Thycotic Secret Server – Installation Overview
As many of you know, I’ve long been a fan of Thycotic’s Secret Server product and have written a few posts (here and here) about it. Even more exciting is the fact that I’ve had the opportunity to publicly speak alongside Thycotic’s Director of Security at the Rapid7 security conference this year. Needless to say, the kind folks at Thycotic are second to none when it comes to both products and customer service.
As a former systems engineer with almost 15 years of experience, my opinion is that if you're managing any type of infrastructure, privileged account management is critical for a multitude of reasons. First and foremost, a consolidated password database allows your team to share account information so that critical applications are properly configured and maintained, and issues can be resolved quickly. Relying on individual vaults can work, but it introduces problems when team members are not available.
Second, take a minute and think about those service accounts utilized throughout your environment…specifically those accounts that have non-expiring passwords. Now think of those service accounts that are used for large tasks that touch the entire environment…think antivirus, vulnerability scanning, AD backup and scripting accounts, SCCM deployment accounts, etc. What do those accounts typically have in common? If you guessed elevated privileges, you're on the right track. Now be honest with yourself: when is the last time any of those passwords changed? Last month? Last year? Never? Secret Server can not only safely store those passwords but also rotate them on a schedule so you're meeting security compliance requirements.
Let's take a look at how easy it is to get started with Secret Server:
There are a few prerequisites that need to be met before installing Secret Server. The fastest way to install these required features is to use PowerShell. Here are a few commands you can use to quickly knock out the prerequisites and get to the good stuff. *Note that the last command should only be utilized if you want to run the Advanced install. If you remove the Default Web Site, the Simple install will fail.
# Install IIS, required frameworks, and management tools
Add-WindowsFeature Web-Server, Web-Mgmt-Tools, Web-Asp-Net45, NET-Framework-45-ASPNET

# Display that all prerequisites are installed
Get-WindowsFeature Web-Server, Web-Mgmt-Tools, Web-Asp-Net45, NET-Framework-45-ASPNET

# Remove the default web site in IIS
# Prevents the warning about existing port 80 utilization in the SS Advanced install
Remove-Website "Default Web Site"
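The same prerequisite steps wrapped into one script, as an added example that is not from the original post or from Thycotic: it verifies that each feature actually reached the Installed state and only removes "Default Web Site" when an assumed -AdvancedInstall switch is given, since the Simple install depends on that site. It assumes Windows Server 2012 or later with the ServerManager and WebAdministration modules, run from an elevated PowerShell session.

```powershell
<#
  Added example (not from the original post or from Thycotic).
  Assumes Windows Server 2012+ with ServerManager and WebAdministration,
  run from an elevated PowerShell session.
#>
[CmdletBinding()]
param(
    # Hypothetical switch: pass it only when you intend to run the Advanced install.
    [switch]$AdvancedInstall
)

Import-Module ServerManager

# Feature names from the post.
$features = @('Web-Server', 'Web-Mgmt-Tools', 'Web-Asp-Net45', 'NET-Framework-45-ASPNET')

# Install whatever is missing; features already present are left as they are.
$result = Add-WindowsFeature -Name $features
if (-not $result.Success) {
    throw "Feature installation failed (exit code: $($result.ExitCode))."
}
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'A restart is required before continuing with setup.exe.'
}

# Verify: every feature must report Installed, not merely "requested".
$missing = Get-WindowsFeature -Name $features | Where-Object { $_.InstallState -ne 'Installed' }
if ($missing) {
    throw "Still not installed: $($missing.Name -join ', ')"
}
Write-Host 'All Secret Server prerequisites are installed.'

# The Default Web Site only gets in the way of the Advanced install (port 80 warning).
# Leave it alone for the Simple install, which deploys under it as /SecretServer.
if ($AdvancedInstall) {
    Import-Module WebAdministration
    if (Get-Website -Name 'Default Web Site' -ErrorAction SilentlyContinue) {
        Remove-Website -Name 'Default Web Site'
        Write-Host 'Removed "Default Web Site" for the Advanced install.'
    }
} else {
    Write-Host 'Keeping "Default Web Site" (required for the Simple install).'
}
```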
Let’s Install SecretServer
Launch the Secret Server setup.exe. This initial setup configures how you'd like to set up the application within IIS. Walk through the wizard (it's basically Next, Next, Finish) and complete the install. Personally, I always do the Advanced install simply because I don't like to use a virtual directory when accessing Secret Server. Plus, in my opinion, it's easier to convey a simple URL to your team without explaining the required "/SecretServer".
Configure the Application
Once the initial deployment to IIS is complete, it will launch the Installer wizard within IE. This allows you to customize your installation, such as configuring your database and service accounts and downloading updates. There are only 6 quick steps to complete here, including agreeing to the Terms and Licensing. Each of the configuration steps has troubleshooting links if you run into an issue. You can check out the official Windows 2012 install guide here.
As you can see, getting started with SecretServer is ridiculously easy, especially with the PowerShell commands provided above. (On a personal note, I would love to see the Thycotic team add the ability to invoke the install of the required Windows features right from the installer).
I’m currently working on additional posts to show off some of the capabilities that SecretServer provides and how you can use them in your environment to better secure your privileged accounts.