
One Identity Safeguard for Privileged Passwords 6.7 - Release Notes

04 September 2020, 12:49

These release notes provide information about the Safeguard for Privileged Passwords 6.7 release.

If you are updating a Safeguard for Privileged Passwords version prior to this release, read the release notes for the version found at: One Identity Safeguard for Privileged Passwords Technical Documentation.

Release options

Safeguard for Privileged Passwords includes two release versions:

  • Long Term Support (LTS) maintenance release, version 6.0.7 LTS
  • Feature release, version 6.7

The versions align with Safeguard for Privileged Sessions. For more information, see Long Term Support (LTS) and Feature Releases.

About this release

Safeguard for Privileged Passwords Version 6.7 is a minor feature release with new features, resolved issues, and known issues.

For more details, see:

NOTE: For a full list of key features in Safeguard for Privileged Passwords, see the Safeguard for Privileged Passwords Administration Guide.

About the Safeguard product line

The Safeguard for Privileged Passwords 3000 and 2000 Appliances are built specifically for use only with the Safeguard for Privileged Passwords privileged management software, which is pre-installed and ready for immediate use. The appliance is hardened to ensure the system is secured at the hardware, operating system, and software levels. The hardened appliance approach protects the privileged management software from attacks while simplifying deployment and ongoing management and shortening the time frame to value.

Safeguard for Privileged Passwords virtual appliances and cloud applications are also available. When setting up a virtual environment, carefully consider the configuration aspects such as CPU, memory availability, I/O subsystem, and network infrastructure to ensure the virtual layer has the necessary resources available. See One Identity's Product Support Policies for more information on environment virtualization.

Safeguard privileged management software suite

Safeguard privileged management software is used to control, monitor, and govern privileged user accounts and activities to identify possible malicious activities, detect entitlement risks, and provide tamper proof evidence. The Safeguard products also aid incident investigation, forensics work, and compliance efforts.

The Safeguard products' unique strengths are:

  • One-stop solution for all privileged access management needs
  • Easy to deploy and integrate
  • Unparalleled depth of recording
  • Comprehensive risk analysis of entitlements and activities
  • Thorough governance for privileged accounts

The suite includes the following modules:

  • Safeguard for Privileged Passwords automates, controls, and secures the process of granting privileged credentials with role-based access management and automated workflows. Deployed on a hardened appliance, Safeguard for Privileged Passwords eliminates concerns about secured access to the solution itself, which helps to speed integration with your systems and IT strategies. Plus, its user-centered design means a small learning curve and the ability to manage passwords from anywhere and using nearly any device. The result is a solution that secures your enterprise and enables your privileged users with a new level of freedom and functionality.
  • One Identity Safeguard for Privileged Sessions is part of One Identity's Privileged Access Management portfolio. Addressing large enterprise needs, Safeguard for Privileged Sessions is a privileged session management solution, which provides industry-leading access control, as well as session monitoring and recording to prevent privileged account misuse, facilitate compliance, and accelerate forensics investigations.

    Safeguard for Privileged Sessions is a quickly deployable enterprise appliance, completely independent from clients and servers to integrate seamlessly into existing networks. It captures the activity data necessary for user profiling and enables full user session drill-down for forensics investigations.

  • One Identity Safeguard for Privileged Analytics integrates data from Safeguard for Privileged Sessions to use as the basis of privileged user behavior analysis. Safeguard for Privileged Analytics uses machine learning algorithms to scrutinize behavioral characteristics, and generates user behavior profiles for each individual privileged user. Safeguard for Privileged Analytics compares actual user activity to user profiles in real time, and profiles are continually adjusted using machine learning. Safeguard for Privileged Analytics detects anomalies and ranks them based on risk so you can prioritize and take appropriate action and ultimately prevent data breaches.

    Figure 1: Privileged Sessions and Privileged Passwords

New features

Audit log synchronization, archive, and purge (191603)

Audit log synchronization, archive, and purge has been enhanced. Appliance Administrators can configure Safeguard for Privileged Passwords to perform weekly maintenance, audit log purge, and audit log archiving. Navigate to Administrative Tools | Settings | Backup and Retention | Audit Log Maintenance.

Backup protection (191610)

For maximum backup protection, Appliance Administrators can configure backup protection which will encrypt all backups generated from all appliances in the cluster.

  • Appliance (default): Backups are encrypted as a genuine Safeguard backup and can only be decrypted on a Safeguard appliance.
  • Password: Backups are encrypted as a genuine Safeguard backup and can only be decrypted on a Safeguard appliance. In addition, backups are encrypted with the provided password. The password is required to restore the backup.
  • GNU Privacy Guard (GPG) public key (RSA only): Backups are encrypted as a genuine Safeguard backup and can only be decrypted on a Safeguard appliance. In addition, when a backup is downloaded or archived it is encrypted with the provided GPG public key. The matching private key is required to decrypt the backup before it can be uploaded to a Safeguard appliance.

Once set, future backups created manually or automatically are protected.

Safeguard for Privileged Passwords detects the attempted upload of an invalid backup. An audit event is created for the failed backup load with the error reasons which will include an invalid signature.

Backup protection is set on Administrative Tools | Settings | Backup and Retention | Safeguard Backup and Restore then click Settings and select Backup Protection Settings.

Configure syslog servers that require TLS (191512)

Policy Security Administrators can configure the network protocol and syslog header type. For TCP (RFC 5424), you can specify TLS encryption and authentication (Client Certificate and Server Certificate).

  • web client: Navigate to Settings | External Integration | Syslog.
  • desktop client: Navigate to Administrative Tools | Settings | External Integration | Syslog.

Login notification and desktop client inactivity timeout (237174)

When configured by Appliance Administrators, login notifications are now displayed to all users prior to login. Users must consent to the notifications and restrictions before they can log in. Be cautious about including sensitive information in your login notification, since it can be viewed by anyone without authenticating. The default is no login notification (access banner). For details, see:

  • web client: Navigate to Settings | Safeguard Access | Messaging.
  • desktop client: Navigate to Administrative Tools | Settings | Messaging | Login Notification.

Appliance Administrators can now specify an inactivity timeout for the desktop client application, similar to what exists with the web client application. The default for the new desktop client application inactivity timeout is 1440 minutes (24 hours), after which the user will automatically be logged out.

  • web client: Navigate to Settings | Safeguard Access | Local Login Control.
  • desktop client: Navigate to Administrative Tools | Settings | Safeguard Access | Login Control.

Specify domain controller for Active Directory (225824)

Appliance Administrators can identify which domain controllers to use with the Specify domain controllers selection. If not specified, Safeguard for Privileged Passwords uses the domain controllers recommended from a DNS and CLDAP ping, as usual. In the Safeguard for Privileged Passwords Administration Guide, see:

  • Management tab (add asset)
  • Adding identity and authentication providers

Security enhancements (234139)

Trusted Servers, CORS, and Redirects

An Appliance Administrator can restrict login redirects and Cross Origin Resource Sharing (CORS) requests to the specified list of IP addresses, host names (including DNS wildcards), and CIDR notation networks.

  • web client: Navigate to Settings | External Integration | Trusted Servers, CORS and Redirects.
  • desktop client: Navigate to Administrative Tools | Settings | External Integration | Trusted Servers, CORS and Redirects.

For more information, see the Administration Guide, Trusted Servers, CORS and Redirects.
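To make concrete what an allowlist of "IP addresses, host names (including DNS wildcards), and CIDR notation networks" has to do when a login redirect or a CORS request arrives, here is an added Python illustration. It is not the product's code and makes two assumptions: a DNS wildcard `*` stands for exactly one host-name label, and the allowlist entries, the host names and the `Origin` values are all constructed sample data. It shows the defensive property that matters: the origin is matched against the full host with anchored patterns, so `sso.corp.example.com.attacker.net` does not pass a `*.corp.example.com` entry, and an untrusted origin gets no CORS headers at all rather than a wildcard.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed allowlist covering the three forms the setting accepts:
# a literal IP address, a host name with a DNS wildcard, and a CIDR network.
TRUSTED_SERVERS = [
    "203.0.113.10",
    "*.corp.example.com",
    "10.20.0.0/16",
]


def _wildcard_to_regex(pattern):
    """Turn '*.corp.example.com' into an anchored regex.

    Assumption: '*' stands for exactly one DNS label, so the pattern
    matches 'sso.corp.example.com' but not 'corp.example.com' or
    'sso.corp.example.com.attacker.net'.
    """
    parts = [re.escape(p) for p in pattern.lower().split("*")]
    return re.compile("^" + "[a-z0-9-]+".join(parts) + "$")


def _parse_entry(entry):
    """Classify one allowlist entry as an IP, a network, a wildcard or a host."""
    entry = entry.strip()
    try:
        return ("ip", ipaddress.ip_address(entry))
    except ValueError:
        pass
    try:
        return ("net", ipaddress.ip_network(entry, strict=False))
    except ValueError:
        pass
    if "*" in entry:
        return ("wild", _wildcard_to_regex(entry))
    return ("host", entry.lower().rstrip("."))


def is_trusted_host(host, allowlist):
    """True if the host (bare name or IP literal) matches any allowlist entry."""
    if not host:
        return False
    host = host.lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    for kind, value in (_parse_entry(e) for e in allowlist):
        if kind == "ip" and addr is not None and addr == value:
            return True
        if kind == "net" and addr is not None and addr in value:
            return True
        if kind == "wild" and addr is None and value.match(host):
            return True
        if kind == "host" and addr is None and host == value:
            return True
    return False


def is_trusted_origin(origin, allowlist):
    """Check an Origin header value or redirect URL against the allowlist.

    urlsplit strips the scheme, port and IPv6 brackets; an unparsable
    value (for example the literal 'null' origin) is never trusted.
    """
    try:
        host = urlsplit(origin).hostname
    except ValueError:
        return False
    return is_trusted_host(host, allowlist)


def cors_headers(origin, allowlist):
    """Return CORS response headers only for a trusted origin.

    Echoing the specific origin (never '*') keeps credentialed requests
    limited to the allowlist; an untrusted origin gets no CORS headers,
    so the browser blocks the cross-origin read.
    """
    if not is_trusted_origin(origin, allowlist):
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Vary": "Origin",
    }


if __name__ == "__main__":
    for o in ("https://sso.corp.example.com", "https://10.20.5.7:8443",
              "https://sso.corp.example.com.attacker.net", "null"):
        print(o, "->", is_trusted_origin(o, TRUSTED_SERVERS))
```

The `Vary: Origin` header matters whenever the allowed origin is echoed back: without it a shared cache could serve one origin's `Access-Control-Allow-Origin` value to another.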

Secure token service login timeout

An Appliance Administrator can select Enable Secure Token Service Login Timeout to set a 15 minute expiration time for the session based cookies used during login. Typically, a session based cookie does not expire and is deleted by the browser/user-agent when closed. Setting an expiration time adds security and can prevent some replay attacks.

  • web client: Navigate to Settings | Safeguard Access | Local Login Control.
  • desktop client: Navigate to Administrative Tools | Settings | Safeguard Access | Login Control.

For more information, see the Administration Guide, Login Control.

SMTP authentication (191605)

Appliance Administrators can ensure only authenticated access is allowed to the mail server by configuring the SMTP client to support authentication. Authentication is set on Administrative Tools | Settings | External Integration | Email.

SSH algorithms (210503)

An Appliance Administrator can restrict the SSH algorithms that are negotiated between Safeguard for Privileged Passwords and managed assets.

  • web client: Navigate to Settings | Appliance | SSH Algorithms.
  • desktop client: Navigate to Administrative Tools | Settings | Appliance | SSH Algorithms.

Time zone handling updates (225573)

User Administrators control whether end users can set their time zone. Navigate to Settings | Safeguard Access | Time Zone and select or deselect the Allow users to modify their own time zone check box. The check box is selected by default.

The time zone of a user controls the time displayed in the user interface and Activity Center downloads. The Time Zone can be set in both the desktop client (user avatar, My Account) and web client (Dashboard Settings | General tab).

TLS audit event logging and debug logging (240492)

TLS audit event logs

You can enable TLS audit event logging; the events are automatically written to the debug logs (available via a Support Bundle). If a syslog server is configured, the TLS audit events are also sent to the syslog server (cluster-wide).

TLS audit events include connection, closure, and failures. Failures include the reason, the initiator, and the target. For example, a certificate validation failure will include the initiator and the target. web client only: Navigate to Settings | External Integration | Syslog Events.

Debug logs

You can send debug logs to an existing syslog server. Debug logging is appliance specific.

web client only: Navigate to Settings | Appliance | Debug.

Undelete objects (244820)

Safeguard for Privileged Passwords Administrators can:

  • Restore objects that have been accidentally deleted
  • Set a policy with a time threshold to permanently delete objects that are in the "recycle bin" so they can be purged from the system

Administrator users can:

  • Undelete objects they have accidentally deleted
  • Permanently delete objects that have been deleted

This work is done through the API using the following endpoints:

  • https://<network address>/service/core/v3/Deleted/Assets
  • https://<network address>/service/core/v3/Deleted/AssetAccounts
  • https://<network address>/service/core/v3/Deleted/Users
  • https://<network address>/service/core/v3/Deleted/PurgeSettings
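As an added example (not code from One Identity or the product), the following Python script builds the four `Deleted` endpoint URLs listed above and reads the recycle bin over the API so an administrator can see what would be affected by the purge threshold policy. It assumes the API accepts an `Authorization: Bearer <token>` header, and the item field `DeletedDate`, the host name `sg.example.internal` and the `SAMPLE_RESPONSES` data are constructed placeholders; the transport is injectable so the example runs offline against that sample data.

```python
import datetime as dt
import json
from urllib.request import Request, urlopen

# Endpoint paths from the release notes, relative to /service/core/v3/.
DELETED_ENDPOINTS = {
    "assets": "Deleted/Assets",
    "accounts": "Deleted/AssetAccounts",
    "users": "Deleted/Users",
    "purge_settings": "Deleted/PurgeSettings",
}


def deleted_url(network_address, kind):
    """Build the full URL for one of the Deleted endpoints."""
    return f"https://{network_address}/service/core/v3/{DELETED_ENDPOINTS[kind]}"


def _urllib_get(url, headers):
    """Real transport: GET the URL and decode the JSON body."""
    req = Request(url, headers=headers)
    with urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def list_deleted(network_address, token, kind, http_get=_urllib_get):
    """GET a Deleted endpoint with a bearer token.

    Assumption: the appliance accepts 'Authorization: Bearer <token>' for
    API calls. http_get is injectable so the logic can run offline.
    """
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    return http_get(deleted_url(network_address, kind), headers)


def deleted_inventory(network_address, token, http_get=_urllib_get):
    """Count objects waiting in the recycle bin, per object type."""
    return {
        kind: len(list_deleted(network_address, token, kind, http_get))
        for kind in ("assets", "accounts", "users")
    }


def older_than(items, days, now, field="DeletedDate"):
    """Pick items whose deletion timestamp is at least `days` old.

    Assumption: each item carries an ISO-8601 UTC timestamp under `field`;
    the name 'DeletedDate' is hypothetical, not taken from the product.
    """
    cutoff = now - dt.timedelta(days=days)
    stale = []
    for item in items:
        stamp = item.get(field)
        if not stamp:
            continue
        when = dt.datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        if when <= cutoff:
            stale.append(item)
    return stale


# Constructed sample responses so the example runs without an appliance.
SAMPLE_RESPONSES = {
    "Deleted/Assets": [
        {"Id": 101, "Name": "db-prod-01", "DeletedDate": "2020-08-01T10:00:00Z"},
    ],
    "Deleted/AssetAccounts": [
        {"Id": 501, "Name": "svc_backup", "DeletedDate": "2020-09-03T09:30:00Z"},
    ],
    "Deleted/Users": [],
}


def fake_get(url, headers):
    """Offline stand-in for _urllib_get that serves SAMPLE_RESPONSES."""
    assert headers["Authorization"].startswith("Bearer ")
    path = url.split("/service/core/v3/", 1)[1]
    return SAMPLE_RESPONSES[path]


NOW = dt.datetime(2020, 9, 4, tzinfo=dt.timezone.utc)

if __name__ == "__main__":
    print(deleted_inventory("sg.example.internal", "<token>", http_get=fake_get))
    assets = list_deleted("sg.example.internal", "<token>", "assets", http_get=fake_get)
    print([a["Name"] for a in older_than(assets, 30, NOW)])
```

Running the script with the real transport (omit `http_get=`) requires a token issued for an administrator and a trusted TLS certificate on the appliance, since `urlopen` verifies the server certificate by default.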

Web client for Appliance Administrator (220279)

An Appliance Administrator can perform most activities on the web client without needing to install the Windows desktop client.

Changes to expired access requests (239692)

Administrators can now clear (Close or Acknowledge) access requests in the Pending Acknowledgment state. In addition, expired requests will be automatically cleared at a faster rate (approximately every hour).

See also:

Resolved issues

Issues addressed by this release follow.

Table 1: General resolved issues

Issue ID   Resolved issue
235825     Web client now allows releasing SSH key with a session request.
235707     Desktop client now allows releasing SSH key with a session request.
248560     When pressing the show button during a user supplied access request, the connection string and credentials don't disappear.
249332     An Asset Based request using User Supplied (My Credential) will no longer attempt to change the password or SSH key when a user supplied request is checked in.
247599     Safeguard for Privileged Passwords connects to Oracle 18c.
244542     Using the SPS host name to launch a session works correctly.
244045     The Safeguard Appliance Selection Algorithm selects the most fit SPS node.
243576     SSH key rotation is performed when ChangeSshKeyAfterCheckIn is set to true in the access policy.
242942     GET AssetGroups returns Assets.SshHostKey and Assets.SshHostKeyFingerprint data.
242618     Account Discovery Rules are evaluated in order.
242364     The charset response header was made consistent; charset=utf-8 is standard across all APIs.
242024     If an SPS_Initiated connection policy is selected when creating an access request, the assets associated with that request will not display. The session-related access policy assigned to SPS_Initiated is filtered out. A connection policy other than SPS_Initiated must be selected to create an Access Request for the asset.
241808     View Live Sessions button on the Dashboard is now correctly displayed as available for Auditors.
240577     A check box is available to change the password or SSH key after the user checks it back in. This check box is selected by default. Navigate to Administrative Tools | Entitlements | Access Request Policies | (create or edit a policy). The check boxes are: Change password after check-in and Change SSH key after check-in.
240150     If the scheduler is unable to complete a task within the scheduled interval, when it finishes execution of the task, it is rescheduled for the next immediate interval.
240079     Safeguard for Privileged Sessions initiated RDP session works.
240015     When adding an asset, on the Connections tab, Safeguard for Privileged Passwords discovers the SSH host key of discovered assets even if you selected None as the service account credential type.
239692     Administrators can clear (Close or Acknowledge) access requests in the Pending Acknowledgment state.
239371     Can delete subscribers that were not created by the current user.
239132     New Inactive User Logged Out audit event type available in the Activity Center. This issue was resolved as part of the Safeguard for Privileged Passwords 6.7 feature: Security enhancements (234139).
239032     External Federation metadata import works.
237250     Session request available time is refreshed in desktop client.
236629     Radius NAS configuration is supported.
230572     The Enable Secure Token Service Login Timeout can be set on Settings | Safeguard Access | Login Control (desktop client). The default is 15 minutes. This issue was resolved as part of the Safeguard for Privileged Passwords 6.7 feature: Security enhancements (234139).
230569     You can restrict login redirects and Cross Origin Resource Sharing (CORS) requests to a specified list of IP addresses, host names (including DNS wildcards), and CIDR notation networks. This issue was resolved as part of the Safeguard for Privileged Passwords 6.7 feature: Security enhancements (234139). For more information, see the Administration Guide, Trusted Servers, CORS and Redirects.
230359
228123     Able to backup and archive successfully without error.
200348     Can add MS SQL named instance.
191303     SMTP configuration includes the ability to add authentication to the SMTP server. Authentication is set on Administrative Tools | Settings | External Integration | Email. This issue was resolved as part of the Safeguard for Privileged Passwords 6.7 feature: SMTP authentication (191605).
189259     The range for Token Lifetime correctly reflects 10 minutes to 28,800 minutes (20 days).
188723     Profiles for an Active Directory Asset can be changed.
188714     While joining, the maintenance status from the replica now takes into account all data streams when calculating the completion percentage.
187971     In the Activity Center, Play is available when the RDP session connects and is not available if the RDP session fails to connect.
249953     In the web client, description is now displayed on the Asset and Account pickers in the Access Request dialogs.
188130     In the desktop client, description is now displayed on the Asset and Account pickers in the Access Request dialogs.
