
Using Secret Server Links to Securely Transmit Sensitive Data

    Having been a Systems Engineer, I’m familiar with the problem of sharing credentials.  My method for sharing login credentials with a colleague consisted of access to a spreadsheet with everything or a Post-it that would be shredded (hopefully).  However, with Secret Server, System Admins are easily able to share credentials with colleagues by sending them a simple URL format:

    http://SERVERNAME/VIRTUALDIRECTORY/SecretView.aspx?secretid=SECRETNUMBER

    • “SERVERNAME” is the DNS name or IP Address of the server that hosts Secret Server.
    • “VIRTUALDIRECTORY” is the name of the Virtual Directory used when Secret Server was installed.  Typically, this is “SecretServer”.
    • “SECRETNUMBER” is the actual number associated with the secret data as found in your instance of Secret Server.  This number increases sequentially as secrets are added.

    For instance, the secret of a test server I have installed is shared with this link:  http://192.168.0.2/SecretServer/SecretView.aspx?secretid=52

    Note: Using this link requires Secret Server login permissions and permissions for that user to at least view the secret you’re trying to share.

    The elegance of this method is that users can share credentials between them through email.  The use of the data, and permission to use the data, is still controlled by a Secret Server Administrator.  It’s worth mentioning that all of this activity is logged and reportable within Secret Server.

    Admins with the need for additional security can link to a secret that has a Launcher enabled and its password hidden from users.  This way, an Engineer can share a direct link to a secret’s launcher with a coworker.  The coworker can use the credential to log in via Remote Desktop (or any other launcher functionality) to a server without knowing the actual credentials.

    Hide Launcher Password is a feature that allows the password field of a secret to remain hidden from view or clipboard access, but still usable by the launcher.  The activity is completely logged in Secret Server and nothing was written down, able to be copied, or shared with anyone but those that have express permissions in Secret Server.  Enable this security feature by clicking the Edit button for a secret, then Security tab -> Edit button -> check Hide Launcher Password -> Save button.

    The use of links goes beyond email.  Admins could also use these links in support documentation for applications or systems.  In the documentation, a link to Secret Server data can be embedded in place of the actual admin credentials.  This would negate the need for a document-based password protection scheme.

Posted by Nick on August 24, 2012, 5:07 pm

    We use the functionality of emailing or embedding links to secrets in documentation so much that our Knowledge Management team wrote a MediaWiki plugin to use that shortens the need to use the entire URL. For example, our entire internal documentation and information sharing portal is MediaWiki, and we will reference accounts/passwords by saying “Click Here”, which would link to the secret URL. However, rather than type/paste the URL, all a user needs to do is insert the tag “{{secret | id=20}}”, for example.

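The link format described in the post, and the `{{secret | id=20}}` wiki tag Nick mentions, are both small pieces of syntax that are easy to get subtly wrong (a non-numeric id, a stray extra query parameter). The following Python is an added example, not code from the original post, from Secret Server, or from the MediaWiki plugin Nick describes: it builds a SecretView link from its three parts, parses one back into a secret number, and expands wiki tags into links. The host 192.168.0.2 and the virtual directory SecretServer are the page's own example values; the https default and the exact tag grammar are assumptions. Note that the link carries only the secret's number, never the secret itself, which is why it can be emailed or embedded; as the post says, the server's login and view permissions are what decide who can actually see the data.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Example values: the host and virtual directory are the ones the post uses
# for its test server; https is this example's default (the post shows http).
SERVERNAME = "192.168.0.2"
VIRTUALDIRECTORY = "SecretServer"
SCHEME = "https"


def secret_view_url(secret_id, servername=SERVERNAME,
                    virtualdirectory=VIRTUALDIRECTORY, scheme=SCHEME):
    """Build the SecretView.aspx link for one secret.

    Only the integer secret number goes into the query string, so the link
    itself never contains credential material.
    """
    secret_id = int(secret_id)
    if secret_id <= 0:
        raise ValueError("secret id must be a positive integer")
    return (f"{scheme}://{servername}/{virtualdirectory}"
            f"/SecretView.aspx?secretid={secret_id}")


def parse_secret_view_url(url):
    """Return the secret number from a SecretView link, or None if the URL
    is not a well-formed SecretView link (wrong page, missing, duplicated or
    non-numeric secretid)."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/secretview.aspx"):
        return None
    ids = parse_qs(parts.query).get("secretid", [])
    if len(ids) != 1 or not ids[0].isdigit():
        return None
    return int(ids[0])


# Assumed tag grammar modelled on the "{{secret | id=20}}" example in the
# comment; whitespace around the pieces is tolerated.
_SECRET_TAG = re.compile(r"\{\{\s*secret\s*\|\s*id\s*=\s*([^}]*?)\s*\}\}",
                         re.IGNORECASE)


def expand_secret_tags(wikitext, **url_kwargs):
    """Replace every {{secret | id=N}} tag with a SecretView link.

    The id must be all digits, so a tag cannot smuggle extra query
    parameters or a different host into the generated link. Tags with a
    bad id are left as written so the page author can see the problem.
    """
    def repl(match):
        raw_id = match.group(1)
        if not raw_id.isdigit():
            return match.group(0)
        return secret_view_url(int(raw_id), **url_kwargs)
    return _SECRET_TAG.sub(repl, wikitext)


if __name__ == "__main__":
    # The post's own example link, reproduced with the http scheme it uses.
    print(secret_view_url(52, scheme="http"))
    # Constructed wiki text: one valid tag and one with a non-numeric id.
    sample = ("Log in with the admin account ({{secret | id=20}}); "
              "the service account is {{secret|id=20&x=1}}.")
    print(expand_secret_tags(sample))
```

Running it prints the post's example link for secret 52, then the sample wiki text with the first tag turned into a link and the second left untouched because its id is not purely numeric.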
