Phew. Thycotic solutions remain unaffected during devastating Heartbleed vulnerability.

11 04 2014

The recent OpenSSL vulnerability CVE-2014-0160, or “Heartbleed” is affecting millions of SSL-enabled web servers worldwide; estimates are somewhere between 60% and 80% of servers are affected by the deadly bug. It’s the perfect example of a worst-case scenario: Heartbleed gives attackers the ability to reveal your server’s private SSL key by recovering just enough SSL key material.

We’re fortunate to announce that Thycotic has remained completely unaffected by this vulnerability, as our solutions are built on a Microsoft stack that doesn’t use any form of SSL technology. Our customers and partners can rest assured. However, it’s important to let others know what they can do to avoid an attack during this time.

While many tech news and media sites are advising consumers to rapidly change all web passwords that may have been affected by the Heartbleed bug, there’s still a risk for IT administrators, web admins and developers managing servers affected by the vulnerability. Question is… how do you prevent an attack while vulnerable?

Keep servers safe during Heartbleed

Website administrators were advised to patch their OpenSSL libraries on their servers to address the problem. But Heartbleed goes deeper than just patching OpenSSL. OpenSSL includes a general purpose API that software developers can use as part of their software. This is where static linking comes into play.

Static linking. Developers may choose to statically link to OpenSSL. Static linking allows developers to include OpenSSL within their software and it becomes embedded at compile time. Since the OpenSSL library is embedded in the software, upgrading the OpenSSL package on the operating system alone won’t update the OpenSSL version that software programs may have linked to statically.

Update all software, not just SSL. It is highly advisable that all software that makes use of OpenSSL technology be updated. Software vendors that statically link to OpenSSL should release updates for their software immediately by using a patched version of OpenSSL.

Keep clear, steady communications with customers. Make sure that as you’re updating systems and sending patches you’re also communicating these actions with your customers regularly. Consumers are rapidly changing web passwords and scrambling to protect their most valuable, personal data. Clear communications to your customer base (whether consumer or business) will help everyone stay on the same page and mitigate the most risk by using best practices during this time.

Integration Spotlight – Secret Server and Devolutions Remote Desktop Manager

17 09 2013


In this week’s webinar we will be diving into the integration of Devolutions Remote Desktop Manager and Secret Server. Since the software integration in 2011, users have been securing their credentials through Secret Server and remote connections using Remote Desktop Manager after several client requests. Since then, administrators have been able to use both solutions for greater convenience and added security.

Using Secret Server, you can securely store and audit access your login credentials. With Remote Desktop Manager, you can centralize your remote connections that use programs such as Remote Desktop, PuTTy, Team Viewer, and more. With the integration of Secret Server, Remote Desktop Manager seamlessly retrieves the login credentials from your Secret Server account. Using these two programs in conjunction with each other provides your company with a secure, centralized way to store, manage, and utilize your credentials for remote connections.

Join product managers Ben Yoder, Thycotic Software, and Maurice Côté, Devolutions, as they demonstrate the features and benefits of both solutions this Thursday September 19th at 11:30 AM EST. Be sure to register today!

Get Credentials out of Code with Secret Server API

16 07 2013

A few years back, our engineers decided to solve a new password problem: Network credentials are not only used by people. Sometimes other programs need credentials to interact with the network too. Secret Server was already providing full audits of each user’s credential usage, why not create an API so programs could also use Secret Server for credential access?

Using scripts, Secret Server’s API allows third-party programs to access Secret Server programmatically. Secrets and Folders can be searched and retrieved, and new ones can be created. This not only provides a full audit trail of credential usage by third-party applications, but also improves security by getting credentials out of clear text within the application’s code.

Any developer can make use of Secret Server’s API for use in their scripts or to integrate with an existing software. It’s always great when companies use our APIs and share them with others. Here are a couple of examples:

Puppet Labs creates automation software for provisioning, maintaining infrastructure configurations, automating repetitive tasks and more. Steve Shipway, a Puppet Labs and Secret Server user, wrote a module for Puppet Labs that uses the Secret Server API to assist Puppet Labs’ configuration and provisioning tasks. The Secret Server API module for Puppet Labs is available online for free.

Devolutions’ Remote Desktop Manager provides a central location for managing remote connections, including Putty, RDP and Team Viewer. Through the Remote Desktop Manager integration with Secret Server, network admins can use their Windows Authentication credential to launch applications, providing greater network security.

Ready to start making your own third-party program integrations with Secret Server? Check out our KnowledgeBase for guidance.

