. When you do this, the majority of options for the Password List will be disabled when you choose to Edit Password List Details. You can also apply permissions to a Template, and these permissions can be used for: allowing other users to see the Templates via the Password List Templates menu option; allowing other users to also modify the settings for the Template via the Password List Templates menu option; applying permissions to a Password List as needed (once off) when you add a new Password List or edit an existing Password List's settings. Note: Permissions on a Template are not used when linking Password Lists to a Template; this can only be done when adding a new Password List or editing the settings for an existing one. [Screenshot: Password List Templates screen, a grid of all the Password List Templates stored within Passwordstate]
25. [Screenshot: sample generated passwords, each shown with its phonetic spelling, with Save and Cancel buttons] Once a Password Generator Policy has been created, it can be assigned to a Password List or Password List Template by editing the appropriate settings, as per this screenshot below. When your users now click on the S icon, the random password generated will be based on the selected Password Generator Policy. [Screenshot: Edit Password List dialog with the tabs password list details, customize fields, guide and api key]
26. [Screenshot: email notification categories grid] Testing and Troubleshooting Emails being Sent. When editing a Password List template there is a button called Test Email. This button will test sending the email template to your own email account. This testing is different, however, to how emails are normally sent from Passwordstate: normally, records are added to the database and the Passwordstate Windows Service checks and sends emails every minute. This Test Email button sends directly from the web site, and does not use the Passwordstate Windows Service. If emails are queuing up and not being sent as expected, the following suggestions may help to troubleshoot why: 1. Check you have correctly specified your email server's settings on the screen Administration > System Settings > Email Alerts & Options Tab. 2. Ensure the Passwordstate Windows Service is started. 3. Check the event log on your web server to see if any errors are being reported as to why emails aren't being sent (look for the Source of Passwordstate Service). 4. Check there aren't any Email Templates disabled, either on the screen Email Templates or Email Notification Groups, or possibly the user has disabled an email notification in their Preferences area. 12 Emergency Access. The Emergency Access screen allows you to specify a password for a separate Security Administrator role login, which can be used in the ev
27. just the ones they have access to: When your users copy/move/link passwords between different Password Lists, by default they will only be able to see the destination Password Lists on the screen which they have been given access to. It's possible you may have a requirement to allow them to copy/move/link into Password Lists they don't have access to, and by selecting this option they will be allowed to do this. When searching for users in order to grant them access to Password Lists, only show users who are in the same Security Groups as the person granting the access: In the main user screens of Passwordstate (i.e. not the Administration area) there are various screens where you can apply permissions for user accounts. By selecting this option, they will only be able to see/search for users who are in the same Local or Active Directory Security Groups as themselves, as they are recorded in Passwordstate. When creating new Shared Password Lists, if there is a User Account Policy or a User Preference setting which copies settings/permissions from a Template, allow the user to override these settings: It's possible for users (via their Preferences screen) or Security Administrators (via a User Account Policy) to specify which template settings are to be used as a basis for newly created Shared Password Lists. If one of these settings is in place for the user, this option allows them to
28. [Screenshot: backup settings form with the fields Backup UserName (in the format of domain\username), Backup Password, Enabled Scheduled Backup, Backups To Keep, Backup Start Time, Backup Every, Backup Path (a network location is given in the format of \\servername\sharename), Exclude Backup of Database (you would generally only exclude database backups if you have an established backup process) and In Place Upgrade Backups (perform backup prior to any In Place Upgrades), with Test Permissions, Save and Cancel buttons] Backup Permissions. To allow backups to work through the Passwordstate web interface, you will need to specify an account (domain or Windows account) which has the following permissions: permissions to write to the Backup path you've specified; permissions to stop and start the Passwordstate Windows Service on the web server; permissions to write to the Passwordstate folder on your web server. In addition to this, you must configure the SQL Server service to use a domain or Windows account which has permissions to also write to the Backup Path. To do this, you need to open the SQL Server Configuration Manager utility on your database server, click on SQL Server Ser
29. of the password they're creating does not meet the Password Strength Compliance setting above. [Screenshot: Edit Password Strength Policy dialog, with the tabs test password strength, policy settings and calculation weighting. The dialog reads: Please specify your password strength policy settings in each of the appropriate tabs below and click on the Save button. Note: the policy is not enforced when entering a password; instead it's used as a visual representation of password strength. Policy settings fields: Policy Name (Default Policy), Policy Description (Default policy if no specific policy is set for a Password List), Minimum LowerCase Characters, Minimum UpperCase Characters, Minimum Numeric Characters, Minimum Symbol Characters, Preferred Password Length, Requires Upper And Lower Case, Password Strength Compliance (Strong), Compliance is Mandatory.] Calculated Weighting Tab. The Calculated Weighting Tab allows you to specify the weighting of a strength characteristic of a password for length, numeric, case and symbols. The higher the weighting, the more important the category is deemed to be. Note: The 4 values specified must total 100.
30. the Step 3 tab allows you to either test the import process or perform the actual import. It is recommended you test the import process first, and any errors will be reported back to you, including the line number in the csv file, so you're able to correct the data. [Screenshot: Bulk Password Import dialog with the tabs step 1 generate csv template, step 2 populate template with data and step 3 import data. The step 3 tab reads: Now you are ready to import your newly populated csv template. To do so, please select your CSV file by clicking the Select button, then click on the Import Passwords button. Please Note: It is advised you click on the Test Import button first to ensure there are no issues with importing the data.] Mobile Access Bulk Permissions. If you need to make many changes to Mobile Access Permissions at once, you can use the Mobile Access Bulk Permissions feature. This feature allows you to query all the permissions applied to one or more Password Lists, select the appropriate permissions (Guest, View, Modify or Admin), and then either enable or disable access for Mobile Clients.
31. [...] the following Template's settings: [...] automatically specify all the settings based on one of the Templates you select here. When creating new Shared Password Lists base the permissions on the following Template's permissions: When creating new Password Lists, you can choose to automatically base all the permissions on one of the Templates you select here. Locale Date Format: Allows you to specify a date format for any date fields; you may need a different format based on your region, compared to what Passwordstate is currently set to use system wide. [Screenshot: Edit User Details dialog, miscellaneous tab, with the options: Password Visibility on Add/Edit Pages (Visible or Mask); Auto Generate New Password When Adding a New Record (Yes or No); Enable Search Criteria Stickiness Across Password Screens (Yes or No); Show the Actions toolbar on the Passwords pages at the (Bottom, Top, or Bottom & Top); Use the following type of Navigation Menu system (Use System Wide Menu System, Vertical Menu System, Horizontal Menu System)]
32. to configure Duo Push Authentication in the Duo Portal and Passwordstate Duo Auth API Configuration. [Screenshot: Duo Push Authentication dialog with Duo Username and Send to Device fields (leave blank for default device) and a Send Push button] SafeNet Authentication. Provides a dialog where you can enter your SafeNet Username to log in using two factor authentication. Users must have specified their SafeNet Username on the Preferences screen in order to authenticate. [Screenshot: SafeNet Two Factor Authentication dialog with Username and Passcode fields] Separate Password. Provides a dialog for users to specify a separate authentication password; this works in conjunction with Passthrough AD Authentication. To use this authentication method, the user must specify their separate password on the Preferences screen, or Security Administrators can create a random password for them on the User Accounts screen. [Screenshot: Separate Password Authentication dialog with User ID and Password fields]
33. [Screenshot: Privileged Account Credentials grid listing each credential's description and username, with Add and Grid Layout Actions controls and an Actions menu open showing View Permissions and Delete] Edit Privileged Account Details. Please update details as appropriate below for the Privileged Account Details. Note: If no permissions are applied to this account, then it cannot be used for any Password Reset Scripts
34. type the backslash twice, i.e. domain\\userid. [Screenshot: Auditing screen with the filters Platform, Instance, Max Records, Password List, Activity Type, Begin Date and End Date, and a Search button] 4 Auditing Graphs. The Auditing Graphs screen is simply a graphical representation of the auditing data, with similar filtering options. Instead of filtering between dates, you just select a specified period, i.e. 1 year, 2 years etc. [Screenshot: Auditing Graphs screen with the filters Platform, Audit Activity and Duration, and a chart of Audit Events (All Activities) by month from Nov 2013 to Oct 2014] 5 Authorized Web Servers. The Authorized Web Servers screen is where you can specify the host names of the web servers which are authorized to host the Passwordstate web site. The intention of this feature is to prevent the theft of a copy of the database and hosting it and the web site i
35. use when Importing or Exporting data: When importing or exporting data, you can specify the default Code Page which will be used for character encoding. A Code Page consists of a table of values that describes the character set for a particular language. By default, all Password Lists will use the Code Page you specify here, but can be changed to use a different Code Page by editing the Password List's settings. Modify permissions for Password Lists can: When a user is given Modify permissions to a Password List, the default options allow the user to add new passwords, and edit or delete existing passwords. You can modify this default behavior by unchecking one or more options here. When users create a Password List and copy permissions from another Password List or Template, also add permissions for the user creating the Password List: When creating new Shared Password Lists, if permissions are being copied from another Password List or Template, this option allows you to also add permissions for the user who is creating the Password List, so instead of just cloning permissions, you can clone plus add the creator's account as well. When administering Password List permissions from within the Administration area, prevent Security Administrators from granting themselves permissions to passwords, either via their own account or security groups which they are a member of: If you wish to prevent Security Administrators with the Passwo
36. [Screenshot: Password List Templates grid with the Actions menu open: View Permissions, Linked Password Lists, Delete Template] Linked Password Lists. When you link one or more Password Lists to a Template, the majority of settings for the linked Password Lists are then managed via the Template, with the exception of the details on the API Key Tab. Linking Password Lists to a Template is a very simple process: move the Password List you want to link into the Linked Password List(s) text box and click on the Save button. Caution: When linking Password Lists to a Template for the first time, if the Password List has some Generic Fields specified which are different to any Generic Fields specified for the Template, these fields will have their data cleared (blanked) in the database when you click on the Save button. This is because the different Generic Field Field Types need to have their data treated differently. There are multiple warning messages within Passwordstate as well for this, so please be aware.
