Dispel Vaulting | Password Auto-Injection and Password Auto-Rotation

Overview of Dispel Password Vaulting functionality, including auto-injected sessions and auto-rotation management of passwords

Written by Jacob Nates
Updated over a week ago

Password Auto-Injection

Password auto-injection allows admins to provide users with a session to a local device, without needing to reveal the password to the user.

Dispel offers a suite of standard password injection capabilities, as well as support for custom injection connectors. Standard injection capabilities include:

  • SSH sessions

  • RDP sessions

  • VNC sessions

  • HTTPS sessions to an HTML-based web server

  • HTTP sessions to browser-based basic auth

Custom injection capabilities are available for additional or proprietary client applications.

Auto-injection is set up in two phases:

  1. Admin sets up a device account, and assigns the account to a user

  2. User workflow automatically includes dynamic shortcuts for that device

Below, we look at each of the phases.

Admin sets up a device account, and assigns the account to a user

Inside the Dispel dashboard, navigate to a device and click "Add User Account".

Add the account username and password.

Select which users should receive which accounts for their access.

In the above setup, when fred@dispel.io wants to SSH to the device zone-1.dev-1, the local account for "admin" will be automatically injected. However, when steve@dispel.io wants to SSH to the same device, Steve will be provided with a session authenticated with the "user" account instead.

User workflow automatically includes dynamic shortcuts for that device

The user workflow does not change. Users will log in, request access, and connect to their Dispel Virtual Desktop as normal.

Now, however, the Virtual Desktop will contain a folder called "Device Shortcuts".

This folder will be automatically populated with the devices and protocols as granted by the admin.

The user can open the folder and double-click any shortcut. The shortcut opens a pre-authenticated session of that connection type to that device.

Now, the user has a session on the device, but retains no knowledge of the password for the local device account.

Password Auto-Rotation

Password auto-rotation allows admins to sync their end-device passwords into Dispel and set a time period (e.g. 3 months). At the end of each period, Dispel automatically rotates the local password on the end device (e.g. every 3 months, rotate the admin password of the engineering workstation on site).

Dispel offers two categories of password rotation:

  • Standard connection supported by HashiCorp Vault

  • Custom connection depending on OS and application

The standard connections supported by HashiCorp Vault are the following:

However, Dispel has found that our customers’ OT environments often involve server types that are not covered by HashiCorp’s built-in integrations. Thus, we additionally offer custom connections and integrations.

To build a custom integration, the following information should be identified:

  • Operating system

  • Password change mechanism

  • Password change frequency

Below, we walk through a few examples of custom connectors:

  1. Linux server account password change via SSH

  2. Windows server account password change via SSH

  3. Custom web server account password change via API call

Linux server account password change via SSH

In this example, Vault stores the following pieces of information:

  • IP that is accessible via SSH

  • Account with privileges to change password

  • Operating system

  • Password change frequency

At the defined frequency, the Vault will connect to the server via the stored account password, generate a new password, change the account on the server, and update its own account information with the new password.

This process is invisible to the user. Regardless of rotation, the user simply clicks on the shortcut to the device on their virtual desktop, and is automatically dropped into an authenticated session on the target device.

Windows server account password change via SSH

In this example, Vault stores the following pieces of information:

  • IP that is accessible via SSH

  • Account with privileges to change password

  • Operating system

  • Password change frequency

At the defined frequency, the Vault will connect to the server via the stored account password, generate a new password, change the account on the server, and update its own account information with the new password.

Please note that, more commonly, customers prefer to manage their Windows servers through an Active Directory bind. In that case, Vault requires a binding account with read/write privileges over the user accounts it controls. Then, on an admin-defined frequency, the credentials for those Active Directory accounts can be rotated automatically.

In either architecture, the process remains seamless for the user. Regardless of rotation, the user simply clicks on the shortcut to the device on their virtual desktop, and is automatically dropped into an authenticated session on the target device.

Custom web server account password change via API call

In this example, Vault stores the following pieces of information:

  • API endpoint that is accessible through https

  • API token with privileges to manage password

  • Password change frequency

At the defined frequency, Vault will generate a new password, call the defined API endpoint to update the password in the server, and update its own account information with the new password.

As always, this process remains seamless for the user. Regardless of rotation, the user simply clicks on the shortcut to the device on their virtual desktop, and is automatically dropped into an authenticated session on the target application.
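The three custom-connector examples above (Linux via SSH, Windows via SSH, web server via API call) all follow the same cycle: generate a new password, change it on the target with the stored credential, then update the vault record. The added example below is not Dispel's or HashiCorp Vault's code; it is an illustration of that cycle with the "password change mechanism" plugged in as two callables, and it shows the check a practitioner wants in a rotation routine: the candidate is written to the vault record before the target is touched and promoted only after a login with it succeeds, so a failure between "change on server" and "update vault" never leaves an account whose password nobody holds. The `VaultRecord` and `FakeDevice` classes are constructed in-memory stand-ins for the vault entry and for the SSH host or API.

```python
import secrets
import string
from dataclasses import dataclass
from typing import Callable, Optional

Verify = Callable[[str, str], bool]       # (username, password) -> login succeeded?
Change = Callable[[str, str, str], None]  # (username, old, new) -> raises on failure


@dataclass
class VaultRecord:
    """Constructed stand-in for the vault's stored account information."""
    username: str
    current: str
    pending: Optional[str] = None  # candidate written before the device is changed


def generate_password(length: int = 24) -> str:
    alphabet = string.ascii_letters + string.digits + "!@#%^*-_+="
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rotate(record: VaultRecord, verify: Verify, change: Change) -> str:
    """Run one rotation cycle; returns what happened so a scheduler can log it."""
    # An earlier run may have died after changing the device but before promoting
    # the candidate: if the pending password logs in, it is the live one.
    if record.pending is not None:
        if verify(record.username, record.pending):
            record.current, record.pending = record.pending, None
            return "recovered-pending"
        record.pending = None  # candidate never took effect; discard it
    if not verify(record.username, record.current):
        raise RuntimeError("stored credential no longer valid; manual intervention needed")
    record.pending = generate_password()  # persisted BEFORE the target is touched
    change(record.username, record.current, record.pending)  # e.g. chpasswd over SSH or API call
    if not verify(record.username, record.pending):
        raise RuntimeError("target rejected the new password; pending kept for next run")
    record.current, record.pending = record.pending, None
    return "rotated"


class FakeDevice:
    """Constructed in-memory stand-in for the SSH host or web API whose account is rotated."""
    def __init__(self, username: str, password: str):
        self.accounts = {username: password}

    def verify(self, user: str, pw: str) -> bool:
        return self.accounts.get(user) == pw

    def change(self, user: str, old: str, new: str) -> None:
        if self.accounts.get(user) != old:
            raise PermissionError("old password rejected")
        self.accounts[user] = new
```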
