Restrict Keychain Access to Admin

Chuey
Contributor III

Hello,

Staff are admins of their own machines. Is there a way to restrict access to the keychain manager?

Thanks in advance


sdagley
Esteemed Contributor II

You could create a Restricted Software setting (see Casper Admin Guide - Restricted Software) to prevent them from running Keychain Access.

bentoms
Release Candidate Programs Tester

@Chuey What is it you're wanting to stop access to?

Restricting the app will not restrict the command line (the security command).

Chuey
Contributor III

@sdagley I thought about restricting the app process by PID. I was wondering though if I restrict access to it, when a user goes to save a password in keychain, will it kill that process in the background and not allow it to save?

@bentoms We have issues with staff giving out WiFi passwords to our main network that communicates with servers, etc. If I'm an admin and know what I'm doing, I can go into Keychain and unlock the WiFi keychain password to view. I'd like to restrict them from being able to view that. I'm not too concerned about them being able to access it via command line.

I guess my question is, could I block the process with Restricted Software and still be able to store passwords in Keychain when visiting web pages, etc.?

bentoms
Release Candidate Programs Tester

@chuey are the users admins?

Chuey
Contributor III

@bentoms Yes, they are admins.

sdagley
Esteemed Contributor II

@Chuey Using a Restricted Software config like I described simply blocks access to the Keychain Access application, which as @bentoms points out won't block access to the security command line tool that will show all the info provided in Keychain Access (just without the pretty GUI). Blocking the app won't prevent your users from being able to store passwords for web sites, but your more determined users could still use the command line tool to extract the WiFi password, so it doesn't really add that much security. You may want to look into 802.1x authentication for your WiFi network so that connecting to it doesn't just require a password.

Chuey
Contributor III

@sdagley I know most of our users don't even know what Keychain means, so I can just use a restricted software rule. We block the terminal process for most of them and even ones with access won't attempt. Blocking the GUI should be good enough. I just didn't know if I used a restricted software rule if it could still save passwords. Thanks for clarifying.

alexjdale
Valued Contributor III

You would be blocking a lot of legit and important use cases for the keychain to stop something that could be addressed by a more modern authentication system (certificates) or user education/policy enforcement.

Honestly, your security is already weak if you are just using a common password.

mm2270
Legendary Contributor III

+1 to @alexjdale's comment.

Chuey
Contributor III

@alexjdale @mm2270 Not using a common password. Doesn't matter how great the password is when I can go to Keychain and unlock to view it.

sdagley
Esteemed Contributor II

@Chuey What @alexjdale, @mm2270, and I mean regarding your WiFi security is that there are authentication systems (search on 802.1x) that provide more than password-based security for connecting devices to your network, compared to WPA2 Personal, which it appears you are using now (since the password is what you're trying to protect). This is really a discussion you want to have with your WiFi vendor, but if you're using AD then you should already have a big part of the puzzle in place.

Chuey
Contributor III

@sdagley Thanks for the info. I've worked with certificate based authentication in the past and I'd like to move towards that now but I really can't make that decision. We are working on removing staff from being admins but for the time being I was just trying to find a way to lock down Keychain until that time comes. Thanks for all the input, I appreciate it.