The major benefit of integrating Secret Server with your ticketing system is that it helps create a stronger audit trail on more sensitive Secrets. This is done by requiring that a ticket number be added each time a Secret is viewed. This forces users to have a traceable component when accessing certain Secrets. It also allows administrators to view the audit of the Secret and click a link to go directly to the ticket in the ticketing system.

Setting up the integration is simple. First, visit Administration > Configuration > Ticket System. Once here, enable the integration by selecting the checkbox and then insert the URL template for your ticketing system. Next, you will want to enter the Regex that Secret Server will use to validate the ticket number that a user would input. Finally, you have the option to customize the message for an invalid ticket number and require users to enter a ticket number. Now, any Secret with Require Comment or Require Approval for Access will have a section to input a ticket number.

Roles give a user the ability to perform actions inside Secret Server, whereas Permissions dictate the level of control a user has within Secret Server. There are three Permissions within Secret Server:

1. View, which allows a user to see a Secret/Folder.
2. Edit, which allows a user to change Secret/Folder information.
3. Owner, the highest level of control which grants a user the ability to change advanced security settings for a Secret/Folder.

Permissions can be bulk-assigned by Folder. By default Secrets inherit the Permissions of the Folder where it is created. This set up requires two steps. First, create a folder structure that is separated by Permission level. Typically, this would follow your company’s team structure. For example, you could configure folders in the hierarchy:

Second, assign Permissions to each folder based on the users that need access to that information. Now, when a Secret is created inside a folder it will automatically be assigned the Permissions of that Folder.

Permissions can be individually assigned to specific Secrets. When setting up Permissions in this way, Folders are used primarily as an organization tool and typically are named in a much more general manner, such as:

When assigning Permissions to individual Secrets, the Secret will not inherit Folder Permissions and can be placed in a Folder alongside Secrets that have different levels of Permissions. To ensure Secrets do not inherit Permissions from the Folder, update your product settings by going to Administration > Configuration and setting the Default Secret Permissions to “Only Creator Has Permissions to New Secrets”.

Permissions can be bulk AND individually assigned. It is also possible to set up Secret Permissions through a combination of the options above. In this case, you would use the Folder to push Permissions to the Secrets through inheritance when a Secret is created. Once this is complete, Secrets do not have to stay within that Folder. Inheritance can be turned off for individual Secrets afterward to allow assignment of custom Permissions.

Secret Server’s “break the glass” feature, Unlimited Administration Mode, can help in those situations.

The Unlimited Administrator Mode allows designated users to manage Secrets they would normally not have access to. Administrators with the “Administer Unlimited Admin Configuration” role permission can enabled this by going to Administration > Configuration and selecting “Change Administration Mode”. Administrators can enter any optional notes explaining why they are enabling or disabling it, as well as creating an audit trail of this setting. A banner also appears in the header indicating to other users that Unlimited Administration Mode is turned on.

When enabled, users that have the “Unlimited Administrator” role permission can now access all Secrets and folders (with the exception of DoubleLocked Secrets), regardless of permissions, and all features of the Secret Server. Having a separate role permission allows administrators to specifically assign which users will be affected by the setting. Typically these should be very trusted people in the organization.

Unlimited Administration Mode is powerful, and can be locked down by to prevent abuse by ensuring no user has both permissions “Administer Role Permissions” and “Administer Unlimited Admin Configuration”. If no role has the “Unlimited Administrator” permission by default, then it will take two users to effectively turn Unlimited Administration Mode on: One user to enable it in configuration, and the other user to grant the permission to users or groups.

You can also have administrators notified by email when Unlimited Administration Mode is turned on or off by using event subscriptions. Our Knowledge Base article, How to protect the Unlimited Admin Mode using Event Subscriptions, details how to set that up.

In this two part blog post we will review how to set up customized roles and permissions to meet your company’s security policy.

Roles in Secret Server control what a user is allowed to do in the tool. Secret Server ships with three default Roles:
1. Administrator, which has the ability to perform any task.
2. User, which allows basic functions such as create, edit and viewing of Secrets.
3. Read Only User, which only allows a user to view Secrets and Audit Reports without edit capabilities.
Although Secret Server can be used right out of the box with these default Roles, each company should personalize the Roles to fit individual company needs.

