Tips & Tricks Feed

May 16, 2013

AuthAnvil in Action - Bulk Exports

We strongly dislike when vendors hold your data hostage. We think that if it's your data, you should be able to get it.

That's part of the reason we built mass export into the AuthAnvil Password Server. If you want it, all your data is there and available in your choice of XML and CSV flavors.

Although, data accessibility isn't the only reason we want you to have export tools. One of our most commonly recommended emergency preparedness measures involves creating a periodic hard-copy backup of your stored passwords, especially the high level, mission critical ones.

How-to

For emergency preparedness, we recommend using the Bulk Export functionality to create a CSV of all shared vaults. Obviously, this file contains passwords in clear text, and thus is highly sensitive and should only be handled by the most senior administrator/executive in the department or organization.

That person should immediately:

  • Print it out on a secure printer
  • Destroy the digital copy
  • Seal it in an envelope
  • Secure it in the company safe 

Don't forget to include instructions on who has the authority to break the seal on the envelope, and under what conditions.

Practice What You Preach

For example, should something put our CEO Dana out of commission (which we hope would never happen, but emergency plans are never about the pleasant) there is such an envelope for our company. This envelope may only be opened by a member of our Board of Directors, who could delegate the authority within to us as needed to keep the company marching forward.

As a bonus, our emergency package also contains an AuthAnvil hardware token, assigned to a special AAadmin user in AuthAnvil. That way, should that unfortunate emergency arise, we would still have someone with access to the AuthAnvil administrator functions.

Planning for emergencies is never pleasant, but planning for something that may never happen is infinitely better than the alternative.

If this has you thinking, you should learn more about our recommended password best practices. Below is a 42-page eBook, written by our founder/CEO Dana Epp. Inside, Dana covers some of the best ways to take the sting out of passwords, we hope you like it

Posted at 08:00 AM in Tips & Tricks | | Comments (0) | TrackBack (0)

| |

May 02, 2013

AuthAnvil in Action - Linked Credentials

Password synchronizing is one feature a lot of IT service providers have been loving ever since we introduced it as part of the AuthAnvil Password Server last year. The ability to have key passwords rotated on an interval that you choose is quite the powerful tool in the IT toolbox.

One thing that remains a little understated is just what kinds of passwords can actually be rotated by a Sync Agent. For instance, normal domain accounts are a given, but did you know task and service passwords are also valid targets? Check out our sync scenarios page for more details. As you flip through those scenarios, you may notice that some situations require linked credentials. Just like how you'd normally require elevated credentials to change some of those passwords, so does our sync agent.

Want to see how to actually attach linked credentials to a sync agent? Check out this 60 second video.

 

Posted at 08:00 AM in Tips & Tricks | | Comments (0) | TrackBack (0)

| |

March 19, 2013

AuthAnvil Password Server: In The Trenches - Web Password Management

by: Cody Marbach

Adding-static-web-passwordThe web has never been a more powerful tool for business, but making use of these services does expose your organization to additional risks. While some enterprise class services have begun to support enhanced security like Two Factor Authentication and Single Sign On the overwhelming majority still use simple passwords to protect the information of their clients.

If you have critical web services that you make use of in your day-to-day operations, using strong, unique passwords is essential, and AuthAnvil Password Server can help.

 

Starting in version 1.7, we've added a Web Password type for shared passwords. Using this type, you'll be able to set the URL this web password is tied to. You'll have access to all the normal shared password features, like expiration notifications, the ability to generate strong passwords, auditing, and password history tracking.

Additionally, by checking the remote access option, you'll be able to launch the saved URL directly from the AuthAnvil Password Server.

Using-web-remote-button

With more and more powerful business applications making use of the cloud, or otherwise getting online, the password will be with us from quite some time to come. Make sure your passwords are safe, secure, and unique across all of your critical web applications. We've got a lot more planned for web passwords, so stay tuned. If you have any questions about this or other AuthAnvil Password Server topics, please post in the comments below!

