Thycotic Secret Server is a full-featured PAM solution which gives security and IT ops teams the agility to secure and manage all types of privileges, protecting administrator, service, application, and root accounts from cyber attack. It also provides a free version for small business which allows 10 users and manages 250 privileged accounts, supports RDP and PuTTY, and can be integrated with AD.
This post collects some basic Thycotic SS operation tasks.
Local Secret Server Basic Architecture
1. Local Site Basic Secret Server Architecture
2. Thycotic Secret Server Components:
1. Install CA-Signed Web Application Certs
2. Licensing & Integrated AD - Directory Services
3. Create/Sync Secret Server Users
4. Enable/Configure Security Features
Install CA-Signed Web Application Certs
Licensing
Integrated AD - Directory Services
Create/Sync Secret Server Users
Enable Security Features
1. Session Recording
2. Remote Password Changing
3. Discovery
RDP Launch
Click RDP Launcher from your secret account page:
Enter the computer host name, FQDN, or IP address.
Some Warning Messages or Error Messages when using RDP Launcher:
1. Protocol Handler Failed to Launch
Usually this is caused by a missing Protocol Handler program. Click the link for your system to install it.
2. Did you mean to switch apps?
If you are using the Microsoft Edge browser, it might ask whether to switch to another app (MSTSC) to open "RDPWinBootstrapper". Click Yes to continue. The system might also ask whether to remember this selection; click Yes as well.
3. Secret Server Launcher Attempts
Secret Server Launcher is attempting to launch with the following Secret Server URL:
https://<fqdn name of your Secret Server>/secretserver
4. The publisher of this remote connection can't be identified.
Tick the "Don't ask me again for connections to this computer" check box and click the Connect button to continue.
5. Secret Server Error:
The Secret Server Launcher failed to load.
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
Usually this is caused by an untrusted RDP SSL certificate. Once the client machine is joined to the domain, this error message goes away.
Secret Policy
Any items selected as 'Default' will be applied on the creation of any Secret that has this Secret Policy applied to it.
Any items selected as 'Enforced' will be applied to all Secrets that have this Secret Policy applied to it.
'Enforced' settings cannot be changed on the Secret.
Certain settings will only be applied to a Secret if they are valid settings for the Secret.
Three settings:
1. <Not Set> will cause a setting to stay off.
2. <Default> will cause the setting to be on, but editable in the future by users with edit permissions on the secret.
3. <Enforced> will cause the setting to be on and uneditable; it will be locked onto any secret with this policy.
Secret Policy items in the Security Settings section (the Setting and Value columns are chosen per item when the policy is configured):

| Section           | Secret Policy Item Name                                                                                                                                                                                        | Setting | Value |
|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|-------|
| Security Settings | Require Check Out                                                                                                                                                                                              |         |       |
| Security Settings | Custom Check Out Interval (Minutes) (Dependent on: Require Check Out)                                                                                                                                          |         |       |
| Security Settings | Enable Requires Approval for Access                                                                                                                                                                            |         |       |
| Security Settings | Request Access Approvers (Dependent on: Enable Requires Approval for Access)                                                                                                                                    |         |       |
| Security Settings | Request Access Workflow (Dependent on: Enable Requires Approval for Access)                                                                                                                                     |         |       |
| Security Settings | Event Pipeline Policy                                                                                                                                                                                          |         |       |
| Security Settings | Editors also Require Approval (Dependent on: Enable Requires Approval for Access) (Overridden by General Configuration Permission Option "Force Require Approval for Editors on Approval Secrets")              |         |       |
| Security Settings | Owners and Approvers also Require Approval (Dependent on: Enable Requires Approval for Access) (Can be overridden by General Configuration Permission Option "Force Require Approval for Owners on Approval Secrets") |         |       |
| Security Settings | Require Comment                                                                                                                                                                                                |         |       |
| Security Settings | Enable Session Recording                                                                                                                                                                                       |         |       |
| Security Settings | Viewing Password Requires Edit                                                                                                                                                                                 |         |       |
| Security Settings | Run Launcher using SSH Key                                                                                                                                                                                     |         |       |
| Security Settings | Enable SSH Command Restrictions                                                                                                                                                                                |         |       |
| Security Settings | Allow Owners Unrestricted SSH Commands (Dependent on: Enable SSH Command Restrictions)                                                                                                                         |         |       |
| Security Settings | SSH Command Menu Groups (Dependent on: Enable SSH Command Restrictions)                                                                                                                                        |         |       |
<Not Set> - this is the default setting, which marks the item as disabled/not in effect.
Default - selecting this option will apply the Policy Item across all Secrets in the target folder, with the option of making manual changes to the Secret settings further down the line. Any items selected as 'Default' will be applied on the creation of any Secret that has this Secret Policy applied to it.
Enforced - selecting this option will apply the Policy Item across all Secrets in the target folder, without the option of changing these applied settings on the Secrets in that folder. Any items selected as 'Enforced' will be applied to all Secrets that have this Secret Policy applied to it.
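As an added example (not code from the post or from Thycotic), the following Python models the three policy states and the "Dependent on" rule from the table above: Default items are applied but stay editable, Enforced items are applied and locked, Not Set items stay off, and a dependent item is applied only when its parent item is on. The item names are taken from the post; the dependency map, the Secret object and the policy values are constructed assumptions.

```python
"""Constructed model of Secret Server's three-state Secret Policy items."""
from dataclasses import dataclass, field
from typing import Any, Dict, Optional, Set, Tuple

NOT_SET, DEFAULT, ENFORCED = "Not Set", "Default", "Enforced"

# Item names from the post's Security Settings table; each maps to the item it
# depends on (None when standalone). Assumed structure, not product data.
DEPENDS_ON: Dict[str, Optional[str]] = {
    "Require Check Out": None,
    "Custom Check Out Interval (Minutes)": "Require Check Out",
    "Enable Requires Approval for Access": None,
    "Request Access Approvers": "Enable Requires Approval for Access",
    "Require Comment": None,
    "Enable Session Recording": None,
    "Enable SSH Command Restrictions": None,
    "Allow Owners Unrestricted SSH Commands": "Enable SSH Command Restrictions",
}

@dataclass
class Secret:
    name: str
    settings: Dict[str, Any] = field(default_factory=dict)  # applied item values
    locked: Set[str] = field(default_factory=set)            # Enforced items

def apply_policy(secret: Secret, policy: Dict[str, Tuple[str, Any]]) -> Secret:
    """policy maps item -> (state, value); parents are applied before dependents."""
    ordered = sorted(policy, key=lambda item: DEPENDS_ON.get(item) is not None)
    for item in ordered:
        state, value = policy[item]
        if state == NOT_SET:
            continue                          # stays off on the secret
        parent = DEPENDS_ON.get(item)
        if parent is not None and not secret.settings.get(parent):
            continue                          # not a valid setting: parent is off
        secret.settings[item] = value         # Default and Enforced both apply
        if state == ENFORCED:
            secret.locked.add(item)           # uneditable on the secret
    return secret

def edit_setting(secret: Secret, item: str, value: Any) -> bool:
    """A user with edit rights changes a setting; refused when it is Enforced."""
    if item in secret.locked:
        return False
    secret.settings[item] = value
    return True
```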
Update
Backup
Both the Backup File Path and the Backup DB File Path must be accessible from the current Secret Server. Permissions on both folders need to be Full Control for Everyone; otherwise the backup will fail.
For a network share folder, check the KB article: https://docs.thycotic.com/ss/10.8.0/backup-and-disaster-recovery/backing-up-to-network-share/index.md