New Feature
Security Hardening Dashboard
Introducing the Security Hardening Dashboard, an innovative feature designed to offer comprehensive insights into the security postures of both the PAM360 application and server, bolstered by a dynamic security score. This centralized dashboard gives administrators a powerful tool to swiftly implement best practices, fortifying the entire PAM360 environment. Encompassing application, server, user status reports, and security hardening scores, this all-in-one toolkit serves as a valuable resource for maximizing the security potential of PAM360.
Refer to the help documentation to know more about the dashboard in detail!
Enhancement
PAM360 now supports the Hebrew language.
Behavioral Change
In previous versions, periodic password export schedules persisted in Resource Groups even in specific scenarios, such as when the option to export passwords to an encrypted HTML file was disabled globally or for specific users, or when password export was disabled for 'Resource Groups' in 'Export/Offline Access'. The 6520 upgrade rectifies this behavior to align with its intended functionality. After the upgrade, if the mentioned export choices are enabled, users must enable the corresponding schedule through the 'User Created Schedules' window to restart the schedule.
Bug Fixes
Security Fixes
Enhancements
Bug Fixes
Security Fixes
New Feature
Smart Login
We have introduced a convenient login method in PAM360: Smart Login via QR code. The feature allows
effortless login to PAM360 by scanning the QR code displayed on the PAM360 webpage using the PAM360
mobile application (Settings >> Smart Login). This direct login method streamlines the process
with passwordless authentication, thus significantly reducing login effort.
Note: To use this functionality, users should upgrade PAM360 web and mobile applications to the following versions as applicable.
New Integration
Integrate PAM360 with 800+ Business Applications Now via Zoho Flow!
PAM360's integration with Zoho Flow empowers users to deploy workflow automation across 800+ business
applications, focusing mainly on HR and IT Service Management (ITSM). The integration enables swift
onboarding and offboarding of users between recruitment/ATS systems and PAM360, thus seamlessly bridging the
HR and ITSM functionalities of an organization.
With this integration, a designated PAM360 REST API user can effortlessly craft custom workflows in Zoho Flow, connecting PAM360 to an extensive range of applications within Zoho Flow using its dedicated APIs, which perform pivotal actions such as user creation, group management, account control, and privileged resource sharing in automated workflow triggers.
Read our help documentation to know more about this integration, and real-time scenarios in detail.
Enhancements
Bug Fixes
Security Fix
Enhancements
Bug Fixes
Security Fix
A custom audit filter created by one user could be deleted by other users due to a security vulnerability, which has been fixed in this release.
Enhancements
REST API
Bug Fix
Enhancement
Behavioral Changes
When implementing the LDAP user import enhancement, several behavioral changes occur:
Bug Fixes
New Feature
Application Scaling using External PostgreSQL Cluster
For continuous and uninterrupted workflow with a day-to-day growing user base, increased API workloads,
user traffic, etc., we introduce an additional scalability function in PAM360 by which users can use
their external PostgreSQL cluster as the backend database.
Feature Highlights
Enhancements
Upgrade
The JRE (Java Runtime Environment) used in PAM360 has been upgraded from version 1.8.0_252 to 1.8.0_372.
Bug Fixes
Security Fixes
Enhancement
Earlier, during bidirectional transfer of files through SFTP in PAM360, connections could be established through local accounts only. Hereafter, users can utilize the domain account or the logged-in account (AD/Azure AD) credentials to establish the connections. This enhancement paves the way for flexible and secure file transfers.
New Features
Note: If you are already using an SSL agent for SSH/SSL-related operations, it's required to reinstall the agent for these new integrations to work seamlessly.
Enhancements
Upgrade
The JavaScript framework jQuery used in PAM360 has now been updated to version 3.6.0.
Behavior Change
Users can now maintain the following certificates at a count of five in PAM360's centralized SSL repository without affecting the available number of keys in the license:
Bug Fixes
Security Fixes
New Feature
Policy-Based Access Privilege Using Zero Trust Approach
Introducing our Policy-Based Access Privilege feature - an advanced security model designed to minimize
the risk of cyber-attacks and data breaches by eliminating the concept of trust. This is achieved by
calculating the trust scores of users and resources continuously in a dynamic manner using conditional
and predefined parameters with assistance from the respective installed agents. This decisive action ensures
that only authorized users/devices have access to the critical privileged resources in an organization.
