What is new in BalaBit Shell Control Box 3 F2

November 14, 2011


Table of Contents

1. Preface
1.1. Versions and releases of SCB
2. Managing passwords and other credentials
3. Lieberman ERPM integration
4. Custom reporting
5. Displaying user permissions
6. Compression in RDP connections
7. General improvements and changes
8. The Audit Player

1. Preface

Welcome to BalaBit Shell Control Box (SCB) version 3 F2 and thank you for choosing our product. This document describes the new features and most important changes since the latest release of SCB. The main aim of this paper is to aid system administrators in planning the migration to the new version of SCB. The following sections describe the news and highlights of SCB 3 F2.

This document covers the BalaBit Shell Control Box 3 F2 and Audit Player 2011.3 products.

Note

For step-by-step instructions on upgrading to 3 F2, see How to upgrade to BalaBit Shell Control Box 3 F2 at http://www.balabit.com/support/documentation/.

1.1. Versions and releases of SCB

As of June 2011, the following release policy applies to BalaBit Shell Control Box:

  • Long Term Supported or LTS releases (for example, SCB 3 LTS) are supported for 3 years after their original publication date and for 1 year after the next LTS release is published (whichever date is later). The second digit of the revisions of such releases is 0 (for example, SCB 3.0.1). Maintenance releases to LTS releases contain only bugfixes and security updates.

  • Feature releases (for example, SCB 3 F1) are supported for 6 months after their original publication date and for 2 months after the succeeding Feature or LTS release is published (whichever date is later). Feature releases contain enhancements and new features, presumably 1-3 new features per release. Only the last feature release is supported (for example, when a new feature release comes out, the last one becomes unsupported within two months).

For a full description of stable and feature releases, see Stable and feature releases.

Warning

Downgrading from a feature release to an earlier (and thus unsupported) feature release, or to the stable release is not supported: this means that once you upgrade a system from a stable release (for example 1.0) to a feature release (for example 1.1), you will have to keep upgrading to the new feature releases until the next stable version release (for example 2.0) is published, or risk using an unsupported product.

2. Managing passwords and other credentials

Implementing a single sign-on solution for administrators and other privileged users using remote access can greatly simplify password management on the remote servers and also improve the access control possibilities.

Credential Stores offer a way to store user credentials (for example, passwords, private keys, certificates) and use them to log in to the target server, without the user having access to the credentials. That way, the users only have to authenticate on SCB with their usual password (that can be stored locally on SCB or in your central LDAP database). If the user is allowed to access the target server, SCB automatically logs in using the data from the Credential Store. In a sense, using Credential Stores is an improved version of the keymapping available for SSH connections.

Figure 1. Authentication using Credential Stores


3. Lieberman ERPM integration

In addition to storing credentials locally, SCB integrates smoothly with Enterprise Random Password Manager (ERPM), Lieberman Software's privileged identity management solution. That way, the passwords of the target servers can be managed centrally using the ERPM, while SCB ensures that the protected servers can be accessed only via SCB — since the users do not know the passwords required for direct access.

4. Custom reporting

SCB supports creating custom reports and custom statistics, including user-created statistics and charts based on search results, the contents of audit trails, and other customizable content. Reports from custom queries executed on the databases of SCB can be created as well. For details, see Chapter 6, Browsing log messages and SCB reports in BalaBit Shell Control Box 3 F2 Administrator Guide.

Custom reports created in earlier SCB versions from the contents of audit trails are now available as report subchapters and can be included in multiple reports. The search keywords and other search-related parameters of existing custom reports can be modified on the Reporting > Content subchapter page, while other parameters of the report can be modified on the Reporting > Configuration page of the SCB web interface.

5. Displaying user permissions

To simplify auditing the privileges and permissions of SCB users and usergroups, the AAA > Permission Query page can display the privileges for the SCB web interface itself, as well as the parameters of connections that can be accessed by users or usergroups. For details, see Section 4.4.8, Displaying the privileges of users and user groups in BalaBit Shell Control Box 3 F2 Administrator Guide.

Figure 2. Displaying web interface permissions


6. Compression in RDP connections

SCB has supported compression in RDP connections since version 3.0. However, it was found that enabling compression in certain RDP channels causes problems: most notably, files copied in disk redirection channels can become corrupt in certain situations. Therefore, although compression support for RDP connections is enabled by default in SCB version 3.2, it can be disabled by unchecking the RDP Control > Settings > Enable compression option.

Note that disabling compression significantly increases the network load of RDP connections. The exact ratio of the increase depends on the content of the connections, but on average the network load can be expected to increase by 500%.

7. General improvements and changes

  • The usergroups of Channel Policies are treated separately on the client side (Gateway group) and the server side (Remote group). For details on how separating these groups is handled when upgrading an existing configuration, see Section 3, Gateway groups and remote groups in How to upgrade to BalaBit Shell Control Box 3 F2.

  • Starting with SCB version 3 F2, SSH connections that use Usermapping Policies must use gateway authentication as well. If you have any SSH Connection Policies that have a Usermapping Policy set but do not require gateway authentication (either inband or outband), adjust these Connection Policies to require gateway authentication.

  • In Bridge mode, SCB forwards DHCP traffic between the external and internal interfaces. However, other multicast and broadcast traffic is blocked.

  • The Connections > Inband destination selection > DNS Suffix option has been renamed to Append domain.

  • SCB automatically disables font smoothing (antialiasing) in Citrix ICA connections to improve text recognition in the Audit Player.

  • SCB automatically disables antialiasing in RDP connections to improve text recognition in the Audit Player. Note that only a few recent RDP client versions had antialiasing enabled by default.

8. The Audit Player

This section describes the main changes of the Audit Player version 3 F2 application.

  • It is possible to search for specific keyboard or mouse events.

  • The timeline of the audit trail shows display changes and user-input events.

  • When replaying an audit trail, the idle periods can be skipped.

  • Loading audit trail files is significantly faster.


© 2007-2011 BalaBit IT Security
Please send your comments or documentation bugs to: documentation@balabit.com