Safeguard for Privileged Passwords Release Notes
Safeguard for Privileged Passwords 6.0 LTS
Release Notes
16 June 2020, 09:36
These release notes provide information about the Safeguard for Privileged Passwords 6.0 LTS release.
Planning future release options
This release is the first Long Term Support (LTS) release, Safeguard for Privileged Passwords version 6.0 LTS.
Upcoming releases of Safeguard for Privileged Passwords will have Long Term Support (LTS) Release or Feature Release version numbering. The versions align with Safeguard for Privileged Sessions. For more information, see Long Term Support (LTS) and Feature Releases.
About this release
|
CAUTION: The embedded sessions module was removed in Safeguard for Privileged Passwords 6.0 LTS. Organizations must join to the more robust Safeguard for Privileged Sessions Appliance for sessions recording and playback. Please contact your Account Manager if you are currently using the embedded sessions module to discuss upgrading to 6.0 LTS including implementation of the Safeguard for Privilege Sessions appliance or virtual appliance. |
Safeguard for Privileged Passwords Version 6.0 LTS is major release with new features and
resolved issues.
The new features include:
- SPP embedded sessions module removed and SPS join complete (191547)
- Support for the Safeguard for Privileged Passwords 3000 Appliance (191553)
NOTE: No upgrade is needed for Safeguard for Privileged Passwords 2000 Appliance users.
For more details on the features and resolved issues, see:
NOTE: For a full list of key features in Safeguard for Privileged Passwords, see the Safeguard for Privileged Passwords Administration Guide.
About the Safeguard product line
The Safeguard for Privileged Passwords Appliance is built specifically for use only with the Safeguard for Privileged Passwords privileged management software, which is pre-installed and ready for immediate use. The appliance is hardened to ensure the system is secured at the hardware, operating system, and software levels. The hardened appliance approach protects the privileged management software from attacks while simplifying deployment and ongoing management and shortening the time frame to value.
Safeguard for Privileged Passwords virtual appliances and cloud applications are also available. When setting up a virtual environment, carefully consider the configuration aspects such as CPU, memory availability, I/O subsystem, and network infrastructure to ensure the virtual layer has the necessary resources available. See One Identity's Product Support Policies for more information on environment virtualization.
Safeguard privileged management software suite
Safeguard privileged management software is used to control, monitor, and govern privileged user accounts and activities to identify possible malicious activities, detect entitlement risks, and provide tamper proof evidence. The Safeguard products also aid incident investigation, forensics work, and compliance efforts.
The Safeguard products' unique strengths are:
- One-stop solution for all privileged access management needs
- Easy to deploy and integrate
- Unparalleled depth of recording
- Comprehensive risk analysis of entitlements and activities
- Thorough Governance for privileged account
The suite includes the following modules:
- Safeguard for Privileged Passwords automates, controls, and secures the process of granting privileged credentials with role-based access management and automated workflows. Deployed on a hardened appliance, Safeguard for Privileged Passwords eliminates concerns about secured access to the solution itself, which helps to speed integration with your systems and IT strategies. Plus, its user-centered design means a small learning curve and the ability to manage passwords from anywhere and using nearly any device. The result is a solution that secures your enterprise and enables your privileged users with a new level of freedom and functionality.
-
One Identity for Privileged Sessions is part of One Identity's Privileged Access Management portfolio. Addressing large enterprise needs, Safeguard for Privileged Sessions is a privileged session management solution, which provides industry-leading access control, as well as session monitoring and recording to prevent privileged account misuse, facilitate compliance, and accelerate forensics investigations.
Safeguard for Privileged Sessions is a quickly deployable enterprise appliance, completely independent from clients and servers to integrate seamlessly into existing networks. It captures the activity data necessary for user profiling and enables full user session drill-down for forensics investigations.
-
One Identity Safeguard for Privileged Analytics integrates data from Safeguard for Privileged Sessions to use as the basis of privileged user behavior analysis. Safeguard for Privileged Analytics uses machine learning algorithms to scrutinize behavioral characteristics, and generates user behavior profiles for each individual privileged user. Safeguard for Privileged Analytics compares actual user activity to user profiles in real time, and profiles are continually adjusted using machine learning. Safeguard for Privileged Analytics detects anomalies and ranks them based on risk so you can prioritize and take appropriate action and ultimately prevent data breaches.