How Does this Feature Work in Real-Time?
This new feature allows administrators to implement policy-based access privileges based on the trust
score methodology. It is achieved by installing user/resource agents on relevant devices, defining
parameters and weightage values, and creating access policies for the respective user/resource group.
After the access policies are configured, they are associated with the respective resource
groups via static resource groups. With this configuration in place, access privileges are granted
to the users or restricted based on the configured access policy conditions and criteria.
Salient Feature Highlights
Read our help documentation to know more about this feature, configurations, and real-time scenarios in detail.
Bug Fixes
Security Fixes
In this build, issues that allowed the following unauthorized privileged access to the users have been found and fixed:
Similar to the above fixes, we have fixed 16 such issues that led to unauthorized privileged access.
Bug Fixes
New Feature
HTTPS Gateway Server
We have introduced HTTPS Gateway Server, a feature that allows users to launch privileged HTTPS
connections to internal and external websites that are not directly accessible from the end-user
devices. PAM360 acts as an intermediary proxy and establishes connections with those devices.
The feature works by adding HTTPS-based web links to the resources configured under HTTPS Gateway in Auto Logon Helper. Once configured by the administrators, users can access those websites directly from the PAM360 interface via HTTPS Gateway connection, thus allowing organizations to provide secure privileged access to the internal or external web applications. The relevant details are captured under the Audit section.
See our documentation for more details about this feature and its configuration.
Enhancement
Security Notification
The PAM360 web console will display an in-product notification after each security release reminding the
administrators to upgrade the product.
New Feature
Support for New Two-Factor Authenticators
We have introduced the following authentication services in PAM360:
Enhancements
MSP Edition
REST API
Behavior Changes
Upgrade
This version of PAM360 comes with the upgraded third-party framework used for HTML5-based RDP and SSH gateway features.
Bug Fixes
Security Fix
Prior to this version, the PAM360 agent communicated with the PAM360 server without determining the validity of its SSL certificate in the following aspects, thus increasing the risk of external exploitation:
From now on, the PAM360 agent will check if a valid SSL certificate is installed on the PAM360 server before initiating communication, thereby boosting security.
Bug Fixes
New Feature
Self-Service Privilege Elevation for Linux
We are glad to introduce Self-Service Privilege Elevation (agent-based) for the Linux resources in
PAM360. This feature allows administrators to configure privileged commands, thus allowing
non-privileged users to execute them with an elevated privilege. The privileged commands can be
associated with specific accounts and resources as configured by the administrator.
Feature Highlights:
Key Benefits:
Please go ahead and read our help documentation to know more about Self-Service Privilege Elevation capabilities in Linux.
Bug Fix
In build 5900, users could not launch remote connections to endpoints using the AD and Azure AD account credentials. This issue has now been fixed.
Security Fix
In build 5900, a stored XSS issue occurred via the commands added in command groups while accessing query reports. This issue has been fixed in this build.
New Feature
SSH Command Control (Filtering)
We are delighted to announce SSH Command Control (Filtering) in the SSH-privileged remote sessions of
PAM360. This feature allows administrators to configure authorized command sets for the end users to use
in their SSH-privileged remote sessions. The command sets can be associated with specific accounts,
resources, and resource groups that get delegated to end users.
Feature Highlights:
Key Benefits:
Excited to know more about configuring and using this feature? Please go ahead and read our help documentation.
Bug Fixes
Enhancement
PAM360 now supports OAuth 2.0 authentication for SMTP-based email communications using Microsoft Exchange Online to provide a secure channel for the outbound emails from PAM360. Users can configure Microsoft Exchange Online as the mail server through which PAM360 sends email notifications. During the setup, PAM360 verifies the connection with Microsoft Exchange Online using the Tenant ID, Client ID, and Client Secret value taken from the Microsoft Azure portal. This mechanism eliminates the need for users to provide account credentials to authenticate the notification emails. Users can choose Microsoft Exchange Online under 'Admin >> Settings >> Mail Server Settings' to activate OAuth 2.0 authentication for all emails sent from PAM360.
Security Fix
A SQL injection vulnerability (CVE-2022-47523) in our internal framework, which would have allowed all PAM360 users to access the backend database, has been addressed and fixed.
New Features
Enhancements
Upgrade
The internal security framework has been upgraded to the latest version to reduce the occurrence of vulnerabilities and bolster overall security.
