While responding to a different but related forum question, a Secret Server Admin made a good point: Split the ability to enable Unlimited Administrator Mode and the ability to use it. This is outlined in the Secret Server Best Practices Guide. Here is a quote from the forum post:
1.) I encourage this on all SS installs. Separate the roles of both Enabling Unlimited Admin mode and Unlimited Admin from a user. Configure SS to require that one (or more) people are the only ones that can enable Unlimited Admin mode but not be an Unlimited Admin. The opposite for the Unlimited Admin, they shouldn't be able to put SS in Unlimited Admin mode. This prevents a single person from having the ability to flip the god switch.
2.) Setup event subscriptions/notifications that email all users of SS when Unlimited Admin mode is enabled.
3.) Direct all users to the appropriate report(s) that show what an Unlimited Admin did while that mode is enabled.
Splitting these roles between two different users or groups of users adds a further layer of accountability to Secret Server. No single Administrator can both authorize the switch to Unlimited Administrator Mode and then use that mode to gain access to all of the secret data stored in the database.
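As an added illustration of the split described in step 1, the Python below (written for this post, not Secret Server's own code; the permission, role, group and user names are constructed placeholders, not Secret Server's real permission names) walks a role and group assignment and flags any user who effectively holds both permissions, including users who inherit one of them through group membership:

```python
# Separation-of-duties check for Unlimited Administrator Mode.
# Added example; permission/role/group/user names are assumed placeholders.
from typing import Dict, List, Set, Tuple

ENABLE_UA_MODE = "Enable Unlimited Admin Mode"   # assumed permission name
UNLIMITED_ADMIN = "Unlimited Admin"              # assumed permission name
TOXIC_PAIR = {ENABLE_UA_MODE, UNLIMITED_ADMIN}

# Constructed sample data: roles grant permissions; users and groups carry roles.
ROLES: Dict[str, Set[str]] = {
    "Administrator": {"Administer Users", "View Reports"},
    "UA Mode Approver": {ENABLE_UA_MODE, "View Reports"},
    "Unlimited Administrator": {UNLIMITED_ADMIN, "View Reports"},
    "User": {"View Secrets"},
}
GROUPS: Dict[str, Set[str]] = {
    "SecurityTeam": {"UA Mode Approver"},
    "Ops": {"Administrator"},
}
USERS: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"roles": {"Unlimited Administrator"}, "groups": {"Ops"}},
    "bob": {"roles": set(), "groups": {"SecurityTeam"}},
    # carol gets "Enable" via SecurityTeam and "Unlimited Admin" directly: a violation.
    "carol": {"roles": {"Unlimited Administrator"}, "groups": {"SecurityTeam", "Ops"}},
    "dave": {"roles": {"User"}, "groups": set()},
}

def effective_permissions(user: str, roles=ROLES, groups=GROUPS, users=USERS) -> Set[str]:
    """Union of permissions from directly assigned roles and roles inherited via groups."""
    entry = users[user]
    role_names = set(entry["roles"])
    for group in entry["groups"]:
        role_names |= groups.get(group, set())
    perms: Set[str] = set()
    for role in role_names:
        perms |= roles.get(role, set())
    return perms

def find_sod_violations(roles=ROLES, groups=GROUPS, users=USERS) -> List[str]:
    """Users who could both enable Unlimited Admin Mode and act as an Unlimited Admin."""
    return sorted(u for u in users if TOXIC_PAIR <= effective_permissions(u, roles, groups, users))

def coverage(roles=ROLES, groups=GROUPS, users=USERS) -> Tuple[List[str], List[str]]:
    """Who can enable the mode and who can use it; either list empty means the mode is unusable."""
    enablers = sorted(u for u in users if ENABLE_UA_MODE in effective_permissions(u, roles, groups, users))
    admins = sorted(u for u in users if UNLIMITED_ADMIN in effective_permissions(u, roles, groups, users))
    return enablers, admins

if __name__ == "__main__":
    print("SoD violations:", find_sod_violations())   # ['carol']
    print("enablers / unlimited admins:", coverage())
```

Run this kind of check whenever role or group membership changes, alongside the event subscription from step 2, so a violation is caught before anyone needs to flip the switch.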
Do you have questions, comments, and concerns about Unlimited Administrator Mode? Please post in our forums: http://www.thycotic.com/products_secretserver_forums.html
By JordanTrue