Discovery
This section discusses some key best practices around using Secret Server's Discovery feature to find and manage accounts in your environment.
Discovery Workflow
While it may be tempting to immediately get started using discovery to get your accounts under control, there are a few things you can do ahead of time to make the enforcement of your organization's password policies more streamlined:
- Know which secret template you want to import accounts into. The template determines the password-changing and Launcher settings applied to your imported accounts.
- Have a folder structure established so there is a folder appropriate for each type or category of discovered account.
- Apply a secret policy to the folders you import to.
Having these settings in place can save you the considerable amount of time it could take to have to re-organize all of your accounts and policies post-import.
Enterprise Deployment Considerations
We broadly recommend starting small and choosing specific objectives when working with discovery. If your organization has 15 domains, for example, you may choose to first work with discovery in the domain you are most concerned about. Make the objectives even more specific where possible. An example first objective might be to configure discovery to find all local administrator accounts on all your servers, with discovery rules that ensure new servers have their local administrator password changed shortly after being built. Systems with elevated internal risk are also a good place to start. Other examples are provided below.
Cloud Accounts
In more recent Secret Server versions, discovery also covers cloud accounts: Google Cloud Platform service accounts and VM instances, and AWS account discovery.
Local Windows Accounts
How many local Windows accounts in your environment share the same password? Are they local admin accounts? A shared local administrator password means the hash captured from one machine logs on to every other machine that uses it. Use discovery to reduce that pass-the-hash risk quickly: find all of your local Windows accounts and give each one a unique, strong password managed by Secret Server, so a hash stolen from one host is useless on the rest. Where your admins previously had to remember one password to access all machines with local admin rights, they now have to remember zero passwords, because they can use Secret Server to find the machine and launch an RDP session as the local admin account without ever knowing, copying, or typing the password.
Find Backdoor Accounts
Ensuring that users are not creating backdoor administrative accounts on Windows machines is very important, as these accounts weaken general security and let a user access a machine directly without being audited. By running discovery at a regular interval and having discovery rules alert you when new accounts are found, you can ensure that any new local Windows account is identified and then either removed or brought under management in Secret Server.
Service Accounts
Many organizations do not know where their AD service accounts are used across the network. By using discovery to scan your network, you can find all of the Windows services, application pools, and scheduled tasks that run as AD service accounts. Once these accounts are found and brought into Secret Server, running discovery on a regular basis will find any new locations where an account has started being used since it was added to Secret Server. With discovery rules, those additional dependencies can be added to the existing secrets automatically. We recommend making sure that service account discovery has run, and that every dependency it found is attached to the secret, before using Secret Server to change the service account password: any service, pool, or task that discovery has not yet found will keep starting with the old password after the change and will fail, and repeated failed logons can lock the account out.
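A host-side version of the check described above, added here as an example; it is not Secret Server code and does not talk to Secret Server. It enumerates the services, scheduled tasks, and IIS application pools on the local server that run as a given AD account, so the result can be compared against the dependencies discovery attached to the secret before the password is rotated. The account name CORP\svc-report and the assumption that the script runs elevated on the server being checked are illustrative.

```powershell
# Added example, not Secret Server code: list every service, scheduled task and IIS
# application pool on this host that runs as a given AD account, so the result can be
# checked against the dependencies discovery attached to the secret before rotation.
# Assumes it runs elevated on the server being checked. 'CORP\svc-report' is a made-up
# account name used only as the default.
param(
    [string]$Account = 'CORP\svc-report'
)

function Test-SameAccount {
    param([string]$Candidate, [string]$Target)
    # Windows stores run-as identities as DOMAIN\user or user@domain.tld; accept both.
    if ([string]::IsNullOrWhiteSpace($Candidate)) { return $false }
    if ($Candidate -ieq $Target) { return $true }
    $user = $Target.Split('\')[-1]
    return ($Candidate -ilike "$user@*")
}

$hits = New-Object System.Collections.Generic.List[object]

# 1. Windows services: StartName is the logon account.
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if (Test-SameAccount -Candidate $svc.StartName -Target $Account) {
        $hits.Add([pscustomobject]@{ Type = 'Service'; Name = $svc.Name; RunAs = $svc.StartName; Detail = $svc.PathName })
    }
}

# 2. Scheduled tasks: the task principal's UserId is the run-as account.
foreach ($task in Get-ScheduledTask) {
    if (Test-SameAccount -Candidate $task.Principal.UserId -Target $Account) {
        $hits.Add([pscustomobject]@{ Type = 'ScheduledTask'; Name = $task.TaskName; RunAs = $task.Principal.UserId; Detail = $task.TaskPath })
    }
}

# 3. IIS application pools, only where IIS and the WebAdministration module exist.
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    foreach ($pool in Get-ChildItem IIS:\AppPools) {
        $pm = $pool.processModel
        if ($pm.identityType -eq 'SpecificUser' -and (Test-SameAccount -Candidate $pm.userName -Target $Account)) {
            $hits.Add([pscustomobject]@{ Type = 'AppPool'; Name = $pool.Name; RunAs = $pm.userName; Detail = 'SpecificUser identity' })
        }
    }
}

if ($hits.Count -eq 0) {
    Write-Output "No dependencies on $Account found on $env:COMPUTERNAME."
} else {
    # Every row here should also appear on the secret's dependency list before the password is changed.
    $hits | Format-Table -AutoSize
}
```

Run it on each server that is expected to host a dependency; anything it lists that discovery has not attached to the secret is a service, task, or pool that will break on the next rotation, so add it first. Discovery does the same enumeration across the whole network, which is why a completed discovery run is the prerequisite rather than a manual sweep.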
Unix Accounts
When scanning for Unix accounts, we recommend enabling SSH host key validation, as discussed in the Security Hardening Guide. This ensures that Secret Server only connects, and only presents the scanning credentials, to UNIX servers whose SSH host key is known and trusted, rather than to an unknown host that could be impersonating one of your servers in order to capture those credentials.
ESX/ESXi accounts
Local accounts on ESX/ESXi hosts should not change once the host is set up and configured. We recommend creating discovery rules that monitor your ESX/ESXi hosts and email the proper teams about any new account that is found. Because these accounts should not be created at all in normal operation, it is important to monitor for them and ensure that no one is creating them maliciously.
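The "alert on any new account" pattern described for Windows backdoor accounts and again for ESX/ESXi above comes down to one operation: compare this run's account inventory with the last one and report the additions. The script below is an added example, not Secret Server code or a Secret Server discovery rule; it implements that comparison for the local accounts on a Windows host, keeping the baseline in a JSON file. The baseline path is a made-up default, and it assumes it runs elevated. The Compare-Inventory function only needs Key, Name, Enabled, and IsAdmin on each record, so the same logic applies to an ESXi inventory collected by other means, as long as Key is a stable identifier for the account.

```powershell
# Added example, not Secret Server code: snapshot the local accounts on this host
# (and which of them sit in Administrators), diff against the snapshot from the last
# run, and report anything new. Assumes it runs elevated on a Windows host; the
# baseline file location is a made-up default.
param(
    [string]$BaselinePath = "$env:ProgramData\local-account-baseline.json"
)

function Get-LocalAccountInventory {
    # Compare by SID, not name: deleting and recreating 'backup' yields a new SID,
    # which is exactly the kind of change we want to see.
    $adminSids = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.SID.Value })
    foreach ($u in Get-LocalUser) {
        [pscustomobject]@{
            Key     = $u.SID.Value          # stable identifier; on other platforms use whatever the platform offers
            Name    = $u.Name
            Enabled = [bool]$u.Enabled
            IsAdmin = ($adminSids -contains $u.SID.Value)
        }
    }
}

function Compare-Inventory {
    param([object[]]$Baseline, [object[]]$Current)
    # Collector-agnostic: only needs Key, Name, Enabled, IsAdmin on each record.
    $known = @{}
    foreach ($b in $Baseline) { $known[$b.Key] = $b }
    foreach ($c in $Current) {
        if (-not $known.ContainsKey($c.Key)) {
            [pscustomobject]@{ Change = 'NewAccount'; Name = $c.Name; IsAdmin = $c.IsAdmin; Enabled = $c.Enabled }
        } elseif ($c.IsAdmin -and -not $known[$c.Key].IsAdmin) {
            # Not a new account, but an existing one that gained admin rights since the baseline.
            [pscustomobject]@{ Change = 'AddedToAdministrators'; Name = $c.Name; IsAdmin = $true; Enabled = $c.Enabled }
        }
    }
}

$current = @(Get-LocalAccountInventory)

if (Test-Path -Path $BaselinePath) {
    $baseline = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)
    $changes  = @(Compare-Inventory -Baseline $baseline -Current $current)
    if ($changes.Count -eq 0) {
        Write-Output "No new local accounts on $env:COMPUTERNAME since the last run."
    } else {
        # Feed these to your alerting; admin-capable additions are the urgent ones.
        $changes | Sort-Object @{ Expression = 'IsAdmin'; Descending = $true }, Name | Format-Table -AutoSize
    }
} else {
    Write-Output "No baseline at $BaselinePath; recording one now."
}

# Refresh the baseline so the next run diffs against today's state.
# -InputObject keeps a single-account inventory serialized as an array.
ConvertTo-Json -InputObject $current -Depth 3 | Set-Content -Path $BaselinePath
```

Schedule it at the same cadence you would give a discovery scan. The first run only records a baseline; every later run reports accounts whose SID was not present before, plus existing accounts that were added to Administrators in the meantime, which is the case a name-based comparison would miss.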