What’s New in the BeyondTrust UVM Appliance 2.2
BeyondTrust is pleased to announce UVM Appliance version 2.2. This new version of our privileged access management and vulnerability management appliance software enhances functionality and capabilities for new and existing UVM appliances. Enhancements include the following:
- A new UVM appliance model is available without MS SQL Server to lower costs, provide flexible architectures, and lower resource requirements for advanced architectures or clients that have existing MS SQL infrastructures
- New functionality provides automatic restoration of backups to a Cold Spare for Disaster Recovery and lab testing
- UVMs are now permitted to join a Windows Domain under specific conditions
- The addition of the BT Server Hardening Utility 1.0 for software installations of BeyondTrust software to mimic hardening used on appliances
- UVM VMware 6.5 virtual appliance support
- Two-factor authentication with Radius on the UVM for appliance management accounts
Read below for more details on these new enhancements.
UVMs without MS SQL Server
BeyondTrust is offering a brand-new UVM appliance without MS SQL Server. On this model, MS SQL Server is not installed and carries no associated costs; the appliance requires a remote MS SQL Server to work, either on another UVM appliance or one supplied by the organization. This configuration is ideal for organizations that are leveraging more than one appliance to save costs or have existing MS SQL clusters that can be leveraged for BeyondTrust technology.
UVM Cold Spare
Based on customer feedback, Cold Spare use cases have become a required component in many architectures. Typically, these involve the purchase of a third UVM that remains idle with a recent database and keys as a cold spare (standby) system. The backup from the primary can be restored at any time with the same functionality, and the spare can resume operation in a short period of time, normally under 20 minutes. This process is fully automated and allows for daily backup and recovery natively in the appliance diagnostics menu. For a representation of this new capability, please see the screenshot below.
UVM Appliances on a Windows Active Directory Domain
BeyondTrust now supports joining UVM appliances to a Windows Active Directory Domain under specific circumstances and using strict settings, including:
- Joining a UVM appliance to a Domain is allowed when internal policy requires it or when Windows Authentication is required for remote MS SQL connectivity (typically for regulatory compliance).
- UVM appliances must be in their own OU and have Block Inheritance Enabled in order to preserve appliance hardening and update settings.
- Appliances will detect this change and report accordingly if there is a problem.
Server Hardening Utility
Many clients choose the software version of BeyondTrust solutions in lieu of appliances. To that end, they would like hardened software installations with the same best practices to avoid an incident. BeyondTrust has taken these settings and now made them available in a standalone utility to perform client-side hardening on any supported Windows Server using LocalGPO. This allows for:
- The Hardening Policy applied by BeyondTrust development during the creation of a UVM Appliance is now available as a utility for software installs by end users, partners, and professional services.
- The tool utilizes Microsoft’s LocalGPO tool to apply local policy settings such that settings can be edited and reviewed by the end user.
- The tool first executes a comparison against the local settings in order to troubleshoot “un-hardening” if a problem arises.
- Support for Microsoft Windows Server 2008 R2 and 2012 R2.
For a representation of this utility, please see the screenshot below.
UVM Appliance Radius Support
Per security best practices, UVM appliances can now have their administrative accounts managed by a 2FA Radius server. This feature configures the UVM to use the same Radius server that has been previously set up in BeyondInsight for standard users. In case of a Radius fault, a BeyondInsight administrator can temporarily disable 2FA to allow appliance access, or use UVM Emergency Access to turn off any configured Radius server physically from the appliance LCD panel.
UVM VMware 6.5 Support
BeyondTrust UVM appliances now support VMware 6.5 and the new HTML5 web management client and vSphere client.