Streamline Compliance with your Internal Security Policy by using Secret Server

4 03 2014

Incorporating a new tool into your company’s overall security architecture can be a tricky and time-consuming process. Fortunately, Thycotic Secret Server has a several features that streamline the process of complying with your existing corporate requirements. In this post, we will take a look at a few ways Secret Server can work in conjunction with your existing security policy to improve policy compliance and your user experience.

Enforce Password Compliance with Group Policies

Secret Server’s group policy feature allows you to set polices for local and domain account passwords, such as minimum password age, password length and password complexity. Secret Server adheres to the group policy when changing local Windows or Active Directory passwords. For example, if a password change is attempted with a weak password, Secret Server will return an error message to explain the password complexity requirements. Or, if a password change fails because it was too weak, Secret Server can send an email alert to administrators.

To eliminate the possibility that users will set weak passwords or use prohibited characters, Secret Server can automatically generate passwords using the preset password requirements. The result: secure, randomly generated passwords that are guaranteed to meet your group policy requirements each time they’re changed, whether automatically by using Auto Change or manually by a Secret Server user.

Restrict Access with Restricted Launcher Inputs

Group policy can also be used to restrict remote access to servers, which is a great way to decrease the area of attack for an account. However, with a large number of accounts this can be difficult to keep track of. Secret Server provides the ability to restrict launcher inputs to allow users to only see and connect to machines that have been whitelisted for each account. This simplifies the process for end users, who no longer need to keep track of details of their privileged account access, and allows administers to configure more granular access control in a way that is clear and fully audited.

Simplified Web Password Management

Finally, a policy that we have talked about before is allowing a user’s browser to store credentials. Auto fill for browser credentials is certainly convenient, but it does not provide an audit of usage, making it a bit of a problem for the security department. Instead, organizations can disable the browser’s password auto fill option and add those credentials to Secret Server. Users can then use the Secret Server Web Filler to directly log in to websites. This makes your environment more secure by tracking who accessed each web credential and it ensures passwords are stored securely within Secret Server instead of a user’s individual browser.

Check back next week to hear our team’s recap of RSA 2014 San Francisco.






Is Your Hash Being Passed?

25 02 2014

 

A typical day in IT:

It’s another day-in-the-life of an IT administrator and you have yet another 1,000 problems to solve. Around noon you receive a ticket saying Bob is having trouble with his computer’s performance. Instead of grabbing lunch, you RDP into his computer to figure out the problem. You need admin credentials to see what’s going on, so you use your Domain Administrator account.  Turns out Bob needs to update a driver. It was a simple fix and you disconnect from the user’s computer, happy to have a couple minutes left to grab a sandwich.

Later that day you see login alerts from your SIEM tool for several machines you don’t typically access. Alarmingly, they happened while you were picking up your sandwich. Your password is strong and well above the company’s password recommended length, including alphanumeric and symbols. How was it used?

Turns out, the person who “borrowed” your credentials didn’t have to figure out your password. Instead, they infected Bob’s less secure computer and waited for you to log in using your Domain Administrator credentials. When you used RDP to enter Bob’s machine they captured the clear text hash of your password. Congratulations, your hash was passed.

What is Pass-the-Hash?

A Pass-the-Hash attack is where an attacker captures and uses the plain text hash of a user’s password instead of their plain text password. It allows an attacker to impersonate another user, typically a privileged account. This type of attack can affect ANY network using Windows machines. For the attacker, the advantage getting a hash instead of the password is it can be done without a brute-force attack, which is not as effective and takes a lot more time.

How is the Hash acquired?

Hashes can be acquired through a variety of methods, two being the most common. The first is to retrieve the hash from a SAM dump for the local machine users. The second is to grab the dump of a user’s credentials stored by Windows in the LSASS.exe process, allowing the attacker to retrieve the hash of any account that connects to the machine for example; an RDP-connected domain accounts. This is how the attacker compromised the Domain Administrator’s credentials from Bob’s computer in the scenario above.

How can Secret Server mitigate the threat of Pass-the-Hash?

While Pass-the-Hash attacks have existed for the last 17 years, the threat is now bigger than ever, with tools to exploit this vulnerability continuously improving. Currently the best way to protect yourself from a Pass-the-Hash threat is to upgrade to Windows 8.1 and Server 2012 R2. The new Windows updates have built-in security measures, including making the LSASS.exe a protected process, adding new security identifiers, and changing RDP so it no longer stores the remote login’s credentials on the target machine.

