Forum / Devolutions Password Server - Bug Report

Active Directory based Roles - renaming


Hi,

I know it depends on your view of the world whether that's a bug or a feature, but as a Windows administrator said to me: it is unexpected behaviour.


If you create domain-based roles in DPS and you have to rename the domain group, things get messy and nobody knows why.

It's because of how you handle the "Domain-Link" in DPS.

You use the CN of the domain group, where every other product in this world uses the objectSID to identify users and groups.

By the way, the objectSID in Active Directory is guaranteed to be unique.

So is it a bug? Maybe not.

But should a security product use a fakeable CN to identify security groups?

Best Regards
Markus

======================

3 mths
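The rename problem Markus describes, shown as an added example (not code from this thread or from Devolutions): a product that stores the group's objectSID next to its name can resolve the SID to the group's current name and flag a rename, and can also detect when the stored name now resolves to a different object. It assumes a domain-joined Windows machine that can reach a domain controller; the SID and group name are constructed placeholders.

```powershell
function Test-LinkedGroup {
    param(
        # objectSID captured when the DPS role was created (constructed placeholder in the call below)
        [Parameter(Mandatory)] [string] $StoredSid,
        # DOMAIN\Name of the group captured at the same time (placeholder)
        [Parameter(Mandatory)] [string] $StoredName
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $ntType  = [System.Security.Principal.NTAccount]

    # 1. Stored SID -> current name. The SID survives any rename; this only fails
    #    (IdentityNotMappedException) if the group was deleted.
    $currentName = $null
    try   { $currentName = ([System.Security.Principal.SecurityIdentifier]$StoredSid).Translate($ntType).Value }
    catch [System.Security.Principal.IdentityNotMappedException] { }

    # 2. Stored name -> current SID. This is what a CN-based link effectively does:
    #    it resolves to whatever object currently carries that name.
    $nameSid = $null
    try   { $nameSid = ([System.Security.Principal.NTAccount]$StoredName).Translate($sidType).Value }
    catch [System.Security.Principal.IdentityNotMappedException] { }

    $status = if (-not $currentName) {
                  'GroupDeleted'
              } elseif ($currentName -ine $StoredName) {
                  # Renamed; if the old name still resolves, another object now holds it
                  if ($nameSid) { 'RenamedAndNameReused' } else { 'Renamed' }
              } else {
                  'Unchanged'
              }

    [pscustomobject]@{
        StoredName             = $StoredName
        CurrentName            = $currentName
        NameNowMapsToStoredSid = ($nameSid -eq $StoredSid)
        Status                 = $status
    }
}

# Constructed sample call: replace both values with what was read from AD when the
# role was created, e.g. (Get-ADGroup 'DPS-Admins').SID.Value and 'CONTOSO\DPS-Admins'.
Test-LinkedGroup -StoredSid 'S-1-5-21-1111111111-2222222222-3333333333-1105' `
                 -StoredName 'CONTOSO\DPS-Admins'
```

A result of `Renamed` means the role's linked name should be updated to `CurrentName`; `RenamedAndNameReused` means the name-based link would now silently grant the role to a different group.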

Hello,

When we moved to identifying users by UPN, we felt it was sufficient at the time. We are aware of the concerns you mention, but I have the impression that the CVSS score would be on the low end, just because of the privileged access required to interact with AD. (Don't quote me on that, I can ask our CISO to calculate the score...)

Our security system is subject to a ton, and I do mean a ton, of discussions, both internally and with new customers. We compare ourselves with all of our PAM partners, while trying to keep our uniqueness and ease of use. That ease of use results in many customers not only buying a pricey PAM solution, but also insisting on putting RDM in front of it. But, I digress...

We are in the planning stages of refactoring our private vaults, which are closely tied to the login name, whichever authentication model you choose. I guess that as part of this project, it would not be risky to preserve the SID for an additional validation. It's easy on paper, we just need to identify the placement of this task within all of the other projects we are undertaking....

As in the other thread, is this a show stopper? Can it wait for a few months?

Best regards,



Maurice Côté


3 mths

Hi Maurice,

Thank you for your detailed answers to our concerns.

No, the CN/UPN/NetBIOS mapping is no "show stopper".

I was just very surprised after renaming one of our AD groups to meet CI requirements, and
I know you will do your best to rework this base functionality.
It is very good that you have a CISO now that helps with prioritization and finding issues; I really appreciate working together with you guys.

Regarding my other post, I'll get back to my customer with your reply and keep you updated.

3 mths

Hello Markus,

About renaming a role in RDM, no matter which advanced data source you are connected to: instead of manually modifying all permissions, you could use the PowerShell script published in this forum thread.
https://forum.devolutions.net/topic29716-renaming-a-role-and-update-permissions.aspx

Best regards,



Érica Poirier


3 mths

Thank you Erica,

That script would have helped me a lot...
I'll give it a try next time...


Best Regards
Markus

======================
