Secret Server - Team Blog

The History of Searching in Secret Server

2008-09-21T07:41:00Z

In the recent month, we've had a lot of questions about how searching works in Secret Server, so I thought now would be a good time to answer as many questions about searching as possible.

Searching pre 5.0

Before the 5.0 edition of Secret Server searching was fairly limited. The only thing you could search on was the Secret's name. Over time, the Search criteria grew a little, but still this main limitation was always there. As soon as you wanted to search on the actual values in the secrets, you were out of luck. The ability to search by the values in a secret was one of our most requested features.

Technical Limitations

The Secret Server development team has always had a keen sense to what customers wanted, and we typically implement feature requests based on feedback. However, this particular feature had a lot of technical barriers to solve before it could be implemented.

The main barrier we had to deal with was the concept of Secret Server itself. Secret Server is designed to be as secure as possible, and one of the pieces of this design is full data encryption. All of the values of a secret, aside from its name, are stored in the database encrypted. This makes searching the database impossible. If we wanted to perform a search, we would have had to pull back every secret from the database, decrypt it, and then search it. This clearly wouldn't work from a performance angle, and didn't scale well.

Searching as of 5.0

We realized we wouldn't be able to do real-time searches on secrets. The barrier still remained though, how do we search secrets and not expose sensitive information? Our solution was a hash based index table.

A What?

Many systems, such as Windows and search providers like Google keep a search index. When you search Google, you really aren't searching the entire Internet all at once, you are searching a dictionary of content that Google has built over time. Secret Server does something similar. The trick is to build an index but also keep it secure.

Secret Server 5.0 has a background monitor, the Search Indexer, that looks for changed secrets, about every 60 seconds it queries the database looking for unindexed secrets or changes in secrets. When you create or modify a secret, we flag that secret to tell the Search Indexer to re-index it.

Security

The Search Indexer creates hashed terms from the values in a secret. More specifically for those technically interested, we use the HMAC-512 algorithm. A quick explanation of what this algorithm does is creates a one-way code. For example, if the word "book" was hashed, it would produce a unique output. However this output cannot be converted back into the original data, "book" in our case.

This technique is used when creating indexes. Let's say we have a secret with a field called "Server" with a value of "OFFICE\Webserver01". When the search indexer got around to indexing this secret, it would create a hashed value of "office\webserver01". Whenever we create hashed terms, we always convert it to lowercase so that searching isn't case-sensitive. This search index record would become associated with the secret.

Now, when a user does a search, we use the same hash algorithm to compute the hash term of what you are searching for (again converted to lowercase). We when search our index table for a match.

What About Partial Matches?

When we have a term like "OFFICE\Webserver01", we produce hashes of "pieces" of the word. In this case, we would also produce specific hashes for "office" and "webserver01". Notice that we split on the letter "\". The same happens when a search is performed. This way if you searched for "OFFICE\Webserver02", it would still come back with the OFFICE\Webserver01" because the "OFFICE" term still matched. We do this for other letters as well, that includes spaces, backslashes, slashes, periods, commas, and semicolons.

Search Index Modes

The Search Indexer has two modes. Standard, and Enhanced. So far, all of the behavior I have described has been the "Standard" mode. The Enhanced mode works very similarly, however it also produces three letter partials. Using out "OFFICE\Webserver01" example, we produce our hashes normally, but we also produce the partials. We would add hashes for "OFF", "FFI", "FIC", "ICE", etc. This allows partial matches to return.

So Many Results

The implementation sounds correct, but it has some room for improvement. Note that I said we split the terms on periods. That means if you searched for "foo@test.com", it would return everything that had "com" in it, and chances are there are a lot of results. The splitting on the period seems to be the biggest culprit for undesired results coming back. Once you throw the Enhanced mode into the mix, it gets even more complicated.

Looking Forward

Nothing has been set in stone in terms of changes and when it will be implemented, but we have been kicking around a lot of ideas. The immediate one might be to consider removing the period from the characters that we split on. Another idea was ranking the results. Secret Server right now always returns secrets sorted by their name. It would make more sense if we returned results in order of the number of hash terms that matched and if the name matched as well.

I hope that clarifies some of the mystery surrounding search. If you have any additional feedback or questions, be sure to drop by our forums and let us know!

-- Kevin

Sneak Peek: PuTTY Launcher

2008-09-11T21:52:53Z

One of a system administrator's must-have items in his toolbox is PuTTY. PuTTY is a small, lightweight program that is perfect for telnet and SSH connections. It doesn't require any installation, it's just a single EXE file and you're good to go.

A feature of Secret Server that I personally have always found extremely useful is the launching capability that we introduced with Remote Desktop. It's very handy for starting Remote Desktop sessions. We decided to take it a step further and extend this functionality to PuTTY.