37. Firefox or Chrome, a button will appear at the top right-hand side of the screen allowing you to clear the clipboard if required. When Password masking is displayed on the grid views, show a fixed character length of: It's possible to use Fixed Length Password Masking in Passwordstate as an added security measure. By using this feature, the masked passwords shown on screen will all be of the same length, regardless of how many characters the Password field consists of. Automatically hide visible passwords based on the following conditions (in seconds): By clicking on any masked password in the grid view, or the icon on any of the add/edit/view password screens, the password will be revealed to you. There are 3 different options for how quickly you wish the password to be masked again, and they are: Set Time (one set time period for all passwords, regardless of their length and complexity); Password Complexity (here you can specify 5 different time intervals, each for the different Password Strength ratings); Password Length (here you can specify up to three different time periods based on the length of the password fields, i.e. if the password field is 20 characters in length, you probably would need it to be displayed longer on the screen compared to a record which is only 5 characters long). Password Reset Options. Passwordstate can perform Password Reset for Active Directory accounts as well
38. Notification Group created for a user, any disabled email categories will override any enabled ones; be careful applying duplicates for a user. Email Notification Groups. Email Notification Groups can be used to enable or disable real time email notifications for multiple users at once. Note 1: Any system wide Email Templates which are disabled will cause any settings here to be ignored. Note 2: If a user has specified their own Email Notification Settings as part of their Preferences, any permissions you apply here for the user will override their personal settings. Note 3: If you have more than one Notification Group created for a user, any disabled email categories will override any enabled ones; be careful applying duplicates for a user. [Screenshot: Notification Group grid listing the group No Access Requests, with Add and Grid Layout Actions controls] Once you have created a Notification Group, you can then assign permissions for who is affected by the settings, and which emails are either enabled or disabled. You do this by clicking on the appropriate menu item in the Actions drop-down menu. [Screenshot: Email Notification Groups screen with the Actions menu open]
39. Passwordstate Security Administrators Manual. 2015 Click Studios SA Pty Ltd. Table of Contents: Foreword; Part I Introduction; Part II Active Directory Domains; Part III Auditing; Part IV Auditing Graphs; Part V Authorized Web Servers; Part VI Backups and Upgrades; Part VII Bad Passwords; Part VIII Browser Extension Settings; Part IX Custom Images; Part X Email Notification Groups; Part XI Email Templates; Part XII Emergency Access; Part XIII Error Console; Part XIV Export All Passwords; Part XV Hosts & Password Resets; Part XVI Host Types & Operating Systems; Part XVII License Information; Part XVIII Menu Access; Part XIX Password Folders; Part XX Password Generator Policies; Part XXI Password Lists; Part XXII Password List Templates; Part XXIII Password Strength Policies; Part XXIV Privileged Account Credentials; Part XXV Reporting; Part XXVI Security Administrators; Part XXVII Security Groups; Part XXVIII System Settings: 1 Active Directory Options Tab, 2 Allowed IP Ranges Tab, 3 API Keys Tab, 4 Authenticati
40. S Application Pools, Scheduled Tasks etc, after an AD account has been reset you may want to pause for a specific amount of time before executing any associated Password Reset Tasks for the account. This would generally be used to allow your Domain Controllers to replicate changes for the account before password resetting of any Windows Services etc were to happen. Enable Password Reset Option Permissions. Each Shared Password List or Template can be configured to allow Password Resets with other systems. You may not want all users to be able to configure these settings, so by clicking on the Set Permissions button you can specify what User Accounts or Security Groups are allowed to enable this option. 28 15 Proxy & Syslog Servers Tab. The Proxy & Syslog Servers Tab allows you to specify proxy server details to allow querying the Click Studios web site for new builds of Passwordstate, or Syslog server details to send all auditing data to. Proxy Server Details. To check for new builds of Passwordstate, you may need to specify your internal proxy server details, and possibly an account which can authenticate with your proxy server if required. Note 1: If the account stored for this setting is also stored in a Password List which is enabled for synchronizing of passwords into Active Directory or local Windows Servers, then this password below will also be updated when a synchronization occurs. Note 2: If you are concerned about
41. Word Phrases. The Word Phrases tab allows you to insert a random word at the beginning of the password, somewhere in the middle, or at the end. You can specify how many words to create, what length, and what form of separation you would like between the word and the rest of the random password: either dashes, spaces or nothing. Passwordstate has 10,000 different words it can choose from, all of different lengths. [Screenshot: word phrases tab with the settings Include Word Phrases; Quantity & Length (Number of Words, Maximum Word Length); Positioning (Prefix Words to, Append Words to, or Insert Randomly into Alphanumerics & Special Characters); Separation (Separate Words with Dashes, Separate Words with Spaces, No Separation)] Generate Passwords. The Generate Passwords tab allows you to test the settings you have specified on the other tabs, and also generate any number of random passwords based on your settings. Clicking on the Generate button just gives you the random passwords. [Screenshot: generate passwords tab]
42. [Screenshot: Password List Templates grid controls: Add New Template, Toggle ID Column Visibility, Grid Layout Actions] Adding and Editing Templates. Adding or editing templates in the Administration area is identical to the normal Password List Templates screens which standard user accounts have access to. For information on each of the settings which can be applied to a Template, please refer to the Passwordstate User Manual for creating Password Lists. Caution: When editing a Template's settings when it is linked to other Password Lists, if you change any of the Field Types for any Generic Fields, these fields will have their data cleared (blanked) in the database when you click on the Save button. This is because the different Generic Field Field Types need to have their data treated differently. There are multiple warning messages within Passwordstate as well for this, so please be aware. Password List Template Actions. From the Actions drop-down menu you have various features available: View Permissions applied to the Template (this also allows you to add/update/delete permissions as required); you can Link Password Lists to the Template; you can delete the template. Note: If you delete a Template which is linked to one or more Password Lists, these Password Lists will be set to use the Template's settings as they were prior to you deleting the Template. You can then go ahead and modify the settings of the Password Lists as required
43. [Screenshot: color theme tab with Base Color and Page Background Color palettes; the dialog notes that it is recommended you use white or light background colors for better readability] Authentication Options Tab. The Authentication Options Tab allows you to: specify which Authentication Option should be used for the user's account (details and screenshots for each of the different authentication options can be found on the screen System Settings > Authentication Options Tab); specify SecurID and AuthAnvil account details; create/clear/email the user their ScramblePad Pin number; create/clear/email the user their Google Authenticator Secret Key. [Screenshot: Edit User Details dialog, authentication options tab] Please select the preferred Authentication Option for the user for accessing the Passwordstate web site. Please Note: You only need to specify the relevant authentication settings below if one of the available Authentication options has been applied to the user's account or if they hav
44. as for many other account types. The Password Reset Options tab allows you to specify various settings when updating passwords in Active Directory, and specify who is allowed to enable the Password Reset option on Password Lists. Active Directory Accounts. When a password is configured as an Active Directory account and you wish to perform password resets for these accounts in AD, there are a couple of options you can apply here: to validate that the password stored in Passwordstate matches what's stored in AD before a password reset is to occur (this can act as a security measure to prevent users of Passwordstate making changes to AD accounts if they don't know what the password currently is, i.e. it prevents them from adding a record with any password value and then performing a reset after that); and to enable the Password List setting of Show Active Directory Actions for Passwords which are enabled for Reset. If this option is enabled, then it can be selected as part of the settings for a Password List. When selected, it will provide a new Tab on the Edit Password screen which allows you to do the following to the account in Active Directory: unlock the account if locked; set the option User must change password at next logon; disable the account; enable the account. Miscellaneous Settings. As Active Directory Accounts can be used as Identities for Windows Services II
45. asswordstate web site. Active Directory Options Tab. The Active Directory Options tab allows you to specify an account to interact with Active Directory, and various options for User Accounts & Security Groups. Passwordstate AD User Account and Security Group Membership Options. The Passwordstate User Account and Security Group Membership Options settings allow you to specify various options for synchronizing User Account enabled/disabled status and security group memberships within Passwordstate. If a User Account is found within a Security Group which hasn't already been added to Passwordstate, would you like to automatically add the User Account: When the Passwordstate Windows Service synchronizes the membership of any Security Groups you've added on the Security Groups screen, it's possible there will be user accounts in the Active Directory security group which have not yet been added to the User Accounts screen. If this is the case, you can use this option to automatically add the accounts to Passwordstate, or simply ignore the account. Note: If you reach the maximum number of Client Access Licenses as recorded on the License Information screen, the user accounts will not be added to Passwordstate. Synchronize the enabled/disabled status of Active Directory user accounts with the user accounts in Passwordstate: Using this option, if the enabled/disabled status of a us
46. au for the domain clickstudios.com.au. [Screenshot: Active Directory Domains grid listing domains and their default privileged accounts, with Add and Grid Layout Actions controls] 3 Auditing. The Auditing screen allows you to report/filter on all auditing data within Passwordstate. Filtering can be done by: Platform (events generated through the web site, the Mobile Client, the API, Windows Service or Browser Extension); Password List (filter on events specific to a selected Password List); Activity Type (not all audit events relate to passwords, i.e. there are audit events for sending emails, failed authentication attempts etc; to see a complete list of Activity Types, ensure the Password List drop-down list has All Password Lists selected); Beginning and end date (by default, date filtering is not enabled). In addition to reporting on auditing data on the screen, you can export the data for further analysis to a CSV file if required. Note 1: You can disable the feature allowing purging of auditing data on the screen System Settings > Miscellaneous Tab. Note 2: The Telerik Grid and Filter controls here prevent filtering while using special characters, for security reasons. If you're wanting to filter using a backslash here, simply
47. ch as c:\backups; Username and Password required for the backup (below in this document is an explanation of the permissions required); whether you want to enable a regular set-and-forget schedule for the backups to occur. You can also exclude the database from automatic backups as well, and this is useful if you use a third party tool to perform SQL Backups which prevents you from executing standard backups. And finally, what time you would like the scheduled backups to begin, and how often you want a backup to occur. [Screenshot: Backup and Upgrade Settings dialog, backup settings tab, with instructions on the permissions the backup account must have and the Backups and In Place Upgrades Account fields]
48. credentials. [Screenshot: Active Directory Authentication login dialog.] Manual AD and Google Authenticator: Provides a dialog for users to manually specify their AD domain credentials and a Google Verification Code. To use this authentication method, the user must create a Google Authenticator Secret Key on the Preferences screen, or Security Administrators can do it for them on the User Accounts screen. [Screenshot: Google Authenticator login dialog.] Manual AD and RSA SecurID Authentication: Provides a dialog for users to manually specify their AD domain credentials and a SecurID Passcode. To use this authentication method, the user must have a valid SecurID account and token. [Screenshot: SecurID Authentication login dialog.]
49. dd Operating System. When using the Account Heartbeat validation feature for Password records, you may only want the Heartbeat poll to occur during certain times for different Operating Systems. By editing each of the Operating System records, you can change this poll time, e.g. you only want to validate local administrator accounts for Windows 7 workstations during business hours. [Screenshot: Edit Operating System dialog with Host Type, Operating System, AD Attribute and Heartbeat Hours fields. The AD Attribute field is used when Discovering Hosts within your AD environment. Heartbeat checks the Host is online between the hours selected.] 18 License Information. The License Information screen simply allows you to update your license registration keys for Passwordstate. Note 1: When you purchase your renewal for Annual Support Upgrades, it's important you update your Annual Support registration key on this screen, otherwise you will be prevented from upgrading to new builds of Passwordstate. Note 2: If you need to purchase additional Client Access Licenses, you can click on the 'Buy More Licenses' button and it will provide you with some instructions. Licenses Information To updat
50. ds were last updated. • Password Reuse Report: exports a list of records where the same password has been used more than once. • Aged Password Report: exports a list of each individual password record, showing the last time any activity occurred for each record (excludes Private Password Lists). • Enumerated Password Permissions: exports a sorted list of permissions for every individual password recorded in Passwordstate, excluding Private Password Lists. It will show permissions based on users, and will enumerate any Security Groups into User Account details. • Password Strength Compliance Report: exports a sorted list of all Password Lists, the strength of each password, and whether or not the Password Strength is compliant. • Security Administrators: exports a list of all Security Administrators in Passwordstate, what their roles are, and if access is provided via their User Account or Security Group. • Security Group Membership: exports a sorted list of Security Groups within Passwordstate, and their User Accounts membership. • User Accounts: exports a sorted list of User Accounts within Passwordstate. Note 1: No password values are exported in any of the reports on this screen. Note 2: Any one of these Reports can also be sent to you on the schedule you specify via the Reports > Scheduled Reports menu. Reporting: view details of a report, select it from the l
51. e Tracking Tab; 17 User Acceptance Policy Tab; Part XXIX User Accounts; Part XXX User Account Policies. 1 Introduction. Welcome to the Passwordstate Security Administrators Manual. This manual will provide instructions for Security Administrators of Passwordstate to configure user accounts, system wide settings, and various other features for managing the environment. The following table describes each of the different sections available within the Administration area of Passwordstate (Active Directory Domains, Auditing, Auditing Graphs, Authorized Web Servers, Backups and Upgrades, Bad Passwords, Browser Extension Settings, Custom Images, Email Notification Groups, Email Templates, Emergency Access, Error Console): • Active Directory Domains: Specify which Active Directory Domains can be queried from within Passwordstate, either for User Accounts or Security Groups. • Auditing: Provides the ability to query all auditing data within the system, with multiple filtering options, and the ability to export data as well if required. • Auditing Graphs: Simply a graphical representation of all the auditing data, with similar filtering features. • Authorized Web Servers: Authorized Web Servers is used to specify
52. e details for one of the License Types below, please click on the appropriate License Type link. Please Note: You can increase the number of Client Access Licenses anytime by simply purchasing more li [Screenshot: license grid with License Type, Registration Name, License Count and Expires columns, listing Client Access Licenses, Annual Support and High Availability.] Menu Access. The Menu Access screen allows you to specify which users or security groups are allowed to access the various main navigational menus in Passwordstate. By clicking on the appropriate 'Set Permissions' button, you can allow all users to have access, or just the ones you specify. You can choose to either Disable the menu for users who do not have access, or hide it from them completely. [Screenshot: Menu Access screen listing the Passwords Menu items (Add Folder, Add Private Password List, Add Shared Password List, Administer Bulk Permissions, Expiring Passwords Calendar, Password List Templates, Request Access to Password Lists, Request Access to Passwords, Toggle All Password Lists Visibility) and the Tools Menu.]
