Secret Server iOS 7 Mobile App Upgrade

7 10 2013

As iOS users may have noticed, our Secret Server app received an upgrade with the recent release of iOS 7. The most noticeable sign the app was upgraded is a fresh user interface. However, there are a few other aspects of the latest update that are worth highlighting.

View & Edit Restricted Secrets
Previously, users could not view restricted Secrets from the mobile app. Now, Secrets that have the advanced security settings Require Comment, Require Approval and CheckOut are also accessible from your mobile device.

Require Comment_iOS app update post_2013

Require Comment

 

Require Approval

Require Approval

Checkout

CheckOut

When viewed through the mobile app, Secrets that require a comment will receive an audit entry called WEBSERVICEVIEWCOMMENT to help differentiate comments in the audit log:

ViewWebserviceView_iOS app update post_2013

These restricted Secrets will not be cached. Therefore, a user must re-enter information after a 5-minute period (for Require Comment) or when the approval period ends (for Require Approval and CheckOut).

More Information

If you don’t yet use the mobile app and/or would like more information, please see the following articles in our Knowledge Base:

Using the iOS 7 Mobile App with Secret Server Installed Edition

Using the iOS 7 Mobile App with Secret Server Online





The Value of SIEM and How to Integrate with Secret Server

1 10 2013

What is a SIEM tool and why should I use one?

SIEM (System Information and Event Management) tools are a type of software that pulls in log and audit information from multiple sources across your network. This can include access logs for building entry, computers, servers, network devices, databases and applications. SIEM tools can aggregate all the data pulled so that you can get a clear picture of what is going on across your network by correlating events. It also provides real-time alerting in the case of security breach.

Here’s a quick example of how a SIEM tool can identify a breach. Say an employee – let’s call her Sarah – comes to work every day around 9:00 am EST. She’s an IT admin, so she beeps into the building with her key card, logs into her computer and starts checking on the status of her assigned servers. But, one day her computer is accessed in the middle of the night, long before she typically comes in. She hasn’t beeped back into the building and her VPN connection was never activated. This could be a security breach and someone better start asking questions. If the company had a SIEM tool, it would have alerted the company that something was wrong.

Secret Server can easily integrate with your existing SIEM tool. As a privileged account manager, Secret Server records a full audit of credential usage – who accessed what and when.  Secret Server can take this audit trail and send all of its information to the SIEM tool using Syslog or CEF format. Once the data is in the SIEM tool, it will compare events from Secret Server to other usage audits throughout your network.

Now, say that Sarah’s company used Secret Server with a SIEM integration for all admin passwords. One night, someone logged into one of Sarah’s servers as the local admin, but there was no indication that anyone logged into Secret Server to retrieve the password. The SIEM tool would be able to tell that a login occurred without Secret Server and flag it as a potential breach. The SIEM tool would then alert the company of the potential breach.

Secret Server is partnered with two SIEM tools, HP ArcSight and Splunk, Inc., with more integrations in the works. Find out more about Secret Server’s SIEM integration and syslog output on our support page!





Using Secret Server to Help Maintain Compliance Mandates

24 09 2013

Secret Server is a powerful, flexible tool which can help your organization meet a variety of compliance mandates, such as SOX, PCI, HIPAA and more. In this article we are going to review several ways you can utilize Secret Server to maintain compliance by securely managing your privileged account credentials.

Centralizing Your Sensitive Information
Before you can start managing your privileged accounts they must be located and stored securely in Secret Server. This means removing them from where they’re currently stored (such as an Excel spreadsheet or personal password management tools) and placing them into Secret Server; centralizing all privileged and shared accounts while providing full auditing of the activity on those accounts.

Compliance tip: This is useful for complying with SOX as it mandates that your sensitive information be stored in a centralized encrypted vault.

You can do this in a few ways:

  1. Importing. Using a CSV or XML file, you can directly import your data into Secret Server.
  2. Migration. The Migration Tool imports credentials from several personal password management systems such as KeePass or Password Safe.
  3. Discovery.  With Discovery you can easily scan your network and import Local Windows Accounts and Service Accounts running Web Services.

Setup permissions, access and roles 
Once credentials are secured in Secret Server you will want to organize access control for each user and what privileges a user has to administer their accounts. To do so, Secret Server simply utilizes a permission structure reminiscent to that of Windows to easily delegate access to information with a full audit trail.

Compliance tip: This relates to PCI compliance as it mandates an audit be kept of access to network resources.

