Secret Server Disaster Recovery 101

22 04 2014

Part 1: Form your DR plan

Just like any tool that enhances your company’s security, the security of the tool itself is of ultimate importance. That means no backdoors and no way for Thycotic or anyone other than yourselves to decrypt your data. This is really important, but a disaster recovery plan is critical to ensure your organization’s data and hard work will be preserved in any scenario. Secret Server is designed with multiple DR options – below is a guide to the fundamental points of Secret Server disaster recovery. Don’t forget to review your disaster recovery plan regularly to make sure it meets your current needs.

The “absolute minimum” backup plan

At minimum, have a backup of your encryption.config file and database. This is the MOST IMPORTANT part!! We can’t emphasize this enough. If you lose your database, you lose your data, and if you lose your encryption.config file, you lose any ability to read that data.

For your security, we do not have copies to anyone’s encryption.config file.

Back up your encryption.config file by copying it from your Secret Server application directory. See Choose your backup option, below, for more information about taking a manual backup of your SQL database.

The comprehensive backup plan

Backing up your database and encryption.config file will allow you to restore Secret Server in an emergency, but will likely require the assistance of technical support if you don’t have the application files as well.

For a more comprehensive backup, back up the entire Secret Server application directory. This will preserve not only your encryption.config file but also the application files matching the Secret Server version of your database and files such as the web-appSettings.config that you may have customized with additional settings.

Choose your backup option

So how do I perform the backups, you might ask?

  • Back up files through the Secret Server UI. Do this from Administration > Backups. Specify a file path to back up the files. From this page, you can either perform a backup right away or configure automatic backups. For further details, see the Backup/Disaster Recovery section of the User Guide.
  • Back up files through Windows on the server(s) hosting Secret Server. This involves (1) taking a backup of the database through SQL Server Management Studio, and (2) sending the Secret Server application directory to a .zip file. See How to manually backup Secret Server for instructions.

Choose your backup paths wisely. Remember that you’ll need the files in the event that your primary servers go down, so backing them up to the same local server won’t do you any good.

Whether you choose to manage backups through Secret Server, manually, or with another tool in your environment, make sure they’re done regularly, and as a standard process before major changes are made to the server, such as migrating or upgrading Secret Server.

Know the important  accounts

Know which accounts are running your application pool and connecting Secret Server to the SQL Server database.In the event that you need to set up Secret Server on a backup server, you will need to know which account(s) to use to run the application pool and connect Secret Server to the SQL database. These accounts are configured during installation. For more information about the accounts (including how to determine the identity running your application pool), see the Installation Guide.

Know your local admin account password

Can’t log in with domain credentials? When troubleshooting login issues for domain accounts, you’ll need to have the ability to log in with a local account that has administrative rights. (Remember that local admin account you created when first installing Secret Server?) Knowing these credentials will allow you to log into Secret Server when your domain authentication isn’t working and access Active Directory sync issues. Keep a reminder of this account in a safe place, such as a safe; if Secret Server is down, you won’t be able to log in to find it. One suggestion: store a cleartext export of your most important Secrets as a printed copy in a safe or other physically secure location. See the User Guide for more information about cleartext exports.

Make use of our support number

If you are preparing for disaster recovery or find yourself in an actual DR situation, our technical support team is available to help! Give us a call and we’ll help you get things sorted out.

Contact Support

Keep an eye out for Part 2 of our disaster recovery review, where we’ll cover how to use your backups to restore Secret Server in a DR scenario.

 

 

 

 

 

 





Streamline Compliance with your Internal Security Policy by using Secret Server

4 03 2014

Incorporating a new tool into your company’s overall security architecture can be a tricky and time-consuming process. Fortunately, Thycotic Secret Server has a several features that streamline the process of complying with your existing corporate requirements. In this post, we will take a look at a few ways Secret Server can work in conjunction with your existing security policy to improve policy compliance and your user experience.

