Secret Server from Thycotic is a powerful, web-based password management software that allows you to securely store all critical passwords in a central database.
When I started with system administration (must have been a century ago), one of the biggest sins was writing down passwords. Those times are long gone. The number of passwords each of us uses has skyrocketed, and a password is only secure if it can't be easily memorized. Thus, nowadays, it is commonplace that passwords are stored in a secure place.
It is a Sisyphean challenge for every IT department of a certain size to keep track of which admins have access to certain management passwords and to change passwords regularly without locking out admins. Have you ever come back from a vacation and realized that you can no longer log on to your servers?
With Secret Server, you ensure that passwords are changed regularly and that every admin always has access to the latest passwords. You can configure either intervals or specific dates when a certain password expires. Admins can be informed automatically by email once a password has been changed. Then they only have to log on to Secret Server to get access to the latest passwords.
Thycotic prefers the term "secrets" instead of passwords because you can store all kinds of additional information with Secret Server. The free password management software offers quite a few templates that allow you to create new secrets easily for a specific application type. Each template has different database fields that are useful for the corresponding secret.
For instance, there are templates for Active Directory accounts, Remote Desktop accounts, web passwords, and social security numbers. You can also create your own templates, which enables you to store every kind of confidential information with Secret Server.
Secret Server is equipped to manage a huge number of passwords. You can organize passwords in folders, and you can restrict your search to the password type (template) and to the status of a password (active, deleted).
The powerful reporting features are not only useful for large organizations. In particular, the user auditing reports help you to improve security because you can see when and from where secrets have been accessed. You can also access the audit trail for a particular secret. For example, you can view when a certain password was changed or viewed.
Thycotic offers an online version of Secret Server, but I suppose most organizations will prefer to install the password management software in their own datacenter. Secret Server runs on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 and requires Microsoft SQL Server 2005 or 2008. Secrets are encrypted with AES 256, and the communication between browser and server is secured with SSL.
The main limitation of the free edition of Secret Server is that it only supports one user account. That means that all admins in your organization will have access to all passwords. The commercial edition allows you to configure different privileges for individual admins and groups. Other important features of the Professional edition are Active Directory integration and automatic password changing (Windows accounts, UNIX accounts, database passwords, Cisco devices).
I only scratched the surface of this powerful password management software. I didn't cover the mobile apps (iPhone, Blackberry), automatic logins, custom encryption keys (DoubleLock) and other cool features. When I played with the online password manager version, I missed quite a few of Secret Server's important functions. Only when someone from Thycotic presented the tool to me in an online demo did I get an idea of the extent of Secret Server's capabilities.
Storing my passwords in the cloud, on a company’s server I never heard before? No, thanks…
I prefer to use KeePass on my computer with a firewall outbound block rule to ensure this software won’t have access to the Internet.
Keepass is nice, but you can’t compare the desktop tool to Secret Server. Keepass is only for one user. Secret Server is a central password management solution. And as mentioned in the article, you can install Secret Server on your own machine behind your corporate firewall.
OK, Michael, I agree with you on Secret Server advantages when compared with KeePass.
But I still wouldn’t rely on ANY company to store my passwords out of my “view”… No way!
Well, it seems you trust the Keepass guys. What is the difference?
I don’t trust ANYBODY, Michael!
But with KeePass at least:
1) my passwords are stored with me
2) I can control whether data will be sent to the Internet
3) there are a lot of users around who trust this software too
I’m NOT their representative, and I won’t earn a nickel with my “defense”, but the major issue related to cloud computing is to store sensitive data outside your company… imagine then passwords!
I see your point, so I know you can see mine. Thanks for your great work!
Mateus, just to be clear, with Secret Server you don’t store sensitive data outside your company. You install the software on your own computer. So your points 1-2 also apply to Secret Server. And Thycotic is a certified Microsoft partner. So no reason for worries.