 

Haven't upgraded yet? Grab the new installer from the banner below, or get the full release notes here.

Posted at 08:00 AM in Tip & Tricks - AuthAnvil Password Server, Tips & Tricks | | Comments (2) | TrackBack (0)

| |

January 02, 2013

How Many Passwords Fit on a Sticky Note?


Sticky Note Password ManagementThere are numerous password threats or tools used to coerce company employees into giving up their password, either knowingly or unknowingly. Hackers wishing to gain access into an account will use a variety of methods including phishing, guessing, shoulder surfing, a dictionary attack or keystroke logging. Each one of these methods is used as a way to capture a password and gain access to company information. It is essential for every employee to minimize their exposure to each one of these threats, which can be defined by:

  • Phishing – This threat often appears as an impostor email that is used to trick an employee into entering a unique username along with the password. It usually appears as a link to a website that poses to be a legitimate, financial service account, payment processor, or auction site. Typically, an employee will type in confidential information to the bogus site without realizing it is not legitimate.
  • Guessing – Human behavior is a funny thing, as it is so often predictable. Without strict company policies firmly in place, an employee will likely create an extensive list of very simple passwords that can be easily guessed. Many passwords are often used by employees including “password”, “passcode”, “12345”, “qwerty”, “admin”, or any row of letters directly off of the keyboard. It might also include names, dates, birth years, or any combination of these choices. Guessing is extremely easy for an online hacker, who understands the predictability of human behavior.
  • Shoulder Surfing – Anytime an employee is out in a public area including the airport, library, café, restaurant, or mass transit, it is easy for others to look over their shoulders and do “shoulder surfing”. By watching the employee type in their password, it is easy to steal this valuable information to gain access to a company account. Even if the employee is not logging in to a company account, they most likely use the same password for their private accounts as they do for the ones at the office.
  • Dictionary Attacks – Using a specialized software program, online cyber-thieves can let their computers easily guess employee passwords by trying every word in a dictionary, along with unlimited combinations of words, and numbers, symbols, and signs.
  • Keystroke Logging – There is an endless variety of Trojan horses, programs and viruses that can instantly, and serendipitously, install themselves onto any computer at the office or at home. These effective programs can easily capture and communicate exactly the type of keystrokes we make while logging on to accounts online. Almost instantly, the keystroke logging software program will send information of exactly what words are used for user ID, followed by the exact typing of a password, passphrase, or password combination.

 

Great Password Practices

When employees take a proactive approach at safeguarding passwords to deter others from gaining access into company accounts, they can always follow these three great password practices, which include:

  • Guard against Phishing – Never click on a link in an email. Instead, go directly to the company website and login to your account at their location.
  • Guard against Guessing and Dictionary Attacks – Create passwords that are at least eight characters long that include uppercase, lowercase, numbers, and symbols which cannot be easily guessed.
  • Guard One Account from Another – Always create a unique password for every account. If the hacker gains access to one of your accounts, they will not have access to any others.

Although it is always up to the company IT manager to direct employees on the best practices and procedures for developing effective passwords and passphrases, it is the responsibility of every employee to safeguard critical, confidential information. By using a password manager and two-factor authentication, companies can minimize the potential for online attacks, while safeguarding their vital data. Which brings us back around to the big question: How many passwords fit on a single sticky note?

 

…Zero.

 

Probably the easiest way for a hacker to gain access into a company account is to watch the employee at their desk. Many employees at their desk often leave their passwords on sticky notes in plain sight of any passerby. Even the ones that do not use sticky notes tend to find common things in their environment at work to create their unique password. An example might be “pottedplant123”. By writing down any password and leaving the information around the employee’s desk, or choosing a password based on something within plain sight, is an easy way to put the company at risk of being hacked from the inside.

Posted at 08:00 AM in In the Trenches, Tips & Tricks | | Comments (0) | TrackBack (0)

| |

December 19, 2012

Use multiple SoftTokens for easier access

Multiple-TokensLooking for easier access while using strong two-factor authentication? You can accomplish this by using multiple SoftTokens, one on your smartphone and one on a YubiKey. With the Grouped Users feature in AuthAnvil you can tie two SoftTokens to one user and simplify your access control.

