Resource Kit 24.1.1 Release Notes

May 23, 2024

Requirements

Requires BeyondTrust Password Safe version 24.1.1 or later release.

New features and enhancements

• Updated Platform SDK to support Password Safe 24.1.1
  • Platform plugins updated to use .NET 8

Notes

• The SHA-256 signature is: a4ff16e52d5e322cfeae3e96f03d45554833f151ea7bf939139fa1da0cd63936
• This release is available to download for BeyondTrust customers at https://beyondtrustcorp.service-now.com/csm.

May 23, 2024

Requirements

• We recommend a restart after this update.

New features and enhancements

• This release bundles version 24.1.0.1426 of the BeyondTrust Discovery Agent. Corresponding release notes are available on the BeyondInsight and Password Safe Release Notes page.
• All components and services using .NET 6/7 have been updated to .NET 8.
  • .NET hosting bundle v8.0.4 is included.

Issues resolved

• None

Notes

• Direct upgrades to 24.1.1.1843 are supported from all previous versions.
• BeyondTrust customers can download this release from their Password Safe Cloud portal by navigating to Configuration > Resource Zones and clicking Download Installer.
• The MD5 signature is: 4C6EDD2EBF8EB69258D77A383FD85E35
• The SHA-1 signature is: 09DACD5B2D8C551F08179A7C61900A631D2F48AF
• The SHA-256 signature is: 6C0D31BF6B72A1129DE0A021878089566FA655C299E8A6EC8F5879285F55C670

May 23, 2024

Requirements:

• There is a product dependency on having the .NET 8 Hosting package installed.
• A reboot of the system may be required.

New features and enhancements:

• Updated the scanner to .NET 8.
• Added support for scanning IPv6 targets.
• Added an external configuration file for secondary SSH prompts.
• Added logging of remote agent extension and plug-in versions.
• Added support for the enumeration of scheduled tasks for Linux. This includes support for servicectl, CRON, and AT jobs.
• Added a new runtime option to all the Windows Domains to be used instead of the DNS Domain for the Workgroup/Domain Name asset field.

Issues resolved:

• Resolved a scenario where a scan fails to complete when connecting to the target's registry. Changed the default value for the remote registry connect timeout to 60 seconds.
• Resolved a scenario where a scan fails to complete due to inability to acquire the Yum command lock on Linux targets.
• Resolved a condition which could cause a failure to cache the Domain information.
• Resolved an exception which could occur when special characters are included in JSON data.

Known issues:

• The installation dialogs have string substitutions errors.
• This release depends on having the .NET 8 hosting package pre-installed. If the .msi installer is run without the prerequisite .NET 8, the scanner is left in an uninstalled state. The .exe installer must be used in this situation to ensure that the proper .NET package is installed. A reboot of the system may be required.

Notes:

• Direct upgrades to this version are supported from versions 20.1.0 and later releases.
• This release is available by download from the BeyondTrust Client Portal at https://www.beyondtrust.com/support/.
• The MD5 signature is: 297e9a5d6a53472a206c906effe13342
• The SHA-1 signature is: c6a8a41bb1fac9520809d9db8856f8fb9660df47
• The SHA256 (exe) signature is: 74116cda6b6e1513dac0a9db1afef3637e6c2a69ca5b90b3ee2376469d3ec6ff
• The SHA256 (msi) signature is: 1d98dc75afe75dbb61079c8b777ac13b1edb7ab3b52cdd148952fe3fbc96ede2

May 23, 2024

Requirements

• Requires .NET 4.7.2 or later
• Requires IIS to be enabled on host

New features and enhancements

• Added Subscription for Endpoint Privilege Management: Data Collection Bundle
• Added Subscription for Endpoint Privilege Management: Web Policy Editor Bundle

Issues resolved

None

Known issues

None

BeyondInsight and Password Safe 24.1.1 release notes

May 23, 2024

New features and enhancements

Configuration

• SAML Configuration has been updated so that incoming SAML communications (Assertions, Response) can no longer be signed using SHA1 by the Identity Provider (IdP). This is disabled for security purposes.

