Excalibur Enterprise - FAQs¶
Welcome to our Help Center. The FAQs section covers the most common questions about our products, services, and policies. You can use the search bar or browse by category to find what you're looking for. If you don't find the answer, feel free to reach out to us here.
General¶
What types of targets are supported? Do you provide access management for web-based applications?
Excalibur currently supports SSH, RDP, and VNC targets. Support for web-based application targets is planned for a future release.
Do you have your own vault? Are you able to rotate passwords? How are the passwords and credentials stored? Can I see what credentials are stored separately from the targets?
Vault: No, Excalibur does not currently maintain a dedicated internal vault system.
Password Rotation: Yes, Excalibur supports password rotation for PAM Targets via a privileged user account. This account changes target passwords according to a defined Password Rotation Policy, which includes settings for generating random passwords.
Credential Storage: All updated passwords for PAM Targets are stored encrypted at rest within the PAMTarget table in our system.
Credential Visibility: Users cannot directly view the passwords of PAM Targets. Credentials are decrypted only at the start of a PAM Target session and are used exclusively for session initiation.
Can it be delivered as a service (MSP model)?
Yes, Excalibur is designed with multi-tenancy in mind, making it suitable for MSP deployments. We aim to give all MSP partners multi-tenant capabilities similar to those found in Govcloud environments.
Is there a dashboard / list of all the targets that can be accessed (including SAML)?
Yes, Excalibur provides a user interface where all accessible targets are listed. Detailed information on this feature can be found in our User Manual.
Do you have your own API? What do you integrate with?
Yes, Excalibur offers a comprehensive API. For detailed information on its capabilities and integration possibilities, please refer to our API Documentation.
Can I integrate it with my SIEM? How? What information can I obtain?
Yes, Excalibur can be integrated with SIEM systems. Our Auditor Manual provides details on the integration process and the types of audit logs and event information that can be forwarded to your SIEM.
Can we support tunnels to multiple physical locations?
Yes, Excalibur supports the creation of multiple secure tunnels. Each tunnel can connect to a different physical location or network segment, allowing for flexible and widespread resource access management.
Can you integrate with O365 or Google Workspace for authentication and access management?
Yes, Microsoft 365 and Google Workspace can act as identity stores for Excalibur.
Current Capability (Excalibur as IdP): Excalibur can act as an Identity Provider (IdP) to authenticate users into these services via SAML. This means users would authenticate through Excalibur to access O365/Google Workspace. It's also conceivable to configure security policies to enforce access to these platforms exclusively through Excalibur for enhanced monitoring.
Future Capability (Excalibur as SP): We may support Excalibur acting as a SAML Service Provider (SP) in the future. This would mean O365/Google Workspace (e.g., using Microsoft Authenticator) would handle the primary authentication, and Excalibur would manage the access. However, this approach could reduce auditing visibility, which is a key strength of our product.
Do you send a notification when the Excalibur SaaS services are not available?
Yes, we send notifications to all admins.
How much storage is available for logs and session recordings?
For SaaS there is practically no limit; on-premise it depends on local storage. A retention period can be configured to control how long recordings are kept in storage.
Is there any way to prevent screenshots of the platform?
No. We do not use third-party services that block taking screenshots.
Identity Management & Authentication¶
Can Excalibur work as an Identity Store?
Currently, Excalibur requires an existing identity store (e.g., LDAP, Active Directory) to be present. We integrate with these using standard protocols like LDAP.
Rationale: This approach allows us to focus on our core access management strengths. For smaller organizations without a dedicated identity store, this can be a consideration.
Future Possibility: We may consider adding an integrated lightweight identity store (e.g., based on OpenLDAP) in the future if there's a strong strategic need. However, this would require careful scoping to manage user expectations regarding features (like email integration, etc.) that are typically part of comprehensive identity platforms like Microsoft 365 or Google Workspace. For now, our focus remains on leveraging existing identity stores.
Can you support access through existing tunnels so I don't need to install another endpoint client for your tunnel?
