One Identity Safeguard for Privileged Passwords introduces the following new features and enhancements in this version.
Audit log synchronization, archive, and purge (191603)
Audit log synchronization, archive, and purge has been enhanced. Appliance Administrators can configure Safeguard for Privileged Passwords to perform weekly maintenance, audit log purge, and audit log archiving. Navigate to Administrative Tools | Settings | Backup and Retention | Audit Log Maintenance.
Backup protection (191610)
Appliance Administrators can configure backup protection, which encrypts all backups generated from all appliances in the cluster. The options are:
- Appliance (default): Backups are encrypted as a genuine Safeguard backup and can only be decrypted on a Safeguard appliance.
- Password: Backups are encrypted as a genuine Safeguard backup and can only be decrypted on a Safeguard appliance. In addition, backups are encrypted with the provided password. The password is required to restore the backup.
- GNU Privacy Guard (GPG) public key (RSA only): Backups are encrypted as a genuine Safeguard backup and can only be decrypted on a Safeguard appliance. In addition, when a backup is downloaded or archived it is encrypted with the provided GPG public key. The corresponding private key is required to decrypt the backup before it can be uploaded to a Safeguard appliance.
Once set, future backups created manually or automatically are protected.
Safeguard for Privileged Passwords detects the attempted upload of an invalid backup. An audit event is created for the failed backup load with the error reasons, which include an invalid signature.
Backup protection is set on Administrative Tools | Settings | Backup and Retention | Safeguard Backup and Restore then click Settings and select Backup Protection Settings.
Configure syslog servers that require TLS (191512)
Policy Security Administrators can configure the network protocol and syslog header type. For TCP (RFC 5424), you can specify TLS encryption and authentication (Client Certificate and Server Certificate).
- web client: Navigate to Settings | External Integration | Syslog.
- desktop client: Navigate to Administrative Tools | Settings | External Integration | Syslog.
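The receiving side of the TCP (RFC 5424) with TLS option, as an added example that is not part of the release notes or of the Safeguard product: a syslog listener that presents its own server certificate and also requires the sender to present a client certificate (mutual TLS), plus parsing of RFC 5424 messages carried with RFC 5425 octet-counted framing. Certificate paths are placeholders, SAMPLE is the RFC 5424 example message (shortened), and the framing around it is constructed.

```python
import re
import socket
import ssl
from dataclasses import dataclass
from typing import List, Tuple


# --- TLS: server certificate + mandatory client certificate -----------------
def new_receiver_context() -> ssl.SSLContext:
    """Listener context that authenticates the sender, not only itself."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED      # handshake fails without a client cert
    return ctx


def context_policy(ctx: ssl.SSLContext) -> Tuple[bool, str]:
    """(client certificate required?, minimum TLS version) for inspection."""
    return ctx.verify_mode == ssl.CERT_REQUIRED, ctx.minimum_version.name


def server_context(ca_file: str, cert_file: str, key_file: str) -> ssl.SSLContext:
    """ca_file: CA that issued the sender's client certificate;
    cert_file/key_file: this receiver's server certificate and key (placeholder paths)."""
    ctx = new_receiver_context()
    ctx.load_cert_chain(cert_file, key_file)
    ctx.load_verify_locations(cafile=ca_file)
    return ctx


# --- Framing: RFC 5425 octet counting, "MSG-LEN SP SYSLOG-MSG" ---------------
def split_octet_counted(buf: bytes) -> Tuple[List[str], bytes]:
    """Return complete messages and the unconsumed tail (kept for the next recv).
    Stops at malformed input instead of guessing, so a bad sender cannot
    desynchronise the stream."""
    out: List[str] = []
    while True:
        sp = buf.find(b" ")
        if sp <= 0 or not buf[:sp].isdigit():
            break
        n, start = int(buf[:sp]), sp + 1
        if len(buf) < start + n:
            break                              # partial message: wait for more bytes
        out.append(buf[start:start + n].decode("utf-8", errors="replace"))
        buf = buf[start + n:]
    return out, buf


def frame(msg: str) -> bytes:
    """Sender-side framing, used here only to build constructed input."""
    data = msg.encode("utf-8")
    return b"%d %s" % (len(data), data)


# --- RFC 5424 header --------------------------------------------------------
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$", re.DOTALL)


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    timestamp: str
    hostname: str
    appname: str
    msgid: str
    structured_data: str
    msg: str


def parse_rfc5424(line: str) -> SyslogMessage:
    m = _HEADER.match(line)
    if not m or int(m["pri"]) > 191:
        raise ValueError("not an RFC 5424 message")
    pri, rest = int(m["pri"]), m["rest"]
    if rest.startswith("-"):                   # NILVALUE: no structured data
        sd, _, msg = rest.partition(" ")
    else:                                      # one or more [SD-ELEMENT]s; ']' inside values is escaped as '\]'
        i = 0
        while i < len(rest) and rest[i] == "[":
            j = i + 1
            while j < len(rest) and rest[j] != "]":
                j += 2 if rest[j] == "\\" else 1
            i = j + 1
        sd, msg = rest[:i], rest[i:].lstrip(" ")
    return SyslogMessage(pri // 8, pri % 8, m["ts"], m["host"], m["app"], m["msgid"], sd, msg)


# RFC 5424 section 6.5 example message, shortened (constructed sample input).
SAMPLE = ('<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 '
          '[exampleSDID@32473 iut="3" eventSource="Application"] An application event log entry')


def serve(host: str, port: int, ctx: ssl.SSLContext) -> None:
    """Accept one mutually authenticated connection and print its messages."""
    with socket.create_server((host, port)) as srv, ctx.wrap_socket(srv, server_side=True) as tls:
        conn, _peer = tls.accept()             # handshake happens here; no client cert -> exception
        with conn:
            print("client certificate subject:", conn.getpeercert().get("subject"))
            buf = b""
            while chunk := conn.recv(4096):
                buf += chunk
                msgs, buf = split_octet_counted(buf)
                for raw in msgs:
                    print(parse_rfc5424(raw))
```

To run the listener against a real sender, call `serve("0.0.0.0", 6514, server_context("ca.pem", "server.pem", "server.key"))` with your own files; without a client certificate chained to `ca.pem` the handshake fails before any syslog data is read, which is the point of the Client Certificate option.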
Login notification and desktop client inactivity timeout (237174)
When configured by Appliance Administrators, a login notification is displayed to all users before they log in. Users must consent to the notifications and restrictions before they can log in. Be cautious about including sensitive information in the login notification, because it can be viewed by anyone without authenticating. The default is no login notification (access banner). For details, see:
- web client: Navigate to Settings | Safeguard Access | Messaging.
- desktop client: Navigate to Administrative Tools | Settings | Messaging | Login Notification.
Appliance Administrators can now specify an inactivity timeout for the desktop client application, similar to what exists with the web client application. The default for the new desktop client application inactivity timeout is 1440 minutes (24 hours), after which the user will automatically be logged out.
- web client: Navigate to Settings | Safeguard Access | Local Login Control.
- desktop client: Navigate to Administrative Tools | Settings | Safeguard Access | Login Control.
Specify domain controller for Active Directory (225824)
Appliance Administrators can identify which domain controllers to use with the Specify domain controllers selection. If none are specified, Safeguard for Privileged Passwords uses the domain controllers discovered through DNS and CLDAP ping, as before. In the Safeguard for Privileged Passwords Administration Guide, see:
Security enhancements (234139)
Trusted Servers, CORS, and Redirects
An Appliance Administrator can restrict login redirects and Cross Origin Resource Sharing (CORS) requests to the specified list of IP addresses, host names (including DNS wildcards), and CIDR notation networks.
- web client: Navigate to Settings | External Integration | Trusted Servers, CORS and Redirects.
- desktop client: Navigate to Administrative Tools | Settings | External Integration | Trusted Servers, CORS and Redirects.
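An allow-list check of the shape this setting describes, as an added example that is not the release notes' or Safeguard's own code: an entry is an IP address, a CIDR network, a host name, or a DNS wildcard such as *.corp.example.com, and both post-login redirect targets and CORS Origin values are checked against it. TRUSTED and all URLs are constructed; whether the real setting considers ports is not stated on this page, so this version ignores them.

```python
import ipaddress
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Constructed allow-list: host name, DNS wildcard, CIDR network, single IP.
TRUSTED = ["sso.example.com", "*.corp.example.com", "10.20.0.0/16", "192.0.2.10"]


def host_matches(host: str, entry: str) -> bool:
    """Exact host-name match, or DNS wildcard match for entries starting with '*.'."""
    host, entry = host.lower().rstrip("."), entry.lower().rstrip(".")
    if entry.startswith("*."):
        suffix = entry[1:]                       # "*.corp.example.com" -> ".corp.example.com"
        # The leading dot keeps "evilcorp.example.com" out; the length check keeps
        # the apex "corp.example.com" out, since '*' must match at least one label.
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == entry


def ip_matches(host: str, entry: str) -> bool:
    """True when host is an IP literal inside entry (a single IP or a CIDR network)."""
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:                           # host is a name, or entry is not IP/CIDR
        return False
    return addr in net                           # False across IPv4/IPv6 versions


def is_trusted(url: str, allow_list: Iterable[str] = TRUSTED) -> bool:
    """Accept only absolute https URLs whose host is on the allow-list.
    Scheme-relative ('//evil'), userinfo ('trusted@evil'), and javascript:/data:
    URLs all fail because they never yield an https scheme plus a listed host."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    return any(host_matches(parts.hostname, e) or ip_matches(parts.hostname, e)
               for e in allow_list)


def redirect_target(requested: Optional[str], fallback: str) -> str:
    """Post-login redirect: honour the requested URL only if it is trusted."""
    return requested if requested and is_trusted(requested) else fallback


def cors_allow_origin(origin: Optional[str]) -> Optional[str]:
    """Value for Access-Control-Allow-Origin: echo a trusted Origin, otherwise
    None (omit the header). Never answer '*' on a credentialed API."""
    return origin if origin and is_trusted(origin) else None


if __name__ == "__main__":
    for candidate in ("https://app.corp.example.com/home", "https://corp.example.com",
                      "https://evilcorp.example.com", "https://10.20.5.7/", "//sso.example.com/",
                      "https://sso.example.com@evil.example/"):
        print(f"{candidate:45} trusted={is_trusted(candidate)}")
```

The wildcard handling is the part most often got wrong in hand-rolled checks: a bare suffix test (`endswith("corp.example.com")`) accepts `evilcorp.example.com`, and a test without the length guard accepts the apex domain that the wildcard was not meant to cover.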
Secure token service login timeout
An Appliance Administrator can select Enable Secure Token Service Login Timeout to set a 15-minute expiration time on the session cookies used during login. By default, a session cookie has no expiration time and is deleted only when the browser/user-agent is closed. Setting an expiration time adds security and can prevent some replay attacks.
- web client: Navigate to Settings | Safeguard Access | Local Login Control.
- desktop client: Navigate to Administrative Tools | Settings | Safeguard Access | Login Control.
SMTP authentication (191605)
Appliance Administrators can configure the SMTP client to authenticate to the mail server, so that mail servers which allow only authenticated access can be used. Authentication is set on Administrative Tools | Settings | External Integration | Email.
SSH algorithms (210503)
An Appliance Administrator can restrict the SSH algorithms that are negotiated between Safeguard for Privileged Passwords and managed assets.
- web client: Navigate to Settings | Appliance | SSH Algorithms.
- desktop client: Navigate to Administrative Tools | Settings | Appliance | SSH Algorithms.
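What restricting one side's algorithm list actually changes, shown with the SSH negotiation rule from RFC 4253 section 7.1 as an added example (not the release notes' or Safeguard's code): each peer sends a preference-ordered, comma-separated name-list per algorithm class in SSH_MSG_KEXINIT, and the chosen algorithm is the first name on the client's list that the server also lists. Safeguard is the SSH client towards managed assets, so its offer is the one a restriction trims. Every name-list and the policy below are constructed for illustration and are not Safeguard's defaults.

```python
from typing import Dict, List, Optional

# A real KEXINIT carries separate client->server / server->client lists for
# ciphers, MACs and compression; one list per class is enough to show the rule.
CLASSES = ("kex", "hostkey", "cipher", "mac")
Offer = Dict[str, str]          # class -> comma-separated name-list, preference order

# Constructed client offer: legacy names still present, and preferred.
UNRESTRICTED_CLIENT: Offer = {
    "kex": "diffie-hellman-group14-sha1,curve25519-sha256,diffie-hellman-group-exchange-sha256",
    "hostkey": "ssh-rsa,ssh-ed25519,rsa-sha2-256",
    "cipher": "aes128-cbc,aes256-ctr,chacha20-poly1305@openssh.com",
    "mac": "hmac-sha1,hmac-sha2-256-etm@openssh.com",
}
# Constructed administrator policy: what the client may offer at all.
ALLOWED: Dict[str, List[str]] = {
    "kex": ["curve25519-sha256", "diffie-hellman-group-exchange-sha256"],
    "hostkey": ["ssh-ed25519", "rsa-sha2-256"],
    "cipher": ["chacha20-poly1305@openssh.com", "aes256-ctr"],
    "mac": ["hmac-sha2-256-etm@openssh.com"],
}
# Two constructed managed assets (SSH servers).
MODERN_ASSET: Offer = {
    "kex": "curve25519-sha256,diffie-hellman-group14-sha1",
    "hostkey": "ssh-ed25519,rsa-sha2-256",
    "cipher": "chacha20-poly1305@openssh.com,aes256-ctr",
    "mac": "hmac-sha2-256-etm@openssh.com",
}
LEGACY_ASSET: Offer = {
    "kex": "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1",
    "hostkey": "ssh-rsa",
    "cipher": "aes128-cbc,3des-cbc",
    "mac": "hmac-sha1",
}


def parse_name_list(value: str) -> List[str]:
    """name-list: comma-separated names, no whitespace (RFC 4251 section 5)."""
    return [n for n in value.split(",") if n]


def negotiate(client: List[str], server: List[str]) -> Optional[str]:
    """First algorithm on the client's list that the server also offers; None
    means the connection fails. (RFC 4253's extra kex/host-key compatibility
    conditions are omitted here.)"""
    server_set = set(server)
    return next((name for name in client if name in server_set), None)


def restrict(offer: Offer, policy: Dict[str, List[str]]) -> Offer:
    """Drop names the policy does not allow, keeping the offer's own order."""
    return {cls: ",".join(n for n in parse_name_list(offer[cls]) if n in policy[cls])
            for cls in CLASSES}


def negotiate_all(client: Offer, server: Offer) -> Dict[str, Optional[str]]:
    return {cls: negotiate(parse_name_list(client[cls]), parse_name_list(server[cls]))
            for cls in CLASSES}


def connection_possible(result: Dict[str, Optional[str]]) -> bool:
    """Every class must resolve, or the KEXINIT exchange ends the connection."""
    return all(result[cls] is not None for cls in CLASSES)


if __name__ == "__main__":
    clients = (("unrestricted", UNRESTRICTED_CLIENT), ("restricted", restrict(UNRESTRICTED_CLIENT, ALLOWED)))
    for label, client in clients:
        for asset_name, asset in (("modern asset", MODERN_ASSET), ("legacy asset", LEGACY_ASSET)):
            result = negotiate_all(client, asset)
            print(f"{label:12} -> {asset_name}: connects={connection_possible(result)} {result}")
```

Two things fall out of the run. Against the modern asset the unrestricted client still ends up on `diffie-hellman-group14-sha1`, because client preference order decides, not the server's; removing the name from the offer is what moves the session to `curve25519-sha256`. Against the legacy asset the restricted offer has no common algorithm in any class, so the connection fails outright: expect password checks and changes to that asset to break after tightening the list until the asset's sshd is updated.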
Time zone handling updates (225573)
User Administrators control whether end users can set their time zone. Navigate to Settings | Safeguard Access | Time Zone and select or deselect the Allow users to modify their own time zone check box. The check box is selected by default.
The time zone of a user controls the time displayed in the user interface and in Activity Center downloads. The time zone can be set in both the desktop client (user avatar, My Account) and the web client (Dashboard Settings | General tab).
TLS audit event logging and debug logging (240492)
TLS audit event logs
You can enable TLS audit event logging. The events are written to the debug logs (available via a Support Bundle) and, if a syslog server is configured, are also sent to the syslog server (cluster-wide).
TLS audit events include connections, closures, and failures. Failures include the reason, the initiator, and the target; for example, a certificate validation failure records the initiator and the target.
web client only: Navigate to Settings | External Integration | Syslog Events.
You can send debug logs to an existing syslog server. Unlike TLS audit event logging, debug logging is appliance-specific rather than cluster-wide.
web client only: Navigate to Settings | Appliance | Debug.
Undelete objects (244820)
Administrator users can:
- Undelete objects they have accidentally deleted
- Permanently delete objects that have been deleted
- Set a policy with a time threshold to permanently delete objects that are in the "recycle bin" so they can be purged from the system
The work is done via the API using these endpoints:
- https://<network address>/service/core/v3/Deleted/Assets
- https://<network address>/service/core/v3/Deleted/AssetAccounts
- https://<network address>/service/core/v3/Deleted/Users
For more information, see Using the API.
Web client for Appliance Administrator (220279)
An Appliance Administrator can perform most activities on the web client without needing to install the Windows desktop client.
Changes to expired access requests (239692)
Administrators can now clear (Close or Acknowledge) access requests in the Pending Acknowledgment state. In addition, expired requests will be automatically cleared at a faster rate (approximately every hour).