Streamline Compliance with your Internal Security Policy by using Secret Server

4 03 2014

Incorporating a new tool into your company’s overall security architecture can be a tricky and time-consuming process. Fortunately, Thycotic Secret Server has a several features that streamline the process of complying with your existing corporate requirements. In this post, we will take a look at a few ways Secret Server can work in conjunction with your existing security policy to improve policy compliance and your user experience.

Enforce Password Compliance with Group Policies

Secret Server’s group policy feature allows you to set polices for local and domain account passwords, such as minimum password age, password length and password complexity. Secret Server adheres to the group policy when changing local Windows or Active Directory passwords. For example, if a password change is attempted with a weak password, Secret Server will return an error message to explain the password complexity requirements. Or, if a password change fails because it was too weak, Secret Server can send an email alert to administrators.

To eliminate the possibility that users will set weak passwords or use prohibited characters, Secret Server can automatically generate passwords using the preset password requirements. The result: secure, randomly generated passwords that are guaranteed to meet your group policy requirements each time they’re changed, whether automatically by using Auto Change or manually by a Secret Server user.

Restrict Access with Restricted Launcher Inputs

Group policy can also be used to restrict remote access to servers, which is a great way to decrease the area of attack for an account. However, with a large number of accounts this can be difficult to keep track of. Secret Server provides the ability to restrict launcher inputs to allow users to only see and connect to machines that have been whitelisted for each account. This simplifies the process for end users, who no longer need to keep track of details of their privileged account access, and allows administers to configure more granular access control in a way that is clear and fully audited.

Simplified Web Password Management

Finally, a policy that we have talked about before is allowing a user’s browser to store credentials. Auto fill for browser credentials is certainly convenient, but it does not provide an audit of usage, making it a bit of a problem for the security department. Instead, organizations can disable the browser’s password auto fill option and add those credentials to Secret Server. Users can then use the Secret Server Web Filler to directly log in to websites. This makes your environment more secure by tracking who accessed each web credential and it ensures passwords are stored securely within Secret Server instead of a user’s individual browser.

Check back next week to hear our team’s recap of RSA 2014 San Francisco.






Securing Web Browsers Through Group Policy

9 09 2013

When developing a workflow to manage shared credentials, it’s important to take into account certain environmental factors that may cache credentials on their own. These factors can decrease security around shared credentials.

This week, we’ll focus on securing your web browsers through group policy.

Disable Password Caching for IE

Note: these instructions are specific to Windows Server 2012, however may be similarly applied in Windows Server 2008.

Caching of passwords and auto-completion of usernames and passwords used in IE can be disabled from the Group Policy Management Editor under:

  •  User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer

Here, you can disable “Turn on the auto-complete feature for user names and passwords.”

Group Policy Management Editor

This will also prevent users from re-enabling the setting:

Web Browser Caching 2

Restriction of password caching in Mozilla Firefox

Locking down settings in Firefox requires use of a third-party extension. One extension that we tested is called FirefoxADM, which provides adm files that add the ability to configure Firefox settings through Windows Group Policy. However, this only seemed to work with older versions of Firefox. Other extensions and tools exist, however are not officially supported by Microsoft for use in a Windows environment.

Disable Password Caching in Google Chrome for Business

Google Chrome for Business allows for policies relating to Google Chrome to be defined at either user or device level.

The Google Chrome Password Manager can be disabled at the user level by logging into the Google Admin console and navigating to the Settings menu. After selecting the “User Settings” menu, select an OU and under the Security settings disable Password Manager.

The Google Chrome Password Manager can be disabled at the device level through Windows GPO by adding two REG_DWORD values to the Windows registry at HKEY_LOCAL_MACHINE\Software\Policies\Chrome called PasswordManagerEnabled and PasswordManagerAllowShowPasswords, each with a value of 0×00000000.

Web Browser Caching 3

Disabling the Password Manager takes away the users’ ability to enable the “Offer to save passwords I enter on the web” setting in Chrome.

Web Browser Caching 4

Controlling credential caching in Mac OS X

Safari cannot be easily managed in a Windows environment, however Mac OS X Server provides a tool called Server Admin that may facilitate control of Safari settings in the OS X environment. Third-party tools are also available for this purpose.

Web Password Filler

Once you’ve secured your browsers, you can still utilize the credentials stored in Secret Server by using the Web Password Filler. For more information, see this blog post.








Follow

Get every new post delivered to your Inbox.

Join 30 other followers