- Export and import to and from Excel with the PowerShell module ImportExcel - Thu, Apr 21 2022
- Getting started with the PSReadLine module for PowerShell - Thu, Feb 24 2022
- SecretsManagement module for PowerShell: Save passwords in PowerShell - Tue, Dec 22 2020
So how does it work? Securden discovers endpoints, servers, and users in the network all from an easy-to-understand web dashboard. You can import accounts from Active Directory, local server accounts, and others like SQL. You can push agents to endpoints all through the console with relative ease. The agent then steps in and handles the elevation of privileges going forward. All users can then run as standard users, and they can request time-limited privileges to run applications, commands, and other activities whenever required.
Administrators can review privilege requests and grant approval on a case-by-case basis in advance or set auto approvals for certain privileges. Securden adds a "Run with Securden Privilege" option in the menu for users to gain admin rights. There's also an option for apps and commands that do not interact with the Windows GUI.
Administrators have full control over the elevation process and can revoke permissions anytime as needed. At the end of the approved time, Securden will automatically terminate all the applications opened with admin privileges. It can notify users when elevated session permissions will expire shortly before the end of an approved time limit. Additionally, Securden can report on the activities a user executes during an elevated session.
In addition to all of this, Securden can act as a password vault and enforce password policies with advanced features such as randomizing passwords at periodic intervals and automatically taking care of propagating the changes across dependencies as well.
So let's dive in and take look at some of the features in depth.
Installation
Installation is a breeze because Securden comes with everything bundled and does not require installation of any specific software separately. Securden is self-contained in one installer file. The requirements to run the tool are not excessive, but these are minimums, and you'll want to throw more resources at this tool so it runs efficiently.
- Hardware: 4 GB RAM, 2 GB hard disk space
- Operating systems: Windows Server (2008 R2, 2012, 2012 R2, 2016), Windows 8, or Windows 10
- Database: PostgreSQL bundled with the product; supports MS SQL Server 2008 and above
- Web interface: IE 10 and above, Chrome, Firefox, and Safari
I downloaded the tool, read the included quick start guide (which is very clear and easy to follow), and then installed the tool with the defaults. Five minutes later, I was up and running with a local web server installed and configured.
Default website after install
After logging into the console, it immediately presented me with a "getting started page" that was super easy to understand and navigate.
Getting started web page
The first thing Securden recommends is to discover users, groups, and endpoints. So that's what I did. In my lab, I'm running three servers, one acting as a domain controller (DC) and two members servers all running Server 2012 R2 and patched up to this month. We can target the discovery process toward a group, an organizational unit (OU), specific nodes, user accounts, or group accounts. The screen capture below is my search for any folders named "users." It's probably not immediately obvious, but Securden can import many different kinds of accounts, such as local accounts, SQL accounts, domain accounts, and Azure accounts.
Searching for specific groups
After performing a few look-ups and importing the data, my discovery summary showed the following results:
Imported objects
After importing data, you need to organize it. Securden does this by creating folders. You then can apply settings and policies to those folders. I found this effortless in my small test domain. The folders are useful for setting password change frequency on a large scale for different account groups, reporting, and for sharing config access among Securden users.
Password policy per folder
I mentioned earlier that Securden can manage many different account types. One interesting feature is that you can create password policies and apply them to different account types. For example, you can require that all Azure accounts have 25-character passwords and different forms of complexity. You can then assign a different policy for Windows domain users and another for SQL Server accounts. The part I found really interesting is that the "types" of accounts are totally configurable, which means you can create your own "types" and assign policies to each type as you wish.
Configure password policies
Account types
Assign password policies to different account types
Once we've organized our accounts and assigned password policies to the various account types, Securden can start rotating passwords automatically behind the scenes. It can record the new passwords in its database for safekeeping based on the frequency we prescribed per folder.
Managing service accounts
Securden can also manage the accounts and associated passwords for things like services, scheduled tasks, and IIS app pools controlled by an "account," meaning a username and password. One interesting aspect of Securden's account management is that it can handle dependencies. So for example, whenever the password of a domain account changes, Securden takes care of propagating the change across all dependencies that also use that account. This way, you can always have complete visibility and control over service accounts and dependencies.