Excalibur offers flexibility here:
1. Integrated Tunneling: Excalibur provides its own integrated tunneling solution. This method is fully managed within our interface and benefits from comprehensive auditing and control features.
2. Using Existing Tunnels/Network Connectivity: Alternatively, you can use your existing VPNs or network infrastructure. In this scenario, the Excalibur server simply needs network-level reachability to the resources it protects. While this approach works, features like detailed tunnel management and specific tunnel-related auditing within Excalibur would be less visible, as the network layer is transparent to our system.
Can you sync Excalibur users with AD users?
Excalibur does not have its own identity store, so it relies entirely on AD or another identity store that speaks LDAP/LDAPS. More options are on the roadmap (Entra, Google Workspace, etc.).
Target Access Management¶
Do you support access management for databases?
Excalibur can manage access to databases through various methods, depending on how the database is typically accessed:
- Web Interfaces: Many modern databases offer web-based management consoles. Excalibur can secure access to these web interfaces.
- Console Access: For databases allowing command-line access, Excalibur can protect this via an SSH PAM Target.
- Thick Clients: If the database relies on a dedicated 'thick client' application, you can install this client on a Windows machine (or a jump host) and use Excalibur to manage RDP access to that machine, thereby controlling access to the database client.
Do you support access management for OT devices?
Yes, Excalibur can manage access to OT devices, focusing on the human-interactive protocols they commonly use. OT devices vary in their interaction methods:
Supported Protocols for Interactive Access:
- Web Interfaces: Many modern OT devices (PLCs, HMIs, SCADA controllers) have browser-based interfaces. Excalibur can secure these.
- SSH (Secure Shell): Common on advanced OT devices (RTUs, industrial routers) for secure command-line management. Excalibur supports SSH PAM Targets for these.
- Telnet: While older devices might use Telnet, it's an insecure (unencrypted) protocol. Excalibur could potentially support it, but we strongly advise against its use due to security risks.
Unsupported Access Methods (by design):
- Programmatic Access (APIs): Protocols like REST APIs or Web Services are typically for server-to-device communication, not direct human interaction. Excalibur focuses on securing human access, so these are generally out of scope for direct PAM.
- Physical Access (Serial Connections): Direct serial connections (RS-232/485) are physical access methods and are not applicable to Excalibur's remote access management capabilities.
Summary: Excalibur effectively manages access to OT devices through common interactive protocols like HTTP/S and SSH, aligning with standard Privileged Access Management practices.
Can we secure sandboxes with IAM?
Yes, Excalibur can effectively secure access to sandbox environments using IAM principles.
A "sandbox" is typically an isolated environment used for purposes like testing, development, or running potentially untrusted applications. Securing such an environment with IAM involves controlling who can access these resources and what actions they are permitted to perform.
Excalibur achieves this by:
1. Brokering Access: Excalibur manages and brokers all access to the resources within the sandbox.
2. Connectivity: Whether the sandbox is on a separate network segment (requiring an Excalibur tunnel for connectivity) or directly reachable by the Excalibur server, access can be managed.
3. Policy Enforcement: Granular access policies are defined within Excalibur, specifying which users or groups can access which sandbox resources.
4. Credential Abstraction: Users are authenticated through Excalibur, and access is granted based on these policies. The underlying credentials for the sandbox resources are never exposed to the end-user.
5. Auditing: All access attempts and sessions are logged, providing a clear audit trail.
By implementing these measures, Excalibur ensures that only authorized personnel can access specific sandbox environments, and all interactions are controlled and auditable, significantly enhancing the security and governance of these isolated systems.
Do you support YubiKeys?
We support passkeys, so any YubiKey that supports passkeys is supported.
Is it possible to add a PAM target in the form of a web app (for example Jira/CRM/ERP) so as to have SSO and full auditability?
It will be possible, but it is not included in the current PAM solution. It will be available in our upcoming product Vitro (AI-powered contextual prevention functionality), which will be integrated into PAM.
Is there any limit on the number of PAM targets? Are we talking hundreds or thousands? What can be added as a PAM target? Are there any limitations?
