Many password managers actually support this: They keep a username or password copied to the clipboard only there for 15 seconds or so until they overwrite it again. There seems to be no option to have sensitive information copied to the clipboard automatically cleared after a given time of after it has been inserted once. It is unclear, what - if any - mechanisms are in place to protect an open Royal TS document from being exploited through any number of bugs through connections (such as malicious web pages, RDP, SSH or MITM attacks by a red team on the same network) which could then expose the complete Royal TS document with all credentials to the attacker.ġ0. There seems to have been no security audit done on either Royal TS as a whole and/or the encryption part specifically.ĩ. sending an email or logging this to the Windows log).Ĩ. There is no reporting of failed login attempts (e.g. This would also have to be done quietly.)ħ. There is no option to delete all credentials from a document after a number of failed login attempts (e.g. increasing wait time and always displaying a "wrong password" message after the 3rd or 5th try regardless of whether the correct password is entered).Ħ. quietly limit brute-force attempts by e.g. KeyPass and many other programs do support this, it has been requested before, and it should not be very difficult to implement.ĥ. Royal TS does not optionally use the Windows Secure Desktop for the login form which means that any installed keylogger can easily snoop the master password. Again, this should not generally be very difficult to implement.Ĥ. in Veracrypt) as an additional authentication method (this is generally used to protect against hardware keyloggers as well). There is no option to use keyfiles (like e.g. Also, as far as I am aware, Royal Server already has some MFA options.ģ. Windows does provide APIs for biometric devices and implementing TOTP that works with any Authenticator app should be very easy. There are no multi-factor authentication options, even something simple like using an Authenticator app, or any biometric options such as a fingerprint scanner or smartcard reader. The only protection Royal TS seems to offer is a simple password.Ģ. Security concerns that have been raised include:ġ. I don't know if all of them are still valid in the current version or some features that mitigate this are already available, so I apologize in advance if some of the issues raised should be unjustified in some instances. I have collected some of the objections and issues that have been brought forward and I would like to detail them here (I hope this is the right place). So far, the CISO team won't let us because they deem the protections and security features of Royal TS insufficient. Royal TS is really unparalleled in flexibility, longevity, features and ease of use and we'd therefore like to deploy it in a sensitive / high-security environment on Privileged Access Workstations. I have some concerns about the security of Royal TS which I would like to share.
0 Comments
Leave a Reply. |