Introducing Secret Server 8.5 Pt. 2: Scalability Enhancements for Remote Password Changing, Heartbeat and Discovery

27 03 2014

Secret Server 8.5 adds a number of new features and functionality. These new features are pretty awesome, so we decided this release deserves a little extra showcasing. Check back each week through April to learn something new about 8.5 and how it will increase your team’s overall security and productivity. Today we are going to focus on speed and scalability. Enjoy!

An upgrade to .NET Framework 4.5.1 isn’t the only major change Secret Server 8.5 brings with it. Our latest version of Secret Server also includes scalability enhancements for Remote Password Changing, Heartbeat and Discovery. Simply put, a lot of processes just got a whole lot faster.

Multi-threading Magic

Remote Password Changing, Heartbeat and Discovery can now take advantage of multi-threading to improve performance and scalability. Secret Server will utilize 80% of your server’s processors, leaving a remaining 20% to maintain performance of Secret Server’s interface. What does this mean? Greater performance with overall speed scaling with the power of your Secret Server machine.

You can see the maximum degrees of parallelism of your primary server on Secret Server’s Diagnostics page.

Max Degrees of Parallelism

 

Speedy Remote Password Changing & Heartbeat

With multi-threading, Secrets queued for Remote Password Changing can now have their password changes handled simultaneously. This gives you seriously increased speed! Additionally, Remote Password Changing uses intelligent batching to manage the queue of Secrets, ensuring that Secrets and privileged accounts are never changed in the same batch. The scalability improvements also apply to Secrets using Agent for Remote Password Changing.

Before the 8.5.000000 upgrade, password changes were executed one at a time:

Before password changes were executed one at a time

After 8.5.000000 upgrade, multiple password changes are executed at once:

Remote Password Changing After

Lightning Discovery

Secret Server’s Discovery feature, in addition to using a multi-threaded approach for scanning your machines, takes an improved approach to service account scanning to reduce scan time by up to 20 seconds per computer. Combining these two enhancements to Discovery makes scanning hundreds or thousands of computers faster than ever before!

Are the speed enhancements to Remote Password Changing, Heartbeat and Discovery your favorite 8.5 feature so far? Don’t worry there is more to come! You’ll just have to check back next week for the next 8.5 feature showcase. Here’s a little hint, we’ll be talking membership. See you next week!





IT’s TIME: Update Those Security Settings with PowerShell

18 03 2014

Secret Server 8.4, released in January, included additional ways to update Secret security settings via the web services API. This week, we’ll show you how to use PowerShell to access the Secret Server web services API and configure security settings for Secrets.

Web Service security settings: What’s available?

The web services API can help you configure Remote Password Changing and advanced security settings, including:

capture3

These settings correspond to those you will see in the browser interface on the Remote Password Changing and Security tabs of a Secret.

The sample script we’ll use today creates a new Secret and then updates it to use the Require Approval for Access security setting. Because this setting also requires Approvers, our PowerShell script includes parameters to set both a user and a group as approvers. For the entire script, see our KB article HERE.

Review: Authentication

First, provide your Secret Server URL in the script. You’ll be prompted for your Secret Server login credentials at runtime:

Webservices1

If you’re using a domain account, add a similar line for the domain. See Using Web Services with Windows Authentication (PowerShell) if you use Integrated Windows Authentication.

Generating Passwords

Utilize the password generator to create new, randomized passwords when you aren’t using an already-existing password:

Webservices2

Create the Secret

Create a Secret by providing the Template ID, new Secret name, field ID’s and value, and destination folder with the AddSecret method. Helper functions findFieldId, findTemplate and findFolderId take care of automating the process of determining ID’s, if you don’t already know these ID values.

Webservices3

Update Secret security settings

Once your new Secret has been created, modify its security settings using the result of AddSecret. In this case, we’ll utilize another method to obtain the object type necessary for adding groups and users, and create new records (one for a user, one for a group). Then we’ll add them to the Secret as approvers:

Webservices4

Finally, we’ll use the UpdateSecret method to apply our new security settings to the same Secret we created earlier.

Keep errors in check!

Don’t forget to use an error-checking function to assist with debugging and determine whether there are any errors to return for each web services call you make:

Webservices5

For an example of retrieving and updating Remote Password Changing settings for existing Secrets, see our previous blog post on the web services API.

For additional resources on using the web services API, see our Knowledge Base and Web Services API Guide. Troubleshooting your own script using Secret Server web services? Our technical support team is always available to help! Contact support HERE.





