Skip to main content

Articles in this section

Print

HSecurity

  • Updated

HSecurity

A sustained security effort is critical to obtaining and surpassing each organization's security goals. Cayosoft strives to meet or exceed industry standards to allow customers to meet their security standards.

The following information is provided to give customers a greater understanding of privacy and protection against attacks or malevolent users.

Design

Cayosoft Administrator is designed to follow security best practices. These are the steps that an administrator must perform to maintain the desired level of security when deploying the product:

Prerequisites

  1. Protect the machine, where Cayosoft Administrator is running, from unauthorized access. Only people, who should have full control over Cayosoft Administrator, should have access to this machine.

  2. Configure Web Portal with SSL certificate for secured communication from a browser over HTTP.

  3. Encrypt the drive where Cayosoft Administrator is deployed.

Secure information stored persistently in the Cayosoft Configuration DB

  • To access managed systems, the product needs to store target system credentials, in the form of connection account name and its password, or in the form of OAuth refresh token.

  • Passwords are stored in the configuration DB, encrypted with AES encryption, using an automatically generated key, called a DB Encryption Key.

  • DB Encryption Key length is 128 bits (AES-128).

  • DB Encryption Key is stored in the local system protected vault using Windows Server Data Protection API (documentation).

  • DB Encryption Key can be exported as a file.

    • DB Encryption Key can be exported to a file from the Cayosoft Administrator Console.

    • Exported DB Encryption Key is encrypted with Rijndael symmetric encryption algorithm with a 256-bit key, derived from a password provided by a user during export (SHA1 hashing).

Secure information stored persistently in other systems (Self-Service password reset answers)

  • When a user enrolls into Self-Service Password Reset, the user is asked to select questions, provide answers, and also provide his email and phone.

  • That information is encrypted and stored with the user object in Active Directory, as a value of the accountNameHistory attribute.

  • For user answers, MD5 one-way hash is calculated for each answer and this hash is stored in AD.

  • Selected questions, and specified phone and email addresses, are encrypted with Rijndael symmetric encryption algorithm with a 256-bit key, derived from a password provided by an administrator during configuration of Self-Service Password Reset functionality.

Secure information while in transit from Admin Console to Admin Service

  • The communication channel between the Cayosoft Administrator Console and Service is TLS1.2 encrypted.

Secure information while in transit from IIS to Service

  • As IIS and the Cayosoft Administrator Service must be installed on the same machine, which we require to be protected from unauthorized access, there are no requirements to encrypt traffic between IIS and the Cayosoft Administrator Service.

Secure information while in transit from Service to Office 365

  • The communication channel between the Cayosoft Administrator Service and Office 365 is encrypted with TLS1.2.

NOTE: The Cayosoft Administrator Service uses two types of API to communicate to various Office 365 service endpoints: a) corresponding PowerShell module, provided by Microsoft, and b) direct call to RESTful Graph API.

  1. When initializing connection to Graph API, Admin Service sets the channel security protocol to TLS1.2.

  2. PowerShell modules, provided by Microsoft, provide built-in communication encryption by default.

Secure information while in transit from Service to AD

  • The communication channel between Admin Service and Active Directory is encrypted with TLS 1.2.

NOTE: The Cayosoft Administrator Service is using Active Directory PowerShell Module to communicate to Active Directory. This module communicates through the Active Directory Web Services service, with built-in communication encryption enforced by default.

Secure information while in transit from Browser to IIS Web Application (Web Portal)

  • It is required that SSL encryption be configured and required for the CayosftWebAdmin web application in IIS Server Manager.

  • That would ensure all the traffic is encrypted between the Browser and IIS Web Application.

Authenticate Users from AD (Web Portal)

  • When the Web Portal authentication for users setting in the Web Portal is set to Active Directory, IIS Forms Authentication module is used to obtain and pass user credentials to the Web Portal. Form authentication ticket protection set to validation and encryption (documentation).

  • User credentials are then used by Web Interface on a server machine with native Win32 API to logon user to Active Directory.

NOTE: It is required to configure SSL encryption for the CayosftWebAdmin web application in IIS Server Manager.

Authenticate Users from Azure AD (Web Portal)

  • When the Web Portal authentication for users setting in the Web Portal is set to Azure Active Directory (Office 365), IIS Forms Authentication module is used to obtain and pass user credentials to the Web Portal. Form authentication ticket protection set to validation and encryption (documentation).

  • User credentials are then used by Web Interface on a server machine with native Win32 API to logon user to Active Directory.

NOTE: It is required to configure SSL encryption for the CayosftWebAdmin web application in IIS Server Manager.

Local Administrator Access

  • The local administrator is automatically granted a Global Admin role in Cayosoft Administrator.

  • This is done by design, to prevent configuration mistakes that remove all other explicit delegations in Cayosoft Administrator, without which there would otherwise be no access to the product or any of its functionality.

  • This design always provides an account that can log in and fix the configuration to reinstate proper delegation.

NOTE: This default delegation to local admins is also explained by the fact that members of the Local Administrators group have full control of the machine, the operating system, and all other software running on this machine and can thus bypass any protection measures implemented in a software package. Local administrator accounts need to be properly secured.

Cayosoft Administrator and antivirus software

An Antivirus software can cause slow performance for some operations in Cayosoft Administrator. For example, when using object pickers or automation rules execution.

Cayosoft Administrator firewall rule

When the Cayosoft Administrator Service starts for the first time, it adds an inbound firewall rule with the name Cayosoft Administrator Service:

  1. The rule scope is any local or remote IP address.

  2. The rule is applied to all profiles.

  3. The Cayosoft Administrator Console requires 7800 TCP port.

© Copyright 2013-2026 Cayosoft Inc. All rights reserved.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request
Return to top

Related articles

Comments

0 comments

Please sign in to leave a comment.