Fasten Your Seat belts! Advancements to Web Services API Speed Up Remote Password Changing

14 01 2014

If you are familiar with Secret Server’s web services API, you already know that it can be a convenient way to retrieve, create and update Secrets individually and in bulk, especially if you already use scripts to accomplish account-related tasks in your environment. Some of the most common use cases require only simple calls to Secret Server to add and retrieve stored information, such as:

  • Efficiently adding new Secrets as new domain accounts are created.
  • Replacing privileged account credentials with web service calls to retrieve and utilize the account information within the same script.

More fine-grained operations, such as updating Secret security and Remote Password Changing settings require increased functionality from web service calls. This week, we’ll take a look at the additions to web services that have come with the release of Secret Server version 8.4, providing more control over Remote Password Changing for Secrets.

To start, let’s see how web services would assist Sarah, our handy system administrator, in the following scenario:

Sarah has decided that she wants to use a dedicated privileged account to change passwords for all service accounts in her production domain. A great deal of these accounts are scattered throughout her folder structure in Secret Server. Without using web services, Sarah would have to find every account in the Secret Server GUI and set the privileged account manually. Now, if the Secrets were all located in a single folder, Bulk Operation would make this a breeze. However, with the varying locations of these accounts, searching for each individual Secret to update will be time-consuming. Fortunately, Sarah is familiar with PowerShell and can use web services to update all of her service account Secrets. She uses the script below:

Web Services API PowerShell Script for Remote Password Changing

This script will search Sarah’s Secret Server to find any Secret with a name containing the word ‘Service.’ The script then updates the Secret’s privileged account setting for Remote Password Changing. Sarah can also reuse the script any time privileged accounts need to be updated for a large number of Secrets.

The scripts can also be used to change additional Secret properties, such as Require Approval for Access, Require Comment and Check Out. For more information about these properties, see our Web Service API Guide (Pages 60-62), available from the Secret Server Support page.

On another topic, are you tired of endless calls to the help desk to reset a user’s forgotten AD password? You won’t want to miss this week’s webinar, introducing Password Reset Server, our AD self-service password reset tool. Register now!





Enable, Disable, or Mirror: A Deeper Look into User Administration

7 01 2014

Controlling users is one of the most important facets of Secret Server password management administration. While Secret Server supports local users and groups, the easiest way to administer users is to use Active Directory (AD) integration. Secret Server can automatically pull in existing AD users and groups and create user accounts with the same permissions. After discovering the groups, Secret Server offers several different options on importing the data. 

secret-server-user-administration-screen.jpg

Enabling Users. First, you have the option of automatically creating and enabling all users from the selected groups. This is the best option for small groups with only user accounts that need enabling.

Disabling Users. The next option is to have the users created and marked as disabled. Don’t worry, disabled users do not count towards license seats. This is ideal when importing groups with a mix of service and user accounts. Disabling allows administrators to import the existing groups without worrying about exceeding license limits and adds another layer security because users added through AD don’t automatically have access to Secret Server. Simply import and select which users you want to enable. This can all be done using the Bulk Operation feature by administrating multiple users at once.

Mirroring User’s Status. Finally, Secret Server can mirror the user’s status in AD. Mirroring the status will not only create the users in Secret Server but also automatically enable and disable users based on their status within the AD group. Unlike the other options, it is the only method that actively affects existing users. This is useful for administrators who want to automate permissions based on groups. Mirroring allows you to administer AD groups and automatically reflect changes within Secret Server. As for security options, Secret Server supports the use of RADIUS if two-factor authentication is a concern, along with our built-in email based two-factor.

Upcoming webinars. Join us next week for our Deep Dive: Service Account Discovery Webinar. Product manager Ben Yoder will show you how to gain control of your network’s service accounts and dependencies through a step-by-step guide in our live webinar.

Also, be sure to check back next week as we will go over recent changes made to our Web Service API with the release of Secret Server 8.4.000000.

We want your feedback for future blog posts! Leave a request below and we will consider it for a later post. Happy 2014 everyone.





