Password Manager: Difference between revisions

From RangerMSP Wiki - PSA software for MSPs and IT services providers

Revision as of 08:32, 10 July 2017

Introduction

The Password Manager feature provides an end-to-end solution to track and manage passwords, in a secure and elegant way. It allows you to control the access to passwords, track passwords usage, and more.

Passwords are linked to Accounts and optionally also to a selected Asset.

Passwords can be easily searched and accessed from the Password Manager main window as well as the dedicated ‘Passwords’ tab under the Account and Asset windows.

CommitCRM automatically keeps the Password history. Each password update is saved as a password version, so all historical changes are kept and each version can be accessed later.

CommitCRM also automatically manages a complete audit log about who accessed a password and when.

The advanced security tools that come with the Password Manager provide a powerful toolset to control who has access to which password.

In order to access and manage Passwords, employees:

1. Must have the relevant Privileges assigned to their user.
2. Must know a secret Passphrase in order to access actual passwords.
3. May be required to hold Security Tokens in order to access some Password entries.


Start using the Password Manager

Enabling the Password Manager and Setting a Passphrase

In order to start using the Password Manager, a CommitCRM administrator (aka SysAdmin) user should enable it first and set a global passphrase.

Open the main Password Manager window by clicking the ‘Passwords’ icon located in the left side pane and then click the ‘Enable’ button.



As soon as the ‘Enable’ button is clicked you will be asked to select a Passphrase.

After the Passphrase is set and the Password Manager feature is fully enabled, users are granted the different Privileges required to use the Password Manager.


What is a Passphrase?

The Passphrase is a secret key that you need to share with all relevant users.

Users must know the Passphrase in order to work with passwords.

 Important:
 Never lose your passphrase. Losing the passphrase means that you lose all access to all saved passwords.

The Passphrase should be long, hard to guess and yet EASY to remember.

Ideally the passphrase includes a mixture of uppercase and lowercase letters, numbers, spaces and punctuation characters.
Only standard ASCII characters should be used, particularly when using international keyboards. An example of a passphrase:

    The snow is White. The ocean is Blue. Welcome 2 Baloo.

Changing Your Passphrase

A CommitCRM administrator user (aka SysAdmin) can change the passphrase by activating the following menu option: Settings > Password Manager > Change Passphrase.

Enable/Disable for the Web Interface

A CommitCRM administrator user (aka SysAdmin) can enable or disable the Password Manager feature for the Web Interface.

In general it is highly recommended to use the Web Interface only over the https protocol, with an SSL certificate. This is achieved by configuring the Web Interface to work with Microsoft IIS as its Web server. This recommendation applies even more strongly when working with passwords. In case you have not yet migrated to using IIS, click here for all details.

In order to enable or disable the Password Manager feature for the Web interface visit Tools > Options > Web Interface (Admin) tab:

Note: For further securing the Web interface consider enabling its 2-Factor Authentication feature.


Employee Privileges

Password Manager privileges control which employee users can access the Password Manager and which actions they may perform.

Only employee users that have been individually granted Password Manager privileges can do so.

Privileges:

  1. View - Lets the user access the Password Manager feature and view the Password entries they have access to.
  2. Edit - Lets the user add new Passwords and update the existing Password entries they have access to.
  3. Delete - Lets the user delete the Password entries they have access to.

Once the Password Manager feature is enabled, all users are granted with the View privilege and can view Password entries.

System administrator users have all privileges.

Remember that in order to access actual password values users must also know the Passphrase.


Note: For increased security, Password Manager privileges are managed at the individual Employee record level, not at the Privileges Group level.

To manage Password Manager privileges for an Employee visit the Employee tab under their Employee Account record. Then, from the Configure User button dropdown select the Configure User option:


Note: The above window is also used to grant Security Tokens to Employees.

Security Tokens

Security Tokens provide a powerful way to further control user access rights to Passwords.

Using Security Tokens is optional; however, understanding how they work will significantly extend your password management toolset, especially when it comes to securing access.

Only CommitCRM administrator users can manage Security Tokens.

The Idea

Passwords can be “locked” using Security Tokens. Only employees that have been granted such Tokens can access such Passwords.

Sample Use Cases

  • Limit technicians' access so that they can access only the Passwords of specific Accounts.
  • Let technicians access all customer Passwords except for domain controller administrator users.
  • Let technicians manage 365 accounts but not access customer domains.


How to Protect a Password with Tokens?

From the Password entry Details window, in the ‘Security Settings’ tab you can protect a Password with Tokens.

Alternatively, a Password may also be protected by Tokens in case it is configured to inherit its security settings from the Account it belongs to. See Account Security Settings for more details.


For detailed information about protecting Passwords with Tokens see Password entry - Security Settings and Account Security Settings below.


When a Password is protected by Tokens, who can access it?

Only Employees with the relevant Tokens can access such Passwords. When protecting a Password with Tokens you select whether an employee must have ALL of the Tokens selected for the Password - OR - must have at least one of them in order to access the Password.

For example: Joe Doe, an employee, has been granted the following Tokens:

  • Mail Servers Token
  • VIP Customers Token

A Password entry holds the credentials of a domain controller administrator user. The Password is configured to require users to have ALL of the following selected Tokens:

  • Domain Controller Token
  • VIP Customers Token

Joe Doe will NOT be able to access this Password. Joe has one matching Token (VIP Customers Token); however, the Password settings require an employee to have ALL selected Tokens, and Joe is missing the Domain Controller Token.

Another Password entry holds the customer mail server credentials. This Password is also protected by Tokens. It is configured to require an employee user to have AT LEAST ONE of the following Tokens:

  • Mail Servers Token
  • 365 Token

Joe WILL be able to access this Password. While Joe does not have the 365 Token, he has been granted the Mail Servers Token, and because this Password requires at least one Token rather than ALL of them, Joe is granted access.


To learn how to grant Tokens to Employee users click here.

Naming Your Tokens

CommitCRM comes with 128 predefined Tokens for you to use. Token names can be fully customized to reflect your use case.

To customize Token names visit the following menu option:
Settings > Password Manager > Customize Token Names:

Account Security Settings

Each individual Password can have its own security settings and optionally be protected by tokens.

However, when many different Passwords are managed per customer and you want to protect all or most of them with the same security settings, managing this at the individual Password level would be tedious. This is the exact problem Account Security Settings solve.

Account Security Settings are the way to configure security settings at the Account level; by default, they apply to all of the Account's Passwords.

Note that when needed, individual Passwords can still have their own security settings that will be in effect and will determine access rights to the Password entry. Settings at the Password level overwrite and entirely replace any Account level settings.

To configure the Account Security Settings for Passwords an administrator user should visit the Account’s Passwords tab and click ‘Edit’:


Account Passwords can be protected by requiring Security Tokens. Depending on the setting, when Tokens are used Employee users must have All - OR - At-Least-One of the selected Tokens.
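The access decision described in the Joe Doe example above, together with the rule that Password-level settings entirely replace Account-level ones, as an added Python example; this is not the product's code. It assumes the View privilege and the Passphrase are checked separately, and uses the page's sample token names plus one constructed Account-level setting.

```python
from dataclasses import dataclass
from typing import Optional, Set, FrozenSet


@dataclass(frozen=True)
class SecuritySettings:
    """Token requirement on a Password or, at Account level, on all of its Passwords.
    mode is "ALL" or "AT_LEAST_ONE" as the page describes; an empty token set means
    the entry is not token-protected."""
    tokens: FrozenSet[str]
    mode: str = "ALL"


def effective_settings(password_settings: Optional[SecuritySettings],
                       account_settings: Optional[SecuritySettings]) -> Optional[SecuritySettings]:
    """Password-level settings overwrite and entirely replace the Account-level ones;
    a Password with no settings of its own inherits the Account's."""
    return password_settings if password_settings is not None else account_settings


def can_access(employee_tokens: Set[str], settings: Optional[SecuritySettings]) -> bool:
    """Token check only: assumes the View privilege and the Passphrase are verified elsewhere."""
    if settings is None or not settings.tokens:
        return True  # not token-protected
    held = settings.tokens & frozenset(employee_tokens)
    if settings.mode == "ALL":
        return held == settings.tokens
    if settings.mode == "AT_LEAST_ONE":
        return len(held) > 0
    raise ValueError(f"unknown mode {settings.mode!r}")


# Sample data taken from the page's worked example.
JOE = {"Mail Servers Token", "VIP Customers Token"}
DC_ADMIN = SecuritySettings(frozenset({"Domain Controller Token", "VIP Customers Token"}), "ALL")
MAIL_SERVER = SecuritySettings(frozenset({"Mail Servers Token", "365 Token"}), "AT_LEAST_ONE")


def joe_doe_example() -> dict:
    """The page's two cases, plus a Password that inherits (or overrides) Account settings."""
    account_default = SecuritySettings(frozenset({"VIP Customers Token"}), "ALL")  # constructed
    return {
        "dc_admin": can_access(JOE, DC_ADMIN),        # needs ALL; Joe lacks the DC token
        "mail_server": can_access(JOE, MAIL_SERVER),  # needs AT_LEAST_ONE; Joe has Mail Servers
        "inherited": can_access(JOE, effective_settings(None, account_default)),
        "overridden": can_access(JOE, effective_settings(DC_ADMIN, account_default)),
    }


if __name__ == "__main__":
    print(joe_doe_example())
```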

Employee Tokens

Passwords may be protected by Security Tokens.

Only Employee users that have been granted the relevant Tokens will be able to see and access such Passwords.

Administrators can grant Tokens to a specific Employee by visiting the Employee tab under their Employee Account record. Then, from the Configure User button dropdown, select the Configure User option; when the window is displayed, click the ‘Grant Tokens’ link.

Tips & Tricks

URL Field

The URL field can be used to execute any valid URL, for example http:// or ftp:// addresses.

In addition, it can be used to execute commands by prefixing the field content with cmd://.

By using the <<Username>> and <<Password>> placeholders you can easily embed the 'Username' and 'Password' field values in the executed URL / Command. The placeholder will get automatically replaced when the URL is executed.


Examples:

1. Open a text file in Notepad:

cmd://C:\Windows\Notepad.exe C:\Documents\SampleFile.txt

NOTE: Quotes (") should be used in case the file path contains spaces:

cmd://"C:\My Programs\Notepad.exe" "C:\My Documents\SampleFile.txt"


2. Launch an RDP session by executing a saved RDP configuration file:

cmd://c:\saved-rdp-settings\Server1.rdp


3. Log into a Website or access a Web service:

https://www.samplesite.com/default.php?user=<<USERNAME>>&pass=<<PASSWORD>>


4. Start a saved PuTTY session and provide the user credentials automatically:

cmd://C:\PuTTY\PUTTY.EXE -load "saved-session-name" -l <<USERNAME>> -pw <<PASSWORD>>
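The placeholder expansion described above, as an added Python example that is not the product's code: it performs the plain textual replacement the page describes and then reports where the expanded secret would end up (a process command line, a URL query string, a non-https URL, or a command broken by smart quotes). The sample credentials and the case-insensitive placeholder matching are assumptions.

```python
import re
from urllib.parse import urlsplit

# Placeholders as written on this page. The page spells them <<Username>> in prose
# and <<USERNAME>> in its examples, so they are matched case-insensitively here
# (an assumption about the product; its own code is not shown on the page).
PLACEHOLDER_RE = re.compile(r"<<(username|password)>>", re.IGNORECASE)
SMART_QUOTES = "\u201c\u201d\u2018\u2019"  # curly quotes: not quoting characters for a command line


def resolve_url_field(field: str, username: str, password: str) -> dict:
    """Expand a URL field by plain textual replacement of the placeholders, as the
    page describes, then report where the secret would end up.
    Returns {"kind": "command" | "url", "expanded": str, "findings": [str, ...]}."""
    values = {"username": username, "password": password}
    used = {m.group(1).lower() for m in PLACEHOLDER_RE.finditer(field)}
    expanded = PLACEHOLDER_RE.sub(lambda m: values[m.group(1).lower()], field)
    findings = []
    if field.lower().startswith("cmd://"):
        kind = "command"
        cmdline = expanded[len("cmd://"):]
        if "password" in used:
            findings.append("password is passed on the command line; readable in process listings")
        if any(ch in cmdline for ch in SMART_QUOTES):
            findings.append("smart quotes are not quoting characters; use straight double quotes")
    else:
        kind = "url"
        parts = urlsplit(expanded)
        if "password" in used and parts.scheme.lower() != "https":
            findings.append("password sent in a non-https URL; not protected in transit")
        if "password" in used and password in parts.query:
            findings.append("password is in the query string; lands in browser history and server logs")
    return {"kind": kind, "expanded": expanded, "findings": findings}


def check_page_examples() -> dict:
    """Run the page's own URL-field examples with constructed sample credentials."""
    user, pw = "joe", "s3cr3t"  # constructed sample values
    examples = {
        "notepad": r"cmd://C:\Windows\Notepad.exe C:\Documents\SampleFile.txt",
        "rdp": r"cmd://c:\saved-rdp-settings\Server1.rdp",
        "web": "https://www.samplesite.com/default.php?user=<<USERNAME>>&pass=<<PASSWORD>>",
        "putty": r'cmd://C:\PuTTY\PUTTY.EXE -load "saved-session-name" -l <<USERNAME>> -pw <<PASSWORD>>',
    }
    return {name: resolve_url_field(f, user, pw)["findings"] for name, f in examples.items()}


if __name__ == "__main__":
    for name, findings in check_page_examples().items():
        print(name, findings or "no exposure found")
```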

Keyboard Shortcuts

CTRL+B - copy Username to clipboard
CTRL+C - copy Password to clipboard
CTRL+U - execute URL / command