One Identity Safeguard for Privileged Sessions 6.12.0
16 February 2022, 13:58
These release notes provide information about the One Identity Safeguard for Privileged Sessions release. For the most recent documents and product information, see One Identity Safeguard for Privileged Sessions - Technical Documentation.
NOTE: CVE-2021-44228, also named Log4Shell, is a Remote Code Execution (RCE) class vulnerability. The Apache Log4j library has been updated to version 2.17.1; therefore, SPS is protected against CVE-2021-44228 and against the following related vulnerabilities:
One Identity Safeguard for Privileged Sessions Version 6.12.0 is a release with new features and resolved issues. For details, see:
NOTE: For a full list of key features in One Identity Safeguard for Privileged Sessions, see Administration Guide.
The One Identity Safeguard Appliance is built specifically for use only with the Safeguard privileged management software, which is pre-installed and ready for immediate use. The appliance is hardened to ensure the system is secured at the hardware, operating system and software levels. The hardened appliance approach protects the privileged management software from attacks while simplifying deployment and ongoing management -- and shortening the timeframe to value.
Safeguard privileged management software suite
Safeguard privileged management software is used to control, monitor, and govern privileged user accounts and activities to identify possible malicious activities, detect entitlement risks, and provide tamper proof evidence. The Safeguard products also aid incident investigation, forensics work, and compliance efforts.
The Safeguard products' unique strengths are:
- One-stop solution for all privileged access management needs
- Easy to deploy and integrate
- Unparalleled depth of recording
- Comprehensive risk analysis of entitlements and activities
- Thorough governance for privileged accounts
The suite includes the following modules:
- One Identity Safeguard for Privileged Passwords automates, controls and secures the process of granting privileged credentials with role-based access management and automated workflows. Deployed on a hardened appliance, Safeguard for Privileged Passwords eliminates concerns about secured access to the solution itself, which helps to speed integration with your systems and IT strategies. Plus, its user-centered design means a small learning curve and the ability to manage passwords from anywhere and using nearly any device. The result is a solution that secures your enterprise and enables your privileged users with a new level of freedom and functionality.
- One Identity Safeguard for Privileged Sessions is part of One Identity's Privileged Access Management portfolio. Addressing large enterprise needs, Safeguard for Privileged Sessions is a privileged session management solution, which provides industry-leading access control, as well as session monitoring and recording to prevent privileged account misuse, facilitate compliance, and accelerate forensics investigations.
Safeguard for Privileged Sessions is a quickly deployable enterprise appliance, completely independent from clients and servers - integrating seamlessly into existing networks. It captures the activity data necessary for user profiling and enables full user session drill-down for forensics investigations.
- One Identity Safeguard for Privileged Analytics integrates data from Safeguard for Privileged Sessions to use as the basis of privileged user behavior analysis. Safeguard for Privileged Analytics uses machine learning algorithms to scrutinize behavioral characteristics and generates user behavior profiles for each individual privileged user. Safeguard for Privileged Analytics compares actual user activity to user profiles in real time and profiles are continually adjusted using machine learning. Safeguard for Privileged Analytics detects anomalies and ranks them based on risk so you can prioritize and take appropriate action - and ultimately prevent data breaches.
New features in One Identity Safeguard for Privileged Sessions (SPS) version 6.12.0:
Using the Export audio option of Safeguard Desktop Player, you can export the input sound (coming from the audited user) and the output sound (received by the audited user) into .wav files.
The SPS and Starling join procedure has been simplified: from SPS 6.12.0, you do not need to copy the credential string that allows SPS to communicate with Starling. Navigate to Basic settings > Starling integration > Joining SPS to One Identity Starling.
As a part of the backup and restore procedure, the PAA database is saved to the db directory of the system backup. The PAA database stores the user baselines, which are processed by the analytics function. Depending on the size of the PAA database, the backup size may increase significantly.
Before SPS 6.12.0, when the LDAP, RADIUS or X.509 authentication method was configured, the admin user was always authenticated locally. No other users could log in with their local credentials.
Starting from SPS 6.12.0, you can configure multiple databases for login, so it becomes necessary to select the correct database that will be used for authentication. To log in as the local admin user while the appliance is configured to use a different method, you need to click the local login link on the login screen.
As a consequence of this change, all other local users can be authenticated using the local login link, not just the admin user. To prevent unauthorized access, if the appliance is configured to use a login method that is different from local, the passwords of all non-admin local users are reset during the upgrade.
After the upgrade, if you want to re-enable login for the locked-out non-admin local users, you can set a new password for them. As the local login is always active, the admin fallback option for the X.509 login is deprecated.
You can create and customize HTTP error templates to send users customized HTTP error messages. Besides the error messages that you can customize, you can set a name, color, and optionally a logo for the error page. Navigate to HTTP-specific settings > Customizing HTTP error templates.
From SPS 6.12.0, you can use Starling in an EU datacenter as well. To use Starling with SPS, you need a Starling organization and account within a United States or a European Union data center. Note that if you want to use Starling 2FA, you must use a United States data center (European Union data center is not yet supported). Navigate to Basic Settings > Starling Integration.
On the SPS UI, the following options have been moved from Basic Settings to Users & Access Control > Settings:
The login settings have been moved from Basic Settings > Users & Access Control > Settings to Basic Settings > Users & Access Control > Login Options. Under Login Options, the available login methods correspond to the respective authentication method:
RDP RemoteApp credential injection using the RemoteApp Launcher
The RemoteApp Launcher gives users the access they need to an application without revealing credentials and passwords. By using the RemoteApp Launcher, you can protect shared credentials and limit an end user's access to an allowed or required application.
SPS offers context-sensitive help, which is used to display information about the user interface relative to the task a user performs.
SPS implements different levels of context sensitivity.
When screen-level help is available, SPS opens the help topic for that screen. Instead of having the user browse through the help system to find the right topic, SPS can quickly and directly display the topic that corresponds to the screen.
To open a screen-level help, click I need help, when available.
When available, field-level help provides help text detailing the purpose and function of a field.
The following is an example of field-level help: clicking How should I choose? opens the help with more details about making the relevant destination settings.
Figure 1: Quick Connection Setup — Example of a field-level help
The SPP fetcher role is no longer an experimental feature.
You can display a banner with a configurable text on the web and console login screen of SPS. Navigate to Users & Access Control > Settings > Authentication banner.
Changes and improvements in SPS REST API Reference Guide version 6.12.0
- You can use templates to configure custom HTTP error pages.
- You can list basic information about One Identity Starling products that are integrated with SPS.
- You can test and upgrade SPS firmware.
- You can configure multiple login methods for SPS.