Introducing Secret Server 8.5 Pt. 5: PowerShell 3

17 04 2014

Secret Server 8.5 adds a number of new features and functionality. These new features are pretty awesome, so we decided this release deserves a little extra showcasing. Each Thursday post since the 8.5 release highlighted a new Secret Server feature. Check out our previous posts to learn how 8.5 will increase your team’s overall security and productivity. This week we’re finishing up our series with the benefits of PowerShell 3.

Secret Server has an  increasing list of built-in password changers for a wide variety of platforms, including Active Directory, Windows/Unix/Mac, networking devices, databases, and any platform that can connect with an SSH/TELNET connection. Also, Secret Server can update many service/application account dependencies out-of-the-box.

However, there can be unique password changing dependencies, such as when actions have to be daisy-chained after a password change, like restarting a specific device or application. For those situations, PowerShell provides additional flexibility to save time and maintain security.

With the 8.5 release of Secret Server, and the upgrade to .NET 4.5, Secret Server now makes use of the full PowerShell 3 capabilities. The main benefit of this upgrade is eliminating PowerShell’s “Double-Hop” issue, where PowerShell did not allow users to log into one platform (in this case Secret Server) and then jump to another server with those credentials. Now, PowerShell scripts can authenticate Active Directory credentials over multiple connections. This allows you to run PowerShell with an Active Directory Secret to perform multiple tasks across the network. This will be useful for organizations that need to update custom dependencies after a password change, such as SharePoint and IIS metadata. Get full instruction on avoiding PowerShell Double-Hop here.

Want to learn more about using PowerShell with Secret Server? Check out instruction for using PowerShell with Secret Server.

We hope you’ve enjoyed the latest enhancements to Secret Server with our latest release. Of all the 8.5 features, which is your favorite? Let us know in the comment section below. If there is still a Secret Server feature you still wish to see, be sure to cast your vote here.





Get Increased Control for Identity Verification with Password Reset Server’s Latest Upgrade

15 04 2014

Password Reset Server’s most recent upgrade to 3.2 gives greater control over the identity verification process by allowing administrators to define which questions users must answer correctly.

Now, verification questions can be marked as Optional, Required or Grouped.

Required Questions

Administrators can now mark specific questions as Required, meaning that users will have to provide correct answers to required questions during enrollment and will have to answer the questions correctly during a password reset.

Grouped Questions

Questions can also be marked as Grouped. This will display all questions in the group during a password reset, but the user only has to answer one of the grouped questions correctly. This option is especially useful for companies requiring multifactor authentication, as it gives users the option to choose the multifactor method of communication works best for them at the time.

Here’s how this can work: Set three multifactor questions Grouped: email, SMS and phone. During enrollment, the user will be required to enter their email, SMS and phone numbers. Then during a password rest, the user can choose which multifactor question to answer correctly, so if they are only able to access email at the time, they can answer the email verification question correctly.

Password Reset Server Enrollment

 Security Policy question configuration: Three multifactor questions are marked as grouped (required 1 correct answer out of 3), an image question is required, and the user will choose two of the optional questions to answer during enrollment.

Password Reset Server Security Questions

Questions during enrollment: Required questions are marked with an exclamation point (!) and optional questions can be selected from the drop-down menus.

For a chance to see the new features in action, join us for our webinar this Thursday, April 17 at 11:30 a.m. EDT!





Phew. Thycotic solutions remain unaffected during devastating Heartbleed vulnerability.

11 04 2014

The recent OpenSSL vulnerability CVE-2014-0160, or “Heartbleed” is affecting millions of SSL-enabled web servers worldwide; estimates are somewhere between 60% and 80% of servers are affected by the deadly bug. It’s the perfect example of a worst-case scenario: Heartbleed gives attackers the ability to reveal your server’s private SSL key by recovering just enough SSL key material.

We’re fortunate to announce that Thycotic has remained completely unaffected by this vulnerability, as our solutions are built on a Microsoft stack that doesn’t use any form of SSL technology. Our customers and partners can rest assured. However, it’s important to let others know what they can do to avoid an attack during this time.

