
implementing-delinea-secret-server-for-pam

Included with Lifetime
$97 forever

Implements Delinea Secret Server for privileged access management (PAM) including secret vault configuration, role-based access policies, automated password rotation, session recording, and integration with Active Directory and cloud platforms. Activates for requests involving PAM deployment, privileged credential vaulting, secret server administration, or password rotation automation.

Tags: Cloud & DevOps, PAM, Delinea, Secret-Server, privileged-access, password-vault, credential-management, scripts

What this skill does


# Implementing Delinea Secret Server for PAM

## When to Use

- Organization needs centralized privileged credential management across hybrid infrastructure
- Compliance requirements mandate privileged access controls (SOX, PCI-DSS, HIPAA, NIST 800-53)
- Service accounts and shared credentials are stored in spreadsheets or plaintext files
- Need to implement automated password rotation for privileged accounts
- Require session recording and keystroke logging for privileged user activity
- Migrating from manual PAM processes to an enterprise vault solution

**Do not use** for standard end-user password management; Delinea Secret Server is designed for privileged and shared account credential management requiring enterprise-grade controls.

## Prerequisites

- Delinea Secret Server license (On-Premises or Cloud)
- Windows Server 2019/2022 for on-premises deployment with IIS and SQL Server
- Active Directory service account with read permissions for discovery
- SSL/TLS certificate for web interface encryption
- Network connectivity to target systems for password rotation
- PowerShell 5.1+ for automation scripts

## Workflow

### Step 1: Deploy Secret Server Infrastructure

Install and configure the Secret Server application server:

```powershell
# Pre-installation checks for on-premises deployment
# Verify IIS is installed with the features Secret Server needs
Import-Module ServerManager
Install-WindowsFeature Web-Server, Web-Asp-Net45, Web-Windows-Auth, Web-Mgmt-Console

# Verify SQL Server connectivity using the current Windows identity
$sqlConn = New-Object System.Data.SqlClient.SqlConnection
$sqlConn.ConnectionString = "Server=sql01.corp.local;Database=master;Integrated Security=True"
$sqlConn.Open()
Write-Host "SQL Server connection successful: $($sqlConn.ServerVersion)"
$sqlConn.Close()

# Create the Secret Server database (Invoke-Sqlcmd comes from the SqlServer module)
Import-Module SqlServer
Invoke-Sqlcmd -ServerInstance "sql01.corp.local" -Query @"
CREATE DATABASE SecretServer
GO
ALTER DATABASE SecretServer SET RECOVERY FULL
GO
"@

# Download and run Secret Server installer
# Navigate to https://thy.center/ss/link/SSDownload for latest version
# Run setup.exe and follow the installation wizard

# Post-installation: run the application pool as a dedicated service account
# (least privilege: this account only needs rights on the SecretServer database)
Import-Module WebAdministration
Set-ItemProperty "IIS:\AppPools\SecretServer" -Name processModel.identityType -Value SpecificUser
Set-ItemProperty "IIS:\AppPools\SecretServer" -Name processModel.userName -Value "CORP\svc-secretserver"
# The identity password must be set too; read it from a protected source rather than hardcoding it
Set-ItemProperty "IIS:\AppPools\SecretServer" -Name processModel.password -Value $env:SS_APPPOOL_PASSWORD
```

### Step 2: Configure Secret Templates and Folder Structure

Define secret templates and organize the vault hierarchy:

```powershell
# Connect to Secret Server API
$baseUrl = "https://pam.corp.local/SecretServer"
$creds = @{
    username = "ss-admin"
    password = $env:SS_ADMIN_PASSWORD
    grant_type = "password"
}
$token = (Invoke-RestMethod "$baseUrl/oauth2/token" -Method POST -Body $creds).access_token
$headers = @{ Authorization = "Bearer $token" }

# Create folder structure for organizing secrets
$folders = @(
    @{ folderName = "Windows Servers"; parentFolderId = -1; inheritPermissions = $false },
    @{ folderName = "Linux Servers"; parentFolderId = -1; inheritPermissions = $false },
    @{ folderName = "Network Devices"; parentFolderId = -1; inheritPermissions = $false },
    @{ folderName = "Cloud Accounts"; parentFolderId = -1; inheritPermissions = $false },
    @{ folderName = "Service Accounts"; parentFolderId = -1; inheritPermissions = $false },
    @{ folderName = "Database Accounts"; parentFolderId = -1; inheritPermissions = $false }
)

foreach ($folder in $folders) {
    Invoke-RestMethod "$baseUrl/api/v1/folders" -Method POST -Headers $headers `
        -ContentType "application/json" -Body ($folder | ConvertTo-Json)
}

# Create custom secret template for database credentials
$template = @{
    name = "Database Credential"
    fields = @(
        @{ name = "Server"; isRequired = $true; fieldType = "Text" },
        @{ name = "Port"; isRequired = $true; fieldType = "Text" },
        @{ name = "Database"; isRequired = $true; fieldType = "Text" },
        @{ name = "Username"; isRequired = $true; fieldType = "Text" },
        @{ name = "Password"; isRequired = $true; fieldType = "Password" },
        @{ name = "Connection String"; isRequired = $false; fieldType = "Notes" }
    )
}
Invoke-RestMethod "$baseUrl/api/v1/secret-templates" -Method POST -Headers $headers `
    -ContentType "application/json" -Body ($template | ConvertTo-Json -Depth 3)
```
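Once the vault exists, scripts should pull credentials from it at run time rather than from environment variables or files (the situation Step 1 of "When to Use" describes). The following is an added example, not code from the skill: it wraps the page's OAuth2 login with expiry tracking and reads one field of a secret. The endpoint shapes (`/oauth2/token` returning `expires_in`, `/api/v1/secrets/{id}` returning an `items` array with `fieldName`/`itemValue`) and secret ID 100 are assumptions to check against your Secret Server version.

```powershell
# Added example: retrieve a vaulted credential at run time (assumed API shapes, see lead-in)
function Connect-SecretServer {
    param(
        [Parameter(Mandatory)] [string] $BaseUrl,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    $body = @{
        username   = $Credential.UserName
        password   = $Credential.GetNetworkCredential().Password
        grant_type = "password"
    }
    $resp = Invoke-RestMethod "$BaseUrl/oauth2/token" -Method POST -Body $body
    # Track expiry so long-running scripts re-authenticate instead of failing mid-run
    [pscustomobject]@{
        BaseUrl   = $BaseUrl
        Headers   = @{ Authorization = "Bearer $($resp.access_token)" }
        ExpiresAt = (Get-Date).AddSeconds($resp.expires_in - 60)   # 60 s safety margin
    }
}

function Get-VaultedField {
    param(
        [Parameter(Mandatory)] $Session,
        [Parameter(Mandatory)] [int] $SecretId,
        [string] $FieldName = "Password"
    )
    if ((Get-Date) -ge $Session.ExpiresAt) {
        throw "Secret Server token expired; call Connect-SecretServer again"
    }
    # Assumed response: a secret object whose "items" array carries fieldName/itemValue pairs
    $secret = Invoke-RestMethod "$($Session.BaseUrl)/api/v1/secrets/$SecretId" -Headers $Session.Headers
    $item = $secret.items | Where-Object { $_.fieldName -eq $FieldName }
    if (-not $item) { throw "Secret $SecretId has no field named '$FieldName'" }
    # Return a SecureString so the value does not end up in transcripts or logs
    ConvertTo-SecureString $item.itemValue -AsPlainText -Force
}

# Usage: prompt once for the API user, then pull the DB service account (secret ID 100 is assumed)
$session    = Connect-SecretServer -BaseUrl "https://pam.corp.local/SecretServer" -Credential (Get-Credential "ss-admin")
$dbPassword = Get-VaultedField -Session $session -SecretId 100
$dbCred     = New-Object pscredential ("svc-dbapp", $dbPassword)
```

Every retrieval through the API is written to the secret's audit trail, which is the detection signal a spreadsheet never gave you.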

### Step 3: Configure Discovery and Account Onboarding

Set up automated discovery of privileged accounts across the environment:

```powershell
# Configure Active Directory discovery source
$adDiscovery = @{
    name = "Corporate AD Discovery"
    discoverySourceType = "ActiveDirectory"
    active = $true
    settings = @{
        domainName = "corp.local"
        friendlyName = "Corporate Domain"
        discoveryAccountId = 12  # Service account secret ID
        ouFilters = @(
            "OU=Servers,DC=corp,DC=local",
            "OU=Workstations,DC=corp,DC=local"
        )
    }
    scanInterval = 86400  # 24 hours
}
Invoke-RestMethod "$baseUrl/api/v1/discovery" -Method POST -Headers $headers `
    -ContentType "application/json" -Body ($adDiscovery | ConvertTo-Json -Depth 3)

# Configure local account discovery for Windows servers
$localDiscovery = @{
    name = "Windows Local Account Discovery"
    discoverySourceType = "Machine"
    active = $true
    settings = @{
        machineType = "Windows"
        accountScanTemplate = "Windows Local Account"
        dependencyScanTemplate = "Windows Service"
    }
}
Invoke-RestMethod "$baseUrl/api/v1/discovery" -Method POST -Headers $headers `
    -ContentType "application/json" -Body ($localDiscovery | ConvertTo-Json -Depth 3)

# Import discovered accounts as secrets
# After discovery runs, review and import found accounts
$discoveredAccounts = Invoke-RestMethod "$baseUrl/api/v1/discovery/status" -Headers $headers
Write-Host "Discovered $($discoveredAccounts.totalAccounts) accounts"
Write-Host "  - Domain Admins: $($discoveredAccounts.domainAdmins)"
Write-Host "  - Local Admins: $($discoveredAccounts.localAdmins)"
Write-Host "  - Service Accounts: $($discoveredAccounts.serviceAccounts)"
```

### Step 4: Implement Password Rotation Policies

Configure automated password rotation with complexity requirements:

```powershell
# Create password rotation policy
$rotationPolicy = @{
    name = "High-Security 30-Day Rotation"
    rotationIntervalDays = 30
    passwordRequirements = @{
        minimumLength = 24
        maximumLength = 32
        requireUpperCase = $true
        requireLowerCase = $true
        requireNumbers = $true
        requireSymbols = $true
        allowedSymbols = "!@#$%^&*()-_=+[]{}|;:,.<>?"
    }
    rotationType = "AutoChange"
    autoChangeSchedule = @{
        changeType = "RecurringSchedule"
        recurrenceType = "Monthly"
        dayOfMonth = 1
        startTime = "02:00"
    }
}
Invoke-RestMethod "$baseUrl/api/v1/remote-password-changing/configuration" -Method POST `
    -Headers $headers -ContentType "application/json" -Body ($rotationPolicy | ConvertTo-Json -Depth 4)

# Configure Remote Password Changing (RPC) for Windows accounts
$rpcConfig = @{
    secretId = 100  # Target secret
    autoChangeEnabled = $true
    autoChangeNextPassword = $true
    privilegedAccountSecretId = 50  # Account used to perform the change
    changePasswordUsing = "PrivilegedAccount"
}
Invoke-RestMethod "$baseUrl/api/v1/secrets/100/remote-password-changing" -Method PUT `
    -Headers $headers -ContentType "application/json" -Body ($rpcConfig | ConvertTo-Json)

# Configure heartbeat monitoring to verify credential validity
$heartbeat = @{
    enabled = $true
    intervalMinutes = 60
    onFailure = "SendAlert"
    alertEmailGroupId = 5
}
Invoke-RestMethod "$baseUrl/api/v1/secrets/100/heartbeat" -Method PUT `
    -Headers $headers -ContentType "application/json" -Body ($heartbeat | ConvertTo-Json)
```
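A rotation policy is only as good as its enforcement, so the defender's check is to list the secrets under a folder and flag any whose heartbeat is failing or whose last password change is older than the 30-day interval configured above. This is an added example, not part of the skill; it assumes `GET /api/v1/secrets` accepts `filter.folderId`, `filter.includeSubFolders`, `take` and `skip`, and returns `records` with `lastPasswordChangeAttempt` and `lastHeartBeatStatus` fields, and that the "Windows Servers" folder has ID 10. Verify those names against your Secret Server version.

```powershell
# Added example: audit rotation compliance against the 30-day policy (assumed API fields, see lead-in)
$baseUrl = "https://pam.corp.local/SecretServer"
$cred    = Get-Credential "ss-admin"
$body    = @{ username = $cred.UserName; password = $cred.GetNetworkCredential().Password; grant_type = "password" }
$token   = (Invoke-RestMethod "$baseUrl/oauth2/token" -Method POST -Body $body).access_token
$headers = @{ Authorization = "Bearer $token" }

function Get-RotationFindings {
    param(
        [Parameter(Mandatory)] [int] $FolderId,
        [int] $MaxAgeDays = 30,   # matches the "High-Security 30-Day Rotation" policy
        [int] $PageSize = 100
    )
    $skip = 0
    $findings = @()
    do {
        # Page through the folder (and subfolders) so large vaults are covered completely
        $uri  = "$baseUrl/api/v1/secrets?filter.folderId=$FolderId&filter.includeSubFolders=true&take=$PageSize&skip=$skip"
        $page = Invoke-RestMethod $uri -Headers $headers
        foreach ($s in $page.records) {
            $reasons = @()
            # A failed heartbeat means the stored password no longer works on the target
            if ($s.lastHeartBeatStatus -eq "Failed") { $reasons += "heartbeat failed" }
            $lastChange = if ($s.lastPasswordChangeAttempt) { [datetime]$s.lastPasswordChangeAttempt } else { $null }
            if (-not $lastChange) {
                $reasons += "never rotated"
            } elseif ($lastChange -lt (Get-Date).AddDays(-$MaxAgeDays)) {
                $reasons += "last change $($lastChange.ToString('yyyy-MM-dd')) exceeds $MaxAgeDays days"
            }
            if ($reasons) {
                $findings += [pscustomobject]@{ Id = $s.id; Name = $s.name; Reasons = ($reasons -join '; ') }
            }
        }
        $skip += $PageSize
    } while ($page.records.Count -eq $PageSize)
    $findings
}

# Report on the "Windows Servers" folder (ID 10 assumed) and export the findings for ticketing
$findings = Get-RotationFindings -FolderId 10
$findings | Format-Table -AutoSize
$findings | Export-Csv -Path ".\rotation-findings.csv" -NoTypeInformation
```

Run it on a schedule and alert on a non-empty result; a secret that is "never rotated" in a folder covered by the policy usually means the RPC configuration from this step was not applied to it.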

### Step 5: Configure Session Recording and Monitoring

Enable session r
