Password Reset Server: Remind Your Users to Enroll With a Logon Script

27 11 2013

Being a self-service password reset tool, Password Reset Server needs its end-users to enroll in the product by answering security questions. This can become a challenge if you want your users to begin changing their passwords immediately, or if you are having difficulty getting users to respond to the enrollment reminders. Password Reset Server offers a couple of solutions to this challenge.

First, Password Reset Server has recently released Automatic Enrollment. Automatic Enrollment will sync users’ Active Directory attributes, such as email, phone, address, etc., and allow those values to be used as the answers to the end-user’s security questions. This works well if your users’ profiles in Active Directory are accurate and up to date, and if you are using text, email or SMS based questions.

Second, for those of you who want security questions about more than what is listed in AD attributes, you can use a Logon Script to get your users to enroll. The Logon Script can be used for organizations that also want to include more personal challenge questions, such as a user’s “Favorite Food” and “Childhood Friend.”

A Logon Script is a piece of code, usually either a batch file or Visual Basic/PowerShell script, which is deployed using Group Policy and runs as a user logs into their machine. Password Reset Server has an accessible API that can be used to create personalized reminders for those users that have not yet enrolled into Password Reset Server, or completed their personal security questions.

Setting up a Logon Script is simple! First, we created the script to call the Password Reset Server Web Services <http://support.thycotic.com/KB/a382/calling-web-services-password-reset-server-with-powershell.aspx>, and then we created a script to be run at the user’s logon. For example, we used the following PowerShell script, which checks the enrollment status of a user and directs them to Password Reset Server if they are not yet enrolled. If they have enrolled, it simply stops running.

    $url = 'http://www.MyPasswordResetServer.com/webservices/webservice.asmx'

    # Build a proxy for the web service, authenticating as the logged-on user
    # (integrated Windows authentication).
    $proxy = New-WebServiceProxy -Uri $url -UseDefaultCredential

    # Ask Password Reset Server whether this domain user has enrolled yet.
    $enrolled = $proxy.UserEnrolled($env:USERDOMAIN, $env:USERNAME)

    IF ($enrolled -ne $true)
    {
        # Not enrolled: open the enrollment page in the default browser.
        Start-Process -FilePath 'http://www.MyPasswordResetServer.com/PasswordResetServer'
    }
    ELSE
    {
        Exit
    }

After creating the script, you will want to assign the script in the domain Group Policy. Then, select the objects that you want affected by the Logon Script, edit the policy and navigate to User Configuration > Policies > Windows Settings > Scripts. Right-click and select Properties. After this step, you will want to click the PowerShell Scripts tab inside Group Policy Editor and add your newly created script. Next, you can select the GPO run policy to have this script run first or last after logon. When this is done, click Apply and OK, and you have successfully created a logon script that will prompt users to enroll in Password Reset Server if they have not already. It’s that easy!
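A more defensive version of the logon script above, added here as an example rather than Thycotic’s own code. It keeps the UserEnrolled(domain, user) web method the post describes, but uses HTTPS placeholder URLs (prs.example.com, an assumption), sets a timeout and fails open so an unreachable server never delays a logon, logs what it did to a file in the user’s profile, and reminds an unenrolled user at most once per day via a stamp file (the log and stamp files are additions, not part of the product).

```powershell
# Added example, not Thycotic's code. Assumes the UserEnrolled(domain, user)
# web method from the post; hostnames and paths below are placeholders.
$WebServiceUrl = 'https://prs.example.com/webservices/webservice.asmx'
$EnrollUrl     = 'https://prs.example.com/PasswordResetServer'
$LogFile       = Join-Path $env:LOCALAPPDATA 'PrsEnrollReminder.log'
$StampFile     = Join-Path $env:LOCALAPPDATA 'PrsEnrollReminder.stamp'

function Write-Log([string]$Message) {
    Add-Content -Path $LogFile -Value ('{0:u} {1}' -f (Get-Date), $Message)
}

# Remind at most once per day so the reminder does not become a nuisance
# and the server is not queried on every single logon.
if ((Test-Path $StampFile) -and
    ((Get-Item $StampFile).LastWriteTime -gt (Get-Date).AddDays(-1))) {
    exit 0
}

try {
    # Integrated Windows authentication identifies the caller; TLS protects
    # the credential exchange and the enrollment answer in transit.
    $proxy = New-WebServiceProxy -Uri $WebServiceUrl -UseDefaultCredential
    $proxy.Timeout = 5000   # milliseconds; never let logon hang on a slow server
    $enrolled = $proxy.UserEnrolled($env:USERDOMAIN, $env:USERNAME)
}
catch {
    # Fail open: an unreachable or misconfigured server must not block logon.
    Write-Log "Enrollment check failed: $($_.Exception.Message)"
    exit 0
}

if ($enrolled -eq $true) {
    Write-Log "$env:USERDOMAIN\$env:USERNAME is already enrolled"
    exit 0
}

# Not enrolled: open the enrollment page and record that a reminder was shown.
Write-Log "$env:USERDOMAIN\$env:USERNAME is not enrolled; opening $EnrollUrl"
Start-Process -FilePath $EnrollUrl
Set-Content -Path $StampFile -Value (Get-Date -Format u)
exit 0
```

Assign it through the same Group Policy path as the original script; the log file gives the help desk something to check when a user reports that the reminder did or did not appear.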





Are You Using One Time Passwords?

26 11 2013

Secret Server can easily be configured so that end users do not have to see the password to make use of a resource, such as logging onto a remote server. Using Hide Launcher Password, Secret passwords can be hidden from users, forcing them to use a Launcher to access the machine or device. This makes it easier for admins to use long and complex passwords and also improves security by eliminating the ability for users to write down and save passwords. You can even create white or black-lists <http://blog.thycotic.com/2013/05/03/restricting-user-input-for-launcher/> to restrict the devices that users can launch into. In addition, Secret Server also has a Web Filler <http://blog.thycotic.com/2013/02/20/webinar-secret-server-web-password-filler/> to launch into website accounts.

Whenever possible (without impeding workflow, of course!) passwords should only be revealed when necessary. This keeps passwords from being written down or memorized and enforces using the vault to ensure a full audit trail. Hiding passwords for all of your accounts, however, may not always be possible. For instance, if an administrator creates a new service, she will need to manually enter a password from Secret Server. To do this, you can certainly give the administrator permission to view the Secret’s password, but it risks the password being compromised.

Secret Server’s solution to this is Check Out. Utilizing Check Out allows you to configure how long a user has access to any given Secret. You also have the option of having Secret Server change the password when the access period expires or the user checks in the password themselves.

Here’s an example of how this can work. Say Sarah, our imaginary system administrator, checks out a Secret to go perform maintenance on a couple of Windows servers. She decides to write the password down and then gets to work on the different servers using that Secret’s credentials. In the process, she gets a little distracted and leaves her sticky note with the password behind when she goes to grab a cup of coffee. Luckily, Check Out with Expiration is configured. While she is out, the Check Out period automatically ends and Secret Server checks in the password and changes it automatically. When Sarah returns from her coffee break, she will have to go back to Secret Server for the new password. This keeps her usage audited in the system, and protects the company against her stray sticky note, which has now been forgotten. For companies that want even more of an audit trail, they can use Check Out in conjunction with Require Access for Approval <http://blog.thycotic.com/2013/10/15/create-an-approval-workflow-for-sensitive-secrets/> to create an easy and secure workflow for your more sensitive accounts.





3 Ways Secret Server will Enhance your Identity Access Management Strategy

19 11 2013

It’s important to have an Identity Access Management (IAM) strategy, whether you are trying to meet a compliance standard such as PCI, SOX or FIPS, or you just want accountability for what is going on throughout your network. Secret Server has many ways that it can help administrators accomplish this. In this article, we will be going over three different features that will help establish your IAM strategy.

1. Role-based access:

With roles, administrators can delegate permission and access to appropriate information quickly and easily. Integrating Secret Server with Active Directory will enable you to assign roles automatically based on existing Active Directory groups. This ensures that users only see information that is necessary for them to complete their work, without exposing excess data.


2. Audits and Reporting:

Every time a user has any interaction with a Secret, an audit is created to record: (1) the action, (2) the person and (3) the exact time the action occurred. Using the audit information, administrators are able to see exactly what users are doing within the system. For example, they can tell how Secrets are shared between users, Secrets with the most views, and which users are not logging into the system at all.


3. Session Recording:

Secret Server can record everything that occurs during a session. By using the recording launcher, Secret Server takes a screenshot every second and then compiles the images into a movie that is saved on the audit log. This is great for your most critical machines, where you want to know exactly what is going on when a user is logged in. Now, should anything go wrong on these servers, it is easy to retrieve the recording from Secret Server and view exactly what occurred, increasing the speed at which the issue can be resolved.

Using these three features will put you on track to creating a complete Identity and Access Management strategy in which your team may become more productive and secure.


If you are in Los Angeles this week for the Gartner IAM conference, stop by our booth # 210 or join us tonight at 5:45 PM PST for a drink in our “Made in DC” hospitality suite.





Reduce Help Desk Calls with Password Reset Server

12 11 2013

Any help desk or system administrator will tell you that their company spends much more time resetting end-user passwords than it should. Constant calls to the help desk for this simple yet urgent problem eat up a lot of IT’s time that could be spent working on other projects and support issues.

To help alleviate this problem, Thycotic Software developed Password Reset Server. Password Reset Server is a self-service password reset tool for Active Directory end-users. It makes the password reset process very simple and straightforward, with a Windows login integration for in-network employees and a web portal for those off-site.

Some of the main features of Password Reset Server include:

Self-Service Password Resets

End-users are put in charge of changing their own passwords. With secure identification, IT no longer has to be directly involved.

Automatic Enrollment

IT teams can bulk-enroll all employees. That way, users can simply log into the site and answer questions based on Active Directory attributes when they need to change their passwords.

Multi-factor Questions

Add security to ensure the correct person is resetting their password with multi-factor authentication, including verification via phone, email and SMS.

By providing a secure method for end-users to reset their Active Directory passwords, Password Reset Server helps reduce support demands on help desk staff and allows them to focus on other tasks while giving end-users a quick and easy interface for changing their own passwords.

Learn more about Password Reset Server at our upcoming webinar on Thursday, November 14, at 11:30am EST. We hope you’ll join us!

Register here for the Password Reset Server webinar





Don’t miss our monthly webinars!

5 11 2013

Every month, Thycotic hosts a webinar to explore new features, technical integrations and best practices. Last week we discussed a fairly new feature added to Secret Server version 8.3, which has expanded the list of web password changers. Secret Server can now change passwords on Windows Live, Google and Amazon accounts. This means you can now manage your Office 365, Google Apps and Amazon Web Services through Secret Server. These sites are just the beginning of web password changing for Secret Server. If you missed the live webinar, you can watch a recorded version here.

We have several upcoming webinars, including a feature deep-dive and tech integration case study.

Sign up now to get them on your calendar!

Learn how America First Increased Security through Authenticated QualysGuard Scanning with Secret Server

November 5, 2013 at 1:00 pm EST.

Do you have a full understanding of your network security, from both external and internal threats? Performing authenticated scanning for internal threats while keeping credentials locked-down on premises can greatly mitigate security risk. Find out how America First, a national credit union, implemented secure authenticated scans with Secret Server.

Register here for the Qualys Authenticated Scanning webinar

Thycotic Software Introduces- Password Reset Server

November 14, 2013 at 11:30 am EST.

Learn how Thycotic can help solve your end-user AD password resets. Password Reset Server is an AD self-service reset tool that helps reduce your help desk calls.

Register here for the Password Reset Server webinar

For the latest security news and Thycotic product updates, follow us on LinkedIn!





Increase Security Scanning Capability with Secret Server

29 10 2013

Today, we’re going to talk a little about improving security scans as a precursor to our upcoming webinar with Qualys on Nov. 5 at 1:00 p.m. EST (register here).

Every network administrator spends part of their working hours checking their network for vulnerabilities. This may be done manually, but if using a tool, the most common type is a security scan.

For the most part, security scans examine your network from the outside looking in. They give you an idea of what an outside attacker might find when trying to break into your network. That, however, is only part of the overall threat to your network. If an attacker gains access to an admin-level password, they will have a whole new, internal perspective of the network. Internal threats also need to be considered, such as employees that have network access but may be vengeful and angry, or may simply be less-than-careful and share their passwords with others or leave them lying around.

For these insider perspectives, a normal security scan looking at perimeter security will not provide useful information. Instead, you would need a scanning tool that can search inside your network to understand internal security holes and how easily someone with credentials could move within the network.

The QualysGuard cloud platform offers a variety of tools to secure your network, including authenticated scans. Unlike unauthenticated scans, which can only give the perspective of someone without credentials trying to break in from the outside, authenticated scanning allows you to search within your network. With authenticated scanning, your tool would have access to network credentials, allowing it to look for possible malware, registry problems, patch issues, incorrect software configurations and more.

Thycotic Software is partnered with QualysGuard, with an integration built so that credentials used for scanning are securely stored within Secret Server. The vulnerability scanning tool, such as QualysGuard, connects with Secret Server to gain credential access as needed. This enables teams to keep credentials secure and change passwords as needed with Secret Server, while ensuring the vulnerability scanning tool always has accurate credentials for authenticated scans.

Join our webinar on Nov. 5 at 1:00 p.m. EST to learn more about authenticated scanning and find out why America First, a national credit union, implemented authenticated scanning with QualysGuard and Secret Server. Sign up here.





Windows 8.1 Security Improvements Help Protect Against Pass the Hash Attacks

21 10 2013

This cyber security month, we’d like to congratulate and thank Microsoft on their efforts to block Pass the Hash cyber-attacks. Known by Microsoft as “one of the most popular types of credential theft and reuse attacks,” Pass the Hash attacks are known for their ability to infiltrate full networks within minutes, making a major mess along the way.

With the Windows 8.1 update released on October 1, Microsoft has added major security improvements that are intended to block the ability of hackers to use these kinds of attacks. With the new release, Microsoft has bought us all some “space to breathe.”

Use your space wisely and remember that cyber security is constantly evolving. Take these three steps to help strengthen your organization’s password practices.

  1. Administrator accounts still need to be separated and used with care. Segment administrator accounts into a regular AD account and a user-specific Domain Administrator account for use only when privilege is needed.
  2. Lock down Domain Administrator passwords in a secure place where the administrator can access them when needed, and admin access is fully audited, so you have a record of use.
  3. Change Domain Administrator passwords to a new, random value after each use.

These steps can be incorporated into your security policy and implemented manually or through an automation tool, such as Secret Server. Password management tools provide added value to security and password management when they enable role-based access, sharing among teams, and full auditing for compliance.

Learn more about the Windows 8.1 update here.







