Manage Password Policies for Disconnected Accounts
When you enable disconnected account management (DAM), a default password policy is defined. You can also define password policies on a per-list basis. If no list-specific policy has been created for a list, clients of the list will use the default policy.
Understand How Policies Affect Derived Password Generation
Once a secret has been generated and stored on the endpoint, it can begin deriving passwords. If a password set time has not been saved or if the password expiration time has elapsed, a new password will be derived from the stored secret and set for the local account. The password expiration time is calculated based on when the secret was obtained from the server and the password update frequency defined in the password policy.
Because the secret is generated on the server and saved on the client, the secret set time is always known by both systems. Therefore, the set times on the endpoint cannot drift over extended operation. Even if the update process cannot run for an extended length of time, such as when an endpoint is shut down, the password will be changed immediately when the update process is re-enabled, and the password will be re-synchronized with the value derived on the server. The endpoint also attempts to update its information on the server each time a new secret is obtained or when a new password is derived and set. However, since we expect the system to be disconnected, we also expect this update to be infrequent.
The algorithm used to derive the password from the stored secret depends on the password policy settings. Two types of password policies can be applied globally and/or per list:
- Simple hashing password generation
- Admin-defined password generation
Password policies let you configure the endpoint secret and password generation interval, set a wild card matching string to determine which endpoints are affected by each policy, and define the format for derived passwords. The password policy is copied to the endpoint as part of the endpoint enrollment process, and the policy is updated each time the endpoint obtains a new secret.
The default password policy is defined on the server as part of the web app settings. Unless otherwise specified, the default policy generates a new secret every 7 days and a new password every 24 hours, using the simple hashing algorithm.
Each endpoint will use exactly one policy. If an endpoint matches more than one policy, the first match is applied.
The endpoint determines when a new secret is required based on when the existing secret was generated and the current time on the endpoint. The endpoint determines when a new password is needed based on the last time the password was set and the current time. A new password is always set immediately when a new secret is generated and stored on an endpoint.
Create a List Policy
You can create list policies either from the web application or programmatically.
Create a List Policy From the Web Application
- Log into the web application as an All Access user.
- Select Passwords > Disconnected Accounts.
- Click the List Policies button (gear) in the list row.
- Click the Create New Policy button (+) at the top of the page.
- Define the following policy elements:
- Machine Type Filter: Enter a string to specify the types of systems to which this policy should apply. If you set it to an asterisk (*), it will apply to all systems enrolled in the list.
For more information about filters, please see Apply Policies Based on Machine Type.
- Secret Update Frequency: Set how often a new secret should be generated on the server. The default is 168 hours (7 days). The next time the managed system connects to the web service, if the secrets are mismatched, the managed system receives the latest secret.
- Password Update Frequency: Set how often a new derived password should be generated. The default is 24 hours.
- Simple Hash: If you select this option, then a password derived from the client secret will be a 14-character, random string of uppercase letters, lowercase letters, and numbers.
If you do not select this option, then set the following options for passwords derived from the client secret:
- Password length: Set how many characters to include in the password. The maximum is 127 characters.
- Numbers: Set if the password can contain numbers.
- Symbols: Set if the password can contain special characters.You can leave the text field blank to allow all possible symbols, or you can define an allowed list of symbols.
Some databases accept only the special characters hash (#), underscore (_), and dollar sign ($)
- Lowercase letters: Set if the password can contain lowercase letters.
- Click Create.
Apply Policies Based on Machine Type
The machine type filter is a wild card string that sets the policy to be used for any client systems with a matching machine type. The machine type identifies the endpoint's platform and system type. This string is generated by the endpoint itself when the client script runs. The Windows service and Python script generate machine type information in different formats:
| OS Version | Windows Script Machine Type String |
Python Script Machine Type String |
|---|---|---|
| Windows Vista | Microsoft Windows NT 6.0.6000 | Vista-6.0.* |
| Windows Server 2008 | Microsoft Windows NT 6.0.* | Vista-6.0.* |
| Windows Server 2008 R2 | Microsoft Windows NT 6.1.* | Windows-7-6.1.* |
| Windows 7 | Microsoft Windows NT 6.1.7600 | Windows-7-6.1.* |
| Windows Server 2012 | Microsoft Windows NT 6.2.* | Windows-post2008Server-6.2.* |
| Windows 8 | Microsoft Windows NT 6.2.* | Windows-post2008Server-6.2.* |
| Windows Server 2012 R2 | Microsoft Windows NT 6.3.* | Windows-post2008Server-6.2.* |
| Windows 8.1 | Microsoft Windows NT 6.3.9600 | Windows-post2008Server-6.2.* |
| Windows Server 2016 | Microsoft Windows NT 10.0.* | Windows-post2008Server-6.2.* |
| Windows 10 | Microsoft Windows NT 10.0.10240 | Windows-post2008Server-6.2.* |
| SLES 12 | Linux-4.4.21-69-default-x86_64-with-SuSE-12-x86_64 | |
| Raspberrry Pi (Debian) | Linux-4.4.21-v7+-armv7l-with-debian-8.0 | |
| OSX (Sierra) | Darwin-13.4.0-x86_64-i386-64bit |
In the examples above, the specific patch level is replaced with an asterisk (*), because the exact number varies.
