
Active Directory auth or local auth more secure


Guest Thomas W

I'm currently trialling Passwordstate which is looking good and I think I'll be buying it soon.
The one security concern I have is if my server was actually stolen (hopefully unlikely!)

So I wanted to ask the question if local accounts are better to use than AD integration for security in this circumstance?
e.g. if my server was stolen it is possible for someone to reset the Windows login (if you have the right tools and know how) and get administrator access into the server, then reset any AD account passwords, and therefore be able to log into PasswordState. Or is there something I'm missing which would avoid this being possible?
However if I used local accounts in PasswordState they couldn't do that; they'd actually need the password we've set in PasswordState. There isn't a way to reset PasswordState local passwords without having an admin login, is there? (e.g. reset via an email)

Thanks


Hi Thomas,

Thanks for your enquiry. It would be quite difficult for someone to configure AD authentication in this instance, as they would need to set up a domain the same as yours - but I guess it would still be possible.

If they did steal your server though, they wouldn't be able to login to the server itself, as we assume the server would be domain joined? So they would have no way of knowing what URL is being used, etc.

 

Most of our customers use AD authentication, and have never reported an issue of this nature before. And no, you cannot reset the passwords for Local Accounts, unless you are logged into Passwordstate. You can also enable two-factor authentication on your site as well if you want.

Regards

Click Studios


I'm not sure you know what I meant.

For example, if someone stole my server then they can boot it up, but obviously can't login and do anything with it. However it is not hard to reset the Windows administrator password, e.g. http://www.lsoft.net/pwch.aspx (I have this and a few others to unlock PCs when people forget their passwords). And I think it applies to domain controllers too. Physical access to a server is everything...

So once done they can login to the server, then reset any AD Account passwords they wish. They then have access to everything on the server so could easily see it has PasswordState installed, and see how to connect in IIS, and use any AD account they want to login.

Correct?

 

However if we use local PasswordState accounts and they can't be reset without logging in as another user to do the reset, then it should still be secure.

 


Hi Thomas,

Sure, if you have concerns of your server being stolen, you can certainly use Local Logins instead if you want. As mentioned, you could enable two-factor authentication as well, and you could have SQL Server running on a different server as well - this way you would need 2 servers stolen.

 

You could even use an MSA account for database connectivity, making it again more difficult to use the software in this scenario.

You also don't have to install the AD Integrated version - you can install the Forms Based Authentication version, which is effectively the same as Local Logins.

Regards

Click Studios

