Adam Listek

As an IT specialist with over 20 years in the industry, I work hard to stay up to date on new and emerging technologies. Having worked in diverse fields from healthcare to higher education, I love new challenges and creating in-depth content to share with the world!

Inside 2024.2: Layered protection with sealed entries

Summary

Devolutions Server and Remote Desktop Manager now support sealed entries, providing an additional layer of protection for high-risk accounts. Sealed entries require users to actively unseal them, triggering an alert to be sent to all administrators and encouraging careful use of sensitive accounts.

Do you have an administrator account that’s rarely accessed, kept only for backups or for emergencies? These accounts are frequently overlooked, despite having high privileges and a high threat potential.

What if these accounts could be sealed so that, when one is accessed, all administrators are notified?

As of 2024.2, Devolutions Server and Remote Desktop Manager support sealed entries for accounts that need additional layers of protection against misuse.

What is a sealed entry?

A sealed entry requires a user with the proper permissions to actively unseal the entry in order to access it, which triggers a notification to all Devolutions Server (DVLS) administrators. While correctly scoped roles determine who can access the entry in the first place, the entry’s seal adds another layer of protection by discouraging casual use and alerting administrators to any access attempts.

Sealed entries are particularly useful for managing high-risk or rarely used accounts, such as the following:

  • Disaster recovery accounts
  • Break-the-glass accounts
  • Critical accounts
  • Inflexible accounts

Getting started with sealed entries

Sealing a credential entry is as simple as toggling the setting. Whether starting from the Devolutions Server web interface or the Remote Desktop Manager client, navigate to a credential entry’s Security tab. Once there, locate the Security settings section and change the seal state to Sealed.


Modifying the seal state of a credential in Devolutions Server

Modifying the seal state of a credential in Remote Desktop Manager

Once sealed, an entry will show an informational screen indicating that the entry must first be unsealed to view any details. In addition, there is a new icon next to the entry in the entry list, showing that it is a sealed entry.


A sealed entry in Devolutions Server

A sealed entry in Remote Desktop Manager

Finally, clicking the Unseal entry button will prompt a confirmation and, ultimately, a notification to be sent to all administrators. An information tag indicating that the entry was unsealed is also shown in the entry details.


Devolutions Server alert upon unsealing an entry

The new Devolutions Server REST API and sealed entries

With the introduction of the Devolutions Server REST API in recent versions, entries can be retrieved programmatically. We recently showed a PowerShell example on our blog demonstrating how quickly the details of an entry can be retrieved through the REST API.

To prevent circumvention of the seal state, DVLS responds to any programmatic attempt to access a sealed entry with an error message indicating that the entry is sealed.


PowerShell code example attempting to retrieve a sealed entry

Layered protections through sealed entries

Sealed entries provide an essential layer of protection for important accounts, ensuring that any access, whether accidental or malicious, alerts administrators. Requiring users to actively unseal entries also encourages deliberate and cautious use of sensitive accounts and of user privileges. Enhance your security strategy with one more piece of the security puzzle by incorporating sealed entries into your credential management.
