
I need to review the security of your application as part of my evaluation. This is obviously very important for a directory management app. Could you answer a couple of security related questions please?

  • Where are the service connection account passwords held for the Adaxes service and the managed domains? Are they encrypted? What method of encryption is used?
  • What mechanism is used for IIS authentication? I see the sign in as current user can enable Windows integrated auth, but the forms-based authentication seems to be basic and in the clear under the default configuration. If the website is changed to use a certificate and HTTPS, will the application continue to function? Is there another method for securing logins?
  • What authentication mechanisms are used to connect to the native Active Directories? Are these secured?
  • What authentication is used for SPML and other web services? Can SSL be forced for these services?
  • If a self-signed cert is used for testing, is there any impact or extra configuration necessary?

Thanks

by (80 points)

1 Answer

by (18k points)

Where are the service connection account passwords held for the Adaxes service and the managed domains? Are they encrypted? What method of encryption is used?

Adaxes itself doesn't store the password for the Adaxes service account. The Adaxes service is installed as a Windows system service that runs under the account of the Adaxes service administrator. The logon information for this system service is specified during Adaxes installation and is stored by Windows.
Credentials for managed AD domains are encrypted using the Data Protection API (DPAPI) provided by the Windows operating system. These encrypted credentials are stored locally on the computer where the Adaxes service runs and are associated with the account of the Adaxes service administrator, which means that only processes running under this account can unprotect the data.

What mechanism is used for IIS authentication? I see the sign in as current user can enable windows integrated auth, but the forms based authentication seems to be basic and in the clear under the default configuration. If the website is changed to use a certificate and HTTPS, will the application continue to function? Is there another method for securing logins?

By default, SSL is not configured for the Adaxes Web Interface and network transmissions are not encrypted. However, you can configure SSL on the Adaxes Web Interface in the way you do it for any other website hosted by IIS. If you configure SSL on the Adaxes Web Interface, it will work in both cases: with Windows-integrated authentication and with forms-based authentication.

What authentication mechanisms are used to connect to the native Active Directories? Are these secured?

The Adaxes service uses the LDAP protocol to communicate with Active Directory. Interaction between the Adaxes service and Active Directory is secured for security-sensitive operations only. For example, prior to changing or resetting a password for an AD user, an SSL connection is established and the data are sent via an encrypted channel.
Interaction between Adaxes clients and Adaxes services is always performed using an encrypted TCP channel.

What authentication is used for SPML and other web services? Can SSL be forced for these services?

Windows integrated or HTTP basic authentication can be used for the SPML web service. SSL can also be configured for the SPML web service.

If a self signed cert is used for testing is there any impact or extra configuration necessary?

If I understand you correctly, no extra configuration is necessary.
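As an added illustration of the DPAPI behaviour described in the answer above (example code, not Adaxes's own; run in Windows PowerShell on the machine in question; the secret is a constructed sample value, and the file path and second account in the trailing comment are placeholders), the following protects a string in CurrentUser scope and shows what a different account sees when it tries to unprotect the same blob:

```powershell
# Added example, not Adaxes code: what "encrypted with DPAPI, bound to the
# service account" means in practice. The secret below is a constructed sample.
Add-Type -AssemblyName System.Security

function Protect-Secret {
    param([Parameter(Mandatory)][string]$PlainText)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
    # CurrentUser scope: the blob is wrapped with the calling account's DPAPI
    # master key, so only processes running as that account can unwrap it.
    $blob = [System.Security.Cryptography.ProtectedData]::Protect(
        $bytes, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    [Convert]::ToBase64String($blob)
}

function Unprotect-Secret {
    param([Parameter(Mandatory)][string]$Base64Blob)
    $blob = [Convert]::FromBase64String($Base64Blob)
    try {
        $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
            $blob, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
        [System.Text.Encoding]::UTF8.GetString($bytes)
    } catch [System.Security.Cryptography.CryptographicException] {
        # Failure branch: a different account cannot unwrap the blob.
        "Unprotect failed for $env:USERDOMAIN\$env:USERNAME: $($_.Exception.Message)"
    }
}

$blob = Protect-Secret -PlainText 'constructed-sample-password'
$blob                    # opaque base64; the stored form contains no plaintext
Unprotect-Secret $blob   # succeeds only under the account that called Protect-Secret

# To see the failure branch, save the blob and run Unprotect-Secret under another
# account (placeholder path and account):
#   Set-Content -Path C:\temp\blob.txt -Value $blob
#   runas /user:CORP\otheruser powershell
```

The practical consequence for an evaluation is that the protection is only as strong as control over the service administrator account: anything that can execute code as that account can unwrap the managed-domain credentials, and a blob copied off the machine is useless without that account's DPAPI master key.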


Since version 2011.1, all the passwords passed between the web browser and Adaxes Web Interface are protected, even if you don't use SSL.
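The answer above says SSL is configured on the Web Interface "in the way you do it for any other website hosted by IIS" and that password operations against AD go over an SSL-secured LDAP connection. The following is an added example, not Adaxes's own code, of how a reviewer would enforce and verify both on a test box. The site name, application name, certificate thumbprint and domain controller name are placeholders; it assumes the WebAdministration module (IIS management tools) is installed and that the script runs elevated on the IIS server.

```powershell
# Added example, not Adaxes code: require HTTPS on the IIS application hosting the
# Web Interface, verify plain HTTP is refused, then confirm a DC accepts LDAPS.
# All names below are placeholders for your environment.
Import-Module WebAdministration

$SiteName = 'Default Web Site'
$AppName  = 'Adaxes'                      # assumed virtual directory of the Web Interface
$Thumb    = 'REPLACE-WITH-CERT-THUMBPRINT' # certificate already in Cert:\LocalMachine\My
$DcFqdn   = 'dc01.corp.example'

# 1. List bindings. Any plain http binding carries forms-based logons in clear.
Get-WebBinding -Name $SiteName | Select-Object protocol, bindingInformation

# 2. Add an https binding if none exists and attach the certificate.
if (-not (Get-WebBinding -Name $SiteName -Protocol https)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443
    (Get-WebBinding -Name $SiteName -Protocol https).AddSslCertificate($Thumb, 'My')
}

# 3. Require SSL on the application so IIS rejects http requests (403.4) instead of
#    serving the logon form. The security/access section is locked in
#    applicationHost.config by default, so it is written through a <location> entry.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$SiteName/$AppName" `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'

# 4. Verify: the http URL must now fail (403.4, or connection refused if the
#    http binding was removed).
try {
    Invoke-WebRequest -Uri "http://localhost/$AppName/" -UseBasicParsing -ErrorAction Stop | Out-Null
    Write-Warning 'HTTP still serves the application; SSL is not being enforced.'
} catch {
    "HTTP refused as expected: $($_.Exception.Message)"
}

# 5. Confirm the DC accepts an LDAPS bind with the current credentials, since that
#    is the channel the answer describes for password changes and resets.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$ldap = New-Object System.DirectoryServices.Protocols.LdapConnection("${DcFqdn}:636")
$ldap.SessionOptions.SecureSocketLayer = $true
$ldap.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
try {
    $ldap.Bind()
    "LDAPS bind to $DcFqdn succeeded"
} catch {
    # Typical causes: nothing listening on 636 (no server certificate on the DC),
    # or the DC certificate chain is not trusted by this machine.
    "LDAPS bind failed: $($_.Exception.Message)"
}
```

The same sslFlags setting applied to whichever IIS application hosts the SPML web service is how you force SSL there, which matters because the answer lists HTTP basic authentication as an option for it. For the self-signed testing case, IIS itself needs nothing beyond the binding, but browsers and API clients will warn or refuse unless the certificate is imported into their Trusted Root store, and a self-signed DC certificate will make step 5 fail until its issuer is trusted on the Adaxes server.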
