Latest Posts

TSS Intermediate Knowledges - Launchers, Proxy, Discovery, Dependencies, Remote Password Changing

 This post summarizes some Thycotic SS knowledges which considered as intermediate level. 


Launcher Setup:

• Variety of options depending on needs

  • Chrome Extension
  • Web password filler
  • Protocol Handler

• Protocol Handler

  • Pings Secret Server on interval to ensure sessions is valid
  • Kills Session if check fails or callback times out

• Prompted at the first Launch

Launchers Types:

• Default Launchers

  • RDP
  • Web Password Filler/Launcher
  • Powershell
  • SQL Server
  • Sybase isql (SAP SQL Anywhere)
  • IBM z/os
  • IBM i-Series

• Custom Launchers

  • Process
  • Proxied SSH
  • Batch File

• Launchers can be configured with Secret Templates

When creating a custom launcher, a batch file on the user's machine can be used to start multiple processes using information from Secret Server.
Creating a custom batch launcher
1.  From the ADMIN menu, select Secret Templates.
2.  Click Configure Launchers, and then click +New.
3.  Select Batch File for the Launcher Type, and then type a name for the launcher.
4.  Select the batch file you would like to launch by clicking the Choose File to browse to the file location.
5.  If the batch file requires extra arguments, type them in the Process Arguments option. To reference a Secret field, type $ followed by the name of the relevant Secret field. For example, $USERNAME where Username is the name of a Secret field on the Secret template that will be used with this launcher. A corresponding % and a number can be placed in the batch file to obtain value from the Secret field in that order. An example for a batch launcher and the batch file for mapped drive could be similar to below:

6.  If you want the batch file to run as the credential that is on the Secret, select the Run Process As Secret Credentials check box.
7.  If the batch file requires UAC confirmation, select the Use Operating System Shell check box.
8.  Click Save.
Adding a custom launcher to a Secret template
1.  From the ADMIN menu, select Secret Templates.
2.  Select the Secret template you want to add the launcher to, and then click Edit.
3.  Click Configure Launcher (at the bottom of the page), and then click Add New Launcher.
4.  Select the name of your custom launcher, and then map Secret fields to those that will be used by the launcher. If you only see Domain, Password, and Username, map these to those same fields on the template. These will be used if you have chosen to run the launcher as the Secret credentials.
5.  Click Save.


Proxy Benefits

• Without a Proxy

  • Session is established from client to the target
  • Credentials sent from Secret Server to the client
  • Possible to dump memory and compromise the credentials

• With a Proxy

  •  Session is established from Secret Server to the target
  • Credentials never transmitted to the client

Proxy Type

  • SSH Proxy
  • RDP Proxy
  • SSH Proxy Tunnel local RDP Session to remote server (Note recommended way since credential will be sent to client machine)

Troubleshooting Tips

  • Verify Remote Certificates are both Valid and Trusted
  • Check Firewall Ports - RDP Proxy default port is 3360, The Distributed Engine or Web Node default Port is 3389.
  • Credential on % Secret can be viewed by selecting More/Show Proxy Credentials and then choosing the Launcher
  • Verify the Latest Version of .NET framework is installed.


Discovery finds Secrets in an IT environment and brings them into Secret Server
  • Secret Server is most effective when it covers all privileged accounts
  • Discovery helps to eliminate - Unknown Privileged Accounts, Backdoor Access and Gaps in Security
  • Auditors want automated processes to reduce human errors

Best Practice:

When to Run Discovery

Currently, you cannot set when discovery runs via a control or setting. You can, however, approximately set when it runs by disabling and enabling it at the desired time. It runs daily around the same time as when it was first enabled and then again according to whatever the discovery scan offset hours interval was set to. 

Secret Server Discovery Out-Of-Box vs Custom


  • Active Directory
  • Unix/Linux local accounts
  • Hypervisor ESXi accounts
  • Amazon Web Services
  • Google Cloud Platform

Custom (Extensible)

  • ANYTHING -Leverages PowerShell scripts
  • SQL Accounts & Database links
  • Networking equipment
  • Embedded passwords

Extensible Discovery Overview

  •  Extends Secret Server's Discovery capabilities
  •  Built-in and/or Custom Scanners
  •  Discovery Process Scans:
    •  Host Range Discovery
    •  Machine Discovery
    •  Local Account Discovery
    •  Dependency Discovery
  • Not required to use Discovery in Secret Server but needed for most environments

Why Use Extensible Discovery?

  • Discover configuration files containing passwords
  • Scan computers not joined to the domain
  • Dependencies that run a SQL, SSH, or PowerShell script
  • Bring information back to custom fields in a Secret Template
  • Discover SQL Server logins as "Local Accounts"

After discovery, you can search / filter the services for certain accounts, then import them to the right secret. You might have multiple secrets associating with one domain account. You will need to clean it up and make sure import the dependencies into the right secret. Also make sure other existing secret will not causing problems by using password change function. 

Default settings after you imported a group of dependencies into a secret. 