Number of targets: from a code perspective there is no limit; from a UX perspective we do not yet have enough data. SSH and RDP targets can be added; HTTP targets are planned for the future.
What is the limit on simultaneous user connections through a tunnel?
Only one Excalibur Tunnel Client can be connected to establish the tunnel. Once the tunnel is established, many PAM target sessions can run through it simultaneously. We do not have an estimated limit, since the feature is still in development and the limit may vary over time.
Is a secure tunnel client component planned for Windows servers?
Yes. See the Administrator Manual for more information on the Excalibur Tunnel. More details about the installation are available at https://github.com/excalibur-enterprise/excalibur-tunnel-client?tab=readme-ov-file#-installation-guide
Can I get alerts when there are potentially malicious actions?
Excalibur operates on a whitelisting principle: users only have access to resources they are explicitly configured to access. This inherently limits the scope for unauthorized actions, as access to the broader network is not granted; only streamed access to specific resources is provided.
Authentication Logging: All authentication attempts are logged. Failed attempts are recorded and can be used for security monitoring.
SIEM Integration for Alerts: While Excalibur itself is improving its direct alerting capabilities (e.g., configurable email notifications for security policy failures are under consideration), all relevant security events are streamed to your SIEM. This allows for sophisticated alert configurations and notifications to be managed at the SIEM level.
Future AI-based Anomaly Detection: AI-powered anomaly detection (e.g., behavioral analysis, attack detection) is a feature currently under development and not yet generally available. A demo (AI1 demo on vitro.xclbr.com) showcases this future capability.
If a developer has an emergency at the weekend, but in standard mode there is no way for them to connect, how can that be solved?
This needs to be configured in the security policy:
- a security policy is in place but in a disabled state; in a critical situation this policy is activated by an Admin
- the original security policy needs to be adjusted to make sure
Is there no way to make a special request that is approved by a superior?
This functionality is on the roadmap: the policy could be configured so that at weekends approval from a superior is required, according to the security policy.
Is there a way to access a remote server via a bookmark, or does the user need to go through the dashboard?
Currently there is no persistent URL or bookmark to a remote system; access goes through the dashboard.
Security & Encryption¶
How does the encryption of data work? Could we use a customer-provided key for encryption?
Encryption Standards: Excalibur employs industry-standard public-key cryptography, specifically ECIES (Elliptic Curve Integrated Encryption Scheme), a hybrid scheme that combines an elliptic-curve key agreement with a key derivation function and an authenticated symmetric cipher. For details, you can refer to resources like Nakov's CryptoBook on ECIES.
Key Storage (HSM): For our cloud services, we utilize Hardware Security Modules (HSMs) to store cryptographic keys securely. HSMs ensure that key material is stored in dedicated hardware, similar to secure enclaves on mobile phones, but on a larger, often network-attached scale.
Customer-Provided Keys: For larger customers who have their own HSMs, Excalibur can integrate with these, as they typically provide APIs for interaction. This allows customers to maintain control over their key material.
How does peer verification work? What actions can be peer-verified?
Peer verification in Excalibur is a configurable security policy feature. It allows you to require an additional approval step from a designated peer (or a member of a designated group) before access to a resource is granted.
How it works: When a user attempts to access a resource for which peer verification is enabled, the system will trigger a request. For example: "If user X wants to access resource Y, and condition Z is met, then require peer verification from any member of group W before granting access."
Applicable Actions: Any access attempt to any resource managed by Excalibur can be configured to require peer verification, as defined by the security policy. This aligns with our core function of streaming and controlling access to resources based on defined conditions.
When accessing a web target through Vitro, and the target displays a login page, does the user always have to enter their login credentials manually, or can those credentials be saved?
Vitro cannot save the login credentials, because the remote browser engine is sandboxed. We plan to support filling credentials into forms in a Vitro session, either in a scripted way or via an AI agent, but that is a future feature.
Design & Architecture¶
Why do you only provide access to the PAM through a browser instead of other clients (e.g., PuTTY)?