53. e permissions. [Screenshot: Clone Permissions dialog with Source Users and Destination Users lists of sample user accounts, the text fragment "ny Personal Password Lists from the Source User to the Destination User", and Cancel and Clone Permissions buttons.] Reset Accepted UAPs for All Users: It's also possible to reset the status of accepted User Acceptance Policies for your users as well. It's possible you will want to do this periodically, as you may need to modify the policy based on
54. e selected a secondary authentication option for a Password List they have access to. Web Authentication Option: Please specify which Authentication option will apply to this user when they first authenticate to Passwordstate. Choose Authentication Option: Use the System Wide Authentication Settings. Please Note: When using the default Passthrough authentication method, the only true way to expire a user's login credentials after logging out is to close the browser window. Clicking on the 'Log Back In' button, or refreshing the page, simply re-authenticates the user. Please [...] aware of this if they log into Passwordstate from different computers. ScramblePad Pin Number: If you have chosen to use ScramblePad Authentication, please specify a Pin Number for the user to use (minimum length is 4). SecurID UserID: Please specify the user's SecurID UserID value below. AuthAnvil Username. Mobile Access Options Tab: The Mobile Access Options tab allows you to specify various Mobile Client settings for the user, and to also set their Mobile Pin Number for them if required. The Pin Number can then be emailed to their account. Edit User Details: To modify the user's details, please make appropriate changes in each of the tabs below and click on the Save
55. e with caution. • Impersonate Users Account: this feature should only be used when trying to troubleshoot issues with the affected user. By selecting this option, an email will be sent to the user informing them you are impersonating them, as well as to all Security Administrators. Audit records are also added. When you are impersonating a user, being able to see, edit or add passwords will be disabled. • Report Historical Password Activity: this report shows all auditing data for the user's account as it relates to password records, i.e. viewing passwords, copying to the clipboard, access permissions, etc. • Report Last Accessed vs Updated: this report allows you to see all the password records the user has access to, when they last viewed the value of the password, and when the last time the Password itself was updated. It provides a column called 'Reset Recommended', so you know if a password should be reset after an employee leaves your organization. You can either choose to see all records the user has access to, or only the ones where a password reset is recommended. • Report Password List and Folder Permissions: this report will show all the Password Lists and Folders the user has access to, and what their permissions are. The permissions are either based on their own individual user account, or any security groups they may be members of. • Resend Welcome Email: if you need to resend the initial Welcome email to the user, the email they first r
56. eceive when their account is first added to Passwordstate, then you can use this menu item. • Reset any Accepted UAPs for User: If needed, it's possible to reset the accepted status of the User Acceptance Policy for a user. The User Acceptance Policy can be configured on the screen System Settings > User Acceptance Policy Tab. • Set Expiry Date: it is possible to set a date on which the user's account can either be disabled or deleted from Passwordstate. This is a useful feature if you know an employee is leaving the organization on a specific date. • Toggle Status (Enabled or Disabled): this will either enable or disable the user's account, preventing them from accessing the Passwordstate web site. • View Email Notifications: allows you to enable or disable email notifications for the user, assuming an Email Notification Group hasn't been applied to their account. Note 1: The status (enabled or disabled) of a user's account may also change depending on the Active Directory synchronization settings on the screen System Settings > Active Directory Options Tab. Note 2: Disabling a user's account does not count towards the number of used licenses. [Screenshot: User Accounts grid with the Actions menu open.]
57. ed a Local Security Group, the Actions drop-down menu has two features you can use: • Manage Members: allows you to add or remove members from the security group. • Delete: delete the security group from Passwordstate. This does not delete any user accounts, only the security group itself. Note: If the Security Group has been used to apply permissions anywhere within Passwordstate, removing members from the security group, or deleting the Security Group itself, will remove one or more users' access. [Screenshot: Security Groups grid with the Actions menu open, showing Manage Members and Delete.] Active Directory Security Group Actions Menu: Once you have added a new Active Directory Security Group, the Actions drop-down menu has two features you can use: • Manual Synchronization: synchronizing membership of an Active Directory Security Group can be done in one of 3 ways: (1) when you first add an AD Security Group to Passwordstate; (2) the Passwordstate Windows Service can perform the synchronization on the schedule you have specified on the screen Administration > System Settings > Active Directory Options Tab; (3) or by clicking the 'Manual Synchronization' menu item. • Delete: delete the security group from Passwordstate. This does not delete any user accounts in Passwordstate a
58. ed to regularly change their login password: When using the Forms Based Authentication version of Passwordstate, by default users will be required to regularly change their login password. The frequency of the required change can vary from 15 to 90 days, depending on the strength of the password they enter. If you wish to disable this feature, you can do so by selecting Yes here. Auto populate the SecurID UserID field for the user: If you select one of the SecurID authentication options for your users, you can automatically populate the UserID field for them if required. Make the SecurID UserID field on the login screen read only: This option prevents a user from walking up to another user's computer, authenticating with their own SecurID Token, but then logging into Passwordstate as the other user. This can happen when the Passthrough authentication occurs after the SecurID authentication happens, as there does not necessarily need to be a correlation between a user's SecurID user account and their domain account. When using the Forms Based Authentication version of Passwordstate and a SecurID authentication option above, show just the SecurID authentication screen on initial login: When this option is selected, you will not be prompted to enter your forms based UserID and Password, only your SecurID UserID and Passcode. Specify your AuthAnvil Web Services URL and SiteID here: You mus
59. emporary Pin Code Settings: allows you to specify the length of the Pin Code, and also how long until the temporary Pin Code will expire if not used. Minimum ScramblePad Pin Length: By default the ScramblePad Pin length is 4 characters, but can be changed if required. [Screenshot: Web Authentication Options settings, with the following text.] Web Authentication Options: Please specify which System Wide Authentication method will apply to users who do not have any options selected as part of their Preferences, or via User Account Policies. Choose Authentication Option: Passthrough AD Authentication. • If one of the Manual AD Authentication options is selected, auto-populate the UserID field based on the current logged-in Active Directory account (Yes/No). • If one of the Manual AD Authentication options is selected, show a Domains drop-down list to form part of the UserName field (Yes/No). • If using the AD Integrated Authentication version of Passwordstate, and Passthrough Authentication is not selected, make the authentication a two-step process, where the user first validates their AD Account and then the additional Authentication option on the following screen (Yes/No). • If using the Forms Based Authentication version of Passwordstate, disable the feature where users need to regularly change their login password (Yes/No). SecurID Two Factor Settings: Auto populate the SecurID Us
60. en you first add a new User Account Policy, it is disabled by default. It is recommended that before you enable the policy, you apply the permissions required, then click on the 'Check for Conflicts' button. The Check for Conflicts process will ensure that there are no two settings with different values assigned to a user's account; this could cause confusion for the user, and for Security Administrators, if this is the case. User Account Policy Actions: Once you have created a Policy with the desired settings, the following Actions Menu items are available to you: • View Permissions: allows you to view, and make permission changes, as to who the policy is in effect for. • Toggle Status: either enable or disable the policy. • Delete: delete the policy. [Screenshot: User Account Policies grid with the Actions menu open.] Check For Conflicts: As it's possible to apply more than one User Account Policy to a user's account or a security group, it is recommended that you use the 'Check for Conflicts' button to determine if this is the case; it would cause confusion if different values for the same settings were being applied via different policies.
61. ent other accounts are locked out, or inaccessible for any reason. A couple of scenarios where this would be applicable are: • You have issues with authenticating on your domain, and can no longer authenticate to Passwordstate using your normal domain account. • Someone has accidentally deleted or disabled all Security Administrator accounts, and no one is able to administer all the settings for Passwordstate. The Emergency Access URL is HTTPS://<Your Passwordstate URL>/Emergency. Note 1: Simply browsing to the Emergency Access URL will generate audit records, and notify Security Administrators via email. Note 2: Navigating to the page Administration > Emergency Access will also generate audit records, and notify Security Administrators via email. Note 3: You must specify a reason why you need to access the Emergency Access Login, and this reason is added to the auditing data. Note 4: Once you've logged in with this account, you will have access to the Administration area of Passwordstate. [Screenshot: Emergency Access Authentication dialog. To login with the Emergency Access account, please specify the password and reason for access below. Accessing this page, plus any authentication attempts, are both audited events which also cause email alerts.] 13
62. eout of 3000 milliseconds (port test is only executed if ping test fails). Host Connectivity Timeout Settings: Specify timeout settings for the execution of Discovery, Reset and Password Validation Scripts. • Specify the timeout period for establishing a connection to the remote Host: 30000 milliseconds. • Specify the maximum time that any operation can run: 120000 milliseconds. 28.10 Miscellaneous Tab. The Miscellaneous Tab has multiple settings which don't necessarily apply to any of the other Tabs. Default Locale Date Format: Applies date formatting rules to any date fields you see in Passwordstate. If users are located in a different region to what is set system wide, they can specify their own date format as part of their Preferences. Inactivity Time Out (mins): Allows you to specify the period in which users will be automatically logged out of Passwordstate if their session is inactive. If Audit records in the database are detected as being tampered with, send email reports at: The Passwordstate Windows Service monitors the state of the Auditing data in the database, and if it detects any modifications to data directly in the database, it can alert Security Administrators via an email. This setting allows you to specify what time of the day you would like to receive that notification. Specify the Base URL u
63. er account in Active Directory is changed, you can also synchronize that change to the account stored in Passwordstate. When an account in Active Directory is deleted, perform the following in Passwordstate: If a User Account in Active Directory is deleted, you can choose whether you want to delete it in Passwordstate, disable the account, or simply do nothing. When a user is removed from a Security Group, and that user no longer belongs to any Security Groups, perform the following in Passwordstate: If a user no longer belongs to any Active Directory Security Groups which have been added to Passwordstate, you can choose to disable, delete, or do nothing with their account. Note: For the two options above, if you choose to delete the user account in Passwordstate, all access for the user's account will be removed, and any Private Password Lists they may have had will be deleted. Synchronize Security Group Memberships and User Account status at: Synchronizing of Active Directory security group memberships, and the status of user accounts (either enabled, disabled or deleted status), can be done either once a day, or more frequently if required, by choosing the appropriate option here. When synchronizing Security Groups, or querying the status of an AD User Account, pause for x seconds between consecutive calls to Active Directory: So the Passwordstate Windows Service doesn't perform too many consecutive queries to Active Directory too quic
64. erID field for the user (Yes/No). • Make the SecurID UserID field on the login screen read only (Yes/No). • When using the Forms Based Authentication version of Passwordstate and a SecurID authentication option above, show just the SecurID authentication screen on initial login; by selecting this option, your UserIDs in Passwordstate must match your SecurID UserIDs, and any User Preferences or User Account Policies for Authentication will be ignored (Yes/No). AuthAnvil Two Factor Settings: Specify your AuthAnvil Web Services URL and SiteID here; the AuthAnvil URL is generally in the format of ... 28.4.1 Duo Auth API Configuration. In order to use the Duo Authentication feature, you must have an Enterprise account with Duo Security, and you need to create an 'Auth API' Application in the Duo Portal so you can add these settings into Passwordstate. The following instructions will show you how to do this: • First, log in to your Duo Portal and click on the Applications menu. • Click on 'Protect an Application'. [Screenshot: Duo Applications page listing a Passwordstate application of type Auth API.] • Choose the 'Auth API' Application. [Screenshot: Duo 'Protect an Application' list.]
65. erts & options, high availability options, miscellaneous, mobile access options, password list options, password options, password reset options, proxy & syslog servers, usage tracking, user acceptance policy. Please specify settings for Hosts and the Remote Session Launcher feature as appropriate. Host Options: • On the Passwords Home screen, either Show All Hosts the user has access to, or make them search for the Hosts (Show All Hosts / Make The User Search). • On the Remote Session Launcher screen, either Show All Hosts the user has access to, or make them search for the Hosts (Show All Hosts / Make The User Search). • On the Hosts and Resources screen, show the option 'Show Hosts do not have access to' (Yes/No). Host Heartbeat Polling: Each Host will be polled daily to check the online status, during the hours specified for the relevant Operating System. The polling hours per Operating System can be changed on the screen Administration > Host Types and Operating Systems. • If a Managed Host cannot be reached for 60 Days in a row, then: Do Nothing / Set the Host to Unmanaged / Delete the Host. • If an Unmanaged Host cannot be reached for 365 Days in a row, then: Do Nothing / Delete the Host. • For the Heartbeat Ping Test, use a Packet Size of 32 bytes. • For the Heartbeat Ping Test, send 2 echo requests with a timeout of 1000 milliseconds. • For the Heartbeat Open Port Test, use a tim
66. [Screenshot: Password List settings form with the Password Generator Policy drop-down list open, showing policy names such as Default Password Generator.] Toggle Visibility of Web API IDs: When using the Passwordstate Web API, there are certain API calls which can also automatically generate passwords. In order to specify which policy to use when making these API calls, you need to know the PasswordGeneratorID value, a unique identifier for each policy. By clicking on the 'View Visibility of Web API IDs' button, you will see the PasswordGeneratorID values as per this screenshot. [Screenshot: Password Generator Policies grid. Listed below are all the Password Generator Policies which can be assigned to specific Actions.]
