Thycotic Blog

Secret Server 5.0 is currently under development, and one of the features that we know for sure that will be in 5.0 is searching Secret Fields. This has been a popular request. We had several obstacles to achieve this, and we have implemented a solution that is secure but effective.

The search works by Secret Server creating an index catalog for search terms for each and every secret. This runs as a background process. Secret Server will then start indexing all existing Secrets in your installation, and maintain indexes for secrets as they are changed.

The indexing service allows two different modes of indexing. The standard mode, which allows you to search on whole words. The Extended Indexing option allows searching on part of a word with a precision of 3 characters. For example, "sec" would make a field with the value of "Secret", as would "secre".

Stay tuned for more features coming in Secret Server 5.0!

– Kevin

One of the things that we did notice with Secret Server is that it does take what seems to be a long time for Secret Server to start up for the first time. This started happening in Secret Server 4.0. So, what exactly is going on?

Secret Server does some startup tasks for the first time. Namely, it starts up some background monitoring tasks for synchronizing Active Directory and the Remote Password changing features. There is one more though that takes up most of the time, and that is verifying all of the Strong Name signatures.

First, what is a Strong Name? When we release Secret Server, we send out all of the DLLs with a digital signature on all of the assemblies. Secret Server has multiple DLLs that talk to each other. Now, what’s stopping someone with access to the server from dropping in a fake DLL that looks like ours, but it is also secretly emailing out information? Step in strong names. When the .NET Framework loads all of the assemblies for a particular application, it ensure that all of the assemblies have the strong name key that was used when it was compiled. If the Strong Name keys don’t match, then the .NET Framework won’t accept it. Since only Thycotic has the key, it cannot be faked.

This is a somewhat lengthy process for the .NET Framework, as it will also have to calculate checksums of the entire assembly as well. Not to mention that this entire process occurs for all 14 of the assemblies in Secret Server.

– Kevin

Secret Server has supported a "Mobile Edition" for over a year now but it is always tricky making sure that it works correctly on all devices.

Our approach was to bake mobile support into the base product (ASP.NET based) so it simply scales down to the capability of the device.  That sounds simple but unfortunately it depends on making sure that functionality will work with all the limitations of various devices.

My own favorite BlackBerry 8820 does a reasonable job of helping me get to the password I need in emergencies but it is hardly a pleasant browsing experience.  In fairness, no browsing on the device is particularly pleasant since it is slow, struggles with most layouts and has a small screen.  That said, I love it dearly and browsing has never been a core requirement for me since email, contacts and calendar are definitely my most essential.

Today we had a customer ask about the Treo 700 so I tried out the emulator from the Palm website.  It seems to work fine with Secret Server and I was able to browse around and access passwords.

–Jonathan

This year Secret Server made its debut at FOSE, one of the leading government technology events in the nation.   The show is being held at the Walter E. Washington Convention Center which is situated only a few minutes away from our offices in downtown D.C.

Despite there being several hundred kiosks and lectures, Secret Server appears to be one of the few software products featured.  Many of the exhibitions are displaying hardware and energy saving innovations.  I think a lot of people have been pleasantly surprised to see a solution for password management.

Over the last couple of days, I and some of the other team members got a chance to interact with attendees and demonstrate some of the core functionality of Secret Server.  We have received a lot of enthusiasm and great feedback on the product thus far.

Today is the final day for FOSE. Come visit us at booth #100 located in the Security section.  Hope to see you there!

–Joseph

One of the questions that I sometimes get from customers is, "I want the information on the Secret View page to display in a system font". The reason for this is it makes it easier to distinguish between O’s and zeros; and lower-case L’s and capital I’s.

This can easily be accomplished with CSS, and with since Secret Server 4.0 and up supports Themes, it is simple enough to add your own CSS to the default.css file.