Permissions allow you to store information from multiple groups and departments while managing exactly which users have access and have been accessing sensitive information.

Role based access in Secret Server can be broken down between different users so that no one user has full control of the system, giving granular control of user ability.

Password creation and regular rotation 
A big part of most compliance standards is using strong passwords and updating passwords on a regular basis. Secret Server can automate password changing on a wide variety of devices and accounts.

Compliance Tip: This is an import piece to many compliance standards included in HIPAA regarding regularly changing passwords for credentials.

Passwords can be changed automatically on a fixed schedule or can be set to change immediately. Secret Server also has the ability to report all information that a user has access to and queue them for remote password changing with a few clicks. This is especially helpful for when someone leaves the company and all their credentials need to be changed.

Remote Password Changing can generate passwords for the accounts based on the type of account. With Password Requirements you can specify the length of password, types of characters used, and the frequency that they show up.

These are just a few ways Secret Server can help your organization maintain compliance. Next week we will discuss the benefits of using a SIEM tool with Secret Server.





Integration Spotlight – Secret Server and Devolutions Remote Desktop Manager

17 09 2013

 

In this week’s webinar we will be diving into the integration of Devolutions Remote Desktop Manager and Secret Server. Since the software integration in 2011, users have been securing their credentials through Secret Server and remote connections using Remote Desktop Manager after several client requests. Since then, administrators have been able to use both solutions for greater convenience and added security.

Using Secret Server, you can securely store and audit access your login credentials. With Remote Desktop Manager, you can centralize your remote connections that use programs such as Remote Desktop, PuTTy, Team Viewer, and more. With the integration of Secret Server, Remote Desktop Manager seamlessly retrieves the login credentials from your Secret Server account. Using these two programs in conjunction with each other provides your company with a secure, centralized way to store, manage, and utilize your credentials for remote connections.

Join product managers Ben Yoder, Thycotic Software, and Maurice Côté, Devolutions, as they demonstrate the features and benefits of both solutions this Thursday September 19th at 11:30 AM EST. Be sure to register today!





Securing Web Browsers Through Group Policy

9 09 2013

When developing a workflow to manage shared credentials, it’s important to take into account certain environmental factors that may cache credentials on their own. These factors can decrease security around shared credentials.

This week, we’ll focus on securing your web browsers through group policy.

Disable Password Caching for IE

Note: these instructions are specific to Windows Server 2012, however may be similarly applied in Windows Server 2008.

Caching of passwords and auto-completion of usernames and passwords used in IE can be disabled from the Group Policy Management Editor under:

  •  User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer

Here, you can disable “Turn on the auto-complete feature for user names and passwords.”

Group Policy Management Editor

This will also prevent users from re-enabling the setting:

Web Browser Caching 2

Restriction of password caching in Mozilla Firefox

Locking down settings in Firefox requires use of a third-party extension. One extension that we tested is called FirefoxADM, which provides adm files that add the ability to configure Firefox settings through Windows Group Policy. However, this only seemed to work with older versions of Firefox. Other extensions and tools exist, however are not officially supported by Microsoft for use in a Windows environment.

Disable Password Caching in Google Chrome for Business

Google Chrome for Business allows for policies relating to Google Chrome to be defined at either user or device level.

The Google Chrome Password Manager can be disabled at the user level by logging into the Google Admin console and navigating to the Settings menu. After selecting the “User Settings” menu, select an OU and under the Security settings disable Password Manager.

The Google Chrome Password Manager can be disabled at the device level through Windows GPO by adding two REG_DWORD values to the Windows registry at HKEY_LOCAL_MACHINE\Software\Policies\Chrome called PasswordManagerEnabled and PasswordManagerAllowShowPasswords, each with a value of 0×00000000.

Web Browser Caching 3

Disabling the Password Manager takes away the users’ ability to enable the “Offer to save passwords I enter on the web” setting in Chrome.

Web Browser Caching 4

Controlling credential caching in Mac OS X

Safari cannot be easily managed in a Windows environment, however Mac OS X Server provides a tool called Server Admin that may facilitate control of Safari settings in the OS X environment. Third-party tools are also available for this purpose.

Web Password Filler

Once you’ve secured your browsers, you can still utilize the credentials stored in Secret Server by using the Web Password Filler. For more information, see this blog post.





Importing Credentials into Secret Server Part Two of Two

3 09 2013

In our last post we discussed importing secrets manually into Secret Server using our Migration Tool and built in CSV and XML import. This week we are going review how to automatically import credentials into Secret Server.