2013: A Security Odyssey

31 12 2013

What did 2013 hold for Thycotic Software? New partners, software releases, and other exciting milestones. Join us for our movie themed year-in-review.

This year, in the wake of dozens of newsworthy data breaches, the landscape for IT security broadened with every headline. The importance of securing privileged credentials and managing identity went from a “nice to have” to a “need to have” seemingly overnight. It became more apparent from IT teams across the globe that a spreadsheet was no longer a trusted, secure repository to manage privileged passwords in an organization.

So what did this mean for Thycotic? Keeping a close eye on security trends, we listened to our customers and built the features they requested to solve their most essential use-cases in privileged account management. But that wasn’t all we did.

Here are just a few highlights of what made 2013 a defining year for Thycotic Software.

Let it snow, let it snow? More like, let it grow, let it grow!

Inc. Magazine named us one of the Top 5000 Fastest Growing Companies in the US, and #33 in the top 100 fastest growing companies in DC. We couldn’t be more honored to receive this privilege. Our growth is attributed directly to our fantastic customers and our intelligent, hard-working team.

Lions, Tigers, and Splunk – Oh, My!

This year we announced several great partnerships, ending the year with an official announcement of our partnership with Splunk to release the Secret Server App for Splunk Enterprise. We’re proud of all of our new partnerships, and especially of our rapidly growing technology integration partner program. You can read more about the Splunk integration with Secret Server in our press release.

Come fly with me, let’s fly, let’s fly away.

We broke a personal record at Thycotic by sponsoring over 35 tradeshows across the world in 2013. We’ve presented dozens of keynotes, spotlight sessions, thought leadership interviews and spoke directly with thousands IT security and operations professionals in every major vertical about their security needs. Thanks to our dedicated team who worked round-the-clock to make those events a major success.

Release the kracken!

This year we’ve had several exciting releases to our products Secret Server, Password Reset Server and Group Management Server based on direct requests from our customers.

For Secret Server, some notable new features are: SAP support for natively changing passwords on SAP accounts; expanded API to increase automation in scripting; Custom Columns for a more tailored dashboard view; Website Password Changing to automatically change passwords for Windows LIVE, Google and Amazon accounts; SAML Support for increased security and single-sign on convenience; and Improved Discovery for Scheduled Tasks and Application Pools, now discoverable by Secret Server.

Other new product features are Active Directory Attribute Integration to let employees easily update their own AD information with Password Reset Server, and Group Renewal for Group Management Server to remind Active Directory group managers to double check their group membership from time to time.

So what’s next for 2014?

We think that 2014 will trump this year in success stories, growth, partnerships and products. We hope you join us every step of the way. Join us on LinkedIn and Twitter for the latest news in cybersecurity and be sure to stop by our booth at RSA 2014 in San Francisco as we kick off another thrilling year in IT security.  Also Thycotic is hiring, join the Thycotic team – read these great Thycotic reviews and see the latest Thycotic videos.






Launch Away-Multiple Launcher Sneak Peek

17 12 2013

One of the most popular features in Secret Server is the Launcher. With one click, Secret Server can launch and authenticate to RDP, PuTTY or a website. You can also launch a custom executable with Secret Server and pass in command-line arguments that reference Secret values. Additionally, the Windows Form Filler can be used to auto-fill credentials for programs that cannot launch with command-line arguments.

Using the Launcher is easy. First, go to the Secret that you want to use. Then, click the Launcher icon to initiate the session directly from your computer. This way, as long as an employee can access Secret Server, they can get their work done – a convenient feature for anyone working offsite.

With the next product release, Secret Server will allow users to assign multiple launchers to a single Secret. This is valuable when one set of credentials is used for multiple access points. For example, you could launch an RDP session with an Active Directory account, then, using the same credentials you could launch a PuTTY session.

MLBlog1

You will be able to add as many Launchers as you would like to a Secret, including custom Launchers. Any user with access to the Secret will be able to use all of the configured Launchers. Add and configure new Launchers to a Secret at the Secret Template level, as shown below.

