Export formats that supports scripting of new accounts (multi-domain env)

Hello,

Thank you for contacting us on that matter.

It's possible to use the Devolutions.PowerShell module to export credential entries in a CSV file. Please see the following script on GitHub.
https://github.com/Devolutions/RDMSamples-ps/blob/main/module/export/Export-RDMCredentialsPassword_ClearText.ps1

What DVLS version are you using?

Are you using RDM to connect on DVLS?

Best regards,

Hello,
Thank you.

• This script exports all credentials in the database or a subset?
• Will the password output be hashed or clear-text?

We are not using DVLS at this point, I'm investigating if DVLS supports this type of function and can be a solution candidate. The goal is to have user-friendly GUI that acts as a global catalog, used to provision new credentials and update password in other managed AD domains. We are running RDM latest version to reach out to these managed AD DS today, but the password "sync" is done by manually by every user

Regards,
Simon

Hello Simon,

Thank you for your feedback.

• The script currently exports all credentials from any entry type. It's very simple to modify it to only export credential entries and select a subset of these credentials.
• The script exports the password in clear text. It is also possible to modify the script to export the passwords in a secure string format.

If the other managed AD domains can be reached by DVLS from your infrastructure, then the PAM module with the password rotation feature could be a great addition in your scenario to automatically manage these credentials.

Let us know if you have further questions about this.

Best regards,

Hello,
Ok, password rotation with DVLS sounds like a nice feature, how is this connection best secured if the managed AD's are on remote sites? Site2site-VPN?
Are the port requirements for this communication specified?
One managed AD counts as one data source?
Can DVLS also provision new accounts?

How to we prevent admins from connecting to endpoints using local RDP with pre-recorded credentials from DVLS to circumvent auditing trails? Devolution Gateway?

Best Regards,
Simon

Hello Simon,

Here are the answers to your questions:

• The machine that hosts the Devolutions Server needs to have access to the remote ADs, so you would need to have a site2site VPNs available to those sites.
• For AD, it uses either LDAP or LDAPS for the ports.
• You would simply need to add a provider for each domain: https://docs.devolutions.net/server/privileged-access-management/providers/domain-provider/
• DVLS cannot provision new accounts, but new oines can be added via the discovery: https://docs.devolutions.net/server/privileged-access-management/scan-configurations/domain-account-discovery/
• To limit the local RDP to be used, the Gateway can be a solution, if you restrict the source of the IP for the connection to the IP of the Devolutions Gateway.

Best regards,

Hello Richard,
Thank you, yes it's clearing up now.

How is the JIT feature controlled? Is this configuration held in the DVLS's database and distributed to the gateways?
I noticed that your products complies to alot of security standards, do you have CMMC/NIST 800-171 in your roadmap as well?
Do you have any best practice, whitepapers or architecture diagrams that can be used to guide us to make our high-level design, like the one below?
https://webdevolutions.blob.core.windows.net/cms/Gateway_diagram_2_2b60fddb9b.png

Best Regards,
Simon

Hi again,
After looking at the picture and the arrows, I also need to ask if the user actually lands on a desktop on the Gateway server, or is just pass through to the endpoints seamlessly?

Hello Simon,

The JIT feature will be available in the 2023.2 release, currently planned at the end of June. You can watch this recent online seminar we held for more information: https://youtu.be/ijd3XlEPr-s?t=2300

I will ask our security team regarding CMMC/NIST 800-171.

We have a few pages that may help you with a high-level design:

• https://cdndevolutions.blob.core.windows.net/documents/datasheets/en/server-datasheet.pdf
• https://cdndevolutions.blob.core.windows.net/documents/legal/security/security-encryption-en.pdf
• https://cdndevolutions.blob.core.windows.net/documents/spec-sheets/en/server-technical-specification.pdf
• https://docs.devolutions.net/kb/devolutions-server/knowledge-base/dvls-security-hardening

As for the Devolutions Gateway, the connection is seamless, you do not end up on a jump host. For more information:

• https://blog.devolutions.net/2022/04/a-closer-look-at-devolutions-gateway/
• https://blog.devolutions.net/2022/04/devolutions-gateway-adaptive-connection-modes-explained/

Best regards,

Hello Simon,

Regarding the CMMC/NIST 800-171, the security team confirmed it is not on the roadmap.

Best regards,

Hello,
Thank you.

When adding several domain providers in PAM, does these count as data sources in the licensing model, or into multi-domain authentication (only in Platinum)?
data-DevolutionsServer-2022 (windows.net)

Best Regards,
Simon

Hello,

Thank you for your feedback.

The PAM providers are not part of the licensing model. You can create as many providers as you want as long as the PAM license is properly added in Administration - Licenses.

Let us know if you have further questions about our products.

Best regards,