Excalibur Privileged Access Management does not support other clients connecting to protected resources to avoid protocol proxying, which could expose protocol vulnerabilities. By streaming access instead of direct interaction with protocols like SSH, Excalibur ensures that potential exploits on vulnerable targets are mitigated. Introducing weaknesses to accommodate familiar tools would undermine the security benefits provided by Excalibur's approach. [Exposure Reduction]
Why do you integrate MFA and PAM instead of supporting third-party MFA solutions?
In Excalibur, every action performed within the PAM system is cryptographically signed using key material tied to the MFA. We utilize secure enclaves in mobile devices, similar to the security used in mobile payments, providing robust security guarantees. This integration ensures that each user action is securely verified and recorded, with the user's identity cryptographically linked to all authentication factors. By tightly integrating MFA with PAM, Excalibur prevents the security gaps that could arise from using third-party MFA solutions, which lack standardized cryptographic signing capabilities. Unlike OTP hardware tokens, which only allow retyping displayed OTPs and cannot cryptographically sign actions, Excalibur's integrated solution ensures comprehensive security by signing every user activity. [Non-Repudiation]
Why you scan QR codes for authentication instead of using other common methods like SMS or notifications?
At Excalibur, we look into how to provide the best user experience as well as the most secure environments. Push notifications, SMS, and other similar methods can cause MFA fatigue which then can be exploited by attackers. Scanning a QR code to login is a "pull" approach that can't be exploited by attackers in a similar fashion. [Secure-by-Default]
Why is raw protocol (RDP/SSH) proxying a bad idea no matter what?
Because a raw TCP proxy sits between client and server, it effectively becomes a man‑in‑the‑middle: host‑key/certificate pinning breaks, credentials and session data pass through the proxy, and long‑patched relay exploits reopen—so you lose the very security RDP/SSH are meant to provide. See https://github.com/runZeroInc/sshamble for some attacks.
Is there any possibility to create a geofence in a shape other than a circle?
We implement geofences as circles; nothing else has been needed in all our previous experience. A circle is also much easier to handle in code: we take the GPS coordinates of the centre point and add a radius around it.
Does the Excalibur solution continuously gather GPS location data of the user?
Excalibur does not continuously gather GPS data over time. We use the GPS location from the phone only as a snapshot at the moment of authentication.
Can the system send email notifications to a supervisor if a user or admin used a certain command?
Only via syslog: Excalibur sends syslog messages to your SIEM, and the SIEM sends the email if such an alert is configured there.
Is it possible to add MAC addresses to network policies?
No, it is not possible.
Is the geolocation taken from the phone's internet connection or from the phone provider?
Neither: it is obtained through the phone operating system's location API, and only as a snapshot, not as continuous monitoring.
Is there any way Excalibur can be operated as an offline solution in a fully offline infrastructure?
It can be done via WFA, provided the smartphones and users are still able to connect.
Deployment & Infrastructure¶
Where is your cloud version located? Do you provide it as a SaaS?
Hosting: We primarily utilize Hetzner (Germany-based with data centers in the EU, US, and Asia) for our cloud deployments, offering global coverage. However, Excalibur can also be deployed in other cloud environments like Azure, AWS, or Google Cloud if required.
SaaS Offering: We plan to offer Excalibur as a self-service SaaS solution in the future, with a target timeframe around 2026. Currently, it's available as a managed service or for on-premise/private cloud deployment.
Where does Excalibur store data and which third-party services are used to do so?
Excalibur uses third-party services to store customer data. These are cloud providers with storage located in Germany:
- Microsoft Azure
- Hetzner
What certifications do you have? Do you have, for example, ISO 27001?
We are currently in the process of obtaining ISO/IEC 27001 and some other certifications. We will announce it once we are officially certified.
How is the solution deployed?
As a VM or as SaaS.
Really good solution for Gov and Enterprise, but there is one bottleneck: the weakest link is your company, Excalibur. What kind of certifications, security policies and disaster plans do you have in place?
