Secret Server Qualys Integration Guide



Similar documents
Tenable for CyberArk

IBM Security QRadar SIEM Version MR1. Vulnerability Assessment Configuration Guide

Managing Qualys Scanners

FREQUENTLY ASKED QUESTIONS

Web Application Security. Radovan Gibala Senior Field Systems Engineer F5 Networks

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

Identity and Access Management Integration with PowerBroker. Providing Complete Visibility and Auditing of Identities

Acunetix Web Vulnerability Scanner. Getting Started. By Acunetix Ltd.

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite.

Installing and configuring Microsoft Reporting Services

GFI White Paper PCI-DSS compliance and GFI Software products

Active Directory Self-Service FAQ

Mobile Device Management Version 8. Last updated:

Setting Up Scan to SMB on TaskALFA series MFP s.

Netwrix Auditor. Administrator's Guide. Version: /30/2015

Privileged. Account Management. Accounts Discovery, Password Protection & Management. Overview. Privileged. Accounts Discovery

Policy Compliance. Getting Started Guide. January 22, 2016

Introduction to the EIS Guide

IBM Security QRadar Version Vulnerability Assessment Configuration Guide IBM

HOW TO CONFIGURE SQL SERVER REPORTING SERVICES IN ORDER TO DEPLOY REPORTING SERVICES REPORTS FOR DYNAMICS GP

Cloud Services ADM. Agent Deployment Guide

Contents. Platform Compatibility. GMS SonicWALL Global Management System 5.0

ESET SECURE AUTHENTICATION. Check Point Software SSL VPN Integration Guide

PineApp Surf-SeCure Quick

IIS, FTP Server and Windows

Owner of the content within this article is Written by Marc Grote

ESET SECURE AUTHENTICATION. SonicWall SSL VPN Integration Guide

Secure Messaging Server Console... 2

Desktop Surveillance Help

FISMA / NIST REVISION 3 COMPLIANCE

How To - Implement Single Sign On Authentication with Active Directory

STARTER KIT. Infoblox DNS Firewall for FireEye

IBM Security QRadar Vulnerability Manager Version User Guide

IBM Security QRadar SIEM Version MR1. Administration Guide

Active Directory Management. Agent Deployment Guide

IBM. Vulnerability scanning and best practices

SANS Top 20 Critical Controls for Effective Cyber Defense

Product Manual. MDM On Premise Installation Version 8.1. Last Updated: 06/07/15

How To Set Up Chime For A Coworker On Windows (Windows) With A Windows 7 (Windows 7) On A Windows 8.1 (Windows 8) With An Ipad (Windows).Net (Windows Xp

Tool Tip. SyAM Management Utilities and Non-Admin Domain Users

NETWRIX EVENT LOG MANAGER

System Administration Training Guide. S100 Installation and Site Management

qliqdirect Active Directory Guide

How to Migrate to MailEnable using the Migration Console

PCI DSS 3.0 Compliance

How to Configure Active Directory based User Authentication

Active Directory Management. Agent Deployment Guide

For Active Directory Installation Guide

Immotec Systems, Inc. SQL Server 2005 Installation Document

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

Copyright 2012 Trend Micro Incorporated. All rights reserved.

Kaseya 2. User Guide. Version 6.1

User Management Guide

White Paper. Installation and Configuration of Fabasoft Folio IMAP Service. Fabasoft Folio 2015 Update Rollup 3

HP Client Automation Standard Fast Track guide

Quick Start Guide: Utilizing Nessus to Secure Microsoft Azure

IBM Security QRadar Vulnerability Manager Version User Guide IBM

Step-By-Step Guide to Deploying Lync Server 2010 Enterprise Edition

SOA Software API Gateway Appliance 7.1.x Administration Guide

Copyright 2013, 3CX Ltd.

