Manage local device and service account credentials

Started by heath, February 12, 2021, 09:29:36 AM


heath

How do you manage local device credentials and making those credentials available for others on your staff (should RADIUS/TACACS not be available for some reason) but also keep that information secured?

Otanx

Use a password manager. Preferably one that can set up individual accounts and track access. There are a few different ones out there. For the local admin on our gear we also write them down on a real piece of paper and put it in a safe. It isn't very helpful to have the password in the password manager if you can't access the password manager.

-Otanx



deanwebb

Don't ask me, I use a post-it note pad for my password management. :smug:

I've had several friends get locked out of their password managers after forgetting the password to get into those... so be sure to get a manager that has a viable recovery process.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Otanx

Thycotic is a common one. They offer a free tier if your requirements are not very large.

-Otanx

icecream-guy

I use a password-protected Excel spreadsheet, I have no trust in storing my passwords in the cloud.
I picked up the office 2019 suite for like 49 bucks US.
:professorcat:

My Moral Fibers have been cut.

Otanx

I wouldn't trust the cloud either. Thycotic and others have on-prem solutions. The big benefit over a password-protected xls file is tracking who accessed the creds and when. The really fancy ones will also do password changes, so if someone accesses the password I can set up the solution to automatically change that password one hour later.

Whether it is useful depends on how large your environment is. A couple of people need it? A spreadsheet is probably fine. 100 engineers that may need access to local admin accounts? You might want one of these.

-Otanx
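The two things Otanx credits the "fancy" tools with (knowing who pulled a credential and when, and rotating it a set time after it was handed out) are easy to see in a few dozen lines. The broker below is an added illustration written for this thread, not code from Thycotic or any other product; the user names, device name and the one-hour rotation window are constructed sample values. It authenticates each engineer individually with PBKDF2, records every check-out and denial in an audit list, and, once a credential has been checked out, rotates it as soon as the timer expires. A shared spreadsheet or a KeePass file with one master password can do none of those three things.

```python
"""
Minimal credential broker: per-user authentication, an audit trail, and
rotation one hour after a check-out. Added example for illustration only;
the users, device and passwords below are constructed sample data.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

ROTATE_AFTER = timedelta(hours=1)   # rotate one hour after a check-out (assumed policy)
PBKDF2_ROUNDS = 200_000


@dataclass
class Credential:
    device: str
    username: str
    password: str
    rotate_at: Optional[datetime] = None   # set the first time someone checks it out


class CredentialBroker:
    def __init__(self):
        self._users = {}   # engineer -> (salt, pbkdf2 hash of their own password)
        self._creds = {}   # device   -> Credential
        self.audit = []    # (time, who, device, action) - the "who accessed it and when" log

    # --- engineers authenticate as themselves, not with a shared master password ---
    def add_user(self, user, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[user] = (salt, digest)

    def _authenticate(self, user, password):
        if user not in self._users:
            return False
        salt, digest = self._users[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)

    # --- stored device credentials ---
    def add_credential(self, device, username, password):
        self._creds[device] = Credential(device, username, password)

    def checkout(self, user, user_password, device, now=None):
        """Hand out a credential, log the access and start the rotation clock."""
        now = now or datetime.now(timezone.utc)
        if not self._authenticate(user, user_password):
            self.audit.append((now, user, device, "DENIED"))
            raise PermissionError("authentication failed")
        cred = self._creds[device]
        self.audit.append((now, user, device, "CHECKOUT"))
        if cred.rotate_at is None:           # first check-out starts the timer
            cred.rotate_at = now + ROTATE_AFTER
        return cred.username, cred.password

    def run_rotations(self, now=None):
        """Rotate every credential whose check-out timer has expired.
        A real product would push the new password to the device here."""
        now = now or datetime.now(timezone.utc)
        rotated = []
        for cred in self._creds.values():
            if cred.rotate_at is not None and now >= cred.rotate_at:
                cred.password = secrets.token_urlsafe(18)
                cred.rotate_at = None
                self.audit.append((now, "broker", cred.device, "ROTATED"))
                rotated.append(cred.device)
        return rotated


def demo():
    """Walk one credential through check-out, a scheduler run, and rotation."""
    b = CredentialBroker()
    b.add_user("alice", "correct horse battery staple")            # constructed
    b.add_credential("core-sw-01", "admin", "initial-local-admin-pw")   # constructed
    t0 = datetime(2021, 2, 16, 12, 0, tzinfo=timezone.utc)
    creds = "alice", "correct horse battery staple"
    _, pw_before = b.checkout(*creds, "core-sw-01", now=t0)
    early = b.run_rotations(now=t0 + timedelta(minutes=30))   # nothing due yet
    late = b.run_rotations(now=t0 + timedelta(hours=1))       # timer expired
    _, pw_after = b.checkout(*creds, "core-sw-01", now=t0 + timedelta(hours=2))
    return {"early": early, "late": late, "changed": pw_before != pw_after,
            "actions": [entry[3] for entry in b.audit]}


if __name__ == "__main__":
    print(demo())
```

The audit list is the part worth keeping even if you never automate rotation: it answers the accountability question raised later in the thread, because each entry names the engineer who authenticated, not a shared account.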

icecream-guy

Quote from: Otanx on February 16, 2021, 12:41:37 PM
I wouldn't trust the cloud either. Thycotic and others have on-prem solutions. The big benefit over a password-protected xls file is tracking who accessed the creds and when. The really fancy ones will also do password changes, so if someone accesses the password I can set up the solution to automatically change that password one hour later.

Whether it is useful depends on how large your environment is. A couple of people need it? A spreadsheet is probably fine. 100 engineers that may need access to local admin accounts? You might want one of these.

-Otanx

Yeah, I was speaking mainly of home or personal logins, NOT shared ones.

Certificates may be another option. I'm thinking that if a device went awry and you need to gain access to troubleshoot, without TACACS reachability and with no local logins allowed, that's the only other way I can figure to log in to such a device, other than rebuilding the device if there is no password recovery. GAO doesn't like local shared accounts since there is no accountability for who is logging in and making changes. My next question is how to do certificates when connecting locally via console. I am not sure if terminal apps will support installed certs for console access.

:professorcat:

My Moral Fibers have been cut.

Otanx

For home use I have a notebook. I am less worried about someone physically breaking into my house, and stealing the notebook than I am of someone getting access to files on my computer somehow.

I am surprised GAO wants no local accounts. DOD requires an account of last resort on the device. If you don't have one it is a finding. If you have more than one it is a finding. In theory you could do certificate auth over a console. Like you said, I don't know anyone who supports it. Then, if you have one certificate to use over the console, you still have the same accountability issue. If you issue everyone a cert then you need to manually load the cert on every box, and remove it when they leave. You can't rely on the CA server being online to validate certificates when the network is down.

-Otanx

Dieselboy

Quote from: ristau5741 on February 16, 2021, 11:20:06 AM
I use a password-protected Excel spreadsheet, I have no trust in storing my passwords in the cloud.
I picked up the office 2019 suite for like 49 bucks US.

Same here. In fact that's mostly our thought on cloud in general. Just pick any one data breach as an example.

For my passwords I am using KeePass. I store the KeePass db file on a network share and there is a "master password". This isn't perfect, though. I'm the only one who's authorised to access it, so any requests come through me now. I don't like this because I am the single point of failure. In the past, I shared access to this file as well as the password and things got misused. So the CEO directed this.

The issue with KeePass is that the db file is stored somewhere with a single password. If you share this file and the password then the credentials can be accessed. There's little to stop copying of this file. You can change the password, but if the older file (with the older password) had been copied then you have a concern there.

For VMs/Servers, there's an open source solution that manages SSH keys a bit like how Google Cloud does their cloud ssh login. This is on my list to look into.

For personal passwords I also use KeePass. I store the db on my Google Drive so I can access the db from pretty much anywhere. I don't know any of my passwords and they're mostly just random sentences. I've been doing this for about 9 years now and haven't changed how I manage my passwords in that time. Again, it's not perfect, but I prefer that over some cloud-based solution, although I have been suggesting LastPass to people who use the same password everywhere - basically anyone that doesn't do IT on a daily basis. My opinion is that LastPass is better than nothing.

I think a password-protected Excel sheet is on par with KeePass, to be honest with you. What I wouldn't do is save this db file somewhere that could mean it got lost or destroyed. So I'd prefer to store the sheet or db file in a cloud drive. It's encrypted in the cloud and I memorise the master password.

I am just sharing what I am doing currently. I am always looking for a better solution but haven't come across one yet.

heath

I think I'm going to give the free on-prem version of Thycotic a try. I hadn't found that one in my googling, so I appreciate the suggestion. I use one of the leading password managers for personal use and had looked into their enterprise offering, but it didn't seem to fit. Same with most of the other options I found in my research.

KDog

In the enterprise I use LAPS for Windows desktops. It stores the creds in AD so you can look them up when required. Other passwords are stored in a self-hosted (on the client's site) Bitwarden.

For my home computer I have a text file which is stored in an encrypted container opened with VeraCrypt (it is cross-platform). Occasionally I use ecryptfs, as at home I'm 100% Linux.
Never argue with an idiot.
They will bring you down to their level and beat you with experience.