0 votes

I need to review the security of your application as part of my evaluation. This is obviously very important for a directory management app. Could you answer a couple of security related questions please?

  • Where is the service connection account passwords held for the adaxes service and the managed domains? Is it encrypted? What method of encryption is used?
    What mechanism is used for IIS authentication? I see the sign in as current user can enable windows integrated auth, but the forms based authentication seems to be basic and in the clear under the default configuration. If the website is changed to use a certificate and HTTPS, will the application continue to function? Is there another method for securing logins?
    What authentication mechanisms are used to connect to the native Active Directories? Are these secured?
    What is the authentication is used for SPML & other web services? Can SSL be forced for these services?
    If a self signed cert is used for testing is there any impact or extra configuration necessary?

Thanks

by (80 points)

1 Answer

0 votes
by (18.0k points)

Where is the service connection account passwords held for the adaxes service and the managed domains? Is it encrypted? What method of encryption is used?

Adaxes itself doesn't store the password for the Adaxes service account. Adaxes service is installed as a Windows system service that runs under the account of the Adaxes service administrator. The logon information for this system service is specified during Adaxes installation and is stored by Windows.
Credentials for managed AD domains are encrypted using the Data Protection API (DPAPI) provided by the Windows operating system. These encrypted credentials are stored locally on the computer where the Adaxes service runs and are associated with the account of the Adaxes service administrator, which means that only processes running under this account can unprotect the data.

What mechanism is used for IIS authentication? I see the sign in as current user can enable windows integrated auth, but the forms based authentication seems to be basic and in the clear under the default configuration. If the website is changed to use a certificate and HTTPS, will the application continue to function? Is there another method for securing logins?

By default, SSL is not configured for the Adaxes Web Interface and network transmissions are not encrypted. However, you can configure SSL on the Adaxes Web Interface in the way you do it for any other website hosted by IIS. If you configure SSL on the Adaxes Web Interface, it will work in both cases: with Windows-integrated authentication and with forms-based authentication.

What authentication mechanisms are used to connect to the native Active Directories? Are these secured?

Adaxes service uses the LDAP protocol to communicate with Active Directory. Interaction between the Adaxes service and Active Directory is secured for security-sensitive operations only. For example, prior to change or reset a password for an AD user, an SSL connection is established and the data are sent via an encrypted channel.
Interaction between Adaxes clients and Adaxes services is always performed using an encrypted TCP channel.

What is the authentication is used for SPML & other web services? Can SSL be forced for these services?

Windows integrated or HTTP basic authentication can be used for the SPML web service. SSL can be also configured for the SPML web service.

If a self signed cert is used for testing is there any impact or extra configuration necessary?

If I understand you correctly, no extra configuration is necessary.

0

Since version 2011.1, all the passwords passed between the web browser and Adaxes Web Interface are protected, even if you don't use SSL.

Related questions

0 votes
0 answers

I have applied a security role to a group at the top of a Business Unit Container and set it to apply to the subtree and it does, all Containers and Business Units do ... Unit. Did I apply the permissions wrong or is there some setting I need to change?

asked Aug 9 by ajmilic (100 points)
0 votes
1 answer

How can I grant read only rights for Configuration items in the Adaxes Admin Console?

asked Jan 26 by mark.it.admin (2.3k points)
0 votes
1 answer

Hi all, I wanted to ask community if you are experiencing same behavior: Add a primary group owner to a security group in ADAXES console. Make sure Can update membership using ... list is checked? In my case it is CHECKED for some reason. Thanks all!

asked Dec 13, 2023 by mega128 (20 points)
0 votes
1 answer

What specific permission is needed in a security role to grant access to enable a user account?

asked Dec 7, 2023 by mightycabal (1.0k points)
0 votes
1 answer

I have an OU structure as follows: Computers |- Servers |- A |- B |- C Groups |- Computers | |- A Phase 1 | |- A Phase 2 | |- A Phase 3 | |- B Phase 1 | ... as the naming scheme is fairly standard. Is this doable, and if so, can you guide me on the right path?

asked Nov 17, 2023 by bennett.blodinger (60 points)
3,538 questions
3,229 answers
8,222 comments
547,739 users