Enforce Password Compliance with Group Policies

Secret Server’s group policy feature allows you to set polices for local and domain account passwords, such as minimum password age, password length and password complexity. Secret Server adheres to the group policy when changing local Windows or Active Directory passwords. For example, if a password change is attempted with a weak password, Secret Server will return an error message to explain the password complexity requirements. Or, if a password change fails because it was too weak, Secret Server can send an email alert to administrators.

To eliminate the possibility that users will set weak passwords or use prohibited characters, Secret Server can automatically generate passwords using the preset password requirements. The result: secure, randomly generated passwords that are guaranteed to meet your group policy requirements each time they’re changed, whether automatically by using Auto Change or manually by a Secret Server user.

Restrict Access with Restricted Launcher Inputs

Group policy can also be used to restrict remote access to servers, which is a great way to decrease the area of attack for an account. However, with a large number of accounts this can be difficult to keep track of. Secret Server provides the ability to restrict launcher inputs to allow users to only see and connect to machines that have been whitelisted for each account. This simplifies the process for end users, who no longer need to keep track of details of their privileged account access, and allows administers to configure more granular access control in a way that is clear and fully audited.

Simplified Web Password Management

Finally, a policy that we have talked about before is allowing a user’s browser to store credentials. Auto fill for browser credentials is certainly convenient, but it does not provide an audit of usage, making it a bit of a problem for the security department. Instead, organizations can disable the browser’s password auto fill option and add those credentials to Secret Server. Users can then use the Secret Server Web Filler to directly log in to websites. This makes your environment more secure by tracking who accessed each web credential and it ensures passwords are stored securely within Secret Server instead of a user’s individual browser.

Check back next week to hear our team’s recap of RSA 2014 San Francisco.






Is Your Hash Being Passed?

25 02 2014

 

A typical day in IT:

It’s another day-in-the-life of an IT administrator and you have yet another 1,000 problems to solve. Around noon you receive a ticket saying Bob is having trouble with his computer’s performance. Instead of grabbing lunch, you RDP into his computer to figure out the problem. You need admin credentials to see what’s going on, so you use your Domain Administrator account.  Turns out Bob needs to update a driver. It was a simple fix and you disconnect from the user’s computer, happy to have a couple minutes left to grab a sandwich.

Later that day you see login alerts from your SIEM tool for several machines you don’t typically access. Alarmingly, they happened while you were picking up your sandwich. Your password is strong and well above the company’s password recommended length, including alphanumeric and symbols. How was it used?

Turns out, the person who “borrowed” your credentials didn’t have to figure out your password. Instead, they infected Bob’s less secure computer and waited for you to log in using your Domain Administrator credentials. When you used RDP to enter Bob’s machine they captured the clear text hash of your password. Congratulations, your hash was passed.

What is Pass-the-Hash?

A Pass-the-Hash attack is where an attacker captures and uses the plain text hash of a user’s password instead of their plain text password. It allows an attacker to impersonate another user, typically a privileged account. This type of attack can affect ANY network using Windows machines. For the attacker, the advantage getting a hash instead of the password is it can be done without a brute-force attack, which is not as effective and takes a lot more time.

How is the Hash acquired?

Hashes can be acquired through a variety of methods, two being the most common. The first is to retrieve the hash from a SAM dump for the local machine users. The second is to grab the dump of a user’s credentials stored by Windows in the LSASS.exe process, allowing the attacker to retrieve the hash of any account that connects to the machine for example; an RDP-connected domain accounts. This is how the attacker compromised the Domain Administrator’s credentials from Bob’s computer in the scenario above.

How can Secret Server mitigate the threat of Pass-the-Hash?

While Pass-the-Hash attacks have existed for the last 17 years, the threat is now bigger than ever, with tools to exploit this vulnerability continuously improving. Currently the best way to protect yourself from a Pass-the-Hash threat is to upgrade to Windows 8.1 and Server 2012 R2. The new Windows updates have built-in security measures, including making the LSASS.exe a protected process, adding new security identifiers, and changing RDP so it no longer stores the remote login’s credentials on the target machine.

