PowerBroker Password Safe Version 6.6: New and Updated Features

BeyondTrust PowerBroker Password Safe automates privileged password and privileged session management, providing secure access control, auditing, alerting and recording for any privileged account: from local or domain shared administrator accounts, to a user's personal admin account, to service, operating system, network device, database (A2DB) and application (A2A) accounts, and even SSH keys, cloud and social media accounts. By improving the accountability and control over privileged access, IT organizations can reduce security risks and achieve compliance objectives.

With Password Safe, customers can:
- Secure and control privileged passwords to close critical security gaps and reduce risk
- Monitor, audit and report on activity to achieve compliance requirements
- Automate password request and approval processes to simplify administration and improve security
- Gain greater insight into their security environments through integration with the BeyondInsight IT Risk Management platform

PowerBroker Password Safe version 6.6 improves on key features and capabilities in session management, adaptive workflow and password management, with unmatched levels of security, scalability and control.

BeyondTrust
info@beyondtrust.com
www.beyondtrust.com
New Features

Secure Password Update Proxy for Unix and Linux

BeyondTrust PowerBroker Password Safe, in conjunction with PowerBroker for Unix & Linux, now offers the capability to change passwords on Unix and Linux hosts without the need for a functional account on each host. Leveraging remote command execution, PowerBroker for Unix & Linux will change managed account passwords on any remote system under its control. Setup is simple: use the system elevation feature to point all requests to the Password Update Proxy (pbrun jumphost). Policy rules in PowerBroker for Unix & Linux allow password updates to be securely passed to managed end points.
Custom Attributes for Managed Accounts

Custom attributes have long been available for Assets. In PowerBroker Password Safe v6.6, you can apply custom attributes to managed accounts as well. Custom attributes can be set from Smart Rules or via the API; once applied, they can be used as a filter for Smart Groups, allowing unordered lists of managed accounts to be created. Rather than create completely different attributes, we have made the custom attributes for assets generic so that they can also be applied to managed accounts. This means that accounts can be filtered on an attribute, or have one set, via a Smart Rule.

Protect Passwords with Copy to Clipboard

Rather than display passwords by default, Password Safe now obfuscates the password and, by default, lets users copy it to the clipboard. This protects against screen-scraping malware capturing passwords and adds a layer of security by passing the password directly to the paste buffer, so the password is never displayed on the screen. The password can still be revealed for cases where pasting credentials is not supported.
Other Enhancements

General
- Replay sessions from any node
- Managed Account Password Test via PBW Agent
- Enable SYSDBA privilege for an Oracle Functional Account
- Password Safe user portal: additional language support for German, French (Canada) and French (France)
- Added keystroke recording performance improvements
- Added "LANG=en_US;" to custom platforms
- Added "Set Attributes on each account" Smart Rule action for Managed Accounts
- Added "Attribute Assigned" Smart Rule filter for Managed Accounts
- Changed the Session Monitoring window position to no longer default to the center of the screen
- Added Active Directory Functional Account Test improvements using UPN account names
- Post-release password change processing improvements
- Removed the Change Password feature for PBPS web portal local users
- Improved auditing for changes to Managed Systems, Managed Accounts and Password Complexity rules
- Added support for Managed Account password test via the PBW Agent
- Added login security improvements
- Added a new configuration landing page with search capability
- Added the ability to select an organization in the user profile section for multiple-organization installations
- Added Asset Grid improvements
- Added Support Package creation improvements
- Added Asset Purge improvements
- Added the ability to clone directory queries
- Added the ability to sort directory queries
- Added a catch-all Smart Group for assets not belonging to any other Smart Group
- Added the ability for multiple organizations to use one scanner
- Added the ability to export groups to SailPoint
- Added UI improvements to the User Groups
- Added UI improvements to the credentials screen
- Added the ability to disable AD/LDAP/Local BI user login per user
- Added the ability to scan multiple Oracle databases using a single Oracle credential
- Added auditing for login/logout events and changes to security settings for local users
- Added auditing for adding new AD users
- Added RADIUS login improvements
- Added support for RADIUS auto-failover
- Replaced Asset Kind with Asset Type in the Smart Rule Asset Attribute

Analytics & Reporting
- Added the ability to save scheduled reports to a network share
- Added Entitlement by User report
- Added the Database User Report
- Added Last Login Date column to Asset User Account List
- Added data and performance improvements to PowerBroker Password Safe reports
- Added PowerBroker Password Safe user cluster data
API Enhancements

New APIs for Session Control & Quarantine

User Quarantine
Quarantined users cannot sign in to the API, and newly quarantined users will have any existing sessions terminated within a configurable time limit.
- POST Users/{id}/Quarantine - Quarantines the user referenced by ID.
- All /Users/ response bodies now include the property IsQuarantined:bool.

Session Control
- POST ManagedAccounts/{managedAccountID}/Sessions/Lock - Lock all active sessions by Managed Account ID.
- POST ManagedSystems/{managedSystemID}/Sessions/Lock - Lock all active sessions by Managed System ID.
- POST Sessions/{sessionID}/Terminate - Terminate an active session.
- POST ManagedAccounts/{managedAccountID}/Sessions/Terminate - Terminate all active sessions by Managed Account ID.
- POST ManagedSystems/{managedSystemID}/Sessions/Terminate - Terminate all active sessions by Managed System ID.

Request Control
- POST ManagedAccounts/{managedAccountID}/Requests/Terminate - Terminate all active requests by Managed Account ID.
- POST ManagedSystems/{managedSystemID}/Requests/Terminate - Terminate all active requests by Managed System ID.
- POST Users/{userID}/Requests/Terminate - Terminate all active requests by requestor User ID.

New APIs
- POST SmartRules/{id}/Process - Immediately process a Smart Rule by ID.
- POST ManagedSystems/{systemId}/ManagedAccounts/Credentials/Change - Queue credential changes for all active Managed Accounts of a Managed System.

API Enhancements

SSH Key Enforcement Mode support
The response body now contains the enforcement mode for SSH host keys, SshKeyEnforcementMode:
  o 0 - None
  o 1 - Auto (auto-accept initial key)
  o 2 - Strict (manually accept keys)
Affected endpoints: GET ManagedSystems, GET ManagedSystems/{id}, GET Assets/{assetId}/ManagedSystems, GET FunctionalAccounts/{id}/ManagedSystems, POST Assets/{assetId}/ManagedSystems

Ticket System support
- GET TicketSystems - Returns a list of ticket systems.
- POST Requests, POST Aliases/{id}/Requests, POST RequestSets - new request body properties:
  o TicketSystemID - ID of the ticket system. If omitted, the default ticket system is used.
  o TicketNumber - Number of the associated ticket. May be required if the ticket system is marked as required in the global options.
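A containment sequence chained from the quarantine, session-control and request-control endpoints listed above, as an added example that is not BeyondTrust code: it quarantines a user, cancels their pending requests, then locks and terminates sessions on the managed systems they could reach. The API root, the authentication headers and the accepted success status codes are assumptions the page does not state; the HTTP transport is injected so the sequence can be exercised offline.

```python
import json
import urllib.request
from typing import Callable, Dict, List, Tuple

# A sender performs one HTTP call and returns (status, parsed JSON body or {}).
# Injecting it keeps the sequence testable offline and separates it from authentication,
# which this page does not describe (assumption: the caller supplies the right headers).
Sender = Callable[[str, str, dict], Tuple[int, dict]]

def make_urllib_sender(base_url: str, headers: Dict[str, str]) -> Sender:
    """Real transport; base_url is the deployment's API root (a placeholder, not from the page)."""
    def send(method: str, endpoint: str, body: dict) -> Tuple[int, dict]:
        req = urllib.request.Request(base_url.rstrip("/") + "/" + endpoint,
                                     data=json.dumps(body).encode(), method=method,
                                     headers={**headers, "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    return send

def recording_sender(log: List[Tuple[str, str]]) -> Sender:
    """Constructed offline stand-in: records each call and answers HTTP 200."""
    def send(method: str, endpoint: str, body: dict) -> Tuple[int, dict]:
        log.append((method, endpoint))
        return 200, {}
    return send

def contain_compromised_user(send: Sender, user_id: int, system_ids: List[int]) -> List[str]:
    """Quarantine a user, cancel their pending requests, then lock and terminate live
    sessions (and pending requests) on every managed system they could reach.
    Returns the ordered endpoints called, which doubles as an audit record."""
    steps = [f"Users/{user_id}/Quarantine",           # blocks API sign-in immediately
             f"Users/{user_id}/Requests/Terminate"]   # cancels checkouts in flight
    for sid in system_ids:
        steps += [f"ManagedSystems/{sid}/Sessions/Lock",       # freeze sessions first
                  f"ManagedSystems/{sid}/Sessions/Terminate",  # then end them
                  f"ManagedSystems/{sid}/Requests/Terminate"]
    done: List[str] = []
    for endpoint in steps:
        status, _ = send("POST", endpoint, {})
        if status not in (200, 204):  # accepted success codes are an assumption
            raise RuntimeError(f"{endpoint} failed with HTTP {status}")
        done.append(endpoint)
    return done

if __name__ == "__main__":
    calls: List[Tuple[str, str]] = []
    print(contain_compromised_user(recording_sender(calls), 42, [7, 9]))
```

Because the sequence stops at the first non-success response, a partial run leaves the user quarantined but some systems untouched, so the returned list should be logged and the remaining systems retried.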
- GET Sessions, GET Sessions/{id} - ManagedSystemID added to the response body.
- POST ManagedSystems/{systemID}/ManagedAccounts - new request body property: NextChangeDate (date format: YYYY-MM-DD), the UTC date on which the next scheduled password change will occur. If NextChangeDate + ChangeTime is in the past, the password change will occur at the nearest future ChangeTime.

Performance Improvements
Keystroke recording and managed session initialization:
- POST ManagedSystems/{id}/ManagedAccounts
- GET Sessions, GET Sessions/{id}

Other API Changes
- Deprecated GET Workgroups/{name} - superseded by new API: GET Workgroups?name={name}
- Deprecated GET Workgroups/{workgroupName}/Assets/{assetName} - superseded by new API: GET Workgroups/{workgroupName}/Assets?name={name}
- Deprecated DELETE Workgroups/{workgroupName}/Assets/{assetName} - superseded by new API: DELETE Workgroups/{workgroupName}/Assets?name={name}
- Deprecated GET Aliases/{name} - superseded by new API: GET Aliases?name={name}
- Deprecated PUT Workgroups/{workgroupName}/Assets/{assetName}/ManagedSystems/ManagedAccounts/{accountname}/credentials - superseded by new API: PUT Credentials?workgroupName={workgroupName}&assetName={assetName}&accountName={accountname}
- The IIS WebDAV module no longer interferes with API HTTP requests.
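An added helper, not part of the product or of this document, that validates the NextChangeDate format before it is placed in the POST ManagedSystems/{systemID}/ManagedAccounts body and works out when a rotation will actually run under the rule above, including the roll-forward case. The HH:MM form of ChangeTime and the treatment of a scheduled moment equal to the current one are assumptions.

```python
import re
from datetime import datetime, time, timedelta, timezone

DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")  # the format the API documents: YYYY-MM-DD

def validate_next_change_date(value: str) -> str:
    """Reject a malformed NextChangeDate before it goes into the request body."""
    if not DATE_RE.match(value):
        raise ValueError(f"NextChangeDate must be YYYY-MM-DD, got {value!r}")
    datetime.strptime(value, "%Y-%m-%d")  # also catches impossible dates such as 2017-02-30
    return value

def effective_change_time(next_change_date: str, change_time: str, now_utc: str) -> str:
    """Return, as ISO 8601 in UTC, when the rotation will actually happen.
    change_time is the account's ChangeTime as HH:MM (assumed form); now_utc is a naive
    ISO timestamp taken as UTC. Rule from the release notes: if NextChangeDate + ChangeTime
    is already in the past, the change runs at the nearest future ChangeTime instead."""
    now = datetime.fromisoformat(now_utc).replace(tzinfo=timezone.utc)
    hh, mm = (int(part) for part in change_time.split(":"))
    at = time(hh, mm)
    scheduled = datetime.combine(
        datetime.strptime(validate_next_change_date(next_change_date), "%Y-%m-%d").date(),
        at, tzinfo=timezone.utc)
    if scheduled > now:  # still ahead of us: honoured as requested
        return scheduled.isoformat()
    # Already passed (a moment equal to "now" is treated as past, an assumption): roll
    # forward to the next occurrence of ChangeTime, later today or, failing that, tomorrow.
    today_at = datetime.combine(now.date(), at, tzinfo=timezone.utc)
    if today_at <= now:
        today_at += timedelta(days=1)
    return today_at.isoformat()

if __name__ == "__main__":
    # Constructed inputs: a date that has already passed, checked at 10:00 UTC on 15 June 2017
    print(effective_change_time("2017-06-01", "02:00", "2017-06-15T10:00:00"))
```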
About BeyondTrust

BeyondTrust is a global security company that believes preventing data breaches requires the right visibility to enable control over internal and external risks. We give you the visibility to confidently reduce risks and the control to take proactive, informed action against data breach threats. And because threats can come from anywhere, we built a platform that unifies the most effective technologies for addressing both internal and external risk: Privileged Account Management and Vulnerability Management. Our solutions grow with your needs, making sure you maintain control no matter where your organization goes. BeyondTrust's security solutions are trusted by over 4,000 customers worldwide, including over half of the Fortune 100. To learn more about BeyondTrust, please visit www.beyondtrust.com.