Introducing Secret Server 8.5 Pt. 2: Scalability Enhancements for Remote Password Changing, Heartbeat and Discovery

27 03 2014

Secret Server 8.5 adds a number of new features and functionality. These new features are pretty awesome, so we decided this release deserves a little extra showcasing. Check back each week through April to learn something new about 8.5 and how it will increase your team’s overall security and productivity. Today we are going to focus on speed and scalability. Enjoy!

An upgrade to .NET Framework 4.5.1 isn’t the only major change Secret Server 8.5 brings with it. Our latest version of Secret Server also includes scalability enhancements for Remote Password Changing, Heartbeat and Discovery. Simply put, a lot of processes just got a whole lot faster.

Multi-threading Magic

Remote Password Changing, Heartbeat and Discovery can now take advantage of multi-threading to improve performance and scalability. Secret Server will utilize 80% of your server’s processors, leaving a remaining 20% to maintain performance of Secret Server’s interface. What does this mean? Greater performance with overall speed scaling with the power of your Secret Server machine.

You can see the maximum degrees of parallelism of your primary server on Secret Server’s Diagnostics page.

Max Degrees of Parallelism

 

Speedy Remote Password Changing & Heartbeat

With multi-threading, Secrets queued for Remote Password Changing can now have their password changes handled simultaneously. This gives you seriously increased speed! Additionally, Remote Password Changing uses intelligent batching to manage the queue of Secrets, ensuring that Secrets and privileged accounts are never changed in the same batch. The scalability improvements also apply to Secrets using Agent for Remote Password Changing.

Before the 8.5.000000 upgrade, password changes were executed one at a time:

Before password changes were executed one at a time

After 8.5.000000 upgrade, multiple password changes are executed at once:

Remote Password Changing After

Lightning Discovery

Secret Server’s Discovery feature, in addition to using a multi-threaded approach for scanning your machines, takes an improved approach to service account scanning to reduce scan time by up to 20 seconds per computer. Combining these two enhancements to Discovery makes scanning hundreds or thousands of computers faster than ever before!

Are the speed enhancements to Remote Password Changing, Heartbeat and Discovery your favorite 8.5 feature so far? Don’t worry there is more to come! You’ll just have to check back next week for the next 8.5 feature showcase. Here’s a little hint, we’ll be talking membership. See you next week!





Limited time only: Secret Server Express Edition 100 users, 1000 Secrets 5 reasons to switch your password manager

26 03 2014

It’s no secret – managing IT passwords is a major hassle. Spreadsheets are a temporary bandage to a bigger security issue, and simple password vaults don’t scale to meet the real security needs of an IT team.

Security, team sharing and scalability are important points when picking your IT password management tool. With our limited-time offer of Secret Server Express edition with expanded users and Secrets (what we call credentials in the tool), we want to give you 5 reasons to seriously consider switching to the Express edition of our enterprise-class password management tool.

1.) You’re sick of using spreadsheets to manage IT passwords. Spreadsheets are the security bane of any IT team’s existence. With all of the shared credentials stored in a single encrypted spreadsheet, there’s no way to separate accounts out based on team member needs. Plus, once that spreadsheet is hacked you can say goodbye to your network. The eggs have been successfully swiped from the basket.

2.) People are still using “Password” for shared admin credentials. Weak passwords are often the culprit of compromised accounts. Generating strong, complicated passwords adds a layer of protection to managing privileged accounts.

3.) Half of your team writes passwords down on sticky notes. Do we even have to elaborate here? It’s the 21st century…c’mon people!

4.) Our Express edition costs a whopping $10. A year. Yup. We’re not kidding. And if you buy before Friday, April 25, 2014, you lock in expanded users and Secrets (100 users and 1,000 Secrets). Oh, and the yearly fee goes directly to support our community charity partner Reading is Fundamental, the nation’s largest non-profit child literacy organization.

5.) We scale as your security needs grow. Eventually you may need to meet compliance mandates and enforce more complex security practices around managing privileged accounts and identities. When you buy a simple tool, you’ll have to shop around for a more robust solution later on. Express edition scales into any of our enterprise-grade editions swiftly and easily, reducing time and effort in strengthening your security posture – from small business to the enterprise.

So, do you think it’s time to switch? Try Secret Server Express today and let us know what you think.

Express edition offer of 100 users and 1,000 Secrets is good through Friday, April 25, 2014. Purchases made by this date are guaranteed the higher user and Secret limits, even when you renew each year. Purchases after April 25, 2014 will receive the standard 10 users and 100 Secret limits.





Introducing Secret Server 8.5 Pt. 1: Session Recording Retention and Session Monitoring

25 03 2014

Secret Server 8.5 adds a number of new features and functionality. These new features are pretty awesome, so we decided this release deserves a little extra showcasing. Check back each week through April to learn something new about 8.5 and how it will increase your team’s overall security and productivity. Today we are going to focus on taking control of launched sessions. Enjoy!

While every action to a Secret is audited, administrators of the Enterprise Plus edition have the option to add Session Recording for sensitive accounts or servers. For those of you who are not already familiar with this feature, Session Recording records a video of the session launched from Secret Server and stores it in the Secret audit.

