Devolutions Server Admin Account Recovery
1 vote
I'm doing documentation for DR scenarios, and I can't find any information about how to regain access to an on-prem Devolutions Server instance if all admin accounts become inaccessible.
I see the "Emergency procedure" on the page below, but that only addresses the case where a break glass account is accessible. Is there any method of recovering access if no account is accessible? Such as through SQL or through the OS?
https://docs.devolutions.net/server/kb/knowledge-base/console-command-line-interface/
Thanks
All Comments (4)
Hello,
Thank you for your feedback.
The following method offers a different recovery process.
https://docs.devolutions.net/server/kb/how-to-articles/enable-emergency-login-code-authentication/
Let us know if that helps.
Best regards,
Érica Poirier
Thank you Erica.
To be clear: other than the emergency codes, there are no recovery procedures for resetting the password and MFA of an admin account if all admins are locked out? Additionally, there is no external way to create a new account, such as via SQL or tools on the server?
We very much prefer not to allow email-based authentication of any kind, as it's both common target of compromise and because it can be unreliable in DR scenarios.
Hello,
Thank you for your feedback.
The provided methods, break glass account as an emergency login with a code by email, are the only available methods to access DVLS if all admin accounts are locked out. From SQL, since the account's passwords are encrypted, it's not possible to modify them.
For your information, I have moved this thread to the Feature requests section.
Do you have any method you would like us to implement as an emergency access to DVLS if all admin accounts are locked out? Or at least, a path we could analyze regarding break-glass access?
Thank you for your collaboration.
Best regards,
Érica Poirier
I would like an end result that a Devolutions Server admin account exists and that it can be logged in to. Presumably meaning its password and MFA are known (or MFA is temporarily bypassed). Preferably the password would be set by the person performing recovery rather than a well-known default password being used. Could be a temporary method requiring the admin to access the app and create a permanent account, or could be a full account created by this process, depending on your challenges with password encryption or other implementation details.
Our worst-case recovery path would be to regain admin access to the OS, then to SQL and the Devolutions Console, then work to recover access to the Devolutions Server instance.
No suggestion on the method as I'd trust your devs to know your product and security practices better than I would. Any thing like a SQL query or recovery tool that a SQL admin or OS admin can use to accomplish this would be useful. In a perfect world this would do things like end up on an audit report and send an email alerting admins that it was done.
Thanks again.