Comments

Latest Posts

Thycotic Secret Server Intermediate Knowledges

 This post summarizes some Thycotic SS knowledges which considered as intermediate level. 




    Launchers

    Launcher Setup:

    • Variety of options depending on needs

    • Chrome Extension
    • Web password filler
    • Protocol Handler

    • Protocol Handler

    • Pings Secret Server on interval to ensure sessions is valid
    • Kills Session if check fails or callback times out

    • Prompted at the first Launch


    Launchers Types:

    • Default Launchers

    • RDP
    • PUTTY
    • Web Password Filler/Launcher
    • Powershell
    • SQL Server
    • Sybase isql (SAP SQL Anywhere)
    • IBM z/os
    • IBM i-Series

    • Custom Launchers

    • Process
    • Proxied SSH
    • Batch File

    • Launchers can be configured with Secret Templates




    When creating a custom launcher, a batch file on the user's machine can be used to start multiple processes using information from Secret Server.
     
    Creating a custom batch launcher
     
    1.  From the ADMIN menu, select Secret Templates.
    2.  Click Configure Launchers, and then click +New.
    3.  Select Batch File for the Launcher Type, and then type a name for the launcher.
    4.  Select the batch file you would like to launch by clicking the Choose File to browse to the file location.
    5.  If the batch file requires extra arguments, type them in the Process Arguments option. To reference a Secret field, type $ followed by the name of the relevant Secret field. For example, $USERNAME where Username is the name of a Secret field on the Secret template that will be used with this launcher. A corresponding % and a number can be placed in the batch file to obtain value from the Secret field in that order. An example for a batch launcher and the batch file for mapped drive could be similar to below:




     
    6.  If you want the batch file to run as the credential that is on the Secret, select the Run Process As Secret Credentials check box.
    7.  If the batch file requires UAC confirmation, select the Use Operating System Shell check box.
    8.  Click Save.
     
    Adding a custom launcher to a Secret template
     
    1.  From the ADMIN menu, select Secret Templates.
    2.  Select the Secret template you want to add the launcher to, and then click Edit.
    3.  Click Configure Launcher (at the bottom of the page), and then click Add New Launcher.
    4.  Select the name of your custom launcher, and then map Secret fields to those that will be used by the launcher. If you only see Domain, Password, and Username, map these to those same fields on the template. These will be used if you have chosen to run the launcher as the Secret credentials.
    5.  Click Save.

    Proxy

    Proxy Benefits

    • Without a Proxy

    • Session is established from client to the target
    • Credentials sent from Secret Server to the client
    • Possible to dump memory and compromise the credentials

    • With a Proxy

    •  Session is established from Secret Server to the target
    • Credentials never transmitted to the client


    Proxy Type

    • SSH Proxy
    • RDP Proxy
    • SSH Proxy Tunnel local RDP Session to remote server (Note recommended way since credential will be sent to client machine)


    Troubleshooting Tips

    • Verify Remote Certificates are both Valid and Trusted
    • Check Firewall Ports - RDP Proxy default port is 3360, The Distributed Engine or Web Node default Port is 3389.
    • Credential on % Secret can be viewed by selecting More/Show Proxy Credentials and then choosing the Launcher
    • Verify the Latest Version of .NET framework is installed.




    Discovery

    Discovery finds Secrets in an IT environment and brings them into Secret Server
    • Secret Server is most effective when it covers all privileged accounts
    • Discovery helps to eliminate - Unknown Privileged Accounts, Backdoor Access and Gaps in Security
    • Auditors want automated processes to reduce human errors

    Secret Server Discovery Out-Of-Box vs Custom

    Out-of-Box

    • Active Directory
    • Unix/Linux local accounts
    • Hypervisor ESXi accounts
    • Amazon Web Services
    • Google Cloud Platform

    Custom (Extensible)

    • ANYTHING -Leverages PowerShell scripts
    • SQL Accounts & Database links
    • Networking equipment
    • Embedded passwords











    Extensible Discovery Overview

    •  Extends Secret Server's Discovery capabilities
    •  Built-in and/or Custom Scanners
    •  Discovery Process Scans:
      •  Host Range Discovery
      •  Machine Discovery
      •  Local Account Discovery
      •  Dependency Discovery
    • Not required to use Discovery in Secret Server but needed for most environments


    Why Use Extensible Discovery?

