51 Security

Learning, Sharing, Creating

Thycotic

Thycotic Secret Server Intermediate Knowledges

ByJon

Jun 26, 2021 #Thycotic

 This post summarizes some Thycotic SS knowledges which considered as intermediate level. 

    Launchers

    Launcher Setup:

    • Variety of options depending on needs

    • Chrome Extension
    • Web password filler
    • Protocol Handler

    • Protocol Handler

    • Pings Secret Server on interval to ensure sessions is valid
    • Kills Session if check fails or callback times out

    • Prompted at the first Launch

    Launchers Types:

    • Default Launchers

    • RDP
    • PUTTY
    • Web Password Filler/Launcher
    • Powershell
    • SQL Server
    • Sybase isql (SAP SQL Anywhere)
    • IBM z/os
    • IBM i-Series

    • Custom Launchers

    • Process
    • Proxied SSH
    • Batch File

    • Launchers can be configured with Secret Templates

    Proxy

    Proxy Benefits

    • Without a Proxy

    • Session is established from client to the target
    • Credentials sent from Secret Server to the client
    • Possible to dump memory and compromise the credentials

    • With a Proxy

    •  Session is established from Secret Server to the target
    • Credentials never transmitted to the client

    Proxy Type

    • SSH Proxy
    • RDP Proxy
    • SSH Proxy Tunnel local RDP Session to remote server (Note recommended way since credential will be sent to client machine)

    Troubleshooting Tips

    • Verify Remote Certificates are both Valid and Trusted
    • Check Firewall Ports – RDP Proxy default port is 3360, The Distributed Engine or Web Node default Port is 3389.
    • Credential on % Secret can be viewed by selecting More/Show Proxy Credentials and then choosing the Launcher
    • Verify the Latest Version of .NET framework is installed.

    Discovery

    Discovery finds Secrets in an IT environment and brings them into Secret Server

    • Secret Server is most effective when it covers all privileged accounts
    • Discovery helps to eliminate – Unknown Privileged Accounts, Backdoor Access and Gaps in Security
    • Auditors want automated processes to reduce human errors

    Secret Server Discovery Out-Of-Box vs Custom

    Out-of-Box

    • Active Directory
    • Unix/Linux local accounts
    • Hypervisor ESXi accounts
    • Amazon Web Services
    • Google Cloud Platform

    Custom (Extensible)

    • ANYTHING -Leverages PowerShell scripts
    • SQL Accounts & Database links
    • Networking equipment
    • Embedded passwords



    Extensible Discovery Overview

    •  Extends Secret Server’s Discovery capabilities
    •  Built-in and/or Custom Scanners
    •  Discovery Process Scans:
      •  Host Range Discovery
      •  Machine Discovery
      •  Local Account Discovery
      •  Dependency Discovery
    • Not required to use Discovery in Secret Server but needed for most environments

    Why Use Extensible Discovery?

    • Discover configuration files containing passwords
    • Scan computers not joined to the domain
    • Dependencies that run a SQL, SSH, or PowerShell script
    • Bring information back to custom fields in a Secret Template
    • Discover SQL Server logins as “Local Accounts”

    Remote Password Changing

    Remote Password Changing Summary

    Enable Globally:

    • Remote Password Changing
    • Heartbeat

    Password Changers:

    • Review built-in Changers
    • Create Custom
    • Test Actions

    Secret Template:

    • Configure Expiration
    • Configure Template RPC and Heartbeat Settings

    Secret or Secret Policy:

    • On-Demand
    • Auto-Change
    • Auto-Change Schedule

    Dependency

    Creating Custom Dependencies

    If there are different dependency types that you want to manage that are not supported out of the box, new ones can be created based on a script. A custom dependency consists of two components:

    • Dependency Template: The dependency template defines how a dependency is matched to discovered accounts and how it updates the target after a password change occurs on the account. to create a new dependency template, go to Admin > Secret Templates and click the Dependency Templates button.
    • Dependency Changer: A dependency changer is a script and the associated parameters to be passed into the script. Dependency changers can be created and modified by going to Admin > Remote Password Changing > Configure Dependency Changers.

    PowerShell, SSH, and SQL dependencies can have script arguments that derive their values from values on the dependency, the secret it belongs to, or any other secrets associated for remote password changing. Starting with Secret Server 10.0, tokens can also be used in ODBC connection string arguments. Script arguments are defined on dependency changers in Secret Server 10.0 and above and on the dependency in earlier versions of Secret Server.

