Jump to content
geeks

Audit Administration Settings Changes

Recommended Posts

I'm new to Passwordstate, so please forgive me if I'm missing something here, but I've looked everywhere I can think of in the Passwordstate interface, and throughout the Users and Security Administrators manuals, and I can't seem to find any information indicating that changes made in the Administration area (and especially in the System Settings section) are tracked so that they can be viewed and monitored under the Auditing section of Administration.

 

When we first mentioned to our users that this new system was coming, our HR person became extremely alarmed - she doesn't want System Administrators to have access to just anyone's passwords. I need to be able to show her that we can lock that down and prove through auditing that us System Administrators aren't circumventing security policies.

 

Can someone tell me if Administration level changes are audited, and if so, how to view them, or how to enable auditing of these changes?

 

And if not, please consider this a request for enhancement to Passwordstate.

 

Thank you,

 

Rochelle Adsitt

IT Director

evergreenDIRECT Credit Union

Share this post


Link to post
Share on other sites

Hi Rochelle,

 

You can see a full list of auditing events which are recorded in Passwordstate here - http://www.clickstudios.com.au/about/compliance-reporting.html. These can all be queried on the screen Administration -> Auditing, which I'm sure you're aware.

 

There isn't much in the way of audit events for the Administration area per se, but all access to Passwords are audited, all permission changes to Password Lists or Passwords are audited, so there is a full audit trail of this - which sounds like the main concern of your HR person?

 

If there's anything specific in the Administration area you would like us to add, then please let us know.

 

Regards

Click Studios

Share this post


Link to post
Share on other sites

The main concern of our HR person is that a System/Security Administrator not be able to access a private list that doesn't belong to them.

 

And if there are options under System Settings that appear to allow someone with that role the ability to override potentially risky settings (i.e. "Allow Security Administrators to convert Private Password Lists to Shared ones", "When administering Password List permissions...prevent Security Administrators from granting themselves permissions to passwords", and "Enable option for purging of Auditing records"), what's to keep a Security Administrator from converting a Private Password List to a Shared one, changing the permissions on it, and then hiding their actions by purging the Auditing records?

 

As my manager put it - by the time someone figures out what the Security Administrator has done, the damage has been done because they've already gained access to a system they shouldn't have.

 

How do other organizations deal with this? Do they lock down the System Settings and then take that role away from the Security Administrators (relying on the "emergency" access to work with System Settings if they need to be adjusted)?

 

Thanks, Rochelle

Share this post


Link to post
Share on other sites

Hi Rochelle,

There really isn't an effective way to protect against this sort of malicious behaviour. It's no different really to a domain admin resetting the password for a user's account, logging on to the domain as them, and then accessing Passwordstate or any other application - and then clearing the event log in Windows to hide your tracks.

 

We have had a request in the past to provide a two-factor authentication option where two people need to approve changes in the Administration area, but again with this sort of malicious activity, a user could find a way around it.

 

For our other customers, as far as we know, their IT guys are trusted to do the right thing with the Information Systems they look after. We know that a few customers wanted complete separation of duties in Passwordstate, and in this instance they have purchased multiple copies and have different people looking after them.

 

We also have some customers who send all the auditing data to a syslog server, and then you could possibly try and lock down access to the syslog server somehow.

 

I know this probably doesn't satisfy your HR department, but if you have any suggestions for how we can improve against this sort of behaviour, we will definitely look into it.

 

Regards

Click Studios

Share this post


Link to post
Share on other sites

I get your point about circumventing security by changing a user's password, but it's a lot more obvious to a user when their password is changed than when a critical Administration or System Setting is changed in Passwordstate, especially if the Auditing log can be purged.

 

I think enhancing a combination of:

- auditing,

- reporting, and

- email templates

would go a long way towards being able to secure Passwordstate at a level which would satisfy the pickiest of auditors (because in the long run it's not just my HR manager I need to assure, but it's our financial and security auditors we have to answer to).

 

Also, how about requiring two people to authenticate in order to change the emergency access password?

 

I'd like to see:

- auditing added for changes made to Administration settings, and especially for every System Setting,

- additional reports, especially reports for all current Administration and System Settings,

- the ability to schedule reports to be sent to individuals or groups of individuals (like sending a daily audit report containing selected types of activities), and

- additional email templates so that someone (or a group) in the organization would immediately be notified if any System Setting or other critical Administration settings were changed

 

Ideally at the moment, in order to get this up and running for us, I'm thinking I will:

1. ask a group of key management personnel to assist in deciding how certain critical settings should be configured (System Settings and other Administration configuration settings reports would help here - to give them something to review for planning purposes - besides a 111 page Security Administrators manual; and then provide them with a final report of what the settings are after they've been configured)

2. lock down the settings by having Security Administrators remove access to System Settings for each other

3. configure "alerting" by assigning email templates to security groups which include multiple management level individuals

4. insuring key personnel have access to review the full audit list (increasing the types of events which are audited and having the ability to send them daily audit reports would be helpful here)

 

Thank you for your consideration.

 

Rochelle

Share this post


Link to post
Share on other sites

Hi Rochelle,

 

Many thanks for the detailed information, and this is definitely something we will look into, as it will further strengthen the security of our software.

 

For the System Settings auditing and email, we'd need to think about how we can intelligently report on changes here, as there are so many settings to compare, with very long descriptions, and we're just not sure how we would include this level of detail in auditing data - we'll need to figure something out.

 

With the scheduled reports we have now, you can CC any other mailboxes you wish to receive the scheduled report - so possibly you could specify a general mailbox here, or multiple smtp email addresses.

 

Regards

Click Studios

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...

×
×
  • Create New...