Restricting User Input for Launcher

3 05 2013

A new feature in Secret Server is the ability to control which servers users are able to connect to using a Launcher. This can be done by specifying a list of machines or servers on a Secret in a notes field. This list can either be a whitelist or a blacklist of servers the Launcher is able to connect to.

When configured as a whitelist, a list of possible servers will be presented for users to select to launch. This prevents users from logging in to places they should not be, and adds convenience by not having to remember the name of each server.

When configured as a blacklist, this allows users to enter the machine or server name as they normally would, however would prevent them from connecting to those machines which are blacklisted. This will prevent unauthorized use of credentials in your environment.

RDP1

Enabling this feature is simple through Secret Server. Navigate to Administration, Secret Templates, then select any template with a Launcher attached such as the Active Directory Account or Windows Account Template and click Edit. There, you can select Configure Launcher, and Edit.

In the Advanced section, enable Restrict User Input by checking the checkbox, and configure accordingly. When mapping a field to Restrict By Secret Field, specify a field from the template. The values for the whitelist or blacklist will be based on that field for Secrets, and can be comma separated to specify multiple machines or servers.

RDP2

Then it’s configured.


Comments : Leave a Comment »
Tags: , ,
Categories : Secret Server, Tips & Tricks

Taking Web Password Filler On The Road

23 04 2013

The same Web Password Filler that you use on your desktop browser is also available for your mobile devices.

For iPhones and iPads, first you will want to create the Web Filler on Safari on your Mac desktop, then after using iCloud Bookmark sync with your iPhone the Web Password Filler will be ready for use.

After signing into Secret Server on your phone, browse to the site that you want to log in to. Once there, open your bookmarks and select the Web Password Filler. This will make the it appear exactly how it appears in the desktop browser.

IphoneWF

For Android devices, using Opera Mini and Opera Link Secret Server’s Web Filler is available for your Android device. To begin, set up create a free Opera account and on the desktop version of Opera create the Web Filler Bookmark. Next in Opera Mobile on going into settings and enable Opera Link, this will sync your bookmarks to your Android phone. Once the account is synced, sign in to your Secret Server account. Then browse to site that you wish to log into and select the Web Filler
from the bookmark menu.

AndroidWF

This makes it more convenient than ever to log in to your favorite websites when on the go.


Comments : Leave a Comment »
Tags: , ,
Categories : Secret Server, Tips & Tricks

Integrated Windows Authentication and Two-Factor Authentication

11 04 2013

In Google Chrome and Internet Explorer with Integrated Windows Authentication, enabled users are automatically signed in to Secret Server when they visit the site using their Active Directory credentials. This feature reduces the number of passwords that a user has to type, and the possibility of a forgotten password. This also allows domain administrators to specify a password policy that Secret Server will adhere to, such as password strength and password history.

Radius Configuration

Two-Factor Authentication in Secret Server forces users to enter another form of authentication on login, such as a pin or token. Secret Server comes with its own built-in email two-factor authentication, and supports the existing infrastructure to make use of RADIUS two-factor systems. This adds another layer of security to user accounts, however, it increases the number of steps required to access Secret Server. Using two-factor authentication helps prevent a scenario where a user might walk away from a workstation while logged in and an attacker could walk up to it and login to Secret Server.

B2


Comments : Leave a Comment »
Tags: , , ,
Categories : Secret Server, Security

Secret Server Copy-To-Clipboard for Google Chrome and Mozilla Firefox

26 03 2013

The Mozilla Firefox add-on and the extension for Google Chrome allows values from Secret Server to be copied directly to the clipboard. This allows for ease of access when a user needs to apply information from Secret Server to other locations, however, clipboards generally do not clear the data that was copied.

How do you protect your Secret data from being stolen from your clipboard? Secret Server’s Copy-To-Clipboard extensions add an extra layer of security to your clipboard by allowing the configuration of an automated schedule to clear the clipboard, so that the clipboard is cleared when exiting the browser. Each clipboard extension has a section that allows you to configure these options.

Copy-to-Clipboard

This makes it safe to use your clipboard and know that if you walk away from your computer for a few moments, someone won’t be able to take a password from your clipboard. It also helps prevent the accidental pasting of sensitive information into unsafe places, such as a chat client or email.

Currently, these security options are only available in the Firefox and Chrome extensions. Stay tuned for this functionality in Internet Explorer.


