Fabian Näf Posted May 7, 2018

Hi There

I would like to start a discussion about how to make the Win-API more secure. You can use very secure login procedures using two-factor and so on and make Passwordstate very secure. But if the Win-API is enabled, every user can access passwords by using this REST API without the secure two-factor authentication. Of course, it needs more knowledge to get passwords from the Win-API, but this will not prevent any potential attackers from getting passwords out of Passwordstate by using the API. And I'm also aware that we can restrict the APIs to certain IP ranges, but in the end it stays the same: the users (or potential attackers) can retrieve passwords without going through the two-factor authentication process.

Currently I'm not sure which is the best way to avoid this vulnerability, but I have some points which could help here and I would like to start a discussion about this:

1. Restrict the REST methods (e.g. only allow POST [create new items]). For us this would help a lot, because we only use the WinAPI to import things.
2. Make it work like the browser extension: the Win-API is only available for a particular user from a particular device (IP?) for a certain time period, after he has successfully authenticated through the usual login procedure (two-factor, for instance) on the Passwordstate web interface.

Any other ideas?

Best regards, Fabian
support Posted May 7, 2018

Hi Fabian,

You can currently restrict which users are allowed to use the WinAPI - go to the screen Administration -> Feature Access and API tab. And also you can restrict which IP Addresses are allowed to make calls to the API.

Another option a customer has done is using Managed Service Accounts to execute the script. So they have added in an MSA account into Passwordstate, and then are executing scripts under this identity. I believe they have written something themselves for this in IIS, so the Application Pool is doing the Impersonation. We believe you can also use a Scheduled Task to execute the script under the identity of an MSA account.

Regards
Click Studios
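The last option in the reply above, running the import script as a Scheduled Task under a Managed Service Account so that the WinAPI is only ever called with that dedicated identity rather than with every user's own Windows credentials, can be set up with the built-in ScheduledTasks cmdlets. The following is an added illustration, not code from Click Studios or from the thread; the domain, the gMSA name (CONTOSO\gmsa_pwimport$), the task name and the script path are placeholders, and it assumes the gMSA has already been created in Active Directory and installed on the host with Install-ADServiceAccount.

```powershell
# Added example: run a Passwordstate WinAPI import script as a group Managed
# Service Account (gMSA) via a Scheduled Task. All names below are placeholders.
# Assumes: the gMSA exists, this host is allowed to retrieve its password, and
# Install-ADServiceAccount has been run here (requires the RSAT AD module).

$Gmsa       = 'CONTOSO\gmsa_pwimport$'        # placeholder gMSA (note trailing $)
$TaskName   = 'Passwordstate-Import'          # placeholder task name
$ScriptPath = 'C:\Scripts\Import-Credentials.ps1'  # placeholder import script

# Sanity check: confirm the host can actually use the gMSA before registering
# a task that would silently fail at run time.
if (-not (Test-ADServiceAccount -Identity ($Gmsa.Split('\')[1]))) {
    throw "gMSA $Gmsa is not usable on this host; run Install-ADServiceAccount first."
}

# The action runs the import script non-interactively. The script itself makes
# its WinAPI calls with the task's Windows identity (e.g. Invoke-RestMethod
# -UseDefaultCredentials), so no password is stored anywhere on disk.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""

# Daily run at 02:00; adjust to the import cadence you need.
$trigger = New-ScheduledTaskTrigger -Daily -At 2am

# LogonType Password is what lets Task Scheduler fetch the gMSA password from AD.
# RunLevel Limited: the import needs no local admin rights, so do not grant them.
$principal = New-ScheduledTaskPrincipal -UserId $Gmsa -LogonType Password -RunLevel Limited

# Tighten task behaviour: no concurrent runs, bounded execution time.
$settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew `
    -ExecutionTimeLimit (New-TimeSpan -Hours 1)

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Verify the task really runs as the gMSA and not as the registering admin.
$registered = Get-ScheduledTask -TaskName $TaskName
"{0} runs as {1} (LogonType {2})" -f $registered.TaskName,
    $registered.Principal.UserId, $registered.Principal.LogonType
```

With the task in place, the Feature Access and API screen mentioned above can be narrowed to the gMSA only, and the IP restriction to the host that runs the task, so that interactive users never need WinAPI permissions at all; the import script's own WinAPI calls then inherit the gMSA identity, and the host's Task Scheduler history plus the Passwordstate audit log show exactly which identity and machine made each call.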
Fabian Näf Posted May 10, 2018 Author

Hi Support

Thank you for your answer and explanation!

Currently we would give our users the ability to import their credentials by using the PasswordSafe and KeePass importer scripts. That's why we didn't restrict access to users so far. When I think again about all this, I get to the basic point that the REST WinAPI is not intended to be used by all users, only by certain managed service accounts. So I guess we need to restrict our WinAPI access and only open it for users on request to import their data.

Best regards, Fabian
support Posted May 10, 2018

Thanks Fabian
This topic is now archived and is closed to further replies.