An initial obstacle that needed to be overcome was figuring out how to make sure PuTTY was on the client's machine. The creators of PuTTY are generous, and fortunately they allow us to distribute PuTTY with Secret Server. Since the Remote Launcher capability is a Microsoft ClickOnce application, it seemed reasonable to distribute PuTTY with our application. This would avoid the need for users having to tell our application where to look for PuTTY, or us requiring that you have it in a certain location on the machine.

However, PuTTY is 500 kilobytes, and the initial application was a mere 12 kilobytes. 500K is small in today's high tech world, but to reduce corporate bandwidth use, we only distribute it when you need it for the first time. That means when you make your first launch of PuTTY, we'll download the application for you from your Secret Server installation, thus not needing an outside Internet connection, but after that it's cached so you only need to download it once.

Once PuTTY is downloaded successfully, the application will automatically start already logged in at the prompt. For the first release of the PuTTY launcher, we will only support SSH.

If you want to see additional launchers built into Secret Server, make sure you stop by our forums and let us know!

-- Kevin

Sneak Peek - Secret Server 5.0 and Searching Fields

2008-07-07T03:05:52Z

Secret Server 5.0 is currently under development, and one of the features that we know for sure that will be in 5.0 is searching Secret Fields. This has been a popular request. We had several obstacles to achieve this, and we have implemented a solution that is secure but effective.

The search works by Secret Server creating an index catalog for search terms for each and every secret. This runs as a background process. Secret Server will then start indexing all existing Secrets in your installation, and maintain indexes for secrets as they are changed.

The indexing service allows two different modes of indexing. The standard mode, which allows you to search on whole words. The Extended Indexing option allows searching on part of a word with a precision of 3 characters. For example, "sec" would make a field with the value of "Secret", as would "secre".

Stay tuned for more features coming in Secret Server 5.0!

-- Kevin

Why does Secret Server take so long to start up?

2008-05-18T23:14:20Z

One of the things that we did notice with Secret Server is that it does take what seems to be a long time for Secret Server to start up for the first time. This started happening in Secret Server 4.0. So, what exactly is going on?

Secret Server does some startup tasks for the first time. Namely, it starts up some background monitoring tasks for synchronizing Active Directory and the Remote Password changing features. There is one more though that takes up most of the time, and that is verifying all of the Strong Name signatures.

First, what is a Strong Name? When we release Secret Server, we send out all of the DLLs with a digital signature on all of the assemblies. Secret Server has multiple DLLs that talk to each other. Now, what's stopping someone with access to the server from dropping in a fake DLL that looks like ours, but it is also secretly emailing out information? Step in strong names. When the .NET Framework loads all of the assemblies for a particular application, it ensure that all of the assemblies have the strong name key that was used when it was compiled. If the Strong Name keys don't match, then the .NET Framework won't accept it. Since only Thycotic has the key, it cannot be faked.

This is a somewhat lengthy process for the .NET Framework, as it will also have to calculate checksums of the entire assembly as well. Not to mention that this entire process occurs for all 14 of the assemblies in Secret Server.

-- Kevin

Secret Server on the Treo 700

2008-04-19T12:25:06Z

Secret Server has supported a "Mobile Edition" for over a year now but it is always tricky making sure that it works correctly on all devices.

Our approach was to bake mobile support into the base product (ASP.NET based) so it simply scales down to the capability of the device. That sounds simple but unfortunately it depends on making sure that functionality will work with all the limitations of various devices.

My own favorite BlackBerry 8820 does a reasonable job of helping me get to the password I need in emergencies but it is hardly a pleasant browsing experience. In fairness, no browsing on the device is particularly pleasant since it is slow, struggles with most layouts and has a small screen. That said, I love it dearly and browsing has never been a core requirement for me since email, contacts and calendar are definitely my most essential.

Today we had a customer ask about the Treo 700 so I tried out the emulator from the Palm website. It seems to work fine with Secret Server and I was able to browse around and access passwords.

--Jonathan

Secret Server at FOSE 2008

2008-04-03T15:27:22Z

This year Secret Server made its debut at FOSE, one of the leading government technology events in the nation. The show is being held at the Walter E. Washington Convention Center which is situated only a few minutes away from our offices in downtown D.C.

Despite there being several hundred kiosks and lectures, Secret Server appears to be one of the few software products featured. Many of the exhibitions are displaying hardware and energy saving innovations. I think a lot of people have been pleasantly surprised to see a solution for password management.

Over the last couple of days, I and some of the other team members got a chance to interact with attendees and demonstrate some of the core functionality of Secret Server. We have received a lot of enthusiasm and great feedback on the product thus far.

Today is the final day for FOSE. Come visit us at booth #100 located in the Security section. Hope to see you there!

