Channel: Secret Server – Thycotic

Get Credentials out of Code with Secret Server API

A few years back, our engineers decided to solve a new password problem: Network credentials are not only used by people. Sometimes other programs need credentials to interact with the network too. Secret Server was already providing full audits of each user’s credential usage, so why not create an API so programs could also use Secret Server for credential access?

Using scripts, Secret Server’s API allows third-party programs to access Secret Server programmatically. Secrets and Folders can be searched and retrieved, and new ones can be created. This not only provides a full audit trail of credential usage by third-party applications, but also improves security by getting credentials out of clear text within the application’s code.

Any developer can use Secret Server’s API in their scripts or to integrate with existing software. It’s always great when companies use our APIs and share them with others. Here are a couple of examples:

Puppet Labs creates automation software for provisioning, maintaining infrastructure configurations, automating repetitive tasks and more. Steve Shipway, a Puppet Labs and Secret Server user, wrote a module for Puppet Labs that uses the Secret Server API to assist Puppet Labs’ configuration and provisioning tasks. The Secret Server API module for Puppet Labs is available online for free.

Devolutions’ Remote Desktop Manager provides a central location for managing remote connections, including PuTTY, RDP and TeamViewer. Through the Remote Desktop Manager integration with Secret Server, network admins can use their Windows Authentication credential to launch applications, providing greater network security.

Ready to start making your own third-party program integrations with Secret Server? Check out our Knowledge Database for guidance.



Importing Credentials into Secret Server Part One of Two

After installing Secret Server and thinking through your Folder and Permission structure, the next step is to import information into Secret Server.

Secret Server provides multiple tools to quickly import information into Secret Server, whether you are currently using sticky notes, Excel spreadsheets or a personal password tool such as KeePass. Secret Server can also automatically create the Secrets and manage passwords for your local Windows accounts and Windows service accounts through the Discovery Feature. In this post, we will focus on how to import Secrets from Excel spreadsheets and other personal password tools. Part Two will discuss how to set up Discovery to automatically import accounts and use the API to create Secrets.

Migration Tool Import

Secret Server has an Import Migration Tool that will allow you to pull information from KeePass, Password Safe and Password Corral. The Migration Tool generates a new Secret Template to match the fields native to the password tool. It will then generate a CSV with your information and upload it to the new Template. You can also have the Migration Tool use the folder structure from your existing password tool and bring that into Secret Server. Once Secrets are imported into Secret Server, they can have their templates converted using our Bulk Operations to make full use of Launchers and Password Changers. You can download the Migration Tool, or find a link to it within your Secret Server by going to Tools > Import Secrets.

CSV Import

Secret Server supports importing from a CSV file for password tools that are not natively supported by the Migration Tool or for importing from Excel Spreadsheets. There are three ways to import manually from a CSV file.

Option 1:  Mimic what the Migration Tool does and create a new Secret Template to match the existing information fields. Import the entire file into the new template. Once the data is imported, convert Secret Templates manually to templates that match the information stored within.

Option 2: Create separate CSV files before importing so that information is grouped by template type, such as one CSV for Active Directory Accounts, another for Windows Accounts, etc. Next, organize the fields to match existing templates within Secret Server. The easiest way to organize the fields is by using a spreadsheet editor. To see the fields that are used for a Template, navigate to Tools > Import Secrets and then select the template from the drop-down box. Note: the only required field during import is the Secret Name field.
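
Option 2 can also be scripted instead of done in a spreadsheet editor. The following is an added example, not Thycotic's code: it groups one exported CSV by template type, reorders the columns per template and rejects rows without a Secret Name. The "Type" column, the field order per template and the sample rows are assumptions; take the real field order from the import page.

```python
import csv
import io

# Assumed field order per template (hypothetical; read the real order from
# the import page for each template before using this).
TEMPLATE_FIELDS = {
    "Active Directory Account": ["Secret Name", "Domain", "Username", "Password", "Notes"],
    "Windows Account": ["Secret Name", "Machine", "Username", "Password", "Notes"],
}

# Constructed sample export. The "Type" column naming the target template is
# an assumption about how the spreadsheet was kept.
MASTER_CSV = """Type,Secret Name,Machine,Domain,Username,Password,Notes
Windows Account,web01 local admin,web01,,administrator,EXAMPLE-ONLY-1,IIS box
Active Directory Account,svc-backup,,corp.example,svc-backup,EXAMPLE-ONLY-2,
Windows Account,,db01,,administrator,EXAMPLE-ONLY-3,missing name
Unix Account,root on app01,app01,,root,EXAMPLE-ONLY-4,
"""


def split_by_template(master_csv, template_fields, type_column="Type",
                      include_header=False):
    """Group rows by template and reorder columns to the template's fields.

    Returns ({template: csv_text}, [(line_number, reason), ...]).
    Everything stays in memory, so the clear-text passwords are not copied
    into extra files until the caller decides to write them out.
    """
    buffers, writers, rejected = {}, {}, []
    reader = csv.DictReader(io.StringIO(master_csv))
    for row in reader:
        line_no = reader.line_num
        template = (row.get(type_column) or "").strip()
        if template not in template_fields:
            rejected.append((line_no, f"unknown template {template!r}"))
            continue
        # Secret Name is the only field the import requires.
        if not (row.get("Secret Name") or "").strip():
            rejected.append((line_no, "Secret Name is empty"))
            continue
        fields = template_fields[template]
        if template not in writers:
            buffers[template] = io.StringIO()
            writers[template] = csv.writer(buffers[template], lineterminator="\n")
            if include_header:
                writers[template].writerow(fields)
        writers[template].writerow([(row.get(f) or "").strip() for f in fields])
    return {t: b.getvalue() for t, b in buffers.items()}, rejected


if __name__ == "__main__":
    files, rejected = split_by_template(MASTER_CSV, TEMPLATE_FIELDS)
    for template, text in files.items():
        print(f"{template}: {len(text.splitlines())} row(s) ready to import")
    for line_no, reason in rejected:
        print(f"line {line_no} rejected: {reason}")
```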

XML Import

The final text-based method of importing Secrets is using our XML import. This is usually only done by advanced users and is generally used when re-building Secret Server from an XML export. The XML import can create Secret Templates and Folders, specify Secret permissions, and even set Dependencies on import. For an example XML file click here.

Check back next week to learn about importing accounts automatically with Discovery and creating and updating Secrets using our API.



Importing Credentials into Secret Server Part Two of Two

In our last post we discussed importing secrets manually into Secret Server using our Migration Tool and built-in CSV and XML import. This week we are going to review how to automatically import credentials into Secret Server.

Discovery in Secret Server

Discovery is a major feature in Secret Server with two main functions:

  1. Scan your network for local Windows accounts and import them as Secrets. With Discovery Rules, this process can be automated to run on a schedule, and new accounts will be imported based on a set of parameters that you establish.
  2. Scan your network and pull in Windows services, attaching them as dependencies to current Secrets or creating new Secrets based on the particular account running the service.

How to Set Up Discovery

Setting up Discovery is simple.

  1. On the Administration>Discovery page, check the box enabling Discovery.
  2. Set the interval that you want Discovery to perform scans of the domain.
  3. Create a domain for Discovery to run against: on Administration>Discovery, click Edit Domains and then click Create New. Here you will enter the Fully Qualified Domain Name. Use an account that has access to all the machines you would like to discover and the ability to change the passwords for those accounts.
  4. Check the Enable Discovery box for the new domain and then click Save and Validate. Secret Server will confirm that it can reach your domain.

Once Discovery is turned on, it will start running scans throughout the network. This occurs in batches so as to not bog down your network.

Import Accounts using Discovery

  1. When the scans finish, click Discovery Network View on the Administration>Discovery page.
  2. You will see two tabs, one for local Windows accounts and another for service accounts. This page enables you to find the accounts you would like to import. It allows you to filter computers based on organizational unit (OU) and search for specific computers and accounts.
  3. Check the accounts you wish to import and click the import button. Secret Server will automatically create a Secret for each. You also have the option of changing the passwords for the accounts when the Secrets are created.

Using the API to Create Secrets

The final method of importing Secrets is to use our API to programmatically create the Secrets. The Secret Server API allows basic functions to be performed on Secrets, such as creating, deleting or modifying.

The API is especially useful when you have an existing script that already provisions accounts. Secret Server provides web service API calls that can be added to your existing script in order to create Secrets after your new accounts are provisioned.

After Secrets are imported, the API can also be used if you have third party applications that need credential access (i.e. the API can then be used to programmatically provide credentials stored in Secret Server). The API is also good for updating existing Secrets. For example, if your domain name has changed, you can use the API to quickly update all applicable Secrets to match the new domain.

Check out our Knowledge Base and API Guides located on the Secret Server technical support page for examples on how to utilize Secret Server’s API.


Securing Web Browsers Through Group Policy

When developing a workflow to manage shared credentials, it’s important to take into account certain environmental factors that may cache credentials on their own. These factors can decrease security around shared credentials.

This week, we’ll focus on securing your web browsers through group policy.

Disable Password Caching for IE

Note: these instructions are specific to Windows Server 2012, but may be applied similarly in Windows Server 2008.

Caching of passwords and auto-completion of usernames and passwords used in IE can be disabled from the Group Policy Management Editor under:

  •  User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer

Here, you can disable “Turn on the auto-complete feature for user names and passwords.”

[Screenshot: Group Policy Management Editor]

This will also prevent users from re-enabling the setting:

[Screenshot]

Restriction of password caching in Mozilla Firefox

Locking down settings in Firefox requires use of a third-party extension. One extension that we tested is called FirefoxADM, which provides adm files that add the ability to configure Firefox settings through Windows Group Policy. However, this only seemed to work with older versions of Firefox. Other extensions and tools exist, but they are not officially supported by Microsoft for use in a Windows environment.

Disable Password Caching in Google Chrome for Business

Google Chrome for Business allows for policies relating to Google Chrome to be defined at either user or device level.

The Google Chrome Password Manager can be disabled at the user level by logging into the Google Admin console and navigating to the Settings menu. After selecting the “User Settings” menu, select an OU and under the Security settings disable Password Manager.

The Google Chrome Password Manager can be disabled at the device level through Windows GPO by adding two REG_DWORD values to the Windows registry at HKEY_LOCAL_MACHINE\Software\Policies\Chrome called PasswordManagerEnabled and PasswordManagerAllowShowPasswords, each with a value of 0x00000000.


Disabling the Password Manager takes away the users’ ability to enable the “Offer to save passwords I enter on the web” setting in Chrome.


Controlling credential caching in Mac OS X

Safari cannot be easily managed in a Windows environment; however, Mac OS X Server provides a tool called Server Admin that may facilitate control of Safari settings in the OS X environment. Third-party tools are also available for this purpose.

Web Password Filler

Once you’ve secured your browsers, you can still utilize the credentials stored in Secret Server by using the Web Password Filler. For more information, see this blog post.


Integration Spotlight – Secret Server and Devolutions Remote Desktop Manager

In this week’s webinar we will be diving into the integration of Devolutions Remote Desktop Manager and Secret Server. The two products were integrated in 2011 after several client requests, and since then users have been securing their credentials through Secret Server and their remote connections through Remote Desktop Manager. Administrators have been able to use both solutions for greater convenience and added security.

Using Secret Server, you can securely store your login credentials and audit access to them. With Remote Desktop Manager, you can centralize your remote connections that use programs such as Remote Desktop, PuTTY, TeamViewer, and more. With the integration of Secret Server, Remote Desktop Manager seamlessly retrieves the login credentials from your Secret Server account. Using these two programs in conjunction with each other provides your company with a secure, centralized way to store, manage, and utilize your credentials for remote connections.

Join product managers Ben Yoder, Thycotic Software, and Maurice Côté, Devolutions, as they demonstrate the features and benefits of both solutions this Thursday September 19th at 11:30 AM EST. Be sure to register today!


Using Secret Server to Help Maintain Compliance Mandates

Secret Server is a powerful, flexible tool which can help your organization meet a variety of compliance mandates, such as SOX, PCI, HIPAA and more. In this article we are going to review several ways you can utilize Secret Server to maintain compliance by securely managing your privileged account credentials.

Centralizing Your Sensitive Information
Before you can start managing your privileged accounts they must be located and stored securely in Secret Server. This means removing them from where they’re currently stored (such as an Excel spreadsheet or personal password management tools) and placing them into Secret Server; centralizing all privileged and shared accounts while providing full auditing of the activity on those accounts.

Compliance tip: This is useful for complying with SOX as it mandates that your sensitive information be stored in a centralized encrypted vault.

You can do this in a few ways:

  1. Importing. Using a CSV or XML file, you can directly import your data into Secret Server.
  2. Migration. The Migration Tool imports credentials from several personal password management systems such as KeePass or Password Safe.
  3. Discovery.  With Discovery you can easily scan your network and import Local Windows Accounts and Service Accounts running Web Services.

Set up permissions, access and roles
Once credentials are secured in Secret Server you will want to organize access control for each user and decide what privileges a user has to administer their accounts. To do so, Secret Server uses a permission structure reminiscent of that of Windows to easily delegate access to information with a full audit trail.

Compliance tip: This relates to PCI compliance as it mandates an audit be kept of access to network resources.

Permissions allow you to store information from multiple groups and departments while managing exactly which users have access and have been accessing sensitive information.

Role based access in Secret Server can be broken down between different users so that no one user has full control of the system, giving granular control of user ability.

Password creation and regular rotation 
A big part of most compliance standards is using strong passwords and updating passwords on a regular basis. Secret Server can automate password changing on a wide variety of devices and accounts.

Compliance tip: This is an important piece of many compliance standards, including HIPAA, regarding regularly changing passwords for credentials.

Passwords can be changed automatically on a fixed schedule or can be set to change immediately. Secret Server also has the ability to report all information that a user has access to and queue them for remote password changing with a few clicks. This is especially helpful for when someone leaves the company and all their credentials need to be changed.

Remote Password Changing can generate passwords for the accounts based on the type of account. With Password Requirements you can specify the length of password, types of characters used, and the frequency that they show up.

These are just a few ways Secret Server can help your organization maintain compliance. Next week we will discuss the benefits of using a SIEM tool with Secret Server.


The Value of SIEM and How to Integrate with Secret Server

What is a SIEM tool and why should I use one?

SIEM (Security Information and Event Management) tools are a type of software that pulls in log and audit information from multiple sources across your network. This can include access logs for building entry, computers, servers, network devices, databases and applications. SIEM tools aggregate the data they pull in and correlate events, so that you can get a clear picture of what is going on across your network. They also provide real-time alerting in the case of a security breach.

Here’s a quick example of how a SIEM tool can identify a breach. Say an employee – let’s call her Sarah – comes to work every day around 9:00 am EST. She’s an IT admin, so she beeps into the building with her key card, logs into her computer and starts checking on the status of her assigned servers. But, one day her computer is accessed in the middle of the night, long before she typically comes in. She hasn’t beeped back into the building and her VPN connection was never activated. This could be a security breach and someone better start asking questions. If the company had a SIEM tool, it would have alerted the company that something was wrong.

Secret Server can easily integrate with your existing SIEM tool. As a privileged account manager, Secret Server records a full audit of credential usage – who accessed what and when.  Secret Server can take this audit trail and send all of its information to the SIEM tool using Syslog or CEF format. Once the data is in the SIEM tool, it will compare events from Secret Server to other usage audits throughout your network.

Now, say that Sarah’s company used Secret Server with a SIEM integration for all admin passwords. One night, someone logged into one of Sarah’s servers as the local admin, but there was no indication that anyone logged into Secret Server to retrieve the password. The SIEM tool would be able to tell that a login occurred without Secret Server and flag it as a potential breach. The SIEM tool would then alert the company of the potential breach.
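
The correlation described above, as an added example (not Thycotic's or any SIEM vendor's code): it flags privileged logons that were not preceded by a vault access for the same host and account. The CEF lines and logon records are constructed, and the vendor string, the SECRET_VIEW event name, the chosen extension fields and the one-hour window are assumptions, not Secret Server's actual syslog output.

```python
import re
from datetime import datetime, timedelta

CEF_TIME = "%b %d %Y %H:%M:%S"  # one of the timestamp forms CEF allows for rt

# Constructed vault audit lines in CEF layout, with a syslog prefix on some.
# Vendor, product, signature IDs and event names are placeholders.
VAULT_SYSLOG = [
    "Oct  1 09:05:00 vault01 CEF:0|ExampleVendor|ExampleVault|1.0|100|SECRET_VIEW|3|"
    "rt=Oct 01 2013 09:05:00 suser=sarah dhost=web01 duser=administrator",
    "CEF:0|ExampleVendor|ExampleVault|1.0|100|SECRET_VIEW|3|"
    "rt=Oct 01 2013 10:00:00 suser=sarah dhost=db01 duser=administrator",
    "CEF:0|ExampleVendor|ExampleVault|1.0|200|USER_LOGIN|1|"
    "rt=Oct 01 2013 09:04:30 suser=sarah",
    "not a CEF line",
]

# Constructed host logon records as a SIEM might normalise them:
# (timestamp, host, account).
HOST_LOGONS = [
    ("2013-10-01 09:07:10", "web01", "administrator"),
    ("2013-10-01 10:02:00", "db01", "administrator"),
    ("2013-10-02 02:13:44", "web01", "administrator"),  # nobody asked the vault
]


def parse_cef(line):
    """Return (event_name, extension_dict), or None if the line is not CEF."""
    start = line.find("CEF:")  # a syslog header may precede the CEF payload
    if start < 0:
        return None
    # Seven unescaped pipes separate the header fields from the extension.
    parts = re.split(r"(?<!\\)\|", line[start:], maxsplit=7)
    if len(parts) != 8:
        return None
    # Extension is key=value pairs; a value runs until the next " key=".
    ext = {m.group(1): m.group(2)
           for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7])}
    return parts[5], ext


def vault_accesses(lines, event_name="SECRET_VIEW"):
    """Map (host, account) to the times the vault released that credential."""
    seen = {}
    for line in lines:
        parsed = parse_cef(line)
        if parsed is None or parsed[0] != event_name:
            continue
        ext = parsed[1]
        try:
            when = datetime.strptime(ext["rt"], CEF_TIME)
            key = (ext["dhost"].lower(), ext["duser"].lower())
        except (KeyError, ValueError):
            continue  # incomplete or unparseable event: cannot vouch for a logon
        seen.setdefault(key, []).append(when)
    return seen


def find_unvaulted_logons(vault_lines, logons, window=timedelta(hours=1)):
    """Return logons with no vault access in the `window` before them."""
    accesses = vault_accesses(vault_lines)
    flagged = []
    for stamp, host, account in logons:
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        prior = accesses.get((host.lower(), account.lower()), [])
        if not any(timedelta(0) <= when - t <= window for t in prior):
            flagged.append((when, host, account))
    return flagged


if __name__ == "__main__":
    for when, host, account in find_unvaulted_logons(VAULT_SYSLOG, HOST_LOGONS):
        print(f"ALERT {when:%Y-%m-%d %H:%M:%S} {host}\\{account}: "
              "logon without a vault access in the prior hour")
```

In practice the window would follow the access period configured on the Secret rather than a fixed hour.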

Secret Server is partnered with two SIEM tools, HP ArcSight and Splunk, Inc., with more integrations in the works. Find out more about Secret Server’s SIEM integration and syslog output on our support page!


Secret Server iOS 7 Mobile App Upgrade

As iOS users may have noticed, our Secret Server app received an upgrade with the recent release of iOS 7. The most noticeable sign the app was upgraded is a fresh user interface. However, there are a few other aspects of the latest update that are worth highlighting.

View & Edit Restricted Secrets
Previously, users could not view restricted Secrets from the mobile app. Now, Secrets that have the advanced security settings Require Comment, Require Approval and CheckOut are also accessible from your mobile device.

[Screenshots: Require Comment, Require Approval, CheckOut]

When viewed through the mobile app, Secrets that require a comment will receive an audit entry called WEBSERVICEVIEWCOMMENT to help differentiate comments in the audit log:

[Screenshot: WEBSERVICEVIEWCOMMENT audit entry]

These restricted Secrets will not be cached. Therefore, a user must re-enter information after a 5-minute period (for Require Comment) or when the approval period ends (for Require Approval and CheckOut).

More Information

If you don’t yet use the mobile app and/or would like more information, please see the following articles in our Knowledge Base:

Using the iOS 7 Mobile App with Secret Server Installed Edition

Using the iOS 7 Mobile App with Secret Server Online



Create an Approval Workflow for Sensitive Secrets

It’s important to understand how to properly create a workflow in Secret Server for secrets of a sensitive nature. For example, let’s say you have a Secret for the admin account on your production web server. You want to give all your web server administrators access to the Secret, but you only want them to log in for a specific reason, such as during an emergency or to perform maintenance or install new software.

To address this issue, Secret Server has a security feature called Require Approval for Access. This setting lets you grant a user access to a Secret by making the user enter a reason they would like to access the Secret. It can be used for any Secret within Secret Server. For our example today, your web server admins would enter the reason why they want to access the web server.

[Screenshot: Secret Access Request]

After the web admin explains why he wants access to the production web server, an email is sent to one or more people to approve. You can customize who receives the email and is allowed to approve the request – every Secret has a customizable approval list.

Next, those approving the request will receive an email notifying them of the request. Inside Secret Server, they can read the request, deny or approve it, and specify how long that user may have access to the Secret before they have to submit another request for access.

[Screenshot: Request Access for Workflow]

This entire request and approval process is logged in the audit trail of Secret Server, so if there are ever questions later, it can be double checked.


Windows 8.1 Security Improvements Help Protect Against Pass the Hash Attacks

This cyber security month, we’d like to congratulate and thank Microsoft on their efforts to block Pass the Hash cyber-attacks. Known by Microsoft as “one of the most popular types of credential theft and reuse attacks,” Pass the Hash attacks are known for their ability to infiltrate full networks within minutes, making a major mess along the way.

With the Windows 8.1 update released on October 1, Microsoft has added major security improvements that are intended to block the ability of hackers to use these kinds of attacks. With the new release, Microsoft has bought us all some “space to breathe.”

Use your space wisely and remember that cyber security is constantly evolving. Take these three steps to help strengthen your organization’s password practices.

  1. Administrator accounts still need to be separated and used with care. Segment administrator accounts into a regular AD account and a user-specific Domain Administrator account for use only when privilege is needed.
  2. Lock down Domain Administrator passwords in a secure place where the administrator can access them when needed, and admin access is fully audited, so you have a record of use.
  3. Change Domain Administrator passwords to a new, random value after each use.

These steps can be incorporated into your security policy and implemented manually or through an automation tool, such as Secret Server. Password management tools provide added value to security and password management when they enable role-based access, sharing among teams, and full auditing for compliance.

Learn more about the Windows 8.1 update here.


Don’t miss our monthly webinars!

Every month, Thycotic hosts a webinar to explore new features, technical integrations and best practices. Last week we discussed a fairly new feature added to Secret Server version 8.3, which has expanded the list of web password changers. Secret Server can now change passwords on Windows Live, Google and Amazon accounts. This means you can now manage your Office 365, Google Apps and Amazon Web Services through Secret Server. These sites are just the beginning of web password changing for Secret Server. If you missed the live webinar, you can watch a recorded version here.

We have several upcoming webinars, including a feature deep-dive and tech integration case study.

Sign up now to get them on your calendar!

Learn how America First Increased Security through Authenticated QualysGuard Scanning with Secret Server

November 5, 2013 at 1:00 pm EST.

Do you have a full understanding of your network security, from both external and internal threats? Performing authenticated scanning for internal threats while keeping credentials locked-down on premises can greatly mitigate security risk. Find out how America First, a national credit union, implemented secure authenticated scans with Secret Server.

Register here for the Qualys Authenticated Scanning webinar

Thycotic Software Introduces Password Reset Server

November 14, 2013 at 11:30 am EST.

Learn how Thycotic can help solve your end-user AD password resets. Password Reset Server is an AD self-service reset tool that helps reduce your help desk calls.

Register here for the Password Reset Server webinar

For the latest security news and Thycotic product updates, follow us on LinkedIn!


3 Ways Secret Server will Enhance your Identity Access Management Strategy

It’s important to have an Identity Access Management (IAM) strategy, whether you are trying to meet a compliance standard such as PCI, SOX or FIPS, or you just want accountability for what is going on throughout your network. Secret Server has many ways that it can help administrators accomplish this. In this article, we will be going over three different features that will help establish your IAM strategy.

1. Role-based access:

With roles, administrators can delegate permission and access to appropriate information quickly and easily. Integrating Secret Server with Active Directory will enable you to assign roles automatically based on existing Active Directory groups. This ensures that users only see information that is necessary for them to complete their work, without exposing excess data.


2. Audits and Reporting:

Every time a user has any interaction with a Secret, an audit is created to record: (1) the action, (2) the person and (3) the exact time the action occurred. Using the audit information, administrators are able to see exactly what users are doing within the system. For example, they can tell how Secrets are shared between users, Secrets with the most views, and which users are not logging into the system at all.


3. Session Recording:

Secret Server can record everything that occurs during a session. By using the recording launcher, Secret Server takes a screenshot every second and then compiles the images into a movie that is saved on the audit log. This is great for your most critical machines, where you want to know exactly what is going on when a user is logged in. Now, should anything go wrong on these servers, it is easy to retrieve the recording from Secret Server and view exactly what occurred, increasing the speed at which the issue can be resolved.

Using these three features will put you on track to creating a complete Identity and Access Management strategy in which your team may become more productive and secure.


If you are in Los Angeles this week for the Gartner IAM conference, stop by our booth # 210 or join us tonight at 5:45 PM PST for a drink in our “Made in DC” hospitality suite.


Are You Using One Time Passwords?

Secret Server can easily be configured so that end users do not have to see the password to make use of a resource, such as logging onto a remote server. Using Hide Launcher Password, Secret passwords can be hidden from users, forcing them to use a Launcher to access the machine or device. This makes it easier for admins to use long and complex passwords and also improves security by eliminating the ability for users to write down and save passwords. You can even create white- or black-lists (http://blog.thycotic.com/2013/05/03/restricting-user-input-for-launcher/) to restrict the devices that users can launch into. In addition, Secret Server also has a Web Filler (http://blog.thycotic.com/2013/02/20/webinar-secret-server-web-password-filler/) to launch into website accounts.

Whenever possible (without impeding workflow, of course!) passwords should only be revealed when necessary. This keeps passwords from being written down or memorized and enforces using the vault to ensure a full audit trail. Hiding passwords for all of your accounts, however, may not always be possible. For instance, if an administrator creates a new service, she will need to manually enter a password from Secret Server. To do this, you can certainly give the administrator permission to view the Secret’s password, but it risks the password being compromised.

Secret Server’s solution to this is Check Out. Utilizing Check Out allows you to configure how long a user has access to any given Secret. You also have the option of having Secret Server change the password when the access period expires or the user checks in the password themselves.

Here’s an example of how this can work. Say Sarah, our imaginary system administrator, checks out a Secret to go perform maintenance on a couple of Windows servers. She decides to write the password down and then gets to work on the different servers using that Secret’s credentials. In the process, she gets a little distracted and leaves her sticky note with the password behind when she goes to grab a cup of coffee. Luckily, Check Out with Expiration is configured. While she is out, the Check Out period automatically ends and Secret Server checks in the password and changes it automatically. When Sarah returns from her coffee break, she will have to go back to Secret Server for the new password. This keeps her usage audited in the system, and protects the company against her stray sticky note, which has now been forgotten. Companies that want even more of an audit trail can use Check Out in conjunction with Require Approval for Access (http://blog.thycotic.com/2013/10/15/create-an-approval-workflow-for-sensitive-secrets/) to create an easy and secure workflow for their more sensitive accounts.


Announcing Our Official Technology Alliance with Splunk

In the past we have discussed the benefits of using a security information and event management (SIEM) solution, not only as a compliance tool, but also for protecting against potential threats in real time.

We are excited to announce our official technology alliance with Splunk to release Secret Server for Splunk Enterprise, giving administrators deep insight into the use of privileged accounts, providing better visibility for compliance standards and detection of internal network threats.

Getting the app is simple. While logged into the Splunk interface, navigate to “apps” and search for Secret Server. Once installed, you can use the app to automatically start pulling information from the Secret Server sysLog. Make sure you have Secret Server installed and running before using the app.


Using Secret Server with a SIEM tool such as Splunk allows administrators to gain a clear picture of what is going on throughout their network. The app can be used to filter out key events from the Secret Server sysLog using the Event Search feature. This allows easy retrieval of information from real time events, such as when users are launching sessions, accessing reports, checking out Secrets, or when Unlimited Administrator mode is turned on.


In addition, the app allows you to access and create robust reports directly in the Splunk interface.


Want to learn more? Download Secret Server for Splunk Enterprise today!


Use Custom Reports as Your Secret Weapon

Custom Reports

While Secret Server contains a number of reports addressing Secrets, folders, users, activity and more, having the flexibility to create your own reports may be necessary to address your organization’s unique requirements. With the Custom Reports feature of Enterprise and Enterprise Plus editions (and a little knowledge of SQL), you can do just that.

When creating a custom report, you can either write your own SQL query or customize a SQL query from an existing report.

Create a New Custom Report

To create a new custom report, click the Create it link at the bottom-right corner of the Reports page in Secret Server. The resulting page contains a few fields that are present to customize the name, descriptions and other aspects of the report, and a large text box for the SQL query. At the bottom of the page, clicking Show Secret Server SQL database information will provide a drop-down menu and grid that allow you to take a look at the tables and table columns available for use in reporting. Clicking Preview will provide you with the results of your custom report below, so you can check the accuracy of your report.


Reference Custom Secret Fields

With version 8.2.000000, the ability to expose fields for display was introduced along with custom columns for the Dashboard. This means that certain Secret fields can be left unencrypted, and can therefore be used in custom reporting as well. This change can be made at the Secret Template level, and will present a message warning that the fields will be left unencrypted in the database. For this reason, it is important to not mark any fields as exposed for display if they contain sensitive information that should remain encrypted.


Once fields are marked to be exposed for display, they can be referenced in reports as any other field in the database. For example, the following SQL will display Secrets containing a custom field value called “Account Used By”:

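    -- One row per Secret of template 6001 that has the exposed custom field
    SELECT
        s.SecretName AS [Secret Name]
        ,si.ItemValue AS [Account Used By:]
    FROM tbSecret s
    JOIN tbSecretItem si
        ON s.SecretID = si.SecretID
    JOIN tbSecretField sf
        ON sf.SecretFieldID = si.SecretFieldID
    WHERE s.SecretTypeID = 6001
        -- the display name must match the field name on the template exactly
        AND sf.SecretFieldDisplayName = 'Account Used By:'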

This report will return results in the following manner:


Dynamic Parameters

Secret Server also supports the use of several dynamic parameters that will allow report users to select a variable to apply to a report. These can be parameters such as user, group or date range. For more information on using dynamic parameters, see our KB article on the topic. A good example of dynamic parameters can be seen in the preconfigured report “What Secrets have been accessed by a user?”


Reports Gallery

To see custom reports that other Secret Server users have created and to share your own, you can take a look at the Custom Reports Gallery.

Want to learn even more about creating custom reports? Join us this Thursday, December 12th, at 11:30 AM EST for our Deep Dive: Secret Server – Get the most out of Reporting Webinar. Register today!

For any questions or assistance with custom reports, contact Thycotic Support.



Launch Away-Multiple Launcher Sneak Peek


One of the most popular features in Secret Server is the Launcher. With one click, Secret Server can launch and authenticate to RDP, PuTTY or a website. You can also launch a custom executable with Secret Server and pass in command-line arguments that reference Secret values. Additionally, the Windows Form Filler can be used to auto-fill credentials for programs that cannot launch with command-line arguments.

Using the Launcher is easy. First, go to the Secret that you want to use. Then, click the Launcher icon to initiate the session directly from your computer. This way, as long as an employee can access Secret Server, they can get their work done – a convenient feature for anyone working offsite.

With the next product release, Secret Server will allow users to assign multiple launchers to a single Secret. This is valuable when one set of credentials is used for multiple access points. For example, you could launch an RDP session with an Active Directory account, then, using the same credentials you could launch a PuTTY session.


You will be able to add as many Launchers as you would like to a Secret, including custom Launchers. Any user with access to the Secret will be able to use all of the configured Launchers. Add and configure new Launchers to a Secret at the Secret Template level, as shown below.


Look for the release later this week. As always, we’ll send out an email announcement once the update is live. If you do not get emails about the latest product releases, update your email preferences here.


Wham! IIS Application Pools & Scheduled Tasks available for Discovery


Secret Server version 8.4.000000 boasts a number of exciting new features for Discovery, with a focus on expanded functionality for rules and service account dependencies.

Discovery has always been a great tool for detecting and importing Windows local accounts and service accounts from the computers on your network. Now, in addition to Windows services, Discovery can also detect IIS Application Pools and Scheduled Tasks running on your domain-joined machines. Secret Server can either import them as dependencies for existing Secrets or create a new Secret for the account and dependency.

What to look for: An icon indicating the dependency type on the Service Accounts tab of Discovery Network View.

Service Account Tabs | Secret Server

Another addition to service account Discovery is Dependency Rules. Much like the Discovery Rules that apply to local Windows accounts, Dependency Rules allow you to automatically import dependencies based on domain or OU. Subsequently, new event subscription actions are available that provide the option to send notifications when dependencies are added, deleted, or fail a password change.

What to look for: Discovery Dependency Rules can be found by clicking Discovery Rules from the main Discovery page, or by clicking View Rules at the bottom of the Service Accounts tab of Discovery Network View.

Discovery Rules | Secret Server

The Discovery administration page has also had a bit of a makeover. You will now have the option to enable or disable Discovery for each account/dependency type. For example, if you would only like to use Discovery for Windows services, you can disable Discovery for all other types, leaving Windows Service Discovery enabled. Now when Discovery scans machines, either automatically or manually (click the Run Now button above the Computer Scan Log), it will only return Windows service results. Scanning will be completely turned off and inaccessible for every type of Discovery that is marked disabled.

What to look for: Additional Discovery options at the top of the main Discovery page. Discovery logs for local and service accounts have also been consolidated on this page to make viewing Discovery logs simpler and more centralized.

Discovery Configuration | Secret Server

Check out Secret Server 8.4.000000 release notes HERE, and be sure to upgrade to receive all of the latest improvements to Discovery and the Launcher.


2013: A Security Odyssey


What did 2013 hold for Thycotic Software? New partners, software releases, and other exciting milestones. Join us for our movie themed year-in-review.

This year, in the wake of dozens of newsworthy data breaches, the landscape for IT security broadened with every headline. The importance of securing privileged credentials and managing identity went from a “nice to have” to a “need to have” seemingly overnight. It became more apparent from IT teams across the globe that a spreadsheet was no longer a trusted, secure repository to manage privileged passwords in an organization.

So what did this mean for Thycotic? Keeping a close eye on security trends, we listened to our customers and built the features they requested to solve their most essential use-cases in privileged account management. But that wasn’t all we did.

Here are just a few highlights of what made 2013 a defining year for Thycotic Software.

Let it snow, let it snow? More like, let it grow, let it grow!

Inc. Magazine named us one of the Top 5000 Fastest Growing Companies in the US, and #33 in the top 100 fastest growing companies in DC. We couldn’t be more honored to receive this privilege. Our growth is attributed directly to our fantastic customers and our intelligent, hard-working team.

Lions, Tigers, and Splunk – Oh, My!

This year we announced several great partnerships, ending the year with an official announcement of our partnership with Splunk to release the Secret Server App for Splunk Enterprise. We’re proud of all of our new partnerships, and especially of our rapidly growing technology integration partner program. You can read more about the Splunk integration with Secret Server in our press release.

Come fly with me, let’s fly, let’s fly away.

We broke a personal record at Thycotic by sponsoring over 35 tradeshows across the world in 2013. We’ve presented dozens of keynotes, spotlight sessions and thought leadership interviews, and spoken directly with thousands of IT security and operations professionals in every major vertical about their security needs. Thanks to our dedicated team who worked round-the-clock to make those events a major success.

Release the kraken!

This year we’ve had several exciting releases to our products Secret Server, Password Reset Server and Group Management Server based on direct requests from our customers.

For Secret Server, some notable new features are: SAP support for natively changing passwords on SAP accounts; expanded API to increase automation in scripting; Custom Columns for a more tailored dashboard view; Website Password Changing to automatically change passwords for Windows LIVE, Google and Amazon accounts; SAML Support for increased security and single-sign on convenience; and Improved Discovery for Scheduled Tasks and Application Pools, now discoverable by Secret Server.

Other new product features are Active Directory Attribute Integration to let employees easily update their own AD information with Password Reset Server, and Group Renewal for Group Management Server to remind Active Directory group managers to double check their group membership from time to time.

So what’s next for 2014?

We think that 2014 will trump this year in success stories, growth, partnerships and products. We hope you join us every step of the way. Join us on LinkedIn and Twitter for the latest news in cybersecurity and be sure to stop by our booth at RSA 2014 in San Francisco as we kick off another thrilling year in IT security.


Enable, Disable, or Mirror: A Deeper Look into User Administration


Controlling users is one of the most important facets of Secret Server password management administration. While Secret Server supports local users and groups, the easiest way to administer users is to use Active Directory (AD) integration. Secret Server can automatically pull in existing AD users and groups and create user accounts with the same permissions. After discovering the groups, Secret Server offers several different options on importing the data. 


Enabling Users. First, you have the option of automatically creating and enabling all users from the selected groups. This is the best option for small groups with only user accounts that need enabling.

Disabling Users. The next option is to have the users created and marked as disabled. Don’t worry, disabled users do not count towards license seats. This is ideal when importing groups with a mix of service and user accounts. Disabling allows administrators to import the existing groups without worrying about exceeding license limits and adds another layer of security because users added through AD don’t automatically have access to Secret Server. Simply import and select which users you want to enable. This can all be done using the Bulk Operation feature by administrating multiple users at once.

Mirroring User’s Status. Finally, Secret Server can mirror the user’s status in AD. Mirroring the status will not only create the users in Secret Server but also automatically enable and disable users based on their status within the AD group. Unlike the other options, it is the only method that actively affects existing users. This is useful for administrators who want to automate permissions based on groups. Mirroring allows you to administer AD groups and automatically reflect changes within Secret Server. As for security options, Secret Server supports the use of RADIUS if two-factor authentication is a concern, along with our built-in email based two-factor.

Upcoming webinars. Join us next week for our Deep Dive: Service Account Discovery Webinar. Product manager Ben Yoder will show you how to gain control of your network’s service accounts and dependencies through a step-by-step guide in our live webinar.

Also, be sure to check back next week as we will go over recent changes made to our Web Service API with the release of Secret Server 8.4.000000.

We want your feedback for future blog posts! Leave a request below and we will consider it for a later post. Happy 2014 everyone.


Fasten Your Seat belts! Advancements to Web Services API Speed Up Remote Password Changing


If you are familiar with Secret Server’s web services API, you already know that it can be a convenient way to retrieve, create and update Secrets individually and in bulk, especially if you already use scripts to accomplish account-related tasks in your environment. Some of the most common use cases require only simple calls to Secret Server to add and retrieve stored information, such as:

  • Efficiently adding new Secrets as new domain accounts are created.
  • Replacing privileged account credentials with web service calls to retrieve and utilize the account information within the same script.

More fine-grained operations, such as updating Secret security and Remote Password Changing settings require increased functionality from web service calls. This week, we’ll take a look at the additions to web services that have come with the release of Secret Server version 8.4, providing more control over Remote Password Changing for Secrets.

To start, let’s see how web services would assist Sarah, our handy system administrator, in the following scenario:

Sarah has decided that she wants to use a dedicated privileged account to change passwords for all service accounts in her production domain. A great deal of these accounts are scattered throughout her folder structure in Secret Server. Without using web services, Sarah would have to find every account in the Secret Server GUI and set the privileged account manually. Now, if the Secrets were all located in a single folder, Bulk Operation would make this a breeze. However, with the varying locations of these accounts, searching for each individual Secret to update will be time-consuming. Fortunately, Sarah is familiar with PowerShell and can use web services to update all of her service account Secrets. She uses the script below:

Web Services API PowerShell Script for Remote Password Changing

This script will search Sarah’s Secret Server to find any Secret with a name containing the word ‘Service.’ The script then updates the Secret’s privileged account setting for Remote Password Changing. Sarah can also reuse the script any time privileged accounts need to be updated for a large number of Secrets.
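
The search-and-update loop described above, as an added PowerShell example (not the script from the original post and not Thycotic's own code). The URL and the privileged Secret ID are placeholders, and the SOAP method and property names (Authenticate, SearchSecrets, GetSecret, UpdateSecret, SecretSettings.PrivilegedSecretId, IsChangeToSettings) are assumptions to confirm against the Web Service API Guide for your version.

```powershell
# Added example: set one privileged account on every Secret whose name
# contains 'Service'. Placeholders and assumed API names are marked below.
param(
    [string]$Url = 'https://secretserver.example.com/webservices/SSWebService.asmx', # placeholder URL
    [string]$SearchTerm = 'Service',
    [int]$PrivilegedSecretId = 0,   # placeholder: ID of the privileged account Secret
    [string]$Domain = '',           # leave empty for a local Secret Server user
    [switch]$ReportOnly             # list the matches without changing anything
)

if ($PrivilegedSecretId -le 0) { throw 'Pass -PrivilegedSecretId <ID of the privileged account Secret>.' }

# Prompt for the login at run time so no password is stored in the script.
$cred  = Get-Credential -Message 'Secret Server login'
$proxy = New-WebServiceProxy -Uri $Url   # cmdlet ships with Windows PowerShell

function Assert-NoErrors($result, $step) {
    # Assumption: every web service result carries an Errors array.
    if ($result.Errors -and $result.Errors.Length -gt 0) {
        throw "$step failed: $($result.Errors -join '; ')"
    }
}

# Assumed signature: Authenticate(username, password, organization, domain)
$auth = $proxy.Authenticate($cred.UserName, $cred.GetNetworkCredential().Password, '', $Domain)
Assert-NoErrors $auth 'Authenticate'
$token = $auth.Token

# Assumed signature: SearchSecrets(token, searchTerm, includeDeleted, includeRestricted)
$search = $proxy.SearchSecrets($token, $SearchTerm, $false, $false)
Assert-NoErrors $search 'SearchSecrets'

foreach ($summary in $search.SecretSummaries) {
    if ($ReportOnly) { "Would update: $($summary.SecretName) (ID $($summary.SecretId))"; continue }

    # Third argument (loadSettingsAndPermissions) is $true so SecretSettings is populated.
    $get = $proxy.GetSecret($token, $summary.SecretId, $true, $null)
    Assert-NoErrors $get "GetSecret $($summary.SecretId)"

    $secret = $get.Secret
    $secret.SecretSettings.PrivilegedSecretId = $PrivilegedSecretId
    $secret.SecretSettings.IsChangeToSettings = $true   # assumed flag marking the settings as changed
    $update = $proxy.UpdateSecret($token, $secret)
    Assert-NoErrors $update "UpdateSecret $($summary.SecretId)"
    "Updated: $($summary.SecretName) (ID $($summary.SecretId))"
}
```

Running it first with -ReportOnly shows which Secrets the search term matches before any setting is changed, which matters because a name search on 'Service' can match Secrets that are not service accounts.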

The scripts can also be used to change additional Secret properties, such as Require Approval for Access, Require Comment and Check Out. For more information about these properties, see our Web Service API Guide (Pages 60-62), available from the Secret Server Support page.

On another topic, are you tired of endless calls to the help desk to reset a user’s forgotten AD password? You won’t want to miss this week’s webinar, introducing Password Reset Server, our AD self-service password reset tool. Register now!