The default Roles can be edited and new Roles can also be created. For example, administration tasks can be delegated to different Administrators without giving them full control of the system (for example: Backup Administrator, Secret Template Administrator, Role Administrator and so on). An Auditor Role can also be created to give a user limited access to the system – such as to view Reports and to check compliance settings without having access to sensitive information. For more information on Roles, see our Secret Server Best Practices Guide (requires valid support).

In the next part of this post we will go over how to set up permissions to control access to Secrets and Folders.

When configured as a whitelist, a list of possible servers will be presented for users to select to launch. This prevents users from logging in to places they should not be, and adds convenience by not having to remember the name of each server.

When configured as a blacklist, this allows users to enter the machine or server name as they normally would, however would prevent them from connecting to those machines which are blacklisted. This will prevent unauthorized use of credentials in your environment.

Enabling this feature is simple through Secret Server. Navigate to Administration, Secret Templates, then select any template with a Launcher attached such as the Active Directory Account or Windows Account Template and click Edit. There, you can select Configure Launcher, and Edit.

In the Advanced section, enable Restrict User Input by checking the checkbox, and configure accordingly. When mapping a field to Restrict By Secret Field, specify a field from the template. The values for the whitelist or blacklist will be based on that field for Secrets, and can be comma separated to specify multiple machines or servers.

Then it’s configured.

For iPhones and iPads, first you will want to create the Web Filler on Safari on your Mac desktop, then after using iCloud Bookmark sync with your iPhone the Web Password Filler will be ready for use.

After signing into Secret Server on your phone, browse to the site that you want to log in to. Once there, open your bookmarks and select the Web Password Filler. This will make the it appear exactly how it appears in the desktop browser.

For Android devices, using Opera Mini and Opera Link Secret Server’s Web Filler is available for your Android device. To begin, set up create a free Opera account and on the desktop version of Opera create the Web Filler Bookmark. Next in Opera Mobile on going into settings and enable Opera Link, this will sync your bookmarks to your Android phone. Once the account is synced, sign in to your Secret Server account. Then browse to site that you wish to log into and select the Web Filler
from the bookmark menu.

This makes it more convenient than ever to log in to your favorite websites when on the go.

Two-Factor Authentication in Secret Server forces users to enter another form of authentication on login, such as a pin or token. Secret Server comes with its own built-in email two-factor authentication, and supports the existing infrastructure to make use of RADIUS two-factor systems. This adds another layer of security to user accounts, however, it increases the number of steps required to access Secret Server. Using two-factor authentication helps prevent a scenario where a user might walk away from a workstation while logged in and an attacker could walk up to it and login to Secret Server.

Watch the video below to learn more about this incredible new product from Thycotic Software.

Oh yeah, and Happy April Fools Day from the entire Thycotic Team.

How do you protect your Secret data from being stolen from your clipboard? Secret Server’s Copy-To-Clipboard extensions add an extra layer of security to your clipboard by allowing the configuration of an automated schedule to clear the clipboard, so that the clipboard is cleared when exiting the browser. Each clipboard extension has a section that allows you to configure these options.

This makes it safe to use your clipboard and know that if you walk away from your computer for a few moments, someone won’t be able to take a password from your clipboard. It also helps prevent the accidental pasting of sensitive information into unsafe places, such as a chat client or email.

Currently, these security options are only available in the Firefox and Chrome extensions. Stay tuned for this functionality in Internet Explorer.

Use discovery to quickly find all your local Windows administrator accounts – import them into the Secret Server vault (even if you don’t know the current password). Then set a schedule (30, 90 days etc.) for regular password changing and never worry about those passwords again.  Whenever a sysadmin needs a password, they just come to Secret Server to find it.  Using Discovery Rules allows all of this to be automated.

Join us for this Webinar on Thursday, March 28th 2013 at 11:30am EST (requires active support). This will be the first of a new Webinar series that will happen on the 4th Thursday of each month.  Change your email preferences to receive updates about these upcoming webinars.

These webinars will also be recorded so you can view them after the event or share them with your team members.  Each Webinar will have two engineers speaking about best practices, features, security and general problems you can solve using Thycotic products.  If you have specific items you would like to see covered, please email your Account Manager.

Thanks, Kaitlin.