--Joseph

Giving Secret View a System Font

2008-03-27T23:54:47Z

One of the questions that I sometimes get from customers is, "I want the information on the Secret View page to display in a system font". The reason for this is it makes it easier to distinguish between O's and zeros; and lower-case L's and capital I's.

This can easily be accomplished with CSS, and with since Secret Server 4.0 and up supports Themes, it is simple enough to add your own CSS to the default.css file.

Because of the way Copy to Clipboard works, all of the attributes that contain information are held in a custom attribute "t". This attribute is on the span elements and the text boxes when in edit mode. In theory, it should be as simple as this:

*[t]
{
font-family:Consolas,System;
}

This is part of the CSS 2 specification, and the selector states "Any element with the attribute 't'." As expected, this works well with FireFox. This took care of the labels and the text boxes all-in-one. However, IE presented a bit of an issue. This simple solution didn't seem to work. It's not a secret to web developers that Trident, IE's rendering engine, is pretty buggy as far as rendering engines go. What surprised me more was that the IE 8 beta, the up-and-coming super-compliant version of IE, still did not take. What was strange that when using a simple test page, the attribute selector did work; so it is supported in IE 7 and 8. There just appears to be an issue with that particular page.

So the solution became a little more complex. A lot of the elements on the secret view page don't have classes or ID's at the moment, which makes applying CSS to just some of the elements a bit trickier. In the end, this is how it turned out:

And the CSS used to accomplish this that works in both IE and FireFox:

div#SecretViewDialog * td.SecretFieldCell span, * span#iSM li
{
font-family:Verdana ! important;
font-size:10pt ! important;
}

input.SecretViewTextbox, input.SecretPasswordTextbox, div#SecretViewDialog * span
{
font-family:Consolas,System;
font-size:11pt;
}

The font of my choice is Consolas, a nice font that makes it easy to distinguish characters. It is a free font for user's that own Visual Studio 2005 via download, and also ships with Visual Studio 2008.

-- Kevin

Secret Server 4.1 coming - visual keyboard

2008-02-24T20:31:14Z

Here is a new feature coming in Secret Server 4.1 - it is the visual keyboard and is a configurable option for the login screen.

It is designed to thwart malware such as keyloggers which could be running on a public computer and could capture your password if you entered it using the keyboard. The visual keyboard uses a different random alternate character set each time it is loaded - this means that when you click "a" it may type "3" in the password textbox - the garbled password is reconstituted on the server side when you login. By using a garbled password then the HTTP POST back to the server if even further protected (and should be protected again by using SSL on your Secret Server installation).

Look for more sneak peeks soon as we approach the release date for Secret Server 4.1 which will be 3/14/2008 - specifically there will screenshots of the new role-based security and the launcher (launch Remote Desktop from Secret Server!).

--Jonathan

Secret Server on Windows Server 2008 x64

2008-02-07T16:36:13Z

With the new release of Windows Server 2008, we wanted to make sure that Secret Server is always able to use the latest technology. So, we set out to prove that Secret Server would work on Windows Server 2008. To take it even further, we wanted to see it work on the 64-bit platform. So how did Secret Server do?

We're excited to say that yes, Secret Server does work on Windows Server 2008 x64 Edition. Here was our setup:

- Windows Server 2008 Enterprise x64 Edition (IIS 7.0)
- SQL Server 2005 Developer x64 Edition
- Secret Server 4.0.000003.

There are a few things to note before Secret Server will function properly. IIS 7.0 had some ground breaking changes with the way it integrates with ASP.NET 2.0. Unfortunately, Secret Server currently cannot support this. This is called "Integrated Managed Pipeline Mode". Secret Server currently will only work properly with IIS's Pipeline mode configured to "Classic". Fortunately, this isn't a problem at all. It is really as simple as changing the Application Pool that Secret Server is in to use Classic Pipeline.

While Secret Server is functional in this environment, we can't officially support it yet; there are a few features of Secret Server that are problematic due to the new environment. The immediate one is a lack of support for IPv6 for the IP Address Restrictions, which we will be addressing in a release in the near future. This is due to the fact that the IPv6 protocol is installed by default on Windows Server 2008. The same problem arises when the IPv6 protocol is installed on a previous version of Windows.

We still have a lot of testing to do on Windows Server 2008. We want to make sure that Secret Server works just as well as it always has on previous versions of Windows Server. Once we have finished our testing process, and resolved any issues that arose, we will be able to officially support the Windows Server 2008 x64 and x86 platform.

In the near future, we will be testing Secret Server against the up-and-coming SQL Server 2008.

Migrating from eWallet

2007-12-17T16:23:47Z

Some users who are currently using eWallet and other single user password managers want to migrate to an enterprise solution. This will give them the benefit of tracking and managing all privileged passwords in a company.