2: Do not use vendor-supplied defaults for system passwords and other security parameters

CSN38:Tracking Privileged User Access within an ArcSight Logger and SIEM Environment Philip Lieberman, President and CEO

CIFS Permissions Best Practices Nasuni Corporation Natick, MA

WildFire Reporting. WildFire Administrator s Guide 55. Copyright Palo Alto Networks

Netwrix Auditor for Exchange

Advanced Configuration Steps

FTP Service Reference

Offline Scanner Appliance

Quest InTrust. Version 8.0. What's New. Active Directory Exchange Windows

K7 Business Lite User Manual

Getting Started Guide: Getting the most out of your Windows Intune cloud

An Overview of Samsung KNOX Active Directory-based Single Sign-On

File Share Navigator Online 1

Extreme Networks Security Vulnerability Assessment Configuration Guide

Intel Entry Storage System SS4200-E Active Directory Implementation and Troubleshooting

Secret Server Splunk Integration Guide

Managed Antivirus Quick Start Guide

Strengthen security with intelligent identity and access management

GRAVITYZONE HERE. Deployment Guide VLE Environment

LifeCyclePlus Version 1

Remote Monitoring Service - Setup Guide for InfraStruXure Central and StruxureWare 1 5

Installing and Configuring Guardium, ODF, and OAV

Configuration Task 3: (Optional) As part of configuration, you can deploy rules. For more information, see "Deploy Inbox Rules" below.

4. Getting started: Performing an audit

Secure Web Appliance. Reverse Proxy

Xerox Mobile Print Cloud

PI Cloud Connect Overview

Administration Guide. . All right reserved. For more information about Specops Password Sync and other Specops products, visit

How To - Implement Clientless Single Sign On Authentication in Single Active Directory Domain Controller Environment

How to Logon with Domain Credentials to a Server in a Workgroup

PowerBroker for Windows Desktop and Server Use Cases February 2014

MySQL Security: Best Practices

How to Secure a Groove Manager Web Site

Assuria can help protectively monitor firewalls for PCI compliance. Assuria can also check the configurations of personal firewalls on host devices

Hayri Tarhan, Sr. Manager, Public Sector Security, Oracle Ron Carovano, Manager, Business Development, F5 Networks

DIGIPASS Authentication for GajShield GS Series

Management, Logging and Troubleshooting

Five Steps to Improve Internal Network Security. Chattanooga ISSA

Transcription:

Secret Server Qualys Integration Guide Table of Contents Secret Server and Qualys Cloud Platform... 2 Authenticated vs. Unauthenticated Scanning... 2 What are the Advantages?... 2 Integrating Secret Server for Authenticated Scans... 3 Setting up the Vault... 3 Creating Authentication Records... 6 Automatically Change Passwords After Each Scan... 8 Enable Password Changing on Check In... 9 Configure a Secret for Check Out... 9 Troubleshooting... 10 Best Practices... 10 Folders... 10 Groups... 11 SSL... 11 IP Address Restrictions... 11 Event Subscriptions / SIEM... 11 Next Steps... 11 Heartbeat and Remote Password Changing... 11 SIEM Integration... 11 Additional Information... 12 About Thycotic... 12 About Secret Server... 12

Secret Server and Qualys Cloud Platform The Qualys cloud platform provides tools for organizations to scan and report on vulnerabilities within their networks. The cloud solution can scan externally accessible sites or devices, and an appliance can also be deployed to the internal network to access those devices. The Qualys suite delivers a full set of tools for addressing PCI compliance mandates, malware detection, and Zero-Day risk analysis. Secret Server is an on-premises web-based password vault used throughout the world to help organizations properly manage privileged account passwords. Secret Server allows users to control access and automate password changes for a variety of enterprise resources such as servers, databases, network devices, and applications. With auditing throughout the application and role-based access control (RBAC) on all information and features within the system, organizations can easily deploy Secret Server to be more secure, reduce labor costs, adopt password best practices and satisfy audit requirements. AUTHENTICATED VS. UNAUTHENTICATED SCANNING Unauthenticated security scanning means that only media available without authenticating to the target will be scanned. Unauthenticated scans reveal general configuration issues such as open ports, code errors, or improperly defined permissions. While these are important targets for a proper security scan, when users sign in, the experience is often more complicated. Features available to authenticated users could include deeper access to internal data, systems, and networks. In contrast, Authenticated security scanning means that a specific user credential has been assigned to allow greater access to the target when scanning. These are important distinctions because access to resources can vary greatly depending on the level of access granted with authentication. Systems or applications hit with targeted attacks can benefit greatly with authenticated scanning. This is due to the greater access given to users and especially administrative users (who have greater capability to modify or even delete data). WHAT ARE THE ADVANTAGES? Authenticated testing is much more thorough and is often able to find more issues than unauthenticated. An authenticated test has access to more sensitive data such as registry keys, file shares, or services. Unauthenticated testing alone will not simulate targeted attacks on your application or system, and is therefore unable to find a wide range of possible issues. Unauthenticated testing will not find internal compliance issues; authenticated scanning is required by Qualys for compliance scans. The ability to automatically change passwords after use in authenticated scanning, which is important in protecting against Pass-the-Hash attacks.

