Start a new topic
Answered

How to block local Credentials

Hello Team,


I am designing solution for my company and would like to use Credentials but only from lastpass. In other words: because of security reasons i do not want any user to configure their own local Credentials (and store them on laptop - even encrypted/protected).


Because of the same reason i need to make sure provided Lastpass credentials are never saved to disk (even encrypted). It should stay in memory only.


Possible ?


Thanks,

Michal



Best Answer

Hi there!


Yes, LastPass credentials are never saved to disk and always only available in memory while the app is running and a LastPass vault is opened.

At the moment, we don't offer a way to prevent users from creating new objects, including credentials.


regards,

felix


Answer

Hi there!


Yes, LastPass credentials are never saved to disk and always only available in memory while the app is running and a LastPass vault is opened.

At the moment, we don't offer a way to prevent users from creating new objects, including credentials.


regards,

felix


1 person likes this

ok, thanks for super fast answer Felix !

You're welcome!

Hi there, I'm looking for such a solution for our company, we don't want that users are able to save passwords locally. For security reasons, we want all passwords saved on LastPass and require users to retype LastPass password (global for all users sharing RoyalTS connections) everytime RoyalTS is launched. I expected a direct and synchronized link between RoyalTS et LastPass, RoyalTS has to get credentials directly from LastPass when a connection is started. Felix mention ''LastPass credentials are never saved to disk and always only available in memory while the app is running and a LastPass vault is opened'' but I didn't find how to link RoyalTS directly with LastPass vault. Under Data->LastPass Vaults, it will import LastPass credentials once but it's not dynamically updated (a change on LastPass will not update RoyalTS) and credentials are then stored in the RoyalTS document (locally), allowing each user to save the document and keep the credentials locally. Am I doing something wrong? Is there such a solution? Thanks for your inputs. Mario

Hi Mario,


to update your LastPass credentials, just reload the document. You will automatically be logged in (given that your LastPass login info is still valid) and the credentials will be refreshed.


Could you please explain what you mean by "but I didn't find how to link RoyalTS directly with LastPass vault."?


Also, I'm not sure I understand what you mean by "and credentials are then stored in the RoyalTS document (locally)". Please explain.


thx,

felix

Hi Felix, let's try to explain our use case. We already use RoyalTS with a shared document. For security reasons, I'm looking for a central solution to save passwords outside RoyalTS (LastPass). The goal is, when a employee leaves our company, we must ensure that even if he saves a local copy of RoyalTS document, he will not be able to connect to remote servers. I'm expecting RoyalTS doesn't saves any information from LastPass locally and requires LastPass password at every launch. That way, if an administrator changes the LastPass password, the user (who leaved the company) will not be able to access the credentials.


As I could test till now, when I add a LastPass vault in RoyalTS, it will download the credentials into the opened RTS document. If I close RTS / document and open it again, it doesn't asks for the LastPass pwd and the credentials folder is still there accessible. I expected by closing RTS, the credentials are not kept into the document and it require to enter the LastPass pwd at every opening.


I hope it's more clear. Thanks for your help

Hi Mario,


whether or not Royal TSX will prompt for LastPass login information depends on how you specify your credentials. If you select an existing credential containing your LastPass username and password, we remember your selection for the next time the app is started. If the credential is still there, we use it to authenticate against LastPass. If you however select "Specify username and password" at the prompt, we only store your username but not the password so the next time you open the app you will be prompted for credentials.


That being said, if you disable or delete the LastPass user in question, there's no way to get in to the LastPass vault. Also, enabling MFA makes sense in that scenario. So even if the credentials are remembered, the second factor must be provided to open a LastPass vault.


None of these measure however prevent a user from using "Save Document As…" and saving a copy of the LastPass vault as regular Royal TS/X document. The same goes for just copy/pasting information from the LastPass vault, whether through Royal TS/X, the LastPass web interface or its desktop apps. To protect your secrets from this you will need to block a leaving user and also rotate your passwords. There's no way around this, unfortunately.


regards,

felix

Hey Felix, i have exactly same use case as Mario, would be great to have a solution here. Thanks !

Could not we just make sure that:

- RoyalTSX will never save (or allow to save) LastPass password (keep it memory only)

- RoyalTSX will never save (or allow to save) any password from LastPass vault (keep it in memory only) ?

Hi teknet7,


Royal TSX will in fact not save the LastPass password unless you manually create a credential in one of your other documents and use this credential in the prompt for authentication.

Again, what do you gain by preventing users from saving a LastPass vault as a Royal TS/X document? As long as the user still has access to his LastPass vault, he can always use one of the many options to grab the secrets and store them locally. There's even a LastPass command line interface which can be used to pretty easily export all your secrets in one fell swoop.

So can you explain why preventing this in Royal TSX matters so much to you?


thx,

felix


Hi Felix, 

Thanks for the confirmation - compliance reasons. 

My company/organization have to go via strict audits. I would need to prove that RoyalTSX does not store any passwords. If it stores any kind of password RoyalTSX would have to be deeply audited (which is time consuming/costly). So looking for a deployment which would give me that guarantee, that nobody is able to export any password out of RoyalTSX. Having those staying in memory only would be good enough (block an option to save it to file/disk). 


Does it make sense ?

Thanks,





Hi teknet7,


unfortunately there's no option to prevent users from saving a LastPass vault to disk in Royal TSX at the moment and we have no intentions to add this in the near future.

From my point of view it wouldn't make much sense to have such a feature because LastPass users would be able to get to their saved secrets using other means anyway (web interface, desktop app, CLI).


If you have strict requirements, you might want to look into some of the available enterprise credential management solutions like Thycotic Secret Server or CyberArk.


Also note that LastPass even states in their CLI documentation that some enterprise policies (like being able to disable exporting) are non-effective when using the CLI: https://support.logmeininc.com/lastpass/help/use-the-lastpass-command-line-application-lp040011#Known

So I guess even if Royal TSX was compliant with your requirements, LastPass itself would most likely not be compliant since there are always ways to get at the passwords (even with policies restricting access in place) if you know how to.


cheers,

felix

Hi Felix, 


I got your point. It makes sense. But it's all about execution. Once we terminate contract with employee LastPass account is blocked and it's not possible to retrieve credentials from there anymore. But if those credentials are stored in RoyalTSX or any other Connection Managers - which might be used on contractors computers/private PCs over which we might not have a control - then we have the issue (those credentials are still easily accessible).

It's also about security policy (we might change it in the future) saying it's safer to store credentials in one centralised Vault (with visibility/auditing) versus locally on thousands of PCs (sometimes well encrypted/sometimes not -> would have to audit it).


Again: you are right, somebody with active LastPass account could export all the passwords and store them in plaintext on desktop. On the other side we want to eliminate all places where we store passwords permanently and audit very carefully those plus maybe even have enforcement of those policies in the future.


This is a bit similar to x509 certificate - if i want to mark it as non-exportable it should be non-exportable (unfortunately it's not always the case).


Thanks,

Michal








Login or Signup to post a comment