9.6 Disconnecting a Privileged Session

A privileged user can start a remote desktop session to a Windows server or desktop by using RDP relay, Direct RDP, or Credential Provider, and a session to a Linux server by using pcksh and SSH relay. If the user performs an unauthorized action, you, as an administrator, can disconnect that session and, if required, block the user from starting the session again. The administrator can configure the level of risk, enable auto disconnect, and enable auto block. You can either disconnect the session manually or configure this feature to disconnect the session automatically.

You can also disconnect a database or an application session.

9.6.1 Prerequisites for Disconnecting a Session

  • When defining policies, ensure that Run Host is the same as the agent name that you specified in the Host console.

  • If you want to grant a framework user access to the reporting console that includes the disconnect field, then in the Framework User Manager console, add the user to a group that has a role with the following specification:

    • Module: *

    • Role: *

    For information about Framework User Manager, refer to Section 6.0, Managing Framework Users and Groups.

9.6.2 Disconnecting the Session Manually

When you, as an administrator, are monitoring the activity performed on a remote machine for a particular session and you find that an unexpected command was run on the remote server, you can disconnect the session manually and send the reason for disconnecting the session to the user. You can also block the user from using the session again.

The administrator can disconnect the session when a high risk level or any suspicious activity is displayed in the Report data of the Reporting console. To disconnect a user from the session on which an unauthorized command is used, perform the following steps in the Reporting console:

  1. Click Command Control Reports, then select the report.

  2. Open the session that is active.

  3. In the Disconnect Reason field, specify the reason for disconnecting the session.

    This is required for auditing.

  4. (Conditional) If you want to block the user from connecting to the same session, select Block User.

    By default, this check box is deselected, because you might want to warn the user about the unauthorized activity that was performed during the session rather than block the user.

    NOTE: When you block a user from a session, the user is added to the Blocked Users list and is blocked from accessing any of the sessions.

  5. Click Disconnect.

9.6.3 Disconnecting the Session Automatically

You can automatically disconnect the session based on the risk of using a command. In case of emergency access, the session is disconnected automatically based on the expiry time that is specified for emergency access.

NOTE: An SSH relay session cannot be disconnected automatically.

Disconnecting a Session Based on Risk Level

An administrator can configure Command Risk to automatically disconnect a remote session when a particular risk level is detected or when a user executes a particular command.

The administrator can add commands to a rule and enable the auto disconnect feature for the required commands that can be performed on the remote Windows server or desktop.

NOTE: For a pcksh session, a disconnect based on risk can occur either when the command /usr/bin/pcksh -o audit 1 or /usr/bin/pcksh -o audit 2 is defined in the Rewrite field for the Commands object, or when the Enhanced Access Control Policy script is added.

To configure disconnecting the session automatically, perform the following:

  1. In the navigation pane of the command control console, click the command icon, then select Command.

  2. In the details pane, click Command risk.

  3. Set Command Risk.

    For information on setting the command risk, refer to Setting the Command Risk.

    Specifying 1 in the Auto disconnect field automatically disconnects the user when the specified command is executed on the host server. Specifying 1 in the Auto Block field blocks the user from starting the session again.

Disconnecting a Session Based on Expiry of an Emergency Access Request

When you have approved a request for emergency access for a specific time frame, the session expires after the expiry time, which includes the grace period along with the specified time. To disconnect a session based on the expiry time, you need to configure the administrative settings for emergency access. For information about configuring the settings, refer to Configuring Emergency Access Settings.

9.6.4 Viewing the Disconnect Fields in the Reporting Console

In the Reporting console, an administrator can view which session was disconnected, the type of disconnect (automatic or manual disconnect), and the reason for disconnecting the session. This can be monitored by using Command Control Reports. To include the fields that display the disconnect information, perform the following:

  1. On the home page of the console, click Reporting.

  2. Click Command Control Reports, then click the required report.

    To add a report, refer to the section Adding a Report.

  3. Click the Filter tab, then select Disconnect Details.

    The Disconnect Type and the Disconnect Reason fields are displayed under Report Data.

To view the reports for only the disconnected sessions, select Disconnect Report in the Command Control Reports.