Before selecting a Managed Hosting provider, ask the representative to describe how they will manage your password credentials. You may be alarmed by their response. With a Microsoft operating system, the answer will likely be one of the following:
1. “We use Microsoft Active Directory (MSAD).”
MSAD is an excellent solution for managing a large number of servers in an enterprise environment, where all of the servers are trusted. A hosted server does not meet that assumption. If you (or any other customer) are given administrative access to your server, or are allowed to load scripts, install applications or register DLLs, then arbitrary code runs on a domain-joined machine, and any domain credential used on that machine (a provider administrator logging in to help you, for example) can be captured there and replayed against the domain and every other server in it. In that configuration your server and data are NOT safe. MSAD has also had its share of published vulnerabilities, for example:
- Vulnerability in Active Directory Could Allow Denial of Service (953235)
- Microsoft Windows Active Directory LDAP Request Processing Denial of Service
- Microsoft Active Directory Denial of Service Vulnerability
- Microsoft Windows Active Directory Two Vulnerabilities
- Windows Active Directory Unspecified Denial of Service
- Windows 2000 Server Active Directory Buffer Overflow Vulnerability
- (MS07-039) Microsoft Windows Active Directory Remote Code Execution Vulnerability (926122)
2. “We store passwords in a database.”
With this response, the provider is telling you that they configure a single shared account on your servers so that their personnel, including current staff, hired contractors and potentially former employees, can log into your server with one password. There are many pitfalls with this approach.
Password rotation. Unlike MSAD, this gives the provider no central mechanism for changing the password of that account on your server. Either the password is changed manually, or a script reads the password database, logs into each server and changes the password there.
Manual password rotation. This method means you have the task of changing the password yourself, which makes little sense when you are paying your provider to manage your hosting solution for you. If they are unable to rotate their own password, how can you trust them with more difficult tasks? You may be surprised to learn that a rather large hosting provider uses this method: it requires its customers to keep an active administrative login within its customer portal.
Automated password rotation. Here the provider has written a script that reads the username and password for every one of its customers' servers, logs into each server and changes the password at a regular interval. This raises the question "how secure is the database?", which we will get to in a minute. Of the two, automated rotation is the only option you should accept from your provider.
Access. Who has access to your password? Since you are paying a Managed Hosting provider, its employees clearly require access to your password; if that were not the case, you would not need their services. Your password was put into a database for a purpose: to be readily available to the provider's staff. The provider's automated systems and its employees (and possibly contractors) will read your password to perform the services you are paying for. Each poses its own risk.
Automated Systems. Any business trying to achieve scale will use automation for mundane tasks such as the password rotation mentioned above. The automation itself is not the risk; the method used to obtain customer passwords is. The scripts have to be written to perform their task. How do they read the passwords from the database server? Could they be misconfigured, by mistake or on purpose, to log passwords? If a mechanism exists to read passwords from the database, you have to ask how secure that mechanism is, and trust that the provider never allows the passwords in the database to be read en masse. It is impossible to be 100% certain.
Employees. When an employee reads your password, how do they use it? Virtually all Managed Hosting providers keep your account information, password included, in a database. From time to time real people will look at your account information for a variety of reasons. Your password either has to be displayed in clear text, or a simple mechanism must exist for the employee to get it. What if they write your password down on paper and take it home? How long does that password stay active before it is changed? Do employees have access to your account information from home?
Contractors. From time to time, virtually every business uses temporary staff for a variety of tasks. That a temporary employee has access at all is a risk by itself; that they may have access to your password makes the risk worse.
What happens next? Is the password automatically changed? What if the password is “looked at” but never used? What if the password is recorded on a notepad and taken home? What if the employee who has your password is fired? Why would it need to be accessed? How is it accessed? How are you informed when someone accesses your password?
Accountability. Knowing who used the password is essential for compliance: PCI DSS and many other standards require each administrator to have their own account. Assuming your provider has more than one employee, is that single password used by all of them? Is a record kept of who used it and when?
Authorization. Are secure methods in place to protect access to your account information? How do employees log in to the customer database? Are user accounts removed upon termination? Are passwords random and securely generated? Are they changed regularly?
Password database security. Are the database and the applications housing your account information secure? Your provider will say "Yes", but there are many cases, easily found with a web search, where service providers' password databases were compromised. Search for "service provider passwords compromised" and you will find plenty.
3. “We don’t keep a password for your server.”
What your hosting provider is saying is, "We'll call you when we need access". Unless you like receiving telephone calls at all hours of the night, this is not very convenient, and it passes the burden of managing passwords back to you.
By now, you probably agree that managing passwords for a large number of customer servers is a dangerous business and all three of the methods mentioned above pose a risk to the security of your data.
You may also be asking yourself if there is a secure way. PEER 1 believes there is. We’ve developed a patent-pending solution for securely managing our customer passwords, so you can focus on the Possibilities of the web, not the problems. It's called SmartKey™.
About SmartKey
SmartKey is a highly secure, two-factor authentication tool that generates a separate, unique login for our technicians to access your servers, as authorized by you. This lets us start resolving your server issues right away. And if the staff responsible for your servers change and the previous staff have not left a record of the login credentials, SmartKey ensures you can still access your servers through us, anytime, anywhere. SmartKey is included in FirstCall Support.
SmartKey Highlights:
- Unique, random passwords, generated in large numbers
- Automated password changes, both when a password is accessed and at regular intervals
- Access to a customer server is only allowed shortly after a password has been requested
- Detailed logging every time a password is used
- Two-factor authentication required to retrieve a password
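To make the properties in the list above concrete, and to show what the automated rotation and accountability questions under option 2 look like when they are answered properly, here is an added Python model of a password broker. It is example code written for this page, not SmartKey's implementation (which is not described in detail here) and not PEER 1's code. The server fleet is faked with a dictionary, the 15-minute access window and the event names are assumed policy, and the 2FA check is reduced to a boolean passed by the caller; a real broker would push the new password to each Windows server over WinRM and verify the second factor itself.

```python
"""Model of a password broker with the properties listed above (example code,
not SmartKey's implementation): unique random passwords, rotation on use and on
a schedule, a short access window, a per-technician audit trail, and a 2FA gate."""
import secrets
import string
import time

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
ACCESS_WINDOW = 15 * 60   # assumed policy: an issued password is good for 15 minutes


def generate_password(length: int = 24) -> str:
    """CSPRNG-backed password (the `secrets` module, never `random`)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class FakeFleet:
    """Stands in for the customer servers (constructed for this example). A real
    broker would push the new password over WinRM (e.g. Set-LocalUser)."""

    def __init__(self, names):
        self.passwords = {name: generate_password() for name in names}

    def set_password(self, server, new_password):
        self.passwords[server] = new_password

    def check_login(self, server, password):
        return secrets.compare_digest(self.passwords[server], password)


class CredentialBroker:
    def __init__(self, fleet, clock=time.time):
        self.fleet = fleet
        self.clock = clock            # injectable so the access window can be tested
        self.outstanding = {}         # server -> (technician, issued_at)
        self.last_rotated = {}        # server -> timestamp of last rotation
        self.audit = []               # (timestamp, event, technician, server)

    def _log(self, event, technician, server):
        self.audit.append((self.clock(), event, technician, server))

    def rotate(self, server, reason, technician="broker"):
        """Set a fresh password on the server; any issued password dies with it."""
        new_pw = generate_password()
        self.fleet.set_password(server, new_pw)
        self.outstanding.pop(server, None)
        self.last_rotated[server] = self.clock()
        self._log("rotate:" + reason, technician, server)
        return new_pw

    def rotate_stale(self, max_age):
        """Scheduled rotation: every server not rotated by the broker within
        max_age seconds (a server never rotated counts as stale)."""
        now = self.clock()
        stale = [s for s in self.fleet.passwords
                 if now - self.last_rotated.get(s, 0) > max_age]
        for server in stale:
            self.rotate(server, "interval")
        return stale

    def request_password(self, technician, server, second_factor_ok):
        """Hand out a one-time password to a named technician, after 2FA."""
        if not second_factor_ok:
            self._log("denied:no_2fa", technician, server)
            raise PermissionError("second factor required")
        new_pw = self.rotate(server, "issue", technician)
        self.outstanding[server] = (technician, self.clock())
        self._log("issued", technician, server)
        return new_pw

    def login(self, technician, server, password):
        """Server-side check: a request exists, it was made by this technician,
        it is inside the window, and the password matches. A successful login
        rotates the password immediately so it cannot be replayed."""
        entry = self.outstanding.get(server)
        if entry is None:
            self._log("denied:no_request", technician, server)
            return False
        holder, issued_at = entry
        if holder != technician:
            self._log("denied:wrong_holder", technician, server)
            return False
        if self.clock() - issued_at > ACCESS_WINDOW:
            self._log("denied:expired", technician, server)
            self.rotate(server, "expired")
            return False
        if not self.fleet.check_login(server, password):
            self._log("denied:bad_password", technician, server)
            return False
        self._log("login", technician, server)
        self.rotate(server, "used", technician)
        return True


if __name__ == "__main__":
    broker = CredentialBroker(FakeFleet(["web01"]))
    pw = broker.request_password("alice", "web01", second_factor_ok=True)
    print("first login:", broker.login("alice", "web01", pw))
    print("replay:", broker.login("alice", "web01", pw))
    for ts, event, who, server in broker.audit:
        print(f"{ts:.0f} {event:<22} {who:<8} {server}")
```

The audit trail is the answer to the accountability question: every issue, login and denial is recorded against a named technician rather than a shared account, and a password that is requested but never used is still invalidated, either by the window expiring or by the next scheduled `rotate_stale` pass.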