It is typically not practical to upgrade every computer in an organization quickly, and a network would still be vulnerable during the upgrade process. However, there are other protective measures that can be taken by using Secret Server. For example, organizations can use Secret Server’s Check Out feature and configure it to automatically change the password after each RDP session’s Check Out is complete. This would render any hash that was captured during the session useless; when the password is changed, the hash also changes. Secret Server can also restrict which computers can use an account by restricting the launcher inputs. These measures mitigate the chance of a Pass-the-Hash attacks by greatly reducing the amount of time a hash is valid and decreasing the computers accessible for attack on privileged accounts.





2013: A Security Odyssey

31 12 2013

What did 2013 hold for Thycotic Software? New partners, software releases, and other exciting milestones. Join us for our movie themed year-in-review.

This year, in the wake of dozens of newsworthy data breaches, the landscape for IT security broadened with every headline. The importance of securing privileged credentials and managing identity went from a “nice to have” to a “need to have” seemingly overnight. It became more apparent from IT teams across the globe that a spreadsheet was no longer a trusted, secure repository to manage privileged passwords in an organization.

So what did this mean for Thycotic? Keeping a close eye on security trends, we listened to our customers and built the features they requested to solve their most essential use-cases in privileged account management. But that wasn’t all we did.

Here are just a few highlights of what made 2013 a defining year for Thycotic Software.

Let it snow, let it snow? More like, let it grow, let it grow!

Inc. Magazine named us one of the Top 5000 Fastest Growing Companies in the US, and #33 in the top 100 fastest growing companies in DC. We couldn’t be more honored to receive this privilege. Our growth is attributed directly to our fantastic customers and our intelligent, hard-working team.

Lions, Tigers, and Splunk – Oh, My!

This year we announced several great partnerships, ending the year with an official announcement of our partnership with Splunk to release the Secret Server App for Splunk Enterprise. We’re proud of all of our new partnerships, and especially of our rapidly growing technology integration partner program. You can read more about the Splunk integration with Secret Server in our press release.

Come fly with me, let’s fly, let’s fly away.

We broke a personal record at Thycotic by sponsoring over 35 tradeshows across the world in 2013. We’ve presented dozens of keynotes, spotlight sessions, thought leadership interviews and spoke directly with thousands IT security and operations professionals in every major vertical about their security needs. Thanks to our dedicated team who worked round-the-clock to make those events a major success.

Release the kracken!

This year we’ve had several exciting releases to our products Secret Server, Password Reset Server and Group Management Server based on direct requests from our customers.

For Secret Server, some notable new features are: SAP support for natively changing passwords on SAP accounts; expanded API to increase automation in scripting; Custom Columns for a more tailored dashboard view; Website Password Changing to automatically change passwords for Windows LIVE, Google and Amazon accounts; SAML Support for increased security and single-sign on convenience; and Improved Discovery for Scheduled Tasks and Application Pools, now discoverable by Secret Server.

Other new product features are Active Directory Attribute Integration to let employees easily update their own AD information with Password Reset Server, and Group Renewal for Group Management Server to remind Active Directory group managers to double check their group membership from time to time.

So what’s next for 2014?

We think that 2014 will trump this year in success stories, growth, partnerships and products. We hope you join us every step of the way. Join us on LinkedIn and Twitter for the latest news in cybersecurity and be sure to stop by our booth at RSA 2014 in San Francisco as we kick off another thrilling year in IT security.  Also Thycotic is hiring, join the Thycotic team – read these great Thycotic reviews and see the latest Thycotic videos.






Windows 8.1 Security Improvements Helps Protect Against Pass the Hash Attacks

21 10 2013

This cyber security month, we’d like to congratulate and thank Microsoft on their efforts to block Pass the Hash cyber-attacks. Known by Microsoft as “one of the most popular types of credential theft and reuse attacks ,” Pass the Hash attacks are known for their ability to infiltrate full networks within minutes, making a major mess along the way.

