If I have to log in as an admin to access my router web UI, what do I need to do afterwards to wipe sensitive information that may be left behind? Does flushing DNS and deleting browsing cookies and history work, or is there more to it?
Logging in to the webui successfully generates an authentication cookie. Clicking the logout button trashes that auth cookie.
Yes, it would, and it could be an additional belt and braces step if you like.
Any other steps you recommend?
I don’t recommend any additional steps. Just clicking logout is fine in my world. Others here might have some ideas though.
If you are paranoid, then only run the browser for one website in incognito mode at a time, closing the browser between every different website, and do not use any password managers, especially the ones built into the browser.
Having said that, I’m with @MartinLangmaid, logging out is enough when using the latest version of the recommended list of browsers from Peplink. We support the use of third party enterprise managed password managers, just not the built-in browser managers.
There are lots of existing how-to guides here in the forum from both the Peplink team and also from the Peplink Community, several regarding device security. Here is one guide as an example to get you started
This setup will require you to use InControl2. There are people both for and against cloud management; you need to make your own decision on that. For us, we are an advocate of InControl2, and we respect those who choose to operate without InControl2. There are many good Peplink Partners and operators in both spaces.
Work your way through the articles in the Knowledge Base and see how you go.
Happy to Help,
Thank you for your response. Good info in the links you shared.
I am not paranoid. I am a security conscious IT student who asks a lot of different questions because I want to learn.
Buy a Chromebook and use it in guest mode when accessing sensitive sites. Only drawback is you can’t use password manager Chrome plugins as it resets each time to factory.
But I started using InControl2 with 2FA and BitWarden as my password manager. I also use Yubikeys as second factor.
In the admin settings you can shorten the admin session timeout so an inactive session won’t be valid for long. I set mine to 15 minutes. I also limit access to web admin from my main untagged LAN only.
What do you mean by this? What does this do? How does it function?
Agreed. But for most people, a private mode browser that is used at just one site and then shut down is more than enough.
This is not a drawback, it is an enhanced security feature. Password managers that offer ease-of-use always lower security. Nothing has ever existed that offered ease-of-use and better security.
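Added example (not part of any post above, and not Peplink's code): a minimal model of the two points made earlier in the thread, that logging out discards the auth cookie and that a short admin session timeout limits how long an idle session stays valid. It assumes the server keeps its own session table; `SessionStore` and its methods are hypothetical names, and the clock in `demo()` is constructed so the 15-minute timeout can be exercised instantly.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds; the 15-minute value mentioned in the thread


class SessionStore:
    """Toy server-side session table (hypothetical, for illustration only)."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.monotonic):
        self._idle_timeout = idle_timeout
        self._clock = clock
        self._sessions = {}  # cookie token -> (user, last_seen)

    def login(self, user):
        token = secrets.token_urlsafe(32)  # unguessable cookie value
        self._sessions[token] = (user, self._clock())
        return token

    def check(self, token):
        # Returns the user for a live session, otherwise None.
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, last_seen = entry
        now = self._clock()
        if now - last_seen > self._idle_timeout:
            del self._sessions[token]  # idle too long: drop it server-side
            return None
        self._sessions[token] = (user, now)  # activity resets the idle timer
        return user

    def logout(self, token):
        # Removing the entry here makes any leftover copy of the cookie useless.
        self._sessions.pop(token, None)


def demo():
    now = [0.0]  # constructed clock, advanced by hand
    store = SessionStore(clock=lambda: now[0])
    t1 = store.login("admin")
    live = store.check(t1)
    store.logout(t1)
    after_logout = store.check(t1)  # replaying the old cookie
    t2 = store.login("admin")
    now[0] += 14 * 60
    idle_14min = store.check(t2)
    now[0] += 15 * 60 + 1
    idle_past_timeout = store.check(t2)
    return live, after_logout, idle_14min, idle_past_timeout
```

In this model a cookie value that survives in a browser profile after logout, or after the idle timeout has passed, no longer maps to a session on the server.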