Enterprise Recon 2.0.28

ER 2.0.28 Release Notes

Highlights

New MariaDB Database Support

In this release of ER2, MariaDB is now officially supported. Previously, customers used a workaround to scan MariaDB; it is now listed as an available database type within the scanning user interface. Customers using MariaDB can now expect full production support when submitting support tickets for this database type.

See Databases for more information.

Enhanced Permissions Architecture

ER 2.0.28 comes with a new User Permissions Architecture which enables Administrators to have more flexibility when assigning user permissions. Task delegation is now possible with:

  • Global Permissions, which allow Administrators to grant users access to specific pages on the Web Console to manage user accounts, create custom data types or configure security and compliance policies.
  • Resource Permissions, which offer greater control in assigning permissions to resources (e.g. Targets, Target Groups and credentials), down to a path on a Target. Administrators can now control actions like scanning, make only certain remediation options available, and determine the level of information that a user is allowed to view. This is particularly useful for organisations that want to restrict access to shared resources.

See User Permissions for more information.

Improved Support for SharePoint and Microsoft SQL

With the updated SharePoint module, you can now easily scan all site collections within a SharePoint on-premise deployment. Furthermore, the new credential management scheme enables you to conveniently scan all resources in a SharePoint Server even when multiple access credentials are required.

The capability to scan SharePoint Online (Office 365) in ER2 remains fully supported for deployments of any size.

The process of scanning Microsoft SQL servers has also been greatly simplified with the capability to view and select a specific database, or all databases within a given SQL server as part of the standard ER2 UI workflow.

See SharePoint Server and Databases for more information.

Scan Amazon S3 Buckets Protected By Server-side Encryption

Sensitive data can exist anywhere, even in encrypted cloud storage locations. With ER 2.0.28, you can now scan Amazon S3 Buckets protected by Amazon Server-Side Encryption to discover and protect personal data at rest in your Amazon S3 Buckets.

See Amazon S3 Buckets for more information.

Account Security Features For User Identification Management

ER2 now offers additional security measures that allow compliance with stricter corporate security policies. Administrators can enforce account security rules, including limiting repeated access attempts by locking out a user ID and setting a 30-minute lockout duration. In addition, password policies have been improved with a new minimum password complexity requirement and mandatory password resets every 90 days, to name a few.

See Security and Compliance Policies to learn more about the available account security and password policy settings.

Pre-Login Message Of The Day

Organisations now have the option to configure a login banner to be displayed before allowing users to sign in to the Web Console. Use the login banner to show users a message of the day, or to inform users on their legal obligations relating to acceptable use of the ER2 system.

See Legal Warning Banner for more information on how to set up and configure the login banner.

ER2 Is Now On CentOS 7

The ER2 Master Server has been upgraded to CentOS 7. An updated kernel, improved security features and support for operating system patches and updates until June 2024 mean you can be assured of enterprise stability and compliance with security best practices for your ER2 Master Server.

Please note that installing the ER 2.0.28 update will not automatically upgrade your master to CentOS 7. Please contact the Ground Labs support team at support@groundlabs.com to receive instructions on upgrading your ER2 Master Server installation to CentOS 7.

New and Improved Data Types

Storage of information relating to an individual’s race, ethnicity or heritage may be inappropriate or completely prohibited, and many organisations are required to validate whether this has occurred or is still occurring across any data storage locations.

To meet this requirement, ER 2.0.28 introduces a new Ethnicity (English) data type to bolster compliance with GDPR and related requirements by enabling detection of more than 400 types of data points related to race, ethnicity or heritage stored across your organisation.

Also included are two additional data types to assist customers looking for Romanian or South Korean personal and confidential details. For Romania, the Romanian national identity card number is now available and for South Korea, the corporate registration number (CRN) has been added.

Improvements have also been made for detection of South African ID and South Korean passport numbers.

For more information, see the Changelog below.

Changelog

What’s New?

  • New Input Module:
    • MariaDB.
  • New Data Types:
    • Ethnicity (English).
    • Romanian national identity card numbers.
    • South Korean corporate registration number (CRN).
  • Added:
    • New User Permissions Architecture which enables Administrators to have more flexibility and granularity when assigning user permissions.
    • New Security Policy and Compliance options for user identification management.
    • Configure a login banner to be displayed before allowing users to sign in to the Web Console.
    • You can now search for specific custom data types when creating a new version of an existing data type profile.
    • New test data patterns have been added for cardholder data types.