For security and certification, we hold the following certificates from TÜV SÜD (https://www.linkedin.com/company/tuvsud/):
- ISO/IEC 27001 – Information Security Management
- ISO/IEC 27017 – Cloud Security Controls
- ISO/IEC 27018 – Protection of Personal Data in the Cloud
Configuration & Administration¶
Is an Active Directory connection necessary?
Yes, an identity store (IS) must be connected during the deployment process. Excalibur also supports any other identity store that speaks LDAP/LDAPS.
What functionality does a client lose if they do not register an AD/IS?
This situation does not arise: an AD/IS must be connected during the deployment process.
Session recordings: how big are they? Where are they stored, and how much storage is included with standard licensing?
File size depends on how much changes on the screen: small, localised changes compress well and produce a small, low-bitrate recording. Resolution also plays a role.
How long does PAM keep the logs available?
There is no limit for the logs; they are kept available as long as possible.
Are the PAM targets of each tenant independent of the system administrator's PAM targets? Can system PAM targets be added to other tenants?
Tenants are managed independently of each other. The system is itself a tenant, so system PAM targets cannot be added to other tenants.
Usage & Performance¶
Imagine 10,000 users each using a session 8 hours a day. What is the estimated storage needed to sustain that for, say, 3 years? This applies to the on-prem, hybrid and MSP/SaaS models.
We record sessions using incremental snapshots, i.e. only the changes on the screen are recorded. This means that if a person keeps a session open for 8 hours but does nothing, the recording is very small; if they do a lot, the recording can be quite large. You need to measure your own sessions and use the average to estimate the storage required.
I am connected to 5 or 6 machines and the browser shuts down. Can I see on the dashboard which machines I am currently connected to? What happens when I close the tab instead of signing out?
Yes, the currently active sessions are visible in the dashboard even after the browser shuts down. Whether the session is terminated depends on the PAM target:
- Win Servers - the session will keep running.
- Linux/Unix (SSH protocol) - session will be terminated with closed tab.
How does it work if I have MFA on third-party software (e.g., a VPN) and I lose my phone? Can I access it via Excalibur even without the phone?
At the moment, Excalibur always requires token (mobile app) authentication, and we do not support third-party MFAs. However, third-party MFA support is on the roadmap.
Is there any point on the roadmap where you can scan the QR code with the basic camera app and be guided automatically to the Excalibur app for authentication?
No, this is currently not on the roadmap and not being considered. That might change if many customers ask for it.
When you click an invite link while logged in as a different user, it redirects you to the /me page instead of the regular invitation page.
This scenario is expected: you have to be logged out of the session first. We are postponing this; we can discuss whether we want to support multiple users logged in within one browser.
If the user closes the tab or the whole window, does the RDP session still run underneath?
It depends on the setup of the RDP connection and the RDP server, but yes: it can be configured so that the session remains for 15 seconds after the tab/window is closed and can be rejoined by reopening the tab before it is terminated.
What are the specific use cases for smaller and medium-sized companies?
The first benefit is secure and easy-to-use MFA; it is a combined MFA + PAM solution. The MFA can also be integrated as a standalone product with third-party systems via the SAML protocol.
If the RDP session is closed and later reopened (within the 15-second interval), are the credentials stored in cookies or somewhere else?
Reopening the RDP session tab within 15 seconds redirects the user to the same session they were interacting with before. There is no need to store credentials, because the session is still alive in the background during those 15 seconds and is terminated after the interval expires.
How many users can access and work on the same target simultaneously via RDP? Does this depend on Microsoft RDP licensing?
Yes, this depends entirely on Microsoft RDP licensing. By default each Windows Server allows 2 simultaneous RDP sessions. After deploying Microsoft Remote Desktop Services Client Access Licenses (RDS CALs) to the Windows server, it can handle more than 2 RDP sessions.
Troubleshooting & Support¶
How do I fix the token "Network error" during registration?
There are several possible actions to take on iOS, iPadOS, and visionOS devices:
- Trust manually installed certificate profiles in iOS, iPadOS, and visionOS: https://support.apple.com/en-us/102390