Secret Server: 10.7.000059 Release Notes

December 9, 2019

Note: The system requirements last changed with version 10.7.000000. See Secret Server Release Notes 10.7.000000 for details.

Upgrade Notes

  • Fixed an issue with Legacy SAML. Customers are encouraged to migrate to Secret Server's updated SAML if still using the Legacy version.
  • This release launches a new web password filler. To update your web password filler extension, go to the extension download site for your browser and platform.
  • Customers with multi-node environments using Advanced Session Recording will need to update all ASR agents after your Secret Server upgrade to take advantage of the RabbitMQ failover updates in this release. We recommend doing so, but not doing so will not impact current functionality. See the "RMQ Failover" note below and the Secret Server Advanced Session-Recording Agent Installation KBA.
  • Users will be directed to the dashboard Overview tab for their first login after upgrading.

New Features

Data Retention

Secret Server now allows administrators to permanently delete audit records for tables that either contain Personal Identifiable Information (PII) or tables that can grow large in enterprise environments. To configure these settings admins need to add the permission "Administer Data Retention" to the user's role and then the user can navigate to Admin > Data Retention. Only users with the "Unlimited Administrator" permission can assign this new permission.

Manual Rolling Upgrades

A new "Manual Rolling Upgrade" feature is available when upgrading from Secret Server version 10.7.000059 or above. Using this process, customers using clustered web nodes with a load balancer can experience little-to-no downtime during the upgrade process, but this process requires manual steps by an admin with Web node and database access.

RMQ Failover

Updated Secret Server to support durable exchanges for RabbitMQ (RMQ). This allows clustered site connectors to failover without impacting Secret Server's processing. Distributed engines will auto-update after Secret Server's upgrade to also support durable exchanges through RMQ.

Note: Older Advanced Session Recording Agents (ASRA) can be used with this version of Secret Server but ASRAs will not benefit from this change to failover handling. To include failover capability for ASRA an updated agent must be deployed.

Technical Details: The ExchangeDeclare logic in MessageQueue client was altered to attempt to create durable exchanges with logging. A durable exchange is automatically re-created if RabbitMQ restarts for any reason. Non-durable exchanges disappear when RMQ goes down and can only be re-created by some external action. If the new logic detects that creating the durable queue failed, it will log an error and attempt to create a non-durable queue.

Note: The presence of legacy non-durable exchanges can prevent the automatic creation of durable exchanges. See RabbitMQ Durable Exchanges

Time-Based One-Time Passwords (TOTP)

Added a new feature where Secret Server can now generate time-based one-time passwords (TOTP) for web secrets. This allows users to implement TOTP on shared secrets. Configuring secrets for TOTP begins at the secret template level.

Truncated Log Data

Added the ability to truncate table logs for several types of data that log to the "Status Message" table. These messages can contribute to excessive log data and slow performance. The option to truncate each message type is called "Days to Keep Operational Logs" and is under the "Advanced" sections on the following list of configuration pages. Minimum message retention time is one day and the default is 30 days. The logs include:

  • AdminDiscovery.aspx (Admin > Discovery)
  • AdminSearchIndexer.aspx (Admin > Search Indexer)
  • ConfigurationActiveDirectory.aspx (Admin > Active Directory)
  • ConfigurationPasswordChanging.aspx (Admin > Remote Password Changing)
  • ConfigurationSshProxy.aspx (Admin > Proxying)
  • ConnectWiseConfiguration.aspx (Admin > Folder Sync) Setting only available when using the "Database" Folder Synchronization Method on this page.

Technical details: A background task was added that scans the status message table every 12 hours and checks the status messages against configured values for how long they should be retained. These configured values were added to applicable UI pages.

Web Browser Plugins

The Web browser plugins for Secret Server were rebuilt with a new look and feel and now have additional browser and site support. These new plugins are available for:

  • Google Chrome
  • Mozilla Firefox
  • Microsoft EdgeKeep Secret Name History
  • Opera

These features from the old browser plugins have been improved to allow more flexibility:

  • Create secrets
  • Select secret template
  • Generate complex password

Users can now authenticate to Secret Server directly from the Web plugin, including support for 2FA options, such as DUO. Log in via Secret Server is also available for users with single sign-on, SAML, or other multi-factor authentication mechanisms. Web plugins automatically identify manual entry of new credentials in a Web page and offer to save the credentials as a secret. There is also improved support for sites that use multi-page login mechanisms.

Enhancements

Advanced Session Recording

Added a new setting to disable keystroke data from advanced session recording metadata. The new setting is called "Default Keystroke Recording Configuration" and can be configured under Admin > Configuration > Session Recording > Configure Advanced Session Recording. Click Collection name to edit individual collection settings or agent settings. By default, advanced session recording keystrokes are enabled.