Don’t Just Store, Actively Manage Your Passwords! Create Custom Password Changers for All Devices

28 01 2014

 

You just purchased a new network device or server and realized that Secret Server doesn’t contain a specific password changer for it. You figure the best you can do is store the static credentials in Secret Server, but there’s no way Secret Server could actively manage password changing, right? Think again! Secret Server has a variety of ways you can customize password changers, no matter how complex your environment.

SSH

SSH password changers can change passwords for ANY of your SSH-compatible devices. Modify an existing SSH password changer or create your own. Enter the SSH commands in Secret Server, replacing actual credentials in the commands with values that reference the credentials stored in the Secret. The same will work for any device accessible for password changes over Telnet.

HP iLO Account Custom Password Changer Template

A few examples:

  • Configure a Dell DRAC password changer:

http://support.thycotic.com/KB/a166/how-to-manage-drac-passwords-with-secret-server-using-ssh.aspx

  • Use the built-in Cisco password changer (customizable):

http://support.thycotic.com/KB/a251/heartbeat-and-remote-password-changing-for-cisco-accounts.aspx

  • Use the built-in Unix Root account password changer:

http://support.thycotic.com/KB/a369/heartbeat-remote-password-changing-unix-root-accounts.aspx

LDAP

Secret Server comes with several LDAP password changers configured for Active Directory, DSEE and OpenLDAP. You can either customize the existing password changers or use one as a template to create your own custom configurations, for example to change passwords for 389 Directory Server. Customizable settings include enabling SSL, method of authentication, and username authentication format. See the article below for details:

  • Use and configure custom LDAP password changers:

http://support.thycotic.com/KB/a183/ldap-password-changing.aspx

Web Passwords

Secret Server’s web password management includes Remote Password Changing for Amazon Web Services, Google, and Windows Live accounts. Configure these options under the Remote Password Changing tab for any Secret using the Web User Account password changer.

Remote Password Changing for a Windows Live Account

Password Changing for Additional Account Types

Secret Server contains password changers for many other account types as well. While these are not all customizable, they include many commonly used account types such as Oracle, SQL Server, SonicWall NSA and more. A full list of included password changers can be accessed here.

See the Secret Server User Guide for more info on creating and testing custom password changers.

Did you create your own custom password changer? Share it with others on our forum.

Send us your ideas and suggestions any time. Post new feature requests and see what other customers have requested at feedback.thycotic.com.





Fasten Your Seat belts! Advancements to Web Services API Speed Up Remote Password Changing

14 01 2014

If you are familiar with Secret Server’s web services API, you already know that it can be a convenient way to retrieve, create and update Secrets individually and in bulk, especially if you already use scripts to accomplish account-related tasks in your environment. Some of the most common use cases require only simple calls to Secret Server to add and retrieve stored information, such as:

  • Efficiently adding new Secrets as new domain accounts are created.
  • Replacing privileged account credentials with web service calls to retrieve and utilize the account information within the same script.

More fine-grained operations, such as updating Secret security and Remote Password Changing settings require increased functionality from web service calls. This week, we’ll take a look at the additions to web services that have come with the release of Secret Server version 8.4, providing more control over Remote Password Changing for Secrets.

To start, let’s see how web services would assist Sarah, our handy system administrator, in the following scenario:

Sarah has decided that she wants to use a dedicated privileged account to change passwords for all service accounts in her production domain. A great deal of these accounts are scattered throughout her folder structure in Secret Server. Without using web services, Sarah would have to find every account in the Secret Server GUI and set the privileged account manually. Now, if the Secrets were all located in a single folder, Bulk Operation would make this a breeze. However, with the varying locations of these accounts, searching for each individual Secret to update will be time-consuming. Fortunately, Sarah is familiar with PowerShell and can use web services to update all of her service account Secrets. She uses the script below:

Web Services API PowerShell Script for Remote Password Changing

This script will search Sarah’s Secret Server to find any Secret with a name containing the word ‘Service.’ The script then updates the Secret’s privileged account setting for Remote Password Changing. Sarah can also reuse the script any time privileged accounts need to be updated for a large number of Secrets.

The scripts can also be used to change additional Secret properties, such as Require Approval for Access, Require Comment and Check Out. For more information about these properties, see our Web Service API Guide (Pages 60-62), available from the Secret Server Support page.

On another topic, are you tired of endless calls to the help desk to reset a user’s forgotten AD password? You won’t want to miss this week’s webinar, introducing Password Reset Server, our AD self-service password reset tool. Register now!








Follow

Get every new post delivered to your Inbox.

Join 30 other followers