Welcome to the One Identity Safeguard for Privileged Sessions 5 LTS Administrator Guide!
This document describes how to configure and manage the One Identity Safeguard for Privileged Sessions (SPS). Background information for the technology and concepts used by the product is also discussed.
Chapter 1, Introduction describes the main functionality and purpose of the One Identity Safeguard for Privileged Sessions.
Chapter 2, The concepts of SPS discusses the technical concepts and philosophies behind SPS.
Chapter 3, The Welcome Wizard and the first login describes what to do after assembling SPS — it is a step-by-step guide for the initial configuration.
Chapter 4, Basic settings describes the basic configuration settings of SPS.
Chapter 5, User management and access control discusses the authentication, authorization, and accounting settings of the users accessing SPS.
Chapter 6, Managing SPS provides detailed description on managing SPS as a host.
Chapter 7, General connection settings discusses general connection configuration settings.
Chapter 8, HTTP-specific settings describes configuration settings available only for the HTTP protocol.
Chapter 9, ICA-specific settings describes configuration settings available only for the ICA protocol.
Chapter 10, RDP-specific settings describes configuration settings available only for the RDP protocol.
Chapter 11, SSH-specific settings describes configuration settings available only for the SSH protocol.
Chapter 12, Telnet-specific settings describes configuration settings available only for the Telnet protocol.
Chapter 13, VMware Horizon View connections describes how to use SPS to control and audit VMware Horizon View connections.
Chapter 14, VNC-specific settings describes configuration settings available only for the Virtual Network Computing (VNC) protocol.
Chapter 16, Browsing and replaying audit trails on SPS describes how to browse the various types of log messages and audit trails on SPS and exactly what kind of information they contain.
Chapter 17, Advanced authentication and authorization techniques describes how to configure gateway authentication and four-eyes authorization for the connections.
Chapter 19, The SPS RPC API discusses the details of accessing SPS with the RPC API.
Chapter 21, SPS scenarios discusses common scenarios for SPS.
Chapter 22, Troubleshooting SPS describes troubleshooting and maintenance procedures of One Identity Safeguard for Privileged Sessions (SPS).
Appendix A, Configuring external devices describes scenarios about configuring external devices to redirect selected traffic to SPS.
Appendix B, Using SCP with agent-forwarding provides solutions for using scp with agent-forwarding.
Appendix E, Open source licenses includes the open source licenses and attributions applicable to One Identity Safeguard for Privileged Sessions.
This chapter introduces the One Identity Safeguard for Privileged Sessions (SPS) in a non-technical manner, discussing how and why it is useful, and what additional security it offers to an existing IT infrastructure.
One Identity Safeguard for Privileged Sessions (SPS) is a part of One Identity's Privileged Access Management solution. SPS is a device that controls, monitors, and audits remote administrative access to servers. It is a tool to oversee server administrators and server administration processes by controlling the encrypted connections used in server administration. It is an external, fully transparent device, completely independent from the clients and the servers. The server- and client applications do not have to be modified in order to use SPS — it integrates smoothly into the existing infrastructure.
SPS logs all administrative traffic (including configuration changes, executed commands, and so on) into audit trails. All data is stored in encrypted, timestamped and signed files, so that any later modification or manipulation of a trail is detectable. In case of any problems (server misconfiguration, database manipulation, unexpected shutdown), the circumstances of the event are readily available in the audit trails, thus the cause of the incident can be easily identified. The recorded audit trails can be displayed like a movie – recreating all actions of the administrator. All audit trails can be indexed, enabling fast forwarding during replay, searching for events (for example mouse clicks, pressing the Enter key) and texts seen by the administrator. Reports and automatic searches can be configured as well. To protect the sensitive information included in the communication, the two directions of the traffic (client-server and server-client) can be separated and encrypted with different keys, thus sensitive information like passwords is displayed only when necessary: a reviewer who holds only the server-to-client key can replay what the administrator saw without seeing what the administrator typed.
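The following is an added illustration of the two audit-trail properties described above, tamper-evident storage and per-direction encryption; it is not SPS code and does not reproduce the SPS audit-trail file format. It uses only the Python standard library: an HMAC-SHA256 counter-mode keystream stands in for the real cipher, an HMAC over the serialized trail stands in for the digital signature and timestamp, and the keys, event timestamps and session content are all constructed here for the example.

```python
"""Illustrative model of a tamper-evident, direction-separated audit trail.

Added example, not SPS code or its on-disk format. A counter-mode keystream
derived with HMAC-SHA256 is a toy stand-in for the real cipher, and HMAC-SHA256
over the serialized trail stands in for the signature. Every key and sample
event below is constructed for this example.
"""
import hashlib
import hmac
import json
import os

CLIENT_TO_SERVER = "c2s"   # what the administrator typed (may contain passwords)
SERVER_TO_CLIENT = "s2c"   # what the administrator saw on screen


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy stand-in for a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def record_trail(events, direction_keys: dict, signing_key: bytes) -> dict:
    """Encrypt each event under the key of its direction, then sign the whole trail.

    events: list of (timestamp, direction, payload_bytes) supplied by the caller.
    direction_keys: {CLIENT_TO_SERVER: key_a, SERVER_TO_CLIENT: key_b}.
    The sequence number doubles as the nonce, so no keystream is ever reused.
    """
    records = []
    for i, (ts, direction, payload) in enumerate(events):
        nonce = i.to_bytes(8, "big")
        ct = _xor(payload, _keystream(direction_keys[direction], nonce, len(payload)))
        records.append({"seq": i, "ts": ts, "dir": direction, "ct": ct.hex()})
    body = json.dumps(records, sort_keys=True).encode()
    sig = hmac.new(signing_key, body, hashlib.sha256).hexdigest()
    return {"records": records, "sig": sig}


def verify_trail(trail: dict, signing_key: bytes) -> bool:
    """Any edit to a record, including its timestamp, is detected (not prevented)."""
    body = json.dumps(trail["records"], sort_keys=True).encode()
    expected = hmac.new(signing_key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, trail["sig"])


def replay(trail: dict, available_keys: dict) -> list:
    """Decrypt only the directions whose key the reviewer holds; the rest stays hidden."""
    out = []
    for r in trail["records"]:
        key = available_keys.get(r["dir"])
        if key is None:
            out.append((r["ts"], r["dir"], None))
            continue
        ct = bytes.fromhex(r["ct"])
        pt = _xor(ct, _keystream(key, r["seq"].to_bytes(8, "big"), len(ct)))
        out.append((r["ts"], r["dir"], pt))
    return out


def demo() -> dict:
    key_c2s, key_s2c, signing_key = os.urandom(32), os.urandom(32), os.urandom(32)
    events = [  # constructed sample session: a privilege escalation with a typed password
        (1700000000.0, CLIENT_TO_SERVER, b"sudo -i\n"),
        (1700000000.1, SERVER_TO_CLIENT, b"[sudo] password for admin: "),
        (1700000003.0, CLIENT_TO_SERVER, b"hunter2\n"),
        (1700000003.2, SERVER_TO_CLIENT, b"root@db01:~# "),
    ]
    trail = record_trail(events, {CLIENT_TO_SERVER: key_c2s, SERVER_TO_CLIENT: key_s2c}, signing_key)
    # A reviewer holding only the server-to-client key sees the screen, not the typed password.
    screen_only = replay(trail, {SERVER_TO_CLIENT: key_s2c})
    full = replay(trail, {CLIENT_TO_SERVER: key_c2s, SERVER_TO_CLIENT: key_s2c})
    # Flip one ciphertext byte of the password record: the signature no longer verifies.
    tampered = json.loads(json.dumps(trail))
    ct = bytearray(bytes.fromhex(tampered["records"][2]["ct"]))
    ct[0] ^= 0x01
    tampered["records"][2]["ct"] = bytes(ct).hex()
    return {
        "sig_ok": verify_trail(trail, signing_key),
        "password_hidden": all(pt is None for _, d, pt in screen_only if d == CLIENT_TO_SERVER),
        "screen_visible": [pt for _, d, pt in screen_only if d == SERVER_TO_CLIENT],
        "full_view": [pt for _, _, pt in full],
        "tamper_detected": not verify_trail(tampered, signing_key),
    }
```

The design point is the key split: because the signature covers the ciphertexts and the timestamps, a reviewer can verify integrity without any decryption key, and handing out only the server-to-client key is enough to replay what was on screen while the typed password stays sealed until a four-eyes decision releases the other key.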
SPS has full control over the SSH, RDP, HTTP, Telnet, TN3270, TN5250, Citrix ICA, and VNC connections, giving a framework (with solid boundaries) for the work of the administrators. The most notable features of SPS are the following:
Disable unwanted channels and features (for example TCP port forwarding, file transfer, VPN, and so on)
Enforce the use of the selected authentication methods (password, publickey, and so on)
Require out-of-band authentication on the SPS gateway
Enforce four-eyes authorization with real-time monitoring and auditing capabilities
Audit the selected channels into encrypted, timestamped, and digitally signed audit trails
Retrieve group memberships of the user from an LDAP directory
Verify the hostkeys and host certificates of the accessed servers