An interesting question that came out of yesterday’s post on the use of the restricted “AADBUser” account for AuthAnvil was how an administrator can use the AuthAnvil Password Server to help. There are several things you can do to assist in the management of the AuthAnvil database credential:
- You can store the AADBUser password in the AuthAnvil Password Server, and then:
  - Keep a history of it so you know if and when it changes
  - Have the ability to reveal it if you ever need it
  - Apply role-based access control (RBAC) for access to it as required
  - Maintain change logs to determine who changed it, and when
- You can use the built-in daily scheduler to check that the password stored in the AuthAnvil Password Server actually matches the AADBUser account in Active Directory or in the local SAM (depending on whether it was installed in a domain environment or not). This lets you:
  - Be alerted if they do not match, allowing you to take remediation steps quickly.
  - FORCE the change of the password and maintain change management within the AuthAnvil Password Server, if they ever get out of sync
  - Keep audit logs of all this interaction in case you need it for forensic or business purposes. (Like beating the admin that changed it WITHOUT updating the AuthAnvil Password Server with a wet noodle!!!)
It is surprising that so few of our customers know that they can use the AuthAnvil Password Server in this manner to monitor system passwords for things like AuthAnvil Two Factor Auth. Not only can you store and audit access to passwords… you can actually have the AuthAnvil environment test that the passwords match on the actual systems if you have enabled them for synchronization. And this can be done both on-premises for your local systems and for those at your client sites. This helps to maintain and audit your password management processes across all the networks that you manage.
To better understand just how AuthAnvil password synchronization works, check out the Sync Scenarios matrix for a more detailed breakdown.
Of course, if you have any other questions about how password synchronization works, feel free to chat with our Customer Service team. They would be happy to help.