From da767aa222b53e9cd3abd86ad1feefbe9ee9ec8b Mon Sep 17 00:00:00 2001 From: Rick Roca Date: Tue, 16 Jan 2024 13:54:05 -0500 Subject: [PATCH 1/2] Adobe Sign Final Draft --- .../Discovery/AdobeSign Discovery.ps1 | 435 ++++++++++++++++++ .../AdobeSign/Discovery/readme.md | 258 +++++++++++ .../SecretServer/AdobeSign/Instructions.md | 137 ++++++ .../Adobe Sign Heartbeat Placeholder.ps1 | 1 + .../Adobe Sign RPC Placeholder.ps1 | 1 + .../AdobeSign/RemotePasswordChanger/readme.md | 105 +++++ .../Templates/Adobe Sign Account.xml | 130 ++++++ .../Templates/Adobe Sign Integration Key.xml | 112 +++++ .../AdobeSign/Templates/readme.md | 0 Scripts/SecretServer/AdobeSign/readme.md | 23 + 10 files changed, 1202 insertions(+) create mode 100644 Scripts/SecretServer/AdobeSign/Discovery/AdobeSign Discovery.ps1 create mode 100644 Scripts/SecretServer/AdobeSign/Discovery/readme.md create mode 100644 Scripts/SecretServer/AdobeSign/Instructions.md create mode 100644 Scripts/SecretServer/AdobeSign/RemotePasswordChanger/Adobe Sign Heartbeat Placeholder.ps1 create mode 100644 Scripts/SecretServer/AdobeSign/RemotePasswordChanger/Adobe Sign RPC Placeholder.ps1 create mode 100644 Scripts/SecretServer/AdobeSign/RemotePasswordChanger/readme.md create mode 100644 Scripts/SecretServer/AdobeSign/Templates/Adobe Sign Account.xml create mode 100644 Scripts/SecretServer/AdobeSign/Templates/Adobe Sign Integration Key.xml create mode 100644 Scripts/SecretServer/AdobeSign/Templates/readme.md create mode 100644 Scripts/SecretServer/AdobeSign/readme.md diff --git a/Scripts/SecretServer/AdobeSign/Discovery/AdobeSign Discovery.ps1 b/Scripts/SecretServer/AdobeSign/Discovery/AdobeSign Discovery.ps1 new file mode 100644 index 0000000..cf4ae3b --- /dev/null +++ b/Scripts/SecretServer/AdobeSign/Discovery/AdobeSign Discovery.ps1 
@@ -0,0 +1,435 @@ +$args = @("Default","api.na1.adobesign.com", "3AAABLblqZhDgUgDAXcpI9wbn1uaA0L_EvnsFST0qfWWxyKZOB9R8m6txuMYii2rK9saXwv2RlFRUmA7icf5pYOpO6JK_AXbP","true","ServiceAccounts=CBJCHBCAABAADKXZhgQc1ZiSl3WydXp9KbAFLPdSF4Qm") +#region define variables +#Define Argument Variables + +[string]$DiscoveryMode = $args[0] +[string]$baseURL = $args[1] +[string]$api = "api/rest/v6" +[string]$accesstoken = $args[2] +[string]$pageSize = 100 +[boolean]$sAMLEnabled = [System.Convert]::ToBoolean($args[3]) +[string]$svcGroupNames = $args[4] + +#Script Constants +[string]$LogFile = "$env:Program Files\Thycotic Software Ltd\Distributed Engine\log\AdobeSign-Discovery.log" +[string]$LogFile = "C:\temp\AdobeSign-Discovery.log" +[int32]$LogLevel = 3 +[string]$logApplicationHeader = "Adobe Acrobat Sign Discovery" +[System.Collections.ArrayList]$users = New-Object System.Collections.ArrayList +[System.Collections.ArrayList]$adminAccounts = New-Object System.Collections.ArrayList +#endregion + +#region Error Handling Functions +function Write-Log { + [CmdletBinding()] + param ( + [Parameter(Mandatory)] + [ValidateSet(0,1,2,3)] + [Int32]$ErrorLevel, + [Parameter(Mandatory,ValueFromPipeline)] + [string]$Message + ) + # Evaluate Log Level based on global configuration + if ($ErrorLevel -le $LogLevel) { + # Format message + [string]$Timestamp = Get-Date -Format "yyyy-MM-ddThh:mm:sszzz" + switch ($ErrorLevel) { + "0" { [string]$MessageLevel = "INF0 " } + "1" { [string]$MessageLevel = "WARN " } + "2" { [string]$MessageLevel = "ERROR" } + "3" { [string]$MessageLevel = "DEBUG" } + } + # Write Log data + $MessageString = "{0}`t| {1}`t| {2}`t| {3}" -f $Timestamp, $MessageLevel,$logApplicationHeader, $Message + $MessageString | Out-File -FilePath $LogFile -Encoding utf8 -Append -ErrorAction SilentlyContinue + # $Color = @{ 0 = 'Green'; 1 = 'Cyan'; 2 = 'Yellow'; 3 = 'Red'} + # Write-Host -ForegroundColor $Color[$ErrorLevel] -Object ( $DateTime + $Message) + } +} +#endregion Error Handling 
Functions + + +#region Get All Users + #Create Headers + + function RetrieveUsers { + param( + [string] $cursor + ) + try { + + $headers = @{ + "Authorization" = "Bearer $accessToken" + } + + # Get full URL from baseUris + $uri = $baseUris.apiAccessPoint + + + # Get All Active Users + + + # Specify endpoint uri for Users + if ([string]::IsNullOrEmpty($cursor)) { + $uri = "$uri$api/users?pageSize=$pageSize" + } else { + $uri = "$uri$api/users?cursor=$cursor&pageSize=$pageSize" + } + + Write-Log -Errorlevel 0 -Message "Requesting Users form endpoint $uri" + + # Specify HTTP method + $method = "get" + + # Send HTTP request + $userObj = Invoke-RestMethod -Headers $headers -Method $method -Uri $uri + } + + catch { + $Err = $_ + Write-Log -ErrorLevel 0 -Message "Failed to retrieve User List" + Write-Log -ErrorLevel 2 -Message $Err.Exception + throw $Err.Exception + } + return $userObj + } + + + function RetrieveUserDetail { + param( + [Parameter(Mandatory)] + [string] $userId + ) + try { + + $headers = @{ + "Authorization" = "Bearer $accessToken" + } + + # Get full URL from baseUris + $uri = $baseUris.apiAccessPoint + + + # Get All Active Users + + + # Specify endpoint uri for Users + $uri = "$uri$api/users/$userId" + + Write-Log -Errorlevel 0 -Message "Requesting Users form endpoint $uri" + + # Specify HTTP method + $method = "get" + + # Send HTTP request + $userObj = Invoke-RestMethod -Headers $headers -Method $method -Uri $uri + } + + catch { + $Err = $_ + Write-Log -ErrorLevel 0 -Message "Failed to retrieve User List" + Write-Log -ErrorLevel 2 -Message $Err.Exception + throw $Err.Exception + } + return $userObj + } + #endregion + + +#region Service Account Functions + +function Get-GroupMembers { + param( + [Parameter(Mandatory,ValueFromPipeline)] + [string] $GroupId, + [string] $cursor + ) + try { + + $headers = @{ + "Authorization" = "Bearer $accessToken" + } + + # Get full URL from baseUris + $uri = $baseUris.apiAccessPoint + + + # Get All Active Users + + + # 
Specify endpoint uri for Users + if ([string]::IsNullOrEmpty($cursor)) { + $uri = "$uri$api/groups/$GroupId/users?pageSize=$pageSize" + } else { + $uri = "$uri$api/groups/$GroupId//users?cursor=$cursor&pageSize=$pageSize" + } + + Write-Log -Errorlevel 0 -Message "Requesting Users form endpoint $uri" + + # Specify HTTP method + $method = "get" + + # Send HTTP request + $userObj = Invoke-RestMethod -Headers $headers -Method $method -Uri $uri + } + + catch { + $Err = $_ + Write-Log -ErrorLevel 0 -Message "Failed to retrieve User List" + Write-Log -ErrorLevel 2 -Message $Err.Exception + throw $Err.Exception + } + return $userObj + } + +function get-svcAccountUsers{ + <# + .SYNOPSIS + This Function returns a list of Service Account users + + .DESCRIPTION + This Function returns a list of Admin users that are members of + Service Account Groups are passed in as a comma seperated list of Group Names that Identify Service Account Users. + + .EXAMPLE + An example: Service Team=0ee39126-67d5-4e2c-93cc-a78f32ccc78d + + #> + try { + Write-Log -Errorlevel 0 -Message "Retrieving List of Service Account Users" + ##Create Roles Array + + If ($svcGroupNames) + { + ### Create Array of Serice Account Groups + $svcGroupArray = $svcGroupNames.split(",").split("=")[1] + #Clear Parametwr List + + $svcUsers = @() + + + foreach($Group in $svcGroupArray ) + { + + $more = $true + $cursor = $null + while ($true -eq $more) { + if ($null -eq $cursor) { + $results =Get-GroupMembers -GroupId $Group + } else { + $results =Get-GroupMembers -GroupId $Group -cursor $cursor + } + + foreach ($groupUser in $results) { + $svcUsers += $groupUser.userInfoList.id + + } + + #Check to see if anymore pages of results + $pageObj = $userObj.page + if ($null -ne $pageObj.curor) { + $more = $true + $cursor = $pageObj.curor + } else { + $more =$false + } + } + + + Write-Log -ErrorLevel 0 -Message "Sueccessfully found $($svcUsers.Count) Service Accounts" + + + } + + } +} +catch { + $Err = $_ + Write-Log -ErrorLevel 
0 -Message "Failed to retrieve admin User List" + Write-Log -ErrorLevel 2 -Message $Err.Exception + throw $Err.Exception + } + return $svcUsers +} + + function isSvcAccount{ + param( + [Parameter(Mandatory,ValueFromPipeline)] + [string]$userId + + + ) + + try + { + + + foreach ($svcAcctUser in $global:svcAccountUsers) + { + if($svcAcctUser -eq $userId) + { + $isSvcAcct = $true + return $isSvcAcct + } + else + { + $isSvcAcct = $false + } + + } + } + catch + { + $Err = $_ + Write-Log -ErrorLevel 0 -Message "Check if Service Acct Failed" + Write-Log -ErrorLevel 2 -Message $Err.Exception + throw $Err.Exception <#Do this if a terminating exception happens#> + } + + Return $isSvcAcct +} +#endregion + +#region Base URIs + #Create Headers + try { + + $headers = @{ + "Authorization" = "Bearer $accessToken" + #"Accept" = "application/json, application/xml" + #"Content-Type" = "application/json, application/xml" + } + + Write-Log -Errorlevel 0 -Message "Obtaining List of URIs" + # Get Base URIs + + + # Specify endpoint uri for Users + $uri = "$baseUrl/$api/baseUris" + + # Specify HTTP method + $method = "get" + + # Send HTTP request + $baseUris = Invoke-RestMethod -Headers $headers -Method $method -Uri $uri +} + +catch { + $Err = $_ + Write-Log -ErrorLevel 0 -Message "Failed to retrieve baseUris" + Write-Log -ErrorLevel 2 -Message $Err.Exception + throw $Err.Exception +} +#endregion + +$tenantUrl = $baseUris.webAccessPoint + +#region Build User List +Write-Log -Errorlevel 0 -Message "Obtaining List of Users" +$userObj = RetrieveUsers + +$usersList = $userObj.userInfoList +foreach ($user in $usersList) { + $object = New-Object -TypeName PSObject + $object | Add-Member -MemberType NoteProperty -Name tenant-url -Value $tenantUrl + $object | Add-Member -MemberType NoteProperty -Name Username -Value $user.email + $object | Add-Member -MemberType NoteProperty -Name id -Value $user.id + $object | Add-Member -MemberType NoteProperty -Name admin -Value $user.isAccountAdmin + 
$userDetailobj = RetrieveUserDetail($user.id) + $object | Add-Member -MemberType NoteProperty -Name accountType -Value $userDetailobj.accountType + $object | Add-Member -MemberType NoteProperty -Name status -Value $userDetailobj.status + [void] $users.add($object) + +} +$pageObj = $userObj.page +while ($null -ne $pageObj.nextCursor) { + $userObj = RetrieveUsers($pageObj.nextCursor) + + $usersList = $userObj.userInfoList + foreach ($user in $usersList) { + $object = New-Object -TypeName PSObject + $object | Add-Member -MemberType NoteProperty -Name tenant-url -Value $tenantUrl + $object | Add-Member -MemberType NoteProperty -Name Username -Value $user.email + $object | Add-Member -MemberType NoteProperty -Name id -Value $user.id + $object | Add-Member -MemberType NoteProperty -Name admin -Value $user.isAccountAdmin + $userDetailobj = RetrieveUserDetail($user.id) + $object | Add-Member -MemberType NoteProperty -Name accountType -Value $userDetailobj.accountType + $object | Add-Member -MemberType NoteProperty -Name status -Value $userDetailobj.status + [void] $users.add($object) + } + $pageObj = $userObj.page + +} + +#end region + + +#region Main Process +<# + if Discovery Mode is set to default, only retreive local administrators will be run +#> + +$adminAccounts = New-Object System.Collections.ArrayList +$adminuser = New-Object -TypeName PSObject + +try { + #region Find Account Admins + + if($DiscoveryMode -eq "Advanced"){ + $global:svcAccountUsers = get-svcAccountUsers + } + $adminUsers = $users.Clone() + foreach ($adminuser in $adminUsers) { + $isFound = $false + $adminuser = $adminuser.PSObject.Copy() + if (($true -eq $sAMLEnabled) -and ($adminuser.admin -eq $true) -and ($adminuser.status -ne "INACTIVE") ) { + Write-Log -ErrorLevel 3 -Message "Adding Admin Account - $($adminuser.email)" + if($DiscoveryMode -eq "Advanced") { + $adminuser | Add-Member -MemberType NoteProperty -Name Account-Admin -Value $true + $adminuser | Add-Member -MemberType NoteProperty -Name 
Local-Account -Value $true + } + $isFound = $true + } elseif ($false -eq $sAMLEnabled) { + if($DiscoveryMode -eq "Advanced"){ + $adminuser | Add-Member -MemberType NoteProperty -Name Account-Admin -Value $false + $adminuser | Add-Member -MemberType NoteProperty -Name Local-Account -Value $true + } + $isFound = $true + } else { + if($DiscoveryMode -eq "Advanced"){ + $adminuser | Add-Member -MemberType NoteProperty -Name Account-Admin -Value $false + $adminuser | Add-Member -MemberType NoteProperty -Name Local-Account -Value $false + } + } + + #region Advanced Discovery + if($DiscoveryMode -eq "Advanced"){ + $isSvcAccount = isSvcAccount -userId $adminuser.id + if ($true -eq $isSvcAccount) { + $adminuser | Add-Member -MemberType NoteProperty -Name Service-Account -Value $true + $isFound = $true + } else { + $adminuser | Add-Member -MemberType NoteProperty -Name Service-Account -Value $false + } + } + + if ($true -eq $isFound) { + $adminuser.PSObject.Properties.Remove("id") + $adminuser.PSObject.Properties.Remove("admin") + $adminuser.PSObject.Properties.Remove("accountType") + $adminuser.PSObject.Properties.Remove("status") + [void] $adminAccounts.Add($adminuser) + } + } + +} +catch { + $Err = $_ + Write-Log -ErrorLevel 0 -Message "Account Discovery-Filtering failed" + Write-Log -ErrorLevel 2 -Message $Err.Exception + throw $Err.Exception +} +#endregion Main Process +return $adminAccounts + + diff --git a/Scripts/SecretServer/AdobeSign/Discovery/readme.md b/Scripts/SecretServer/AdobeSign/Discovery/readme.md new file mode 100644 index 0000000..253ee80 --- /dev/null +++ b/Scripts/SecretServer/AdobeSign/Discovery/readme.md 
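Review bot: The first line of the script hard-codes `$args` to an array holding what appears to be a live Adobe Sign integration key and a tenant group id, which both commits a bearer credential to the repository and overrides the arguments Secret Server passes in, so the access-token stored in the secret is never used; that key should be revoked, the line deleted, and the second `$LogFile = "C:\temp\AdobeSign-Discovery.log"` debug override removed so the log stays under the Distributed Engine log directory. Because the token is sent as an `Authorization: Bearer` header to whatever `$baseURL` the secret supplies, guard the scheme before the baseUris request, e.g. `if ($baseURL -notmatch '^https://') { throw "tenant-url must use https" }` — the hard-coded example `api.na1.adobesign.com` has no scheme and would fail that first call anyway. In `get-svcAccountUsers` the paging check reads `$pageObj = $userObj.page` and `$pageObj.curor`, but `$userObj` is not set in that function (it resolves to the script-scope user page left by the last `RetrieveUsers` call) and `curor` is presumably a typo for the `nextCursor` the user-list loop uses, so only the first `$pageSize` group members are ever classified as service accounts; it should read `$pageObj = $results.page` and test `$pageObj.nextCursor`. Likewise `$svcGroupNames.split(",").split("=")[1]` yields only the first group's id although the readme advertises a comma-separated list, and the `-ne "INACTIVE"` status filter is applied only in the SAML-enabled branch, so inactive users are imported as local accounts when SAML is disabled.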
@@ -0,0 +1,258 @@ +# Adobe Acrobat Sign Account Discovery + + + +## Create Discovery Source + + + +### Create Adobe Sign Scan Template + + + +- Log in to Secret Server Tenant + +- Navigate to **ADMIN** > **Discovery** > **Configuration** > **Scanner Definition** > **Scan Templates** + +- Click **Create Scan Template** + +- Fill out the required fields with the information + +- **Name:** (Example: Adobe Sign Tenant) + +- **Active:** (Checked) + +- **Scan Type:** Host + +- **Parent Scan Template:** Host Range + +- **Fields** + +- Change HostRange to **tenant-url** + +- Click Save + +- This completes the creation of the Adobe Sign Scan Template Creation + + + +### Create Account Scan Template + + + +- Log in to Secret Server Tenant + +- Navigate to **ADMIN** > **Discovery** > **Configuration** > **Scanner Definition** > **Scan Templates** + +- Click **Create Scan Template** + +- Fill out the required fields with the information + +- **Name:** (Example: Adobe Sign Account) + +- **Active:** (Checked) + +- **Scan Type:** Account + +- **Parent Scan Template:** Account(Basic) + +- **Fields** + +- Change Resource to **tenant-url** + +- Add field: Account-Admin (Leave Parent and Include in Match Blank) + +- Add field: Local-Admin (Leave Parent and Include in Match Blank) + +- Add field: Group-Admin (Leave Parent and Include in Match Blank) + +- Add field: Service-Account (Leave parent and Include in Match Blank) + +- Click Save + +- This completes the creation of the Account Scan Template Creation + +### Create Discovery Script + + + +- Log in to Secret Server Tenant + +- Navigate to**ADMIN** > **Scripts** + +- Click on **Create Script** + +- Fill out the required fields with the information from the application registration + +- Name: ( example Adobe Sign Account Scanner) + +- Description: (Enter something meaningful to your Organization) + +- Active: (Checked) + +- Script Type: Powershell + +- Category: Discovery Scanner + +- Merge Fields: Leave Blank + +- Script: Copy and 
paste the Script included in the file [AdobeSign Discovery.ps1](./AdobeSign%20Discovery.ps1) + +- Click Save + +- This completes the creation of the Account Discovery Script + + + +### Create Adobe Sign Tenant Scanner + + + +- Log in to Secret Server Tenant + +- Navigate to **ADMIN** > **Discovery** > **Configuration** > + +- Click **Discovery Configuration Options** > **Scanner Definitions** > **Scanners** + +- Click **Create Scanner** + +- Fill out the required fields with the information + +- **Name:** > Adobe Sign Tenant Scanner + +- **Description:** (Example - Base scanner used to discover Adobe Sign) + +- **Discovery Type:** Host + +- **Base Scanner:** Manual Input Discovery + +- **Input Template**: Discovery Source + +- **Output Template:**: Adobe Sign Tenant (Use Temaplte that Was Created in the [Adobe Sign Scan Template Section](#create-adobe-sign-scan-template)) + +- Click Save + +- This completes the creation of the Adobe Sign Tenant Scanner + + + +### Create Adobe Sign Account Scanner + + + +- Log in to Secret Server Tenant + +- Navigate to **ADMIN** > **Discovery** > **Configuration** > + +- Click **Discovery Configuration Options** > **Scanner Definitions** > **Scanners** + +- Click **Create Scanner** + +- Fill out the required fields with the information + +- **Name:** (Example - Adobe Sign Account Scanner) + +- **Description:** (Example - Discovers Adobe Sign accounts according to configured privileged account template ) + +- **Discovery Type:** Accounts + +- **Base Scanner:** PowerShell Discovery Create Discovery Script + +- **Allow OU Import**: Yes + +- **Input Template**: Adobe Sign Tenant (Use Temaplte that Was Created in the [Adobe Sign Scan Template Section](#create-saas-scan-template)) + +- **Output Template:**: Adobe Sign Account (Use Template that Was Created in the [Create Account Scan Template Section](#create-account-scan-template)) + +- **Script:** Adobe Sign Account Scanner (Use Script Created in the [Create Discovery Script 
Section](#create-discovery-script)) + +- **Script Arguments:** + +```PowerShell + +$[1]$search-mode $[1]$tenant-url $[1]$access-token $[1]$saml-enabled $[1]$service-account-group + +``` + +- Click Save + +- This completes the creation of the Adobe Sign Account Scanner + + + +### Create Discovery Source + + + +- Navigate to **Admin | Discovery | Discovery Sources** + +- Click **Create** drop-down + +- Click **Empty Discovery Source** + +-Enter the Values below + +- **Name:** (example: Adobe Sign Test Tenant) + +- **Site** (Select Site Where Discovery will run) + +- **Source Type** Empty + +- Click Save + +- Click Cancel on the Add Flow Screen + +- Click **Add Scanner** + +- Find the SaaS Tenant Scanner or the Scanner Created in the [Create Adobe Sign Tenant Scanner Section](#create-abode-sign-tenant-scanner) and Click **Add Scanner** + +- Select the Scanner just Ceated and Click **Edit Scanner** + +- In the **lines Parse Format** Section Enter the Source Name (example: Adobe Sign Test Tenant) + +- Click **Save** + + + +- Click **Add Scanner** + +- Find the Adobe Sign Account Scanner or the Scanner Creatted in the [Create ServiceNow Account Scanner Section](#create-adobe-sign-account-scanner) and Click **Add Scanner** + +- Select the Scanner just Ceated and Click **Edit Scanner** + +- Click **Edit Scanner** + +- Click the **Add Secret** Link + +- Search for the Privoleged Account Secret created in the [Overview.md file](../Overview.md) + +- Check the Use Site Run As Secret Check box to enable it + +**Note Default Site run as Secret has to be setup in the Site configuration if not already configured. 
+ +See the [Setting the Default PowerShell Credential for a Site](https://docs.delinea.com/online-help/secret-server/authentication/secret-based-credentials-for-scripts/index.htm?Highlight=site) Section in the Delinea Documentation + +- Click Save + +- Click on the Discovery Source yab and Click the Active check box + +- This completes the creation of theDiscovery Source + + + + +### Next Steps + + + +The ServiceNow configuration is now complete. The next step is to run a manual discovery scan. + +- Navigate to **Admin | Discovery** + +- Click the **Run Discovery Noe** (Dropdon) and select **Run Discovery Now** + +- Click on the **Network view** Button in the upper right corner + +- Click on the newly created discovery source + +- Click the **Domain \ Cloud Accounts** yab to view the discovered accounts \ No newline at end of file diff --git a/Scripts/SecretServer/AdobeSign/Instructions.md b/Scripts/SecretServer/AdobeSign/Instructions.md new file mode 100644 index 0000000..e40c672 --- /dev/null +++ b/Scripts/SecretServer/AdobeSign/Instructions.md 
@@ -0,0 +1,137 @@ +Adobe Acrobat Sign Connector base configuration + + + +This connector provides the following functions + + + +- Discovery of Local Accounts +- Discovery of Account Admin Accounts +- Discovery of Service Accounts + + + +Follow the Steps below to complete the base setup for the Connector. + + + +## Prepare Authentication + + + +## Adobe Sign Integration Key + + + +This connector utilizes Adobe Sign integration key to authenticate API calls. + + + +Follow the instruction to create and Integration Key. + + + +[here] (https://helpx.adobe.com/sign/kb/how-to-create-an-integration-key.html) + +​ + +### Prerequisites + + + +- Access to a Adobe Sign instance with administrative privileges. + +- A generated Adobe Sign Integration Key + + + +## Creating secret template for Adobe Sign Accounts + + + +### Adobe Sign User Account Template + + + +The following steps are required to create the Secret Template for ServiceNow Users: + + + +- Log in to the Delinea Secret Server (If you have not already done so) + +- Navigate to Admin / Secret Templates + +- Click on Create / Import Template + +- Click on Import. + +- Copy and Paste the XML in the [Adobe Sign Account.xml File](./Templates/Adobe%20Sign%20Account.xml) + +- Click on Save + +- This completes the creation of the User Account template + + + +### Adobe Sign Integration Key Template + + + +The following steps are required to create the Secret Template for Adobe Sign Integration Key: + + + +- Log in to the Delinea Secret Server (If you have not already done so) + +- Navigate to Admin / Secret Templates + +- Click on Create / Import Template + +- Click on Import. 
+ +- Copy and Paste the XML in the [Adobe Sign Integration Key.xml File](./Templates/Adobe%20Sign%20Integration%20Key.xml) + +- Click on Save + +- This completes the creation of the Integration Key template + + + + +## Create Secret in Secret Server for the Adobe Sign Privileged Account + +- Log in to the Delinea Secret Server (If you have not already done so) + +- Navigate to Secrets + +- Click on Create Secret + +- Select the template created in the earlier step [Above](#adobe-sign-integration-key-template). + +- Fill out the required fields with the information from the application registration + +- Secret Name (for example Adboe Sign API Account ) + +- tenant-url (Adobe Sign base url with no training slash ex. https://api.na1.adobesign.com) + +- Search Mode (Default mode searches for Account Admin & Local Accounts. Advanced Mode searches for Service Account as well as Account Admin and Local Accounts) + +- SAML-Enabled (True or False value if SAML is enabled in your Adobe Sign instance. When SAML is disabled all accounts are Local Accounts. When SAML is enabled only the Accounts with the role of Account Admin will be Local Accounts.) + +- Service-Group (Add a comma separated group name/Group id key value pair what contains Service Accounts) +Example: + - ServiceAccounts=CBJCHBCAABAADKXZhgzxczxxczdXp9KbAFLPdSF4Qm + - ServiceAccounts=CBJCHBCAABAADKXZhgzxczxxczdXp9KbAFLPdSF4Qm ,ServiceAccounts2=AADKXZhgzxczxxczdXp9KbAFLPdSF4 + +- Click Create Secret + +- This completes the creation of a secret in Secret Server for the Adobe Sign Privilaged Account + + + +## Next Steps + + + +Once the tasks above are completed you can now proceed to create a [Discovery Scanner](./Discovery/readme.md) \ No newline at end of file diff --git a/Scripts/SecretServer/AdobeSign/RemotePasswordChanger/Adobe Sign Heartbeat Placeholder.ps1 b/Scripts/SecretServer/AdobeSign/RemotePasswordChanger/Adobe Sign Heartbeat Placeholder.ps1 new file mode 100644 index 0000000..6d92385 --- /dev/null 
+++ b/Scripts/SecretServer/AdobeSign/RemotePasswordChanger/Adobe Sign Heartbeat Placeholder.ps1
@@ -0,0 +1 @@
+return $true
\ No newline at end of file
diff --git a/Scripts/SecretServer/AdobeSign/RemotePasswordChanger/Adobe Sign RPC Placeholder.ps1 b/Scripts/SecretServer/AdobeSign/RemotePasswordChanger/Adobe Sign RPC Placeholder.ps1
new file mode 100644
index 0000000..8d63ae9
--- /dev/null
+++ b/Scripts/SecretServer/AdobeSign/RemotePasswordChanger/Adobe Sign RPC Placeholder.ps1
@@ -0,0 +1 @@
+return $true
\ No newline at end of file
diff --git a/Scripts/SecretServer/AdobeSign/RemotePasswordChanger/readme.md b/Scripts/SecretServer/AdobeSign/RemotePasswordChanger/readme.md
new file mode 100644
index 0000000..093a7b8
--- /dev/null
+++ b/Scripts/SecretServer/AdobeSign/RemotePasswordChanger/readme.md
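Review bot: Both placeholder scripts return `$true` unconditionally, so once these are wired up as the heartbeat and password changer, Secret Server will report every imported Adobe Sign secret as verified and every rotation as successful without ever contacting the tenant, and a revoked or rotated account will never be flagged. The RemotePasswordChanger readme discloses this, but the scripts themselves carry no warning, and a one-line file is easy to copy into a real changer later. Add a header comment to each, e.g. `# Placeholder only: Adobe Sign exposes no verification/rotation API for user accounts; this always reports success and must not be treated as a real heartbeat or RPC result.`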
@@ -0,0 +1,105 @@ +# Adobe Sign Remote Password changer + +The steps below show how to Set up and configure a Adobe Sign Remote Password Changer. + +If you have not already done, so, please follow the steps in the **Instructions.md Document** found [Here](../Instructions.md) + +## Disclaimer +**Currently, Adobe Sign does not support remote password changing for user accounts. The scripts provided here are placeholders to enable the functionality within and for Discovery.** + +## Create Scripts + +### Remote Password Changer Script + +- Log in to Secret Server Tenant +- Navigate to **ADMIN** > **Scripts** +- Click on **Create Script** +- Fill out the required fields + - **Name**: ( example Adobe Sign Remote Password Changer) + - **Description**: (Enter something meaningful to your Organization) + - **Active** (Checked) + - **Script Type**: Powershell + - **Category**: Password Changing + - **Merge Fields**: Leave Blank + - **Script**: Copy and paste the Script included in the file [Adobe Sign RPC Placeholder.ps1](./Adobe%20Sign%20RPC%20Placeholder.ps1) + - Click Save + - This completes the creation of the Remote Password Changing Script + +### Heartbeat Script + +- Log in to Secret Server Tenant +- Navigate to **ADMIN** > **Scripts** +- Click on **Create Script** +- Fill out the required fields + - **Name**: ( example Adobe Sign Heartbeat) + - **Description**: (Enter something meaningful to your Organization) + - **Active** (Checked) + - **Script Type**: Powershell + - **Category**: Heartbeat + - **Merge Fields**: Leave Blank + - **Script**: Copy and paste the Script included in the file [Adobe Sign Heartbeat Placeholder.ps1](./Adobe%20Sign%20Heartbeat%20Placeholder.ps1) + - Click Save + - This completes the creation of the Adobe Sign Heartbeat Script + +## Create Password Changer + +- Log in to Secret Server Tenant (if not alreday logged in) +- Navigate to **ADMIN** > **Remote Password Changing** +- Click on Options (Dropdown List) and select ***Configure Password 
Changers** +- Click on Create Password Changer +- Click on **Base Password Changer** (Dropdown List) and Select PowerShell Script +- Enter a Name (Example - Adobe Sign Remote Password Changer ) +- Click Save + - Under the **Verify Password Changed Commands** section, Enter the following information: + - **PowerShell Script** (DropdownList) Select PowerShell Script or the Script that was Creted in the [Heartbeat](#heartbeat-script) Section + - **Script Args**: + ``` ``` + - Click **Save** + +- Under the **Password Change Commands** Section, Enter the following information: + - **PowerShell Script** (DropdownList) Select PowerShell Script or the Script that was Creted in the [remote-password-changer-script](#remote-password-changer-script) Section + - **Script Args**: + ``` ``` +- Click **Save** +- This completes the creation of the Remote Password Changer + +## Update Adobe Sign User template + +- Log in to Secret Server Tenant (if not alreday logged in) +- Navigate to **ADMIN** > **Secret Templates** +- Find and Select the Adobe Sign User Template created in the [Instructions.md Document](../Instructions.md) + - Select the **Mapping** Tab + - In the **Password Changing** section, click edit and fill out the following + - **Enable RPC** Checked + - **RPC Max Attempts** 12 + - **RPC Interval Hours** 8 + - **Enable Heartbeat** Checked + - **Heartbeat Interval Hours** 4 + - **Password Type to use** Select **Adobe Sign Remote Password Changer** or the Password Changer created in the [Create Password Changer Section](#create-password-changer) +- In the **Password Type Fields** Section, fill out the following + - **Domain** workspace-url + - **Password** Password + - **Username** Username +- Click Save +- This completes the Update Adobe Sign User template section + +## Update Remote Password Changer + +- Log in to Secret Server Tenant (if not alreday logged in) +- Navigate to **ADMIN** > **Remote Password Changing** +- Click on Options (Dropdown List) and select 
**Configure Password Changers** +- Select the Adobe Sign Remote Password Changer or the Password Changer created in the [create-password-changer](#create-password-changer) section +- Click **Configure Scan Template at the bottom of the page** +- Click Edit +- Click the **Scan Template to use** (Dropdown List) Select the Adobe Sign User template created in the [Instructions.md Document](../Instructions.md) +- Map the following fields that appear after the selection + - **workspace-url** -> Domain + - **Username** -> username + - **Password** -> password + - Leave all other fields blank +- Click Save +- This completes the Update Remote Password Changer section + + + + diff --git a/Scripts/SecretServer/AdobeSign/Templates/Adobe Sign Account.xml b/Scripts/SecretServer/AdobeSign/Templates/Adobe Sign Account.xml new file mode 100644 index 0000000..2361341 --- /dev/null +++ b/Scripts/SecretServer/AdobeSign/Templates/Adobe Sign Account.xml 
@@ -0,0 +1,130 @@ + +Adobe Sign Account +true + + +Tenant-url +Tenant-url +Tenant-url +true +false +false +false + +false + +-1 +2147483647 +false +2 +false +tenant-url +false + + +email +The name associated with the password. +email +true +false +false +false + +false + +-1 +2147483647 +false +2 +false +email +false + + +Password +The password used to access Information +Password +true +false +true +false + +false + +-1 +2147483647 +false +2 +false +password +false + + +Account-Admin +Determines if the User is a Account Admin as per the discovery Criteria +Account-Admin +true +false +false +false + +false + +-1 +2147483647 +false +2 +false +account-admin +false + + +Group-Admin +This indicates if the account is a group admin account as determined by the Discovery Criteria +Group-Admin +true +false +false +false + +false + +-1 +2147483647 +false +2 +false +group-admin +false + + +Service-Account +Determines if the User is a Service Account per the Discovery criteria +Service-Account +true +false +false +false + +false + +-1 +2147483647 +false +2 +false +service-account +false + + +30 +0 +fa-cogs + + + + +false +false + + \ No newline at end of file diff --git a/Scripts/SecretServer/AdobeSign/Templates/Adobe Sign Integration Key.xml b/Scripts/SecretServer/AdobeSign/Templates/Adobe Sign Integration Key.xml new file mode 100644 index 0000000..48739e3 --- /dev/null +++ b/Scripts/SecretServer/AdobeSign/Templates/Adobe Sign Integration Key.xml 
@@ -0,0 +1,112 @@ + + + Adobe Sign Integration Key + true + + + Tenant Url + + Tenant Url + true + false + false + false + + false + + -1 + 2147483647 + false + 2 + false + tenant-url + false + + + Access Token + + Access Token + true + false + true + false + + false + + -1 + 2147483647 + false + 2 + false + access-token + false + + + Search Mode + "Advanaced" value searchs for Group Administrators and Service Accounts + Search Mode + true + false + false + false + + false + + -1 + 2147483647 + false + 2 + false + search-mode + false + + + SAML-Enabled + Local Accounts get determined based on whether or not SAML is enabled + SAML-Enabled + true + false + false + false + + false + + -1 + 2147483647 + false + 2 + false + saml-enabled + false + + + Service Account Group + Name of Service Accounts Group. Only used if Search Mode is set to Advanced + Service Account Group + true + false + false + false + + false + + -1 + 2147483647 + false + 2 + false + service-account-group + false + + + 90 + 0 + fa-cogs + + + + + false + false + + \ No newline at end of file diff --git a/Scripts/SecretServer/AdobeSign/Templates/readme.md b/Scripts/SecretServer/AdobeSign/Templates/readme.md new file mode 100644 index 0000000..e69de29 diff --git a/Scripts/SecretServer/AdobeSign/readme.md b/Scripts/SecretServer/AdobeSign/readme.md new file mode 100644 index 0000000..ceb813c --- /dev/null +++ b/Scripts/SecretServer/AdobeSign/readme.md 
@@ -0,0 +1,23 @@
+# Adobe Acrobat Sign Delinea Secret Server Integration
+
+
+
+This package is designed to discover Adobe Acrobat Sign Accounts. It will provide detailed instructions and the necessary Scripts to perform these functions. Before beginning to implement any of the specific processes it is a requirement to perform the tasks contained in the instructions.md document which can be found [Here](./Instructions.md)
+
+
+
+## Functionality
+
+
+
+- Discovery of Local accounts including the ability to determine Admin, Service and Local accounts (in Advanced Mode)
+
+
+
+NOTE - Adobe Sign does not support Remote Password changing or Heartbeat. There is a placeholder script along with instructions that can be used to create a "Place holder/Mock" password changer that will allow the importing of discovered accounts.
+
+# Disclaimer
+
+
+
+The provided scripts are for informational purposes only and are not intended to be used for any production or commercial purposes. You are responsible for ensuring that the scripts are compatible with your system and that you have the necessary permissions to run them. The provided scripts are not guaranteed to be error-free or to function as intended. The end user is responsible for testing the scripts thoroughly before using them in any environment. The authors of the scripts are not responsible for any damages or losses that may result from the use of the scripts. The end user agrees to use the provided scripts at their own risk. Please note that the provided scripts may be subject to change without notice.
\ No newline at end of file
From 9ed31b7587db1ef546b151747e508d0035dc554f Mon Sep 17 00:00:00 2001 From: Rick Roca Date: Tue, 16 Jan 2024 14:45:53 -0500 Subject: [PATCH 2/2] Add Report section to Discovery --- .../AWS/AWS-IAM Users/Discovery/readme.md | 320 ++++++++++++++---- 1 file changed, 250 insertions(+), 70 deletions(-)
diff --git a/Scripts/SecretServer/AWS/AWS-IAM Users/Discovery/readme.md b/Scripts/SecretServer/AWS/AWS-IAM Users/Discovery/readme.md index 812399a..fc4aeee 100644 --- a/Scripts/SecretServer/AWS/AWS-IAM Users/Discovery/readme.md +++ b/Scripts/SecretServer/AWS/AWS-IAM Users/Discovery/readme.md 
@@ -1,134 +1,314 @@ # AWS IAM User Discovery + Add Disclaimer + ## Create Discovery Source + + This scanner can help perform an Scan for Windows Systems based off an IP address range. + + ### Create AWS Tenant Scan Template + + - Log in to Secret Server Tenant -- Navigate to **ADMIN** > **Discovery** > **Configuration** > **Scanner Definition** > **Scan Templates** + +- Navigate to **ADMIN** > **Discovery** > **Configuration** > **Scanner Definition** > **Scan Templates** + - Click **Create Scan Template** + - Fill out the required fields with the information - - **Nmae:** (Evxample: AWS Tenant) - - **Active:** (Checked) - - **Scan Type:** Host - - **Parent Scan Template:** Host Range - - **Fields** - - Change HostRange to **tenant-url** - - Click Save - - This completes the creation of the Saas Scan Template Creation - + +- **Nmae:** (Evxample: AWS Tenant) + +- **Active:** (Checked) + +- **Scan Type:** Host + +- **Parent Scan Template:** Host Range + +- **Fields** + +- Change HostRange to **tenant-url** + +- Click Save + +- This completes the creation of the Saas Scan Template Creation + + ### Create Account Scan Template + + - Log in to Secret Server Tenant -- Navigate to **ADMIN** > **Discovery** > **Configuration** > **Scanner Definition** > **Scan Templates** + +- Navigate to **ADMIN** > **Discovery** > **Configuration** > **Scanner Definition** > **Scan Templates** + - Click **Create Scan Template** + - Fill out the required fields with the information - - **Nmae:** (Evxample: AWS IAM User) - - **Active:** (Checked) - - **Scan Type:** Account - - **Parent Scan Template:** Account(Basic) - - **Fields** - - Change Resource to **tenant-url** - - Add field: Admin-Account (Leave Parent and Include in Match Blank) - - Add field: Service-Account (Leave Parent and Include in Match Blank) - - Add field: Local-Account (Leave Parent and Include in Match Blank) - - Click Save - - This completes the creation of the Account Scan Template Creation - + +- **Nmae:** 
(Evxample: AWS IAM User) + +- **Active:** (Checked) + +- **Scan Type:** Account + +- **Parent Scan Template:** Account(Basic) + +- **Fields** + +- Change Resource to **tenant-url** + +- Add field: Admin-Account (Leave Parent and Include in Match Blank) + +- Add field: Service-Account (Leave Parent and Include in Match Blank) + +- Add field: Local-Account (Leave Parent and Include in Match Blank) + +- Click Save + +- This completes the creation of the Account Scan Template Creation + ### Create Discovery Script + + - Log in to Secret Server Tenant + - Navigate to**ADMIN** > **Scripts** + - Click on **Create Script** + - Fill out the required fields with the information from the application registration - - Name: ( example -AWS IAM User Scaner) - - Description: (Enter something meaningful to your Orgabization) - - Active: (Checked) - - Script Type: Powershell - - Category: Discovery Scanner - - Merge Fields: Leave Blanck - - Script: Copy and paste the Script included in the file [AWS IAM User Discovery.ps2](./AWS%20IAM%20User%20Discovery.ps1) - - Click Save - - This completes the creation of the Local Account Discovery Script + +- Name: ( example -AWS IAM User Scaner) + +- Description: (Enter something meaningful to your Orgabization) + +- Active: (Checked) + +- Script Type: Powershell + +- Category: Discovery Scanner + +- Merge Fields: Leave Blanck + +- Script: Copy and paste the Script included in the file [AWS IAM User Discovery.ps2](./AWS%20IAM%20User%20Discovery.ps1) + +- Click Save + +- This completes the creation of the Local Account Discovery Script + + ### Create AWS Tenant Scanner + + - Log in to Secret Server Tenant -- Navigate to **ADMIN** > **Discovery** > **Configuration** > - - Click **Discovery Configuration Options** > **Scanner Definitions** > **Scanners** - - Click **Create Scanner** - - Fill out the required fields with the information - - **Name:** > AWS Tenant Scanner - - **Description:** (Example - Base scanner used to discover SaaS 
applications) - - **Discovery Type:** Host - - **Base Scanner:** Host - - **Input Template**: Manual Input Discovery - - **Output Template:**: AWS Tenant (Use Temaplte that Was Created in the [SaaS Scan Template Section](#create-aws-tenant-scan-template - - Click Save - - This completes the creation of the AWS Tenant Scanner + +- Navigate to **ADMIN** > **Discovery** > **Configuration** > + +- Click **Discovery Configuration Options** > **Scanner Definitions** > **Scanners** + +- Click **Create Scanner** + +- Fill out the required fields with the information + +- **Name:** > AWS Tenant Scanner + +- **Description:** (Example - Base scanner used to discover SaaS applications) + +- **Discovery Type:** Host + +- **Base Scanner:** Host + +- **Input Template**: Manual Input Discovery + +- **Output Template:**: AWS Tenant (Use Temaplte that Was Created in the [SaaS Scan Template Section](#create-aws-tenant-scan-template + +- Click Save + +- This completes the creation of the AWS Tenant Scanner + + ### Create AWS IAM User Scanner + + - Log in to Secret Server Tenant -- Navigate to **ADMIN** > **Discovery** > **Configuration** > - - Click **Discovery Configuration Options** > **Scanner Definitions** > **Scanners** - - Click **Create Scanner** - - Fill out the required fields with the information - - **Name:** (Example - AWS IAM User Scanner) - - **Description:** (Example - Discovers AWS IAM Users according to configured privileged account template ) - - **Discovery Type:** Account - - **Base Scanner:** PowerShell Discovery Create Discovery Script - - **Input Template**: AWS Tenant (Use Temaplte that Was Created in the [AWS Tenant Scan Template Section](#create-aws-tenant-scan-template)) - - **Output Template:**: AWS IAM User (Use Temaplte that Was Created in the [AWS IAM Usert Scan Template Section](#create-account-scan-template)) - - **Script:** ServiceNow Local Account Scanner (Use Script Created in the [Create Discovery Script Section](#create-discovery-script)) - - 
**Script Arguments:** - ``` powershell - "IAMUser-Advanced" $[1]$AccessKey $[1]$SecretKey $[1]$Admin-Criteria $[1]$SVC-Account-Criteria - ``` - - Click Save - - This completes the creation of the ServiceNow Account Scanner + +- Navigate to **ADMIN** > **Discovery** > **Configuration** > + +- Click **Discovery Configuration Options** > **Scanner Definitions** > **Scanners** + +- Click **Create Scanner** + +- Fill out the required fields with the information + +- **Name:** (Example - AWS IAM User Scanner) + +- **Description:** (Example - Discovers AWS IAM Users according to configured privileged account template ) + +- **Discovery Type:** Account + +- **Base Scanner:** PowerShell Discovery Create Discovery Script + +- **Input Template**: AWS Tenant (Use Temaplte that Was Created in the [AWS Tenant Scan Template Section](#create-aws-tenant-scan-template)) + +- **Output Template:**: AWS IAM User (Use Temaplte that Was Created in the [AWS IAM Usert Scan Template Section](#create-account-scan-template)) + +- **Script:** ServiceNow Local Account Scanner (Use Script Created in the [Create Discovery Script Section](#create-discovery-script)) + +- **Script Arguments:** + +``` powershell + +"IAMUser-Advanced" $[1]$AccessKey $[1]$SecretKey $[1]$Admin-Criteria $[1]$SVC-Account-Criteria + +``` + +- Click Save + +- This completes the creation of the ServiceNow Account Scanner + + ### Create Discovery Source + + - Navigate to **Admin | Discovery | Configuration** + - Click **Create** drop-down + - Click **Empty Discovery Source** + -Enter the Values below - - **Name:** (example: AWS Tenant) - - **Site** (Select Site Where Discovery will run) - - **Source Type** Empty + +- **Name:** (example: AWS Tenant) + +- **Site** (Select Site Where Discovery will run) + +- **Source Type** Empty + - Click Save + - Click Cancel on the Add Flow Screen + - Click **Add Scanner** + - Find the AWS Tenant Scanner or the Scanner Creatted in the [Create AWS Tenant Scanner 
Section](#create-aws-tenant-scanner) and Click **Add Scanner** + - Select the Scanner just Ceated and Click **Edit Scanner** + - In the **lines Parse Format** Section Enter the Source Name (example: AWS Tenant) + - Click **Save** + + - Click **Add Scanner** -- Find the ServiceNow Local Account Scanner or the Scanner Creatted in the [Create SWS IAM User Scanner Section](#create-aws-iam-user-scanner) and Click **Add Scanner** + +- Find the ServiceNow Local Account Scanner or the Scanner Creatted in the [Create SWS IAM User Scanner Section](#create-aws-iam-user-scanner) and Click **Add Scanner** + - Select the Scanner just Ceated and Click **Edit Scanner** + - Click **Edit Scanner** + - Click the **Add Secret** Link + - Search for the AWS Service Account Secret created in the [instructions.md file](../Instructions.md) + - Check the Use Site Run As Secret Check box to enable it - **Note Default Site run as Secret had to ne setup in the Site configuration. - See the [Setting the Default PowerShell Credential for a Site](https://docs.delinea.com/online-help/secret-server/authentication/secret-based-credentials-for-scripts/index.htm?Highlight=site) Section in the Delinea Documentation + +**Note Default Site run as Secret had to ne setup in the Site configuration. + +See the [Setting the Default PowerShell Credential for a Site](https://docs.delinea.com/online-help/secret-server/authentication/secret-based-credentials-for-scripts/index.htm?Highlight=site) Section in the Delinea Documentation + - Click Save + - Click on the Discovery Source yab and Click the Active check box + - This completes the creation of theDiscovery Source + + ### Next Steps - The AWS configuration is now complete. The next step is to run a manual discovery scan. -- Navigate to **Admin | Discovery** + + +The AWS configuration is now complete. The next step is to run a manual discovery scan. 
+ +- Navigate to **Admin | Discovery** + - Click the **Run Discovery Noe** (Dropdon) and select **Run Discovery Now** -- Click on **Network view** + +- Click on **Network view** + - Find the newly cretaed discocvery source and Users + + +## Optional Report + + + +In this section, There are instructions on how to create an optional report to display user information found in the discovery. + + + +- Login to Secret Server Tenant (If you have not already done so) + +- Navigate to the Reports module +- click on the New Report Button +- Fill in the following values: + - Name: The name of the Discovery Source you just Created in the [Create Discovery Source ](#create-discovery-source) Section + - Description: (Enter something meaningful to your organization) + - Category: Select the Section where you would like the report to appear (ex. Discovery Scan) + - Report SQL: Copy and Paste the SQL Query below + ***Note** " You must replace the WHERE d.DiscoverySourceId = 32 value with the Discovery Source ID of the Discovery source you are reporting on. 
You can find this by opening up the Discovery source and finding the ID in the URL + + +``` SQL + +SELECT + +d.[ComputerAccountId] + +,d.[CreatedDate] + +,d.[AccountName] AS [Username] + +,MIN(CASE JSON_VALUE([adata].[value],'$.Name') WHEN 'Tenant-url' THEN JSON_VALUE([adata].[value],'$.Value') END) AS [Domain] + +,MIN(CASE JSON_VALUE([adata].[value],'$.Name') WHEN 'Admin-Account' THEN JSON_VALUE([adata].[value],'$.Value') END) AS [Is Admin] + +,MIN(CASE JSON_VALUE([adata].[value],'$.Name') WHEN 'Service-Account' THEN JSON_VALUE([adata].[value],'$.Value') END) AS [Is Service Acount] + +,MIN(CASE JSON_VALUE([adata].[value],'$.Name') WHEN 'Local-Account' THEN JSON_VALUE([adata].[value],'$.Value') END) AS [Is Service Acount] + +FROM tbComputerAccount AS d + +CROSS APPLY OPENJSON (d.AdditionalData) AS adata + +INNER JOIN tbScanItemTemplate AS s ON s.ScanItemTemplateId = d.ScanItemTemplateId + +WHERE d.DiscoverySourceId = 32 + +GROUP BY d.ComputerAccountId, d.AccountName, d.CreatedDate + + + +``` +- Click Save +You will now find this report under the section you chose in the Category field. \ No newline at end of file
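Review bot: The last column of the report SQL reuses the alias of the one before it — the `Local-Account` CASE is labelled `AS [Is Service Acount]` exactly like the `Service-Account` CASE, so the report shows two identical headers and the local-account flag is effectively unlabelled; it should be `AS [Is Local Account]`, and the preceding alias should be spelled `AS [Is Service Account]`. The `INNER JOIN tbScanItemTemplate AS s` contributes no selected column and no predicate, so its only effect is to drop any tbComputerAccount row whose ScanItemTemplateId has no match; if that filtering is not intended, the join can be removed, and if it is intended the note should say so. The line `Add Disclaimer` added near the top of the file (first lines of this hunk) reads as an unfinished placeholder rather than content and should be replaced with the disclaimer text or removed before publishing.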