Managing privileged passwords (those used by IT professionals) is an essential part of a credible data security policy, but it can be one of the most problematic. These passwords provide admin or root access to critical servers, infrastructure devices and applications. However, far too many businesses fail to enforce procedures for auditing and controlling their use.

Secret Server from Thycotic addresses these problems by providing a secure central repository for privileged passwords. Not only does it manage and audit all access and permissions, but it can automate password changes to comply with regulations. It also provides a recording function for viewing session activity.

Secret Server runs on any Windows platform from XP upwards and for testing we loaded it on a Server 2008 R2 system. Along with IIS, it requires an existing SQL Server database and we used the freely available SQL Express 2008 R2. The installation process and system requirements are very well documented. We created a new SQL database and user from the Management Studio as directed, and were up and running in under thirty minutes.

The web console is well designed and the use of widgets in its Dashboard allows it to be easily customised. Secrets define sensitive information, including usernames, passwords and details of the associated host. Creation is simplified using templates and Thycotic provides a good range of predefined options including AD, Cisco, SQL, LDAP and Unix accounts. You can also create custom templates with multiple fields for usernames, passwords, domains and so on.
Folders store and organise different categories of secrets to simplify management. Naturally, you'll want to manage and control access to specific secrets, and Secret Server accounts are used to determine access levels and privileges. Secret Server integrates tightly with Active Directory and we used its discovery routine on our AD domain controller to import all users with administrative privileges. You can also create local users and, in both cases, determine the roles each will play and their access levels.

Secret creation is a simple process: you pick a template and add the requested details to its fields. We were impressed with the levels of control that can be applied. You can request that the secret password is automatically changed using a format that complies with regulations. You can also request that users are not allowed to see the password: they can access the resource via Secret Server but the password itself remains hidden. For critical systems or devices such as domain controllers or key routers, you can even request that the admin password is changed automatically after every user session.

Security is tight, as all secrets are stored in the repository using AES-256 encryption. The DoubleLock feature in the Enterprise edition tightens this up even further with an extra encryption key that uses a second password.

Secrets are accessed from the home page and each includes a Launcher that fires up the relevant application for the user. This method means there is no real need for them to even see the password. Full audit trails are maintained so administrators can view all session activity. A valuable feature is the ability to see sessions run by employees who have since left the company, which allows the relevant passwords to be changed. The new recording feature adds extra levels of accountability, as user sessions are retained as MPEG movies that can be replayed as required.
Privileged accounts and passwords must be securely managed as they represent the keys to the kingdom for most businesses. Secret Server provides a powerful solution that ensures access is granted only to authorised users and that privileged passwords are changed in accordance with regulations. NC

Product: Secret Server 7.8