6.5 Privileged Access to Windows

Using Privileged Account Manager (PAM), you can provide access to a Windows computer in the following ways:

  • Remote Desktop Protocol Relay (RDP relay): Using this method, you can create a policy for a Windows RDP relay that the user can access from the User Console.

    This approach can be used when direct access to the target Windows system is blocked by the Windows Firewall.

    For information about configuring RDP Relay, see Remote Desktop Protocol Relay.

  • Remote Desktop Protocol Web Relay (RDP web relay): Using this method, you can create a policy for a Windows RDP web relay that the user can access from the User Console.

    For information about configuring RDP Web Relay, see Remote Desktop Protocol Web Relay.

  • Direct Remote Desktop Protocol (Direct RDP): Using this method, you cannot provide privileged access to the user, but you can monitor and audit user actions on the Windows server. The user can access this Windows server using any remote desktop client with their own Windows account credentials.

    This approach can be used when you want to avoid storing the credentials of the privileged users in Privileged Account Manager and avoid using a proxy.

    For information about configuring Direct RDP, see Direct Remote Desktop Protocol.

  • Run as Privileged User: Using this method, you can provide privileged access to a specific application on the Windows server. The user runs this application as a privileged user after connecting directly to the Windows server using any remote desktop client with their own Windows account credentials.

    This approach can be used when you want to provide privileged access to a specific application on the target Windows system.

    For information about configuring Run as Privileged User, see Run as Privileged User.

  • Credential Provider (CP): Using this method, you can provide privileged access to a Windows server that the user accesses with Privileged Account Manager credentials.

    This approach can be used when the target system has a host-based firewall and a proxy cannot be used to connect to it. It can also be used in a lab environment, where you need direct privileged access to the system without knowing the admin credentials.

    For information about configuring Credential Provider, see Credential Provider.

  • Application SSO: Using this method, you can provide privileged access to a Windows server and monitor the actions performed on the Windows machine without installing a Privileged Account Manager agent.

    For information about configuring application SSO, see Application SSO.

Based on the information in the following table, you can choose the appropriate method to establish a privileged session on a Windows system:

| Method | Keystroke Audit | Video Capture | Privileged Access | Live Session View | Command Risk & Automatic Session Disconnect | Access Through: User Console | Access Through: RDP Client | Authentication Through: Privileged Account Manager Account | Authentication Through: System Account |
|---|---|---|---|---|---|---|---|---|---|
| RDP Relay (Agent based) | | | | | | | | | |
| RDP Web Relay (Agentless) | | | | | | | | | |
| Credential Provider (Agent based) | | | | | | | | | |
| Direct RDP (Agent based) | | | | | | | | | |
| Run as Privileged User (Agent based; audits only privileged application access; privileged access to specific application) | | | | | | | | | |
| Application SSO (Agentless) | | | | | | | | | |

NOTE: Keystrokes are not audited in the Windows Command Prompt.