SECRET SERVER FEATURE: Secure Vault and Password Manager
Protect enterprise privileged accounts with military-grade security
Overview of Secure Vault and Password Manager:
Automation of complex tasks is crucial for administrators and DevOps teams to eliminate human error and allow an organization to scale. Many applications require passwords or keys in order to access third-party APIs, databases, or external resources. Any complex automation build-out will require access to passwords or keys to call APIs and access data.
By integrating custom and third-party applications with Secret Server, you can avoid built-in application credentials and ensure proper control and management.
AES 256 Encryption
AES 256-bit encryption is the strongest encryption available for password management software and provides unsurpassed security.
In addition to at-rest encryption of secrets, Secret Server can also be used with SQL Server Transparent Data Encryption (TDE) for further data protection. SSL/TLS can be enforced on all connections to ensure end-to-end encryption.
Secret Server generates a unique encryption key during installation. This key is encrypted and kept in the encryption.config file or managed by an HSM. The combination of this file and your Secret Server database allows you to reconstitute your system at any point.
Login Password Protection
Secret Server hashes and salts local user passwords using a randomly generated salt and the PBKDF2-HMAC-SHA256 hashing algorithm. Active Directory logins authenticate directly against the domain and their passwords aren’t stored in the Secret Server database.
Multi-factor authentication (MFA) combines something you know (a password) with something you have (a one-time token). It ensures that even if a password is stolen, a malicious user can’t use it alone to access Secret Server. It also assists in rapid account recovery.
You can use a variety of multi-factor authentication solutions, including your existing authentication infrastructure, to authenticate users before granting them access to Secret Server.
Duo Security supports push notifications directly to a user’s phone, as well as hardware tokens such as YubiKey. If the user’s app or token isn’t available, they can also receive a phone call or text message for out-of-band authentication.
Google Authenticator or any soft token app that supports TOTP (Microsoft Authenticator, Duo, Amazon MFA) can also be used. Soft tokens are a free and quick way to add additional security to your login process if no commercial multi-factor solution is available.
Secret Server also supports any multi-factor provider that provides a RADIUS interface, an industry-standard implementation supported by most multi-factor providers.
IP Address Restrictions
You can control the locations and networks from which users can gain access by configuring Secret Server to be accessible only from IP addresses within a specified range. This allows you to limit access to Secret Server to users who are “on network” rather than, for example, connecting over a VPN.
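An added Python example of the kind of check behind an IP address restriction (illustrative code, not Secret Server's; the function names and the allowlist entries are constructed). Two details matter in practice and are easy to get wrong: the comparison must handle IPv4-mapped IPv6 addresses and malformed input without throwing, and the client address must be the one the socket saw unless the direct peer is a proxy you control, because otherwise any client can claim an on-network address simply by sending an `X-Forwarded-For` header.

```python
import ipaddress
from typing import Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_allowlist(entries: Iterable[str]) -> List[Network]:
    """Parse CIDR strings (or bare addresses) into network objects.
    strict=False lets an operator write 10.1.2.3/8 and get 10.0.0.0/8."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries if e.strip()]


def is_allowed(client_ip: str, allowlist: List[Network]) -> bool:
    """True if client_ip falls inside any allowed network. Unparseable input is denied,
    and IPv4-mapped IPv6 addresses (::ffff:10.0.0.5) are matched against IPv4 rules."""
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        return False
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in allowlist if net.version == addr.version)


def effective_client_ip(remote_addr: str, forwarded_for: Optional[str],
                        trusted_proxies: List[Network]) -> str:
    """Decide which address to evaluate. The X-Forwarded-For header is believed only
    when the TCP peer is one of our own proxies; its right-most entry is the address
    that proxy saw. Otherwise the header is attacker-controlled and is ignored."""
    if forwarded_for and is_allowed(remote_addr, trusted_proxies):
        hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
        if hops:
            return hops[-1]
    return remote_addr


if __name__ == "__main__":
    # Constructed policy: corporate ranges plus a documentation IPv6 prefix
    corp = parse_allowlist(["10.0.0.0/8", "192.168.1.0/24", "2001:db8::/32"])
    proxies = parse_allowlist(["192.168.1.10/32"])
    for peer, xff in [("10.20.30.40", None),
                      ("203.0.113.7", "10.5.5.5"),            # spoofed header, untrusted peer
                      ("192.168.1.10", "203.0.113.7, 10.5.5.5")]:
        ip = effective_client_ip(peer, xff, proxies)
        print(f"{peer!r:16} xff={xff!r:28} -> evaluate {ip:14} allowed={is_allowed(ip, corp)}")
```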
Secret Server management features help you get started quickly and scale easily as you add more systems, users, and secrets.
Folders and Permissions
As your organization grows and you add secrets to your vault, Secret Server’s folder structure will help you stay organized. With folders, multiple teams can use a central vault while having access only to areas appropriate for them.
There isn’t a one-size-fits-all answer for how to organize your privileged passwords. Secret Server’s customizable folder structure allows you to set up access controls based on what makes sense for your organization. For example, you can organize folders based on:
- Geographical locations
- Business units
- Different IT teams like DBAs, UNIX admins and Windows Server admins.
You can nest folders at multiple levels and manage them with whatever structure suits you best.
Permissions can be assigned for folders, sub-folders, and secrets. For example, each user can be assigned a default personal folder where they can keep commonly used passwords such as website logins for support sites, API keys for developers, or assigned product licenses.
Folder management can be automated through the API for custom integrations with CMDBs or IAM systems that need dynamic folder workflows.
IT departments must protect sensitive files such as network diagrams, license files, and SSL certificates while ensuring they are easily accessible to the right users. With Secret Server’s file attachments feature you can upload sensitive files and they will be encrypted and stored along with other privileged accounts. RBAC and permissions mean you have granular control over who can download and view attached files.
Active Directory Integration and SSO
Many organizations invest heavily in Active Directory to ensure users have a single identity across the organization. Leveraging your existing Active Directory groups and logins helps you quickly roll out Secret Server, reduce management overhead, and improve adoption.
Active Directory integration gives administrators a simple and effective way to automatically grant and revoke access to Secret Server with tools and policies that are already in place. By assigning access based on security groups you won’t have to manually grant permissions every time a new admin needs access. By granting rights based on domain security groups, you can ensure that when a user changes roles their rights in Secret Server also change appropriately.
Active Directory integration enables users to sign in with their normal domain account to gain access to privileged accounts, such as their domain administrator credential.
Microsoft also provides additional Single Sign-On (SSO) and security options that Secret Server can leverage. With Integrated Windows Authentication or ADFS, you can provide SSO to Secret Server.
There may be some cases where Active Directory isn’t feasible due to separation of duties, environments under tight control, or where there is no domain. In those situations, Secret Server does have its own user and group store and capabilities, and group membership changes can be delegated across teams to limit overhead.
Regardless of which user authentication methodology is right for your environment, you will be able to make use of SAML for SSO.
IT departments are seldom starting from scratch when they implement Secret Server. Users are already storing passwords in spreadsheets, personal password managers, and text files. You can get all users on board quickly by importing existing passwords from other apps.
Secret Server’s Import feature simplifies integration with current and legacy systems and allows users to easily add large numbers of secrets, or passwords, from a CSV or XML file. Because secrets are imported in batches by template, input data spanning several secret types must be imported in several batches, one per template.
You can use our migration tool to import passwords from third-party password managers. You can also do custom scripting with Secret Server’s API web services to build out an import process from a third-party or in-house application.
Web and Mobile Devices
Secret Server is a web-based application that can be accessed from any platform. The four major web browsers – Internet Explorer, Firefox, Safari and Chrome – are fully supported.
Secret Server has native apps for iPhone and Android. These mobile apps can be installed and configured in minutes.
Secret Server customers can access mobile applications from the Apple Store and Google Marketplace.