
One Identity Safeguard for Privileged Sessions 6.8.1 - Administration Guide

Preface

Welcome to the One Identity Safeguard for Privileged Sessions 6.8.1 Administrator Guide.

This document describes how to configure and manage the One Identity Safeguard for Privileged Sessions (SPS). Background information for the technology and concepts used by the product is also discussed.

Summary of changes

Version 6.7 - 6.8
Changes in product:
  • From the Search interface, for data recorded by SPS, you can view session events and alerts on a timeline, and search in the contents of the audit trail. The Timeline tab replaces the now deprecated Events, Alerts, and Contents tabs.

    For more information, see Viewing session details for data recorded by SPS.

  • The user interface for creating and downloading reports, including report chapters and subchapters, has been redesigned. The new reporting workflow simplifies the process of creating and downloading reports, and it provides a better user experience.

    For more information, see Reports.

  • You can use trust stores that store the certificate chains of trusted certificate authorities (CA) to verify the certificates in TLS connections. You can add and edit custom trust stores in the newly created Basic Settings > Trust Stores page.

    For more information, see Verifying certificates with Certificate Authorities using trust stores.

  • SPS now checks whether the random number generator produces the same byte sequence repeatedly.

    For more information, see System related traps.

  • SPS now supports usernames both in user principal name (UPN) and down-level logon name formats for RDP and RDG connections (such as username@domain and DOMAIN\username).

    For more information, see Usernames in RDP connections.

  • The Cluster Management window of the SPS user interface has been reworked to provide better visual differentiation between the procedures of creating a new cluster and joining an existing cluster. The changes affect the user interface only, and have no impact on the functionality of the cluster management feature.

    For more information, see Managing Safeguard for Privileged Sessions (SPS) clusters.

  • The Pointing device biometrics and Typing biometrics options in Content Policies have been deprecated. You can still use these options in Indexer Policies.

    For more information, see Configuring the internal indexer.

  • The list of supported key exchange (KEX) algorithms for SSH has been updated with the supported Elliptic-curve Diffie–Hellman (ECDH) algorithms.

    For more information, see Supported encryption algorithms.

  • Starting from 6.8.0, the default protocol-level settings for RDP connections have changed and NLA is now enabled by default in the RDP setting policies.

    Due to this change:

    • The default RDP setting is now default_nla, where NLA is enabled.

    • The RDP setting that was previously called default has been renamed to legacy_default.

    • RDP 4-style authentication is now cleared by default.

    NOTE: If you are upgrading from an SPS version earlier than 6.8.0, and you have an existing RDP setting named legacy_default or default_nla, you must rename it before upgrade.

    For more information, see Creating and editing protocol-level RDP settings.

Version 6.6 - 6.7
Changes in product:
  • Algorithm settings in SPS have been extended with the host key algorithm to comply with current security standards.

    For more information, see Host key algorithms.

  • From the PDF output of reports, you can now quickly access each session on the Search interface.

    For more information, see Report output.

  • In card view, you can add additional search fields to the Search interface. This allows quick visualization of your preferred fields from the main page of the Search interface for each session.

    For more information, see Adding custom fields to the card view.

  • During boot, SPS performs an integrity check and reports whether the firmware is tainted or corrupted.

    For more information, see The structure of the web interface.

  • You can now check and report if there were indexed audit trails where the Optical Character Recognition (OCR) engine failed.

    For more information, see Monitoring the status of the indexer services.

  • From the Search interface, you can now view session details for data recorded by SPP.

    For more information, see Viewing session details for data recorded by SPP.

  • You can now view encrypted screenshots in the Search interface by uploading the necessary encryption keys to your keystore. SPS does not store your encryption keys; they are kept in your browser.

    For more information, see Viewing encrypted screenshots.

  • During agent-forwarding, the Ed25519 and ECDSA user keys are also accepted.

    For more information, see Relayed authentication methods.

  • During an SSH session, the key exchange is now repeated periodically and automatically.

    For more information, see Supported encryption algorithms.

  • The Splunk forwarder is deprecated as of Safeguard for Privileged Sessions (SPS) 6.7 and will be removed in an upcoming release. One Identity recommends using the universal SIEM forwarder instead.

    For more information, see Using the universal SIEM forwarder.

  • In RDP, do not use the @ character as an in-band data separator; use an alternative character instead, for example the % character.

  • When you configure the location of the LDAP server, that is, the IP address or hostname and the port number, you can now use a Service record (SRV record), which is a type of information record in the DNS that maps the name of a service to the DNS name of the server.

    For more information, see Authenticating users to an LDAP server.

  • The description of the restore process has been clarified: you cannot restore from an older release to a newer release. Also, you must ensure that you have enough free space to restore.

    For more information, see Restoring One Identity Safeguard for Privileged Sessions (SPS) configuration and data.

Version 6.5 - 6.6
Changes in product:
  • SPS now supports the ECDSA 256 (ecdsa-sha2-nistp256) SSH host key, which is an elliptic-curve variant of the Digital Signature Algorithm (DSA).

    For more information, see Setting the SSH host keys of the connection.

  • You can now easily query the available server-side host keys or create a new one.

    For more information, see Server host keys and Manually adding the host key of a server.

  • The Basic Settings > Plugins page has been renewed, and now contains more detailed information about the plugins.

    You can now also verify the integrity of the plugins that you have uploaded.

    For more information, see Using plugins.

  • Audit data access rules let you restrict users to the audit data of sessions for which they have been granted permission. When creating a new rule, you can now use a preview to ensure that the search query returns relevant results.

    For more information, see Creating rules for restricting access to search audit data.

  • You can now click each alert and event on the Search interface to view a corresponding screenshot.

    For more information, see Viewing session details.

  • MSSQL queries and server responses are now indexed and can be searched using the Search interface. You can download the relevant audit trail, open it in the Safeguard Desktop Player, and export it in CSV or PCAP format.

Version 6.4 - 6.5
Changes in product:
  • You can now restrict users to the audit data of sessions for which they have been granted permission.

    For more information, see Creating rules for restricting access to search audit data.

  • The following menu items have been renamed. Note that there is no functionality change.

    Old name            New name
    AAA                 Users & Access Control
    Group Management    Local User Groups
    Access Control      Appliance Access
    Permission Query    Access Rights Report
    Accounting          Configuration History

    Permissions settings for user groups under <Protocol name> Control > Connections > Access Control > Permission have also been renamed from Search&Authorize to Follow&Authorize and from Search to Follow.

  • The User idle timeout option has been added to ICA, RDP, SSH, Telnet and VNC Control > Settings. If no user activity is detected, it terminates the session after the configured time has passed since the last user activity.

  • A new, experimental SPP fetcher role has been added to the Cluster management roles. It fetches the workflow from SPP. The fetched data can be viewed on the Search interface.

    Caution:

    This is an EXPERIMENTAL feature. It is documented, but the performance impact on production systems has not been determined yet. Therefore this feature is not yet covered by support. However, you are welcome to try it (preferably in non-production systems) and if you have any feedback, send it to feedback-sps@oneidentity.com.

    For more information, see Cluster roles.

  • NOT FETCHED has been added as a new status to Basic Settings > Cluster management > Cluster management status.

    For more information, see Monitoring the status of nodes in your cluster.

  • Starting from SPS versions 6.0.4 and 6.5.0, certificates with SHA1-based signatures are no longer trusted for Active Directory or LDAP authentication.

    For more information, see Managing One Identity Safeguard for Privileged Sessions (SPS) users from an LDAP database.

  • The RDP login screen now allows you to paste text-based clipboard contents. It also provides a warning if Caps Lock is on.

    For more information, see Usernames in RDP connections.

  • SPS now checks if the Certificate Revocation List (CRL) has expired and that the CRL has been signed by the same Certificate Authority (CA).

    For more information, see Verifying certificates with Certificate Authorities.
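    How the two checks named above are carried out on an X.509 CRL, as an added example that is not SPS code: it uses the Python cryptography package on a constructed test CA, and the helper names (make_ca, make_crl, crl_is_acceptable) are this example's own.

```python
# Added example, not SPS code: the two CRL checks the release note describes,
# demonstrated with the "cryptography" package on a constructed CA and CRLs.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOW = datetime.now(timezone.utc)


def make_ca(common_name):
    # Constructed self-signed test CA: returns (private key, certificate).
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - timedelta(days=1)).not_valid_after(NOW + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def make_crl(signing_key, issuer_cert, valid_for):
    # Constructed CRL carrying issuer_cert's name; a negative valid_for yields a stale CRL.
    return (x509.CertificateRevocationListBuilder().issuer_name(issuer_cert.subject)
            .last_update(NOW - timedelta(days=2)).next_update(NOW + valid_for)
            .sign(signing_key, hashes.SHA256()))


def crl_is_acceptable(crl, ca_cert, now=NOW):
    # Reject a CRL unless it names the CA as issuer, carries that CA's valid
    # signature, and has not passed its nextUpdate time (i.e. has not expired).
    if crl.issuer != ca_cert.subject:
        return False
    if not crl.is_signature_valid(ca_cert.public_key()):
        return False
    next_update = getattr(crl, "next_update_utc", None) or crl.next_update
    if next_update is None:
        return False
    if next_update.tzinfo is None:  # older cryptography releases return naive UTC
        next_update = next_update.replace(tzinfo=timezone.utc)
    return now <= next_update


def demo():
    ca_key, ca_cert = make_ca("Constructed Root CA")
    other_key, _ = make_ca("Constructed Other CA")
    return {
        "fresh": crl_is_acceptable(make_crl(ca_key, ca_cert, timedelta(days=7)), ca_cert),
        "expired": crl_is_acceptable(make_crl(ca_key, ca_cert, timedelta(days=-1)), ca_cert),
        # Claims the CA's name but is signed by a different key: the signature check fails.
        "forged": crl_is_acceptable(make_crl(other_key, ca_cert, timedelta(days=7)), ca_cert),
    }
```

    Only the fresh CRL signed by the matching CA is accepted; a stale CRL and one signed by a different key are both rejected, even though the stale one carries a valid signature.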

  • If there is a gateway authentication or authorization failure due to an AA plugin, the reason for the failure is displayed in the Details tab of the Search interface.

    For more information, see Viewing session details for data recorded by SPS.

Version 6.3 - 6.4
Changes in product:
  • One Identity Safeguard for Privileged Sessions (SPS) now supports the MSSQL protocol.

    For more information, see MSSQL-specific settings.

  • The value range of Disconnect clients when disks are: x percent used field in Basic Settings > Management > Disk space fill up prevention is now limited to 50-98 percent.

    For more information, see Preventing disk space fill-up.

  • After the release of SPS version 6.4, installation packages of the external indexer application can only be downloaded from the SPS web interface.

  • Unicode characters for password encrypted private keys are now supported.

    For more information, see Replaying encrypted audit trails in your browser.

  • The Asian language package is included in the basic license.

  • The SPS user interface has changed. The change includes the main menu, user menu, and about page.

    For more information, see The structure of the web interface.

  • When verifying certificates with Certificate Authorities, DER format Certificate Revocation Lists are now accepted too, in addition to PEM format CRLs.

  • SPS now supports the Ed25519 SSH host key.

    For more information, see SSH host keys.

Version 6.2 - 6.3
Changes in product:
Changes in documentation:
Version 6.1 - 6.2
Changes in product:
Changes in documentation:
Version 6.0 - 6.1
Changes in product:
  • Trend analysis allows you to use the timeline to find changes over time.

    For more information, see Specifying time ranges.

  • The Search interface has been extended with the Basic view, which allows you to select the filters that you need from the appropriate columns.

    For more information, see Using search filters.

  • Creating a new authentication policy on SSH has been simplified.

    For more information, see Creating a new authentication policy.

  • The WebSocket channel is now supported.

    For more information, see Supported HTTP channel types.

Changes in documentation:

Introduction

This section introduces One Identity Safeguard for Privileged Sessions (SPS) in a non-technical manner, discussing how and why it is useful, and what additional security it offers to an existing IT infrastructure.

Topics:

The major benefits of One Identity Safeguard for Privileged Sessions (SPS)

One Identity Safeguard for Privileged Sessions (SPS) is part of the One Identity Safeguard solution, which in turn is part of One Identity's Privileged Access Management portfolio. Addressing large enterprise needs, SPS is a privileged session management solution which provides industry-leading access control, session recording and auditing to prevent privileged account misuse and accelerate forensics investigations.

SPS is a quickly deployable enterprise device that is completely independent of clients and servers and integrates seamlessly into existing networks. It captures the activity data necessary for user profiling and enables full user session drill-down for forensic investigations.

SPS has full control over the SSH, RDP, Telnet, TN3270, TN5250, Citrix ICA, and VNC connections, giving a framework (with solid boundaries) for the work of the administrators. The most notable features of SPS are the following:

Central policy enforcement

SPS acts as a centralized authentication and access-control point in your IT environment which protects against privileged identity theft and malicious insiders. The granular access management helps you to control who can access what and when on your critical IT assets.

Prevention of malicious activities

SPS monitors privileged user sessions in real time and detects policy violations as they occur. When it detects suspicious user activity (for example, entering a destructive command such as "rm"), SPS can send you an alert or immediately terminate the connection.

Greater accountability (deterrence)

SPS audits "who did what", for example on your database or SAP servers. Aware of this, your employees will do their work with a greater sense of responsibility, leading to a reduction in human errors. By having an easily interpreted, tamper-proof record in encrypted, timestamped, and digitally signed audit trails, finger-pointing issues can be eliminated.

Faster, cost-effective compliance audits

SPS makes all user activity traceable by recording it in high-quality, tamper-proof and easily searchable audit trails. All data is stored in encrypted, timestamped and signed files, preventing any modification or manipulation. The movie-like audit trails ensure that all the necessary information is accessible for ad-hoc analyses or audit reports.

Lower troubleshooting and forensics costs

When something goes wrong, everybody wants to know the real story. Analyzing thousands of text-based logs can be a nightmare and may require the participation of external experts. The ability to easily reconstruct user sessions allows you to shorten investigation time and avoid unexpected costs.
