Info Security Memo
Thycotic Secret Server Intermediate Knowledges

6/26/2021

    This post summarizes some Thycotic Secret Server (SS) knowledge that is considered intermediate level.




    Launchers

    Launcher Setup:

    • Variety of options depending on needs:
      • Chrome Extension
      • Web Password Filler
      • Protocol Handler
    • Protocol Handler:
      • Pings Secret Server on an interval to ensure the session is still valid
      • Kills the session if the check fails or the callback times out
    • Prompted at the first launch


    Launcher Types:

    • Default Launchers:
      • RDP
      • PuTTY
      • Web Password Filler/Launcher
      • PowerShell
      • SQL Server
      • Sybase isql (SAP SQL Anywhere)
      • IBM z/OS
      • IBM iSeries
    • Custom Launchers:
      • Process
      • Proxied SSH
      • Batch File
    • Launchers can be configured with Secret Templates


    Proxy

    Proxy Benefits

    • Without a Proxy:
      • Session is established from the client to the target
      • Credentials are sent from Secret Server to the client
      • Possible to dump client memory and compromise the credentials
    • With a Proxy:
      • Session is established from Secret Server to the target
      • Credentials are never transmitted to the client

    Proxy Types

    • SSH Proxy
    • RDP Proxy
    • SSH Proxy tunnelling a local RDP session to the remote server (not a recommended approach, since the credential is still sent to the client machine)

    Troubleshooting Tips

    • Verify remote certificates are both valid and trusted
    • Check firewall ports: the RDP Proxy default port is 3360, and the Distributed Engine or Web Node default port is 3389
    • The credential on a Secret can be viewed by selecting More > Show Proxy Credentials and then choosing the Launcher
    • Verify the latest version of the .NET Framework is installed
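    The three checks above can be scripted on the client or engine host. The following is an added example, not code from the post or from Thycotic; the host names are assumptions, the ports are the defaults quoted above, and the .NET release number 528040 is Microsoft's documented value for 4.8.

```powershell
# Pre-flight check for the proxy/launcher troubleshooting tips (added example).
param(
    [string]$SecretServerHost = 'secretserver.example.local',  # assumed name
    [string]$EngineHost       = 'engine01.example.local',       # Distributed Engine or Web Node, assumed
    [int]$RdpProxyPort        = 3360,                           # default quoted in the post
    [int]$EnginePort          = 3389                            # default quoted in the post
)

function Test-ProxyPort {
    # Firewall check: can this host reach the proxy/engine port over TCP?
    param([string]$Target, [int]$Port)
    $r = Test-NetConnection -ComputerName $Target -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Check = "TCP ${Target}:$Port"; Pass = $r.TcpTestSucceeded }
}

function Test-RemoteCertificate {
    # Pulls the TLS certificate presented on 443 and checks both the validity window
    # (valid) and that the local machine can build a chain to a trusted root (trusted).
    param([string]$Target)
    $client = [System.Net.Sockets.TcpClient]::new($Target, 443)
    try {
        # Accept any certificate for the handshake; trust is evaluated explicitly below
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($Target)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $now = Get-Date
        $validNow = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $trusted = $chain.Build($cert)
        [pscustomobject]@{ Check = "TLS cert $Target"; Pass = ($validNow -and $trusted)
                           Subject = $cert.Subject; Expires = $cert.NotAfter }
    } finally { $client.Dispose() }
}

function Test-DotNetRelease {
    # .NET Framework 4.8 registers Release 528040 or higher under this key
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty $key -ErrorAction SilentlyContinue).Release
    [pscustomobject]@{ Check = '.NET Framework >= 4.8'; Pass = ($release -ge 528040); Release = $release }
}

@(
    Test-RemoteCertificate -Target $SecretServerHost
    Test-ProxyPort -Target $SecretServerHost -Port $RdpProxyPort
    Test-ProxyPort -Target $EngineHost -Port $EnginePort
    Test-DotNetRelease
) | Format-Table -AutoSize
```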




    Discovery

    Discovery finds Secrets in an IT environment and brings them into Secret Server.

    • Secret Server is most effective when it covers all privileged accounts
    • Discovery helps to eliminate unknown privileged accounts, backdoor access and gaps in security
    • Auditors want automated processes to reduce human error

    Secret Server Discovery Out-Of-Box vs Custom

    Out-of-Box

    • Active Directory
    • Unix/Linux local accounts
    • Hypervisor ESXi accounts
    • Amazon Web Services
    • Google Cloud Platform

    Custom (Extensible)

    • Anything: leverages PowerShell scripts
    • SQL Accounts & Database links
    • Networking equipment
    • Embedded passwords



    Extensible Discovery Overview

    • Extends Secret Server's Discovery capabilities
    • Built-in and/or custom scanners
    • Discovery process scans:
      • Host Range Discovery
      • Machine Discovery
      • Local Account Discovery
      • Dependency Discovery
    • Not required to use Discovery in Secret Server, but needed for most environments


    Why Use Extensible Discovery?

    • Discover configuration files containing passwords
    • Scan computers not joined to the domain
    • Dependencies that run a SQL, SSH, or PowerShell script
    • Bring information back to custom fields in a Secret Template
    • Discover SQL Server logins as "Local Accounts"




    Remote Password Changing


    Remote Password Changing Summary

    Enable Globally:

    • Remote Password Changing
    • Heartbeat

    Password Changers:

    • Review built-in Changers
    • Create Custom
    • Test Actions

    Secret Template:

    • Configure Expiration
    • Configure Template RPC and Heartbeat Settings

    Secret or Secret Policy:

    • On-Demand
    • Auto-Change
    • Auto-Change Schedule


    Dependency

    Creating Custom Dependencies

    If there are dependency types that you want to manage that are not supported out of the box, new ones can be created based on a script. A custom dependency consists of two components:

    • Dependency Template: The dependency template defines how a dependency is matched to discovered accounts and how it updates the target after a password change occurs on the account. To create a new dependency template, go to Admin > Secret Templates and click the Dependency Templates button.
    • Dependency Changer: A dependency changer is a script and the associated parameters to be passed into the script. Dependency changers can be created and modified by going to Admin > Remote Password Changing > Configure Dependency Changers.

    PowerShell, SSH, and SQL dependencies can have script arguments that derive their values from values on the dependency, the secret it belongs to, or any other secrets associated for remote password changing. Starting with Secret Server 10.0, tokens can also be used in ODBC connection string arguments. Script arguments are defined on dependency changers in Secret Server 10.0 and above and on the dependency in earlier versions of Secret Server.
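    As an added example (not the post's or Thycotic's own code), a PowerShell dependency changer that rewrites an embedded password in a configuration file on the target after RPC rotates the account, then restarts the service that reads it. The argument order, the `$MACHINE $USERNAME $PASSWORD` token names and the XML layout are assumptions.

```powershell
# Custom PowerShell dependency changer (added example).
# Assumed argument list configured on the Dependency Changer:
#   $MACHINE $USERNAME $PASSWORD <config file path> <service name>
if ($args.Count -lt 5) { throw "Expected 5 arguments, got $($args.Count)" }
$Machine, $Username, $NewPassword, $ConfigPath, $ServiceName = $args

$result = Invoke-Command -ComputerName $Machine `
    -ArgumentList $Username, $NewPassword, $ConfigPath, $ServiceName -ScriptBlock {
    param($User, $Pwd, $Path, $Svc)

    if (-not (Test-Path $Path)) { throw "Config file not found: $Path" }
    $full = (Resolve-Path $Path).Path

    # Assumed file layout:
    # <configuration><connection user="svc_app" password="..."/></configuration>
    [xml]$cfg = Get-Content -Path $full -Raw
    $node = $cfg.SelectSingleNode("//connection[@user='$User']")
    if ($null -eq $node) { throw "No connection entry for user '$User' in $full" }

    # Keep a timestamped backup before touching a file a running service depends on
    Copy-Item -Path $full -Destination ("{0}.{1:yyyyMMddHHmmss}.bak" -f $full, (Get-Date))

    $node.SetAttribute('password', $Pwd)
    $cfg.Save($full)

    if ($Svc) {
        # A failed restart throws, so Secret Server records the dependency as failed
        Restart-Service -Name $Svc -ErrorAction Stop
        $state = (Get-Service -Name $Svc).Status
        if ($state -ne 'Running') { throw "Service $Svc is $state after restart" }
    }
    "Updated $full for $User on $env:COMPUTERNAME"
}

# Anything written to output ends up in the dependency log (assumed behaviour)
Write-Output $result
```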



    Workflow


    Secret Workflow Summary

    Require Comment:

    • Justification that extends audit
    • Ticket Integration Optional

    Request Access/Require Approval:

    • One-Step
    • Multi-Step (New UI Only)
    • Enforces Time and Approval
    • Ticket Integration Optional

    Check-Out:

    • Enforces Sole Access
    • Enforces Time
    • Enforces Rotation (Optional)
    • Hooks (Optional) — SSH, SQL, or PowerShell scripts that perform actions at check-out and/or check-in

    Doublelock:

    • Additional Encryption
    • For your most sensitive Secrets
    • Cannot be exported or use RPC
    • Requires Doublelock Password


    Event Pipelines

    Overview of Event Pipelines:

    • Are created in Secret Server, then assigned to an Event Pipeline Policy
    • Can be in multiple EP Policies
    • Do nothing if not assigned to an EP Policy
    • Policies can target Folders or Secret Policies
    • Have no effect if the policy has no target (Folder or Secret Policy)

    Event Pipelines Filters:

    • Parameters that limit when an EP runs
    • Have settings and can be added to multiple times

    Filter Examples:

    • Custom Variable
    • Group
    • Policy on a Secret
    • Role
    • Role Permission
    • Secret Access Role Permission
    • Secret Field
    • Secret has Field
    • Secret has RPC enabled
    • Secret Name
    • Secret Setting
    • Secret Template
    • Site

    Event Pipelines Targets:

    • Folders — Secrets inside folders
      • Not recursive — only the secrets directly in the folder can trigger EP
    • Secret Policies (SP) — Secrets leveraging a specific SP

    Event Pipelines Tasks:

    • Actions which are triggered in an EP — over 30 built in
    • EP targets are NOT the receivers of task actions — receivers are usually components of Secret Server
    • Event variables are used in EP tasks — Secret Field Tokens, Event Settings Tokens, Secret Setting Tokens, and some additional tokens
    • Example Tasks:
      • Change password remotely
      • Delete
      • Change Secret to require workflow
      • Etc.




    Auditing



    Introduction — Data Retention Policies

    • Automatically delete older audit and audit-like information
    • Two data retention policies:
      • Personally Identifiable Information (PII)
      • Database Size Management
    • All records in each table older than the set maximum record age are deleted from the database


    Alerting and SIEM Integration

    Per Secret Alerting:

    • Set on the Secret
    • Set for the individual User

    Per User Alerting:

    • Set per User
    • Set for all Secrets they have access to

    Event Subscriptions:

    • Customizable alerts throughout Secret Server
    • E-mail notifications

    SIEM Integration:

    • Correlation with events outside of Secret Server


    Session Recording and Connector

    Records launched sessions. Works with all Launchers, including:

    • Remote Desktop
    • PuTTY SSH
    • Microsoft SQL Management Studio
    • Custom Launchers

    Session recordings are available:

    • From the Secret audit
    • Under Admin -> Session Monitoring

    Can be enabled:

    • Per Secret
    • By Secret Policy




    Secret Server Session Connector Introduction

    • Clientless session recording
    • Launches sessions through Microsoft Remote Desktop Services (RDS)
    • Requires setup and configuration of an MS RDS server
    • Requires Thycotic components installed on the MS RDS server
    • Provides an additional launcher type, "Session Connector Launcher"
    • No need for Connection Manager or Protocol Handler on the endpoint
    • Target server credentials are never sent to the user's endpoint

    via Blogger https://ift.tt/3vYrol1
    June 26, 2021 at 06:04PM Thycotic