0 votes

I need to review the security of your application as part of my evaluation. This is obviously very important for a directory management app. Could you answer a couple of security-related questions please?

  • Where are the service connection account passwords held for the Adaxes service and the managed domains? Are they encrypted? What method of encryption is used?
  • What mechanism is used for IIS authentication? I see that "Sign in as current user" can enable Windows integrated auth, but the forms-based authentication seems to be basic and in the clear under the default configuration. If the website is changed to use a certificate and HTTPS, will the application continue to function? Is there another method for securing logins?
  • What authentication mechanisms are used to connect to the native Active Directories? Are these secured?
  • What authentication is used for SPML and other web services? Can SSL be forced for these services?
  • If a self-signed cert is used for testing, is there any impact or extra configuration necessary?

Thanks

by (80 points)

1 Answer

0 votes
by (18.0k points)

Where are the service connection account passwords held for the Adaxes service and the managed domains? Are they encrypted? What method of encryption is used?

Adaxes itself doesn't store the password for the Adaxes service account. The Adaxes service is installed as a Windows system service that runs under the account of the Adaxes service administrator. The logon information for this system service is specified during Adaxes installation and is stored by Windows.
Credentials for managed AD domains are encrypted using the Data Protection API (DPAPI) provided by the Windows operating system. These encrypted credentials are stored locally on the computer where the Adaxes service runs and are associated with the account of the Adaxes service administrator, which means that only processes running under this account can unprotect the data.

What mechanism is used for IIS authentication? I see that "Sign in as current user" can enable Windows integrated auth, but the forms-based authentication seems to be basic and in the clear under the default configuration. If the website is changed to use a certificate and HTTPS, will the application continue to function? Is there another method for securing logins?

By default, SSL is not configured for the Adaxes Web Interface and network transmissions are not encrypted. However, you can configure SSL on the Adaxes Web Interface in the way you do it for any other website hosted by IIS. If you configure SSL on the Adaxes Web Interface, it will work in both cases: with Windows-integrated authentication and with forms-based authentication.

What authentication mechanisms are used to connect to the native Active Directories? Are these secured?

The Adaxes service uses the LDAP protocol to communicate with Active Directory. Interaction between the Adaxes service and Active Directory is secured for security-sensitive operations only. For example, prior to changing or resetting a password for an AD user, an SSL connection is established and the data are sent via an encrypted channel.
Interaction between Adaxes clients and the Adaxes service is always performed using an encrypted TCP channel.

What authentication is used for SPML and other web services? Can SSL be forced for these services?

Windows integrated or HTTP basic authentication can be used for the SPML web service. SSL can also be configured for the SPML web service.

If a self-signed cert is used for testing, is there any impact or extra configuration necessary?

If I understand you correctly, no extra configuration is necessary.
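The first part of the answer rests on DPAPI's CurrentUser scope. The following PowerShell is an added example, not code from this thread or from Adaxes: it protects a value exactly as the answer describes (tied to the calling Windows account), unprotects it again, and reports which account the Adaxes service actually runs under, since that account is the one whose DPAPI master key guards the stored domain credentials. The entropy value, the sample secret and the `*Adaxes*` service-name pattern are assumptions for illustration.

```powershell
# Added example; not code from the forum thread or from Adaxes.
# Demonstrates the DPAPI behaviour the answer relies on: a blob protected with
# DataProtectionScope.CurrentUser can only be unprotected by a process running
# as the same Windows account (its DPAPI master key), so the account that runs
# the Adaxes service is the trust boundary for the stored domain credentials.
Add-Type -AssemblyName System.Security

# Optional entropy mixed into the key derivation. Assumed value for this demo;
# without it, any code running as the account can unprotect the blob.
$AppEntropy = [System.Text.Encoding]::UTF8.GetBytes('example-app-entropy')

function Protect-Secret {
    param(
        [Parameter(Mandatory)][string]$PlainText,
        [System.Security.Cryptography.DataProtectionScope]$Scope = 'CurrentUser'
    )
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
    try {
        $blob = [System.Security.Cryptography.ProtectedData]::Protect($bytes, $AppEntropy, $Scope)
        [Convert]::ToBase64String($blob)
    } finally {
        [Array]::Clear($bytes, 0, $bytes.Length)   # do not leave the plaintext bytes in memory
    }
}

function Unprotect-Secret {
    param([Parameter(Mandatory)][string]$Base64Blob)
    $blob = [Convert]::FromBase64String($Base64Blob)
    try {
        # DPAPI reads the scope from the blob itself; the user master key is
        # only available to processes running as the protecting account.
        $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $AppEntropy, 'CurrentUser')
        [System.Text.Encoding]::UTF8.GetString($bytes)
    } catch [System.Security.Cryptography.CryptographicException] {
        # Raised when a different account tries to unprotect a CurrentUser blob,
        # or when the entropy does not match the one used at protection time.
        Write-Warning "Cannot unprotect blob as $env:USERDOMAIN\$env:USERNAME: $($_.Exception.Message)"
        $null
    }
}

function Get-DpapiOwnerService {
    # Assumed name pattern: lists Windows services whose name contains 'Adaxes'
    # together with the logon account (StartName) whose DPAPI keys protect the data.
    Get-CimInstance Win32_Service |
        Where-Object { $_.Name -like '*Adaxes*' } |
        Select-Object Name, State, StartName
}

# Round trip under the current account (constructed sample secret).
$protected = Protect-Secret -PlainText 'S3rv1ceAcc0untP@ss'
"Protected blob ($($protected.Length) base64 chars) bound to $env:USERDOMAIN\$env:USERNAME"
Unprotect-Secret -Base64Blob $protected      # same account: returns the plaintext

Get-DpapiOwnerService
```

Running `Unprotect-Secret` on the same blob from a session under any other account (for example via `runas` or a scheduled task) ends in the `CryptographicException` branch; that is the property the answer describes. The caveat a reviewer should carry forward is that the protection is only as strong as control of that account: anyone who can execute code as the service account, or a domain admin holding the domain DPAPI backup key, can unprotect the stored credentials.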


Since version 2011.1, all the passwords passed between the web browser and Adaxes Web Interface are protected, even if you don't use SSL.
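The answers on IIS/HTTPS, the LDAP channel to the managed domains and the self-signed test certificate describe settings that are easy to get wrong silently. The PowerShell below is an added example, not code from this thread or from Adaxes; it reports whether the site hosting the Web Interface (and any SPML endpoint on it) has an HTTPS binding, and performs an LDAPS bind to a domain controller while pinning the certificate the DC presents, which is exactly the check that fails when a self-signed certificate is not trusted. `$SiteName`, `$DomainController` and `$ExpectedThumbprint` are placeholders for your own environment, and the script needs the IIS management tools and an elevated prompt.

```powershell
# Added example; not code from the forum thread or from Adaxes.
# Checks that the two transports discussed in the answer are encrypted:
#  1. the IIS site hosting the Web Interface / SPML service has an HTTPS binding;
#  2. an LDAPS bind (port 636) to a managed domain controller succeeds with the
#     expected certificate, instead of whatever certificate the server presents.
# $SiteName, $DomainController and $ExpectedThumbprint are assumed values.
Import-Module WebAdministration   # IIS management module; run from an elevated prompt

$SiteName           = 'Default Web Site'
$DomainController   = 'dc01.example.com'
$ExpectedThumbprint = '0000000000000000000000000000000000000000'

function Get-SiteTransportReport {
    param([Parameter(Mandatory)][string]$Name)
    $bindings = @(Get-WebBinding -Name $Name)
    [pscustomobject]@{
        Site     = $Name
        Https    = @($bindings | Where-Object { $_.protocol -eq 'https' }).Count -gt 0
        Http     = @($bindings | Where-Object { $_.protocol -eq 'http' }).Count -gt 0
        Bindings = ($bindings | ForEach-Object { "$($_.protocol) $($_.bindingInformation)" }) -join '; '
    }
}

function Test-LdapsBind {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$Thumbprint
    )
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 636)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate   # Kerberos/NTLM as the current account
    # Pin the DC certificate. Without a callback Windows performs the normal chain
    # check, which is where an untrusted self-signed test certificate fails; pinning
    # makes the trust decision explicit rather than accepting any certificate.
    $conn.SessionOptions.VerifyServerCertificate = {
        param($connection, $certificate)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$certificate
        if ($cert.Thumbprint -ne $Thumbprint) {
            Write-Warning "Unexpected certificate from ${Server}: $($cert.Subject) ($($cert.Thumbprint))"
            return $false
        }
        return $true
    }.GetNewClosure()
    try {
        $conn.Bind()
        $true
    } catch {
        Write-Warning "LDAPS bind to ${Server}:636 failed: $($_.Exception.Message)"
        $false
    } finally {
        $conn.Dispose()
    }
}

$report = Get-SiteTransportReport -Name $SiteName
$report
if (-not $report.Https) {
    Write-Warning "$SiteName has no HTTPS binding: the HTTP session, including authenticated SPML requests, is not encrypted in transit."
}
if ($report.Http) {
    Write-Warning "$SiteName still accepts plain HTTP; remove that binding or redirect it to HTTPS."
}

Test-LdapsBind -Server $DomainController -Thumbprint $ExpectedThumbprint
```

A `$false` from `Test-LdapsBind` with the "unexpected certificate" warning means the DC is serving a certificate other than the one you pinned (a self-signed test certificate, for instance); the fix is either to install the intended certificate on the DC or to distribute the test certificate's issuer to the trusted root store of the machine running the Adaxes service, not to relax the check.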
