Encryption and data storage in ADSelfService Plus database
Encryption in the ADSelfService Plus database
ADSelfService Plus' database uses the following encryption methods to store sensitive data:
Database | Encryption method |
PostgreSQL | AES-256-CBC |
Microsoft SQL | AES-256-CBC |
The following sensitive information is encrypted and stored in the database:
Type of information | Encryption standard used for storage |
MickeyLite framework* | AES-256 encryption |
Standard username and password used to configure Active Directory domain | AES-256 |
Username and password used to configure email/SMS settings | AES-256 |
Username and password used to configure integration settings | AES-256 |
Username and password used to configure proxy settings | AES-256 |
Username and password of high availability settings | AES-256 |
Password used to configure external database | AES-256 |
Password of database backups | AES-256 |
Keystore password for SSL certificate configuration | AES-256 |
Default password of technicians | Hashed password BCRYPT Algorithm with SALT |
Passwords used to configure applications for password sync | AES-256 |
Security questions and answers stored for MFA | MD5/SHA512 (Customers can choose the required encryption standard) |
Passwords stored for the password history setting in the Password Policy Enforcer | Hashed password using SHA-512 algorithm with SALT |
Note:
Users' domain credentials aren't stored in the database.
In Microsoft SQL, Transparent Data Encryption (TDE) and SSL can be enabled to encrypt data at rest and in transit.
Active Directory (AD) objects and attributes stored in the ADSelfService Plus database
Account Expires (accountExpires)
City/Locale (I)
Common Name (cn)
Company (company)
Country/Region (c)
Department (department)
Description (description)
Display Name (displayName)
Distinguished Name (distinguishedName)
Email (mail)
Exchange Home Server (msExchHomeServerName)
Exchange Mailbox Database (homeMDB)
Fax (facsimileTelephoneNumber)
First Name (givenName)
Full Name (name)
Home (homeDirectory)
Initials (initials)
IP Phone (telephoneNumber)
Job Title (title)
Last Logoff Time (lastLogoff)
Last Logon Time (lastLogon)
Last Logon Time Stamp (lastLogonTimestamp)
Last Name (sn)
Last Password Set (pwdLastSet)
Logon Name (sAMAccountName)
Mail Alias (mailnickname)
Manager (manager)
Mobile (mobile)
Object Class (objectClass)
Object GUID (objectGUID)
Object SID (objectSID)
Office (physicaldeliveryOfficeName)
Other Mobile (otherMobile)
OU Name
Pager (pager)
Primary Group ID (primaryGroupID)
Profile Path (profilePath)
PSO Resultant (msDS-ResultantPSO)
State/Province (st)
Street (streetAddress)
User Account Control (userAccountControl)
User Logon Name (userPrincipalName)
When-Changed (whenChanged)
When-Created (whenCreated)
Zip/Postal Code (postalCode)
Group Object Attributes:
Object GUID (objectGUID)
Group Name (name)
Description (description)
Distinguished Name (distinguishedName)
E-mail (mail)
OU (organizational unit)
Object Class (objectClass)
Display Name (displayName)
Group Member Object GUID (objectGUID)
Object SID (objectSID) Common-Name (cn)
When-Created (whenCreated)
When-Changed (whenChanged)
Group Type (groupType)
Managed By (managedBy)
Member (member)
Display Name (displayName)
Primary Group Id (primaryGroupID)
Last Name (sn)
First Name (givenName)
Logon Name (sAMAccountName)
Info (info)
Domain Controller Object Attributes:
Domain Controller name (dNSHostName)
Domain Name (domainName)
Canonical Name (canonicalName)
Distinguished Name (distinguishedName)
Object GUID (objectGuid)
Domain DNA Name (dnsRoot)
Domain Flat Name (nETBIOSName)
Domain User Name
Domain Password
Domain Functional Level User
Domain Policy Object Attributes:
Minimum Password Age (minPwdAge)
Maximum Password Age (maxPwdAge)
Password History Length (pwdHistoryLength)
Lock Out Duration (lockoutDuration)
Lock Out Threshold (lockoutThreshold)
Password Complexity (pwdProperties)
Computer Object Attributes:
Object GUID (objectGUID)
DNS Name (dNSHostName)
OU Name (OU)
Machine Name (name)
OS (operatingSystem)
OS version (operatingSystemVersion)
Location (location)
Common Name (cn)
Distinguished Name (distinguishedName)
When-Created (whenCreated)
When-Changed (whenChanged)
Canonical Name (canonicalName)
OU Object Attributes:
Name (name)
Distinguished Name (distinguishedName)
Object Class (objectClass)
Object GUID (objectGUID)
Description (description)
Parent OU (ou)
When Created (whenCreated)
When Changed (whenChanged)
Managed By (managedBy)
Canonical Name (canonicalName)
PSO Object Attributes:
PSO Name (msDS-ResultantPSO)
Common Name (cn)
Minimum Password Age (msDS-MinimumPasswordAge)
Maximum Password Age (msDS-MaximumPasswordAge)
Minimum Password Length (msDS-MinimumPasswordLength)
Password History Length (msDS-PasswordHistoryLength)
Password Complexity (msDS-PasswordComplexityEnabled)
Lock Out Duration (msDS-LockoutDuration)
Lock Out Threshold (msDS-LockoutThreshold)
Domain Object and RootDSE Attributes:
Domain Functional Level (msDS-Behavior-Version) or (domainFunctionality)
Default Naming Context (defaultNamingContext)
Configuration Naming Context (configurationNamingContext)
Schema Naming Context (schemaNamingContext)
Root Naming Context (rootNamingContext)
Domain DNS Name (dnsHostName)
Domain Flat Name (Domain name)
Group Member Object Attributes:
Object GUID (objectGUID)
Object SID (objectSID)
Member (member)
Name (name)
Common-Name (cn)
When-Changed (whenChanged)
Contact Object Attributes (during employee search):
The selected display and search attributes will only be searched in AD during contact search.