Introducing Session Monitoring:

Those of you with security responsibilities get excited, because 8.5 brings you a whole new level of control. Session Monitoring is a new feature that gives Secret Server administrators the ability to see what sessions currently are open.

Administrators now have a real-time view of all the sessions launched from Secret Server, can watch the live feed of a session, and terminate sessions immediately or send a message directly to the user. Imagine seeing a list of active sessions directly from your dashboard, be able to stream the live video feed and end the session immediately, or send a note, like, “Hey Bob, I need the server. Can you finish up soon?”

SessionMonitoring_Image2

Session Recording Enhancements:

With the 8.5 release, we added Microsoft Video Codec 9 to our list of available codecs (joining XVID, DIVX and Microsoft Video Codec 1). We also changed how the sessions are stored, to give you more storage space flexibility.

Why did we do this? Depending on how many sessions you record, how long each session lasts, and what video codec was used, video recordings can take up a lot of space within the Secret Server database!

What did we change to make this better? First, we now allow administrators to choose where session recordings are stored, whether in the database or a disk. Second, we now have a configurable expiration date for videos. Once a video is expired, Secret Server will automatically purge the old recording, freeing up your disk space.

Session_Retention

Secret Server Session Recording Edit

Stay tuned next week…

Secret Server 8.5 is packed with features to improve functionality and your security options. Check back next week to learn more about 8.5. Want a sneak peek? We’ll be discussing performance enhancements to Discovery, Remote Password Changing and Heartbeat. Do you already have a favorite 8.5 feature? Let us know in the comments!

 





IT’s TIME: Update Those Security Settings with PowerShell

18 03 2014

Secret Server 8.4, released in January, included additional ways to update Secret security settings via the web services API. This week, we’ll show you how to use PowerShell to access the Secret Server web services API and configure security settings for Secrets.

Web Service security settings: What’s available?

The web services API can help you configure Remote Password Changing and advanced security settings, including:

capture3

These settings correspond to those you will see in the browser interface on the Remote Password Changing and Security tabs of a Secret.

The sample script we’ll use today creates a new Secret and then updates it to use the Require Approval for Access security setting. Because this setting also requires Approvers, our PowerShell script includes parameters to set both a user and a group as approvers. For the entire script, see our KB article HERE.

Review: Authentication

First, provide your Secret Server URL in the script. You’ll be prompted for your Secret Server login credentials at runtime:

Webservices1

If you’re using a domain account, add a similar line for the domain. See Using Web Services with Windows Authentication (PowerShell) if you use Integrated Windows Authentication.

Generating Passwords

Utilize the password generator to create new, randomized passwords when you aren’t using an already-existing password:

Webservices2

Create the Secret

Create a Secret by providing the Template ID, new Secret name, field ID’s and value, and destination folder with the AddSecret method. Helper functions findFieldId, findTemplate and findFolderId take care of automating the process of determining ID’s, if you don’t already know these ID values.

Webservices3

Update Secret security settings

Once your new Secret has been created, modify its security settings using the result of AddSecret. In this case, we’ll utilize another method to obtain the object type necessary for adding groups and users, and create new records (one for a user, one for a group). Then we’ll add them to the Secret as approvers:

Webservices4

Finally, we’ll use the UpdateSecret method to apply our new security settings to the same Secret we created earlier.

Keep errors in check!

Don’t forget to use an error-checking function to assist with debugging and determine whether there are any errors to return for each web services call you make:

Webservices5

For an example of retrieving and updating Remote Password Changing settings for existing Secrets, see our previous blog post on the web services API.

For additional resources on using the web services API, see our Knowledge Base and Web Services API Guide. Troubleshooting your own script using Secret Server web services? Our technical support team is always available to help! Contact support HERE.





Bam! Thycotic now integrates with Tenable Security’s Log Correlation Engine

11 03 2014

In a continuation of our discussion around the strengths of combining secure privileged account management with SIEM capabilities, we’re excited to announce our new alliance with Tenable Network Security!

tenable

Integrating Secret Server with Tenable’s log correlation engine, SecurityCenter Continuous View, will provide administrators with improved oversight of their organization’s security practices.

What is Tenable SecurityCenter Continuous View?

Tenable SecurityCenter Continuous View provides organizations with a uniquely integrated vulnerability and SIEM functionality, helping them move from periodic assessment to continuous and instant identification and response for security and compliance threats.

How does it integrate with Secret Server?

Secret Server works with Tenable SecurityCenter CV by sending event engine logs to the tool in the form of syslog. SecurityCenter CV now has built-in support for processing Secret Server events, such as Heartbeat success, Secret expiration and user login activity. For a more detailed description of supported events see Tenable’s forum page.

The benefits of integration:

Incorporating event logs from Secret Server into the rest of your collective SIEM data allows you to maintain more comprehensive records of user access to privileged credentials for every account you manage through Secret Server, from workstations and servers to network devices and many more. Ultimately, this means your administrators have access to faster and more reliable attack detection and mitigation.

For more information:

See our Syslog Integration Guide for details on configuring Secret Server to log events to your SIEM tool.





