Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Question

 Robert Fleming (RobIsTheName)
RBC
Senior Manager, Process Automation
RBC
CA
RobIsTheName Member since 2017 37 posts
RBC
Posted: May 4, 2017
Last activity: Aug 23, 2018
Posted: 4 May 2017 9:32 EDT
Last activity: 23 Aug 2018 19:06 EDT
Closed

RPA Auto log in security problem: passwords stored in the clear...

So, I'm configuring an RPA solution, and disable the screen locking, but there is a need for the bot to sign into the system on a specific domain. I know that there is a way to set up windows registry to cause an auto login with domain, id, and password. My infosec folks are indicating there is a security exposure as the password stored in the registry is in the clear. If anyone gets onto the machine, can open the registry and find all the credentials.

Is there another (preferred) way to log into the system in an auto-boot with password encrypted somehow.. Or other mitigation methods..?

Thanks



**Moderation Team has archived post**


This post has been archived for educational purposes. Contents and links will no longer be updated. If you have the same/similar question, please write a new post.

To see attachments, please log in.
Robotic Process Automation

Posted: 8 years ago
Posted: 4 May 2017 9:45 EDT
Thomas Sasnett (ThomasSasnett)
MOD
Contractor
Pegasystems Inc.
US

Pega Robotics provides the Credential Store component to securely store credentials on the machine. It uses DPAPI encryption in addition to an additional layer. Just remember when you call GetCredentials, to right-click on the blue lines coming out and mark them as Sensitive so the contents do not get added to the RuntimeLog when enabled. That would essentially be storing them in the clear. You can also use the ASO component which has the same security. It won't log anything, however it does have the possibility of showing a UI where a user would need to intervene if the credentials were bad. For RPA projects, this is not a great idea since there really isn't a user present.

To see attachments, please log in.
Posted: 8 years ago
Posted: 4 May 2017 11:47 EDT
Jeff Badger (jeffbadger)
PEGA
Principal Product Manager, Robotics
Pegasystems Inc.
US

For logging in to a machine automatically there really isn't another way than to use the registry option you mentioned.  Using VMs allows you to lock the host machine so that only those with access to the host can access the VMs.  That is the line of defense that is normally employed.

To see attachments, please log in.
Posted: 8 years ago
Posted: 5 May 2017 17:16 EDT
Robert Fleming (RobIsTheName)
RBC
Senior Manager, Process Automation
RBC
CA

Thanks Jeff /Sasnt;  locking the vm is real challenge, my it/infosec thinks he's found a way via controling access to the vm via A/D Groups..  hopefully this will fly with the rest of his team..

 

rob

To see attachments, please log in.

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice