Sneak Preview: HSM Data Encryption with SafeNet

16 11 2012

We’re working with SafeNet, an industry leader in data protection, to bring hardware data encryption to Secret Server. We’re adding support for SafeNet’s Hardware Security Modules, or HSMs.

SafeNet LUNA

Pictured: SafeNet LUNA PCI HSM

SafeNet’s Luna PCI HSM (pictured) is FIPS 140-2 Level 2 and 3 compliant, bringing a new level of data protection to your enterprise.

When Secret Server is configured to use SafeNet’s HSM, Secret Server will no longer store the encryption key on the server or perform the actual encryption and decryption. Instead, the encryption key is stored inside the device, and the device itself performs the encryption and decryption. Secret Server at no point is aware of the keys being used to encrypt or decrypt data. All the encryption and decryption stays in the hardware.

 

When an HSM is available, Secret Server will allow selecting the encryption key storage location during installation.

Installation HSM

SafeNet’s HSM also allows redundant configuration of two or more HSMs to ensure zero loss of data and Secret Server is always available.

We are pleased to be adding this capability to Secret Server and have enjoyed working with the smart folks over at SafeNet. The SafeNet HSM support will be available in the next release of Secret Server.


Comments : Leave a Comment »
Tags: , , ,
Categories : Secret Server, Security, Sneak Preview

Sneak Preview: Bookmarklet 2.0

7 11 2012

Our team is working to make logging in to websites easier than ever with new bookmarklet functionality.

The new bookmarklet is able to work on any web page, and automatically log you in. It is only required that the web page has a secret in the Secret Server, and that the user be logged in to Secret Server.

This will greatly improve the compatibility over the web launcher. Sites that implement client-side validation, such as a CAPTCHA, were not compatible. With the new bookmarklet, the username and password will be filled out in the webpage itself, allowing the user to fill out just the CAPTCHA.

Form Filler

Above is an example of the bookmarklet working with Gmail. The bookmarklet will be compatible with recent versions of all major browsers. There isn’t an exact release date at the moment, but expect the functionality soon.


Comments : 5 Comments »
Tags: , ,
Categories : Secret Server, Sneak Preview

Sneak Preview: Dashboard Enhancements

18 10 2012

The next release of Secret Server has a lot of new functionality, in addition several tweaks to the user interface. We can catch a of glimpse of that now with one of the improvements to Secret Server’s dashboard. The Dashboard’s Secret View widget will now dynamically expand to take up the full width of the screen if there are no widgets to the right of it.

Fullscreen

This was a popular request, and it will allow users to utilize more of their screen space to work more effectively. Widgets can still be to the right of the Secret widget, just the way Dashboard works today.

Resize

This will be available in the next release of Secret Server, 7.9 along with many other exciting features. Expect the release within the next week or two.


Comments : Leave a Comment »
Tags: , ,
Categories : Secret Server, Sneak Preview

Using a Web Launcher with Logmein

14 09 2012

Have you ever been in the situation where you needed to provide a full desktop to someone outside your organization? One way you might accomplish this is by creating a Logmein.com account allowing users to login remotely. A caveat to this solution is it requires external access to your Secret Server instance.

Follow these steps:

1. Create a Logmein account restricted to access only the target workstation.

2. Install the Logmein client on the target workstation.

3. Secure the internal workstation to include only the features you want users to use when accessed remotely.

4. Create a secret in a Secret Template that has the Web Launcher enabled. If you’re using stock Secret Templates the “Web Password” template will work just fine.

5. Enable the Web Launcher with these settings: Click Edit -> Launcher tab -> Configure Launcher Settings button -> Choose -> Type https://secure.logmein.com/login.asp for URL -> Finally click Test Launcher. If the launcher works, move on to Step 6. If the launcher doesn’t work, you may need to do some custom field mapping. Essentially the Email field from Logmein should be mapped to the username of the secret. Password is password, fairly obvious!

6. Create a user account in Secret Server that has read access to just this secret.

7. Hide the password from the users by clicking: Edit button for the Logmein account -> Security tab -> Edit button -> Check the Hide Launcher Password box -> Save.

Now, the target remote user should be able to login to Secret Server. When they do, they will have access to only this Logmein secret. Additionally, they will only be able to use the Web Launcher and not actually see the password. The end result is a remote user has access to a controlled internal system by simply logging in to Secret Server.

