Bringing Enterprise Password Management to the iPhone
While there are many iPhone password managers available for home and personal use, Secret Server Password Manager iPhone edition brings privileged password management to the IT professional. And it’s free! With an already-established password management platform, Secret Server iPhone provides the security and convenience needed for you to efficiently manage and track your organization’s most critical passwords from your phone and PC.
Here’s a look under the hood
The Secret Server Password Management iPhone app allows you to view, edit, and create Secrets for multiple accounts. You can also see which Secrets were recently accessed, add favorites, and lock the application with a pin code. If you lose your iPhone, you are still be able to access your Secrets from a computer because the application synchronizes with both Secret Server (installed) and Secret Server Online.
The applications that Apple delivers with the iPhone all share a consistent UI and provide an intuitive user experience, so we went to great lengths to emulate this in our application. For example, when you press a table cell and are brought to a new screen, you expect to see a button in the top left that returns you to the previous screen. You also expect certain animations and screen layouts in other familiar situations. One of the challenges of programming the Secret Server iPhone application was meeting these expectations while still providing a powerful web-based application.
What makes iPhone programming different from .NET programming is that you have to be more particular about performance and memory management. iPhones are far less powerful than servers, and large memory allocations should be avoided at all costs. For example, in our application the same memory block is used whenever a Secret is created or edited. This may make the code a little harder to read, but it provides a great boost in performance.
In conclusion, writing the iPhone application was a creative, challenging experience and introduced us to a new language, API, operating system, and way of thinking about code. I am very excited about the Secret Server Password Manager iPhone edition, and will be using it on my iPhone every day.
Have an iPhone? Sign up for the Secret Server Password Manager iPhone app Beta today!
The History of Searching in Secret Server
[UPDATE 1/21/2010] Search term seperators no longer include period (as version 5.1). They are space, semi-colon, backslash, foward slash, and hypen.
In the recent month, we’ve had a lot of questions about how searching works in Secret Server, so I thought now would be a good time to answer as many questions about searching as possible.
Searching pre 5.0
Before the 5.0 edition of Secret Server searching was fairly limited. The only thing you could search on was the Secret’s name. Over time, the Search criteria grew a little, but still this main limitation was always there. As soon as you wanted to search on the actual values in the secrets, you were out of luck. The ability to search by the values in a secret was one of our most requested features.
Technical Limitations
The Secret Server development team has always had a keen sense to what customers wanted, and we typically implement feature requests based on feedback. However, this particular feature had a lot of technical barriers to solve before it could be implemented.
The main barrier we had to deal with was the concept of Secret Server itself. Secret Server is designed to be as secure as possible, and one of the pieces of this design is full data encryption. All of the values of a secret, aside from its name, are stored in the database encrypted. This makes searching the database impossible. If we wanted to perform a search, we would have had to pull back every secret from the database, decrypt it, and then search it. This clearly wouldn’t work from a performance angle, and didn’t scale well.
Searching as of 5.0
We realized we wouldn’t be able to do real-time searches on secrets. The barrier still remained though, how do we search secrets and not expose sensitive information? Our solution was a hash based index table.
A What?
Many systems, such as Windows and search providers like Google keep a search index. When you search Google, you really aren’t searching the entire Internet all at once, you are searching a dictionary of content that Google has built over time. Secret Server does something similar. The trick is to build an index but also keep it secure.
Secret Server 5.0 has a background monitor, the Search Indexer, that looks for changed secrets, about every 60 seconds it queries the database looking for unindexed secrets or changes in secrets. When you create or modify a secret, we flag that secret to tell the Search Indexer to re-index it.
Security
The Search Indexer creates hashed terms from the values in a secret. More specifically for those technically interested, we use the HMAC-512 algorithm. A quick explanation of what this algorithm does is creates a one-way code. For example, if the word “book” was hashed, it would produce a unique output. However this output cannot be converted back into the original data, “book” in our case.