Bug Fixes
A third-party library has been upgraded in PAM360.
Some bug fixes and enhancements have been done.
Upgrade
The Apache Commons Text jar has been upgraded from version 1.8 to 1.10.0.
Security Fixes
Bug Fix
Earlier, the Search function failed to work when multiple text filters were added. This issue has been fixed.
Behavior Change
PAM360 will no longer support the 32-bit and 64-bit versions of the C++ agent for Windows and Windows Domain systems or the C agent for Linux. The C and C++ agents will still be functional in the older versions of PAM360 past this date. However, we highly recommend using the C# agent for Windows and Windows Domain machines and the Go agent for Linux machines, as they come with additional features, such as password reset listeners, dynamic account filtering, and self-service privilege elevation in Windows. Refer to the forum post to learn more about the end of support announcement.
Enhancements
Bug Fixes
New Feature
To provide uninterrupted access to passwords, we have introduced another functionality: the Read-Only (RO) server for the PostgreSQL database. Unlike High Availability, where there is one Primary server and one Secondary server, multiple Read-Only servers can be configured. The Read-Only servers function as mirror servers, synchronizing all of the Primary server's operations. In the event of a Primary server failure, administrators can convert any Read-Only server into the Primary server and reconfigure all other Read-Only servers to point to the new Primary server. Read-Only servers can be configured from 'Admin >> Configurations >> Read-Only Server.'
New Feature
PAM360 Remote Connect - a Native Desktop Client for Remote Access
Introducing PAM360 Remote Connect—an independent desktop client for Windows, designed to
facilitate direct remote access to Windows and SSH-based target resources without the need for multiple
remote clients or web browsers. PAM360 Remote Connect harnesses the ability of Windows' native Remote
Desktop client and the SSH Putty client to launch RDP and SSH-based connections from a centralized
console. The lightweight desktop client directly leverages the PAM360 web application's privilege access
governance to regulate remote access to the critical assets in your environment. It offers enhanced ease
of use and a superior user experience with its faster and smoother RDP and SSH-based remote connections.
Besides, it has auditing capabilities—the session audit trails are recorded in PAM360's web
application. PAM360 Remote Connect is compatible with PAM360 build 5600 and above. To learn more and to
download PAM360 Remote Connect, click here.
Bug Fixes
From build 5500 onwards, administrators were unable to delete a user profile if the user had created any type of resource discovery task. Also, if the user owned a discovery schedule, administrators were unable to transfer the schedule ownership to another user from 'Discovery >> Schedule.'
Security Fix
We identified several SQL injection vulnerabilities in the Search and Resource Group export operations that were caused by improper user input validation. These issues have been fixed.
Enhancement
Integration with Entrust nShield Hardware Security Module (HSM)
PAM360 now offers a new data encryption method—Entrust nShield HSM. Through this integration,
users can switch from PAM360's native encryption method to Entrust nShield's hardware-based data
encryption for the privileged identities and the personal passwords stored in PAM360. Users can secure
their data encryption key within the HSM to safeguard it locally in their environment.
Bug Fixes
Enhancements
New Feature
Folders
We have introduced a new feature - Folders in PAM360, which allows the users to organize the resource
accounts stored in PAM360 under various custom folders. The 'Folders' option is available for the
Resources and Connections tabs. Administrators can enable or disable the 'Folders' option from 'Admin
>> Settings >> General Settings >> Miscellaneous'. This system of organizing the
accounts based on personal preferences will allow users to manage them effortlessly.
Bug Fix
In Linux, when users tried to discover accounts using a root user account while direct login access was disabled, the account discovery failed. This issue has been fixed.
New Feature
Integrating with a new Ticketing System: BMC Helix Remedyforce
PAM360 now integrates with BMC Helix Remedyforce. This integration ensures automatic validation of
service requests related to privileged access. Through this integration, administrators can mandate
users to provide valid ticket IDs to gain authorized access to privileged passwords. The integration
helps in granting approvals to access requests through automatic validation of the corresponding service
requests in the ticketing system.
Enhancement
Two new fields - PAM360 User Full Name and PAM360 User Email Id have been added to the 'Column Name' drop-down under 'Ticketing System >> Advanced configurations'. This will allow administrators to configure the ticketing system to validate tickets based on User Full Name and Email Id.
