Unlimited Administration Mode

Overview

Unlimited administration mode is a feature designed to allow an administrator access to all secrets and folders in their Secret Server instance without explicit permission. It can be used in the event of an emergency where access to a secret is needed and no user who has permission to it is available. Alternatively, it can be used when company policy requires administrators to have access to all information in the system.

An unlimited administrator in Secret Server has extensive capabilities, including access to all secrets and folders even without explicit permission. The key capabilities and the risks that come with them are as follows:

Capabilities and Risks

Unlimited admin mode is a double-edged sword and must be carefully managed:

Capabilities

Unlimited administrators have:

  • Complete Control: Access to all administrative features without restriction.

  • Access to All Secrets: Unlimited administrators can run Secret Server in unlimited administrator mode, which grants them access to all secrets and folders.

  • Audit and Reporting: Unlimited administrators can generate and view over 90 out-of-the-box reports to monitor privileged access and ensure proper password hygiene.

  • Break-the-Glass Capability: This feature is part of the disaster recovery capabilities, allowing emergency access to secrets in critical situations.

  • Secret Checkout Override: Unlimited administrators can access secrets even when they are checked out by another user, ensuring accountability and traceability of secret usage.

Risks and Mitigation

Risks

Unlimited admin mode exposes Secret Server to:

  • Potential for Abuse: With the ability to access all secrets, there is a risk that an unlimited administrator could misuse their privileges, intentionally or accidentally.

  • Security Gaps: Without proper monitoring and auditing, the extensive access granted to unlimited administrators could be exploited by bad actors if the administrator's credentials are compromised.

  • Insider Threats: An unlimited administrator could potentially become an insider threat if they decide to act maliciously or if their account is taken over by an external attacker.

Mitigation

To mitigate these risks, it is crucial to have robust monitoring, auditing, and alerting mechanisms in place. Secret Server provides features such as automatic email alerts for unlimited-administrator-mode access, detailed audit trails, and the ability to require dual control for certain actions to enhance security.

A user with the "Unlimited Administrator" role permission can view and edit all secrets in the system, regardless of permissions, but only while unlimited administration mode is enabled in the configuration settings; the Unlimited Administrator role permission does not itself grant the right to enable the mode. Enabling unlimited administration mode requires the Administer Configuration Unlimited Admin role permission. This provides dual control, ensuring no single user can both enable unlimited administration mode and use it. This safeguard is, of course, bypassed if both role permissions are simply assigned to the same user.

The Unlimited Administrator Mode role permission is assigned to the Administrator role by default.
A banner alert, visible to all users, displays at the top of the Secret View page when unlimited administration mode is enabled.
The Administer Configuration Unlimited Admin role permission was formerly called "Administer Unlimited Admin Configuration."

Enabling Unlimited Administration Mode

  1. Ensure you have the Administer Configuration Unlimited Admin permission.

  2. Click Settings on the main menu and select Configuration Search. The Search Configuration page appears.

  3. Click the Unlimited Admin link. The Unlimited Admin page appears.

  4. Click the Edit button.

We recommend that administrators have specific permissions to folders and secrets, and that this mode be used only temporarily, to assign the correct permissions.
Changes to the administration mode are logged in an audit grid. The grid shows the user who made the change, the time of the change, and any notes entered by that user.
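The two controls the text relies on, the dual-control split between the two role permissions and the audit grid of mode changes, are both things a defender can check mechanically. The following script is an added example, not Secret Server's own code or API: it works from constructed exports (a hypothetical role-to-permission mapping, hypothetical user-to-role assignments, and invented audit-grid rows in the user/time/notes shape the page describes) and reports users who hold both role permissions, enable events recorded without a note, and sessions that ran longer than a chosen window. Only the permission names and the default placement of the Unlimited Administrator role permission on the Administrator role come from the page; everything else is assumed.

```python
from datetime import datetime, timedelta

# Role permission names as the page gives them.
PERM_UNLIMITED_ADMIN = "Unlimited Administrator"
PERM_CONFIGURE_UNLIMITED_ADMIN = "Administer Configuration Unlimited Admin"

# Constructed data: hypothetical roles and users. Only the first mapping reflects
# the page (the Unlimited Administrator role permission is on the Administrator
# role by default); the other roles and all users are invented for illustration.
ROLE_PERMISSIONS = {
    "Administrator": {PERM_UNLIMITED_ADMIN, "Administer Users"},
    "Break Glass Approver": {PERM_CONFIGURE_UNLIMITED_ADMIN},
    "User": {"View Secrets"},
}
USER_ROLES = {
    "alice": {"Administrator"},
    "bob": {"Break Glass Approver"},
    "carol": {"Administrator", "Break Glass Approver"},  # holds both: dual control defeated
    "dave": {"User"},
}


def effective_permissions(user, user_roles, role_permissions):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in user_roles.get(user, ()):
        perms |= role_permissions.get(role, set())
    return perms


def dual_control_violations(user_roles, role_permissions):
    """Users who can both enable unlimited administration mode and use it."""
    both = {PERM_UNLIMITED_ADMIN, PERM_CONFIGURE_UNLIMITED_ADMIN}
    return sorted(
        user for user in user_roles
        if both <= effective_permissions(user, user_roles, role_permissions)
    )


# Constructed audit-grid rows (time, user, action, notes); all values invented.
AUDIT_GRID = [
    ("2024-05-01T09:00:00", "bob", "Enabled", "INC-1234: emergency access, secret owner unavailable"),
    ("2024-05-01T09:45:00", "bob", "Disabled", "INC-1234 closed"),
    ("2024-05-03T14:10:00", "carol", "Enabled", ""),
    ("2024-05-06T08:00:00", "carol", "Disabled", ""),
]


def review_audit_grid(rows, max_window=timedelta(hours=4), now=None):
    """Return findings: enable events without a note, sessions longer than
    max_window, and a session still open past max_window at `now` (if given)."""
    findings = []
    open_session = None  # (start_time, user) while the mode is enabled
    for ts, user, action, notes in rows:
        t = datetime.fromisoformat(ts)
        if action == "Enabled":
            if not notes.strip():
                findings.append(f"{ts}: {user} enabled unlimited admin mode without a note")
            open_session = (t, user)
        elif action == "Disabled" and open_session is not None:
            start, who = open_session
            hours = (t - start).total_seconds() / 3600
            if t - start > max_window:
                findings.append(
                    f"{ts}: session opened by {who} exceeded the {max_window} window ({hours:.1f} h)"
                )
            open_session = None
    if open_session is not None and now is not None:
        start, who = open_session
        if now - start > max_window:
            findings.append(f"{now.isoformat()}: mode enabled by {who} is still on")
    return findings


if __name__ == "__main__":
    print("Dual-control violations:", dual_control_violations(USER_ROLES, ROLE_PERMISSIONS))
    for finding in review_audit_grid(AUDIT_GRID, now=datetime(2024, 5, 7)):
        print(finding)
```

The window length is a policy choice; the point of the check is that the audit grid alone records facts, and someone still has to compare those facts against the "temporary use only" recommendation and the role separation the dual control depends on.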