Remote Password Changing upon Regex-Defined Error

Added a new regex setting to automatically retry a remote password change (RPC) with a regenerated password if the original RPC failed due to a specific type of error.

Go to Admin > Remote Password Changing, click Advanced under the Configure Password Changers section. The new setting is Attempt Password Change with new password when error contains (regex). Edit it to provide the regex failure code that will trigger the automatic next password RPC.

Discovery

Added messaging for when computer or dependency scans do not run due to having no scanners configured for a discovery source.

Distributed Engine Offline Status

Updated the definition of distributed engines' offline status to be the configured heartbeat interval times three. For instance, if your heartbeat interval is configured at 5 minutes, the engine will report offline if Secret Server and the engine do not successfully communicate within a 15-minute time period. Engine online and offline states were also added to subscription actions to allow notification to admins when engine states change.

New User Interface

  • Redesigned the Admin landing space. Click Admin > "See All" to explore the new layout.

  • Redesigned Doublelock.

  • Added new "Recent Activity" section to the Home dashboard page to display recent activity at a glance.

  • Updated the Security Hardening tab in the Reports page.

  • Updated the IP Address Management pages under Admin.

  • Added custom logos. Added custom "full-sized" and "collapsed" logos for the new UI in Admin > Configuration under in the User Interface section.

  • Added dark mode theme option in the new UI. To change theme mode preferences, go to Account Settings > Color Mode. Options include Light Mode, Dark Mode, or Default (mode will update based on user's OS color mode settings).

  • Added a new setting to configure the inactivity time before the new UI goes into dark screen "sleep mode." To configure go to Admin > Configuration > User Experience > UI Inactivity Timeout.

  • Converted the Groups page to the new UI.

  • Updated error messaging in the new UI to display folder synchronization and deletion errors.

  • Updated the date picker to allow for future start dates and time selection without first adjusting the end date when requesting secret access. End dates are automatically adjusted to align with the start date +1 hour.

  • Updated grid downloads in the new UI to download according to new options. User options now include choices to download all data or specific rows of data, and specify date format. You can also choose time zone options of UTC, server time zones, or the local browser time zones.

    Note: for downloaded reports users' time zone options are limited to UTC or the server time zone.

  • Updated behavior of new UI so that clicking the "Select All" check box at the top of a secret grid selects all rows. Previously the check box selected only the items currently loaded on the page.

  • Added the "View Audit" button to the reports page of new UI.

  • Added the "Upgrade Available" banner to display in the new UI.

  • Added the ability to drag-and-drop child folders into the root folder. Folders will automatically re-order alphabetically in the left navigation pane.

    Note: This action is only allowed if users have the "Create root folder" permission and own folders that they are attempting to move.

  • Added folders to the "Shared With Me" page.

  • Added new inbox notifications including "getting started" notifications for new installs and administrator alerts when an instance is close to hitting licensing limits.

  • Added the ability to mark Inbox notifications as read or unread for most notification types.

  • Added the ability to browse by folder name using the URL format [SecretServerURL]/SecretServer/app/#/lookup?folderPath=[FolderName]. If multiple folders exist with the same name, this URL search schema only directs users to the first folder listed within the left navigation pane.

  • Updated Favorite star icons to remain in column view when the Name column is resized.

  • Expanded file-size allowance on file uploads. File uploads can now be up to 10 MB.

  • Grid results updated to auto-load 30 results instead of 15.

Licensing

A second distributed engine is now available, by default, for the local site.

Reports

  • Updated several reports to no longer show deleted secrets.
  • A new out-of-the-box report called "Secret Templates without an expiration field" was added to display any secret templates that have a password field but do not have an expiration field set.

Secret Template Import and Export

Updated secret template settings for importation and exportation to include:

  • Is Required?
  • Edit Requires
  • Hide on View
  • Secret template icon
  • Keep Secret Name History
  • Validate Password Requirements on Create/Edit
  • Field Slug Name
  • Type Description
  • One Time Password settings

The secret template settings that do not transfer include:

  • Launcher settings
  • Password changing settings
  • Session recording enabled
  • Associated secrets

SSH Proxy

  • Updated "connect as" to accept key-based SSH authentication without also requiring a manual password.

  • For SSH proxy sessions, added the option set:

    • Only record keystrokes
    • Only record video for sessions.

    By default new installs will only record keystrokes on SSH proxy sessions to preserve disk space. To configure this setting go to Admin > Configuration > Session Recording tab > Secret Server Proxy Session Recording. Edit the SSH Proxy Session Recording Options dropdown list. The options include:

    • Record keystrokes and video

    • Record keystrokes only

    • Record video only

    • Do not record

Verbose Logging

Added Verbose Logging for:

  • AWS password changers
  • AWS discovery scanner
  • ComPlus dependency scanner
  • PowerShell discovery scanner
  • Flat file discovery scanner
  • ODBC discovery scanner
  • SSH discovery scanner
  • ESX discovery scanner

Terminal

  • Added terminal instructions for how to view SSH proxy credentials in the new UI under Secret Options > Show SSH Terminal Details.
  • Removed restrictions from the allowed number of concurrent logins for SSH terminal. Previously, terminal logins were tied to the "Maximum concurrent logins per user" setting that establishes this number for UI-based users.
  • Added Unicode support for SSH command menu items (names and descriptions).
  • Added "clear" command to terminal.

