
Configuring the AuthAnvil Password Server

The AuthAnvil Password Server web interface is used for day-to-day use and management of your AuthAnvil Password Server. All users can log onto the AuthAnvil Password Server Web Interface, but in order for a user to be able to access admin functions, they must have the "Organization Administrator" privilege, granted when their user is created or at any time through the "Manage user" page.

Logging in

  • Open http(s)://<ServerName>/AAPS/
  • Enter your username and password. Or, if you are configured to use AuthAnvil Two Factor Auth, enter your AuthAnvil passcode. Your passcode is comprised of your PIN followed by the next One-Time Password from your token, e.g. 123484449545.
  • Click the arrow button to attempt authentication.
  • After completing the authentication, the AuthAnvil Password Server's Dashboard appears.

Dashboard

The dashboard gives you a brief overview and introduction to the system. On the left side you will see your favorite passwords, if you have marked any as your favorites with the blue star. The right side has a list of what tasks are available for you to complete, such as updating passwords and reviewing password requests.

The "Password Search" bar is a quick tool to scan through all of the passwords you can access and will return a list of matching search results.

Users

Everyone who needs to login to AuthAnvil Password Server requires a User. Each username is unique as it is tied to a specific email address. This email will be used for logging in as well as for user notifications (i.e. password expiry, requesting access, permission approval).

Adding Users

Adding new users is done from the Users tab. Just hover over the actions menu and click Add User.

  1. In the "General Information" panel, fill in the user's personal data, account status, and set their permissions. The available permissions are:
    • Requires two-factor authentication to login: The user does not use a password, instead using AuthAnvil Two-Factor Auth to log in.
    • Allowed to maintain a Private Vault: The user is allowed to maintain a private vault, where they can keep private passwords. See the section on Private Vaults later in this document for more details.
    • Allowed to create Shared Vaults: The user is allowed to create and manage new shared vaults. This permission implies the "Allowed to own Shared Vaults" permission.
    • Allowed to own Vaults and create Personal Vaults: The user is allowed to be assigned the "owner" permission for shared vaults so that they can manage them. They are also able to manage their own Personal Vaults. See the section on vault types later in this document for more details.
    • Organization Administrator: The user is an organization administrator, allowed to manage users, settings, and sync agents, and run reports. If the administrator is also assigned the "Allowed to own Shared Vaults" permission, they can seize control of shared vaults.

  2. If the user is set to require Two-Factor Auth, the SAS URL and Site ID for their AuthAnvil Two Factor Auth Server can be set on the "AuthAnvil Two Factor Auth Settings" panel. Here, you can also set the user to use the organization's Two Factor Auth settings, as configured on the Settings tab.
  3. On the "Roles" panel, the user can be assigned to one or more Roles, deciding which vaults they can see and access.
    NOTE: A user must be assigned to at least one Role, as Roles are directly mapped to Scopes.
  4. Finally, click "Save Changes" to create the user.

Managing Users

Managing existing users is done from the Users tab. Just click on the username of the user that you would like to manage.

When managing a standard user, you can change the following things:

  • General Information Tab: Email Address, Display Name, Password (if enabled), user permissions, and whether the user is enabled or disabled.
  • AuthAnvil Two-Factor Auth Settings: SAS URL and Site ID or Use Organization Settings
  • Roles: Which Roles the user is assigned to.
  • Actions menu: Delete the user.

When finished, click "Save Changes" to save changes, or "Cancel" to cancel them.

Roles

Roles provide an easy method to apply configuration to a large group of users, rather than to each user individually. Scopes and Vault permissions can be applied to Roles to allow visibility and access control to specific user templates, such as "Administrator", "Technician", and "Client". Users can also be assigned to multiple roles, and they will always take the best policy available to them.

For example, if you create an "Admin" role which has access to the "Administration" scope, but the "Users" role only has access to the "Default Scope", a user assigned to both roles will have access to both scopes respectively.

Roles were introduced in AuthAnvil Password Server v1.6. Any customers upgrading from earlier versions will automatically have a role created for each individual scope, mapping the current scope members to a role with access to that scope.

Adding Roles

Adding new roles is done through the Roles tab at the top of the page. Hover over the Actions menu and click Add Role.

  1. In the "General Settings" panel, fill in the Name and Description of the Role. This may represent user groups or departments in your own company ("Technicians", "Administrators", "Accounting").
  2. The "Scopes" panel determines which Scopes this role is able to see. All members of this role will be able to see every vault bound to these scopes.
  3. Assign users to this role through the "Role Members" panel. All users will be listed here. Simply check the boxes for the users that will be assigned to this role.
  4. Click "Save Changes" in the bottom-right corner to create the role.

Vaults

The Vaults tab lets the user access all of the vaults that they are allowed to see, and to create new ones if they are assigned that privilege.

Shared Vaults

Shared Vaults can be shared between multiple users. Upon creation they are bound to a certain Scope, or visibility level, and only members with access to that scope can see this vault. They will have one or more Owners to manage user access and permissions. These vaults are the most common as they allow the full range of features for administration and management of passwords, including synchronization and password rotation.

Personal Vaults

Personal Vaults provide the ability to synchronize passwords. By default a personal vault is only accessible by the user that created it, but access can also be granted to admins. Organization Administrators are able to see users' Personal Vaults and they may also request access to them, but there is no way for an admin to forcibly take control of one. This vault type is for limited-access passwords that can be synchronized and used in remote desktop connections, or personal passwords that may need to be viewed by an admin.

Private Vaults

If the AuthAnvil Password Server administrator has granted the permission, users can maintain a private vault. These vaults are completely private, and cannot be viewed or seized by administrators, or even shared with other users. Additionally, the user must enter a unique password in order to log into their private vault, so the private vault is kept safe even if the user's login password is changed or compromised. This password can be changed if the user is logged into the private vault, but cannot be reset if the user forgets it. This means that they will lose access to all of their stored passwords.

Creating Shared Vaults

To create a shared vault, simply click on the Vaults tab, mouse over the actions menu and click "Create a New Vault"

  1. In the "General Information" panel, set a Name, Description, and Scope for the Vault. Note that the scope cannot be changed after the vault is created.
  2. In the "Vault Password Policy" tab, set the password policy for the vault. These settings are populated based on the organization's default settings. The following Password Policy Settings are available:
    • Minimum Length: The minimum length that a password can be. Must be set to greater than 3.
    • Maximum Length: The maximum length that a password can be. Cannot be longer than 64.
    • Days to Expiration: How many days before the password is marked as expired in the AuthAnvil Password Server and requires a change. Setting this value to 0 will cause the password to never expire.
    • Password Requirements: Whether passwords should be required to contain characters from the sets of English Uppercase, English Lowercase, Base 10 Digits, or non-alphabetic special characters.
    • Save Password History: Whether the AuthAnvil Password Server should keep a record of historical passwords for each password in the vault.
      • Enforce Password History: Whether the AuthAnvil Password Server should stop users from re-using passwords from the historical password list.
      • Keep Password History For: How many passwords the AuthAnvil Password Server should keep in the historical password list for each password.
    • Enable automatic rekey of Vault: Whether the vault should be automatically rekeyed on a schedule.
      • Automatically rekey the Vault after: How often the Vault should be automatically rekeyed.

  3. The "Vault Members" tab allows you to add users to the vault and assign permissions. These users and permissions can be modified later on the Manage Vault Settings page. There are several permission levels available for users:
    • Owner: The user has full control over the vault, and can set password policy, add and delete users, and even delete the vault itself. This permission level also implies all of the other permission levels, including Audit, and has all of their privileges. A user can only be assigned the "Owner" permission if they have the "Allowed to Own Shared Vaults" permission assigned to their user account.
    • Create: The user has permissions to import, create, and delete passwords within the vault. It implies the read and modify permissions.
    • Modify: The user has permissions to modify the existing passwords within the vault. It implies the read permission.
    • Read: The user can read and export existing passwords from the vault.
    • Launch: The user can launch one-click applications from AuthAnvil Single Sign On. Web Launch capability is available for Windows Passwords (RDP launch) and Web Passwords.
    • Audit: The user can run vault-specific reports from the reports tab.
    • Requires Approval: This permission can be combined with the read and modify permissions. The user must request permission from an administrator before being allowed to view or modify the password for a set period of time. The user can also be assigned the Audit permission while this permission is active.

  4. Finally, click "Save Changes" to create the Vault.
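
The scope, role and vault-permission rules above can be checked mechanically. The following Python model is an added example, not code from the AuthAnvil product: it assumes its own illustrative data structures (User, Vault, a role-to-scope map) and encodes the implication table from the Vault Members list, the Owner prerequisite, the union of scopes across a user's roles, the Requires Approval flag, and the seize rule for administrators.

```python
"""Visibility and permission rules for shared vaults, as described in this
guide. Added example, not AuthAnvil product code; the data structures and
function names are illustrative assumptions."""
from dataclasses import dataclass, field

# What each vault permission level implies (Owner implies everything,
# Create implies Modify and Read, Modify implies Read).
IMPLIES = {
    "Owner": {"Create", "Modify", "Read", "Launch", "Audit"},
    "Create": {"Modify", "Read"},
    "Modify": {"Read"},
    "Read": set(),
    "Launch": set(),
    "Audit": set(),
}


@dataclass
class User:
    name: str
    roles: set                           # names of the Roles the user holds
    can_own_shared_vaults: bool = False  # "Allowed to own Shared Vaults"
    org_admin: bool = False              # "Organization Administrator"


@dataclass
class Vault:
    name: str
    scope: str                                   # fixed at creation
    members: dict = field(default_factory=dict)  # user name -> granted perms
    requires_approval: set = field(default_factory=set)  # "Requires Approval"


def effective_scopes(user, role_scopes):
    """Union of the scopes of every role the user holds (best policy wins)."""
    return set().union(*(role_scopes.get(r, set()) for r in user.roles))


def can_see_vault(user, vault, role_scopes):
    """A vault is visible only to users whose roles include its scope."""
    return vault.scope in effective_scopes(user, role_scopes)


def expand(perms):
    """Close a set of granted permissions under the implication table."""
    out = set(perms)
    while True:
        implied = set().union(*(IMPLIES.get(p, set()) for p in out))
        if implied <= out:
            return out
        out |= implied


def grant(user, vault, perms):
    """Assign vault permissions, enforcing the Owner prerequisite."""
    if "Owner" in perms and not user.can_own_shared_vaults:
        raise PermissionError(f"{user.name} lacks 'Allowed to own Shared Vaults'")
    vault.members[user.name] = set(perms)


def effective_permissions(user, vault, role_scopes):
    """Permissions the user actually gets; empty if the vault is out of scope."""
    if not can_see_vault(user, vault, role_scopes):
        return set()
    return expand(vault.members.get(user.name, set()))


def can_reveal(user, vault, role_scopes, approved=False):
    """Reveal needs Read; a member flagged Requires Approval also needs an
    approved request for the password."""
    if "Read" not in effective_permissions(user, vault, role_scopes):
        return False
    return approved or user.name not in vault.requires_approval


def can_seize(user, vault, role_scopes):
    """Organization Administrators who may own shared vaults can seize any
    vault in a scope they belong to, becoming an Owner."""
    return (user.org_admin and user.can_own_shared_vaults
            and can_see_vault(user, vault, role_scopes))
```
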

Managing Vaults

Managing existing vaults is done from the vaults tab. Just click on the name of the vault that you would like to manage.

The following management options are available from the actions menu on the vault page:

  • Add Password: Add a new password to the vault. Available to users with the create permission and above.
  • Import Passwords: Import a new password to the vault from a password import file. Available to users with the create permission and above.
  • Manage Vault Settings: Manage the password policy, vault membership and permissions and delete the vault. Available to users with the owner permission.
  • Export Vault: Export all of the passwords in the vault into a comma separated list of values in clear text. Available to users with the read permission and above.

The following management options are available from the Manage Vault Settings page:

  • General Settings: Display name and description. Vault scope cannot be changed.
  • Vault Password policy: All of the password policy options. See "Creating Vaults" for more information.
  • Current and Available Vault Members: Which users are members of the vault, and which permissions they have assigned to them. See "Creating Vaults" for a detailed explanation of vault permissions.
  • Actions Menu:
    • Delete Vault: Delete the vault and all of the passwords contained inside it.
    • Rekey Vault: Re-encrypt the vault data with new encryption keys.

When finished, click "Save Changes" to save changes, or "Cancel" to cancel them.

Requesting Access to Vaults

If a user does not have permissions to access a vault, but it belongs to a scope that they are a member of, then they can request to join the vault.

  1. Click on the Vault name and click "Request Membership".
  2. The Vault owners will receive an email with the request. If they want to give the user permissions to the vault, they can click on the link in the email and can choose what level of permissions to assign the user.

Seizing Vaults

If an administrator does not have permissions to access a vault that is in a scope that they are a member of, and they have the "Allowed to own shared vaults" permission, they can request to join the vault or seize the vault. If they need to seize the vault, they click on the vault name and click the seize vault button. This will send an email message to every member of the vault, informing them which administrator has seized the vault, and that they are now an owner of that vault.

Managing Personal Vaults

To use Personal Vaults click on the Vaults page. If you have the permission "Allowed to own Vaults and create Personal Vaults" you will see a Personal Vaults tab. As outlined earlier, Personal Vaults are able to rotate and synchronize passwords, and they can also be used to configure remote desktop links for Windows credentials. They are more limited than Shared Vaults as they are only tied to a single user by default.

To use synchronization with a Personal Vault, sync agents must have access to the "Personal Scope" in their Scopes list. This will enable users to rotate and synchronize passwords using this sync agent.

Personal Vaults - Admin View

While a Personal Vault is controlled by a single user, Organization Administrators have a special view that enables them to see a list of the Personal Vaults. Clicking on a vault that an admin does not have access to will ask if they want to request ownership. By default, approved access is granted for 5 days.

Creating a Private Vault

To create a private vault, the user navigates to the Vaults tab, then clicks on "Private Vault". They will need to choose a private vault password of at least 4 characters that contains characters from two of the character sets of lowercase a-z, uppercase A-Z, numeric (0-9), and special characters and then click "Create".


Modifying Private Vaults

To log into and manage a private vault, the user clicks on the Vaults tab, then the Private Vault tab, then logs in with their private vault password.

The following management options are available from the actions menu on the vault page:

  • Add Password: Add a new password to the private vault.
  • Manage Vault Settings: Manage the settings for the private vault.
  • Export Vault: Export all of the passwords in the vault into a comma separated list of values in clear text.

The following management options are available from the Manage Vault Settings page:

  • Update Private Vault Password: Updates the password used to log into the Private Vault.
  • Actions Menu:
    • Delete Vault: Delete the vault and all of the passwords contained inside it.
    • Rekey Vault: Re-encrypt the vault data with new encryption keys.

When finished, click "Save Changes" to save changes, or "Cancel" to cancel them.

Differences between Private and Shared Vaults

Since private vaults are designed for a single user's private passwords, there are a few design differences between them and Shared Vaults:

  • Private vaults do not apply a password policy. As such, the only limitation on passwords is that they must be between 4 and 64 characters long. There are no restrictions on content, age, or history.
  • The user always has the option to export their private vault, even if the "Allow Vault members who can Read to export content to CSV (in clear text)" setting is disabled in the settings page.
  • Password history is not kept, so cannot be viewed.
  • Private passwords cannot be synchronized using sync agents.
  • Private vaults cannot be automatically rekeyed. They can, however, be manually rekeyed at the user's convenience.

Passwords

Passwords are stored and managed inside vaults, with users' level of access to them depending on the permissions that are assigned at the vault level.

Creating Passwords

  1. Open a Vault, and click "Add Password" under the Actions menu.
  2. In the general settings panel, fill in the following fields:
    • Password Name: A friendly name for the password. Note: This does not have to be the same as the password's username.
    • Description: A description of the password.
    • Password Type: The category of password that this falls into. If you do not see the password type, then just set it as a General Password.
      Note: Most password types are informational, meaning they do not have a special effect on the password. Windows and Web password types (e.g. Active Directory Windows Password) provide additional functionality or fields, as outlined in the rest of the guide.
    • Days to Expire: How many days before this password is expired and flagged for change. If this value is set to 0, the password will never expire.
    • Expire X Minutes After Access: After a user reveals or copies this password, wait this many minutes to automatically rotate this password or flag it for manual expiration. This also applies to passwords accessed through RDP or Web Launch icons. If this value is set to 0, the password will never expire.
    • Username: The username associated with the password. This field is not displayed for types of passwords that do not have usernames. If you have a general password that does not have a username, just leave it blank.
    • Domain: The active directory domain name associated with this password. This field is only displayed for the "Active Directory Windows Password" type.
    • Machine Name: The name of the machine associated with this password. This field is only displayed for Windows password types.
    • Password: The password value to store in the vault.
    • Notes: Any additional notes needing to be stored with the password data. This could be special information about the connection or account. All Notes information will appear when the password is revealed on screen.
    • Checkboxes: There are 2 additional options. "Ignore the Vault Password Policy for this Password" allows you to save the password, even if it does not meet the necessary complexity requirements. "Do not include this Password in the 'Passwords not attached to an Association' report" excludes this password from a special report that looks up all passwords not tied to an Association.

  3. If the password is a synchronizable type of password, such as a Standalone or Remote Windows Password or an Active Directory Password, you can set up synchronization settings in the synchronization tab following the instructions in the "Synchronizing Passwords" section below.
  4. Click Save Changes to save the password.

Password Policy Templates

Password Server allows you to create customized password policy templates to control the complexity requirements for your passwords. Many websites have specific requirements or limitations on how long or short a password can be, as well as which characters are acceptable. Password Policies let you define the specific complexity requirements for each password so that it stays within the limits the account will accept. When a password tied to a policy is rotated, the new value is automatically generated within those constraints, so it adheres to the security policy for the account.

Password Policy List

When you are creating or modifying a password record, there is a new dropdown to select a password policy. Once selected, the constraints of that policy will apply to this password whether it is manually or automatically changed.

Password Policy Dropdown

To unassign a password policy from a record, select "Optional: Choose a Password Policy" from the policy dropdown list.

Creating your own Password Policies

You can create your own Password Policies on the "Settings" tab at the bottom of the page. There are multiple premade templates available to use right away with preset ranges for password length and allowable characters.

Creating your own template is easy. Simply fill out the boxes for what will be allowed in your password policy:

  • Policy Name – The title of your password policy
  • Allow Lowercase (abc), Uppercase (ABC), Numerals (123)
  • Allowed special characters (no spaces). Example: !#$%^&*()_-+={}[]
  • Minimum / maximum length
  • Click the "Create Policy" button

Creating a password policy
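
The vault password policy settings described earlier (minimum and maximum length, required character sets, password history) and the custom policy templates above (allowed sets, allowed special characters, length bounds) can be expressed as a small checker and generator. This Python is an added example, not code from the product; the VaultPolicy and PolicyTemplate classes and the function names are illustrative assumptions, and it also covers the private vault password rule (at least 4 characters from two character sets) from the "Creating a Private Vault" section.

```python
"""Vault password policy checks and policy-template generation as described
in this guide. Added example, not AuthAnvil product code; the class and
function names are illustrative assumptions."""
import secrets
import string
from dataclasses import dataclass

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits


@dataclass
class VaultPolicy:
    """The "Vault Password Policy" settings: length bounds, required character
    sets, and password history enforcement."""
    min_length: int = 8           # must be greater than 3
    max_length: int = 64          # cannot be longer than 64
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_special: bool = True
    enforce_history: bool = True
    history_size: int = 5         # "Keep Password History For"

    def __post_init__(self):
        if not 3 < self.min_length <= self.max_length <= 64:
            raise ValueError("minimum must exceed 3 and maximum may not exceed 64")


def character_classes(pw):
    """Which of the four character sets a password draws from."""
    present = set()
    for ch in pw:
        if ch in UPPER:
            present.add("upper")
        elif ch in LOWER:
            present.add("lower")
        elif ch in DIGITS:
            present.add("digit")
        else:
            present.add("special")
    return present


def policy_violations(pw, policy, history=()):
    """Reasons the vault policy rejects a password (empty list means accepted).
    `history` is the stored list of previous values, oldest first."""
    problems = []
    if not policy.min_length <= len(pw) <= policy.max_length:
        problems.append("length")
    classes = character_classes(pw)
    required = (("upper", policy.require_upper), ("lower", policy.require_lower),
                ("digit", policy.require_digit), ("special", policy.require_special))
    problems += [f"missing {name}" for name, on in required if on and name not in classes]
    # Only the most recent history_size entries are retained and compared.
    if policy.enforce_history and pw in list(history)[-policy.history_size:]:
        problems.append("reused from history")
    return problems


def private_vault_password_ok(pw):
    """Private vault login password: at least 4 characters drawn from two of
    the four character sets (no other policy applies to private vaults)."""
    return len(pw) >= 4 and len(character_classes(pw)) >= 2


@dataclass
class PolicyTemplate:
    """A custom policy template: which sets are allowed and the length bounds."""
    name: str
    allow_lower: bool = True
    allow_upper: bool = True
    allow_digits: bool = True
    allowed_specials: str = "!#$%^&*()_-+={}[]"   # the guide's example set
    min_length: int = 12
    max_length: int = 64

    def pools(self):
        """The allowed character sets, in a fixed order."""
        return [p for p, on in ((LOWER, self.allow_lower), (UPPER, self.allow_upper),
                                (DIGITS, self.allow_digits),
                                (self.allowed_specials, bool(self.allowed_specials))) if on]


def matches_template(pw, tpl):
    """True if the password uses only allowed characters and an allowed length."""
    alphabet = "".join(tpl.pools())
    return tpl.min_length <= len(pw) <= tpl.max_length and all(c in alphabet for c in pw)


def generate_for_template(tpl, length=None):
    """Generate a rotation password that satisfies the template. One character
    is taken from every allowed set so the result also passes a vault policy
    that requires those sets; the rest are drawn uniformly from the alphabet."""
    length = tpl.max_length if length is None else length
    pools = tpl.pools()
    if not pools or not max(tpl.min_length, len(pools)) <= length <= tpl.max_length:
        raise ValueError("template allows no characters or length is out of range")
    chars = [secrets.choice(p) for p in pools]
    chars += [secrets.choice("".join(pools)) for _ in range(length - len(pools))]
    secrets.SystemRandom().shuffle(chars)   # hide which positions came from which set
    return "".join(chars)
```
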

Revealing and Modifying Passwords

To reveal a password, a user with "Read" permissions or better to the vault can open up the vault and click the "Reveal Password" button. Users that have the "Requires Approval" permission set first need to follow the instructions in the "Requesting Access to Passwords" section below. A user with "Modify" permissions or better can click on the password's name to modify it.

When modifying a password, the following options are available:

  • General Settings: All of the settings available in the General Settings panel of Add Password, including Name, Description, Type, Expiration, Username, Domain Name, Computer Name, and Password.
  • Password History: Previous password history will be shown here if password history is enabled in the vault, and the "Allow previous password history to be shown" setting is set at the organizational level.
  • Synchronization: Synchronization settings which can be set based on the instructions in the "Synchronizing Passwords" section below.
  • Actions:
    • Delete Password: Deletes this password and its history (if enabled) from the vault. This operation cannot be reversed.

When finished, click "Save Changes" to save changes, or "Cancel" to cancel them.

Requesting Access to Passwords

If a user is assigned the "Requires Approval" permission, they must request approval to access a password in the vault, and an administrator must approve the request before they can see the password. The requires approval workflow goes as follows:

  1. The user logs into the vault and clicks the "Request Approval" button beside the password. This sends an approval request to the vault owners.
  2. When the owner logs into the vault, they will have a task in their task list letting them know that a password request is pending and needs to be reviewed. The administrator then clicks "View Password Request".
  3. The administrator can then either approve or deny the request. When approving it, they can set an expiry date for the user's access, optionally change the password before approval, expire the approval when the password expires, and have the system automatically generate a new password when the approval expires (if the password is synchronized), then click Accept.
  4. If the administrator approves the request, the system will send an email to the user letting them know that their request was approved.
  5. The user can then log in to the vault and view or modify the password as their permission level allows.

Synchronizing passwords

The AuthAnvil Password Server supports synchronizing certain types of passwords that are stored in public vaults, namely Standalone Windows Passwords, Remote Windows Passwords, and Active Directory Passwords. Passwords for Windows Scheduled Tasks and Windows Services can also be synchronized by using these types of passwords in Sync Chains - covered in the next section.

To synchronize one of these types of passwords, simply open up the synchronization tab when you are creating or managing the password and select "Enable Synchronization". You also have the option to have the password automatically changed when it expires. Next, choose the sync agent that you would like to perform the password change. If this is a Windows password, select a sync agent on the same network or domain. For web passwords, make sure the sync agent has internet access. Then click "Save Changes".

Note: For Standalone Windows Passwords, the Sync Agent must be on the same machine as the password being synchronized. For Remote Windows Passwords, the sync agent only has to be on the same network as the target machine, but it requires an elevated Linked Credential to connect to the target machine. For Active Directory Windows Passwords, the sync agent just needs to be on a domain member machine.

Note: For Remote Windows Passwords, the target machine's firewall must have the appropriate ports open for remote management via WMI, as described in this MSDN article and, if it is running Windows Vista or later, must have the LocalAccountTokenFilterPolicy set as described in this Microsoft KB article.

Note: For Windows Service Passwords, you must use the Service Name of the service rather than the Display Name. Right-click the service and go to Properties to verify the Service Name.

The AuthAnvil Password Server will test that it has the correct password stored the next time that the sync agent checks in, and will then keep the password synchronized with the password that is configured with the vault, based on vault policy. Each day, the AuthAnvil Password Server will verify that all synchronized password records are still in sync with the respective Windows user accounts. For any sync agents that synchronize passwords on remote machines, the machines must be online and available on the network at this time, otherwise the sync test will fail, and the password will be marked as "Out of Sync." See the Out of Sync Passwords section later in this document for more information.

Sync Chains

Sync Chains allow a user to define a series of passwords that need to be kept in sync. A common example is when you change a password for an administrative user account. If that user account has scheduled tasks that run using its credentials, the stored credentials used by the scheduled task must also be updated when the password is synchronized. That's where sync chains come in.

To set up a sync chain, you simply enable synchronization for a password and choose a Sync Agent to synchronize against. You can then add links to the Sync Chain. The "Default Sync" link is always first, and represents the synchronization against the target specified in the "General Settings" panel. Other links are processed in order and represent various local passwords, domain passwords, remote passwords, task passwords and service passwords. Depending on the link, you will have to specify the relevant information, such as the username of the user to synchronize and machine, domain, device, or task-specific information.

For example, in a computer lab where each machine is domain joined, you may want to synchronize all of the local administrator accounts to a single password. This is the perfect scenario for a sync chain. You would install a sync agent on one of the machines in the lab and set up a Standalone Windows Password for the local Administrator account on that machine. Then, in the sync chain, you would set up a "Remote Password" link for each machine in the lab, specifying the machine name and the username to synchronize. The vault will test to make sure that the passwords are initially in sync, and then synchronize all of them against the same password each time it changes in the vault.

Note: Remote Windows Passwords, Task Passwords, and Service Passwords require a linked credential to be configured for the Sync Agent. See the Sync Agents section for more details.

Sync States

Every password has a status to let users know how the password is being synchronized. This tells the user whether the password is synced or not, if it can be synced, or if it is in the process of being synced. A sync state can be found under the "Sync Status" column for a password. Here is a list of sync states and their meanings:

  • Not Synced – A password that has not been configured for synchronization
  • Pending Sync – A sync agent is in the process of either testing the password or changing it to a new value
  • In Sync – The current password is synchronized and tested against the target login
  • Out of Sync – The current password was unable to be validated, or did not log in correctly
  • Unsyncable – The Web Workflow on this password has no validation steps, so it cannot be verified as the proper password. Launch permissions can still be configured for Single Sign On access to this application
  • Change not Configured – This web password was changed, but there are no workflow steps to update this password on the website. It will have to be manually updated on the website, then you can retry the sync.

Out of Sync Passwords

Occasionally, a password will get out of sync with the vault. This can happen because of an incorrect password stored in the Password Server, a changed password on the Windows / website level, or a failed change due to a bad connection or password complexity. The AuthAnvil Password Server will alert vault owners with an email that the password needs an administrative override. When the vault owner logs in, they will have a task on their task list stating that a password sync failed and that an administrative override is required in order to force the sync. You can see password "Sync Issues" on your Task List in the Dashboard:

On this page, the vault owner needs to enter administrative credentials for the system in question, along with a new password for the account, and click the "Approve" button so that the AuthAnvil Password Server can bring the password back into sync. Users can also click the "Retest Sync" button to send the sync instruction again. This is useful if the target machine was temporarily unavailable during the last synchronization attempt.

Sync Agents

The Sync Agents tab displays all of the sync agents that are currently authorized for use in the AuthAnvil Password Server, as well as showing any pending sync agent requests.

Approving Sync Agent Requests

After a Sync Agent has been installed on a machine and checks into the AuthAnvil Password Server, it will appear in the Sync Agents tab as a pending agent. From here, you can click Approve to configure the agent for use with the AuthAnvil Password Server, or Deny to deny the request and remove the agent from the list.

When approving a sync agent, the following options are available:

  • General Settings: Set a friendly name for the agent in the Agent Name field, and optionally set a new password for the agent. If you set a password for the agent, you will need to enter this password on the agent side before the approval process can complete. This is typically only required if you need to verify the identity of the computer that is making the request.
  • Scopes: Choose one or more scopes for this Sync Agent to be available to.
  • Linked Credential: For synchronizing passwords that require an administrative credential to be provided, such as Windows Tasks, you can set a credential to use for these password changes here, picking it from the passwords available in the system.

When ready, hit Save Changes to approve the Sync Agent request.

Managing Sync Agents

To manage a Sync Agent's settings, simply click on the agent's name under the Approved Agents section, and the following options are available:

  • General Settings: Change the agent name, and enable or disable the agent.
  • Scopes: Change the scopes that this agent is assigned to.
  • Linked Credential: Add, change, or remove the linked credential that is assigned to this agent.
  • Actions:
    • Delete Agent: Permanently remove this agent from the system.

When ready, hit Save Changes to save changes to this Sync Agent.

Reports

The AuthAnvil Password Server collects a wealth of data on users, vaults, and passwords. It makes this data available to administrators through the reports tab for all users, tokens, and vaults, and to vault owners and auditors for the vaults that they control. Each report can be exported to a CSV file for storage or import into other tools.

The following reports are available:

  • "Top 10" Reports
    • Top 10 passwords accessed in the last 30 days: Displays password name, description, last access date and the vault for the top 10 most accessed passwords.
    • Last 10 passwords accessed: Displays password name, description, last access date, accessing user, and the vault for the last 10 accessed passwords.
    • Top 10 users in the last 30 days: Displays Name, Email address, status, last login, last login failure, and the option to run a permission report for the top 10 users.
  • User Reports
    • What passwords can a user see? Per user report displays the password name, description, read permissions, last access date and vault for all of the passwords that the user can see.
    • What passwords has a user seen? Per user report displays the password name, description, read permissions, last access date and vault for all of the passwords that the user has seen, even if the user no longer has access to the password.
    • What passwords does a user still know? Per user report displays the password name, description, read permissions, last modified date and vault for all of the passwords that the user has seen, that have not changed since the user has seen them, even if the user no longer has access to the password, with the option to expire all of the passwords that the user still knows.
    • What has a user been doing lately? Per user report displays the user's action, a detailed message and the timestamp of the action for the user's last 100 actions over the past 30 days in the AuthAnvil Password Server.
  • Vault Reports
    • What vaults have been created recently? Displays the event information, user, vault and event time for up to the last 100 vaults created within the last 30 days.
    • What vault settings have changed recently? Displays the event information, user, vault and event time for all of the vault settings changed within the last 30 days.
    • Which vaults have been exported recently? Displays the event information, user, vault and event time for up to the last 100 vaults exported within the last 30 days.
    • What permissions have been granted for a vault? Per vault report displays the users and their permissions for the vault.
  • Password Reports
    • What passwords are about to expire? Displays the Password Name, Description, Last Modified Date, Days since the last change, days left, password expiration settings, and the vault, for passwords that are about to expire.
    • What passwords are out of sync? Displays the Password name, Description, Last Modified Date and Vault for any passwords that are out of sync.
    • What passwords are not being synced? Displays the password name, description, last modified date, and vault for any passwords that are not being synchronized.
    • What passwords have been accessed? Displays the password name, description, access time, status message, last accessed time and vault for all of the passwords that have been accessed by users.
  • Permission Reports
    • What permissions does a user have? Per user report on what permissions a user has assigned to their account, and what permissions they have for each vault that they have access to.
    • What permissions have changed recently? Displays the event information and time for up to the 100 most recent permissions changes within the past 30 days.
    • Who received password approval recently? Displays the password requested, vault, requestor, reviewing owner, and time of up to 100 of the most recent approved password requests over the past 30 days.
    • Who was denied password approval recently? Displays the password requested, vault, requestor, reviewing owner, and time of up to 100 of the most recent denied password requests over the past 30 days.
  • Activity Reports
    • When have passwords been revealed lately? Displays charts of the frequency and timing of password reveals over the previous day, month and year, which are regenerated hourly by default.
    • Which accounts seem to be inactive? Displays the Username, last activity date, last successful logon, and last logon failure for users that have not logged on within the past 30 days, including those users who have never logged on.
    • Which accounts have failed to logon recently? Displays the Username, last activity date, last successful logon, and last logon failure for up to the past 100 failed logons over the past 30 days.
    • What administrative activity has gone on lately? Displays the user, event and timestamp for all administrative activity that has occurred over the past 30 days.

Settings

The AuthAnvil Password Server manages organization settings under the "Settings" tab. There are 6 Panels that control site settings:

General Settings
  • Token Lockout Threshold: determines how many failures are allowed before a user will be locked out. A value of 0 means that the AuthAnvil Password Server should never lock out the token. A typical value of 5 attempts will allow a user to recover from an input error while preventing an attacker from probing the server in too much depth.
  • Token Lockout Duration: determines how long (in minutes) a user's token will be locked out (disabled) before it can be used again. A value of 0 means that AuthAnvil should never unlock the token, requiring an administrator to unlock it manually. A typical value of 15 minutes will allow a user to recover from a failure while preventing an attacker from probing the server in too much depth.
  • Base URL: this field defines the first part of the URL that will be sent in server email messages. You can use an internal domain name if the emails are expected to stay within the local network only. If you expect emails to also be sent externally, you should provide a fully qualified domain name. Internal example: yourdomain.local. External example: yourdomain.com.
  • Allow the use of Private Vaults: determines whether or not users in this organization can be assigned the "Allowed to maintain a private vault" permission. NOTE: Users that already have private vaults assigned will lose access to them if this setting is unset. Passwords in these vaults will not be deleted, and the users will regain access to them when this permission is re-enabled.
  • Allow Vault members who can Read to export content to CSV (in clear text): determines whether users with the read permission are allowed to export the contents of the vault into a clear-text CSV file. NOTE: Users with Requires Approval Assigned cannot export vaults.
  • Allow previous password history to be shown: If a vault is configured to keep password history, this option determines whether users with the modify permission are allowed to see a list of the previous passwords when they go into the modify password page. NOTE: If this option is turned off, password history is still kept as per the vault settings. Users just aren't able to see it.
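
The two lockout settings interact in a way that is easy to get wrong, so here is a small model of their semantics as an added example (illustrative code written for this article, not AuthAnvil's own implementation). It treats the threshold and duration exactly as described above: a threshold of 0 never locks the token, and a duration of 0 keeps the token locked until an administrator unlocks it. Timestamps are plain epoch seconds, and the class and function names are assumptions.

```python
"""Model of the Token Lockout Threshold / Token Lockout Duration semantics.

Illustrative code written for this article, not AuthAnvil's own code.
Timestamps are epoch seconds (as returned by time.time()) so it runs offline.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutSettings:
    threshold: int = 5          # failures allowed before lockout; 0 = never lock out
    duration_minutes: int = 15  # minutes locked; 0 = locked until an admin unlocks


@dataclass
class TokenState:
    failures: int = 0
    locked_since: Optional[float] = None  # epoch seconds, None when not locked
    admin_unlock_required: bool = False   # set when duration is 0 and the threshold was hit


def is_locked(settings, state, now):
    """True if the token cannot currently be used; clears a lock whose duration elapsed."""
    if state.admin_unlock_required:
        return True
    if state.locked_since is None:
        return False
    if now - state.locked_since >= settings.duration_minutes * 60:
        # Lockout duration elapsed: clear the lock and the failure counter.
        state.locked_since = None
        state.failures = 0
        return False
    return True


def record_failure(settings, state, now):
    """Count a failed authentication and lock the token once the threshold is reached.

    Returns True when the token is locked after this failure.
    """
    if is_locked(settings, state, now):
        return True
    state.failures += 1
    # Threshold 0 means the server never locks the token, however many failures.
    if settings.threshold == 0 or state.failures < settings.threshold:
        return False
    if settings.duration_minutes == 0:
        state.admin_unlock_required = True   # duration 0: no automatic unlock
    else:
        state.locked_since = now
    return True


def record_success(state):
    """A successful login resets the failure counter."""
    state.failures = 0


def admin_unlock(state):
    """Manual unlock by an administrator clears every lock state."""
    state.failures = 0
    state.locked_since = None
    state.admin_unlock_required = False


if __name__ == "__main__":
    settings = LockoutSettings(threshold=5, duration_minutes=15)
    state = TokenState()
    for attempt in range(5):
        print("locked after failure", attempt + 1, "->", record_failure(settings, state, 1000.0))
    print("still locked 14 min later:", is_locked(settings, state, 1000.0 + 14 * 60))
    print("still locked 15 min later:", is_locked(settings, state, 1000.0 + 15 * 60))
```

The model makes the trade-off in the text visible: with the typical 5 / 15 values a mistyped passcode costs a user at most a short wait, while guessing is throttled to a handful of attempts per window; with duration 0 every lockout becomes a help-desk ticket, which is the price of never auto-unlocking.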
Mail Settings

  • Mail Server: defines where AuthAnvil will send email messages for alerts and enrollment requests. This should be a resolvable name or IP address to a working SMTP (mail) server that will allow the AuthAnvil server to relay messages. The Test button will attempt to send an email via the mail server to the email address set on this dialog.
  • Email Address: This sets the From Address. This field defines who the email will be sent from, such as 'authanvil@yourdomain.com'. NOTE: This email address is also the email address that the server will send any administrative emails to, so make sure that it is a mailbox that is checked regularly.
  • Use SSL: determines whether or not the server will attempt to use an SSL connection to communicate with the mail server.
  • Advanced SMTP Settings:
    • SMTP Server Requires Authentication: If the mail server does not allow anonymous access, authenticated SMTP is also supported.
    • Server Port: The port that the SMTP server is listening on.
    • Username: The username of the SMTP user.
    • Password: The password for the SMTP user.

AuthAnvil Two Factor Auth Settings

  • AuthAnvil SAS URL: The SAS URL of the AuthAnvil Two Factor Auth server that you would like your users to authenticate to by default if the "Requires Two-Factor Authentication" setting is set for the user. This setting can be changed on a per user basis.
  • Site ID: The Site ID of the AuthAnvil Two Factor Auth server that you would like your users to authenticate to by default if the "Requires Two-Factor Authentication" setting is set for the user. This setting can be changed on a per user basis.
  • Single Sign-On Settings:
    • Enable Single Sign-On: Enable Single Sign-On via SAML to the AuthAnvil Password Server. This feature will work with any identity provider that supports SAML 2.0.
    • Issuer: Allows you to specify the issuer of the certificate used for SSO.
    • Identity Provider Login URL: The URL of the SAML Identity Provider's login page.
    • Identity Provider Logout URL: The URL of the SAML Identity Provider's logout page.
    • Import New SSO Certificate: Import a new SSO Certificate.
  • Require all users to sign in with an AuthAnvil strong two-factor authentication credential, or use Single Sign-On: Disables the use of passwords for login to the AuthAnvil Password Server. Users that currently have passwords will be allowed to use them until an administrator switches them over to use Two-Factor Auth. NOTE: When a user is in this state, they will not be able to change their password.

Scopes

Here, administrators can add and remove scopes. Scopes are used to organize users and vaults. Vaults are assigned to one scope each and users are assigned to one or more scopes. Users can only see vaults in scopes that they are members of. Scopes can only be deleted if they have no vaults as members, and have no users exclusively assigned to them.

Default Password Policy

This section allows administrators to set the default password policy for new vaults.

  • Minimum Length: The minimum length that a password can be. Must be set to greater than 3.
  • Maximum Length: The maximum length that a password can be. Cannot be longer than 64.
  • Days to Expiration: How many days before the password is marked as expired in the AuthAnvil Password Server and requires a change. Setting this value to 0 will cause the password to never expire.
  • Password Requirements: Whether passwords should be required to contain characters from the sets of English Uppercase, English Lowercase, Base 10 Digits, or non-alphabetic special characters.
  • Save Password History: Whether the AuthAnvil Password Server should keep a record of historical passwords for each password in the vault.
    • Enforce Password History: Whether the AuthAnvil Password Server should stop users from re-using passwords from the historical password list.
    • Keep Password History For: How many passwords the AuthAnvil Password Server should keep in the historical password list for each password.
  • Enable automatic rekey of Vault: Whether the vault should be automatically rekeyed on a schedule.
    • Automatically rekey the Vault after: How often the Vault should be automatically rekeyed.
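
To make the policy fields above concrete, here is an added example of a checker that enforces such a policy on a candidate password (illustrative code written for this article, not AuthAnvil's own code). It applies the length bounds, the four character-class requirements, history enforcement limited to the configured number of kept passwords, and the expiry rule where 0 days means never expire; it also computes the "days left" figure that the expiry report lists. The class and function names and the sample policy values are assumptions; the bounds on Minimum Length and Maximum Length are the ones stated above.

```python
"""Password policy checker modelled on the Default Password Policy panel.

Illustrative code written for this article, not AuthAnvil's own implementation.
The default policy values are constructed sample values.
"""
from dataclasses import dataclass
import string


@dataclass
class PasswordPolicy:
    minimum_length: int = 8          # page: must be greater than 3
    maximum_length: int = 64         # page: cannot be longer than 64
    days_to_expiration: int = 90     # 0 means the password never expires
    require_uppercase: bool = True   # English uppercase
    require_lowercase: bool = True   # English lowercase
    require_digits: bool = True      # base 10 digits
    require_special: bool = True     # non-alphabetic special characters
    save_password_history: bool = True
    enforce_password_history: bool = True
    keep_history_for: int = 5        # number of previous passwords kept per record

    def __post_init__(self):
        # Bounds the page states for the policy fields themselves.
        if self.minimum_length <= 3:
            raise ValueError("Minimum Length must be greater than 3")
        if self.maximum_length > 64:
            raise ValueError("Maximum Length cannot be longer than 64")
        if self.minimum_length > self.maximum_length:
            raise ValueError("Minimum Length exceeds Maximum Length")


def check_password(policy, candidate, history=()):
    """Return a list of policy violations for `candidate`; an empty list means it passes.

    `history` is the previous passwords kept for this record, newest first. Only the
    most recent `keep_history_for` entries count, and only when both Save Password
    History and Enforce Password History are on.
    """
    problems = []
    if len(candidate) < policy.minimum_length:
        problems.append("shorter than Minimum Length")
    if len(candidate) > policy.maximum_length:
        problems.append("longer than Maximum Length")

    classes = [
        (policy.require_uppercase, string.ascii_uppercase, "no uppercase letter"),
        (policy.require_lowercase, string.ascii_lowercase, "no lowercase letter"),
        (policy.require_digits, string.digits, "no digit"),
        (policy.require_special, string.punctuation, "no special character"),
    ]
    for required, charset, message in classes:
        if required and not any(ch in charset for ch in candidate):
            problems.append(message)

    if policy.save_password_history and policy.enforce_password_history:
        recent = list(history)[: policy.keep_history_for]
        if candidate in recent:
            problems.append("reuses a password from the history list")
    return problems


def is_expired(policy, days_since_change):
    """Expiry rule: a Days to Expiration of 0 means the password never expires."""
    if policy.days_to_expiration == 0:
        return False
    return days_since_change >= policy.days_to_expiration


def days_left(policy, days_since_change):
    """Days until expiry, as shown in the "about to expire" report; None if it never expires."""
    if policy.days_to_expiration == 0:
        return None
    return policy.days_to_expiration - days_since_change


if __name__ == "__main__":
    policy = PasswordPolicy()
    print(check_password(policy, "short"))
    print(check_password(policy, "Correct-Horse-9"))
    print(check_password(policy, "Correct-Horse-9", history=["Correct-Horse-9"]))
    print(is_expired(policy, 91), days_left(policy, 30))
```

Note that with Save Password History on but Enforce Password History off, the list is still kept (and shown or hidden according to the General Settings option above) but reuse is not refused, which is the same distinction the two settings draw.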

Licensing

Licensing information for the AuthAnvil Password Server.

  • Subscription Username: The username for your subscription account in the Scorpion Software customer portal.
  • Subscription Key: The subscription key associated with your subscription account in the Scorpion Software customer portal.

Admin Tools

Organization Administrators have access to special import and export tools to manage the data in the AuthAnvil Password Server.

image

Import Tools

  • Master Import Tool: Uses XML import files generated by "Export Total" under the Complete Exports tab.
  • Bulk User Creation: Automatically populate users and roles through the form builder. Also able to import XML files generated by "Export Users & Roles" under the Complete Exports tab.
  • Bulk Vault Creation: Automatically populate vaults through the form builder. Also able to import XML files generated by "Export Vaults" under the Complete Exports tab. All Vaults created with the form will use the Default Password Policy defined on the Settings page. Any user that creates a Vault will automatically be assigned Owner permissions for full access.
  • Bulk Password Creation: Able to import XML files generated by "Bulk Password Export".

Bulk Password Export

  • Master Import Tool: Exports all of the shared password data in clear text. Includes all of the details in the password record as well as the name of the vault containing it.

Complete Exports

NOTE: All Exports that affect passwords will notify all of the owners of each respective vault via email that the data has been exported.

  • Export Vaults: Exports all of the password data in CLEAR TEXT. Includes all of the details in the password record as well as the name of the vault containing it.
  • Export Users & Roles: Exports all of the user and role data mapped up with specific scopes. Data can be re-imported using "Bulk User Creation" under the Import Tools tab.
  • Export Total: Exports all of the following data: Users, Roles, Scopes, Permissions, Shared Vaults, and CLEARTEXT passwords. It will not export private or personal vault data, Sync Agent data, or audit reports.

User Control Panel

The user control panel is accessible by clicking the "User Control Panel" link in the top right-hand corner of the screen. It displays information about the currently logged-in user, including their assigned privileges, which vaults they have access to, and what permissions they are assigned to each of those vaults. If the user is set to use a password for login to the AuthAnvil Password Server, rather than two-factor authentication, they can also reset their password here.

image

Favorite Passwords

If you have passwords that you would like to use more often, you can make use of the Favorites feature in the AuthAnvil Password Server. Flagging a Password as a "Favorite" makes it appear on your Dashboard, the front page when you first log in.

Favorite Passwords

Inside a Vault, simply click on the grey star under the "Favorite" column and this password will be flagged as a Favorite. Favorites are marked with blue stars. You can configure up to 10 passwords this way.

Questions?

If you have any questions or need some help, we would be happy to assist. Open a case at help.scorpionsoft.com or send an email to support@scorpionsoft.com.