ℹ️

Note

Incoming SAML communications (Assertions, Response) must be signed using SHA-256 or higher by the IdP. SHA1 is no longer be accepted.Ensure your IdP has been updated in BeyondInsight accordingly.
Failure to update your IdP prior to upgrading BeyondInsight and Password Safe to version 24.1.1 may prevent users from logging in using SAML.

• Added a new option to the Configuration page: Identity Security Insights > Connect to Identity Security Insights.
  • Enabling this connector key allows Password Safe to forward discovery scan events to Identity Security Insights. This provides visibility into possible attack paths, identity-based threats, and identity hygiene issues.

Developer Platform

• All components and services using .NET 6/7 have been updated to .NET 8.

Analytics & Reporting

• Added a Retrieval Reason column to the Password Safe > Activity report to display the comments for any release request listed in the report.

Password Safe

• Changed API Authentication Failure email notification logic so that new deployments of BeyondInsight and Password Safe do not send email notifications when API authentication failures occur.
• Updated the bundled ECM Password Safe Plugin to version 24.1.2.
• Added Change Password after Release and Enable API Access options to the Disable at Rest onboarding Smart Rule action.

Password Safe Cloud

• Renamed the Update column on Resource Broker grids to Update Available.
• Added links to release notes in the Update Available column on Resource Brokers grids, for resource brokers that can be updated or are being updated.
• Added a DNS Name filter to the Resource Zones > Brokers grid when accessing that area from a specific resource broker.

Issues resolved

• Resolved a foreign key constraint issue with the daily sync job (relating to the Change Queue fact table and Managed Account dimension table).
  • Now, the sync job handles the data in a way that avoids this constraint issue.
• Increased security around Smart Rule editing.
• Resolved an issue where updating an existing SAML configuration prompted the user to include the IdP certificate.
  • Now, the certificate is only required on the Create page.
• Resolved an issue in the Web Policy Editor, where sometimes a Save button appeared on the policy editing page, which caused the editor to hang when used.
  • Now, only the appropriate Save & Unlock button appears, and the editor works without hanging.
• Resolved an issue in the Activation Key generated command line text that prevented OAuth communications with Endpoint Privilege Management agents in Password Safe Cloud environments.
  • New users created using the API now respect the TOTP Two-Factor Authentication restrictions as set in BeyondInsight configuration, the same as manually created users do.
• Resolved an issue affecting proper generation of user audits of Secrets Safe activity.
• IP and X-Forwarded-For authentication rules are now evaluated on every API call instead of only on authentication/sign-in.
• Resolved an issue with the IP Allow List, where attempting to enable network restrictions would fail if at least one resource broker exists that has not yet been upgraded to at least version 24.1.0.
• Resolved an issue with the IP Allow List where, upon resource broker validation, if a large number of resource brokers were not in the allow list, the notification message was taking up the entire screen.
  • The notification message has been adjusted and scrollbars added for proper visibility.
• Improved the performance for Managed Account onboarding Smart Rules for some scenarios.
• Resolved an issue where a Secrets Safe secret could not be deleted if the ownership is assigned to Entire Team.
• Resolved an issue where upgrades from versions 23.1.1 and earlier would reset the TOTP configuration settings.
• Resolved an issue where a Password Mismatch email notification was incorrectly sent when a Password Test failed against a Windows system because it was unreachable or failed to connect.
• Resolved an issue where scans were not updating the IP address for managed systems when the IP address is reverted to a previous IP.
• Resolved an issue where the Events grid in Managed Account Advanced Details was slow to populate.
• Resolved an issue where Smart Rule processing would fail due to propagation actions being applied to accounts that were not inserted into the database.
  • Now, managed accounts that are not onboarded do not cause the propagation action to fail.
• Increased the timeout for HttpClient used to proxy Endpoint Privilege Management requests.
  • Now, exports from Privilege Management Reporting within BeyondInsight succeed even with very large data sets.

Known issues

• When establishing a connection between the Workforce Passwords extension and your Password Safe instance, if there is a space at the end of the URL in the extension, a DNS address could not be found error occurs.
  • Workaround: Avoid adding any extra spaces at the end of the URL when using the Workforce Passwords extension. This issue is being resolved for an upcoming release.

ℹ️

Note

Issues discovered after release can be found within our product Knowledge Base.