    Workflow

    Secret Workflow Summary

    Require Comment:

    • Justification that extends audit
    • Ticket Integration Optional

    Request Access/Require Approval:

    • One-Step
    • Multi-Step (New IJI Only)
    • Enforces Tme and Approval
    • Ticket Integration Optional

    Check-Out:

    • Enforces Sole Access
    • Enforces Tme
    • Enforces Rotation (Optional)
    • Hooks (Optional) — SSH, SQL, or PowerShell scripts that perform actions at check-out and/or check-in

    Doublelock:

    • Additional Encryption
    • For your most sensitive Secrets
    • Cannot be exported or use RPC
    • Requires Doublelock Password

    Event Pipelines

    Overview of Event Pipelines:

    • Are created in Secret Server then assigned to
    • an Event Pipeline Policy
    • Can be in multiple EP Policies
    • Do nothing if not assigned to an EP Policy
    • Policies can target Folders or Secret Policies
    • Have no effect if it has no target (Folder or Policy)

    Event Pipelines Filters:

    • Parameters that limit when an EP runs
    • Have settings and can be added to multiple times

    Filter Examples:

    • Custom Variable
    • Group
    • Policy on a Secret
    • Role
    • Role Permission
    • Secret Access Role Permission
    • Secret Field
    • Secret has Field
    • Secret has RPC enabled
    • Secret Name
    • Secret Setting
    • Secret Template
    • Site

    Event Pipelines Targets:

    • Folders — Secrets inside folders
      • Not recursive — only the secrets directly in the folder can trigger EP
    • Secret Policies (SP) — Secrets leveraging a specific SP

    Event Pipelines Tasks:

    • Actions which are triggered in ap EP — over 30 built in
    • EP targets are NOT the receiveß of task actions — receivers are usually components of Secret Server
    • Event variable are used in EP tasks — Secret Field Tokens, Event Settings Tokens, Secret Setting Tokens, and some additional tokens
    • Example Tasks:
      • Change password remotely
      • Delete
      • Change Secret to require workflow
      • Etc.

    Auditing

    Introduction — Data Retention Policies
    • Automatically delete older audit and audit-like information
    • Two-data retention policies:
      • Personally Identifiable Information (PII)
      • Database Size Management
    • All records in each table older than the set max record age will be deleted from the database

    Alerting and SIEM Integration

    Alerting and SIEM Integration
    Per Secret Alertieg
    • Set on the Secret
    • Set for the Individual User
    Per User Alerting
    • Set per User
    • Set for all Secrets they have Access to
    Event Subscriptions
    • Customizable alerts throughout Secret Server
    • E-Mail Notifications
    SIEM Integration
    • Correlation with events outside of Secret Server

    Session Recording and Connector

    Records Launched Sessions
    Works with all Launchers Including
    • Remote Desktop
    • Putty SSH
    • Microsoft SQL Management Studio
    • Custom Launchers
    Session Recording is Available
    • From the Secret Audit
    • Under Admin -> Session Monitoring
    Can be Enabled
    • Per Secret
    • By Secret Policy
    Secret Server Session Connector Introduction
    • Clientless session recording
    • Launchers session through Microsoft remote desktop services (RDS)
    • Requires setup and configuration of MS RDS server
    • Requires Thycotic components installed on MS RDS Server
    • Provides an additional launcher type ” Session Connector Launcher”
    • No need for Connection Manager or Protocol Handler on endpoint
    • Target server credentials are never sent to user’s endpoint

    from Blogger http://blog.51sec.org/2021/06/thycotic-secret-server-intermediate.html

    By Jon

    Related Post

    CyberArk Thycotic

    PAM Solution Roadmap or Project Phases

    May 9, 2022 netsec
    Thycotic

    (Delinea) Thycotic Secret Server Report Script Collection

    Feb 21, 2022 netsec
    Thycotic

    Thycotic Secret Server Best Practice

    Dec 23, 2021 Jon

    Leave a Reply

    You missed

    Vulnerability Scan

    Tenable Web Application Cerdential Scans For Web Appications and APIs

    2024-10-30 netsec
    CyberArk

    Steps to Update/Renew Your CyberArk Infrastrucure Certificates (PSM)

    2024-10-30 netsec
    Vulnerability Scan

    Tenable Lab Steps and Notes – Part 1 (Discovery, NNM, Assessment, Plugins, Compliance, VPR, Analysis)

    2024-10-30 netsec
    Vulnerability Scan

    Tenable Lab Steps and Notes – Part 2 (Dashboards, Reports, Core, Nessus, NNM, Agent, Scanner Groups)

    2024-10-30 netsec