This technique is used when creating indexes. Let’s say we have a secret with a field called “Server” with a value of “OFFICE\Webserver01″. When the search indexer got around to indexing this secret, it would create a hashed value of “office\webserver01″. Whenever we create hashed terms, we always convert it to lowercase so that searching isn’t case-sensitive. This search index record would become associated with the secret.
Now, when a user does a search, we use the same hash algorithm to compute the hash term of what you are searching for (again converted to lowercase). We when search our index table for a match.
What About Partial Matches?
When we have a term like “OFFICE\Webserver01″, we produce hashes of “pieces” of the word. In this case, we would also produce specific hashes for “office” and “webserver01″. Notice that we split on the letter “\”. The same happens when a search is performed. This way if you searched for “OFFICE\Webserver02″, it would still come back with the OFFICE\Webserver01″ because the “OFFICE” term still matched. We do this for other letters as well, that includes spaces, backslashes, slashes, periods, commas, and semicolons.
Search Index Modes
The Search Indexer has two modes. Standard, and Enhanced. So far, all of the behavior I have described has been the “Standard” mode. The Enhanced mode works very similarly, however it also produces three letter partials. Using out “OFFICE\Webserver01″ example, we produce our hashes normally, but we also produce the partials. We would add hashes for “OFF”, “FFI”, “FIC”, “ICE”, etc. This allows partial matches to return.
So Many Results
The implementation sounds correct, but it has some room for improvement. Note that I said we split the terms on periods. That means if you searched for “foo@test.com”, it would return everything that had “com” in it, and chances are there are a lot of results. The splitting on the period seems to be the biggest culprit for undesired results coming back. Once you throw the Enhanced mode into the mix, it gets even more complicated.
Looking Forward
Nothing has been set in stone in terms of changes and when it will be implemented, but we have been kicking around a lot of ideas. The immediate one might be to consider removing the period from the characters that we split on. Another idea was ranking the results. Secret Server right now always returns secrets sorted by their name. It would make more sense if we returned results in order of the number of hash terms that matched and if the name matched as well.
I hope that clarifies some of the mystery surrounding search. If you have any additional feedback or questions, be sure to drop by our forums and let us know!
– Kevin
Sneak Peek: PuTTY Launcher
One of a system administrator’s must-have items in his toolbox is PuTTY. PuTTY is a small, lightweight program that is perfect for telnet and SSH connections. It doesn’t require any installation, it’s just a single EXE file and you’re good to go.
A feature of Secret Server that I personally have always found extremely useful is the launching capability that we introduced with Remote Desktop. It’s very handy for starting Remote Desktop sessions. We decided to take it a step further and extend this functionality to PuTTY.
An initial obstacle that needed to be overcome was figuring out how to make sure PuTTY was on the client’s machine. The creators of PuTTY are generous, and fortunately they allow us to distribute PuTTY with Secret Server. Since the Remote Launcher capability is a Microsoft ClickOnce application, it seemed reasonable to distribute PuTTY with our application. This would avoid the need for users having to tell our application where to look for PuTTY, or us requiring that you have it in a certain location on the machine.
However, PuTTY is 500 kilobytes, and the initial application was a mere 12 kilobytes. 500K is small in today’s high tech world, but to reduce corporate bandwidth use, we only distribute it when you need it for the first time. That means when you make your first launch of PuTTY, we’ll download the application for you from your Secret Server installation, thus not needing an outside Internet connection, but after that it’s cached so you only need to download it once.
Once PuTTY is downloaded successfully, the application will automatically start already logged in at the prompt. For the first release of the PuTTY launcher, we will only support SSH.
If you want to see additional launchers built into Secret Server, make sure you stop by our forums and let us know!
– Kevin
Sneak Peek - Secret Server 5.0 and Searching Fields
Secret Server 5.0 is currently under development, and one of the features that we know for sure that will be in 5.0 is searching Secret Fields. This has been a popular request. We had several obstacles to achieve this, and we have implemented a solution that is secure but effective.