Note: The workstation being accessed remotely can be a virtual workstation. This would make it very easy to control content and access (if the virtual machine isn’t running, no one can access it).

Advantages:

  • This is very easy to use as it only requires a Secret Server account.
  • You’ll have an auditable history of when a user logged into Secret Server and the actions they took.
  •  Workstation login credentials don’t have to be shared or even visible.
  • This method of access works from multiple browsers and across operating systems and devices.

Comments : Leave a Comment »
Tags: , , , , , ,
Categories : Secret Server, Security, Tips & Tricks

Secret Server and DoubleLock

13 09 2012

Do you have a need for additional security when storing your most sensitive data?

Where do you store the company’s banking account numbers and other critical financial data?  …top-level credentials for your customer database that contains Credit Card and Social Security numbers?  …credentials for classified system access?

When you need that additional layer of security within an already secure system, DoubleLock is your answer.  DoubleLock encrypts Secret data with an additional encryption key that is only accessible with an additional password that is unique per user, regardless of permissions or physical access to the machine running Secret Server. Private/public key encryption technology enables you to securely share access to the DoubleLock between users.

Benefits of enabling the DoubleLock feature include:

  • Secrets cannot be decrypted even if Secret Server is compromised.
  • Secrets cannot be decrypted even when someone is accidentally granted permissions to a Secret based on AD group membership.
  • DoubleLock provides an additional grouping of privilege to grant select individuals access to highly sensitive data.

There is one caveat to consider when using DoubleLock:

Resetting a forgotten DoubleLock password is irreversible and can result in permanent loss of the data. In the case that a user has sole access to a DoubleLocked Secret, the data will be lost and the Secret locked with that DoubleLock key will be deleted.  However, if another user has access to the Secret, they will need to re-assign you to the DoubleLock.

When resetting a DoubleLock password, a list of the assigned DoubleLocks and the Secrets they protect are displayed for the user.  Check that the secrets have at least one additional user with DoubleLock access.  This way, the data is not deleted due to a forgotten DoubleLock password.

To enable DoubleLock, a password will need to be created.  In Secret Server, click: Tools menu -> Create DoubleLock Password -> enter the desired Password (minimum 8 characters) -> Create Password.  Then, click on the Administration menu -> DoubleLock -> Create New button -> type a Name for your DoubleLock -> Save.

Now that a DoubleLock has been created, assign the appropriate users and secrets to the DoubleLock.  In more complicated environments, multiple DoubleLocks can be created.  Each of these DoubleLocks can be assigned their own set of users.  To assign DoubleLock to a secret, click the Edit button on the desired secret.  Then, click the Security tab -> check the Enable DoubleLock box -> select the appropriate DoubleLock in the dropdown menu -> Save.  Remember that the DoubleLock selected will already have a list of defined users.

As a safety net, always have at least 2 users for each DoubleLock to avoid the potential loss of data if the DoubleLock password has to be reset.


Comments : Leave a Comment »
Tags: , , , , , ,
Categories : Secret Server, Security, Tips & Tricks

Sneak Preview: Secret Server Launcher for Mac

11 09 2012

The Thycotic Dev Team is hard at work with new functionality for Mac!  While I don’t have all the details, I do have a few items I can share.  Currently, we’re looking at an “end-of-Q4 2012” release date.  This date may slip, but it’s accurate for now.

Details I can share:

  • The Launcher will support Safari, Firefox, and Google Chrome.
  • The underlying technology uses is a NPAPI plugin. A quick install of a plugin is all it takes to enable the launcher for Mac.
  • Will support SSH and a built-in SSH client will be used.
  • Will support Microsoft Remote Desktop provided the Mac Remote Desktop application is installed.  See Figure 1 for the screenshot of Remote Desktop.  Figure 2 shows the Launcher Helper application in Firefox.

Figure 1

Figure 2

Features due out after the initial release (available in later updates):

  • Custom Launchers will be available in a subsequent update.  Remote Desktop and SSH will be the only launchers supported initially.
  • Session Recording functionality will be available in a subsequent updates.

The Dev Team is interested in hearing your comments, please post your questions and thoughts below!


Comments : 2 Comments »
Tags: , , , , ,
Categories : Secret Server, Sneak Preview

Creating Custom Reports in Secret Server

30 08 2012

Secret Server contains robust reporting capabilities, as mentioned in on the Secret Server Report Features Page.  In addition to the default reports included with Secret Server (see Figure 1), additional reports are available for download in the Online Reports Gallery.  Beyond these options, users who aren’t familiar with SQL reporting, may also make a Custom Report Request from Thycotic Support.

Figure 1

One of Secret Server’s most popular features is the ability for users to create custom reports.  This allows users to build the reporting their organization requires.  To make a custom report, users will need some experience with SQL commands and reporting.  If you have experience, the following steps guide you through this process:

First, you need the code for the report you want to build.  The guide shows a report that allows users to see “What types of Secrets have expired?”  The SQL code is shown below:

-Begin SQL Code-

SELECT 
   st.SecretTypeName AS [Secret Template]
   ,COUNT(*) AS  [Number Of Secrets]
  FROM tbSecret s WITH (NOLOCK) 
   INNER JOIN tbSecretType st WITH (NOLOCK) 
    ON s.SecretTypeId = st.SecretTypeId
  WHERE 
   st.ExpirationFieldId IS NOT NULL
   AND s.ExpiredFieldChangedDate + st.ExpirationDays < GETDATE()
   AND s.Active = 1
   AND st.OrganizationId = #ORGANIZATION
GROUP BY
 st.SecretTypeName
ORDER BY
 COUNT(*) DESC

-End SQL Code-

Next, login to Secret Server with a user that has the Administer Reports role permission. Click on Reports -> Create it (located on the bottom right of the window). Assign a Report Name, a Report Description, and choose a Report Category in the dropdown menu (this is where the report appears). If your report should have a chart, choose the appropriate Chart Type in the dropdown menu. If you want your chart to appear in 3 dimensions, put a checkmark in the 3D Report box. Lastly, you’ll want to select your Page Size followed by pasting your SQL Code in the text box. Now, you can Preview the report and it will appear on the bottom of the same page. If you’re happy with the result, you can click Save and your report will appear on the main Reports page under the Report Category you selected.


Comments : Leave a Comment »
Tags: , , ,
Categories : Secret Server, Tips & Tricks

How to Create a Custom Web Launcher in Secret Server

29 08 2012

Creating a custom Web Launcher in Secret Server is useful for several reasons.  First, it allows your organization to share online accounts without revealing the password.  Second, it saves time for Secret Server users.  It allows users to use one click from Secret Server seamlessly pass the credentials directly to the destination’s login page.  Used over time and across more than one site, it reduces the time spent on logging in.  It even helps to eliminate locked out accounts because the username and password don’t have to be typed in by a user.

To create a custom Web Launcher, start by using a Secret Template that has the Launcher feature enabled and configured to the Website Login type.  If you’re using a custom Secret Template, you can configure this by clicking Administration -> Secret Templates.  Select the desired Template in the drop down menu and click Edit. Click Configure Launcher and Edit. The box for Enable Launcher should be checked and the drop down menu for Launcher type to use should be Website Login.  Also, make sure the corresponding fields are matched properly (Password to the actual password field in the Secret Template and so on).  Make sure to click Save when making any changes!  Now your Secret Template is configured to use the Website Login Launcher.

Go back the secret you want to use to with the Web Launcher.  Click on Edit -> Launcher tab -> then Configure Web Launcher.  The URL should be populated in the field and you can click on View Page to verify you have the actual login page selected.  If not, browse to the actual login page and copy that URL to this field.  Then, click Next and Secret Server will evaluate the code to see if it can automatically pass credentials using the Web Launcher.  If you have the correct URL for login and the Web Launcher evaluates the login page as usable, you’ll see a list of Available Forms

You may need to experiment with different listings you may find in this field.  Many times, the choice is obvious.  In the case of twitter.com, the correct form is actually listed first.  Once you select a form, click Next and you may need to edit the mapped fields.  If the mapped fields are correct (user for UserName for instance) click Test Launcher.

If the launcher works, great job!  You’re done!  If it doesn’t work, make sure your fields are mapped correctly.  You may also want to click Reconfigure Web Launcher.  This will allow you to try a different form in the list of Available Forms.  Select a different form, try mapping fields again, and test the launcher.

Not all websites will allow the launcher to work, and even those that do may have exceedingly complex fields to fill out.  If this is the case, remember that you can contact support by posting in the Forums, by searching our Knowledge Base, or by contacting Thycotic Support directly!


Comments : Leave a Comment »
Tags: , , , ,
Categories : Secret Server, Tips & Tricks

SSL Certificates, License Keys & More in Secret Server

27 08 2012

Do you have copies of your SSL Certificates, Licensing Data, and Support Documentation?  Of course!  Can you easily search for all of those files with a single term?  Maybe.  Is it well-organized, access-controlled, and verified?  Maybe not.

