Secret Server can easily be configured so that end users do not have to see the password to make use of a resource, such as logging onto a remote server. Using Hide Launcher Password, Secret passwords can be hidden from users, forcing them to use a Launcher to access the machine or device. This makes it easier for admins to use long and complex passwords and also improves security by eliminating the ability for users to write down and save passwords. You can even create white or black-lists< http://blog.thycotic.com/2013/05/03/restricting-user-input-for-launcher/> to restrict the devices that users can launch into. In addition, Secret Sever also has a Web Filler< http://blog.thycotic.com/2013/02/20/webinar-secret-server-web-password-filler/> to launch into website accounts.
Whenever possible (without impending workflow, of course!) passwords should only be revealed when necessary. This keeps passwords from being written down or memorized and enforces using the vault to ensure a full audit trail. Hiding passwords for all of your accounts, however, may not always be possible. For instance, if an administrator creates a new service, she will need to manually enter a password from Secret Server. To do this, you can certainly give the administrator permission to view the Secret’s password, but it risks the password being compromised.
Secret Server’s solution to this is Check Out. Utilizing Check Out allows you to configure how long a user has access to any given Secret. You also have the option of having Secret Server change the password when the access period expires or the user checks in the password themselves.
Here’s an example of how this can work. Say Sarah, our imaginary system administer, checks out a Secret to go preform maintenance on a couple Windows servers. She decides to write the password down and then gets to work on the different servers using that Secret’s credentials. In the process, she gets a little distracted and leaves her sticky note with the password behind when she goes to grab a cup of coffee. Luckily, Check Out with Expiration is configured. While she is out, the Check Out period automatically ends and Secret Server checks in the password and changes it automatically. When Sarah returns from her coffee break, she will have to go back to Secret Server for the new password. This keeps her usage audited in the system, and protects the company against her stray sticky note, which has now been forgotten. For companies that want even more of an audit trail, they can use Check Out in conjunction with Require Access for Approval< http://blog.thycotic.com/2013/10/15/create-an-approval-workflow-for-sensitive-secrets/> to create an easy and secure workflow for your more sensitive accounts.