Thycotic – Using the Privileged Accounts Discovery Tool
Thycotic has released yet another free tool for IT admins in an attempt to help them discover where privileged accounts may be utilized within their infrastructure. Utilizing a free tool such as this can be important in many scenarios including:
- Discovery mechanism for IT staff unfamiliar with the company’s infrastructure (new staff, consultants, etc)
- Auditing the utilization of accounts with elevated privileges (ensuring IT compliance)
- Account lockout scenarios (where are problematic accounts used)
- Detection of unauthorized accounts tied to services or scheduled tasks (think virus, spyware, or unauthorized services)
- Identifying what unfamiliar accounts are being used for (think Active Directory cleanup)
A huge benefit of this tool is that it’s both agentless and does not require an installation on the host performing the scan. Additionally, it’s only 14MB when compressed and 37MB when extracted, making it extremely portable for IT professionals. For such a small tool, it’s fairly simple to see how powerful it can be for even the largest enterprise. Tie this tool’s results with Excel formulas or something like BeyondCompare and it could become a fairly powerful auditing tool.
To get started with the tool, download the application from Thycotic using the link above. Extract the contents of the .zip file and run the executable (yup, it’s that easy). Enter the domain you wish to scan and appropriate credentials for the servers and workstations you wish to scan. (Thycotic states that the account must have administrative privileges on the target hosts.) Select the appropriate scan, or choose both, and start the scan. Upon completion, the tool asks for a company name to append to the report’s title and saves the results in a variety of formats in the location chosen.
When viewing the results, start with the Executive Summary (the file is named ThycoticWindowsAccountAnalysis – domain – date). This great-looking report gives you a quick breakdown of items such as which Windows components are using these accounts (services, scheduled tasks, application pools, etc.), whether the account is marked for password expiration, and the age of the existing password tied to that account. Furthermore, the report displays which service accounts it discovered and how many instances of those accounts were found across the infrastructure.
Last but not least, the results are also available as a CSV, which provides all the discovered accounts, the name of the host each was found on, and where on that host it’s being utilized. It also provides the Password Last Set Date and the expiration status of each account. An example of these results is shown below (yeah…I’m using an account named bryan in my lab 🙂 )
The only change to the tool that I’d love to see is the ability to scan using IP Range. This would enable the discovery of hosts sitting in a segregated DMZ or when a user wants to discover accounts on specific hosts where scanning the entire domain might not be feasible. The great folks at Thycotic have already sent this feedback to the developers so hopefully we’ll see a version 2.0 with new features 🙂
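The CSV export lends itself to the scripted comparison suggested earlier: diff a baseline scan against a new one to surface account usage that was not there before, and flag old or non-expiring passwords. This is an added example, not from the original post or from Thycotic; the column names, date format, expiry values, 90-day threshold and sample rows are all assumptions to adjust to the real export's header row.

```python
import csv
import io
from datetime import date, datetime

# Assumed column names and value formats; match them to the real export's header row.
ACCOUNT, HOST, USAGE = "Account", "Host", "Used In"
PWD_SET, EXPIRES = "Password Last Set", "Password Expires"

def load_scan(csv_text):
    """Parse one CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def binding(row):
    """Identity of one finding: which account runs what, on which host."""
    return (row[ACCOUNT].lower(), row[HOST].lower(), row[USAGE].strip())

def new_bindings(baseline, current):
    """Findings in the current scan that the baseline scan did not contain."""
    return sorted({binding(r) for r in current} - {binding(r) for r in baseline})

def stale_accounts(rows, today, max_age_days=90):
    """Map account -> password age (days) if too old or set to never expire."""
    flagged = {}
    for r in rows:
        age = (today - datetime.strptime(r[PWD_SET].strip(), "%Y-%m-%d").date()).days
        if age > max_age_days or r[EXPIRES].strip().lower() in ("no", "false", "never"):
            flagged[r[ACCOUNT].lower()] = age
    return flagged

# Constructed sample exports (not real tool output).
BASELINE = r"""Account,Host,Used In,Password Last Set,Password Expires
LAB\bryan,SRV01,Service: SQLAgent,2015-01-10,No
LAB\svc_backup,SRV02,Scheduled Task: NightlyBackup,2015-05-01,Yes
"""
CURRENT = BASELINE + r"""LAB\bryan,WKS07,Scheduled Task: updater,2015-01-10,No
"""

if __name__ == "__main__":
    base, cur = load_scan(BASELINE), load_scan(CURRENT)
    for account, host, usage in new_bindings(base, cur):
        print(f"NEW   {account} on {host}: {usage}")
    for account, age in stale_accounts(cur, date(2015, 6, 1)).items():
        print(f"STALE {account}: password {age} days old or non-expiring")
```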
So discover away, you IT admins, consultants, and security pros. Take control of your privileged accounts and run a more secure business.