With the Windows 8.1 update released on October 1, Microsoft has added major security improvements that are intended to block the ability of hackers to use these kinds of attacks. With the new release, Microsoft has bought us all some “space to breathe.”

Use your space wisely and remember that cyber security is constantly evolving. Take these three steps to help strengthen your organization’s password practices.

  1. Administrator accounts still need to be separated and used with care. Segment administrator accounts into a regular AD account and a user-specific Domain Administrator account for use only when privilege is needed.
  2. Lock down Domain Administrator passwords in a secure place where the administrator can access them when needed, and admin access is fully audited, so you have a record of use.
  3. Change Domain Administrator passwords to a new, random value after each use.

These steps can be incorporated into your security policy and implemented manually or through an automation tool, such as Secret Server. Password management tools provide added value to security and password management when they enable role-based access, sharing among teams, and full auditing for compliance.

Learn more about the Windows 8.1 update here.





Create an Approval Workflow for Sensitive Secrets

15 10 2013

It’s important to understand how to properly create a workflow in Secret Server for secrets of a sensitive nature. For example, let’s say you have a Secret for the admin account on your production web server. You want to give all your web server administrators access to the Secret, but you only want them to log in for a specific reason, such as during an emergency or to perform maintenance or install new software.

To address this issue, Secret Server has a security feature called Require Approval for Access. This setting lets you grant a user access to a Secret by making the user enter a reason they would like to access the Secret. It can be used for any Secret within Secret Server. For our example today, your web server admins would enter the reason why they want to access the web server.

Secret Access Request | Secret Server

Secret Access Request | Secret Server

After the web admin explains why he wants access to the production web server, an email is sent to one or more people to approve. You can customize who receives the email and is allowed to approve the request – every Secret has a customizable approval list.

Next, those approving the request will receive an email notifying them of the request. Inside Secret Server, they can read the request, deny or approve it, and specify how long that user may have access to the Secret before they have to submit another request for access.

Request Access for Workflow | Secret Server

Request Access for Workflow | Secret Server

This entire request and approval process is logged in the audit trail of Secret Server, so if there are ever questions later, it can be double checked.





Secret Server iOS 7 Mobile App Upgrade

7 10 2013

As iOS users may have noticed, our Secret Server app received an upgrade with the recent release of iOS 7. The most noticeable sign the app was upgraded is a fresh user interface. However, there are a few other aspects of the latest update that are worth highlighting.

View & Edit Restricted Secrets
Previously, users could not view restricted Secrets from the mobile app. Now, Secrets that have the advanced security settings Require Comment, Require Approval and CheckOut are also accessible from your mobile device.

Require Comment_iOS app update post_2013

Require Comment

 

Require Approval

Require Approval

Checkout

CheckOut

When viewed through the mobile app, Secrets that require a comment will receive an audit entry called WEBSERVICEVIEWCOMMENT to help differentiate comments in the audit log:

ViewWebserviceView_iOS app update post_2013

These restricted Secrets will not be cached. Therefore, a user must re-enter information after a 5-minute period (for Require Comment) or when the approval period ends (for Require Approval and CheckOut).

More Information

If you don’t yet use the mobile app and/or would like more information, please see the following articles in our Knowledge Base:

Using the iOS 7 Mobile App with Secret Server Installed Edition

Using the iOS 7 Mobile App with Secret Server Online





The Value of SIEM and How to Integrate with Secret Server

1 10 2013

What is a SIEM tool and why should I use one?

SIEM (System Information and Event Management) tools are a type of software that pulls in log and audit information from multiple sources across your network. This can include access logs for building entry, computers, servers, network devices, databases and applications. SIEM tools can aggregate all the data pulled so that you can get a clear picture of what is going on across your network by correlating events. It also provides real-time alerting in the case of security breach.

