Step 4: Security Best Practices
As you start using Secret Server, we strongly recommend configuring the following security settings. While these are optional, setting them is a best practice.
Local Admin Account Best Practices
Even if you plan to use Active Directory to log into Secret Server (see Active Directory and Secret Server Overview), chances are you will need to use this account again. This is the first account you created during the installation process. Keep this account secure and avoid being locked out of Secret Server by following these suggestions:
- Store the credentials in a secure location that you can access if you lose all access to Secret Server.
- Enable the Allow Users to Reset Forgotten Passwords setting to provide a way of resetting the password if the account is locked out or if the password is forgotten:
  - Select Admin > Configuration. The Configuration page appears.
  - Click the Local User Passwords tab to locate the setting.
  - Click the Edit button to edit the setting.
  - Click the Save button when finished.
  This requires having an SMTP server configured.
- Configure the other Local User Passwords settings to enforce your password requirements, expiration, password history, and other password policies.
SSL (HTTPS) Best Practice
We recommend requiring SSL access to Secret Server. This requires setting up an SSL certificate for the website, preferably with a domain certificate. However, if you don't have a certificate, see Installing Self-Signed SSL Certificates. Once you have your certificate:
- Configure the HTTPS binding for your Secret Server website using the certificate you choose.
- Ensure your certificate is trusted on the Secret Server users' machines. See Trusting an SSL Certificate on a Client Machine for instructions.
- Enable Force HTTPS/SSL on the Security tab of the Secret Server Configuration settings.
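The binding and certificate-trust steps above, as an added PowerShell example that is not part of the Secret Server documentation. It assumes Secret Server is hosted in IIS under a site named Default Web Site and that a domain certificate for secretserver.example.local (both placeholders) has already been installed in the machine's personal certificate store; the Force HTTPS/SSL setting itself is still enabled in the Secret Server UI.

```powershell
# Added example, not Delinea documentation code. Assumptions: Secret Server runs in IIS
# under the site named below, and a domain certificate for the host name below is already
# in Cert:\LocalMachine\My. Both names are placeholders; adjust them for your environment.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$siteName = 'Default Web Site'              # assumption: IIS site hosting Secret Server
$hostName = 'secretserver.example.local'    # assumption: FQDN users browse to

# Pick the newest certificate issued for that host name that has a private key
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains $hostName -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for $hostName" }

# Confirm the certificate chains to a trusted root on this machine and is valid for SSL use;
# client machines perform the same check, so a failure here predicts browser warnings
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $hostName -ErrorAction SilentlyContinue)) {
    throw "Certificate $($cert.Thumbprint) is not trusted for SSL on $hostName"
}

# Create the HTTPS binding on port 443 if it does not exist, then attach the certificate
$binding = Get-WebBinding -Name $siteName -Protocol https -Port 443
if (-not $binding) {
    # SslFlags 1 = require SNI, which is needed when the binding carries a host header
    New-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName -SslFlags 1
    $binding = Get-WebBinding -Name $siteName -Protocol https -Port 443
}
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# Verify: the site has an https binding and the HTTP.sys listener presents our thumbprint
Get-WebBinding -Name $siteName -Protocol https | Format-Table protocol, bindingInformation
netsh http show sslcert | Select-String -Pattern $cert.Thumbprint
```

Once the binding is verified, enable Force HTTPS/SSL in the Secret Server Configuration settings so plain HTTP requests are redirected rather than served.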