It is typically not practical to upgrade every computer in an organization quickly, and a network would still be vulnerable during the upgrade process. However, there are other protective measures that can be taken by using Secret Server. For example, organizations can use Secret Server’s Check Out feature and configure it to automatically change the password after each RDP session’s Check Out is complete. This would render any hash that was captured during the session useless; when the password is changed, the hash also changes. Secret Server can also restrict which computers can use an account by restricting the launcher inputs. These measures mitigate the chance of a Pass-the-Hash attacks by greatly reducing the amount of time a hash is valid and decreasing the computers accessible for attack on privileged accounts.





2013: A Security Odyssey

31 12 2013

What did 2013 hold for Thycotic Software? New partners, software releases, and other exciting milestones. Join us for our movie themed year-in-review.

This year, in the wake of dozens of newsworthy data breaches, the landscape for IT security broadened with every headline. The importance of securing privileged credentials and managing identity went from a “nice to have” to a “need to have” seemingly overnight. It became more apparent from IT teams across the globe that a spreadsheet was no longer a trusted, secure repository to manage privileged passwords in an organization.

So what did this mean for Thycotic? Keeping a close eye on security trends, we listened to our customers and built the features they requested to solve their most essential use-cases in privileged account management. But that wasn’t all we did.

Here are just a few highlights of what made 2013 a defining year for Thycotic Software.

Let it snow, let it snow? More like, let it grow, let it grow!

Inc. Magazine named us one of the Top 5000 Fastest Growing Companies in the US, and #33 in the top 100 fastest growing companies in DC. We couldn’t be more honored to receive this privilege. Our growth is attributed directly to our fantastic customers and our intelligent, hard-working team.

Lions, Tigers, and Splunk – Oh, My!

This year we announced several great partnerships, ending the year with an official announcement of our partnership with Splunk to release the Secret Server App for Splunk Enterprise. We’re proud of all of our new partnerships, and especially of our rapidly growing technology integration partner program. You can read more about the Splunk integration with Secret Server in our press release.

Come fly with me, let’s fly, let’s fly away.

We broke a personal record at Thycotic by sponsoring over 35 tradeshows across the world in 2013. We’ve presented dozens of keynotes, spotlight sessions, thought leadership interviews and spoke directly with thousands IT security and operations professionals in every major vertical about their security needs. Thanks to our dedicated team who worked round-the-clock to make those events a major success.

Release the kracken!

This year we’ve had several exciting releases to our products Secret Server, Password Reset Server and Group Management Server based on direct requests from our customers.

For Secret Server, some notable new features are: SAP support for natively changing passwords on SAP accounts; expanded API to increase automation in scripting; Custom Columns for a more tailored dashboard view; Website Password Changing to automatically change passwords for Windows LIVE, Google and Amazon accounts; SAML Support for increased security and single-sign on convenience; and Improved Discovery for Scheduled Tasks and Application Pools, now discoverable by Secret Server.

Other new product features are Active Directory Attribute Integration to let employees easily update their own AD information with Password Reset Server, and Group Renewal for Group Management Server to remind Active Directory group managers to double check their group membership from time to time.

So what’s next for 2014?

We think that 2014 will trump this year in success stories, growth, partnerships and products. We hope you join us every step of the way. Join us on LinkedIn and Twitter for the latest news in cybersecurity and be sure to stop by our booth at RSA 2014 in San Francisco as we kick off another thrilling year in IT security.  Also Thycotic is hiring, join the Thycotic team – read these great Thycotic reviews and see the latest Thycotic videos.






Windows 8.1 Security Improvements Helps Protect Against Pass the Hash Attacks

21 10 2013

This cyber security month, we’d like to congratulate and thank Microsoft on their efforts to block Pass the Hash cyber-attacks. Known by Microsoft as “one of the most popular types of credential theft and reuse attacks ,” Pass the Hash attacks are known for their ability to infiltrate full networks within minutes, making a major mess along the way.

With the Windows 8.1 update released on October 1, Microsoft has added major security improvements that are intended to block the ability of hackers to use these kinds of attacks. With the new release, Microsoft has bought us all some “space to breathe.”

