Quick Thoughts on Password Managers for IT Team Use

-
I'm by no means an absolute source for security wisdom, but after working in a handful of different environments, I've learned about using Password Managers in an IT environment. I generally recommend Keepass, but I'd like to expound on that recommendation a bit.
Keepass usually gets my recommendation for it's simplicity and it's price (free). However, it does have some limitations. Let's look at some of those.
  • Shared Login - You can access a Keepass DB with a password/passphrase, a key-file, or using a Windows Account. That third option at a glance makes one think it can auth against AD. What it actually entails is that you can only login using that specific Windows Account, and it's not just that username and password. If your computer gets wiped & reloaded, you can't simply create a new user account with the same username and password. Most commonly, a Keepass DB is locked with a master password or a key-file. For a small team this is usually sufficient, but if you need auditing, or better multi-user functionality, Keepass is a no-go. More info on how Keepass locks it's DB can be found here
  • Auditing - because there's no real multi-user functionality to Keepass DBs, there's no logging of who used what password when, or who modified a record, etc. I've worked in an environment where this functionality was deemed crucial
If individual accounts and activity auditing are features you need from a password manager, then you can look at Secret Server from Thycotic Software. It's not cheap, but it definitely has more features than KeePass. 

Comments

Post a Comment

Popular posts from this blog

Installing CentOS 7 on a Raspberry Pi 3

-
Image
The Raspberry Pi is awesome. If you're like me, you bought one to tool around with for educational purposes. You can run Kodi or gaming console emulators on it or you can combine some together for a tiny OpenStack cluster. At, $50-$60, they're easy on the wallet and running off of 5v USB power makes them pretty energy efficient. Sure, it's only a 1Ghz ARM processor which limits your OS choices but I'd rather have a Pi than running an old Dell PowerEdge or HP Proliant that I bought off of Craigslist. Instead of installing the usual Raspbian OS, this guide is on installing CentOS 7. However, the process described below is relatively universal to whatever OS you want to install on your Pi.
Read more

Modifying the Zebra F-701 & F-402 pens

-
Image
I've been carrying a pen as part of my (mostly) every-day-carry, or EDC, for a couple years now. I bought the Zebra F-701 and after a few other pen purchases, the 701 is still my favorite of all. At first, I just wanted a pen that looked nice and for the moments I needed to sign something. I recall attending meetings when I worked at the university where the attendees were asked to sign-in on the attendance sheet: I tended to be the only one that didn't have a pen so I felt unprepared when I had to ask one of the other attendees if I could borrow theirs. Once I started college, I found myself using a pen much more often, so it had to be comfortable, relatively inexpensive (nice pens can cost hundreds of dollars), and still stylish enough to live in the pocket of a dress shirt.
Read more

How to fix DPM Auto-Protection failures of SQL servers

-
For longer than I care to admit, my DPM server has had the same error every night about an auto-protection failure on one of my SQL servers. I've looked into it before but never came away with anything useful until recently. I've finally found information on how to fix this annoying issue. The Advanced Information link in the error will tell you to make sure WMI is in a good state on the machine. The error itself isn't very descriptive. It'll look something like "DPM could not enumerate SQL Server instances using Windows Management Instrumentation on the protected computer $serverFQDN."
Read more