Dear Heimdal Partner and Customer,
We would like to inform you that two new versions of the Heimdal dashboard, Release Candidate version 4.3.4 (same scope as 4.3.3 RC plus the PEDM “Primary user” feature) and Production 4.3.6 are now live.
Starting Friday, Sep. 6th, 2024, the new Heimdal RC and Heimdal Prod. agents will be available for download in the dashboard's "Guide" section under the "Download and Install" tab. They will be deployed on a roll-out basis over the course of the coming weeks.
Here are the main features and improvements rolling in with the new 4.3.6 Prod.:
Heimdal Dashboard
Alternative mechanism available for Azure Active Directory synchronization
Starting with the 4.3.6 Production release, we offer customers an alternative Azure Active Directory synchronization mechanism, which honours the user-based access rules and permissions that have been set and is recommended for enterprises with very strict compliance norms and regulations.
This new mechanism allows dashboard users to register a dedicated application on the Microsoft Azure portal, in which they can granularly define the level of access, and to use that application for AAD sync purposes by providing an extra set of parameters, namely the application's Client ID and Secret Value, alongside the already required Tenant ID.
To use this alternative sync mechanism, the dashboard user needs to access the Guide section of the Heimdal dashboard -> Customer settings -> Azure AD & SAML setup tab, where the two new input boxes “Client ID” and “Secret Value” have been added.
Note: The two new fields are not mandatory (if left empty, the AAD sync mechanism will work as it works today).
If the new info is filled in, the application for which the Client ID and Secret Value were provided will be used. A dedicated link at the bottom of the Azure AD & SAML setup page (“Heimdal Azure App. registration guide”) redirects the dashboard user to a Knowledge Base article describing how to register an application on the Microsoft Azure portal.
If the Client ID and/or Secret Value are not correct, the following error will be displayed when trying to search for and select an AAD group.
Allow Microsoft (Azure Login) authentication only for dashboard login
Following the same train of thought (increased compliance), we’ve implemented a new functionality in the Guide -> Customer settings -> Azure AD & SAML tab, called “Allow Microsoft authentication only”. If enabled (the checkbox can be altered only if the “Log in to the Heimdal Dashboard using SAML 2.0” feature is enabled), it restricts dashboard users to logging in only via the Azure login method.
In case the dashboard users attempt logging in through the conventional “credentials” method, they will get an error message.
Heimdal Threat Prevention Endpoint and Network
DNS over HTTPS (DoH) for DNS Security - Network
This is a natural addition following the introduction of DoH for DNS Security – Endpoint (formerly known as Threat Prevention Endpoint) in the fall of 2022 (3.2.0 release). It keeps your organization one step ahead of the curve, as DoH is a game changer and constitutes the essence of DNS protection (a safer and more private way of navigating the Internet). The functionality encrypts Domain Name System traffic by passing all DNS queries through an HTTPS-encrypted session.
It consists of a new check box called “DNS over HTTPS Server”, found in the Network Settings -> DNS Security area of the Heimdal dashboard. It sits under the “HybridDNS” tickbox (which secures internal network DNS traffic by providing filtering capabilities on the customer’s own local DNS server, rather than forwarding DNS queries to Heimdal’s DNS Security – Network resolvers) and can be enabled or disabled only if HybridDNS is enabled. When the check box is ticked, a text field becomes available in which the DoH server domain or IP should be entered; all DNS queries are then resolved via that DoH server, except the queries related to the server itself.
DoH mitigates the risk of DNS spoofing and man-in-the-middle (MitM) attacks in your IT environment, ensuring by default that the session between the browser and the DNS server is encrypted and that nobody can alter the resolution results and point the end user's browser toward a malicious website.
Heimdal Patch & Asset Management
Pie chart and matrix data clickable for Patch & Assets Windows OS
To provide enhanced reporting capabilities in an intuitive and user-friendly manner, we’ve made the pie charts and matrices in the Windows OS Stats views of the 3rd Party Patch Management and OS Updates sub-modules clickable. After switching the toggle to Stats view (in the corresponding Windows OS Patch & Asset Management views), you can click on the info displayed in the CVSS/Severity pie charts and/or the “By release date” matrices and be redirected to a pre-filtered view (date range and severity/CVSS) showing only the 3rd party patches and/or OS updates that fall under that specific selection.
Heimdal Endpoint Detection
New Device Info notification for Firewall incompatibilities between Windows GPO and Heimdal GP
To prevent cybersecurity mishaps and further strengthen the security posture of your organization, we’ve introduced a new Device Info (formerly known as Active Clients) notification. It informs dashboard users that the Firewall on an endpoint is not handled by the Heimdal Agent, because it is currently handled by a Local Policy configured via Active Directory. Due to how the Windows Firewall functions, when an endpoint is configured via Local Policy the Heimdal Agent is unable to perform an isolation action. To avoid inconsistencies in the status of such a machine, which, under the old Firewall flow, was displayed in the Heimdal dashboard as isolated after an isolation action, we’ve added a new notification and a new icon that visually highlights that the outcome of the action might not be the expected one. The new icon is displayed in the Unified Endpoint Management -> Device Info -> Standard and Hardware views, in the Status column of the corresponding tables. When viewing the computer issue details, a new notification is also displayed, informing the user that “There are incompatibilities between GPO (Windows) Firewall set-up and Heimdal Firewall (GP) settings!”. The icon and notification appear only if the Heimdal Agent detects that the Firewall on the machine is handled by a Local Policy.
Creation of a “Heimdal RD” profile in the Isolation Allowlist Rules
A new Isolation Allowlist profile option has been added in the Heimdal Firewall Group Policy area (Endpoint Settings -> Endpoint Detection -> Firewall tab, Isolation Allowlist Rules section), allowing dashboard users to quickly add a new profile, Heimdal RD, and thus connect to isolated machines with the Heimdal Remote Desktop product.
Note: In order for the setting to take effect, the isolation profile needs to be enabled in the GP, PRIOR to the isolation event taking place.
If the Isolation Profile is enabled and a machine isolation is triggered via any of the available methods, a new Firewall rule is added in the Windows Firewall.
Heimdal Privileges & App. Control
“Primary user” PEDM functionality
This new functionality allows Heimdal users to define a “Primary user” per Windows hostname and allow only that user to request elevated privileges. A new checkbox, called “Primary user”, was added in the Endpoint Settings -> Privileges & App Control -> Privilege Elevation and Delegation Management tab. Once enabled, the option allows only the primary user to request admin privileges on that specific machine and starts collecting information (over 30-day timeframes) about each user that logs in on that machine, in order to determine the primary user based on the selected settings.
After enabling the checkbox, two new sub checkboxes will be displayed (at least one of the options has to be selected, in order to successfully update the GP):
• “Primary user based on AAD” - will set the Primary User to be the one defined in the Microsoft Azure AD configuration. This info will be retrieved through an API call, if available, and will automatically set that user as the “Primary User”;
• “Primary user based on first login” - will set the Primary User to be the first non-admin user to log in on each machine that is part of the GP where the feature is enabled, no matter whether it is a local or a domain account.
Note: If both options are enabled, the AAD settings will prevail over the first-login mechanism, when it comes to determining the Primary user.
In the PEDM product pages (Products -> Privileges & App Control -> PEDM) we’ve split the existing views into 2 tabs: PEDM (containing the previously available views) and a brand-new tab called “Primary User Management”.
In the newly created tab, a grid, containing information about endpoints and their primary users, will be displayed.
Each row displays:
• a unique hostname;
• the primary user set on that machine and the source from which it was defined (configured from Azure AD, or the first logged-in user);
• the AAD Primary user, if one was previously configured in Azure AD;
• the username with the highest number of logins on that machine during the last 30 days (“Most logins user”);
• an “Action” column containing a per-hostname drop-down list of all users that logged in on that machine in the last 30 days (selecting a user from this drop-down updates the primary user for that specific hostname).
When the dashboard user selects at least one row (multiple entries can also be selected), a “Select what action to take” drop-down list is displayed, from which the “Unassign primary user” action can be chosen.
Post clicking on the action a confirmation modal window will be displayed, showing the hostname(s) and corresponding user(s) which will be unassigned as primary user(s):
The “Action” column drop-down lists allow you to manually choose which users are mapped to each hostname. The drop-downs contain all the users that have been logging in on each machine during the last 30 days:
When one of the users is selected, a pop-up window will appear, displaying the hostname, the old primary user selection and the new one, asking you to confirm if you want to update the assignment. Clicking cancel will abort the operation.
The entries in this grid can be sorted ascending/descending by any column except Action; a search bar also allows filtering the entries by any column (except the number of logins for the most active user and the way the Primary User was set). The stats in the page header display, at customer level: the number of primary users configured in Azure AD (“AAD primary users”), the number of primary users configured based on the first login on each machine (“First login primary users”), the number of logins for each primary user for each machine (“Most logins primary users”) and the number of hostnames that do not have any primary user configured yet (“Unassigned hostnames”).
On the agent side, we will restrict the possibility of requesting any admin privileges (“Run as administrator” or “Administrator session”) only to the user that is configured as the “Primary User”.
Note: If any in-progress (WIP) elevations are in use on that machine when new Primary User info is received, all of them will be terminated immediately and the “Elevate” button in the agent will be grayed out. Also, the “Run with Admin Privileges” option in the context menu, used for file elevations, will be removed.
If the feature is enabled and a non-primary user requests a file elevation while the “Disable Windows Consent” option is enabled in Endpoint settings, the custom consent window will display the following message:
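As an added illustration (not Heimdal's code, and not a description of how the agent is implemented), the following Python models the selection rules described above: the AAD setting prevails over first login, only non-admin accounts qualify for first login, “Most logins user” is counted over the last 30 days, and the agent honours elevation requests only from the primary user. The `Login` records, the window start and the AAD lookup result are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Login:  # one interactive logon observed by the agent (constructed data below)
    host: str
    user: str        # local ("HOST\\name") or domain ("CORP\\name") account
    when: datetime
    is_admin: bool   # logged in with admin rights; never a first-login candidate

WINDOW = timedelta(days=30)  # the 30-day collection window from the release notes

def first_login_user(logins, host, enabled_at):
    """First non-admin account to log in on `host` after the feature was enabled."""
    cands = [l for l in logins if l.host == host and not l.is_admin and l.when >= enabled_at]
    return min(cands, key=lambda l: l.when).user if cands else None

def most_logins_user(logins, host, now):
    """Account with the most logins on `host` in the last 30 days ("Most logins user")."""
    counts = Counter(l.user for l in logins if l.host == host and now - WINDOW <= l.when <= now)
    return counts.most_common(1)[0][0] if counts else None

def primary_user(logins, host, now, enabled_at, aad_primary=None,
                 use_aad=True, use_first_login=True):
    """Return (user, source); the AAD setting prevails over first login when both are on."""
    if not (use_aad or use_first_login):
        raise ValueError("at least one Primary user option must be selected")
    if use_aad and aad_primary:          # aad_primary: result of the AAD API lookup, if any
        return aad_primary, "AAD"
    if use_first_login:
        user = first_login_user(logins, host, enabled_at)
        if user:
            return user, "first login"
    return None, "unassigned"            # counted under "Unassigned hostnames"

def may_request_elevation(requesting_user, primary):
    """Agent-side check: only the configured primary user may request admin privileges."""
    return primary is not None and requesting_user.casefold() == primary.casefold()

NOW = datetime(2024, 9, 6, 12, 0)
ENABLED_AT = NOW - WINDOW
LOGINS = [  # constructed sample logons
    Login("PC-01", "CORP\\alice", NOW - timedelta(days=40), False),  # before enabling
    Login("PC-01", "PC-01\\Administrator", NOW - timedelta(days=20), True),
    Login("PC-01", "CORP\\alice", NOW - timedelta(days=19), False),
    Login("PC-01", "CORP\\bob", NOW - timedelta(days=10), False),
    Login("PC-01", "CORP\\bob", NOW - timedelta(days=9), False),
    Login("PC-02", "PC-02\\helpdesk", NOW - timedelta(days=2), True),
]
```

With this data PC-01 resolves to CORP\alice by first login (the 40-day-old logon predates enabling), CORP\bob is the “Most logins user”, and PC-02, which only saw an admin logon, stays unassigned.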
Heimdal Email Protection
Option for IT admin to view and edit the End user console Allow and Blocklists
We’ve further enhanced the functionalities related to the End User Console and the way that IT Admins are able to interact with the “personal” Allowlist and Blocklists.
In this regard, a new table has been added to the "Allowlist, Blocklist, and Greylist" tab from the Network Settings -> Email Protection -> Email Security tab. This table contains all user-level (personal) rules found in the End User Console and displays both Allowlist and Blocklist rules.
Users having access to the Network Settings will be able to edit or delete rules from this grid (the grid is visible only if the "User Quarantine Report by Email" and "End User Console" checkboxes are ticked, under the Quarantine Settings tab, when editing an existing domain).
When it comes to editing, the only allowed action is switching a rule's type between Allowlist and Blocklist. This operation will also be reflected on the respective tables from the End User Console.
Also, when a rule is deleted from this table, for a particular email account, it will also be deleted from the End User Console of that specific account.
Additionally, under Products -> Email Protection -> Email Security -> Details, Inbound and Outbound grids, Details column, dashboard users now have the option to create Allowlist/ Blocklist rules either at personal or global (domain) levels.
If the user selects the “Personal” option, a new End User Console rule will be created (and also displayed in the new table under the Allowlist, Blocklist, and Greylist section in Network Settings).
Other improvements & fixes
Enhancement of "Select GP" dropdown functionality
With this release, we’ve added the “Select GP” dropdown list to other product grids: Next-Gen Antivirus & MDM, XTP, Ransomware Encryption Protection Endpoint, PEDM, and Zero-trust Execution Protection.
Windows Edition available in the Device Info -> Clients Specifics -> Device Info tab
This new info has been added to the above-mentioned tab, as well as to the corresponding API responses and downloadable .csv files.
The Edition info is also present in the hover text displayed when placing the mouse over the “OS” info from the Device Info Standard view.