TRANSCRIPT
IBM® Security Secret Server Launchers
IBM SECURITY SUPPORT OPEN MIC
NOTICE: BY PARTICIPATING IN THIS CALL, YOU GIVE YOUR IRREVOCABLE CONSENT TO IBM TO RECORD ANY STATEMENTS THAT YOU MAY MAKE DURING THE CALL, AS WELL AS TO IBM’S USE OF SUCH RECORDING IN ANY AND ALL MEDIA, INCLUDING FOR VIDEO POSTINGS ON YOUTUBE. IF YOU OBJECT, PLEASE DO NOT CONNECT TO THIS CALL.
June 12, 2019
2 IBM Security
Announcing IBM VIP Rewards
IBM VIP Rewards is a way to engage with and recognize the ways that you, the client, add value to IBM. Complete fun challenges and get rewarded for interacting with IBM, learning new technologies and sharing your knowledge.
Engage. Earn points. Get Rewards.
Learn more: ibm.biz/vip-rewards
Join IBM VIP Rewards for Security: ibm.biz/JoinIBMVIPRewards-Security
IBM Security Learning Academy
• Courses
• Videos
• Hands-on Labs
• Live Events
• Badges
Learning at no cost.
New content published daily.
Panelists
Jensen Toma – Presenter – L2 Support
Dan Barto – Moderator – L2 Manager
Grey Thrasher – L2 Team Lead
Daryl Romano – L2 Support
Mohammad Khan – L2 Support
Gary Sedler – L2 Support
Agenda
• What are Launchers?
• Launcher Types
  – Remote Desktop, PuTTY, Web, Custom
• Session Management
• SSH Proxy
  – SSH Command Menus
• Live Demo
• Troubleshooting tips
• Q&A
What are Launchers?
• Secret Server launchers open a connection to a remote computer or device, or log into a website, using the secret’s credentials directly from the web page
  – Convenient and easy to use
  – The user never needs to know the password
  – Launchers only work on Windows and Mac clients
Enabling Launchers
• By default, launchers are enabled
  – Administration > Configuration
Enabling Launchers
• Microsoft ClickOnce technology
  – https://docs.microsoft.com/en-us/visualstudio/deployment/clickonce-security-and-deployment?view=vs-2019
  – Applicable if the majority of users use Internet Explorer
• Protocol Handler (default)
  – Recommended if Firefox and Chrome are used
Enabling Launchers
• Launcher Tools
  – Tools > Launcher Tools
Types of Launchers
• Admin > Secret Templates > click on “Configure Launchers”
Types of Launchers
• You can disable individual launchers by clicking on the launcher name, then Edit, then clearing the checkbox in the “Active” field
• You can also change the launcher name if you prefer to use something else
Remote Desktop Launcher
• Initiates an RDP connection to a target machine
PuTTY Launcher
• Initiates an SSH session to a UNIX/Linux device
Web Password Filler
• Opens a web page and injects login credentials
Custom Launcher
• Custom Launcher for TOAD
Custom Launcher
• Admin > Secret Templates > Configure Launchers > New
Session Management
• Admins can terminate active sessions that were initiated through a launcher
Session Management
• The same functionality can be used to send a message to the user
SSH Proxy
• RDP and SSH sessions will be proxied through the Secret Server
  – Admin > SSH Proxy
• Distributed Engines can also be used as a proxy for greater network flexibility
SSH Command Menus
• Can be enabled to restrict the commands available to a user
  – Requires that SSH Proxy be enabled
  – Creates a menu of commands that can be run
• No other commands are available to the user
Live Demonstration
Troubleshooting Tips
Requirements
• .NET Framework 4.5.1
• Workstation must trust the SSL certificate installed on the IIS server protecting Secret Server
  – If the SSL cert and/or signer certs are not trusted, launchers will fail and return an error
Items to Double Check
• Protocol Handler is installed to:
  – C:\Program Files\Thycotic Software Ltd\Secret Server Protocol Handler
• Double check that Firefox / Chrome add-ons are installed and enabled
Common Error Messages
• The Secret Server Launcher failed to load. Exception: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel
  – Verify that the Secret Server SSL cert and/or signer certs are trusted by the workstation
• The process (process name) was not found
  – The application is not installed on the machine. If the application is installed, the folder location should be added to the PATH.
• The stub received bad data (1783)
  – The process is set to launch using the credentials of the secret, but the username or domain is incorrect.
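An added workstation-side check for the requirements and error messages above. This script is not from the deck or from the product; the Secret Server host name and port are parameters you supply, and it performs the same certificate-chain validation that .NET applies when the launcher connects.

```powershell
# Added troubleshooting check (not from the IBM deck or the product).
# Assumption: the Secret Server host name is passed as a parameter.
param(
    [Parameter(Mandatory = $true)][string]$SecretServerHost,
    [int]$Port = 443
)

# 1. .NET Framework 4.5.1 or later. Release 378675 is the documented minimum
#    value for 4.5.1 in the NDP v4 Full registry key.
$ndpKey = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$ndp = Get-ItemProperty $ndpKey -ErrorAction SilentlyContinue
if ($ndp -and $ndp.Release -ge 378675) {
    Write-Output ".NET Framework 4.5.1+ present (Release $($ndp.Release))"
} else {
    Write-Warning '.NET Framework 4.5.1 or later not found'
}

# 2. Protocol Handler folder named on the "Items to Double Check" slide.
$handlerDir = 'C:\Program Files\Thycotic Software Ltd\Secret Server Protocol Handler'
if (Test-Path $handlerDir) {
    Write-Output "Protocol Handler folder found: $handlerDir"
} else {
    Write-Warning "Protocol Handler folder missing: $handlerDir"
}

# 3. TLS trust. SslStream with the default validation callback enforces the
#    workstation's trust store, exactly as the launcher does; an untrusted server
#    or signer certificate is what produces the "Could not establish trust
#    relationship for the SSL/TLS secure channel" error listed above.
$tcp = $null
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($SecretServerHost, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($SecretServerHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    Write-Output "TLS chain trusted. Subject: $($cert.Subject); Issuer: $($cert.Issuer); Expires: $($cert.NotAfter)"
    $ssl.Dispose()
} catch {
    # .NET method failures arrive wrapped; look at the inner exception type.
    $ex = $_.Exception
    if ($ex.InnerException) { $ex = $ex.InnerException }
    if ($ex -is [System.Security.Authentication.AuthenticationException]) {
        Write-Warning "Certificate chain NOT trusted by this workstation: $($ex.Message)"
        Write-Warning 'Import the Secret Server certificate and its signer(s) into the machine Trusted Root / Intermediate CA stores.'
    } else {
        Write-Warning "Could not connect to ${SecretServerHost}:${Port}: $($ex.Message)"
    }
} finally {
    if ($tcp) { $tcp.Dispose() }
}
```

Run it from the affected workstation, since trust is evaluated against that machine's certificate stores, not the server's.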
Protocol Handler Logging
• To enable logging of the Protocol Handler, edit:
  – C:\Program Files\Thycotic Software Ltd\Secret Server Protocol Handler\RDPWin.exe.config
Questions and Answers
Q: For RDP, can we restrict the connection to local disk or other resources?
A: I believe those are RDP client itself... so you might be able to accomplish the same with a custom launcher that executes mstsc with some command options to restrict local disks. There is an option on the Windows AD Secret(s) (in the "Personalize" tab) to "Allow Access to Drives", which might be what you're looking for as well.
Q: Is SSH Proxy a way to implement a bastion or jump server?
A: You could use Distributed Engine(s) on other servers for SSH Proxy(s). But yes... this would allow for more control over the access from client to endpoints, especially useful for offsite workers and/or access to systems in different network segments/behind firewalls etc. (typically not accessible directly from clients).
Q: Equivalent function for the other protocols?
A: SSH and RDP supported.
Q: When will "ssh command blacklisting" be added? The user can use any commands, except those that are on the blacklist.
A: That would be a question for Product Management. If required, please submit a Request For Enhancement here: https://www.ibm.com/developerworks/rfe/
Q: Do you know if SAP Logon has been managed with a custom launcher with success?
A: I believe I've heard of some customers/partners creating SAP custom launchers, but I have no details. I found someone had used the SHORTCUT parameters for sapgui.exe to accomplish this.
Where do you get more information?
Search first, then ask in the new IBM Support Forum: http://ibm.biz/SecretServer-SupportForum
More information:
• Security Learning Academy: http://ibm.biz/ISSS-LearningAcademy
• IBM Knowledge Center: https://www.ibm.com/support/knowledgecenter/en/SSWHLP_10.6.0/com.ibm.isss.doc/kc-homepage.html
• IBM Security Secret Server Support: https://ibm.biz/SecretServerSupport
Useful links:
• Get started with IBM Security Support
• IBM My Support | Sign up for “My Notifications”
• FREE learning resources on the Security Learning Academy
• ibm.com/security/community
Follow us:
• www.youtube.com/user/IBMSecuritySupport
• twitter.com/askibmsecurity
• http://ibm.biz/ISCS-LinkedIn
© Copyright IBM Corporation 2019. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represents only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
THANK YOU
FOLLOW US ON:
• xforce.ibmcloud.com
• @askibmsecurity
• youtube.com/user/IBMSecuritySupport
• securityintelligence.com
• SecurityLearningAcademy.com
• ibm.com/security/community
IBM Security Client Success