The search works by Secret Server creating an index catalog for search terms for each and every secret. This runs as a background process. Secret Server will then start indexing all existing Secrets in your installation, and maintain indexes for secrets as they are changed.
The indexing service allows two different modes of indexing. The standard mode, which allows you to search on whole words. The Extended Indexing option allows searching on part of a word with a precision of 3 characters. For example, "sec" would make a field with the value of "Secret", as would "secre".
Stay tuned for more features coming in Secret Server 5.0!
– Kevin
Why does Secret Server take so long to start up?
One of the things that we did notice with Secret Server is that it does take what seems to be a long time for Secret Server to start up for the first time. This started happening in Secret Server 4.0. So, what exactly is going on?
Secret Server does some startup tasks for the first time. Namely, it starts up some background monitoring tasks for synchronizing Active Directory and the Remote Password changing features. There is one more though that takes up most of the time, and that is verifying all of the Strong Name signatures.
First, what is a Strong Name? When we release Secret Server, we send out all of the DLLs with a digital signature on all of the assemblies. Secret Server has multiple DLLs that talk to each other. Now, what’s stopping someone with access to the server from dropping in a fake DLL that looks like ours, but it is also secretly emailing out information? Step in strong names. When the .NET Framework loads all of the assemblies for a particular application, it ensure that all of the assemblies have the strong name key that was used when it was compiled. If the Strong Name keys don’t match, then the .NET Framework won’t accept it. Since only Thycotic has the key, it cannot be faked.
This is a somewhat lengthy process for the .NET Framework, as it will also have to calculate checksums of the entire assembly as well. Not to mention that this entire process occurs for all 14 of the assemblies in Secret Server.
– Kevin
Secret Server on the Treo 700
Secret Server has supported a "Mobile Edition" for over a year now but it is always tricky making sure that it works correctly on all devices.
Our approach was to bake mobile support into the base product (ASP.NET based) so it simply scales down to the capability of the device. That sounds simple but unfortunately it depends on making sure that functionality will work with all the limitations of various devices.
My own favorite BlackBerry 8820 does a reasonable job of helping me get to the password I need in emergencies but it is hardly a pleasant browsing experience. In fairness, no browsing on the device is particularly pleasant since it is slow, struggles with most layouts and has a small screen. That said, I love it dearly and browsing has never been a core requirement for me since email, contacts and calendar are definitely my most essential.
Today we had a customer ask about the Treo 700 so I tried out the emulator from the Palm website. It seems to work fine with Secret Server and I was able to browse around and access passwords.
–Jonathan
Secret Server at FOSE 2008
This year Secret Server made its debut at FOSE, one of the leading government technology events in the nation. The show is being held at the Walter E. Washington Convention Center which is situated only a few minutes away from our offices in downtown D.C.
Despite there being several hundred kiosks and lectures, Secret Server appears to be one of the few software products featured. Many of the exhibitions are displaying hardware and energy saving innovations. I think a lot of people have been pleasantly surprised to see a solution for password management.
Over the last couple of days, I and some of the other team members got a chance to interact with attendees and demonstrate some of the core functionality of Secret Server. We have received a lot of enthusiasm and great feedback on the product thus far.
Today is the final day for FOSE. Come visit us at booth #100 located in the Security section. Hope to see you there!
–Joseph
Giving Secret View a System Font
One of the questions that I sometimes get from customers is, "I want the information on the Secret View page to display in a system font". The reason for this is it makes it easier to distinguish between O’s and zeros; and lower-case L’s and capital I’s.
This can easily be accomplished with CSS, and with since Secret Server 4.0 and up supports Themes, it is simple enough to add your own CSS to the default.css file.