While not all versions and distributions are shown, this table should provide a guide to relative formats. If you have a question about a specific format, you can run the endpoint client and observe what it reports. With the Python client, you can also start a Python session and run:
import platform print platform.platform()
Examine Password Generation Settings
Simple Hashing Password Generation
The default derived password generation algorithm uses an MD5 hash combined with simple transforms to derive passwords with a simple, fixed format.
The first time a password is generated, the secret is hashed using MD5 to ensure good data distribution for the resulting hash. The resulting 64 bytes of binary data are interpreted as 32 hex-encoded characters. The first two hex digits are replaced with a question mark (?) to make sure the password contains a special character. The next fourteen characters are lowercase letters and numbers, and the remaining sixteen characters are uppercase letters and numbers.
For each following password generation, the previous derived password is used to generate a new MD5 hash (similar to how the secret is used the first time), and the same password derivation algorithm is applied to that hash.
Below is an example of a simple hashing password generation over two cycles:
| Secret | pFKiZUQFIl3yJi4H1UvEb3gTRbADrV7E |
| MD5 Hash | |
| MD5 hash for first cycle | 359df6d30033ed522c057ce5b5bdda96 |
| Transform | |
| First password | ?9df6d30033ed522C057CE5B5BDDA96 |
| MD5 Hash | |
| MD5 hash for second cycle | 964d3ffe07680f9b1696543c1dc634d8 |
| Transform | |
| Second password | ?4d3ffe07680f9b1696543C1DC634D8 |
Defined Policy Password Generation
Derived password generation for a defined password policy is similar to the default method.
The first time a password is generated, the secret is hashed using MD5 to ensure good data distribution for the resulting hash. The resulting 64 bytes of binary data are interpreted as 32 hex-encoded characters. The process calculates the set of possible ASCII characters the resulting password can contain. In total, 95 characters are possible:
| 26 uppercase (always used) | ABCDEFGHIJKLMNOPQRSTUVWXYZ |
| 26 lowercase | abcdefghijklmnopqrstuvwxyz |
| 10 numbers | 0123456789 |
| 33 symbols | [space] , . < > / ? ; : ' " [ ] { } \ | ` ~ ! @ # $ % ^ & * ( ) - _ = + |
The set of allowed characters is constructed by adding all uppercase letters, all lowercase letters (if allowed), all numbers (if allowed), and all symbols (or the allowed symbols in the order they appear in the allowable symbols string). For each type of character that is not allowed, the size of the character set decreases. If a specified symbol set is used, the set size is decreased by the number of symbols that are not allowed.
Each two bytes of the binary data are interpreted as a decimal number between 1 and 255. That number is divided (mod) by the size of the allowable character set to get an index in the array of possible characters. One hash can generate a password up to sixteen characters. If the policy requires a longer password, another MD5 hash is generated from the first portion of the derived password, and that new hash is used to generate more characters, using the same method as before.
The remainder of this section looks at an example policy with a length of twenty characters, using uppercase and lowercase letters and numbers but no symbols:
| Index Value | Character Result |
|---|---|
| 0 | A |
| 1 | B |
| … | … |
| 26 | a |
| 27 | b |
| … | … |
| 52 | 0 |
| 53 | 1 |
| … | … |
| 60 | 8 |
| 61 | 9 |
Below is an example of conversion from a 2-byte hash value to a password character:
| Machine secret | BQgApSMIqsHBD3xUlK1vLbtHb2uo6Gr3 |
| MD5 Hash | |
| MD5 hash | a60b978fc6d0364de97aa218d0b15272 |
| First 2 bytes | a6 (166 in decimal) |
| Character set size | 95-33=62 (subtract symbols) |
| Character index mod | 166 % 62 = 42 |
| Character at index 42 in character set | q |
Below is an example of a defined policy password generation over two cycles:
| Secret | BQgApSMIqsHBD3xUlK1vLbtHb2uo6Gr3 |
| MD5 Hash | |
| MD5 hash for first cycle | a60b978fc6d0364de97aa218d0b15272 |
| Convert to password characters | |
| First 16 characters of first password | qLbTMW2Pv8mYW1U0 |
| MD5 Hash first 16 characters | |
| MD5 hashfrom first 16 characters | 70f18a8ff78f83ab64124276af3aad98 |
| Convert to password characters | |
| Remaining 4 characters of first password | y3OT |
| Append results for password | |
| First password (16 + 4 characters) | qLbTMW2Pv8mYW1U0y3OT |
| MD5 Hash | |
| MD5 hash for second cycle | 2977bfc0f1fb2fec8f8b7e501b97388d |
| Convert to password characters | |
| First 16 characters of second password | p5FG3DvyTPCSbb4R |
| MD5 Hash first 16 characters | |
| MD5 hash from first 16 characters | ae0b4ad18c6503fd7ed243cbc57c0566 |
| Convert to password characters | |
| Remaining 4 characters of second password | yLMX |
| Append results for password | |
| Second password (16 + 4 characters) | p5FG3DvyTPCSbb4RyLMX |
