Hello,
I have now created a SQL Database and tried a few things. I added two Users with their own Vault and it works so far. User 1 does not see what entries User 2 has.
But as an Admin I am able to open the Vaults of those users and read all entries including the passwords. That is not as I want to have it. Is it somehow possible for an admin to NOT see the passwords stored with an entry? This would be very important to not have any discussion that an admin is able to read everything.
The second thing is: I read in a 6-year-old post that there is an internal key which is used to encrypt the passwords stored. But as it is the same key on all RDM installations - that's not really secure. In the KB section about Security Providers I found that with a shared passphrase you can select to save the passphrase in the registry, which also is no security. And I am also not sure what certificate would help as I think we must have one certificate that is distributed to all computers where RDM is used.
But we use smartcards for computer logon. Would it be possible to use each user's certificate from his own smartcard to encrypt the Vault assigned to him?
Brgds Andreas
Hello,
I just need to confirm: you created a shared vault and assigned different permissions to each user so that User 1 can see Vault 1 and User 2 can see Vault 2, or are you referring to their User Vault? https://help.remotedesktopmanager.com/vault.html
As for your second question, I will verify with my team!
Best Regards,
Etienne Lord
Hello,
Yes - I created a single shared vault and assigned different permissions to different users. User 1 can see Vault 1 and so on as you described. I am NOT talking about the User Vault. As an admin I am able to select each other user's Vault and see everything they created. But I am not able to remove me from the permissions or at least remove me from the ability to see the passwords.
Where is the User Vault stored when using a MS SQL database? Is it local, or also in the database? I did not find this info anywhere.
Brgds Andreas
Hello,
As an Administrator, you will indeed have access to all the shared vaults, but not the user vaults.
Also, the user vault is indeed stored in the Database.
Best Regards,
Etienne Lord
Hello,
OK, that brings me to the next question - can I disable the shared vault so a user has only a personal vault? The user vault (link) can be disabled, but I found no way to disable the shared vault.
Sorry for all those stupid questions, but I want to make it as fool-proof as possible for our users...
Brgds Andreas
Hello,
If you do not give your users any access to any Vaults, they will only be able to see the User Vault!
Best Regards,
Etienne Lord
Hello,
That also worked!
To have this perfect, can I - as an admin - disable the shared vault view for my users? I mean remove this:
and make the personal vault default?
Brgds Andreas
Hello,
Sadly, we do not have any options to do so.
Best Regards,
Etienne Lord
Hello,
Can you please make this a feature request? If I only have user secrets, no shared - why bother my users with a shared vault?
If it is not possible to disable this, would it be possible to define a default view for the navigation to make the user vault default instead of the vault?
Brgds Andreas
Hello,
Good question, I will look back with my colleague and let you know!
Best Regards,
Etienne Lord
Hello,
I just had a support session and the colleague showed me
File, Options, Navigation Pane, Default selected tab
This does basically what I want.
Would it be possible to add this option as GPO? :)
Removing the shared vault would be better, but this way I at least have the option to define what my users have as default.
Thanks a lot for your help!
Brgds Andreas
Hello,
That's good to know! I will check with the engineering department!
Best Regards,
Etienne Lord
Hello,
We've added the GPO DefaultNavigationPaneTab to provide the desired behavior. Setting it to 0 will mean that the GPO is disabled, while setting it between 1-9 will use any of the choices found in the options (in the same order as they are presented, so 1 = Vault, 3 = Favorites, etc.) This should be available for 2022.3.27
Regards,
Jafran Majeau
Hello,
You are all incredible!!!!! Thank you very much for this!
Brgds Andreas
Hello,
Could it be that there is a problem with the GPO? I am unable to enter a number...
Brgds Andreas
Hello Deas,
Thanks for your return.
If I understand your needs, you would like to push the DefaultNavigationPaneTab using GPO.
We still need some development to enrich our ADMX file in order to provide the ability to set a value from a selector.
For the moment, in order to help you push this setting, you can use the .reg attached to this post.
Be careful because the Value set in the script is "3" (Favorites), so edit it first using the value that fits your needs.
Make sure to test it before deploying it at large.
If you need some information on how to modify registry objects through GPO, let me know. Or you can find information on the Internet.
Christophe Boyer
Set-DefaultNavigationPaneTab.zip
Hello Deas,
We've worked on integrating our admx file into the Local Group Policy Editor. You should be able to select a numerical value through the medium you posted in your latest screenshot when our next version comes out (2022.3.28).
Regards,
Jafran Majeau
Hello,
Thanks for the info - I could also edit the .admx file and replace the "1" that is currently set when enabled with the number I need. A workaround, but better than pushing a reg file via GPO. The good thing is that it is not so urgent, as some other things also need to be changed before I can roll out the .3.x version to our company.
Brgds Andreas
Hello,
Thanks for 2022.3.28 - now I am able to set a value! Thanks for that change!
One last question about this specific GPO setting - this will only work with 2022.3.27 and newer. Correct?
So if my users still have 2022.2.29 they won't be affected when I set this globally by GPO until I am ready to do the upgrade to 2022.3.27 or newer for all of them.
Brgds Andreas
Hello Andreas,
You're correct, this will only work with versions 2022.3.27.0 or more recent. Your users still running 2022.2.29.0 will not be affected by the GPO.
Once you're ready to upgrade, if you want to be sure your users all are on the correct version, you could use the Version Management feature to restrict application access to a minimal version of 2022.3.27.0. You can read more about this here https://help.remotedesktopmanager.com/datasourcesettings_versionmanagement.html
I hope this helps.
Regards,
Hubert Mireault
Hello Hubert,
Thanks for the confirmation! I know about the Version Management possibility. But as we install RDM with SCCM, I can make sure all use the version needed.
EDIT:
I have now set the GPO to 6, changed my local setting to "Vault" and closed RDM. Then I did a gpupdate and started RDM again. RDM did what it should do - open "User Vault" as default view.
Thanks a lot for that change! :)
EDIT 2:
One last cosmetic thing: If something is controlled by GPO, you should disallow changing this setting and note that it is controlled by GPO. At the moment a user does not know that he can't change it.
Brgds Andreas
Hello Andreas,
Glad to hear this works well for you.
I will open an additional ticket relating to disabling fields affected by GPOs. I know from experience that for some we do disable the fields but for most of them we don't. I think it's a bit inconsistent. We will see what we can do.
Regards,
Hubert Mireault