Don’t Just Store, Actively Manage Your Passwords! Create Custom Password Changers for All Devices

28 01 2014

 

You just purchased a new network device or server and realized that Secret Server doesn’t contain a specific password changer for it. You figure the best you can do is store the static credentials in Secret Server, but there’s no way Secret Server could actively manage password changing, right? Think again! Secret Server has a variety of ways you can customize password changers, no matter how complex your environment.

SSH

SSH password changers can change passwords for ANY of your SSH-compatible devices. Modify an existing SSH password changer or create your own. Enter the SSH commands in Secret Server, replacing actual credentials in the commands with values that reference the credentials stored in the Secret. The same will work for any device accessible for password changes over Telnet.

[Figure: HP iLO Account Custom Password Changer Template]

A few examples:

  • Configure a Dell DRAC password changer:

http://support.thycotic.com/KB/a166/how-to-manage-drac-passwords-with-secret-server-using-ssh.aspx

  • Use the built-in Cisco password changer (customizable):

http://support.thycotic.com/KB/a251/heartbeat-and-remote-password-changing-for-cisco-accounts.aspx

  • Use the built-in Unix Root account password changer:

http://support.thycotic.com/KB/a369/heartbeat-remote-password-changing-unix-root-accounts.aspx

LDAP

Secret Server comes with several LDAP password changers configured for Active Directory, DSEE and OpenLDAP. You can either customize the existing password changers or use one as a template to create your own custom configurations, for example to change passwords for 389 Directory Server. Customizable settings include enabling SSL, method of authentication, and username authentication format. See the article below for details:

  • Use and configure custom LDAP password changers:

http://support.thycotic.com/KB/a183/ldap-password-changing.aspx

Web Passwords

Secret Server’s web password management includes Remote Password Changing for Amazon Web Services, Google, and Windows Live accounts. Configure these options under the Remote Password Changing tab for any Secret using the Web User Account password changer.

[Figure: Remote Password Changing for a Windows Live Account]

Password Changing for Additional Account Types

Secret Server contains password changers for many other account types as well. While these are not all customizable, they include many commonly used account types such as Oracle, SQL Server, SonicWall NSA and more. A full list of included password changers can be accessed here.

See the Secret Server User Guide for more info on creating and testing custom password changers.

Did you create your own custom password changer? Share it with others on our forum.

Send us your ideas and suggestions any time. Post new feature requests and see what other customers have requested at feedback.thycotic.com.





Take the Pain (and IT) Out of AD Group Management with Group Management Server

21 01 2014

Organizations that have many different departments inevitably have to spend time just to keep things organized, and IT teams become a critical part of this strategy. Often, their role is to help implement software that enhances each employee’s ability to do their job, but they also perform many back-end tasks to organize the network. Active Directory group management is one of those critical back-end tasks. It gives each employee the access they need to the network, file structures and email distribution lists, but in a complex environment, accommodating requests for AD group membership changes can become a time-consuming task for IT to manage.

Universities are a great example of complex group management. They have multiple departments of students, faculty and staff, and users require access to workstations in multiple buildings, usually across several campuses.

Each semester, as students change courses and faculty and staff change offices or departments, the IT helpdesk is hit with countless requests for group administration changes to make sure everyone has the access they need to computers, folder structures and group email lists. You can probably imagine how quickly these requests pile up, and how long it can take an IT team to work through the entire list. This can create an immediate inconvenience to students, faculty and staff and to the IT team itself, which always has plenty of work to do.

With Group Management Server, non-IT staff, professors and managers can be authorized to administer their own AD groups. Simply by logging into the website and making the necessary membership changes, AD group management is distributed to those who need the changes immediately, and to those who best understand the access needs of their own groups.

Some of the key features that make Group Management Server a simple and effective solution:

Active Directory Integration

Users access Group Management Server through any major web browser, using their Active Directory credentials to log in.

Role-based Access Control

Control which features of the application a user can access through customizable roles and permissions. Use the default roles (user, administrator and auditor) or create your own to tailor roles to your company’s needs.

Self-Service Group Administration for Non-IT Staff

Place more control in the hands of managers and team leaders by allowing them to modify group membership of their own groups through Group Management Server. Allow other staff to make group membership requests to their group managers, and fully audit all usage and group changes for security.


Reports and Auditing

Every group membership change is audited, including the date, time and user involved for each logged event. Information can be condensed into detailed reports for audits and compliance.


A new version of Group Management Server was released last Friday. See the full release notes HERE or check out a free 30-day trial.





Fasten Your Seat belts! Advancements to Web Services API Speed Up Remote Password Changing

14 01 2014

If you are familiar with Secret Server’s web services API, you already know that it can be a convenient way to retrieve, create and update Secrets individually and in bulk, especially if you already use scripts to accomplish account-related tasks in your environment. Some of the most common use cases require only simple calls to Secret Server to add and retrieve stored information, such as:

  • Efficiently adding new Secrets as new domain accounts are created.
  • Replacing privileged account credentials with web service calls to retrieve and utilize the account information within the same script.

More fine-grained operations, such as updating Secret security and Remote Password Changing settings, require increased functionality from web service calls. This week, we’ll take a look at the additions to web services that have come with the release of Secret Server version 8.4, providing more control over Remote Password Changing for Secrets.

To start, let’s see how web services would assist Sarah, our handy system administrator, in the following scenario:

Sarah has decided that she wants to use a dedicated privileged account to change passwords for all service accounts in her production domain. A great deal of these accounts are scattered throughout her folder structure in Secret Server. Without using web services, Sarah would have to find every account in the Secret Server GUI and set the privileged account manually. Now, if the Secrets were all located in a single folder, Bulk Operation would make this a breeze. However, with the varying locations of these accounts, searching for each individual Secret to update will be time-consuming. Fortunately, Sarah is familiar with PowerShell and can use web services to update all of her service account Secrets. She uses the script below:

[Figure: Web Services API PowerShell Script for Remote Password Changing]

This script will search Sarah’s Secret Server to find any Secret with a name containing the word ‘Service.’ The script then updates the Secret’s privileged account setting for Remote Password Changing. Sarah can also reuse the script any time privileged accounts need to be updated for a large number of Secrets.
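A sketch of the workflow described above, as an added example and not the script from the original post. The server URL and privileged Secret ID are placeholders, and the SOAP operations (Authenticate, SearchSecrets, GetSecret, UpdateSecret), their argument order and the SecretSettings fields are assumptions to verify against the Web Service API Guide for your version.

```powershell
# Added example (not the original post's script). Requires Windows PowerShell,
# which provides New-WebServiceProxy.
param(
    # Placeholder URL of the Secret Server SOAP endpoint
    [string]$Url = 'https://secretserver.example.com/webservices/SSWebService.asmx',
    # Placeholder: ID of the Secret holding the dedicated privileged account
    [int]$PrivilegedSecretId = 0,
    [string]$SearchTerm = 'Service',
    [string]$Domain = '',
    # Without -Apply the script only lists what it would change
    [switch]$Apply
)

if ($PrivilegedSecretId -le 0) { throw 'Pass -PrivilegedSecretId with the ID of the privileged account Secret.' }

# Prompt for the API user's credentials instead of embedding them in the script
$cred  = Get-Credential -Message 'Secret Server API user'
$net   = $cred.GetNetworkCredential()
$proxy = New-WebServiceProxy -Uri $Url

# Assumed signature: Authenticate(username, password, organization, domain)
$auth = $proxy.Authenticate($net.UserName, $net.Password, '', $Domain)
if ($auth.Errors.Length -gt 0) { throw "Authentication failed: $($auth.Errors -join '; ')" }
$token = $auth.Token

# Assumed signature: SearchSecrets(token, searchTerm, includeDeleted, includeRestricted)
$found = $proxy.SearchSecrets($token, $SearchTerm, $false, $false)
if ($found.Errors.Length -gt 0) { throw "Search failed: $($found.Errors -join '; ')" }

foreach ($summary in $found.SecretSummaries) {
    # Keep only Secrets whose name contains the term, as the post describes
    if ($summary.SecretName -notlike "*$SearchTerm*") { continue }
    # Do not make the privileged account its own privileged account
    if ($summary.SecretId -eq $PrivilegedSecretId) { continue }
    if (-not $Apply) { "Would update: $($summary.SecretName) (ID $($summary.SecretId))"; continue }

    # Assumed signature: GetSecret(token, secretId, loadSettingsAndPermissions, codeResponses)
    $got = $proxy.GetSecret($token, $summary.SecretId, $true, $null)
    if ($got.Errors.Length -gt 0) { Write-Warning "Skipped $($summary.SecretName): $($got.Errors -join '; ')"; continue }

    # Assumed SecretSettings fields; IsChangeToSettings marks the settings for saving
    $got.Secret.SecretSettings.IsChangeToSettings = $true
    $got.Secret.SecretSettings.PrivilegedSecretId = $PrivilegedSecretId
    $result = $proxy.UpdateSecret($token, $got.Secret)
    if ($result.Errors.Length -gt 0) { Write-Warning "Failed $($summary.SecretName): $($result.Errors -join '; ')" }
    else { "Updated: $($summary.SecretName)" }
}
```

Run it once without `-Apply` and review the list before committing the change, since a name search can match Secrets that are not service accounts.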

The scripts can also be used to change additional Secret properties, such as Require Approval for Access, Require Comment and Check Out. For more information about these properties, see our Web Service API Guide (Pages 60-62), available from the Secret Server Support page.

On another topic, are you tired of endless calls to the help desk to reset a user’s forgotten AD password? You won’t want to miss this week’s webinar, introducing Password Reset Server, our AD self-service password reset tool. Register now!





Enable, Disable, or Mirror: A Deeper Look into User Administration

7 01 2014

Controlling users is one of the most important facets of Secret Server password management administration. While Secret Server supports local users and groups, the easiest way to administer users is to use Active Directory (AD) integration. Secret Server can automatically pull in existing AD users and groups and create user accounts with the same permissions. After discovering the groups, Secret Server offers several different options on importing the data. 


Enabling Users. First, you have the option of automatically creating and enabling all users from the selected groups. This is the best option for small groups with only user accounts that need enabling.

Disabling Users. The next option is to have the users created and marked as disabled. Don’t worry, disabled users do not count towards license seats. This is ideal when importing groups with a mix of service and user accounts. Disabling allows administrators to import the existing groups without worrying about exceeding license limits and adds another layer of security because users added through AD don’t automatically have access to Secret Server. Simply import and select which users you want to enable. This can all be done using the Bulk Operation feature by administering multiple users at once.

Mirroring Users’ Status. Finally, Secret Server can mirror the user’s status in AD. Mirroring the status will not only create the users in Secret Server but also automatically enable and disable users based on their status within the AD group. Unlike the other options, it is the only method that actively affects existing users. This is useful for administrators who want to automate permissions based on groups. Mirroring allows you to administer AD groups and automatically reflect changes within Secret Server. As for security options, Secret Server supports the use of RADIUS if two-factor authentication is a concern, along with our built-in email-based two-factor.

Upcoming webinars. Join us next week for our Deep Dive: Service Account Discovery Webinar. Product manager Ben Yoder will show you how to gain control of your network’s service accounts and dependencies through a step-by-step guide in our live webinar.

Also, be sure to check back next week as we will go over recent changes made to our Web Service API with the release of Secret Server 8.4.000000.

We want your feedback for future blog posts! Leave a request below and we will consider it for a later post. Happy 2014 everyone.