Notes

• Direct upgrades to 24.1.1 are supported from BeyondInsight versions 22.2 or later releases.
• BeyondInsight 24.1.1 supports SQL Server 2016 SP2 or higher.
• This release is available by download for BeyondTrust customers (https://beyondtrustcorp.service-now.com/csm) and by using the BeyondTrust BT Updater.
• The MD5 signature is: cfee455464f5589b49d2143872441f55
• The SHA-1 signature is: 1bdcef294a47e6e201a62b5edaafcd435d3deaab
• The SHA-256 signature is: ce70c722ba9c99e4b3e791a94eef88d5ce8b22ef6cebe286c0ac0c7f9abf2756

Deprecation notice

BeyondInsight 24.1.1 still supports the following features that are planned to be removed in upcoming releases:

• Team Passwords Public API Endpoints: Planned for the 24.2 release. You must update scripts to use the corresponding Secrets Safe API endpoints.
• Analytics & Reporting > Clarity: Clarity and related reports and configuration. Release to be determined.
• About > BeyondInsight Analysis: Release to be determined.

May 7, 2024

Requirements

• BeyondTrust ECM v1.6Ms.0+

New features and enhancements

This is a maintenance release and does not include any new features or enhancements.

Issues resolved

• Resolved an issue in which recently used external endpoints were not being returned.
• Resolved an issue in which available credentials were not being returned when using U-Series Appliance deployed ECMs.

Notes

• This maintenance release replaces any usage of v24.1.1.
• Supports upgrades from any prior release.
• This release will be included as part of the U-Series Appliance image for the BeyondInsight and Password Safe 24.1.1 maintenance release.

May 2, 2024

Requirements

• We recommend a restart after this update.

New features and enhancements:

• There are no new features or enhancements.

Issues resolved:

• None

Notes:

• Direct upgrades to 24.1.0.1832 are supported from all previous versions.
• .NET Core hosting bundle updated from 6.0.27 to 6.0.29.
• .NET hosting bundle updated from 7.0.17 to 7.0.18.
• BeyondTrust customers can download this release from their Password Safe Cloud portal by navigating to Configuration > Resource Zones and clicking Download Installer.
• This release bundles version 23.2.1.1376 of the BeyondTrust Discovery Scanner. Corresponding release notes are available here: https://www.beyondtrust.com/docs/release-notes/beyondinsight-password-safe/index.htm.
• The MD5 signature is: 85A942B8C48018EFCEBC806511BCB2C8
• The SHA-1 signature is: 5F9E8677C1E44EA8BC7E9E7CA4E04259B430B2FC
• The SHA-256 signature is: 1DEFE3988932DCFFF2B70B0E2CCE919A60F7D188A129930D972B8F50ABEFD1D3

May 2, 2024

Requirements

• We recommend a restart after this update.

New features and enhancements:

• There are no new features or enhancements.

Issues resolved:

• None

Notes:

• Direct upgrades to 23.3.0.1794 are supported from all previous versions.
• .NET Core hosting bundle updated from 6.0.27 to 6.0.29.
• .NET hosting bundle updated from 7.0.16 to 7.0.18.
• BeyondTrust customers can download this release from their Password Safe Cloud portal by navigating to Configuration > Resource Zones and clicking Download Installer.
• This release bundles version 23.2.1.1375 of the BeyondTrust Discovery Scanner. Corresponding release notes are available here: https://www.beyondtrust.com/docs/release-notes/beyondinsight-password-safe/index.htm.
• The MD5 signature is: 2076D89FCC094FA9DFAF49C6BE6FD624
• The SHA-1 signature is: B9CDDA7677F9F5926F077F68C8DFAFA03553E5D8
• The SHA-256 signature is: 5ADC6430A6DF97751E3BAF77570C81C8014388D7C2994BB2904ED2EB2188A5EA

April 25, 2024

Requirements

• .NET 8.0.0 or later (available through BT Updater via Supporting Software SUPI subscription)
• SUPI 3.2 (available through BT Updater)
• BeyondInsight 24.1

New features and enhancements:

•  The Configuration Wizard now includes configuration for Endpoint Privilege Management (EPM) use cases. The appliance management software maintains the EPM features during new installations and upgrades. EPM features have been added to the Feature Selection screen of the Configuration Wizard, and the feature questionnaire has been updated to assist with enabling these new features. The new EPM features are:
  • Endpoint Privilege Management Event Collector
  • Privilege Management Reporting (PMR)
  • Endpoint Privilege Management Database Access
  • Endpoint Privilege Management Web Policy Editor (WPE)
•  Updated the Feature Configuration screen of the Configuration Wizard:
  • Endpoint Privilege Management tab added for configuring EPM database settings
  • SQL Server Feature tab updated to include SQL login accounts for the EPM Event Event Collector and the PMR Report Reader
• Updated the Appliance Feature Configuration page in the console to include the configuration of EPM features:
  • Endpoint Privilege Management Event Collector
  • Privilege Management Reporting (PMR)
  • Endpoint Privilege Management Database Access
  • Endpoint Privilege Management Web Policy Editor (WPE)
  • Modified SQL Server Database feature to include SQL login accounts for the EPM Event Event Collector and the PMR Report Reader
• Added ability to recognize and onboard existing EPM installation:
  • On service startup, check to see if the EPM features (DB, WPE, PMR) are already installed and configured.
  • Allow Admin to enable and disable SQL accounts.
  • Create script to create and delete an SQL user to allow PMR installation.
• Added support for EPM in Business Continuity:
  • Implemented High Availability support for EPM database
  • Included backup and restore support for EPM database
  • Included Cold Spare support for EPM database
  • Upgraded the pre-condition check for EPM to check account names
• Updated service monitoring and log files to include EPM:
  • Included service monitoring and notifications
  • Included log files for EPM events
  • Added EPM components to the Installed Software page
• UX improvement was made to update related saved credentials when a password is changed:
  • Update EPM credentials when a password is changed.
  • Update BeyondInsight saved credentials when a password is changed.
• Updated the appliance health monitoring service to be aware of the High Availability feature and to send applicable notifications for services being monitored in a pair.
• Created separate features for the BeyondInsight Manager Engine and Web Console.
• Updated appliance health monitoring to consider High Availability status when determining service health.
• BeyondInsight Single Sign-On Improvements:
  • When using the SSO feature to connect to another appliance, an error can be triggered and the token passed in the URL query string.
• Made improvements to account creation in the Configuration Wizard:
  • Better handling of special characters.
  • Restrict the administrator username from being used as the appliance admin account.
• Updates made to prevent 'Pending File Rename' message on cloud appliances.
• Updates made to ensure BeyondInsight certificates are created with the proper permissions.
• U-Series: .NET 6 upgraded to .NET 8.
• Added ability to export log files in intervals smaller than one hour.
• Improvements made to post-deploy script warning message:
  • Display post-deploy log
  • Allow user to re-kick off post-deploy script
  • Set image to fire the new post-deploy scripts
• Updated code in Backup and Restore to send IP addresses into call to determine local vs remote.
• Improvements made to show BeyondInsight for Unix & Linux (BIUL) status on the passive appliance in a High Availability pair. This prevents the setup from failing when BITS jobs are not being processed.
• Updates made to keep password policies in sync with BeyondInsight when changing passwords.
• Update made to Proxy Server configuration to allow each appliance to have it's own proxy server (vs. global solution setting in BeyondInsight).

Issues resolved:

