Welcome to the One Identity Safeguard for Privileged Sessions 6.0 Administrator Guide.
This document describes how to configure and manage the One Identity Safeguard for Privileged Sessions (SPS). Background information for the technology and concepts used by the product is also discussed.
Support for the Search (classic) interface is deprecated. One Identity recommends using the Search interface instead. For more information, see Using the Search interface.
In the Search interface, it is now possible to use the Alerts tab to view content policy alerts triggered in the session. For more information, see Viewing session details.
LDAP authentication settings have been enhanced and simplified. For more information, see Managing One Identity Safeguard for Privileged Sessions (SPS) users from an LDAP database.
It is now possible to search in the contents of the audit trails for trails of graphical sessions created and indexed with SPS 6.0. Also SPS does not store data for in-session search and you need to download the audit trail to search in the contents of the trail. For more information, see Searching in the contents of audit trails.
The documentation of the obsolete Search (classic) interface has been moved to an appendix. For the documentation of the Search interface, see Using the Search interface.
X.509 host certificates and DSA host keys are not supported in SSH and have been removed from the document.
It is now possible to run backup policies more than once a day. For more information, see Creating a backup policy using Rsync over SSH, Creating a backup policy using SMB/CIFS, and Creating a backup policy using NFS.
You can now export the search results into a comma-separated values (CSV) file from the Search page. For more information, see Using the Search interface.
You can now uniformly set the TLS security settings of HTTP, RDP, Telnet, and VNC connections, including the permitted ciphers and TLS versions on the <Protocol> Control > Settings pages.
To ensure the security of your sessions, SSL encryption is not supported anymore, only TLS 1.0 and later.
For more information, see Creating and editing protocol-level VNC settings, Creating and editing protocol-level RDP settings, Creating and editing protocol-level Telnet settings, and Creating and editing protocol-level HTTP settings.
The process of using core and boot firmware options when upgrading a high availability SPS cluster to a newer firmware version has been simplified. For more information, see Upgrading a high availability One Identity Safeguard for Privileged Sessions (SPS) cluster.
When using X.509 certificates to authenticate on the SPS web interface, SPS can now extract the name of the user from the UserPrincipalName field of the certificate. For more information, see Authenticating users with X.509 certificates.
It is now possible to assign users to access sessions only for connections for which they are granted permission. For more information, see Assigning search privileges.
It is now possible to use an external Signing CA plugin. For more information, see Signing certificates on-the-fly.
Session tags allow you to get basic information about the session and its contents at a glance. For more information, see Viewing session details.
Multiple administrators can access the SPS web interface simultaneously, but only one of them can modify the configuration. It is now possible for other administrators to continue as read-only. For more information, see Multiple users and locking.
It is now possible to add additional group-membership attributes using the Check the user DN in these groups options. For more information, see Authenticating users to an LDAP server.
SPS can now distinguish the audited HTTP requests and responses based on the session cookies of web applications. For details, see Creating and editing protocol-level HTTP settings.
SPS has been extended with the Splunk forwarder, which allows you to automatically send file-based data to Splunk.
Use the Splunk forwarder if you need to analyze or make changes to the data before you forward it, or you need to control where the data goes based on its contents. For more information, see Using the Splunk forwarder .
SPS has been extended with the universal SIEM forwarder, which allows you to automatically send file-based data to Splunk, ArcSight, or other third-party systems, in a format that your SIEM can understand.
Use the universal SIEM forwarder if you need a less resource-heavy solution. For more information, see Using the universal SIEM forwarder .
SPS can now be configured to check out passwords from the built-in or external credential stores, such as One Identity Safeguard for Privileged Passwords, and play them in during a connection using the TN3270 protocol.
The Basic Settings > Local Services > Required minimum version of encryption protocol option is removed as of One Identity Safeguard for Privileged Sessions ( SPS ) version 6.0.4 .
Regardless of the TLS version you configured previously, SPS will uniformly use TLS version 1.2. This change might have the effect that using old (likely unsupported) browsers, it will not be possible to access the web interface of SPS .