Enhancements

  • Improved Data Types:
    • South African ID number.
    • South Korean passport number.
  • Improved Features:
    • With the updated SharePoint module, you can now easily scan all site collections within a SharePoint on-premise deployment. Furthermore, the new credential management scheme enables you to conveniently scan all resources in a SharePoint Server even when multiple access credentials are required.
    • Scanning of Amazon S3 buckets protected using Amazon Server-Side Encryption methods is now supported.
    • Microsoft SQL server scanning has been greatly simplified to view and scan all databases on a Microsoft SQL server Target in a single workflow.
    • Existing Google Docs feature has been renamed to Google Drive and incorporates full support for scanning documents stored across Google Docs, Google Sheets and Google Slides.
    • Improved naming convention displayed for sub-paths under Cloud Targets.
    • Clearer error messaging if objects in the Recoverable Items folder for Microsoft Exchange or Office 365 Targets cannot be deleted during Remediation.
    • Improved support for scanning PST email file types.
    • Improved support for eliminating false positives within cardholder data type matches.
    • Improvement in false positive rates when scanning DOCX files.
    • Clearer messaging for errors related to out-of-memory exceptions.
    • Minor UI updates.

Bug Fixes

  • A partitioned IBM/Lotus Notes 9.0.1 Target could not be scanned successfully when the host name differed from the partition name. The option to specify the IBM/Lotus Notes partition is now available for ER2.
  • Incorrect value was displayed in the match inspector for the "File created" field.
  • Dashboard chart did not correctly indicate the date when a remediation or results removal (via trash icon) action was performed on a Target.
  • Oracle database tables with long column names that are encoded with Code Page 949 were marked as "Inaccessible Locations".
  • Scanning specific types of Word Document files would cause scanning engine failure.
  • Scanning Amazon S3 buckets with a very large number of files caused a "Memory limit reached" error.
  • Certain passport data type scenarios did not match in PowerPoint files.
  • Advanced Filter expressions on subsequent lines were cleared when the autocomplete entry was clicked.
  • The Scan History page for a Target displayed the incorrect scan status.
  • On specific desktop versions of Microsoft Windows, a scan that stopped because a Node Agent went offline did not resume when the Node Agent came back online. This issue could occur if the Node Agent was disconnected for more than 30 minutes.
  • Some user accounts were not returned as search results in the "Create a Notification" page when setting up global notifications and alerts.
  • A timeout error could intermittently occur when probing Office 365 Targets with a large number of mailboxes (more than 100,000).
  • Setting the Access Control List System Firewall default policy to "Deny" while allowing one remote connection would cause the Master Server to stop functioning properly.
  • Very large Excel files that require excessive amounts of memory to scan will be partially scanned if the scanning engine memory limit is reached, with a Notice level warning generated in the corresponding logs.
  • Existing Box Targets could not be edited to scan the whole Box domain if the initial scans only included specific Box folders or accounts.
  • Korean character matches found on Microsoft SQL Targets were not displayed correctly in the match inspector.
  • Scans appeared to be stalling when scanning cloud Targets with a huge number of files. This fix will improve the time required for initialising cloud Target scans.
  • The Settings button for Target locations shown in the TARGETS page was not mapped to the correct Target location. This occurred only if a scan was running on the Target.
  • Licenses were being consumed for Google mailboxes that were excluded from scans through global filter expressions.
  • Non-unique keys were generated in certain scenarios during Node Agent installation.
  • Scans stalled when scanning Exchange mailboxes that have a huge number of attachments.
  • When adding or editing a data type profile, selecting "All Types" after searching for a data type would cause the UI to restart.
  • Incorrect keys were printed in scan reports for Oracle database Targets when no primary key was present.
  • Repeated connection attempts by Node Agents from IP addresses that are denied via Access Control List rules would cause the datastore size to increase very quickly. With this fix, an additional timeout is introduced before each reconnection attempt, resulting in fewer logs and subsequently a reduced datastore size.
  • Changing the Group that a Target belongs to while a scan is in progress would cause the scan to stop.

Features That Require Agent Upgrades

Agents do not need to be upgraded along with the Master Server, unless you require the following features in ER 2.0.28:

  • Easily scan all site collections within a SharePoint on-premise deployment with the updated SharePoint module. Furthermore, the new credential management scheme enables you to conveniently scan all resources in a SharePoint Server even when multiple access credentials are required.
  • Easily scan all site collections, sites, lists, folders and files for a given SharePoint Online web application.
  • Fix for issue where scans appear to be stalling when scanning cloud Targets with a huge number of files. This fix will improve the time required for initialising cloud Target scans.
  • Fix for issue where non-unique keys were generated in certain scenarios during Node Agent installation.
  • Fix for issue where repeated connection attempts by Node Agents from IP addresses that are denied via Access Control List rules would cause the datastore size to increase very quickly. With this fix, an additional timeout is introduced before each reconnection attempt, resulting in fewer logs and subsequently a reduced datastore size.
  • Fix for issue where changing the Group that a Target belongs to while a scan is in progress would cause the scan to stop.

For a table of all features that require an Agent upgrade, see Agent Upgrade.