December 9, 2019
Note: The system requirements last changed with version 10.7.000000. See that version's release notes for details.
Secret Server now allows administrators to permanently delete audit records from tables that either contain personally identifiable information (PII) or can grow large in enterprise environments. To configure these settings, add the "Administer Data Retention" permission to the user's role; the user can then navigate to Admin > Data Retention. Only users with the "Unlimited Administrator" permission can assign this new permission. See the "Data Retention" section in the Secret Server Administration Guide.
A new "Manual Rolling Upgrade" feature is available when upgrading from Secret Server version 10.7.000059 or above. Using this process, customers using clustered web nodes with a load balancer can experience little-to-no downtime during the upgrade process, but this process requires manual steps by an admin with Web node and database access. See the Minimizing Upgrade Downtime KBA.
Updated Secret Server to support durable exchanges for RabbitMQ (RMQ). This allows clustered site connectors to failover without impacting Secret Server's processing. Distributed engines will auto-update after Secret Server's upgrade to also support durable exchanges through RMQ.
Note: Older Advanced Session Recording Agents (ASRA) can be used with this version of Secret Server but ASRAs will not benefit from this change to failover handling. To include failover capability for ASRA an updated agent must be deployed. See the Secret Server Advanced Session-Recording Agent Installation KBA.
Technical Details: The ExchangeDeclare logic in the MessageQueue client was changed to attempt to declare durable exchanges and to log the result. A durable exchange is automatically re-created when RabbitMQ restarts for any reason, whereas a non-durable exchange disappears when RMQ goes down and can only be re-created by some external action. If the new logic detects that declaring the durable exchange failed, it logs an error and falls back to declaring a non-durable exchange.
Note: The presence of legacy non-durable exchanges can prevent the automatic creation of durable exchanges, because RabbitMQ refuses to redeclare an existing exchange with different durability. See RabbitMQ Durable Exchanges.
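The following pre-upgrade check is an added example and is not Secret Server or Delinea code. It parses the output of `rabbitmqctl list_exchanges name type durable` (a real rabbitmqctl command) and lists the exchanges that are still non-durable, which are the ones that would make the new ExchangeDeclare logic fall back to a non-durable exchange. The sample output and the exchange names in it (`ss-site-1.work`, `ss-site-1.heartbeat`) are constructed for illustration; real Secret Server exchange names will differ.

```python
"""Find legacy non-durable RabbitMQ exchanges before upgrading.

Added example, not Secret Server or Delinea code. Redeclaring an existing
non-durable exchange as durable fails with 406 PRECONDITION_FAILED
("inequivalent arg 'durable'"), so any exchange listed by
find_nondurable_exchanges() should be deleted (or the broker reset) while
Secret Server and the engines are stopped, so the upgraded client can create
the durable version.
"""
import subprocess
from typing import Dict, List

# Constructed sample of `rabbitmqctl list_exchanges name type durable`.
# Exchange names starting with "ss-site-1" are hypothetical.
SAMPLE_OUTPUT = "\n".join([
    "Listing exchanges for vhost / ...",
    "name\ttype\tdurable",
    "\tdirect\ttrue",                      # the unnamed default exchange
    "amq.direct\tdirect\ttrue",
    "amq.topic\ttopic\ttrue",
    "ss-site-1.work\tdirect\ttrue",        # hypothetical, already durable
    "ss-site-1.heartbeat\tdirect\tfalse",  # hypothetical legacy non-durable
])


def parse_exchanges(output: str) -> List[Dict[str, object]]:
    """Parse the tab-separated rabbitmqctl listing into dict rows."""
    rows = []
    for line in output.splitlines():
        # Skip the progress banner, the column header and blank lines.
        if not line or line.startswith("Listing ") or line.startswith("name\t"):
            continue
        parts = line.split("\t")
        if len(parts) != 3:
            continue  # not a data row in the requested three-column format
        name, kind, durable = parts
        rows.append({
            "name": name,
            "type": kind,
            "durable": durable.strip().lower() == "true",
        })
    return rows


def find_nondurable_exchanges(output: str) -> List[str]:
    """Return the names of non-durable exchanges, ignoring broker built-ins.

    The default (unnamed) exchange and the amq.* exchanges are created by the
    broker itself and are always durable, so they are excluded defensively.
    """
    return sorted(
        str(row["name"])
        for row in parse_exchanges(output)
        if not row["durable"]
        and row["name"]
        and not str(row["name"]).startswith("amq.")
    )


def check_live_broker(vhost: str = "/") -> List[str]:
    """Run rabbitmqctl against the local broker and report non-durable exchanges."""
    result = subprocess.run(
        ["rabbitmqctl", "list_exchanges", "-p", vhost, "name", "type", "durable"],
        check=True, capture_output=True, text=True,
    )
    return find_nondurable_exchanges(result.stdout)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    for name in find_nondurable_exchanges(SAMPLE_OUTPUT):
        print(f"non-durable exchange would block durable redeclare: {name}")
```

Run `check_live_broker()` on the RabbitMQ host (it needs rabbitmqctl on the PATH and the Erlang cookie) before starting the upgrade; an empty list means the durable declare will succeed on first start.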
Added a new feature where Secret Server can now generate time-based one-time passwords (TOTP) for web secrets. This allows users to implement TOTP on shared secrets. Configuring secrets for TOTP begins at the secret template level. See the Secret Server Administration Guide.
Added the ability to truncate table logs for several types of data that log to the "Status Message" table. These messages can contribute to excessive log data and slow performance. The option to truncate each message type is called "Days to Keep Operational Logs" and is under the "Advanced" sections on the following list of configuration pages. Minimum message retention time is one day and the default is 30 days. The logs include:
Go to the Secret Server Administration Guide and search for "Days to Keep Operational Logs" to see all the locations where this can be configured.
Technical details: A background task was added that scans the status message table every 12 hours and checks the status messages against configured values for how long they should be retained. These configured values were added to applicable UI pages.
The Web browser plugins for Secret Server were rebuilt with a new look and feel and now have additional browser and site support. These new plugins are available for:
These features from the old browser plugins have been improved to allow more flexibility:
Users can now authenticate to Secret Server directly from the Web plugin, including support for 2FA options such as Duo. Log in via Secret Server is also available for users with single sign-on, SAML, or other multi-factor authentication mechanisms. Web plugins automatically detect manual entry of new credentials in a Web page and offer to save the credentials as a secret. There is also improved support for sites that use multi-page login mechanisms.
See the Web Password Filler section of the Secret Server Administration Guide for more information.
Added a new setting to exclude keystroke data from advanced session recording metadata. The new setting is called "Default Keystroke Recording Configuration" and can be configured under Admin > Configuration > Session Recording > Configure Advanced Session Recording. Click a collection name to edit individual collection settings or agent settings. By default, advanced session recording keystrokes are enabled. See the Secret Server Administration Guide.
Added a new regex setting to automatically retry a remote password change (RPC) with a regenerated password if the original RPC failed due to a specific type of error.
Go to Admin > Remote Password Changing and click Advanced under the Configure Password Changers section. The new setting is "Attempt Password Change with new password when error contains (regex)". Edit it to provide a regex that matches the error text which should trigger an automatic second RPC with a newly generated password. See the Secret Server Administration Guide.
Added messaging for when computer or dependency scans do not run due to having no scanners configured for a discovery source.
Updated the definition of distributed engines' offline status to be the configured heartbeat interval times three. For instance, if your heartbeat interval is configured at 5 minutes, the engine will report offline if Secret Server and the engine do not successfully communicate within a 15-minute time period. Engine online and offline states were also added to subscription actions to allow notification to admins when engine states change. See the Event Subscriptions section in the Secret Server Administration Guide.
Redesigned the Admin landing space. Click Admin > "See All" to explore the new layout.
Redesigned Doublelock. See the DoubleLock section in the Secret Server Administration Guide.
Added new "Recent Activity" section to the Home dashboard page to display recent activity at a glance.
Updated the Security Hardening tab in the Reports page.
Updated the IP Address Management pages under Admin.
Added custom logos. Custom "full-sized" and "collapsed" logos for the new UI can be set in Admin > Configuration, under the User Interface section.
Added dark mode theme option in the new UI. To change theme mode preferences, go to Account Settings > Color Mode. Options include Light Mode, Dark Mode, or Default (mode will update based on user's OS color mode settings).
Added a new setting to configure the inactivity time before the new UI goes into dark screen "sleep mode." To configure go to Admin > Configuration > User Experience > UI Inactivity Timeout.
Converted the Groups page to the new UI.
Updated error messaging in the new UI to display folder synchronization and deletion errors.
Updated the date picker to allow for future start dates and time selection without first adjusting the end date when requesting secret access. End dates are automatically adjusted to align with the start date +1 hour.
Updated grid downloads in the new UI to download according to new options. User options now include choices to download all data or specific rows of data, and specify date format. You can also choose time zone options of UTC, server time zones, or the local browser time zones.
Note: for downloaded reports users' time zone options are limited to UTC or the server time zone.
Updated behavior of new UI so that clicking the "Select All" check box at the top of a secret grid selects all rows. Previously the check box selected only the items currently loaded on the page.
Added the "View Audit" button to the reports page of new UI.
Added the "Upgrade Available" banner to display in the new UI.
Added the ability to drag-and-drop child folders into the root folder. Folders will automatically re-order alphabetically in the left navigation pane.
Note: This action is only allowed if users have the "Create root folder" permission and own folders that they are attempting to move.
Added folders to the "Shared With Me" page.
Added new inbox notifications including "getting started" notifications for new installs and administrator alerts when an instance is close to hitting licensing limits.
Added the ability to mark Inbox notifications as read or unread for most notification types.
Added the ability to browse by folder name using the URL format [SecretServerURL]/SecretServer/app/#/lookup?folderPath=[FolderName]. If multiple folders exist with the same name, this URL search schema only directs users to the first folder listed within the left navigation pane.
Updated Favorite star icons to remain in column view when the Name column is resized.
Expanded file-size allowance on file uploads. File uploads can now be up to 10 MB.
Grid results updated to auto-load 30 results instead of 15.
A second distributed engine is now available, by default, for the local site.
Updated secret template settings for importation and exportation to include:
The secret template settings that do not transfer include:
See the Can I import or export data between Secret Servers? KBA for more information.
Updated "connect as" to accept key-based SSH authentication without also requiring a manual password.
For SSH proxy sessions, added the option set:
By default, new installs record only keystrokes on SSH proxy sessions, to preserve disk space. To configure this setting, go to Admin > Configuration > Session Recording tab > Secret Server Proxy Session Recording and edit the SSH Proxy Session Recording Options dropdown list. The options include:
Record keystrokes and video
Record keystrokes only
Record video only
Do not record
See the Session Recording section in the Secret Server Administration Guide.
Added Verbose Logging for:
Added new SQL indexes for the following areas:
Added a new "Unique Field Slug" ID column for secret templates to allow users to create secrets with duplicate field names without compromising the ability to target each field name with a unique identifier for API calls. See the Secret Template Field Types section in the Secret Server Administration Guide.
Added the following user-based script variables to be used in API calls as arguments:
This allows, for example, a specific user running a check-out hook to pass their email, ID, username, or display name as a parameter into the script, so that check-out hooks and related AD functionality in Secret Server can be used through the API. See the "Checkout Hooks" section in the Secret Server Administration Guide.
Added a setting that allows users with view permission on a secret to get the secret's "autoChangeNextPassword" field in the API. This setting is enabled under Admin > Configuration > Permission Options. Set Allow View User To Retrieve Auto-Change Next Password to Yes.
Added server-side paging to reports in the new UI to address performance issues when attempting to load reports with large numbers of records.
The new UI no longer loads subfolders on the grid page if a parent folder has more than 30 subfolders. Instead, a folder picker is displayed above the folder's secrets that allows users to select a specific subfolder.
Applied enhanced SQL querying logic on the groups pages so that environments with large groups no longer experience page timeouts when processing group data.
Improved the shutdown performance in distributed engine.
Removed the welcome widget from the dashboard on the classic UI due to page load issues in large environments.
Enhanced SQL query for the unlimited admin report to improve performance for large environments.
Added a new "use database paging" setting for the custom reports page. Database paging lets the database return large reports more quickly by fetching one page of rows at a time. We recommend database paging if the query is expected to pull large amounts of data for the report. Database paging may not work if the SQL query uses certain keywords, including TOP, OPTION, INSERT, UNION, WITH, or column aliases containing the word FROM.
Works using database paging:
SELECT * FROM tbSecret WHERE NAME LIKE 'Test%'
Does not work using database paging:
SELECT TOP 10 * FROM tbSecret WHERE SecretName LIKE 'Test%'
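The following lint is an added example, not Secret Server or Delinea code, and does not reproduce how Secret Server itself rewrites report queries. It applies the restrictions listed above to a custom report query before "use database paging" is enabled, flagging the unsupported keywords (matched as whole words outside string literals, so a value such as 'Union Bank' is not a false positive) and any column alias that contains the word FROM. The two queries from the release notes and the third, alias example are used as inputs.

```python
"""Check a custom report query for constructs that break database paging.

Added example, not Secret Server or Delinea code. The rules come from the
release notes: TOP, OPTION, INSERT, UNION and WITH, plus aliases containing
the word FROM, may prevent database paging from working.
"""
import re
from typing import List

# Keywords the release notes list as incompatible with database paging.
UNSUPPORTED_KEYWORDS = ("TOP", "OPTION", "INSERT", "UNION", "WITH")

# Matches a T-SQL single-quoted string literal, including '' escapes.
_STRING_LITERAL = re.compile(r"'(?:''|[^'])*'")

# Matches `AS alias` or `AS [bracketed alias]` (column aliases without AS
# are not detected; keep the AS form in report queries so the check works).
_ALIAS = re.compile(r"\bAS\s+(\[[^\]]+\]|\w+)", re.IGNORECASE)


def _strip_string_literals(sql: str) -> str:
    """Replace string literals with '' so their contents are not inspected."""
    return _STRING_LITERAL.sub("''", sql)


def database_paging_issues(sql: str) -> List[str]:
    """Return the list of problems found; an empty list means paging is safe.

    Keyword hits are reported by keyword name (e.g. "TOP"); alias hits are
    reported as "alias:<alias>". WITH is flagged even when used as a table
    hint such as WITH (NOLOCK), since the notes exclude the keyword itself.
    """
    text = _strip_string_literals(sql)
    issues: List[str] = []
    for keyword in UNSUPPORTED_KEYWORDS:
        if re.search(rf"\b{keyword}\b", text, re.IGNORECASE):
            issues.append(keyword)
    for match in _ALIAS.finditer(text):
        alias = match.group(1)
        if "from" in alias.lower():
            issues.append(f"alias:{alias}")
    return issues


def paging_safe(sql: str) -> bool:
    """Convenience wrapper for a yes/no decision before enabling paging."""
    return not database_paging_issues(sql)


if __name__ == "__main__":
    # The two queries from the release notes plus a constructed alias case.
    samples = [
        "SELECT * FROM tbSecret WHERE NAME LIKE 'Test%'",
        "SELECT TOP 10 * FROM tbSecret WHERE SecretName LIKE 'Test%'",
        "SELECT SecretName, Created AS FromDate FROM tbSecret",
    ]
    for query in samples:
        print(f"{database_paging_issues(query) or 'ok'}: {query}")
```

When a report needs a row limit, drop the TOP clause and rely on an ORDER BY; the paging mechanism limits the rows fetched per page, which is what TOP was usually approximating.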
Updated PuTTY to version 0.73. The updated version addresses several PuTTY vulnerabilities, including one critical and two high severity items (CVE-2019-17067, CVE-2019-17068, CVE-2019-17069).
Addressed a vulnerability with the SDK client account handler.
Fixed a permissions issue in the new UI where password requirements did not obey the "administer custom password requirements" permission.
Added audits and event subscriptions for viewing passphrases and SSH keys.
Addressed a Remote Code Execution (RCE) vulnerability that allowed parameter changes for an action without validating user permissions.
Resolved an issue for SSH scripts and SSH remote password changers where sensitive information was being written to log files:
Note: If you manually test an SSH script or password changer, the full output will still be shown for debugging purposes, because you just entered the credentials yourself.
Resolved a URL redirection vulnerability.
Added configurable parameter quoting for custom launchers.
Resolved three cross-site scripting (XSS) vulnerabilities.
Fixed an XML external entity (XXE) injection vulnerability.
Removed user information that was returned in an API call.
Added auditing for changes made to the session recording configuration page on the Admin > Configuration > Session Recording tab.
Added auditing for test script actions in the Custom Command Edits section in the Admin > Scripts pages.
Added auditing to the Admin > Configuration > Ticket System tab. Audits are logged under Admin > Configuration > General tab > View Audit.
Added the missing Secure attribute to cookies when "Force HTTPS" is enabled.
New installs running 10.7.000059 or later will now automatically apply zero information disclosure.
Added SHA1 and SHA256 hashes for protocol handler.
All Delinea DLLs and EXEs are now signed with the Delinea Software certificate including distributed engine, advanced session recording agent, and MemoryMQ applications.