Thycotic Secret Server is a privileged access management (PAM) product that lets security and IT operations teams vault and manage all types of privileged credentials, protecting administrator, service, application, and root accounts. A free edition for small businesses supports 10 users and 250 privileged accounts, includes RDP and PuTTY launchers, and can be integrated with Active Directory.

This post collects some basic Thycotic Secret Server operation tasks.

Thycotic Secret Server setup tasks:

1. Install CA-Signed Web Application Certs

2. Licensing & Integrated AD – Directory Services

3. Create/Sync Secret Server Users

4. Enable/Configure Security Features 

Install CA-Signed Web Application Certs

Licensing

Integrated AD – Directory Services

Create/Sync Secret Server Users

Enable Security Features

1. Session Recording
2. Remote Password Changing
3. Discovery

RDP Launch 

Click RDP Launcher from your secret account page:

Enter the target computer's host name, FQDN, or IP address.

Warning and error messages you may see when using the RDP Launcher:

1 Protocol Handler Failed to Launch
Usually caused by a missing Protocol Handler program on the client. Click the link for your operating system to install it.
2 Did you mean to switch apps?
If you are using Microsoft Edge, it may ask whether to switch to another app (MSTSC) to open "RDPWinBootstrapper". Click Yes to continue. The browser may also ask whether to remember this selection; click Yes.

3 Secret Server Launcher Attempts
A prompt that the Secret Server Launcher is attempting to launch with the following Secret Server URL:
https://<fqdn name of your Secret Server>/secretserver
Confirm that the URL shown is your Secret Server before allowing it.

4 The publisher of this remote connection can't be identified.

This is the standard Remote Desktop warning for a connection file that is not signed by a publisher the client trusts. Tick "Don't ask me again for connections to this computer" and click Connect to continue; only do this for hosts you expect the launcher to open.

5 Secret Server Error:

The Secret Server Launcher failed to load.

The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

This is a .NET certificate-validation failure: the launcher opens an HTTPS connection to the Secret Server URL, and the client does not trust the certificate the web site presents (for example a self-signed certificate, or an internal CA whose root is not in the client's Trusted Root store). Once the client machine is joined to the domain it receives the enterprise CA certificates through Group Policy and the error goes away. On a non-domain machine, import the issuing CA certificate into the client's Trusted Root Certification Authorities store; do not work around the error by disabling certificate validation.
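A check for this error, added here as an example (it is not the post's own script nor Thycotic tooling): it pulls the certificate the Secret Server site presents, builds the chain the way the launcher's .NET runtime does, and, if the root is untrusted, imports an exported CA certificate into the machine's Trusted Root store. The Secret Server host name and the CA file path are placeholders.

```powershell
# Added example, not from the original post or Thycotic. Placeholders:
#   $SecretServerHost  - assumed FQDN used in the launcher URL
#   $CaCertPath        - assumed path to the exported issuing/root CA certificate (.cer)
param(
    [string]$SecretServerHost = 'secretserver.example.com',
    [int]$Port = 443,
    [string]$CaCertPath = 'C:\Temp\corp-root-ca.cer'
)

# Record what .NET's own validation objects to, but accept the certificate so the
# handshake completes and the chain can be inspected afterwards.
$global:SslPolicyErrors = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $global:SslPolicyErrors = $sslPolicyErrors
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($SecretServerHost, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
$ssl.AuthenticateAsClient($SecretServerHost)
$serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

"Subject       : $($serverCert.Subject)"
"Issuer        : $($serverCert.Issuer)"
"Valid until   : $($serverCert.NotAfter)"
"Policy errors : $global:SslPolicyErrors"   # None, RemoteCertificateChainErrors or RemoteCertificateNameMismatch

# Build the chain against this machine's certificate stores, as the launcher's .NET
# runtime does. Revocation checking is off so an unreachable CRL does not mask the trust problem.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if ($chain.Build($serverCert)) {
    'Chain builds: this machine trusts the certificate.'
} else {
    'Chain does NOT build:'
    $chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation.Trim())" }

    # Remediation for a non-domain client: trust the issuing CA (needs an elevated prompt).
    # Never fix this by disabling certificate validation in the launcher or in .NET.
    if (($chain.ChainStatus.Status -contains 'UntrustedRoot') -and (Test-Path $CaCertPath)) {
        Import-Certificate -FilePath $CaCertPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
        "Imported $CaCertPath into LocalMachine\Root. Re-run this script to confirm the chain now builds."
    }
}
```

Run it in an elevated PowerShell on the client that shows the error. If the chain builds but the recorded policy error is RemoteCertificateNameMismatch, the certificate is trusted but was issued for a different name than the one in the launcher URL; fix the URL (or reissue the certificate) instead of importing anything.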

Enable Session Monitoring

1 Enable Session Recording Globally

2 Enable Session Recording in Secret Settings

3 Check Session Recording Records

Remote Password Changing (RPC) Steps

1 Enable Globally
  • Remote Password Changing
  • Heartbeat


2 Password Changers
  • Review built-in changers
  • Create Custom
  • Test Actions

3 Secret Template
  • Configure Expiration
  • Configure template RPC and Heartbeat Settings

4 Secret or Secret Policy
  • On-Demand
  • Auto-Change
  • Auto-Change Schedule

Notes: https://thycotic.force.com/support/s/article/Remote-Password-Changing-Expiration


Secret Policy

A Secret Policy is a set of security settings applied to secrets (normally assigned to a folder, so every secret in it inherits the policy). Each policy item is set to one of three values:

  • <Not Set> leaves the setting off; the policy says nothing about it.
  • Default turns the setting on when a secret with this policy is created, but a user with Edit permission on the secret can change it afterwards.
  • Enforced turns the setting on for every secret that has this policy applied and locks it; an enforced setting cannot be changed on the secret.

Certain settings are only applied to a secret if they are valid settings for that secret; a dependent item (see the table below) has no effect unless the item it depends on is set.

Security Settings policy items (each item gets a Setting of <Not Set>, Default or Enforced, plus a Value):

  • Require Check Out
  • Custom Check Out Interval (Minutes)
    (Dependent on: Require Check Out)
  • Enable Requires Approval for Access
  • Request Access Approvers
    (Dependent on: Enable Requires Approval for Access)
  • Request Access Workflow
    (Dependent on: Enable Requires Approval for Access)
  • Event Pipeline Policy
  • Editors also Require Approval
    (Dependent on: Enable Requires Approval for Access)
    (Can be overridden by the General Configuration permission option "Force Require Approval for Editors on Approval Secrets")
  • Owners and Approvers also Require Approval
    (Dependent on: Enable Requires Approval for Access)
    (Can be overridden by the General Configuration permission option "Force Require Approval for Owners on Approval Secrets")
  • Require Comment
  • Enable Session Recording
  • Viewing Password Requires Edit
  • Run Launcher using SSH Key
  • Enable SSH Command Restrictions
  • Allow Owners Unrestricted SSH Commands
    (Dependent on: Enable SSH Command Restrictions)
  • SSH Command Menu Groups
    (Dependent on: Enable SSH Command Restrictions)



When a Secret Policy is assigned to a folder, Default items are applied to each secret created in that folder and can still be changed on the individual secret; Enforced items are applied to every secret in the folder and cannot be changed on those secrets.
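To make the three settings concrete, here is a small model of how <Not Set>, Default and Enforced items land on a secret, added as an example; it is not Secret Server's own code or API. The item names and the "Dependent on" relations are taken from the table above; the function names and hashtable shapes are illustrative.

```powershell
# Added example, not from the original post and not Secret Server's API:
# a model of <Not Set> / Default / Enforced policy items applied to a secret.

# Dependent item -> the item it depends on (from the "Dependent on" notes above).
$DependsOn = @{
    'Custom Check Out Interval (Minutes)'        = 'Require Check Out'
    'Request Access Approvers'                   = 'Enable Requires Approval for Access'
    'Request Access Workflow'                    = 'Enable Requires Approval for Access'
    'Editors also Require Approval'              = 'Enable Requires Approval for Access'
    'Owners and Approvers also Require Approval' = 'Enable Requires Approval for Access'
    'Allow Owners Unrestricted SSH Commands'     = 'Enable SSH Command Restrictions'
    'SSH Command Menu Groups'                    = 'Enable SSH Command Restrictions'
}

function Apply-SecretPolicy {
    # $Policy: item name -> @{ Setting = 'NotSet'|'Default'|'Enforced'; Value = <value> }
    # Default items are written only when the secret is created (-OnCreate) and stay editable;
    # Enforced items are written every time the policy is applied and are locked.
    param($Secret, [hashtable]$Policy, [switch]$OnCreate)
    foreach ($name in $Policy.Keys) {
        $item = $Policy[$name]
        if ($item.Setting -eq 'NotSet') { continue }              # stays off
        $parent = $DependsOn[$name]
        if ($parent) {
            $p = $Policy[$parent]
            # Not a valid setting for this secret unless the parent item is on in the policy
            if (-not $p -or $p.Setting -eq 'NotSet' -or -not $p.Value) { continue }
        }
        switch ($item.Setting) {
            'Enforced' { $Secret.Settings[$name] = $item.Value; $Secret.Locked[$name] = $true }
            'Default'  { if ($OnCreate) { $Secret.Settings[$name] = $item.Value } }
        }
    }
    $Secret
}

function Set-SecretSetting {
    # An edit by a user with Edit permission: fine for Default items, refused for Enforced ones.
    param($Secret, [string]$Name, $Value)
    if ($Secret.Locked[$Name]) {
        throw "'$Name' is enforced by the secret policy and cannot be changed on the secret."
    }
    $Secret.Settings[$Name] = $Value
}

# Constructed policy for the demonstration.
$policy = @{
    'Require Check Out'                      = @{ Setting = 'Enforced'; Value = $true }
    'Custom Check Out Interval (Minutes)'    = @{ Setting = 'Enforced'; Value = 30 }
    'Enable Requires Approval for Access'    = @{ Setting = 'Default';  Value = $true }
    'Require Comment'                        = @{ Setting = 'NotSet';   Value = $true }
    'Enable SSH Command Restrictions'        = @{ Setting = 'NotSet';   Value = $true }
    'Allow Owners Unrestricted SSH Commands' = @{ Setting = 'Enforced'; Value = $true }  # skipped: parent not set
}

$secret = [pscustomobject]@{ Settings = @{}; Locked = @{} }
Apply-SecretPolicy -Secret $secret -Policy $policy -OnCreate | Out-Null
$secret.Settings        # check-out on, interval 30, approval on; no Require Comment or SSH items

Set-SecretSetting $secret 'Enable Requires Approval for Access' $false   # Default item: allowed
try   { Set-SecretSetting $secret 'Require Check Out' $false }            # Enforced item: refused
catch { $_.Exception.Message }

# Re-applying the policy later re-asserts only the Enforced items; the user's edit above survives.
Apply-SecretPolicy -Secret $secret -Policy $policy | Out-Null
$secret.Settings['Enable Requires Approval for Access']                  # still $false
```

The point the model makes: Default is a starting value that later edits can override, Enforced is re-asserted on every application and cannot be edited, and a dependent item (an Enforced SSH item here) does nothing while its parent item is <Not Set>.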

Update




By netsec