67. [Screenshot, continued: Password Generator Policies grid listing policy names, with Add and Toggle Visibility of Web API IDs buttons.] 21 Password Lists. The Password Lists screen shows all Password Lists created in Passwordstate, regardless of whether your account has Administrative rights to the Password Lists or not. Note 1: You can view which Private Password Lists have been created, and who created them, but you cannot manage any permissions or settings for them. Note 2: For the Shared Password Lists, you cannot grant yourself access to any Shared Password Lists you do not already have access to. Note 3: When clicking on a Shared Password List, all passwords will be hidden and some features will be disabled for you. From this screen, the following features are available. Actions Menu, Edit Password List Details: By clicking on the 'Edit Password List Details' menu option in the Actions drop-down menu, you will be able to edit settings for the selected Password List. Note: Please refer to the Passwordstate User Manual for detailed instructions on settings which can be applied to a Password List or Template. Actions Menu, View Password List Permissions: By clicking on the 'View Password List Permissions' Action menu, you can view all permissions which are applied to the Password Lis
68. he Navigation Menu will look different to your users once you've done this, as it will need to rearrange any nested Password Lists/Folders; you can only delete a single Folder if there are no Password Lists nested beneath it. • Delete Folder and all Nested Items: Please use with caution, as this will delete all nested Password Lists/Folders, including all associated passwords. [Screenshot: Password Folders grid with the Actions menu open, showing View Nested, Delete Folder, and Delete Folder and all Nested Items.] 20 Password Generator Policies. The Password Generator Policies screen allows you to create and manage multiple settings for the Password Generator, which can then be applied to one or more Password Lists. Note: The 'Default Password Generator' policy cannot be deleted; it can be renamed and its settings modified, but it cannot be deleted. When adding or editing a Password Generator Policy, you have the following options available to you. Password Generator Details: Edit the name and description for the Policy. [Screenshot: Edit Password Generator Policy dialog. Please use the various tabs below to specify options for the Password Generator Policy 'Default Password Generator'.]
69. issions. The page allows you to query all the permissions for one or more Password Lists, and then either enable or disable Mobile Access as required. [Screenshot: mobile access bulk permissions screen, with a list of Password Lists and a list of Permissions for sample entries, and Save and Cancel buttons.] Password List Templates: Password List Templates can be used to apply consistency to settings for your Password Lists, and accessing the Templates from within the Administration area allows you to see all Templates created by all users. Templates can be used in the following way: • You can apply a Template's settings as needed, once off, when you add a new Password List or
70. issions allows you to apply new permissions, or remove permissions, for a user account or security group to multiple Password Lists at once. After you have searched for a user account or security group, and then clicked on it, the 'Available Password Lists' listbox shows which Password Lists the user/security group does not have access to, and the View/Modify/Administrator Permissions listbox shows what Password Lists the user/security group already has access to. To apply new permissions, or remove existing permissions, simply move the Password Lists between the different listboxes using the various arrow buttons, then click on the Save button. Note: You cannot manage permissions here for Password Lists which have mandatory options set for Time Based Access or Handshake approval. [Screenshot: Administer Bulk Permissions for Password Lists. Administering Bulk Permissions is a three step process: 1. Search for a User or Security Group, 2. Apply new or modify existing permissions, and 3. Save the changes. Please Note: You cannot administer bulk permissions for Password Lists which have mandatory Options set for Time Based Access or Handshake Approval, as these require additional settings to be applied.]
71. ist below, and click on the Run Report button to execute. Note: These reports can also be scheduled from the Reports > Scheduled Reports menu, if you've been given access to this menu. [Screenshot: Available Reports list with a Run Report button.] 26 Security Administrators. The Security Administrator role in Passwordstate provides access to one or more features in the Administration area. If a user's account is not set up as a Security Administrator, the Administration menu will not be visible to them. There are 15 different types of roles a Security Administrator account can be configured for, with each role providing access to various screens/features in the Administration area. Note: To ensure there is a clear separation of elevated privilege responsibilities within Passwordstate, you cannot modify any Security Administrator role settings for your own account; another Security Administrator will need to do this for you. As such, Click Studios recommends you have at least 2 Security Administrators assigned, otherwise you may need to use the Emergency Access account to make changes to this role if required. The roles are: Active Directory Domains, Auditing, Bad Passwords, Email Templates, Emergency Access, Export All Passwords, Licensing, Password Generator, Password Lists, Password Strength Policy, Repor
72. Manual AD and ScramblePad Authentication
Provides a dialog for users to manually specify their AD domain credentials and a ScramblePad Pin. To use this authentication method, the user must specify their ScramblePad Pin number on the Preferences screen, or Security Administrators can do it for them on the User Accounts screen. In the screenshot below, if the user's Pin Number was 0123, then they would need to enter "ejgx" to authenticate correctly (the letters are rearranged every time the screen is accessed).
[Screenshot: ScramblePad Authentication dialog]
Manual AD and Email Temporary Pin Code
Provides an authentication dialog for users to manually specify their own AD credentials, and also a Temporary Pin Code. Users must specify an email address in their Preferences area as to where they want the Temporary Pin Code to be emailed to, and Security Administrators cannot set this email address for them. The length of the Pin Code, and the time in which it expires, can also be set on this screen.
[Screenshot: Temporary Pin Code Authentication dialog]
73. just a single IP Address
Note 1: Regardless of the settings you specify here, you will always be able to access Passwordstate if logged into your web server directly, or via the Emergency Access account.
Note 2: If making an API call from an IP Address which is not authorized, then the API will return a HTTP Status Code of 403 Forbidden.
You can set the Allowed IP Ranges separately for each of the 3 features (web site, API and Emergency Access Login), and the features below are also possible for further restricting access to the Passwordstate web site.
If the Passwordstate web site is accessed outside of one of the IP Ranges listed above, force the user to authenticate using the following method
If you would like to choose a different authentication method when your users are outside of your internal network, then you can choose the option from here. By default, access from IP Addresses which aren't listed as "Allowed" will be blocked. By selecting an authentication option instead, you can enforce a different authentication mechanism. This is a more secure option if you use Passthrough Authentication within the office, but want to further secure access to Passwordstate when outside of the office.
74. kly you can add a pause for this
Performance Tip: If you have many Active Directory User Accounts added to Passwordstate, the synchronization of the features above will perform significantly better if these user accounts belong to one or more Security Groups, and these Security Groups have also been added to Passwordstate via the page Security Groups. The reason for this performance improvement is because all the users can be enumerated with one call to Active Directory for the Security Group, instead of making separate calls for every single account. If you have many AD users added to Passwordstate, i.e. 200, it is recommended you add one or more Security Groups, even if you don't use them to apply permissions anywhere.
Allowed IP Ranges Tab
The Allowed IP Ranges Tab allows you to specify a range of IP Addresses where clients are allowed to access the Passwordstate web site, make calls to the Passwordstate API, or access the Emergency Access login page. Specifying IP Ranges can be done in the following format:
• 192.168.1: all addresses in the range of 192.168.1.0 to 192.168.0.255
• 192.168: all addresses in the range of 192.168.0.0 to 192.168.255.255
• 192: all addresses in the range of 192.0.0.0 to 192.255.255.255
• 192.168.1.1-192.168.2.50: just the addresses in the range of 192.168.1.1 to 192.168.2.50
• 192.168.1.50
75. [Screenshot: Linked Password Lists screen for the Template "Gen Field Encryption Testing", with the Available Password List(s) and Linked Password List(s) listboxes]
Password Strength Policies
Password Strength Policies are used as a set of rules for determining the strength of a Password. Once a policy is created, it can be applied to one or more Password Lists. When adding or editing a Password S
76. [Screenshot: Password Generator, Generate Passwords tab, showing 15 generated passwords]
Clicking on the "Generate & Spell" button gives you the random passwords, and spells them out for you as well.
[Screenshot: Password Generator, Generate Passwords tab, showing generated passwords spelled out phonetically]
77. [Screenshot: Google Authenticator dialog]
RSA SecurID Authentication
Provides a dialog for users to manually specify their SecurID Passcode; this works in conjunction with Passthrough AD Authentication. To use this authentication method, the user must have a valid SecurID account and token.
[Screenshot: SecurID Authentication dialog]
ScramblePad Authentication
Provides a dialog for users to manually specify their ScramblePad Pin code; this works in conjunction with Passthrough AD Authentication. To use this authentication method, the user must specify their ScramblePad Pin number on the Preferences screen, or Security Administrators can do it for them on the User Accounts screen. In the screenshot below, if the user's Pin Number was 0123, then they would need to enter "rjdu" to authenticate correctly (the letters are rearranged every time the screen is accessed).
[Screenshot: ScramblePad Authentication dialog]
Email Temporary Pin Code
Provide
78. like the emails to be sent from
• Whether or not your email server is configured to send via TLS (Transport Layer Security)
• And if you need to specify an account to send from, i.e. sending Anonymous SMTP emails is not allowed from your email server
Note: If the account stored for this setting is also stored in a Password List which is enabled for synchronizing of passwords into Active Directory or local Windows Servers, then this password below will also be updated when a synchronization occurs.
28.8 High Availability Options Tab
If you have purchased the High Availability option for Passwordstate, the High Availability Options Tab allows you to specify the following settings:
• How frequently the High Availability instance should check for new or updated logos and custom images. If there are any new or updated images, they will be written to disk on the schedule provided
• When a user accesses the High Availability instance of Passwordstate, you can send email alerts to Security Administrators with the selected following role(s). This is useful as it gives you the opportunity to investigate why the user is accessing the High Availability instance, when they should be accessing the Primary instance
Note: Even though the High Availability instance is Read Only, all actions are audited, with audit data being merged back into the primary da
79. llowing the on screen instructions.
Note: Only Password List Administrators have the access to create/configure API Keys for Password Lists.
[Screenshot: System Settings screen, API Key tab, showing the API Key, API Permissions, Hosts API Key and Password Generator API Key sections. Each key has a Generate New Key button and the warning "Resetting the API Key will break existing applications using it". By creating a Hosts API Key, you can create/delete Hosts records via the API.]
80. [Screenshot: Password Generator API Key field with a Generate New Key button. Warning shown: Resetting the API Key will break existing applications using it. Clearing this key will also stop the Password Generator feature in the top toolbar of Passwordstate from working.]
28.4 Authentication Options Tab
The Authentication Options Tab provides various settings for when your users first authenticate to the Passwordstate web site.
Note 1: Options will be different on this screen depending on if you have installed the Active Directory integrated version of Passwordstate, or the Forms Based Authentication version.
Note 2: In the event you lock yourself out of authenticating against the Passwordstate web site for any reason, you can always use the Emergency Access account to authenticate.
Authentication Option
There are multiple different authentication options available for when your users first access the Passwordstate web site, and they are:
Passthrough AD Authentication
If DNS, your browser and the site in IIS are configured correctly, your browser should not prompt you for your account details when using this authentication method; instead it should pass your account details to the Passwordstate web site in IIS, and IIS ensures your account exists in Active Directory.
Manual AD Authentication
Provides a dialog for users to manually specify their AD domain
81. me of the images you see on this screen. To do this, simply click on the Toggle ID Column Visibility
[Screenshot: Custom Images grid, listing each image with its file name, with Add, Toggle ID Column Visibility and Grid Layout Actions controls]
Email Notification Groups
The Email Notification Groups screen is used to manage email notification settings for a group of individual user accounts, or members of security groups. Using Email Notification Groups, you can specify which email notifications certain users receive, or don't receive, i.e. you may wish to have certain notifications enabled for Security Administrators, but disabled for normal user accounts in Passwordstate.
Note 1: Any system wide Email Templates which are disabled will cause any settings here to be ignored.
Note 2: If a user has specified their own Email Notification Settings as part of their Preferences, any permissions you apply here for the user will override their personal settings.
Note 3: If you have more than one
82. [Screenshot: User Accounts grid with bulk action controls]
Once you have added the user's account to Passwordstate, there are certain functions which can be performed against it.
Local Login Accounts
When using the Active Directory Integrated version of Passwordstate, it's still possible to create "Local" Login Accounts which aren't tied to Active Directory. This would only ever get used in rare circumstances when you have users wanting to use Passwordstate, but don't have an AD Account. In order to take advantage of this feature, you need to:
• For the Passwordstate web site in IIS, you need to set the Authentication for the site to Anonymous
• You need to add, or import via a csv file, Local Login Accounts to Passwordstate (these behave similar to Forms Based accounts)
Note: There are some limitations when you configure Passwordstate in this manner. In particular, users won't be able to set their own Authentication options in the Preferences screen, Security Administrators won't be able to configure any Authentication options for a User Account Policy, and certain System Wide Authentication options will also be disabled.
User Account Actions Menu
The following Actions menu items are available for a user's account:
• Delete: deleting a user's account will remove all access for them, so please us
83. mpts. Failed login attempts are also recorded and reportable on the Auditing screens.
Only send Failed Login Attempt email alerts to Security Administrators if the following conditions are met
If Security Administrators don't wish to be alerted to every single failed login attempt by individual users, you can set a threshold which must be met before an email is sent. Even if this option is used to not be notified every single time, auditing data is recorded for all failed login attempts.