If you already have an AuthAnvil SoftToken running on your smartphone, you may feel like you don’t want to give up the flexibility of having your authenticator on your phone. We understand that. We also know that you want fast access to the environments that you need to log into each day, and think you shouldn’t have to sacrifice that time savings so you can have another app on your phone.

So why not use both?

This is exactly what Grouped Users are for in AuthAnvil Two Factor Auth. Imagine you had a user with the windows account name of Bob. He has an iPhone and still wants the benefits of a YubiKey. Here is our suggestion:

  • Create a Standard User called Bob-iPhone and assign a SoftToken to the account.
  • Create a Standard User called Bob-YubiKey and assign a SoftToken to the account.
  • Create a Grouped User called Bob and assign Bob-iPhone and Bob-YubiKey to the account.

At this point, you now have the ability to log into any resource that supports Bob with any of those three accounts. When you use “Bob”, you can use either SoftToken. In the audit system, you will get an event that says something like:

Grouped User ‘Bob’ was logged on by member ‘Bob-YubiKey’.

You can use this same methodology for shared accounts like “Administrator” or “root”, binding the authentication transaction with the actual account used. This is very useful when needing to audit just which technician logged into a critical account on a firewall, router or domain controller.

NOTE: When using two accounts bound together like this, the AuthAnvil licensing system sees this as two separate seats. You are not charged for the grouped user, but are charged for both accounts. The balance of cost vs. time saving in OTP entry has to be considered to ensure you are meeting your budget for authentication use. Most customers find the ROI if they log into more than five systems in any given day where an AuthAnvil credential is used. Take a look at your login workflow and account for this accordingly.

Posted at 08:00 AM in Tips & Tricks | | Comments (0) | TrackBack (0)

| |

December 18, 2012

6 Tips for Happy Holiday Teleworking

Holiday-teleworking
Working from home during the holidays? Are you travelling this season to be with family and still need to finish some work back at the office? Here are some helpful tips to find the right balance so you can get the job done and spend quality time with family and friends this holiday season.

Tip 1: Make sure you have the logistics of working remotely figured out and tested ahead of time. It’s easy to pack up your tablet or laptop computer and head out to telework, but are you really prepared? How are you accessing company resources? Do you have the right permissions to all the files and programs you need to get the job done? Do you have a reliable internet connection? Head over to your nearest coffee shop to do a test run of your connections while enjoying a candy cane latte.

Tip 2: To be productive, find a dedicated space to work. There are many added distractions during the holidays and if you don’t separate yourself from them, you will get very little accomplished. You may end up spending twice as much time trying to get your work done as you try to accommodate your work tasks and family business at the same time. In the end both will suffer from lack of dedicated attention. Remove yourself to a private location and focus on what needs to get done - keep them separate.

Tip 3: Make sure you communicate back to the office. This may sound like a no brainer, but while you are remote you can easily become “out of sight, out of mind”. If your co-workers or supervisor are out of the loop you can quickly become disconnected. Keep everyone up to date on where you are at with your projects and looming deadlines. It’s also great to make sure you are on the right path so you don’t waste your holiday time on tasks that aren’t important.

Tip 4: Pace yourself. Don’t try to get everything done right away, or leave it to the last minute. Try and distribute your work time while teleworking to get the best results. If you have scheduled family gatherings or impromptu snowball fights happening in the back yard, participate! Plan your work activities around your family, friends or other activities. Christmas only happens once a year and you don’t want to miss out on great memories. Work while the kids are sleeping or while everyone is having their post turkey feast nap.

Tip 5: Make sure you have a plan. Snowball fights aside, you need to have a schedule and a plan to make sure you stay on task and get the work done. Find the right balance in your scheduling to accommodate work, rest and play. If you don’t schedule the time, it can be too easy to put it off and your work will pile up towards your deadline. Inform your family and friends of your schedule and let them know when you are not working, they have your undivided attention.

