Protect your crown jewels – hardening access to Thycotic Secret Server
So, you have invested time and resources into Thycotic’s flagship product, Secret Server, in the understanding that all your privileged account information is secretly buried away, highly encrypted in a highly available MS-SQL cluster, redundant across all 5 continents.
Friday night comes, and someone forgot to share a critical credential and breaks every rule in the book by SHARING HIS DOMAIN PASSWORD with an out-of-hours support techie so he can fix a router.
So, he may have saved the day like a hero, but in doing so he’s broken a fundamental rule of IT security – don’t tell your password to anyone! Who knows what the grateful techie might have done, or who else he may have divulged it to? Or, worst case, was this a late-night disaster being averted, or a clever hacker getting away with corporate murder?
So how can Thycotic help you avert this sort of scenario?
A couple of quick thoughts spring to my Friday-afternoon mind:
- Implement IP restrictions on Secret Server logins.
Yes, simple as it may seem, you can apply IP filtering to all or just certain accounts, so the most privileged Secret Server users can only log in from a specific IP address or range.
We implement this in our environment so the local accounts that aren’t domain credentials can only be accessed from a very small number of hard-to-reach jump boxes.
- Implement 2FA.
Secret Server has built-in support for many types of two-factor authentication. You can even have different types for different staff.
Again, our most privileged users access Secret Server with their domain admin accounts, and SafeNet 2FA.
Other users have Google Authenticator to secure their access, and low-privilege users just have their domain creds with no 2FA.
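To make the IP-restriction idea concrete, here is an added example (not Secret Server’s own code or API) of the policy check such a feature performs: a per-account allowlist of CIDR ranges, evaluated deny-by-default for the accounts it covers and ignored for everyone else. The account names, ranges and login events are constructed for illustration.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample policy (hypothetical account names and jump-box addresses).
# Accounts not listed here are unrestricted, mirroring "all or just certain accounts".
ALLOWLIST: Dict[str, List[str]] = {
    "ss-local-admin": ["10.20.30.5/32", "10.20.30.6/32"],  # two hard-to-reach jump boxes
    "ss-break-glass": ["10.20.30.0/29"],                    # a small jump-box range
}


def compile_policy(policy: Dict[str, List[str]]):
    """Parse the CIDR strings once so each login check is a cheap membership test."""
    return {
        account: [ipaddress.ip_network(cidr, strict=False) for cidr in cidrs]
        for account, cidrs in policy.items()
    }


def login_allowed(account: str, source_ip: str, policy=ALLOWLIST) -> bool:
    """Return True if the account may log in from source_ip under the policy."""
    networks = compile_policy(policy).get(account)
    if networks is None:
        return True  # account is not IP-restricted
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # malformed source address: fail closed
    # An IPv6 source never matches an IPv4 range (and vice versa), so it is denied.
    return any(ip in net for net in networks)


def evaluate_logins(events: List[Tuple[str, str]], policy=ALLOWLIST) -> List[Tuple[str, str]]:
    """Return the (account, source_ip) pairs that the policy would have blocked."""
    return [(acct, ip) for acct, ip in events if not login_allowed(acct, ip, policy)]


if __name__ == "__main__":
    # Constructed login events: privileged local account from a jump box,
    # the same account from a desktop subnet, and an unrestricted domain user.
    sample_events = [
        ("ss-local-admin", "10.20.30.5"),
        ("ss-local-admin", "192.168.50.17"),
        ("jdoe", "192.168.50.17"),
    ]
    for acct, ip in evaluate_logins(sample_events):
        print(f"DENY {acct} from {ip}")
```

The restricted accounts are exactly the ones that are not domain credentials, as in the post; a domain user with 2FA is left to the other control rather than being pinned to an IP range.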
Check out the full list of supported two-factor authentication methods over at Thycotic.