Searching for group memberships is now case insensitive.
When you have a cluster of nodes set up, you can now search all session data recorded by all nodes in the cluster on a single node. For details, see Searching session data on a central node in a cluster .
The RPC API is deprecated as of version 5 F7 of SPS and will be removed in an upcoming feature release. For detail, see The One Identity Safeguard for Privileged Sessions (SPS) RPC API .
When you have a set of two or more One Identity Safeguard for Privileged Sessions instances in your deployment, you now have the possibility to join them into a cluster, and manage them from one central location. You can monitor their status and update their configuration centrally. For details, see Managing Safeguard for Privileged Sessions (SPS) clusters .
In the Search interface, it is now possible to use the flow view for a quick visualization of the session activities. For details, see Using the Search interface .
It is now possible to specify an accuracy level for Optical Character Recognition (OCR). For details, see Configuring the internal indexer .
It is now possible to specify the base DN of LDAP subtrees for users and for groups separately. Specifying a sufficiently narrow base for the LDAP subtrees can speed up LDAP operations. For details, see Managing One Identity Safeguard for Privileged Sessions (SPS) users from an LDAP database and Authenticating users to an LDAP server .
You now have the option to configure connection policies with near real-time indexing priority, meaning that you can start indexing sessions while they are still ongoing. This requires that you configure your indexers with the appropriate settings and capabilities. For details, see Configuring the internal indexer and Configuring the external indexer .
It is now possible to use a hardware security module (HSM) or a smart card to store the decryption keys required for decrypting audit trails when using an external indexer. For details, see Configuring a hardware security module (HSM) or smart card to integrate with external indexer .
In the Search interface, it is now possible to display statistics, analyze data using Privileged Account Analytics, and use the timeline for a quick time range selection. For details, see Using the Search interface .
The documentation of the obsolete Audit Player application has been removed from the document. For the documentation of the Safeguard Desktop Player application, see Safeguard Desktop Player User Guide .
Using the Search interface has been added to the document.
Configuring RDP banners has been documented in Creating and editing protocol-level RDP settings .
The steps describing how to recover from a split brain situation have been clarified. For more information, see Recovering from a split brain situation .
The screenshots and descriptions in Status history and statistics have been updated.
The open source licenses that apply to certain components of SPS have been consolidated into Third-party contributions .
The documentation of the obsolete Audit Player application has been moved to an appendix. For the documentation of the Safeguard Desktop Player application, see Safeguard Desktop Player User Guide .
Uploading decryption keys to the external indexer has been updated.
SPS 's RESTful API has been enhanced with the following new functionalities:
New content endpoint: /api/audit/sessions/<session-id>/content. It enables you to search in the contents of individual connections. For details, see "Searching in connection content" in the REST API Reference Guide
Filter events: The filtering functionality is now added to the api/audit/sessions/<session-id>/events endpoint, too. You can now search in the events of individual connections. For more information, see "Session events" in the REST API Reference Guide.
In order to better integrate SPS with Privileged Account Analytics, some architectural changes have been introduced. For more information, see REST API Reference Guide .
Enabling TLS-encryption in an RDP connection policy has been simplified. When the connection is encrypted, SPS has to show a certificate to the peer. You can define the type of certificate to show to the peers. For details, see Enabling TLS-encryption for RDP connections .
You can now configure the required minimum version of the default web listener. The default setting is TLS 1.2. For details, see Configuring user and administrator login addresses .
You can now select the depth of indexing: lightweight and full indexing. Lightweight indexing is now enabled by default, you only have to configure it if you want full indexing. Lightweight indexing is faster than full indexing, and indexes only Command and Window title events. It does not index any other screen content (for example, text that is displayed in a terminal or that appears in an RDP window). For details, see Configuring the internal indexer .
RDP 4 and RDP 5 have been removed from Creating and editing protocol-level RDP settings .