Tip 6: It is also very important to take the necessary security precautions while remotely connecting back to the office. You don’t want your remote session to be a potential open door to sensitive corporate information and assets. Never use un-trusted or public Wi-Fi, use a secure 3g, 4g or wired connection instead. Always lock your device while unattended. Enable two-factor authentication and single sign-on to access points that support it. Do not share passwords over email or write them down on the back of your aunt May’s famous gingerbread recipe, use a password manager. And if you are staying with family, do not use your 13 year old nephew’s computer that doubles as a Minecraft server to do your work on.

 

We hope that these helpful tips will take the guesswork out of teleworking for you. Remember, the goal is to find the right balance so you can work smarter and get the most out of this holiday season.

Join us in our Google+ Hangout today @ 3pm PDT where we will be discussing "Teleworking during the Holidays". We will sit down and have a candid chat with some of our customers about their thoughts on allowing staff to telework over the holidays and how this can be a real business opportunity in the coming weeks.

Posted at 08:00 AM in Tips & Tricks | | Comments (0) | TrackBack (0)

| |

December 11, 2012

Programming your YubiKey to support AuthAnvil

Using a YubiKey with AuthAnvil is simple. As far as AuthAnvil is concerned, it is simply another device that supports an AuthAnvil SoftToken. That means it uses the same license, and the same activation system.

When you receive your YubiKeys shipped directly from Yubico, download the AuthAnvil programmer for YubiKey. This is a Windows MSI package that can run on any Windows desktop or server that has Microsoft .NET Framework v3.5 or newer. You can even deploy the MSI using Active Directory Software Distribution Policies if you wish to permit entire departments or sets of organizational units the ability to program their own YubiKeys.

Combine that with the AuthAnvil Self Service Portal that is installed on your AuthAnvil server by default, you can remove a lot of administrative overhead and have the users take care of managing their YubiKeys themselves. It will even take care of enrollment and activation to your AuthAnvil environment.

TIP: Once a YubiKey is activated with the token programmer it will function no different than any other AuthAnvil SoftToken. All documentation, guidance and best practices will follow suit. Anywhere you see an AuthAnvil passcode prompt you enter in your personal PIN, and then touch the YubiKey to generate your one-time-password.

If you would like more information, head over to our YubiKey page, or download our FREE eBook for more great tips.

Posted at 08:00 AM in In the Trenches, Tips & Tricks | | Comments (0) | TrackBack (0)

| |

December 07, 2012

AuthAnvil SoftTokens and YubiKeys

A SoftToken on your mobile device is quite handy. However you may find youself re-typing your passcode too often during the day if you manage many different entry points. A great solution is to add a SoftToken to a YubiKey, so now you can enter that credential with a simple touch. Check out this video to learn more. 



For even more information, download our latest free eBook, " The Definitive Guide to using YubiKeys with AuthAnvil".

Posted at 11:15 AM in Tips & Tricks | | Comments (0) | TrackBack (0)

| |

November 05, 2012

A tale of least privilege: Why we create the "AADBUser" account when we install AuthAnvil.

This weekend we had a customer whose AuthAnvil server went into a fault condition after they accidentally changed the password of the AuthAnvil database user without considering the impact of that Restricted-Area-Signdecision. I thought it might make sense to share with the community why it’s a BAD idea to be playing with the “AADBUser” account if you do not know what you are doing with it.

Let’s start with some background. Back in the old AuthAnvil v1 (way back in 2004) days during initial threat modeling it was determined that to help reduce the attack surface of AuthAnvil on Windows Server 2003 the use of least privilege would be ideal. So we created a restricted user in Windows with only enough privileges to access the SQL Server (using Mixed Mode auth) and the application directories, which were controlled through strong ACLs. We would ask the administrator installing AuthAnvil to provide the username and password they wished to create, defaulting to the name of “AADBUser”. It was a great architectural decision that took security in mind to apply least privilege; it was a poor practical decision because most administrators don’t have the discipline to document change management properly and store passwords in a safe manner. (We hadn’t released the AuthAnvil Password Server yet Winking smile ) The result was that during upgrades where the installer would require a password to make any changes, the process would come to a grinding halt when the administrator “forgot” the password and had no clue what to do. At one point, we contributed more than 70% of our new cases created during an upgrade cycle to be on this one single condition… the administrator had no clue what AADBUser was or what the password was.

