Security Features in Password Manager
Written by Einar Mykletun, Ph.D. security and compliance architect for research and development at Dell
Introduction
Information system security is a priority for every organization, and the security level of third-party software solutions has become a differentiating factor for IT purchase decisions. Software strives to provide its customers with their desired level of security, whether it relates to privacy, authenticity and integrity of data, availability, or protection against malicious users and attacks.
This document describes the security features of Password Manager. It reviews access control, customer data protection, secure network communication, and more. There is also an appendix that describes how Password Manager’s security features meet the NIST-recommended security standards as
About Password Manager
Dell™ Password Manager provides a simple, secure, self-service solution that enables end users to reset forgotten passwords and unlock their accounts. It permits administrators to implement stronger password policies while reducing the help desk workload. Organizations no longer have to sacrifice security to reduce costs.
Password Manager accommodates the widest possible range of organizational needs and data security standards so organizations can implement secure data access policies beyond the control offered natively in Microsoft® Active Directory®. It increases security by reducing help desk errors,
Security Features in Password Manager
The following sections describe security aspects of Password Manager.
User account
The user account under which Password Manager Service runs should be specified during installation. It will be used to access the managed domain and should be delegated the privileges listed in the “Password Manager Admin Guide” document.
Protection of sensitive data
Password Manager secures all sensitive information by encrypting or hashing it. The following is considered sensitive information: credentials for service accounts and Q&A profile (answers) information. This information is protected as follows:
• Password Manager supports 192-bit TripleDES and 192-bit or 256-bit AES encryption algorithms.
• Credentials for service accounts are encrypted using the selected encryption algorithm.
• Q&A profile (answers) information is hashed with MD5 or encrypted using the selected encryption algorithm.
Encryption keys are generated during installation and are unique per customer. A random initialization vector (IV) is also created and used to provide randomization during encryption. The list of service accounts includes: Domain Account, SMTP service and Quick Connect service, SQL Server, Reporting service.
By default, Password Manager stores the encrypted hashes of the Q&A profiles (user answers) in the comment attribute of each user account. You can configure Password Manager to use a different attribute if needed.
Credentials for the service accounts are stored in an encrypted part of an XML file in the system “Application Data” or “Program Data” directory. Access to this file is protected with NTFS permissions.
Figure 1. Overview of Password Manager.
[Figure 1 is a workflow diagram. Help desk and security administrators: verify user identity, enforce enrollment, define questions, define password policies, monitor activity, investigate alerts. Password Manager: verify account, authenticate user, enforce corporate policies, enforce password history, reset forgotten password, manage password change, unlock account, log activity, alert of suspicious activity. End user: forgets password, locked out of account. Integrations: ActiveRoles Server & Identity Manager, password synchronization with Quick Connect, Defender, Enterprise Single Sign-on.]
Password Manager uses the Microsoft Cryptographic API (CAPI) with the Microsoft AES Cryptographic Provider for its key generation, encryption, and hashing functionality.
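As an added illustration of the scheme this section describes (an installation-unique key plus a random IV for every encryption), the following Go program is example code written for this page, not Password Manager's own implementation, which uses CAPI. It shows AES-256 in CBC mode with a fresh IV per call stored in front of the ciphertext, so that the same service-account credential never encrypts to the same bytes twice. NewCustomerKey, EncryptCredential and DecryptCredential are hypothetical names, and the credential string is a constructed sample.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// NewCustomerKey models the install-time step: a fresh 256-bit AES key that is
// unique to this installation (hypothetical helper, not the product's code).
func NewCustomerKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// pad/unpad implement PKCS#7 so arbitrary-length secrets fit CBC's 16-byte blocks.
func pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append(make([]byte, 0, len(b)+n), b...), bytes.Repeat([]byte{byte(n)}, n)...)
}
func unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, fmt.Errorf("bad padding")
	}
	return b[:len(b)-n], nil
}

// EncryptCredential: AES-256-CBC with a fresh random IV per call, stored in front
// of the ciphertext, so the same secret never encrypts to the same bytes twice.
func EncryptCredential(key, secret []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pad(secret)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := io.ReadFull(rand.Reader, out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// DecryptCredential reverses EncryptCredential, reading the IV back from the blob.
func DecryptCredential(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("blob too short or not block aligned")
	}
	pt := make([]byte, len(blob)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, blob[:aes.BlockSize]).CryptBlocks(pt, blob[aes.BlockSize:])
	return unpad(pt)
}

func main() {
	key, _ := NewCustomerKey()
	secret := []byte("svc-smtp:Constructed-Example-Pa55w0rd") // constructed sample value
	a, _ := EncryptCredential(key, secret)
	b, _ := EncryptCredential(key, secret)
	pt, _ := DecryptCredential(key, a)
	fmt.Println("distinct ciphertexts:", !bytes.Equal(a, b), "round trip:", bytes.Equal(pt, secret))
}
```

Because the IV is random and stored with the blob, only the key itself has to stay secret, which is why the page places the file under NTFS permissions rather than hiding its format.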
Authentication of users
Password Manager requires both regular and privileged users to authenticate themselves with their user name and password. Password Manager doesn’t perform the actual user authentication, but verifies the credentials against Active Directory. Password characters are replaced by asterisks as they are typed by a user during authentication.
Access control
Password Manager supports role-based access control. You can use Active Directory groups to grant permissions for Help desk staff and end users.
Logging
Password Manager maintains two types of logs: an application log and a personal log. Both are stored in the SQL Server database and protected by the database’s access control policies. The application log records all actions performed by Password Manager, including those by privileged and regular users. The logged events include timestamps and identifying information (who/what/when). Other user activity, such as successful and failed authentication attempts, password changes and resets, and unlocking of accounts, is also logged.
The personal log records display actions performed by a Password Manager administrator on a specific user account or “question and answer” profile.
Secure network communication
It is strongly recommended to enable HTTPS (SSL/TLS) on the server where Password Manager is installed. This will ensure that all Web traffic between the user, Web browser and the Password Manager Web application is encrypted and authenticated. Enabling HTTPS may require the customer to create an HTTPS public key certificate (if one does not already exist for that server).
Kerberos and NTLM are used to protect Active Directory Service Interfaces (ADSI), Lightweight Directory Access Protocol (LDAP), and Remote Procedure Call (RPC) communication. The outgoing mail server (SMTP) can be configured to use SSL to provide an encrypted connection to users when email alerts are sent.
Open communication ports
The following ports on the Password Manager server need to be opened:
Web interface
Administration site
• Port 80 (Default HTTP) TCP Inbound
• Port 443 (Default HTTPS) TCP Inbound/Outbound
• Port 8081 TCP Inbound/Outbound
• Port 25 (Default SMTP port) TCP Outbound
Self-service and help desk sites
• Port 80 (Default HTTP) TCP Inbound
• Port 443 (Default HTTPS) TCP Inbound/Outbound
• Port 8081 TCP Inbound/Outbound
Password Manager Service
• Port 53 (Outgoing DNS lookups) UDP Outbound
• Port 88 (Kerberos Authentication) TCP/UDP Outbound
• Port 389 (LDAP Access) TCP/UDP Outbound
• Port 636 (LDAP Access) TCP Outbound
• Port 137 (NetBIOS Name Service) TCP Outbound
• Port 139 (NetBIOS Session Service) TCP Outbound
SQL Server
• Port 1433 (SQL Server) TCP/UDP Outbound
• Port 1434 (SQL Server Browser Service) TCP/UDP Outbound
Report Server
• Port 80 (SQL Server Report Services) TCP Outbound
Email Notification
• Port 25 (Default SMTP port) TCP Outbound
Quick Connect
• Port 808 TCP Outbound
Secure Password Extension
• Port 80 (Default HTTP) TCP Outbound
• Port 88 (Kerberos Authentication) UDP Outbound
• Port 389 (LDAP Access) TCP Outbound
• Port 443 (Default HTTPS) TCP Outbound
Accounts used in Password Manager
The following accounts are or can be used in Password Manager:
• Password Manager Service account
• Application pool identity
• Domain management account
• Password policy account
• Account for Quick Connect
Password Manager Service account
Password Manager Service account is used to install Password Manager. For Password Manager to run successfully, the Password Manager Service account must be a member of the Administrators group on the Web server where Password Manager is installed.
Application pool identity
Application pool identity is an account under which the application pool’s worker process runs. The account you specify as the application pool identity during Password Manager setup will be used to run Password Manager Web sites.
Application pool identity account must meet the following requirements:
• This account must be a member of the IIS_WPG local group on the Web server in IIS 6.0 or a member of the IIS_IUSRS local group on the Web server in IIS 7.0.
• This account must have permissions to create files in the <Password Manager installation folder>\App_Data folder.
Domain management account
Domain management account is an account under which Password Manager accesses a managed domain. The domain management account must meet the following minimum requirements to successfully perform password management tasks in the managed domain:
• Membership in the Domain Users group
• The Read permission for all attributes of user objects
• The Write permission for the following attributes of user objects: pwdLastSet, comment, and userAccountControl
• The right to reset user passwords
• The Write permission to create user accounts in the Users container
• The Read permission for attributes of the organizationalUnit object and domain objects
• The Write permission for the gpLink attribute of the organizationalUnit objects and domain objects
• The Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers
• The permission to create container objects in the System container
• The permission to create the serviceConnectionPoint objects in the System container
• The permission to delete the serviceConnectionPoint objects in the System container
• The Write permission for the keywords attribute of the serviceConnectionPoint objects in the System container
The Password policy account
You can use Password Manager to create password policies that define which passwords to reject or accept. The password policy account is an account that you specify when you add a domain for configuring password policies. The password policy account must meet the following minimum requirements:
• The Read permission for attributes of the groupPolicyContainer objects.
• The Write permission to create and delete the groupPolicyContainer objects in the System Policies container.
• The Read permission for the nTSecurityDescriptor attribute of the groupPolicyContainer objects.
• The permission to create and delete container and the serviceConnectionPoint objects in Group Policy containers.
• The Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers.
• The Write permission for the serviceBindingInformation and displayName attributes of the serviceConnectionPoint objects in Group Policy containers.
• The Write permission for the following attributes of the msDS-PasswordSettings object:
  • msDS-LockoutDuration
  • msDS-LockoutThreshold
  • msDS-MaximumPasswordAge
  • msDS-MinimumPasswordAge
  • msDS-MinimumPasswordLength
  • msDS-PasswordComplexityEnabled
  • msDS-PasswordHistoryLength
  • msDS-PasswordReversibleEncryption
  • msDS-PasswordSettingsPrecedence
  • msDS-PSOApplied
  • msDS-PSOAppliesTo
  • name
Accounts for Quick Connect
To enable Password Manager to connect to Quick Connect and set passwords in connected data sources, the account used to access Quick Connect must be a member of the local administrators group on the Quick Connect server.
Verification of user input
Password Manager verifies input provided by users prior to processing it. It checks for the correct data type (e.g., no numeric values in a text-only field) and the length of data. In addition, user passwords are masked by asterisks to prevent them from being displayed in clear text.
Configuration parameters
Password Manager configuration parameters are stored in the system “Application Data” directory in an XML file. All sensitive data is stored in an encrypted part of the XML file. The XML contents are encrypted with 192-bit TripleDES. The XML file is protected with NTFS permissions.
Alerting of Unexpected Events
Password Manager has the ability to send email notifications to a designated email account in case of any unexpected events. The events are recorded in the application event log.
Daylight Savings Time compliance
Password Manager will not be affected by the changes introduced by the Daylight Savings Time (DST) Extension (U.S. Energy Policy Act of 2005). It relies upon the operating system for time management and does not implement any special logic around DST settings.
Customer measures
The security features of Password Manager are only one part of a secure environment. The customer’s operational and policy decisions have the greatest influence on the overall level of security. The customer is responsible for the physical security of the server on which Password Manager is installed as well as the system network.
Appendix A: Password Manager and FISMA Compliance
The Federal Information Security Management Act (FISMA) was passed by the U.S. Congress and signed by the president as part of the Electronic Government Act of 2002. It requires “each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information system that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.”
A major component of FISMA implementation is the publication by the National Institute of Standards and Technology (NIST), entitled “Recommended Security Controls for Federal Information Systems”, listed as NIST Special Publication 800-53. This document presents 17 general security categories that can be used to evaluate an information system and measure its level of compliance with FISMA. For this reason, this appendix offers the 17 categories listed in 800-53 and describes how Password Manager addresses them. We would like to emphasize that the secure deployment of Password Manager is only one part of an information security program. If the appendix states that a particular security category is “applicable” to Password Manager, this means that Password Manager contains security features that may be relevant to some or all aspects of the category in question. It may not mean that Password Manager fully meets all of the requirements described in that security category, or that the use of Password Manager by itself will guarantee compliance with any information security standards or control programs. The specification, selection and implementation of a successful security program depends on how the customer deploys, operates, and maintains its entire network and physical infrastructure, including Password Manager.
NIST 800-53 Categories

Access Control (AC)
Applicable: Yes
Description: Only privileged users can access and modify configuration parameters.
Further Details: Section(s) Access Control.

Awareness and Training (AT)
Applicable: No
Description: Customers who install Password Manager on their systems are responsible for developing and reviewing their security awareness and training policies.
Further Details: N/A

Audit and Accountability (AU)
Applicable: Yes
Description: Password Manager keeps an application log that records all transactions performed by both privileged and regular users, including timestamps and identifying information such as who/what/when.
Further Details: Section(s) Logging.

Certification, Accreditation and Assessments (CA)
Applicable: No
Description: Customers who install Password Manager on their systems are responsible for developing and reviewing their security assessment, accreditation and certification policies.
Further Details: N/A

Configuration Management (CM)
Applicable: Yes
Description: Configuration changes to Password Manager can only be made by privileged users. The communication ports used by Password Manager are restricted and only administrators can configure them. There is a specific set of privileges required by Password Manager accounts.
Further Details: Section(s) Open Communication Ports, Accounts Used in Password Manager.

Contingency Planning (CP)
Applicable: No
Description: Customers who install Password Manager on their systems are responsible for designing and implementing their own contingency plans. As defined by NIST (publication 800-34), disruptive events to IT systems include power outages, fire and equipment damage, and can be caused by natural disasters or terrorist actions.
Further Details: N/A

Identification and Authentication (IA)
Applicable: Yes
Description: Password Manager enforces identification and authentication through password-protected user accounts. Only authorized users, who are authenticated through Active Directory, can log on via the Web application.
Further Details: Section(s) Authentication of Users.

Incident Response (IR)
Applicable: No
Description: Customers who install Password Manager on their systems are responsible for developing and reviewing their incident response policies and procedures.
Further Details: N/A

Maintenance (MA)
Applicable: Yes
Description: Dell Software will make patches available in a timely manner if problems are discovered in Password Manager.
Further Details: N/A

Media Protection (MP)
Applicable: No
Description: Customers who install Password Manager on their systems are responsible for developing and reviewing their own media protection policies.
Further Details: N/A

Physical and Environmental Protection (PE)
Applicable: No
Description: Customers who install Password Manager on their systems are responsible for developing and reviewing their own physical and environmental policies.
Further Details: N/A

Planning (PL)
Applicable: No
Description: Customers who install Password Manager on their systems are responsible for developing and reviewing their security planning policies.
Further Details: N/A

Personnel Security (PS)
Applicable: No
Description: Customers who install Password Manager on their systems are responsible for enforcing personnel security policies, including personnel screening and termination.
Further Details: N/A

System and Information Integrity (SI)
Applicable: Yes
Description: Password Manager must run under a user account with specific privileges. User input provided through the Web application is verified to protect against faulty input and potential attacks.
Further Details: Section(s) Accounts Used in Password Manager, Verification of User Input.

Risk Assessment (RA)
Applicable: No
Description: Customers who install Password Manager on their systems are responsible for developing and reviewing their own risk assessment policies.
Further Details: N/A

System and Services Acquisition (SA)
Applicable: No
Description: Customers who install Password Manager on their systems are responsible for developing and reviewing their own system and services acquisition policies.
Further Details: N/A

System and Communications Protection (SC)
Applicable: Yes
Description: To secure network communication with its users, the Password Manager Web application supports the use of SSL. Kerberos and NTLM Authentication are used to protect Active Directory Service Interfaces, LDAP, and remote procedure calls. Sensitive data is encrypted with 192-bit TripleDES. Access is only required to necessary communication ports.
Further Details: Section(s) Protection of Sensitive Data, Secure Network Communication, Open Communication Ports.
© 2012 Dell, Inc. ALL RIGHTS RESERVED. This document contains proprietary information protected by copyright. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose without the written permission of Dell, Inc. (“Dell”).
Dell, Dell Software, the Dell Software logo and products—as identified in this document—are registered trademarks of Dell, Inc. in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners.
The information in this document is provided in connection with Dell products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Dell products. EXCEPT AS SET FORTH IN DELL’S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT,
DELL ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL DELL BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF DELL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Dell makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Dell does not make any commitment to update the information contained in this document.
About Dell Software
Dell Software helps customers unlock greater potential through the power of technology—delivering scalable, affordable and simple-to-use solutions that simplify IT and mitigate risk. The Dell Software portfolio addresses five key areas of customer needs: data center and cloud management, information management, mobile workforce management, security and data protection. This software, when combined with Dell hardware and services, drives unmatched efficiency and productivity to accelerate business results. www.dellsoftware.com.
If you have any questions regarding your potential use of this material, contact:
Dell Software
5 Polaris Way Aliso Viejo, CA 92656 www.dellsoftware.com
Refer to our Web site for regional and international office information.