Vault Security

thaoula@ford.com

Vault Security

Post by thaoula@ford.com » Tue Jun 01, 2004 11:04 pm

Hi,

We have been using Vault ever since its release and have now hit a big road block due to SOX.

Vault cannot lock an account after x or more failed login attempts.
Users cannot change passwords and passwords do not expire.

Are there any plans to include these capabilities in Vault in the near future? If not, we will be forced to use another product. Is it possible to use Windows Integrated security with web services?

Regards

Tarek
Ford Motor Company

Guest

Post by Guest » Wed Jun 02, 2004 1:44 am

Our plans were to implement better password management for Vault 2.1, which is scheduled for release later this year.

However, since most public companies must be Sarbanes-Oxley compliant before then, we'll look into the feasibility of providing this feature sooner.

lbauer
Posts: 9736
Joined: Tue Dec 16, 2003 1:25 pm
Location: SourceGear

Post by lbauer » Wed Jun 02, 2004 1:45 am

Sorry, I wasn't logged in. The last post was mine.
Linda Bauer
SourceGear
Technical Support Manager

GregM
Posts: 485
Joined: Sat Mar 13, 2004 9:00 am

Post by GregM » Thu Jun 03, 2004 7:32 am

Someone correct me if I'm wrong, but I believe you can configure IIS to require Windows Authentication for the Vault URL instead of allowing anonymous access. Combine this with putting the server behind a firewall and only forwarding port 443, so users have to connect with SSL, and you should have the security and password management features you need. This would complicate things in that the user now has two separate usernames and passwords that they need to access Vault from offsite.

LovalvoB

Post by LovalvoB » Wed Jun 09, 2004 3:19 pm

As far as I know, Vault does not work with IIS Integrated security (ID/Password) - there's no place to enter an IIS ID/PW. I would assume, however, that you could use client-side certificates, since they would not require any user interaction.

With regard to general security, the number one thing for us would be integration with IIS security. We use a fully integrated domain with 802.1x/RADIUS on the VPN, Wireless LAN, and smart switches. Vault is the only product left that requires its own ID/PW maintenance.

Working through the VPN is nice, when you can do it, but we have folks at customer sites, and most of our customers block outgoing VPN connections.

I'd like to be able to fully delegate security to IIS. Vault can still get the ID for license enforcement, but I don't want to manage IDs and PWs there.

Barry

GregM
Posts: 485
Joined: Sat Mar 13, 2004 9:00 am

Post by GregM » Wed Jun 09, 2004 6:57 pm

LovalvoB wrote: As far as I know, Vault does not work with IIS Integrated security (ID/Password)

This article talks about enabling Windows security for Vault. It uses the credentials of the logged-in user.

http://support.sourcegear.com/viewtopic.php?t=308

Lovalvob

Post by Lovalvob » Tue Jun 15, 2004 10:07 am

Yes, I read this in the past, and it discusses how to force IIS to perform authentication on the client before allowing that client to connect to IIS. Actually, it's a rather cumbersome way to do it. It's easier to allow all validated users, then protect the web share directly using IIS to validate access. The web.config looks like this:

<authentication mode="Windows" />
<authorization>
    <allow users="*" />
</authorization>

Either way, this solves the basic security problem, however, it doesn't address the administration problem of ID/PW management.

Specifically, we still need to use the Vault Admin tools to create users and assign/change passwords. Perhaps there's a Vault setting that I've missed, but the desired solution would be for the Vault server to rely on IIS to confirm the user's identity.

So how about this as a feature enhancement request (90% of the value with 10% of the work):

1) Add support for domain user names (i.e. HQ\bob.jones). Right now, you can't include the '\' in the name. No fancy import required - we'll type them in for ourselves.

2) Add the code to check the username passed in by IIS against the Vault user list. IIS prefixes the domain on the user name, so this is also easy.

3) Add an option to ignore the vault ID/PW (i.e. rely on IIS validation) when the username passed in by IIS matches an existing Vault user.

You should be able to get this working (in development) in a few minutes. If not, let me know and I'll write you a sample that demonstrates it.
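As an added illustration of the three-step request above (this is not code from the thread, from SourceGear or from Vault itself; Vault's real server code and user schema are not shown anywhere on this page), the following Python models the decision the poster describes: parse the DOMAIN\user name that IIS supplies, match it case-insensitively against a Vault user list, and skip Vault's own ID/PW check on a match, falling back to that check otherwise. The constructed VAULT_USERS list, the TRUST_IIS_IDENTITY switch and the authenticate() signature are all assumptions; the identity and authenticated inputs stand in for what ASP.NET exposes as HttpContext.User.Identity.Name and HttpContext.User.Identity.IsAuthenticated. One caveat that bears on the web.config shown earlier in this thread: under Windows mode, <allow users="*" /> still admits anonymous requests if IIS anonymous access is left enabled (it is <deny users="?" /> that refuses unauthenticated callers), so the example never takes the IIS shortcut unless the identity is actually authenticated.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample of a Vault user list once domain-qualified names are
# allowed (step 1 of the request). This is not Vault's real schema.
VAULT_USERS = {
    r"HQ\bob.jones",
    r"HQ\alice.smith",
    "localonly",          # a plain, non-domain Vault account
}

# Hypothetical server-side switch corresponding to step 3 of the request.
TRUST_IIS_IDENTITY = True

# DOMAIN\user, as IIS prefixes it; neither half may be empty or contain
# the characters Windows forbids in account names.
_DOMAIN_USER = re.compile(r'^(?P<domain>[^\\/:*?"<>|]+)\\(?P<user>[^\\/:*?"<>|]+)$')


@dataclass(frozen=True)
class AuthDecision:
    accepted: bool
    vault_user: Optional[str]   # the Vault account the caller is mapped to
    reason: str                 # which path made the decision


def parse_domain_user(name: str) -> Optional[Tuple[str, str]]:
    """Split 'DOMAIN\\user' (step 2). Returns None for bare or malformed names."""
    m = _DOMAIN_USER.match(name.strip())
    if not m:
        return None
    return m.group("domain"), m.group("user")


def lookup_vault_user(name: str) -> Optional[str]:
    """Case-insensitive match against the Vault user list (Windows names are
    case-insensitive, so 'hq\\Bob.Jones' must find 'HQ\\bob.jones')."""
    wanted = name.strip().lower()
    for vault_name in VAULT_USERS:
        if vault_name.lower() == wanted:
            return vault_name
    return None


def authenticate(iis_identity: str, iis_authenticated: bool,
                 vault_login: str, vault_password_ok: bool) -> AuthDecision:
    """
    Decide whether a web-service call is accepted.

    iis_identity      : Identity.Name as IIS sets it ('' when anonymous)
    iis_authenticated : Identity.IsAuthenticated
    vault_login       : the user name sent to Vault's own login (fallback path)
    vault_password_ok : the outcome of Vault's own ID/PW check
    """
    # Step 3: the IIS shortcut applies only when the switch is on, IIS really
    # authenticated the caller, and the name is domain-qualified. An anonymous
    # or unauthenticated identity must never satisfy this branch.
    if TRUST_IIS_IDENTITY and iis_authenticated and parse_domain_user(iis_identity):
        match = lookup_vault_user(iis_identity)
        if match is not None:
            return AuthDecision(True, match, "iis-identity")

    # Fallback: Vault's existing ID/PW check, unchanged by the request.
    if vault_password_ok and lookup_vault_user(vault_login) is not None:
        return AuthDecision(True, lookup_vault_user(vault_login), "vault-password")

    return AuthDecision(False, None, "denied")


if __name__ == "__main__":
    # Domain user known to Vault: no Vault password needed.
    print(authenticate("HQ\\Bob.Jones", True, "", False))
    # Anonymous call from a non-domain account: Vault's own check decides.
    print(authenticate("", False, "localonly", True))
    # Domain user IIS accepted but Vault never provisioned: denied.
    print(authenticate("HQ\\mallory", True, "", False))
```

The fallback keeps Vault's existing check exactly as it is, which is the "90% of the value with 10% of the work" shape of the request: nothing changes for accounts that are not domain-qualified, and a domain account that IIS accepts but Vault has never heard of gets no access at all rather than a half-provisioned one.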
