Secret Server - Team Blog

One of the things that we did notice with Secret Server is that it does take what seems to be a long time for Secret Server to start up for the first time. This started happening in Secret Server 4.0. So, what exactly is going on?

Secret Server does some startup tasks for the first time. Namely, it starts up some background monitoring tasks for synchronizing Active Directory and the Remote Password changing features. There is one more though that takes up most of the time, and that is verifying all of the Strong Name signatures.

First, what is a Strong Name? When we release Secret Server, we send out all of the DLLs with a digital signature on all of the assemblies. Secret Server has multiple DLLs that talk to each other. Now, what's stopping someone with access to the server from dropping in a fake DLL that looks like ours, but it is also secretly emailing out information? Step in strong names. When the .NET Framework loads all of the assemblies for a particular application, it ensure that all of the assemblies have the strong name key that was used when it was compiled. If the Strong Name keys don't match, then the .NET Framework won't accept it. Since only Thycotic has the key, it cannot be faked.

This is a somewhat lengthy process for the .NET Framework, as it will also have to calculate checksums of the entire assembly as well. Not to mention that this entire process occurs for all 14 of the assemblies in Secret Server.

-- Kevin

Secret Server has supported a "Mobile Edition" for over a year now but it is always tricky making sure that it works correctly on all devices.

Our approach was to bake mobile support into the base product (ASP.NET based) so it simply scales down to the capability of the device.  That sounds simple but unfortunately it depends on making sure that functionality will work with all the limitations of various devices.

My own favorite BlackBerry 8820 does a reasonable job of helping me get to the password I need in emergencies but it is hardly a pleasant browsing experience.  In fairness, no browsing on the device is particularly pleasant since it is slow, struggles with most layouts and has a small screen.  That said, I love it dearly and browsing has never been a core requirement for me since email, contacts and calendar are definitely my most essential.

Today we had a customer ask about the Treo 700 so I tried out the emulator from the Palm website.  It seems to work fine with Secret Server and I was able to browse around and access passwords.

--Jonathan

This year Secret Server made its debut at FOSE, one of the leading government technology events in the nation.   The show is being held at the Walter E. Washington Convention Center which is situated only a few minutes away from our offices in downtown D.C.

Despite there being several hundred kiosks and lectures, Secret Server appears to be one of the few software products featured.  Many of the exhibitions are displaying hardware and energy saving innovations.  I think a lot of people have been pleasantly surprised to see a solution for password management.

Over the last couple of days, I and some of the other team members got a chance to interact with attendees and demonstrate some of the core functionality of Secret Server.  We have received a lot of enthusiasm and great feedback on the product thus far.

Today is the final day for FOSE. Come visit us at booth #100 located in the Security section.  Hope to see you there!

--Joseph

One of the questions that I sometimes get from customers is, "I want the information on the Secret View page to display in a system font". The reason for this is it makes it easier to distinguish between O's and zeros; and lower-case L's and capital I's.

This can easily be accomplished with CSS, and with since Secret Server 4.0 and up supports Themes, it is simple enough to add your own CSS to the default.css file.

Because of the way Copy to Clipboard works, all of the attributes that contain information are held in a custom attribute "t". This attribute is on the span elements and the text boxes when in edit mode. In theory, it should be as simple as this:

*[t]
{
    font-family:Consolas,System;
}

This is part of the CSS 2 specification, and the selector states "Any element with the attribute 't'." As expected, this works well with FireFox. This took care of the labels and the text boxes all-in-one. However, IE presented a bit of an issue. This simple solution didn't seem to work. It's not a secret to web developers that Trident, IE's rendering engine, is pretty buggy as far as rendering engines go. What surprised me more was that the IE 8 beta, the up-and-coming super-compliant version of IE, still did not take. What was strange that when using a simple test page, the attribute selector did work; so it is supported in IE 7 and 8. There just appears to be an issue with that particular page.

So the solution became a little more complex. A lot of the elements on the secret view page don't have classes or ID's at the moment, which makes applying CSS to just some of the elements a bit trickier. In the end, this is how it turned out:

And the CSS used to accomplish this that works in both IE and FireFox:

div#SecretViewDialog * td.SecretFieldCell span, * span#iSM li
{
    font-family:Verdana ! important;
    font-size:10pt ! important;
}

input.SecretViewTextbox, input.SecretPasswordTextbox, div#SecretViewDialog * span
{
    font-family:Consolas,System;
    font-size:11pt;
}

The font of my choice is Consolas, a nice font that makes it easy to distinguish characters. It is a free font for user's that own Visual Studio 2005 via download, and also ships with Visual Studio 2008.