Storing passwords in the cloud makes it difficult to keep records up to date with actual password values; storing passwords in an on-premises tool allows real-time management of password rotation. Bridge the gap between Security and Operations teams by combining authenticated scanning practices with password policy best practice. Integrating Secret Server for Authenticated Scans Administrators can add credentials to the Qualys tool for use in trusted scans without the use of a password management solution. Qualys can also use Secret Server as a repository for the accounts used for authenticated scanning. Using Secret Server means that all the credentials used for authenticated scans will be stored securely on-premises and will not leave the network. SETTING UP THE VAULT To use Secret Server, an administrator must configure it as a Vault within Qualys by specifying a URL and credentials to access the on-premises Secret Server instance. Instead of adding username/password credentials for use in trusted scans, the administrator can point to named records that are stored in Secret Server. Qualys will retrieve the credentials from Secret Server at scan time for trusted scans. The first step is to add a new Authentication Vault in Qualys. To do so, navigate to the Authentication tab and select Authentication Vaults from the New menu (Figure 1). Select Thycotic Secret Server from the list of vaults. Enter the following access information for your Secret Server site: URL This is the URL for Secret Server web services. Ensure that web services are enabled in your Secret Server instance by clicking Configuration from the Administration menu and enabling web services. Add /sswebservices/sswebservice.asmx to your Secret Server URL to obtain the URL for the web services: https://yoursecretserver/sswebservices/sswebservice.asmx If you do not have SSL enabled, web services can be accessed on http, but that is not advisable for production systems. The vault is accessed from the scan agent, so the Secret Server website must be reachable from the Qualys scanner appliance, not the Qualys cloud instance. User Name The user account for accessing Secret Server. This can either be local Secret Server account, or an Active Directory account. User accounts can be created in Secret Server from the Users section of the Administration menu (Figure 3). Password The password for the account accessing Secret Server. Domain This is only required if the account used for accessing Secret Server is a domain account. If it is, enter the FQDN of the domain, i.e. office.corp.com.

Figure 1 Adding Authentication Vaults

Figure 2 Adding a Secret Server Vault Figure 3 Qualys Secret Server User Account

CREATING AUTHENTICATION RECORDS Once the authentication vault has been configured, individual authentication credentials can be configured to retrieve their passwords from Secret Server. To create an Authentication Record (Windows, Unix, Oracle, Oracle Listener, MS SQL Server, and IBM DB2 authentication vault integration is supported by Qualys today), select the record type from the New menu in the Authentication tab. The Authentication Vault configuration requires three additional details to retrieve the password: Vault Type This should be set to Thycotic Secret Server Vault Title This is the name of the previously created Authentication Vault record in Qualys. Secret Name This is the Secret record in Secret Server that contains the accounts password. The Secret Name must match exactly the corresponding Secret Name in Secret Server (see Figure 5). Figure 4 Windows Authentication Vault Record

Note Ensure that the Secret Name exactly matches the name specified in Qualys. In addition to creating a Secret with the correct password for the credential used for authenticated scanning, the Qualys user account must be granted at least View access to the Secret. Click Share to view the permissions on the Secret. In this case the Secret inherits permissions from the folder settings, which is generally a best practice. View the folder level permissions by editing the folder the Secret is in. Once the Secret is configured with the proper permission, Qualys can use it in scans. Run a scan that uses that authentication record to verify that everything is working end-to-end. Figure 5 Secret

Figure 6 Secret Permissions Figure 7 Folder Level Permissions AUTOMATICALLY CHANGE PASSWORDS AFTER EACH SCAN You can leverage Secret Server s Check Out feature to ensure that passwords used for authenticated scanning are changed after use. This is an important measure in protecting your privileged accounts from Pass-the-Hash attacks, because it means that the password hash stored in each machine from use during scanning will no longer be valid once the password has been changed in Active Directory. Check Out with Change Password on Check In means that the password for your domain account will be changed automatically after scanning is complete. Note Check Out requires Enterprise or Enterprise Plus edition.

