Click Studios Support

Click Studios has built its well-earned reputation on three Pillars. The First Pillar: Continuous development of an Enterprise grade Password Management Solution that is feature rich and scales from the smallest not-for-profit to the largest multinationals. The Second Pillar: Our solution must remain affordable for all businesses ensuring that everyone has the opportunity to protect their privileged accounts and access to data. The Third Pillar: Provide excellence in the technical support of our solution by hiring inquisitive, technically savvy, customer focused team players that are truly passionate about helping others.

The Passwordstate product suite, including the core product covered by Client Access Licenses (CALs), Enterprise and Global Licensing along with the High Availability Module are all able to be placed under maintenance. The Click Studios term for maintenance is Annual Support and Upgrade Protection. Active Annual Support and Upgrade Protection entitles customers to all minor and major releases of Passwordstate, Priority Email and Phone support covering technical questions, how to questions, general enquiries and Remote Desktop assistance if deemed necessary by our Technical Support Team.

Our subscriptions for the Password Reset Portal and Remote Site Locations are only available if you have Active Annual Support and Upgrade Protection and the duration of the subscription is bound to your support expiry date.

What is covered (in detail)?

By purchasing Annual Support and Upgrade Protection you are covered by the terms and conditions as outlined here. When you navigate to the support page on our Website, you’ll see the following displayed;


It’s important to read through the details on this page to understand what is covered and what is excluded. The following is a brief outline of what is supported and when;

  • Only the current Major version and one previous Major version and their associated add-ons are supported. This will mean that 90 days after the release of Passwordstate V9 we will only be able to support Passwordstate Version 9 and Passwordstate Version 8 (back to June 2017).
  • Email support is available from Mon-Fri, 6:00am-6:00pm UTC +09:30 (Adelaide, Australia)
  • Phone support is available from Mon-Fri, 8:30am-5:00pm UTC +09:30 (Adelaide, Australia)
  • Emails and Support Tickets generated between the support hours described above will receive a response within 2 hours. Outside of standard support hours we guarantee a 24 hour response (generally within 12 hours)
  • We are unable to cover third party applications, hardware or the use of Click Studios software in unsupported environments. This includes assistance with Load Balancers, Network configuration and assistance in maintaining your Microsoft SQL Databases.

Please note, if you have accidentally allowed your Annual Support and Upgrade Protection to lapse we’ll be unable to provide you with any assistance (even though the Technical Support Team will want to). The Technical Support Team will advise you of this and will CC in sales@Clickstudios.com.au to assist with a quote to reimplement your Annual Support and Upgrade Protection.

How to log a Support Call

When needing to log a support call you have 3 options. The easiest of these is to Generate A Support Ticket, followed by directly emailing our Technical Support Team and lastly via calling support.

To Generate a Support Ticket simply browse to the Click Studios Website Support Page https://www.clickstudios.com.au/support.aspx and you’ll be presented with the following screen,


This page details the support hours for Email Support (including Support Tickets), the current date and time for Adelaide Australia and the international phone number if needing to call for support. It also provides the email address support@clickstudios.com.au if you need to email us directly. As indicated, you’ll need to provide us with;

  • The Passwordstate Build Number, e.g. 8973
  • The Web Server Operating System selected from the drop down list, e.g. Windows Server 2019

Once you’ve entered these and clicked on Generate Support Ticket you’ll be presented with an email as per below;


You’ll notice that the above email has prepopulated the Build Number and Server OS fields and generated a Support Ticket ID for this request. Now comes the important part, we need as much information as possible relating to your issue. This includes,

  • The Web Browsers you are using to connect to the Passwordstate web site e.g. Edge Version 85.0.564.51
  • Screenshots of any errors
  • Description of what you were doing in Passwordstate at the time
  • Instructions on how to reproduce the error

Call Support

While we prefer to accept Support Requests via Generating A Support Ticket or direct email we will of course accept phone calls.

The reality is that more than 99% of our Support Requests are in the form of Support Tickets and direct Emails, and as this medium supports the supply of diagnostic rich information, it is far more effective for both parties.

What about Trial Implementations and “Free for 5 Users”?

Click Studios understands that Support Requests may be submitted by organisations that are trialling Passwordstate and by small businesses that have taken up the offer of “Free for 5 Users” licensing. In these instances, Click Studios will use reasonable efforts to provide technical support on the following basis,

  • Customers with active Annual Support and Upgrade Protection will be prioritised highest in the queue for support
  • Potential Customers with active Trial licenses who are still trialling Passwordstate are prioritised next
  • Small businesses with “Free for 5 Users” licensing are prioritised last

Extended Support

Click Studios offers Extended 24 x 7 Support which is in addition to the standard support coverage. The Extended Support is for critical events where the Passwordstate Website is not accessible for all users. Customers must have attempted to restore their Passwordstate Instance system from the last known good backup before contacting Click Studios.

The Support Request process is initiated via calling the Extended Support phone number, issued after Extended Support has been purchased. Your call will then be routed to the on-call Technical Support Engineer. Please note the Technical Support Engineer does not monitor the Click Studios Ticketing system for incoming Support Requests. In these cases you should only email through information for the on-call Technical Support Engineer when requested by them.

The limitations associated with Extended Support are,

  • Any minor events or issues logged as part of the Extended Support will incur additional charges
  • Email requests received outside of standard support hours will not be processed until the next business day
  • It is not available for Trial or “Free for 5 Users” licenses
  • Click Studios reserves the right to determine which customers qualify for the Extended Support prior to accepting the order
  • Additional charges may apply in instances where upgrades have been attempted and backups have not been performed and/or instructions have not been followed

If you have any queries, or want to provide feedback, please email it through to support@clickstudios.com.au

Buy Now – Options and Information Required

You may be a new customer, having trialled Passwordstate, and are about to jump in and make your first purchase. There are a number of different ways in which you can purchase Passwordstate, so which do you choose? This week’s blog entry is a quick overview of using the BUY NOW menu option available from our Website.

Locating the BUY NOW Options?

When you browse to the Click Studios Website https://www.clickstudios.com.au/ you’ll notice the third menu item, from the left at the top of the screen, is BUY NOW. This menu provides a range of different options and information to ensure you have everything you need to complete your purchase.


Buy Now

When you select the Buy Now option you will be taken through to our Purchase Passwordstate page https://www.clickstudios.com.au/buy-now.aspx. This allows you to enter the quantities and types of licenses you require. In all the examples for this week’s blog entry we are using a fictitious company called Contoso,


In our examples Contoso are about to purchase 60 x Client Access Licenses (CALs) with Annual Support and Upgrade Protection and a Password Reset Portal Subscription for up to 100 Users. The cost for the purchase is presented to the customer and they can fine tune the quantities up and down as required before selecting Buy Now. It is important to note that outside of Australia the purchaser is responsible for any applicable sales and value-added taxes in their jurisdiction. These taxes are not factored into the prices presented on the Purchase Passwordstate screen. Our Australian customers will be presented with the GST component on this screen and it is factored into the Total Price.

On clicking Buy Now you will be directed to our Webpage that links through to our global eCommerce partner BlueSnap,


When entering your payment details you should note;

  • If you don’t see the Order Information as per above click on the + symbol in the circle. That will expand the Order Information summary. To see the full description, hover your mouse cursor over the description.
  • You’ll note that BlueSnap have automatically added the Tax for your Jurisdiction. This is controlled by BlueSnap and is legally required by them. For European customers with tax exemption you will have the option to input your exemption code and BlueSnap will not apply this Tax component.

Once you’ve completed filling out your details click on submit. You will receive an email with the order details and your license keys will be emailed through within a maximum of 48 hrs (typically 12 hrs).

Get a Quote

When you select the Get A Quote option you will be taken through to our Create Passwordstate Quote page https://www.clickstudios.com.au/create-quote.aspx. This allows you to create a formal quote and have that emailed through to a nominated email account. Simply supply the Company Details and enter the quantities and types of licenses you require as per the image below,


On clicking Submit the nominated email account will receive a copy of the Quote as per below,


You’ll also note that at the bottom of the quote you are presented with a number of options to proceed with the order,


  • If you click on the Click to order Online link at Option 1 you’ll be taken through to our Webpage that links through to our global eCommerce partner BlueSnap.
  • If you click on the Click for Purchase Orders Instructions link at Option 2 you’ll be directed to https://www.clickstudios.com.au/purchase-orders.aspx and be presented with the details to be included on your Purchase Order,


  • If you elect to take Option 3 and provide a Direct Bank Deposit / Wire Transfer please note that IBAN (International Bank Account Number) is not used in Australia. We have followed the recommendations issued by the Commonwealth Bank of Australia on how to represent an IBAN. You can reference their information here. Please ensure you email us with the License Registration Name, typically your Company or Business Name, your contact details including First Name, Surname and email addresses of up to 4 contacts and the details of the transaction. Don’t forget to reference the quote or invoice number in the deposit / transfer description so that we can trace the payment. Once we have received payment we will generate the license keys and email them through.
  • Lastly, if you decide to pay by Check and are based outside of Australia it can take between 8 to 12 weeks for the Check to arrive.

We hope this helps in better understanding your purchasing options. If you have any queries or would like to provide feedback please email it through to support@clickstudios.com.au

Final Sneak Peek of Passwordstate 9

This is the final Sneak Peek at Passwordstate Version 9. Our Managing Director and Chief Executive Officer has kindly requested all Click Studios employees to stop finding new functionality to incorporate into the release (but we can’t help it). The last of the code is currently being run through Systems Testing and will soon progress to our internal UAT (User Acceptance Testing) Team.

So, on to this week’s blog and your final tease of the new features that form part of Passwordstate V9.

Automatically update passwords in Passwordstate when updated on a Website

Up until Version 9 of Passwordstate, when you needed to change a password for an existing password record linked to a Website login, you were required to change it on the Website, then login to Passwordstate and update the password for that record manually.

With Passwordstate 9 and using our Browser Extensions you can automatically update the password for that password record when you change it on the Website. Once you’ve changed the password on the Website the Browser Extension will automatically identify the record to be changed and prompt you with the following screen,


As indicated above, you have the option of selecting Later and manually updating as per version 8, or selecting Update to write the new password back to the password record in Passwordstate. The Password List is automatically selected as per the existing password record details. We’ve also enabled a visual indication of Ignored URLs by turning the Browser Extension icon blue when you browse to a website that has been previously recorded as ignored.


New Mobile App autofill of credentials for Smartphone Browsers

Our new Passwordstate Smartphone app is being released to coincide with Version 9. This is a true native app for Android and iOS devices and is offered alongside our existing Mobile Client. In addition to the offline mode allowing access to an encrypted cache of credentials the Passwordstate app is capable of autofilling your Website credentials – just like our Browser Extensions!


Folder Permission Model

The old Folder Permission Model has been enhanced and now incorporates additional permission settings as per the image below;


The Standard Permissions Model is the old Passwordstate permissions model. This in effect rolls up the permissions applied to Password Lists at the Folder Level. In the image above the Permissions applied to all the Password Lists within Business Systems are applied to the Business Systems Folder. This is a bottom-up approach to applying Permissions,


With the Advanced Permissions Model the Permissions are specified at a Parent Folder and are propagated down to all child folders and Password Lists. This is similar to the approach for applying NTFS Permissions on a Windows Folder Structure. The example below is for the Contoso Folder,


You’ll also note that the Folders with the Advanced Permission Model have the blue downward arrow shown next to the folder icon indicating they have the Advanced Permission Model applied to them. If you see a red X next to a Password List, such as the Web Sites Password List (Passwords example above), it means that inheritance from above is being blocked.

Improved built-in Backup Feature

We’ve listened to feedback on how to improve our built-in Backup solution and have incorporated a number of new features under Administration->Backups and Upgrades. The image below outlines the new features,


The section Backups Settings has been renamed to Backup Schedule and Settings and now incorporates the following;

  • You can specify different backup paths for Web Files and Database backups,
  • There is now an option to backup your Split Secrets in a separate zip file. This is backed up to the same path as your Web Files backups.
  • An option to password protect your backup files can now be enabled. Once enabled you’ll need to specify the password and record it somewhere safe for when you need to recover Passwordstate from a backup.

There is also a section called Backup File Naming Convention where you can specify the naming convention for each of the types of backups (Web Files, Database and Split Secrets). When backups are performed the naming conventions you have provided are appended with the Date and Time that the backup was performed. The format used for appending the Date and Time is the same as for Version 8, using the format of YYYYMMDDHHMMSS where YYYY is Year, MM is Month, DD is Day, HH is Hour, MM is Minute and SS is Seconds.

Tweaked UI

Lastly, with Passwordstate V9 we’ve tweaked the UI (User Interface) in a number of areas. The image below is a composite image showing a number of changes,


The first of these is represented by the numbered green dots 1, 2 & 3. In previous versions of Passwordstate, hovering over the Menu item caused that menu to pop out to the right. In V9 you can toggle the Menu item by clicking on the ^ to collapse the menu or V to expand it. When expanding the Menu item, it now appears below the Menu Heading. In the left-hand side of the image you can see Passwords (1) is expanded while Tools (2) and Preferences (3) are collapsed. In the right-hand side of the image Passwords (1) has been collapsed while Tools (2) and Preferences (3) are expanded.

The second of the tweaks relates to the new icons for folders and password lists as shown in the right-hand side of the image in the golden rectangle. These are brand new icons, have been optimized for performance when loading screens and are consistent with the icons used in the new Mobile App for iOS and Android.

We hope you like this final sneak peek and can’t wait to get your hands on V9 (just like us).

All suggestions and feedback are welcome via support@clickstudios.com.au.

Hosting Your Password Reset Portal in a DMZ

We were recently asked if it was possible to install the Passwordstate Password Reset Portal in a DMZ. A DMZ or Demilitarized zone, also known as a Perimeter Network or Screened Subnet, is usually a physically (or logically) separate network containing an organization’s external-facing services. The network those services face is usually the Internet; however, large federated institutions such as Universities sometimes use the same approach for common services offered to faculty networks.

Our Password Reset Portal is a Self-Service Portal designed to enable your users to unlock or reset the password for their Active Directory Domain account. The intent is to allow end-users to easily reset their own Active Directory password without having to contact your Help / Service Desk. This not only means the service is available 24 hours a day, but you also unburden your IT Support staff from having to handle high volume, repetitive, transactional processes that are ultimately of low value (if the security aspect is handled appropriately).

And yes, you absolutely can install the Password Reset Portal within a DMZ so that it’s accessible to employees that are out of the office.

Verify the User is who they say they are!

This is where we cover the prior statement about the security aspect being handled appropriately.

Most organizations struggle with the manual processes associated with verification of a user’s identity when they need their password reset! This isn’t just an unsubstantiated statement. The Click Studios Senior Management Team have worked in Executive and Senior IT Management positions spanning Global and Australian Enterprise Organizations, in industries such as Aerospace and Defence, Government, Law Enforcement, Mining, Oil & Gas, Banking & Finance, and Systems Integration.

Rather than utilize manual processes for identity verification, the Password Reset Portal has the option of up to 10 different secure verification policies to choose from. This means you can identify your users as they start the process of resetting or unlocking their AD Password. It’s a more secure process than having an employee manually process the request, provides a faster and better user experience and is available 24 hours a day!

Install the Password Reset Portal where you need it!

The Password Reset Portal is installed via a separate installer executable and is included with the Passwordstate core product download. It can be accessed from the screen Administration->Password Reset Portal Administration within Passwordstate. Installation is performed through a Setup Wizard and the instructions can be located here,


The Password Reset Portal operates via a separate website and communicates back to the main Passwordstate website via an SSL tunnel. All traffic carried via the SSL tunnel is encrypted. All business logic including user authentication, verification of user identity, password resetting and unlocking of accounts etc. is performed by the API (Application Programming Interface) located on your Passwordstate website.

As this blog is about installation of your Password Reset Portal in your DMZ, click next and supply the information relevant to your environment and click Save. You’ll then be prompted to run PasswordResetPortal.exe on the server you have chosen within your DMZ. Simply follow the instructions provided by the Installation Wizard to complete the install.

Open Port Considerations

It’s important to remember that your Website that hosts the Password Reset Portal in the DMZ must have appropriate ports open back to your Passwordstate web server.

  • For communication from the Password Reset Portal back to your Passwordstate Instance API this is generally Port 443 unless you are using a non-standard port by default for HTTPS. You must also have a Domain Certificate Authority installed, so that Passwordstate can communicate via LDAPS (LDAP over SSL).
  • Port 636 is required by LDAPS for communication by the Passwordstate User Interface and the API to Active Directory, allowing the reset of Passwords and unlocking of accounts.
  • Ports 135 and 49153 are required for the Passwordstate UI and Windows Service to query Event Logs on Domain Controllers for bad login attempts and account lockouts.
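The port list above can be turned into a least-privilege check on the firewall rule set. The sketch below is an added example, not Click Studios code: the host labels, the rule format and the sample rules are constructed, and it assumes (from the description of the API doing all business logic) that the DMZ portal only needs to reach the Passwordstate web server on 443.

```python
from dataclasses import dataclass

ANY = 0  # constructed convention: port 0 in a rule means "any TCP port"

# Constructed host labels; substitute your own zone or host names.
PORTAL, PSTATE, DC = "portal-dmz", "passwordstate", "domain-controller"


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int
    action: str = "allow"


# TCP flows taken from the bullet list above.
REQUIRED_FLOWS = [
    (PORTAL, PSTATE, 443),    # portal -> Passwordstate API over HTTPS
    (PSTATE, DC, 636),        # LDAPS for password resets and unlocks
    (PSTATE, DC, 135),        # Event Log queries on Domain Controllers
    (PSTATE, DC, 49153),      # Event Log queries on Domain Controllers
]


def covers(rule, flow):
    """True if an allow rule permits the given (src, dst, port) flow."""
    src, dst, port = flow
    return (rule.action == "allow" and rule.src == src
            and rule.dst == dst and rule.port in (port, ANY))


def audit(rules):
    """Report required flows that are blocked and DMZ rules that are too wide.

    Rule ordering (first match wins) is not modelled; every allow rule is
    treated as effective.
    """
    missing = [f for f in REQUIRED_FLOWS
               if not any(covers(r, f) for r in rules)]
    # Anything the portal host may reach beyond Passwordstate:443 widens
    # the path from the DMZ into the internal network.
    excessive = [r for r in rules
                 if r.action == "allow" and r.src == PORTAL
                 and (r.dst, r.port) != (PSTATE, 443)]
    return {"missing": missing, "excessive": excessive}


# Constructed sample rule set with one gap and one over-permissive rule.
SAMPLE_RULES = [
    Rule(PORTAL, PSTATE, 443),
    Rule(PORTAL, DC, 636),        # portal talking to AD directly: not needed
    Rule(PSTATE, DC, 636),
    Rule(PSTATE, DC, 135),
    # 49153 from Passwordstate to the Domain Controllers is absent
]

if __name__ == "__main__":
    report = audit(SAMPLE_RULES)
    for flow in report["missing"]:
        print("missing required flow:", flow)
    for rule in report["excessive"]:
        print("DMZ rule wider than needed:", rule)
```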

As usual, any suggestions or feedback are welcome via support@clickstudios.com.au.

Emergency Access Password – What is it and how do I find it?

Click Studios designed a secure Emergency Access login to Passwordstate back in the early days of Passwordstate 5. The Emergency Access account is a separate built-in account with ‘Security Administrator’ rights that allows login to Passwordstate when other accounts are locked out, or inaccessible for any reason. This account doesn’t allocate a license from your available license pool and is not intended for use in day to day operations. It should be regarded as an account of last resort.

An organization would typically only use their Emergency Access account under select scenarios such as;

  • You have issues authenticating to Passwordstate due to the Authentication Option you have selected no longer working.
  • All Security Administrator accounts have been accidentally disabled or deleted, with no other accounts being able to administer all settings for Passwordstate.

To login via the Emergency Access account you must browse to the URL HTTPS://<Your Passwordstate URL>/Emergency. You are then presented with the following login screen,


As stated in the image above, there is increased auditing associated with the Emergency Access account. In browsing to the login screen you will trigger an audit event. The following applies to attempted and successful logins using the Emergency Access account;

  • Browsing to the Emergency Access URL will generate an audit record. The details for the event, including the IP Address the access was initiated from, is subsequently emailed to all Security Administrators.
  • On successful and unsuccessful login, details for the event including the IP Address the login attempt was initiated from is emailed to all Security Administrators.
  • On successful login you must specify a reason why you need access and these details are added to the auditing data.

Once you’ve logged in with this account, you will have access to the Administration area of Passwordstate.

Auditing of Emergency Access

The auditing details below relate to Click Studios’ internal Passwordstate Instance and show an attempted access to the Emergency Access Login Screen (for the purpose of creating the blog entry). As this is our Production Instance please understand that I’ve redacted the account details, names of the Security Administrators and their email accounts from the screenshot below,

Setting the Emergency Access Password and Permitted IP Ranges

If you need to change the Emergency Access password navigate to Administration->Emergency Access->emergency access details. Here you can set the Password and print it out for safe storage if required,


Whilst you can always RDP directly to your Passwordstate Server, you can further lock down the ability to login over the network, via the Emergency Access login screen, by specifying Allowed IP Ranges. Using this feature, you can specify individual IP addresses as well as allowed IP address ranges. To set Allowed IP Ranges navigate to Administration->System Settings->allowed ip ranges and add the relevant entries under Emergency Access Allowed IP Ranges. Remember to add only one specific address or IP range per line,
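Before pasting entries into that field, it helps to lint the list and to compare it with the source addresses reported in the Emergency Access audit emails. The following is an added example, not part of Passwordstate: the CIDR and start-end range syntaxes are assumptions (check the product documentation for the syntax the field accepts), and the allow-list and audit events are constructed.

```python
import ipaddress


def parse_allowed(text):
    """Parse a one-entry-per-line allow-list.

    Returns (networks, errors), where errors is a list of
    (line_number, entry) pairs for lines that are not exactly one
    address, one CIDR block or one start-end range (assumed syntaxes).
    """
    networks, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            if "-" in entry:
                first, last = (ipaddress.ip_address(p.strip())
                               for p in entry.split("-", 1))
                # Convert the range to the CIDR blocks that cover it exactly.
                networks.extend(
                    ipaddress.summarize_address_range(first, last))
            else:
                networks.append(ipaddress.ip_network(entry, strict=False))
        except (ValueError, TypeError):
            # Two entries on one line, reversed ranges and typos land here.
            errors.append((lineno, entry))
    return networks, errors


def outside_allowed(events, networks):
    """Return the audit events whose source IP matches no allowed network."""
    return [e for e in events
            if not any(ipaddress.ip_address(e["ip"]) in n for n in networks)]


# Constructed allow-list; line 4 breaks the one-entry-per-line rule.
SAMPLE_ALLOWLIST = "\n".join([
    "192.0.2.10",
    "198.51.100.0/28",
    "203.0.113.20-203.0.113.29",
    "192.0.2.50, 192.0.2.51",
])

# Constructed audit events carrying the source IP, as the audit emails do.
SAMPLE_EVENTS = [
    {"event": "Emergency Access URL browsed", "ip": "198.51.100.5"},
    {"event": "Emergency Access login failed", "ip": "203.0.113.30"},
    {"event": "Emergency Access login succeeded", "ip": "192.0.2.10"},
    {"event": "Emergency Access URL browsed", "ip": "192.0.2.50"},
]

if __name__ == "__main__":
    nets, errs = parse_allowed(SAMPLE_ALLOWLIST)
    for lineno, entry in errs:
        print(f"line {lineno}: not a single address or range: {entry!r}")
    for event in outside_allowed(SAMPLE_EVENTS, nets):
        print("source outside allowed ranges:", event["ip"], event["event"])
```

An address that appears only on a rejected line, such as 192.0.2.50 here, is treated as not allowed, which is the safe reading of a malformed entry.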


Recover the Emergency Access Password

If you ever lose the printed copy of the Emergency Access Password, or if it’s been reset by someone and not recorded anywhere, you can contact Click Studios and ask us to recover it for you.

In these instances we’ll need email approval from line management before proceeding. Once we have approval, we’ll require;

  • The most recent version of your Web.config file. This should be located in the root directory of your Passwordstate installation or C:\inetpub\passwordstate.
  • The values for EA_Password, Secret3 and Secret4 from your Passwordstate Database, located in the Passwordstate table. To extract these, you’ll need to use Microsoft’s SQL Management Studio tools to connect to your database server and execute the following query;

    USE Passwordstate

    SELECT EA_Password, Secret3, Secret4 FROM SystemSettings

We’ll then recover the Emergency Access Password for you using our in-house support tools;


We’ll then email the password details back to you. Once you receive the email we suggest the first thing you do is change the Emergency Access Password, record it, print it out and store it somewhere safe! We also encourage you to rotate your encryption keys, refer to Section 2.12 Encryption Keys here.

That’s it for this week. Any suggestions or feedback are welcome and you can send these through to support@clickstudios.com.au.

Creating New Private Password Lists for New Users

Passwordstate allows teams of people to access and share sensitive password credentials through the concept of Shared Password Lists. This enables your organization to implement granular control over who has access to your privileged account credentials through Role Based Access Control. This in turn enables built-in auditing and compliance capabilities to track who has accessed credentials and when.

Equally important is the concept of Private Password Lists, where individuals can securely record and manage credentials that are used for private use. The ability to create and use Private Password Lists is free and provided as part of the named User Licensing Model that Passwordstate uses. But what does this mean? It means that if a user has access to login to Passwordstate, they are enabled and have a Named User License automatically applied to their account, license count permitting.

Organizations that don’t allow the use of Private Password Lists for their users typically struggle with enforcing the use of Shared Password Lists. This is understandable as you are in effect stating that credential management is only important for business use and not personal use. On the other hand, organizations that adopt and promote the use of Private Password Lists typically build a healthy cybersecurity awareness in their workforce with employees embracing credential management for both personal and organizational use.

So how do you minimize the impact on Security Administrators having to setup Private Password Lists for all your employees?

Automatically create Private Password Lists for New Users

To reduce the workload on your Passwordstate Security Administrators, and make life easier for your users, you can automatically create Private Password Lists for all new user accounts as they are added to Passwordstate. This is done by enabling the option to automatically create a Private Password List for new users. To do this navigate to Administration->System Settings->password list options and click the Yes radio button underneath When a new User Account is added to Passwordstate, automatically create a Private Password List for the user option. You can also specify the name of the Private Password List using the variables FirstName and Surname shown below,


In doing this all new users that are added will have a Private Password List created in the root of the Passwords Tab. If you decide to not use the variables in the name then all Private Password Lists will look to have the same name, however they will all have a unique PasswordListID that is used to identify them at a system level. And of course, each Private Password List will only have Administrator permissions assigned to the appropriate user.

Customize Private Password List Fields with User Account Policies

It is possible to create all Private Password Lists with additional fields that the user may want to use. For example, these could be fields for a support email, PIN for 2FA, a phone number, or an address. By default, automatically created Private Password Lists include the URL field, however they aren’t based on any of the templates located under Administration->Password List Templates.

In order to add specific additional fields, you’ll need to create a User Account Policy for all users, that references a custom Password List Template. First, you’ll need to create a template that contains the fields that you want to provision for new users. To do this navigate to Administration->Password List Templates and click on Add New Template,


Give the template a Name, Description, choose an image and define the required Password Strength Policy, Password Generator Policy and any Additional Authentication you require. Then select the customize fields tab and specify the additional fields you want to provision. In the example below I’ve created the following text fields email, PIN, Phone Number and Address,


Now create a User Account Policy that will use the new Password List Template. In my example I’ve named it “Private Password Lists”. Navigate to Administration->User Account Policies and click on Add to create a new User Account Policy,


Supply a Policy Name, Description and on the password list options tab, for Setting ID E4, select the name of the Password Lists Template you wish to reference,


Then click Save. Now click on the Actions icon and select Apply Policy to Users, selecting All Users and Security Groups,


Now every time a New User is added to Passwordstate they will have an automatically created Private Password List with all the Fields that you’ve selected. Each individual user will be the Administrator of their Private Password List and will be able to edit it as desired.

Don’t forget, we welcome your feedback via support@clickstudios.com.au.

What Else Can I Record with Passwordstate

Most existing customers will have a good idea of the benefits that Passwordstate provides. The core product, an on-premise web-based solution for Enterprise Password Management, provides enormous flexibility for individuals and teams accessing and sharing sensitive password resources.

However, in this week’s blog we want to draw to your attention some other use cases, where Passwordstate’s ability to share information, based on assigned roles and permissions along with audited access, can provide even greater value to your organization.

So what else can I Record?

Passwordstate has a number of default templates, not related to Passwords, that can be used through the Add Shared Password List Wizard. The key ones being,

  • Alarm/Door Codes
  • Credit Cards
  • Software Licences
  • SSL Certificates

By using the Add Shared Password List Wizard and selecting one of the above templates you are in effect creating a List of critical details relating to that topic instead of a Password List. The example below is the Click Studios Door PIN Codes which lists all the PIN codes for access to different sections of the Click Studios office,


The details in each List consist of Standard and Generic fields, with all Generic fields being able to be renamed to fit in with an organization’s terminology and naming conventions. You can easily add additional fields to suit your particular requirements. Note you can select the Hide Column from the List view, so the hidden details are only revealed when you click on the record. This ensures access to all of the data for that record is logged when a user reviews it. You should also consider ticking the Encrypt check box to prevent Database Administrators from seeing critical sensitive data stored within the database.

This List can then be provided to applicable users and Security Groups via Password List Permission->Grant New Permissions.

Default fields provided by each of the Templates

By default, Passwordstate provides the following predefined fields for each of the different Lists that you’ve created,

  • Alarm/Door Codes: Title, Description, Building, Security Code
  • Credit Cards: Title, Description, Card Type, Card Number, CVV, Expiry Date
  • Software Licences: Title, Description, Software Name, Software Version, Software Owner, Expiry Date
  • SSL Certificates: Title, Description, Expiry Date

Build your own Lists

You can also build your own Lists, to suit other purposes. The example below is our List containing Hardware Maintenance Contract details, including Authorization codes which are hidden and uploaded documents outlining all the device serial numbers, that are covered by maintenance,


Any information that needs strict control and audited access by authorised users can be set up with these Lists.

As always, we welcome your feedback via support@clickstudios.com.au.

How to use your Phone for Google Authenticator and Passwordstate

We often receive support requests asking how to enable Two-Factor Authentication (2FA) in addition to AD Authentication. This is a straightforward process and the 2FA options can be used with Single-Sign-On (SSO), Manual AD Authentication and even with Local Passwordstate Accounts.

Background

There are a couple of approaches that can be used to set this up. For the examples in this week’s blog I’m going to be using the Google Authenticator App from an iPhone and a Local Passwordstate Account. These examples will work equally well with AD Accounts, the only difference being the required Authentication Options under Administration->System Settings->authentication options->Choose Authentication Option.

I normally choose SSO (Passthrough AD Authentication) for the System Wide Authentication setting, as I quickly jump in and out of my Passwordstate Sandpit environment. For the purpose of doing this blog I’ve dropped back to Manual AD Authentication as I’m logging into Passwordstate with 2 accounts from the same computer.

Create a User Account Policy for 2FA with Google Authentication

Using a User Account Policy is a great way to both test the 2FA configuration as well as making it easier to rollout across your intended users.

Navigate to Administration->User Account Policies and click Add to create a new Policy. Give the policy a name and description and select the Authentication method you want to assign at A6. In the example below I’ve used Manual AD and Google Authenticator, then click Save at the bottom of the page,


Apply the User Account Policy to Users

Next, you’ll need to apply the newly created User Account Policy to Users. Select the Action button next to the Policy Name, click and select Apply Policy to Users,


Now select the users you want to apply this User Account Policy to. In the below example I’m using a single account for testing purposes. Once you’re happy it’s working you can go back in and apply it to Security Groups as required,


Now when I log into Passwordstate for the first time after the policy has been applied, I’ll be presented with a normal login screen,


And on clicking Logon I’ll be presented with,


I now need to use the Google Authenticator App and select the + symbol to add an Authenticator, pick Scan barcode and place the QR code that is presented above within the onscreen frame. This will then set up the Authenticator and present back the PIN code that needs to be entered.


Simply enter this in the Google Verification Code and click Login.

Once you’re happy you can Apply the User Account Policy to the required Security Groups to rollout the policy.
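What the QR code and the PIN in the steps above amount to, as an added example that is not Passwordstate code: Google Authenticator implements TOTP (RFC 6238), and the enrollment QR code carries an `otpauth://` URI holding the shared secret, which is why that screen should be treated like a password. The sample URI, account label, drift window and replay check are assumptions for illustration; the secret is the RFC 6238 test value.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed enrollment URI (RFC 6238 test secret); a real one is unique per user.
SAMPLE_URI = ("otpauth://totp/Passwordstate:testuser"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Passwordstate")


def parse_otpauth(uri: str) -> dict:
    """Extract the shared secret and parameters carried by the enrollment QR code."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP enrollment URI")
    q = parse_qs(u.query)
    secret = q["secret"][0].replace(" ", "").upper()
    secret += "=" * (-len(secret) % 8)          # restore stripped base32 padding
    return {
        "label": unquote(u.path.lstrip("/")),
        "key": base64.b32decode(secret),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


def totp(key: bytes, unix_time: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 code: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", int(unix_time) // period), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Accepts codes within +/- `window` time steps and rejects reuse of a step."""

    def __init__(self, key: bytes, window: int = 1, period: int = 30):
        self.key, self.window, self.period = key, window, period
        self.last_step = -1                     # highest time step already accepted

    def verify(self, code: str, now: int) -> bool:
        step = int(now) // self.period
        for s in range(step - self.window, step + self.window + 1):
            if s <= self.last_step:
                continue                        # replayed or older code
            expected = totp(self.key, s * self.period, period=self.period)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_step = s
                return True
        return False
```

The drift window is why a phone clock that is a few seconds out still logs in, while one that is minutes out does not.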

Using SSO with 2FA & Google Authentication

As stated at the beginning you can use 2FA with both SSO (Passthrough AD Authentication) and Manual AD Authentication. The only differences being that with SSO you only need to ensure your System Wide Settings under Administration->System Settings->authentication options->Choose Authentication Option is set to Passthrough AD Authentication, and the Authentication Option you specify at Setting A6 in your User Account Policy is set to just Google Authenticator as per the below image;


This will in effect Prompt for your Google Authenticator credentials during the Passthrough Process. It is highly recommended that you don’t roll this configuration out to all users as it defeats the purpose of having SSO. Rather you should reserve it for those users that have access to highly privileged password credentials or those accounts associated with considerable impact if the credentials were stolen or misused.

As always, we welcome your feedback via support@clickstudios.com.au.

Anatomy of the Upgrade Process

Here at Click Studios we occasionally get asked “What happens behind the scenes during an In-Place Automated Upgrade?” and “What’s the difference between the In-Place Automated Upgrade with Internet Connectivity and without Internet Connectivity?”.

To answer the second question first, the only difference between an In-Place Automated Upgrade with Internet Connectivity and without Internet Connectivity, is that without Internet Connectivity you’ll manually need to download the passwordstate_upgrade.zip containing the latest source files and execute a SQL statement. When performing the In-Place Automated Upgrade with Internet Connectivity the upgrade automatically reaches out to the CDN (Content Delivery Network), downloads the latest passwordstate_upgrade.zip, and updates the Build and Version numbers.

It is highly recommended that users should, wherever possible, use the In-Place Automated Upgrade with Internet Connectivity and allow Passwordstate to handle the retrieval process and magic directly.

In-Place Upgrade with Internet Connectivity

The following process applies to an In-Place Automated Upgrade of Passwordstate with Internet Connectivity. On clicking Upgrade Now from Administration->Backups and Upgrades;

  • You will be taken to the Passwordstate Upgrade Screen. This shows your Current Build and the Latest Build Available. It will also provide you with guidance on the steps required.
  • Place your Passwordstate Instance in ‘Maintenance Mode’ by clicking on the Enable Maintenance Mode button.
  • This will take you to the Maintenance Mode Screen showing any Active Users for your Passwordstate Instance, a field where you can specify, in minutes, when to terminate those users’ sessions, and the Enable Maintenance Mode Button.
  • On clicking the Enable Maintenance Mode button you will be taken back to the Passwordstate Upgrade Screen and can click on the Begin Upgrade button.
  • You will now be presented with the Step 1 – Upgrade the Web Files Screen. To continue click on the Start Upgrade button.
  • The Passwordstate and Passwordstate-Gateway Windows Services will now be gracefully stopped.
  • Passwordstate’s Web Files will be compressed and, along with your database, backed up. The backup is performed using the settings specified under Administration->Backups and Upgrades->Settings. Please note the account used for the backup must have Write Access to the Backup Path and the Passwordstate Folder, and appropriate permissions to be able to Stop and Start both Passwordstate Windows Services. Your SQL Server Windows Service must also be configured with an account that has Write Access to the Backup Path. When making any changes to the Backup Settings it is recommended you click the Test Permissions button at the bottom of the page.
  • The upgrade will now reach out to the CDN to download the latest passwordstate_upgrade.zip, which contains the Web source files and required SQL scripts, and place it in the Upgrades folder. This is located under \inetpub\Passwordstate on the drive you installed Passwordstate on.
  • New Web Files will now be extracted from passwordstate_upgrade.zip with the new versions overwriting all corresponding files located in \inetpub\Passwordstate. Critical files such as web.config, gateway.conf, Passwordstate.pfx (if using the Browser Based Gateway), along with your SecurID folder are not touched during this process.
  • You will now be logged out of Passwordstate.
  • On logging back into Passwordstate, using the same account you commenced the upgrade with, you will be presented with the Step 2 – Upgrade the Database Screen. To continue click on the Start Upgrade button.
  • The Upgrade will update your database to the latest version. This will include any schema and data changes along with writing the Passwordstate version number to the database.
  • Once the database upgrade is complete all temporary files used during the upgrade are deleted.
  • The Passwordstate and Passwordstate-Gateway Windows Services are now restarted.
  • Upgradelog.txt located in the \inetpub\Passwordstate\upgrades folder is retained as it contains information relating to the upgrade processes.
  • You are returned to the Administration->Passwordstate Administration Screen showing the latest Build number.

In-Place Upgrade without Internet Connectivity

The following process applies to an In-Place Automated Upgrade of Passwordstate without Internet Connectivity.

  • You’ll need to manually download the latest passwordstate_upgrade.zip from the CDN https://www.clickstudios.com.au/getupgradefile.aspx or from https://www.clickstudios.com.au/downloads/passwordstate_upgrade.zip. This contains the Web source files and required SQL scripts, and needs to be placed in the folder \inetpub\Passwordstate\Upgrades on the drive you installed Passwordstate on.
  • Using Microsoft’s SQL Server Management Studio, you will need to enter the latest build number as stated on Click Studios’ home page https://www.clickstudios.com.au/. To do this you’ll need to run the following statement within SQL Server Management Studio,

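    -- Replace 8.9 and 8951 with the current version and build from the Click Studios home page
    USE Passwordstate

    UPDATE [SystemSettings]

    SET NewVersionNo = '8.9', NewBuildNo = '8951'

    Ensuring the NewVersionNo uses the first 2 digits separated by a “.” and the NewBuildNo shows the full number from Click Studios’ home page. The values must be wrapped in plain single quotes, not the curly quotes a word processor may substitute.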

  • Log in to Passwordstate and navigate to Administration->Backups and Upgrades, click on Upgrade Now and place your Passwordstate Instance in ‘Maintenance Mode’ by clicking on the Enable Maintenance Mode button.
  • This will take you to the Maintenance Mode Screen showing any Active Users for your Passwordstate Instance, a field where you can specify, in minutes, when to terminate those users’ sessions, and the Enable Maintenance Mode Button.
  • On clicking the Enable Maintenance Mode button you will be taken back to the Passwordstate Upgrade Screen and can click on the Begin Upgrade button.
  • You will now be presented with the Step 1 – Upgrade the Web Files Screen. To continue click on the Start Upgrade button.
  • The Passwordstate and Passwordstate-Gateway Windows Services will now be gracefully stopped.
  • Passwordstate’s Web Files will be compressed and, along with your database, backed up. The backup is performed using the settings specified under Administration->Backups and Upgrades->Settings. Please note the account used for the backup must have Write Access to the Backup Path and the Passwordstate Folder, and appropriate permissions to be able to Stop and Start both Passwordstate Windows Services. Your SQL Server Windows Service must also be configured with an account that has Write Access to the Backup Path. When making any changes to the Backup Settings it is recommended you click the Test Permissions button at the bottom of the page.
  • The upgrade will now use the latest source files you’ve placed in \inetpub\Passwordstate\Upgrades. The new Web Files will be extracted from passwordstate_upgrade.zip and the new versions will overwrite all corresponding files located in \inetpub\Passwordstate. Again, all critical files such as web.config, gateway.conf, Passwordstate.pfx (if using the Browser Based Gateway), along with your SecurID folder are not touched during this process.
  • You will now be logged out of Passwordstate.
  • On logging back into Passwordstate, using the same account you commenced the upgrade with, you will be presented with the Step 2 – Upgrade the Database Screen. To continue click on the Start Upgrade button.
  • The Upgrade will then update your database to the latest version, including any schema and data changes. Note you have already written the Version number to the database.
  • Once the database upgrade is complete all temporary files used during the upgrade are deleted.
  • The Passwordstate and Passwordstate-Gateway Windows Services are now restarted.
  • Upgradelog.txt located in the \inetpub\Passwordstate\Upgrades folder is retained as it contains information relating to the upgrade processes.
  • You are returned to the Administration->Passwordstate Administration Screen.
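An added pre-flight and post-check for the offline upgrade steps above (example code, not from Click Studios): it confirms the manually downloaded archive is in the Upgrades folder and intact, renders the SQL statement from a validated build number, and hashes the files the page says are left untouched so they can be compared after the upgrade. The function names and the constructed directory in `demo()` are assumptions; on a real server pass the `\inetpub\Passwordstate` path instead.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path

# Files and folder the page lists as untouched by the upgrade.
PRESERVED = ("web.config", "gateway.conf", "Passwordstate.pfx", "SecurID")


def render_sql(build: str) -> str:
    """The page's statement; NewVersionNo is the first two build digits joined by '.'."""
    if not (build.isascii() and build.isdigit() and len(build) >= 2):
        raise ValueError(f"build number must be plain digits, got {build!r}")
    return ("USE Passwordstate\n"
            "UPDATE [SystemSettings]\n"
            f"SET NewVersionNo = '{build[0]}.{build[1]}', NewBuildNo = '{build}'")


def check_upgrade_zip(web_root: Path) -> str:
    """Confirm the downloaded archive is in Upgrades and intact; return its SHA-256."""
    zip_path = web_root / "Upgrades" / "passwordstate_upgrade.zip"
    if not zipfile.is_zipfile(zip_path):        # also False when the file is absent
        raise ValueError(f"missing or not a zip archive: {zip_path}")
    with zipfile.ZipFile(zip_path) as zf:
        if zf.testzip() is not None:            # a member failed its CRC check
            raise ValueError("corrupt member in passwordstate_upgrade.zip")
    return hashlib.sha256(zip_path.read_bytes()).hexdigest()


def snapshot_preserved(web_root: Path) -> dict:
    """SHA-256 of every preserved file (recursing into SecurID), by relative path."""
    snap = {}
    for name in PRESERVED:
        target = web_root / name
        files = sorted(target.rglob("*")) if target.is_dir() else [target]
        for f in files:
            if f.is_file():
                snap[f.relative_to(web_root).as_posix()] = hashlib.sha256(f.read_bytes()).hexdigest()
    return snap


def diff_snapshots(before: dict, after: dict) -> dict:
    return {
        "changed": sorted(k for k in before if k in after and before[k] != after[k]),
        "missing": sorted(set(before) - set(after)),
        "added": sorted(set(after) - set(before)),
    }


def demo() -> dict:
    """Constructed web root; the simulated fault rewrites web.config mid-upgrade."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("Upgrades", "SecurID"):
            (root / d).mkdir()
        for name in ("web.config", "gateway.conf", "Passwordstate.pfx", "SecurID/sample.dat"):
            (root / name).write_bytes(b"constructed " + name.encode())
        with zipfile.ZipFile(root / "Upgrades" / "passwordstate_upgrade.zip", "w") as zf:
            zf.writestr("default.aspx", "constructed page")
        before = snapshot_preserved(root)       # take before clicking Upgrade Now
        (root / "web.config").write_bytes(b"overwritten")
        diff = diff_snapshots(before, snapshot_preserved(root))  # take after restart
        return {"sql": render_sql("8951"), "zip_sha256": check_upgrade_zip(root), "diff": diff}
```

An empty diff after the services restart matches the behaviour the page describes; record the archive's SHA-256 with the change ticket so the exact file that was applied can be identified later.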

We’ve deliberately repeated the level of detail above even though it is quite similar. There’s nothing worse than trying to hunt down information when you need it in a hurry.

We hope the detail above helps you in understanding what is occurring during the upgrade process. As always, we welcome your feedback via support@clickstudios.com.au.

RDP and SSH Sessions to Remote Hosts

Click Studios introduced the Browser Based Remote Session Launcher back in Passwordstate 8.2 – Build 8275 (March 2018). When combined with our Remote Site Locations module customers have the ability to use our first-in-class Browser Based Remote Access solution, over RDP and SSH, to connect to machines located on a remote network.

The primary functionality provided by the Remote Site Locations Module is to allow your existing Passwordstate Instance to provide Privileged Account Management (PAM) for networks firewalled on either your internal network or over the Internet.

However, when using the Remote Site Locations module with the Browser Based Remote Session Launcher, customers have the ability to establish RDP and SSH sessions to systems hosted on the remote network. This offers a significant advantage for larger customers and Managed Service Providers, in that it provides a zero-additional-cost remote access solution for connecting to remote hosts with full auditing and session recording, and requires no client agent deployments.

Requirements and Architecture

As outlined above, your Passwordstate instance will require the Remote Site Locations module with a current subscription for the number of remote sites that you wish to manage. Pricing for the Remote Site Locations modules can be found here. Please contact sales@clickstudios.com.au to ensure your price for the subscription is co-termed with your existing Annual Support and Upgrade Protection expiry date.

The architecture required for deployments is straightforward. In the example below we have a fictitious customer with a requirement for PAM on a remote firewalled network, with access to that network via the internet. In this example they already have a Passwordstate Instance and would require;

  • A Remote Site Locations module subscription for 1 site, co-termed to their Passwordstate Annual Support and Upgrade Protection expiry date,
  • Installation of the Remote Site Locations agent on a server at the remote site,
  • Installation of the Browser Based Gateway on the same server as the Remote Site Locations agent,
  • A functioning external DNS record which can redirect traffic to the Remote Site firewall,
  • One open port on the firewall and ability to forward HTTPS traffic to the Server that has the Remote Site Locations agent and Browser Based Gateway installed on it.

In the diagram below we have installed both the Remote Site Locations agent and the Browser Based Gateway at the remote site, and opened up a single port, 7273, on the remote firewall to enable communication between the Passwordstate Instance and the Remote Site Agent.

Full instructions for the installation of both the Remote Site Agent and the Browser Based Gateway can be found in the Passwordstate Remote Site Agent Manual located here.

Benefits

The Browser Based Remote Session Launcher is not intended to be a feature for feature competitor with the likes of TeamViewer, AnyDesk or LogMeIn. Rather it is functionality that is included within the Passwordstate Core and Remote Site Locations offerings.

By using the solution outlined above, you can achieve the following benefits and potential cost savings;

  • Remote hosts do not require an agent to be installed on them,
  • Encryption of traffic, between your Passwordstate Instance and the Remote Site agent, using advanced InTransit Encryption keys (no possibility of a data breach),
  • Secure RDP and SSH sessions to any host located on the remote network,
  • Only one port is required to be opened on the remote firewall, restricted to traffic between the Passwordstate Instance and the Remote Site agent’s IP addresses,
  • Native integration between the PAM functionality provided by Passwordstate and this Remote Access Solution e.g. control who can access what remote systems, audit these accesses, restrict and even hide the password credentials for the remote systems etc.,
  • Retain full control over the use of remote access and the required remote system credentials,
  • Full auditing on who launched a Remote Session, to which Host, from what IP Address, and using which specific authentication credentials,
  • Session recording and playback to enable investigation into any suspicious activity during remote access,
  • Make potentially substantial savings by removing the cost of your existing Remote Access solution.

It should be pointed out that this functionality is intended for System Administrators managing remote systems. The solution does not provide Screen Sharing, so it is not suitable for situations where you are either watching or showing end users how to use end devices or applications.

As always, your feedback is welcome via support@clickstudios.com.au.