Thycotic Secret Server System Operation Tasks - NETSEC


Saturday, December 5, 2020

Thycotic Secret Server System Operation Tasks

Thycotic Secret Server is a full-featured PAM solution that gives security and IT ops teams the agility to secure and manage all types of privileges, protecting administrator, service, application, and root accounts from cyber attack. A free version for small businesses allows 10 users and 250 privileged accounts, supports RDP and PuTTY, and can be integrated with AD.

This post collects some basic Thycotic SS operation tasks.




Local Secret Server Basic Architecture

1 Local Site Basic Secret Server Architecture






2 Thycotic Secret Server Components:


1. Install CA-Signed Web Application Certs

2. Licensing & Integrated AD - Directory Service

3. Create/Sync Secret Server Users

4. Enable/Configure Security Features 



Install CA-Signed Web Application Certs









Licensing








Integrated AD - Directory Services











Create/Sync Secret Server Users






Enable Security Features

1. Session Recording


2. Remote Password Changing


3. Discovery






RDP Launch 

Click RDP Launcher from your secret account page:


Enter the computer host name, FQDN, or IP address.






Some warning or error messages you may see when using the RDP Launcher:
1 Protocol Handler Failed to Launch
Usually this is caused by a missing Protocol Handler program. Click the link for your system to install it.


2 Did you mean to switch apps?
If you are using the Microsoft Edge browser, it might ask whether to switch to another app (MSTSC) to open "RDPWinBootstrapper". Click Yes to continue. The system might also ask whether to remember this selection; click Yes as well.

3 Secret Server Launcher Attempts
Secret Server Launcher is attempting to launch with the following Secret Server URL:
https://<fqdn name of your Secret Server>/secretserver


4 The publisher of this remote connection can't be identified.

Tick the check box "Don't ask me again for connections to this computer" and click the Connect button to continue.




5 Secret Server Error:

The Secret Server Launcher failed to load.

The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

Usually this is caused by an untrusted RDP SSL certificate. Once the client machine is joined to the domain, this error message goes away.



Enable Session Monitoring

1 Enable Session Recording Globally

2 Enable Session Recording in Secret Settings


3 Check Session Recording Records




Remote Password Changing (RPC) Steps


1 Enable Globally
  • Remote Password Changing
  • Heartbeat

2 Password Changers
  • Review built-in changers
  • Create Custom
  • Test Actions

3 Secret Template
  • Configure Expiration
  • Configure template RPC and Heartbeat Settings

4 Secret or Secret Policy
  • On-Demand
  • Auto-Change
  • Auto-Change Schedule

Notes: https://thycotic.force.com/support/s/article/Remote-Password-Changing-Expiration





Secret Policy

Explanation:
  • Any items selected as 'Default' will be applied on the creation of any Secret that has this Secret Policy applied to it.
  • Any items selected as 'Enforced' will be applied to all Secrets that have this Secret Policy applied to it.
  • 'Enforced' settings cannot be changed on the Secret.
  • Certain settings will only be applied to a Secret if they are valid settings for the Secret.
Three settings:
  • <Not Set> causes a setting to stay off
  • <Default> causes the setting to be on, but editable later by users with edit permission on the secret
  • <Enforced> causes the setting to be on and uneditable; it is locked onto any secret with this policy

Each row of the Security Settings section has a Setting column (<Not Set> / <Default> / <Enforced>) and a Value column; the item names and their dependencies are:

SECTION            SECRET POLICY ITEM NAME                    NOTES
Security Settings  Require Check Out
Security Settings  Custom Check Out Interval (Minutes)        Dependent on: Require Check Out
Security Settings  Enable Requires Approval for Access
Security Settings  Request Access Approvers                   Dependent on: Enable Requires Approval for Access
Security Settings  Request Access Workflow                    Dependent on: Enable Requires Approval for Access
Security Settings  Event Pipeline Policy
Security Settings  Editors also Require Approval              Dependent on: Enable Requires Approval for Access.
                                                              Overridden by General Configuration Permission Option
                                                              "Force Require Approval for Editors on Approval Secrets"
Security Settings  Owners and Approvers also Require Approval Dependent on: Enable Requires Approval for Access.
                                                              Can be overridden by General Configuration Permission Option
                                                              "Force Require Approval for Owners on Approval Secrets"
Security Settings  Require Comment
Security Settings  Enable Session Recording
Security Settings  Viewing Password Requires Edit
Security Settings  Run Launcher using SSH Key
Security Settings  Enable SSH Command Restrictions
Security Settings  Allow Owners Unrestricted SSH Commands     Dependent on: Enable SSH Command Restrictions
Security Settings  SSH Command Menu Groups                    Dependent on: Enable SSH Command Restrictions


  • <Not Set> - this is the default setting, which marks the item as disabled / not in effect.
  • Default - selecting this option applies the Policy Item across all Secrets in the target folder, with the option of making manual changes to the Secret settings later. Any items selected as 'Default' will be applied on the creation of any Secret that has this Secret Policy applied to it.
  • Enforced - selecting this option applies the Policy Item across all Secrets in the target folder, without the option of changing these applied settings on the Secrets in that folder. Any items selected as 'Enforced' will be applied to all Secrets that have this Secret Policy applied to it.
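A small model of how the Not Set / Default / Enforced states and the "Dependent on" rules above resolve onto a secret. This is an added example, not code from the post or from Thycotic; the item names come from the table, and the resolution logic is one reading of the page's rules.

```python
NOT_SET, DEFAULT, ENFORCED = "Not Set", "Default", "Enforced"

# Dependencies taken from the Security Settings table: a child item only applies
# to a secret when its parent item is on for that secret.
DEPENDS_ON = {
    "Custom Check Out Interval (Minutes)": "Require Check Out",
    "Request Access Approvers": "Enable Requires Approval for Access",
    "Request Access Workflow": "Enable Requires Approval for Access",
    "Editors also Require Approval": "Enable Requires Approval for Access",
    "Owners and Approvers also Require Approval": "Enable Requires Approval for Access",
    "Allow Owners Unrestricted SSH Commands": "Enable SSH Command Restrictions",
    "SSH Command Menu Groups": "Enable SSH Command Restrictions",
}


def apply_policy(policy, existing=None):
    """Apply a policy ({item: (state, value)}) to a secret at creation time.

    Not Set items are skipped, Default and Enforced items are written to the
    secret, and a dependent item is only applied when its parent is on.
    Returns (settings, locked): locked holds the items the secret owner can no
    longer edit because the policy enforces them."""
    settings = dict(existing or {})
    locked = set()
    # Parents first, so a dependent item can see its parent's resolved value.
    for item in sorted(policy, key=lambda name: name in DEPENDS_ON):
        state, value = policy[item]
        if state == NOT_SET:
            continue
        parent = DEPENDS_ON.get(item)
        if parent and not settings.get(parent):
            continue  # not a valid setting for this secret yet
        settings[item] = value
        if state == ENFORCED:
            locked.add(item)
    return settings, locked


def edit_setting(settings, locked, item, value):
    """A user with edit permission changes one setting on the secret;
    Enforced items are rejected, Default items may be changed."""
    if item in locked:
        raise PermissionError(f"{item!r} is enforced by the secret policy")
    settings[item] = value
    return settings
```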


Update




Backup

Both the Backup File Path and the Backup DB File Path need to be accessible from the current Secret Server. Permission on both folders is set to full control for Everyone; otherwise the backup will fail.

For a network share folder, see the KB: https://docs.thycotic.com/ss/10.8.0/backup-and-disaster-recovery/backing-up-to-network-share/index.md







Web Service API -REST


Enable Webservices:








Secret Server SDK

Secret Server SDK Client
  • Retrieve Secret values from Secret Server programmatically
  • Integrate with scripts and build tools
  • Fine-grained access control
  • Secure configuration storage
  • Available in Secret Server 10.4
  • Supports Windows, Linux, macOS
Use Scenarios
  • Accessing authenticated resources from within a script
  • Deploying build artifacts from CI/CD process
  • Deploying credentials to client machines using a configuration management tool
  • Building containers with credentials baked in
Steps:
1. Enable Webservices.
2. Create a web service account the same way you create a normal user, and check the Application Account option.
3. Grant this new web service account at least View permission on the secret(s) it needs.
4. Admin -> SDK Client Management -> create a client rule that tells the system which client may use the web service account, and with which key.
5. Enable the SDK Client function.
6. Download the TSS command-line client to a folder and run it from there.

7. After the TSS client has connected, you can check the Accounts tab on the Admin -> SDK Client Management page to see the current session.
Example: pull the secret with secret id 1:
c:\sdkclient> tss secret -s 1

For a specific field:
c:\sdkclient> tss secret -s 1 -f password

Get a token for use with REST API calls:
c:\sdkclient> tss token
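Using the token from `tss token` with the REST API, as an added example that is not from the post or from Thycotic. The endpoint path `/api/v1/secrets/{id}` and the response shape (an `items` list with `fieldName`, `slug`, `itemValue`) follow the Secret Server REST API as I know it; the base URL, the token and the sample response are placeholders I constructed, so check them against your own instance.

```python
import json
import urllib.request

# Assumed placeholders (not from the post): the Secret Server base URL and a
# bearer token obtained out-of-band, e.g. printed by `tss token`.
BASE_URL = "https://secretserver.example.com/SecretServer"


def build_secret_request(base_url, token, secret_id):
    """GET request for /api/v1/secrets/{id} carrying the bearer token."""
    url = f"{base_url.rstrip('/')}/api/v1/secrets/{int(secret_id)}"
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    return urllib.request.Request(url, headers=headers)


def extract_field(secret_json, field_slug):
    """Return the itemValue of the field whose slug matches (e.g. 'password',
    the same field name `tss secret -s 1 -f password` asks for), or None."""
    for item in secret_json.get("items", []):
        if item.get("slug") == field_slug:
            return item.get("itemValue")
    return None


def get_secret_field(base_url, token, secret_id, field_slug):
    """Live call: fetch the secret over TLS and return one field value.
    Do not log the returned value; handle it like the password it is."""
    req = build_secret_request(base_url, token, secret_id)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return extract_field(json.load(resp), field_slug)


# Constructed sample response, shaped like the API's secret object, so the
# parsing can be exercised offline without a server.
SAMPLE_SECRET = {
    "id": 1,
    "name": "web01 local admin",
    "secretTemplateName": "Windows Account",
    "items": [
        {"fieldName": "Machine", "slug": "machine", "itemValue": "web01"},
        {"fieldName": "Username", "slug": "username", "itemValue": "Administrator"},
        {"fieldName": "Password", "slug": "password", "itemValue": "S@mple-Only-1"},
    ],
}

if __name__ == "__main__":
    # Offline demonstration; use get_secret_field(BASE_URL, token, 1, "password")
    # with a real token for a live lookup.
    print(extract_field(SAMPLE_SECRET, "username"))
```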




Configuring SS to Use Okta for SSO