Discovery in Secret Server

Discovery is a major feature in Secret Server with two main functions:

  1. Scan your network for local Windows accounts and import them as Secrets. With Discovery Rules, this process can be automated to run on a schedule, and new accounts will be imported based on a set parameters that you establish.
  2. Scan your network and pull in Windows services, attaching them as dependencies to current Secrets or creating new Secrets based on the particular account running the service.

How to Set Up Discovery

Setting up Discovery is simple.

  1. On the Administration>Discovery page, check the box enabling Discovery.
  2. Set the interval that you want Discovery to perform scans of the domain.
  3. Create a domain for Discovery to run against: on Administration>Discovery, click Edit Domains and then click Create New. Here you will enter the Fully Qualified Domain Name. Use an account that has access to all the machines you would like to discover and the ability to change the passwords for those accounts.
  4. Check the Enable Discovery box for the new domain and then click Save and Validate. Secret Server will confirm that it can reach your domain.

Once Discovery is turned on, it will start running scans throughout the network. This occurs in batches so as to not bog down your network.

Import Accounts using Discovery

  1. When the scans finish, click Discovery Network View on the Administration>Discovery page.
  2. You will see two tabs, one for local Windows accounts and another for service accounts. This page enables you to find the accounts you would like to import. It allows you to filter computers based on organizational unit (OU) and search for specific computers and accounts.
  3. Check the accounts you wish to import and click the import button. Secret Server will automatically create a Secret for each. You also have the option of changing the passwords for the accounts when the Secrets are created.

Using the API to Create Secrets

The final method of importing Secrets is to use our API to programmatically create the Secrets. The Secret Server API allows basic functions to be performed on Secrets, such as creating, deleting or modifying.

The API is especially useful when you have an existing script that already provisions accounts. Secret Server provides web service API calls that can be added to your existing script in order to create Secrets after your new accounts are provisioned.

After Secrets are imported, the API can also be used if you have third party applications that need credential access (i.e. the API can then be used to programmatically provide credentials stored in Secret Server). The API is also good for updating existing Secrets. For example, if your domain name has changed, you can use the API to quickly update all applicable Secrets to match the new domain.

Check out our Knowledge Base and API Guides located on the Secret Server technical support page for examples on how to utilize Secret Server’s API.





Importing Credentials into Secret Server Part One of Two

28 08 2013

After installing Secret Server and thinking through your Folder and Permission structure, the next step is to import information into Secret Server.

Secret Server provides multiple tools to quickly import information into Secret Server, whether you are currently using sticky notes, Excel spreadsheets or a personal password tool such as KeePass. Secret Server can also automatically create the Secrets and manage passwords for your local Windows accounts and Windows service accounts through the Discovery Feature. In this post, we will focus on how to import Secrets from Excel spreadsheets and other personal password tools. Part Two will discuss how to set up Discovery to automatically import accounts and use the API to create Secrets.

Migration Tool Import

Secret Server has an Import Migration Tool that will allow you to pull information from KeePass, Password Safe and Password Corral. The Migration Tool generates a new Secret Template to match the fields native to the password tool. It will then generate a CSV with your information and upload it to the new Template. You can also have the Migration Tool use the folder structure from your existing password tool and bring that into Secret Server. Once Secrets are imported into Secret Server, they can have their templates converted using our Bulk Operations to make full use of Launchers and Password Changers.  You can download the Migration Tool Here <link> or you can find a link within your Secret Server by going to Tools<Import Secrets.

CSV Import

Secret Server supports importing from a CSV file for password tools that are not natively supported by the Migration Tool or for importing from Excel Spreadsheets. There are three ways to import manually from a CSV file.

Option 1:  Mimic what the Migration Tool does and create a new Secret Template to match the existing information fields. Import the entire file into the new template. Once the data is imported, convert Secret Templates manually to templates that match the information stored within.

Option 2:  Create separate CSV files before importing so that information is grouped by template type, such as one CSV for Active Directory Accounts, another for Windows Accounts, etc. Next, organize the fields to match existing templates within Secret Server. The easiest way to organize the fields is by using a spreadsheet editor. To see the fields that are used for a Template, navigate to Tools<Import Secrets and then select the template from the drop-down box. Note: the only required field during import is the Secret Name field.

