
I am trying to create a local admin account for my lab machines with unique passwords. I have around 25 machines in the lab. I am looking to see if there is any way we can store the password in Azure Key Vault so that, if the password is rotated in Azure Key Vault, the authentication picks up the updated password and authorizes the user. I have to rotate the password very often, usually once every couple of days. The end user would receive the password with which he can log in.

1 Answer


This is too complex a task to put into a simple answer. You have to divide your problem into some smaller ones. Here are the building blocks I would see:

  • Create an authenticated web API that allows CRUD operations against your Azure Key Vault (maybe with ASP.NET Core or Azure Functions, etc.)
  • Create a Windows service that runs on your lab machines, is able to change the local admin account's password and can communicate with your web API.
  • Create an authenticated web page where you can log in and read the username and password.

All of these steps have to be broken down on their own and are not trivial. Also, some additional features could make sense, like:

  • when a username/password is given out, a log is written about who got this username/password and when.
  • when a username/password is given out, the Windows service is informed (maybe by regular requests from the Windows service or some back channel like SignalR or a Redis channel) and produces a new password a given time later (e.g. 8 hours later).

Nevertheless, this is a complex project that needs at least several weeks to be implemented correctly, even if you know how all these techniques work.

Oliver
  • I think this is a good answer, although you could do without the Web API altogether. A Windows service that performs rotation on a scheduled basis and changes it in the local password DB on the domain controller should be enough. – Matt Small Mar 31 '22 at 14:26
  • Yes, but in the question it was mentioned that the password should be stored within an Azure Key Vault, and in that case you need such a Web API (because putting the Key Vault connection string into your Windows service code is a bad idea). – Oliver Mar 31 '22 at 14:30
  • It would be just fine with App ID/client certificate authentication to Key Vault. – Matt Small Mar 31 '22 at 14:40
  • The problem is that any user with read access to the binary of the Windows service could extract this information and directly operate on the Key Vault. By using a web API where the local Windows service has to authenticate with the system account, this would be prevented. – Oliver Mar 31 '22 at 14:43
  • That's not accurate. Certificate authentication to the Key Vault would be secure as long as the certificate is non-exportable from the machine where the service lives, and that would require access to the domain controller anyway, which would mean that the person is an admin. – Matt Small Mar 31 '22 at 17:50
  • Ah okay, sorry, you're right. I thought the certificate would be a resource of the application, but if you install it independently on the machine it's secure. – Oliver Apr 01 '22 at 05:25
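The rotation logic the answer's "Windows service" building block and the two optional features (a checkout log, and re-rotation a fixed time after a password is handed out) would need, as an added example that is not code from the question, the answer or the comments. Azure Key Vault is replaced by an in-memory store with the same two operations (`set_secret`/`get_secret`) so the example runs offline; in production that object would wrap `azure.keyvault.secrets.SecretClient` authenticated with a machine-bound, non-exportable certificate via `azure.identity.CertificateCredential`, as the comments conclude. Applying the password locally is injected as a callable (on Windows it would call `Set-LocalUser`); the machine names, secret naming scheme and the 8-hour re-rotation window are assumptions taken from the answer's "e.g. 8 hours later".

```python
"""Per-machine local admin password rotation with checkout audit (added example).

The secret store stands in for Azure Key Vault; the local password setter stands in
for the Windows-side change. All names and values here are hypothetical.
"""
from __future__ import annotations

import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List

PASSWORD_LENGTH = 24
REROTATE_AFTER = timedelta(hours=8)   # answer's "e.g. 8 hours later" (assumed value)


class InMemorySecretStore:
    """Stand-in for Key Vault: keeps every version of each secret, newest last."""

    def __init__(self) -> None:
        self._secrets: Dict[str, List[str]] = {}

    def set_secret(self, name: str, value: str) -> None:
        self._secrets.setdefault(name, []).append(value)

    def get_secret(self, name: str) -> str:
        return self._secrets[name][-1]

    def versions(self, name: str) -> int:
        return len(self._secrets.get(name, []))


def generate_password(length: int = PASSWORD_LENGTH) -> str:
    """CSPRNG password that contains all four character classes, so it satisfies a
    typical local complexity policy instead of being rejected at apply time."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, "!@#$%^&*-_=+"]
    alphabet = "".join(classes)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in classes):
            return pw


@dataclass
class AuditEvent:
    when: datetime
    machine: str
    actor: str
    action: str   # "rotated" or "checked_out"


@dataclass
class Rotator:
    store: InMemorySecretStore
    apply_local: Callable[[str, str], None]   # (machine, password) -> sets the local admin password
    audit: List[AuditEvent] = field(default_factory=list)
    rotate_due: Dict[str, datetime] = field(default_factory=dict)

    def rotate(self, machine: str, now: datetime, actor: str = "service") -> str:
        pw = generate_password()
        # Record in the vault before changing the machine: a failed local change then
        # leaves a password that is still recorded somewhere, never one nobody knows.
        self.store.set_secret(f"localadmin-{machine}", pw)
        self.apply_local(machine, pw)
        self.rotate_due.pop(machine, None)
        self.audit.append(AuditEvent(now, machine, actor, "rotated"))
        return pw

    def check_out(self, machine: str, user: str, now: datetime) -> str:
        """Hand the current password to a user, log who/when, and schedule re-rotation.
        The first checkout fixes the deadline; later ones do not push it back."""
        pw = self.store.get_secret(f"localadmin-{machine}")
        self.audit.append(AuditEvent(now, machine, user, "checked_out"))
        self.rotate_due.setdefault(machine, now + REROTATE_AFTER)
        return pw

    def rotate_due_machines(self, now: datetime) -> List[str]:
        """Called on the service's polling tick; rotates every machine whose window expired."""
        due = [m for m, t in self.rotate_due.items() if now >= t]
        for m in due:
            self.rotate(m, now, actor="service:post-checkout")
        return due


def demo() -> dict:
    """Run the constructed scenario: rotate, check out, tick before and after 8 hours."""
    store = InMemorySecretStore()
    applied: Dict[str, str] = {}
    r = Rotator(store, lambda machine, pw: applied.__setitem__(machine, pw))
    t0 = datetime(2022, 3, 31, 14, 0, tzinfo=timezone.utc)   # constructed timestamp
    first = r.rotate("lab-01", t0)
    handed_out = r.check_out("lab-01", "alice", t0)
    early = r.rotate_due_machines(t0 + timedelta(hours=7))
    late = r.rotate_due_machines(t0 + timedelta(hours=8))
    return {
        "first": first, "handed_out": handed_out, "early": early, "late": late,
        "applied": applied["lab-01"], "versions": store.versions("localadmin-lab-01"),
        "actions": [e.action for e in r.audit], "actors": [e.actor for e in r.audit],
    }


if __name__ == "__main__":
    print(demo())
```

Note the order inside `rotate`: the vault write happens before the local change, so the failure mode the answer's design has to survive (service crashes mid-rotation) never leaves a machine whose password exists nowhere. The `check_out` log is what gives you the "who got which password when" trail, and the unchanged deadline on repeated checkouts keeps a frequently requested password from living indefinitely.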