Michael, interesting article. Maybe you could dig into LastPass Enterprise and PassPack offerings as well? On the surface they might look like a big no-no, but their solutions seem pretty safe with all the encryption/decryption occurring on the host and only the encrypted data being stored on their servers.
Andreas, thanks for the tips. Those two tools look interesting too. LastPass doesn’t seem to have a free version though. And PassPack’s free version is limited to 100 passwords. As for the no-no, I suppose all these tools rely heavily on encryption. I had the same reservations at first, but on second thought, it is more secure to have a solution in place that ensures that shared admin passwords are changed regularly.
You could use the LastPass Enterprise 14-day trial available here: http://lastpass.com/enterprise_trial.php.
PassPack’s free version has the same features as the bigger plans but has strong limitations on the number of passwords, users, groups and travel logins. If the free version doesn’t allow you to review all the features, perhaps you could use their 30-day Money Back Guarantee to try out the Pro or Group account. PassPack’s upcoming on-premise Black Box solution also looks interesting.
Thanks! It is on my to-do list.
As I’m only one of a few admins, I usually just store my passwords with 1Password on my iPhone, which also happens to sync nicely with Mac and soon Windows. But, I’ll agree, that with so many passwords nowadays, it’s hard to keep track of them all!
SLam, the main question is how you communicate to other admins in your organization when you set a new password for an account that is also used by others. This is not possible with solutions where every admin maintains an individual password list.
This isn’t free. It is a 30-day trial.
You may want to consider changing the article title to reflect this.
Loren, the free version has the restrictions as described in the article. This was confirmed by a Thycotic official. The Secret Server user guide (p.82) also confirms it: “Secret Server ships with a free single User and support license.”
Michael, my comment was based solely upon the lack of a “free” designation on the Secret Server website.
I did, however, see confirmation of free on the download page in the installation paragraph.
Thank you for the good work. Yours is one of the key Windows websites I monitor for timely news and relevant downloads.
Thanks, Loren. The info about the free version is indeed a bit hidden.
Stumbled onto your site this morning. Great stuff man! Wanted to comment about this as I’ve been thinking about it a LOT lately. I am a heavy Keepass user. Mac, Windows, Droid, iPhone, Blackberry, and Winmo. Every major platform. Many of which are synced using Dropbox. I use a lot of the automation stuff that is in Keepass.
What I recall is that Keepass 2.0 is capable of working in a multi-user environment, but the 2.0 database isn’t compatible with all platforms.
You may have heard of it, but I also stumbled onto Remote Desktop Manager (RDM) – http://remotedesktopmanager.com – this morning, and it has a lot of the automation stuff that Keepass has (it is basically its first-line duty), but it also can store (twice encrypted) passwords and configuration information in SQL, and can run in a read-only offline mode (as well as from EC2 if that’s your preference) when you aren’t connected. If you have heard of RDM, what are your thoughts about it? If you haven’t, I’d recommend giving it a look!
I highly recommend using TiddlyWiki for password storage on a safe network share.
It is basically one HTML file which writes changes to itself. You need no third-party program to run it apart from the normal browser; if everything fails, you can still view the contents from any text editor. Easy to put on a USB stick and store in a bank vault. Good for searching. Since it is a wiki, it has multi-user support (only one for writing at a time though) and a timeline of recent changes. It also offers backups, by saving a copy of the whole file each time you write to it.
Looks like an interesting option if you ensure that the HTML file is encrypted. However, Secret Server has quite a few specific password management features like password templates, auditing and reporting.
It seems that Secret Server is really very helpful to admins or users. The main advantage, I think, is its capability of storing other data in addition to passwords. I don’t think that the single-user feature will be a problem for large organizations, as the account can be handled by the system manager through whom all other users will get the required data. In this way the management will track individual activity also.
Quite an impressive article on details about Secret Server from Thycotic. Most of the features are like those of other password management tools available on the web. But it also has unique advantages like storing other details in addition to passwords, which is rare. So now another great tool for system administrators.