RamblingCookieMonster / Secretserver

Licence: MIT
Secret Server PowerShell Module


This is a PowerShell module for working with Thycotic Secret Server's web services. If you use this module, check in every so often; there will be regular updates.

This is a quick and dirty implementation based on my environment's configuration. Contributions to improve this would be more than welcome!

Some caveats:

  • We do not go out of the way to cover a variety of templates or customizations to templates. Contributions welcome. This is on my list but low priority.
  • A number of shortcuts have been taken given that this is a fast publish. Addressing these is on my list.
    • Limited testing, limited validation of edge case scenarios
    • Limited error handling
    • Limited comment based help and examples (some may be outdated)
    • Limited explanation for configuring your environment to use functions that rely on T-SQL.

Functionality

  • Search for secrets without triggering an audit
  • Extract Secure String password and PSCredential credential object from secrets
  • List out folders
  • Find templates
  • Create new secrets
  • Change existing secrets
  • Find permissions for a secret
  • List secret audit activity
  • Get Secret Activity directly from the database
  • Get connected

Prerequisites

  • You must be using Windows PowerShell 3 or later on the system running this module
  • You must enable Secret Server Web Services ahead of time. See product documentation for instructions.
  • You must enable Integrated Windows Authentication for Secret Server. This may change. See product documentation for instructions.
  • We serialize a default Uri and proxy to SecretServerConfig.xml in the module path - you must have access to that path for this functionality
  • The account running these functions must have appropriate access to Secret Server
  • For the T-SQL commands, I assume you can delegate privileges and create a secure way to invoke these. Consider running these from a constrained, delegated endpoint to avoid unnecessary privileges in the Secret Server database.
  • Module folder downloaded, unblocked, extracted, available to import

Instructions

#One time setup:
    #Download the repository
    #Unblock the zip file
    #Extract SecretServer folder to a module path (e.g. $env:USERPROFILE\Documents\WindowsPowerShell\Modules\)

#Each PowerShell session
    Import-Module SecretServer  #Alternatively, Import-Module "\\Path\To\SecretServer"

#List commands in the module
    Get-Command -Module SecretServer

#Get help for a command
    Get-Help New-SSConnection -Full

#Optional one time step: Set default Uri, create default proxy
    Set-SecretServerConfig -Uri https://FQDN.TO.SECRETSERVER/winauthwebservices/sswinauthwebservice.asmx
    New-SSConnection #Uses Uri we just set by default

#Get help for Get-Secret
    Get-Help Get-Secret -Full

#List a summary of all secrets
    Get-Secret

#Convert stored secret to a credential object you can use in a variety of scenarios
    $Credential = (Get-Secret -SearchTerm SVC-WebCommander -as Credential ).Credential
    $Credential

    <#
        UserName : My.Domain\SVC-WebCommander
        Password : System.Security.SecureString
    #>

#List commands that directly hit the SQL database
    Get-Command -Module SecretServer -ParameterName ServerInstance |
        Where {$_.Name -notlike "*SecretServerConfig"}
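
One way to set up the constrained, delegated endpoint suggested in the prerequisites, as an added example that is not part of the module or its README. It reuses the Get-Command filter above so that only the database-backed functions are exposed. The endpoint name, file path and run-as account are assumptions, and the module must be installed in a machine-wide module path on the endpoint host.

```powershell
# Added example. Run from an elevated session on the host that will run the queries.
# 'SecretServerSql', the .pssc path and the account name are assumed placeholders.
Import-Module SecretServer

# Same filter the README uses to find functions that query the database directly.
$sqlFunctions = Get-Command -Module SecretServer -ParameterName ServerInstance |
    Where-Object { $_.Name -notlike '*SecretServerConfig' } |
    Select-Object -ExpandProperty Name

if (-not $sqlFunctions) {
    throw 'No database-backed functions were found in the SecretServer module.'
}

# Session configuration: no script language, and only the listed functions
# are visible to connecting users.
$pssc = Join-Path $env:ProgramData 'SecretServerSql.pssc'   # assumed path
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -LanguageMode NoLanguage `
    -ModulesToImport SecretServer `
    -VisibleFunctions $sqlFunctions

# The delegated identity: an account granted only the read access these
# functions need in the Secret Server database (assumed account name).
$runAs = Get-Credential -UserName 'My.Domain\SVC-SSReadOnly' `
    -Message 'Account with read-only access to the Secret Server database'

# Register the endpoint. -ShowSecurityDescriptorUI opens a dialog where you
# choose which users or groups may connect; callers never hold SQL rights
# themselves. Registration restarts the WinRM service.
Register-PSSessionConfiguration -Name 'SecretServerSql' -Path $pssc `
    -RunAsCredential $runAs -ShowSecurityDescriptorUI -Force

# Review what was registered, including the permission entries.
Get-PSSessionConfiguration -Name 'SecretServerSql' |
    Format-List Name, RunAsUser, Permission
```

Users then connect with `-ConfigurationName SecretServerSql` on Invoke-Command or Enter-PSSession and can call only the exposed functions.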

Changelog

  • 03/24/2016 Changes by Ryan Bushe
    • NEW: Connect-SecretServer Prompts you for credentials and includes support for connecting with RADIUS
    • NEW: Copy-SSPassword Using Get-Secret as the backend will prompt the user to select a specific secret and copy the password to the user's clipboard
    • UPDATE: Added use of Token when supplied or in the SecretServerConfig for all functions using Secret Server's web services
    • UPDATE: Restructured the layout of the functions and used ConvertTo-Module to build the module file for faster loading
    • UPDATE: Made settings file include the current user name for use by multiple users
    • UPDATE: Moved file initialization into Get-SecretServerConfig
    • UPDATE: Moved proxy initialization into Connect-SecretServer

Aside

As an aside, if you don't have a password management solution in place, definitely take a look at Secret Server.

I've been impressed with the product, documentation, and support. It's one of those products that just works, and works well. If you're a non-profit, you'll save a bit...

Project Status, 1/17/2016: I no longer work with or have access to Secret Server. Feel free to fork this or use it as needed, but there will likely be no further development, barring external contributions.
