ADSSP database encryption and storage details

Encryption and data storage in ADSelfService Plus database

Encryption in the ADSelfService Plus database

ADSelfService Plus encrypts sensitive data before writing it to its database. The cipher used with each supported backend database is:

  Database         Encryption method
  ---------------  -----------------
  PostgreSQL       AES-256-CBC
  Microsoft SQL    AES-256-CBC

The following sensitive information is encrypted, or hashed where the value only ever needs to be verified rather than read back, before it is stored in the database:

  Type of information                                                                  Protection method
  -----------------------------------------------------------------------------------  -----------------------------------------------------------------
  MickeyLite framework*                                                                AES-256
  Standard username and password used to configure the Active Directory domain         AES-256
  Username and password used to configure email/SMS settings                           AES-256
  Username and password used to configure integration settings                         AES-256
  Username and password used to configure proxy settings                               AES-256
  Username and password of high availability settings                                  AES-256
  Password used to configure an external database                                      AES-256
  Password of database backups                                                         AES-256
  Keystore password for SSL certificate configuration                                  AES-256
  Default password of technicians                                                      bcrypt hash with salt
  Passwords used to configure applications for password sync                           AES-256
  Security questions and answers stored for MFA                                        MD5 or SHA-512 hash (customers choose which hash algorithm is used)
  Passwords stored for the password history setting in the Password Policy Enforcer   SHA-512 hash with salt
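The security question store is the one row in the table where the administrator picks the algorithm. The T-SQL script below is an added illustration, not ADSelfService Plus code, of why the MD5 option is the weak choice: an unsalted hash of a canonicalised answer is identical for every user who gave that answer, so one precomputed wordlist recovers all of them in a single join, whereas a per-user salt (the property the page states for the salted SHA-512 password-history store) forces the attacker to redo the wordlist for each user. The sample users, answers and wordlist are constructed; the trim-and-lower-case canonicalisation is an assumption, since the page does not say how the product normalises answers.

```sql
-- Added example, not ADSelfService Plus code. Runs on SQL Server 2012 or later.
-- All rows are constructed sample data. Assumption: answers are canonicalised
-- (trim + lower-case) before hashing; the page does not state how the product does it.
SET NOCOUNT ON;

DECLARE @enrolled TABLE (
    user_name     sysname       NOT NULL,
    answer        nvarchar(200) NOT NULL,   -- plaintext, kept only to build the demo rows
    md5_unsalted  varbinary(16) NULL,       -- the "MD5" option: no salt
    salt          varbinary(16) NULL,       -- per-user random salt
    sha512_salted varbinary(64) NULL        -- salted SHA-512 of the same answer
);

-- Constructed sample: alice and bob chose the same pet name, typed differently.
INSERT INTO @enrolled (user_name, answer) VALUES
    (N'alice', N'Fluffy'),
    (N'bob',   N'  fluffy '),
    (N'carol', N'Rex');

-- Canonicalise, then draw a per-row salt. NEWID() is evaluated per row and carries
-- 122 random bits; CRYPT_GEN_RANDOM(16) is an equally valid choice.
UPDATE @enrolled
SET answer = LOWER(LTRIM(RTRIM(answer))),
    salt   = CAST(NEWID() AS varbinary(16));

-- Hash both ways. The salt is prepended to the UTF-16 bytes of the answer.
UPDATE @enrolled
SET md5_unsalted  = HASHBYTES('MD5',      answer),
    sha512_salted = HASHBYTES('SHA2_512', salt + CONVERT(varbinary(400), answer));

-- 1. alice and bob now share one md5_unsalted value (linkable, and one crack discloses
--    both), while their sha512_salted values differ.
SELECT user_name, md5_unsalted, salt, sha512_salted FROM @enrolled;

-- 2. Attacker side: a small constructed wordlist, hashed once with no salt.
DECLARE @wordlist TABLE (word nvarchar(200) NOT NULL, md5_hash varbinary(16) NOT NULL);
INSERT INTO @wordlist (word, md5_hash)
SELECT w, HASHBYTES('MD5', w)
FROM (VALUES (N'rex'), (N'max'), (N'fluffy'), (N'bella'), (N'charlie')) AS v(w);

-- One join against the precomputed table recovers every matching user at once.
SELECT e.user_name, w.word AS recovered_answer
FROM @enrolled AS e
JOIN @wordlist AS w ON w.md5_hash = e.md5_unsalted;

-- 3. Against the salted column the precomputed table is useless: the attacker has to
--    recompute the whole wordlist under each user's salt (users x words hashes).
SELECT e.user_name, w.word AS recovered_answer
FROM @enrolled AS e
JOIN @wordlist AS w
  ON HASHBYTES('SHA2_512', e.salt + CONVERT(varbinary(400), w.word)) = e.sha512_salted;

-- 4. Verification path an application would use at login (constructed input): recompute
--    with the stored salt and compare, never decrypt.
DECLARE @login_user sysname = N'bob', @typed nvarchar(200) = N'FLUFFY';
SELECT CASE
         WHEN sha512_salted = HASHBYTES('SHA2_512',
                                        salt + CONVERT(varbinary(400), LOWER(LTRIM(RTRIM(@typed)))))
         THEN 'answer accepted' ELSE 'answer rejected'
       END AS result
FROM @enrolled
WHERE user_name = @login_user;
```

Query 2 returns all three users from a five-word list in one pass, and query 3 returns the same users only because it re-hashes the list per user. Salting does not make a guessable answer unguessable; it removes hash reuse across users and precomputation, which is the property worth having when the stored value is a pet name rather than a random password.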

Note

  • Users' domain credentials aren't stored in the database. The credentials of the service account used to configure a domain are stored, AES-256 encrypted, as listed above.

  • AES-256 protected values are reversible by design, because ADSelfService Plus has to present them to AD, mail, proxy and integration endpoints. Restrict access to the database, its backups and the ADSelfService Plus server accordingly.

  • MD5 is deprecated for any security use; choose SHA-512 for the security question store unless an existing deployment depends on MD5. Security answers are low-entropy either way, so read access to that store should be as tightly controlled as access to passwords.

  • When Microsoft SQL Server is the backend, Transparent Data Encryption (TDE) can be enabled to encrypt data at rest and SSL/TLS to encrypt data in transit between ADSelfService Plus and the database.
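The following T-SQL is an added example, not ADSelfService Plus documentation or code, of enabling TDE on a Microsoft SQL backend and then checking both at-rest and in-transit encryption from the server side. It assumes the ADSelfService Plus database is named ADSelfServicePlus, that key files are written to C:\TDE\, and that the login running it holds CONTROL SERVER; adjust all three to your instance.

```sql
-- Added example, not ADSelfService Plus code. Assumptions: database name ADSelfServicePlus,
-- backup path C:\TDE\, and a login with CONTROL SERVER. TDE requires Enterprise edition,
-- or Standard edition on SQL Server 2019 and later.
USE master;
GO
-- Master key and certificate that will protect the database encryption key (DEK).
CREATE MASTER KEY ENCRYPTION BY PASSWORD = N'<strong master key password>';
CREATE CERTIFICATE ADSSP_TDE_Cert
    WITH SUBJECT = N'ADSelfService Plus TDE certificate';
GO
-- Back up the certificate and private key now. A database or backup file encrypted
-- with this DEK cannot be restored on any instance that lacks this certificate.
BACKUP CERTIFICATE ADSSP_TDE_Cert
    TO FILE = N'C:\TDE\ADSSP_TDE_Cert.cer'
    WITH PRIVATE KEY (FILE = N'C:\TDE\ADSSP_TDE_Cert.pvk',
                      ENCRYPTION BY PASSWORD = N'<strong private key password>');
GO
USE ADSelfServicePlus;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE ADSSP_TDE_Cert;
GO
ALTER DATABASE ADSelfServicePlus SET ENCRYPTION ON;
GO
-- Check 1 (at rest): encryption_state 3 means fully encrypted, 2 means still in progress.
SELECT DB_NAME(k.database_id) AS database_name,
       k.encryption_state, k.key_algorithm, k.key_length, k.encryptor_type
FROM sys.dm_database_encryption_keys AS k;

-- Check 2: tempdb is encrypted automatically once any user database is, which matters
-- because sort spills and temp tables from the application's queries land there.
SELECT name, is_encrypted
FROM sys.databases
WHERE name IN (N'ADSelfServicePlus', N'tempdb');

-- Check 3 (in transit): every ADSelfService Plus session should show encrypt_option = TRUE.
-- Force Encryption is switched on in SQL Server Configuration Manager
-- (Network Configuration > Protocols > Properties > Flags), not in T-SQL.
SELECT s.session_id, s.login_name, s.host_name, s.program_name,
       c.encrypt_option, c.auth_scheme, c.net_transport
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE s.is_user_process = 1;
```

TDE protects the data and log files and every backup taken from them; it does not change what a principal with SELECT on the tables sees, which is why the application-level AES-256 and hashing listed above still matter inside a TDE-enabled database. Store the certificate backup and its password outside the database server, in the same place you keep the ADSelfService Plus backup password.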

Active Directory (AD) objects and attributes stored in the ADSelfService Plus database

The following AD objects and their attributes are synchronized and stored in the ADSelfService Plus database:

User Object Attributes:

  • Account Expires (accountExpires)

  • City/Locale (l)

  • Common Name (cn)

  • Company (company)

  • Country/Region (c)

  • Department (department)

  • Description (description)

  • Display Name (displayName)

  • Distinguished Name (distinguishedName)

  • Email (mail)

  • Exchange Home Server (msExchHomeServerName)

  • Exchange Mailbox Database (homeMDB)

  • Fax (facsimileTelephoneNumber)

  • First Name (givenName)

  • Full Name (name)

  • Home (homeDirectory)

  • Initials (initials)

  • IP Phone (telephoneNumber)

  • Job Title (title)

  • Last Logoff Time (lastLogoff)

  • Last Logon Time (lastLogon)

  • Last Logon Time Stamp (lastLogonTimestamp)

  • Last Name (sn)

  • Last Password Set (pwdLastSet)

  • Logon Name (sAMAccountName)

  • Mail Alias (mailNickname)

  • Manager (manager)

  • Mobile (mobile)

  • Object Class (objectClass)

  • Object GUID (objectGUID)

  • Object SID (objectSID)

  • Office (physicalDeliveryOfficeName)

  • Other Mobile (otherMobile)

  • OU Name

  • Pager (pager)

  • Primary Group ID (primaryGroupID)

  • Profile Path (profilePath)

  • PSO Resultant (msDS-ResultantPSO)

  • State/Province (st)

  • Street (streetAddress)

  • User Account Control (userAccountControl)

  • User Logon Name (userPrincipalName)

  • When-Changed (whenChanged)

  • When-Created (whenCreated)

  • Zip/Postal Code (postalCode)

Group Object Attributes:

  • Object GUID (objectGUID)

  • Group Name (name)

  • Description (description)

  • Distinguished Name (distinguishedName)

  • E-mail (mail)

  • OU (organizational unit)

  • Object Class (objectClass)

  • Display Name (displayName)

  • Group Member Object GUID (objectGUID)

  • Object SID (objectSID)

  • Common-Name (cn)

  • When-Created (whenCreated)

  • When-Changed (whenChanged)

  • Group Type (groupType)

  • Managed By (managedBy)

  • Member (member)

  • Primary Group Id (primaryGroupID)

  • Last Name (sn)

  • First Name (givenName)

  • Logon Name (sAMAccountName)

  • Info (info)

Domain Controller Object Attributes:

  • Domain Controller name (dNSHostName)

  • Domain Name (domainName)

  • Canonical Name (canonicalName)

  • Distinguished Name (distinguishedName)

  • Object GUID (objectGUID)

  • Domain DNS Name (dnsRoot)

  • Domain Flat Name (nETBIOSName)

  • Domain User Name (the service account configured for the domain; stored AES-256 encrypted, see the table above)

  • Domain Password (stored AES-256 encrypted, see the table above)

  • Domain Functional Level

Domain Policy Object Attributes:

  • Minimum Password Age (minPwdAge)

  • Maximum Password Age (maxPwdAge)

  • Password History Length (pwdHistoryLength)

  • Lockout Duration (lockoutDuration)

  • Lockout Threshold (lockoutThreshold)

  • Password Complexity (pwdProperties)

Computer Object Attributes:

  • Object GUID (objectGUID)

  • DNS Name (dNSHostName)

  • OU Name (OU)

  • Machine Name (name)

  • OS (operatingSystem)

  • OS version (operatingSystemVersion)

  • Location (location)

  • Common Name (cn)

  • Distinguished Name (distinguishedName)

  • When-Created (whenCreated)

  • When-Changed (whenChanged)

  • Canonical Name (canonicalName)

OU Object Attributes:

  • Name (name)

  • Distinguished Name (distinguishedName)

  • Object Class (objectClass)

  • Object GUID (objectGUID)

  • Description (description)

  • Parent OU (ou)

  • When Created (whenCreated)

  • When Changed (whenChanged)

  • Managed By (managedBy)

  • Canonical Name (canonicalName)

PSO Object Attributes:

  • PSO Name (msDS-ResultantPSO)

  • Common Name (cn)

  • Minimum Password Age (msDS-MinimumPasswordAge)

  • Maximum Password Age (msDS-MaximumPasswordAge)

  • Minimum Password Length (msDS-MinimumPasswordLength)

  • Password History Length (msDS-PasswordHistoryLength)

  • Password Complexity (msDS-PasswordComplexityEnabled)

  • Lockout Duration (msDS-LockoutDuration)

  • Lockout Threshold (msDS-LockoutThreshold)

Domain Object and RootDSE Attributes:

  • Domain Functional Level (msDS-Behavior-Version or domainFunctionality)

  • Default Naming Context (defaultNamingContext)

  • Configuration Naming Context (configurationNamingContext)

  • Schema Naming Context (schemaNamingContext)

  • Root Naming Context (rootNamingContext)

  • Domain DNS Name (dnsHostName)

  • Domain Flat Name (Domain name)

Group Member Object Attributes:

  • Object GUID (objectGUID)

  • Object SID (objectSID)

  • Member (member)

  • Name (name)

  • Common-Name (cn)

  • When-Changed (whenChanged)

The attributes selected as display and search attributes for contact search are queried in AD only at the time of a contact search.

Note: Custom attributes configured in ADSelfService Plus are also synchronized from AD to ADSelfService Plus and stored in the database.