We are currently working with one customer to produce a tool that will allow a user to migrate from eWallet to Secret Server as painlessly as possible.

Here is a movie showing the migration tool in action: http://www.thycotic.com/movies/secretserver/ewallet/ewallet.html

If you are interested in this tool please contact support.

-- Kevin

Remote Desktop - peek into the future ...

2007-12-13T06:28:43Z

Here is a teaser trailer showing automatic opening of Remote Desktop from a secret in Secret Server.

Watch movie (Remote Desktop from Internet Explorer)

Watch movie (Remote Desktop from Firefox)

There are some technical difficulties in getting Remote Desktop to work like this since it encrypts the password in the .rdp file in a machine/user specific way.

This feature is unlikely to be ready for the Secret Server 4.0 release but should come in an update soon after.

--Jonathan

Secret Server 4.0

2007-12-07T21:50:00Z

We are happy to announce that Secret Server 4.0 is scheduled for release on December 21st.

One of the features that is often requested is the ability to search a folder *and* its sub-folders. Starting in 4.0, this feature will be available. On the home page, there will be a checkbox in the search region that will allow you to search in a folder's children. Also, the performance of searching has been improved by reducing some of the logic needed.

One of the other features that we will be in 4.0 is inherited permissions for folders. With the confusion of how folder permissions currently work, we think this will allow users to better manage their secrets while also working more as expected (more like operating system permissions). Starting in 4.0, you can optionally inherit permissions from parent folders, and a secret can now inherit permissions from a folder. Say, if you choose to have a secret inherit permissions from it's folder, it will also get the permissions from that folder, and all of it's parents. If the parents' folder permission changes, the new permissions will reflect on that secret.

Secret Server 4.0 is shaping up to be the biggest release of Secret Server yet, and we're excited about the cool new features!

-- Kevin

Bulk Operation "Edit Share" explained

2007-12-04T12:40:40Z

Back in Secret Server 3.0, we added bulk operations to make it easier to deal with lots of secrets. Typical example - I need to add our network administrators to these 100 passwords with View permission. This can be easily accomplished using the "Add Share" option at the bottom of the search grid on the home page.

What happens if I accidentally added the wrong network administrators group and now I need to remove their View permission from the 100 secrets. This is where "Edit Share" comes in.

I recorded a short movie that shows removing "Edit" and "Share" permissions for one group (Administrators) from two secrets.

Watch movie

Add Share - use this to safely add new permissions for View, Edit or Share for a group or user. It will not affect their existing permissions. So if a user has View, Edit and you just Add Share 'View' then they will still have View and Edit.

Edit Share - use this option to replace permissions for certain users or groups. There is currently a bug that prevents you from removing all permissions for a user or group but that will be fixed in the next release.

NOTE: The Edit Share does not show existing permissions on your selected secrets. We have struggled with how to make such a user interface make sense since some of your secrets will have some permissions and some won't. It seems difficult to know how to present this in a way that isn't confusing. If you have any ideas - please post them to the forums.

--Jonathan

Secret Server to support theming in 4.0

2007-11-16T21:41:00Z

One of the most requested features in Secret Server is theming. I have seen several customers skin Secret Server to fit their company's colors and logo. The only down side to that is, when Secret Server is updated, all of those nice changes were lost. A feature that we will be releasing soon is Custom Themes. It goes beyond just changing the style and images. We designed it to allow the administrator to create their own themes for Secret Server. The Administrator has the choice of allowing users to specify their own theme, or force a global theme. Here is a sample theme that we have been playing around with to prove that anything is possible!

We don't plan on actually shipping Secret Server with this theme :-)

-- Kevin

Minor Update on 11/16

2007-11-13T04:03:40Z

On November 16^th we will be releasing a minor update for Secret Server. This update includes:

Ignoring the selected folder if the folder panel is collapsed when performing a search from the home screen.
Changing the import tool to allow duplicates if explicitly allowed. There will now be a checkbox called "Ignore Duplicates" that allows you to import secrets even if a secret with the same name already exists.
Some Active Directory Synchronization fixes. Recently a bug was discovered that may solve a large portion of the remaining active directory synchronization issues. As some may know, there have been some issues with Active Directory that we have been identifying and fixing. The particular issue we will we resolving is where some of the usernames contain certain characters, such as a comma or a backslash. Unfortunately, our development platform, the .NET Framework 1.1, has somewhat limited LDAP support. So the data that the Active Directory server returns to us is "raw". In this case, we need to parse and handle this data properly. The second issue we are resolving is in the case that the Active Directory query returns more than 1500 results it only returns the top 1500 results.

This update does not include the migration to the .NET 2.0 Framework. This minor update will still be using the current version of the framework.

-- Kevin