Thycotic Secret Server Discovery

What is discovery in Thycotic Secret Server:

  • Discovery finds privileged accounts across an IT environment and imports them into Secret Server as secrets.
  • Secret Server is most effective when it covers all privileged accounts.
  • Discovery helps to eliminate:
    • Unknown privileged accounts
    • Backdoor access
    • Gaps in security
  • Auditors want automated processes to reduce human mistakes.


Discovery types

Out-of-box:

  • Active Directory (LDAP/LDAPS to query the domain, WMI to scan each computer)
    • Local accounts on domain computers
    • Domain accounts
    • Domain accounts running:
      • Windows Services
      • Scheduled Tasks
      • IIS Application Pools
      • IIS Application Pool Recycles
  • Unix/Linux local accounts
    • Machines - discovery first identifies the operating system, then enumerates the local accounts
    • Non-daemon users - most ordinary user accounts
    • All users - including the built-in/system accounts
    • Scanning account:
      • must be able to connect over SSH
      • must be able to read /etc/passwd
      • taking over an account during import needs more: at minimum, sudoer permissions on /etc/passwd
    • Define the host range by:
      • IP address
      • Host name
      • IP address range
  • Hypervisor (ESXi) accounts
    • vSphere PowerCLI 5.5 Release 2 (the API) installed on the Secret Server machine
    • PowerShell 3 or later on the Secret Server machine
    • Scanning account needs:
      • Shell access
      • The "Query VRM policy" permission
    • Define the host range by:
      • IP address
      • Host name
      • IP address range
  • Amazon Web Services
    • AWS accounts discovered:
      • AWS access keys
      • AWS console accounts
    • Requires one secret created from the Amazon IAM secret template (the credential used for scanning)
    • The IAM access key used for scanning needs these permissions:
      • iam:ListUsers
      • iam:GetLoginProfile
      • iam:ListAccessKeys
  • Google Cloud Platform
    • Discovery and password changing of IAM service account users
    • Discovery of the instances associated with the projects
    • Heartbeat and password changing for GCP service accounts
    • Token rotation for GCP service accounts
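
The Unix/Linux source above boils down to two jobs: turn the host-range entries into individual targets, and turn the /etc/passwd the scanning account reads over SSH into the two result sets (all users, non-daemon users). The following is an added example written for this page, not Thycotic's code. It assumes a daemon heuristic (UID below 1000 or a non-login shell) that is this example's choice rather than Secret Server's rule, and the /etc/passwd content is constructed sample data.

```python
"""Added example (not Thycotic's code): what a Unix/Linux discovery scan does once
the scanning account can reach a host over SSH and read /etc/passwd. Host targets
are expanded from the three forms the page lists (single IP, host name, IP range),
and parsed accounts are split into the page's two result sets, "all users" and
"non-daemon users". The daemon heuristic (UID below 1000 or a non-login shell) is
this example's assumption, not Thycotic's rule; the /etc/passwd text is constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}
FIRST_USER_UID = 1000      # assumption: common distro default for the first regular user
MAX_RANGE_SIZE = 65536     # assumption: refuse to expand a range larger than a /16


@dataclass(frozen=True)
class LocalAccount:
    host: str
    name: str
    uid: int
    shell: str

    @property
    def is_daemon(self) -> bool:
        # Assumed heuristic: system/service accounts have a low UID or no login shell.
        return self.uid < FIRST_USER_UID or self.shell in NOLOGIN_SHELLS


def _ip_or_none(text: str):
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def expand_host_range(spec: str) -> list[str]:
    """Expand one host-range entry into individual scan targets.

    "10.0.0.5" -> one target; "db-01.example.com" -> one target;
    "10.0.0.5-10.0.0.9" -> five targets. A host name containing '-' is left
    alone because its halves do not parse as IP addresses."""
    spec = spec.strip()
    if "-" in spec:
        start, end = (_ip_or_none(p) for p in spec.split("-", 1))
        if start is not None and end is not None and start.version == end.version:
            if end < start:
                raise ValueError(f"range end precedes start: {spec}")
            if int(end) - int(start) + 1 > MAX_RANGE_SIZE:
                raise ValueError(f"range too large to scan safely: {spec}")
            # summarize_address_range yields the minimal set of networks covering
            # exactly start..end; iterating each network yields every address in it.
            return [str(ip)
                    for net in ipaddress.summarize_address_range(start, end)
                    for ip in net]
    return [spec]   # single IP or host name: scan it as given


def parse_passwd(host: str, passwd_text: str) -> list[LocalAccount]:
    """Parse /etc/passwd content as the scanning account read it over SSH."""
    accounts: list[LocalAccount] = []
    for lineno, raw in enumerate(passwd_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or line[0] in "+-":
            continue                      # blanks, comments, NIS compat entries
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"{host}: /etc/passwd line {lineno} has {len(fields)} fields, expected 7")
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        accounts.append(LocalAccount(host, name, int(uid), shell))
    return accounts


def discover(host: str, passwd_text: str) -> tuple[list[LocalAccount], list[LocalAccount]]:
    """Return (all_users, non_daemon_users), the page's two Unix result sets."""
    all_users = parse_passwd(host, passwd_text)
    return all_users, [a for a in all_users if not a.is_daemon]


# Constructed sample. Note postgres: a low-UID account with a real login shell.
# The non-daemon heuristic drops it, which is why the full "all users" scan is
# worth running against hosts that carry privileged service accounts.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:108:65534::/run/sshd:/usr/sbin/nologin
postgres:x:117:124:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc_backup:x:1001:1001:Backup service:/home/svc_backup:/bin/bash
deploy:x:1002:1002::/home/deploy:/usr/sbin/nologin
"""

if __name__ == "__main__":
    for host in expand_host_range("10.0.0.5-10.0.0.7"):
        everyone, people = discover(host, SAMPLE_PASSWD)
        print(host, "all:", [a.name for a in everyone], "non-daemon:", [a.name for a in people])
```

The range guard matters in practice: a typo such as 10.0.0.1-10.255.255.254 would otherwise queue sixteen million SSH attempts from the engine with the scanning credential.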




Custom (extensible)

  • Anything - leverages PowerShell scripts
  • SQL accounts and DB links
  • Networking equipment
  • Embedded passwords
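
The AWS source listed under Out-of-box names exactly three IAM actions for the scanning access key. Because that key is stored in Secret Server and used on a schedule, its policy should grant those three and nothing more. The following added example (written for this page, not Thycotic's code) checks a policy document against that list and flags anything broader; the policy documents are constructed samples, the matching follows IAM's Action semantics (case-insensitive, `*` and `?` wildcards, explicit Deny wins), and Resource and Condition elements are ignored as a simplification of this example.

```python
"""Added example (not Thycotic's code): check the IAM policy behind the Secret Server
scanning access key (the secret made from the Amazon IAM template) against the three
actions the AWS discovery source needs, and flag anything broader. The policy
documents are constructed samples. Matching follows IAM's Action semantics
(case-insensitive, '*' and '?' wildcards, explicit Deny wins); Resource and Condition
elements are ignored, a simplification of this example."""
from __future__ import annotations

import fnmatch
import json

# The three permissions the page lists for the scanning access key.
REQUIRED_ACTIONS = ("iam:ListUsers", "iam:GetLoginProfile", "iam:ListAccessKeys")


def _as_list(value) -> list:
    # Action, NotAction and Statement may each be a single item or a list.
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _matches(pattern: str, action: str) -> bool:
    # IAM compares action names case-insensitively; * and ? are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate_policy(policy: dict, required=REQUIRED_ACTIONS) -> dict:
    """Report which required actions the policy grants, which are missing,
    and which Allow patterns reach beyond the required set."""
    allowed, denied, excess = set(), set(), []
    for st in _as_list(policy.get("Statement")):
        effect = st.get("Effect")
        if effect == "Allow" and "NotAction" in st:
            # Allow + NotAction grants every action except those listed: never least privilege.
            excess.append("NotAction=" + ",".join(_as_list(st["NotAction"])))
        for pattern in _as_list(st.get("Action")):
            hits = {a for a in required if _matches(pattern, a)}
            if effect == "Allow":
                allowed |= hits
                # A wildcard pattern, or an exact action outside the required set, is over-grant.
                if any(c in pattern for c in "*?") or not hits:
                    excess.append(pattern)
            elif effect == "Deny":
                denied |= hits
    granted = allowed - denied            # explicit Deny overrides Allow
    missing = sorted(set(required) - granted)
    return {
        "granted": sorted(granted),
        "missing": missing,
        "excess": excess,
        "least_privilege": not missing and not excess,
    }


# Constructed sample policies.
MINIMAL_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["iam:ListUsers", "iam:GetLoginProfile", "iam:ListAccessKeys"],
    "Resource": "*"
  }]
}""")

OVERBROAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}
}""")

DENIED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iam:ListUsers", "iam:GetLoginProfile",
                                   "iam:ListAccessKeys", "iam:CreateAccessKey"], "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:listaccesskeys", "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    for name, pol in [("minimal", MINIMAL_POLICY), ("overbroad", OVERBROAD_POLICY), ("denied", DENIED_POLICY)]:
        print(name, evaluate_policy(pol))
```

The third sample shows the failure mode that produces a discovery source that runs but silently finds no access keys: a Deny elsewhere in the account (here in the same document, but in practice often a service control policy or permissions boundary) removes one of the three actions even though the Allow looks complete.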



Accounts Discovery Flow Charts

AD accounts discovery flow chart:

Unix/Linux accounts discovery flow chart:

VMware ESX/ESXi accounts discovery flow chart:

AWS accounts discovery flow chart:

GCP accounts discovery flow chart:


Steps to Use Discovery


  1. Enable Globally
  2. Configure Settings
  3. Add Discovery Sources and Rules
  4. Run Discovery
  5. Import Accounts




Set up a scheduled task to test service account








Troubleshooting - Discovery


Identify the issue(s):

  • Discovery logs: Admin -> Discovery -> Discovery Logs and Computer Scan Logs
  • System logs: Admin -> System Logs
  • Distributed Engine logs: C:\Program Files\Thycotic Software Ltd\Distributed Engine\Log, the SSDE log file; the newest entries are at the bottom of the file

Find the solution(s):

  • Review the account that runs the Distributed Engine service
  • Confirm that account has the appropriate permissions
  • Compare that account with the account being used for discovery

Note:

Scanning account permissions:

  1. Grant the account the "Log on as a service" right
  2. Grant the account read, write and execute permissions on the entire Distributed Engine install directory and its sub-folders
  3. Add the account to the local Administrators group on each computer that will be scanned
  4. Use the same account that runs the Distributed Engine service

Example error:

Exception: Retrieving the COM class factory for remote component with CLSID from <machine> failed due to error: 80070005

HRESULT 80070005 is E_ACCESSDENIED (Win32 error 5, "Access is denied"): the target refused the remote DCOM/WMI connection, so the account the engine used to scan <machine> is not a local administrator there or lacks DCOM/WMI rights. Apply the scanning account permissions above before looking anywhere else.
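
When the engine log is long, the useful part of a line like the one above is the host name and the eight hex digits at the end. The following added example (written for this page, not Thycotic's code) pulls both out of log lines and decodes the HRESULT into its severity bit, facility and Win32 code so that 80070005 reads as ERROR_ACCESS_DENIED rather than a magic number. The log lines are constructed and the real SSDE log layout may differ; the HRESULT field layout and the Win32 error names are standard Windows definitions, and the hint text is this example's own mapping onto the troubleshooting steps above.

```python
"""Added example (not Thycotic's code): extract and decode the HRESULT from COM/WMI
failure lines like the one quoted above, so the Distributed Engine log points at the
right fix. The log lines are constructed (the real SSDE log layout may differ); the
HRESULT field layout and the Win32 error names are standard Windows definitions, and the
hint text is this example's mapping onto the page's troubleshooting steps."""
from __future__ import annotations

import re

FACILITY_WIN32 = 7          # HRESULTs that wrap a Win32 error code
WIN32_NAMES = {
    5: "ERROR_ACCESS_DENIED",
    53: "ERROR_BAD_NETPATH",
    1326: "ERROR_LOGON_FAILURE",
    1722: "RPC_S_SERVER_UNAVAILABLE",
}
HINTS = {
    "ERROR_ACCESS_DENIED": "engine/scanning account lacks rights on the target: "
                           "add it to the local Administrators group and confirm DCOM/WMI permissions",
    "ERROR_LOGON_FAILURE": "credentials rejected: compare the engine service account with the discovery account",
    "RPC_S_SERVER_UNAVAILABLE": "RPC/WMI not reachable: check firewall rules and that the WMI service is running",
    "ERROR_BAD_NETPATH": "target name did not resolve or is unreachable from the engine",
}

_HRESULT_RE = re.compile(r"error:\s*(?:0x)?([0-9A-Fa-f]{8})")
_HOST_RE = re.compile(r"\bfrom (?:machine )?(\S+) failed")


def decode_hresult(value: int) -> dict:
    """Split an HRESULT into severity, facility and code (bits 31, 16-26 and 0-15)."""
    failed = bool(value & 0x80000000)
    facility = (value >> 16) & 0x7FF
    code = value & 0xFFFF
    name = WIN32_NAMES.get(code) if facility == FACILITY_WIN32 else None
    return {"failed": failed, "facility": facility, "code": code, "name": name}


def parse_engine_log(text: str) -> list[dict]:
    """Return one record per line that carries a remote-COM failure with an HRESULT."""
    records = []
    for line in text.splitlines():
        m = _HRESULT_RE.search(line)
        if not m:
            continue
        value = int(m.group(1), 16)
        host_match = _HOST_RE.search(line)
        rec = {"host": host_match.group(1) if host_match else None, "hresult": value}
        rec.update(decode_hresult(value))
        rec["hint"] = HINTS.get(rec["name"], "look the code up in the Windows error reference")
        records.append(rec)
    return records


# Constructed sample log: two COM failures and one unrelated line.
SAMPLE_LOG = """\
2024-05-01 10:15:02 INFO  Computer scan started for domain CORP
2024-05-01 10:15:04 ERROR Exception: Retrieving the COM class factory for remote component with CLSID from SRV01 failed due to error: 80070005.
2024-05-01 10:15:09 ERROR Exception: Retrieving the COM class factory for remote component with CLSID from machine SRV02.corp.example failed due to the following error: 800706BA.
"""

if __name__ == "__main__":
    for rec in parse_engine_log(SAMPLE_LOG):
        print(f"{rec['host']}: 0x{rec['hresult']:08X} {rec['name']} -> {rec['hint']}")
```

Running it against a real engine log (read the SSDE file from the bottom, as the page says) groups failures by host and by error, which separates a permissions problem on one server from a firewall problem across a whole subnet.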