Database SQL Indexes

Added new SQL indexes for the following areas:

  • Column LauncherSessionGuid on the Launcher Session Video (tbLauncherSessionVideoSegment)
  • Event Queue Monitor (tbEventQueue)
  • Expired Secret Monitor (tbSecretDependency table)
  • Folders (tbFolder, tbFolderGroupPermissions)
  • General Navigation (tbUserSession)
  • Launcher Activities (tbSecretSession)
  • Log In (tbUser)
  • Node Activation Check (tbNodeLicenseActivation)
  • Secret Log table (tbSecretLog)
  • System Reports (tbAuditUser, tbAuditSecret)

Unique Field Slug IDs

Added a new "Unique Field Slug" ID column for secret templates to allow users to create secrets with duplicate field names without compromising the ability to target each field name with a unique identifier for API calls.

User Variables for Scripting

Added the following user-based script variables to be used in API calls as arguments:

  • $SECRETSERVERUSERID
  • $SECRETSERVERUSERNAME
  • $SECRETSERVERDISPLAYNAME
  • $SECRETSERVEREMAILADDRESS

This allows, for example, that when a specific user runs a check-out hook, they can pass a user email, ID, username, or display name as a parameter into the script to use a check-out hooks and related AD functionality in Secret Server through the API.

API and Scripting

API General

Added a setting that allows users with view permission on a secret to get the secret's "autoChangeNextPassword" field in the API. This setting is enabled under Admin > Configuration > Permission Options. Set Allow View User To Retrieve Auto-Change Next Password to Yes.

New API Calls

  • Get one time password code and seconds: GET /one-time-password-code/{id}
  • Search secrets by URL: POST /secret-extensions/search-by-url
  • Get AutoFill values for URL by secret ID: POST /secret-extensions/autofill-values
  • Update secret field: PUT /secrets/{id}/fields/{slug}
  • Update secret: PUT /secrets/{id}/restricted
  • Get SSH Terminal details: POST /secrets/sshterminal
  • Get extended regex values by secret: GET /extended-fields/regex/{secretId}

Removed API Calls

  • Search app clients: GET /app-clients
  • Update secret: PUT /secrets/{id}
  • Update secret field: PUT /secrets/{id}/restricted/fields/{slug}

Integrations

  • Added support for Open ID Connect to integrate with Secret Server authentication.
  • Added Connection Manager as a tools option in the grid menu and under the Admin space in the new UI.

Performance Improvements

  • Added server-side paging to reports in the new UI to address performance issues when attempting to load reports with large numbers of records.

  • The new UI will no longer load the subfolders If a parent folder has more than 30 subfolders within it on the grid page. Instead, a folder picker will display above the folder's secrets that will allow users to select a specific subfolder.

  • Applied enhanced SQL querying logic on the groups pages so that environments with large groups no longer experience page timeouts when processing group data.

  • Improved the shutdown performance in distributed engine.

  • Removed the welcome widget from the dashboard on the classic UI due to page load issues in large environments.

  • Enhanced SQL query for the unlimited admin report to improve performance for large environments.

  • Added a new "use database paging" setting for the custom reports page. Database paging allows the database to load large reports more quickly. We recommend database paging if the query is expected to pull large amounts of data for the report. Implementing database paging may not work if the SQL query uses some keywords, including TOP, OPTION, INSERT, UNION, WITH, or aliases containing the word FROM.

    Example queries:

    • Works using database paging: SELECT * FROM tbSecret WHERE NAME LIKE 'Test%'

    • Does not work using database paging: SELECT TOP 10 * FROM tbSecret WHERE SecretName LIKE 'Test%'

Security

  • Updated PuTTY to version 0.73. Updated version addresses several PuTTY vulnerabilities, including one critical and two high severity items. CVE-2019-17067, CVE-2019-17068, CVE-2019-17069

  • Addressed a vulnerability with the SDK client account handler.

  • Fixed a permissions issue in the new UI where password requirements did not obey the "administer custom password requirements" permission.

  • Added audits and event subscriptions for viewing passphrases and SSH keys.

  • Addressed a Remote Code Execution (RCE) vulnerability that allowed parameter changes for an action without validating user permissions.

  • Resolved an issue for SSH scripts and SSH remote password changers where sensitive information was being written to log files:

    • SSH remote password changers will now only log the comment for each command as it runs.
    • SSH scripts will only log that they ran because they have no comment for each command.