Use your space wisely and remember that cyber security is constantly evolving. Take these three steps to help strengthen your organization’s password practices.

  1. Administrator accounts still need to be separated and used with care. Segment administrator accounts into a regular AD account and a user-specific Domain Administrator account for use only when privilege is needed.
  2. Lock down Domain Administrator passwords in a secure place where the administrator can access them when needed, and admin access is fully audited, so you have a record of use.
  3. Change Domain Administrator passwords to a new, random value after each use.

These steps can be incorporated into your security policy and implemented manually or through an automation tool, such as Secret Server. Password management tools provide added value to security and password management when they enable role-based access, sharing among teams, and full auditing for compliance.

Learn more about the Windows 8.1 update here.





Create an Approval Workflow for Sensitive Secrets

15 10 2013

It’s important to understand how to properly create a workflow in Secret Server for secrets of a sensitive nature. For example, let’s say you have a Secret for the admin account on your production web server. You want to give all your web server administrators access to the Secret, but you only want them to log in for a specific reason, such as during an emergency or to perform maintenance or install new software.

To address this issue, Secret Server has a security feature called Require Approval for Access. This setting lets you grant a user access to a Secret by making the user enter a reason they would like to access the Secret. It can be used for any Secret within Secret Server. For our example today, your web server admins would enter the reason why they want to access the web server.

Secret Access Request | Secret Server

Secret Access Request | Secret Server

After the web admin explains why he wants access to the production web server, an email is sent to one or more people to approve. You can customize who receives the email and is allowed to approve the request – every Secret has a customizable approval list.

Next, those approving the request will receive an email notifying them of the request. Inside Secret Server, they can read the request, deny or approve it, and specify how long that user may have access to the Secret before they have to submit another request for access.

Request Access for Workflow | Secret Server

Request Access for Workflow | Secret Server

This entire request and approval process is logged in the audit trail of Secret Server, so if there are ever questions later, it can be double checked.





Secret Server iOS 7 Mobile App Upgrade

7 10 2013

As iOS users may have noticed, our Secret Server app received an upgrade with the recent release of iOS 7. The most noticeable sign the app was upgraded is a fresh user interface. However, there are a few other aspects of the latest update that are worth highlighting.

View & Edit Restricted Secrets
Previously, users could not view restricted Secrets from the mobile app. Now, Secrets that have the advanced security settings Require Comment, Require Approval and CheckOut are also accessible from your mobile device.

Require Comment_iOS app update post_2013

Require Comment

 

Require Approval

Require Approval

Checkout

CheckOut

When viewed through the mobile app, Secrets that require a comment will receive an audit entry called WEBSERVICEVIEWCOMMENT to help differentiate comments in the audit log:

ViewWebserviceView_iOS app update post_2013

These restricted Secrets will not be cached. Therefore, a user must re-enter information after a 5-minute period (for Require Comment) or when the approval period ends (for Require Approval and CheckOut).

More Information

If you don’t yet use the mobile app and/or would like more information, please see the following articles in our Knowledge Base:

Using the iOS 7 Mobile App with Secret Server Installed Edition

Using the iOS 7 Mobile App with Secret Server Online





The Value of SIEM and How to Integrate with Secret Server

1 10 2013

What is a SIEM tool and why should I use one?

SIEM (System Information and Event Management) tools are a type of software that pulls in log and audit information from multiple sources across your network. This can include access logs for building entry, computers, servers, network devices, databases and applications. SIEM tools can aggregate all the data pulled so that you can get a clear picture of what is going on across your network by correlating events. It also provides real-time alerting in the case of security breach.

Here’s a quick example of how a SIEM tool can identify a breach. Say an employee – let’s call her Sarah – comes to work every day around 9:00 am EST. She’s an IT admin, so she beeps into the building with her key card, logs into her computer and starts checking on the status of her assigned servers. But, one day her computer is accessed in the middle of the night, long before she typically comes in. She hasn’t beeped back into the building and her VPN connection was never activated. This could be a security breach and someone better start asking questions. If the company had a SIEM tool, it would have alerted the company that something was wrong.

