Secret Server is a feature-rich product that can be introduced to your prospects in many different ways. Below is a generic outline of several of the most important features that should be covered during a demo. Note that you will need to have a demo environment set up in order to showcase these features. This outline is subject to changes in the app. Here at Thycotic, we usually start with the Architecture diagram, followed by a presentation of the application. For an example of a full recorded demo, please click here. Knowing Secret Server and being able to demo the product to your prospects is key to closing the sale.

Presentation of the Architecture Diagram

- ASP.NET application
- Web application (IIS)
- Windows Server 2008+ (and virtual machine)
- AES 256 encryption
- Microsoft SQL database (SQL Server 2005+, all editions including Express)
- High availability
  o SQL Mirroring (database side)
  o Front-end web clustering (application side)
- Role-Based Access Control
- Any major web browser, http or https
- Mobile apps, Desktop client (offline caching)
- Common web services API
  o Create, search, update Secrets
  o Major programming languages, i.e. .NET or Java
  o Major scripting languages, i.e. PowerShell or Perl
- Secrets instead of passwords
  o PIN codes, combinations, contact information, file attachments/certificates
- Secret Templates
  o Ship with ~20, covering the major account types (Windows, Unix, AD accounts)
  o Customizable

Once you have information organized and stored in Secret Server, there are features available to make your life much easier and more secure in using that information. Some of these features:

- Session Launcher
  o RDP, PuTTY, Custom (credentials on Secret)
  o Custom launcher: unique to any arbitrary executable (will see this shortly)
- Session Recording
  o Creates video of session, stores it in the audit log
- Authentication
  o Local Secret Server accounts
  o Active Directory accounts
  o Two-factor authentication (RADIUS, email)
- Remote Password Changing
  o Many platforms supported (read some)
  o Devices that accept password changes via console commands over SSH, Telnet
  o Service Accounts: Windows Services, Scheduled Tasks, App Pools, COM+ Apps, flat files
    - Discover Windows Services and local accounts on the network, import
- Agent
  o Password changing and monitoring are usually on the same network (web server to device)
  o Outside networks: install on that network; uses 1 configurable port
- All actions are audited
  o Built-in reports, custom reports, subscribe to emailed alerts
  o Actions: edit, view, configuration changes
  o Can be exported to SIEM tools in Syslog format
Presentation of the Application

(Log in using your credentials)

- Dashboard
  o Windows Explorer-style view (folders, Secrets, columns)
  o Search
  o Bulk operations (demonstrate the remote password changing option)
  o Widgets (drag/drop/add new)
  o Tabs (drag/add new)
  o Per-user configurable
- Secret View
  o Set up a Secret and configure it to log in remotely using a launcher
  o Show fields on the Secret (e.g. Secret Name, username/password, notes, file attachments)
  o Icon indicating the Launcher associated with this Secret
- Closer look: View
  o Password: copy to clipboard, unmask
  o Expiration: will take a closer look at that shortly
  o Heartbeat: connects to the device using the credentials on the Secret; run manually, otherwise runs on its own timer
  o Sharing: permissions, inheritance, tabs
- Secret Template
  o Note the template type on the example Secret, go to the corresponding template
- Expiration
  o Explain RPC and autochange, use cases (AD)
- Audits
  o Secret Audit
  o User Audit Report (you may have a case in which a user leaves and you need an audit trail, etc.)
  o Difficult without a tool like Secret Server; comprehensive audit trail
Launchers

- Comparison of two PuTTY launchers set up with different permissions
  o The first one has the Session Recording icon, with no possibility to copy to clipboard or unmask the password
  o The second one has password unmasking/copy to clipboard
  o Give a use case for each type (e.g. contractors should only have a limited view of the password)
- Security tab: review settings
- Launch a recorded session and type whoami to show how you are logged into a separate session using the credential on the Secret
- Audit: show the video
- Custom launcher can be shown by launching a MS SQL Server Management Studio session, for example
- Custom launcher: elevated command prompt run as the user on the Secret

Remote Password Changing

- Dashboard: acknowledge the previous bulk operation password change example. Can change for individual Secrets as well.
- Go into a specific Secret to showcase the remote password changing capabilities and click on View
  o RPC tab
    - Acknowledge Auto-change
    - Demo change: enter a password or Generate
    - Show the successfully changed password
  o AutoChange settings
    - Next password
    - Sometimes the credentials on a Secret do not have rights to change the password on their own account; a privileged account is needed
- Agent: explain
- Local RPC: directly from the web server to the device on which the password must be changed
- Choose a Service Account to showcase Service Accounts management
  o Dependencies: how RPC handles service accounts
  o Changed in order; the order can be easily changed
  o Create new dependencies
  o A privileged account may be necessary as well
Advanced Security Settings (choose a Secret that has those configurations in place)

- Hide Launcher Password
- Require Comment
- Requires Approval for Access: optional workflow
  o May specify approvers (users or groups)
  o May include editors, owners, approvers
  o Administration > Manage Secret Access Requests
    - Approve requests
    - Specify the period of time allowed for access
- DoubleLock
  o More for security, not convenience (no RPC or Heartbeat)
  o Set up a password, used to generate encryption keys called a DoubleLock
  o Password required to access
- Check Out
  o Exclusive access mode
  o Change Password on Check In provides a secure audit trail

Unlimited Administration Mode (Break the Glass)

- Explain Admin and User roles
  o Brief look at creating a role
- A typical administrator only has access to Secrets shared with them
- An Unlimited Administrator receives Owner permissions for all Secrets while in UA mode
- Common use case: the only user who has access to the Secrets for a few servers is gone when an emergency occurs, and someone needs access to reboot the servers
- Checks & balances
  o 2 permissions
  o Banner notification
  o Alerts (event subscription)

Event Subscription

- Come up with a few examples (Secret is edited from a specific folder, Heartbeat fails, etc.)
- Email recipients: users, groups
- Mention Heartbeat: the value of knowing when passwords are changed outside of SS
Discovery

- Local & Service accounts (for Windows services)
- Will scan domain-joined machines for accounts
  o Finds OUs, finds machines, scans using WMI for accounts
  o Import
  o Password Rules (Enterprise Plus)
    - Apply to local accounts only
    - Email notifications OR just import as a new Secret (or both)

Reports/Scheduled Reports

- Large number of reports already created
- Look at one (Secret Template Distribution is pretty)
  o Email report
  o Schedule report
    - Emphasize the value of having daily or weekly reports (for Heartbeat, Users, etc.)
    - Healthcheck (if there is no data, it won't send)
- Edit a report or create a new one: show the block of SQL

Import

- CSV and/or XML
- CSV
  o Less error-prone (can check columns before importing)
  o Recommended for 1st-time imports of data
  o Show an example of an import (type fake data)
- XML
  o Better for repetitive tasks, such as bulk folder creation
  o Creating users/groups

Backup

- Backs up 2 parts: 1) Database and 2) Application files
- Note the network share
- May be scheduled
- Notifies users with the Administer Backup role permission on failure
Web Password Filler

- Search for the web folder
- Choose a web password as an example
- Show the mapping of fields