-- Kevin

Here is a new feature coming in Secret Server 4.1 - it is the visual keyboard and is a configurable option for the login screen. 

It is designed to thwart malware such as keyloggers which could be running on a public computer and could capture your password if you entered it using the keyboard.  The visual keyboard uses a different random alternate character set each time it is loaded - this means that when you click "a" it may type "3" in the password textbox - the garbled password is reconstituted on the server side when you login.  By using a garbled password then the HTTP POST back to the server if even further protected (and should be protected again by using SSL on your Secret Server installation).

Look for more sneak peeks soon as we approach the release date for Secret Server 4.1 which will be 3/14/2008 - specifically there will screenshots of the new role-based security and the launcher (launch Remote Desktop from Secret Server!).

--Jonathan

With the new release of Windows Server 2008, we wanted to make sure that Secret Server is always able to use the latest technology. So, we set out to prove that Secret Server would work on Windows Server 2008. To take it even further, we wanted to see it work on the 64-bit platform. So how did Secret Server do?

We're excited to say that yes, Secret Server does work on Windows Server 2008 x64 Edition. Here was our setup:

- Windows Server 2008 Enterprise x64 Edition (IIS 7.0)
- SQL Server 2005 Developer x64 Edition
- Secret Server 4.0.000003.

There are a few things to note before Secret Server will function properly. IIS 7.0 had some ground breaking changes with the way it integrates with ASP.NET 2.0. Unfortunately, Secret Server currently cannot support this. This is called "Integrated Managed Pipeline Mode". Secret Server currently will only work properly with IIS's Pipeline mode configured to "Classic". Fortunately, this isn't a problem at all. It is really as simple as changing the Application Pool that Secret Server is in to use Classic Pipeline.

While Secret Server is functional in this environment, we can't officially support it yet; there are a few features of Secret Server that are problematic due to the new environment. The immediate one is a lack of support for IPv6 for the IP Address Restrictions, which we will be addressing in a release in the near future. This is due to the fact that the IPv6 protocol is installed by default on Windows Server 2008. The same problem arises when the IPv6 protocol is installed on a previous version of Windows.

We still have a lot of testing to do on Windows Server 2008. We want to make sure that Secret Server works just as well as it always has on previous versions of Windows Server. Once we have finished our testing process, and resolved any issues that arose, we will be able to officially support the Windows Server 2008 x64 and x86 platform.

In the near future, we will be testing Secret Server against the up-and-coming SQL Server 2008.

Some users who are currently using eWallet and other single user password managers want to migrate to an enterprise solution. This will give them the benefit of tracking and managing all privileged passwords in a company.

We are currently working with one customer to produce a tool that will allow a user to migrate from eWallet to Secret Server as painlessly as possible.

Here is a movie showing the migration tool in action: http://www.thycotic.com/movies/secretserver/ewallet/ewallet.html 

If you are interested in this tool please contact support.

-- Kevin

Here is a teaser trailer showing automatic opening of Remote Desktop from a secret in Secret Server.

Watch movie (Remote Desktop from Internet Explorer)

Watch movie (Remote Desktop from Firefox)

There are some technical difficulties in getting Remote Desktop to work like this since it encrypts the password in the .rdp file in a machine/user specific way.

This feature is unlikely to be ready for the Secret Server 4.0 release but should come in an update soon after.

--Jonathan

We are happy to announce that Secret Server 4.0 is scheduled for release on December 21st.

One of the features that is often requested is the ability to search a folder *and* its sub-folders. Starting in 4.0, this feature will be available. On the home page, there will be a checkbox in the search region that will allow you to search in a folder's children. Also, the performance of searching has been improved by reducing some of the logic needed.

One of the other features that we will be in 4.0 is inherited permissions for folders. With the confusion of how folder permissions currently work, we think this will allow users to better manage their secrets while also working more as expected (more like operating system permissions). Starting in 4.0, you can optionally inherit permissions from parent folders, and a secret can now inherit permissions from a folder. Say, if you choose to have a secret inherit permissions from it's folder, it will also get the permissions from that folder, and all of it's parents. If the parents' folder permission changes, the new permissions will reflect on that secret.

Secret Server 4.0 is shaping up to be the biggest release of Secret Server yet, and we're excited about the cool new features!

