Password Manager: Difference between revisions

From RangerMSP Wiki - PSA software for MSPs and IT services providers
Jump to navigation Jump to search
No edit summary
No edit summary
Line 68: Line 68:


'''Note:''' For further securing the Web interface consider enabling its 2-Factor Authentication feature.
'''Note:''' For further securing the Web interface consider enabling its 2-Factor Authentication feature.
===Employee Privileges===
Password Manager privileges control which employee user can access the Password Manager and perform different actions.
Only employee users that were individually granted with the privileges for the Password Manager, can do so.
Privileges:
#'''View''' - Let the user access the Password Manager feature and view Password entries that they have access to.
#'''Edit''' - Let the user add new Passwords and update existing Password entries that they have access to.
#'''Delete''' - Grant the user with the power to delete Password entries that they have access to.
Once the Password Manager feature is enabled, all users are granted with the '''''View''''' privilege and can view Password entries.
System administrator users have all privileges.
Remember that in order to access actual password values users must also be aware of the [[What is a Passphrase?|''Passphrase'']].
Note: For increased security, Password Manager privileges are managed at the individual Employee record level, unlike at the Privileges Group level.
To manage Password Manager privileges for an Employee visit the Employee tab under their Employee Account record. Then, from the Configure User button dropdown select the Configure User option:





Revision as of 08:01, 10 July 2017

Introduction

The Password Manager feature provides an end-to-end solution to track and manage passwords, in a secure and elegant way. It allows you to control the access to passwords, track passwords usage, and more.

Passwords are linked to Accounts and optionally also to a selected Asset.

Passwords can be easily searched and accessed from the Password Manager main window as well as the dedicated ‘Passwords’ tab under the Account and Asset windows.

CommitCRM automatically keeps the Password history. Each password update is saved as a password version, keeping all history changes, allowing future access to each version.

CommitCRM also automatically manages a complete audit log about who accessed a password and when.

Advanced security tools that come with the Password Manager, provide a powerful toolset to control who has access to which password.

In order to access and manage Passwords employees -

1. Must have the relevant Privileges assigned to their user.
2. Must know a secret Passphrase in order to access actual passwords.
3. May be required to be granted with Security Tokens in order to access some Password entries.


Start using the Password Manager

Enabling the Password Manager and Setting a Passphrase

In order to start using the Password Manager, a CommitCRM administrator (aka SysAdmin) user should enable it first and set a global passphrase.

Open the main Password Manager window by clicking the ‘Passwords’ icon located in the left side pane and the click the ‘Enable’ button.



As soon as the ‘Enable’ button is clicked you will be asked to select a Passphrase.

After the Passphrase is set and the Password Manager feature is fully enabled, users are granted with different Privileges required to use the Password Manager.


What is a Passphrase?

The Passphrase is an secret key that you need to share with all relevant users.

Users must know the Passphrase in order to work with passwords.

 Important:
 Never lose your passphrase. Losing the passphrase means that you lose all access to all saved passwords.

The Passphrase should be long, hard to guess and yet EASY to remember.

Ideally the passphrase includes a mixture of uppercase and lowercase letters, numbers, spaces and punctuation characters.
Only standard ASCII characters should be used, particularly when using international keyboards. An example of a passphrase:

     	The snow is White. The ocean is Blue. Welcome 2 Baloo.

Changing Your Passphrase

A CommitCRM administrator user (aka SysAdmin) can change the passphrase by activating the following menu option: Settings > Password Manager > Change Passphrase.

Enable/Disable for the Web Interface

A CommitCRM administrator user (aka SysAdmin) can enable or disable the Password Manager feature for the Web Interface.

In general it is highly recommended to securely use Web Interface with SSL certificates and access it via the https protocol only. This is achieved by configuring the Web interface to work with Microsoft IIS as its Web server. This recommendation is even more so true when it comes to working with passwords. In case you have not yet migrated to using IIS click here for all details.

In order to enable or disable the Password Manager feature for the Web interface visit Tools > Options > Web Interface (Admin) tab:

Note: For further securing the Web interface consider enabling its 2-Factor Authentication feature.


Employee Privileges

Password Manager privileges control which employee user can access the Password Manager and perform different actions.

Only employee users that were individually granted with the privileges for the Password Manager, can do so.

Privileges:

  1. View - Let the user access the Password Manager feature and view Password entries that they have access to.
  2. Edit - Let the user add new Passwords and update existing Password entries that they have access to.
  3. Delete - Grant the user with the power to delete Password entries that they have access to.

Once the Password Manager feature is enabled, all users are granted with the View privilege and can view Password entries.

System administrator users have all privileges.

Remember that in order to access actual password values users must also be aware of the Passphrase.


Note: For increased security, Password Manager privileges are managed at the individual Employee record level, unlike at the Privileges Group level.

To manage Password Manager privileges for an Employee visit the Employee tab under their Employee Account record. Then, from the Configure User button dropdown select the Configure User option:


Tips & Tricks

URL Field

The URL field can be used to execute any valid URL, for example, http://, ftp://

In addition, it can be used to execute commands by prefixing the field content with cmd:// .

By using the <<Username>> and <<Password>> placeholders you can easily embed the 'Username' and 'Password' field values in the executed URL / Command. The placeholder will get automatically replaced when the URL is executed.


Examples:

1. Open a text file in Notepad:

cmd://C:\Windows\Notepad.exe C:\Documents\SampleFile.txt

NOTE: Quotes (") should be used in case the file path contains spaces:

cmd://”C:\My Programs\Notepad.exe” “C:\My Documents\SampleFile.txt” 


2. Launch an RDP session by executing a saved RDP configuration file:

cmd://c:\saved-rdp-settings\Server1.rdp


3. Log into a Website or access a Web service:

https://www.samplesite.com/default.php?user=<<USERNAME>>&pass=<<PASSWORD>>


4. Start a save PuTTY session and provide the user credentials automatically:

cmd://C:\PuTTY\PUTTY.EXE -load "saved-session-name" -l <<USERNAME>> -pw <<PASSWORD>>

Keyboard Shortcuts

CTRL+B - copy Username to clipboard
CTRL+C - copy Password to clipboard
CTRL+U - execute URL / command