How to completely lock down credentials?

RDM Enterprise 10.6.7.0

I am trying to figure out how to completely lock down the ability to save or view any kind of shared credentials in my RDM SQL database, including for administrators. So far I have gone into the data source settings and set the "Disabled password saving (shared)", "Disabled password saving (tools)", and "Allow reveal password for administrator and authorized users". I disabled some undesirable credential types from being visible in the entry list.

This is a good start, but I'm noticing that none of these settings affect the ability to set shared credentials in group properties. Am I just missing a setting somewhere, or does this need to be a feature request?

All Comments (9)

Hello,

Administrators will always see passwords.

That being said, when you disable password saving, we should NOT be able to save any passwords. We will try to duplicate this.

Best regards,

Maurice

edited by mcote on 8/3/2015

Well, color me stupid, you can indeed hide credentials from admins as you've described (allow reveal password for administrator and authorized users).

We just need to duplicate saving passwords while the "disable password saving (shared)" is turned on.

Maurice

Hah, no worries. Again, where I'm still seeing the option to save passwords is in Group entries, not RDP or Web Browser sessions (only other types of entries I have at the moment). I realize that other admins have the ability to change the policy settings, but just having stuff turned off should be a reasonable deterrent against accidental saving of private credentials that can be accessed or otherwise used by third parties. Security is a top concern of ours, and the last thing we want is anybody doing things under somebody else's account.

Actually, I take that back, also just discovered that I can force save a password on an RDP session by going to Batch Edit > Change Saved Credentials.

We'll check into that.

Have you seen http://blog.devolutions.net/2015/07/security-policies-and-our-windows-applications.html

We can look into adding more policies.

Maurice

Oh, no, I didn't realize that there were group policy templates for RDM. However, I just loaded up the template, and given the limited number of policies available, there's not really anything much of use there. Additional policies would be welcome though, especially if you could add the ability to forcibly add a specific data source, so that nobody would have to manually configure the common one. Even if it's not specifically an enforced policy, but just registry keys that we could push out via group policy preferences, that would be helpful. Right now the only option is to write a PowerShell logon script that would use the snap-in to check for and/or create a data source, which is doable, but a bit clunky.

Maurice, just wanted to check and see if you confirmed the ability to save passwords in groups and via batch edit in sessions even after disabling saving of shared passwords.

Hi Bradley,

I've been able to reproduce your issue and a bug has been created. It should be fixed soon.

Best regards,

Jean-Philippe Charest

Thank you!