Geekzone: technology news, blogs, forums
Little (82 posts, Master Geek) #1515032 17-Mar-2016 14:17

Lias:
    Andib:
        Lias:
            So this started a bit of a conversation at work.
            Different need from the OP: what do people do in large (by NZ standards anyway) enterprise environments?
            Our IT team is ~80+, supporting ~5000 users. What sort of tools do people use to store passwords in big environments like this? Different teams within IT would need different access to different accounts, granular control etc.
            My manager wants to know what other large enterprises are doing before he even talks to a reseller about costs/licensing.
        Sent you a PM.
    Ta, appreciated that.

IT team of around 120 supporting 12000+ employees, and we use Secret Server by Thycotic.




Lias (5589 posts, Uber Geek, ID Verified, Trusted, Lifetime subscriber) #1515043 17-Mar-2016 14:25

PolicyGuy:
    Start with User Requirements - who needs (that's "needs", not "wants"!) access to what, etc.?

    Then do Design of the groups and permissions in your Identity & Access Management (IDAM) system - Microsoft AD is amazingly adequate for this.
    In my experience, nobody should need more than two access IDs and therefore no more than two passwords: one ID is for their 'regular' persona, the other is for their Privileged User role. Typically, a PU logs in with their regular credentials, then uses the 'sudo' / 'access as' facility supported in their operating environment to execute privileged commands.

    The password for the 'root' or 'can do anything anywhere' userID is a very long and really hard to remember string. It is written down on paper, put in an envelope which is sealed and has '"root" password' written on the outside. That is put in another sealed envelope emblazoned "For Emergency Use Only" / "Master Password" and put in the locked filing cabinet of the IT Manager / IT Operations Manager. There will be a second copy in a different location - in one case I caused it to be stored in the Company Solicitor's office off-site. The attached process says that after each use (recorded in a Major Incident log, of course) it must be changed. There should be no 'root'-equivalent accounts.

    Make sure that there is only One Source Of Truth - ideally the HR / Payroll system, which feeds the IDAM system automatically.
    Do not permit direct manipulation of user details in Exchange / AD - make people change the HR system data, then feed through.

We don't _yet_ have a proper Identity Management system. It's something being looked into by others (who, like myself, are dead keen on it). We do have separate PU credentials, but no policy (yet) of only using them on secure workstations etc. Something I'd like to implement, but change here is glacial.

I'm more looking for something to store things like:

  • The umpteen billion distinct service accounts we have for things
  • DSRM password(s)
  • Local admin passwords
  • DMZ/Workgroup server passwords
  • Shared online account passwords
  • SQL SA passwords
  • ESXi host root passwords
  • IMM, UPS, etc. passwords
  • etc.

 






mentalinc (3226 posts, Uber Geek, Trusted) #1515044 17-Mar-2016 14:28

KeePass isn't suitable for an enterprise environment.

There is no auditability, accountability etc.

Also shared password....









tchart (2379 posts, Uber Geek, ID Verified, Trusted) #1515058 17-Mar-2016 15:17

JamesL:
    Keepass

We use KeePass, as do many of our customers. We used to take local copies, but with KeePass 2.x you can sync across HTTPS.

We now have the KeePass database in SharePoint, which allows online sync between many users (10-20 users) and enforces "2 factor", as the user has to authenticate with SharePoint and then also type in the master password. We haven't had any issues with this.



meesham (973 posts, Ultimate Geek) #1515465 18-Mar-2016 10:43

mentalinc:
    KeePass isn't suitable for an enterprise environment.

    There is no auditability, accountability etc.

    Also shared password....

Fair point, that's why I mentioned we're a team of only 8 people - for us we don't really need the auditing, and if someone leaves (although we've all worked together for 10+ years) we just change the master password.


guyl (120 posts, Master Geek, ID Verified) #1515479 18-Mar-2016 10:50

Large Government Org - Hundreds of IT staff, thousands of end users.... We use https://www.manageengine.com/products/passwordmanagerpro/

 

 


 
 
 

chewster (127 posts, Master Geek, Trusted) #1515522 18-Mar-2016 11:32

Just managed to convince a small IT team of 4 to shift to KeePass from Excel.

 

Was looking at the open source web application (Python/Django) RatticDB which looks promising as a step up from KeePass. Maybe not for a 500+ staff operation, but just throwing it out there.







mentalinc (3226 posts, Uber Geek, Trusted) #1515830 18-Mar-2016 18:48

meesham:
    mentalinc:
        KeePass isn't suitable for an enterprise environment.

        There is no auditability, accountability etc.

        Also shared password....

    Fair point, that's why I mentioned we're a team of only 8 people - for us we don't really need the auditing, and if someone leaves (although we've all worked together for 10+ years) we just change the master password.

That means there are 8 people who could break something or do something wrong and no way to prove who did it.... Which may be required if it turns into an HR-type event.






gundar (488 posts, Ultimate Geek, Trusted) #1517301 21-Mar-2016 23:58

Lias:
    We don't _yet_ have a proper Identity Management system. It's something being looked into by others (who, like myself, are dead keen on it). We do have separate PU credentials, but no policy (yet) of only using them on secure workstations etc. Something I'd like to implement, but change here is glacial.

    I'm more looking for something to store things like:

      • The umpteen billion distinct service accounts we have for things
      • DSRM password(s)
      • Local admin passwords
      • DMZ/Workgroup server passwords
      • Shared online account passwords
      • SQL SA passwords
      • ESXi host root passwords
      • IMM, UPS, etc. passwords
      • etc.

Most of these requirements integrate with Active Directory or, at the least, RADIUS. I'd say you could make your requirements list slimmer by migrating the authentication to AD or RADIUS and then setting up AD to report on usage of passwords and logins via the security log. I've made a point of eliminating standalone accounts where possible, so SA passwords are now not allowed and services must run as AD users (without interactive permissions, of course)....

Good luck.
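The reporting gundar describes (who used which account, and whether a service account was ever used interactively) is the auditability that a shared KeePass file cannot give you. The script below is an added example written for this page, not code from any product or poster in the thread. It works over a constructed, hypothetical export format (one Security event per line, pipe-separated; a real export from Event Viewer or a SIEM would need its own parser) and assumes a `svc_` naming convention for service accounts. The event IDs and logon types are the standard Windows ones: 4624 is a successful logon, 4672 is "special privileges assigned to new logon" (an admin-equivalent token), and logon types 2, 10 and 11 are interactive (console, RDP, cached), while 4 and 5 are batch and service.

```python
"""Account-usage and privileged-logon report from Windows Security log events.

Added example; the log format below is constructed for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import List, Optional

# Logon types that mean a human was at a console or RDP session.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}
# Assumption: service accounts follow a naming convention.
SERVICE_ACCOUNT_PREFIX = "svc_"

# Constructed sample export: time|EventID|TargetUserName|LogonType|IpAddress
# ("-" where the field is not present on that event).
LOG = """\
2016-03-21T09:00:01|4624|svc_sql01|5|-
2016-03-21T09:00:02|4624|svc_backup|4|-
2016-03-21T09:05:10|4624|jsmith|2|10.1.2.3
2016-03-21T09:05:11|4672|jsmith|-|-
2016-03-21T09:07:42|4624|svc_sql01|10|10.1.2.50
2016-03-21T09:07:43|4672|svc_sql01|-|-
2016-03-21T09:09:00|4624|adm_lias|10|10.1.9.9
2016-03-21T09:09:01|4672|adm_lias|-|-
2016-03-21T09:12:00|4624|jsmith|3|10.1.2.3
"""


@dataclass(frozen=True)
class Event:
    time: str
    event_id: int
    account: str
    logon_type: Optional[int]   # None for events without a logon type (4672)
    source: str


def parse_log(text: str) -> List[Event]:
    """Parse the pipe-separated sample export into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, eid, account, ltype, source = line.split("|")
        events.append(Event(time, int(eid), account,
                            None if ltype == "-" else int(ltype), source))
    return events


def usage_by_account(events):
    """account -> Counter of logon types, from successful logons (4624)."""
    usage = defaultdict(Counter)
    for e in events:
        if e.event_id == 4624:
            usage[e.account][e.logon_type] += 1
    return usage


def privileged_logons(events) -> Counter:
    """Accounts that were granted special privileges at logon (4672)."""
    return Counter(e.account for e in events if e.event_id == 4672)


def service_account_violations(events):
    """Service accounts logged on interactively: someone typed the password."""
    return [(e.time, e.account, e.logon_type, e.source)
            for e in events
            if e.event_id == 4624
            and e.account.startswith(SERVICE_ACCOUNT_PREFIX)
            and e.logon_type in INTERACTIVE_LOGON_TYPES]


if __name__ == "__main__":
    evs = parse_log(LOG)
    print("Logons by account and type:")
    for account, types in sorted(usage_by_account(evs).items()):
        print(f"  {account}: {dict(types)}")
    print("Privileged logons:", dict(privileged_logons(evs)))
    for time, account, ltype, source in service_account_violations(evs):
        print(f"ALERT {time} {account} interactive logon type {ltype} from {source}")
```

The point of the last function is the one gundar makes: once a service runs as an AD account that is denied interactive logon, any type 2/10/11 logon for it is either a policy gap or someone using a vaulted password by hand, and the security log tells you when and from where.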


gundar (488 posts, Ultimate Geek, Trusted) #1517307 22-Mar-2016 00:00

Andib:
    We use Password Manager Pro for our team of 30.

I got my quote on Friday afternoon, US$520 / user.

Of course I replied with a simple request to justify the price and was met with a simple answer: "we don't set the price".

Um, so clearly, nice product, but not for us, not at that price....


meesham (973 posts, Ultimate Geek) #1524678 2-Apr-2016 16:01

Not sure if you're still looking but TeamPass is one you can look at, it's open source and self hosted. I've only done some brief testing with it so far so YMMV.


Lias (5589 posts, Uber Geek, ID Verified, Trusted, Lifetime subscriber) #1524890 2-Apr-2016 22:25

gundar:
    Lias:
        We don't _yet_ have a proper Identity Management system. It's something being looked into by others (who, like myself, are dead keen on it). We do have separate PU credentials, but no policy (yet) of only using them on secure workstations etc. Something I'd like to implement, but change here is glacial.

        I'm more looking for something to store things like:

          • The umpteen billion distinct service accounts we have for things
          • DSRM password(s)
          • Local admin passwords
          • DMZ/Workgroup server passwords
          • Shared online account passwords
          • SQL SA passwords
          • ESXi host root passwords
          • IMM, UPS, etc. passwords
          • etc.

    Most of these requirements integrate with Active Directory or, at the least, RADIUS. I'd say you could make your requirements list slimmer by migrating the authentication to AD or RADIUS and then setting up AD to report on usage of passwords and logins via the security log. I've made a point of eliminating standalone accounts where possible, so SA passwords are now not allowed and services must run as AD users (without interactive permissions, of course)....

    Good luck.

It's kinda slowly happening; new stuff in the last few years is mostly done like that, but we're dealing with a 20+ year old AD with 5000-odd active current users, not too far shy of a thousand internal Windows servers, plus Linux and AS/400. The amount of legacy systems that prevent us moving forward is simply staggering. Throw in the sort of politics you usually see in large enterprises and the very limited amount of maintenance windows we have, and it's not going to be tidy for years, if not decades :-)

 

 







Lias (5589 posts, Uber Geek, ID Verified, Trusted, Lifetime subscriber) #1524891 2-Apr-2016 22:27

gundar:
    Andib:
        We use Password Manager Pro for our team of 30.

    I got my quote on Friday afternoon, US$520 / user.

    Of course I replied with a simple request to justify the price and was met with a simple answer: "we don't set the price".

    Um, so clearly, nice product, but not for us, not at that price....

I _think_ that's only per password administrator, not per person with access to the vault, but don't quote me.







Aaroona (3194 posts, Uber Geek) #1525077 3-Apr-2016 10:02

CYaBro:
    I've been meaning to try this one out but just haven't got around to it.
    https://www.clickstudios.com.au/

We used Passwordstate in our previous organization, across Australia and New Zealand. It is a fantastic tool, provided it's set up correctly. I would definitely recommend this tool.

We are currently working on password safe options at work. We are using KeePass at the moment, which is a big bag of crap for an environment our size. I will see what options we're looking at and will report back here.