Because of the way Copy to Clipboard works, all of the attributes that contain information are held in a custom attribute "t". This attribute is on the span elements and the text boxes when in edit mode. In theory, it should be as simple as this:

*[t]
{
    font-family:Consolas,System;
}

This is part of the CSS 2 specification, and the selector states "Any element with the attribute ‘t’." As expected, this works well with FireFox. This took care of the labels and the text boxes all-in-one. However, IE presented a bit of an issue. This simple solution didn’t seem to work. It’s not a secret to web developers that Trident, IE’s rendering engine, is pretty buggy as far as rendering engines go. What surprised me more was that the IE 8 beta, the up-and-coming super-compliant version of IE, still did not take. What was strange that when using a simple test page, the attribute selector did work; so it is supported in IE 7 and 8. There just appears to be an issue with that particular page.

So the solution became a little more complex. A lot of the elements on the secret view page don’t have classes or ID’s at the moment, which makes applying CSS to just some of the elements a bit trickier. In the end, this is how it turned out:

And the CSS used to accomplish this that works in both IE and FireFox:

div#SecretViewDialog * td.SecretFieldCell span, * span#iSM li
{
    font-family:Verdana ! important;
    font-size:10pt ! important;
}

input.SecretViewTextbox, input.SecretPasswordTextbox, div#SecretViewDialog * span
{
    font-family:Consolas,System;
    font-size:11pt;
}

The font of my choice is Consolas, a nice font that makes it easy to distinguish characters. It is a free font for user’s that own Visual Studio 2005 via download, and also ships with Visual Studio 2008.

– Kevin

Here is a new feature coming in Secret Server 4.1 – it is the visual keyboard and is a configurable option for the login screen. 

It is designed to thwart malware such as keyloggers which could be running on a public computer and could capture your password if you entered it using the keyboard.  The visual keyboard uses a different random alternate character set each time it is loaded – this means that when you click "a" it may type "3" in the password textbox – the garbled password is reconstituted on the server side when you login.  By using a garbled password then the HTTP POST back to the server if even further protected (and should be protected again by using SSL on your Secret Server installation).

Look for more sneak peeks soon as we approach the release date for Secret Server 4.1 which will be 3/14/2008 – specifically there will screenshots of the new role-based security and the launcher (launch Remote Desktop from Secret Server!).

–Jonathan

With the new release of Windows Server 2008, we wanted to make sure that Secret Server is always able to use the latest technology. So, we set out to prove that Secret Server would work on Windows Server 2008. To take it even further, we wanted to see it work on the 64-bit platform. So how did Secret Server do?

We’re excited to say that yes, Secret Server does work on Windows Server 2008 x64 Edition. Here was our setup:

- Windows Server 2008 Enterprise x64 Edition (IIS 7.0)
- SQL Server 2005 Developer x64 Edition
- Secret Server 4.0.000003.

There are a few things to note before Secret Server will function properly. IIS 7.0 had some ground breaking changes with the way it integrates with ASP.NET 2.0. Unfortunately, Secret Server currently cannot support this. This is called "Integrated Managed Pipeline Mode". Secret Server currently will only work properly with IIS’s Pipeline mode configured to "Classic". Fortunately, this isn’t a problem at all. It is really as simple as changing the Application Pool that Secret Server is in to use Classic Pipeline.

While Secret Server is functional in this environment, we can’t officially support it yet; there are a few features of Secret Server that are problematic due to the new environment. The immediate one is a lack of support for IPv6 for the IP Address Restrictions, which we will be addressing in a release in the near future. This is due to the fact that the IPv6 protocol is installed by default on Windows Server 2008. The same problem arises when the IPv6 protocol is installed on a previous version of Windows.

We still have a lot of testing to do on Windows Server 2008. We want to make sure that Secret Server works just as well as it always has on previous versions of Windows Server. Once we have finished our testing process, and resolved any issues that arose, we will be able to officially support the Windows Server 2008 x64 and x86 platform.

In the near future, we will be testing Secret Server against the up-and-coming SQL Server 2008.