Secret Server: 10.8.000000 Release Notes

April 3, 2020

Note: The system requirements last changed with version 10.7.000000. See Secret Server Release Notes 10.7.000000 for details.

Upgrade Notes

  • RMQ Helper was updated to install the latest RMQ version (3.8.2). See https://docs.thycotic.com/rabbitmq-helper/.
  • Enabled the "port scan enable" configuration by default for discovery scanners.

New Features and Enhancements

RDP Proxy

Secret Server now includes an RDP proxy that facilitates third-party session management tools without exposing connection credentials. RDP proxy also enables optional keystroke recording for an RDP session without the need for the advanced session recording agent.

Event Pipelines

  • Pipelines provide event-driven process automation within Secret Server. Users and administrators can save time by creating tailored workflows which are triggered automatically by events affecting secrets within Secret Server. Pipelines can be applied broadly across Secret Server or restricted by folder, secret template, group, site, or a combination of these and other criteria. For example, a pipeline could be configured to automatically change the password on an Active Directory secret when heartbeat fails.
  • Infinite loops: By default, pipelines are configured to consider any event that executes five tasks within five minutes from the same trigger as an infinite loop. For example, "secret edit" is selected as a pipeline trigger, and "remote password change" is selected as the task. After the first edit is made on a secret, an RPC is triggered. Every time the RPC completes, a new edit is triggered, which, in turn, triggers another RPC. If this happens five times within five minutes, then an infinite loop is declared. If the RPC is slow, taking more than five minutes for five password changes to occur, then an infinite loop is not declared. In this case, use the "configuration advanced" page to change "event pipelines infinite loop time (minutes)" to a longer time.

Session Recording

Can now record multiple windows, including child processes, when session recording. Some applications used for session management open multiple GUI windows at once or launch child processes to render the session to the user. Secret Server can now record more than the main window of the parent process to ensure all user activity during a session is captured.

Web Password Filler

Note: This section covers the release notes for Web Password Filler (WPF) version 2.0.0, which is released with Secret Server 10.8.

This release includes updates for the following web browsers:

  • Chrome
  • Mozilla Firefox
  • Edge (Chromium version)
  • Opera

Enhancements:

  • Web session recording is now supported in the WPF (please see the below section on Web Session Recording).
  • Improved support for the refresh token. We improved the refresh token to better support SAML-configured Secret Server environments, and the WPF is updated to use this improved token. This also makes better use of the timeout settings for the SAML token. Secret Server
  • Added timing restriction to the refresh button on the "sign in as" pop-up window in the WPF. This is to limit the number of calls that can be made in a 10-second time frame from going back to Secret Server to update the list of secrets.
  • Added a new feature to match URLs by exact path. This option looks at the domain value in the URL and will only list secrets that have an exact match. During Web session recording, this option exactly matches the values between // and the first / in the URL. For example, in http://Company.Sub.Primary.Domain.TopDomain/subsite it matches Company.Sub.Primary.Domain.TopDomain.
  • Improved support for sites that have second-level subdomains in the URL, such as sites that have ".co.uk" or ".online.com.
  • Added handling when fetching secrets from Secret Server for common second-level subdomains when filtering for applicable secrets on a website.

Bug fixes:

  • Fixed an issue that returned a 500 error in the background when users tried to save a new secret (using WPF) when the new user interface is disabled in Secret Server. Secret Server.
  • Fixed an issue that did not display the "Add Accounts to Secret Server" dialog if you entered credentials (that are not in a secret) into a site and try to automatically save it as a secret when "personal folders" are disabled for the Secret Server instance.
  • Fixed an issue where not all folders were being returned when adding a secret, if the user had access to more than 1,000 folders.

Web Session Recording

  • Added web session recording to the WPF browser extension. If a Web secret is configured for recording, WPF will now record the web session and display a recording icon at the top of the tab. Any additional Web browser tabs that are opened from that session (provided they stay on URLs that require recording) will also be recorded. All recordings will be available in Secret Server.
  • If Web session recording is configured to run for a site, but the site prevents the recording icon from being placed in the browser tab's title bar, the WPF instead displays a pop-up message that the session is being recorded.

Connection Manager

Added two new settings for Connection Manager users on the Admin > Connection Manager page. Users with the "administer configuration" permission can modify these settings:

  • Allow local connections
  • Allow Connection Manager to save Secret Server user passwords

Note: These configuration options require Connection Manager 1.2 or later.

Integrations

  • Added support for Devolutions Remote Desktop Manager integration, which allows users to retrieve passwords from Secret Server directly within Remote Desktop Manager. See https://updates.thycotic.net/secretserver/documents/SS-INTG-Devolutions.pdf. Secret Server
  • Added support for WitFoo Precinct to integrate with SS, which allows users to view incident or event logs. See https://updates.thycotic.net/secretserver/documents/SS-INTG-Witfoo.pdf.

Smartcard Authentication

Added support for CAC/PIV smartcards pass-through authentication for RDP launchers.

