We want to inform you about the release of a new Heimdal™ RC agent version, 3.1.0, that will be live starting next Tuesday, July 12th, 2022. The Heimdal™ Release Candidate Agent will be available for download in the dashboard (“Guide” section, “Download and install” tab), starting Thursday, July 14th, 2022, and deployed, on a roll-out basis, over the course of the coming weeks.
Heimdal™ Dashboard
- Granular Access Control List and Roles for enhanced product management
As part of our continuous efforts to offer more granular permissions for managing the Heimdal™ dashboard, we added a new set of claims (Accounts -> click a dashboard user email -> Access Control tab) that give dashboard users different types of access rights to each product module. The new claims grant view rights, edit/perform-actions rights, or both, to the dashboard sections found under the “Products” section of the left-hand side dashboard menu, and the same types of rights to the Endpoint Settings area of the dashboard. On top of this, we also added a new set of claims for managing access rights to the Active Clients part of the Heimdal™ dashboard (“Manage Active Clients area”), allowing the user to either perform actions (Revoke, Delete, Apply to specific GP, etc.) or edit/view the Custom columns area of the Active Clients grid.
We also added the option to create custom roles that can be applied to the accounts pertaining to a customer.
The functionality is handled through the newly added claims in the Accounts -> click a dashboard user email -> Access Control tab, called:
- “View Custom Role Management area”
- “Full Control Custom Role Management area”
In Accounts, a newly created tab named “Custom Role Management” can be found, in which you have the option to Create/Update/Delete a role attached to the customer. After creating the role(s) in the Custom Role Management tab, you will be able to add them to one or more specific account(s) from the Accounts tab.
A very important aspect of adding multiple roles is that the access rights are cumulative. That means that if one role has a specific claim disabled and another has the same claim enabled, then when both roles are added to the account, the intended behavior is for the claim to be enabled.
We’ve also provided the possibility to automatically attach a role to users pertaining to Azure Active Directory synced groups, for the customers that have the SAML 2.0 dashboard login enabled (Guide -> Customer settings tab). This can be achieved by going into the Accounts -> Custom Role Management tab and either hitting the “Create New Role” button, then entering the role name, the AAD user group(s) to which it will be linked, and selecting the desired claims, or editing an existing role from the same tab and linking it to the desired AAD user group(s).
When accessing the Accounts section, clicking a dashboard user email, and going to the “Account” tab, you will be informed of any custom roles that are automatically applied to that account based on Azure AD groups (see the screenshot below), in addition to the manually added ones.
For the time being, this feature is accessible only to Reseller and Corp. Customers' account types.
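The cumulative rule and the AAD-group auto-attachment described above can be reviewed offline before roles are rolled out. The following is an added example, not Heimdal™ code or a Heimdal™ API: the `Role` structure, the role names and the AAD group names are constructed assumptions, and only the claim names are taken from this page.

```python
from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    claims: dict                                   # claim name -> enabled (True/False)
    aad_groups: set = field(default_factory=set)   # AAD user groups linked to the role


def applied_roles(manual, user_groups, catalogue):
    """Manually added roles plus roles auto-attached through AAD group membership."""
    auto = [r for r in catalogue if r.aad_groups & set(user_groups)]
    return list({r.name: r for r in [*manual, *auto]}.values())


def effective_claims(roles):
    """Cumulative rule: a claim is enabled if ANY applied role enables it."""
    granted = {}
    for role in roles:
        for claim, enabled in role.claims.items():
            if enabled:
                granted.setdefault(claim, []).append(role.name)
    return granted


def overridden(roles):
    """Claims one role leaves disabled but another enables (enabled wins)."""
    granted = effective_claims(roles)
    out = {}
    for role in roles:
        for claim, enabled in role.claims.items():
            if not enabled and claim in granted:
                out.setdefault(claim, {"disabled_in": [], "enabled_by": granted[claim]})
                out[claim]["disabled_in"].append(role.name)
    return out


# Constructed sample data (role names and AAD group names are made up).
HELPDESK = Role("Helpdesk", {
    "View Hostname groups": True,
    "Edit Hostname groups": False,
    "Full Control Custom Role Management area": False,
})
TIER2 = Role("Tier2-Admins", {
    "Edit Hostname groups": True,
    "Full Control Custom Role Management area": True,
}, aad_groups={"SG-Heimdal-Admins"})
CATALOGUE = [HELPDESK, TIER2]
```

Calling `overridden(applied_roles([HELPDESK], {"SG-Heimdal-Admins"}, CATALOGUE))` lists the claims that the manually added role leaves disabled but the group-linked role turns on for the same account.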
- Creation of Custom Columns in the Active Clients, Standard view
This functionality represents another example of our permanent efforts to better the dashboard user experience. For this purpose, we have implemented, in the Management -> Active Clients -> Standard view, the ability to add up to 3 new custom columns in the corresponding table/ grid. The access to perform customization or just to view it, from the Standard View, will be established by a category of claims (Accounts -> click on a dashboard user email -> Access Control tab) called “Manage Active Clients area”. Not all users will be able to customize the view, but all the users will be able to view it (“View Active Clients Custom columns” claim default provisioned).
If dashboard users have the “Edit Active Clients Custom columns” claim enabled, they will be able to press the “Column Options” button (Management -> Active Clients -> Standard View) and edit the current structure of the grid. When pressed, it opens a pop-up window (similar to the one from the next screenshot), which allows the user to reorder the columns, add up to 3 new columns, delete these newly added columns, and/or customize their names. The “default” columns cannot be renamed or removed, although the dashboard user is allowed to move them around and change their order (drag and drop). The Hostname column is pinned in place, always remaining the first one in the table.
The pop-up window contains an “Add” button, allowing the user to add a new custom column. These custom columns can have a custom name, can be deleted and their order can be changed. The pop-up will have an “OK” button (when pressed will save the new layout) and a “Cancel” one. When a new custom column is added to the grid, a horizontal scroll functionality will become active.
The data for the new customized columns can be added in two ways: either by manual insert (text field) or by importing a .csv file (“Import Custom data .*CSV file” functionality). When the addition of at least one new Custom column is detected, the “Import Custom data .*CSV file” field becomes active. The field has an info bubble next to it which, on mouse over, will display the following text: “This functionality enables you to import data to the custom columns. For a sample .csv click here”. We’ve also added the option to conduct searches based on the Custom column(s) name(s).
The new layout will be saved at the customer level (all the dashboard user accounts pertaining to that customer will be able to view/edit the customized layout). The custom information added in the Custom columns will also be displayed in the Client Specifics view (when a hostname is clicked), General -> Machine info tab, under the newly added “Custom info” section.
- Ability to map Hostnames to Hostname Groups in Active Clients
This new feature consists of a mechanism that enables the dashboard user to map machines, which have the Heimdal™ Agent installed, to custom Hostname groups defined by the customer.
A new section was added to the Active Clients area of the dashboard, named “Hostname groups view” (displaying all the Hostname groups created by the customer).
Clicking on the “Create group” button will open a pop-up window in which the user can input a Group name and a Group description, in order to create a hostname group.
In order to add hostnames to a Hostname group, the dashboard user has to select at least one hostname from the Management -> Active Clients -> Standard view and apply the “Add to group” command from the “Select what action to take” drop-down list. After the command is applied, a modal window will appear, asking the dashboard user to specify the group(s) to which the machine(s) need to be added and to either “Confirm” or “Cancel”. After confirming, the hostname(s) will be added to the selected group(s).
After adding hostnames to a group, you can go to the “Hostname groups”, click on a group in the grid and view its details. The group details page will allow you to edit the group name and description, remove hostnames from the group, and delete the group.
When hitting the “Delete Group” button or deleting a hostname from a Hostname group, the dashboard user will get a pop-up window asking them if they would like to perform the action or cancel it.
In order to map a Group Policy to be synced to one of the created Hostname groups, the group name must be set in the AD Computer Group field of that particular Group Policy.
Not all dashboard users will be able to create and/or edit groups (including adding/removing hostnames to and from the groups). This access right is governed by the “Edit Hostname groups” claim (Accounts -> click on a dashboard user email -> Access Control tab). All dashboard users will, however, be able to view the groups (“View Hostname groups” claim default provisioned).
Heimdal™ Endpoint Detection, Firewall:
- Firewall Predefined Rules
We added a new section in Endpoint Settings -> Endpoint Detection -> Firewall tab, called “Firewall Predefined Rules”, from which you can select, based on a predefined list of groups, which predefined rule you want to enable/disable in the Heimdal™ Firewall module.
These firewall groups are mapped in order to provide network connectivity for Microsoft Windows programs and services and the user cannot alter them. The “Show details” button, from the “Details” column, when pressed, provides extra details regarding the predefined rules (info that is not present in the grid).
- Allocation of firewall rules to local Active Directory computer groups
When creating/editing a Firewall rule (Endpoint Settings -> Endpoint Detection -> Firewall, Add New Rule/Edit), you will find a new section called “AD Groups”, in which you can select one or more Local Active Directory computer groups and apply firewall rules specifically to those (based on the following IP types: public/private/both).
Considering the creation and update mechanism for the Local AD Computer Groups, up to 24 hours might be required until a new/ updated AD Computer Group will be visible.
Heimdal™ Privileges & App. Control, Privileged Access Management:
- Ability to use local token verification when offline or online for PAM escalations
This feature provides a mechanism that enables the Heimdal™ Agent to request a dashboard-generated PIN in order to allow elevation of end users, thus enhancing the security of the module.
It comprises two new checkboxes, found in the Endpoint Settings -> Privileges & App Control -> Privileged Access Management -> Run as Administrator and Administrator Session areas of the dashboard, called “Local token elevation” and “Approval via Dashboard when online”.
When "Local token elevation" is enabled, a new setting called "Approval via Dashboard when online" becomes available.
In the Management -> Active Clients -> click on a hostname -> Privileges & App Control -> Privileged Access Mgmt., Client Specifics area of the dashboard, a new button has been added for generating a token. When clicked, a popup showing the token and its remaining lifetime (the PIN code refreshes every 60 seconds) is displayed.
Depending on how the feature is set up (reason for elevation required or not), the user will be prompted to input the PIN code when requesting elevation (screenshots from the Heimdal™ agent below).
If the PIN code is wrong, the error message “Invalid token!” is displayed in the earlier pictured pop-up windows.
Depending on the configuration, the PIN prompt will be shown at different points:
- if "Local token elevation" is selected, but "Approval via Dashboard when online" is not enabled, the PIN prompt will show up for elevations, regardless of whether the end user is online or offline;
- if "Local token elevation" is selected and "Approval via Dashboard when online" is enabled, the PIN prompt will not show up if the machine is connected to the internet, and in this case the elevation will be treated as Approval via Dashboard.
- PAM shortcut in GUIless Heimdal™ Agent
This feature adds a mechanism meant to differentiate between elevating users on multi-user sessions on Windows servers and normal PAM endpoint elevations. When the Admin Privilege service is started and detects that it is running on Windows Server, it adds a new Windows Presentation Foundation application called Heimdal.AdminPrivilege.SessionElevator to the Windows Start menu.
When the application is launched, the elevation process is started according to the Endpoint Settings and Group Policy setup, showing the “Require reason” window and all the corresponding pop-up screens.
Other enhancements & fixes:
- “Slimmed down” Heimdal™ Agent
This enhancement to the Heimdal™ agent saves computing power and provides better performance on the machines on which our agent is installed. We’ve streamlined the way in which the Heimdal™ products’ Windows Services operate: services that are not needed (corresponding to products/modules disabled in the Group Policies) are no longer installed by default, and are uninstalled when a currently enabled product/module is disabled. However, there are 4 services that will be running permanently, regardless of the GP settings: ClientHost, UptimeChecker, MonitorService, and UpdateService.
- Follow-up report for Extended Detection and Response customers
Our XDR customers will be delighted with the new “Follow-up XDR” report, which showcases, over a 90-day time frame, a synthesis of the most important data from the Extended Detection and Response customers’ environments: Active Clients status, Group Policies status, Product/ module risk levels, etc.
- Linux 3rd party patch management and Operating System Updates statistics added to the TPE & Vulnerability Management Interval report
This enhancement adds the relevant statistics for Linux 3rd party patch management and Operating System updates to the TPE & Vulnerability Management Interval report, found in the Accounts -> click on a dashboard user email -> Account, Reports section of the dashboard.
- Improved Category blocking feeds
Our Threat Prevention Endpoint & Network categorization mechanism has been improved; the enhancement is reflected in the “Block by category” functionality.
If you need help with anything, don’t hesitate to contact corpsupport@heimdalsecurity.com.