+1-202-802-9399 U.S. Headquarters

Thycotic’s CyberSecurity Publication

POPULAR CATEGORIES

Top 4 Password Blunders And How Thycotic Can Help

January 24th, 2017


Thycotic Guest Blog

Satisnet Ltd Guest Post

However bad a solution they are, we are all stuck using passwords and will be for the foreseeable future. Here are the typical bad password practices I see when I visit enterprises.

1. PASSWORD IN SPREADSHEETS, NOTEPAD FILES, NOTEBOOKS, PHOTOS ON PHONES ETC ETC

So, what’s the problem: it’s password protected, right?

WRONG! I challenge you to just Google (other search engines are available) “excel password recovery” and you’ll be presented with over 2 million hits offering everything from dodgy download links to paid software or services; ways to recover your data! Fine if you need it, but what if that file is taken by a disgruntled employee, or found on a lost laptop, then all your crown jewels are in there!

Also, what about availability? The share where the password file resides is down, and you need a password from that very file to restore access! D’oh!

2.SAME PASSWORD EVERYWHERE, AND I MEAN EVERYWHERE!

I once visited a medium sized digital services firm that had the same password on all their desktops, AND SERVERS, for the past 6 years. And everyone knew it! Try not to dwell on the possible consequences of anyone with a little knowledge, legitimately allowed on your network, and the potential damage they could do by installing some “trialware”, or by accessing the admin share on your Exchange server!

3. PASSWORDS NEVER CHANGED, EVER!

You have a service account used by scripts and applications that you daren’t change in case something breaks and brings all your worlds crashing down at once. And of course this password is known by all the IT staff, taking it with them once they left. I bet you’ve all got at least one!

4. PASSWORDS ARE CHANGED AND NOBODY KNOWS WHO CHANGED IT OR WHAT IT IS

Scenario: a new server is built, a local admin password set during install, and it’s joined to the domain. Everything’s fine, until one day it gets dropped by the domain and needs to be re-joined. No problem, log in as local admin and do your stuff, right? Wrong! The standard password isn’t working, and no one, I mean NO ONE has a clue what it is!

Another scenario is someone creates a “back door” account that now one know about, quietly hidden away for a moment of mischief at a later date.

Well I mentioned in the title a neat firm called Thycotic and want to bring to your attention a tool they’ve created called Secret Server. I’d like to take a few moments to explain how it can help you wipe these issues from your environment, and help you tighten your policies, oh, and sleep better at night!

A. SECRET SERVER – SECURE PASSWORD VAULT

Do you like the sound of a place where passwords can reside safe and sound, protected with strong encryption, and backed by scalable high-availability options with simple recovery procedures, all available through secure access with nothing more than a browser? Sound like password Nirvana? Well it’s easily achievable with Secret Server enterprise password management software.

Strong encryption

Based entirely on the Microsoft stack, Secret Server boasts AES 256 Encryption, salted hashes (tasty!), and support for hardware encryption devices (HSM)

High Availability

Supporting MS-SQL mirroring, clustering and AlwaysOn, your data is always available, and with out of the box front-end HA from simple active-passive to comprehensive multi-site geographically-disparate active/activeactive/active options, access your all-important passwords will never be a problem again.

B. SECRET SERVER – UNLIMITED PASSWORD STORAGE

Convenient though it may be for your desktop support team to have one local admin password for all your desktops, this does pose a couple of issues. First, if one machine is compromised, they are then all at risk. Second, how on earth do you go about changing the password on all those 100, 1000, or 10’000 machines to keep compliant with your corporate password policy?

Step in, Secret Server – not only can it store thousands of passwords for different machines, it can also let you launch sessions like RDP and SSH direct from the web interface. You can now afford to set much stronger password policies as you no longer need to remember passwords, or even enter them manually any more.

Another aspect we can automate is discovery. Point Secret Server at an Active Directory machine OU, give it a service account with access to the machines, and it will not only discover all the local accounts, service accounts and scheduled task accounts, it can on the fly generate new local account passwords and change them on the endpoints.

C. SECRET SERVER – AUTOMATED PASSWORD ROTATION

Secret Server has an engine that can, on demand or by schedule, automate the rotation of passwords and even SSH keys.

Take my example from point B. above where we essentially take control of local admin accounts. We can now schedule the automated changing of these passwords. How does once a quarter, monthly or even weekly sound? Wouldn’t that be music to your QSAs ears!

D. SECRET SERVER – ACCOUNT HEART BEATS

Secret Server has 2 functions that will ensure passwords are correct so this doesn’t happen. There’s the network discovery that I mentioned in point C., that will discover accounts including those that shouldn’t be there, and also password heart beats. Heartbeat is a continuous background service that checks the validity of selected accounts to ensure the credentials on file are correct. If a password is no longer valid, Secret Server can raise an alert and send an email to raise a ticket. What’s more, Secret Server will remember the history of passwords, so should you have to restore a file, database or machine from a previous date, you will know what the appropriate password(s) where at the time of the backup.

I should add that Secret Server isn’t limited to the Microsoft stack when it comes to password management. It’s equally at home with Unix, Cisco, VMware, Oracle – see there website for a much fuller list.

Secret Server will also integrate with your existing logging and SIEM systems, ticketing and alerting systems etc. You can import passwords making it easy to migrate from existing solutions. 2FA is built in, with options including Google Authenticator, RADIUS and DUO.

Having spent many years working on spreadsheets of passwords with various forms of encryption, from password protection to Truecrypt blob, I understand the pain of passwords, and the steps end users and techies take to shortcut or bypass the problem. Secret Server enables you to ensure password policies are adhered too, and security policies can be beefed up now you aren’t having to accommodate slackness dictated by what is possible without automation.

THYCOTIC – FREE TOOLS

Free? Yes, I thought that might get your attention. Thycotic is a kind bunch, and wants you to be able to improve your security stance whilst understanding there are tight budget constraints.

To this end, they’ve made available some IT tools I’m pleased to present to you:

Password Strength Checker – How strong are the passwords you are using? This free online password strength checker lets you immediately determine the strength or weakness of any password in seconds.

Weak Password Finder for Active Directory – Get your free Weak Password Finder Tool to quickly and easily identify the riskiest passwords among your Active Directory users, without revealing the passwords to you.

Secret Server Free – eh, what, free? No way. Yep, you heard right! Get the fastest-to-deploy, easiest-to-use password management tool for IT admins that supports up to 25 users and protects up to 250 privileged account passwords – for life! That’s enough to cover a small-to-medium IT Department, with all the security of the full versions!

This is a Guest Post from our partners at Satisnet Ltd, the leading IT Security Reseller dedicated to providing the highest level of customer care and technical support. Read the full article here.


The following two tabs change content below.
We deploy smart, reliable, IT security solutions that empower companies to control and monitor privileged account credentials and identities.

Leave a Reply

*