Comments : Leave a Comment »
Tags: , , ,
Categories : Secret Server, Tips & Tricks

SOX Compliance on external systems using PowerShell scripts in Secret Server

25 02 2013

A critical component of many compliance mandates such as SOX, HIPAA, and PCI is guaranteeing that user activity is audited.  Secret Server maintains an internal audit trail for user actions and access to shared privileged accounts, but it doesn’t necessarily guarantee that external systems maintain their own audits.  After several customer requests, Secret Server  can now be configured to audit external systems through custom PowerShell scripting to enhance auditing when a privileged account is used on an external system.

For example, we can look at Microsoft SQL Server’s auditing. How can an Administrator ensure that auditing of an account is in place when that privileged account is used?

Secret Server can be used to combine custom PowerShell scripts with its one time password (OTP) feature called CheckOut.  This allows a user to access a password from the repository but Secret Server will change it to a new random password afterwards.  Administrators can also upload PowerShell scripts to Secret Server and set them to run before an account is checked out, and after it is checked back in.  This can be used to ensure that various compliance actions occur before or after a password is used.

In the below example I’ve created a Secret for an account with access to the AdventureWorks database, and set up an Audit Specification in Microsoft SQL Server.

Image

In Secret Server I can now safeguard that the auditing I’ve set up for SOX, PCI, or HIPAA compliance is enabled whenever a user accesses the database with the AdventureWorksAdmin user.

On the Secret for the AdventureWorksAdmin user, I’ve enabled CheckOut.  Now when a user accesses the account the password will be changed once they are finished.  Next I uploaded a PowerShell script that ensures the Audit Specification is enabled on AdventureWorks, and set it to run before the Secret is Checked Out to the user.

Image

This Hook guarantees that auditing is turned on by preventing CheckOut if the PowerShell script fails.  If for any reason the script can’t ensure that the compliance auditing is enabled, then it will return an error and the user won’t be granted access the AdventureWorksAdmin SQL Account.  The CheckOut feature will also change the password after the user is finished with the Secret, so users are forced to go through Secret Server to access the privileged account.  This now provides named user audits in Secret Server that are tied to a specific shared account, and Microsoft SQL Server is guaranteed to maintain its own auditing whenever that account is used.

Ben Yoder is the Product Owner for Secret Server – you can find him at the Thycotic booth (#2644) at the RSA Conference in San Francisco this week.  Stop by to chat to Ben about SOX, PowerShell scripting or other cool stuff.


Comments : Leave a Comment »
Tags: ,
Categories : Best Practices, Events, Secret Server

Launching Batch Files in Secret Server

18 01 2013

A feature that was introduced in Secret Server 8.0 was the ability for the launcher to launch a batch script that is stored in Secret Server. This is useful when a custom launcher needs to be able to start multiple processes. For example, to create a custom launcher that starts an SSH tunnel program then starting PuTTY.

Batch Launcher

Create a Custom Launcher and upload your batch file to Secret Server and it will be encrypted and stored in your database. Secret values, including usernames and passwords, can be pulled from a Secret at launch time and passed as command line arguments to the batch file. After it runs, the batch file will be deleted from the local machine. Having your batch files launched from Secret Server adds security to your system by preventing end-users from changing batch commands and restricting the access to the files, and you get an audit trail for changes to the launcher and batch file.

Secret Server also helps with the ease of access to the batch file by having it stored in one central location instead of having to maintain batch files on each individual computer.


Comments : Leave a Comment »
Tags: ,
Categories : Secret Server, Tips & Tricks

Sneak Preview: HSM Data Encryption with SafeNet

16 11 2012

We’re working with SafeNet, an industry leader in data protection, to bring hardware data encryption to Secret Server. We’re adding support for SafeNet’s Hardware Security Modules, or HSMs.

SafeNet LUNA

Pictured: SafeNet LUNA PCI HSM

SafeNet’s Luna PCI HSM (pictured) is FIPS 140-2 Level 2 and 3 compliant, bringing a new level of data protection to your enterprise.

When Secret Server is configured to use SafeNet’s HSM, Secret Server will no longer store the encryption key on the server or perform the actual encryption and decryption. Instead, the encryption key is stored inside the device, and the device itself performs the encryption and decryption. Secret Server at no point is aware of the keys being used to encrypt or decrypt data. All the encryption and decryption stays in the hardware.

 

When an HSM is available, Secret Server will allow selecting the encryption key storage location during installation.

Installation HSM

SafeNet’s HSM also allows redundant configuration of two or more HSMs to ensure zero loss of data and Secret Server is always available.