XML Import

The final text-based method of importing Secrets is using our XML import. This is usually only done by advanced users and is generally used when re-building Secret Server from an XML export. The XML import can create Secret Templates and Folders, specify Secret permissions, and even set Dependencies on import. For an example XML file click here.

Check back next week to learn about importing accounts automatically with Discovery and creating and updating Secrets using our API.






Conventions for Naming Secrets

9 07 2013

When first adding Secrets to your Secret Server account, one of your questions might be, “What should I name my Secrets?” This is a great question and one that we recommend thinking about for any new Secret Server customer. Secret names should be descriptive, but should not reveal any sensitive data. An option for Administrators to ensure Secrets are easily identifiable in Reports and in searches is to use naming requirements. For example, UserName\DeviceName. Whatever naming convention you choose, it will simplify your experience in the long-term.

Once you create a name convention, you will want to be able to enforce the naming requirements. Secret Server can use Regex to validate a Secret name upon creation. This will ensure that Secret names will match a desired pattern. Naming patterns are assigned by Secret Template.

For this example, we’ll walk you through the steps set naming rules for a Secret Template by using the Windows Server 2008 R2 Local Admin Account Template. First, visit Administration > Secret Templates. Next, select the Windows Account and click Edit. The current Template configuration and fields will appear, and then you will want to click Change. Now, you can enter Regex. For this example, we want all Secrets using this Template to be named the following: admin\computername-PC

To enforce our chosen naming pattern we will use the following Regex: ^admin\\\w+-PC$

Now you can set the Error Message that will appear when users attempt to create a Secret using a name that does not match your chosen pattern. In this case, we’ll have the error message say “Secret Name must be admin\computerName-PC”

SecretNaming





Password Requirements in Secret Server

28 06 2013

An important part of account security is choosing a strong password to be used to protect the account. The biggest challenge for most users is designing a strong password – one that contains at least eight characters consisting of a mix of upper- and lower-case letters, numbers, and symbols. It can be tedious and time consuming for an administrator whose task it is to design and manage passwords for a large a number and variety of accounts. In most all cases, each of these accounts will have their own password requirements including minimum and maximum character length along with their own set of illegal characters.

Password Generator

Secret Server solves the problem of creating strong, complex passwords with its Password Generator. This feature will generate passwords containing a random assortment of characters to be used for any account, and may be used in conjunction with Remote Password Changing.

Password Requirements

Secret Server’s Password Generator creates passwords in compliance with Password Requirements that are assigned at the Secret Template level. You can view the Password Requirements that are already available to you by going to Administration>Secret Templates and clicking “Password Requirements”. Note the Default Password Requirement – this is used for new Secret Templates by default and may be edited. To create a new set of Password Requirements, click “Create New.”

On this page, you can set the following parameters:

  • Password length
  • Types of characters required (Character Sets)
  • Minimum number of each character type required
  • Minimum frequency that each character type may appear

Password Requirements use Character Sets to group characters that may be required or excluded from requirements.

Character Sets

Character Sets may also be edited at any time and customized based on the requirements of the account type you plan to generate passwords for. You can create, view or edit Character Sets by clicking “Character Sets” on the Secret Templates page.

Below is a sample Password Requirement that we created for Local Windows Accounts:

PasswordRequirments





Restricting User Input for Launcher

3 05 2013

A new feature in Secret Server is the ability to control which servers users are able to connect to using a Launcher. This can be done by specifying a list of machines or servers on a Secret in a notes field. This list can either be a whitelist or a blacklist of servers the Launcher is able to connect to.

When configured as a whitelist, a list of possible servers will be presented for users to select to launch. This prevents users from logging in to places they should not be, and adds convenience by not having to remember the name of each server.

When configured as a blacklist, this allows users to enter the machine or server name as they normally would, however would prevent them from connecting to those machines which are blacklisted. This will prevent unauthorized use of credentials in your environment.

RDP1

Enabling this feature is simple through Secret Server. Navigate to Administration, Secret Templates, then select any template with a Launcher attached such as the Active Directory Account or Windows Account Template and click Edit. There, you can select Configure Launcher, and Edit.

In the Advanced section, enable Restrict User Input by checking the checkbox, and configure accordingly. When mapping a field to Restrict By Secret Field, specify a field from the template. The values for the whitelist or blacklist will be based on that field for Secrets, and can be comma separated to specify multiple machines or servers.

RDP2

Then it’s configured.








Follow

Get every new post delivered to your Inbox.

Join 30 other followers