How to securely return information to end user

Question

Hello,

We did implement LAPS & Bitlocker in our AD environment. To let the helpdesk retrieve those information, we created a bunch a custom command that fetch the AD and log the result as warning

Example:
$Context.LogMessage("Local administrator password: "+$Context.TargetObject.Get("ms-Mcs-AdmPwd") , "Warning")

We chose the custom action over simply displaying the attribute in the webGUI. This way we can audit who activated the custom action on what machine.

Sadly, the output of the custom command remains in the Adaxes log, and everyone with the view log ability can retrieve the already retrieved password without leaving any trace.

How could we improve that? I thought about sending it per mail, but this is not possible as we have a "no password per email" policy

Answer 1

Hello Pierre,

As a solution you can create a Home Page Action that will display only the ms-Mcs-AdmPwd property. For information on how to create a Home Page Action, check the following tutorial: http://www.adaxes.com/tutorials_WebInte ... s.htm#view.

For information on how to grant permissions to view the ms-Mcs-AdmPwd property to specific users, check the following tutorial: http://www.adaxes.com/tutorials_Delegat ... erties.htm.

However, this solution will not allow you to check who and when viewed the property.

Comments

Dear support,

Thank you for your suggestion. This would work for the LAPS, but I don't see how I could achieve the same for the Bitlocker recovery key.

Here is the script:

$value=$False
foreach($child in $Context.TargetObject){
    if($child.get("ObjectClass") -eq "msFVE-RecoveryInformation"){
        $value=$True
        $guid=new-object -TypeName System.Guid -ArgumentList @(,($child.get("msFVE-RecoveryGuid")));
        $Context.LogMessage($child.get("cn")+": Bitlocker recovery key: "+$child.get("msfve-recoverypassword")+" (ID: "+$guid+")", "Warning")
    }
}
if(-not $value){
    $Context.Cancel("Unable to retrieve recovery key for %cn%!")
}

It enumerate the sub items of the computer account and format it in an "user friendly" way for the helpdesk.

Best for us would be to have some way to give custom command feedback to the end user without it being persisted in the log.

---

Hello Pierre,

We can suggest a similar solution for BitLocker as well. You can configure a Scheduled task that will run a similar script. The script will pull the necessary BitLocker Information and save it to a certain attribute of the computer account. The script will perform all actions so that there will be no information in the logs except the very fact that the script was executed.

So, you will only need to distribute permissions to view the property that stores BitLocker information.

Does this solution meet your needs?