What’s New in Passwordstate Version 8

Click Studios is very happy to announce the release of Version 8 of Passwordstate, which we have been working on for the past 12 months.

Version 8 comes with two new major modules, and many new improvements to our Password Management platform. Below are the major changes, with many more minor changes not documented in this post.

New Interface
We’ve been working on several improvements to the interface of Passwordstate, to make workflow more intuitive, and to provide a more appealing User Interface experience. Some of the changes are:

  • A new modern looking interface
  • A new Notification Centre for important alerts
  • The Remote Session Launcher feature has been given its own focus with a new Hosts navigation tab
  • A new consolidated search improvement to search for either Password credentials, or Host records
  • Password Folders have now been redesigned, to improve the type of information which can be associated with the Folder
  • And various navigation menus have been moved around to simplify the UI for the majority of users

Below are some screenshots for features mentioned above.

New Modern Looking Interface

New Notification Centre

New Hosts Navigation Tab

Consolidated Search Improvements

When using the Search feature in the top header bar, you can search for either Password credentials in the Passwords tab, or Host records in the Hosts tab.

By default, it will search within the currently selected Tab, but you can either append a p (for Passwords) or h (for Hosts) to the end of your search term, if you need to swap which tab you are searching within.

Password Folder Changes

In prior versions of Passwordstate, the Password Folder view was primarily the same as Passwords Home, but just a filtered view of records nested beneath it. This caused some confusion for customers, and was a feature rarely used, so Password Folders have now been given their own custom screen.

On this screen you see various fields for the Folder at a glance, as well as a Guide if specified, and you can also upload relevant documents to the folder – and link to any relevant External links as well.

Password Reset Portal

We have added a new module in Passwordstate called the Password Reset Portal. This is a Self-Service Password Reset Portal, which allows users to reset their own password for their domain account, or unlock their account, without needing to call the IS Service Desk (Help Desk).

Once the user has enrolled to use the feature, resetting their account is a simple 3 step process:

  1. Identify who they are
  2. Verify who they are
  3. Reset or Unlock their account

The Portal itself is installed separately to Passwordstate, and communicates securely back to the Passwordstate API. The Portal can be installed in your DMZ as an example, and then be accessible on all mobile phones, or desktop computers (Windows, Macs, Linux, etc).

The key component of a Reset Portal like this is accurately ‘Verifying’ the user’s account, to prevent unauthorised users from resetting accounts other than their own. For our Reset Portal, the following methods are used, which we call ‘Verification Policies’:

  • AuthAnvil Authentication
  • Duo Push Authentication
  • Email Temporary PIN Code
  • Google Authenticator
  • One-Time Passwords (TOTP or HOTP)
  • PIN Number
  • RADIUS Authentication
  • RSA SecurID Authentication
  • Safenet Authentication

Some of these two-factor authentication options require a subscription to third party providers, but options like Email Temporary PIN Code, Google Authenticator, One-Time Passwords (TOTP or HOTP) & PIN Number can be used for free.

Below are some screenshots of key areas within the Administration area of Passwordstate, as well as screenshots of the Portal itself – the Portal can also be customized with different background images, and colors.

Active Directory Domains

Multiple Active Directory Domains can be added, and LDAP over SSL (Port 636) is used by default to communicate with the domain.

Reporting

Various pre-defined reports are available, assisting with management of the module, and confirmation the portal is being used by your users.

User Account Management

The User Account Management screen can be used for various user management tasks, including resetting or unlocking a user’s account if required. The whole purpose of the Reset Portal is to prevent this from happening though, so if a user does call the Help Desk asking for assistance, you can log a reason why they are doing this – and then over time, you can get a picture as to why the Reset Portal is not being used, and address those reasons specifically.

On the Account Lockout Monitoring tab, you can also look at Domain Controller Event Log data, if needed, to try to identify where a user’s account is constantly being locked out.

Verification Policies

The Verification Policies screen is where you specify which policies apply to which users (multiple policies can be used), customize the configuration settings for the policy, and also customize the Enrollment Emails which can be sent.

On initial deployment, after applying the policy to user accounts or security groups, you can use the ‘Send Enrollment Email 1’ menu to send the initial email to all users on this policy. Enrollment email 2 and 3 will be sent automatically, if the user fails to enroll. Any subsequent users who are added to the system via an AD Security Group synchronization, will have each of the 3 enrollment emails sent as appropriate.

Portal Screenshot 1 – Identify

Portal Screenshot 2 – Verify

Portal Screenshot 3 – Reset or Unlock

If the user’s account is also locked, this screen will tell them so and give them the option to unlock it as well.

Managed Service Provider (MSP) Features

In version 8, the other new major module we’ve added is our Remote Site Locations, along with many other new features for our Managed Service Provider customers, in particular:

  • A Remote Site Agent which can be deployed, to perform Account Discoveries, Password Resets, Account and Host Heartbeats on customer’s networks – securely communicating on one port over the Internet
  • A new process for easily resetting many passwords at once, if a technician/staff member were to leave
  • You can associate Hosts, Folders, Password Lists and Passwords, Domains, Privileged Accounts and many other things with the appropriate Site Location
  • We have added support in our Remote Session Launcher for TeamViewer as well
  • Users from these Remote Site Locations can now also login to Passwordstate to see their passwords (View Access), without consuming any of your standard Passwordstate Client Access Licenses
  • You can now upload documentation to customer folders and Host records as well, and link to other sources of documentation too

Remote Site Locations and Agent

The Remote Site Locations area within the Administration screens is the core of the new features for MSPs. Once you have added one or more Remote Site Locations, you can then deploy agents to customers’ sites, and start tagging data within Passwordstate to reflect what data belongs to which customers.

The screen below shows three remote site locations, the health of the Remote Agent, as well as the duration for various tasks.

Deploying the agent is a very simple process, using a silent installer with appropriate command line parameters as per the screenshot below. The machine the agent is installed on must be able to communicate back to the URL you see in this screenshot – i.e. only 1 port needs to be open back to your internal network.

In addition to the agent communicating back securely over HTTPS, all traffic within the HTTP body is also further encrypted using 256-bit AES encryption, with unique In-Transit Encryption keys per customer.

In addition to all the standard auditing data which is added, the agent itself also logs various files locally to help with troubleshooting if required.

Resetting Passwords en Masse when a Technician Leaves

If one of your technicians leaves your company, it is possible to reset multiple accounts en masse using the ‘Bulk Password Resets’ feature, which can be found on the screen Administration -> Passwordstate Administration -> Password Lists.

Below is a screenshot of this feature, showing various filtering features, and options for adding one or more records to the Password Reset Queue, either immediately, or at a schedule.

Windows Integrated API

In prior versions of Passwordstate, the API required the use of one or more API keys as authentication to the various API methods. Whilst this type of API allows calls from any Operating System, one of the drawbacks is a lack of accountability as to which user is executing the API call – this is not reflected in Auditing data, as it’s not “user aware”.

In version 8 of Passwordstate, we now have a new Windows Integrated API, which means all access, and all auditing, is “user aware”. As an example, when searching for password records via the API, it will return the exact same results as it would via the User Interface when the user is logged in.

When accessing the new Windows Integrated API, you would use the URL of /WinAPI instead of just /API. Below is also a screenshot of a PowerShell command which shows how the identity of the logged in user can be passed to the API.
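The user-aware call described above, as an added PowerShell example; it is not Click Studios’ code and not the command from the original screenshot. The host name, the `searchpasswords` path and the `search` query parameter are assumptions used for illustration; only the /WinAPI prefix comes from this post.

```powershell
# Added example: call the Windows Integrated API as the logged-in Windows user.
# Assumptions (not from the post): host name, 'searchpasswords' path, 'search' parameter.
function Search-PasswordstateAsCurrentUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [uri]    $BaseUrl,     # placeholder, e.g. https://passwordstate.example.internal
        [Parameter(Mandatory)] [string] $SearchTerm
    )

    # Refuse plain HTTP: the Windows identity and any returned secrets must only cross TLS.
    if ($BaseUrl.Scheme -ne 'https') {
        throw "BaseUrl must use https, got '$($BaseUrl.Scheme)'."
    }

    # /winapi (rather than /api) selects the Windows Integrated API.
    $query = [uri]::EscapeDataString($SearchTerm)
    $uri   = '{0}/winapi/searchpasswords/?search={1}' -f $BaseUrl.AbsoluteUri.TrimEnd('/'), $query

    try {
        # -UseDefaultCredentials passes the identity of the logged-in user via
        # Windows integrated authentication, so no shared API key sits in the
        # script and the call is attributable to a real account in the audit data.
        Invoke-RestMethod -Method Get -Uri $uri -UseDefaultCredentials -ErrorAction Stop
    }
    catch {
        $status = $null
        if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
        if ($status -eq 401) {
            throw "401 from $($BaseUrl.Host): the current Windows identity was not accepted."
        }
        throw   # anything else is re-thrown unchanged
    }
}

# Usage (placeholder host):
# Search-PasswordstateAsCurrentUser -BaseUrl 'https://passwordstate.example.internal' -SearchTerm 'router'
```

Because the request carries the caller’s own identity, the results are limited to what that user could see in the User Interface, which is the behaviour the post describes for the Windows Integrated API.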

New Discovery Jobs

In addition to discovery of Local Administrator Accounts on Windows Hosts, and Windows Dependencies, we’ve also added the following new Discovery Jobs in version 8, which save a lot of time discovering accounts on your network, and importing them into Passwordstate for better Privileged Account Management (PAM).

  • Cisco IOS Accounts
  • HP H3C Accounts
  • Juniper Junos Accounts
  • Linux and Mac Accounts
  • MS SQL Database Accounts
  • MySQL Database Accounts
  • Oracle Database Accounts


Reporting Improvements

34 new pre-defined reports have been added to version 8, which can be reported in real-time, scheduled, or run via the API as well.

In addition, the Scheduled Reports ‘Expiring Passwords’ and ‘Custom Auditing’ Reports have been improved as well, with further filtering available.

34 Pre-Defined Reports

Custom Auditing Report

The filtering options highlighted below have been added for the Custom Auditing report.

Expiring Passwords Report

The filtering option highlighted below has been added for the Expiring Passwords report.

Document Management Improvements

Document Management in Passwordstate has been given some focus as well, with improvements in the following areas:

  • Depending on your browser and document type, documents can now be viewed in the browser, instead of you first needing to download and save the document somewhere.
  • Documents can now also be uploaded to Passwordstate Folders, Host Folders, and Host records
  • Updated documents can now be re-uploaded into Passwordstate, without first having to delete the original document
  • API has been updated so you can upload documents to Folders, and Retrieve them from Folders as well.

There are also many more minor features available in version 8, and we thank our customers for their feedback and feature requests, making Passwordstate a better product.

Regards
Click Studios

Comments

  1. Password reset self-service is an excellent addition – well done! Any chance of it integrating with Windows login-screen/GINA?

    • support says:

      Hi Ken,

      Thanks for your kind words. At this stage we don’t have any plans to modify the GINA, for a couple of reasons. Most Sys Admins we’ve come across do not like the burden of this, and we’re not sure if Microsoft will be supporting this in the future – none of our competitors have done it for Windows 10 that we are aware of.

      Hopefully one of the 9 different verification policies we currently have, all of which can be accessed on mobile phones, will be enough for our customers so they don’t have the need for the GINA modification – only time will tell 🙂

      Regards
      Click Studios
