Introducing Secret Server 8.5 Pt. 4: SSH Proxy

10 04 2014

Secret Server 8.5 adds a number of new features and functionality. These new features are pretty awesome, so we decided this release deserves a little extra showcasing. Check back each week through April to learn something new about 8.5 and how it will increase your team’s overall security and productivity. This week we take a look at using Secret Server as a proxy for your SSH Launchers. Enjoy!

Secret Server’s SSH Proxy feature, added with version 8.5, allows increased security of the servers you connect to through SSH. This feature forces any SSH connection made through a Secret Server Launcher to be proxied through your Secret Server web server.

Proxying through Secret Server gives you two major benefits: the ability to enter just one IP address (your Secret Server IP) as an approved SSH connection source for your servers, and the opportunity for keystroke logging once an SSH session is initiated. This means that instead of including a number of your users’ client machine IP ranges, you can now specify your single Secret Server IP. Once sessions are initiated, you will also get enhanced session monitoring abilities through keystroke logs.

Configuring proxying in Secret Server is simple:

Specify your bind IP address, public host information, and port. Then create a banner to be displayed to users whenever they make an SSH connection through Secret Server. You have the option to provide a host private key or generate a new one.

If you want, you can enable an Inactivity Timeout to control how long a proxied Launcher session can remain idle before the connection is automatically closed.


Improved Session Monitoring

Whether your SSH Launchers use proxying or not, Session Monitoring (covered in Part 1 of our Introducing Secret Server 8.5 series) is a feature that will help you keep track of (and optionally, terminate) your users’ launched sessions.


However, proxying your SSH connections through Secret Server provides the added capability to record and then save or search through text from the SSH session.


Launchers compatible with SSH Proxying

The SSH Proxying feature applies to not only the PuTTY Launcher, but any custom Launchers you create, such as SecureCRT. Just select Proxied SSH Process as the Launcher type when configuring the custom Launcher in Secret Server.

Don’t worry, our Secret Server 8.5 blog post series is not over yet! Next week we’ll be covering changes to PowerShell.





Launch Away-Multiple Launcher Sneak Peek

17 12 2013

One of the most popular features in Secret Server is the Launcher. With one click, Secret Server can launch and authenticate to RDP, PuTTY or a website. You can also launch a custom executable with Secret Server and pass in command-line arguments that reference Secret values. Additionally, the Windows Form Filler can be used to auto-fill credentials for programs that cannot launch with command-line arguments.

Using the Launcher is easy. First, go to the Secret that you want to use. Then, click the Launcher icon to initiate the session directly from your computer. This way, as long as an employee can access Secret Server, they can get their work done – a convenient feature for anyone working offsite.

With the next product release, Secret Server will allow users to assign multiple launchers to a single Secret. This is valuable when one set of credentials is used for multiple access points. For example, you could launch an RDP session with an Active Directory account, then, using the same credentials you could launch a PuTTY session.


You will be able to add as many Launchers as you would like to a Secret, including custom Launchers. Any user with access to the Secret will be able to use all of the configured Launchers. Add and configure new Launchers to a Secret at the Secret Template level, as shown below.


Look for the release later this week. As always, we’ll send out an email announcement once the update is live. If you do not get emails about the latest product releases, update your email preferences here.





Restricting User Input for Launcher

3 05 2013

A new feature in Secret Server is the ability to control which servers users are able to connect to using a Launcher. This can be done by specifying a list of machines or servers on a Secret in a notes field. This list can either be a whitelist or a blacklist of servers the Launcher is able to connect to.

When configured as a whitelist, a list of possible servers will be presented for users to select to launch. This prevents users from logging in to places they should not be, and adds convenience by not having to remember the name of each server.

When configured as a blacklist, users enter the machine or server name as they normally would, but are prevented from connecting to any machine on the blacklist. This prevents unauthorized use of credentials in your environment.


Enabling this feature is simple through Secret Server. Navigate to Administration, Secret Templates, then select any template with a Launcher attached such as the Active Directory Account or Windows Account Template and click Edit. There, you can select Configure Launcher, and Edit.

In the Advanced section, enable Restrict User Input by checking the checkbox, and configure accordingly. When mapping a field to Restrict By Secret Field, specify a field from the template. The values for the whitelist or blacklist will be based on that field for Secrets, and can be comma separated to specify multiple machines or servers.


Then it’s configured.
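To make the whitelist/blacklist semantics concrete, here is an added example that models the Restrict User Input check described above. It is not Secret Server’s own code: the field format (comma-separated host names) comes from the post, while the normalization rules (case, whitespace, an optional :port suffix) are assumptions.

```python
# Added example (not Secret Server's code): models the Restrict User Input
# behaviour, where a comma-separated Secret field acts as either a whitelist
# or a blacklist of hosts a Launcher may connect to.
from __future__ import annotations


def parse_host_list(field_value: str) -> set[str]:
    """Split the mapped Secret field into a normalized set of host names.

    Entries are comma separated; blank entries, surrounding whitespace and
    host-name case are ignored, so 'Server01 , ' and 'server01' match.
    """
    return {entry.strip().lower() for entry in field_value.split(",") if entry.strip()}


def normalize_target(user_input: str) -> str:
    """Normalize what the user typed into the Launcher (host or host:port).

    Only the host part is compared against the list, so adding an explicit
    port does not sidestep the restriction. (Assumption: IPv6 literals are
    not modelled here.)
    """
    host = user_input.strip().lower()
    if host.count(":") == 1:
        host = host.split(":", 1)[0]
    return host


def launcher_allows(user_input: str, field_value: str, mode: str) -> bool:
    """Return True if the Launcher may connect to user_input.

    mode is 'whitelist' (default deny: only listed hosts) or 'blacklist'
    (default allow: everything except the listed hosts).
    """
    hosts = parse_host_list(field_value)
    target = normalize_target(user_input)
    if mode == "whitelist":
        return target in hosts
    if mode == "blacklist":
        return target not in hosts
    raise ValueError(f"unknown mode: {mode}")


def allowed_targets(field_value: str) -> list[str]:
    """In whitelist mode, the sorted list of servers presented to the user."""
    return sorted(parse_host_list(field_value))


if __name__ == "__main__":
    # Constructed sample value for a Secret's notes field
    servers = "dc01.corp.example, Fileserver02 ,  jump01.corp.example"
    print(allowed_targets(servers))
    print(launcher_allows("FILESERVER02:3389", servers, "whitelist"))
    print(launcher_allows("fileserver02.corp.example", servers, "blacklist"))
```

Because the comparison is on names as typed, a blacklist in this model only blocks the exact spellings listed (the bare name does not block its fully qualified form), which is why the whitelist, with its default-deny behaviour, is the safer configuration.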





Launching Batch Files in Secret Server

18 01 2013

A feature introduced in Secret Server 8.0 is the ability for the Launcher to run a batch script that is stored in Secret Server. This is useful when a custom Launcher needs to start multiple processes, for example a custom Launcher that starts an SSH tunnel program and then starts PuTTY.


Create a Custom Launcher and upload your batch file to Secret Server and it will be encrypted and stored in your database. Secret values, including usernames and passwords, can be pulled from a Secret at launch time and passed as command line arguments to the batch file. After it runs, the batch file will be deleted from the local machine. Having your batch files launched from Secret Server adds security to your system by preventing end-users from changing batch commands and restricting the access to the files, and you get an audit trail for changes to the launcher and batch file.

Secret Server also helps with the ease of access to the batch file by having it stored in one central location instead of having to maintain batch files on each individual computer.





Sneak Preview: Secret Server Launcher for Mac

11 09 2012

The Thycotic Dev Team is hard at work with new functionality for Mac!  While I don’t have all the details, I do have a few items I can share.  Currently, we’re looking at an “end-of-Q4 2012” release date.  This date may slip, but it’s accurate for now.

Details I can share:

  • The Launcher will support Safari, Firefox, and Google Chrome.
  • The underlying technology is an NPAPI plugin. A quick install of the plugin is all it takes to enable the Launcher for Mac.
  • SSH will be supported, using a built-in SSH client.
  • Microsoft Remote Desktop will be supported, provided the Mac Remote Desktop application is installed. See Figure 1 for the screenshot of Remote Desktop. Figure 2 shows the Launcher Helper application in Firefox.

Figure 1

Figure 2

Features due out after the initial release (available in later updates):

  • Custom Launchers will be available in a subsequent update.  Remote Desktop and SSH will be the only launchers supported initially.
  • Session Recording functionality will be available in a subsequent update.

The Dev Team is interested in hearing your comments; please post your questions and thoughts below!





How to Create a Custom Web Launcher in Secret Server

29 08 2012

Creating a custom Web Launcher in Secret Server is useful for several reasons. First, it allows your organization to share online accounts without revealing the password. Second, it saves time for Secret Server users: with one click from Secret Server, the credentials are passed seamlessly to the destination’s login page. Used over time and across more than one site, it reduces the time spent on logging in. It even helps to eliminate locked-out accounts, because the username and password don’t have to be typed in by a user.

To create a custom Web Launcher, start by using a Secret Template that has the Launcher feature enabled and configured to the Website Login type.  If you’re using a custom Secret Template, you can configure this by clicking Administration -> Secret Templates.  Select the desired Template in the drop down menu and click Edit. Click Configure Launcher and Edit. The box for Enable Launcher should be checked and the drop down menu for Launcher type to use should be Website Login.  Also, make sure the corresponding fields are matched properly (Password to the actual password field in the Secret Template and so on).  Make sure to click Save when making any changes!  Now your Secret Template is configured to use the Website Login Launcher.

Go back to the Secret you want to use with the Web Launcher. Click on Edit -> Launcher tab -> then Configure Web Launcher. The URL should be populated in the field, and you can click on View Page to verify you have the actual login page selected. If not, browse to the actual login page and copy that URL to this field. Then click Next, and Secret Server will evaluate the page to see if it can automatically pass credentials using the Web Launcher. If you have the correct login URL and the Web Launcher evaluates the login page as usable, you’ll see a list of Available Forms.

You may need to experiment with different listings you may find in this field.  Many times, the choice is obvious.  In the case of twitter.com, the correct form is actually listed first.  Once you select a form, click Next and you may need to edit the mapped fields.  If the mapped fields are correct (user for UserName for instance) click Test Launcher.

If the launcher works, great job!  You’re done!  If it doesn’t work, make sure your fields are mapped correctly.  You may also want to click Reconfigure Web Launcher.  This will allow you to try a different form in the list of Available Forms.  Select a different form, try mapping fields again, and test the launcher.

Not all websites will allow the launcher to work, and even those that do may have exceedingly complex fields to fill out.  If this is the case, remember that you can contact support by posting in the Forums, by searching our Knowledge Base, or by contacting Thycotic Support directly!





Sneak Peek: PuTTY Launcher

11 09 2008

One of a system administrator’s must-have items in his toolbox is PuTTY. PuTTY is a small, lightweight program that is perfect for telnet and SSH connections. It doesn’t require any installation; it’s just a single EXE file and you’re good to go.

A feature of Secret Server that I personally have always found extremely useful is the launching capability that we introduced with Remote Desktop. It’s very handy for starting Remote Desktop sessions. We decided to take it a step further and extend this functionality to PuTTY.

An initial obstacle that needed to be overcome was figuring out how to make sure PuTTY was on the client’s machine. The creators of PuTTY are generous, and fortunately they allow us to distribute PuTTY with Secret Server. Since the Remote Launcher capability is a Microsoft ClickOnce application, it seemed reasonable to distribute PuTTY with our application. This would avoid the need for users having to tell our application where to look for PuTTY, or us requiring that you have it in a certain location on the machine.

However, PuTTY is 500 kilobytes, and the initial application was a mere 12 kilobytes. 500K is small in today’s high tech world, but to reduce corporate bandwidth use, we only distribute it when you need it for the first time. That means when you make your first launch of PuTTY, we’ll download the application for you from your Secret Server installation, thus not needing an outside Internet connection, but after that it’s cached so you only need to download it once.

Once PuTTY is downloaded successfully, the application will automatically start already logged in at the prompt. For the first release of the PuTTY launcher, we will only support SSH.

If you want to see additional launchers built into Secret Server, make sure you stop by our forums and let us know!

– Kevin





Remote Desktop – peek into the future …

13 12 2007

Here is a teaser trailer showing automatic opening of Remote Desktop from a secret in Secret Server.


Watch movie (Remote Desktop from Internet Explorer)

Watch movie (Remote Desktop from Firefox)


There are some technical difficulties in getting Remote Desktop to work like this since it encrypts the password in the .rdp file in a machine/user specific way.

This feature is unlikely to be ready for the Secret Server 4.0 release but should come in an update soon after.

–Jonathan







