One Identity Safeguard for Privileged Sessions 5.7.0 - Administration Guide

Preface Introduction The concepts of SPS The Welcome Wizard and the first login Basic settings User management and access control Managing SPS
Controlling SPS: reboot, shutdown Managing Safeguard for Privileged Sessions clusters Managing a high availability SPS cluster Upgrading SPS Managing the SPS license Accessing the SPS console Sealed mode Out-of-band management of SPS Managing the certificates used on SPS
General connection settings HTTP-specific settings ICA-specific settings RDP-specific settings SSH-specific settings Telnet-specific settings VMware Horizon View connections VNC-specific settings Indexing audit trails Using the Search (classic) interface Using the Search interface Searching session data on a central node in a cluster Advanced authentication and authorization techniques Reports The SPS RPC API The SPS REST API SPS scenarios Troubleshooting SPS Configuring external devices Using SCP with agent-forwarding Security checklist for configuring SPS Jumplists for in-product help Third-party contributions About us

Preface

Welcome to the One Identity Safeguard for Privileged Sessions 5 F7 Administrator Guide!

This document describes how to configure and manage the One Identity Safeguard for Privileged Sessions (SPS). Background information for the technology and concepts used by the product is also discussed.


Was this topic helpful?

[Select Rating]



Summary of changes

Version 5 F6 - 5 F7
Changes in product:
  • The System Monitor now displays statistics about the amount of logs ingested. For details, see The structure of the web interface.
  • You can now choose to upload a certificate chain when configuring a remote syslog server to send system log messages to. For details, see Configuring system logging.
  • When you want to create a backup or archive policy on SPS instances that are nodes in a cluster, you can choose to include the node ID in the path to the relevant directory name to prevent cluster nodes from backing up data to the same location, and so overwriting each other's data. For details, see Data and configuration backups and Archiving and cleanup.
  • It is now possible to promote a node to become the Central Management node of a cluster and to add nodes to a cluster using the web interface of One Identity Safeguard for Privileged Sessions. For details, see Building a cluster.
  • When you have uploaded a configuration synchronization plugin, it is now possible to enable the plugin through the web interface of One Identity Safeguard for Privileged Sessions. For details, see Using a configuration synchronization plugin
  • SPS now provides information about the status of configuration synchronization. For details, see Monitoring the status of nodes in your cluster.
  • The script used for exporting and importing the configuration of One Identity Safeguard for Privileged Sessions through the console has been updated. For details, see Exporting and importing the configuration of SPS using the console
  • It is now possible to turn any search query or statistics into a subchapter that can be included in reports. You can define reports about the monitored traffic in a more flexible and easy-to-use way than was possible before. For details, see Creating report subchapters from search queries.
  • When you have a cluster of nodes set up, you can now search all session data recorded by all nodes in the cluster on a single node. For details, see Searching session data on a central node in a cluster.

  • When setting up log ingestion, you can now choose to resolve server and client names in the incoming log messages to IP addresses. For details, see Ingesting logs with SPS. In addition, you can also view the logs of the log adapter plugin(s) and syslog instance(s) configured for log ingestion. For details, see Viewing logs on SPS.
  • The RPC API is deprecated as of version 5 F7 of SPS and will be removed in an upcoming feature release. For detail, see The SPS RPC API.

Changes in documentation:
Version 5 F5 - 5 F6
Changes in product:
  • When you have a set of two or more One Identity Safeguard for Privileged Sessions instances in your deployment, you now have the possibility to join them into a cluster, and manage them from one central location. You can monitor their status and update their configuration centrally. For details, see Managing Safeguard for Privileged Sessions clusters.

  • In the Search interface, it is now possible to use the flow view for a quick visualization of the session activities. For details, see Using the Search interface.

  • It is now possible to specify an accuracy level for Optical Character Recognition (OCR). For details, see Configuring the internal indexer.

Version 5 F4 - 5 F5
Changes in product:
  • It is now possible to specify the base DN of LDAP subtrees for users and for groups separately. Specifying a sufficiently narrow base for the LDAP subtrees can speed up LDAP operations. For details, see Managing SPS users from an LDAP database and Authenticating users to an LDAP server.

