
What is new in Balabit Shell Control Box 4 F3

May 05, 2017

Extended support period for SCB 4 F3

Version 4 F3 has an extended support period, and will be supported for 6 months after SCB 5 LTS is released.

Balabit Shell Control Box wins at SC Awards Europe

The Balabit Shell Control Box has won the SC Awards Europe in the Best Identity Management category.

Cybersecurity Excellence Awards

The Balabit Shell Control Box was a finalist of the 2016 Cybersecurity Excellence Awards in the Privileged Access Management category. Another Balabit product, the syslog-ng Store Box (SSB), won in the Forensics category. Cybersecurity Excellence Awards are awarded each year to individuals, products and companies that demonstrate excellence, innovation and leadership in information security. Nominees are awarded based on the content of their nomination and the popular vote by the Information Security Community.

Indexing improvements in graphical protocols

To optimize indexing resources and improve the speed and performance of Optical Character Recognition in graphical protocols, you can now configure Indexer policies for every Connection policy to specify the languages typically used in these connections. For example, if you know that your users use only a few languages in their connections (for example, because they use the Remote Desktop Protocol (RDP) to access only English and French software), then setting these languages in the Indexer policy improves accuracy and reduces the time required to perform character recognition.

For details, see Chapter 15, Indexing audit trails in The Balabit Shell Control Box 4 F3 Administrator Guide.

Indexing Arabic text in graphical protocols

To make the audit trails of graphical protocols easier to review and manage in forensic situations, SCB 4 F3 adds support for Optical Character Recognition for languages that use Arabic characters. That way your auditors can search in the content of the graphical protocols, for example, in the texts typed or seen by a user in RDP, even if the text is Arabic.

SCB in Azure Marketplace

You can deploy SCB from the Microsoft Azure Marketplace, with a bring-your-own-license model. For details, see the Balabit Shell Control Box virtual machine page.

When deployed from the Azure Marketplace, you can use Azure File storage shares in your Backup and Archive Policies. This is very useful as the quota for the file storage can be changed dynamically, so the cumulative size of the audit trails is not limited to the OS disk size. You can set up this share as a normal SMB share in your Backup and Archive policies. The parameters for the policy can be obtained from the Azure portal.

Installing Balabit Shell Control Box as a Kernel-based Virtual Machine

You can deploy SCB as a virtual appliance using the Kernel-based Virtual Machine (KVM) solution. For details, see Appendix H, Installing Balabit Shell Control Box as a Kernel-based Virtual Machine in The Balabit Shell Control Box 4 F3 Administrator Guide.

Search connection metadata via the REST API

You can now access and search connection metadata using the REST API, allowing you, for example, to access this information from external applications, or to run timed queries automatically.

For details, see Section 13.7, Searching in the connection database in Using the Balabit Shell Control Box REST API.

More SCB features accessible using the REST API

To make integrating SCB into various management systems easier and more complete, you can now access several SCB features using the RESTful API, including:

Other features will be available via the REST API in future releases.

For details, see Using the Balabit Shell Control Box REST API.

Splunk integration

Balabit provides an add-on and an app for Splunk, integrating SCB logs into Splunk, and making SCB information available in other Splunk apps, for example, in the Splunk Enterprise Security app. The BalabitSCB Add-On for Splunk and the BalabitSCB App for Splunk are both available for free on Splunkbase.

For details, see Procedure 4.5.1, Configuring system logging in The Balabit Shell Control Box 4 F3 Administrator Guide.

HPE Security ArcSight CEF Certification

SCB has received the HPE Security ArcSight CEF Certification, and can send logs to the HPE ArcSight Data Platform via a syslog-ng relay (syslog-ng Premium Edition 5 F6 or syslog-ng Open Source Edition 3.8 and later).

Plugin framework for authentication and authorization (AAPlugin)

SCB now includes a new plugin framework that allows you to integrate with external third-party tools to request authentication or authorization for connections that SCB monitors. As a first step, AAPlugins are supported only in RDP connections.

Such plugins allow you, for example, to request additional challenge-response information from the user or an external system (for example, LDAP or Active Directory), and permit or deny the connection based on this information. For details, contact the Balabit Support Team.

Inband destination selection improvements in RDP

Using inband destination selection in RDP connections without a Terminal Services Gateway was difficult and limited, because Windows RDP clients often send only the first 9 characters of the username to the server. SCB now supports parsing key-value pairs from the username, making it possible to encode the address and port of the target server into the username of the client.

General improvements and changes

  • To improve the protection of your sensitive data, SCB can now authenticate on your mail server, and send emails over an encrypted channel. This applies to every email sent from SCB, including alerts to the administrators, and reports sent to other users. For details, see Procedure 4.5.2, Configuring e-mail alerts in The Balabit Shell Control Box 4 F3 Administrator Guide.

  • Due to popular customer demand, SCB keeps support for GSSAPI-based authentication. This means that in contrast to earlier announcements, this feature is not deprecated, and is still available in version 4 F3 and later.

  • On the Connections and the Channel Policies pages, as well as when configuring the network interfaces of SCB, you can also enter a hostname instead of the IP address into most fields, and SCB automatically resolves the hostname to an IP address. Note the following limitations:

    • SCB uses the Domain Name Servers set in the Basic Settings > Network > Naming > Primary DNS server and Secondary DNS server fields to resolve the hostnames.

    • Only IPv4 addresses are supported.

    • If the Domain Name Server returns multiple IP addresses, SCB selects randomly from the list.

  • In SSH connections, SCB now supports the diffie-hellman-group-exchange-sha256 and diffie-hellman-group-exchange-sha1 KEX algorithms.

Deprecated features

  • Sending data to an Intrusion Detection System (IDS) or a Data Leak Prevention (DLP) system is deprecated and has been removed in SCB version 4 F3.

  • The indexing functionality of the Audit Player (AP) is deprecated and will be removed from release 4 F4. The Audit Player application will be available and supported for offline playback of audit trails.


Since the official support of Internet Explorer 9 and 10 ended in January 2016, they are not supported in SCB version 4 F3 and later.