Storing Physical Secrets in Secret Server: The Cipher Lock

8 07 2014

Cipher Lock

Cipher locks are still widely used today, but a major concern still exists and that’s how to manage and secure them. A cipher lock is a lock that is opened with a programmable keypad that is used to limit and control access to a highly sensitive area. Many organizations use cipher locks to control access to their server rooms, development laboratories or storage rooms. Cipher locks are easy to maintain and allow for quick combination changes when necessary, but the problem arises when the combination is changed. How do you store the code and manage access?

Cipher Lock Template

Secret Server ships with about 20 customizable templates, including a Cipher Lock template. From the ‘Create Secret’ tab select the ‘Cipher Lock’ template.

Secret Server Cipher Template

Many offices have multiple cipher locks used to restrict access to different rooms so be sure to specify which room in the Secret Name field (See above) so that when you need to search for the Secret in Secret Server it is easy to find. Insert the other relevant information in the fields. Next, determine who needs access to the Cipher Lock Combination and share the credentials by clicking the ‘Save and Share’ button.

Sharing the Cipher Lock Combination

Now that you have the Cipher Lock combination securely stored in Secret Server you have the ability to change the combination when needed (After an employee leaves or someone changes departments) and share the new combination securely.

TIP: Need to change the combination quickly? Make your life easier by storing the reset instructions as a file attachment on the secret.

Cipher Locks aren’t going away any time soon. As an affordable way to restrict access to different rooms, organizations will continue to use them, so it is critical to keep them secure. Combinations must be locked down and controlled. What other information have you stored in Secret Server other than passwords that has helped your team manage access?

It’s almost time for VMworld 2014 in San Francisco! Is your team attending? If so, don’t forget to register for our party on Monday, August 25th at San Francisco’s popular organic brewery and tapas bar, ThirstyBear. Register for the party here. See you there!

Don’t let your company’s social media get hacked: Deploy Secret Server to end-users

1 07 2014

An innocent action performed by an Austrian teen recently affected the Twitter handles of BBC News and CNN accounts. He was experimenting with HTML when he exploited an open vulnerability in TweetDeck, Twitter’s social media management platform. Over 10.1 million of BBC News’s followers received a self-retweeting hack, in just seconds damaging the reputation of London’s most popular news source. BBC News and other large organizations weren’t the only ones affected: nearly one thousand Twitter accounts were hijacked. Users were prompted to immediately stop using TweetDeck and to reset their passwords, but unfortunately for many the damage was already done.

Social media compromises are becoming more prevalent, shedding light on concerns about organizations’ password practices, and not just at the IT level. It isn’t just social media accounts that can cause damage to a company: human resources, accounting and even sales have accounts that, if compromised, could cause big problems. There is no better time to get password management under control than today. Here’s how to get started.

Setting Controls

Social media, payroll and accounting systems are often shared accounts with a lot of power and should be treated with the same level of security as privileged IT account passwords. For full accountability and security, these shared accounts need to be locked down and audited. To begin, it is important to understand everyone’s responsibility and what accounts they should have access to. We recommend scheduling time with your organization’s department managers in order to create the proper role-based access controls and to get a better understanding of how they are managing their team’s shared passwords today.

Important Questions to Ask:

1. What account passwords do your teams share?

2. Who should have access to the accounts?

3. Do any of these accounts need added security, like Require Approval for Access or Require Comment? If so, who is allowed to approve access?

4. Do different groups use different accounts? For example, do you have a payroll team that only handles payroll, while an accounts receivable team uses a different set of accounts? (See the Folders section below for more ideas on account categories.)

5. How are you currently storing and sharing these passwords? (You will need this information later when you think about importing the passwords.)

6. How many employees are in the department? Will they all need access to these passwords within Secret Server?

Creating the Basic User Role

Secret Server already has a Basic User Role configured with selected permissions. If there are changes you would like to make regarding the Basic User Role, like any Role in Secret Server, you can customize the permissions and make changes per individual.

Secret Server Basic User Role

Once you’ve configured the Basic User role to meet the department’s needs, import your new end-users into Secret Server and assign them the Basic User role. Now when they log in, they have access strictly to the Secret Server Basic user interface.


Although the Basic View does not show a folder structure, as an admin you can give each department a set of folders to use. This can help you assign Secret Policies at the folder level. Make folders for each department, based on the discussion you had with the department head earlier. Some departments may also want each employee to have a personal folder, which is possible if you allow personal folders within your main Secret Server account. Depending on the size and activities of each department, here are some sample folder categories that your business departments may want:

Marketing: Trade shows, social media, digital advertising, website, video production, public relations, traditional advertising.

Accounting: Bookkeeping, payroll, finance, tax.

Human Resources: Payroll history, benefits, job postings, compliance.

Basic User Dashboard View

Adding Secrets

Now it’s time to get started and populate Secret Server with your accounts. Users can easily add accounts, or Secrets, by clicking the ‘Create New’ button and then selecting the appropriate template.

This is also an important time to begin changing the passwords by having Secret Server generate a strong, unique password that no one will want to memorize, write down, or type out. Soon your end users will see just how handy the launchers really are.

Set length and complexity rules for all Secrets to enforce strong passwords. Enable the Launcher for all web Secrets and consider masking the passwords to make using Secret Server a necessary part of your users’ workflow.

Set expiration limits for each Secret. Because there are so many types of accounts used by these departments, they will likely have to manually change their passwords. To ensure they do so on a schedule, which can be especially important if your company has to meet compliance mandates, you can enforce expiration to indicate when it’s time to change a password.

Secret Server Web Password Template


Don’t forget to schedule some time to train each department. It won’t take long! Many of our customers say they can provide basic training within a half hour. During training, make sure that you:

  1. Explain why complex passwords, regular password changes, and auditing of account usage are so important, even to non-IT departments. Use our story above to spark the conversation and don’t be surprised if they can share even more examples.
  2. Show employees how to view, create, edit and share Secrets. Remember, they won’t have complex permissions, so they can’t make custom Secret Templates.
  3. Explain how the Launchers work and show how to map fields if the web launcher doesn’t automatically find the username and password fields on a site.
  4. Show how to copy to clipboard.
  5. Give them a list of their folder structure and ask the department manager to explain what kinds of credentials belong in each folder.
  6. Tell them about the mobile apps, if allowed by your company.

Once your different departments begin to use Secret Server for their password management, they’ll realize the time saved having one centralized vault for all of their passwords. Another major advantage is the ability to access passwords on the run. Learn more about our adaptive view for mobile devices in our previous blog post. From a security perspective, being able to lock down access, have full accountability, and enforce strong passwords is critical in today’s threat landscape.

Give us your feedback

We would love to hear your story. How are your non-IT departments using Secret Server for increased security and what do they think? Leave your story in the comment box below.

Define, Apply & Standardize Security Policies across Secret Server

17 06 2014

When managing sensitive, privileged accounts, the ability to dial down granular policies and controls is imperative for a strong security posture. Secret Server provides a wide landscape of customization for security policies on Secrets. Most configurations can be set at either the Template or the Secret level. This approach provides admins global and granular control of Secrets to optimize your company’s internal security policies.

In previous versions of Secret Server, a fair amount of administration was needed to maintain newly configured Secrets. Security settings had to be set when the Secret was created, while administrators checked that users were assigning the correct configurations based on company policy. By introducing Secret Policy, administrators can cut down on time used to manage individual policies on secrets and ensure their instance of Secret Server is configured correctly.

As of 8.6, Security Policy allows administrators to set controls at the folder level, affecting all Secrets in a particular folder and confirming that any Secret created within a folder has the correct security settings assigned.

For example, if Active Directory accounts are set to Auto Change their password every 90 days, but there are 100 of these that are domain administrator accounts needing to expire every 45 days, a Secret Policy can be created and applied only to these Secrets that activates this timed password rotation. Without making any changes at the template level, I am still able to maintain the default settings for my other Active Directory Secrets.

Secret Policy also provides the option to configure a default setting, applied when a new Secret is added to a folder with the policy in place, as well as the option to enforce settings so users cannot change them. Below is an example of a security policy set for domain admin accounts. This policy sets Auto-Change for every 45 days. Heartbeat and Check Out are required, while changing passwords on Check In is optional. Require Comment is also enforced for all the Secrets created with this policy in effect.

Secret Server Secret Policy


Want to learn more about Secret Policies? Join us Thursday, July 10 at 1:00 PM for live demonstrations of setting Security Policies in our monthly webinar. We hope to see you there!

Real Time Security with Secret Server and BalaBit IT

12 06 2014

Since Thycotic started in 1996 as an IT consulting company we’ve kept to our roots by listening to customer feedback before implementing new features and integrations. Based on this feedback, we’ve added many proactive security features to Secret Server over the last few years, things like custom reports and detailed auditing, role-based access, session recording, and SIEM integration. The result is that we are able to provide proactive and defensive security.

With that in mind, Thycotic is pleased to announce our integration with BalaBit’s Shell Control Box. The Shell Control Box is an activity monitoring appliance that sits on your network, transparently controlling privileged access to your servers and recording activity across your network in a movie-type audit. The Shell Control Box monitors activity on your network in real-time, looking for suspicious actions such as risky console commands, unwanted windows, or exposure of sensitive information. With this information the Shell Control Box can create detailed user reports, generate real-time alerts via email, send them out to your SIEM tool, and even automatically terminate connections.

Our integration combines Thycotic Secret Server’s password management and access control with Shell Control Box’s active session monitoring. This is a powerful addition, especially for companies already using Secret Server’s session monitoring and management features, and that want to automate the session management process.

Learn more about BalaBit Shell Control Box here. For those not yet using Secret Server’s session management options, learn more in our previous blog post.

Video How-to: Customizing Your Company’s Secret Server

10 06 2014

If you follow our blog, you’ll know Secret Server version 8.6 includes a new user interface. This week, we’re bringing you a how-to video all about the theme roller. Jacob Stucky, UI Team Lead, walks you through the steps to customize Secret Server with your company’s theme.

Theme Roller How-to 

Basic Dashboard

In addition to increased control over your Secret Server theme, you also have more control over your end-user experience with Basic Dashboard. This is a streamlined view of Dashboard for users that don’t need any widgets other than to create and use Secrets. With Basic view, users can log in and view the Secrets they need instantly.

Basic Dashboard can be enforced for your users by assigning them to the new Basic User role, which is included in version 8.6. You can also enforce Basic User mode by omitting the “View Advanced Dashboard” permission from a user’s role.

Secret Server Roles View


Adaptive View

Another must-see addition to the new UI is the adaptive interface that makes it easier than ever to utilize Secret Server from your mobile device. To use this, be sure to select Basic for your Dashboard view:


Not only will Dashboard allow you to search and view Secrets in this simple interface, but it continues to provide access to the menu, so you can continue to access the full functionality of the site:

Secret Server Basic View 3

The adaptive interface also applies to any web browser – test it out by accessing Secret Server with Basic Dashboard and resizing your browser:

Secret Server Basic View

We hope you enjoy creating your own theme. Be sure to check out the new features and let us know what you think!

SSL: Beyond the Basics Part 4: Strict Transport Security

5 06 2014

In our previous post, we discussed SSL certificates and new cryptographic functionality that can be used with modern SSL certificates. Next, we are going to look at how to make sure SSL is always used for web clients in a browser.

SSL doesn’t do much for securing browsers if it isn’t used, which is why most web applications, including Secret Server, automatically redirect browsers to the SSL-secured version of the application.

Secret Server currently handles redirects like this:

Secret Server Redirect

The server checks whether the request came in over SSL, and if it did not, instructs the browser to go to the SSL-enabled site. However, this poses one potential risk. Suppose there is a man-in-the-middle attack, where an attacker intercepts the server’s response and, instead of redirecting to the SSL-enabled site, sends the user somewhere else that looks like Secret Server.

Man-in-the-middle attack

Since there is still a small window in which an attacker can intercept a non-SSL request, they can redirect the browser to a URL that might look very similar to Secret Server’s URL, but displays a fake login form to steal credentials.

To mitigate this, modern browsers support Strict Transport Security, or HSTS, which lets the server inform the browser that the site should always be accessed over SSL. From that point on, the client performs the redirect to SSL itself, not the server, which removes the opportunity for a man-in-the-middle attack.

HSTS is accomplished by the web server by including an HTTP header with a name of “Strict-Transport-Security” and a value of “max-age=n” where n is a numeric value that indicates how long the browser should remember to always redirect to SSL.

Although “Assign HSTS Policy” and “Display Login Page” are the same step in the diagram, it illustrates the benefit of HSTS: the window of opportunity for attackers becomes much smaller. The attacker must now make the interception before the HSTS policy has been established, or between valid re-establishments. Configure HSTS with a very high max-age, which sets how long the policy is valid for in seconds. For example, you might configure HSTS with a max-age of 31536000 seconds, which is one year.

Configuring HSTS in Internet Information Services (IIS) is possible with no additional software, given a little additional configuration. One requirement of the HSTS specification is that the server only sends the HTTP header when the connection is on SSL. This can be done in IIS with a second web site that handles the plain HTTP redirect.

Typically, customers configure their Secret Server’s website to bind on ports 80 (HTTP) and 443 (HTTPS). When Secret Server sees that the request came in over HTTP, it redirects to HTTPS.

To configure HSTS for Secret Server, use IIS to configure the Secret Server website to only accept HTTPS connections. Next, create a website that listens only for HTTP connections. This HTTP-only website will redirect to the HTTPS Secret Server using IIS’s HTTP Redirection feature. Finally, the HTTPS-only website is configured to send the HTTP header in IIS’s “HTTP Response Headers” by setting the Strict-Transport-Security header with a maximum age. This achieves having the header only sent when HTTPS is being used.
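To see why the header is worth sending only from the HTTPS-only site, here is a small browser-side model of the behaviour described in this post. It is an added example, not Secret Server or IIS code: it parses the Strict-Transport-Security header, caches the policy per host, ignores the header on a plain-HTTP response as the specification requires, and upgrades later http:// requests locally without waiting for the server’s redirect. The host name and responses are constructed samples, and it also covers max-age=0 (clearing a policy) and expiry, which the post does not walk through.

```python
"""Simulated browser-side HSTS handling (added example, not Secret Server code)."""
import re
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed sample host and the one-year max-age used in the post.
HOST = "secretserver.example.com"
ONE_YEAR = 31536000


def parse_hsts(header_value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security
    value, or None if max-age is missing or malformed (RFC 6797 syntax)."""
    max_age = None
    include_sub = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and re.fullmatch(r"\d+", value):
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsBrowser:
    """Minimal HSTS known-hosts cache: host -> policy expiry timestamp."""

    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be demonstrated
        self._known = {}

    def observe(self, scheme, host, headers):
        """Process one response. The header is honoured only on an HTTPS
        response; a plain-HTTP response carrying it is ignored, which is why
        the HTTP redirect site in IIS need not (and should not) send it."""
        value = headers.get("Strict-Transport-Security")
        if scheme != "https" or value is None:
            return False
        parsed = parse_hsts(value)
        if parsed is None:
            return False
        max_age, _ = parsed
        if max_age == 0:
            self._known.pop(host, None)      # max-age=0 tells the browser to forget
        else:
            self._known[host] = self._now() + max_age
        return True

    def rewrite(self, url):
        """Upgrade http:// to https:// locally while a valid policy is cached.
        Before a policy exists the request goes out in the clear, and only the
        server's redirect (the interceptable window) protects it."""
        parts = urlsplit(url)
        expiry = self._known.get(parts.hostname)
        if parts.scheme == "http" and expiry is not None and expiry > self._now():
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url
```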

Thanks to all for following our SSL: Beyond the Basics posts! Get more security information by subscribing to our blog and following us on LinkedIn and Twitter, where we keep you updated on the latest IT security trends and Thycotic product updates.
