Thycotic Products installed in Windows Small Business Server

16 07 2012

Thycotic Software has received several inquiries about installing Secret Server, Password Reset Server or Group Management Server in Windows Small Business Server.  For those of you who aren’t familiar with Windows Small Business Server (SBS), this is Microsoft’s description:

“Windows Small Business Server is an affordable, all-in-one solution to reduce complexity and increase manageability of server technology in a small business environment.”

SBS is not an edition of Windows Server OS, but an OS bundled with pre-configured server technologies aimed at the small business sector.  SBS has a large number of strict requirements and here is a list of the important ones:

  • Only one SBS installation per domain (other Windows Server operating systems are allowed).
  • Must be the Active Directory root server and cannot trust other domains or have child domains.
  • Maximum user/workstation count is 75.
  • There are licensing restrictions and RAM restrictions (these differ by version).
  • SQL Server 2008 Standard is the version included with SBS 2008.

Secret Server, Password Reset Server and Group Management Server share many of the same technical requirements.  Installing any of these products in SBS would likely present the exact same challenges.  Here are the steps taken to make Secret Server function in the most basic form:

  1. Start with a typical installation of SBS 2008, followed by installing Windows updates (120 of them).
  2. Check that .NET 3.5 is updated and installed.
  3. Run SQL Server Surface Area Configuration Tool to take ownership of the preinstalled and preconfigured SBS SQL database.
  4. Run the SQL Server Configuration Manager, editing Client Protocols, services and other settings.
  5. Install Secret Server in a folder isolated from the INETPUB folder due to stock SBS pieces interfering with Secret Server pages.
  6. Edit the permissions on the isolated application folder to allow users the ability to use the application.
  7. Set the App Pool pipeline to Classic mode as it is preconfigured for Integrated mode.
  8. Specify a non-standard port for Secret Server traffic (not 80 or 443).  Those ports were already configured for SBS functionality such as SharePoint, Reporting and other sites.
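As an added example (not Thycotic's own script), steps 5 through 8 above expressed as PowerShell against the IIS 7 WebAdministration provider on SBS 2008. The site and app pool name SecretServer, the install path D:\Apps\SecretServer and port 8443 are assumptions, and binding a TLS certificate to the new site is left to the administrator.

```powershell
# Added example (not Thycotic's script): steps 5-8 as IIS/NTFS commands.
# Assumed values: site/app-pool name "SecretServer", install path
# D:\Apps\SecretServer (outside \inetpub), port 8443.
# Requires the WebAdministration module (IIS 7 PowerShell provider).
Import-Module WebAdministration

$SiteName = 'SecretServer'
$AppPath  = 'D:\Apps\SecretServer'   # step 5: isolated from INETPUB
$Port     = 8443                     # step 8: not 80 or 443

# Refuse to proceed if the chosen port is already bound by an SBS site
# (SharePoint, Reporting and others already own 80 and 443).
$inUse = Get-WebBinding | Where-Object { $_.bindingInformation -match ":$Port:" }
if ($inUse) { throw "Port $Port already bound: $($inUse.bindingInformation)" }

# Step 6: grant the IIS worker group read/execute on the isolated folder only.
# IIS_IUSRS exists on IIS 7.0, so this works on SBS 2008 without relying on
# per-app-pool identities.
if (-not (Test-Path $AppPath)) { New-Item -ItemType Directory -Path $AppPath | Out-Null }
icacls $AppPath /grant 'IIS_IUSRS:(OI)(CI)RX' | Out-Null

# Step 7: dedicated app pool in Classic pipeline mode on the .NET 2.0 CLR
# (the runtime that hosts .NET 3.5, per step 2).
if (-not (Test-Path "IIS:\AppPools\$SiteName")) { New-WebAppPool -Name $SiteName | Out-Null }
Set-ItemProperty "IIS:\AppPools\$SiteName" -Name managedRuntimeVersion -Value 'v2.0'
Set-ItemProperty "IIS:\AppPools\$SiteName" -Name managedPipelineMode   -Value 'Classic'

# Step 8: a separate site bound only to the non-standard port, so the SBS
# sites on 80/443 keep working untouched.
if (-not (Test-Path "IIS:\Sites\$SiteName")) {
    New-Website -Name $SiteName -Port $Port -PhysicalPath $AppPath -ApplicationPool $SiteName | Out-Null
}

# Verify: the new site sits in its own pool, on its own path and port.
Get-Website -Name $SiteName | Select-Object name, state, physicalPath, applicationPool
Get-WebBinding -Name $SiteName | Select-Object protocol, bindingInformation
```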

After the changes outlined above, the Secret Server login functioned and information could be stored in the password database.  However, these changes to standard functionality in SBS will break functionality in other areas.  Additionally, some of the advanced Windows security settings available in Secret Server were not applied, nor were other typical Secret Server advanced features.

Altering SBS to allow Secret Server-like applications to function requires changes that cause SBS to function as a typical Windows Server.  There is a potential to minimize some of these changes by using a database external to the SBS server.  This would likely defeat the purpose of SBS in the first place.  In summary, the recommendation is to not use SBS as the host for installing Thycotic products.  However, this could be true of many .NET web applications with a SQL database.





Meet Thycotic in San Francisco at RSA 2012!

7 02 2012

Will you be in San Francisco for RSA Conference 2012?  We’ll be there too!  Thycotic Software is excited to demonstrate our flagship products Secret Server and Password Reset Server live.  Please join us at the Moscone Center February 27th – March 2 and learn about the newest features.  Thycotic’s booth (#2550) is located here:

Thycotic Software's Booth #2550 at RSA Conference 2012


Secret Server is a privileged password management solution, designed to securely control access to critical enterprise passwords in one centralized, web-based repository.  SS is encrypted, FIPS-compliant and helps organizations to reach their Sarbanes-Oxley or PCI DSS goals.

Password Reset Server is an end-user password reset tool that combines ease-of-use with advanced security, and meets Section 508 compliance standards. PRS is designed to reduce Help Desk calls and let employees reset their own forgotten passwords through a series of secure questions and images, and even telephone verification.

See you February 27th!





Using the PuTTY launcher on custom ports

23 11 2011

Do you use custom ports for accessing your systems through SSH or telnet?  If you do, you’ll find that the launcher is configured for standard ports.  Configuring these ports requires the creation of a custom launcher and a few other steps.  This information is outlined in the Secret Server KnowledgeBase under the title: How can I run the PuTTY launcher on a different port?

This can be a useful tool for Secret Server users, especially in those situations that require a non-standard port.  While the jury is out on whether changing standard ports offers any real security, some situations may require them.  In Secret Server, creating a custom launcher for using custom ports will make life easier for Secret Server users.  The custom launcher will launch PuTTY, configure the client for SSH over the specified port, pass the credentials and grant access in one simple click!





Inheriting Permissions Based on Folders

29 07 2011


It is possible for Secrets in Secret Server to inherit permissions from the folder where they are placed. For example, if you install a new managed switch in your network, instead of setting an Active Directory group or users for every network-based Secret, you set the Active Directory group or individual user accounts to the folder. That way, when an admin enters a new Secret into Secret Server they don’t have to worry about selecting all the people that need access. Instead, they can place it into the correct folder that already has the correct permission level. Not only does it save time, but it also ensures that everyone who needs access to a Secret has it.

Adding Permissions to a folder
First, move your mouse to the Administration tab, then select Folders.

Then select the folder whose permissions you want to edit, and select Edit.

From here you can add Active Directory groups and individual Secret Server users. They will have access to any Secret that inherits permissions with the level you select.

Having a Secret Inherit Permissions From a Folder

Click to expand the Secret, and then select view.

Now, select share.

From here, select edit.

Finally, check the “Inherit Permissions from folder” box.

That’s it! Now any user in the Active Directory group, or any user you manually added to the folder permissions, will have access. You can also turn on this behavior by default with the “Default Secrets Inherit Permissions” setting on the configuration page. It is important to note that a user with folder-based permissions will have that level of access to every Secret in the folder.





Selection/Dropdown fields on Secrets

16 03 2011

Secret Server supports Selection/Dropdown fields but not many customers know about this feature.  In this example, you can capture the version of SQL Server as a dropdown field in your Secret.


Selection fields can be created by editing a Secret Template and adding a new field (Administration | Secret Templates | Edit).  Then choose the selection list icon on the Secret Template Designer screen.

You can then add different field values … in our example, we added 2000, 2005, 2008 to represent the different versions of SQL Server for our SQL Server Account Secret Template.





Secret Server iPhone app does not use keychain

15 03 2011

There have been some videos going around lately showing how to compromise an iPhone and reveal all the passwords stored in the Apple keychain within minutes.

David from our engineering team talks about how the Secret Server password app for iPhone is not susceptible to this type of attack because it uses its own files for encryption along with a randomly generated key that includes device specific information.

David talks about encryption on Secret Server iPhone app.




Saved Searches in Secret Server Dashboard

14 03 2011

A little known feature in the new dashboard is the ability to “save searches”.  I didn’t know about this until one of the engineers showed me … it isn’t exactly a saved search but it is close.

Steps

  1. Drag the <All Folders> folder to the top to create a new tab. This will create a new tab with a Secret Explorer widget.
  2. Type your search term in the search bar and choose any other desired search parameters – in my case, I typed “cisco” and changed to only show “Cisco Router” templates.
  3. Click on the tab to rename it to match your search – in my case, I named my tab “Cisco”.


That’s it.  You now have a tab called Cisco that holds a saved search to find all your Cisco devices.  You can come back to this tab at any time to see the results of that search.