The Audit Player application can now replay audit trails that contain graphical X11 sessions (the contents of the X11 Forward channel of the SSH protocol). For further details, see "Replay X11 sessions" in the Safeguard Desktop Player User Guide .
Plugin configuration files in support bundle: When creating support bundles for troubleshooting purposes, SPS now includes the configuration files of any plugins installed. For details, see "Collecting logs and system information for error reporting" in the Administration Guide .
Added description of scbAMQPError to Traffic related traps .
It is now possible to set the Maximum Transmission Unit (MTU) per VLAN interface. For more information, see Network settings and Managing logical interfaces .
In addition to displaying upgrade logs and boot messages on the local console, SPS now shows information about the upgrade and reboot processes on the web interface, too. For details, see Controlling One Identity Safeguard for Privileged Sessions (SPS): reboot, shutdown and Upgrade checklist .
You can now configure Certificate Revocation Lists (CRLs) to be included in certificates. For further details, see Signing certificates on-the-fly .
Added description of how to configure the IPMI interface from the BIOS. For details, see Configuring the IPMI interface from the BIOS and Configuring the IPMI interface from the BIOS after losing IPMI password .
Added section explaining limitation when using the TN5250 protocol with IBM iSeries Access for Windows. For detailed information, see Limitations of using TN5250 protocol with IBM iSeries Access for Windows .
Added explanation of why audit trails could have the Indexing (queued / all) status in the Waiting for processing section. For more information, see Monitoring the status of the indexer services .
It is now possible to create customized configuration instances of Credential Store and Authentication and Authorization (AA) plugins if the plugin .zip file includes an optional sample configuration file. For more information, see Using a custom Credential Store plugin to authenticate on the target hosts and Using a custom Authentication and Authorization plugin to authenticate on the target hosts .
You can now customize the configuration of the syslog-ng application that is running on SPS . For details, see Customize system logging in One Identity Safeguard for Privileged Sessions (SPS) .
This section introduces One Identity Safeguard for Privileged Sessions (SPS) in a non-technical manner, discussing how and why is it useful, and what additional security it offers to an existing IT infrastructure.
One Identity Safeguard for Privileged Sessions (SPS) is part of the One Identity Safeguard solution, which in turn is part of One Identity's Privileged Access Management portfolio. Addressing large enterprise needs, SPS is a privileged session management solution which provides industry-leading access control, session recording and auditing to prevent privileged account misuse and accelerate forensics investigations.
SPS is a quickly deployable enterprise device, completely independent from clients and servers - integrating seamlessly into existing networks. It captures the activity data necessary for user profiling and enables full user session drill down for forensic investigations.
SPS has full control over the SSH, RDP, Telnet, TN3270, TN5250, Citrix ICA, and VNC connections, giving a framework (with solid boundaries) for the work of the administrators. The most notable features of SPS are the following:
SPS acts as a centralized authentication and access-control point in your IT environment which protects against privileged identity theft and malicious insiders. The granular access management helps you to control who can access what and when on your critical IT assets.
SPS monitors privileged user sessions in real-time and detects policy violations as they occur. In case of detecting a suspicious user activity (for example entering a destructive command, such as the "rm"), SPS can send you an alert or immediately terminate the connection.
SPS audits "who did what", for example on your database- or SAP servers. Aware of this, your employees will do their work with a greater sense of responsibility leading to a reduction in human errors. By having an easily interpreted, tamper-proof record in encrypted, timestamped, and digitally signed audit trails, finger-pointing issues can be eliminated.
SPS makes all user activity traceable by recording them in high quality, tamper-proof and easily searchable audit trails. All data is stored in encrypted, timestamped and signed files, preventing any modification or manipulation. The movie-like audit trails ensure that all the necessary information is accessible for ad-hoc analyses or audit reports.
When something wrong happens, everybody wants to know the real story. Analyzing thousands of text-based logs can be a nightmare and may require the participation of external experts. The ability to easily reconstruct user sessions allows you to shorten investigation time and avoid unexpected cost.
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Nutzungsbedingungen Datenschutz Cookie Preference Center