Use Custom Reports as Your Secret Weapon

10 12 2013

Custom Reports

Secret Server ships with a number of reports covering Secrets, folders, users, activity and more, but every organization has requirements those reports do not anticipate. The Custom Reports feature of the Enterprise and Enterprise Plus editions (plus a little knowledge of SQL) lets you write your own.

When creating a custom report, you can either write your own SQL query or customize a SQL query from an existing report.

Create a New Custom Report

To create a new custom report, click the Create it link at the bottom-right corner of the Reports page. The resulting page has a few fields for the report's name, description and other settings, and a large text box for the SQL query. At the bottom of the page, Show Secret Server SQL database information opens a drop-down menu and grid listing the tables and columns available for reporting. Preview runs the query and shows the results below the editor, so you can check the report before saving it. Because the query runs directly against the Secret Server database, anyone who can author custom reports can read any unencrypted column in it; grant that role only to administrators you would trust with the database itself.


Reference Custom Secret Fields

Version 8.2.000000 introduced the ability to expose Secret fields for display, along with custom columns for the Dashboard. An exposed field is stored unencrypted in the database, which is what makes it usable in custom reports. The setting is made at the Secret Template level, and Secret Server warns that the field will be left unencrypted when you enable it. For that reason, never expose a field that holds data which must stay encrypted, such as a password; only descriptive fields like the "Account Used By" field in the example below belong there.


Once fields are exposed for display, they can be referenced in reports like any other column in the database. For example, the following SQL lists the Secrets of one template together with the value of their custom field "Account Used By:" (the field's display name in this example includes the colon):

SELECT
    s.SecretName AS [Secret Name],
    si.ItemValue AS [Account Used By:]
FROM tbSecret s
    JOIN tbSecretItem si ON s.SecretID = si.SecretID
    JOIN tbSecretField sf ON sf.SecretFieldID = si.SecretFieldID
WHERE s.SecretTypeID = 6001
    AND sf.SecretFieldDisplayName = 'Account Used By:'

The SecretTypeID of 6001 is the ID of the Secret Template in this example; substitute the ID of your own template. If the field has not been exposed for display, ItemValue holds the encrypted value and the column will not be readable.

This report will return results in the following manner:


Dynamic Parameters

Secret Server also supports several dynamic parameters that let the person running a report pick a value, such as a user, a group or a date range, at run time instead of hard-coding it in the query. For more information on using dynamic parameters, see our KB article on the topic. A good example of dynamic parameters is the preconfigured report "What Secrets have been accessed by a user?"


Reports Gallery

To see custom reports that other Secret Server users have created and to share your own, you can take a look at the Custom Reports Gallery.

Want to learn even more about creating custom reports? Join us this Thursday, December 12th, at 11:30 AM EST for our Deep Dive: Secret Server – Get the most out of Reporting webinar. Register today!

For any questions or assistance with custom reports, contact Thycotic Support.





Announcing Our Official Technology Alliance with Splunk

3 12 2013

In the past we have discussed the benefits of using a security information and event management (SIEM) solution, not only as a compliance tool, but also for protecting against potential threats in real time.

We are excited to announce our official technology alliance with Splunk to release Secret Server for Splunk Enterprise, giving administrators deep insight into how privileged accounts are used, better visibility for compliance reporting, and a way to detect threats inside the network.

Getting the app is simple. While logged into the Splunk interface, navigate to Apps and search for Secret Server. Once installed, the app automatically starts pulling in the events Secret Server writes to syslog. Make sure Secret Server is installed, running and configured to send its audit events to syslog before using the app.


Using Secret Server with a SIEM tool such as Splunk gives administrators a clear picture of what is happening throughout their network. The app's Event Search feature filters the key events out of the Secret Server syslog stream, making it easy to pull up real-time events such as users launching sessions, accessing reports, checking out Secrets, or Unlimited Administrator mode being turned on.


In addition, the app allows you to access and create robust reports directly in the Splunk interface.


Want to learn more? Download Secret Server for Splunk Enterprise today!





Password Reset Server: Remind Your Users to Enroll With a Logon Script

27 11 2013

As a self-service password reset tool, Password Reset Server needs its end-users to enroll in the product by answering security questions. This becomes a challenge if you want users to start changing their passwords immediately, or if users are not responding to the enrollment reminders. Password Reset Server offers a couple of solutions to this problem.

First, Password Reset Server recently released Automatic Enrollment, which syncs users' Active Directory attributes (email, phone, address and so on) and lets those values serve as the answers to the end-user's security questions. This works well if the user profiles in Active Directory are accurate and up to date, and if you are using text, email or SMS based questions.

Second, if you want security questions that go beyond what is stored in AD attributes, a Logon Script can get your users to enroll. This suits organizations that also want more personal challenge questions, such as a user's "Favorite Food" or "Childhood Friend."

A Logon Script is a piece of code, usually a batch file or a Visual Basic or PowerShell script, that is deployed through Group Policy and runs as a user logs on to their machine. Password Reset Server exposes an API (its web services) that such a script can call to build personalized reminders for users who have not yet enrolled in Password Reset Server or completed their security questions.

Setting up a Logon Script is simple. First we wrote a script that calls the Password Reset Server Web Services <http://support.thycotic.com/KB/a382/calling-web-services-password-reset-server-with-powershell.aspx>, then we assigned it to run at user logon. The following PowerShell script checks the enrollment status of the current user and sends them to Password Reset Server if they are not yet enrolled; if they are already enrolled, it simply exits. Two things matter for a script that runs in every user's logon: address the web service over HTTPS, so the Windows credentials passed with -UseDefaultCredential are never negotiated over a plaintext channel, and catch an unreachable server so the script never interrupts a logon.

# Password Reset Server site (replace with your own host; keep it on HTTPS)
$server = 'https://www.MyPasswordResetServer.com'

try {
    # Call the Password Reset Server web service as the logged-on user
    $proxy = New-WebServiceProxy -Uri "$server/webservices/webservice.asmx" -UseDefaultCredential
    $enrolled = $proxy.UserEnrolled($env:USERDOMAIN, $env:USERNAME)
}
catch {
    # Server unreachable or call failed: do nothing rather than block the logon
    exit
}

if (-not $enrolled) {
    # Not enrolled yet: open the self-service portal in the default browser
    Start-Process "$server/PasswordResetServer"
}

After creating the script, assign it in Group Policy. Edit the GPO linked to the users you want affected and navigate to User Configuration > Policies > Windows Settings > Scripts (Logon/Logoff). Right-click Logon, select Properties, open the PowerShell Scripts tab and add your newly created script. The same tab lets you choose whether this GPO runs its PowerShell scripts before or after its other logon scripts. Click Apply and OK, and you have a logon script that prompts users to enroll in Password Reset Server if they have not already. It's that easy!





Are You Using One Time Passwords?

26 11 2013

Secret Server can easily be configured so that end users never see a password in order to use a resource such as a remote server. With Hide Launcher Password, the Secret's password is hidden from the user, who must instead use a Launcher to reach the machine or device. This makes it easier for admins to use long, complex passwords and improves security by removing the user's ability to write down or save the password. You can even create white- or black-lists <http://blog.thycotic.com/2013/05/03/restricting-user-input-for-launcher/> to restrict the devices users can launch into. Secret Server also has a Web Password Filler <http://blog.thycotic.com/2013/02/20/webinar-secret-server-web-password-filler/> for launching into website accounts.

Whenever possible (without impeding workflow, of course!) passwords should be revealed only when necessary. This keeps them from being written down or memorized and forces every use through the vault, so there is a full audit trail. Hiding the passwords for all of your accounts is not always possible, however. For instance, an administrator creating a new service will need to type that service account's password in by hand, which means reading it from Secret Server. You can certainly give the administrator permission to view the Secret's password, but doing so risks the password being compromised.

Secret Server's answer to this is Check Out. Check Out lets you configure how long a user has access to a given Secret. You can also have Secret Server change the password when that period expires or when the user checks the Secret back in.

Here's an example of how this can work. Say Sarah, our imaginary system administrator, checks out a Secret to perform maintenance on a couple of Windows servers. She writes the password down and gets to work on the servers using that Secret's credentials. Somewhere along the way she gets distracted and leaves her sticky note behind when she goes to grab a cup of coffee. Luckily, Check Out with expiration is configured: while she is out, the Check Out period ends, Secret Server checks the Secret in and changes the password automatically. When Sarah returns from her coffee break she has to go back to Secret Server for the new password. Her usage stays audited in the system, and the company is protected against the stray sticky note she has since forgotten. Companies that want an even stronger audit trail can combine Check Out with Require Approval for Access <http://blog.thycotic.com/2013/10/15/create-an-approval-workflow-for-sensitive-secrets/> to create a simple, secure workflow for their most sensitive accounts.





3 Ways Secret Server will Enhance your Identity Access Management Strategy

19 11 2013

It's important to have an Identity and Access Management (IAM) strategy, whether you are trying to meet a compliance standard such as PCI, SOX or FIPS, or you simply want accountability for what happens on your network. Secret Server can help administrators accomplish this in many ways. In this article we cover three features that help establish your IAM strategy.

1. Role-based access:

With roles, administrators can delegate permissions and access to the appropriate information quickly and easily. Integrating Secret Server with Active Directory lets you assign roles automatically based on existing Active Directory groups, so users see only the information they need to do their work and nothing more.


2. Audits and Reporting:

Every interaction a user has with a Secret creates an audit record of (1) the action, (2) who performed it and (3) exactly when it occurred. From the audit data, administrators can see exactly what users are doing in the system: how Secrets are shared between users, which Secrets are viewed most, and which users are not logging in at all.


3. Session Recording:

Secret Server can record everything that happens during a launched session. With the recording launcher, Secret Server captures a screenshot every second and compiles the images into a movie that is stored with the audit log. This is ideal for your most critical machines, where you want to know exactly what a user did while logged in. Should anything go wrong on those servers, the recording can be pulled from Secret Server to see exactly what occurred, which speeds up resolution.

Using these three features puts you on track to a complete Identity and Access Management strategy in which your team is both more productive and more secure.


If you are in Los Angeles this week for the Gartner IAM conference, stop by our booth # 210 or join us tonight at 5:45 PM PST for a drink in our “Made in DC” hospitality suite.





Reduce Help Desk Calls with Password Reset Server

12 11 2013

Any help desk or system administrator will tell you that their company spends far more time resetting end-user passwords than it should. Constant calls to the help desk for this simple but urgent problem eat up IT time that could be spent on other projects and support issues.

To help alleviate this problem, Thycotic Software developed Password Reset Server. Password Reset Server is a self-service password reset tool for Active Directory end-users. It makes the password reset process very simple and straightforward, with a Windows login integration for in-network employees and a web portal for those off-site.

Some of the main features of Password Reset Server include:

Self-Service Password Resets

End-users are put in charge of changing their own passwords. With secure identification, IT no longer has to be directly involved.

Automatic Enrollment

IT teams can bulk-enroll all employees. That way, users can simply log into the site and answer questions based on Active Directory attributes when they need to change their passwords.

Multi-factor Questions

Add security to ensure the correct person is resetting their password with multi-factor authentication, including verification via phone, email and SMS.

By providing a secure method for end-users to reset their Active Directory passwords, Password Reset Server helps reduce support demands on help desk staff and allows them to focus on other tasks while giving end-users a quick and easy interface for changing their own passwords.

Learn more about Password Reset Server at our upcoming webinar on Thursday, November 14, at 11:30am EST. We hope you’ll join us!

Register here for the Password Reset Server webinar





Create an Approval Workflow for Sensitive Secrets

15 10 2013

It's important to understand how to build a proper workflow in Secret Server for Secrets of a sensitive nature. For example, say you have a Secret for the admin account on your production web server. You want all of your web server administrators to have access to it, but only for a specific reason, such as an emergency, scheduled maintenance or a software installation.

To address this, Secret Server has a security feature called Require Approval for Access. With it enabled, a user gains access to a Secret only after entering the reason they need it and having that request approved. It can be used on any Secret in Secret Server. In our example, the web server admins would enter why they need to access the production web server.

Secret Access Request | Secret Server


After the web admin explains why he wants access to the production web server, an email is sent to one or more approvers. You choose who receives the email and is allowed to approve the request; every Secret has its own customizable approval list.

The approvers receive an email notifying them of the request. Inside Secret Server they can read the request, approve or deny it, and specify how long the user may have access to the Secret before having to submit another request.

Request Access for Workflow | Secret Server


The entire request-and-approval process is written to Secret Server's audit trail, so if questions arise later it can be checked.





The Value of SIEM and How to Integrate with Secret Server

1 10 2013

What is a SIEM tool and why should I use one?

SIEM (Security Information and Event Management) tools pull log and audit information from many sources across your network: access logs for building entry, computers, servers, network devices, databases and applications. A SIEM aggregates and correlates that data so you get a clear picture of what is happening across your network, and it provides real-time alerting when a pattern looks like a security breach.

Here's a quick example of how a SIEM tool can identify a breach. Say an employee, let's call her Sarah, comes to work every day around 9:00 am EST. She's an IT admin, so she badges into the building with her key card, logs into her computer and starts checking on the status of her assigned servers. Then one day her computer is accessed in the middle of the night, long before she typically comes in. She has not badged back into the building and her VPN connection was never activated. This could be a security breach, and someone had better start asking questions. A SIEM tool correlating the badge, VPN and logon records would have alerted the company that something was wrong.

Secret Server integrates easily with your existing SIEM tool. As a privileged account manager, it records a full audit of credential usage: who accessed what, and when. Secret Server can send that audit trail to the SIEM in syslog or CEF format. Once the data is in the SIEM, events from Secret Server can be compared against the other activity logs from across your network.

Now, say Sarah's company uses Secret Server with a SIEM integration for all admin passwords. One night someone logs into one of Sarah's servers as the local admin, but there is no record of anyone retrieving that password from Secret Server. The SIEM can recognize that a privileged login occurred without a corresponding Secret Server event, flag it as a potential breach, and alert the company.

Secret Server is partnered with two SIEM vendors, HP ArcSight and Splunk, with more integrations in the works. Find out more about Secret Server's SIEM integration and syslog output on our support page!
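As an added example (not Thycotic's code and not the Splunk app), the PowerShell below does in miniature what the Splunk post above and this post describe: it parses Secret Server CEF syslog lines, pulls out the high-interest events the Splunk post lists (checkouts, session launches, report access, Unlimited Administrator mode), and then correlates privileged Windows logons against Secret Server password retrievals, flagging any logon that has no retrieval behind it. The CEF signature names, the cs1 field carrying the Secret name, the rt timestamp layout, the sample log lines and the Secret-to-account inventory are all constructed assumptions for illustration; compare them with the CEF your own Secret Server emits before turning any of this into a production rule.

```powershell
# Added example, not Thycotic's code. ASSUMPTIONS: the CEF signature names,
# the cs1 field holding the Secret name and the rt timestamp layout are
# illustrative; check them against your own Secret Server syslog output.
Set-StrictMode -Version Latest

# Constructed Secret Server CEF lines (not real exported data).
$SecretServerCef = @'
CEF:0|Thycotic Software|Secret Server|8.4|10001|SECRET - VIEW|3|rt=Oct 01 2013 09:05:12 suser=CORP\sarah cs1Label=SecretName cs1=web01 local admin
CEF:0|Thycotic Software|Secret Server|8.4|10002|SECRET - CHECKOUT|3|rt=Oct 01 2013 09:05:30 suser=CORP\sarah cs1Label=SecretName cs1=web01 local admin
CEF:0|Thycotic Software|Secret Server|8.4|10050|UNLIMITED ADMINISTRATOR MODE ENABLED|8|rt=Oct 01 2013 14:20:00 suser=CORP\bob msg=Unlimited Administrator mode turned on
'@

# Constructed Windows Security 4624 logons (LogonType 10 = RDP), already
# normalized the way a SIEM would hold them.
$WindowsLogons = @(
    [pscustomobject]@{ Time = [datetime]'2013-10-01 09:07:45'; Server = 'web01'; Account = 'Administrator'; LogonType = 10 }
    [pscustomobject]@{ Time = [datetime]'2013-10-01 02:13:09'; Server = 'web01'; Account = 'Administrator'; LogonType = 10 }
)

# Assumed inventory of which Secret guards which local account.
$SecretToAccount = @{
    'web01 local admin' = @{ Server = 'web01'; Account = 'Administrator' }
}

function ConvertFrom-CefLine {
    # Header: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension.
    # Extension values may contain spaces, so a value runs until the next "key=".
    # Escaped pipes (\|) inside header fields are not handled.
    param([Parameter(Mandatory)][string]$Line)
    $parts = $Line -split '\|', 8
    if ($parts.Count -lt 8 -or $parts[0] -notmatch '^CEF:\d+$') { throw "Not a CEF line: $Line" }
    $ext = @{}
    foreach ($m in [regex]::Matches($parts[7], '(\w+)=(.*?)(?=\s+\w+=|$)')) {
        $ext[$m.Groups[1].Value] = $m.Groups[2].Value
    }
    if (-not $ext.ContainsKey('rt')) { throw "CEF line has no rt timestamp: $Line" }
    [pscustomobject]@{
        SignatureId = $parts[4]
        Name        = $parts[5]
        Severity    = [int]$parts[6]
        User        = $ext['suser']
        SecretName  = $ext['cs1']
        Time        = [datetime]::ParseExact($ext['rt'], 'MMM dd yyyy HH:mm:ss',
                          [Globalization.CultureInfo]::InvariantCulture)
    }
}

function Get-HighInterestEvents {
    # The events the Splunk post singles out, plus anything CEF rates severity 7+.
    param([Parameter(Mandatory)][object[]]$Events)
    $Events | Where-Object { $_.Name -match 'CHECKOUT|LAUNCH|REPORT|UNLIMITED ADMINISTRATOR' -or $_.Severity -ge 7 }
}

function Find-UncoveredLogons {
    # A privileged logon is covered when the Secret guarding that server/account
    # was viewed or checked out within $Window before it; anything else means the
    # password was used without going through the vault.
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [Parameter(Mandatory)][object[]]$Logons,
        [Parameter(Mandatory)][hashtable]$Inventory,
        [timespan]$Window = [timespan]::FromMinutes(60)
    )
    $retrievals = @($Events | Where-Object { $_.Name -match '^SECRET - (VIEW|CHECKOUT)$' })
    foreach ($logon in $Logons) {
        $secretNames = @($Inventory.Keys | Where-Object {
            $Inventory[$_].Server -eq $logon.Server -and $Inventory[$_].Account -eq $logon.Account })
        $covered = @($retrievals | Where-Object {
            $secretNames -contains $_.SecretName -and
            $_.Time -le $logon.Time -and ($logon.Time - $_.Time) -le $Window })
        if ($covered.Count -eq 0) {
            [pscustomobject]@{
                Time = $logon.Time; Server = $logon.Server; Account = $logon.Account
                Reason = "no Secret Server view/checkout in the $($Window.TotalMinutes) minutes before logon"
            }
        }
    }
}

$events = @($SecretServerCef -split "`r?`n" | Where-Object { $_ } | ForEach-Object { ConvertFrom-CefLine $_ })

'High-interest Secret Server events:'
Get-HighInterestEvents -Events $events | Format-Table Time, User, Name, Severity -AutoSize

'Privileged logons with no Secret Server retrieval behind them:'
Find-UncoveredLogons -Events $events -Logons $WindowsLogons -Inventory $SecretToAccount |
    Format-Table Time, Server, Account, Reason -AutoSize
```

On the constructed data the first function surfaces the checkout and the Unlimited Administrator mode change, and the second flags only the 02:13 logon to web01: the 09:07 logon is preceded two minutes earlier by a view of the Secret that guards that account. The 60-minute window is the knob to tune; Check Out with expiration (described earlier in this blog) gives you a natural value, since after the checkout period the password is changed and the old one should produce no further logons at all.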





Using Secret Server to Help Maintain Compliance Mandates

24 09 2013

Secret Server is a powerful, flexible tool which can help your organization meet a variety of compliance mandates, such as SOX, PCI, HIPAA and more. In this article we are going to review several ways you can utilize Secret Server to maintain compliance by securely managing your privileged account credentials.

Centralizing Your Sensitive Information
Before you can start managing your privileged accounts, they have to be located and stored securely in Secret Server. That means removing them from wherever they are currently kept (an Excel spreadsheet, a personal password manager) and placing them in Secret Server, which centralizes all privileged and shared accounts and provides full auditing of activity on them.

Compliance tip: This helps with SOX, which requires you to demonstrate control over who can access the systems and data behind your financial reporting; a single encrypted, audited vault is far easier to evidence to an auditor than credentials scattered across spreadsheets.

You can do this in a few ways:

  1. Importing. Using a CSV or XML file, you can directly import your data into Secret Server.
  2. Migration. The Migration Tool imports credentials from several personal password management systems such as KeePass or Password Safe.
  3. Discovery. Discovery scans your network and imports local Windows accounts and the service accounts running Windows services.

Set up permissions, access and roles
Once credentials are secured in Secret Server, decide which users may access each one and what each user may administer. Secret Server uses a permission structure reminiscent of Windows file permissions to delegate access to information, with a full audit trail.

Compliance tip: This relates to PCI DSS, which requires that access to network resources and cardholder data be tracked and audited.

Permissions allow you to store information from multiple groups and departments while managing exactly which users have access and have been accessing sensitive information.

Roles in Secret Server can be split between different users so that no single user has full control of the system, giving granular control over what each user can do.

Password creation and regular rotation 
A big part of most compliance standards is using strong passwords and updating passwords on a regular basis. Secret Server can automate password changing on a wide variety of devices and accounts.

Compliance tip: This is an important piece of many compliance standards, including HIPAA, whose Security Rule calls for procedures for creating, changing and safeguarding passwords.

Passwords can be changed automatically on a fixed schedule or immediately on demand. Secret Server can also report every Secret a given user has access to and queue all of them for remote password changing with a few clicks. This is especially helpful when someone leaves the company and every credential they knew needs to be rotated.

Remote Password Changing generates new passwords appropriate to each type of account. With Password Requirements you specify the password length, the character classes to use, and how many characters of each class must appear.

These are just a few ways Secret Server can help your organization maintain compliance. Next week we will discuss the benefits of using a SIEM tool with Secret Server.