Breaking the Glass With Unlimited Administration Mode

28 05 2013

What happens when a user creates Secrets and does not share them with anyone else, or if you are administrating Secret Server and need to re-organize your Secrets?

Secret Server’s “break the glass” feature, Unlimited Administration Mode, can help in those situations.

The Unlimited Administrator Mode allows designated users to manage Secrets they would normally not have access to. Administrators with the “Administer Unlimited Admin Configuration” role permission can enabled this by going to Administration > Configuration and selecting “Change Administration Mode”. Administrators can enter any optional notes explaining why they are enabling or disabling it, as well as creating an audit trail of this setting. A banner also appears in the header indicating to other users that Unlimited Administration Mode is turned on.

When enabled, users that have the “Unlimited Administrator” role permission can now access all Secrets and folders (with the exception of DoubleLocked Secrets), regardless of permissions, and all features of the Secret Server. Having a separate role permission allows administrators to specifically assign which users will be affected by the setting. Typically these should be very trusted people in the organization.

Unlimited Administration Mode is powerful, and can be locked down by to prevent abuse by ensuring no user has both permissions “Administer Role Permissions” and “Administer Unlimited Admin Configuration”. If no role has the “Unlimited Administrator” permission by default, then it will take two users to effectively turn Unlimited Administration Mode on: One user to enable it in configuration, and the other user to grant the permission to users or groups.

You can also have administrators notified by email when Unlimited Administration Mode is turned on or off by using event subscriptions. Our Knowledge Base article, How to protect the Unlimited Admin Mode using Event Subscriptions, details how to set that up.

Customizing Roles For Your Company – Part One

10 05 2013

Secret Server uses Roles and Permissions to control access to various capabilities within the system.

In this two part blog post we will review how to set up customized roles and permissions to meet your company’s security policy.

Roles in Secret Server control what a user is allowed to do in the tool. Secret Server ships with three default Roles:
1. Administrator, which has the ability to perform any task.
2. User, which allows basic functions such as create, edit and viewing of Secrets.
3. Read Only User, which only allows a user to view Secrets and Audit Reports without edit capabilities.
Although Secret Server can be used right out of the box with these default Roles, each company should personalize the Roles to fit individual company needs.


The default Roles can be edited and new Roles can also be created. For example, administration tasks can be delegated to different Administrators without giving them full control of the system (for example: Backup Administrator, Secret Template Administrator, Role Administrator and so on). An Auditor Role can also be created to give a user limited access to the system – such as to view Reports and to check compliance settings without having access to sensitive information. For more information on Roles, see our Secret Server Best Practices Guide (requires valid support).

Auditor Role

In the next part of this post we will go over how to set up permissions to control access to Secrets and Folders.

Integrated Windows Authentication and Two-Factor Authentication

11 04 2013

In Google Chrome and Internet Explorer with Integrated Windows Authentication, enabled users are automatically signed in to Secret Server when they visit the site using their Active Directory credentials. This feature reduces the number of passwords that a user has to type, and the possibility of a forgotten password. This also allows domain administrators to specify a password policy that Secret Server will adhere to, such as password strength and password history.

Radius Configuration

Two-Factor Authentication in Secret Server forces users to enter another form of authentication on login, such as a pin or token. Secret Server comes with its own built-in email two-factor authentication, and supports the existing infrastructure to make use of RADIUS two-factor systems. This adds another layer of security to user accounts, however, it increases the number of steps required to access Secret Server. Using two-factor authentication helps prevent a scenario where a user might walk away from a workstation while logged in and an attacker could walk up to it and login to Secret Server.


Secret Server Copy-To-Clipboard for Google Chrome and Mozilla Firefox

26 03 2013

The Mozilla Firefox add-on and the extension for Google Chrome allows values from Secret Server to be copied directly to the clipboard. This allows for ease of access when a user needs to apply information from Secret Server to other locations, however, clipboards generally do not clear the data that was copied.

How do you protect your Secret data from being stolen from your clipboard? Secret Server’s Copy-To-Clipboard extensions add an extra layer of security to your clipboard by allowing the configuration of an automated schedule to clear the clipboard, so that the clipboard is cleared when exiting the browser. Each clipboard extension has a section that allows you to configure these options.


This makes it safe to use your clipboard and know that if you walk away from your computer for a few moments, someone won’t be able to take a password from your clipboard. It also helps prevent the accidental pasting of sensitive information into unsafe places, such as a chat client or email.

Currently, these security options are only available in the Firefox and Chrome extensions. Stay tuned for this functionality in Internet Explorer.


Get every new post delivered to your Inbox.

Join 30 other followers