RE: AW: Multi-User Access to Password Database

From: John Brightwell (brightwell_151_at_yahoo.co.uk)
Date: 07/17/03

  • Next message: David Glosser: "Re: Monitoring the network: Routers"
    Date: Thu, 17 Jul 2003 14:12:52 +0100 (BST)
    To: security-basics@securityfocus.com
    
    

    Mmmm I must be phrasing my question badly...

    The majority of responses seem to suggest storing All
    the passwords in a file (or database) protected by a
    shared password. As I mentioned in my email, this isn't
    suitable because:

    1. Anyone who requires access to the file/database for
    a specific purpose has access to All of the passwords
    (even if they never need to know them)... so, if they
    leave the company All the passwords need to be
    changed.

    2. There's no audit trail to indicate who has had
    access to the passwords - the access is provided by a
    single password known to all the Admins ... (and
    anyone else who gets to hear of it). So if someone
    leaves the company you have to assume they've seen the
    passwords and change them all.

    3. If the password for access to the file/database
    becomes known (or if it's even suspected that it's
    known) then All the passwords have to be changed.

    As you can see, in all of the above cases there's a
    lot of admin involved. If you're a small shop with
    only a couple of Admins who need to access all
    equipment then maybe this isn't an issue.
    But if you've got a lot of admins (who each require
    access to a varied group of equipment) then you've got
    a problem on your hands.
    Sure, you could have a different file/database for each
    group of equipment but some Admins may require access
    to the lot... so do they have to remember the password
    for every password file/database ... or do you have
    the same password in multiple files/databases (in
    which case updating becomes an issue)?

    So what I hoped for was:

    1. A multi-user database.
    2. The user (admin) uniquely authenticates to the
    database (with their own password or, preferably,
    their ssh key or SecurID token).
    3. The user can only access specific records (passwords)
    which relate to the equipment for which they have
    responsibility.
    4. Every access creates an audit trail showing who
    accessed a specific record.
    5. Obviously the actual data is protected by encryption.

    If a password is changed on the equipment it is only
    changed in the one database (and the audit trail can
    even be used to notify those users who have recently
    accessed the old password).

    If a user (admin) leaves, then any passwords for which
    they have access should be changed (from the audit
    trail the actual passwords that they have looked up
    can be identified and these can be changed as a
    priority)

    If it is suspected that a user's authentication has
    become compromised then only those passwords for which
    he/she has access need be changed (and the exposure of
    risk is limited to those machines)

    Thom's response caught the flavour and maybe that's
    the solution - in effect giving each admin their own
    database for the passwords that they need to know. Of
    course, you lose the audit and the ability to update
    passwords easily but it's certainly closer than a
    shared file.

    Thanks for all your responses though - if anyone comes
    up with a database solution I'm gagging to hear :-)

    Regards
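
The store John asks for (per-user authentication, per-record access, an audit trail, encrypted data, one place to change a password, and a rotation list when an admin leaves or is suspected compromised) is small enough to sketch. What follows is an added example for this archived thread, not code from the list, from any respondent, or from any product. It assumes, beyond anything in the post, a single trusted server process holding a master key, password authentication (the preferred ssh-key or SecurID login would replace `_authenticate`), and a stand-in cipher built from HMAC-SHA256 (a counter-mode keystream plus an encrypt-then-MAC tag) where a production system would use a real AEAD such as AES-GCM from a proper crypto library. The names `PasswordStore`, `exposure` and `offboard`, and the sample admins and equipment records, are constructed for illustration.

```python
"""Multi-user password store sketch: per-user authentication, per-record grants,
encryption at rest, an audit trail and an offboarding report of passwords to rotate.
Constructed illustration for the thread above, not the list's or any product's code.
Assumed, not from the post: one trusted server holds the master key, and the cipher
(HMAC-SHA256 keystream plus encrypt-then-MAC tag) stands in for a real AEAD."""
import hashlib, hmac, os, time


class AccessDenied(Exception):
    pass


def _keystream(key, nonce, n):  # HMAC-SHA256 in counter mode, illustrative only
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def encrypt(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("ciphertext tampered")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class PasswordStore:
    def __init__(self, master_key):
        self._master = master_key
        self._users = {}    # name -> (salt, PBKDF2 verifier)
        self._records = {}  # record id -> (ciphertext blob, set of grantees)
        self.audit = []     # (unix time, actor, action, record), append-only

    @staticmethod
    def _verifier(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def add_user(self, name, password):
        salt = os.urandom(16)
        self._users[name] = (salt, self._verifier(password, salt))

    def _authenticate(self, name, password):
        salt, stored = self._users.get(name, (b"", b""))
        if not stored or not hmac.compare_digest(stored, self._verifier(password, salt)):
            self.audit.append((time.time(), name, "auth-failed", None))
            raise AccessDenied("bad credentials")

    def put(self, actor, password, record, secret, grantees):
        """Create or rotate a record; the grantee set is the ACL for reads."""
        self._authenticate(actor, password)
        self._records[record] = (encrypt(self._master, secret.encode()), set(grantees))
        self.audit.append((time.time(), actor, "put", record))

    def get(self, actor, password, record):
        self._authenticate(actor, password)
        blob, grantees = self._records[record]
        if actor not in grantees:
            self.audit.append((time.time(), actor, "denied", record))
            raise AccessDenied(f"{actor} is not granted {record}")
        self.audit.append((time.time(), actor, "read", record))
        return decrypt(self._master, blob).decode()

    def exposure(self, user):
        """Rotation list for a leaver or a compromised login: records actually read first."""
        read = {r for _, who, act, r in self.audit if who == user and act == "read"}
        granted = {rid for rid, (_, g) in self._records.items() if user in g}
        return sorted(read) + sorted(granted - read)

    def offboard(self, leaver):
        todo = self.exposure(leaver)
        self._users.pop(leaver, None)
        for _, grantees in self._records.values():
            grantees.discard(leaver)
        self.audit.append((time.time(), "system", "offboard", leaver))
        return todo


def demo():
    """Constructed sample data: two admins, a router, a firewall and an HR database."""
    store = PasswordStore(os.urandom(32))
    store.add_user("alice", "alice-pw")
    store.add_user("bob", "bob-pw")
    store.put("alice", "alice-pw", "core-router", "r0ut3r!", ["alice", "bob"])
    store.put("alice", "alice-pw", "hr-db", "hr-s3cret", ["alice"])
    store.put("alice", "alice-pw", "edge-fw", "fw-pass", ["alice", "bob"])

    def attempt(*args):
        try:
            return store.get(*args)
        except AccessDenied:
            return "denied"

    out = {"bob_reads_router": attempt("bob", "bob-pw", "core-router"),
           "bob_reads_hr": attempt("bob", "bob-pw", "hr-db"),
           "bob_bad_pw": attempt("bob", "wrong", "core-router")}
    out["rotate_on_bob_leaving"] = store.offboard("bob")  # read first, then granted
    out["bob_audit"] = [act for _, who, act, _ in store.audit if who == "bob"]
    return out
```

Running `demo()` shows bob reading the router password, being refused the HR record he was never granted, failing with a wrong password, and, on offboarding, a rotation list that puts the password he actually read ahead of the one he was merely granted; each of those events is a row in `store.audit`, which is the data the post wants for "who has looked at what". The caveat a practitioner would raise: the ACL is enforced by the server, so the server and its master key must be trusted. Wrapping each record's key separately for every grantee (so the database alone cannot decrypt anything) removes that trust, but then rewrapping on rotation needs a public key per admin, which is why it is left out of this sketch.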


