Thycotic Secret Server is a full-featured PAM solution that gives security and IT ops teams the agility to secure and manage all types of privileges, protecting administrator, service, application, and root accounts from cyber attack. It also provides a free version for small business that allows 10 users and manages up to 250 privileged accounts, supports RDP and PuTTY, and can be integrated with AD.
This post is to collect some basic Thycotic SS operation tasks.
Local Secret Server Basic Architecture
1. Install CA-Signed Web Application Certs
2. Licensing & Integrated AD – Directory Service
3. Create/Sync Secret Server Users
4. Enable/Configure Security Features
Install CA-Signed Web Application Certs
Enable Security Features
Click RDP Launcher from your secret account page:
Some Warning Messages or Error Messages when using RDP Launcher:
The publisher of this remote connection can’t be identified.
Tick the check box “Don’t ask me again for connections to this computer” and click the Connect button to continue.
Secret Server Error:
The Secret Server Launcher failed to load.
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
This is usually caused by an untrusted RDP SSL certificate. Once the client machine is joined to the domain, this error message goes away.
Enable Session Monitoring
Enable Session Recording in Secret Settings
Remote Password Changing (RPC) Steps
- Remote Password Changing
- Review built-in changers
- Create Custom
- Test Actions
- Configure Expiration
- Configure template RPC and Heartbeat Settings
- Auto-Change Schedule
- <Not Set> will cause a setting to stay off
- <Default> will cause the setting to be on, but editable in the future by users with edit permissions on the secret
- <Enforced> will cause the setting to be on and uneditable; it will be locked onto any secret with this policy
Overridden by General Configuration Permission Option “Force Require Approval for Editors on Approval Secrets”
(Can be overridden by General Configuration Permission Option “Force Require Approval for Owners on Approval Secrets”)
- <Not Set> – this is the default setting, which marks the item as disabled/not in effect;
- Default – selecting this option will apply the Policy Item across all Secrets in the target folder, with the option of making manual changes to the Secret settings further down the line. Any items selected as ‘Default’ will be applied on the creation of any Secret that has this Secret Policy applied to it.
- Enforced – selecting this option will apply the Policy Item across all Secrets in the target folder, without the option of changing these applied settings on the Secrets in that folder. Any items selected as ‘Enforced’ will be applied to all Secrets that have this Secret Policy applied to them.
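As an added illustration that is not part of the original post or of Thycotic's own code, the following Python models the three policy item modes above: how Default and Enforced items apply when a secret is created versus when the policy is attached to an existing secret, and which items an editor can later change. The item names and values are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class PolicyMode(Enum):
    NOT_SET = "<Not Set>"    # item disabled / not in effect
    DEFAULT = "<Default>"    # applied on creation, editable afterwards
    ENFORCED = "<Enforced>"  # always applied and locked on the secret


@dataclass
class Secret:
    name: str
    settings: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)


def apply_policy(secret, policy, at_creation):
    """policy maps item name -> (PolicyMode, value). Enforced items always
    apply and lock the item; Default items apply only when the secret is
    created; Not Set items leave the secret untouched."""
    for item, (mode, value) in policy.items():
        if mode is PolicyMode.ENFORCED:
            secret.settings[item] = value
            secret.locked.add(item)
        elif mode is PolicyMode.DEFAULT and at_creation:
            secret.settings[item] = value
    return secret


def edit_setting(secret, item, value):
    """An editor may change Default / Not Set items; Enforced ones are locked."""
    if item in secret.locked:
        return False
    secret.settings[item] = value
    return True


# Constructed policy: recording locked on, approval on by default, checkout unset.
POLICY = {
    "session_recording": (PolicyMode.ENFORCED, True),
    "require_approval": (PolicyMode.DEFAULT, True),
    "checkout": (PolicyMode.NOT_SET, True),
}


def new_secret(name):
    return apply_policy(Secret(name), POLICY, at_creation=True)


def existing_secret(name):
    # A secret that already existed (approval off) when the policy was attached.
    return apply_policy(Secret(name, {"require_approval": False}), POLICY, at_creation=False)
```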