Compliance and User Data

Personally Identifiable Information (PII) for inactive user data in Secret Server can now be anonymized to help organizations meet compliance regulations for GDPR.

Roles

  • Added a new role permission, "session recording auditor," which allows a user to audit session recordings but not access the corresponding secrets.

  • Added a new user role, "view secret password history," that allows users to have access to a password without granting them access to the password history. Users with edit or owner permissions on a secret who do not have this new role will be able to view and update the current secret password but will not be able to view previous passwords on the secret.

    Note: User roles that previously had the "view secret" permission will automatically gain "view secret password history" during the upgrade process.

Discovery

Added an extensible discovery "run as" privilege credential. Users can now specify a secret for the default credentials for running all PowerShell scripts on a site. This allows sites in different data centers to have different default credentials. This applies to remote password changing, checkout hooks, and discovery PowerShell scripts. If you want a specific secret checkout hook, secret password changer, or discovery scanner to use different credentials, you can still provide credentials in those areas, which take precedence over the secret set for the site. See Discovery.

Performance Improvements

  • Redesigned the "secret dependencies" page. Updates include database paging and filtering to fix page load performance issues in the new UI.

  • The audit REST API was improved to increase performance when viewing the secret audit log in the new UI

  • Added optimizations to improve secret search performance with very large secret sets. These include modifications to the secret list page, folder secret listings, search terms and other filters, the secret picker, and REST API endpoints. Endpoint improvements include options to not automatically count matching secrets and a method to count matching secrets rather than returning the set, both designed to remediate the overhead of secret filter set paging.

    Note: The optimizations may cause issues when upgrading, so they are not on by default. They may also cause issues with extremely long secret names (400+ characters). Please contact technical support for more information if you believe you might benefit from the optimizations.

  • Altered the MS SQL Server collation used for secret name search to improve performance. As a result, secret names starting with numeric values now return before secret names starting with symbols. An advanced setting (contact Delinea Support) is available to revert this back to the original sort order at the cost of some of the performance gains.

Security

  • Fixed an issue where a local user could log in to the Secret Server SSH terminal despite an expired password.

  • Fixed a reflected cross-site scripting (XSS) vulnerability.

  • Extended the default HSTS max age to one year and extended it to cover subdomains.

  • Fixed a cross-site scripting (XSS) issue.

  • Fixed an issue preventing a security header from being returned in certain locations within the application.

  • Secret Server no longer allows any cross origin (CORS) calls.

API

  • The rest API documentation has a new look and feel, including a table of contents.

  • Added 67 new endpoints. See The REST Web Services API Reference and Download for details.

  • Added the ability to autogenerate API clients for PS, C#, Java, Postman, and Insomnia.

  • Added PATCH API call methods, which are designed to update only values that are passed through the call. New object types include:

    /secrets/{id}/email/secrets/{id}/general/secrets/{id}/security-checkout/secrets/{id}/security-general

    An example of a PATCH call is:

    PATCH/secrets/{id}/general{{secretPolicy: 1}}

    or more descriptive:

    PATCH/secrets/{id}/general{{secretPolicy: {value: 1, dirty: true}}}

Logging

  • Added verbose logging for:

    • Active Directory password changers
    • SQL Server password changers
    • MySQL password changers
    • Oracle password changers
    • Sybase password changers
    • LDAP Privileged password changers
    • Mainframe password changers
    • Windows password changers
    • SSH password changers
    • AppPool dependency
    • SSH dependency
    • SQL dependency
    • PowerShell dependency
    • ComPlus dependency
    • FlatFile password changers
    • ScheduledTask password changers
    • WindowsService password changers

  • Added a correlation ID to every request generated by new UI pages. This ID is tracked by the API and is included in the server log when relevant. To get the IDs, users can go to the new UI diagnostics page to download a log of all HTTP requests made within the past two days.

  • Updated error handling to process unknown errors as "UnknownError." Previously unknown errors logged as "LoginFailed."

Cloud

  • Fixed a caching issue where discovery scanning sometimes did not find an existing organizational unit (OU) for SSC instances.
  • Significantly improved shutdown and restart times for engines connected to SSC.
  • Added a new configuration setting to allow SSC admins to opt non-admin users out of seeing the SSC upgrade notification banner before a release. Access this "display maintenance message To administrators only" setting at Admin > Configuration > General tab > User Experience.
  • Removed the legacy Web Password Filler bookmarklet.

General

  • Updated the layout for configuration pages to include more details about page sections.
  • Removed options such as "import secrets" and "launcher tools" from the grid icon menu. All menu items are available from the admin page.
  • Redesigned the "user preferences" page. Click the profile icon in the upper right, and then select User Preferences.
  • Added actions that allow a user to cancel an existing request in the request log grid.
  • Added auditing for changes made to discovery source pages.
  • Application requests made from the API can now be approved or denied on the inbox page.
  • Added a checkbox to the settings of the scheduled task and Windows service scanners to use NETBIOS name instead of UPN when matching domains.
  • On secrets that require both check out and comment, users are no longer required to submit two comments. We combined the check out and comment prompts.
  • Added a "next password reveal" audit for secrets that are manually updated with a next password.
  • Converted active templates to new UI.

