Do you have an administrator account that’s rarely accessed, kept only for backups or for emergencies? These accounts are frequently overlooked, despite having high privileges and a high threat potential.
What if these accounts could be sealed so that, when one is accessed, all administrators are notified?
As of 2024.2, Devolutions Server and Remote Desktop Manager support sealed entries for accounts that need additional layers of protection against misuse.
What is a sealed entry?
A sealed entry requires a user with the proper permissions to actively unseal it before accessing it, and unsealing triggers a notification to all Devolutions Server (DVLS) administrators. While correctly scoped roles determine who can access the entry in the first place, the entry’s seal adds another layer of protection by discouraging casual use and alerting administrators to any access attempts.
Sealed entries are particularly useful for managing high-risk or rarely used accounts, such as the following:
- Disaster recovery accounts
- Break-the-glass accounts
- Critical accounts
- Inflexible accounts
Getting started with sealed entries
Sealing a credential entry is as simple as toggling the setting. Whether starting from the Devolutions Server web interface or the Remote Desktop Manager client, navigate to a credential entry’s Security tab. Once there, locate the Security settings section and change the seal state to Sealed.
Once sealed, an entry will show an informational screen indicating that the entry must first be unsealed to view any details. In addition, there is a new icon next to the entry in the entry list, showing that it is a sealed entry.
Finally, clicking the Unseal entry button prompts for confirmation and then sends a notification to all administrators. An information tag indicating that the entry was unsealed is also shown in the entry details.
The new Devolutions Server REST API and sealed entries
With the introduction of the Devolutions Server REST API in recent versions, entries can be retrieved programmatically. We recently showed a PowerShell example on our blog demonstrating how quickly the details of an entry can be retrieved through the REST API.
To prevent circumvention of the seal state, DVLS responds to any programmatic attempt to access a sealed entry with an error message indicating that the entry is sealed.
Layered protections through sealed entries
Sealed entries provide an essential layer of protection for important accounts, ensuring that any access, whether accidental or malicious, alerts administrators. Requiring users to actively unseal entries also encourages deliberate and cautious use of sensitive accounts and of user privileges. Enhance your security strategy with one more piece of the security puzzle by incorporating sealed entries into your credential management.