We are pleased to be adding this capability to Secret Server and have enjoyed working with the smart folks over at SafeNet. The SafeNet HSM support will be available in the next release of Secret Server.


Comments : Leave a Comment »
Tags: , , ,
Categories : Secret Server, Security, Sneak Preview

Sneak Preview: Bookmarklet 2.0

7 11 2012

Our team is working to make logging in to websites easier than ever with new bookmarklet functionality.

The new bookmarklet is able to work on any web page, and automatically log you in. It is only required that the web page has a secret in the Secret Server, and that the user be logged in to Secret Server.

This will greatly improve the compatibility over the web launcher. Sites that implement client-side validation, such as a CAPTCHA, were not compatible. With the new bookmarklet, the username and password will be filled out in the webpage itself, allowing the user to fill out just the CAPTCHA.

Form Filler

Above is an example of the bookmarklet working with Gmail. The bookmarklet will be compatible with recent versions of all major browsers. There isn’t an exact release date at the moment, but expect the functionality soon.


Comments : 5 Comments »
Tags: , ,
Categories : Secret Server, Sneak Preview

Sneak Preview: Dashboard Enhancements

18 10 2012

The next release of Secret Server has a lot of new functionality, in addition several tweaks to the user interface. We can catch a of glimpse of that now with one of the improvements to Secret Server’s dashboard. The Dashboard’s Secret View widget will now dynamically expand to take up the full width of the screen if there are no widgets to the right of it.

Fullscreen

This was a popular request, and it will allow users to utilize more of their screen space to work more effectively. Widgets can still be to the right of the Secret widget, just the way Dashboard works today.

Resize

This will be available in the next release of Secret Server, 7.9 along with many other exciting features. Expect the release within the next week or two.


Comments : Leave a Comment »
Tags: , ,
Categories : Secret Server, Sneak Preview

Get passwords out of batch files and scripts

28 09 2012

Secret Server Enterprise Plus Edition has an Application Server API that can be used to get passwords out of your configuration files and scripts.  The idea is to authorize the application server to access Secret Server (this is done by installing the Secret Server Application Server API on the application server) – there is then a user account in Secret Server for the application server – this means you can then assign permissions for which Secrets it can access.

Here is an example of a batch file doing some FTP uploads with an FTP sync tool:

line01: @echo off
line02: echo —————————————-
line03: echo Uploading changes…
line04: echo —————————————-
line05: ftpsync-1.3.04\ftpsync.pl documents ftp://jsmith:passJgH47523@10.0.10.100/stage/mydocuments

Notice the embedded password in the file?  Not very secure or accountable.

Here are the steps to get rid of that embedded password:

  1. Create an Application Account user in Secret Server.
  2. Install the Secret Server Application Server API on the workstation or server where the script runs
    (the API is a jar file and the install is done from the command line …
    java -jar secretserver-jconsole.jar -i <username> <password> <URL to Secret Server>
    This will change the password on the Application Account to a random value and will lock the account usage to that machine.
  3. Create a new Secret in Secret Server with the password from the batch file.  Give the Application Account access through the permissions.
  4. Change the batch file to make the call to the API and use a variable for the password. (the 1587 is the secretid of the new Secret and “Password” is the field name)
    The value of the password is stored in the variable FieldValue which can be used in the FTP command using %FieldValue%.
  5. That’s it – no more embedded password!

line01: @echo off
line02: echo —————————————-
line03: echo Connecting to Secret Server API…
line04: echo —————————————-
line05: FOR /F “tokens=*” %%A IN (‘java -jar secretserver-jconsole.jar -s 1587 Password’) DO SET FieldValue=%%A
line06: echo —————————————-
line07: echo Uploading changes…
line08: echo —————————————-
line09: ftpsync-1.3.04\ftpsync.pl documents ftp://jsmith:%FieldValue%@10.0.10.100/stage/mydocuments

We could also look up the username “jsmith” from the same Secret instead of having it in the script too.

There are other benefits to getting the password out of the batch file:

  • The password can now be rotated by Secret Server on a schedule.
  • There is now a full audit trail in Secret Server for when this password is accessed and used.
  • The batch file can now be added to backups, source code control and documentation without fear of spreading the production password.

It is recommended that you lock down modification to the batch file on the server using ACLs in the operating system (to prevent batch file changes).  Ideally the server has limited access for users since it is a production environment anyway.

What other uses can you see for this technology?


Comments : Leave a Comment »

Categories : Secret Server, Security, Tips & Tricks

« Previous Entries


Follow

Get every new post delivered to your Inbox.