Alert Security Administrators if there are an excessive number of events from a single user for Viewing, Copying or Exporting Passwords. Alert if the following condition is met
Another option which alerts to uncommon behavior is to notify Security Administrators when an individual user is viewing, copying or exporting a lot of password data within a set period of time, i.e. if a user views 10 password records within a single minute, then this is not common behavior and you may have an issue with potential information leakage/theft.
When users Request Access to Passwords or Password Lists, in addition to emailing the request to Password List Administrators, also email it to Security Administrators with the following roles
By default, Password or Password List Access Requests are routed to the Administrators of the relevant Password Lists. If you would also like the access requests to be sent t
84. multiple domains to authenticate and access the Passwordstate web site, you must have a domain trust in place. This is because it's Internet Information Services which does the initial authentication check on the domains
• You must specify at least a domain account which has Read access to the domain, and this account can be set up on the Privileged Account Credentials screen
• If you want Passwordstate to update passwords in Active Directory, you must also specify a Privileged Account Credential which has the relevant permissions to update accounts
• Even if you are using the form based authentication version of Passwordstate, you can add in Active Directory domains here so that Password Resets on each of the domains can work; this can even be done with non-trusted Active Directory Domains
Note: If you are unsure of what NetBIOS Name and LDAP Query String settings to specify, please speak with your Active Directory Administrators for assistance.
[Screenshot: Active Directory Domains screen, with on-screen guidance to open a command prompt and type "set userdomain" and then "set userdnsdomain" to determine the Active Directory settings]
85. n an untrusted environment.
Note 1: If you plan on moving your Passwordstate web installation to a new web server, you must first register the host name of the new web server on this screen.
Note 2: If you also purchased the High Availability module, you must register the host name of your High Availability instance web server.
Note 3: The host names are not case sensitive.
6 Backups and Upgrades
The Backups and Upgrades screen allows you to specify the settings required to perform backups in Passwordstate, as well as execute manual backups and view the status of any backups.
Note 1: The Upgrade Now button takes you to the same screen you would navigate to when clicking on the new build notification hyperlink, which may appear at the top of the screen when new builds are available.
The following instructions will provide some guidance for configuring the backup settings, and other permissions required to back up all the web tier and database files.
Backup Settings
On the Backup Settings screen, you have the following options available to you:
• Whether you want to perform a backup prior to any In Place Upgrades (this option should only ever be unchecked if you have your own Backup procedures in place)
• How many backups to keep on the file system
• The path to where you would like to store the backups; please use UNC naming conventions here, not a literal path su
86. nd does not touch your Active Directory environment in any way.
[Screenshot: Security Groups grid with the Actions menu open]
Clone Security Group Permissions
It's possible to clone the permissions from one Security Group to another using the Clone Permissions feature.
Note 1: When cloning occurs, the Destination Security Group's permissions are first removed, otherwise duplication would occur.
Note 2: Security Group Memberships will not be cloned with this process, as you need to manage these memberships yourself, either manually for Local Security Groups, or by letting the AD synchronization work for AD groups.
During the cloning process, the following types of permissions will be cloned:
• Any memberships to Email Notification Groups
• Any of the Features permissions (for what menus the user is allowed access to at the bottom of the screen)
• Any permissions to Password Lists (auditing records are added)
• Any Password Permissions (auditing records are added)
• Any permissions to Password Lists Templates (auditing records are added)
• Any Security Admin Roles (auditing records are added)
• Any User Account Policy permissions
87. ns when matching Bad Passwords
If the use of Bad Password detection is enabled on the Password Options Tab, the use of regular expression matching means the bad password can be detected anywhere within the string, not just the bad password on its own, i.e. "mypassword" would be deemed as a bad password as it contains the word "password".
Enable option for purging of Auditing records
If you don't want to give Security Administrators the ability to purge/delete auditing records on the Auditing page, then you can hide the controls which allow the purging.
When users are Requesting Access to passwords, hide the following fields due to possible sensitive information being stored in them
From the Passwords menu at the bottom of the screen, users are able to request access to either Password Lists or individual Passwords they don't already have access to (assuming you have enabled this feature for them). As viewing password related data can be sensitive by its very nature, you can choose to hide various fields on the screen from your users: either the Username, Description or Notes fields.
Allow permissions to be applied multiple times for a user/security group to the same Password or Password List
Under certain circumstances, you may wish to allow the application of multiple permissions to a Password List or Password record for user accounts or security groups. If this is a requirement, you can check this option.
Allow users to view Pa
88. nts and security groups with Active Directory.
Specify which IP Addresses or IP Address Ranges are allowed to access the Passwordstate web site or API.
Create various API Keys for making calls to the Passwordstate API.
Various options and settings for authenticating to the Passwordstate web site.
Specify your own Logos and Page Titles to use on various screens and dialogs.
Specify how frequently Passwordstate should check for new versions.
Email Server settings, and multiple options for various email notifications.
Specify how frequently the High Availability instance of Passwordstate should check for new or updated Custom Images and Logos, and write these to disk.
The Hosts tab has a few options for showing or hiding all the Hosts users have access to on the Password Home and Remote Session Launcher pages.
Various settings which don't fall into any other of the Tab categories.
Specify various system wide settings for the Mobile Access client.
Settings which are specific to Password Lists.
Settings which are specific to individual password records.
Specify various settings when updating passwords in Active Directory, and specify who is allowed to enable the Password Reset option on Password Lists.
Specify proxy settings or syslog settings for Passwordstate to use.
Allows you to specify your own JavaScript code to be inserted into the main default.aspx page.
Specify a popup User Acceptance Policy which users must read when they access the P
89. [Screenshot: Set Permissions buttons for each of the Menu items, including Password Generator, Remote Session Launcher, Self Destruct Message and the Hosts Menu items]
19 Password Folders
The Password Folders screen shows you all the Password Folders which have been created in Passwordstate. From this screen you can:
Edit Password Folder Details & Delete the Folder
By clicking on the Password Folder hyperlink you see in the grid, you will be taken to a screen where you can perform the following actions on the Folder:
• Edit name, description and settings
• Clone the folder, and nested Password Lists and Folders (but not the passwords themselves)
• Delete the folder; deleting a folder will not delete any nested Folders or Password Lists
Edit Folder Properties
To edit the Folder properties, please make appropriate change
90. o ask your DBAs restored a copy of the database.
Add Password List
By clicking on the "Add Password Lists" button, you will be able to add a new Password List to Passwordstate.
Note: Please refer to the Passwordstate User Manual for detailed instructions on settings which can be applied to new Password Lists or Templates.
Export
The Export button simply allows you to export the list of Password Lists to a csv file; no Passwords are exported, just basic information about the Password Lists themselves.
Toggle ID Column Visibility
The Toggle ID Column Visibility button will either show or hide the PasswordListID value for each of the Password Lists. These PasswordListID values may be required if you are using the Passwordstate API, or the Bulk Password Import feature below.
[Screenshot: Password Lists grid. Clicking on a Shared Password List allows you to Administer Permissions and Edit Password]
91. o various Security Administrators, you can use this option to choose which Security Administrator roles will receive the requests.
When users Request Access to Passwords or Password Lists, if there are no Administrators assigned to the Password List, email the request to Security Administrators with the following roles
It's possible that there may be no Administrator permissions assigned to a Password List for your users, only Modify or View permissions. If this is the case, someone needs to be notified when users request access to passwords in a Password List which is configured this way. You can use this option to specify where the request is routed, i.e. which Security Administrators will receive the Request Access email and popup notification.
Send email alerts to Security Administrators with the following role when passwords are exported
If you would like to alert your Security Administrators when users are exporting password data, you can use this option to do so.
Use the following settings to send emails from within Passwordstate
As various functions are performed in Passwordstate, email records will be generated and stored in the QueuedEmail table. The Passwordstate Windows Service checks this table once every minute, and sends the emails if any exist. In order for emails to be sent, you need to specify various settings for your email server. In particular:
• Host Name and Port Number
• Which SMTP address you would
92. of Linked Password records across all affected Password Lists
When Password records are copied & linked between different Password Lists, you can use this option to specify whether all of the linked records are moved to the Recycle Bin when one of them is deleted. If the option is not selected, the other linked records will remain visible in each of their respective Password Lists.
Show the "Send Self Destruct Message" Actions menu item for Password records
If you don't want users to see the "Send Self Destruct Message" Actions menu item for individual password records, you can hide it using this option.
Show the "Remote Session Launcher with these Credentials" Actions menu item for Password records
If you don't want users to see the "Remote Session Launcher with these Credentials" Actions menu item for individual password records, you can hide it using this option.
Enable the "View & Compare History of Changes" menu option for Password records, for users who have the following permissions to the Password List
There is a "View & Compare History of Changes" menu action for each and every Password record. You can control which users are allowed to access this menu, based on their permissions to the relevant Password List.
On the "View & Compare History of Changes" screen for Password records
When viewing the History of changes to a Password
93. om of every Passwords grid there are certain buttons/controls for adding passwords, importing them, viewing documents, etc. With this option you can choose to display the Actions toolbar at the bottom of the Passwords grid, at the top, or both.
Use the following type of Navigation Menu system
For the main Navigation Menu system, you can choose to use whatever the default settings are in Passwordstate, or you can choose the Vertical or Horizontal menu system for the user.
Expand bottom Navigation Menu items by
The Navigation Menu at the bottom of the screen can expand certain menus vertically by simply hovering over them. If you choose, you can change this option so you must first click on the Menu item before it expands.
On all Password List screens, sort the grid by the following column
If you would like all Password grids to be sorted by default on a selected column, you can choose the column here. Note: this will override you manually sorting a column and then selecting to save the Grid layout.
On the Passwords Home and all Folder screens, sort the Search Results and Favorite Passwords grids by the following column
Similar to the option above, but this sort order applies to the Search Results and Favorite Passwords grids on the Passwords Home page and Folder pages.
When creating new Shared Password Lists, base the settings on
When creating new Password Lists, you can choose to
94. on "Log on as batch job" and select Properties
• Click "Add User or Group", and include the relevant user account
Something else to check is whether the local Administrators Group had been granted the "Deny Logon as a batch job" right, as this will cause the setting above to have no effect.
Non-Local Administrator Rights for the Backup Account on the Web Server
If you do not wish to grant the backup account Local Administrator rights on your web server, then the following instructions will help with this:
• The backup account will now need Modify NTFS permissions to the Passwordstate Folder, and all nested files/folders
• Download SubInACL from here and install somewhere: https://www.microsoft.com/en-us/download/confirmation.aspx?id=23510. It really only installs the subinacl.exe file into the location of C:\Program Files (x86)\Windows Resource Kits\Tools. If you didn't install this on your web server, copy the file across to a folder on your web server
• Open a command prompt as Admin, change to the folder where you have subinacl.exe, and execute the following command, replacing <BackupAccount> with the correct account: subinacl /service "Passwordstate Service" /grant=<BackupAccount>=F
• While still having the command prompt open as Admin, type in secpol.msc /s
• Select "Local Policies" in MSC snap in
• Select "User Rights Assignment"
• Right click on "Log on as batch job" and select Properties
• Click "Add User or
95. on Options Tab; Duo Auth API; 5 Branding Tab; 6 Check for Updates Tab; 7 Email Alerts & Options Tab; 8 High Availability Options Tab; 9 Hosts Tab; 10 Miscellaneous Tab; 11 Mobile Access Options; 12 Password List Options Tab; 13 Password Options Tab; 14 Password Reset Options; 15 Proxy & Syslog Servers Tab; 16 Usag
96. or user authentication must be a minimum length of: You can choose the length of the Mobile Access Pin Number the users must use to authenticate with. When the users specify their own Pin Number on the Preferences screen, or use the option to generate one, it must meet the minimum length requirement of this setting. The Inactivity Timeout for Mobile Access is (mins): If the user forgets to log out of the Mobile session, this setting will automatically log them out after the set period of inactivity, and also clear their authenticated session. Protect against brute force dictionary authentication attempts by locking out an active session after the following number of failed login attempts: As the Mobile Access web site is generally externally accessible from your internal network, this setting will mitigate against any brute force authentication attempts by locking out authentication attempts when this setting has been reached. System Settings: To modify the system settings, please make changes within the appropriate tabs below, then click on the Save button: active directory options, allowed ip ranges, api key, authentication options, branding, check for updates, email alerts & options, high availability options, miscellaneous, mobile access options, password list options, password options, password reset options, proxy & syslog servers, user acce
97. ous features in Passwordstate require Active Directory Accounts Credentials to perform certain tasks, i.e. Resetting Passwords, querying active directory, etc. This screen allows you to add those accounts to be used. Reporting: Various reports which can be exported to CSV files. Security Administrators: Allows you to specify which users are Security Administrators within Passwordstate, and select which roles they can have. Security Groups: Allows you to manage either local security groups created within Passwordstate, or Active Directory security groups. These groups can then be used for applying permissions to Password Lists, or to give/deny access to various features. System Settings: System Settings is used to manage the majority of system wide settings for Passwordstate. User Accounts: Allows you to specify the user accounts which are able to access the Passwordstate web site. User Account Policies: User Account Policies are used to apply a specific set of settings to any number of user accounts or security group members. 2 Active Directory Domains: The Active Directory Domains screen is where you can specify which domain(s) user accounts and security groups can authenticate and interact with the Passwordstate website. A few things to note about AD Domains: If you are using the AD Integrated Authentication version of Passwordstate and you want users in
98. ow Enable the Propagate Permissions Downwards feature for top level Folders: With this option enabled, in conjunction with the Allow Permissions on Folders to be managed manually above, permissions on top level Folders can be propagated down to all nested Password Lists and Folders. Disable the popup Guided Tour for new user accounts: If you do not wish new user accounts to see the popup Guided Tour window when they first log into Passwordstate, then you can disable this feature (the guided tour is still available under the Help menu if required). On the Permalink screens, allow the following types of user roles to see the list of email addresses stored in Passwordstate: If you wish to hide all the email addresses registered in Passwordstate on the Permalink screens, you can restrict visibility to just Security Administrators by selecting this option. Mobile Access Options: The Mobile Access Options tab allows you to specify multiple settings for how the Passwordstate Mobile Client behaves for your users. Allow Mobile clients to access Passwordstate: If you do not wish to allow Mobile Access to passwords, you can disable access altogether by selecting this option. Note 1: If you choose to disable Mobile Access, it is recommended you set the option below to No, and then go to the screen Administration > Passwords Lists > Mobile Access Bulk Permissions, and then disable Mobile Access for all permissions.