  • You now have the option to configure connection policies with near real-time indexing priority, meaning that you can start indexing sessions while they are still ongoing. This requires that you configure your indexers with the appropriate settings and capabilities. For details, see Configuring the internal indexer and Configuring the external indexer.

  • It is now possible to use a hardware security module (HSM) or a smart card to store the decryption keys required for decrypting audit trails when using an external indexer. For details, see Indexing audit trails.

  • In the Search interface, it is now possible to display statistics, analyze data using Privileged Account Analytics, and use the timeline for a quick time range selection. For details, see Using the Search interface.

  • The documentation of the obsolete Audit Player application has been removed from the document. For the documentation of the Safeguard Desktop Player application, see Safeguard Desktop Player User Guide.

Version 5 F3 - 5 F4
Changes in product:
Changes in documentation:
Version 5 F2 - 5 F3
Changes in product:
  • SPS's RESTful API has been enhanced with the following new functionalities:

  • In order to better integrate PSM with Privileged Account Analytics, some architectural changes have been introduced. For more information, see REST API Reference Guide.

  • Enabling TLS-encryption in an RDP connection policy has been simplified. When the connection is encrypted, SPS has to show a certificate to the peer. You can define the type of certificate to show to the peers. For details, see Enabling TLS-encryption for RDP connections.

  • You can now configure the required minimum version of the default web listener. The default setting is TLS 1.2. For details, see Configuring user and administrator login addresses.

  • You can now select the depth of indexing: lightweight and full indexing. Lightweight indexing is now enabled by default, you only have to configure it if you want full indexing. Lightweight indexing is faster than full indexing, and indexes only Command and Window title events. It does not index any other screen content (for example, text that is displayed in a terminal or that appears in an RDP window). For details, see Configuring the internal indexer.

  • RDP 4 and RDP 5 have been removed from Creating and editing protocol-level RDP settings.

  • The Audit Player application can now replay audit trails that contain graphical X11 sessions (the contents of the X11 Forward channel of the SSH protocol). For further details, see .

  • Plugin configuration files in debug bundle: When creating debug bundles for troubleshooting purposes, PSM now includes the configuration files of any plugins installed. For details, see "Collecting logs and system information for error reporting" in the Administration Guide.

Changes in documentation:
Version 5 F1 - 5 F2
Changes in product:
  • It is now possible to set the Maximum Transmission Unit (MTU) per VLAN interface. For more information, see Basic settings and Managing logical interfaces.

  • In addition to displaying upgrade logs and boot messages on the local console, SPS now shows information about the upgrade and reboot processes on the web interface, too. For details, see Managing SPS and Managing SPS.

  • You can now configure Certificate Revocation Lists (CRLs) to be included in certificates. For further details, see Signing certificates on-the-fly.

Changes in documentation:
Version 5 LTS - 5 F1
Changes in product:

Was this topic helpful?

[Select Rating]



Feedback

Any feedback is greatly appreciated, especially on what else this document should cover. General comments, errors found in the text, and any suggestions about how to improve the documentation is welcome at documentation@balabit.com.


Was this topic helpful?

[Select Rating]



Introduction

This chapter introduces the One Identity Safeguard for Privileged Sessions (SPS) in a non-technical manner, discussing how and why is it useful, and what additional security it offers to an existing IT infrastructure.

The major benefits of SPS

One Identity Safeguard for Privileged Sessions (SPS) is part of the One Identity Safeguard solution, which in turn is part of One Identity's Privileged Access Management portfolio. Addressing large enterprise needs, SPS is a privileged session management solution which provides industry-leading access control, session recording and auditing to prevent privileged account misuse and accelerate forensics investigations.

SPS is a quickly deployable enterprise device, completely independent from clients and servers - integrating seamlessly into existing networks. It captures the activity data necessary for user profiling and enables full user session drill down for forensic investigations.

SPS has full control over the SSH, RDP, Telnet, TN3270, TN5250, Citrix ICA, and VNC connections, giving a framework (with solid boundaries) for the work of the administrators. The most notable features of SPS are the following:

CENTRAL POLICY ENFORCEMENT

SPS acts as a centralized authentication and access-control point in your IT environment which protects against privileged identity theft and malicious insiders. The granular access management helps you to control who can access what and when on your critical IT assets.