Behavior Change
Bug Fix
From build 5500, elevation of applications using Self-Service Privilege Elevation failed due to an invalid response from the PAM360 server. The issue has been fixed.
Enhancements
The Connection tab comes with the following improvements:
Security Fixes
New Feature
PAM360 now supports creating schedules for automatically discovering new privileged accounts during Linux, Network Devices, and VMware discovery.
Enhancements
New Query Reports:
Bug Fix
From build 5400, administrators were unable to import users through AD. The issue has been fixed.
Security Fix
An authentication bypass vulnerability (CVE-2022-29081) affecting ManageEngine PAM360 builds from 4001 to 5400 has been fixed. It occurred due to an improper URI check that allowed an adversary to bypass security checks in seven REST API URLs, gain unauthorized access to the application, and invoke the following operations:
Enhancements
Upgrades
Bug Fixes
Behavior Change
The API handling code which earlier responded to the V1 API format of ServiceDesk Plus MSP will henceforth respond to their V3 API format.
New Feature
Integration with the Cortex XSOAR RPA Tool
ManageEngine PAM360 integrates with Cortex XSOAR, a Robotic Process Automation (RPA) tool that allows
users to build standardized responses through commands to facilitate the automation of software
processes. PAM360 provides various commands that cover a wide range of automation tasks to perform
operations, such as creating resources and accounts, fetching passwords, updating resource and account
details, wherein the commands can be combined to create a complete endpoint management workflow.
Enhancements
Behavior Change
Before the upgrade, if the 'Autofill' option was enabled in the user's browser, there was a chance for the browser data to get auto-populated in the 'VNC Passwords' field. Now, with the 5305 upgrade, all the VNC resource passwords will be added to an account called '_VNCACCOUNT_' under their respective resources.
Feature
Self-Service Privilege Elevation
Using the Self-Service Privilege Elevation feature, an administrator can allow a user to run a specific
application(s) with elevated privileges without sharing the privileged account passwords. With this
feature, it is possible to perform administrative functions on an endpoint without the need for the
administrators to share the account passwords. The passwordless strategy used to run applications with
elevated account privileges assures that only the intended administrative tasks are performed by a user
without entering administrator credentials.
Enhancements
Security Fix
A SQL injection vulnerability that allowed users to access the restricted tables in 'Query Reports' has been fixed.
Security Fix
An authentication bypass vulnerability (CVE-2021-44525) that allows an adversary to gain unauthorized access to the application and invoke actions through specific application URLs has been fixed. It affects ManageEngine Access Manager Plus versions up to 4202.
Enhancement
Administrators can now enable and set up a customizable welcome message once a session commences. In addition, they can enable the session recording status in the session window.
Enhancement
New Agents
This release comes with two new agents - C# agent for Windows/ Windows Domain and Go agent for Linux.
Henceforth, it will be possible to restrict user accounts that are added via agents (the new agents
only) during account discovery, using regex patterns.
Bug Fixes
New Features
Enhancements
Behavior Change
From now on, all certificates with unique serial numbers will be listed under the 'Certificates' tab. However, the existing users can manage their already added certificates from the History section, which has now been moved under the 'Column Chooser'.
Bug Fixes
Security Fixes
Enhancements
Behavior Changes
Note: If your current Ticketing System is ServiceDesk Plus On-Premises or ServiceDesk Plus Cloud, this upgrade pack will disable the integration and delete the complete integration data. You will have to reconfigure the ticketing system again. So, make sure you save a backup of the advanced configurations in the form of screenshots for reference.
Bug Fixes
Security Fixes
Enhancements
Bug Fixes
Security Fix
Enhancement
Security Fixes
Security Fix
New Features
Bug Fixes
New Features
Enhancements
Bug Fixes
Security Fixes
Security Fix
New Features
Enhancements
Bug Fixes
Security Fixes
Enhancement
New Features
Enhancement
Bug Fixes
Security Enhancement
Earlier, PostgreSQL data directories in Windows installations were entirely accessible to all locally authenticated users. Now, as a security practice, we have applied the following measures, applicable for installations under the 'Program Files' directory:
New Features
Enhancements
Bug Fix
In PAM360 build 4000, while trying to integrate with ServiceDesk Plus, the "Invalid API key" error was encountered. This issue has been fixed in this build.