Preface
Welcome to the One Identity Safeguard for Privileged Sessions 6.7 Administrator Guide.
This document describes how to configure and manage the One Identity Safeguard for Privileged Sessions (SPS). Background information for the technology and concepts used by the product is also discussed.
Summary of changes
Version 6.6 - 6.7
Changes in product:
-
Algorithm settings in SPS have been extended with the host key algorithm to comply with current security standards.
For more information, see Host key algorithms.
-
From the PDF output of reports, you can now quickly access each session on the Search interface.
For more information, see Report output.
-
In card view, you can add additional search fields to the Search interface. This allows quick visualization of your preferred fields from the main page of the Search interface for each session.
For more information, see Adding custom fields to the card view.
-
During boot, SPS performs an integrity check and displays if a firmware is tainted or corrupted.
For more information, see The structure of the web interface.
-
You can now check and report if there were indexed audit trails where the Optical Character Recognition (OCR) engine failed.
For more information, see Monitoring the status of the indexer services.
-
From the Search interface, you can now view session details for data recorded by SPP.
For more information, see Viewing session details for data recorded by SPP.
-
You can now view encrypted screenshots in the Search interface by uploading the necessary encryption keys to your keystore. SPS does not store your encryption keys but your keys are now stored in your browser.
For more information, see Viewing encrypted screenshots.
-
During agent-forwarding, the Ed25519 and ECDSA user keys are also accepted.
For more information, see Relayed authentication methods.
-
During an SSH session, a key exchange is now done regularly and automatically.
For more information, see Supported encryption algorithms.
-
The Splunk forwarder is deprecated as of Safeguard for Privileged Sessions(SPS) 6.7 and will be removed in an upcoming release. One Identity recommends using the universal SIEM forwarder instead.
For more information, see Using the universal SIEM forwarder.
-
In RDP, do not use the @ character as an inband data separator but use alternative characters, for example, the % character.
-
When you configure the location of the LDAP server, that is, the IP address or hostname and the port number, you can now use a Service record (SRV record), which is a type of information record in the DNS that maps the name of a service to the DNS name of the server.
For more information, see Authenticating users to an LDAP server.
-
The restore process has been clarified as you cannot restore from an older release to a newer release. Also, you must ensure that you have enough free space to restore.
For more information, see Restoring One Identity Safeguard for Privileged Sessions (SPS) configuration and data.
Version 6.5 - 6.6
Changes in product:
-
SPS now supports the ECDSA 256 (ecdsa-sha2-nistp256) SSH host key, which is a variant of the Digital Signature Algorithm (DSA).
For more information, see Setting the SSH host keys of the connection.
-
You can now easily query the available server-side host keys or create a new one.
For more information, see Server host keys and Manually adding the host key of a server.
-
The Basic Settings > Plugins page has been renewed, and now contains more detailed information about the plugins.
You can now also verify the integrity of the plugins that you have uploaded.
For more information, see Using plugins.
-
Audit data access rules allow you to restrict users to access audit data only for sessions for which they are granted permission. When creating a new rule, you can now use a preview to ensure that the search query returns relevant results.
For more information, see Creating rules for restricting access to search audit data.
-
You can now click each alert and event on the Search interface to view a corresponding screenshot.
For more information, see Viewing session details.
-
MSSQL query and server responses are now indexed and can be searched using the Search interface. You can download the relevant audit trail, open using the Safeguard Desktop Player, and export as CSV or PCAP format.
Version 6.4 - 6.5
Changes in product:
-
You can now restrict users to access audit data only for sessions for which they are granted permission.
For more information, see Creating rules for restricting access to search audit data.
-
The following menu items have been renamed. Note that there is no functionality change.
Old name New name AAA Users & Access Control Group Management Local User Groups Access Control Appliance Access Permission Query Access Rights Report Accounting
Configuration History
Permissions settings for user groups under <Protocol name> Control > Connections > Access Control > Permission have also been renamed from Search&Authorize to Follow&Authorize and Search to Follow.
-
The User idle timeout option has been added to ICA, RDP, SSH, Telnet and VNC Control > Settings. If no user activity is detected, it terminates the session after the configured time has passed since the last user activity.
-
A new, experimental SPP fetcher role has been added to the Cluster management roles. It fetches the workflow from SPP. The fetched data can be viewed on the Search interface.
Caution: This is an EXPERIMENTAL feature. It is documented, but the performance impact on production systems has not been determined yet. Therefore this feature is not yet covered by support. However, you are welcome to try it (preferably in non-production systems) and if you have any feedback, send it to feedback-sps@oneidentity.com.
For more information, see Cluster roles
-
NOT FETCHED has been added as a new status to Basic Settings > Cluster management > Cluster management status.
For more information, see Monitoring the status of nodes in your cluster
-
Starting from SPS versions 6.0.4 and 6.5.0, certificates with SHA1-based signatures are no longer trusted for Active Directory or LDAP authentication.
For more information, see Managing One Identity Safeguard for Privileged Sessions (SPS) users from an LDAP database
-
The RDP login screen now allows you to paste text-based clipboard contents. It also provides a warning if Caps Lock is on.
For more information, see Usernames in RDP connections.
-
SPS now checks if the Certificate Revocation List (CRL) has expired and that the CRL has been signed by the same Certificate Authority (CA).
For more information, see Verifying certificates with Certificate Authorities.
Version 6.3 - 6.4
Changes in product:
-
One Identity Safeguard for Privileged Sessions (SPS) now supports the MSSQL protocol.