PREVENTION OF MALICIOUS ACTIVITIES

SPS monitors privileged user sessions in real-time and detects policy violations as they occur. In case of detecting a suspicious user activity (for example entering a destructive command, such as the "rm"), SPS can send you an alert or immediately terminate the connection.

GREATER ACCOUNTABILITY (DETERRANCE)

SPS audits "who did what", for example on your database- or SAP servers. Aware of this, your employees will do their work with a greater sense of responsibility leading to a reduction in human errors. By having an easily interpreted, tamper-proof record in encrypted, timestamped, and digitally signed audit trails, finger-pointing issues can be eliminated.

FASTER, COST-EFFECTIVE COMPLIANCE AUDITS

SPS makes all user activity traceable by recording them in high quality, tamper-proof and easily searchable audit trails. All data is stored in encrypted, timestamped and signed files, preventing any modification or manipulation. The movie-like audit trails ensure that all the necessary information is accessible for ad-hoc analyses or audit reports.

LOWER TROUBLESHOOTING & FORENSICS COSTS

When something wrong happens, everybody wants to know the real story. Analyzing thousands of text-based logs can be a nightmare and may require the participation of external experts. The ability to easily reconstruct user sessions allows you to shorten investigation time and avoid unexpected cost.

Application areas
Fastest return to value and extremely low TCO

SPS is a turnkey network appliance - its implementation and configuration is fast and simple. Compared to competitors, there is no need to purchase and install any additional software (for example, Windows or MS SQL servers) or hardware to have SPS fully functioning. Full implementation typically takes only 3-5 days! No need for long and costly professional services for implementation and customization. After deployment, SPS operates in the background like a black box of an airplane - there is no need for any extra workload to operate it.

Independent, agentless device

Compared to agent-based solutions, there is no need for installing and updating agents on clients or servers, eliminating unnecessary maintenance and potential security issues. As a host independent gateway, SPS can control and monitor access to any type of systems incl. all Windows/UNIX/Linux servers, mainframes, network devices, security devices, web-based applications or thin client environments, such as VMware Horizon View (formerly known as VMware View), Citrix Virtual Apps (formerly known as Citrix XenApp) or Citrix Virtual Desktops (formerly known as Citrix XenDesktop).

Transparent, “router-like” operation

As a proxy gateway, SPS can operate as a router in the network – invisible to the user and to the server. As a transparent solution, SPS requires minimal changes to the existing network. Also, since it operates on the network level, users can keep using the client applications they are familiar with, and do not have to change their work processes, unlike jump host solutions.

Granular access control

Since SPS has full access to the inspected traffic, security managers can granularly control who can access what and when on the servers. For example, they can selectively permit or deny access to protocol channels: enable terminal sessions in SSH, but disable port-forwarding and file transfers, or enable desktop access for RDP, but disable file sharing. In addition, SPS supports real-time shadowing allowing an authorizer to follow the administrator's session in real-time and terminate his/her connection in case of detecting a policy violation.

Real-time prevention of malicious activities

SPS can monitor transferred content in real time and can send alerts or even block connections if a certain pattern is detected in the traffic. Predefined patterns can be a risky command in a text-oriented protocol or a suspicious application in a graphical connection. This command and application level policy can prevent malicious user activities as they happen instead of just recording or reporting them.

Industry-leading session recording and auditing

SPS is the leading session auditing solution on the market offering Optical Character Recognition (OCR) capabilities to log ALL data about privileged actions in graphical user interfaces as well as text-based protocols. SPS can support and audit file transfers, as well. All data is recorded into searchable movie-like audit trails, making it easy to find relevant information in forensics or troubleshooting situations. In case of any problems (server misconfiguration, database manipulation, unexpected shutdown), the circumstances of the event are readily available in the audit trails, thus the cause of the incident can be easily identified. Auditors can do free-text searches in the content of text-based and graphical sessions. They can search for EVERY events (for example, mouse clicks, pressing Enter) and texts seen by the user. To protect the sensitive information included in the communication, the two directions of the traffic (client-server and server-client) can be separated and encrypted with different keys, thus sensitive information like passwords are displayed only when necessary.


Was this topic helpful?

[Select Rating]



Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents

Please note our Privacy Policy recently changed to support GDPR. You may read it here. Continuing to use our website indicates you have accepted the new policy.