16.2 Session Management

Using the following methods, you can provide a privileged session to a user and capture the user's actions in that session:

16.2.1 Remote Desktop Protocol Relay

The Remote Desktop Protocol Relay (RDP Relay) feature offers Single Sign-on capability and remote access to desktops through a secured connection. In a privileged session, an administrator user who is allowed to access various devices can sign on to many managed devices from a single workstation without knowing the authentication passwords of those devices. In addition, the user can remotely view the desktops of the managed devices and work on them.

You enable privileged sessions for an administrator user with the user's information. Then you associate the privileged session with a rule that controls the commands that the user can run on permitted devices and applications.

NOTE: RDP Relay is supported with the following installers:

  • Windows Installers

  • Generic Linux Installers

Configuring the RDP Relay

You can configure an RDP Relay for Windows machines to allow users to access these machines remotely without the privileged account credentials.

For the steps to configure it, see Workflow to Configure Privileged Access for Windows.

NOTE: In Windows 2008 R2, configure the following User Account Control settings:

  • Disable Switch to the secure desktop when prompting for elevation.

  • Set UAC: Behavior of the elevation prompt for administrators in Admin Approval Mode to a value other than Prompt for credentials on the secure desktop and Prompt for consent on the secure desktop.

If RDP Relay to Windows 10 or Windows 2016 fails with an error, see the section RDP Relay to Windows 10 or Windows 2016 Fails with a Network Authentication Error to work around the issue.

Accessing the RDP Relay

After an RDP Relay is configured by an administrator, the user can access the privileged session as follows:

  1. Launch the My Access page.

    In a browser, specify the IP address of the Framework Manager in the address bar in the following format:

    https://<IP address of the Framework Manager>/pam

  2. Press Enter. A Login screen appears.

  3. Specify the username and password to log in to Privileged Account Manager and click Login.

  4. Click Windows, then click the icon before the appropriate resource name.

    An RDP file is downloaded.

  5. Save and open the RDP file to launch the session.

NOTE:

  • The RDP Relay Manager name is always shown in the RDP connection bar.

  • When connecting to the remote session, specify the username in capital letters.

  • When establishing a remote session through RDP Relay, the following error may be displayed:

    The remote computer disconnected the session because of an error in the licensing protocol

    To continue establishing a remote session, perform the following steps before starting an RDP session:

    1. Install the latest version of Privileged Account Manager.

    2. Launch Internet Explorer in Run as administrator mode.

16.2.2 Credential Provider

The Credential Provider feature lets users single sign-on to any Windows server or desktop through a secured Remote Desktop Connection. With Credential Provider, users can log in to a Windows server or desktop as a privileged user by using their Privileged Account Manager credentials.

Configuring Credential Provider

You can create a rule to allow or deny specific users access to a Windows server or desktop. To disconnect a session, see Disconnecting a Privileged Session.

To configure the rule for a Windows server or desktop, perform the following:

  1. Ensure that the Windows computer that you want to access is registered with Privileged Account Manager as an agent. For more information, see Installing and Registering a Framework Agent.

  2. Ensure that you have added the account domain for the Windows computer. For more information, see Creating an Account Domain for Windows Systems.

  3. In the home page of the administrator console, click Command Control.

  4. (Conditional) If you want to control who can access a particular Windows computer, create a user group with the user names in capital letters.

    1. If you want to deny specific users access to the server or desktop, create a separate user group and add their user names (in capital letters) in the Users field. By default, all users are granted access to the server.

  5. Add a rule:

    1. In the Command Control pane, click Rules.

    2. In the details pane, click Add.

    3. Specify a name for the rule, then click Add.

    4. Select the newly added rule, then click the edit icon in the details pane.

    5. (Conditional) Configure the following for users who are allowed to access the Windows computer:

      Session Capture: Yes

      Authorize: Yes

      Run User: Submit User

      Run Hosts: Submit Host

      For more information about the rule configuration fields, see Modifying a Rule.

    6. (Conditional) Configure the following for users who are denied access to the Windows computer:

      Session Capture: No

      Authorize: No

    7. Click Modify.

    8. In the middle pane, click the commands icon.

    9. From the list of commands, drag the Windows Credential Provider Session command and drop it onto the newly added rule.

NOTE: If a user is not part of any defined user group, that user's actions are not monitored, but in the reporting console you can view the users who are connecting to the server or desktop and the time when they started the session.

16.2.3 Direct Remote Desktop Protocol

When a user connects to a remote Windows server through any Remote Desktop Connection client, the user's actions are not monitored. With the Direct Remote Desktop Protocol (Direct RDP) feature, however, you can control authorization and monitor the actions of users connecting to a remote Windows server or desktop through a remote desktop connection client.

You can connect to a Windows server or desktop by using your account credentials that are set up on the server. If you need to monitor the actions of users, you can use the Direct RDP feature. The Windows Direct Session command object is included with the rdpDirect command, which helps in monitoring the direct sessions. You can create a rule that specifies who is authorized to connect to a Windows server or desktop, and you can disconnect the session when any malicious activity is detected.

Configuring Direct RDP

You can create a rule to allow or deny specific users access to a Windows server or desktop. To disconnect a session, see Disconnecting a Privileged Session.

To configure the rule for a Windows server or desktop, perform the following:

  1. Ensure that the Windows computer that you want to access is registered with Privileged Account Manager as an agent. For more information, see Installing and Registering a Framework Agent.

  2. In the home page of the administrator console, click Command Control.

  3. (Conditional) If you want to control who can access a particular Windows computer, create a user group with the user names in capital letters.

    1. If you want to deny specific users access to the server or desktop, create a separate user group and add their user names (in capital letters) in the Users field. By default, all users are granted access to the server.

  4. Add a rule:

    1. In the Command Control pane, click Rules.

    2. In the details pane, click Add.

    3. Specify a name for the rule, then click Add.

    4. Select the newly added rule, then click the edit icon in the details pane.

    5. (Conditional) Configure the following for users who are allowed to access the Windows computer:

      Session Capture: Yes

      Authorize: Yes

      Run User: Submit User

      Run Hosts: Submit Host

      For more information about the rule configuration fields, see Modifying a Rule.

    6. (Conditional) Configure the following for users who are denied access to the Windows computer:

      Session Capture: No

      Authorize: No

    7. Click Modify.

    8. In the middle pane, click the commands icon.

    9. From the list of commands, drag the Windows Direct Session command and drop it onto the newly added rule.

NOTE: If a user is not part of any defined user group, that user's actions are not monitored, but in the reporting console you can view the users who are connecting to the server or desktop and the time when they started the session.
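The Credential Provider and Direct RDP procedures above describe the same three-way rule outcome: members of the allow group are authorized with session capture, members of the deny group are refused, and everyone else is authorized by default without capture. The following audit helper is an added example, not code from Privileged Account Manager; it models that rule outcome and reconciles it against the reporting-console view of who connected and when. It assumes (this is not stated on the page) that a group entry only matches a login when the stored name is identical to it, which is why the procedures require the names in capital letters.

```python
"""Audit model for the Credential Provider / Direct RDP rule outcome.

Assumption (not from the product documentation): a group entry matches a
login only when the stored name is identical to it. Under that assumption
a lowercase entry never matches, and the user silently falls into the
product default: authorized, but without session capture.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    authorize: bool
    session_capture: bool


def evaluate_rule(user: str, allow_group: set[str], deny_group: set[str]) -> Decision:
    """Mirror the two conditional rule entries from the procedure."""
    if user in deny_group:                 # Session Capture: No, Authorize: No
        return Decision(authorize=False, session_capture=False)
    if user in allow_group:                # Session Capture: Yes, Authorize: Yes
        return Decision(authorize=True, session_capture=True)
    # In neither group: allowed by default, actions not monitored (see NOTE).
    return Decision(authorize=True, session_capture=False)


def lint_group_entries(group: set[str]) -> list[str]:
    """Report entries that are not in capital letters; they will never match."""
    return sorted(name for name in group if name != name.upper())


def unmonitored_sessions(sessions, allow_group, deny_group):
    """Given (user, start time) pairs as shown in the reporting console,
    return the sessions that ran without session capture."""
    return [(user, started) for user, started in sessions
            if evaluate_rule(user, allow_group, deny_group) == Decision(True, False)]


# Constructed sample data, not taken from any real deployment.
ALLOW = {"ADMIN1", "OPS2", "dba3"}        # "dba3" is a lowercase mistake
DENY = {"CONTRACTOR9"}
SESSIONS = [("ADMIN1", "2024-01-05T08:00"),
            ("DBA3", "2024-01-05T08:10"),   # logged in as DBA3, no match
            ("GUEST7", "2024-01-05T09:00")]  # in no group at all

if __name__ == "__main__":
    print("group entries that cannot match:", lint_group_entries(ALLOW))
    print("sessions without capture:", unmonitored_sessions(SESSIONS, ALLOW, DENY))
```

Running the linter over the rule's user groups before deployment, and the reconciliation over the reporting console after, surfaces privileged logins that were allowed but never recorded.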