Reputation Activity

  1. Like
    Buckit reacted to support in Another request for info   
    Hi Buckit - just emailed you the same info.

    Click Studios
  2. Like
    Buckit reacted to support in Another request for info   
    Hi Steve,
    Thanks again for your request, and kind words. I will email you directly over the weekend regarding this, as we don't like to publicly disclose certain information like this, as many customers are still on older builds of Passwordstate - and we do not wish to put them at risk.

    Click Studios
  3. Like
    Buckit reacted to Steve D. in Another request for info   
    I gave a second demo of the test environment to more of our InfoSec team this week. They continue to be impressed with the product, including a senior resource that is particularly hard to impress. (thanks for that. :))  I'm pretty sure pws is now the front runner for company wide password management tools that are being evaluated by them. I'm busy granting them access to the test environment so they can test configuration and do some pen testing themselves.
    They have been reviewing information on the www site and have run across references to CS having outside parties perform pentests on the product. They asked me to see if I could get more detailed information about that. What group/s performed the pentests, on what schedule, and perhaps a summary of results.
    They are evaluating how far they want to extend it at this point I suspect. Whether to expose it to the "outside" or contain it to the corporate lan.
    There is discussion of doing multiple implementations to break out types of lists and groups so breach of one implementation doesn't expose the entire environment. I'm working to show them the ease and speed which the product provides for correction once such a breach is detected but they may still want to split this into multiple implementations.
    They are also asking questions about something I asked previously regarding the ability to implement multiple www servers and filter list type access based on the www access point used. They want to prevent shared lists from being exposed on an access point deployed in the cloud for inet access while giving users access to their personal lists. VPN or secure lan access grants all lists. Can this be slotted as a feature request?
    Can you point me at more detailed info about the pentests please?
    Steve D.
  4. Like
    Buckit reacted to Valentijn Scholten in Report: Password lists (and/or folders?) without admins   
    I agree the query works fine, but it requires SQL access. I wouldn't want to allow too many servicedesk people access to the database (and bypassing audit logs).
    So would be nice to have the report in place. 
    The primary use case I would use this report for is when/before deleting a user. So ideally the report would be "Password lists for which a user is the only admin".
  5. Like
    Buckit reacted to support in Report: Password lists (and/or folders?) without admins   

    Thanks for your request. As a work around, you could run the SQL Query below. Any Password Lists with a TotalPermissions of 0, means there is no Admin on the list.
    USE Passwordstate
    SELECT PasswordLists.PasswordListID, PasswordLists.PasswordList, PasswordLists.Description, PasswordLists.TreePath, (SELECT COUNT(PasswordListID) FROM [PasswordListsACL] PSSWD WHERE (PSSWD.PasswordListID = PasswordLists.PasswordListID) AND (PSSWD.Permissions = 'A')) As TotalPermissions
    FROM [PasswordLists] 
    WHERE (PasswordLists.PrivatePasswordList = 0) AND (PasswordLists.Folder <> 1) 
    GROUP BY PasswordLists.PasswordListID, PasswordLists.PasswordList, PasswordLists.Description, PasswordLists.TreePath
    ORDER BY PasswordLists.PasswordList

    Click Studios
  6. Like
    Buckit reacted to support in URGENT - upgrading from 7.6 failed   
    Hi Scot,
    We don't think there's an easy fix for this, as we've never seen these errors before. It almost looks like possibly some Anti-Virus software is killing sessions on your web server during the upgrade - although this is just a guess based on the 'Thread was being aborted' errors.

    Do you have any AV Software on your web server? If so, can you try disabling/uninstalling it, then restore a backup of your database. Once you've done this, and restart your browser, it should prompt again to try and upgrade the database.

    Click Studios
  7. Like
    Buckit reacted to Sarge in Freeipa Users   
    Passwordstate with LDAP integration is something I requested some time ago, under tracking ID PS-1992.
    Assuming there's enough demand for it, it would allow integration with IPA for authentication and host discovery.

    IPA is a bundle of tools, LDAP being one of the tools it bundles. We also use IPA for our Linux servers' authentication.

    Assuming wkleinhenz would like this as a feature request, I'd have to +1 it.
  8. Like
    Buckit reacted to Jeffrey in Multi language support   
    For legal reasons, we need to translate certain messages into our native language.
    Like Jasper says, it would take a lot of time to translate the entire product. However, some kind of a translate table in the database would do the trick for me. In this way, it can be quite easy for administrators to translate words the way they like.
    Kind regards,
  9. Like
    Buckit reacted to Jeffrey in Remote Session Launcher - WSS protocol required?   
    Hello Support,

    we are trying to implement the Remote Session Launcher in our environment. The Passwordstate is already published through a reverse-proxy and is working without any issues.
    However, when we try to start a remote desktop, we get an error page saying, "Web Proxy Gateway Connection Issue". We can however perform the gateway SSL Connection test without any issues.

    When capturing the traffic using Wireshark, we noticed that when we start the Remote Session, it switches from HTTPS to WSS (WebSockets Secure) protocol. Can you please confirm that this is by design?

    Thanks in advance!

  10. Like
    Buckit reacted to support in ELK and PasswordState   
    Hi Guys,
    We had the following overnight from another customer who is now successfully using Graylog:
    "However, there was no question. I find in Internet specification of toString function and parameter format.
    Timezone is zzz. I set Date Formatting to yyyy-MM-ddTHH:mm:sszzz and output is correct.
    Thank you for solving the problem. "
    Click Studios
  11. Like
    Buckit reacted to Azkabahn in ELK and PasswordState   
    I would like to start this thread to get some insights if any of the other customers are using external syslog server to ship the logs from PasswordState. I am using ELK stack. Currently I am trying to create custom filters in Kibana to filter out the logs from PasswordState. I have the question, does the PasswordState always include "Passwordstate" value in the logs that are being sent to syslog server?
    host:X.X.X.X @timestamp:September 12th 2017, 17:17:29.728 @version:1 message:<110>2017-09-12 16:15:52 X.X.X.X Passwordstate: Failed 'Forms Based' login attempt for UserID 'n.lastname' from the IP Address 'X.X.X.X'. Client IP Address = X.X.X.X _id:AV_aAXYurEipAt82YaPZ _type:logs _index:%{type}-2017.11.20 _score: -  
    Feature Request - it would be great to have support for TCP ports
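Added example, not part of the original post or Click Studios' code: a Python parser for the syslog message format quoted above that keys on the `Passwordstate` tag and counts failed logins per source IP. Assumptions: the tag is present on every message (the question the post asks, which the page does not answer), both timestamp formats mentioned in this thread can occur, and the sample lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# <PRI>, timestamp ("yyyy-MM-dd HH:mm:ss" or "yyyy-MM-ddTHH:mm:sszzz"), host, tag, text
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}(?:[+-]\d{2}:\d{2})?) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<text>.*)$")
FAILED_RE = re.compile(
    r"Failed '(?P<method>[^']+)' login attempt for UserID '(?P<user>[^']*)' "
    r"from the IP Address '(?P<ip>[^']+)'")

# Constructed sample messages (documentation IP ranges), modelled on the quoted line
SAMPLE = [
    "<110>2017-09-12 16:15:52 192.0.2.10 Passwordstate: Failed 'Forms Based' login attempt for UserID 'n.lastname' from the IP Address '198.51.100.7'. Client IP Address = 198.51.100.7",
    "<110>2017-09-12T16:16:03+09:30 192.0.2.10 Passwordstate: Failed 'Forms Based' login attempt for UserID 'n.lastname' from the IP Address '198.51.100.7'. Client IP Address = 198.51.100.7",
    "<110>2017-09-12 16:17:40 192.0.2.10 Passwordstate: Failed 'Forms Based' login attempt for UserID 'a.other' from the IP Address '203.0.113.5'. Client IP Address = 203.0.113.5",
    "<110>2017-09-12 16:18:01 192.0.2.10 Passwordstate: (constructed) some other audit event",
    "<14>Sep 12 16:18:05 otherhost sshd[411]: unrelated line in a different format",
]

def parse_line(line):
    """Split one syslog message into fields; return None if it does not fit."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    pri = int(m["pri"])  # PRI = facility * 8 + severity
    event = {"facility": pri >> 3, "severity": pri & 7,
             "timestamp": datetime.fromisoformat(m["ts"].replace(" ", "T")),
             "host": m["host"], "tag": m["tag"], "text": m["text"]}
    failed = FAILED_RE.search(m["text"])
    if failed:
        event["failed_login"] = failed.groupdict()
    return event

def failed_logins_by_ip(lines, tag="Passwordstate"):
    """Count failed logins per source IP; also return lines that did not parse."""
    counts, skipped = Counter(), []
    for line in lines:
        event = parse_line(line)
        if event is None:
            skipped.append(line)  # surfaced so a format change is noticed, not lost
        elif event["tag"] == tag and "failed_login" in event:
            counts[event["failed_login"]["ip"]] += 1
    return counts, skipped

if __name__ == "__main__":
    print(failed_logins_by_ip(SAMPLE))
```

Returning the unparsed lines alongside the counts makes it visible when a message arrives without the expected tag or timestamp format, instead of silently dropping it from the filter.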
  12. Like
    Buckit reacted to StefanPahrmann in VMWare ESX Password Reset Example   
    I've developed a script, which uses PowerCLI/API (VMwares powershell-modules), instead of SSH. SSH is by default disabled on ESXi-hosts for security-reasons, and I want to keep it that way  
    As mentioned needs PowerCLI installed on the server (Guide can be found here https://blogs.vmware.com/PowerCLI/2017/08/updating-powercli-powershell-gallery.html). No privileged account needed.
    Function Set-ESXiPassword
    {
        [CmdletBinding()]
        param (
            [String]$HostName,
            [String]$UserName,
            [String]$OldPassword,
            [String]$NewPassword
        )

        # Connect to the ESXi host as the account whose password is being changed.
        # -ErrorAction Stop turns any failure into an exception the catch block sees.
        try {
            $conn = Connect-VIServer $HostName -User $UserName -Password $OldPassword -ErrorAction Stop
        }
        catch {
            switch -wildcard ($error[0].Exception.ToString().ToLower()) {
                "*incorrect user*" { Write-Output "Incorrect username or password on host '$HostName'"; break }
                "*" { Write-Output $error[0].Exception.ToString().ToLower(); break }
            }
        }

        try {
            $change = Set-VMHostAccount -UserAccount $UserName -Password $NewPassword -ErrorAction Stop
            Disconnect-VIServer * -Confirm:$false
            # Report success only when the change completed without throwing.
            # (In the original this sat in a 'default' branch after the "*" match and could never run.)
            Write-Output "Success"
        }
        catch {
            switch -wildcard ($error[0].Exception.ToString().ToLower()) {
                "*not currently connected*" { Write-Output "It wasn't possible to connect to '$HostName'"; break }
                "*weak password*" { Write-Output "Failed to execute script correctly against Host '$HostName' for the account '$UserName'. It appears the new password did not meet the password complexity requirements on the host."; break }
                # Add other wildcard matches here as required, above the catch-all
                "*" { Write-Output $error[0].Exception.ToString().ToLower(); break }
            }
        }
    }

    Set-ESXiPassword -HostName '[HostName]' -UserName '[UserName]' -OldPassword '[OldPassword]' -NewPassword '[NewPassword]'

    Regards
  13. Like
    Buckit got a reaction from support in Randomize Local Admin Password   
    Hey now! I wasn't going on about Linux boxen thankyouverymuch, they were IoT-devices! My Linux boxen are just fine and dandy
    Sure, the IoT-devices also run Linux, but they're Special Little Snowflakes (tm).
  14. Like
    Buckit reacted to support in Feature request: anchor tags on ChangeLog web page   
    Hey Buckit,
    We will take a look and see if this will be a simple change. If it is we'll include it in a future build.
  15. Like
    Buckit reacted to support in Feature request: One-to-many (1:N) relations for accounts-to-hosts   
    Hi Buckit,
    Thanks for your request. At this stage we're not sure this is something we would like to implement, as it goes against best practice for using unique passwords across your hosts. It would also require a complete redesign of our Password Reset Engine, Account Heartbeats, Remote Site Locations, Reporting, API, etc, etc.

    Click Studios
  16. Like
    Buckit reacted to jimmy in Internet-less upgrade method still needs internet access   
    In the meantime I've been testing the other way around: unplug the NIC.
    Now the button keeps saying "testing download..." forever (or at least for 30 minutes until I terminated it).
    So there seems to be some difference but still not like it works at your side.
    When the NIC is disconnected I see Windows Events "An error has occured executing the call 'SecurityGroupExists'. The server is not operational."  Perhaps this is because the ADDS is then also unreachable.
    With the NIC connected I see nothing in the eventlog.
    To make sure it really attempts to access internet, I added www.clickstudios.com.au to the hosts file, pointing to This causes the upgrade now to fail even faster. That proves that it does do a call to www.clickstudios.com.au at a point where it should not.
    (I double checked the permissions on the zip-file, and also extracted it once to verify that it's not corrupted)
    I have created a quick-and-dirty webserver replacement of http and https for www.cliskstudios.com.ca to have a bit of logging, and I see that it requests /NewBuildInfo.xml (plain over port 80?).
    Perhaps then you know what is going on? (it's not the upgrade zipfile but an xml)
    Tomorrow I won't be able to change or test anything, but please feel free to keep me informed (I am able to reach this site).
  17. Like
    Buckit reacted to support in Internet-less upgrade method still needs internet access   
    Hi Jimmy,
    We'll schedule an Internet outage at the office tomorrow, and see if we can replicate your issue again - it's currently 7pm in Australia.
    We'll let you know what we find.

    Click Studios
  18. Like
    Buckit reacted to support in Internet-less upgrade method still needs internet access   
    Hi Jimmy,
    Sorry you're having some issues with this. I've just done some testing, but cannot seem to reproduce this - I disabled the network card for the test.
    We use the method of placing the passwordstate_upgrade.zip file in the /upgrades folder for every release, as we test the upgrade process before releasing - obviously we don't want to download from the Internet in this instance, as we haven't uploaded the new file yet.
    I've just done a code review, and it's possible that there is a different error which is causing our code to redirect to this page you are seeing. Can you try the following:
    1. Make sure the Passwordstate folder, and everything beneath it, has Modify or Full NTFS permissions for the NETWORK SERVICE account
    2. Now use the instructions '5. Manual Upgrade Instructions' in the following document - https://www.clickstudios.com.au/downloads/version8/Upgrade_Instructions.pdf
    Click Studios
  19. Like
    Buckit got a reaction from support in Privileged Account Management   
    Even more impressive than the "request a password which auto-expires" is the built-in "request access and get an RDP/SSH session" functionality, which will never show you an actual password
  20. Like
    Buckit reacted to support in Bug report: password dependencies   
    Hi Buckit,
    I've made some changes to this Windows Service Reset Script today:
      • It will only try and stop the service if it's currently running
      • It will only try and restart the Service, if the Startup Type is set to one of the 'Auto' options
    I've just emailed you a copy of this new script, and this version will be included in the next release - due later this week.

    Click Studios
  21. Like
    Buckit reacted to Sarge in AD password changing vagueries   
    Scratch that Buckit.
    Did a bit of the old googling and looks like this could be 'by design'.
    This seems similar to your problem: https://davidvielmetter.com/tricks/password-reset-delegation-not-working/
    I'd bet this is happening for you. Further, I'd bet your break glass accounts won't remember the 'include inheritable permissions' checkbox because they are members of some protected AD groups.
    Is the process for updating the AdminSDHolder object.
    Full credit to the article and the commenters. 
    You learn something new everyday!
    For clarity Buckit, I wouldn't be modifying the AdminSDProp to enable inheritable permissions, I'd simply add a security group with your priv user being a member, and grant it the required roles to perform resets on AdminSDProp based objects.
    Wait for the SDProp process to run (1 hour ish), and you should be set.
    I don't like the idea of modifying the default ACL for protected objects, but I like the idea of enabling inheritable permissions even less.
    Also, I'd be taking screenshots of before and after for every change you make to the AdminSDProp object, and be documenting it fully.
  22. Like
    Buckit reacted to Sarge in Bug report: password dependencies   
  23. Haha
    Buckit got a reaction from Sarge in Bug report: password dependencies   
    Personally, I'd expect one to be able to edit anything one has added. Nothing's set in stone.
    Wait what? O_o
    Time to hit the manuals again! You mean to say that I don't have to manually add 150+ dependencies for that task that runs on all my boxen? NICE!
  24. Like
    Buckit reacted to support in Bug report: password dependencies   
    Hi Thomas,
    Firstly, can you rename your forum post to "By design: password dependencies"
    We've released build 8284 today, and included changes for Edit and Edit 2 - we haven't renamed IIS and COM+ yet, as we did need to get the build out today.

    For the editing of Dependencies, this is not currently possible as we haven't come across a requirement for this yet - until now. Until we can work on this, you will need to delete your dependency and then add it back - or if you are using our Discovery Jobs for this, it will add it back automatically.
    Click Studios
  25. Like
    Buckit reacted to Robert Brock in PasswordState compatibility with Pwnage check?   
    Hi support,
    It's quite simple. I hacked it into an open source Active Directory password filter I work on from time to time over a case of beer last night.
    If you are also using C#, you may find my implementation a useful starting point, or more likely - an example of exactly how not to do it.
    It's a little rough because I'm a secadmin with a coding habit, and well, the beer, but you are welcome to it: 