While many tech news and media sites are advising consumers to rapidly change all web passwords that may have been affected by the Heartbleed bug, there’s still a risk for IT administrators, web admins and developers managing servers affected by the vulnerability. Question is… how do you prevent an attack while vulnerable?

Keep servers safe during Heartbleed

Website administrators were advised to patch their OpenSSL libraries on their servers to address the problem. But Heartbleed goes deeper than just patching OpenSSL. OpenSSL includes a general purpose API that software developers can use as part of their software. This is where static linking comes into play.

Static linking. Developers may choose to statically link to OpenSSL. Static linking allows developers to include OpenSSL within their software and it becomes embedded at compile time. Since the OpenSSL library is embedded in the software, upgrading the OpenSSL package on the operating system alone won’t update the OpenSSL version that software programs may have linked to statically.

Update all software, not just SSL. It is highly advisable that all software that makes use of OpenSSL technology be updated. Software vendors that statically link to OpenSSL should release updates for their software immediately by using a patched version of OpenSSL.

Keep clear, steady communications with customers. Make sure that as you’re updating systems and sending patches you’re also communicating these actions with your customers regularly. Consumers are rapidly changing web passwords and scrambling to protect their most valuable, personal data. Clear communications to your customer base (whether consumer or business) will help everyone stay on the same page and mitigate the most risk by using best practices during this time.





Introducing Secret Server 8.5 Pt. 4: SSH Proxy

10 04 2014

Secret Server 8.5 adds a number of new features and functionality. These new features are pretty awesome, so we decided this release deserves a little extra showcasing. Check back each week through April to learn something new about 8.5 and how it will increase your team’s overall security and productivity. This week we take a look at using Secret Server as a proxy for your SSH Launchers. Enjoy!

Secret Server’s SSH Proxy feature, added with version 8.5, allows increased security of the servers you connect to through SSH. This feature forces any SSH connection made through a Secret Server Launcher to be proxied through your Secret Server web server.

Proxing through Secret Server gives you two major benefits: The ability to enter just one IP address (your Secret Server IP) as an approved SSH connection for your servers and the opportunity for keystroke logging once an SSH session is initiated. This means that instead of including a number of your users’ client machine IP ranges, you can now specify your single Secret Server IP. Once sessions are initiated, you will also get enhanced session monitoring abilities through keystroke logs.

Configuring proxying in Secret Server is simple:

Specify your bind IP address, public host information, and port. Then create a banner to be displayed to users whenever they make an SSH connection through Secret Server. You have the option to provide a host private key or generate a new one.

If you want, you can enable an Inactivity Timeout to control how long a proxied Launcher session can remain idle before the connection is automatically closed.

SSHProxy

Improved Session Monitoring

Whether your SSH Launchers use proxying or not, Session Monitoring (covered in Part 1 of our Introducing Secret Server 8.5 series) is a feature that will help you keep track of (and optionally, terminate) your users’ launched sessions.

SSHProxy

However, proxying your SSH connections through Secret Server provides the added capability to record and then save or search through text from the SSH session.

SSHProxy

Launchers compatible with SSH Proxying

The SSH Proxying feature applies to not only the PuTTY Launcher, but any custom Launchers you create, such as SecureCRT. Just select Proxied SSH Process as the Launcher type when configuring the custom Launcher in Secret Server.

Don’t worry, our Secret Server 8.5 blog post series is not over yet! Next week we’ll be covering changes to PowerShell.





Empower the User: Group Provisioning within Group Management Server

8 04 2014

Group Management Server already relieves a lot of stress and extra work for IT Administrators. With the latest release, we just made IT admins lives even easier by streamlining the process for creating new AD groups through Group Provisioning.

What does this mean for you?