99. permissions being applied to the Password List itself, the user is given Guest rights to the entire Password List. This is so the Password List will show in the Navigation Tree on the left hand side of the main screen. By selecting this option, you will allow users who have Guest access to also create new passwords in the selected Password List. Note: If this option is enabled and a user creates a new Password record, they will be given Modify rights to the individual Password record they are creating. Allow users to create password records when they only have View permissions to the Password List: When a user is given View access to a Password List, by default they cannot add password records to the List. By setting this option to Yes, they will be able to add new records. Note: Even after the user adds new records when using this option, they will still only have View access to all records in the Password List. Allow users to copy/move/link passwords to Password Lists which they have View access to: It's possible for your users to copy or move passwords around between different Password Lists they have access to. By selecting this option, you allow them to copy/move/link passwords into Password Lists they only have View Access to. If deselected, they will only be able to do so to Password Lists they have Modify or Admin access to. When copying/moving/linking passwords between Password Lists, allow users to view all Password Lists not
100. ptance policy [Screenshot: Mobile Access Options tab. Please specify appropriate settings for Mobile Access to Passwordstate. Allow Mobile clients to access Passwordstate (Permissions need to be set at the Password List level if this option is enabled): Yes / No. When adding new permissions to Password Lists, enabled Mobile Access by default (Permissions can also be changed in bulk on the page Administration > Password Lists): Yes / No. Use the following authentication method for the Mobile Client: Mobile Pin Number. The Mobile Access Pin Number for user authentication must be a minimum length of: 4 7. The Inactivity Timeout for Mobile Access is (mins): 5. Protect against brute force dictionary authentication attempts by locking out an active session after the following number of failed login attempts: 5. Buttons: Save, Save & Close.] 28.12 Password List Options Tab: The Password List Options Tab provides multiple settings which are applicable to Password Lists in Passwordstate. Allow users to export details from their private Password Lists: If you wish to prevent users from exporting passwords from their Private Password Lists, you can do so by selecting this option. Allow Password List Administrators to export passwords from Shared Password Lists: If you wish to prevent users from exporting passwords from any Shared Password Lists, you can do so by selecting this option. Select which Code Page to
101. ptions are available: Show Passwordstate Build Number: you can show this build number to all users of Passwordstate, or just Security Administrators. Main Page Title and Logo: Change the Passwordstate logo to your own custom logo, plus the Page Title displayed in the Tab of your browser. Dialog Title and Logo: Change the Passwordstate logo in each of the Authentication Dialog windows, plus the Page Title. Mobile Client Title and Logo: Change the Passwordstate logo for the mobile client, plus the Page Title. Color Scheme: Change the color scheme you see in Passwordstate (the Base color and Page Background Color). Note 1: The logos are stored within the database, and restarting the Passwordstate Windows Service will recreate the logos on the file system if they are accidentally deleted for any reason. Note 2: Adobe Photoshop template files are also provided, allowing for easier creation of your own logos if required. You can also change the default colors in Passwordstate by specifying your own Base color and Page Background color. User Account Policies can also be used to apply different colors for different sets of users. [Screenshot: Base Color and Page Background Color palettes; default color is 0080af]
102. r Password Lists and need to move records around in mass. Note: You can only copy/move records between Password Lists which have similar fields configured. If the fields are not compatible, then the destination Password List will be disabled, preventing you from copying/moving records to it. Bulk Copy/Move Passwords: To copy/move multiple Passwords from one Password List to another is a 3 step process: 1. Select the Source Password List(s). 2. Select all the Source Passwords you want to move. 3. Select the Destination Password List and click the Copy/Move button. Note: Any Password Lists which have incompatible Generic Field settings will be disabled. [Screenshot: bulk copy/move passwords screen, with Source Password List(s), Source Password(s) and Destination Password List panes]
103. r data into it, please click on the button below. Once you have saved the csv template, you can continue to the Step 2 Populate Template with Data tab. alues required here by returning to the previous screen an d bility button. Note 2: Some Password Lists may not use all the fields in this CSV template, or Generic Fields may be named differently, so enter or omit data as appropriate. Note 3: Various compliance checks will not be performed with this import, i.e. Bad Passwords, Password Strength Compliance & Mandatory fields. Button: Generate CSV Template. Step 2 Populate Template with Data: The screenshot below shows the fields which are populated in the csv template file, which fields are required, and the maximum size of any fields. You will notice 10 Generic Fields in the csv template. By default, Password Lists are not configured to use any of the available Generic Fields, but it's possible they may have been configured to use them. Generally the Generic Fields are named differently, but those names cannot be shown in the csv template, as each Password List may have named them differently. You will need to ensure you populate the csv template file with the correct fields for each of the different Password Lists you are importing into. Note 1: If a field is not Required, then you can leave it blank in the csv template. Note 2: The PasswordListID field is required so the import process knows which Password List
104. rd Lists role from being able to grant themselves access to Password Lists via the Administration area, you can check this option. When copying settings from a Template to a Password List, also copy the following field values: By default, the Password List Name and Description fields aren't populated when copying settings from another Password List or Template. With these two options, you can choose to copy them if needed. When copying settings from a Template to a Password List, allow a different image for the Password List to be selected: If you want to be able to select a different image to be associated with a Password List when copying settings from a Template, then set this option to Yes. Allow Security Administrators to convert Private Password Lists to Shared ones: If you wish to allow Security Administrators to convert Private Password Lists to Shared ones, you can enable this option. There will then be an Actions menu item available on the screen Administration > Password Lists for Private Password Lists. Note: Converting a Private Password List to a Shared one adds relevant auditing data, showing which Security Administrator has done the conversion. Allow users to create password records when they only have Guest permissions to the Password List: When a user is given access to individual passwords in a Password List, as opposed to
105. record, you can choose to either show, mask or hide the password field on the screen. When adding new Active Directory accounts, if the same account is found in another Password List, automatically link the password records if the user knows the value of the password: If adding Active Directory accounts to a Password List, you can check if the account exists in any other Password Lists before saving the record. If it does, then the records will be linked together. This feature does rely on you first entering the correct password for this Active Directory account. When users add/edit passwords, alert them when a Bad Password is specified, and rate it as: When your users add or edit password records, you can choose to either alert them when bad passwords are detected, as per the list stored in the Bad Passwords screen, or you can allow bad passwords to be used. If a bad password is detected, you can specify which Password Strength indicator you would like to be assigned to the password record. Automatically clear clipboard after the following specified number of seconds: When your users copy Passwords to the clipboard using the icon, you can specify how long before the clipboard is automatically cleared. Note: This option is only applicable to Internet Explorer, as it's not possible to automatically clear the clipboard with
106. reen for information on this method. Performance Tip: If you have many Active Directory User Accounts added to Passwordstate, the synchronization features on the Active Directory Options Tab on the System Settings page will perform significantly better if these user accounts belong to one or more Security Groups, and these Security Groups have also been added to Passwordstate via the page Security Groups. The reason for this performance improvement is that all the users can be enumerated with one call to Active Directory for the Security Group, instead of making separate calls for every single account. If you have many AD users added to Passwordstate, i.e. 200, it is recommended you add one or more Security Groups, even if you don't use them to apply permissions anywhere. Note 1: When you first add a user's account to Passwordstate, they will receive an email informing them they have access, and what URL to access the site with (assuming the email notification category is not disabled on the screen Email Templates). Note 2: If you need to purchase additional Client Access Licenses, you can click on the Buy More Licenses button and it will provide you with some instructions. [Screenshot: User Accounts screen, showing Total License Count (Enterprise Unlimited) and Available License Count (Not Applicable)]
107. ren't able to administer the settings and records under this menu because they don't have access, you can grant access via this page. Host Types & Operating Systems: Allows you to add additional Host Type and Operating System records, which can be associated with Host records in Passwordstate. License Information: Allows you to enter your license keys for Passwordstate, either Client Access Licenses, Annual Support or High Availability. Menu Access: Allows you to control which users are able to access each of the main navigation menus. Menus can be disabled or hidden from users if required. Password Folders: Shows all Password Folders created in Passwordstate. Password Generator Policies: Create, edit or delete Password Generator Policies. Policies can be associated with one or more Password Lists, and are used as a basis for generating random passwords of varying complexity. Password Lists: Shows all the Shared Password Lists in Passwordstate, and provides various features for administering permissions, moving passwords around, or importing passwords in bulk. Password List Templates: Shows all the Password List Templates stored in Passwordstate, which can be used to apply a common set of settings to one or more Password Lists. Password Strength Policies: Password Strength Policies are used as a set of rules for determining the strength of a Password. Once a policy is created, it can be applied to one or more Password Lists. Privileged Account Vari
108. rity Group Membership screen allows you to query the members of the security groups, and provides some additional debug information which may be useful for determining the cause of the issue. Active Directory Security Groups Debug Screen: This page will allow you to test querying the membership of an Active Directory Security Group, and provide additional debug information during the process. To use this feature, you will need to first search for the appropriate Security Group. When you click on a Security Group in the search results, it will attempt to enumerate all the members for you. [Screenshot: security group details search, with Security Group Name CoreAdmins, AD Domain halox.net, LDAP Filter dc=halox,dc=net, followed by numbered Debug output lines for the enumerated members] Local Security Group Actions Menu: Once you have creat
109. 28.6 Check for Updates Tab: The Check for Updates Tab allows you to specify how frequently the Passwordstate web site should check for new updates, and who it should display the new build notification to. This feature queries the following file: www.clickstudios.com.au/NewBuildInfo.xml, and if a new build is found, the notification will be displayed at the top left hand side of the screen, just next to the main logo. Note: Depending upon your environment, you may need to specify proxy authentication details on the Proxy & Syslog Servers Tab for this feature to work. 28.7 Email Alerts & Options Tab: The Email Alerts & Options Tab allows you to specify your email server's settings so emails can be generated from Passwordstate, as well as multiple settings and notifications relating to emails being sent. Send email alerts to Security Administrators who have User Accounts role for Failed Login Attempts: There are two different scenarios in which your users must authenticate when using Passwordstate: 1. When they first browse to the web site. 2. If a Password List is configured to require an Additional Authentication step prior to the Password List being accessible. By selecting this option, Security Administrators who have the User Accounts role will be alerted via email to any failed login atte
110. [Screenshot: bulk copy/move passwords screen listing Source and Destination Password Lists, with Copy/Move, Reset and Cancel buttons] Bulk Password Import: The Bulk Password Import feature is useful when you are migrating data from another system, as it allows you to import multiple password records into multiple different Password Lists at once. To import passwords in bulk is a 3 step process. Step 1 Generate CSV Template: By clicking on the Generate CSV Template button, you will be able to save an empty csv template file to your file system. It is this template you need to populate with data ready for import. [Screenshot: Bulk Password Import screen. To import multiple passwords in to one or more Password Lists at a time, please follow the instructions on each of the Tabs below: step 1 generate csv template, step 2 populate template with data, step 3 import data.] To create a CSV template file ready for you to ente
111. s Show the Header row on all Passwords Grids; Show the Filter controls in the Header of the Passwords Grids; Show the Header row on all Recent Activity Grids; Make the Recent Activity Grid visible to the user; Selects the Paging Style controls for Password and Recent Activity grids; Make the Pie Charts visible to the user; Sort the grid by the following column. Home Page and Folder Screen Options: Show the Favorites Passwords Grid; Show the Password Statistics Chart; Choose the Style of the Password Statistics Chart; Stack the data points on top of each other for the Password Statistics Chart; Select the color theme for the Password Statistics Chart; Sort the Search Results and Favorite Passwords grids by the following column. Mobile Access Options: Set the Mobile default home page to; When searching for Password Lists or Passwords, limit the number of records displayed to. Password List Options: When creating new Shared Password Lists, base the settings on the following Template's settings; When creating new Shared Password Lists, base the permissions on the following Template's permissions; If copying settings from a Template to a Shared Password List, also link them; When creating new Private Password Lists, base the settings on the following Template's settings; If copying settings from a Template to a Private Password List, also link them. Note: Wh