-- Kevin

Back in Secret Server 3.0, we added bulk operations to make it easier to deal with lots of secrets.  Typical example - I need to add our network administrators to these 100 passwords with View permission.  This can be easily accomplished using the "Add Share" option at the bottom of the search grid on the home page.

What happens if I accidentally added the wrong network administrators group and now I need to remove their View permission from the 100 secrets.  This is where "Edit Share" comes in.

I recorded a short movie that shows removing "Edit" and "Share" permissions for one group (Administrators) from two secrets.

Watch movie

Add Share - use this to safely add new permissions for View, Edit or Share for a group or user.  It will not affect their existing permissions.  So if a user has View, Edit and you just Add Share 'View' then they will still have View and Edit.

Edit Share - use this option to replace permissions for certain users or groups. There is currently a bug that prevents you from removing all permissions for a user or group but that will be fixed in the next release.

NOTE:  The Edit Share does not show existing permissions on your selected secrets.  We have struggled with how to make such a user interface make sense since some of your secrets will have some permissions and some won't.  It seems difficult to know how to present this in a way that isn't confusing.  If you have any ideas - please post them to the forums.

--Jonathan

One of the most requested features in Secret Server is theming. I have seen several customers skin Secret Server to fit their company's colors and logo. The only down side to that is, when Secret Server is updated, all of those nice changes were lost. A feature that we will be releasing soon is Custom Themes. It goes beyond just changing the style and images. We designed it to allow the administrator to create their own themes for Secret Server. The Administrator has the choice of allowing users to specify their own theme, or force a global theme. Here is a sample theme that we have been playing around with to prove that anything is possible!

We don't plan on actually shipping Secret Server with this theme :-)

-- Kevin

On November 16^th we will be releasing a minor update for Secret Server. This update includes:

• Ignoring the selected folder if the folder panel is collapsed when performing a search from the home screen.
• Changing the import tool to allow duplicates if explicitly allowed. There will now be a checkbox called "Ignore Duplicates" that allows you to import secrets even if a secret with the same name already exists.
• Some Active Directory Synchronization fixes. Recently a bug was discovered that may solve a large portion of the remaining active directory synchronization issues. As some may know, there have been some issues with Active Directory that we have been identifying and fixing. The particular issue we will we resolving is where some of the usernames contain certain characters, such as a comma or a backslash. Unfortunately, our development platform, the .NET Framework 1.1, has somewhat limited LDAP support. So the data that the Active Directory server returns to us is "raw". In this case, we need to parse and handle this data properly. The second issue we are resolving is in the case that the Active Directory query returns more than 1500 results it only returns the top 1500 results.

This update does not include the migration to the .NET 2.0 Framework. This minor update will still be using the current version of the framework.

-- Kevin

Recently the development team has been migrating Secret Server from the .NET Framework 1.1 to 2.0. What is the .NET Framework? It is the core technology that Secret Server is built on top of. So, what does this mean for Secret Server users?

• The new framework offers several performance enhancements, which means more efficiency and a more light-weight application on the server.
• The developers can now leverage new technology and tools, making development more rapid. This means we can write features quicker while still producing a solid product.
• Secret Server will now be using the latest, cutting-edge technology. As technology continues to advance, so will Secret Server.

The migration has been complete for the most part. There is no official or estimated date as to when Secret Server will officially support the new platform. We are currently ironing the final details, and ensuring that the migration to it will be as smooth as possible. As more details develop, we will be sure to keep everyone informed.

-- Kevin

Once a Secret Type is wired up to its Password Type (Windows Account, AD Account, SQL Server Login or new in 3.2 - Unix Account), then turn on Remote Password Changing in Administration and create a secret.  I have created a new secret for a SQL Server login and set it to be Autochanged.

The "Expire Now" button appears and clicking it will cause the secret to be autochanged to a new randomly generated password within 1 minute.

It has now been changed to a new password.

This feature allows you to quickly change a password on a secret while also reaching out to the server and changing the password there.  This can be coupled with the Report User Audit to automatically expire all secrets that an employee has viewed - for example if the employee has just left the company.

--Jonathan

Secret Server now has a fully documented step-by-step installation process from start to finish of installing a SQL Server, IIS, ASP.NET, and all required components. The installation is available in a PDF Format, and will walk you through all of the requirements. The guide includes everything you need to know to get Secret Server up and running with your server.

Get it here: http://www.thycotic.com/articles/secretserver/installation.pdf

Contact Us if you have any other installation questions.

-- Kevin