MLBlog2

Look for the release later this week. As always, we’ll send out an email announcement once the update is live. If you do not get emails about the latest product releases, update your email preferences here.





Use Custom Reports as Your Secret Weapon

10 12 2013

Custom Reports

While Secret Server contains a number of reports addressing Secrets, folders, users, activity and more, having the flexibility to create your own reports may be necessary to address your organization’s unique requirements. With the Custom Reports feature of Enterprise and Enterprise Plus editions (and a little knowledge of SQL), you can do just that.

When creating a custom report, you can either write your own SQL query or customize a SQL query from an existing report.

Create a New Custom Report

To create a new custom report, click the Create it link at the bottom-right corner of the Reports page in Secret Server. The resulting page contains a few fields that are present to customize the name, descriptions and other aspects of the report, and a large text box for the SQL query. At the bottom of the page, clicking Show Secret Server SQL database information will provide a drop-down menu and grid that allow you to take a look at the tables and table columns available for use in reporting. Clicking Preview will provide you with the results of your custom report below, so you can check the accuracy of your report.

reportsql1

Reference Custom Secret Fields

With version 8.2.000000, the ability to expose fields for display was introduced along with custom columns for the Dashboard. This means that certain Secret fields can be left unencrypted, and can therefore be used in custom reporting as well. This change can be made at the Secret Template level, and will present a message warning that the fields will be left unencrypted in the database. For this reason, it is important to not mark any fields as exposed for display if they contain sensitive information that should remain encrypted.

report2

report3

Once fields are marked to be exposed for display, they can be referenced in reports as any other field in the database. For example, the following SQL with display Secrets containing a custom field value called “Account Used By”:

SELECT

s.SecretName AS [Secret Name]

,si.ItemValue AS [Account Used By:]

FROM

tbSecret s

JOIN

tbSecretItem si

ON    s.SecretID = si.SecretID

JOIN

tbSecretField sf

ON    sf.SecretFieldID = si.SecretFieldID

WHERE

s.SecretTypeID = 6001

AND

sf.SecretFieldDisplayName = ‘Account Used By:’

This report will return results in the following manner:

report4

Dynamic Parameters

Secret Server also supports the use of several dynamic parameters that will allow report users to select a variable to apply to a report. These can be parameters such as user, group or date range. For more information on using dynamic parameters, see our KB article on the topic. A good example of dynamic parameters can be seen in the preconfigured report “What Secrets have been accessed by a user?”

report5

report6

Reports Gallery

To see custom reports that other Secret Server users have created and to share your own, you can take a look at the Custom Reports Gallery.

Want to learn even more about creating custom reports? Join us this Thursday, December 12th, at  11:30 AM EST for our Deep Dive: Secret Server – Get the most out of Reporting Webinar. Register today!  

For any questions or assistance with custom reports, contact Thycotic Support.





Announcing Our Official Technology Alliance with Splunk

3 12 2013

In the past we have discussed the benefits of using a security information and event management (SIEM) solution, not only as a compliance tool, but also for protecting against potential threats in real time.

We are excited to announce our official technology alliance with Splunk to release Secret Server for Splunk Enterprise, giving administrators deep insight into the use of privileged accounts, providing better visibility for compliance standards and detection of internal network threats.

Getting the app is simple. While logged into the Splunk interface, navigate to “apps” and search for Secret Server. Once installed, you can use the app to automatically start pulling information from the Secret Server sysLog. Make sure you have Secret Server installed and running before using the app.

Splunk1

Using Secret Server with a SIEM tool such as Splunk allows administrators to gain a clear picture of what is going on throughout their network. The app can be used to filter out key events from the Secret Server sysLog using the Event Search feature. This allows easy retrieval of information from real time events, such as when users are launching sessions, accessing reports, checking out Secrets, or when Unlimited Administrator mode is turned on.

Splunk2

In addition, the app allows you to access and create robust reports directly in the Splunk interface.

Splunk3

Want to learn more? Download Secret Server for Splunk Enterprise today!








Follow

Get every new post delivered to your Inbox.

Join 30 other followers