112. Clone Security Group Permissions: To clone permissions for a Security Group, you need to select the Source and Destination Groups below, then click on the Clone button. Please Note: Please refer to the Security Administrators manual for what processing occurs when you clone a Security Group's permissions. [Screenshot: clone permissions screen, with Source Security Groups and Destination Security Groups lists, and Clone Permissions and Cancel buttons] Debug Active Directory User Account and Security Groups Synchronization Process: By clicking on
113. Note 2: Even if this option is enabled, your Firewall/System Administrators still need to configure external DNS and allow access through the firewall for anyone to access the Mobile Client web site. When adding new permissions to Password Lists, enabled Mobile Access by default: When adding new permissions to a Password List, you can choose to enable/disable Mobile Access by selecting the appropriate option here. Use the following authentication method for the Mobile Client: There are four types of Authentication Options available for the Mobile Client: Mobile Pin Number: a numeric pin code that the user can specify on their Preferences screen. Active Directory Authentication: authenticate using the user's Active Directory UserID and Password. Email Temporary Pin Code: Two Factor Authentication using the emailing of a temporary pin code, which expires after a set period of time. AuthAnvil Authentication: Two Factor Authentication using Scorpion Software's AuthAnvil solution. Google Authenticator: Two Factor Authentication using the Google Authenticator solutions. Duo Push Authentication: Two Factor Authentication using Duo Security's Push Authentication. Note: You must have an Enterprise account with Duo Security to use this feature. SafeNet Authentication: Two Factor Authentication using SafeNet's On Premise or cloud based authentication services. The Mobile Access Pin Number f
114. s to import the passwords into. The PasswordListID values can be determined by returning to the previous screen, and either Exporting the list of Password Lists, or by clicking on the Toggle ID Column Visibility button. Note 3: Various compliance checks will not be performed with this import, i.e. Bad Passwords, Password Strength Compliance & Mandatory fields. [Screenshot: Bulk Password Import screen, step 2 populate template with data. Now that you have a saved CSV Template, below are the columns you are expected to populate with data as appropriate. Once you have finished populating your CSV file and saved it, please click on the Step 3 Import Data tab. Please note: Any Password Lists which have the column AccountType selected can use any of the values displayed in this Listbox. Column Name and Size (Max): PasswordListID NA; Title 255; UserName 255; Description 255; AccountType NA; Notes NA; URL 255; Password NA; ExpiryDate NA; GenericField1 to GenericField10 NA each.] Step 3 Import Data: Once you have populated the csv file with the required data
115. s an authentication dialog for users to enter a Temporary Pin Code. Users must specify an email address in their Preferences area as to where they want the Temporary Pin Code to be emailed to, and Security Administrators cannot set this email address for them. [Screenshot: Temporary Pin Code Authentication dialog. To authenticate with your Temporary Pin Code, please check your registered email address and enter the Pin Code below. You have 3 minutes before the temporary Pin Code expires, at which time you will be logged out.] AuthAnvil Authentication: Provides a dialog where you can enter your AuthAnvil Username and Passcode to log in using two factor authentication. Users must have specified their AuthAnvil Username on the Preferences screen in order to authenticate. [Screenshot: AuthAnvil Two Factor Authentication dialog, with Username and Passcode fields and a Logon button] Duo Push Authentication: Provides a dialog where you can enter your Duo Push Username to log in using two factor authentication. Users must have specified their Duo Push Username on the Preferences screen in order to authenticate. You can also choose which device to send the Push Notification to. Note: Please refer to the following document as to how
116. s and click on the Save button. [Screenshot: folder properties screen. Please specify appropriate details below for the Password Folder, then click on the Save Button. Folder ID: 85. Folder Name: Customers. Description: Customers. Permalink: https://passwordstate7.halox.net/fid=85. Prevent Non-Admin users from Dragging and Dropping this Folder in the Navigation Tree: Yes / No. Folder Permission Model: Manage permissions manually for this folder (this means the Folder will not inherit permissions from any nested Password Lists): Yes / No. Buttons: Save, View Permissions, Clone Folder, Convert Permission Mode, Delete, Cancel.] View Nested Password Lists: By selecting the option View Nested Password Lists from the appropriate Actions drop down menu, a popup screen will appear showing all Folders and Password Lists nested beneath the one you've chosen. [Screenshot: Nested Password Lists popup, showing all nested Password Lists and Folders for the selected Folder] Deleting Folders: Also in the Actions menu are two options for deleting a folder: Delete Folder: will delete just the folder and nothing else. T
117. sed in any emails generated by Passwordstate: This URL field is used as hyperlinks in any emails generated from Passwordstate. Force the use of an SSL Certificate (HTTPS): When set to Yes, if the user types HTTP into the browser address bar, they will be redirected to HTTPS, which securely encrypts all traffic between the user's browser and the web site. The API will return a 403 Forbidden message if HTTPS is not used. Use the following type of Navigation Menu system: You can choose to use a Vertical navigation Menu on the left hand side of the screen, or a Horizontal navigation Menu at the bottom of the screen. Show Password List Auditing data to users with the following permissions: Beneath each Password List grid you see on the Password screens, there is a Recent Activity grid. The data in the Recent Activity grid is all auditing data specific to the Password List you are viewing. You can choose to hide this grid by deselecting the relevant role for this setting (this will also remove the Password List from the Auditing section that users have access to). When expanding/collapsing nodes in the Passwords Navigation Tree, show a loading animation icon when the count of nodes in the tree is greater than: If you have many Password Lists and Folders visible in the Navigation Tree for your users, there may be a small delay in expanding/collapsing tree nodes. If this is the case, you can display a loading animation icon during the expand
118. Various Authentication Options: Some of the authentication methods above also have various options which can be set, and they are: If one of the Manual AD Authentication options are selected, auto-populate the UserID field based on the current logged-in Active Directory account: If you select one of the Manual AD authentication options for your users, you can automatically populate the UserID field for them if required. If one of the Manual AD Authentication options are selected, show a Domains dropdown list to form part of the UserName field: This option provides a Domain dropdown list on all the Manual AD Authentication screens, so the user doesn't need to type the domain prefix for their account. If using the AD Integrated Authentication version of Passwordstate and Passthrough Authentication is not selected, make the authentication a two-step process where the user first validates their AD Account, and then the additional Authentication option on the following screen: By choosing this option, the authentication process will be executed in two steps, initially just authenticating the user's Active Directory Domain credentials, and then any other additional authentication options selected for their account. This is useful if users need to log into Passwordstate with more than just one account. If using the Forms Based Authentication version of Passwordstate, disable the feature where users ne
119. specify a different template if needed. When creating new Private Password Lists, if there is a User Account Policy setting which copies settings/permissions from a Template, allow the user to override these setting: It's possible for Security Administrators, via a User Account Policy, to specify which template settings to be used as a basis for newly created Private Password Lists. If this User Account Policy is in place for the user, this option allows them to specify a different template if needed. When creating a new Password List and copying settings from a Template, automatically select the option to link the Password List to the Template: When creating a new Password List and you copy settings from an existing Password List Template, you can choose to automatically link the Password List to the template if required. When creating a new Password List and the settings are being Linked to a Template, allow users to uncheck the option for linking it to the Template: If you want to enforce a Password List to be linked to a template, then you can set this option to No; the user(s) will then not be able to uncheck the option which links the Password List. Show the Account Types label next to the Image within each of the Password Grids: In each of the different Password Grids it's possible to display the Account Type column. In this column yo
120. ssword List permissions when they are not Administrators of the Password List: Under each Password List grid there is a drop-down list called List Administrator Actions. The majority of options in this drop-down list are only accessible to Administrators of the Password List. If a user does not have Administrators rights to the Password List, it might still be useful if they can see what other users or security groups have access to the Password List. By enabling this option, the View Password List Permissions feature will be available to them; they will only be able to view permissions, not change them. [Screenshot: List Administrator Actions drop-down menu, listing Bulk Permissions for Individual Passwords, Bulk Update Passwords, Delete Password List, Edit Password List Details, Save Password List as Template, Toggle Visibility of Web API IDs, View Password List Permissions, View Recycle Bin, AD Synchronization Report, All Password History Report, All Passwords Report, Enumerated Permissions Report, Password Strength Report and Standard Permissions Report] When displaying URL columns in grids, display the URL value as a: If you have chosen the URL field for any one of the Password Lists, there are t
121. sults [Screenshot: bulk permissions screen, showing the Available Password Lists and the View Permissions, Modify Permissions and Administrator Permissions boxes, with Save and Cancel buttons] Perform Bulk Processing. Bulk Copy/Move Passwords: The Bulk Copy/Move Passwords feature allows you to Copy, Move, or Copy & Link multiple passwords from multiple Password Lists to a different Password List at once, instead of doing one record at a time as users can do through the standard interface. This feature is useful if you are re-organizing you
122. t From here you can make any number of changes to permissions as required. Actions Menu, Bulk Permissions for Individual Passwords: By clicking on the Bulk Permissions for Individual Passwords menu option in the Actions drop-down menu, you will be able to apply permissions for a user account or security group to multiple individual password records at once. [Screenshot: Administer Bulk Permissions for Individual Passwords screen. This screen allows you to apply permissions to more than one individual password record at a time for a User or Security Group. Administering Bulk Permissions is a three-step process: 1. Search for a User or Security Group, 2. Apply new or modify existing permissions, and 3. Save the changes] Actions Menu, Convert to Private Password List: Under certain circumstances you may want to change a Shared Password List into a Private one. Warning: Please use this feature with caution
123. t specify your AuthAnvil's Web Services URL and SiteID in order to use this two-factor authentication option. The URL is generally in the format of https://yourFullyQualifiedDomain.com/AuthAnvil/sas.asmx. Auto-populate the AuthAnvil Username field for the user: If you select one of the AuthAnvil authentication options for your users, you can automatically populate the Username field for them if required. Make the AuthAnvil Username field on the login screen read-only: This option prevents a user from walking up to another user's computer, authenticating with their own AuthAnvil Username and Passcode, but then logging into Passwordstate as the other user (this can happen when the Passthrough authentication occurs after the AuthAnvil authentication happens). Duo Security Two-Factor Settings: Specify the Integration and Secret Key for your Auth API integration settings, as well as your API HostName. Note: You must have an Enterprise Duo Security account to use this feature, and you need to create an Auth API integration for your Duo subscription via their web site. Make the Duo Push Username field on the login screen read-only: This option prevents a user from walking up to another user's computer, authenticating with their own Duo Push Username, but then logging into Passwordstate as the other user (this can happen when the Passthrough authentication occurs after the Duo Push authentication happens). Email Temporary Pin Code Settings: The T
124. tabase. Even if the primary database is offline, it will be merged back in later when the database is once again available. Hosts Tab: The Hosts tab has a few options for showing or hiding all the Hosts users have access to on the Password Home and Remote Session Launcher pages, and also some Heartbeat Polling settings for checking if Hosts are available on the network. Options available are: On the Passwords Home screen, either Show All Hosts the user has access to, or make them search for the Hosts. On the Remote Session Launcher screen, either Show All Hosts the user has access to, or make them search for the Hosts. On the Hosts and Resources screen, show the option "Show Hosts do not have access to": with this option set to Yes, you can see all Hosts added to Passwordstate that you do not have access to. You can't change any settings/permissions if you don't already have access. There are also various Heartbeat options for processing Host records when they are no longer available on the network. When executing various Password Reset and Discovery Scripts, you can also specify Host connectivity settings as well. [Screenshot: System Settings screen. To modify the system settings, please make changes within the appropriate tabs, then click on the Save button. Tabs shown: active directory options, allowed ip ranges, api keys, authentication options, branding, check for updates, email al
125. te disable the feature where users need [Screenshot: SecurID Two-Factor Settings and AuthAnvil Two-Factor Settings sections, with Yes/No options to auto-populate and to make read-only the SecurID UserID and AuthAnvil Username fields on the login screen, and fields for the AuthAnvil URL and AuthAnvil SiteID] And on the user Preferences screen in Passwordstate, on the Authentication Options tab, just must have the Duo username matching the UserName which has been created in the Duo Portal. 28.5 Branding Tab: The Branding Tab allows you to hide/show the Passwordstate Build Number at the top of the screen, specify your own custom Logos to use at the top left-hand side of the page and on various Dialog windows, as well as your own custom Page Titles. The following branding o
