Restrict REST Win-API access



Hi There

 

I would like to start a discussion about how to make the Win-API more secure. You can use very secure login procedures using two-factor and so on and make Passwordstate very secure. But if the Win-API is enabled, every user can access passwords by using this REST-API without the secure two-factor authentication. Of course, it needs more knowledge to get passwords from the Win-API, but this will not prevent any potential attackers from getting passwords out of Passwordstate by using the API. And I'm also aware that we can restrict the APIs to certain IP ranges, but in the end it stays the same: the users (or potential attackers) can retrieve passwords without going through the two-factor authentication process.

 

Currently I'm not sure which is the best way to avoid this vulnerability, but I have some points which could help here and I would like to start a discussion about this:

 

  • Restrict the REST methods (e.g. only allow POST [create new items]). For us this would help a lot, because we only use the WinAPI to import things.
  • Make it work like the browser extension: the Win-API is only available for a particular user from a particular device (IP?) for a certain time period, after they have successfully authenticated through the usual login procedure (two-factor for instance) on the Passwordstate web interface.
  • Any other ideas?

 

Best regards,

 

Fabian


Hi Fabian,

 

You can currently restrict which users are allowed to use the WinAPI: go to the screen Administration -> Feature Access, API tab. You can also restrict which IP addresses are allowed to make calls to the API.

 

Another option a customer has used is Managed Service Accounts to execute the script. So they have added an MSA account into Passwordstate, and are then executing scripts under this identity. I believe they have written something themselves for this in IIS, so the Application Pool is doing the impersonation. We believe you can also use a Scheduled Task to execute the script under the identity of an MSA account.

Regards

Click Studios
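The Scheduled Task variant of the MSA approach described above, as an added example that is not part of the original reply and is not Click Studios' own code. It assumes a group Managed Service Account named CORP\svc-pwimport$, an import script at C:\Scripts\Import-Keepass.ps1, a Passwordstate server at https://passwordstate.corp.example and a password list with ID 42; the WinAPI request body at the end is an illustration of a Windows-authenticated call and its field names are assumptions, not taken from the page. The gMSA still has to be granted WinAPI access under Administration -> Feature Access, API tab, and the task host's IP added to the allowed list, so that interactive users can be removed from both.

```powershell
# Added example (not from the original post or Click Studios): run a Passwordstate
# WinAPI import script as a group Managed Service Account (gMSA) from a Scheduled
# Task, so that no interactive user needs WinAPI rights at all.
# Assumed names: CORP\svc-pwimport$ (gMSA), C:\Scripts\Import-Keepass.ps1 (import
# script), https://passwordstate.corp.example (server). Run elevated on the host
# that will execute the task.

Import-Module ActiveDirectory
Import-Module ScheduledTasks

$GmsaSam    = 'svc-pwimport'              # sAMAccountName without the trailing $
$Gmsa       = "CORP\$GmsaSam`$"           # identity the task runs under
$ScriptPath = 'C:\Scripts\Import-Keepass.ps1'
$TaskName   = 'Passwordstate WinAPI import'

# 1. The host must be allowed to retrieve the gMSA password (it has to be listed
#    in PrincipalsAllowedToRetrieveManagedPassword). Install and verify first;
#    a task registered for a gMSA the host cannot use simply never runs.
Install-ADServiceAccount -Identity $GmsaSam
if (-not (Test-ADServiceAccount -Identity $GmsaSam)) {
    throw "This host cannot retrieve the password for $Gmsa."
}

# 2. Write the import script (assumed content). It authenticates to the WinAPI
#    with the Windows identity of the task, i.e. the gMSA, via -UseDefaultCredentials;
#    no API key or password is stored on disk. Endpoint and JSON field names are
#    assumptions for illustration.
$ImportScript = @'
$Base = 'https://passwordstate.corp.example/winapi'   # assumed server
$Body = @{
    PasswordListID = 42                                # assumed list ID
    Title          = 'Imported entry'
    UserName       = 'imported-user'
    Password       = 'example-only'
} | ConvertTo-Json
Invoke-RestMethod -Uri "$Base/passwords" -Method Post -UseDefaultCredentials `
    -ContentType 'application/json' -Body $Body
'@
New-Item -ItemType Directory -Force -Path (Split-Path $ScriptPath) | Out-Null
Set-Content -Path $ScriptPath -Value $ImportScript

# 3. Register the task. -LogonType Password with a gMSA UserId makes the Task
#    Scheduler fetch the managed password itself, so no credential is entered here.
$Action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
               -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
$Trigger   = New-ScheduledTaskTrigger -Daily -At 02:00
$Principal = New-ScheduledTaskPrincipal -UserId $Gmsa -LogonType Password -RunLevel Limited
Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger -Principal $Principal

# 4. Confirm the task really runs as the gMSA, not as the admin who registered it.
(Get-ScheduledTask -TaskName $TaskName).Principal.UserId
```

Once the task is in place, the WinAPI user list in Feature Access can be reduced to the gMSA and the IP allow-list to the task host, which is what removes the path the first post describes: interactive users no longer hold WinAPI rights, and the one identity that does has no interactive logon.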


Hi Support

 

Thank you for your answer and explanation!

Currently we would give our users the ability to import their credentials by using the PasswordSafe and KeePass importer scripts. That's why we haven't restricted access to users so far.

 

When I think about all this again, I get to the basic point that the REST WinAPI is not intended to be used by all users, only by a certain managed service account.

 

So I guess we need to restrict our WinAPI access and only open it for users on request to import their data.

 

Best regards,

 

Fabian

 


Archived

This topic is now archived and is closed to further replies.
