10/16/2012 12:21:12 PM
 Christoph H Posts: 3
Hello
Are there any best practices or templates for how to set up a folder structure for secrets, as well as groups for permissions to those folders?
Example: I am sure everywhere there is a Helpdesk, groups of Networkers, Microsoft and Linux admins, Database admins, web admins, security guys, etc.
Should folders be named by e.g. geolocation, with sub-structures such as application, DB, OS, Network, etc., and then assign the AD groups of the networkers, the helpdesk people, DB admins etc. to them?
Or are there other ideas?
How is this structure undermined by access requests to secrets from users?
Can that password requesting mechanism be deactivated?
Thanks, Christoph
10/17/2012 1:06:31 PM
 Nick D Posts: 58
Glad you found that thread helpful. As far as the owner goes, yes, there is a snowball effect. If you are an owner of a secret you can give ownership rights to someone else. We had a scenario where we didn't want to do this for a very important process at my company.
Basically, all secrets require an owner. No way around it. We have an internal application for our ecommerce site that requires key rotation. This key is simply a password. We had a requirement that no one ever know this key/password. So we developed an internal tool (although there are many free ones available) that would take 2 strings of text, combine them, and generate another string of text (a hash). This final hash becomes the password for this internal eCommerce tool.
What we did was create 2 secrets in Secret Server. For simplicity let's call them "Super Secret #1" and "Super Secret #2". We gave 3 unique employees access to #1 and 3 other employees access to #2 (View/Read). Under no circumstances are the employees with access to #1 allowed to view #2 and vice versa. Since secrets require an owner, what we did was make a local user in Secret Server called "Phantom Owner". The password for Phantom Owner is unknown, as we just smashed all the buttons on the keyboard during creation. We then added "Phantom Owner" to each of secrets #1 and #2. Since no one knows the password for Phantom Owner, no one can log in as that user to change the permissions on the secrets. The only way to address this is by going into Unlimited Admin mode, which we built a very strong process around (internal process as well as roles, auditing, event subscriptions, etc.).
This was a huge success for a major internal process we have.
Have fun!
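The "take 2 strings, combine them, hash the result" step in Nick D's post is a split-knowledge derivation: each half lives in its own Secret Server secret, and only the combined hash is ever used as the application password. The script below is an added example of that step, written for this thread; it is not Nick's internal tool, and the context label, output length and sample part values are all made-up assumptions. It also shows the one pitfall a practitioner should avoid in the "combine" step: plain concatenation loses the boundary between the two parts, so two different splits of the same characters produce the same password.

```python
"""Split-knowledge password derivation: two independently held parts are
combined and hashed into one password that nobody has to know in full.
Added example for this thread; not Nick D's internal tool."""
import base64
import hashlib


def combine_naive(part1: str, part2: str) -> str:
    """Plain concatenate-then-hash ("take 2 strings, combine them, hash").
    The part boundary is lost: ('ab', 'c') and ('a', 'bc') collide."""
    return hashlib.sha256((part1 + part2).encode("utf-8")).hexdigest()


def _length_prefixed(*parts: str) -> bytes:
    """Encode each part as 4-byte big-endian length + bytes, so the
    combined byte string has exactly one parse."""
    out = bytearray()
    for part in parts:
        data = part.encode("utf-8")
        out += len(data).to_bytes(4, "big") + data
    return bytes(out)


def combine_parts(part1: str, part2: str, context: str = "ecommerce-key",
                  length: int = 32, iterations: int = 600_000) -> str:
    """Derive a printable password from two parts held by different people.

    context    -- hypothetical purpose label; the same two parts reused for a
                  different system yield a different password.
    length     -- characters of output (urlsafe base64, fits most password
                  fields; 16..64).
    iterations -- PBKDF2 work factor; both runs must use the same value.

    The salt is derived from the context rather than random because the
    result has to be reproducible by whoever legitimately re-runs the tool.
    """
    if not part1 or not part2:
        raise ValueError("both parts are required")
    if not 16 <= length <= 64:
        raise ValueError("length must be between 16 and 64 characters")
    material = _length_prefixed(context, part1, part2)
    salt = hashlib.sha256(b"split-knowledge-salt:" + context.encode("utf-8")).digest()
    derived = hashlib.pbkdf2_hmac("sha256", material, salt, iterations, dklen=48)
    # 48 bytes -> 64 base64 chars with no padding; trim to the requested length.
    return base64.urlsafe_b64encode(derived).decode("ascii")[:length]


if __name__ == "__main__":
    # Constructed sample parts; in practice each comes from a separate
    # Secret Server secret that a different group is allowed to view.
    part_a = "correct horse battery"   # held by viewers of "Super Secret #1"
    part_b = "staple 7x!Q"             # held by viewers of "Super Secret #2"
    print("password:", combine_parts(part_a, part_b))
    print("naive collision:", combine_naive("ab", "c") == combine_naive("a", "bc"))
    print("prefixed collision:", combine_parts("ab", "c", iterations=1000)
          == combine_parts("a", "bc", iterations=1000))
```

Whoever runs the tool necessarily sees both parts for the moment the derivation executes, so the place it runs (and the two people typing into it) is the real control point; the PBKDF2 stretching only matters if the parts are human-chosen strings that an attacker with the hash could try to guess.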