Secret Server Disaster Recovery 101

22 04 2014

Part 1: Form your DR plan

Just like any tool that enhances your company’s security, the security of the tool itself is of ultimate importance. That means no backdoors and no way for Thycotic or anyone other than yourselves to decrypt your data. That design choice is essential, but it also makes a disaster recovery plan critical: it is the only way to ensure your organization’s data and hard work will be preserved in any scenario. Secret Server is designed with multiple DR options – below is a guide to the fundamental points of Secret Server disaster recovery. Don’t forget to review your disaster recovery plan regularly to make sure it meets your current needs.

The “absolute minimum” backup plan

At minimum, have a backup of your encryption.config file and database. This is the MOST IMPORTANT part!! We can’t emphasize this enough. If you lose your database, you lose your data, and if you lose your encryption.config file, you lose any ability to read that data.

For your security, we do not hold copies of anyone’s encryption.config file.

Back up your encryption.config file by copying it from your Secret Server application directory. See Choose your backup option, below, for more information about taking a manual backup of your SQL database.

The comprehensive backup plan

Backing up your database and encryption.config file will allow you to restore Secret Server in an emergency, but will likely require the assistance of technical support if you don’t have the application files as well.

For a more comprehensive backup, back up the entire Secret Server application directory. This will preserve not only your encryption.config file but also the application files matching the Secret Server version of your database and files such as the web-appSettings.config that you may have customized with additional settings.

Choose your backup option

So how do I perform the backups, you might ask?

  • Back up files through the Secret Server UI. Do this from Administration > Backups. Specify a file path to back up the files. From this page, you can either perform a backup right away or configure automatic backups. For further details, see the Backup/Disaster Recovery section of the User Guide.
  • Back up files through Windows on the server(s) hosting Secret Server. This involves (1) taking a backup of the database through SQL Server Management Studio, and (2) sending the Secret Server application directory to a .zip file. See How to manually backup Secret Server for instructions.

Choose your backup paths wisely. Remember that you’ll need the files in the event that your primary servers go down, so backing them up to the same local server won’t do you any good.

Whether you choose to manage backups through Secret Server, manually, or with another tool in your environment, make sure they’re done regularly, and as a standard process before major changes are made to the server, such as migrating or upgrading Secret Server.
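As an added example (not Thycotic’s script, and not the UI backup described above), the PowerShell job below performs the two manual steps in one run: a full SQL backup through sqlcmd, a zip of the application directory, and a check that encryption.config actually landed in the archive before the job reports success. The SQL instance, database name, application directory and backup share are placeholders to adjust; the share must be off the Secret Server box, and the SQL Server service account (which is what writes the .bak file) needs write access to it.

```powershell
# Added example, not Thycotic's code. All four parameter defaults are placeholders.
param(
    [string]$SqlInstance = 'SQLSERVER01\SECRETSERVER',          # placeholder
    [string]$Database    = 'SecretServer',                      # placeholder
    [string]$AppDir      = 'C:\inetpub\wwwroot\SecretServer',   # placeholder
    [string]$BackupRoot  = '\\BACKUPHOST\SecretServerDR'        # placeholder: must be off-box
)

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$target = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $target -Force | Out-Null

# 1. encryption.config is the non-negotiable item: refuse to produce a backup without it,
#    because a database backup alone can never be decrypted.
$encConfig = Join-Path $AppDir 'encryption.config'
if (-not (Test-Path $encConfig)) {
    throw "encryption.config not found in $AppDir; aborting backup."
}

# 2. Database: full backup via sqlcmd (-E = Windows auth, -b = non-zero exit on SQL error).
#    SQL Server itself writes the .bak, so its service account needs rights on $target.
$bakPath = Join-Path $target "$Database.bak"
$sql = "BACKUP DATABASE [$Database] TO DISK = N'$bakPath' WITH INIT, CHECKSUM"
& sqlcmd -S $SqlInstance -E -b -Q $sql
if ($LASTEXITCODE -ne 0) { throw "SQL backup failed with exit code $LASTEXITCODE" }

# 3. Application directory: captures encryption.config, web-appSettings.config and the
#    application files matching the version of the database just backed up.
$zipPath = Join-Path $target 'SecretServer-appdir.zip'
Add-Type -AssemblyName System.IO.Compression.FileSystem
[System.IO.Compression.ZipFile]::CreateFromDirectory($AppDir, $zipPath)

# 4. Verify before declaring success: .bak exists and the zip contains encryption.config.
$zip = [System.IO.Compression.ZipFile]::OpenRead($zipPath)
try {
    $hasEnc = $zip.Entries | Where-Object { $_.FullName -eq 'encryption.config' }
} finally {
    $zip.Dispose()
}
if (-not (Test-Path $bakPath) -or -not $hasEnc) {
    throw "Backup verification failed in $target"
}

# 5. Record SHA-256 hashes (Get-FileHash needs PowerShell 4.0+) so a restore can confirm
#    the copies were not altered or corrupted in transit.
Get-ChildItem $target -File | Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $target 'manifest.csv') -NoTypeInformation

Write-Output "Backup written to $target"
```

Schedule it with Task Scheduler under an account that can read the application directory and write to the share, and run it by hand before any upgrade or migration, as the section above recommends. The manifest is what lets you tell a good restore from a silently truncated copy.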

Know the important accounts

Know which accounts are running your application pool and connecting Secret Server to the SQL Server database. In the event that you need to set up Secret Server on a backup server, you will need to know which account(s) to use to run the application pool and connect Secret Server to the SQL database. These accounts are configured during installation. For more information about the accounts (including how to determine the identity running your application pool), see the Installation Guide.

Know your local admin account password

Can’t log in with domain credentials? When troubleshooting login issues for domain accounts, you’ll need to have the ability to log in with a local account that has administrative rights. (Remember that local admin account you created when first installing Secret Server?) Knowing these credentials will allow you to log into Secret Server when your domain authentication isn’t working and access Active Directory sync issues. Keep a reminder of this account in a safe place, such as a safe; if Secret Server is down, you won’t be able to log in to find it. One suggestion: store a cleartext export of your most important Secrets as a printed copy in a safe or other physically secure location. See the User Guide for more information about cleartext exports.

Make use of our support number

If you are preparing for disaster recovery or find yourself in an actual DR situation, our technical support team is available to help! Give us a call and we’ll help you get things sorted out.

Contact Support

Keep an eye out for Part 2 of our disaster recovery review, where we’ll cover how to use your backups to restore Secret Server in a DR scenario.


Get Increased Control for Identity Verification with Password Reset Server’s Latest Upgrade

15 04 2014

Password Reset Server’s most recent upgrade to 3.2 gives greater control over the identity verification process by allowing administrators to define which questions users must answer correctly.

Now, verification questions can be marked as Optional, Required or Grouped.

Required Questions

Administrators can now mark specific questions as Required, meaning that users will have to provide correct answers to required questions during enrollment and will have to answer the questions correctly during a password reset.

Grouped Questions

Questions can also be marked as Grouped. This will display all questions in the group during a password reset, but the user only has to answer one of the grouped questions correctly. This option is especially useful for companies requiring multifactor authentication, as it gives users the option to choose the multifactor method of communication that works best for them at the time.

Here’s how this can work: Set three multifactor questions as Grouped: email, SMS and phone. During enrollment, the user will be required to enter their email address, SMS number and phone number. Then, during a password reset, the user can choose which multifactor question to answer correctly, so if they are only able to access email at the time, they can answer the email verification question correctly.

[Image: Password Reset Server enrollment]

Security Policy question configuration: Three multifactor questions are marked as grouped (requiring 1 correct answer out of 3), an image question is required, and the user will choose two of the optional questions to answer during enrollment.

[Image: Password Reset Server security questions]

Questions during enrollment: Required questions are marked with an exclamation point (!) and optional questions can be selected from the drop-down menus.

For a chance to see the new features in action, join us for our webinar this Thursday, April 17 at 11:30 a.m. EDT!





Phew. Thycotic solutions remain unaffected during devastating Heartbleed vulnerability.

11 04 2014

The recent OpenSSL vulnerability CVE-2014-0160, or “Heartbleed” is affecting millions of SSL-enabled web servers worldwide; estimates are somewhere between 60% and 80% of servers are affected by the deadly bug. It’s the perfect example of a worst-case scenario: Heartbleed gives attackers the ability to reveal your server’s private SSL key by recovering just enough SSL key material.

We’re fortunate to announce that Thycotic has remained completely unaffected by this vulnerability, as our solutions are built on a Microsoft stack that doesn’t use any form of SSL technology. Our customers and partners can rest assured. However, it’s important to let others know what they can do to avoid an attack during this time.

While many tech news and media sites are advising consumers to rapidly change all web passwords that may have been affected by the Heartbleed bug, there’s still a risk for IT administrators, web admins and developers managing servers affected by the vulnerability. Question is… how do you prevent an attack while vulnerable?

Keep servers safe during Heartbleed

Website administrators were advised to patch their OpenSSL libraries on their servers to address the problem. But Heartbleed goes deeper than just patching OpenSSL. OpenSSL includes a general purpose API that software developers can use as part of their software. This is where static linking comes into play.

Static linking. Developers may choose to statically link to OpenSSL. Static linking allows developers to include OpenSSL within their software and it becomes embedded at compile time. Since the OpenSSL library is embedded in the software, upgrading the OpenSSL package on the operating system alone won’t update the OpenSSL version that software programs may have linked to statically.

Update all software, not just SSL. It is highly advisable that all software that makes use of OpenSSL technology be updated. Software vendors that statically link to OpenSSL should release updates for their software immediately by using a patched version of OpenSSL.
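A defender-side inventory check, added here and not part of the original post: the PowerShell script below walks a directory tree and reports every executable or DLL that embeds an OpenSSL version banner, flagging builds in the Heartbleed range (OpenSSL 1.0.1 through 1.0.1f; 1.0.1g carries the fix). It demonstrates the static-linking point above: a banner found in anything other than the OpenSSL DLLs themselves means that program has OpenSSL compiled in, so only a vendor update fixes it. The root path, report file name and the DLL-name heuristic for telling dynamic from static linkage are assumptions.

```powershell
# Added example, not Thycotic's code. Inventories binaries that carry an OpenSSL
# version banner and flags the versions affected by CVE-2014-0160.
param(
    [string]$Root   = 'C:\Program Files',        # placeholder: tree to inventory
    [string]$Report = '.\openssl-inventory.csv'  # placeholder: where to write results
)

# OpenSSL 1.0.1 through 1.0.1f are affected; 1.0.1g (7 April 2014) and later are fixed.
$affected = @('1.0.1', '1.0.1a', '1.0.1b', '1.0.1c', '1.0.1d', '1.0.1e', '1.0.1f')

# OpenSSL embeds a banner such as "OpenSSL 1.0.1e 11 Feb 2013" in its own DLLs and in
# any program that links it statically. Only the version token is captured.
$pattern = [regex]'OpenSSL (\d+\.\d+\.\d+[a-z]?)'

$results = Get-ChildItem -Path $Root -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        try {
            $bytes = [System.IO.File]::ReadAllBytes($file.FullName)
        } catch {
            return   # unreadable (locked or access denied); skip it
        }
        # Banners are ASCII; Latin-1 decoding maps every byte to one character so the
        # regex can run over the raw file without mangling anything.
        $text = [System.Text.Encoding]::GetEncoding(28591).GetString($bytes)

        # Heuristic (assumption): libeay32.dll / ssleay32.dll are the OpenSSL libraries
        # themselves; a banner in any other file means OpenSSL is embedded statically.
        $linkage = if ($file.Name -match '^(lib|ss)leay32\.dll$') { 'dynamic library' } else { 'static (embedded)' }

        $seen = @{}
        foreach ($m in $pattern.Matches($text)) {
            $ver = $m.Groups[1].Value
            if ($seen.ContainsKey($ver)) { continue }   # report each version once per file
            $seen[$ver] = $true
            $status = if ($affected -contains $ver) { 'VULNERABLE' } else { 'not affected' }
            [pscustomobject]@{
                Path       = $file.FullName
                OpenSSL    = $ver
                Linkage    = $linkage
                Heartbleed = $status
            }
        }
    }

if ($results) {
    $results | Export-Csv -Path $Report -NoTypeInformation
    $results | Where-Object { $_.Heartbleed -eq 'VULNERABLE' } | Format-Table -AutoSize
} else {
    Write-Output "No OpenSSL banners found under $Root"
}
```

A hit reported as "static (embedded)" is exactly the case the section describes: replacing the OpenSSL package on the operating system leaves that program vulnerable, so it belongs on the list of vendor updates to chase. Banners can be stripped or renamed by a vendor, so an empty result is evidence of absence only for builds that keep the default version string.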

Keep clear, steady communications with customers. Make sure that as you’re updating systems and sending patches you’re also communicating these actions with your customers regularly. Consumers are rapidly changing web passwords and scrambling to protect their most valuable, personal data. Clear communications to your customer base (whether consumer or business) will help everyone stay on the same page and mitigate the most risk by using best practices during this time.





Empower the User: Group Provisioning within Group Management Server

8 04 2014

Group Management Server already relieves a lot of stress and extra work for IT Administrators. With the latest release, we just made IT admins lives even easier by streamlining the process for creating new AD groups through Group Provisioning.

What does this mean for you?

Think of this everyday scenario: The Marketing Team just started a project and they need a new mailing list for participants. Typically, the project leader would have to submit a request to IT for the new mailing list before they could add members in Group Management Server. With Group Provisioning, the entire process is simplified. Now, the marketing project leader can submit a new group request, including group members, directly through Group Management Server. The IT administrator will receive the request through the Group Management Server interface, and can immediately approve and create the group.

Helpful Tip: Use Group Provisioning alongside Group Membership Expiration to keep your Active Directory free from outdated group clutter.

Conclusion: Group Provisioning = Streamlined group creation.

Not using Group Management Server, but interested in learning more? Request a free trial here.





Introducing Secret Server 8.5 Pt. 3: Better Access Control with Secret Server Group Ownership

3 04 2014

Secret Server 8.5 adds a number of new features and functionality. These new features are pretty awesome, so we decided this release deserves a little extra showcasing. Check back each week through April to learn something new about 8.5 and how it will increase your team’s overall security and productivity. Today’s post focuses on implementing better user access control with Group Ownership. Enjoy!

This week we’re spotlighting the Group Ownership feature. Remember when giving a user group administration privileges meant trusting them with access to membership for all groups in Secret Server? That practice is long gone. Now, administrators can delegate group membership privileges to other users for their specific groups only. The result? Less burden on Secret Server administrators to manage groups, and more control for teams over their own individual groups.

Underlying Concept

Ready for the details? Here’s how it works:

An administrator (or any user with the Administer Groups role permission), chooses a local group to edit. By default, the group is managed by “Group Administrators,” but administrators can now select one or more “Group Owners” to manage the group instead. Group Owners can be multiple individuals and/or other groups. Once a group has been switched to the “Group Owners” model, Group Administrators will no longer have inherent permissions to make any changes to that group. As soon as a user is designated a Group Owner, they’re automatically assigned the Group Owner role. The Group Owner role will allow them to access the Groups administration page, where they will see only the groups they’re an owner of and have the ability to add or remove group member and owners.

[Image: Secret Server Group Edit]

Control Folder/Secret Permissions using Group Membership

With the addition of Group Ownership, delegating Secret and Role permissions becomes a more streamlined process. After providing a group permissions to a specific folder and then assigning a Group Owner, the Group Owner will be able to manage membership of the group, which effectively controls permissions to that folder of Secrets.

[Image: Secret Server Folder Name]

Stay tuned next week for a look at the new SSH Proxy features! Hopefully you’ve had a chance to test drive the new 8.5 features in Secret Server, what do you think? Do you have a favorite 8.5 feature? Share your favorites in the comment section below.






Thycotic Partners with LogRhythm to Offer Continued SIEM Support for Customers

1 04 2014

In our ever expanding ecosystem of technology integration alliances, Thycotic has added another leader in SIEM technology to our list of out-of-the-box integrations. Now, Secret Server event logs integrate with LogRhythm’s Security Intelligence Engine to improve network visibility for users.

LogRhythm’s Security Intelligence Platform is known for combining enterprise-class SIEM, log management, file integrity monitoring and machine analytics to provide broad and deep visibility across an organization’s entire IT environment. Using Syslog format, Secret Server can ship important syslog data into LogRhythm to compare events and ensure a more successful audit for your organization. By pairing Secret Server with LogRhythm, administrators can better monitor successful and failed user logins to privileged accounts, secret expirations and unsanctioned changes to administrator privileges.

Out of the box, Secret Server comes standard with 44 different events tracking more than 20 unique data fields, as well as the ability to create custom events based on your organization’s security policy.

A few examples of SIEM events that come standard with Secret Server.

Implementing an enterprise-class privileged account management tool such as Secret Server with a SIEM solution not only helps organizations reach password compliance and mitigate risk, but also removes the complexities associated with the management and monitoring of privileged account credentials across a network.

For more information on how to successfully integrate SIEM solutions with Secret Server, read our Value of SIEM blog post and integration guide here.





Introducing Secret Server 8.5 Pt. 2: Scalability Enhancements for Remote Password Changing, Heartbeat and Discovery

27 03 2014

Secret Server 8.5 adds a number of new features and functionality. These new features are pretty awesome, so we decided this release deserves a little extra showcasing. Check back each week through April to learn something new about 8.5 and how it will increase your team’s overall security and productivity. Today we are going to focus on speed and scalability. Enjoy!

An upgrade to .NET Framework 4.5.1 isn’t the only major change Secret Server 8.5 brings with it. Our latest version of Secret Server also includes scalability enhancements for Remote Password Changing, Heartbeat and Discovery. Simply put, a lot of processes just got a whole lot faster.

Multi-threading Magic

Remote Password Changing, Heartbeat and Discovery can now take advantage of multi-threading to improve performance and scalability. Secret Server will utilize 80% of your server’s processors, leaving a remaining 20% to maintain performance of Secret Server’s interface. What does this mean? Greater performance with overall speed scaling with the power of your Secret Server machine.

You can see the maximum degrees of parallelism of your primary server on Secret Server’s Diagnostics page.

[Image: Max Degrees of Parallelism]

Speedy Remote Password Changing & Heartbeat

With multi-threading, Secrets queued for Remote Password Changing can now have their password changes handled simultaneously. This gives you seriously increased speed! Additionally, Remote Password Changing uses intelligent batching to manage the queue of Secrets, ensuring that Secrets and privileged accounts are never changed in the same batch. The scalability improvements also apply to Secrets using Agent for Remote Password Changing.

Before the 8.5.000000 upgrade, password changes were executed one at a time:

[Image: Remote Password Changing before 8.5, password changes executed one at a time]

After 8.5.000000 upgrade, multiple password changes are executed at once:

[Image: Remote Password Changing after 8.5]

Lightning Discovery

Secret Server’s Discovery feature, in addition to using a multi-threaded approach for scanning your machines, takes an improved approach to service account scanning to reduce scan time by up to 20 seconds per computer. Combining these two enhancements to Discovery makes scanning hundreds or thousands of computers faster than ever before!

Are the speed enhancements to Remote Password Changing, Heartbeat and Discovery your favorite 8.5 feature so far? Don’t worry there is more to come! You’ll just have to check back next week for the next 8.5 feature showcase. Here’s a little hint, we’ll be talking membership. See you next week!





Limited time only: Secret Server Express Edition (100 users, 1,000 Secrets): 5 reasons to switch your password manager

26 03 2014

It’s no secret – managing IT passwords is a major hassle. Spreadsheets are a temporary bandage to a bigger security issue, and simple password vaults don’t scale to meet the real security needs of an IT team.

Security, team sharing and scalability are important points when picking your IT password management tool. With our limited-time offer of Secret Server Express edition with expanded users and Secrets (what we call credentials in the tool), we want to give you 5 reasons to seriously consider switching to the Express edition of our enterprise-class password management tool.

1.) You’re sick of using spreadsheets to manage IT passwords. Spreadsheets are the security bane of any IT team’s existence. With all of the shared credentials stored in a single encrypted spreadsheet, there’s no way to separate accounts out based on team member needs. Plus, once that spreadsheet is hacked you can say goodbye to your network. The eggs have been successfully swiped from the basket.

2.) People are still using “Password” for shared admin credentials. Weak passwords are often the culprit of compromised accounts. Generating strong, complicated passwords adds a layer of protection to managing privileged accounts.

3.) Half of your team writes passwords down on sticky notes. Do we even have to elaborate here? It’s the 21st century…c’mon people!

4.) Our Express edition costs a whopping $10. A year. Yup. We’re not kidding. And if you buy before Friday, April 25, 2014, you lock in expanded users and Secrets (100 users and 1,000 Secrets). Oh, and the yearly fee goes directly to support our community charity partner Reading is Fundamental, the nation’s largest non-profit child literacy organization.

5.) We scale as your security needs grow. Eventually you may need to meet compliance mandates and enforce more complex security practices around managing privileged accounts and identities. When you buy a simple tool, you’ll have to shop around for a more robust solution later on. Express edition scales into any of our enterprise-grade editions swiftly and easily, reducing time and effort in strengthening your security posture – from small business to the enterprise.

So, do you think it’s time to switch? Try Secret Server Express today and let us know what you think.

Express edition offer of 100 users and 1,000 Secrets is good through Friday, April 25, 2014. Purchases made by this date are guaranteed the higher user and Secret limits, even when you renew each year. Purchases after April 25, 2014 will receive the standard 10 users and 100 Secret limits.





Introducing Secret Server 8.5 Pt. 1: Session Recording Retention and Session Monitoring

25 03 2014

Secret Server 8.5 adds a number of new features and functionality. These new features are pretty awesome, so we decided this release deserves a little extra showcasing. Check back each week through April to learn something new about 8.5 and how it will increase your team’s overall security and productivity. Today we are going to focus on taking control of launched sessions. Enjoy!

While every action to a Secret is audited, administrators of the Enterprise Plus edition have the option to add Session Recording for sensitive accounts or servers. For those of you who are not already familiar with this feature, Session Recording records a video of the session launched from Secret Server and stores it in the Secret audit.

Introducing Session Monitoring:

Those of you with security responsibilities get excited, because 8.5 brings you a whole new level of control. Session Monitoring is a new feature that gives Secret Server administrators the ability to see what sessions currently are open.

Administrators now have a real-time view of all the sessions launched from Secret Server, can watch the live feed of a session, and terminate sessions immediately or send a message directly to the user. Imagine seeing a list of active sessions directly from your dashboard, be able to stream the live video feed and end the session immediately, or send a note, like, “Hey Bob, I need the server. Can you finish up soon?”

[Image: Session Monitoring]

Session Recording Enhancements:

With the 8.5 release, we added Microsoft Video Codec 9 to our list of available codecs (joining XVID, DIVX and Microsoft Video Codec 1). We also changed how the sessions are stored, to give you more storage space flexibility.

Why did we do this? Depending on how many sessions you record, how long each session lasts, and what video codec was used, video recordings can take up a lot of space within the Secret Server database!

What did we change to make this better? First, we now allow administrators to choose where session recordings are stored, whether in the database or a disk. Second, we now have a configurable expiration date for videos. Once a video is expired, Secret Server will automatically purge the old recording, freeing up your disk space.

[Image: Session Retention settings]

[Image: Secret Server Session Recording Edit]

Stay tuned next week…

Secret Server 8.5 is packed with features to improve functionality and your security options. Check back next week to learn more about 8.5. Want a sneak peek? We’ll be discussing performance enhancements to Discovery, Remote Password Changing and Heartbeat. Do you already have a favorite 8.5 feature? Let us know in the comments!






IT’s TIME: Update Those Security Settings with PowerShell

18 03 2014

Secret Server 8.4, released in January, included additional ways to update Secret security settings via the web services API. This week, we’ll show you how to use PowerShell to access the Secret Server web services API and configure security settings for Secrets.

Web Service security settings: What’s available?

The web services API can help you configure Remote Password Changing and advanced security settings, including:

[Image: list of available web service security settings]

These settings correspond to those you will see in the browser interface on the Remote Password Changing and Security tabs of a Secret.

The sample script we’ll use today creates a new Secret and then updates it to use the Require Approval for Access security setting. Because this setting also requires Approvers, our PowerShell script includes parameters to set both a user and a group as approvers. For the entire script, see our KB article HERE.

Review: Authentication

First, provide your Secret Server URL in the script. You’ll be prompted for your Secret Server login credentials at runtime:

[Image: PowerShell script excerpt (authentication)]

If you’re using a domain account, add a similar line for the domain. See Using Web Services with Windows Authentication (PowerShell) if you use Integrated Windows Authentication.

Generating Passwords

Utilize the password generator to create new, randomized passwords when you aren’t using an already-existing password:

[Image: PowerShell script excerpt (password generation)]

Create the Secret

Create a Secret by providing the Template ID, new Secret name, field IDs and values, and destination folder with the AddSecret method. Helper functions findFieldId, findTemplate and findFolderId take care of automating the process of determining IDs, if you don’t already know these ID values.

[Image: PowerShell script excerpt (creating the Secret)]

Update Secret security settings

Once your new Secret has been created, modify its security settings using the result of AddSecret. In this case, we’ll utilize another method to obtain the object type necessary for adding groups and users, and create new records (one for a user, one for a group). Then we’ll add them to the Secret as approvers:

[Image: PowerShell script excerpt (adding approvers)]

Finally, we’ll use the UpdateSecret method to apply our new security settings to the same Secret we created earlier.

Keep errors in check!

Don’t forget to use an error-checking function to assist with debugging and determine whether there are any errors to return for each web services call you make:

[Image: PowerShell script excerpt (error checking)]
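Because the script screenshots did not survive on this page, here is an added PowerShell example, not the KB script itself, that follows the same five steps: authenticate, resolve IDs with helper functions, generate a password, create the Secret with AddSecret, then apply Require Approval for Access and approvers with UpdateSecret, checking each result for errors. The endpoint path (/webservices/SSWebService.asmx), the method signatures and the SecretSettings property names are recalled from the SOAP API rather than taken from this page, so confirm them against the Web Services API Guide for your version; the URL, template and folder names, field names and the user and group IDs are placeholders.

```powershell
# Added example, not Thycotic's KB script. Endpoint path, method signatures and
# SecretSettings/GroupOrUserRecord property names are assumed from the SOAP API;
# verify against the Web Services API Guide for your version.
$url   = 'https://secretserver.example.com/SecretServer'   # placeholder
$proxy = New-WebServiceProxy -Uri "$url/webservices/SSWebService.asmx"

# Every web service result carries an Errors array; stop on the first call that fails.
function Assert-NoErrors($result, [string]$call) {
    if ($result.Errors -and $result.Errors.Length -gt 0) {
        throw "$call failed: $($result.Errors -join '; ')"
    }
}

# Credentials are prompted at runtime. For a domain account, pass the domain as the
# fourth argument instead of an empty string.
$cred  = Get-Credential -Message 'Secret Server login'
$auth  = $proxy.Authenticate($cred.UserName, $cred.GetNetworkCredential().Password, '', '')
Assert-NoErrors $auth 'Authenticate'
$token = $auth.Token

# Helpers that turn names into IDs so nothing has to be looked up in the UI by hand.
function Find-Template([string]$name) {
    $r = $proxy.GetSecretTemplates($token); Assert-NoErrors $r 'GetSecretTemplates'
    $t = $r.SecretTemplates | Where-Object { $_.Name -eq $name }
    if (-not $t) { throw "Template '$name' not found" }
    return $t
}
function Find-FieldId($template, [string]$displayName) {
    $f = $template.Fields | Where-Object { $_.DisplayName -eq $displayName }
    if (-not $f) { throw "Field '$displayName' not on template $($template.Name)" }
    return [int]$f.Id
}
function Find-FolderId([string]$name) {
    $r = $proxy.SearchFolders($token, $name); Assert-NoErrors $r 'SearchFolders'
    $f = $r.Folders | Where-Object { $_.Name -eq $name } | Select-Object -First 1
    if (-not $f) { throw "Folder '$name' not found" }
    return [int]$f.Id
}

# Create the Secret (template, field and folder names are placeholders).
$template = Find-Template 'Windows Account'
$fieldIds = [int[]](@('Machine', 'Username', 'Password', 'Notes') | ForEach-Object { Find-FieldId $template $_ })
$pwField  = Find-FieldId $template 'Password'

# Let Secret Server generate a password that meets the field's password requirement.
$gen = $proxy.GeneratePassword($token, $pwField); Assert-NoErrors $gen 'GeneratePassword'

$values   = [string[]]@('SRV01', 'svc_backup', $gen.GeneratedPassword, 'Created via web services')
$folderId = Find-FolderId 'Service Accounts'
$added    = $proxy.AddSecret($token, $template.Id, 'SRV01 svc_backup', $fieldIds, $values, $folderId)
Assert-NoErrors $added 'AddSecret'
$secret = $added.Secret

# Require approval for access and name one user and one group as approvers.
# GroupOrUserRecord lives in the proxy's generated namespace; UserId/GroupId and
# SecretSettings.RequiresApprovalForAccess/Approvers are assumed property names.
$ns = $proxy.GetType().Namespace
$userApprover  = New-Object "$ns.GroupOrUserRecord"; $userApprover.UserId   = 42   # placeholder user ID
$groupApprover = New-Object "$ns.GroupOrUserRecord"; $groupApprover.GroupId = 7    # placeholder group ID
$secret.SecretSettings.RequiresApprovalForAccess = $true
$secret.SecretSettings.Approvers = @($userApprover, $groupApprover)

$updated = $proxy.UpdateSecret($token, $secret); Assert-NoErrors $updated 'UpdateSecret'
Write-Output "Secret $($secret.Id) created; access now requires approval from user 42 or group 7."
```

Assert-NoErrors is the error-checking function the section asks for: the SOAP calls return a result object rather than throwing, so without a check after each call a failed AddSecret would silently hand a null Secret to UpdateSecret. Keep the token out of logs and transcripts; it is a bearer credential for the rest of the session.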

For an example of retrieving and updating Remote Password Changing settings for existing Secrets, see our previous blog post on the web services API.

For additional resources on using the web services API, see our Knowledge Base and Web Services API Guide. Troubleshooting your own script using Secret Server web services? Our technical support team is always available to help! Contact support HERE.