Secret Server supports the functionality above by simply building a Secret Template with the proper settings.  For example:  Instead of using DFS or a SharePoint plug-in to store your documentation and important files, why not leverage Secret Server?  You’ve already committed your Admin username and password.  By editing a Secret Template, you can easily create a designated file location for each workstation, server, and appliance in your network.  Once you’ve created the template, you’ll know precisely where all your documentation is stored.  When coupled with adequate Disaster Recovery plans (Microsoft SQL Clusters, Mirroring the database, or a frequent database backup), you’ve added additional layers of protection to your critical technical documents.

Storing documents in Secret Server has distinct advantages beyond access control and redundancy.  First, Secret Server admins can require fields to contain data before saving new secrets.  While you can’t control the quality of the documents that people might store – but at least you will know that a document was saved.  Second, these documents are encrypted in the Secret Server database.  Third, the documents can be relayed to a coworker or a third party with a simple http link.  (Note the previous blog post about this.)

Secret data saved using the "Hardware - Remote Desktop" Secret Template.

Secret data saved using the “Hardware – Remote Desktop” Secret Template.

Making a Secret Template may take some thought about what your organization finds useful.  However, once you’ve created a template, it’s very easy to edit, copy, and enhance.  One potential side benefit of structuring the above information is data in Reports.  Using some extra data points like I have in this Template may be of benefit in Secret Server Reports.

Thycotic’s Secret Template Gallery contains the content for the Secret Template I created above.  The Template can be found by searching “Hardware Remote Desktop” or by using this direct link.  Import this or any template by clicking Administration -> Secret Templates.  Paste the XML into the Import Secret Templates text box and click the Import button.

If you think you have a great and useful Secret Template, comment below!  We want to hear about it and what makes it useful.


Comments : Leave a Comment »
Tags: , , , , ,
Categories : Secret Server, Security, Tips & Tricks

Using Secret Server Links to Securely Transmit Sensitive Data

24 08 2012

Having been a Systems Engineer, I’m familiar with the problem of sharing credentials.  My method for sharing login credentials with a colleague consisted of access to a spreadsheet with everything or a Post-it that would be shredded (hopefully).  However, with Secret Server, System Admins are easily able to share credentials with colleagues by sending them a simple URL format:

http://SERVERNAME/VIRTUALDIRECTORY/SecretView.aspx?secretid=SECRETNUMBER

  • “SERVERNAME” is the DNS name or IP Address of the server that hosts Secret Server.
  • “VIRTUALDIRECTORY“ is the name of the Virtual Directory used when Secret Server was installed.  Typically, this is “SecretServer”.
  • “SECRETNUMBER” is the actual number associated with the secret data as found in your instance of Secret Server.  This number increases sequentially as secrets are added.

For instance, the secret of a test server I have installed is shared with this link:  http://192.168.0.2/SecretServer/SecretView.aspx?secretid=52

Note: Using this link requires Secret Server login permissions and permissions for that user to at least view the secret you’re trying to share.

The elegance of this method is that users can share credentials between them through email.  The use of the data and permission to use the data is still controlled by a Secret Server Administrator.  It’s worth mentioning is that all of this activity is logged and reportable within Secret Server.

Admins with the need for additional security can link to a secret that has a Launcher enabled and the password is hidden from users.  This way, an Engineer can directly link to a secret’s launcher with a coworker.  The coworker can use the credential to login via Remote Desktop (or any other launcher functionality) to a server without knowing the actual credentials.

Hide Launcher Password is a feature that allows the password field of a secret to remain hidden from view or clipboard access, but still usable by the launcher.  The activity is completely logged in Secret Server and nothing was written down, able to be copied, or shared with anyone but those that have express permissions in Secret Server.  Enable this security feature by clicking the Edit button for a secret, then Security tab -> Edit button -> check Hide Launcher Password -> Save button.

The use of links go beyond email.  Admins could also use these links in support documentation for applications or systems.  In the documentation, a link to Secret Server data can be embedded in place of the actual admin credentials.  This would negate the need for a document-based password protection scheme.


Comments : 2 Comments »
Tags: , , , ,
Categories : Secret Server, Security, Tips & Tricks

« Previous Entries


Follow

Get every new post delivered to your Inbox.