Group Management Server Scales for Enterprise

5 09 2012

Wait, what is Group Management Server?!

Group Management Server is Thycotic Software’s brand new self service Active Directory group management tool.  IT Admins can designate Group Owners to control Active Directory Security Group and Distribution Group membership.  Reporting and full audit trails are maintained throughout the system for group management activities, including adding, deleting, and editing user group membership. These audit trails can be used during security audits to demonstrate compliance.

Group Management Server can be installed quickly and does not require Active Directory Schema Extension.  Even very large Active Directory environments can be quickly synchronized and managed from an easy-to-use and secure web interface.  Implementing robust Role Based Access Control and an approvals workflow, Group Management Server can automate IT Admin functions to tighten security, minimize risk, and reduce labor costs associated with managing group membership.

Let’s get back to how Group Management Server scales for the enterprise…

One of the highlights in Group Management Server is the performance during Active Directory synchronization.  Active Directory synchronization is a process in which Active Directory data (groups and users) is populated in Group Management Server.  The synchronization process makes Active Directory group management tasks lightning fast, as opposed to waiting on the Active Directory Users and Computers application to slowly search for the correct group.  In our testing, synchronization with 6 domains (one domain contained nearly 150,000 groups and 100,000 users) was completed in well under 5 minutes.  See Figures 1-3 below for before and after screenshots of Active Directory synchronization with Group Management Server.

In Figure 1, this Group Management Server instance manages groups in six domains.  These domains range in size from small (250 objects) to large (100,000+ objects).  Note that domain synchronization was started at 11:34:08 AM (highlighted in red).

Figure 1

In Figure 2, synchronization has completed for all six domains at 11:38:55 AM.  The elapsed time for the synchronization was 4 minutes and 47 seconds!

Figure 2

In Figure 3, domain statistics are displayed for synchronization.  In less than 5 minutes, Group Management Server synchronized more than 160,000 Active Directory groups and nearly 100,000 user objects spread over six separate domains.

Figure 3

Setting up Active Directory synchronization with Group Management Server

To synchronize with Active Directory, log in as an Administrator for Group Management Server.  Then click Administration -> Active Directory.  Click on the New Domain button, fill out the fields with your specific domain information, and click Save.  Group Management Server will begin to synchronize with the newly added domain.  As with the test example above, synchronization will take a few minutes depending on the number of groups and other objects in your domain.

Group Management Server information and resources

Try it here:  http://www.thycotic.com/products_groupmanagementserver_try.html

Support:  http://www.thycotic.com/products_groupmanagementserver_support.html

Forums:  http://www.thycotic.com/products_groupmanagementserver_forums.html





Creating Custom Reports in Secret Server

30 08 2012

Secret Server contains robust reporting capabilities, as mentioned on the Secret Server Report Features Page.  In addition to the default reports included with Secret Server (see Figure 1), additional reports are available for download in the Online Reports Gallery.  Beyond these options, users who aren’t familiar with SQL reporting may also make a Custom Report Request from Thycotic Support.

Figure 1

One of Secret Server’s most popular features is the ability for users to create custom reports.  This allows users to build the reporting their organization requires.  To make a custom report, users will need some experience with SQL commands and reporting.  If you have experience, the following steps guide you through this process:

First, you need the code for the report you want to build.  The guide shows a report that allows users to see “What types of Secrets have expired?”  The SQL code is shown below:

-Begin SQL Code-

SELECT
    st.SecretTypeName AS [Secret Template]
   ,COUNT(*) AS [Number Of Secrets]
FROM tbSecret s WITH (NOLOCK)
    INNER JOIN tbSecretType st WITH (NOLOCK)
        ON s.SecretTypeId = st.SecretTypeId
WHERE
    st.ExpirationFieldId IS NOT NULL                                -- template tracks expiration
    AND s.ExpiredFieldChangedDate + st.ExpirationDays < GETDATE()  -- expiration date has passed
    AND s.Active = 1                                                -- only active secrets
    AND st.OrganizationId = #ORGANIZATION                           -- Secret Server report parameter
GROUP BY
    st.SecretTypeName
ORDER BY
    COUNT(*) DESC

-End SQL Code-

Next, log in to Secret Server with a user that has the Administer Reports role permission. Click on Reports -> Create it (located on the bottom right of the window). Assign a Report Name, a Report Description, and choose a Report Category in the dropdown menu (this is where the report appears). If your report should have a chart, choose the appropriate Chart Type in the dropdown menu. If you want your chart to appear in 3 dimensions, put a checkmark in the 3D Report box. Lastly, you’ll want to select your Page Size followed by pasting your SQL Code in the text box. Now, you can Preview the report and it will appear on the bottom of the same page. If you’re happy with the result, you can click Save and your report will appear on the main Reports page under the Report Category you selected.
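As an added example that is not part of the original post or Thycotic’s own code, here is a companion report built on the same two tables and the same #ORGANIZATION parameter.  It assumes, as the query above does, that a secret’s expiration date is ExpiredFieldChangedDate plus ExpirationDays, and it lists secrets that are still active but will expire within the next 30 days, so rotation can be planned before the expired-secrets report fills up.

```sql
-- Added example (not Thycotic's code): upcoming expirations by Secret Template.
-- Table and column names are taken from the expired-secrets report above; the
-- expiration-date arithmetic (ExpiredFieldChangedDate + ExpirationDays) is the
-- same assumption that report makes.
SELECT
    st.SecretTypeName AS [Secret Template]
   ,COUNT(*) AS [Expiring Within 30 Days]
   ,MIN(DATEADD(day, st.ExpirationDays, s.ExpiredFieldChangedDate)) AS [Earliest Expiration]
   ,SUM(CASE WHEN DATEADD(day, st.ExpirationDays, s.ExpiredFieldChangedDate)
                  < DATEADD(day, 7, GETDATE())
             THEN 1 ELSE 0 END) AS [Expiring Within 7 Days]
FROM tbSecret s WITH (NOLOCK)
    INNER JOIN tbSecretType st WITH (NOLOCK)
        ON s.SecretTypeId = st.SecretTypeId
WHERE
    st.ExpirationFieldId IS NOT NULL           -- template actually tracks expiration
    AND s.Active = 1                           -- only active secrets
    AND st.OrganizationId = #ORGANIZATION      -- Secret Server report parameter
    -- not yet expired (those appear in the report above) ...
    AND DATEADD(day, st.ExpirationDays, s.ExpiredFieldChangedDate) >= GETDATE()
    -- ... but due within the next 30 days
    AND DATEADD(day, st.ExpirationDays, s.ExpiredFieldChangedDate) < DATEADD(day, 30, GETDATE())
GROUP BY
    st.SecretTypeName
ORDER BY
    [Earliest Expiration] ASC
```

Secrets whose ExpiredFieldChangedDate is NULL drop out of both date comparisons, so a separate report is needed if you want to flag secrets that have never had their expiration field set.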





How to Create a Custom Web Launcher in Secret Server

29 08 2012

Creating a custom Web Launcher in Secret Server is useful for several reasons.  First, it allows your organization to share online accounts without revealing the password.  Second, it saves time for Secret Server users.  With one click from Secret Server, users can seamlessly pass the credentials directly to the destination’s login page.  Used over time and across more than one site, it reduces the time spent on logging in.  It even helps to eliminate locked out accounts because the username and password don’t have to be typed in by a user.

To create a custom Web Launcher, start by using a Secret Template that has the Launcher feature enabled and configured to the Website Login type.  If you’re using a custom Secret Template, you can configure this by clicking Administration -> Secret Templates.  Select the desired Template in the drop down menu and click Edit. Click Configure Launcher and Edit. The box for Enable Launcher should be checked and the drop down menu for Launcher type to use should be Website Login.  Also, make sure the corresponding fields are matched properly (Password to the actual password field in the Secret Template and so on).  Make sure to click Save when making any changes!  Now your Secret Template is configured to use the Website Login Launcher.

Go back to the secret you want to use with the Web Launcher.  Click on Edit -> Launcher tab -> then Configure Web Launcher.  The URL should be populated in the field and you can click on View Page to verify you have the actual login page selected.  If not, browse to the actual login page and copy that URL to this field.  Then, click Next and Secret Server will evaluate the page’s code to see if it can automatically pass credentials using the Web Launcher.  If you have the correct URL for login and the Web Launcher evaluates the login page as usable, you’ll see a list of Available Forms.

You may need to experiment with different listings you may find in this field.  Many times, the choice is obvious.  In the case of twitter.com, the correct form is actually listed first.  Once you select a form, click Next and you may need to edit the mapped fields.  If the mapped fields are correct (user for UserName for instance) click Test Launcher.

If the launcher works, great job!  You’re done!  If it doesn’t work, make sure your fields are mapped correctly.  You may also want to click Reconfigure Web Launcher.  This will allow you to try a different form in the list of Available Forms.  Select a different form, try mapping fields again, and test the launcher.

Not all websites will allow the launcher to work, and even those that do may have exceedingly complex fields to fill out.  If this is the case, remember that you can contact support by posting in the Forums, by searching our Knowledge Base, or by contacting Thycotic Support directly!





SSL Certificates, License Keys & More in Secret Server

27 08 2012

Do you have copies of your SSL Certificates, Licensing Data, and Support Documentation?  Of course!  Can you easily search for all of those files with a single term?  Maybe.  Is it well-organized, access-controlled, and verified?  Maybe not.

Secret Server supports the functionality above by simply building a Secret Template with the proper settings.  For example:  Instead of using DFS or a SharePoint plug-in to store your documentation and important files, why not leverage Secret Server?  You’ve already entrusted it with your Admin usernames and passwords.  By editing a Secret Template, you can easily create a designated file location for each workstation, server, and appliance in your network.  Once you’ve created the template, you’ll know precisely where all your documentation is stored.  When coupled with adequate Disaster Recovery plans (Microsoft SQL Clusters, mirroring the database, or a frequent database backup), you’ve added additional layers of protection to your critical technical documents.

Storing documents in Secret Server has distinct advantages beyond access control and redundancy.  First, Secret Server admins can require fields to contain data before saving new secrets.  You can’t control the quality of the documents that people might store, but at least you will know that a document was saved.  Second, these documents are encrypted in the Secret Server database.  Third, the documents can be relayed to a coworker or a third party with a simple HTTP link.  (Note the previous blog post about this.)

Secret data saved using the "Hardware - Remote Desktop" Secret Template.

Making a Secret Template may take some thought about what your organization finds useful.  However, once you’ve created a template, it’s very easy to edit, copy, and enhance.  One potential side benefit of structuring the above information is the data it makes available in Reports.  Using some extra data points, as I have in this Template, may be of benefit in Secret Server Reports.

Thycotic’s Secret Template Gallery contains the content for the Secret Template I created above.  The Template can be found by searching “Hardware Remote Desktop” or by using this direct link.  Import this or any template by clicking Administration -> Secret Templates.  Paste the XML into the Import Secret Templates text box and click the Import button.

If you think you have a great and useful Secret Template, comment below!  We want to hear about it and what makes it useful.





Using Secret Server Links to Securely Transmit Sensitive Data

24 08 2012

Having been a Systems Engineer, I’m familiar with the problem of sharing credentials.  My method for sharing login credentials with a colleague consisted of access to a spreadsheet with everything or a Post-it that would be shredded (hopefully).  However, with Secret Server, System Admins are easily able to share credentials with colleagues by sending them a URL in this simple format:

http://SERVERNAME/VIRTUALDIRECTORY/SecretView.aspx?secretid=SECRETNUMBER

  • “SERVERNAME” is the DNS name or IP Address of the server that hosts Secret Server.
  • “VIRTUALDIRECTORY” is the name of the Virtual Directory used when Secret Server was installed.  Typically, this is “SecretServer”.
  • “SECRETNUMBER” is the actual number associated with the secret data as found in your instance of Secret Server.  This number increases sequentially as secrets are added.

For instance, the secret of a test server I have installed is shared with this link:  http://192.168.0.2/SecretServer/SecretView.aspx?secretid=52

Note: Using this link requires Secret Server login permissions and permissions for that user to at least view the secret you’re trying to share.

The elegance of this method is that users can share credentials among themselves through email, while the use of the data and the permission to use it remain controlled by a Secret Server Administrator.  It’s worth mentioning that all of this activity is logged and reportable within Secret Server.

Admins with the need for additional security can link to a secret that has a Launcher enabled with the password hidden from users.  This way, an Engineer can share a direct link to a secret’s launcher with a coworker.  The coworker can use the credential to log in via Remote Desktop (or any other launcher functionality) to a server without knowing the actual credentials.

Hide Launcher Password is a feature that allows the password field of a secret to remain hidden from view or clipboard access, but still usable by the launcher.  The activity is completely logged in Secret Server, and nothing is written down, copied, or shared with anyone but those that have express permissions in Secret Server.  Enable this security feature by clicking the Edit button for a secret, then Security tab -> Edit button -> check Hide Launcher Password -> Save button.

The use of links goes beyond email.  Admins could also use these links in support documentation for applications or systems.  In the documentation, a link to Secret Server data can be embedded in place of the actual admin credentials.  This would negate the need for a document-based password protection scheme.





Unlimited Administrator Mode Suggestions from a Secret Server Admin

20 08 2012

While responding to a different but related forum question, a Secret Server Admin made a good point:  Split the ability to enable Unlimited Administrator Mode and the ability to use it.  This is outlined in the Secret Server Best Practices Guide.  Here is a quote from the forum post:

1.) I encourage this on all SS installs. Separate the roles of both Enabling Unlimited Admin mode and Unlimited Admin from a user. Configure SS to require that one (or more) people are the only ones that can enable Unlimited Admin mode but not be an Unlimited Admin. The opposite for the Unlimited Admin, they shouldn’t be able to put SS in Unlimited Admin mode. This prevents a single person from having the ability to flip the god switch.
2.) Set up event subscriptions/notifications that email all users of SS when Unlimited Admin mode is enabled.
3.) Direct all users to the appropriate report(s) that show what an Unlimited Admin did while that mode is enabled.

Splitting these roles between two different users or groups of users adds an additional layer of accountability to Secret Server.  No single Administrator will have the ability both to authorize a switch to Unlimited Administrator Mode and, as a consequence, to gain access to all of the secret data stored in the database.

Do you have questions, comments, and concerns about Unlimited Administrator Mode?  Please post in our forums:  http://www.thycotic.com/products_secretserver_forums.html





Secret Server version 7.8.000061 Released!

17 08 2012

A new release for Secret Server is now available.  For full details, view the official release notes available here:  http://www.thycotic.com/Secretserver_releasenotes.html

Secret Server Release version 7.8.000061 is primarily about reporting features and enhancements.  The big announcement is Scheduled Reports.  Secret Server Administrators can now schedule their reports and also have them emailed to a subscription list.  Additionally, a feature called “Health Checks” has been built into Scheduled Reports.  Health Checks allow “if-then” scheduling for reports that should be delivered only when user-defined conditions are met.  New parameters #STARTWEEK and #ENDWEEK have been added to the list of dynamic Report parameters.

Other features found in the new release include changes to make Active Directory Synchronization easier when dealing with large Domains.  We also added an Event Subscription for notification messages based on license expiration.  Cosmetic changes can be found throughout the application concerning search controls and maintaining consistency between different parts of Secret Server.  Aside from a short list of self-explanatory bug fixes, the Inactivity Timeout enhancement is the last notable addition.  Inactivity Timeout should now work when closing only browser tabs, but not the browser.  Specifically, when users have multiple tabs open for Secret Server, activity in any one tab will prevent a timeout.

Please tell us how these features help you, ask questions, or join the discussion in our forums:  http://www.thycotic.com/products_secretserver_forums.html
