Secret Server and Privilege Manager 10.4: Six improvements mean more security in less time

Thycotic is proud to announce the release of version 10.4 for Secret Server and Privilege Manager.

Secret Server

1. Software Development Kit (SDK)

One of the greatest problems in IT security today is the widespread use of embedded credentials—usually as part of a connection string, scripts and applications can contain usernames and passwords that they need to access other systems.  There are two major issues with this approach.  First, those scripts and applications get completely broken each time a password change occurs on the account that they’re using.  The result of this is that often the passwords are never rotated, which is poor security practice.  Second, those credentials are often sitting in plain-text where anyone can view them.  This can potentially provide an intruder or malicious insider the credentials they need to spread laterally through the network.

Raising the bar on password security, 10.4 comes with Secret Server SDK

Secret Server’s Java and .NET Application API has allowed customers to solve this problem for years, but with version 10.4 we have introduced a replacement—the Secret Server SDK.  The SDK is a local application that gets installed onto a host, and allows for the replacement of embedded credentials with token-based API calls.  This way, each time the application runs it obtains the latest credentials, and those passwords can now be rotated at will without breaking anything.

Security around the SDK has also been simplified—Secret Server Admins can specify exactly what local user account each of those SDK installations will use.  This means that you can give each application access to only the passwords it needs with fine-grained permissions.  IP restrictions and access keys can also be specified for additional security.

The SDK also allows for local caching of those credentials.  This becomes particularly important for customers with a large DevOps user-base, where thousands on API calls per day per user can be expected.  Instead of waiting for the Secret Server host to respond, the SDK has those credentials ready on the local machine, cutting down on time and preventing any situation where the application won’t be able to start because of network connectivity issues.

2. Active Directory User Caching

Another 10.4 improvement that addresses network connectivity is the ability for Secret Server to cache users’ AD login credentials.  This is particularly important for Secret Server Cloud customers, but also relevant for any situation in which a Distributed Engine is being used for AD authentication.  Prior to 10.4, if a user was trying to log into Secret Server and their Distributed Engine was offline or extremely overburdened with other tasks, they might see a delay in logging in and assume that their Secret Server instance was offline.

With the new encrypted AD credential caching, Secret Server knows that the user was able to log in with the stored credentials recently, and can allow them access to the vault (after a recommended two factor check) even when that connectivity is down.

3. Privileged Behavior Analytics

Our user behavior analytics product has also received some upgrades in version 10.4.  While previously this product was specific to on-premise Secret Server installs, it can now accept data from Secret Server Cloud customers and provide them with the same real-time alerting and access challenges when unusual behavior is noticed.

Improvements have also been made to the user experience, including a shared login with Secret Server, a dashboard assistant to help guide new users, and App Cues—shortcuts that allow for easy navigation to frequently used features.

Privileged Behavior Analytics Dashboard

Privileged Behavior Analytics has a great dashboard that users love!

Privilege Manager

Our endpoint application control solution, Privilege Manager, has received quite a bit of love with this release too.

4. Local Account Management

With version 10.4, Privilege Manager now has the ability to manage membership in the Local Administrators group on each endpoint.  Policies can be created that define exactly which groups and users belong in that group, and any attempt to add new user or groups (or remove existing users and groups) will be rejected.

This functionality also allows for the easy cataloging of existing local administrator accounts and groups present on your endpoints.  You can quickly decide which accounts belong and which do not.

Do you have machines that are not domain joined and need their local administrator passwords rotated?  Privilege Manager can now help with that, too.  Character and password length requirements can be specified and enforced across all endpoints that Privilege Manager is installed on.

5. New User Interface

In addition to adding new functionality, Privilege Manager has also received a brand new user interface!  Creating policies and managing applications has never been easier, with new filter navigation options and actionable tips that pop up when best practices could be followed better.  The dashboard also gives vital information on agent health immediately upon login, so you’ll know instantly if actions need to be taken.

Thycotic's Privilege Manager 10.4 New User Interface

Privilege Manager’s intuitive and easy-to-use new UI

6. Reporting and Dashboards

Last but not least, new reports and dashboards have been added that give insight into local user and group membership, and auditing of passwords that Privilege Manager is responsible for managing.  These reports and charts have been added in a way that provides context-driven information on users and computers so you don’t have to go looking for the information that is important to you.  Like the new Local Account management feature, all reporting functionality is included within Privilege Manager, so no additional licensing or charges are necessary.

FREE IT Tools

IT Admins: Our collection of free IT tools makes your life easy and your organization safer!



This is a Security Bloggers Network syndicated blog post authored by Dan Ritch. Read the original post at: Thycotic