Password Manager

From RangerMSP Wiki - PSA software for MSPs and IT services providers

Introduction

The Password Manager feature provides an end-to-end solution to track and manage passwords in a secure and elegant way. It allows you to control access to passwords, track password usage, and more.

Passwords are linked to Accounts and optionally also to a selected Asset.

Passwords can be easily searched and accessed from the Password Manager main window as well as the dedicated ‘Passwords’ tab under the Account and Asset windows.

CommitCRM automatically keeps the Password history. Each password update is saved as a password version, keeping all history changes, allowing future access to each version.

CommitCRM also automatically keeps a complete audit log of who accessed a password and when.

The advanced security tools that come with the Password Manager provide a powerful toolset to control who has access to which password.

In order to access and manage Passwords, employees:

1. Must have the relevant Privileges assigned to their user.
2. Must know a secret Passphrase in order to access actual passwords.
3. May need to be granted Security Tokens in order to access some Password entries.


Start using the Password Manager

Enabling the Password Manager and Setting a Passphrase

In order to start using the Password Manager, a CommitCRM administrator (aka SysAdmin) user should enable it first and set a global passphrase.

Open the main Password Manager window by clicking the ‘Passwords’ icon located in the left side pane and then click the ‘Enable’ button.



As soon as the ‘Enable’ button is clicked you will be asked to select a Passphrase.

After the Passphrase is set and the Password Manager feature is fully enabled, users are granted the different Privileges required to use the Password Manager.


What is a Passphrase?

The Passphrase is a secret key that you need to share with all relevant users.

Users must know the Passphrase in order to work with passwords.


Important
Never lose your passphrase. Losing the passphrase means that you lose all access to all saved passwords.


Selecting Your Passphrase

The Passphrase should be long, hard to guess and yet EASY to remember.

Ideally the passphrase includes a mixture of uppercase and lowercase letters, numbers, spaces and punctuation characters.
Only standard ASCII characters should be used, particularly when using international keyboards. An example of a passphrase:

     	The snow is White. The ocean is Blue. Welcome 2 Baloo.


Changing Your Passphrase

A CommitCRM administrator user (aka SysAdmin) can change the passphrase by activating the following menu option: Settings > Password Manager > Change Passphrase.


Enable/Disable for the Web Interface

A CommitCRM administrator user (aka SysAdmin) can enable or disable the Password Manager feature for the Web Interface.

In general, it is highly recommended to use the Web Interface securely, with SSL certificates, and to access it via the https protocol only. This is achieved by configuring the Web Interface to work with Microsoft IIS as its Web server. This recommendation is even more important when it comes to working with passwords. In case you have not yet migrated to using IIS click here for all details.

In order to enable or disable the Password Manager feature for the Web interface visit Tools > Options > Web Interface (Admin) tab:

Note: For further securing the Web interface consider enabling its 2-Factor Authentication feature.

Employee Privileges

Password Manager privileges control which employee users can access the Password Manager and perform different actions.

Only employee users who were individually granted the Password Manager privileges can do so.

Privileges:

  1. View - Let the user access the Password Manager feature and view Password entries that they have access to.
  2. Edit - Let the user add new Passwords and update existing Password entries that they have access to.
  3. Delete - Let the user delete Password entries that they have access to.

Once the Password Manager feature is enabled, all users are granted the View privilege and can view Password entries.

System administrator users have all privileges.

Remember that in order to access actual password values users must also be aware of the Passphrase.


Note: For increased security, Password Manager privileges are managed at the individual Employee record level rather than at the Privileges Group level.

To manage Password Manager privileges for an Employee visit the Employee tab under their Employee Account record. Then, from the Configure User button dropdown select the Configure User option:


Note: The above window is also used to grant Security Tokens to Employees.


Security Tokens

Security Tokens provide a powerful way to further control user access rights to Passwords.

Using Security Tokens is optional. However, understanding how they work will significantly extend your password management toolset, especially when it comes to secure access.

Only CommitCRM administrator users can manage the Security Tokens.


The Idea
Passwords can be “locked” using Security Tokens.
Only employees who have been granted such Token(s) can access such Passwords.


Sample Use Cases

  • Limit technicians' access so they can access only Passwords of specific Accounts.
  • Let technicians access all customer Passwords except for domain controller administrator users.
  • Let technicians manage 365 accounts but not access customer domains.


How to Protect a Password with Tokens?
From the Password entry Details Window, in the ‘Security Settings’ tab you can protect a Password with Tokens.

Alternatively, a Password may also be protected by Tokens in case it is configured to inherit its security settings from the Account it belongs to. See Account Security Settings for more details.


For detailed information about protecting Passwords with Tokens see Password entry - Security Settings and Account Security Settings below.


When a Password is protected by Tokens, who can access it?
Only Employees with the relevant Tokens can access such Passwords.
When protecting a Password with Tokens you select whether an employee must have ALL of the Tokens selected for the Password - OR - must have at least one of them in order to access the Password.

For example:
Joe Doe, an employee, has been granted the following Tokens:

  • Mail Servers Token
  • VIP Customers Token


A Password entry holds the credentials of a domain controller administrator user.
The Password is configured to require users to have ALL of the following selected Tokens:

  • Domain Controller Token
  • VIP Customers Token


Joe Doe will NOT be able to access this Password.
Joe has one matching Token, the VIP Customers Token. However, the Password settings require an employee to have ALL selected Tokens, and Joe is missing the Domain Controller Token.

Another Password entry holds the customer mail server credentials.
This Password is also protected by Tokens.
It is configured to require an employee user to have AT LEAST ONE of the following Tokens:

  • Mail Servers Token
  • 365 Token


Joe WILL be able to access this Password. While Joe does not have the 365 Token, he has been granted the Mail Servers Token, and because this Password requires at least one Token rather than ALL of them, access to this Password is granted to Joe.


To learn how to grant Tokens to Employee users click here.


Naming Your Tokens

CommitCRM comes with 128 predefined Tokens for you to use.
Token names can be fully customized to reflect your use case.

To customize Token names visit the following menu option:
Settings > Password Manager > Customize Token Names:


Account Security Settings

Each individual Password can have its own security settings and optionally be protected by tokens.

However, in case there are many different Passwords managed per customer and you want to protect all or most of them using the same security settings, managing this at the individual Password level would be a tedious process. This is the exact problem Account Security Settings solves.

Account Security Settings let you configure security settings at the Account level that, by default, affect all of the Account's Passwords.

Note that when needed, individual Passwords can still have their own security settings that will be in effect and will determine access rights to the Password entry. Settings at the Password level override and entirely replace any Account level settings.

To configure the Account Security Settings for Passwords an administrator user should visit the Account’s Passwords tab and click ‘Edit’:


Account Passwords can be protected by requiring Security Tokens. Depending on the setting, when Tokens are used Employee users must have All - OR - At-Least-One of the selected Tokens.


Employee Tokens

Passwords may be protected by Security Tokens.

Only Employee users who have been granted the relevant Tokens will be able to see and access such Passwords.

Administrators can grant Tokens to a specific Employee by visiting the Employee tab under their Employee Account record. Then, from the Configure User button dropdown, select the Configure User option. When the window is displayed, click the ‘Grant Tokens’ link.


Passwords

Adding New Passwords

New passwords can be added from:

  1. The Passwords tab of an Account.
  2. The Passwords tab of an Asset.
  3. The Password Manager main window.

Click ‘New’ to add a new Password entry.



Password Details

Each Password entry consists of several data fields and tools to help you manage its details.

Description - A short description of what this Password is for, for example “Domain Administrator”.

Username - The username.

Password - The actual password.

Confirm Password - Displayed when inserting new passwords or editing existing ones.

Account - The Account the Password is related to. This field is mandatory.

Asset - The Asset the Password is related to (optional).

URL/Command - Used to automate password entry. A URL or a command that can be executed, with the username and password embedded as parameters. See usage samples under Tips & Tricks.

Notes - A free text field that can be used for any Password related information. This field is located under the ‘Notes’ tab.




Password Security Settings

Security Settings lets you control who can access the Password details.

Each Password is related to an Account and by default a Password is protected by the security settings configured for its Account. See Account Security Settings for more.

However, a Password can be configured, by an administrator, with Custom Settings. Such settings completely override and replace the security settings defined for the Account, if any.



When the ‘Custom Settings’ option is selected it is possible (optionally) to require that employees have the relevant Security Tokens in order to access the Password entry.


Depending on the setting (see below) when Tokens are used to protect a Password employee users must have All - OR - At-Least-One of the selected Tokens:
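
The access rule described in the Security Tokens, Account Security Settings and Password Security Settings sections can be written out as a small model. This is an added example, not CommitCRM code: the class and function names are hypothetical, the sample entries are constructed from the Joe Doe example, and administrator users and the Passphrase are not modeled.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

ALL, AT_LEAST_ONE = "ALL", "AT LEAST ONE"  # the two matching modes named on the page


@dataclass(frozen=True)
class SecuritySettings:
    tokens: FrozenSet[str]  # Tokens selected to protect the Password(s)
    mode: str = ALL


@dataclass(frozen=True)
class PasswordEntry:
    description: str
    account: Optional[SecuritySettings] = None  # inherited Account Security Settings
    custom: Optional[SecuritySettings] = None   # 'Custom Settings' on the Password


def effective_settings(entry):
    # Custom Settings entirely replace the Account-level settings; they are not merged.
    return entry.custom if entry.custom is not None else entry.account


def can_access(employee_tokens, has_view_privilege, entry):
    """Privilege and Token gates only; knowing the Passphrase is a separate gate."""
    if not has_view_privilege:
        return False
    settings = effective_settings(entry)
    if settings is None or not settings.tokens:
        return True  # entry is not protected by Tokens
    held = settings.tokens & frozenset(employee_tokens)
    return held == settings.tokens if settings.mode == ALL else bool(held)


# Constructed data mirroring the Joe Doe example above.
JOE = {"Mail Servers Token", "VIP Customers Token"}
DC_ADMIN = PasswordEntry("Domain Administrator", custom=SecuritySettings(
    frozenset({"Domain Controller Token", "VIP Customers Token"}), ALL))
MAIL = PasswordEntry("Mail server", custom=SecuritySettings(
    frozenset({"Mail Servers Token", "365 Token"}), AT_LEAST_ONE))
# Account locked to the Domain Controller Token; one entry inherits, one overrides.
ACCOUNT = SecuritySettings(frozenset({"Domain Controller Token"}), ALL)
INHERITS = PasswordEntry("Firewall", account=ACCOUNT)
OVERRIDES = PasswordEntry("Guest Wi-Fi", account=ACCOUNT, custom=SecuritySettings(
    frozenset({"VIP Customers Token"}), AT_LEAST_ONE))

if __name__ == "__main__":
    for e in (DC_ADMIN, MAIL, INHERITS, OVERRIDES):
        print(f"{e.description}: {'granted' if can_access(JOE, True, e) else 'denied'}")
```

Because Custom Settings replace the Account settings rather than adding to them, a custom setting can widen access as well as narrow it, so entries with Custom Settings under a Token-protected Account are worth reviewing individually.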


Password Audit

A usage audit log is kept for each Password: every time a user fetches a password value, the access is fully logged and can be viewed by a system administrator user.


Password Versioning

The Password versioning feature lets you access old versions of individual passwords. This may be a “life-saver” in some cases. Unexpected things may happen: a customer server crashes and gets restored to a version just before the change of the administrator password. The Password versioning feature lets you access any previous version of a Password entry!

Any Password entry update creates a new version of the previous Password entry, which is accessible from the ‘Previous Versions’ tab:


Password Manager - Main window

The Password Manager main window is the place to access and manage all Passwords regardless of the Account or Assets they are linked to.

While the Passwords tab of the Accounts and Assets windows lets you see Passwords related to the selected Account or Asset, the main window displays ALL Passwords and lets you search for a specific Password.


Audit tab - Usage Log

This tab of the main Password Manager window lets administrators see a consolidated view of the usage audit log for all Passwords.

The view is chronologically ordered and can be filtered to show only the audit log entries related to a specific employee.


Tips & Tricks

URL Field


The URL field can be used to execute any valid URL, for example, http:// or ftp://.

In addition, it can be used to execute commands by prefixing the field content with cmd:// .

By using the <<Username>> and <<Password>> placeholders you can easily embed the 'Username' and 'Password' field values in the executed URL / Command. The placeholder will get automatically replaced when the URL is executed.


Examples:

1. Open a text file in Notepad:

cmd://C:\Windows\Notepad.exe C:\Documents\SampleFile.txt


NOTE: Quotes (") should be used in case the file path contains spaces:

cmd://"C:\My Programs\Notepad.exe" "C:\My Documents\SampleFile.txt"


2. Launch an RDP session by executing a saved RDP configuration file:

cmd://c:\saved-rdp-settings\Server1.rdp


3. Log into a Website or access a Web service:

https://www.samplesite.com/default.php?user=<<USERNAME>>&pass=<<PASSWORD>>


* This example assumes that samplesite.com supports passing the user credentials as GET parameters as part of the URL and that the parameter names are ‘user’ and ‘pass’. Note that each Website that supports this may use different parameter names.


4. Start a saved PuTTY session and provide the user credentials automatically:

cmd://C:\PuTTY\PUTTY.EXE -load "saved-session-name" -l <<USERNAME>> -pw <<PASSWORD>>
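
When reviewing stored URL/Command values, it helps to know which ones expand a password into a place where it is exposed outside the Password Manager. The following check is an added example, not part of CommitCRM: `review_url_field` and the finding codes are hypothetical, placeholder matching is assumed to be case-insensitive, and the last sample is constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: placeholder matching is case-insensitive (the page shows both
# <<Password>> and <<PASSWORD>>).
PASSWORD_PH = re.compile(r"<<password>>", re.IGNORECASE)
CLEARTEXT_SCHEMES = {"http", "ftp"}

REASONS = {
    "password-on-command-line":
        "arguments are visible in process listings and process-creation logging",
    "password-over-cleartext-scheme":
        "the expanded URL travels without transport encryption",
    "password-in-query-string":
        "query strings are kept in browser history, proxy and web server logs",
}


def review_url_field(value):
    """Return finding codes for one URL/Command field value (hypothetical helper)."""
    if not PASSWORD_PH.search(value):
        return []  # no password is embedded, nothing to flag
    if value.lower().startswith("cmd://"):
        return ["password-on-command-line"]
    parts = urlsplit(value)
    findings = []
    if parts.scheme.lower() in CLEARTEXT_SCHEMES:
        findings.append("password-over-cleartext-scheme")
    if PASSWORD_PH.search(parts.query):
        findings.append("password-in-query-string")
    return findings


# The page's own examples, plus one constructed http:// variant.
SAMPLES = [
    r"cmd://C:\Windows\Notepad.exe C:\Documents\SampleFile.txt",
    "https://www.samplesite.com/default.php?user=<<USERNAME>>&pass=<<PASSWORD>>",
    r'cmd://C:\PuTTY\PUTTY.EXE -load "saved-session-name" -l <<USERNAME>> -pw <<PASSWORD>>',
    "http://intranet.example/login?user=<<USERNAME>>&pass=<<PASSWORD>>",  # constructed
]

if __name__ == "__main__":
    for sample in SAMPLES:
        for code in review_url_field(sample) or ["ok"]:
            print(f"{code:32} {REASONS.get(code, '')}  <- {sample}")
```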


Keyboard Shortcuts

Use keyboard shortcuts to quickly copy the username or password to the clipboard or execute the URL/Command field.

The following shortcuts can be used in both the password list and password details windows:

CTRL+B - copy Username to clipboard
CTRL+C - copy Password to clipboard
CTRL+U - execute URL / command