Bug Fixes

  • Fixed an issue to Web Password Filler to have the URL encoding match what is configured in the secret. Issue related to handling of ampersands contained in the launcher URL.
  • Fixed an issue where request access emails did not send to some approvers.
  • Fix to address accuracy of login time stamps when using SAML Active Directory Federated Services.
  • Fixed an issue where copying custom reports sometimes did not allow a user to save.
  • Fixed an issue where some secrets did not display when picking associated secrets for a secret policy or event subscription. Associated secrets on secret policy edit will now default to not filtering by password type configured on the template. The "show all" button will also no longer filter by this setting.
  • Fixed an issue where folder permissions could be changed via REST API despite the "inherit permissions from parent" setting being enabled. Changes to folder inheritance through the API will now be reflected in the UI and will be messaged in the API.
  • Added a new advanced configuration advanced setting, OffloadRunNowToDifferentNode. If true, offloads the "run now" commands to nodes with background worker enabled. This only applies if Secret Server nodes have different RabbitMQ site connectors.
  • Fixed an issue where filter parameters were ignored when using filter.searchField in the API method. Users are now able to perform partial searches through the API.
  • Fixed an issue where users with edit permission on a folder were unable to perform the "convert template" bulk operation on secrets they owned within that folder.
  • Fixed an issue where deleted engines were still shown on the engine status widget.
  • Fixed an issue where RADIUS two-factor authentication access challenge prompts did not work with Integrated Windows Authentication.
  • Fixed an issue where the time format in the secret access request form page did not match the default time format in Admin > Configuration.
  • Fixed an issue in the new UI where the dependencies tab was not displayed correctly.
  • Added a notification message when a secret is forced to check in by another user.
  • Fix made for RPC password changes getting stuck in the processing state, after disabling RPC.
  • Fixed an issue where a folder name is truncated to 50 characters when imported via XML.
  • Fixed an issue where the audit log showed duplicate view instances for secrets
  • Fixed an issue where Unicode characters would display as question marks on the SSH proxy session data page.
  • Enhanced search logic so that an exact match for folder or secret name will appear first in the search results list.
  • Fixed an issue where proxied sessions (RDP or SSH) did not properly terminate if session recording was previously disabled for the secret.
  • Fixed an issue where the "inherit permission from folder" setting was disabled when sharing a newly created secret in the old UI.
  • Fixed an issue where other users' personal sub-folders were still visible to users who did not have View permissions on them despite the "require view permission on specific folder for visibility" setting being enabled. This only occurred on the Admin > Folder Permissions & Audit page.
  • Fixed an issue where different time zones were shown when editing the RPC settings of a secret.
  • Fix made to address error when attempting to export diagnostic logs which resulted in incomplete records.
  • Fixed the "value cannot be null" error message after clearing a report filter.
  • Fixed an issue where the POST /secret-templates/generate-password/{secretfieldId} endpoint did not properly handle password fields.
  • Fixed an issue where the web password filler could not login local users through SAML authentication.
  • On the security hardening report page, increased the maximum size of the zero-information disclosure message.
  • Fixed an issue where AD sync processed a disabled domain.
  • Updated the distributed engine "processing" status query to exclude inactive secrets in its data count on the SiteView.aspx page.
  • Fixed an issue where duplicate secrets could be linked to a discovery scanner.
  • Fixed an issue where edits to a dependency modal did not save.
  • Fixed an issue where the "automatic user management" setting did not re-enable Integrated Windows Authentication (IWA) users properly.
  • Fixed an issue with attaching files while creating a new secret that had check-out or require comment enabled.
  • Fixed an issue with the REST API POST /secret-templates/ endpoint, which did not work.
  • Fixed an issue in folders that contain over 30 sub-folders where clicking to maximize the folder list threw an error.
  • Fixed an issue where converting a secret template failed after modifying the secret template without first saving the template.
  • Fixed an issue in the new UI where require approval logic on a secret policy blocked users from creating secrets in a folder where the policy was assigned.
  • Fixed a new UI issue where copying a secret template failed when using the Internet Explorer browser.
  • Fixed an application error message when secret access was revoked by its owner, while another user was attempting to check it out.
  • Fixed inaccuracies displayed in "last accessed" and "created" column data in secret grids.
  • Fixed an issue in the way IP addresses in URL fields were indexed and how indexed searching was conducted. Searching by partial IP address now correctly matches against URL fields for any substring of the IP address, as long as the search term starts with a whole octet of the field.
  • Fixed a display issue for drop-down grid menus in the new UI.
  • Fixed an issue when sharing a secret where a message incorrectly stated that the user would no longer be owner of the secret.
  • Fixed an issue where duplicate groups populated when selecting from the "add Group/user" dropdown on the Admin > Groups page.
  • Secret folder tree expansion is no longer lost when editing a folder.