<?xml version="1.0"?>
<rss version="2.0">
<channel>
<title>Thycotic Community - Secret Server - How to make a protected folder? - Messages</title>
<link>http://www.thycotic.com/forums/messages.aspx?TopicID=459</link>
<description>Thycotic Community - Secret Server - How to make a protected folder? - Messages</description>
<language>en-us</language>
<docs>http://blogs.law.harvard.edu/tech/rss</docs>
<generator>Jitbit AspNetForum</generator>
<pubDate>Mon, 20 Aug 2012 12:51:14 GMT</pubDate>
<lastBuildDate>Mon, 20 Aug 2012 12:51:14 GMT</lastBuildDate>
<item>
<link>http://www.thycotic.com/forums/messages.aspx?TopicID=459</link>
<title>Message from Nick D</title>
<description><![CDATA["...you want to enable an event subscription to alert out when changes to the configuration (or more importantly roles) are done."<br/><br/>To clarify this even more, you could remove that ability from the admin also (make changes to ROLES).<br/><br/>The key is to separate the duties as much as possible, but make sure that no one person has the ability to ever recover.]]></description>
<pubDate>Mon, 20 Aug 2012 12:51:14 GMT</pubDate>
</item>
<item>
<link>http://www.thycotic.com/forums/messages.aspx?TopicID=459</link>
<title>Message from Nick D</title>
<description><![CDATA[I also failed to mention one other protective measure. If the person that has the rights TO BE an unlimited admin also has administrative rights over Secret Server in general, you want to enable an event subscription to alert out when changes to the configuration (or more importantly roles) are done.<br/><br/>This way, when the admin changes the roles so that someone has both the rights to put SS in Unlimited Admin mode and also be an Unlimited Admin, people will know about it.<br/><br/>For example, this is the case for me personally. I am the global admin of all SS here, but my role is called something like "Full Admin without the ability to enable UA". I have the ability to modify my role to make it so I can do that, but if I do, a lot of people here are going to know about it and be very unhappy.<br/><br/>Another thing we also do, that I encourage, is include any administrative changes to SS in your corporate RFA/Change Control Process for exposure. For my company, if we have to make any admin changes I need to file a Change Control ticket (which documents the when, who, what, and how). It requires specific authorized individuals to "approve" my request before I can perform it.<br/><br/>We rely heavily on Secret Server here not only as a password wallet, but have it configured to be used as a repository for some very important key rotation procedures. The confidentiality of the solution, while very important, is only as good as the integrity of it. In other words, why should someone store something super confidential in it when there is a way someone else could get access to it? I've been able to address that with many different configurations.]]></description>
<pubDate>Mon, 20 Aug 2012 12:49:15 GMT</pubDate>
</item>
<item>
<link>http://www.thycotic.com/forums/messages.aspx?TopicID=459</link>
<title>Message from Joshua C</title>
<description><![CDATA[Thanks Nick, those are great suggestions and we do currently have that feature request logged.]]></description>
<pubDate>Tue, 14 Aug 2012 16:21:51 GMT</pubDate>
</item>
<item>
<link>http://www.thycotic.com/forums/messages.aspx?TopicID=459</link>
<title>Message from Nick D</title>
<description><![CDATA[You can do a couple of things...<br/><br/>1.) I encourage this on all SS installs. Separate the roles of both Enabling Unlimited Admin mode and Unlimited Admin from a user. Configure SS to require that one (or more) people are the only ones that can enable Unlimited Admin mode but not be an Unlimited Admin. The opposite for the Unlimited Admin: they shouldn't be able to put SS in Unlimited Admin mode. This prevents a single person from having the ability to flip the god switch.<br/>2.) Set up event subscriptions/notifications that email all users of SS when Unlimited Admin mode is enabled.<br/>3.) Direct all users to the appropriate report(s) that show what an Unlimited Admin did while that mode is enabled.<br/><br/>Feature Request!! It's been mentioned before, but it would be nice to have the ability to customize these email alerts so we can point people to URLs (and other text). i.e. Unlimited Admin mode was enabled by xyz person; to see what the Unlimited Admin performed while in this mode please visit &lt;a href="https://path_to_secret-server_report"&gt;https://path_to_secret-server_report&lt;/a&gt; (or something like this)<br/><br/>4.) Flag all Secrets owned by you to alert you when viewed/modified.<br/><br/>5.) And finally, as a general rule of thumb for my business, don't store personal information in a corporate SS implementation :) Sure, having the above measures in place can help assure you always know when someone accesses your info, but it will never prevent it. Use a personal password manager instead; there are plenty of them out there. Thycotic even offers an online version that you can pay for (though there are free alternatives for individual use).]]></description>
<pubDate>Tue, 14 Aug 2012 10:35:31 GMT</pubDate>
</item>
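<item>
<link>http://www.thycotic.com/forums/messages.aspx?TopicID=459</link>
<title>Added example: separation-of-duties check for the Unlimited Admin split</title>
<description><![CDATA[The separation Nick describes (one set of people who can enable Unlimited Admin mode, a different set who act as Unlimited Admin, and an alert whenever roles change) is a classic toxic-combination check, and it is easy to get wrong as roles accumulate. The script below is an added example written for this page, not Thycotic's code or anything from the thread. It takes a constructed role/permission matrix and user/role mapping (the shape you would get from exporting the Roles page) and flags two things: users who hold both halves of the "god switch" directly, and users who can edit roles and could therefore grant themselves the missing half. The permission names ENABLE_UA, ACT_UA and EDIT_ROLES are assumptions modelled on the thread, not verified Secret Server permission strings; substitute the names from your own install.

```python
"""Separation-of-duties check for a Secret Server style role matrix.

Added example for this thread, not Thycotic code. The three permission
names below are ASSUMED labels for the rights discussed in the thread;
the role and user tables are CONSTRUCTED sample data.
"""
from collections import defaultdict

ENABLE_UA = "Administer Unlimited Admin"  # assumed name: can switch UA mode on
ACT_UA = "Unlimited Administrator"        # assumed name: has UA powers once mode is on
EDIT_ROLES = "Administer Roles"           # assumed name: can change any role's permissions

# Constructed sample: role name -> set of permissions granted by that role
ROLES = {
    "Full Admin without UA": {"Administer Configuration", EDIT_ROLES, "View Secret"},
    "UA Enabler": {ENABLE_UA, "View Secret"},
    "Unlimited Admin": {ACT_UA, "View Secret"},
    "User": {"View Secret"},
}

# Constructed sample: user -> set of roles assigned to that user
USERS = {
    "nick": {"Full Admin without UA"},
    "alice": {"UA Enabler"},
    "bob": {"Unlimited Admin"},
    "carol": {"UA Enabler", "Unlimited Admin"},   # violates the split
    "dan": {"User"},
}


def effective_permissions(user, users=USERS, roles=ROLES):
    """Union of permissions across every role the user holds."""
    perms = set()
    for role in users[user]:
        perms |= roles.get(role, set())
    return perms


def sod_findings(users=USERS, roles=ROLES):
    """Return {user: [finding, ...]} for users who can reach UA on their own.

    DIRECT:   holds both the enable right and the UA right today.
    INDIRECT: can edit roles, so can grant themselves whatever they lack;
              this is the case an event subscription on role changes and
              change control are meant to cover.
    """
    findings = defaultdict(list)
    for user in users:
        perms = effective_permissions(user, users, roles)
        if ENABLE_UA in perms and ACT_UA in perms:
            findings[user].append("DIRECT: can enable UA mode and act as Unlimited Admin")
        elif EDIT_ROLES in perms:
            findings[user].append("INDIRECT: can edit roles and self-grant the UA rights")
    return dict(findings)


def sod_report(users=USERS, roles=ROLES):
    """One line per finding, sorted by user, for pasting into a ticket."""
    lines = []
    for user, items in sorted(sod_findings(users, roles).items()):
        for item in items:
            lines.append(f"{user}: {item}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(sod_report() or "no separation-of-duties violations")
```

Run it against a fresh export after every role change; a clean run means nobody can flip the switch alone, and any INDIRECT line is a person whose role edits must be alerted on and change-controlled, exactly the gap the thread's "Full Admin without the ability to enable UA" role leaves open.]]></description>
<pubDate>Tue, 14 Aug 2012 10:35:31 GMT</pubDate>
</item>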
<item>
<link>http://www.thycotic.com/forums/messages.aspx?TopicID=459</link>
<title>Message from Dan W</title>
<description><![CDATA[We are a small company using SecretServer. I would like to put my personal information in a folder that will be as protected as possible, even from the admin accounts.<br/><br/>Any advice for this? I could see limiting permissions to just my account and maybe having a notification if any admin user viewed my folders?]]></description>
<pubDate>Tue, 14 Aug 2012 10:23:13 GMT</pubDate>
</item>
</channel>
</rss>