Streamline Compliance with your Internal Security Policy by using Secret Server

4 03 2014

Incorporating a new tool into your company’s overall security architecture can be a tricky and time-consuming process. Fortunately, Thycotic Secret Server has a several features that streamline the process of complying with your existing corporate requirements. In this post, we will take a look at a few ways Secret Server can work in conjunction with your existing security policy to improve policy compliance and your user experience.

Enforce Password Compliance with Group Policies

Secret Server’s group policy feature allows you to set polices for local and domain account passwords, such as minimum password age, password length and password complexity. Secret Server adheres to the group policy when changing local Windows or Active Directory passwords. For example, if a password change is attempted with a weak password, Secret Server will return an error message to explain the password complexity requirements. Or, if a password change fails because it was too weak, Secret Server can send an email alert to administrators.

To eliminate the possibility that users will set weak passwords or use prohibited characters, Secret Server can automatically generate passwords using the preset password requirements. The result: secure, randomly generated passwords that are guaranteed to meet your group policy requirements each time they’re changed, whether automatically by using Auto Change or manually by a Secret Server user.

Restrict Access with Restricted Launcher Inputs

Group policy can also be used to restrict remote access to servers, which is a great way to decrease the area of attack for an account. However, with a large number of accounts this can be difficult to keep track of. Secret Server provides the ability to restrict launcher inputs to allow users to only see and connect to machines that have been whitelisted for each account. This simplifies the process for end users, who no longer need to keep track of details of their privileged account access, and allows administers to configure more granular access control in a way that is clear and fully audited.

Simplified Web Password Management

Finally, a policy that we have talked about before is allowing a user’s browser to store credentials. Auto fill for browser credentials is certainly convenient, but it does not provide an audit of usage, making it a bit of a problem for the security department. Instead, organizations can disable the browser’s password auto fill option and add those credentials to Secret Server. Users can then use the Secret Server Web Filler to directly log in to websites. This makes your environment more secure by tracking who accessed each web credential and it ensures passwords are stored securely within Secret Server instead of a user’s individual browser.

Check back next week to hear our team’s recap of RSA 2014 San Francisco.






Is Your Hash Being Passed?

25 02 2014

 

A typical day in IT:

It’s another day-in-the-life of an IT administrator and you have yet another 1,000 problems to solve. Around noon you receive a ticket saying Bob is having trouble with his computer’s performance. Instead of grabbing lunch, you RDP into his computer to figure out the problem. You need admin credentials to see what’s going on, so you use your Domain Administrator account.  Turns out Bob needs to update a driver. It was a simple fix and you disconnect from the user’s computer, happy to have a couple minutes left to grab a sandwich.

Later that day you see login alerts from your SIEM tool for several machines you don’t typically access. Alarmingly, they happened while you were picking up your sandwich. Your password is strong and well above the company’s password recommended length, including alphanumeric and symbols. How was it used?

Turns out, the person who “borrowed” your credentials didn’t have to figure out your password. Instead, they infected Bob’s less secure computer and waited for you to log in using your Domain Administrator credentials. When you used RDP to enter Bob’s machine they captured the clear text hash of your password. Congratulations, your hash was passed.

What is Pass-the-Hash?

A Pass-the-Hash attack is where an attacker captures and uses the plain text hash of a user’s password instead of their plain text password. It allows an attacker to impersonate another user, typically a privileged account. This type of attack can affect ANY network using Windows machines. For the attacker, the advantage getting a hash instead of the password is it can be done without a brute-force attack, which is not as effective and takes a lot more time.

How is the Hash acquired?

Hashes can be acquired through a variety of methods, two being the most common. The first is to retrieve the hash from a SAM dump for the local machine users. The second is to grab the dump of a user’s credentials stored by Windows in the LSASS.exe process, allowing the attacker to retrieve the hash of any account that connects to the machine for example; an RDP-connected domain accounts. This is how the attacker compromised the Domain Administrator’s credentials from Bob’s computer in the scenario above.

How can Secret Server mitigate the threat of Pass-the-Hash?

While Pass-the-Hash attacks have existed for the last 17 years, the threat is now bigger than ever, with tools to exploit this vulnerability continuously improving. Currently the best way to protect yourself from a Pass-the-Hash threat is to upgrade to Windows 8.1 and Server 2012 R2. The new Windows updates have built-in security measures, including making the LSASS.exe a protected process, adding new security identifiers, and changing RDP so it no longer stores the remote login’s credentials on the target machine.

It is typically not practical to upgrade every computer in an organization quickly, and a network would still be vulnerable during the upgrade process. However, there are other protective measures that can be taken by using Secret Server. For example, organizations can use Secret Server’s Check Out feature and configure it to automatically change the password after each RDP session’s Check Out is complete. This would render any hash that was captured during the session useless; when the password is changed, the hash also changes. Secret Server can also restrict which computers can use an account by restricting the launcher inputs. These measures mitigate the chance of a Pass-the-Hash attacks by greatly reducing the amount of time a hash is valid and decreasing the computers accessible for attack on privileged accounts.








Follow

Get every new post delivered to your Inbox.

Join 30 other followers