lithnet / access-manager

Access Manager provides web-based access to local admin (LAPS) passwords, BitLocker recovery keys, and just-in-time administrative access to Windows computers in a modern, secure, and user-friendly way.

Easy pre-populate machine name in the form #108

Open Nuffnorm opened 3 years ago

Nuffnorm commented 3 years ago

We'd like to give some of our users easy URL shortcuts to look up their admin passwords. So it would be good to be able to send it something like: https://access.url.com/Computer/AccessRequest/?ComputerName=my-desktop

I'm not an HTML expert but I think the source has value="" in the attributes for the field which may stop this from working (and then I'm not sure of the URL syntax anyway!)

Hope this is an easy one!

jemmiegod commented 3 years ago

Hi @Nuffnorm

This is a potentially dangerous option to have. If you're using this for JIT access, it could reduce the effectiveness of AMS. I can see a scenario where admins would script this with all their servers and they'd run it each morning so they don't have to go to the website to request access each time, effectively adding permanent admins back to your servers, completely nullifying the whole reason for implementing JIT.

I'll let Ryan comment on this though. I'd however suggest you not permit this behaviour even if the feature existed. There's a trade-off between security and convenience.

ryannewington commented 3 years ago

Jaysn is right, it could inadvertently open up 'misuse' scenarios, however rate limits could prevent this from being a problem.

I'll have a think about how to implement it. I might be able to do it in a way that allows this feature to be turned 'on' where the organization has assessed the risk profile itself.

Nuffnorm commented 3 years ago

Hi Ryan and Jaysn,

I can see that you’re 100% right about the negative usage scenarios – and this is a poor idea!

Any thoughts on our use-case? Any better way of doing it? Our use case is: We have a set of users who need occasional admin access on their PCs. We wish them to work normally with lower priv.d users (their basic accounts). If they need to look up their admin password, Lithnet/AMS will show it to them, but also automatically changes that password x minutes later. These users will forget their machine names though, and/or type it wrongly so we hoped to give them something to pre-populate it. Any ideas?

Is it possible to associate a user with one or more PCs (which they own) and the admin passwords for all x are shown? (That doesn’t feel tremendously secure either, of course!).

Thanks for your thoughts!

From: Ryan Newington @.> Sent: 02 July 2021 22:15 To: lithnet/access-manager @.> Cc: Mark D. P. Norman @.>; Mention @.> Subject: Re: [lithnet/access-manager] Easy pre-populate machine name in the form (#108)

ryannewington commented 3 years ago

I think we can do this, it's just a matter of making sure the rate limit settings are appropriate, so that people don't take advantage of it in unintended ways.

At the end of the day, AMS is about protecting organizations from bad guys - not from yourselves. So this is something you'd deal with and assess the risk of internally.

It would be nice for the product to have a 'my computers' page where they could have shortcuts to the computers pre-identified as theirs. Or maybe the ability for people to just mark computers as 'favorites' and show them on a dashboard/landing page.
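
As an added illustration of the approach discussed above (this is not Access Manager's own code, which is C#/ASP.NET; it is a framework-neutral Python sketch), here is one way an opt-in prefill plus a per-user rate limit could be structured: the ComputerName query value is honoured only when the organisation has switched the option on, is validated as a plausible host name and HTML-encoded before it lands in the field's value attribute, and access requests are counted per user in a sliding window. The request path, the limits, and the host-name rule are assumptions.

```python
import html
import re
from collections import defaultdict, deque
from urllib.parse import parse_qs, urlparse

# Assumed host-name rule: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
COMPUTER_NAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def prefill_from_url(url, feature_enabled):
    """Return the computer name to pre-populate, or None.

    Honoured only when the organisation has opted in (so the default stays
    off), and only when the value looks like a host name, so a crafted link
    cannot smuggle arbitrary text into the form.
    """
    if not feature_enabled:
        return None
    values = parse_qs(urlparse(url).query).get("ComputerName")
    if not values or len(values) != 1:      # missing or repeated parameter: ignore
        return None
    name = values[0].strip()
    return name if COMPUTER_NAME_RE.fullmatch(name) else None


def input_value_attr(name):
    """Render the validated name into the input's value attribute, HTML-encoded."""
    return 'value="%s"' % html.escape(name, quote=True)


class AccessRequestRateLimiter:
    """Sliding-window cap on access requests per user: the control that keeps a
    scripted 'request every server each morning' loop from turning JIT access
    into standing access."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits = defaultdict(deque)   # user -> timestamps of recent requests

    def allow(self, user, now):
        """Record a request at time 'now' and say whether it is within the limit."""
        recent = self._hits[user]
        while recent and now - recent[0] >= self.window:
            recent.popleft()              # drop requests outside the window
        if len(recent) >= self.max_requests:
            return False
        recent.append(now)
        return True
```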

perfectly-preserved-pie commented 3 years ago

These users will forget their machine names though

We had the same problem here and I initially thought of your solution. Pre-filled computer names or BGInfo. However (thankfully) management was like "oh, you want admin rights? You need them to do your work? You don't want to stress out over the weekend because this is preventing you from getting admin rights to install a needed software? Then remember your damn computer name when helpdesk provides it the first time."

Paraphrasing of course, but c'mon users. Write the computer name down or just look through your emails... favorite it... pin it... it's not too much to ask.

Just my 2 cents. This is one of those cases where I think policy would solve this issue rather neatly instead of a new technical solution.