Enable Password Changing on Check In To verify that Password Changing on Check In is enabled, use the following instructions: 1. Navigate to Remote Password Changing from the ADMIN menu. 2. If Enable Password Changing on Check In is set to No or doesn t appear, click Edit and ensure that the Enable Remote Password Changing and Enable Password Changing on Check In check boxes are both selected. 3. Click Save. Figure 8 Remote Password Changing settings Configure a Secret for Check Out Enable Check Out with Change Password on Check In to ensure that the password for your privileged account is changed after each use. To do so, use the following steps: 1. Find your privileged account Secret and click View. 2. Click the Security tab and then click Edit. 3. Select the Require Check Out check box, and then select the Change Password On Check In check box as well. 4. Click Custom, and enter a period of time that you estimate will allow enough time for authenticated scanning to complete. 5. Click Save. Figure 9 Enabling Check Out for a Secret

Troubleshooting If the authenticated scan is failing, or isn t finding the Secret there are a few settings to check to make sure the integration is configured correctly: Are web services enabled? Web services in Secret Server must be enabled for this integration to function. Check the web services status from the Configuration section of the Administration menu. Is Secret Server accessible? The URL defined when setting up the authentication vault must be accessible by the Qualys appliance. Ensure proper DNS settings and firewall rules are in place to allow access from the appliance to Secret Server web services. Are permissions and security settings configured correctly? The Qualys user needs at least read access to the Secret. Note If certain security settings are in place, such as Approval for Access, and Hide Launcher Password the user will need elevated access. Other settings such as DoubleLock will prevent the Qualys account from accessing the Secret. If a Secret is configured for Check Out, Secret Server will automatically check out the Secret to the Qualys user. Check audit trails To help determine whether the Qualys account is correctly accessing Secret Server and the stored credential, check the audit on the Qualys user to see if it is logging in successfully from the appliance and view the audit on the Secret to see if there are view records which will show that the Secret was actually accessed. Best Practices Folders Permissions in Secret Server are similar to NTFS, and are assigned at the Secret or folder level. To make maintenance simple going forward, a standard model is to place all the credentials needed for scanning in a separate folder that the security team can manage. Give the Qualys Secret Server account read-only access to the folder and it will automatically gain access to new credentials added to the folder for scanning. In the example screenshots in this guide, the ScanAdmin Secret is placed in the Scan Credentials folder, which an admin and the Qualys user account have access to.

Groups If there are multiple authentication vaults set up in Qualys with separate user accounts for accessing Secret Server, it is recommended to assign all of them to a local Secret Server group to simplify permission management moving forward. SSL Ensure that Secret Server is configured to force connections over HTTPS. This can be verified by clicking the Security Hardening tab from the Reports section of Secret Server. IP Address Restrictions Secret Server allows whitelisting of IP address ranges to restrict where accounts can log in from. For the Qualys Secret Server account, it is recommended to only allow it access from the Qualys agent appliance to help prevent misuse of the account. Event Subscriptions / SIEM Configure email or SIEM alerts to get notified if the Qualys account gets locked out of fails to login to the vault. This can indicate the password was updated in Active Directory or Secret Server without updating the Qualys Authentication Vault record. For more information on alerts refer to the user guide and the syslog integration guide. Next Steps HEARTBEAT AND REMOTE PASSWORD CHANGING Automatically manage privileged credentials for security and compliance. Secret Server can regularly change the passwords used for scanning, and verify the password is correct, which increases security and lowers the administrative burden of authenticated scanning. SIEM INTEGRATION Correlate privileged account usage with network activity. Since Secret Server audits named user access to generic accounts, and can log audits, a SIEM tool can provide information of what named user was using a privileged or generic account on the network.

Additional Information ABOUT THYCOTIC Thycotic creates intuitive, reliable, IT security solutions that empower companies to remove the complexities associated with proper control and monitoring of privileged accounts. An Inc. 5000 company, Thycotic is recognized as the fastest growing, privately held PAM provider in the USA. Rated #1 in customer satisfaction and trusted by over 100,000 IT professionals worldwide including members of the Fortune 500, enterprises, government agencies, technology firms, universities, non-profits, and managed service providers. ABOUT SECRET SERVER Secret Server privileged identity and password management vaults, monitors, audits and automates privileged accounts across a company s entire IT infrastructure and is designed to reduce internal and external threats, improve security and restrict user access. For more information, visit the Thycotic website.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information