Configuring Authentication and Login

The way Secret Server authenticates interactive users depends on the type of authentication your organization has configured. Secret Server can use Local Accounts, Active Directory Domain Accounts, or both for authentication into Secret Server.

Local Authentication

A local user account is stored and managed by Secret Server. To authenticate successfully, a local user must log in with a matching username and password. When using local login, user credentials are checked against the internal authorized users’ database.

To create, edit, or remove a local user account, navigate to Admin | Users and locate any users whose Domain is listed as "Local", or click Create New to add a user.

Domain Authentication

A domain user account is stored and managed by Secret Server, but is subject to changes made in Active Directory. To authenticate successfully, a user must log in with an Active Directory account that exists in Secret Server, using matching credentials. When using domain login, the TOE (Secret Server) initiates an authentication request to the external domain controller (Active Directory) using LDAP over TLS, and only allows access after receiving a successful result message.

For more information on syncing Secret Server with Active Directory credentials, see section 7.1 Configuring Active Directory Sync.

Account Lockout Configuration

To access any information or functionality within Secret Server, users must log in with correct local or domain credentials. To comply with Common Criteria requirements, Secret Server must be configured to prevent repeated unsuccessful login attempts. Account Lockouts are used for this purpose: after a limited number of unsuccessful authentication attempts, configurable by the Secret Server Administrator, an account becomes inaccessible until an Administrator unlocks the user’s account.

To configure Account Lockouts, navigate to Admin > Configuration > Login tab, click Edit, and adjust the number for Maximum Login Failures. The default for this setting is five attempts.

To unlock a user’s account, navigate to Admin > Users, select the user, and click Edit. Change the value for “Locked Out” from Yes to No, then click Save.

Lockout Window

Secret Server ships with a default Lockout Window of 60 minutes. This means that once a user has locked out their account, they will be able to log in with the correct credentials after one hour has passed. Account lockouts are designed to prevent brute force attacks.
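The Python model below is added here as an illustration and is not Secret Server's own code. It shows how the two settings described above interact: failures accumulate until Maximum Login Failures (default five) is reached, after which the account refuses even correct credentials until either the 60-minute Lockout Window has elapsed or an Administrator clears the Locked Out flag. The class and method names, the timestamps and the sample credentials are constructed for this example.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Values taken from the guide: default Maximum Login Failures is five and the
# default Lockout Window is 60 minutes. Everything else here is an assumed model.
MAX_LOGIN_FAILURES = 5
LOCKOUT_WINDOW = timedelta(minutes=60)


@dataclass
class LocalAccount:
    username: str
    password: str                 # constructed sample; a real store keeps a salted hash
    failures: int = 0
    locked_out: bool = False      # mirrors the "Locked Out" Yes/No field in Admin > Users
    locked_at: Optional[datetime] = None

    def is_locked(self, now: datetime) -> bool:
        """True while Locked Out is set and the Lockout Window has not elapsed."""
        if not self.locked_out:
            return False
        if self.locked_at is not None and now - self.locked_at >= LOCKOUT_WINDOW:
            # Window expired: the account may be used again with correct credentials.
            self.admin_unlock()
            return False
        return True

    def admin_unlock(self) -> None:
        """Equivalent of an Administrator changing Locked Out from Yes to No."""
        self.locked_out = False
        self.locked_at = None
        self.failures = 0

    def attempt_login(self, password: str, now: datetime) -> str:
        """Return 'ok', 'bad_credentials' or 'locked' for one interactive login."""
        if self.is_locked(now):
            return "locked"          # no credential check while locked
        # Constant-time comparison (only the length difference is observable).
        if not hmac.compare_digest(password.encode(), self.password.encode()):
            self.failures += 1
            if self.failures >= MAX_LOGIN_FAILURES:
                self.locked_out = True
                self.locked_at = now
                return "locked"      # this failure triggered the lockout
            return "bad_credentials"
        self.failures = 0            # a successful login resets the counter
        return "ok"


def demo_window_expiry() -> List[str]:
    """Five wrong passwords lock the account; correct credentials are refused
    inside the window and accepted once 60 minutes have passed."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)             # constructed timestamp
    acct = LocalAccount("alice", "correct-horse")  # constructed credentials
    results = [acct.attempt_login("wrong", t0 + timedelta(seconds=i)) for i in range(5)]
    results.append(acct.attempt_login("correct-horse", t0 + timedelta(minutes=30)))
    results.append(acct.attempt_login("correct-horse", t0 + timedelta(minutes=61)))
    return results


def demo_admin_unlock() -> List[str]:
    """An Administrator unlock restores access before the window has elapsed."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    acct = LocalAccount("bob", "s3cret-sample")
    for i in range(MAX_LOGIN_FAILURES):
        acct.attempt_login("wrong", t0 + timedelta(seconds=i))
    before = acct.attempt_login("s3cret-sample", t0 + timedelta(minutes=5))
    acct.admin_unlock()
    after = acct.attempt_login("s3cret-sample", t0 + timedelta(minutes=6))
    return [before, after]


if __name__ == "__main__":
    print(demo_window_expiry())
    print(demo_admin_unlock())
```

Note that a locked account is refused before the password is checked, so the lockout also stops an attacker from learning whether a guess was correct while the window is open; the counter resets only on a successful login or an unlock.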

How to Disable “Allow Remember Me” during Logins

By default, the Secret Server installer disables the “Allow Remember Me” caching feature for logins. To verify that this feature is disabled, navigate to Admin > Configuration > Login tab and confirm that the first setting, “Allow Remember Me”, is set to No. If it is set to Yes, click Edit, uncheck the toggle, then Save. Audits for this setting are logged under Admin > Configuration > General tab, by clicking the View Audit button. To filter the log results, search for “AllowRememberMe” in the search bar.

Configuring the Login Banner

To configure the Login Banner, navigate to Admin > Configuration > Login tab, scroll to the bottom of the page and click the Login Policy Agreement button, then click Edit and check the Enable Login Policy and Force Login Policy boxes.

Checking these boxes will (1) reveal the User’s Policy Agreement on the Login page, and (2) force users to agree to the policy when logging into Secret Server.

How to Modify the Login Banner Messaging

To modify the display text of this Login Policy Agreement, go to Secret Server’s web server and open File Explorer. Navigate to the text file “policy.txt” (the default file path is C:\inetpub\wwwroot\SecretServer\policy.txt).

Open this file in Notepad, adjust the text according to your organization’s policy requirements, then save. The default text reads as follows:

Access to this system is restricted to authorized users. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy. Any or all secrets may be modified, copied, audited, inspected, and disclosed to company management, law enforcement personnel, and other authorized individuals.

I understand that I am responsible for protecting the confidentiality of company secrets and will comply with the company Information Security Policy. Unauthorized or improper use of this system may result in administrative disciplinary action, civil and/or criminal penalties. By continuing to Login, I am indicating my awareness of and consent to these terms and conditions of use.

** CLOSE THIS SITE IMMEDIATELY if you do not agree to these conditions **

Configuring Session Timeouts

To configure Session Timeouts, navigate to Admin > Configuration > General tab and click Edit. Under the User Experience section, check the Force Inactivity Timeout check box, then adjust the number of minutes of inactivity before an active session in Secret Server times out and forces users to log in again. Click Save to save your changes.

Configuring IP Address Restrictions

To configure IP address restrictions, navigate to Admin > More… > IP Addresses and click Create New. Provide the IP Address User/Network Name and the IP Address Range, then click Save.

IP address restrictions can then be set at the user level by navigating to Admin | Users and clicking a user name, then clicking Change IP Restrictions and checking the Restriction checkbox for each restriction you would like to enable for that user. Save changes.

To restrict group access to Secret Server by a specific IP address or IP address range, first configure your IP address or range as described above, then navigate to Admin > Groups > Create New. Select all employees or groups of employees to impose this restriction on and move them left into the Members box. Click Save. Next, click Change IP Restrictions and check the box for your desired IP Address/Range. Save changes to apply. Users will now be restricted from accessing Secret Server outside of the designated IP Address Range.
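The Python below is added here as an illustration and is not Secret Server's code. It models how IP Address Range entries like those created above are evaluated as an allow-list against a connecting client's address: a user or group with one or more restrictions checked is admitted only from the listed ranges. The accepted range spellings (a single address, a CIDR block, or a start-end pair), the class and function names, and the sample addresses are assumptions for this example; consult the product documentation for the exact formats Secret Server itself accepts.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_ip_range(spec: str) -> List[Network]:
    """Parse one IP Address Range entry into a list of networks.

    Accepted spellings are assumptions for this example:
      '10.1.2.3'                 a single address
      '10.1.2.0/24'              a CIDR block
      '10.1.2.10-10.1.2.20'      an inclusive start-end pair
    """
    spec = spec.strip()
    if "-" in spec:
        start_s, end_s = (part.strip() for part in spec.split("-", 1))
        start, end = ipaddress.ip_address(start_s), ipaddress.ip_address(end_s)
        # Reject mixed IPv4/IPv6 pairs and reversed ranges instead of silently
        # producing an empty or over-broad rule.
        if start.version != end.version or start > end:
            raise ValueError(f"invalid IP range: {spec!r}")
        return list(ipaddress.summarize_address_range(start, end))
    # strict=False tolerates host bits in the prefix, e.g. '10.1.2.5/24'.
    return [ipaddress.ip_network(spec, strict=False)]


class IpRestrictionPolicy:
    """The set of IP Address restrictions checked for one user or group."""

    def __init__(self, entries: Iterable[Tuple[str, str]]):
        # entries: (User/Network Name, IP Address Range) as entered in the UI.
        self.rules: List[Tuple[str, List[Network]]] = [
            (name, parse_ip_range(rng)) for name, rng in entries
        ]

    def match(self, client_ip: str) -> Optional[str]:
        """Return the name of the first restriction containing client_ip, else None."""
        ip = ipaddress.ip_address(client_ip)
        for name, nets in self.rules:
            if any(ip.version == net.version and ip in net for net in nets):
                return name
        return None

    def is_allowed(self, client_ip: str) -> bool:
        """Allow-list semantics: with restrictions present, only listed ranges pass.
        A principal with no restriction checked is treated as unrestricted here
        (an assumption of this model)."""
        if not self.rules:
            return True
        return self.match(client_ip) is not None


def demo() -> Dict[str, bool]:
    """Evaluate a few constructed client addresses against constructed entries."""
    policy = IpRestrictionPolicy([
        ("Office LAN", "10.1.2.0/24"),
        ("VPN pool", "192.168.50.10-192.168.50.20"),
        ("Admin jump host", "2001:db8::10"),
    ])
    clients = ["10.1.2.77", "192.168.50.15", "192.168.50.21", "8.8.8.8", "2001:db8::10"]
    return {ip: policy.is_allowed(ip) for ip in clients}


if __name__ == "__main__":
    for ip, allowed in demo().items():
        print(f"{ip:>16}  {'allow' if allowed else 'deny'}")
```

The start-end form is expanded into the minimal set of CIDR blocks, so a range such as 192.168.50.10-192.168.50.20 becomes four networks rather than one; keeping the rule name with each match makes it straightforward to record which restriction admitted a login in an audit trail.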