Installing Passwordstate on Windows Server

Asphyxia

Owner
Administrator
Apr 25, 2015
1,845
2
2,199
327
Software (modern options make more sense, choose Windows Server 2016 or 2019 for example):
Microsoft Windows Server 2008 R2, & IIS 7.0
Microsoft Windows Server 2012, 2012 R2 & IIS 8.0
Microsoft Windows Server 2016 & IIS 10.0
Microsoft Windows Server 2019 & IIS 10.0
Windows 7 & IIS 7.5
Windows 8 & IIS 8.0
Windows 10 & IIS 10.0
Microsoft .NET framework 4.5
PowerShell 4.0 or above
Microsoft SQL Server 2012 Native Client
OpenJDK 12 or above (if using Browser based Remote Session Launcher)

Hardware:
Preferably 2 x CPU (virtualized)
4 GB RAM (the more RAM the better with higher concurrent user access)
100 MB of disk space for web install
50 MB of disk space for database (smaller initially), plus room for SQL backups. Allow for 10 MB of disk space per user per year
Passwordstate will operate in a virtualised (Australia spelling) environment (Hyper-V or VMWare compatible)
50 GB disk storage

Database:
Microsoft SQL Server 2017 Express and Above


---

Firstly, download the zip to your server from https://www.clickstudios.com.au/download-password-manager.aspx - you should see the ".zip" link at the bottom.

Extract the zip and launch the passwordstate.exe (installer).

1. Enter your desired domain and port number, next.

2100

I have entered the domain and changed port from 9119 default to 443. This server could be locked down to being accessible strictly from a VPN for example which strengthens security. Now the risk is internal, like a rogue security team member with access to passwords but Passwordstate has auditing so I can see what a user is accessing. If Asphyxia does not need to view "TeamSpeak SSH", then when he loads that and I get an alert - I will be suspicious.

Now we can open our browser of choice (I prefer Google Chrome), navigate to our server's IP or domain you entered assuming this is pointed/routed via DNS records you should have adjusted. For example, I could navigate to https://pass.r4p3.net only from within my VPN using my own DNS (provided correct configuration). With my configuration, no one even knows pass.r4p3.net exists - go on and ping it once! Good luck, you would need to be within the VPN.

2. Navigate to your server's domain/port or IP address within a web browser.


3. Make sure "Primary Instance" is selected unless you want "High Availability Instance", then Begin.

4. Open a new browser tab to https://www.microsoft.com/en-us/sql-server/sql-server-editions-express and select "Download now".

5. Run the SQL Server 2017 (or newer) Express installer and select "Basic".

6. 2102 make sure to click Install SSMS (SQL Server Management Studio), we will need this installed.

7. Launch your Microsoft SQL Server Management Studio app, using all the default settings click "Connect".

8. Open Security > Logins and right click Logins to select "New Login".

9a. Select "SQL Server authentication" and login name Pstate, choose your own password like N0thingth1$bad (make your own). You should uncheck Enforce password policy.
9b. Select "Server Roles" - check "sysadmin". Now public and sysadmin should be checked, click OK.

10. Right click your SQLEXPRESS server at the top left of your Object Explorer and click properties (bottom menu item).
2104

11. Enable SQL Server auth by filling the "SQL Server and Windows Authentication mode" radio button.
2105
For the red 2 pictured shown empty, YOU SHOULD FILL YOURS.

12. Click OK, right click your SQLEXPRESS server at the top left of your Object Explorer and click Restart - Yes - Yes.

13. Return to your web browser to resume setting up Passwordstate.

14. Fill your database connection details in and click "Test Connection".
2107

15. Continue on after test is Okay, next.

From here, your configuration should be more self-explanatory such as whether you want AD (Active Directory) for perhaps LDAP authentication. Otherwise there is Forms Based Authentication.

Some important notes:
In the USA, you may want to enable FIPS support.
2108

Pay close attention to "Emergency Access Account", print this password onto paper or write to a USB key to store in one or more locked safes (water and fireproof for anything business critical).

Email configuration is simple enough, talk to an email admin if unsure. Proxy server settings can be configured to check for new builds.

Passwordstate is a great PAM solution, read more about their solution here https://www.clickstudios.com.au/about/privileged-account-management.aspx - you will enjoy knowing their solution is Free for 5 Users, with all the Enterprise License features.
 

Attachments

  • 1561132049863.png
    1561132049863.png
    9.9 KB · Views: 3
Top