Creates a fundamental security layer, managed from a single console, to protect privileged accounts against cyber-attacks and insider abuse.
Provides simple, self-service password management, freeing IT help desk staff from time-consuming and inefficient processes and enforcing stronger end-user password controls.
Manages and audits privileged accounts. Reports on, analyses and manages privileged user and account activity.
Automatically rotates passwords for admin and service accounts. Discovers, changes and automates dependencies.
Detailed feature breakdown
Below is a list of the types of privileged accounts found on typical networks, with some suggestions as to why they should receive extra attention and controls:
These can be privileged local or domain admin accounts that are used by an application or service to interact with the operating system. The consequence is that such an account's password could literally be left unchanged for years, while the account possesses the same rights and privileges as a typical domain administrator, whose password would otherwise be changed on a regular basis. The challenge is that service accounts can have dependencies on other systems; if those are not changed at the same time, the result is network, system or user disruption.
Thycotic Secret Server will automatically scan the network to discover the service accounts, map their dependencies and any reliance on other systems, and apply a strong new password every month, while ensuring the associated dependencies and reliant systems are updated as well.
Windows local admin accounts are a security problem for every organization because one set of login credentials is typically used by many IT administrators. This can make it difficult or even impossible to implement an adequate access management policy, because organizations cannot track who is gaining access to which network equipment at any given time. These accounts are everywhere: Windows workstations, servers and laptops. Laptops, being mobile, carry a greater risk of being lost or stolen, and hence more opportunity for the admin account on the laptop to be compromised. We have witnessed a laptop's admin account being revealed using a rainbow-table brute-force attack and, soberingly, the same password then being used to access the business's network, because the same administrator had used the same password!
Finding all of the Windows local administrator accounts is a challenge, especially as new machines are rapidly deployed in virtual environments. These accounts are especially important because they are the prime target for an attacker who breaches a workstation. Once the attacker obtains the admin password, they can reuse it to breach other machines on the network, as it will typically be the same password reused by the same administrator. Therefore, these passwords should be randomized, changed regularly, and subject to strong complexity requirements to prevent abuse and attacks. Ideally their usage should be carefully controlled and attributed to the correct user through audit trails.
Thycotic Secret Server will detect these local Windows accounts with escalated privileges and automatically apply complex passwords that are changed regularly, logging each change so that any compromised device can be identified and, if necessary, an emergency account password change can be implemented quickly and seamlessly.
Windows server administrators need to use domain admin (DA) accounts to perform standard administrative tasks. Ideally, AD domain admin accounts should only be used when privilege is required (admins should not run as a domain admin for their regular AD account), and each should be used by a single administrator for accountability. These accounts are also highly susceptible to "Pass the Hash" attacks because their passwords are not changed frequently. A Pass the Hash attack is when an adversary uses the password hash from a previous domain admin logon to impersonate that user on other systems, giving the attacker domain admin access across the network. To protect these accounts, privilege management is very important: access should be controlled and audited, and passwords must be changed frequently to prevent Pass the Hash attacks, ideally after each use of the account.
Secret Server can find Windows privileged accounts using Discovery, and can enforce password complexity and automatic password changing on a scheduled basis. Pass the Hash attacks can be prevented by using the Check Out feature, a powerful method of ensuring security and accountability for domain admin accounts. Check Out forces accountability on Secrets by granting exclusive access to a single user with a one-time password (OTP).
After the admin checks the Secret back in to Secret Server, the solution automatically performs a random password change on the remote machine. While the Secret is checked out, no other user can access it. This establishes single accountability for a remote machine being accessed during a specific time period. Check Out requires administrators to always use Secret Server, ensuring the password is changed after every use and eliminating the "Pass the Hash" attack. It also ensures that a complete audit trail of password usage is enforced and logged.
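As an added illustration (not Secret Server's own code), the following Python toy models the Check Out workflow described above: an exclusive lease on the account, automatic rotation when the Secret is checked in, and an audit trail. The account name is constructed and SHA-256 stands in for the real credential hash; the point it shows is why a hash captured during one session no longer authenticates once the password has been rotated.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

def credential_hash(password: str) -> str:
    # Stand-in for the stored authenticator hash: SHA-256 here, not the
    # real NT hash (MD4 over the UTF-16LE password) that Windows keeps.
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()

@dataclass
class ManagedSecret:
    """One privileged account held in the vault, with an exclusive lease."""
    account: str
    password: str = field(default_factory=lambda: secrets.token_urlsafe(24))
    checked_out_by: Optional[str] = None
    audit: List[Tuple[str, str]] = field(default_factory=list)

    def check_out(self, user: str) -> Optional[str]:
        # Exactly one user holds the password at a time; others are refused.
        if self.checked_out_by is not None:
            self.audit.append(("denied", user))
            return None
        self.checked_out_by = user
        self.audit.append(("check_out", user))
        return self.password

    def check_in(self, user: str) -> None:
        # Releasing the lease rotates to a fresh random password.
        if self.checked_out_by != user:
            raise PermissionError(f"{user} does not hold {self.account}")
        self.password = secrets.token_urlsafe(24)
        self.checked_out_by = None
        self.audit.append(("check_in_rotated", user))

def hash_still_valid(secret: ManagedSecret, captured: str) -> bool:
    # Would a hash captured earlier still match what the target accepts?
    return secrets.compare_digest(credential_hash(secret.password), captured)

def demo() -> dict:
    s = ManagedSecret("CORP\\da-admin")         # constructed account name
    pw = s.check_out("alice")                   # exclusive access granted
    second = s.check_out("bob")                 # refused while checked out
    captured = credential_hash(pw)              # hash exposed during the session
    during = hash_still_valid(s, captured)      # replay works while in use
    s.check_in("alice")                         # rotation on check-in
    after = hash_still_valid(s, captured)       # replay now fails
    return {"second_denied": second is None, "during": during,
            "after": after, "audit": [a for a, _ in s.audit]}
```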
These are a concern because of their enormous power and simultaneous lack of accountability. In UNIX and Linux, privilege can be established two ways: by using a root account that is a full-access pass on the network, or by using a limited user account and adding Sudo access commands as needed to perform specific privileged tasks.
Both of these methods present security and compliance problems: managing who has access across multiple UNIX/Linux systems, and controlling the use of the root accounts.
Implementing identity access management on UNIX can be difficult because either a federated identity system or a bridge to AD is needed to allow the mapping of AD accounts to UNIX identities. Some administrators will attempt to manually manage unlinked user accounts per user across multiple UNIX environments, or use a synchronization or provisioning tool to do so. Other teams may use generic shared accounts and then control access to those shared accounts. Either way, the solution needs to be manageable and provide irrefutable accountability for who is using the system and what they are doing.
Root accounts are the most powerful accounts on a UNIX system and, without a root management tool to bring accountability, cause three major problems for security and compliance:
Thycotic Secret Server helps you to apply controls to these accounts and limit access to UNIX root and sudo accounts while keeping the individual user accountable. Access to both sudo and the root password is controlled, and only one individual can be empowered to know a password at any point in time, ensuring accurate accountability for any actions taken using the account. These accounts can also have their passwords automatically rotated on a regular basis to prevent brute-force attacks, and have a complex password policy applied.
CST selected Thycotic Secret Server as our customers were striving to do more about safeguarding (and indeed needing a way to demonstrate as much) the control of their privileged user accounts. They needed to regain control of the keys to the kingdom, with the least amount of resource, in the quickest possible time.
Nigel Lewis
For further information, we deliver regular 60-minute Webex demonstrations of Thycotic Secret Server; please email us for the next dates.