Privilege management
I have spent a lot of time on setup and password management, but probably the most powerful piece of the Securden software suite is the ability to remove local admin privileges in bulk from many accounts. We can use the software console to remove admin privileges for everyone, or you can choose which accounts to remove admin access for individually.
If you have a large number of accounts you wish to remove access for, you can also use group policy to do the work for you. However, you can't use GPOs to remove access for local accounts and application accounts like in SQL.
For Securden to remove access to local accounts and elevate privileges for applications, you need to deploy agents. Just like earlier, the console makes it dead simple to browse for nodes and push agents to those nodes. I pushed agents to two servers, and the installs were lightning quick. Deploying agents is literally a button click and you're done!
Deploying agents to nodes
The software also has robust reporting features. For example, maybe you want to see a report of all nodes that have an account with local admin access. The term "Reports" is a bit of a misnomer because the reports are really dashboards that are dynamic and interactive as opposed to static page reports. These reports are rich with detail and graphics, and all of them allow you to drill down deeper into each report.
Rich interactive dashboards
Main dashboard
Once you've removed existing admin access from PCs or servers and installed the agent, the process to gain administrative access is very simple. Users without admin access will have a new prompt in their right-click menu called "Run with Securden privilege." They can select that menu option, and the software will send an email to the Securden admins requesting elevated access.
Elevating privileges for non admins
The admin then approves the request, which then generates an email back to the user who requested access. It includes an access code the user can now enter to get elevated access for a period of time. Users can also go to a self-service portal to preselect admin access for a particular application.
Securden allows you to deploy a secondary server with a few clicks to which users can connect to get uninterrupted access, in the event of the primary server going down.
Summary
I have taken you through a very brief tour of the Securden privilege management tool. If I had to describe this software to a friend, I would say this software can control local admin privileges on all the nodes in your network and you can configure the software in just a few hours!
The software itself has a super-clean interface and is easy to understand. The included documentation was a little thin at times but was surely adequate to get me started. Moreover, the software is pretty slick, and it is fairly intuitive to figure out how to configure most of the features without consulting the manual every two minutes.
Overall, this product is well done and fairly simple to use considering the complexity possibilities involved with removing local admin rights across a domain full of computers. I literally set up this software in my test domain in just a few hours. Installing this product in a larger environment should not take much more time and effort than what I spent setting this software up for demonstration. If you are struggling with local admin accounts on PCs and servers, this product is definitely worth a look.
Subscribe to 4sysops newsletter!
Securden offers a 30-day free trial.
Thank you Mike for this article. It is an interesting product with nice features ( i.e. ability to remove local admin privileges in bulk from many accounts and detailed reporting).
The challenge of reviewing a product like this and keeping the review concise enough for readers to enjoy reading while figuring out what to write about and what not to cover.
The short version is that I was impressed with the product enough that I would want to take look at the software. The product is pretty deep in functionality and I really just scratched the surface on what it can do and how well it works.
My recommendation to anyone who reads this article and is curious about this product is to call the vendor and ask for a product demo. I say this because that’s a really good way to get a high-level overview of the product strengths in a short amount of time.
If the product still interests you, download the product and do a proof of concept in your test lab. This tool has so much capability that it’s hard to really appreciate how it works through a medium length blog post. With that being said, I really tried hard to give readers an idea of what to expect when setting up and testing this tool.
How does this fair in comparison to “Thycotic Secret Server”?
This products looks great, but I am concern of one think , as it is installed on a windows server , how it can secure itself , in PAM solution the first question is that how secure the product is and then how it can secure the rest of environment.
IMHO having been aboard the Securden wagon since about 02/2021. I would liken this to a real power-tool in the IT workshop. This has surprised me in many ways and the first one was that it “passed” rigorous requirements of our Enterprise Security team. One of the automation tasks it does for us is password rotation, this is saving us literally hundreds of labor hours per year. We use the RDP feature and provide our Securden portal as a “Launch pad” to let our internal customers RDP direct from the portal to a “Clean-room” or “Jump-server” where some production servers are. We do not pass around passwords any longer – Securden does this for us. Impressively locked down.
I wish them all the best!