For more information, see MSSQL-specific settings.
-
The value range of Disconnect clients when disks are: x percent used field in Basic Settings > Management > Disk space fill up prevention is now limited to 50-98 percent.
For more information, see Preventing disk space fill-up.
-
After the release of SPS version 6.4, installation packages of the external indexer application can only be downloaded from the SPS web interface.
-
Unicode characters for password encrypted private keys are now supported.
For more information, see Replaying encrypted audit trails in your browser.
-
The Asian language package is included in the basic license.
-
The SPS user interface has changed. The change includes the main menu, user menu, and about page.
For more information, see The structure of the web interface.
-
When verifying certificates with Certificate Authorities, DER format Certificate Revocation Lists are now accepted too, in addition to PEM format CRLs.
-
SPS now supports the Ed25519 SSH host key.
For more information, see SSH host keys.
Version 6.2 - 6.3
Changes in product:
-
Configuring the internal indexer has been updated.
For more information, see Configuring the internal indexer.
-
CEF messages, JSON messages and JSON_CIM messages have been updated.
For more information, see CEF messages, JSON messages, JSON_CIM messages.
Changes in documentation:
-
The Virtual disk resize section has been simplified in the Installation Guide.
For more information, see "Modifying the disk size of a SPS virtual appliance" in the Installation Guide.
Version 6.1 - 6.2
Changes in product:
-
If you do not specify the username or the address in nontransparent SSH and Telnet connections, One Identity Safeguard for Privileged Sessions (SPS) displays an interactive prompt where you can enter the username and the server address.
-
Kerberos-based authentication in SSH sessions has been improved.
For more information, see Kerberos authentication settings.
-
Transferring files between the target server and the client host using the Clipboard can now be audited. The transferred files can be extracted from the audit trail using a command-line tool.
For more information, see "Export files from an audit trail after RDP file transfer through clipboard or disk redirection" in the Safeguard Desktop Player User Guide.
Changes in documentation:
-
Section Using SPS with SPP has been restructured and extended with information about sessions-initiated workflows.
For more information, see Using SPS with SPP.
-
Section Collecting logs and system information of the boot process for error reporting has been added to the document.
For more information, see Collecting logs and system information of the boot process for error reporting.
Version 6.0 - 6.1
Changes in product:
-
Trend analysis allows you to use the timeline to find changes over time.
For more information, see Specifying time ranges.
-
The Search interface has been extended with the Basic view, which allows you to select the filters that you need from the appropriate columns.
For more information, see Using search filters.
-
Creating a new authentication policy on SSH has been simplified.
For more information, see Creating a new authentication policy.
-
The WebSocket channel is now supported.
For more information, see Supported HTTP channel types.
Changes in documentation:
-
The document has been updated with information about how you can configure your SPS cluster to enable Configuration synchronization without a central search or Central search with configuration synchronization.
For more information, see Managing a cluster with configuration synchronization without central search and Managing a cluster with central search configuration and configuration synchronization.
-
Added information about joining your One Identity Safeguard for Privileged Passwords (SPP) deployment to your One Identity Safeguard for Privileged Sessions (SPS) deployment.
For more information, see Using SPS with SPP.
Introduction
This section introduces One Identity Safeguard for Privileged Sessions (SPS) in a non-technical manner, discussing how and why is it useful, and what additional security it offers to an existing IT infrastructure.
Topics:
The major benefits of One Identity Safeguard for Privileged Sessions (SPS)
One Identity Safeguard for Privileged Sessions (SPS) is part of the One Identity Safeguard solution, which in turn is part of One Identity's Privileged Access Management portfolio. Addressing large enterprise needs, SPS is a privileged session management solution which provides industry-leading access control, session recording and auditing to prevent privileged account misuse and accelerate forensics investigations.
SPS is a quickly deployable enterprise device, completely independent from clients and servers - integrating seamlessly into existing networks. It captures the activity data necessary for user profiling and enables full user session drill down for forensic investigations.
SPS has full control over the SSH, RDP, Telnet, TN3270, TN5250, Citrix ICA, and VNC connections, giving a framework (with solid boundaries) for the work of the administrators. The most notable features of SPS are the following:
Central policy enforcement
SPS acts as a centralized authentication and access-control point in your IT environment which protects against privileged identity theft and malicious insiders. The granular access management helps you to control who can access what and when on your critical IT assets.
Prevention of malicious activities
SPS monitors privileged user sessions in real-time and detects policy violations as they occur. In case of detecting a suspicious user activity (for example entering a destructive command, such as the "rm"), SPS can send you an alert or immediately terminate the connection.
Greater accountability (deterrance)
SPS audits "who did what", for example on your database- or SAP servers. Aware of this, your employees will do their work with a greater sense of responsibility leading to a reduction in human errors. By having an easily interpreted, tamper-proof record in encrypted, timestamped, and digitally signed audit trails, finger-pointing issues can be eliminated.
Faster, cost-effective compliance audits
SPS makes all user activity traceable by recording them in high quality, tamper-proof and easily searchable audit trails. All data is stored in encrypted, timestamped and signed files, preventing any modification or manipulation. The movie-like audit trails ensure that all the necessary information is accessible for ad-hoc analyses or audit reports.
Lower troubleshooting and forensics costs
When something wrong happens, everybody wants to know the real story. Analyzing thousands of text-based logs can be a nightmare and may require the participation of external experts. The ability to easily reconstruct user sessions allows you to shorten investigation time and avoid unexpected cost.