Think of this everyday scenario: The Marketing Team just started a project and they need a new mailing list for participants. Typically, the project leader would have to submit a request to IT for the new mailing list before they could add members in Group Management Server. With Group Provisioning, the entire process is simplified. Now, the marketing project leader can submit a new group request, including group members, directly through Group Management Server. The IT administrator will receive the request through the Group Management Server interface, and can immediately approve and create the group.

Helpful Tip: Use Group Provisioning alongside Group Membership Expiration to keep your Active Directory free from outdated group clutter.

Conclusion: Group Provisioning = Streamlined group creation.

Not using Group Management Server, but interested in learning more? Request a free trial here.





Introducing Secret Server 8.5 Pt. 3: Better Access Control with Secret Server Group Ownership

3 04 2014

Secret Server 8.5 adds a number of new features and functionality. These new features are pretty awesome, so we decided this release deserves a little extra showcasing. Check back each week through April to learn something new about 8.5 and how it will increase your team’s overall security and productivity. Today’s post focuses on implementing better user access control with Group Ownership. Enjoy!

This week we’re spotlighting the Group Ownership feature. Remember when giving a user group administration privileges meant trusting them with access to membership for all groups in Secret Server? That practice is long gone. Now, administrators can delegate group membership privileges to other users for their specific groups only. The result? Less burden on Secret Server administrators to manage groups, and more control for teams over their own individual groups.

Underlying Concept

Ready for the details? Here’s how it works:

An administrator (or any user with the Administer Groups role permission), chooses a local group to edit. By default, the group is managed by “Group Administrators,” but administrators can now select one or more “Group Owners” to manage the group instead. Group Owners can be multiple individuals and/or other groups. Once a group has been switched to the “Group Owners” model, Group Administrators will no longer have inherent permissions to make any changes to that group. As soon as a user is designated a Group Owner, they’re automatically assigned the Group Owner role. The Group Owner role will allow them to access the Groups administration page, where they will see only the groups they’re an owner of and have the ability to add or remove group member and owners.

Secret Server Group Edit Group Edit Secret Server

Control Folder/Secret Permissions using Group Membership

With the addition of Group Ownership, delegating Secret and Role permissions becomes a more streamlined process. After providing a group permissions to a specific folder and then assigning a Group Owner, the Group Owner will be able to manage membership of the group, which effectively controls permissions to that folder of Secrets.

Secret Server Folder Name

Stay tuned next week for a look at the new SSH Proxy features! Hopefully you’ve had a chance to test drive the new 8.5 features in Secret Server, what do you think? Do you have a favorite 8.5 feature? Share your favorites in the comment section below.

 





Thycotic Partners with LogRhythm to Offer Continued SIEM Support for Customers

1 04 2014

In our ever expanding ecosystem of technology integration alliances, Thycotic has added another leader in SIEM technology to our list of out-of-the-box integrations. Now, Secret Server event logs integrate with LogRhythm’s Security Intelligence Engine to improve network visibility for users.

LogRhythm’s Security Intelligence Platform is known for combining enterprise-class SIEM, log management, file integrity monitoring and machine analytics to provide broad and deep visibility across an organization’s entire IT environment. Using Syslog format, Secret Server can ship important syslog data into LogRhythm to compare events and ensure a more successful audit for your organization. By pairing Secret Server with LogRhythm, administrators can better monitor successful and failed user logins to privileged accounts, secret expirations and unsanctioned changes to administrator privileges.

Out of the box, Secret Server comes standard with 44 different events tracking more than 20 unique data fields, as well as the ability to create custom events based on your organization’s security policy.

A few examples of SIEM events that come standard with Secret Server.

A few examples of SIEM events that come standard with Secret Server.

Implementing an enterprise-class privileged account management tool such as Secret Server with a SIEM solution not only helps organizations reach password compliance and mitigate risk, but also removes the complexities associated with the management and monitoring of privileged account credentials across a network.

For more information on how to successfully integrate SIEM solutions with Secret Server, read our Value of SIEM blog post and integration guide here.








Follow

Get every new post delivered to your Inbox.

Join 30 other followers