    • Discover configuration files containing passwords
    • Scan computers not joined to the domain
    • Dependencies that run a SQL, SSH, or PowerShell script
    • Bring information back to custom fields in a Secret Template
    • Discover SQL Server logins as "Local Accounts"




    Remote Password Changing


    Remote Password Changing Summary

    Enable Globally:

    • Remote Password Changing
    • Heartbeat

    Password Changers:

    • Review built-in Changers
    • Create Custom
    • Test Actions

    Secret Template:

    • Configure Expiration
    • Configure Template RPC and Heartbeat Settings

    Secret or Secret Policy:

    • On-Demand
    • Auto-Change
    • Auto-Change Schedule


    Dependency

    Creating Custom Dependencies

    If there are different dependency types that you want to manage that are not supported out of the box, new ones can be created based on a script. A custom dependency consists of two components:

    • Dependency Template: The dependency template defines how a dependency is matched to discovered accounts and how it updates the target after a password change occurs on the account. to create a new dependency template, go to Admin > Secret Templates and click the Dependency Templates button.
    • Dependency Changer: A dependency changer is a script and the associated parameters to be passed into the script. Dependency changers can be created and modified by going to Admin > Remote Password Changing > Configure Dependency Changers.

    PowerShell, SSH, and SQL dependencies can have script arguments that derive their values from values on the dependency, the secret it belongs to, or any other secrets associated for remote password changing. Starting with Secret Server 10.0, tokens can also be used in ODBC connection string arguments. Script arguments are defined on dependency changers in Secret Server 10.0 and above and on the dependency in earlier versions of Secret Server.



    Workflow


    Secret Workflow Summary

    Require Comment:

    • Justification that extends audit
    • Ticket Integration Optional

    Request Access/Require Approval:

    • One-Step
    • Multi-Step (New IJI Only)
    • Enforces Tme and Approval
    • Ticket Integration Optional

    Check-Out:

    • Enforces Sole Access
    • Enforces Tme
    • Enforces Rotation (Optional)
    • Hooks (Optional) — SSH, SQL, or PowerShell scripts that perform actions at check-out and/or check-in

    Doublelock:

    • Additional Encryption
    • For your most sensitive Secrets
    • Cannot be exported or use RPC
    • Requires Doublelock Password



    Event Pipelines

    Overview of Event Pipelines:

    • Are created in Secret Server then assigned to
    • an Event Pipeline Policy
    • Can be in multiple EP Policies
    • Do nothing if not assigned to an EP Policy
    • Policies can target Folders or Secret Policies
    • Have no effect if it has no target (Folder or Policy)

    Event Pipelines Filters:

    • Parameters that limit when an EP runs
    • Have settings and can be added to multiple times

    Filter Examples:

    • Custom Variable
    • Group
    • Policy on a Secret
    • Role
    • Role Permission
    • Secret Access Role Permission
    • Secret Field
    • Secret has Field
    • Secret has RPC enabled
    • Secret Name
    • Secret Setting
    • Secret Template
    • Site

    Event Pipelines Targets:

    • Folders — Secrets inside folders
      • Not recursive — only the secrets directly in the folder can trigger EP
    • Secret Policies (SP) — Secrets leveraging a specific SP

    Event Pipelines Tasks:

    • Actions which are triggered in ap EP — over 30 built in
    • EP targets are NOT the receiveß of task actions — receivers are usually components of Secret Server
    • Event variable are used in EP tasks — Secret Field Tokens, Event Settings Tokens, Secret Setting Tokens, and some additional tokens
    • Example Tasks:
      • Change password remotely
      • Delete
      • Change Secret to require workflow
      • Etc.




    Auditing



    Introduction — Data Retention Policies
    • Automatically delete older audit and audit-like information
    • Two-data retention policies:
      • Personally Identifiable Information (PII)
      • Database Size Management
    • All records in each table older than the set max record age will be deleted from the database


    Alerting and SIEM Integration

    Alerting and SIEM Integration
    Per Secret Alertieg
    • Set on the Secret
    • Set for the Individual User
    Per User Alerting
    • Set per User
    • Set for all Secrets they have Access to
    Event Subscriptions
    • Customizable alerts throughout Secret Server
    • E-Mail Notifications
    SIEM Integration
    • Correlation with events outside of Secret Server


    Session Recording and Connector

    Records Launched Sessions
    Works with all Launchers Including
    • Remote Desktop
    • Putty SSH
    • Microsoft SQL Management Studio
    • Custom Launchers

    Session Recording is Available
    • From the Secret Audit
    • Under Admin -> Session Monitoring

    Can be Enabled
    • Per Secret
    • By Secret Policy




    Secret Server Session Connector Introduction
    • Clientless session recording
    • Launchers session through Microsoft remote desktop services (RDS)
    • Requires setup and configuration of MS RDS server
    • Requires Thycotic components installed on MS RDS Server
    • Provides an additional launcher type " Session Connector Launcher"
    • No need for Connection Manager or Protocol Handler on endpoint
    • Target server credentials are never sent to user's endpoint







    No comments