• Resolved an issue where Dark Mode theme didn't stay saved after logout in all browsers.
  • A decision was made to have the Login page always load as light mode.
• Renamed the Security and Compliance > Administrator Credentials page to Security and Compliance > Account Management.
• Resolved an issue where, when socket communication is interrupted, some configuration steps did not show a complete status.
• Resolved several Backup and Restore defects.
• Resolved a layout issue on the Integrations > Email page in the console.
• Resolved a Configuration Wizard issue where screens were not complying with the min 1280 x 800 resolution. The screens now look as intended.
• Resolved an issue with appliance credentials where each credential description was behaving like a clickable link. This no longer occurs.
• Resolved a text case issue for the Internet Connections step in the Configuration Wizard.
• Resolved an issue where it was not possible to update BeyondInsight Credentials. Updates are now working as intended.
• Limited the number of notifications displayed in the console to 10,000. More than that may cause the page to not load.
• Resolved an issue where the High Availability page showed a random date if the heartbeat sync did not complete after a failover.
• Resolved an issue where dependency details were missing for the BIUL feature. These details are now available.
• Resolved a PMSMC (PBSMC) typo in Features Editor log.
• Resolved an issue where a section on the Local Computer Policy page showed the click finger but the section was not clickable.
• Resolved an issue where power options were not able to interact with the Reboot only if an update is pending a reboot option if the resolution was set to a lower value.
• Resolved an issue where, when the SQL Server service was set to OFF, the Appliance Features Configuration and Service Status pages were slower to load.
• Resolved an issue with Cold Spare where the notification email for a scheduled restore read Manual restore completed. The notification now read Scheduled restore triggered at (date).
• Resolved an issue where the log file export default Start Date is in the past and returns an error when saving the configuration. This no longer occurs.
• Resolved an issue where the letter case on action buttons was inconsistent on the IP Settings page. One button was all caps and the other had the first letter of each word capitalized. Both buttons now have the first letter of each word capitalized.
• Resolved an issue where the Copy Text button for API Key Registration box had an oversized click area which overlapped with the clear text X button. There is no longer an overlap.
• Resolved a formatting alignment issue with the bars at top of the Proxy Server page.
• Resolved an issue where validation messages did not reflect valid characters when updating credentials for the appliance.
• Resolved a Configuration Wizard issue where the BeyondInsight password was not recognizing exclamation points and some other non-alphanumeric characters as special characters.
• Resolved a Configuration Wizard issue where the page didn't recognize that the password met complexity requirements and did not proceed to the next step.
• Resolved an issue where the BT Updater password had different length requirements for characters on the appliance UI and Configuration Wizard.
• Resolved an issue where the SQL user passwords had different length requirements for characters on the appliance UI and Configuration Wizard.
• Resolved a Configuration Wizard issue where the Next button disabled when the user returned to the User Credential page.
• Resolved an Administrator Credentials issue with BT Updater Credentials & SQL Server Database Password where toast error messages were missing.
• Resolved an issue where backup failed because the data was too large for ZIP file format.
• Replaced Database Password with TCP/IP Database Connections for the SQL Server Feature in the Configuration Wizard.
• Cannot resume High Availability pairing if you upgrade U-Series to 4.1 before the pairing was complete in 4.0.
• Resolved a High Availability issue where services on the secondary did not start back up after TURN OFF HA was used on the primary.
• Resolved a High Availability issue where setup failed when BITS jobs were not being processed.
• Resolved an issue to show BIUL status on the passive appliance in an HA Pair.
• Resolved an issue with the 2022 Azure U-Series appliance where the user was receiving notification to reboot the appliance after logging in to the appliance dashboard.

Known issues:

• EPM Event Collector Service is missing from the log download page or log export page if there are no log files present.
• EPM/PMR High Availability requires that the source EPM accounts match on each appliance. Accounts require manual intervention to rename.
  • Workaround: Users need to manually create the EPM/PMR SQL Users in the database on the secondary node.
• Last Pass can interfere with the Deployment and Configuration Wizard.
  •  Workaround: Disable or log out of Last Pass or configure the appliance in incognito mode in the browser so that the browser extensions are not interfering with the wizard.
• When changing the EPM Database credentials on the host machine and remote collector password, if the EPM Database Access feature is turned off and then on, the user has to enter and confirm their password every time.
• The beyondtrust_user account is locked out after changing the Auth SQL Server password.
• Appliance self-signed certificate does not have subject alternate name (which does not support HSTS). For Chrome 58 and later, only the subjectAlternativeName extension (not commonName) is used to match the domain name and site certificate.

Notes:

• Security Management Appliance Installer 4.2 is dependent on BeyondInsight 24.1.
• Security Management Appliance package in BT Updater is dependent on BeyondInsight 24.1.
• This update is available through BT Updater or as a manual installer from the download tool.

April 23, 2024

Requirements:

• BeyondTrust ECM v1.6.0+

New features and enhancements:

• Added support for wildcard searches when retrieving endpoints to be presented as External Jump Items.
• Added support for the inclusion of availability information on managed accounts returned for the list of credentials presented to the user for injection.

Notes:

• Certified for GA
• Supports upgrades from any prior release