Taking control

Using the Policy Editor, we centrally defined many important program and security options, including disabling SafeNotes or Identities entirely, eliminating undesirable data from Identities, denying auto-save and auto-fill (entirely or for specified domains), auto-clearing clipboards, specifying auto-logoff events, and preventing program removal. However, deploying our policies proved awkward.

The RoboForm Policy Editor is really just a Windows registry key generator. Click on any RoboForm key to view a (very brief) description and select values from pull-down lists. When done, click Test Values for a syntax check, then click Create Reg. All "pinned" keys are written to a .txt file that must be renamed .bat for execution. The manual suggests testing policies on a local copy of RoboForm before attempting a production installation or update. To facilitate large-scale rollout, the RoboForm installer can be executed without end-user prompting or registration.

RoboForm

Installing and updating RoboForm itself was easy, so long as those tasks were performed with administrative rights. But RoboForm does not report or prevent future registry changes. Furthermore, if a key isn't "pinned" by policy, users can change that option through the RoboForm UI, without changing the registry. Worse, the cleartext options file that controls a running instance of RoboForm isn't encrypted or even hashed to prevent external edits. To control policy reliably, admins must understand and address these risks. Policy drift is a real concern for any distributed solution – especially one that lacks an audit tool.

Just in case

The Policy Editor is also used for RoboForm master password backup and recovery. With the consumer RoboForm product, the master password is never stored. But enterprises must be able to help employees recover lost passwords – or perhaps decrypt Passcards and SafeNotes abandoned by former employees. The Policy Editor fulfills this business need by:

  1. Setting policies to save master passwords to a configured folder (e.g., network share).
  2. Generating a public/private key pair for master password protection.
  3. Using that public key to encrypt all saved master passwords.
  4. Using that private key as needed to recover (decrypt) any saved master password.

As previously noted, storing all master passwords in a single location poses risk – more so if that folder is public-writable. The Policy Editor password-protects the key file but does not explain its purpose or associated risks. Our Policy Editor's recovery routine also complained about the format of files written by our RoboForm enterprise beta – perhaps a version mismatch?

In any event, we think this feature should be wrapped in stronger warnings, if not stricter usage requirements like mandating a robust recovery key password and saving the private key file to a secured location, not the public backup folder. We'd also like to see encrypted master passwords archived to a location where they can't be copied or overwritten.
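The four-step recovery scheme above, together with the hardening suggested for it (a robust recovery key password, and the private key kept out of the public backup folder), as an added Go example that is not RoboForm's or Siber Systems' code: escrow itself is RSA-OAEP to the recovery public key, the private key is stored only sealed under a passphrase-derived AES-256-GCM key (PBKDF2-HMAC-SHA256, implemented inline so the file needs only the standard library), and recovery requires both the sealed key file and its passphrase, failing closed on a wrong passphrase, a truncated file or an edited file. The function names, the 100,000-iteration count and the salt || nonce || ciphertext file layout are this example's own assumptions.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"errors"
)

// PBKDF2-HMAC-SHA256 (RFC 8018, one 32-byte block) stretches the recovery key passphrase into an AES-256-GCM key.
func passphraseAEAD(passphrase, salt []byte, iters int) cipher.AEAD {
	prf := hmac.New(sha256.New, passphrase)
	u := append(append([]byte{}, salt...), 0, 0, 0, 1) // U_0 = salt || INT(1); copied so the caller's buffer is untouched
	key := make([]byte, 32)
	for i := 0; i < iters; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		subtle.XORBytes(key, key, u)
	}
	block, _ := aes.NewCipher(key) // cannot fail: key is exactly 32 bytes
	aead, _ := cipher.NewGCM(block)
	return aead
}

// SealPrivateKey stores the step 2 private key as salt(16) || nonce(12) || GCM ciphertext; that file belongs in a secured location, never the share.
func SealPrivateKey(priv *rsa.PrivateKey, passphrase []byte) []byte {
	hdr := make([]byte, 28)
	rand.Read(hdr) // crypto/rand: a fresh salt and nonce for every sealed file
	return passphraseAEAD(passphrase, hdr[:16], 100000).Seal(hdr, hdr[16:], x509.MarshalPKCS1PrivateKey(priv), nil)
}

// RecoverMasterPassword is step 4: escrowed is the step 3 ciphertext rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, password, nil); recovery needs the sealed key AND its passphrase.
func RecoverMasterPassword(sealedKey, passphrase, escrowed []byte) ([]byte, error) {
	if len(sealedKey) < 28 {
		return nil, errors.New("sealed recovery key is truncated")
	}
	der, err := passphraseAEAD(passphrase, sealedKey[:16], 100000).Open(nil, sealedKey[16:28], sealedKey[28:], nil)
	if err != nil {
		return nil, err // wrong passphrase or an edited file: GCM tag mismatch, nothing is decrypted
	}
	priv, _ := x509.ParsePKCS1PrivateKey(der) // der was authenticated by GCM, so it is exactly what SealPrivateKey wrote
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, escrowed, nil)
}

func main() {} // present so the file also builds stand-alone; see the functions above for the round trip
```

An attacker who copies the whole backup folder still holds only OAEP ciphertexts, and a copy of the sealed key file yields nothing without the passphrase, which is exactly why the passphrase must be strong and the sealed file must not sit beside the escrowed passwords.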

Another recent addition is Passcard, Identity, and SafeNote backup. Consistent with today's cloud storage trend, encrypted RoboForm files can now be auto-synced (over SSL) to a RoboForm Online server hosted by Siber Systems. Importantly, master passwords are never sent to RoboForm Online. Consumers may like this service since it lets them reach their RoboForm files from any PC. Businesses will probably prefer to synchronize RoboForm files to other supported destinations, like network shares, Amazon S3, or FTP/SFTP servers.

Once synchronization is enabled, changed files are copied automatically by another Siber Systems product, GoodSync. Customers who don't want to auto-sync can still perform manual backups, copying RoboForm files to any folder. Admins can disable Backup/Restore using the Policy Editor; we hope to find Synchronization keys in a future Editor since IT will no doubt want to explicitly control this needed-but-sensitive feature.

Fitting into the enterprise

RoboForm itself is feature-rich. Beyond capabilities already mentioned, RoboForm can generate random passwords (to increase their strength), accept passwords through a virtual keyboard (to defeat keyloggers), and validate configured URLs (to deter phishing tricks). The RoboForm UI is busy – even a tad overwhelming for novices – but conveniently integrated into browser toolbars and Windows authentication prompts. The free RoboForm supports 10 Passcards; a Pro license eliminates that limitation.

All of these features are found in RoboForm Enterprise because the Win32 program installed on end-user PCs is really one and the same. For this review, we focused on version 7 features aimed at the enterprise, Policy Editor capabilities, and how this combo addresses business needs. Our initial impression was that Siber Systems had taken a healthy stab at meeting functional requirements, but not enterprise infrastructure or process integration needs.

However, Siber Systems tells us that they are now deploying Active Directory Group Policy Objects (AD GPOs). The existing Policy Editor will remain as a test tool and recovery utility. Although we were not given a chance to try RoboForm AD GPOs, we agree that large enterprises will require this. Smaller businesses may be satisfied by the Policy Editor, but customers that use AD will expect their local password management solution to dovetail with that infrastructure and the processes that surround it – including methods used to conduct policy audits.

Like many products that jump from the consumer market to the enterprise, RoboForm suffers a bit from trying to keep everyone happy. For example, when the enterprise beta checks for a new version, it opens a website for consumer product downloads. Although RoboForm's local password management approach scales, Siber Systems needs to finish polishing the enterprise beta, including formal documentation written for enterprise end-users and admins. We hope the latter illustrates how RoboForm can be integrated with common enterprise tools to implement essential processes like file backups and policy audits in ways familiar to IT groups.

Finally, although RoboForm promotes and simplifies use of stronger passwords, some businesses have security requirements that exceed RoboForm capabilities, like FIPS-certified crypto and smart card/token authentication. Enterprise authentication is never a one-size-fits-all proposition. But, in RoboForm Enterprise, Siber Systems delivers enough to warrant business consideration.

Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. Since testing her first 802.11 WLAN in 2002, Lisa has performed numerous vulnerability assessments herself and taught workshops on this topic.