
I need to review the security of your application as part of my evaluation. This is obviously very important for a directory management app. Could you answer a couple of security-related questions, please?

  • Where are the service connection account passwords held for the Adaxes service and the managed domains? Are they encrypted? What method of encryption is used?
  • What mechanism is used for IIS authentication? I see that "sign in as current user" can enable Windows integrated auth, but the forms-based authentication seems to be basic and in the clear under the default configuration. If the website is changed to use a certificate and HTTPS, will the application continue to function? Is there another method for securing logins?
  • What authentication mechanisms are used to connect to the native Active Directories? Are these secured?
  • What authentication is used for SPML and other web services? Can SSL be forced for these services?
  • If a self-signed cert is used for testing, is there any impact or extra configuration necessary?

Thanks


1 Answer


Where are the service connection account passwords held for the Adaxes service and the managed domains? Are they encrypted? What method of encryption is used?

Adaxes itself doesn't store the password for the Adaxes service account. The Adaxes service is installed as a Windows system service that runs under the account of the Adaxes service administrator. The logon information for this system service is specified during Adaxes installation and is stored by Windows.
Credentials for managed AD domains are encrypted using the Data Protection API (DPAPI) provided by the Windows operating system. These encrypted credentials are stored locally on the computer where the Adaxes service runs and are associated with the account of the Adaxes service administrator, which means that only processes running under this account can unprotect the data.

What mechanism is used for IIS authentication? I see the sign in as current user can enable windows integrated auth, but the forms based authentication seems to be basic and in the clear under the default configuration. If the website is changed to use a certificate and HTTPS, will the application continue to function? Is there another method for securing logins?

By default, SSL is not configured for the Adaxes Web Interface and network transmissions are not encrypted. However, you can configure SSL on the Adaxes Web Interface in the way you do it for any other website hosted by IIS. If you configure SSL on the Adaxes Web Interface, it will work in both cases: with Windows-integrated authentication and with forms-based authentication.

What authentication mechanisms are used to connect to the native Active Directories? Are these secured?

The Adaxes service uses the LDAP protocol to communicate with Active Directory. Interaction between the Adaxes service and Active Directory is secured for security-sensitive operations only. For example, prior to changing or resetting a password for an AD user, an SSL connection is established and the data are sent via an encrypted channel.
Interaction between Adaxes clients and Adaxes services is always performed using an encrypted TCP channel.

What authentication is used for SPML and other web services? Can SSL be forced for these services?

Windows integrated or HTTP basic authentication can be used for the SPML web service. SSL can also be configured for the SPML web service.

If a self-signed cert is used for testing, is there any impact or extra configuration necessary?

If I understand you correctly, no extra configuration is necessary.
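The answer above says the managed-domain credentials are protected with DPAPI and tied to the Adaxes service account, so only processes running under that account can unprotect them. The following is an added example (not Adaxes code) that demonstrates that property with the Windows DPAPI directly: it protects a constructed, fake password in user scope, shows the round trip under the same account, and writes the blob to a file so you can confirm that `Unprotect-Secret` fails when run under a different account. The function names, the sample password and the output path are illustrative assumptions.

```powershell
# Added example (not Adaxes code): how DPAPI user-scope protection behaves.
# Run as the account that protects the data; the same blob cannot be
# unprotected from a different account, because the DPAPI master key is
# derived per user profile.
Add-Type -AssemblyName System.Security

function Protect-Secret {
    param(
        [Parameter(Mandatory)][string]$PlainText,
        # CurrentUser: only this account can unprotect.
        # LocalMachine: any process on this host can unprotect (weaker; shown for contrast).
        [System.Security.Cryptography.DataProtectionScope]$Scope = 'CurrentUser'
    )
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
    $blob  = [System.Security.Cryptography.ProtectedData]::Protect($bytes, $null, $Scope)
    [Convert]::ToBase64String($blob)
}

function Unprotect-Secret {
    param(
        [Parameter(Mandatory)][string]$Base64Blob,
        [System.Security.Cryptography.DataProtectionScope]$Scope = 'CurrentUser'
    )
    $blob = [Convert]::FromBase64String($Base64Blob)
    try {
        $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $Scope)
        [System.Text.Encoding]::UTF8.GetString($bytes)
    } catch [System.Security.Cryptography.CryptographicException] {
        # This is what a process running under a different account sees for a
        # CurrentUser blob (typically "Key not valid for use in specified state").
        throw "DPAPI unprotect failed (wrong user context or damaged blob): $($_.Exception.Message)"
    }
}

# Constructed demo value; not a real credential.
$protected = Protect-Secret -PlainText 'ExampleP@ssw0rd!'
"Protected blob ($($protected.Length) base64 chars): $protected"
"Round-trip under the same account: $(Unprotect-Secret -Base64Blob $protected)"

# Cross-account check: save the blob, then from another user's session run
#   Unprotect-Secret -Base64Blob (Get-Content "$env:TEMP\dpapi-blob.txt")
# and observe the CryptographicException. A LocalMachine blob would succeed there.
$blobPath = Join-Path $env:TEMP 'dpapi-blob.txt'   # assumed output location
$protected | Set-Content -Path $blobPath
"Blob written to $blobPath; try Unprotect-Secret from another account to see it fail."
```

The practical consequence for a deployment: the protected credentials are only as safe as the service account itself (and any backup of its profile), so that account should be a dedicated one that nobody uses interactively.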


Since version 2011.1, all the passwords passed between the web browser and Adaxes Web Interface are protected, even if you don't use SSL.
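The answer says SSL is configured on the Adaxes Web Interface "in the way you do it for any other website hosted by IIS" and that a self-signed certificate needs no extra configuration. The following is an added example (not Adaxes documentation) of that generic IIS procedure in PowerShell: it issues a self-signed certificate for testing, adds an HTTPS binding, binds the certificate, and then sets the site to require SSL so that a forms-based login can no longer be submitted over plain HTTP. The site name and hostname are placeholders; run it elevated on the IIS host with the WebAdministration module available.

```powershell
# Added example (not Adaxes documentation): put an IIS site behind HTTPS with a
# self-signed certificate for testing, then require SSL so HTTP requests are refused.
Import-Module WebAdministration

$SiteName = 'Default Web Site'            # assumption: the site hosting the web interface
$HostName = 'adaxes-test.example.local'   # assumption: the name clients will use

# 1. Self-signed certificate in the machine store. Test use only: browsers warn
#    until they trust it, or until a CA-issued certificate replaces it.
$cert = New-SelfSignedCertificate -DnsName $HostName `
    -CertStoreLocation 'Cert:\LocalMachine\My' -NotAfter (Get-Date).AddDays(90)

# 2. HTTPS binding on 443 (all addresses) and attach the certificate to it.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443
}
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# 3. Require SSL for the site. Plain HTTP now gets 403.4 instead of serving the
#    login form, so credentials cannot be posted in the clear by mistake.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'

# 4. Verify from the host itself: HTTP must be refused.
try {
    Invoke-WebRequest -Uri "http://$HostName/" -UseBasicParsing -ErrorAction Stop | Out-Null
    'HTTP still served the site: requireSSL did not apply'
} catch {
    "HTTP refused with status $($_.Exception.Response.StatusCode.value__) (403 expected)"
}
# For the HTTPS side, a self-signed cert makes Invoke-WebRequest fail certificate
# validation unless the cert is imported into Cert:\LocalMachine\Root on the client
# (or -SkipCertificateCheck is used on PowerShell 7). That is the only extra step
# a self-signed test certificate adds: trust on the clients, not on the server.
```

Leaving Windows integrated authentication enabled alongside the HTTPS binding changes nothing in this script; the SSL requirement applies to the whole site regardless of which authentication module answers the request.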