Here’s a quick example of how a SIEM tool can identify a breach. Say an employee – let’s call her Sarah – comes to work every day around 9:00 am EST. She’s an IT admin, so she beeps into the building with her key card, logs into her computer and starts checking on the status of her assigned servers. But, one day her computer is accessed in the middle of the night, long before she typically comes in. She hasn’t beeped back into the building and her VPN connection was never activated. This could be a security breach and someone better start asking questions. If the company had a SIEM tool, it would have alerted the company that something was wrong.

Secret Server can easily integrate with your existing SIEM tool. As a privileged account manager, Secret Server records a full audit of credential usage – who accessed what and when.  Secret Server can take this audit trail and send all of its information to the SIEM tool using Syslog or CEF format. Once the data is in the SIEM tool, it will compare events from Secret Server to other usage audits throughout your network.

Now, say that Sarah’s company used Secret Server with a SIEM integration for all admin passwords. One night, someone logged into one of Sarah’s servers as the local admin, but there was no indication that anyone logged into Secret Server to retrieve the password. The SIEM tool would be able to tell that a login occurred without Secret Server and flag it as a potential breach. The SIEM tool would then alert the company of the potential breach.

Secret Server is partnered with two SIEM tools, HP ArcSight and Splunk, Inc., with more integrations in the works. Find out more about Secret Server’s SIEM integration and syslog output on our support page!





Using Secret Server to Help Maintain Compliance Mandates

24 09 2013

Secret Server is a powerful, flexible tool which can help your organization meet a variety of compliance mandates, such as SOX, PCI, HIPAA and more. In this article we are going to review several ways you can utilize Secret Server to maintain compliance by securely managing your privileged account credentials.

Centralizing Your Sensitive Information
Before you can start managing your privileged accounts they must be located and stored securely in Secret Server. This means removing them from where they’re currently stored (such as an Excel spreadsheet or personal password management tools) and placing them into Secret Server; centralizing all privileged and shared accounts while providing full auditing of the activity on those accounts.

Compliance tip: This is useful for complying with SOX as it mandates that your sensitive information be stored in a centralized encrypted vault.

You can do this in a few ways:

  1. Importing. Using a CSV or XML file, you can directly import your data into Secret Server.
  2. Migration. The Migration Tool imports credentials from several personal password management systems such as KeePass or Password Safe.
  3. Discovery.  With Discovery you can easily scan your network and import Local Windows Accounts and Service Accounts running Web Services.

Setup permissions, access and roles 
Once credentials are secured in Secret Server you will want to organize access control for each user and what privileges a user has to administer their accounts. To do so, Secret Server simply utilizes a permission structure reminiscent to that of Windows to easily delegate access to information with a full audit trail.

Compliance tip: This relates to PCI compliance as it mandates an audit be kept of access to network resources.

Permissions allow you to store information from multiple groups and departments while managing exactly which users have access and have been accessing sensitive information.

Role based access in Secret Server can be broken down between different users so that no one user has full control of the system, giving granular control of user ability.

Password creation and regular rotation 
A big part of most compliance standards is using strong passwords and updating passwords on a regular basis. Secret Server can automate password changing on a wide variety of devices and accounts.

Compliance Tip: This is an import piece to many compliance standards included in HIPAA regarding regularly changing passwords for credentials.

Passwords can be changed automatically on a fixed schedule or can be set to change immediately. Secret Server also has the ability to report all information that a user has access to and queue them for remote password changing with a few clicks. This is especially helpful for when someone leaves the company and all their credentials need to be changed.

Remote Password Changing can generate passwords for the accounts based on the type of account. With Password Requirements you can specify the length of password, types of characters used, and the frequency that they show up.

These are just a few ways Secret Server can help your organization maintain compliance. Next week we will discuss the benefits of using a SIEM tool with Secret Server.








Follow

Get every new post delivered to your Inbox.

Join 30 other followers