Implements Delinea Secret Server for PAM with vault configuration, RBAC policies, auto password rotation, session recording, and Active Directory/cloud integrations. For PAM deployments, credential vaults, and password automation.
- The organisation needs to centrally manage privileged credentials across hybrid infrastructure
Not intended for standard end-user password management; Delinea Secret Server is designed for privileged and shared-account credential management that requires enterprise-grade controls.
Install and configure the Secret Server application server:

```powershell
# Pre-installation checks for an on-premises deployment
# Install (or confirm) the IIS features Secret Server requires
Import-Module ServerManager
Install-WindowsFeature Web-Server, Web-Asp-Net45, Web-Windows-Auth, Web-Mgmt-Console

# Verify SQL Server connectivity
$sqlConn = New-Object System.Data.SqlClient.SqlConnection
$sqlConn.ConnectionString = "Server=sql01.corp.local;Database=master;Integrated Security=True"
$sqlConn.Open()
Write-Host "SQL Server 连接成功:$($sqlConn.ServerVersion)"
$sqlConn.Close()

# Create the Secret Server database
Invoke-Sqlcmd -ServerInstance "sql01.corp.local" -Query @"
CREATE DATABASE SecretServer
GO
ALTER DATABASE SecretServer SET RECOVERY FULL
GO
"@

# Download and run the Secret Server installer
# Get the latest version from https://thy.center/ss/link/SSDownload
# Run setup.exe and follow the installation wizard

# Post-install: run the application pool under a dedicated service account
Import-Module WebAdministration
Set-ItemProperty "IIS:\AppPools\SecretServer" -Name processModel.identityType -Value SpecificUser
Set-ItemProperty "IIS:\AppPools\SecretServer" -Name processModel.userName -Value "CORP\svc-secretserver"
# processModel.password must also be set for a SpecificUser identity; supply it from a secured prompt, not a literal
```
Define secret templates and organise the vault folder hierarchy:

```powershell
# Connect to the Secret Server API
$baseUrl = "https://pam.corp.local/SecretServer"
$creds = @{
    username   = "ss-admin"
    password   = $env:SS_ADMIN_PASSWORD
    grant_type = "password"
}
$token = (Invoke-RestMethod "$baseUrl/oauth2/token" -Method POST -Body $creds).access_token
$headers = @{ Authorization = "Bearer $token" }

# Create the folder structure used to organise secrets
$folders = @(
    @{ folderName = "Windows 服务器"; parentFolderId = -1; inheritPermissions = $false },
    @{ folderName = "Linux 服务器"; parentFolderId = -1; inheritPermissions = $false },
    @{ folderName = "网络设备"; parentFolderId = -1; inheritPermissions = $false },
    @{ folderName = "云账户"; parentFolderId = -1; inheritPermissions = $false },
    @{ folderName = "服务账户"; parentFolderId = -1; inheritPermissions = $false },
    @{ folderName = "数据库账户"; parentFolderId = -1; inheritPermissions = $false }
)
foreach ($folder in $folders) {
    Invoke-RestMethod "$baseUrl/api/v1/folders" -Method POST -Headers $headers `
        -ContentType "application/json" -Body ($folder | ConvertTo-Json)
}

# Create a custom secret template for database credentials
$template = @{
    name   = "数据库凭据"
    fields = @(
        @{ name = "服务器"; isRequired = $true; fieldType = "Text" },
        @{ name = "端口"; isRequired = $true; fieldType = "Text" },
        @{ name = "数据库"; isRequired = $true; fieldType = "Text" },
        @{ name = "用户名"; isRequired = $true; fieldType = "Text" },
        @{ name = "密码"; isRequired = $true; fieldType = "Password" },
        @{ name = "连接字符串"; isRequired = $false; fieldType = "Notes" }
    )
}
Invoke-RestMethod "$baseUrl/api/v1/secret-templates" -Method POST -Headers $headers `
    -ContentType "application/json" -Body ($template | ConvertTo-Json -Depth 3)
```
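The OAuth2 password grant above returns a bearer token that expires, and every later call repeats the same header plumbing. As an added example (not Delinea's or this skill's own code), the wrapper below caches the token with its expiry, takes the credential as a `PSCredential` instead of an environment variable, and reports HTTP failures without echoing request bodies. It assumes the `/oauth2/token` response carries the standard `access_token` and `expires_in` fields; `Connect-SsApi` and `Invoke-SsApi` are names chosen for this example.

```powershell
# Added example: token-caching wrapper around the Secret Server REST API.
# Assumption: /oauth2/token returns access_token and expires_in (seconds).
$script:SsBaseUrl = 'https://pam.corp.local/SecretServer'
$script:SsToken   = $null
$script:SsExpires = [datetime]::MinValue

function Connect-SsApi {
    param([Parameter(Mandatory)][pscredential]$Credential)  # e.g. (Get-Credential ss-admin)
    $body = @{
        username   = $Credential.UserName
        password   = $Credential.GetNetworkCredential().Password
        grant_type = 'password'
    }
    $resp = Invoke-RestMethod "$script:SsBaseUrl/oauth2/token" -Method POST -Body $body
    $script:SsToken = $resp.access_token
    # Renew one minute early so a long loop never sends an already-expired token
    $script:SsExpires = (Get-Date).AddSeconds([int]$resp.expires_in - 60)
}

function Invoke-SsApi {
    param(
        [Parameter(Mandatory)][string]$Path,                       # relative to /api/v1/
        [ValidateSet('GET', 'POST', 'PUT', 'DELETE')][string]$Method = 'GET',
        [hashtable]$Body
    )
    if (-not $script:SsToken -or (Get-Date) -ge $script:SsExpires) {
        throw 'No valid token: call Connect-SsApi first (token missing or expired).'
    }
    $params = @{
        Uri     = "$script:SsBaseUrl/api/v1/$($Path.TrimStart('/'))"
        Method  = $Method
        Headers = @{ Authorization = "Bearer $script:SsToken" }
    }
    if ($Body) {
        $params.ContentType = 'application/json'
        $params.Body        = $Body | ConvertTo-Json -Depth 5
    }
    try {
        Invoke-RestMethod @params
    }
    catch {
        # Surface the status code only; the request body may contain secret material
        $status = $_.Exception.Response.StatusCode.value__
        throw "Secret Server API $Method $Path failed (HTTP $status)"
    }
}

# Usage, replacing the hand-built $headers calls above:
# Connect-SsApi -Credential (Get-Credential ss-admin)
# Invoke-SsApi -Path 'folders' -Method POST -Body @{ folderName = 'Cloud Accounts'; parentFolderId = -1 }
```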
Set up automatic discovery of privileged accounts across environments:

```powershell
# Configure an Active Directory discovery source
$adDiscovery = @{
    name                = "企业 AD 发现"
    discoverySourceType = "ActiveDirectory"
    active              = $true
    settings = @{
        domainName         = "corp.local"
        friendlyName       = "企业域"
        discoveryAccountId = 12   # secret ID of the discovery service account
        ouFilters = @(
            "OU=Servers,DC=corp,DC=local",
            "OU=Workstations,DC=corp,DC=local"
        )
    }
    scanInterval = 86400   # 24 hours
}
Invoke-RestMethod "$baseUrl/api/v1/discovery" -Method POST -Headers $headers `
    -ContentType "application/json" -Body ($adDiscovery | ConvertTo-Json -Depth 3)

# Configure local-account discovery for Windows servers
$localDiscovery = @{
    name                = "Windows 本地账户发现"
    discoverySourceType = "Machine"
    active              = $true
    settings = @{
        machineType            = "Windows"
        accountScanTemplate    = "Windows 本地账户"
        dependencyScanTemplate = "Windows 服务"
    }
}
Invoke-RestMethod "$baseUrl/api/v1/discovery" -Method POST -Headers $headers `
    -ContentType "application/json" -Body ($localDiscovery | ConvertTo-Json -Depth 3)

# Import discovered accounts as secrets
# After a discovery run, review the accounts found and import them
$discoveredAccounts = Invoke-RestMethod "$baseUrl/api/v1/discovery/status" -Headers $headers
Write-Host "已发现 $($discoveredAccounts.totalAccounts) 个账户"
Write-Host " - 域管理员:$($discoveredAccounts.domainAdmins)"
Write-Host " - 本地管理员:$($discoveredAccounts.localAdmins)"
Write-Host " - 服务账户:$($discoveredAccounts.serviceAccounts)"
```
Configure automated password rotation with complexity requirements:

```powershell
# Create a password rotation policy
$rotationPolicy = @{
    name                 = "高安全性 30 天轮换"
    rotationIntervalDays = 30
    passwordRequirements = @{
        minimumLength    = 24
        maximumLength    = 32
        requireUpperCase = $true
        requireLowerCase = $true
        requireNumbers   = $true
        requireSymbols   = $true
        # single-quoted so PowerShell does not try to expand the $ in the symbol set
        allowedSymbols   = '!@#$%^&*()-_=+[]{}|;:,.<>?'
    }
    rotationType = "AutoChange"
    autoChangeSchedule = @{
        changeType     = "RecurringSchedule"
        recurrenceType = "Monthly"
        dayOfMonth     = 1
        startTime      = "02:00"
    }
}
Invoke-RestMethod "$baseUrl/api/v1/remote-password-changing/configuration" -Method POST `
    -Headers $headers -ContentType "application/json" -Body ($rotationPolicy | ConvertTo-Json -Depth 4)

# Configure Remote Password Changing (RPC) for a Windows account
$rpcConfig = @{
    secretId                  = 100    # target secret
    autoChangeEnabled         = $true
    autoChangeNextPassword    = $true
    privilegedAccountSecretId = 50     # account used to perform the change
    changePasswordUsing       = "PrivilegedAccount"
}
Invoke-RestMethod "$baseUrl/api/v1/secrets/100/remote-password-changing" -Method PUT `
    -Headers $headers -ContentType "application/json" -Body ($rpcConfig | ConvertTo-Json)

# Configure heartbeat monitoring to verify the stored credential still works
$heartbeat = @{
    enabled          = $true
    intervalMinutes  = 60
    onFailure        = "SendAlert"
    alertEmailGroupId = 5
}
Invoke-RestMethod "$baseUrl/api/v1/secrets/100/heartbeat" -Method PUT `
    -Headers $headers -ContentType "application/json" -Body ($heartbeat | ConvertTo-Json)
```
Enable session recording for privileged access sessions:

```powershell
# Enable a session recording policy
$sessionPolicy = @{
    name                      = "完整录制策略"
    recordSessions            = $true
    recordKeystrokes          = $true
    recordApplications        = $true
    maxSessionDurationMinutes = 480
    requireComment            = $true
    requireTicketNumber       = $true
    ticketSystemId            = 1      # ServiceNow integration
    settings = @{
        videoCodec      = "H264"
        videoQuality    = "High"
        captureInterval = 1000         # milliseconds
        # PowerShell strings do not use backslash escapes, so the UNC path is written literally
        storageLocation = "\\fileserver\SSRecordings"
        retentionDays   = 365
    }
}
Invoke-RestMethod "$baseUrl/api/v1/secret-policy" -Method POST -Headers $headers `
    -ContentType "application/json" -Body ($sessionPolicy | ConvertTo-Json -Depth 3)

# Configure a session launcher for RDP
$rdpLauncher = @{
    launcherType      = "RDP"
    enableRecording   = $true
    enableDualControl = $true
    approverGroupId   = 10     # security team group
    connectAsSecretId = 100
    settings = @{
        useSSL              = $true
        restrictedEndpoints = @("192.168.1.0/24")
        inactivityTimeout   = 30   # minutes
    }
}
Invoke-RestMethod "$baseUrl/api/v1/launchers" -Method POST -Headers $headers `
    -ContentType "application/json" -Body ($rdpLauncher | ConvertTo-Json -Depth 3)

# Configure the dual-control / approval workflow
$approvalWorkflow = @{
    name            = "Tier-0 账户审批"
    requireApproval = $true
    approvers = @(
        @{ groupId = 10; requiredApprovals = 1 }
    )
    accessRequestExpirationMinutes = 60
    notifyOnApproval = $true
    notifyOnDenial   = $true
}
```
Connect Secret Server events to security monitoring:

```powershell
# Forward events to the SIEM over syslog
$syslogConfig = @{
    enabled      = $true
    syslogServer = "siem.corp.local"
    port         = 514
    protocol     = "TLS"
    facility     = "Auth"
    severity     = "Informational"
    events = @(
        "SecretView", "SecretEdit", "SecretCreate", "SecretDelete",
        "PasswordChange", "PasswordChangeFailure",
        "SessionStart", "SessionEnd",
        "LoginFailure", "LoginSuccess",
        "PermissionChange", "ApprovalRequest"
    )
}
Invoke-RestMethod "$baseUrl/api/v1/configuration/syslog" -Method PUT -Headers $headers `
    -ContentType "application/json" -Body ($syslogConfig | ConvertTo-Json -Depth 2)

# Generate a compliance report
$report = @{
    reportType = "PasswordCompliance"
    dateRange = @{
        startDate = (Get-Date).AddDays(-30).ToString("yyyy-MM-dd")
        endDate   = (Get-Date).ToString("yyyy-MM-dd")
    }
    filters = @{
        folderIds         = @(1, 2, 3, 4, 5, 6)
        includeSubFolders = $true
    }
}
$reportResult = Invoke-RestMethod "$baseUrl/api/v1/reports" -Method POST -Headers $headers `
    -ContentType "application/json" -Body ($report | ConvertTo-Json -Depth 3)

# Display the compliance summary
Write-Host "PAM 合规报告"
Write-Host "====================="
Write-Host "密钥总数: $($reportResult.totalSecrets)"
Write-Host "轮换合规: $($reportResult.rotationCompliant) ($($reportResult.rotationCompliancePct)%)"
Write-Host "心跳健康: $($reportResult.heartbeatHealthy) ($($reportResult.heartbeatHealthyPct)%)"
Write-Host "密码超龄 > 90 天: $($reportResult.passwordAgeViolations)"
Write-Host "孤儿账户: $($reportResult.orphanedAccounts)"
```
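Forwarding the events above is only useful if something acts on them. The following added example (not part of the original skill) parses a constructed batch of Secret Server-style event lines and flags two patterns a PAM operator cares about: a secret whose rotation keeps failing, and a burst of failed vault logins followed by a success from the same source. The key=value line layout is an assumption made for this example; the real Secret Server syslog layout differs, so adapt the regex to what your version emits.

```powershell
# Added example: offline triage of Secret Server events after they reach the SIEM.
# The event lines below are CONSTRUCTED sample data in an assumed key=value layout.
$sampleEvents = @(
    '2024-05-01T02:05:11Z EventType=PasswordChangeFailure SecretId=100 User=system Src=10.0.0.5'
    '2024-05-01T02:06:12Z EventType=PasswordChangeFailure SecretId=100 User=system Src=10.0.0.5'
    '2024-05-01T02:07:13Z EventType=PasswordChangeFailure SecretId=100 User=system Src=10.0.0.5'
    '2024-05-01T02:09:40Z EventType=PasswordChange SecretId=101 User=system Src=10.0.0.5'
    '2024-05-01T08:15:02Z EventType=LoginFailure SecretId=- User=jdoe Src=10.8.1.44'
    '2024-05-01T08:15:09Z EventType=LoginFailure SecretId=- User=jdoe Src=10.8.1.44'
    '2024-05-01T08:15:17Z EventType=LoginFailure SecretId=- User=jdoe Src=10.8.1.44'
    '2024-05-01T08:15:30Z EventType=LoginSuccess SecretId=- User=jdoe Src=10.8.1.44'
    '2024-05-01T08:16:00Z EventType=SecretView SecretId=100 User=jdoe Src=10.8.1.44'
)

function ConvertFrom-SsEventLine {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^(?<ts>\S+) EventType=(?<type>\S+) SecretId=(?<sid>\S+) User=(?<user>\S+) Src=(?<src>\S+)$') {
            [pscustomobject]@{ Time = [datetime]$Matches.ts; Type = $Matches.type
                               SecretId = $Matches.sid;     User = $Matches.user; Src = $Matches.src }
        }
    }
}

function Get-SsAlerts {
    param([object[]]$Events, [int]$Threshold = 3)
    # Rule 1: repeated rotation failures on one secret mean the vaulted copy may be stale
    # and the account has silently dropped out of automatic rotation.
    $Events | Where-Object Type -eq 'PasswordChangeFailure' | Group-Object SecretId |
        Where-Object Count -ge $Threshold | ForEach-Object {
            [pscustomobject]@{ Rule = 'RotationBroken'; Subject = "SecretId $($_.Name)"; Count = $_.Count }
        }
    # Rule 2: failed logins to the vault itself, then a success from the same user and source,
    # is the guess-then-succeed pattern and deserves a human look at that session.
    $Events | Where-Object Type -in 'LoginFailure', 'LoginSuccess' | Group-Object User, Src |
        ForEach-Object {
            $ordered = $_.Group | Sort-Object Time
            $fails   = @($ordered | Where-Object Type -eq 'LoginFailure')
            $success = $ordered | Where-Object { $_.Type -eq 'LoginSuccess' -and $fails -and $_.Time -gt $fails[-1].Time } |
                       Select-Object -First 1
            if ($fails.Count -ge $Threshold -and $success) {
                [pscustomobject]@{ Rule = 'GuessThenSuccess'; Subject = $_.Name; Count = $fails.Count }
            }
        }
}

Get-SsAlerts -Events (ConvertFrom-SsEventLine $sampleEvents) | Format-Table -AutoSize
```

Running it against the sample batch yields one RotationBroken alert for SecretId 100 and one GuessThenSuccess alert for `jdoe, 10.8.1.44`; in production, replace `$sampleEvents` with the lines your SIEM export returns.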
| Term | Definition |
|---|---|
| Privileged Access Management (PAM) | A security framework that controls, monitors and audits elevated access to critical systems and data through credential vaulting and session management |
| Secret | A credential or sensitive data item stored in the vault, including passwords, SSH keys, API tokens and certificates |
| Remote Password Changing (RPC) | An automated mechanism that connects to target systems and rotates passwords according to a defined policy, without manual intervention |
| Heartbeat | A periodic check that verifies a stored credential still matches the target system, keeping vault contents synchronised and usable |
| Dual Control | A safeguard that requires approval from a second authorised user before access to highly sensitive secrets is granted |
| Discovery | Automated scanning of infrastructure across Active Directory, servers and network devices to identify privileged accounts, service accounts and their dependencies |
| Session Recording | Capture of complete privileged-session activity, including video, keystrokes and application usage, for audit and forensic review |
Background: An organisation keeps 500+ shared administrator credentials in Excel spreadsheets and password-protected documents. Auditors flagged this as a critical finding requiring remediation within 90 days.
Approach:
Considerations:
```text
DELINEA SECRET SERVER PAM DEPLOYMENT REPORT
=============================================
Environment:      Hybrid (on-premises + Azure)
Version:          Secret Server 11.6
Deployment mode:  On-premises (high availability)

Vault statistics
  Total secrets:            1,247
  Windows credentials:      523
  Linux/SSH keys:           312
  Database accounts:        198
  Network devices:          87
  Cloud API keys:           127

Password rotation status
  Auto-change enabled:      1,089 / 1,247 (87.3%)
  Rotation compliant:       1,056 / 1,089 (97.0%)
  Heartbeat healthy:        1,198 / 1,247 (96.1%)
  Rotation failures (30 days): 12

Session management
  Active sessions:          23
  Recorded sessions (30 days): 4,567
  Average session length:   22 minutes
  Approval requests (30 days): 189 (174 approved, 15 denied)

Discovery results
  Systems scanned:          2,340
  Accounts discovered:      3,891
  Vaulted:                  1,247 (32.1%)
  Pending review:           892

Compliance
  SOX controls satisfied:   12/12
  PCI-DSS requirements:     8/8
  Password age violations:  3 (remediation in progress)
```