Guest Post from our partners at Satisnet Ltd, the leading IT Security Reseller dedicated to providing the highest level of customer care and technical support. Read the full article here.
The fact is that however bad a solution they are, we are all stuck using passwords, and, with few exceptions, they will be for the foreseeable future. These are the typical bad password practices I see when I’ve visited enterprises over recent times.
1. PASSWORD IN SPREADSHEETS, NOTEPAD FILES, NOTEBOOKS, PHOTOS ON PHONES ETC ETC
So, what’s the problem: it’s password protected, right?
WRONG! I challenge you to just Google (other search engines are available) “excel password recovery” and you’ll be presented with over 2 million hits offering everything from dodgy download links to paid software or services; ways to recover your data! Fine if you need it, but what if that file is taken by a disgruntled employee, or found on a lost laptop, then all your crown jewels are in there!
Also, what about availability? The share where the password file resides is down, and you need a password from that very file to restore access! D’oh!
2. SAME PASSWORD EVERYWHERE, AND I MEAN EVERYWHERE!
I once visited a medium-sized digital services firm that had the same password on all their desktops, AND SERVERS, for the past 6 years. And everyone knew it! Try not to dwell on the possible consequences of anyone with a little knowledge, legitimately allowed on your network, and the potential damage they could do by installing some “trialware”, or by accessing the admin share on your Exchange server!
3. PASSWORDS NEVER CHANGED, EVER!
You have a service account used by scripts and applications that you daren’t change in case something breaks and brings all your worlds crashing down at once. And of course this password is known by all the IT staff, who take it with them when they leave. I bet you’ve all got at least one!
4. PASSWORDS ARE CHANGED AND NOBODY KNOWS WHO CHANGED IT OR WHAT IT IS
Scenario: a new server is built, a local admin password set during install, and it’s joined to the domain. Everything’s fine, until one day it gets dropped by the domain and needs to be re-joined. No problem, log in as local admin and do your stuff, right? Wrong! The standard password isn’t working, and no one, I mean NO ONE has a clue what it is!
Another scenario is someone creating a “back door” account that no one knows about, quietly hidden away for a moment of mischief at a later date…
Well, I mentioned in the title a neat firm called Thycotic and want to bring to your attention a really neat tool they’ve created called Secret Server. I’d like to take a few moments to explain how it can help you wipe these issues from your environment, and help you tighten your policies, oh, and sleep better at night!
A. SECRET SERVER – SECURE PASSWORD VAULT
Do you like the sound of a place where passwords can reside safe and sound, protected with strong encryption, and backed by scalable high-availability options with simple recovery procedures, all available through secure access with nothing more than a browser? Sound like password Nirvana? Well it’s easily achievable with Secret Server.
Based entirely on the Microsoft stack, Secret Server boasts AES256 encryption, salted hashes (tasty!), and support for hardware encryption devices (HSM).
Supporting MS-SQL mirroring, clustering and AlwaysOn, your data is always available, and with out-of-the-box front-end HA from simple active-passive to comprehensive multi-site, geographically-disparate active/active options, accessing your all-important passwords will never be a problem again.
B. SECRET SERVER – UNLIMITED PASSWORD STORAGE
Convenient though it may be for your desktop support team to have one local admin password for all your desktops, this does pose a couple of issues. First, if one machine is compromised, they are then all at risk. Second, how on earth do you go about changing the password on all those 100, 1,000, 10,000 machines to keep compliant with your corporate password policy?
Step in Secret Server – not only can it store thousands of passwords for different machines, it can also let you launch sessions like RDP and SSH directly from the web interface. You can now afford to set much stronger password policies as you no longer need to remember passwords, or even enter them manually any more.
Another aspect we can automate is discovery. Point Secret Server at an Active Directory machine OU, give it a service account with access to the machines, and it will not only discover all the local accounts, service accounts and scheduled task accounts, it can on the fly generate new local account passwords and change them on the endpoints.
C. SECRET SERVER – AUTOMATED PASSWORD ROTATION
Secret Server has an engine that can, on demand or by schedule, automate the rotation of passwords and even SSH keys.
Take my example from point B. above where we essentially take control of local admin accounts. We can now schedule the automated changing of these passwords. How does once a quarter, monthly or even weekly sound? Wouldn’t that be music to your QSA’s ears!
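To make points B. and C. concrete, here is an added example (my own illustration, not Thycotic or Satisnet code) of what the per-machine rotation looks like when scripted by hand: it takes every enabled computer in an Active Directory OU, sets a unique cryptographically random local admin password on each, and records the change with a timestamp so the password valid at any backup date can be found later. It assumes the RSAT ActiveDirectory module, PowerShell remoting to the endpoints, the built-in LocalAccounts module (Windows 10 / Server 2016 and later), and placeholder values for the OU and history file.

```powershell
param(
    [string]$SearchBase  = 'OU=Workstations,DC=example,DC=local',        # placeholder OU
    [string]$AccountName = 'Administrator',
    [string]$HistoryFile = 'C:\SecureStore\local-admin-history.csv'      # placeholder path; restrict its ACL
)
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 24)
    # Fixed alphabet without look-alike characters (I, O, i, l, o, 0, 1)
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%^&*-_=+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Length)   # rejection threshold keeps the modulo step unbiased
    $chars = New-Object System.Collections.Generic.List[char]
    $buf   = New-Object byte[] 1
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
    }
    -join $chars
}

$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
             Select-Object -ExpandProperty Name

foreach ($computer in $computers) {
    $newPassword = New-RandomPassword          # one password per machine, never shared
    try {
        # The plaintext travels only inside the encrypted WinRM session and is
        # converted to a SecureString on the endpoint before Set-LocalUser sees it.
        Invoke-Command -ComputerName $computer -ErrorAction Stop `
            -ArgumentList $AccountName, $newPassword -ScriptBlock {
                param($name, $pw)
                Set-LocalUser -Name $name -Password (ConvertTo-SecureString $pw -AsPlainText -Force)
            }
        # History record: the password is stored DPAPI-encrypted for the running user
        # (ConvertFrom-SecureString), not in clear text, so this file is not point 1 all over again.
        $protected = ConvertTo-SecureString $newPassword -AsPlainText -Force | ConvertFrom-SecureString
        [pscustomobject]@{
            Timestamp = (Get-Date).ToString('o')
            Computer  = $computer
            Account   = $AccountName
            Secret    = $protected
        } | Export-Csv -Path $HistoryFile -Append -NoTypeInformation
        Write-Host "Rotated $AccountName on $computer"
    } catch {
        Write-Warning "Rotation failed on ${computer}: $($_.Exception.Message)"
    }
}
```

A scheduled task running this weekly gives you the rotation cadence described above; the DPAPI-protected history can only be decrypted by the same Windows account on the same host, which is exactly the limitation a proper vault such as Secret Server removes.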
D. SECRET SERVER – ACCOUNT HEART BEATS
Secret Server has 2 functions that will ensure passwords are correct so this doesn’t happen. There’s the network discovery that I mentioned in point B., which will discover accounts including those that shouldn’t be there, and there are also password heartbeats. A password heartbeat is a continuous background service that checks the validity of selected accounts to ensure the credentials on file are correct. If a password is no longer valid, Secret Server can raise an alert and send an email to raise a ticket. What’s more, Secret Server will remember the history of passwords, so should you have to restore a file, database or machine from a previous date, you will know what the appropriate password(s) were at the time of the backup.
I should add that Secret Server isn’t limited to the Microsoft stack when it comes to password management. It’s equally at home with Unix, Cisco, VMware, Oracle – see their website for a much fuller list.
Secret Server will also integrate with your existing logging and SIEM systems, ticketing and alerting systems etc. You can import passwords making it easy to migrate from existing solutions. 2FA is built in, with options including Google Authenticator, RADIUS and DUO.
Having spent many years working on spreadsheets of passwords with various forms of encryption, from password protection to TrueCrypt blobs, I understand the pain of passwords, and the steps end users and techies take to shortcut or bypass the problem. Secret Server enables you to ensure password policies are adhered to, and security policies can be beefed up now that you aren’t having to accommodate slackness dictated by what is possible without automation.
THYCOTIC – FREE TOOLS
Free? Yes, I thought that might have your attention. Thycotic are a kind bunch, and they want you to be able to improve your security stance whilst understanding there are tight budget constraints.
To this end, they’ve made available a couple of tools I’m pleased to present to you:
Password Strength Checker – How strong are the passwords you are using? This free online password checker lets you immediately determine the strength or weakness of any password in seconds.
Weak Password Finder for Active Directory – Get your FREE Weak Password Finder Tool from Thycotic to quickly and easily identify the riskiest passwords among your Active Directory users, without revealing the passwords to you.
Secret Server Free – eh, what, free? No way?! Yep, you heard right! Get the fastest to deploy, easiest to use privileged access password security solution in this free edition that supports up to 25 users and protects up to 250 privileged account passwords – for life! That’s enough to cover a small to medium IT Department, with all the security of the full versions – awesome!
Want to see Thycotic for yourself? Contact Satisnet Ltd to book your demonstration of Secret Server to see how it can help your organisation with password protection!