Implements Delinea Secret Server for PAM with vault configuration, RBAC policies, auto password rotation, session recording, and Active Directory/cloud integrations. For PAM deployments, credential vaults, and password automation.
Slash command: `/cybersecurity-skills-zh:implementing-delinea-secret-server-for-pam`
- An organization needs to centrally manage privileged credentials across hybrid infrastructure

Not for standard end-user password management: Delinea Secret Server is built for privileged and shared-account credentials that require enterprise-grade controls.
Install and configure the Secret Server application server:

```powershell
# On-premises pre-install checks
# Install the IIS features Secret Server requires (ASP.NET 4.5+, Windows authentication, management console)
Import-Module ServerManager
Install-WindowsFeature Web-Server, Web-Asp-Net45, Web-Windows-Auth, Web-Mgmt-Console

# Verify SQL Server connectivity (Integrated Security: no password in the connection string)
$sqlConn = New-Object System.Data.SqlClient.SqlConnection
$sqlConn.ConnectionString = "Server=sql01.corp.local;Database=master;Integrated Security=True"
$sqlConn.Open()
Write-Host "SQL Server connection succeeded: $($sqlConn.ServerVersion)"
$sqlConn.Close()

# Create the Secret Server database (FULL recovery so the vault can be restored to a point in time)
Invoke-Sqlcmd -ServerInstance "sql01.corp.local" -Query @"
CREATE DATABASE SecretServer
GO
ALTER DATABASE SecretServer SET RECOVERY FULL
GO
"@

# Download and run the Secret Server installer
# Get the latest version from https://thy.center/ss/link/SSDownload
# Run setup.exe and follow the installation wizard

# Post-install: run the application pool as a dedicated domain service account
Import-Module WebAdministration
Set-ItemProperty "IIS:\AppPools\SecretServer" -Name processModel.identityType -Value SpecificUser
Set-ItemProperty "IIS:\AppPools\SecretServer" -Name processModel.userName -Value "CORP\svc-secretserver"
# A SpecificUser identity also needs its password; read it from a protected environment variable rather
# than a literal in the script (a gMSA removes the need for a stored password altogether)
Set-ItemProperty "IIS:\AppPools\SecretServer" -Name processModel.password -Value $env:SS_APPPOOL_PASSWORD
```
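The install steps above leave two things a reviewer will ask about: what the application-pool account can do in SQL Server, and whether the site still answers over plaintext HTTP. The following is an added example (not code from the page or from Delinea) that grants the service account `db_owner` on the vault database only, confirms it is not a `sysadmin`, and replaces the HTTP binding with an HTTPS one. It assumes the names used above (`sql01.corp.local`, `SecretServer`, `CORP\svc-secretserver`, an IIS site named `SecretServer`) and a certificate for `pam.corp.local` already in `LocalMachine\My`; all of those are assumptions.

```powershell
# Added example: post-install least-privilege and TLS checks for a Secret Server node.
# Assumed names: SQL host sql01.corp.local, database SecretServer, service account CORP\svc-secretserver,
# IIS site "SecretServer", certificate for pam.corp.local in LocalMachine\My.
Import-Module WebAdministration
Import-Module SqlServer      # provides Invoke-Sqlcmd (Install-Module SqlServer if missing)

$SqlInstance = "sql01.corp.local"
$Database    = "SecretServer"
$SvcAccount  = "CORP\svc-secretserver"
$SiteName    = "SecretServer"

function Grant-SecretServerDbAccess {
    # Map the app-pool account to db_owner on the vault database only; it never needs sysadmin.
    $q = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$SvcAccount')
    CREATE LOGIN [$SvcAccount] FROM WINDOWS;
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$SvcAccount')
    CREATE USER [$SvcAccount] FOR LOGIN [$SvcAccount];
ALTER ROLE db_owner ADD MEMBER [$SvcAccount];
"@
    Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $q
}

function Test-SecretServerSqlPrivilege {
    # $true is the desired state: the service account is NOT a member of sysadmin.
    $r = Invoke-Sqlcmd -ServerInstance $SqlInstance `
        -Query "SELECT IS_SRVROLEMEMBER('sysadmin', N'$SvcAccount') AS IsSysadmin"
    return ($r.IsSysadmin -ne 1)
}

function Set-SecretServerHttpsOnly {
    param([string]$CertThumbprint)
    if (-not $CertThumbprint) { throw "no certificate thumbprint supplied" }
    # Bind 443 with the certificate, then drop port 80 so bearer tokens never cross the wire in clear.
    if (-not (Get-WebBinding -Name $SiteName -Protocol https)) {
        New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress "*"
    }
    $binding = Get-WebBinding -Name $SiteName -Protocol https
    $binding.AddSslCertificate($CertThumbprint, "My")
    if (Get-WebBinding -Name $SiteName -Protocol http) {
        Remove-WebBinding -Name $SiteName -Protocol http -Port 80
    }
}

function Test-SecretServerAppPool {
    # The pool must run as the dedicated account, not ApplicationPoolIdentity or LocalSystem.
    $pool = Get-Item "IIS:\AppPools\$SiteName"
    return ($pool.processModel.identityType -eq "SpecificUser" -and
            $pool.processModel.userName -eq $SvcAccount)
}

Grant-SecretServerDbAccess
$thumb = (Get-ChildItem Cert:\LocalMachine\My |
          Where-Object Subject -like "*pam.corp.local*" | Select-Object -First 1).Thumbprint
Set-SecretServerHttpsOnly -CertThumbprint $thumb

# Summary a reviewer can paste into the change record
[pscustomobject]@{
    SqlNotSysadmin  = Test-SecretServerSqlPrivilege
    AppPoolIdentity = Test-SecretServerAppPool
    HttpsBinding    = [bool](Get-WebBinding -Name $SiteName -Protocol https)
    HttpBinding     = [bool](Get-WebBinding -Name $SiteName -Protocol http)
} | Format-List
```

`db_owner` is what the installer itself requires for schema upgrades; the point of the check is that the grant stops at the database boundary, so a compromise of the application pool cannot read other databases on the same instance.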
Define secret templates and organize the vault hierarchy:

```powershell
# Connect to the Secret Server API
$baseUrl = "https://pam.corp.local/SecretServer"
$creds = @{
    username   = "ss-admin"
    password   = $env:SS_ADMIN_PASSWORD   # never a literal; use a dedicated API account, not a human admin
    grant_type = "password"
}
$token = (Invoke-RestMethod "$baseUrl/oauth2/token" -Method POST -Body $creds).access_token
$headers = @{ Authorization = "Bearer $token" }

# Create the folder structure that organizes secrets
# parentFolderId -1 creates a root-level folder; inheritPermissions = $false gives each tree its own ACL
$folders = @(
    @{ folderName = "Windows Servers";   parentFolderId = -1; inheritPermissions = $false },
    @{ folderName = "Linux Servers";     parentFolderId = -1; inheritPermissions = $false },
    @{ folderName = "Network Devices";   parentFolderId = -1; inheritPermissions = $false },
    @{ folderName = "Cloud Accounts";    parentFolderId = -1; inheritPermissions = $false },
    @{ folderName = "Service Accounts";  parentFolderId = -1; inheritPermissions = $false },
    @{ folderName = "Database Accounts"; parentFolderId = -1; inheritPermissions = $false }
)
foreach ($folder in $folders) {
    Invoke-RestMethod "$baseUrl/api/v1/folders" -Method POST -Headers $headers `
        -ContentType "application/json" -Body ($folder | ConvertTo-Json)
}

# Create a custom secret template for database credentials
# Field property names below follow this page's layout; verify them against the API reference for your version
$template = @{
    name = "Database Credentials"
    fields = @(
        @{ name = "Server";            isRequired = $true;  fieldType = "Text" },
        @{ name = "Port";              isRequired = $true;  fieldType = "Text" },
        @{ name = "Database";          isRequired = $true;  fieldType = "Text" },
        @{ name = "Username";          isRequired = $true;  fieldType = "Text" },
        @{ name = "Password";          isRequired = $true;  fieldType = "Password" },   # masked; not returned in list views
        @{ name = "Connection String"; isRequired = $false; fieldType = "Notes" }
    )
}
Invoke-RestMethod "$baseUrl/api/v1/secret-templates" -Method POST -Headers $headers `
    -ContentType "application/json" -Body ($template | ConvertTo-Json -Depth 3)
```
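Folders and templates are only useful once secrets land in them with the right ACL. The following is an added example (not code from the page or from Delinea) that vaults one database credential under the "Database Credentials" template created above and grants a group read-only access to the "Database Accounts" folder, which is the RBAC step the page's description mentions but does not show. It reuses `$baseUrl` and `$headers` from the login step; the endpoints `/secrets/stub`, `/secrets`, `/folder-permissions`, `/groups`, the `filter.searchText` query parameter, the stub's `items`/`fieldName`/`itemValue` layout and the role names `View`/`Edit`/`Owner` are assumptions drawn from the v1 REST API and should be checked against the API reference shipped with your version. The group name "DBA Team" and the credential values are constructed.

```powershell
# Added example: create a secret from a template and apply least-privilege folder permissions.
# Assumes $baseUrl/$headers from the login step; endpoint and field names are assumptions (check the API reference).

function Get-SSTemplateId {
    param([string]$Name)
    $r = Invoke-RestMethod "$baseUrl/api/v1/secret-templates?filter.searchText=$([uri]::EscapeDataString($Name))" -Headers $headers
    return ($r.records | Where-Object name -eq $Name | Select-Object -First 1).id
}

function Get-SSFolderId {
    param([string]$Name)
    $r = Invoke-RestMethod "$baseUrl/api/v1/folders?filter.searchText=$([uri]::EscapeDataString($Name))" -Headers $headers
    return ($r.records | Where-Object folderName -eq $Name | Select-Object -First 1).id
}

function New-SSSecret {
    param([int]$TemplateId, [int]$FolderId, [string]$Name, [hashtable]$Values)
    # Start from the server-generated stub so every template field (and its slug) is present and typed correctly.
    $stub = Invoke-RestMethod "$baseUrl/api/v1/secrets/stub?secretTemplateId=$TemplateId&folderId=$FolderId" -Headers $headers
    $stub.name     = $Name
    $stub.folderId = $FolderId
    foreach ($item in $stub.items) {
        if ($Values.ContainsKey($item.fieldName)) { $item.itemValue = $Values[$item.fieldName] }
    }
    # Automation-created secrets inherit the folder's ACL and policy instead of carrying ad-hoc exceptions.
    $stub | Add-Member -NotePropertyName enableInheritPermissions  -NotePropertyValue $true -Force
    $stub | Add-Member -NotePropertyName enableInheritSecretPolicy -NotePropertyValue $true -Force
    Invoke-RestMethod "$baseUrl/api/v1/secrets" -Method POST -Headers $headers -ContentType "application/json" `
        -Body ($stub | ConvertTo-Json -Depth 5)
}

function Grant-SSFolderAccess {
    param([int]$FolderId, [string]$GroupName, [string]$FolderRole = "View", [string]$SecretRole = "View")
    # Consumers get View on the folder and View (not Edit/Owner) on its secrets; ownership stays with a separate group.
    $g = Invoke-RestMethod "$baseUrl/api/v1/groups?filter.searchText=$([uri]::EscapeDataString($GroupName))" -Headers $headers
    $groupId = ($g.records | Where-Object name -eq $GroupName | Select-Object -First 1).id
    if (-not $groupId) { throw "group '$GroupName' not found" }
    $perm = @{ folderId = $FolderId; groupId = $groupId; folderAccessRoleName = $FolderRole; secretAccessRoleName = $SecretRole }
    Invoke-RestMethod "$baseUrl/api/v1/folder-permissions" -Method POST -Headers $headers -ContentType "application/json" `
        -Body ($perm | ConvertTo-Json)
}

$templateId = Get-SSTemplateId -Name "Database Credentials"
$folderId   = Get-SSFolderId   -Name "Database Accounts"

# Generate the initial password locally; it is never a literal in the script and RPC will replace it on first rotation.
$generated = -join ((33..126) | Get-Random -Count 28 | ForEach-Object { [char]$_ })
$secret = New-SSSecret -TemplateId $templateId -FolderId $folderId -Name "sql01 - app_reporting" -Values @{
    "Server"   = "sql01.corp.local"     # constructed sample values
    "Port"     = "1433"
    "Database" = "Reporting"
    "Username" = "app_reporting"
    "Password" = $generated
}
Write-Host "Created secret id $($secret.id) in folder $folderId"
Grant-SSFolderAccess -FolderId $folderId -GroupName "DBA Team"
```

Granting at the folder level with inheritance enabled is what makes the vault auditable: one ACL per tree, visible in one place, instead of per-secret exceptions that drift.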
Set up automated discovery of privileged accounts across environments:

```powershell
# Configure an Active Directory discovery source
$adDiscovery = @{
    name = "Enterprise AD Discovery"
    discoverySourceType = "ActiveDirectory"
    active = $true
    settings = @{
        domainName = "corp.local"
        friendlyName = "Enterprise domain"
        discoveryAccountId = 12    # secret ID of the discovery service account (read access to the OUs is enough; not Domain Admin)
        ouFilters = @(
            "OU=Servers,DC=corp,DC=local",
            "OU=Workstations,DC=corp,DC=local"
        )
    }
    scanInterval = 86400           # seconds: 24 hours
}
Invoke-RestMethod "$baseUrl/api/v1/discovery" -Method POST -Headers $headers `
    -ContentType "application/json" -Body ($adDiscovery | ConvertTo-Json -Depth 3)

# Configure local account discovery for Windows servers
$localDiscovery = @{
    name = "Windows Local Account Discovery"
    discoverySourceType = "Machine"
    active = $true
    settings = @{
        machineType = "Windows"
        accountScanTemplate = "Windows Local Account"
        dependencyScanTemplate = "Windows Service"   # also finds services that run under discovered accounts
    }
}
Invoke-RestMethod "$baseUrl/api/v1/discovery" -Method POST -Headers $headers `
    -ContentType "application/json" -Body ($localDiscovery | ConvertTo-Json -Depth 3)

# Import discovered accounts as secrets
# After a discovery run, review the accounts it found before importing them
$discoveredAccounts = Invoke-RestMethod "$baseUrl/api/v1/discovery/status" -Headers $headers
Write-Host "Discovered $($discoveredAccounts.totalAccounts) accounts"
Write-Host " - Domain admins: $($discoveredAccounts.domainAdmins)"
Write-Host " - Local admins: $($discoveredAccounts.localAdmins)"
Write-Host " - Service accounts: $($discoveredAccounts.serviceAccounts)"
```
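Discovery typically returns far more accounts than can be vaulted in one wave (the report at the end of this page shows 3,891 found against 1,247 vaulted), so the review step needs a rule for ordering the import. The following is an added example (not code from the page or from Delinea) of that triage: it ranks accounts by privilege tier, password age and dependency count, and flags service accounts whose rotation must wait for dependency mapping. The records are a constructed sample shaped like a discovery export; real export columns differ by version and the column names here are an assumption.

```powershell
# Added example: triage of discovery results before import.
# $Discovered is a constructed sample; real discovery export columns are an assumption here.
$Discovered = @(
    [pscustomobject]@{ Machine='DC01';   Account='CORP\Administrator';  Type='DomainAdmin';    PasswordAgeDays=412; IsAdmin=$true;  Dependencies=0; Vaulted=$false },
    [pscustomobject]@{ Machine='SQL01';  Account='SQL01\Administrator'; Type='LocalAdmin';     PasswordAgeDays=730; IsAdmin=$true;  Dependencies=0; Vaulted=$false },
    [pscustomobject]@{ Machine='APP02';  Account='CORP\svc-backup';     Type='ServiceAccount'; PasswordAgeDays=950; IsAdmin=$true;  Dependencies=6; Vaulted=$false },
    [pscustomobject]@{ Machine='WEB03';  Account='WEB03\Administrator'; Type='LocalAdmin';     PasswordAgeDays=12;  IsAdmin=$true;  Dependencies=0; Vaulted=$true  },
    [pscustomobject]@{ Machine='WKS117'; Account='WKS117\helpdesk';     Type='LocalAccount';   PasswordAgeDays=88;  IsAdmin=$false; Dependencies=0; Vaulted=$false },
    [pscustomobject]@{ Machine='APP02';  Account='CORP\svc-sync';       Type='ServiceAccount'; PasswordAgeDays=45;  IsAdmin=$false; Dependencies=2; Vaulted=$false }
)

function Get-ImportPriority {
    param([pscustomobject]$Account)
    # Privilege tier first, then exposure (how long the password has been static), then admin rights.
    $score = switch ($Account.Type) { 'DomainAdmin' { 100 } 'ServiceAccount' { 60 } 'LocalAdmin' { 50 } default { 10 } }
    if     ($Account.PasswordAgeDays -gt 365) { $score += 30 }
    elseif ($Account.PasswordAgeDays -gt 90)  { $score += 15 }
    if ($Account.IsAdmin) { $score += 10 }
    return $score
}

function Get-ImportPlan {
    param([object[]]$Accounts)
    foreach ($a in ($Accounts | Where-Object { -not $_.Vaulted })) {
        # A service account with dependencies is imported together with them and rotated only after the
        # dependency scan has confirmed every service, task or app pool that uses it; rotating first breaks them.
        $rotation = if ($a.Type -eq 'ServiceAccount' -and $a.Dependencies -gt 0) { 'after dependency mapping' }
                    else { 'immediately on import' }
        $folder = switch ($a.Type) { 'ServiceAccount' { 'Service Accounts' } default { 'Windows Servers' } }
        [pscustomobject]@{
            Priority = Get-ImportPriority $a
            Account  = $a.Account
            Machine  = $a.Machine
            Folder   = $folder
            Rotation = $rotation
        }
    }
}

Get-ImportPlan -Accounts $Discovered | Sort-Object Priority -Descending | Format-Table -AutoSize
```

In the sample, `CORP\Administrator` and the 950-day-old `svc-backup` come out on top, but only the former is rotated on import; the service account waits until its six dependencies are mapped, which is the failure mode that most often gets a PAM rollout rolled back.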
Configure automatic password rotation with complexity requirements:

```powershell
# Create a password rotation policy
$rotationPolicy = @{
    name = "High-security 30-day rotation"
    rotationIntervalDays = 30
    passwordRequirements = @{
        minimumLength = 24
        maximumLength = 32
        requireUpperCase = $true
        requireLowerCase = $true
        requireNumbers = $true
        requireSymbols = $true
        # Single-quoted so PowerShell does not attempt variable expansion on the "$"
        allowedSymbols = '!@#$%^&*()-_=+[]{}|;:,.<>?'
    }
    rotationType = "AutoChange"
    autoChangeSchedule = @{
        changeType = "RecurringSchedule"
        recurrenceType = "Monthly"
        dayOfMonth = 1
        startTime = "02:00"
    }
}
Invoke-RestMethod "$baseUrl/api/v1/remote-password-changing/configuration" -Method POST `
    -Headers $headers -ContentType "application/json" -Body ($rotationPolicy | ConvertTo-Json -Depth 4)

# Configure Remote Password Changing (RPC) for a Windows account
$rpcConfig = @{
    secretId = 100                   # target secret
    autoChangeEnabled = $true
    autoChangeNextPassword = $true
    privilegedAccountSecretId = 50   # vaulted account that performs the change (not the target itself)
    changePasswordUsing = "PrivilegedAccount"
}
Invoke-RestMethod "$baseUrl/api/v1/secrets/100/remote-password-changing" -Method PUT `
    -Headers $headers -ContentType "application/json" -Body ($rpcConfig | ConvertTo-Json)

# Configure heartbeat monitoring to verify the stored credential still works
$heartbeat = @{
    enabled = $true
    intervalMinutes = 60
    onFailure = "SendAlert"      # a failed heartbeat means the vault and the target have drifted apart
    alertEmailGroupId = 5
}
Invoke-RestMethod "$baseUrl/api/v1/secrets/100/heartbeat" -Method PUT `
    -Headers $headers -ContentType "application/json" -Body ($heartbeat | ConvertTo-Json)
```
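Configuring rotation per secret is only half the control; the other half is a sweep that finds secrets where rotation or heartbeat has silently stopped working, since a credential the vault cannot verify is one an attacker may already have changed. The following is an added example (not code from the page or from Delinea) of that sweep over one folder tree: it lists secrets, flags failed heartbeats and passwords older than the 30-day policy above, re-runs heartbeat, and queues a password change where the credential is still valid. It reuses `$baseUrl` and `$headers`; the endpoints `/secrets` with `filter.folderId`, `filter.includeSubFolders`, `take` and `skip`, `/secrets/{id}/heartbeat`, `/secrets/{id}/change-password`, the `hasNext` paging flag and the summary fields `lastHeartBeatStatus` and `lastPasswordChangeAttempt` are assumptions drawn from the v1 REST API and should be confirmed against your version's API reference.

```powershell
# Added example: rotation and heartbeat health sweep for a folder tree.
# Assumes $baseUrl/$headers from the login step; endpoint and field names are assumptions (check the API reference).
$MaxPasswordAgeDays = 30     # matches the "High-security 30-day rotation" policy

function Get-SSSecretsInFolder {
    param([int]$FolderId)
    $all = @(); $skip = 0; $take = 100
    do {
        $page = Invoke-RestMethod ("$baseUrl/api/v1/secrets?filter.folderId=$FolderId" +
                                   "&filter.includeSubFolders=true&take=$take&skip=$skip") -Headers $headers
        $all += $page.records
        $skip += $take
    } while ($page.hasNext)
    return $all
}

function Get-RotationFindings {
    param([object[]]$Secrets, [int]$MaxAgeDays)
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    foreach ($s in $Secrets) {
        $hbFailed   = $s.lastHeartBeatStatus -in @("Failed", "UnableToConnect", "IncompatibleHost")
        $lastChange = if ($s.lastPasswordChangeAttempt) { [datetime]$s.lastPasswordChangeAttempt } else { $null }
        $stale      = (-not $lastChange) -or ($lastChange -lt $cutoff)   # never rotated counts as stale
        if ($hbFailed -or $stale) {
            [pscustomobject]@{
                SecretId = $s.id; Name = $s.name
                HeartbeatFailed = $hbFailed; PasswordStale = $stale; LastChange = $lastChange
            }
        }
    }
}

function Repair-SSSecret {
    param([pscustomobject]$Finding)
    # Heartbeat first: if the stored credential no longer works, RPC cannot authenticate either and a human must reconcile.
    Invoke-RestMethod "$baseUrl/api/v1/secrets/$($Finding.SecretId)/heartbeat" -Method POST -Headers $headers | Out-Null
    if ($Finding.PasswordStale -and -not $Finding.HeartbeatFailed) {
        # Empty body: let the server generate the new password from the policy rather than supplying one
        Invoke-RestMethod "$baseUrl/api/v1/secrets/$($Finding.SecretId)/change-password" -Method POST -Headers $headers `
            -ContentType "application/json" -Body (@{} | ConvertTo-Json) | Out-Null
        return "rotation queued"
    }
    return "heartbeat re-run; manual review required"
}

$secrets  = Get-SSSecretsInFolder -FolderId 1    # "Windows Servers" (folder ID is an assumption)
$findings = @(Get-RotationFindings -Secrets $secrets -MaxAgeDays $MaxPasswordAgeDays)
Write-Host "$($secrets.Count) secrets scanned, $($findings.Count) need attention"
foreach ($f in $findings) {
    $action = Repair-SSSecret -Finding $f
    Write-Host ("{0,-40} hbFailed={1} stale={2} -> {3}" -f $f.Name, $f.HeartbeatFailed, $f.PasswordStale, $action)
}
```

The ordering matters: a secret with a failed heartbeat is never pushed through RPC automatically, because the most likely cause is that the password was changed outside the vault, and forcing a rotation on top of that destroys the evidence of who did it.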
Enable session recording for privileged access sessions:

```powershell
# Enable a session recording policy
$sessionPolicy = @{
    name = "Full Recording Policy"
    recordSessions = $true
    recordKeystrokes = $true
    recordApplications = $true
    maxSessionDurationMinutes = 480
    requireComment = $true
    requireTicketNumber = $true
    ticketSystemId = 1        # ServiceNow integration
    settings = @{
        videoCodec = "H264"
        videoQuality = "High"
        captureInterval = 1000    # milliseconds
        # Plain UNC path: PowerShell double-quoted strings do not treat backslash as an escape, so "\\\\server\\share"
        # would be stored literally. Restrict the share ACL to the Secret Server service account; recordings are evidence.
        storageLocation = "\\fileserver\SSRecordings"
        retentionDays = 365
    }
}
Invoke-RestMethod "$baseUrl/api/v1/secret-policy" -Method POST -Headers $headers `
    -ContentType "application/json" -Body ($sessionPolicy | ConvertTo-Json -Depth 3)

# Configure a session launcher for RDP
$rdpLauncher = @{
    launcherType = "RDP"
    enableRecording = $true
    enableDualControl = $true
    approverGroupId = 10        # security team group
    connectAsSecretId = 100
    settings = @{
        useSSL = $true
        restrictedEndpoints = @("192.168.1.0/24")   # the launcher may only open sessions into this range
        inactivityTimeout = 30                      # minutes
    }
}
Invoke-RestMethod "$baseUrl/api/v1/launchers" -Method POST -Headers $headers `
    -ContentType "application/json" -Body ($rdpLauncher | ConvertTo-Json -Depth 3)

# Configure the dual-control / approval workflow
$approvalWorkflow = @{
    name = "Tier-0 Account Approval"
    requireApproval = $true
    approvers = @(
        @{ groupId = 10; requiredApprovals = 1 }
    )
    accessRequestExpirationMinutes = 60
    notifyOnApproval = $true
    notifyOnDenial = $true
}
# Approval requirements are part of a secret policy in Secret Server, so the workflow is submitted to the same
# endpoint as the recording policy above (body shape follows this page's policy objects; check your version's API reference)
Invoke-RestMethod "$baseUrl/api/v1/secret-policy" -Method POST -Headers $headers `
    -ContentType "application/json" -Body ($approvalWorkflow | ConvertTo-Json -Depth 3)
```
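Dual control only works if the requester and the approver are genuinely different sessions; an automation account that can both request and approve defeats the control. The following is an added example (not code from the page or from Delinea) of the request/approve flow for secret 100 under the "Tier-0 Account Approval" policy above, using two separate OAuth sessions. It assumes `$baseUrl` from the login step, two user accounts whose passwords come from the environment, and the endpoints `/secret-access-requests` (POST to create, GET with `filter.status`, PUT to decide) and `/secrets/{id}/fields/{slug}` together with their field names, all of which are assumptions drawn from the v1 REST API and should be checked against your version's API reference. The ticket number is a constructed sample value.

```powershell
# Added example: dual-control access request and approval with two distinct identities.
# Assumes $baseUrl; user names, passwords and endpoint/field names are assumptions (check the API reference).

function Get-SSToken {
    param([string]$User, [string]$Password)
    $body = @{ username = $User; password = $Password; grant_type = "password" }
    $t = (Invoke-RestMethod "$baseUrl/oauth2/token" -Method POST -Body $body).access_token
    return @{ Authorization = "Bearer $t" }
}

function Request-SSAccess {
    param([hashtable]$Headers, [int]$SecretId, [string]$Reason, [string]$Ticket, [int]$Minutes = 60)
    # Explicit, short window; the server clamps it to the policy's accessRequestExpirationMinutes.
    $now = (Get-Date).ToUniversalTime()
    $req = @{
        secretId     = $SecretId
        reason       = $Reason
        ticketNumber = $Ticket
        startDate    = $now.ToString("o")
        endDate      = $now.AddMinutes($Minutes).ToString("o")
    }
    Invoke-RestMethod "$baseUrl/api/v1/secret-access-requests" -Method POST -Headers $Headers `
        -ContentType "application/json" -Body ($req | ConvertTo-Json)
}

function Approve-SSAccess {
    param([hashtable]$Headers, [int]$RequestId, [string]$Comment)
    $pending = Invoke-RestMethod "$baseUrl/api/v1/secret-access-requests?filter.status=Pending" -Headers $Headers
    $r = $pending.records | Where-Object secretAccessRequestId -eq $RequestId
    if (-not $r) { throw "request $RequestId is not pending or not visible to this approver" }
    $decision = @{
        secretAccessRequestId = $RequestId
        status          = "Approved"
        responseComment = $Comment
        startDate       = $r.startDate
        endDate         = $r.endDate
    }
    Invoke-RestMethod "$baseUrl/api/v1/secret-access-requests" -Method PUT -Headers $Headers `
        -ContentType "application/json" -Body ($decision | ConvertTo-Json)
}

# Requester and approver are different people with different credentials (assumed user names, passwords from the environment).
$requester = Get-SSToken -User "alice" -Password $env:SS_ALICE_PASSWORD
$approver  = Get-SSToken -User "bob"   -Password $env:SS_BOB_PASSWORD

# Ticket number is a constructed sample; with requireTicketNumber = $true the policy rejects a request without one.
$request = Request-SSAccess -Headers $requester -SecretId 100 -Reason "Patch DC01 during approved change window" -Ticket "CHG0012345"
Write-Host "Request $($request.secretAccessRequestId) submitted, status: $($request.status)"

# Approval runs in the approver's session; the requester's token cannot complete this step.
$result = Approve-SSAccess -Headers $approver -RequestId $request.secretAccessRequestId -Comment "Change window confirmed"
Write-Host "Request $($result.secretAccessRequestId) now $($result.status), valid until $($result.endDate)"

# Only inside the approved window does the requester's session get the password field; outside it the call returns 403.
$password = Invoke-RestMethod "$baseUrl/api/v1/secrets/100/fields/password" -Headers $requester
```

Every step above produces an audit event (request, approval, view), which is what the syslog forwarding in the next section carries to the SIEM; the approver's name on the approval record is the evidence that the control was exercised.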
Connect Secret Server events to security monitoring:

```powershell
# Configure syslog forwarding to the SIEM
$syslogConfig = @{
    enabled = $true
    syslogServer = "siem.corp.local"
    port = 6514               # syslog over TLS (RFC 5425); 514 is the plaintext UDP/TCP port and would send audit events in clear
    protocol = "TLS"
    facility = "Auth"
    severity = "Informational"
    events = @(
        "SecretView", "SecretEdit", "SecretCreate", "SecretDelete",
        "PasswordChange", "PasswordChangeFailure",
        "SessionStart", "SessionEnd",
        "LoginFailure", "LoginSuccess",
        "PermissionChange", "ApprovalRequest"
    )
}
Invoke-RestMethod "$baseUrl/api/v1/configuration/syslog" -Method PUT -Headers $headers `
    -ContentType "application/json" -Body ($syslogConfig | ConvertTo-Json -Depth 2)

# Generate a compliance report
$report = @{
    reportType = "PasswordCompliance"
    dateRange = @{
        startDate = (Get-Date).AddDays(-30).ToString("yyyy-MM-dd")
        endDate   = (Get-Date).ToString("yyyy-MM-dd")
    }
    filters = @{
        folderIds = @(1, 2, 3, 4, 5, 6)
        includeSubFolders = $true
    }
}
$reportResult = Invoke-RestMethod "$baseUrl/api/v1/reports" -Method POST -Headers $headers `
    -ContentType "application/json" -Body ($report | ConvertTo-Json -Depth 3)

# Print the compliance summary
Write-Host "PAM Compliance Report"
Write-Host "====================="
Write-Host "Total secrets: $($reportResult.totalSecrets)"
Write-Host "Rotation compliant: $($reportResult.rotationCompliant) ($($reportResult.rotationCompliancePct)%)"
Write-Host "Heartbeat healthy: $($reportResult.heartbeatHealthy) ($($reportResult.heartbeatHealthyPct)%)"
Write-Host "Passwords older than 90 days: $($reportResult.passwordAgeViolations)"
Write-Host "Orphaned accounts: $($reportResult.orphanedAccounts)"
```
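Forwarding the events is the easy part; the SIEM also needs rules that turn them into alerts. The following is an added example (not code from the page or from Delinea) of three detections run over constructed syslog lines: one user viewing many distinct secrets in a short window, repeated rotation failures on one secret, and a burst of failed logins against the vault itself. Secret Server forwards events in CEF, but the lines below are constructed samples in a CEF-like shape that reuse the event names from the configuration above; the exact header fields and extension keys of real output are an assumption and should be taken from your version's documentation. It runs offline on the sample.

```powershell
# Added example: detection rules over constructed Secret Server syslog (CEF-like) lines.
# The sample lines are constructed; real CEF header/extension layout is an assumption.
$SampleLines = @'
2024-05-02T02:01:10Z ss01 CEF:0|Delinea|Secret Server|11.6|SecretView|SecretView|2|suser=alice cs2=100 cs1=sql01 - app_reporting src=10.1.2.3
2024-05-02T02:01:25Z ss01 CEF:0|Delinea|Secret Server|11.6|SecretView|SecretView|2|suser=alice cs2=101 cs1=DC01 - Administrator src=10.1.2.3
2024-05-02T02:01:41Z ss01 CEF:0|Delinea|Secret Server|11.6|SecretView|SecretView|2|suser=alice cs2=102 cs1=DC02 - Administrator src=10.1.2.3
2024-05-02T02:02:03Z ss01 CEF:0|Delinea|Secret Server|11.6|SecretView|SecretView|2|suser=alice cs2=103 cs1=core-sw01 - admin src=10.1.2.3
2024-05-02T02:02:30Z ss01 CEF:0|Delinea|Secret Server|11.6|SecretView|SecretView|2|suser=alice cs2=104 cs1=azure - sp-deploy src=10.1.2.3
2024-05-02T09:15:00Z ss01 CEF:0|Delinea|Secret Server|11.6|SecretView|SecretView|2|suser=bob cs2=100 cs1=sql01 - app_reporting src=10.1.5.7
2024-05-02T03:00:05Z ss01 CEF:0|Delinea|Secret Server|11.6|PasswordChangeFailure|PasswordChangeFailure|5|cs2=205 cs1=WEB03 - Administrator reason=Unable to connect
2024-05-02T04:00:05Z ss01 CEF:0|Delinea|Secret Server|11.6|PasswordChangeFailure|PasswordChangeFailure|5|cs2=205 cs1=WEB03 - Administrator reason=Unable to connect
2024-05-02T05:00:05Z ss01 CEF:0|Delinea|Secret Server|11.6|PasswordChangeFailure|PasswordChangeFailure|5|cs2=205 cs1=WEB03 - Administrator reason=Unable to connect
2024-05-02T11:20:01Z ss01 CEF:0|Delinea|Secret Server|11.6|LoginFailure|LoginFailure|4|suser=svc-api src=203.0.113.9
2024-05-02T11:20:02Z ss01 CEF:0|Delinea|Secret Server|11.6|LoginFailure|LoginFailure|4|suser=ss-admin src=203.0.113.9
2024-05-02T11:20:03Z ss01 CEF:0|Delinea|Secret Server|11.6|LoginFailure|LoginFailure|4|suser=administrator src=203.0.113.9
'@ -split "`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ }

function ConvertFrom-SSCef {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^(?<ts>\S+)\s+\S+\s+CEF:0\|(?<rest>.+)$') {
            $ts = $Matches.ts; $rest = $Matches.rest
            # vendor|product|version|signatureId|name|severity|extension (extension may itself contain '|' so limit to 7 parts)
            $parts = $rest -split '\|', 7
            $ext = @{}
            # key=value pairs whose values may contain spaces (cs1 holds the secret name)
            foreach ($m in [regex]::Matches($parts[6], '(\w+)=(.*?)(?=\s\w+=|$)')) { $ext[$m.Groups[1].Value] = $m.Groups[2].Value.Trim() }
            [pscustomobject]@{
                Time = [datetimeoffset]::Parse($ts).UtcDateTime
                Event = $parts[4]; User = $ext['suser']; SecretId = $ext['cs2']; Secret = $ext['cs1']; Src = $ext['src']
            }
        }
    }
}

function Find-SSAnomalies {
    param([object[]]$Events, [int]$ViewBurst = 5, [int]$WindowMinutes = 5, [int]$FailBurst = 3)
    $findings = @()
    # Rule 1: one user viewing many distinct secrets within a sliding window (credential harvesting), flagged if off-hours
    foreach ($grp in ($Events | Where-Object Event -eq 'SecretView' | Group-Object User)) {
        $sorted = @($grp.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start  = $sorted[$i].Time
            $window = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -lt $start.AddMinutes($WindowMinutes) })
            $distinct = @($window.SecretId | Select-Object -Unique).Count
            if ($distinct -ge $ViewBurst) {
                $findings += [pscustomobject]@{ Rule = 'SecretViewBurst'; Subject = $grp.Name; Count = $distinct; At = $start
                                                OffHours = ($start.Hour -lt 6 -or $start.Hour -ge 20) }
                break
            }
        }
    }
    # Rule 2: repeated rotation failures on one secret (target unreachable, or its password changed outside the vault)
    foreach ($grp in ($Events | Where-Object Event -eq 'PasswordChangeFailure' | Group-Object SecretId)) {
        if ($grp.Count -ge $FailBurst) {
            $findings += [pscustomobject]@{ Rule = 'RotationFailures'; Subject = "secret $($grp.Name)"; Count = $grp.Count
                                            At = (@($grp.Group | Sort-Object Time)[-1]).Time; OffHours = $false }
        }
    }
    # Rule 3: failed logins from one source against the vault itself (password spraying the PAM front door)
    foreach ($grp in ($Events | Where-Object Event -eq 'LoginFailure' | Group-Object Src)) {
        if ($grp.Count -ge $FailBurst) {
            $findings += [pscustomobject]@{ Rule = 'LoginFailureBurst'; Subject = $grp.Name; Count = $grp.Count
                                            At = (@($grp.Group | Sort-Object Time)[-1]).Time; OffHours = $false }
        }
    }
    return $findings
}

$events = @(ConvertFrom-SSCef -Lines $SampleLines)
Find-SSAnomalies -Events $events | Format-Table -AutoSize
```

On the sample, `alice` trips the view-burst rule at 02:01 UTC with five distinct secrets (two of them domain controller Administrator accounts) and is flagged off-hours, secret 205 trips the rotation-failure rule, and `203.0.113.9` trips the login-failure rule; `bob`'s single daytime view produces nothing. The thresholds are starting points to tune against your own baseline of views per user.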
| Term | Definition |
|---|---|
| Privileged Access Management (PAM) | A security framework that controls, monitors and audits elevated access to critical systems and data through credential vaulting and session management |
| Secret | A credential or sensitive data item stored in the vault, including passwords, SSH keys, API tokens and certificates |
| Remote Password Changing (RPC) | An automated mechanism that connects to target systems and rotates passwords according to a defined policy, without human intervention |
| Heartbeat | A periodic check that verifies a stored credential still works against its target system, so the vault's contents stay in sync and usable |
| Dual Control | A security mechanism that requires approval from a second authorized user before access to a highly sensitive secret is granted |
| Discovery | Automated scanning of infrastructure across Active Directory, servers and network devices to identify privileged accounts, service accounts and their dependencies |
| Session Recording | Capture of complete privileged session activity, including video, keystrokes and application usage, for audit and forensic review |
Background: An organization stores 500+ shared administrator credentials in Excel spreadsheets and password-protected documents. Auditors flagged this as a critical finding that must be remediated within 90 days.
Approach:
Considerations:
```text
DELINEA SECRET SERVER PAM DEPLOYMENT REPORT
=============================================
Environment: Hybrid (on-premises + Azure)
Version: Secret Server 11.6
Deployment mode: On-premises (high availability)

Vault statistics
  Total secrets: 1,247
  Windows credentials: 523
  Linux/SSH keys: 312
  Database accounts: 198
  Network devices: 87
  Cloud API keys: 127

Password rotation status
  Auto-change enabled: 1,089 / 1,247 (87.3%)
  Rotation compliant: 1,056 / 1,089 (97.0%)
  Heartbeat healthy: 1,198 / 1,247 (96.1%)
  Rotation failures (30 days): 12

Session management
  Active sessions: 23
  Recorded sessions (30 days): 4,567
  Average session length: 22 minutes
  Approval requests (30 days): 189 (174 approved, 15 denied)

Discovery results
  Systems scanned: 2,340
  Accounts discovered: 3,891
  Vaulted: 1,247 (32.1%)
  Pending review: 892

Compliance
  SOX controls met: 12/12
  PCI-DSS requirements: 8/8
  Password age violations: 3 (remediation in progress)
```
Install: `npx claudepluginhub killvxk/cybersecurity-skills-zh`