Secret Server can easily integrate with your existing SIEM tool. As a privileged account manager, Secret Server records a full audit of credential usage – who accessed what and when.  Secret Server can take this audit trail and send all of its information to the SIEM tool using Syslog or CEF format. Once the data is in the SIEM tool, it will compare events from Secret Server to other usage audits throughout your network.

Now, say that Sarah’s company used Secret Server with a SIEM integration for all admin passwords. One night, someone logged into one of Sarah’s servers as the local admin, but there was no indication that anyone logged into Secret Server to retrieve the password. The SIEM tool would be able to tell that a login occurred without Secret Server and flag it as a potential breach. The SIEM tool would then alert the company of the potential breach.

Secret Server is partnered with two SIEM tools, HP ArcSight and Splunk, Inc., with more integrations in the works. Find out more about Secret Server’s SIEM integration and syslog output on our support page!





Using Secret Server to Help Maintain Compliance Mandates

24 09 2013

Secret Server is a powerful, flexible tool which can help your organization meet a variety of compliance mandates, such as SOX, PCI, HIPAA and more. In this article we are going to review several ways you can utilize Secret Server to maintain compliance by securely managing your privileged account credentials.

Centralizing Your Sensitive Information
Before you can start managing your privileged accounts they must be located and stored securely in Secret Server. This means removing them from where they’re currently stored (such as an Excel spreadsheet or personal password management tools) and placing them into Secret Server; centralizing all privileged and shared accounts while providing full auditing of the activity on those accounts.

Compliance tip: This is useful for complying with SOX as it mandates that your sensitive information be stored in a centralized encrypted vault.

You can do this in a few ways:

  1. Importing. Using a CSV or XML file, you can directly import your data into Secret Server.
  2. Migration. The Migration Tool imports credentials from several personal password management systems such as KeePass or Password Safe.
  3. Discovery.  With Discovery you can easily scan your network and import Local Windows Accounts and Service Accounts running Web Services.

Setup permissions, access and roles 
Once credentials are secured in Secret Server you will want to organize access control for each user and what privileges a user has to administer their accounts. To do so, Secret Server simply utilizes a permission structure reminiscent to that of Windows to easily delegate access to information with a full audit trail.

Compliance tip: This relates to PCI compliance as it mandates an audit be kept of access to network resources.

Permissions allow you to store information from multiple groups and departments while managing exactly which users have access and have been accessing sensitive information.

Role based access in Secret Server can be broken down between different users so that no one user has full control of the system, giving granular control of user ability.

Password creation and regular rotation 
A big part of most compliance standards is using strong passwords and updating passwords on a regular basis. Secret Server can automate password changing on a wide variety of devices and accounts.

Compliance Tip: This is an import piece to many compliance standards included in HIPAA regarding regularly changing passwords for credentials.

Passwords can be changed automatically on a fixed schedule or can be set to change immediately. Secret Server also has the ability to report all information that a user has access to and queue them for remote password changing with a few clicks. This is especially helpful for when someone leaves the company and all their credentials need to be changed.

Remote Password Changing can generate passwords for the accounts based on the type of account. With Password Requirements you can specify the length of password, types of characters used, and the frequency that they show up.

These are just a few ways Secret Server can help your organization maintain compliance. Next week we will discuss the benefits of using a SIEM tool with Secret Server.





Integration Spotlight – Secret Server and Devolutions Remote Desktop Manager

17 09 2013

 

In this week’s webinar we will be diving into the integration of Devolutions Remote Desktop Manager and Secret Server. Since the software integration in 2011, users have been securing their credentials through Secret Server and remote connections using Remote Desktop Manager after several client requests. Since then, administrators have been able to use both solutions for greater convenience and added security.

Using Secret Server, you can securely store and audit access your login credentials. With Remote Desktop Manager, you can centralize your remote connections that use programs such as Remote Desktop, PuTTy, Team Viewer, and more. With the integration of Secret Server, Remote Desktop Manager seamlessly retrieves the login credentials from your Secret Server account. Using these two programs in conjunction with each other provides your company with a secure, centralized way to store, manage, and utilize your credentials for remote connections.

Join product managers Ben Yoder, Thycotic Software, and Maurice Côté, Devolutions, as they demonstrate the features and benefits of both solutions this Thursday September 19th at 11:30 AM EST. Be sure to register today!








Follow

Get every new post delivered to your Inbox.

Join 30 other followers