Figure 1: Privileged Sessions and Privileged Passwords
New features
|
CAUTION:The embedded sessions module was removed in Safeguard for Privileged Passwords 6.0 LTS. Organizations must join to the more robust Safeguard for Privileged Sessions Appliance for sessions recording and playback. Please contact your Account Manager if you are currently using the embedded sessions module to discuss upgrading to 6.0 LTS including implementation of the Safeguard for Privilege Sessions appliance or virtual appliance. |
SPP embedded sessions module removed (191547)
The embedded sessions module has been removed with Safeguard for Privileged Passwords 6.0 LTS. For uninterrupted service, organizations must join to the more robust Safeguard for Privileged Sessions Appliance for sessions recording and playback.
See the Safeguard for Privileged Passwords Administration Guide:
- Session Appliances with SPS join
- Appendix C: SPP and SPS sessions appliance join guidance
Support for the Safeguard for Privileged Passwords 3000 Appliance (191553)
NOTE: No upgrade is needed for Safeguard for Privileged Passwords 2000 Appliance users.
The Safeguard for Privileged Passwords 3000 Appliance is available with the latest security updates and trusted certificate updates/revocations.
- Appliance Administrators can factory reset to a recent Safeguard for Privileged Passwords version to get the appliance back up and running on the latest version.
- Government agencies and their contractors can rely on the 3000 Appliance to meet common criteria for purchase approval with no need for exceptions.
Functionality includes:
- Default password rules are enhanced for better security including symbols, length, and so on.
- The same certificates as the Safeguard for Privileged Passwords 2000 appliance are used.
- Twitter and Facebook internal platforms are removed in favor of the open source custom platform versions. If in use, the platforms become Other, Other.
Session recordings
Before patching to the 3000 Appliance, move any SPP embedded sessions recordings from local SPP to an archive server. For details, see SPP and SPS sessions appliance join guidance, Step 1: Prepare for the join.
AWS to run in cloud (191525)
Safeguard for Privileged Passwords can be run in the cloud using Amazon Web Services (AWS).
For instructions, see the Safeguard for Privileged Passwords Administration Guide:
- Using the cloud
- Using AWS
Management web kiosk available for cloud platforms
The Management web kiosk is available via HTTPS port 9337 for cloud platforms.
|
CAUTION:The Management web kiosk is available via HTTPS port 9337 for cloud platforms (including AWS and Azure). The Management web kiosk gives access to functions without authentication, such as pulling a support bundle or rebooting the appliance. In AWS, all ports are denied unless explicitly allowed. To deny access to port 9337, the port should be left out of the firewall rules. If the port is used, firewall rules should allow access to targeted users. |
See also:
Resolved issues
Issues addressed by this release follow.
Table 1: General resolved issues
An approver can click a link in the email to approve/deny request. |
227573 |
In the web client, an Approver can view one access request to approve or deny a request. |
227453 |
Backup and restore documentation was updated. |
227452 |
A session recorded while Safeguard for Privileged Passwords is in Offline Workflow mode can be replayed. |
227143 |
Removing user as partition owner resets the user back to the previous ownerships. |
225806 |
SPS initiated SSH sessions works from AA plugin after SPP upgrade from 2.10 to 2.11. |
225421 |
Changed the .rdp temp file name to include the asset and account name. |
223817 |
If you have a single node SPS cluster where the Central Management node is also the Search Master, SPP will be unable to launch sessions. There has to be at least one SPS appliance in the cluster that is capable of recording sessions. See the SPS Administration Guide, Managing Safeguard for Privileged Sessions (SPS) clusters. |
223712 |
AS400 check and change succeeds. |
222020 |
Creating backups works as designed. |
220387 |
Added KB article 313918: Why does the ‘Launch’ button on Safeguard’s Web Interface not initiate the session as expected? |
220245 |
SPS join works with SpsInteractive Service credentials. |
219188 |
Documentation was added for:
- The procedure to change the IP address of a clustered SPP appliance
- Considerations when SPP and SPS are joined and the IP address of either the SPS cluster master (Central Management role) or the SPP primary appliance are changed.
For more information, see the Safeguard for Privileged Passwords Administration Guide, Networking. |
218270 |
Creating an archive server with SSH key works through test connection through archive backup. |
218022 |
In the web UI, the approver sees Request Available in green. |
217759 |
Safeguard for Privileged Passwords can import accounts using a .csv file if asset name is capitalized |
216931 |
Discovering accounts runs efficiently. |
215940 |
Entitlement report lists entitlements when running the report against the linked accounts or assets. |
215689 |
Customers can replay session videos recorded and archived from the embedded sessions module and the external SPS sessions feature. |
201046 |
The headers on requests were updated for vulnerability scan results. |
200486 188719 |
AS400 starting task works as designed. |
200383 |
Schedule reports attachments can be sent as a .csv file. |
198007 |
Changed UTC to local time in email template for email notifications. |
188650 |
The temporary .rdp file name now includes Asset and Account information in the naming convention. |
187954 |