126. textbox in the screenshot below. This is useful if you want to send specific email types to a shared mailbox or SMS alerting service. [Screenshot: Edit Email Template dialog for the Password Updated category, with the Subject and Also Send Emails To fields, the editor toolbar with the Insert Variable drop-down, and the template body] If, while editing the contents or formatting of an Email Template, you decide you don't like the changes you've made, you can restore back to the original content as supplied by Click Studios by selecting Restore Default Template from the appropriate Actions drop-down menu. [Screenshot: Actions drop-down menu on the Email Templates grid, showing Toggle status (Enabled or Disabled) and Restore Default Template]
127. the Debug AD Sync Data button, it allows you to turn on some debug capturing when the Passwordstate Windows Service performs the Active Directory User Account and Security Group synchronization process. [Screenshot: Debug AD Sync Data screen. By enabling the Debug option, the scheduled AD Synchronization process will add debug information to the grid. The scheduled AD Synchronization process is performed by the Passwordstate Windows Service] 28 System Settings: System Settings are used to specify any number of system-wide settings in Passwordstate which can affect the majority of users within the system. Tabs: Active Directory Options Tab, Allowed IP Ranges Tab, API Keys Tab, Authentication Options Tab, Branding Tab, Check for Updates Tab, Email Alerts & Options Tab, High Availability Options Tab, Hosts Tab, Miscellaneous Tab, Mobile Access Options, Password List Options Tab, Password Options Tab, Password Reset Options, Proxy & Syslog Servers Tab, Usage Tracking Tab, User Acceptance Policy Tab. Various settings for synchronizing Active Directory user accou
128. they have been granted access to a Password List Template. [Screenshot: Email Notification Groups grid, with Enable All Notifications and Disable All Notifications buttons] 11 Email Templates: The Email Templates screen allows you to customize the emails sent from Passwordstate, or to enable/disable notifications as required. Enabling/Disabling Email Notifications: You can enable/disable email notifications in one of two ways: 1. Individually, by the appropriate Actions drop-down menu. [Screenshot: Actions drop-down menu showing Toggle status (Enabled or Disabled) and Restore Default Template] 2. Enabling/disabling all email notifications at once, by clicking on the appropriate Enable All or Disable All buttons at the bottom of the grid. [Screenshot: Enable All Email Templates and Disable All Email Templates buttons at the bottom of the grid]
129. ting Security Administrators Security Groups System Settings User Accounts. Screen/Feature Access: Active Directory Domains Auditing & Auditing Graphs Bad Passwords Email Notification Groups & Email Templates Emergency Access Export All Passwords License Information Password Generator Policies Custom Images Password Folders Password Lists & Password List Templates Password Strength Policies Reporting Security Administrators Security Groups Authorized Web Servers Backups and Upgrades Browser Extension Settings Error Console Hosts & Password Resets Host Types & Operating Systems Menu Access Privileged Account Credentials & System Settings User Accounts & User Account Policies. If you deselect one or more of the Security Administrator roles for a user, the corresponding Navigation Tree menu item will be disabled for the user. [Screenshot: Administration navigation tree menu]
130. tion [Screenshot: Duo "Protect this Application" page] Create the Secret Key and Name the Auth API as appropriate. [Screenshot: Duo Auth API integration page, showing the integration key, secret key and API hostname fields, with Type "Auth API", Name "Passwordstate" and Username normalization "None"] Now in Passwordstate, select the appropriate authentication option you want, and populate the Duo Two-Factor Settings section. [Screenshot: Choose Authentication Option drop-down list in Passwordstate, including Passthrough AD Authentication, Manual AD Authentication, Manual AD and Google Authenticator, Manual AD and RSA SecurID Authentication, Manual AD and ScramblePad Authentication, Google Authenticator, RSA SecurID Authentication and ScramblePad Authentication]
131. tive Directory Security Group Memberships will not be cloned with this process, as you need to manage these memberships within Active Directory. During the cloning process, the following types of permissions will be cloned: Any Blocked Email Notification settings. Any memberships to Email Notification Groups. Any Favorite Passwords. Any of the Features permissions for what menus the user is allowed access to at the bottom of the screen. Any Grid Settings (which columns to see, width, etc.). Any User Account Policy permissions. Any Scheduled Reports. Any permissions to Password Lists (auditing records are added). Any Password Permissions (auditing records are added). Any permissions to Password Lists Templates (auditing records are added). Any Security Admin Roles (auditing records are added). Any membership to Local Security Groups (auditing records are added). The expand/collapse status of the Password Lists Navigation Tree. [Screenshot: Clone User Permissions screen. To clone permissions for a user, you need to select the Source and Destination users, then click on the Clone button]
132. trength Policy settings can be applied on 2 of the tabs, and there is 1 tab for testing the policy. Policy Settings Tab: The Policy Settings Tab allows you to provide a name and description for the policy, plus the following settings. Minimum LowerCase Characters: specifies how many lowercase characters are required as a minimum (abcd etc). Minimum UpperCase Characters: specifies how many uppercase characters are required as a minimum (ABDCD etc). Minimum Numeric Characters: specifies how many numeric characters are required as a minimum (1 2 3 etc). Minimum Symbol Characters: specifies how many symbol characters are required as a minimum. Preferred Password Length: specifies the minimum number of total characters the password should have. Requires Upper And Lower Case: indicates if the password string must have both lower and uppercase characters. Password Strength Compliance: indicates the desired Password Strength Complexity (Very Poor, Weak, Average, Strong or Excellent). With the following graphic, when editing/adding a password, the Compliance Strength indicator shows the user what password complexity is desired for the applied policy. [Screenshot: Password Strength and Compliance Strength indicators] Compliance is Mandatory: if this option is set to Yes, the user will not be able to save the password record if the strength
133. ts details for the user below. [Screenshot: user account details form, with UserID, First Name, Surname, email address, Department and Office fields, and the authentication options and mobile access options tabs] Miscellaneous Tab: The Miscellaneous Tab has the following settings you can choose for the user. Password Visibility on Add/View/Edit Pages: When you add a new Password or edit an existing one, by default the password value is masked. If you choose, you can instead show the password value instead of the masked one. Auto Generate New Password When Adding a New Record: When adding a new Password record, you can automatically generate a new random password instead of having to specify one yourself. The format/complexity of the new random password will be determined by which Password Generator Policy is applied to the Password List. Enable Search Criteria Stickiness Across Password Screens: When using the search textbox found at the top of most Password screens, you can choose to make the search value you type sticky across different Password Lists, i.e. if you search for "test" in one Password List, when you click on another Password List in the Navigation Tree, the contents of the Passwords grid will also be filtered by the term "test". You can also clear the search criteria by clicking on the icon. Show the Actions toolbar on the Passwords pages at the: At the bott
134. typing a password below. [Screenshot: password strength test field] 24 Privileged Account Credentials: Various features in Passwordstate require Active Directory Accounts to perform certain tasks, i.e. Resetting Passwords, querying active directory, etc. This screen allows you to add those accounts to be used. Once you have specified the details for one or more of the relevant Privileged Account Credentials, and applied permissions for users or security groups who are allowed to use these accounts, then they can be used for Password Resets and Discovery jobs, etc. If you link the Privileged Account to a password stored in Passwordstate, when the password is updated in Passwordstate and Active Directory, it will also be automatically updated on this screen as well. [Screenshot: Privileged Account Credentials grid. Below are all the Privileged Account Credentials which can be used for Active Directory Account lookups, Host and Resource Discovery, and Password Reset Scripts. In order for these credentials to be used for Host and Resource Discovery and Password Reset Scripts, you must first apply permissions to them via the Actions drop-down menu. Permissions can be applied to users' accounts or security groups]
135. u can show just the image for the Account Type, or the image and the label for the Account Type. When a new Password List is created, apply the following permission to the user who created the list: When new Password Lists are created, the default option is to provide the user Administrative rights to the Password List. If required, you can change this default behavior to either Modify or View permissions. When new Shared Password Lists are created, grant Security Administrators with the selected role below admin rights to the Password List: As new Password Lists are created, you can also choose to automatically grant one or more Security Administrators of Passwordstate administrative rights to the Password Lists. You can do this by selecting the All Security Administrators option, or just the ones who are assigned a specific Security Administrator role. Specify which users are allowed to Drag-N-Drop Password Lists around in the Navigation Tree: You may not want all users dragging and dropping Password Lists and Folders around in the main Navigation Tree. If this is the case, you can set permissions here for who can do this (this also assumes they have the correct permissions on each of the Password Lists to be able to do this). Password Options Tab: The Password Options Tab has multiple settings applicable to Password values being visible on the screen, clearing the clipboard, and Bad Password detection. Synchronize the Deleted status
136. vices and then specify an account as per the next screenshot. [Screenshot: SQL Server Configuration Manager, SQL Server (MSSQLSERVER) Properties dialog, Log On tab, with an account name and password specified] Note: Please ensure you test the upgrade by clicking on the Test Permissions button; this will report any issues with permissions in performing a backup. Automatic Backup Troubleshooting: As every customer's environment can sometimes be slightly different, it's possible you may experience issues when initially setting up the automatic backups. If this is the case, below is a case scenario of settings which have helped several customers in the past. For the backup username, we created a domain account called testcopy. This account only has
137. which web server host names are authorized to run the Passwordstate web site (used as a mechanism to prevent theft of the database and hosting in a different environment). Allows you to specify settings and a schedule for performing backups of all web files and the database, and also a place to perform In-Place Upgrades of Passwordstate. A list of password values which are deemed to be bad, and can educate your users not to use these values. Allows you to specify various settings for how the Browser Extension feature is used. Custom Images are used in two locations in Passwordstate: icons for the Password Lists themselves, and also for the Account Type field for Password records. Can be used to manage email notification settings for a group of individual user accounts or members of security groups. Allows you to customize the emails sent from Passwordstate, or to enable/disable notifications. A separate Security Administrator role login which can be used in the event other accounts are locked out or inaccessible for any reason. Any errors experienced within Passwordstate will be logged on this screen, which can be reported to Click Studios for troubleshooting purposes. Export All Passwords: Allows you to export all Password records from the system to a CSV file. Hosts & Password Resets: All of the features under the main Menu Hosts are permission based. If for whatever reason users a
138. wo formats the URL can be displayed in when viewed in the Passwords grid: either a hyperlink text field or hyperlink Icon, both of which will launch the URL when clicked on. They are displayed in the following manner: [Screenshot: URL column examples displayed as hyperlink text and as hyperlink icons] Allow Documents to be uploaded into Passwordstate: If you don't want your users uploading documents into the Passwordstate database, you can set this option to No. Allow Permissions on Folders to be managed manually (by default, permissions on nested Password Lists are propagated upwards to upper-level Folders): By default, permissions on Folders are automatically managed for you, and are applied whenever permissions change for any nested Password Lists beneath the folder. If you do wish to manage permissions manually for Folders, setting this option to Yes will show you the Permissions button and options. Note: When managing permissions on Folders manually, the permissions are not propagated down the Password List Navigation tree; permissions on Password Lists need to be managed explicitly, unless you use the Propagate Permissions Downwards feature bel
139. your Passwordstate web site accessing the Internet, the only file we access is http://www.clickstudios.com.au/NewBuildInfo.xml. No data can be sent or captured by reading an XML file, and you can run a program such as Wireshark on your web server to confirm this is the only file Click Studios checks. X-Forwarded-For Support: When Passwordstate adds auditing data to the database, it records the IP Address of the client who initiated an action which triggered the audit event. As Passwordstate supports the X-Forwarded-For (XFF) HTTP header field for identifying the originating IP address of a client, if you use any form of Load Balancing or Proxy Server caching, you may need to make configuration changes to your device/appliance to ensure the correct IP Address of the client is reported, instead of the load balancer or proxy server. Syslog Server Details: If required, you can send all Auditing data to one of your own internal SysLog servers. It is the Passwordstate Windows Service which checks every minute for new data to send, and the Windows Service keeps track of the latest auditing record which was successfully sent, and only sends subsequent records. Usage Tracking Tab: The Usage Tracking tab allows you to specify your own JavaScript code to be inserted into the main default.aspx page. This is useful if you have your own wiki