Seeing so many cases being created on what should have been a simple password entry field, we decided to go back to the drawing board. By the time AuthAnvil v3 was released the installer would read into your password policy of your domain (or on the system if it was not domain joined) and generate a random password to meet those complexity rules and then store this value in the Data Protection API (DPAPI) store where Microsoft themselves store passwords. This allowed us to protect the credential and get access to the password in a safe manner and still manage the account within our software. So we automatically create the account, set a strong password and mark the password to never expire so you don’t have to do anything with it. Meanwhile, we get the benefit of using least privilege with a restricted account you don’t have to manage.

Now, later this month when AuthAnvil Two Factor Auth v5 is released there will be a slight change to this. To account for the updated fault tolerance and clustering capabilities of AuthAnvil we have moved to using SQL auth for our interaction with SQL Server no matter if it's on-premise, or in the cloud. This allows us the ability to use SQL Azure Database which is already highly redundant and fault tolerant in Microsoft’s Cloud Services, for those customers who wish to use it. And we have moved the protection of the restricted account out of DPAPI and into a custom config section in the application with is encrypted to our standards to permit the control and access while using things like Network Load Balancing (NLB) in clustered environments.

It also has one other positive side affect. We are starting to move away from administrators breaking their AuthAnvil environment because someone accidentally does something like disable the restricted account, or change it’s password… without knowing the impact. Like what happened this weekend with one of our customers.

We can always learn from the experience of our customers. It is clear the more we can do to balance security and usability in a way that benefits both sides of the equation… the more we all win. If you have ever wondered what that section in the installer is doing when it says “Creating restricted user… please wait”… now you know. We are reducing the attack surface of your AuthAnvil environment by creating an account with the least amount of privileges to allow it to communicate with the resources it needs. Tampering with that account will cause the AuthAnvil system to collapse on itself and fail securely, not allowing you to do anything until the account is updated. If you are unsure how to repair that if you do accidentally do that, contact Customer Service at www.scorpionsoft.com/help. We have guidance and a simple tool in the Tools directory of the application that can do this for you.

Posted at 07:45 AM in In the Trenches, Tips & Tricks | | Comments (0) | TrackBack (0)

| |

October 18, 2012

Make the experience of Office 365 even better, and more secure.

It's common to hear IT Pros state that security and usability are at odds. That applying one reduces the effectiveness of the other. While on the surface this may have some merrit, if we look closer we find it doesn't always have to be the case.

Passwords in Office 365 are a perfect example. Business users scream about having to remember more passwords. Security professionals scream when you use your work credentials in external cloud services. How can we make both sides of the fence happy?

If you haven't been following the news lately, AuthAnvil fully works in Office 365, replacing the need to use a password with the introduction of federation to offer two-factor authentication. No need to use a Windows credential at work to log into your critical business resources in the Cloud.

If something like that interests you, you should check out AuthAnvil for Office 365.

The thing is, we CAN make the user experience better and increase security. To highlight just a few ways, we have released a new episode of Five by 5 that shows you just how to do that.

Check it out below.

 

If you are still not sure how AuthAnvil can make your experience with Office 365 easier and more secure, then I encourage you to download our free eBook that explains how it works, and why its important. It will demonstrate how you can unlock Office 365 without a password. Exactly what business users and security professionals both are looking for. Simplicity. And yet still secure.

Posted at 08:29 AM in Five by 5, Tips & Tricks | | Comments (0) | TrackBack (0)

| |

Next »

Search

Visit Our Company Website
Subscribe to this blog's feed

Categories

Archives

More...

Become a Fan