What is the best practice for managing override passwords?

Sometimes you can’t access AuthAnvil. The Internet connection may be down, IIS or SQL may not be responding, or the AuthAnvil server may even be offline. To make sure that you can still gain access to the servers when you need to, the AuthAnvil Windows Logon Agent and Credential Provider include a feature to set an Override Password. This password is entered in the passcode field when logging on to a system, allowing that user to bypass AuthAnvil Authentication.

This is a pretty powerful feature, so it has to be managed carefully. Today’s AuthAnvil best practice is to only give out override passwords when you need to, and change them after every use. 

We've made override passwords easy to change for people with the right credentials. You can use the AuthAnvil Logon Config control panel applet that is installed by default with the logon agent, or the Override Password Utility available from the Help Center. Alternatively, you can generate a password hash by running the Change Override Password utility with the -g: switch and push it out to the HKEY_LOCAL_MACHINE\SOFTWARE\Scorpion Software\AuthAnvilLogon\OverridePwd key on the target machine.

This is a common issue for MSPs. Override passwords can be securely stored in your PSA tools, such as ConnectWise or Autotask, with access given only to high-level employees. When field techs are dispatched to a site where an override password needs to be used (i.e., when the Internet connection is down), they can call in and request the override password for the system that they need to log into. When the tech has finished and the system is back on the Internet, a new override password can be pushed out using your RMM tools, such as Kaseya or LabTech, or any other tool that allows you to push out changes to registry keys.

Override passwords also provide an audit trail, writing event ID 5 to the application event log any time they’re used. This can be monitored either by your favorite RMM tool or by triggering an action every time the event happens in Windows Server 2008 or later. This way you’ll know every time someone has used one. 
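One way to review the audit trail described above, as an added example that is not AuthAnvil's own code. The function name Get-OverridePasswordUse is hypothetical, and the event source (provider) name is not given in this article, so it is an optional parameter you fill in from a known override event on your own systems.

```powershell
# Added example: report uses of the override password from the Application log.
# The log name and event ID 5 come from the article. The provider (event source)
# name is NOT stated there, so -ProviderName is an assumption you supply yourself.
function Get-OverridePasswordUse {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [datetime]$Since = (Get-Date).AddDays(-7),
        [string]$ProviderName   # read this from a known override event on your systems
    )

    $filter = @{ LogName = 'Application'; Id = 5; StartTime = $Since }
    if ($ProviderName) {
        $filter.ProviderName = $ProviderName
    } else {
        # Event IDs are only unique per source, so unfiltered results can include
        # unrelated software; the Provider column shows which source wrote each one.
        Write-Warning 'No -ProviderName given: results may include event ID 5 from other sources.'
    }

    foreach ($computer in $ComputerName) {
        try {
            Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop |
                Select-Object TimeCreated,
                    @{ Name = 'Computer'; Expression = { $_.MachineName } },
                    @{ Name = 'Provider'; Expression = { $_.ProviderName } },
                    @{ Name = 'Message';  Expression = { ($_.Message -split "`r?`n")[0] } }
        }
        catch {
            if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
                Write-Verbose "$computer : no event ID 5 since $Since"
            } else {
                # Unreachable host or access denied: report it, so a failed query
                # is not mistaken for "the override password was not used".
                Write-Warning "$computer : query failed: $($_.Exception.Message)"
            }
        }
    }
}

# Usage: list the last day's override logons so those passwords can be changed.
Get-OverridePasswordUse -Since (Get-Date).AddDays(-1) |
    Sort-Object Computer, TimeCreated |
    Format-Table -AutoSize
```

Each machine in the output is one whose override password has been used and, following the practice above, should have a new one pushed out.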

By keeping your override passwords secure, changing them when required, and monitoring their use, you can have a safe method of getting into an AuthAnvil-protected system when you can’t reach the AuthAnvil server, without having to worry that staff is abusing the privilege.
