Trusted Servers, CORS, and Redirects
You can restrict login redirects and Cross Origin Resource Sharing (CORS) requests to a specified list of IP addresses, host names (including DNS wildcards), and CIDR notation networks. By default, a single asterisk (*) means there are no restrictions. This will allow you to easily join multiple Safeguard for Privileged Passwords appliances together to form a cluster. In addition, you will also be able to link to a Safeguard for Privileged Sessions appliance. However, as a best practice, you should change or delete this value after configuring your cluster. It is recommended to set it to the empty string to prevent external CORS requests and login redirects to unknown servers. Or, set it to a list of known servers that integrate with the Safeguard API.
One or more values can be separated by a space, comma, or new line. Do not include the scheme, port, or path. The maximum length for the setting is 512 characters, including separators. Example values and additional details can be seen in the following table.
Table 222: Value detail
| Value type | Details | Example values |
|---|---|---|
| IPv4 | No reverse DNS lookup will be performed. No scheme or port values are considered. | `10.5.33.37`, `192.168.0.2` |
| IPv6 | No reverse DNS lookup will be performed. No scheme or port values are considered. | `2001:0db8:85a3:0000:0000:8a2e:0370:7334`, `2001:0db8:85a3:0:0:8a2e:0370:7334`, `2001:db8::1:0:0:1`, `2001:db8::2:1`, `2001:db8::1` |
| DNS/Host Names | Case insensitive match. No scheme or port values are considered. If using Internationalized Domain Names (IDN), you must also manually include the punycode equivalent. | `spp.contoso.corp`, `primary.spp.contoso.corp`, `widget.contoso.corp`, `widget` |
| DNS Wildcards | Only one level to the wildcard is allowed, just like SSL certificates. No scheme or port values are considered. If using Internationalized Domain Names (IDN), you must also manually include the punycode equivalent. | `*.spp.contoso.corp`, `*.contoso.corp` |
| CIDR Notation | Any DNS or host name values being validated will have DNS lookup performed to see if any resolved IP addresses are contained within any of the specified CIDR networks. No scheme or port values are considered. | `10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`, `76.240.155.0/24`, `fd12:3456:789a:1::/64`, `fd00::/8` |
| Allow All | A single asterisk, no other values allowed. | `*` |
| Allow None | Delete all values and leave as the empty string. | (empty) |
Considerations:
- When adding a new node to the Safeguard for Privileged Passwords cluster, the node’s host name or IP address must be specified in this list, or enter a single asterisk to allow all.
- When linking Safeguard for Privileged Sessions to Safeguard for Privileged Passwords, the host name or IP address of the Safeguard for Privileged Sessions appliance must be specified in this list, or enter a single asterisk to allow all.
- As a best practice, after clustering (or if using just a single appliance/VM), change the setting value to the empty string or a list of integration applications you wish to allow.
To set up Trusted Servers, CORS and Redirects:
- Go to Trusted Servers, CORS and Redirects:
  - web client: Navigate to External Integration | Trusted Servers, CORS and Redirects.
  - desktop client: Navigate to Administrative Tools | Settings | External Integration | Trusted Servers, CORS and Redirects.
- Refresh: Update the information displayed.
- In Allow Hosts, enter the list of IP addresses, host names (including DNS wildcards), and CIDR notation networks. As mentioned above, the default is a single asterisk (*) which means there are no restrictions.
- Click OK (desktop client) or Save (web client).
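The value rules in Table 222 can be checked before a list is entered in Allow Hosts. This Python sketch is an added example, not Safeguard code: it parses a setting value and matches a host against it the way the table describes. The names `parse_allow_hosts`, `is_allowed` and the `resolve` lookup hook are hypothetical, and testing IP literals directly against CIDR entries is an assumption.

```python
import ipaddress
MAX_LEN = 512  # documented limit, separators included

def parse_allow_hosts(value):
    """Classify each entry; raise ValueError on a value the table rules out."""
    if len(value) > MAX_LEN:
        raise ValueError("setting exceeds 512 characters")
    entries = value.replace(",", " ").split()  # space, comma or new line
    if "*" in entries and len(entries) > 1:
        raise ValueError("a single asterisk must be the only value")
    rules = []
    for e in entries:
        try:
            rules.append(("ip", ipaddress.ip_address(e)))
            continue
        except ValueError:
            pass
        if e == "*":
            rules.append(("any", None))
        elif "/" in e:  # CIDR; a scheme or path raises ValueError here
            rules.append(("cidr", ipaddress.ip_network(e, strict=False)))
        elif len(e) > 2 and e.startswith("*.") and "*" not in e[2:] and ":" not in e:
            rules.append(("wildcard", e[2:].lower()))  # parent domain only
        elif ":" in e or "*" in e:
            raise ValueError(f"port, scheme or misplaced wildcard: {e!r}")
        else:
            rules.append(("host", e.lower()))
    return rules

def is_allowed(host, rules, resolve=lambda name: []):
    """Match a bare host name or IP; resolve() is a hypothetical DNS lookup hook."""
    host = host.lower()
    label, _, parent = host.partition(".")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    addrs = [ip] if ip is not None else None
    for kind, val in rules:
        if (kind, val) in (("any", None), ("host", host), ("ip", ip)):
            return True  # allow all, or an exact host / IP match
        if kind == "wildcard" and ip is None and label and parent == val:
            return True  # exactly one label in front of the parent domain
        if kind == "cidr":
            if addrs is None:  # look names up only when a CIDR rule needs it
                addrs = [ipaddress.ip_address(a) for a in resolve(host)]
            if any(a.version == val.version and a in val for a in addrs):
                return True
    return False
```

An empty setting parses to an empty rule list, so every host is refused, while a lone `*` accepts any host; that is why the default should be replaced once clustering is complete.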
Password Management settings
desktop client only
Use the Password settings to define the profile configuration settings, including account password rules and password check and change schedules, which can then be used in profile definitions.
Navigate to Administrative Tools | Settings | Password Management.
Table 223: Profile settings
| Setting | Description |
|---|---|
| Account Password Rules | Where you define the complexity rules used by Safeguard for Privileged Passwords when constructing new passwords during an automatic account password change |
| Change Password | Where you define the rules Safeguard for Privileged Passwords uses to reset account passwords |
| Check Password | Where you define the rules Safeguard for Privileged Passwords uses to verify account passwords |
| Password sync groups | Where you define the password sync groups and associated accounts so Safeguard for Privileged Passwords can synchronize passwords across accounts |
Account Password Rules
desktop client only
Navigate to Administrative Tools | Settings | Password Management | Account Password Rules.
Account password rules govern the construction of a new password created by Safeguard for Privileged Passwords during an automatic account password change. You can create rules governing the allowable account passwords, such as:
Use these toolbar buttons to manage your account password rules.
Table 224: Account Password Rules: Toolbar
| Option | Description |
|---|---|
| Add Account Password Rule | Add an account password complexity rule. For more information, see Adding an account password rule. |
| Delete Selected | Remove the selected rule. |
| Refresh | Update the list of account password rules. |
| Edit | Modify the selected rule. |
| Copy | Clone the selected rule. |
Adding an account password rule
desktop client only
It is the responsibility of the Asset Administrator, or a partition's delegated administrator, to configure account password complexity rules.
IMPORTANT:
Some Unix systems silently truncate passwords to their maximum allowed length. For example, Macintosh OS X only allows a password of 128 characters. If an Asset Administrator creates a profile with an Account Password Rule that sets the password length to 136 characters, when Safeguard for Privileged Passwords changes the password for an account governed by that profile, the asset's operating system truncates the new password to the allowable length and does not return an error; however, the full 136-character password is stored in Safeguard for Privileged Passwords. This causes the following issues:
To add an account password rule
- Navigate to Administrative Tools | Settings | Password Management | Account Password Rules.
- Click Add Account Password Rule to open the Account Password Rule dialog.
- Browse to select the partition.
- Enter a Name for the account password rule (up to 50 characters).
- Enter a Description for the account password rule (up to 255 characters).
- Set the password requirements.
  - Password Length: Set a range for the allowable password length from three to 255 characters. The default is 8 to 64 characters. The maximum length must be equal to or greater than the sum of minimum characters required in the following steps. For example, if the password must have two uppercase letters, two lowercase letters, and two numeric characters, the minimum Password Length must be six. Note that a diacritical letter is one character.
  - First Character Type: Choose one of the following:
    - All: Alphabetical, numeric, or symbols
    - Alphanumeric: Alphabetical or numeric
    - Alphabetic: Only alphabetical characters
  - Last Character Type: Choose one of the following:
    - All: Alphabetical, numeric, or symbols
    - Alphanumeric: Alphabetical or numeric
    - Alphabetic: Only alphabetical characters
  - Repeated Characters: Choose one of the following:
    - Allow repeated characters: Any letters, numbers, or symbols can be repeated in any order, including consecutively.
    - No consecutive repeated characters: No letter, number, or symbol can be repeated after itself. You can restrict the number of consecutively repeated characters later by uppercase letters, lowercase letters, numbers, symbols, or a combination of those.
    - No repeated characters: All letters, numbers, or symbols can only be used once in the password.
  - Allow Uppercase: Select to allow uppercase (capital) letters. In the desktop client, click Advanced, as needed.
    - Require a Minimum of Uppercase Characters: Enter a number to identify the least number of uppercase letters required. To allow but not require uppercase letters, set this value at zero.
    - Limit Consecutively Repeated Uppercase Characters: If you allowed repeated characters earlier, select the check box to limit the number of consecutively repeated uppercase letters. You must enter a Maximum Allowed Characters value of one or more.
    - Exclude these Uppercase Characters: Enter any uppercase characters you want to exclude from the password. This field is case-sensitive.
  - Allow Lowercase: Select to allow lowercase (small) letters. In the desktop client, click Advanced, as needed.
    - Require a Minimum of Lowercase Characters: Enter a number to identify the least number of lowercase letters required. To allow but not require lowercase letters, set this value at zero.
    - Limit Consecutively Repeated Lowercase Characters: If you allowed repeated characters earlier, select the check box to limit the number of consecutively repeated lowercase letters. You must enter a Maximum Allowed Characters value of one or more.
    - Exclude these Lowercase Characters: Enter any lowercase characters you want to exclude from the password. This field is case-sensitive.
  - Limit Consecutively Repeated Alpha Characters: To set the number of repeated lowercase or uppercase letters combined, enter the Maximum Allowed Characters. For example, if you set the Max Allowed at 2, then you cannot have more than two alphabet characters next to each other in the password. Using this example, Ab1Cd2EF is valid but AbC1d2EF is not because it has three alphabet characters in a row.
  - Allow Numeric Character (0-9): Select to allow numeric characters in the password. In the desktop client, click Advanced, as needed.
    - Require a Minimum of Numeric Characters: Enter a number to identify the amount of numbers required in a password. To allow but not require numbers, set this value at zero.
    - Limit Consecutively Repeated Numeric Characters: Select the check box to limit the number of consecutively repeated numeric characters. You must enter a Maximum Allowed Characters value of one or more.
    - Exclude these Numeric Characters: Enter any numeric characters you want to exclude from the password. This field is case sensitive.
  - Allow Symbols (e.g. @ # $ % &): Select this check box to allow characters that are printable ASCII characters. These often include: ~ ` ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ | : ; " ' < > , . ? / In the desktop client, click Advanced, as needed.
    - Require a Minimum of Symbols: Enter a number to identify the least number of symbols required. To allow but not require symbols, set this value at zero.
    - Limit Consecutively Repeated Symbols: If you allowed repeated characters earlier, select the check box to limit the number of symbols that can repeat consecutively. You must enter a Maximum Allowed Characters value of one or more.
    - Set the following:
      - Valid Symbols: Select this option to enter allowable special characters. Enter the allowable symbols in the Symbol List text box.
      - Invalid Symbols: Select this option to enter prohibited special characters. Enter the prohibited symbols in the Symbol List text box.
- Click Test Rule to check the rules set.
- When the rules are complete, click OK.
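The length arithmetic, the truncation warning and the alpha-run example above can be checked together before a rule is assigned to a profile. This Python sketch is an added example, not Safeguard code: the `Rule` fields, `lint_rule`, `check_password` and the `platform_max` parameter are hypothetical names, and a `max_alpha_run` of 0 is assumed to mean no limit.

```python
import re
from dataclasses import dataclass

@dataclass
class Rule:  # hypothetical model of an Account Password Rule, not the product schema
    min_len: int = 8        # documented default range is 8 to 64
    max_len: int = 64
    min_upper: int = 0
    min_lower: int = 0
    min_digit: int = 0
    min_symbol: int = 0
    max_alpha_run: int = 0  # Limit Consecutively Repeated Alpha Characters; 0 = off

def lint_rule(rule, platform_max=None):
    """Return findings for a rule; platform_max is the asset's password length limit."""
    findings = []
    if not 3 <= rule.min_len <= rule.max_len <= 255:
        findings.append("length range must fall within 3..255")
    required = rule.min_upper + rule.min_lower + rule.min_digit + rule.min_symbol
    if required > rule.max_len:
        findings.append(f"minimums need {required} characters, max length is {rule.max_len}")
    if platform_max is not None and rule.max_len > platform_max:
        findings.append(f"asset may truncate: rule allows {rule.max_len}, platform keeps {platform_max}")
    return findings

def check_password(pw, rule):
    """Return the list of rule violations for one candidate password."""
    problems = []
    if not rule.min_len <= len(pw) <= rule.max_len:
        problems.append("length")
    counts = {"upper": sum(c.isupper() for c in pw), "lower": sum(c.islower() for c in pw),
              "digit": sum(c.isdigit() for c in pw)}
    counts["symbol"] = len(pw) - sum(counts.values())  # simplification: everything else
    for name, have in counts.items():
        if have < getattr(rule, f"min_{name}"):
            problems.append(f"too few {name}")
    runs = re.findall(r"[^\W\d_]+", pw)  # maximal runs of adjacent letters
    if rule.max_alpha_run and any(len(r) > rule.max_alpha_run for r in runs):
        problems.append("alpha run")
    return problems
```

Running `lint_rule` with the target platform's limit, such as the 128-character case described above, flags a rule whose stored password could be longer than what the asset actually keeps.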