Remote Password Changing

Remote Password Changing Summary

Enable Globally: admin-> Remote Password Changing

  • Remote Password Changing - Yes
  • Heartbeat - Yes

Password Changers:

  • Review built-in Changers
  • Create Custom
  • Test Actions

Secret Template:

  • Configure Expiration
  • Configure Template RPC and Heartbeat Settings

Secret or Secret Policy:

  • On-Demand
  • Auto-Change
  • Auto-Change Schedule
  • Change when it is expired.


Creating Custom Dependencies

If there are different dependency types that you want to manage that are not supported out of the box, new ones can be created based on a script. A custom dependency consists of two components:

  • Dependency Template: The dependency template defines how a dependency is matched to discovered accounts and how it updates the target after a password change occurs on the account. to create a new dependency template, go to Admin > Secret Templates and click the Dependency Templates button.
  • Dependency Changer: A dependency changer is a script and the associated parameters to be passed into the script. Dependency changers can be created and modified by going to Admin > Remote Password Changing > Configure Dependency Changers.

PowerShell, SSH, and SQL dependencies can have script arguments that derive their values from values on the dependency, the secret it belongs to, or any other secrets associated for remote password changing. Starting with Secret Server 10.0, tokens can also be used in ODBC connection string arguments. Script arguments are defined on dependency changers in Secret Server 10.0 and above and on the dependency in earlier versions of Secret Server.

Dependencies Tab for the secret

There are two actions you can execute on the dependencies. 

  • Run Dependency: This is to run the script on the selected dependency and set the password on the selected dependency to the current password for the secret
  • Test Connection: This is to test the dependency connection, the tests results are displayed afterward. You might get a API_AccessDenied error when test dependency result.

Go to admin - > configuration:
1. Make sure Enable Webservices  = Yes
2. Make sure Prevent Direct API Authentication = No

Note: Check this url for more settings information :


Secret Workflow Summary

Require Comment:

  • Justification that extends audit
  • Ticket Integration Optional

Request Access/Require Approval:

  • One-Step
  • Multi-Step (New IJI Only)
  • Enforces Tme and Approval
  • Ticket Integration Optional


  • Enforces Sole Access
  • Enforces Tme
  • Enforces Rotation (Optional)
  • Hooks (Optional) — SSH, SQL, or PowerShell scripts that perform actions at check-out and/or check-in


  • Additional Encryption
  • For your most sensitive Secrets
  • Cannot be exported or use RPC
  • Requires Doublelock Password

Event Pipelines

Overview of Event Pipelines:

  • Are created in Secret Server then assigned to
  • an Event Pipeline Policy
  • Can be in multiple EP Policies
  • Do nothing if not assigned to an EP Policy
  • Policies can target Folders or Secret Policies
  • Have no effect if it has no target (Folder or Policy)

Event Pipelines Filters:

  • Parameters that limit when an EP runs
  • Have settings and can be added to multiple times

Filter Examples:

  • Custom Variable
  • Group
  • Policy on a Secret
  • Role
  • Role Permission
  • Secret Access Role Permission
  • Secret Field
  • Secret has Field
  • Secret has RPC enabled
  • Secret Name
  • Secret Setting
  • Secret Template
  • Site

Event Pipelines Targets:

  • Folders — Secrets inside folders
    • Not recursive — only the secrets directly in the folder can trigger EP
  • Secret Policies (SP) — Secrets leveraging a specific SP

Event Pipelines Tasks:

  • Actions which are triggered in ap EP — over 30 built in
  • EP targets are NOT the receiveß of task actions — receivers are usually components of Secret Server
  • Event variable are used in EP tasks — Secret Field Tokens, Event Settings Tokens, Secret Setting Tokens, and some additional tokens
  • Example Tasks:
    • Change password remotely
    • Delete
    • Change Secret to require workflow
    • Etc.


Introduction — Data Retention Policies
  • Automatically delete older audit and audit-like information
  • Two-data retention policies:
    • Personally Identifiable Information (PII)
    • Database Size Management
  • All records in each table older than the set max record age will be deleted from the database

Alerting and SIEM Integration

Alerting and SIEM Integration
Per Secret Alertieg
  • Set on the Secret
  • Set for the Individual User
Per User Alerting
  • Set per User
  • Set for all Secrets they have Access to
Event Subscriptions
  • Customizable alerts throughout Secret Server
  • E-Mail Notifications
SIEM Integration
  • Correlation with events outside of Secret Server

Session Recording and Connector

Records Launched Sessions
Works with all Launchers Including
• Remote Desktop
• Putty SSH
• Microsoft SQL Management Studio
• Custom Launchers

Session Recording is Available
• From the Secret Audit
• Under Admin -> Session Monitoring

Can be Enabled
• Per Secret
• By Secret Policy

Secret Server Session Connector Introduction
• Clientless session recording
• Launchers session through Microsoft remote desktop services (RDS)
  • Requires setup and configuration of MS RDS server
  • Requires Thycotic components installed on MS RDS Server
  • Provides an additional launcher type " Session Connector Launcher"
• No need for Connection Manager or Protocol Handler on endpoint
• Target server credentials are never sent to user's endpoint

No comments