API and Extensibility
APIs and built-in extensibility features are one of the best ways to improve the automation and flexibility of Secret Server and address novel use cases. PAM Maturity relies on the consistent handling of credentials across your organization. Using the API is a great way to enforce consistency, without additional administrative overhead.
Features like event pipelines can help to organize secrets and users, as well as tweak some settings that are not enforced via policy. Additionally, you can discover and manage new device types using extensible discovery or custom password changers. This section covers some high-level best practices for these features and how best to employ them in your environment.
Running PowerShell with Secret Server
Secret Server's extensible features almost all use PowerShell from the Web servers or distributed engines to execute code. Create a service account for these tasks and store it in a secure location with the other Secret Server service accounts. Documentation for our APIs and Scripting components can be found in our Knowledge Base.
PowerShell Runspaces
Runspaces are instances of the PowerShell engine within a process. They define the context a PowerShell runs in and preserve session state using variables and functions that you define, including modules that you load.
For scripts executing on the local or default site, Secret Server generates a runspace to localhost on the Web server (Web site processing) or distributed engine (engine processing or Secret Server Cloud). For scripts running against a specified site, any engine associated to that site may run the script and accomplish the work. This means any dependent configurations need to be made across all Web servers or engines within a site.
This runspace is generated using a specified secret credential in all cases. The credentials used are critical in the operations of PowerShell in Secret Server and a least-permissioned approach should be used.
A domain account, that is, a member of the "remote management users" or "local admin" groups, on the engines or Web servers will have enough permissions to generate the runspace Secret Server needs to execute code. Further restrictions to deny interactive log on can be applied; however, it is important to know what account to use for a least-permissions approach.
You can simplify the assignment of the privileged account in individual locations in Secret Server by specifying a "site run as" secret. This is a default secret for PowerShell running that prevents you from having to manually associate the secret in each place it is used. We highly recommend to configuring this setting on each site under the site's settings.
CredSSP
CredSSP is an authentication mechanism that is designed to delegate credentials across multiple sessions in PowerShell. By default, the runspace uses CredSSP authentication. This is not ideal as there are some security concerns with CredSSP. It is generally better to disable CredSSP authentication under all used sites, and instead implicitly pass credentials into the scripts. CredSSP does have dependent configurations that are required before it can be used.
However, If CredSSP is required, be very explicit with your delegate computer list. Allowlisting this option with an asterisk (*) may seem easy, but it allows an attacker to scale horizontally across your network.
API
The API is a powerful tool for improving automation and flexibility of your Secret Server deployment. Automation tools can pull dynamic credentials from the vault or leverage the API to create new secrets as part of an automation pipeline.
If your organization does not have script experts to improve your PAM program's flexibility, Delinea Professional Services can help to scope and create custom integrations to address your use cases. Contact your account manager or customer success manager to engage professional services.
API Authentication
Carefully consider your authentication strategy for the API when automating workflows. Authentication strategies that do not require hard coding a password into a configuration or script file are preferred. Secret Server Provides a few mechanisms to accomplish this:
Software Development Kit
The Secret Server Software Development Kit (SDK) is a mechanism to authenticate machines to a Secret Server instance, without having to pass implicit credentials into the system for each set of calls. To ensure proper RBAC, the SDK is associated to a specific API user in Secret Server. On the local system, once the SDK is initialized, it leverages DPAPI to encrypt the config files, tying it to the user who initialized it. You can use multiple SDK instances on the same machine; however, each instance needs its own directory.
Integrated Windows Authentication
You can enable Integrated Windows Authentication (IWA) in IIS to use native Windows authentication for API user authentication. This allows the domain to supply authentication between the Web server and Secret Server. This is a great option to remove credentials and automate authentication for automation processes in your environment.
Event Pipelines
Event Pipelines are a powerful feature that configures tasks that run based on triggers and filters. If scripting is not an option for you, pipelines can be a script-free way to accomplish a lot of what the API provides. You can use event pipelines to build the core automation of a mature PAM deployment.