Because of the way Copy to Clipboard works, all of the attributes that contain information are held in a custom attribute "t". This attribute is on the span elements and the text boxes when in edit mode. In theory, it should be as simple as this:
*[t]
{
font-family:Consolas,System;
}
This is part of the CSS 2 specification, and the selector states "Any element with the attribute ‘t’." As expected, this works well with FireFox. This took care of the labels and the text boxes all-in-one. However, IE presented a bit of an issue. This simple solution didn’t seem to work. It’s not a secret to web developers that Trident, IE’s rendering engine, is pretty buggy as far as rendering engines go. What surprised me more was that the IE 8 beta, the up-and-coming super-compliant version of IE, still did not take. What was strange that when using a simple test page, the attribute selector did work; so it is supported in IE 7 and 8. There just appears to be an issue with that particular page.
So the solution became a little more complex. A lot of the elements on the secret view page don’t have classes or ID’s at the moment, which makes applying CSS to just some of the elements a bit trickier. In the end, this is how it turned out:
And the CSS used to accomplish this that works in both IE and FireFox:
div#SecretViewDialog * td.SecretFieldCell span, * span#iSM li
{
font-family:Verdana ! important;
font-size:10pt ! important;
}
input.SecretViewTextbox, input.SecretPasswordTextbox, div#SecretViewDialog * span
{
font-family:Consolas,System;
font-size:11pt;
}
The font of my choice is Consolas, a nice font that makes it easy to distinguish characters. It is a free font for user’s that own Visual Studio 2005 via download, and also ships with Visual Studio 2008.
– Kevin
Secret Server 4.1 coming - visual keyboard
Here is a new feature coming in Secret Server 4.1 - it is the visual keyboard and is a configurable option for the login screen.
It is designed to thwart malware such as keyloggers which could be running on a public computer and could capture your password if you entered it using the keyboard. The visual keyboard uses a different random alternate character set each time it is loaded - this means that when you click "a" it may type "3" in the password textbox - the garbled password is reconstituted on the server side when you login. By using a garbled password then the HTTP POST back to the server if even further protected (and should be protected again by using SSL on your Secret Server installation).
Look for more sneak peeks soon as we approach the release date for Secret Server 4.1 which will be 3/14/2008 - specifically there will screenshots of the new role-based security and the launcher (launch Remote Desktop from Secret Server!).
–Jonathan
Secret Server on Windows Server 2008 x64
With the new release of Windows Server 2008, we wanted to make sure that Secret Server is always able to use the latest technology. So, we set out to prove that Secret Server would work on Windows Server 2008. To take it even further, we wanted to see it work on the 64-bit platform. So how did Secret Server do?
We’re excited to say that yes, Secret Server does work on Windows Server 2008 x64 Edition. Here was our setup:
- Windows Server 2008 Enterprise x64 Edition (IIS 7.0)
- SQL Server 2005 Developer x64 Edition
- Secret Server 4.0.000003.
There are a few things to note before Secret Server will function properly. IIS 7.0 had some ground breaking changes with the way it integrates with ASP.NET 2.0. Unfortunately, Secret Server currently cannot support this. This is called "Integrated Managed Pipeline Mode". Secret Server currently will only work properly with IIS’s Pipeline mode configured to "Classic". Fortunately, this isn’t a problem at all. It is really as simple as changing the Application Pool that Secret Server is in to use Classic Pipeline.
While Secret Server is functional in this environment, we can’t officially support it yet; there are a few features of Secret Server that are problematic due to the new environment. The immediate one is a lack of support for IPv6 for the IP Address Restrictions, which we will be addressing in a release in the near future. This is due to the fact that the IPv6 protocol is installed by default on Windows Server 2008. The same problem arises when the IPv6 protocol is installed on a previous version of Windows.
We still have a lot of testing to do on Windows Server 2008. We want to make sure that Secret Server works just as well as it always has on previous versions of Windows Server. Once we have finished our testing process, and resolved any issues that arose, we will be able to officially support the Windows Server 2008 x64 and x86 platform.
In the near future, we will be testing Secret Server against the up-and-coming SQL Server 2008.