Vault Security
Moderator: SourceGear
Hi,
We have been using Vault ever since its release and have now hit a big road block due to SOX.
Vault cannot lock an account after x or more failed login attempts.
Users cannot change passwords and passwords do not expire.
Are there any plans to include these capabilities in Vault in the near future? If not, we will be forced to use another product. Is it possible to use Windows Integrated security with web services?
Regards
Tarek
Ford Motor Company
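As an added example, not part of this thread and not Vault or SourceGear code, here are the two controls the post names, lockout after a number of failed logins and password expiry, written as a small account-policy layer in C#. The class names, the thresholds, the in-memory account store and the PBKDF2 parameters are all assumptions; a real product would keep these in its user database.

```csharp
// Added example (not Vault code): an account-policy layer enforcing lockout after
// N consecutive failed logins and password expiry. Names, thresholds and the
// in-memory store are hypothetical.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

public enum LoginStatus { Success, BadPassword, LockedOut, PasswordExpired, UnknownUser }

public sealed class AccountRecord
{
    public byte[] Salt;
    public byte[] Hash;
    public DateTime PasswordSetUtc;
    public int FailedAttempts;
    public DateTime? LockedUntilUtc;
}

public sealed class AccountPolicy
{
    public int MaxFailedAttempts = 5;                           // lock after this many failures in a row
    public TimeSpan LockoutDuration = TimeSpan.FromMinutes(30);
    public TimeSpan PasswordMaxAge = TimeSpan.FromDays(90);
    private const int KdfIterations = 100000;

    // Account names are case-insensitive, as Windows names are.
    private readonly Dictionary<string, AccountRecord> accounts =
        new Dictionary<string, AccountRecord>(StringComparer.OrdinalIgnoreCase);

    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, KdfIterations))
            return kdf.GetBytes(32);
    }

    // Setting a password stamps its age and clears any lockout and failure count.
    public void SetPassword(string user, string password, DateTime nowUtc)
    {
        var salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        accounts[user] = new AccountRecord { Salt = salt, Hash = Derive(password, salt), PasswordSetUtc = nowUtc };
    }

    public LoginStatus TryLogin(string user, string password, DateTime nowUtc)
    {
        AccountRecord rec;
        if (!accounts.TryGetValue(user, out rec))
        {
            Derive(password, new byte[16]);          // same KDF cost for unknown names, so timing reveals nothing
            return LoginStatus.UnknownUser;
        }
        if (rec.LockedUntilUtc.HasValue && nowUtc < rec.LockedUntilUtc.Value)
            return LoginStatus.LockedOut;            // still locked: the password is not even checked

        if (!FixedTimeEquals(rec.Hash, Derive(password, rec.Salt)))
        {
            rec.FailedAttempts++;
            if (rec.FailedAttempts >= MaxFailedAttempts)
            {
                rec.LockedUntilUtc = nowUtc + LockoutDuration;
                rec.FailedAttempts = 0;
                return LoginStatus.LockedOut;
            }
            return LoginStatus.BadPassword;
        }
        rec.FailedAttempts = 0;                      // a good login resets the counter
        rec.LockedUntilUtc = null;
        if (nowUtc - rec.PasswordSetUtc > PasswordMaxAge)
            return LoginStatus.PasswordExpired;      // credential is right, but the user must change it
        return LoginStatus.Success;
    }

    // Compare hashes without short-circuiting on the first differing byte.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class Demo
{
    public static void Main()
    {
        var policy = new AccountPolicy { MaxFailedAttempts = 3 };
        var t0 = new DateTime(2005, 1, 1, 9, 0, 0, DateTimeKind.Utc);
        policy.SetPassword("tarek", "correct horse", t0);      // constructed sample account

        Console.WriteLine(policy.TryLogin("tarek", "wrong", t0));            // first failure
        Console.WriteLine(policy.TryLogin("tarek", "wrong", t0));            // second failure
        Console.WriteLine(policy.TryLogin("tarek", "wrong", t0));            // third failure triggers the lockout
        Console.WriteLine(policy.TryLogin("tarek", "correct horse", t0));    // right password, still inside the lockout window
        Console.WriteLine(policy.TryLogin("tarek", "correct horse", t0.AddMinutes(31)));  // lockout has expired
        Console.WriteLine(policy.TryLogin("tarek", "correct horse", t0.AddDays(91)));     // password older than 90 days
    }
}
```

The lockout check runs before the password is verified, so a locked account gives the same answer to a correct and an incorrect password; that is what stops guessing from continuing during the lockout window. The expiry check runs only after a successful verification, so an expired password can still be used once, to reach the change-password step, but not to do anything else.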
Someone correct me if I'm wrong, but I believe you can configure IIS to require Windows Authentication for the Vault URL instead of allowing anonymous access. Combine this with putting the server behind a firewall and only forwarding port 443, so users have to connect with SSL, and you should have the security and password management features you need. This would complicate things in that the user now has two separate usernames and passwords that they need to access Vault from offsite.
As far as I know, Vault does not work with IIS Integrated security (ID/Password) - there's no place to enter IIS ID/PW. I would assume, however, that you could use client-side certificates since they would not require user interaction.
With regard to the general security, the number one thing for us would be integration with IIS security. We use a fully integrated domain with 802.1x/RADIUS on the VPN, Wireless LAN, and smart switches. Vault is the only product left that requires its own ID/PW maintenance.
Working through the VPN is nice, when you can do it, but we have folks at customer sites, and most of our customers block outgoing VPN connections.
I'd like to be able to fully delegate security to IIS. Vault can still get the ID for license enforcement, but I don't want to manage IDs and PWs there.
Barry
LovalvoB wrote: As far as I know, Vault does not work with IIS Integrated security (ID/Password)
This article talks about enabling Windows security for Vault. It uses the credentials of the logged-in user.
http://support.sourcegear.com/viewtopic.php?t=308
Yes, I read this in the past, and it discusses how to force IIS to perform authentication on the client before allowing that client to connect to IIS. Actually, it's a rather cumbersome way to do it. It's easier to allow all validated users, then protect the webshare directly using IIS to validate access. The web.config looks like this:
<authentication mode="Windows" />
<authorization>
<allow users="*" />
</authorization>
Either way, this solves the basic security problem, however, it doesn't address the administration problem of ID/PW management.
Specifically, we still need to use the Vault Admin tools to create users and assign/change passwords. Perhaps there's a Vault setting that I've missed, but the desired solution would be for the Vault server to rely on IIS to confirm the user's identity.
So how about this as a feature enhancement request (90% of the value with 10% of the work):
1) Add support for domain user names (i.e. HQ\bob.jones). Right now, you can't include the '\' in the name. No fancy import required - we'll type them in for ourselves.
2) Add the code to check the username passed in by IIS against the Vault user list. IIS prefixes the domain on the user name, so this is also easy.
3) Add an option to ignore the vault ID/PW (i.e. rely on IIS validation) when the username passed in by IIS matches an existing Vault user.
You should be able to get this working (in development) in a few minutes. If not, let me know and I'll write you a sample that demonstrates it.
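As an added example, not part of this thread and not Vault or SourceGear code, here is the three-step proposal above written as a small authentication gate in C#. In ASP.NET the IIS-authenticated name would be read from HttpContext.Current.User.Identity (its Name and IsAuthenticated properties); here the identity is passed in as plain values so the class runs stand-alone. The class names, the user list, the password-check delegate and the sample accounts are all assumptions.

```csharp
// Added example (not Vault code): the three-step proposal as an authentication gate.
// All types and names are hypothetical; the IIS identity is passed in as plain values.
using System;
using System.Collections.Generic;

// Step 1: a user list that accepts domain-qualified names such as HQ\bob.jones.
public sealed class VaultUserList
{
    // Windows account names are case-insensitive, so the lookup is too.
    private readonly Dictionary<string, string> users =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    public static bool IsValidName(string name)
    {
        if (string.IsNullOrEmpty(name)) return false;
        string[] parts = name.Split('\\');           // at most one DOMAIN\ prefix
        if (parts.Length > 2) return false;
        foreach (string part in parts)
        {
            if (part.Length == 0) return false;
            foreach (char c in part)
                if (!char.IsLetterOrDigit(c) && c != '.' && c != '-' && c != '_') return false;
        }
        return true;
    }

    public bool Add(string name)
    {
        if (!IsValidName(name)) return false;
        users[name] = name;                           // keep the spelling the admin typed
        return true;
    }

    // Step 2: the stored spelling for a name, or null if it is not a Vault user.
    public string Find(string name)
    {
        string canonical;
        if (name != null && users.TryGetValue(name, out canonical)) return canonical;
        return null;
    }
}

public sealed class AuthGate
{
    // Step 3: the option to rely on IIS validation. Off by default, so existing
    // deployments keep Vault's own ID/PW check.
    public bool TrustIisIdentity;

    private readonly VaultUserList users;
    private readonly Func<string, string, bool> vaultPasswordCheck;  // stands in for the existing check

    public AuthGate(VaultUserList users, Func<string, string, bool> vaultPasswordCheck)
    {
        this.users = users;
        this.vaultPasswordCheck = vaultPasswordCheck;
    }

    // Returns the authenticated Vault user name, or null when the login is refused.
    public string Authenticate(string requestedUser, string password,
                               string iisIdentity, bool iisAuthenticated)
    {
        if (!TrustIisIdentity)
        {
            string known = users.Find(requestedUser);   // existing behaviour, unchanged
            return known != null && vaultPasswordCheck(known, password) ? known : null;
        }

        // Fail closed: IIS must actually have authenticated the caller.
        if (!iisAuthenticated || string.IsNullOrEmpty(iisIdentity)) return null;

        // The IIS name arrives as DOMAIN\user and is matched as-is; the principal is
        // the identity IIS verified, never the name the client typed.
        string matched = users.Find(iisIdentity);
        if (matched == null) return null;

        // If the client asked for a different user, refuse rather than silently switch.
        if (!string.IsNullOrEmpty(requestedUser) &&
            !string.Equals(requestedUser, matched, StringComparison.OrdinalIgnoreCase))
            return null;

        return matched;
    }
}

public static class Demo
{
    public static void Main()
    {
        var list = new VaultUserList();               // constructed sample user list
        list.Add(@"HQ\bob.jones");
        list.Add("alice");
        var gate = new AuthGate(list, (user, pw) => user == "alice" && pw == "s3cret");

        // Option off: only the Vault password counts, whatever IIS reports.
        Console.WriteLine(gate.Authenticate("alice", "s3cret", null, false) ?? "refused");
        Console.WriteLine(gate.Authenticate("alice", "wrong", @"HQ\alice", true) ?? "refused");

        gate.TrustIisIdentity = true;
        // Option on: the IIS-verified DOMAIN\user decides and the password is ignored.
        Console.WriteLine(gate.Authenticate(@"hq\BOB.JONES", "", @"HQ\bob.jones", true) ?? "refused");
        // Verified by IIS but not a Vault user, or not verified at all: refused.
        Console.WriteLine(gate.Authenticate(null, "", @"HQ\carol", true) ?? "refused");
        Console.WriteLine(gate.Authenticate(@"HQ\bob.jones", "", @"HQ\bob.jones", false) ?? "refused");
    }
}
```

The IsAuthenticated check is what makes the option safe to turn on: with `<authentication mode="Windows" />` and `<allow users="*" />` alone, an anonymous request still reaches the application if anonymous access is enabled in IIS, so either disable anonymous access on the site or add `<deny users="?" />` above the allow rule; the gate refuses such requests either way.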