    Note: If you manually test an SSH script or password changer, the full output will still be shown for debugging purposes, because you just entered the credentials yourself.

  • Resolved a URL redirection vulnerability.

  • Added configurable parameter quoting for custom launchers.

  • Resolved three cross-site scripting (XSS) vulnerabilities.

  • Fixed an XML external entity (XXE) injection vulnerability.

  • Removed user information that was returned in an API call.

  • Added auditing for changes made to the session recording configuration page on the Admin > Configuration > Session Recording tab.

  • Added auditing for test script actions in the Custom Command Edits section in the Admin > Scripts pages.

  • Added auditing to the Admin > Configuration > Ticket System tab. Audits are logged under Admin > Configuration > General tab > View Audit.

  • Updated missing secure cookie attributes when "Force HTTPS" is enabled.

  • New installs running 10.7.000059 or later will now automatically apply zero information disclosure.

  • Added SHA1 and SHA256 hashes for protocol handler.

  • All Delinea DLLs and EXEs are now signed with the Delinea Software certificate including distributed engine, advanced session recording agent, and MemoryMQ applications.

Bug Fixes

  • Fixed an issue where creating folders through the API failed to set a secret policy.
  • Fixed a memory leak issue where leaving Mac launcher sessions open for extended periods of time consumed increasing amounts of memory on the machine hosting the session. This issue was incorrectly believed to be fixed in the Secret Server version 10.7.000002 release.
  • Fixed an issue where an access approval email link did not work if Integrated Windows Authentication (IWA) and two-factor authentication were enabled.
  • Fixed an issue where Unix secrets were not reported in the "Password Last Changed" report because the Unix Account template did not have a password expiration field by default. Unix password fields are now set to expire at 30 days by default.
  • Fixed an issue where pressing Enter with the cursor in the Search bar on the Discovery Network View page would open the create rule dialog.
  • Fixed an issue where new users were not adequately loading in the dropdown option for subscribers in the "discovery rule alerts" setting if users increased from under 40 to over 40 users.
  • Added clear error and validation in entering credentials for a discovery scanner.
  • Fixed an issue where localized language customization did not apply to some product pages due to default cache keys or inconsistent HtmlHelper methods implemented on those pages.
  • Fixed a bug where some pages in the old UI did not follow customized headers from CSS stylesheets.
  • Fixed an issue where extended search terms were not applied for URLs. Updated BookmarkletSecretSearcher so that it will not do extended hashes on URLs that might result in many erroneous matches. For instance, facebook.com would match face.org.
  • Fixed issue where non-AD discovery sources (ESX, PowerShell) would not match dependencies with domain to an existing AD Domain. If the dependency scan item has a field called "domain," it will attempt to map to an existing domain.
  • Fixed a bug where the REST API "daysUntilExpiration" field returned a blank value when calling for a secret summary.
  • Added a query to resolve sort ordering issues for dependency numbering.
  • Fixed an issue in the new UI where deleted secrets remained on display on the favorites widget in the home tabs.
  • Fixed a "bad token" error on login for mobile apps (Windows Desktop, iOS, or Android) for local users.
  • Fixed an issue where SSH keystroke data was not searchable from the session playback page due to proxy session data not being correctly hashed in the database.
  • Fixed a ticketing system bug where the option to require users to either provide a ticket number or a comment for requesting access incorrectly required both a comment and a ticket number to access the secret. This issue existed when requesting access to the secret through the UI, workflows, or terminal.
  • Fixed a bug where hashed terms were intermittently slow to return search results in the new UI.
  • Fixed a rendering issue for the group edit page when using the IE browser.
  • Fixed a localization issue in the SSH command menus where setting non-English as the global or user preference threw an exception when trying to save a secret policy.
  • Fixed an issue where an "object disposed" exception was thrown when navigating away from the new UI soon after application pools were recycled. This occurred because of an incorrect re-use of a service that is for processing the first Web request to the application.
  • Fixed a bug in the new UI where personalized preferences for launcher settings on a secret were not allowing users with view access to save.
  • Fixed a bug where custom columns on grids in the new UI occasionally tried to display the same column twice and threw an error.
  • Fixed an issue where a syslog header was missing the hostname when logging from an engine.
  • Fixed an issue where Duo authentication was not checking for valid fallback device options when the configured "default device" failed to authenticate.
  • Updated the "find new dependencies" feature to be available to users with edit permissions on the secret. Previously the new UI required users to have owner permissions.
  • Resolved a timing issue where secrets with scheduled password changes enabled would get erroneous heartbeat fails due to remote password change (RPC) expiration and heartbeat occurring at the same time. Now heartbeats are skipped for an interval of five minutes before and after a scheduled password change to allow password change completion before heartbeat is attempted.