Introducing Secret Server 8.5 Pt. 5: PowerShell 3

17 04 2014

Secret Server 8.5 adds a number of new features and functionality. These new features are pretty awesome, so we decided this release deserves a little extra showcasing. Each Thursday post since the 8.5 release highlighted a new Secret Server feature. Check out our previous posts to learn how 8.5 will increase your team’s overall security and productivity. This week we’re finishing up our series with the benefits of PowerShell 3.

Secret Server has an increasing list of built-in password changers for a wide variety of platforms, including Active Directory, Windows/Unix/Mac, networking devices, databases, and any platform that can connect with an SSH/TELNET connection. Also, Secret Server can update many service/application account dependencies out-of-the-box.

However, there can be unique password changing dependencies, such as when actions have to be daisy-chained after a password change, like restarting a specific device or application. For those situations, PowerShell provides additional flexibility to save time and maintain security.

With the 8.5 release of Secret Server, and the upgrade to .NET 4.5, Secret Server now makes use of the full PowerShell 3 capabilities. The main benefit of this upgrade is eliminating PowerShell’s “Double-Hop” issue, where PowerShell did not allow users to log into one platform (in this case Secret Server) and then jump to another server with those credentials. Now, PowerShell scripts can authenticate Active Directory credentials over multiple connections. This allows you to run PowerShell with an Active Directory Secret to perform multiple tasks across the network. This will be useful for organizations that need to update custom dependencies after a password change, such as SharePoint and IIS metadata. Get full instructions on avoiding PowerShell Double-Hop here.

Want to learn more about using PowerShell with Secret Server? Check out the instructions for using PowerShell with Secret Server.

We hope you’ve enjoyed the enhancements to Secret Server in our latest release. Of all the 8.5 features, which is your favorite? Let us know in the comment section below. If there is a Secret Server feature you still wish to see, be sure to cast your vote here.





Get Increased Control for Identity Verification with Password Reset Server’s Latest Upgrade

15 04 2014

Password Reset Server’s most recent upgrade to 3.2 gives greater control over the identity verification process by allowing administrators to define which questions users must answer correctly.

Now, verification questions can be marked as Optional, Required or Grouped.

Required Questions

Administrators can now mark specific questions as Required, meaning that users will have to provide correct answers to required questions during enrollment and will have to answer the questions correctly during a password reset.

Grouped Questions

Questions can also be marked as Grouped. This will display all questions in the group during a password reset, but the user only has to answer one of the grouped questions correctly. This option is especially useful for companies requiring multifactor authentication, as it gives users the option to choose the multifactor method of communication that works best for them at the time.

Here’s how this can work: Set three multifactor questions as Grouped: email, SMS and phone. During enrollment, the user will be required to enter their email, SMS and phone numbers. Then during a password reset, the user can choose which multifactor question to answer correctly, so if they are only able to access email at the time, they can answer the email verification question correctly.

Security Policy question configuration: Three multifactor questions are marked as grouped (requiring 1 correct answer out of 3), an image question is required, and the user will choose two of the optional questions to answer during enrollment.


Questions during enrollment: Required questions are marked with an exclamation point (!) and optional questions can be selected from the drop-down menus.

For a chance to see the new features in action, join us for our webinar this Thursday, April 17 at 11:30 a.m. EDT!





Introducing Secret Server 8.5 Pt. 4: SSH Proxy

10 04 2014

Secret Server 8.5 adds a number of new features and functionality. These new features are pretty awesome, so we decided this release deserves a little extra showcasing. Check back each week through April to learn something new about 8.5 and how it will increase your team’s overall security and productivity. This week we take a look at using Secret Server as a proxy for your SSH Launchers. Enjoy!

Secret Server’s SSH Proxy feature, added with version 8.5, allows increased security of the servers you connect to through SSH. This feature forces any SSH connection made through a Secret Server Launcher to be proxied through your Secret Server web server.

Proxying through Secret Server gives you two major benefits: the ability to enter just one IP address (your Secret Server IP) as an approved SSH connection for your servers, and the opportunity for keystroke logging once an SSH session is initiated. This means that instead of including a number of your users’ client machine IP ranges, you can now specify your single Secret Server IP. Once sessions are initiated, you will also get enhanced session monitoring abilities through keystroke logs.

Configuring proxying in Secret Server is simple:

Specify your bind IP address, public host information, and port. Then create a banner to be displayed to users whenever they make an SSH connection through Secret Server. You have the option to provide a host private key or generate a new one.

If you want, you can enable an Inactivity Timeout to control how long a proxied Launcher session can remain idle before the connection is automatically closed.


Improved Session Monitoring

Whether your SSH Launchers use proxying or not, Session Monitoring (covered in Part 1 of our Introducing Secret Server 8.5 series) is a feature that will help you keep track of (and optionally, terminate) your users’ launched sessions.


However, proxying your SSH connections through Secret Server provides the added capability to record and then save or search through text from the SSH session.


Launchers compatible with SSH Proxying

The SSH Proxying feature applies to not only the PuTTY Launcher, but any custom Launchers you create, such as SecureCRT. Just select Proxied SSH Process as the Launcher type when configuring the custom Launcher in Secret Server.

Don’t worry, our Secret Server 8.5 blog post series is not over yet! Next week we’ll be covering changes to PowerShell.





Empower the User: Group Provisioning within Group Management Server

8 04 2014

Group Management Server already relieves a lot of stress and extra work for IT Administrators. With the latest release, we just made IT admins’ lives even easier by streamlining the process for creating new AD groups through Group Provisioning.

What does this mean for you?

Think of this everyday scenario: The Marketing Team just started a project and they need a new mailing list for participants. Typically, the project leader would have to submit a request to IT for the new mailing list before they could add members in Group Management Server. With Group Provisioning, the entire process is simplified. Now, the marketing project leader can submit a new group request, including group members, directly through Group Management Server. The IT administrator will receive the request through the Group Management Server interface, and can immediately approve and create the group.

Helpful Tip: Use Group Provisioning alongside Group Membership Expiration to keep your Active Directory free from outdated group clutter.

Conclusion: Group Provisioning = Streamlined group creation.

Not using Group Management Server, but interested in learning more? Request a free trial here.





Introducing Secret Server 8.5 Pt. 3: Better Access Control with Secret Server Group Ownership

3 04 2014

Secret Server 8.5 adds a number of new features and functionality. These new features are pretty awesome, so we decided this release deserves a little extra showcasing. Check back each week through April to learn something new about 8.5 and how it will increase your team’s overall security and productivity. Today’s post focuses on implementing better user access control with Group Ownership. Enjoy!

This week we’re spotlighting the Group Ownership feature. Remember when giving a user group administration privileges meant trusting them with access to membership for all groups in Secret Server? That practice is long gone. Now, administrators can delegate group membership privileges to other users for their specific groups only. The result? Less burden on Secret Server administrators to manage groups, and more control for teams over their own individual groups.

Underlying Concept

Ready for the details? Here’s how it works:

An administrator (or any user with the Administer Groups role permission) chooses a local group to edit. By default, the group is managed by “Group Administrators,” but administrators can now select one or more “Group Owners” to manage the group instead. Group Owners can be multiple individuals and/or other groups. Once a group has been switched to the “Group Owners” model, Group Administrators will no longer have inherent permissions to make any changes to that group. As soon as a user is designated a Group Owner, they’re automatically assigned the Group Owner role. The Group Owner role will allow them to access the Groups administration page, where they will see only the groups they’re an owner of and have the ability to add or remove group members and owners.

Control Folder/Secret Permissions using Group Membership

With the addition of Group Ownership, delegating Secret and Role permissions becomes a more streamlined process. After providing a group permissions to a specific folder and then assigning a Group Owner, the Group Owner will be able to manage membership of the group, which effectively controls permissions to that folder of Secrets.

Stay tuned next week for a look at the new SSH Proxy features! Hopefully you’ve had a chance to test drive the new 8.5 features in Secret Server. What do you think? Do you have a favorite 8.5 feature? Share your favorites in the comment section below.

 





Introducing Secret Server 8.5 Pt. 2: Scalability Enhancements for Remote Password Changing, Heartbeat and Discovery

27 03 2014

Secret Server 8.5 adds a number of new features and functionality. These new features are pretty awesome, so we decided this release deserves a little extra showcasing. Check back each week through April to learn something new about 8.5 and how it will increase your team’s overall security and productivity. Today we are going to focus on speed and scalability. Enjoy!

An upgrade to .NET Framework 4.5.1 isn’t the only major change Secret Server 8.5 brings with it. Our latest version of Secret Server also includes scalability enhancements for Remote Password Changing, Heartbeat and Discovery. Simply put, a lot of processes just got a whole lot faster.

Multi-threading Magic

Remote Password Changing, Heartbeat and Discovery can now take advantage of multi-threading to improve performance and scalability. Secret Server will utilize 80% of your server’s processors, leaving a remaining 20% to maintain performance of Secret Server’s interface. What does this mean? Greater performance with overall speed scaling with the power of your Secret Server machine.

You can see the maximum degrees of parallelism of your primary server on Secret Server’s Diagnostics page.


 

Speedy Remote Password Changing & Heartbeat

With multi-threading, Secrets queued for Remote Password Changing can now have their password changes handled simultaneously. This gives you seriously increased speed! Additionally, Remote Password Changing uses intelligent batching to manage the queue of Secrets, ensuring that Secrets and privileged accounts are never changed in the same batch. The scalability improvements also apply to Secrets using Agent for Remote Password Changing.

Before the 8.5.000000 upgrade, password changes were executed one at a time:


After 8.5.000000 upgrade, multiple password changes are executed at once:


Lightning Discovery

Secret Server’s Discovery feature, in addition to using a multi-threaded approach for scanning your machines, takes an improved approach to service account scanning to reduce scan time by up to 20 seconds per computer. Combining these two enhancements to Discovery makes scanning hundreds or thousands of computers faster than ever before!

Are the speed enhancements to Remote Password Changing, Heartbeat and Discovery your favorite 8.5 feature so far? Don’t worry, there is more to come! You’ll just have to check back next week for the next 8.5 feature showcase. Here’s a little hint: we’ll be talking membership. See you next week!





Introducing Secret Server 8.5 Pt. 1: Session Recording Retention and Session Monitoring

25 03 2014

Secret Server 8.5 adds a number of new features and functionality. These new features are pretty awesome, so we decided this release deserves a little extra showcasing. Check back each week through April to learn something new about 8.5 and how it will increase your team’s overall security and productivity. Today we are going to focus on taking control of launched sessions. Enjoy!

While every action to a Secret is audited, administrators of the Enterprise Plus edition have the option to add Session Recording for sensitive accounts or servers. For those of you who are not already familiar with this feature, Session Recording records a video of the session launched from Secret Server and stores it in the Secret audit.

Introducing Session Monitoring:

Those of you with security responsibilities get excited, because 8.5 brings you a whole new level of control. Session Monitoring is a new feature that gives Secret Server administrators the ability to see what sessions currently are open.

Administrators now have a real-time view of all the sessions launched from Secret Server, can watch the live feed of a session, and can terminate sessions immediately or send a message directly to the user. Imagine seeing a list of active sessions directly from your dashboard, being able to stream the live video feed and end the session immediately, or send a note, like, “Hey Bob, I need the server. Can you finish up soon?”

Session Recording Enhancements:

With the 8.5 release, we added Microsoft Video Codec 9 to our list of available codecs (joining XVID, DIVX and Microsoft Video Codec 1). We also changed how the sessions are stored, to give you more storage space flexibility.

Why did we do this? Depending on how many sessions you record, how long each session lasts, and what video codec was used, video recordings can take up a lot of space within the Secret Server database!

What did we change to make this better? First, we now allow administrators to choose where session recordings are stored, whether in the database or a disk. Second, we now have a configurable expiration date for videos. Once a video is expired, Secret Server will automatically purge the old recording, freeing up your disk space.


Stay tuned next week…

Secret Server 8.5 is packed with features to improve functionality and your security options. Check back next week to learn more about 8.5. Want a sneak peek? We’ll be discussing performance enhancements to Discovery, Remote Password Changing and Heartbeat. Do you already have a favorite 8.5 feature? Let us know in the comments!

 





IT’s TIME: Update Those Security Settings with PowerShell

18 03 2014

Secret Server 8.4, released in January, included additional ways to update Secret security settings via the web services API. This week, we’ll show you how to use PowerShell to access the Secret Server web services API and configure security settings for Secrets.

Web Service security settings: What’s available?

The web services API can help you configure Remote Password Changing and advanced security settings, including:


These settings correspond to those you will see in the browser interface on the Remote Password Changing and Security tabs of a Secret.

The sample script we’ll use today creates a new Secret and then updates it to use the Require Approval for Access security setting. Because this setting also requires Approvers, our PowerShell script includes parameters to set both a user and a group as approvers. For the entire script, see our KB article HERE.

Review: Authentication

First, provide your Secret Server URL in the script. You’ll be prompted for your Secret Server login credentials at runtime:


If you’re using a domain account, add a similar line for the domain. See Using Web Services with Windows Authentication (PowerShell) if you use Integrated Windows Authentication.

Generating Passwords

Utilize the password generator to create new, randomized passwords when you aren’t using an already-existing password:


Create the Secret

Create a Secret by providing the Template ID, new Secret name, field IDs and values, and destination folder with the AddSecret method. Helper functions findFieldId, findTemplate and findFolderId take care of automating the process of determining IDs, if you don’t already know these ID values.

Update Secret security settings

Once your new Secret has been created, modify its security settings using the result of AddSecret. In this case, we’ll utilize another method to obtain the object type necessary for adding groups and users, and create new records (one for a user, one for a group). Then we’ll add them to the Secret as approvers:


Finally, we’ll use the UpdateSecret method to apply our new security settings to the same Secret we created earlier.

Keep errors in check!

Don’t forget to use an error-checking function to assist with debugging and determine whether there are any errors to return for each web services call you make:
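The steps above end to end, as an added example that is not the KB script or any code from the original post. The URL, IDs, field layout and approver names are placeholders, and the result and settings member names (`Errors`, `Token`, `GeneratedPassword`, `SecretSettings`, `IsChangeToSettings`, `RequiresApprovalForAccess`, `Approvers`, `GroupOrUserRecord`) are assumptions to confirm against your server's WSDL.

```powershell
# Added example: placeholders throughout; member names are assumptions to verify in the WSDL.
$url   = 'https://secretserver.example.com/webservices/sswebservice.asmx'
$proxy = New-WebServiceProxy -Uri $url -Namespace 'SecretServer'

# Fail fast: every result object is assumed to expose an Errors string array.
function Assert-NoErrors {
    param($Result, [string]$Step)
    if ($Result.Errors -and $Result.Errors.Length -gt 0) {
        throw "$Step failed: $($Result.Errors -join '; ')"
    }
    $Result
}

# Prompt at runtime so no password is stored in the script file.
$cred  = Get-Credential -Message 'Secret Server login'
$login = Assert-NoErrors -Step 'Authenticate' -Result (
    $proxy.Authenticate($cred.UserName, $cred.GetNetworkCredential().Password, '', ''))
$token = $login.Token

# Placeholder IDs; the post's findTemplate/findFieldId/findFolderId helpers look these up.
$templateId = 0
$folderId   = 0
$fieldIds   = @(0, 0, 0)   # constructed layout: machine, username, password

# Generate a random password using the password field's rules.
$gen = Assert-NoErrors -Step 'GeneratePassword' -Result (
    $proxy.GeneratePassword($token, $fieldIds[2]))
$values = @('server01.example.com', 'svc-account', $gen.GeneratedPassword)

# Create the Secret and keep the returned object for the update step.
$added = Assert-NoErrors -Step 'AddSecret' -Result (
    $proxy.AddSecret($token, $templateId, 'Example Secret', $fieldIds, $values, $folderId))
$secret = $added.Secret

# Approver records: one user and one group (names and IDs are placeholders).
$user = New-Object SecretServer.GroupOrUserRecord
$user.Name = 'approver.user';   $user.IsUser = $true;   $user.UserId = 0
$group = New-Object SecretServer.GroupOrUserRecord
$group.Name = 'Approver Group'; $group.IsUser = $false; $group.GroupId = 0

# Require approval for access and attach both approvers.
if (-not $secret.SecretSettings) {
    $secret.SecretSettings = New-Object SecretServer.SecretSettings
}
$secret.SecretSettings.IsChangeToSettings        = $true
$secret.SecretSettings.RequiresApprovalForAccess = $true
$secret.SecretSettings.Approvers = [SecretServer.GroupOrUserRecord[]]@($user, $group)

Assert-NoErrors -Step 'UpdateSecret' -Result ($proxy.UpdateSecret($token, $secret)) | Out-Null
```

Wrapping every call in the same check means a failed AddSecret stops the run before UpdateSecret is attempted on an empty object.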


For an example of retrieving and updating Remote Password Changing settings for existing Secrets, see our previous blog post on the web services API.

For additional resources on using the web services API, see our Knowledge Base and Web Services API Guide. Troubleshooting your own script using Secret Server web services? Our technical support team is always available to help! Contact support HERE.





Sneak Peek: New Secret Server features only at RSA Conference 2014

20 02 2014

2014 marks Thycotic’s 5th year exhibiting at the RSA cybersecurity conference. RSA is one of the largest gatherings of IT security professionals and analysts in North America. This year, the conference takes place February 24-28th 2014 at the Moscone Center.


Thycotic to unveil new Secret Server features

We’re excited to demonstrate not-yet-published Secret Server features before they’re officially released at booth 415 during RSA expo hours. Our team will also give demos of our other IT products and are available to answer any questions you have on our products or password management best practices. Product Manager Ben Yoder and CEO Jonathan Cogley will be there, as well as many more of our great team. Look for our 20X20 black and green booth, you can’t miss us!

What to expect from RSA

Information sessions cover a variety of security hot topics: hackers and threats, governance, risk and compliance, cryptography, data privacy and more. IT security professionals come eager to discover the latest in security technology, debate fiery issues and mingle with the best-in-breed vendors and industry experts. Oh, and don’t forget the rocking vendor parties that pack the evenings, complete with food, drinks and entertainment of all kinds amidst the backdrop of a lively San Francisco nightlife.

Awesome keynote lineup

RSA 2014 boasts an impressive speaker lineup worth checking out, including Nawaf Bitar of Juniper Networks, Art Gilliland of HP, James Comey of the FBI and a special closing keynote appearance by Stephen Colbert guaranteed to bring some hilarity to the mix.

Thinking about attending? Register for RSA 2014 here.

See you there!

 





Password Reset Server User Interface REFRESH

18 02 2014

Face it, there will always be end-users that forget their passwords. Giving them the ability to reset their own password is key to saving time, money and unnecessary stress, both for the user and the help desk.

The trick is to make the reset process as simple as possible. We kept this in mind with the latest release of Password Reset Server, our end user self-service password reset tool. We focused on enhancing the user interface to make the process for end-users simple and intuitive. The modern interface provides clear action steps and a newly designed enrollment process tailored to the end-user. Below are screen shots of the new, fresh face of Password Reset Server:

Introducing the new Password Reset Server landing page

Updated enrollment process: End-users can now select the questions they want to answer


Modern end-user interface to manage their answers


And for administrators (Don’t think we would leave you out!) check out our new configuration screen


Like what you see? Join us this Thursday February 20th at 11:30 AM EST for our Password Reset Server Webinar as we showcase the new user interface and the other features of our last release.

Look out for the next Password Reset Server Release coming in April, which is feature-focused. Want a sneak peek? In THIS release, you got the ability for end-users to choose the security questions they want to answer. In the NEXT release, you’ll be able to flag specific questions from that list as required. And, if you have a Security Policy for different groups in your organization, you can choose different required questions for each group.







