6.5.2 Agent-Based Session Management In Windows

Using the following methods you can provide a privileged session to a user and capture the user actions in the privileged session:

Remote Desktop Protocol Relay

The Remote Desktop Protocol Relay (RDP Relay) feature offers Single Sign-on capability and remote access to desktops through a secured connection. In a privileged session, an administrator user who is allowed to access various devices can sign on to many managed devices from a single workstation without knowing the authentication passwords of those devices. In addition, the user can remotely view the desktops of the managed devices and work on them.

You enable privileged sessions for an administrator user with the user's information. Then you associate the privileged session with a rule that controls the commands that the user can run on permitted devices and applications.

NOTE: RDP Relay is supported with the following installers:

  • Windows Installers

  • Generic Linux Installers

Configuring the RDP Relay

You can configure an RDP Relay for Windows machines to allow users to remotely access these machines without the privileged account credentials.

For steps to configure, see Work Flow to Configure Privileged Access for Windows.

NOTE: In Windows 2008 R2, configure the following User Account Control settings:

  • Disable Switch to the secure desktop when prompting for elevation.

  • Set UAC: Behavior of the elevation prompt for administrators in Admin Approval Mode to a value other than Prompt for credentials on the secure desktop and Prompt for consent on the secure desktop.
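As an added example (not part of this documentation or of Privileged Account Manager), the following PowerShell snippet reads the two UAC policy values that correspond to the settings in the note above and reports whether the host matches them, without changing anything. The registry path and value names are the standard Windows UAC policy values; the meaning table for ConsentPromptBehaviorAdmin is the documented Windows mapping, and treating a missing value as the Windows default is an assumption.

```powershell
# Added example: audit the UAC settings that RDP Relay needs on Windows 2008 R2.
# Read-only: it reports the current state and what would need to change.
$path   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $path

# Documented meanings of ConsentPromptBehaviorAdmin; 1 and 2 use the secure desktop.
$adminPrompt = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}

# Assumption: an absent value means the Windows default applies
# (secure desktop on = 1, admin prompt behavior = 5).
$secureDesktop = if ($null -eq $policy.PromptOnSecureDesktop) { 1 } else { [int]$policy.PromptOnSecureDesktop }
$behavior      = if ($null -eq $policy.ConsentPromptBehaviorAdmin) { 5 } else { [int]$policy.ConsentPromptBehaviorAdmin }

$compatible = $true
if ($secureDesktop -ne 0) {
    Write-Warning 'Switch to the secure desktop when prompting for elevation is enabled (PromptOnSecureDesktop=1); the note above requires it disabled.'
    $compatible = $false
}
if (@(1, 2) -contains $behavior) {
    Write-Warning ("Elevation prompt for administrators is '{0}' (ConsentPromptBehaviorAdmin={1}); choose an option that does not use the secure desktop." -f $adminPrompt[$behavior], $behavior)
    $compatible = $false
}
if ($compatible) {
    Write-Output ("UAC settings are compatible with RDP Relay: PromptOnSecureDesktop={0}, admin prompt='{1}'" -f $secureDesktop, $adminPrompt[$behavior])
}
```

Values pushed by Group Policy land in the same key, so the check reflects the effective setting; run it in an elevated PowerShell session, since reading the Policies\System key may otherwise be restricted.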

Accessing the RDP Relay

After an RDP Relay is configured by an administrator, the user can access the privileged session as follows:

  1. Click the home icon in the new Administration console.

  2. Specify the username and password to log in to Privileged Account Manager and click Login.

  3. Click Home > My Access > Predefined Tags > Windows and click the icon before the appropriate resource name. An RDP file is downloaded.

  4. You can administer the live Remote Desktop Protocol Web Relay session as it opens in Home > Active Sessions. The administrator audits the user actions in this privileged session and views these reports in the administration console.

  5. Save and open the RDP file to launch the session.

NOTE:

  • The RDP Relay Manager name is always shown in the RDP connection bar.

  • When connecting to the remote session, specify the username in capital letters.

  • When establishing a remote session through RDP Relay, the following error may be displayed:

    The remote computer disconnected the session because of an error in the licensing protocol

    To continue establishing a remote session, perform the following steps before starting an RDP session:

    1. Install the latest version of Privileged Account Manager.

    2. Launch Internet Explorer in Run as administrator mode.

Remote Desktop Protocol Web Relay

Privileged session monitoring and management is important for meeting compliance and security requirements, but it can be complex and time-consuming to achieve. From Privileged Account Manager 4.0 onwards, you can monitor and manage RDP sessions with the agent-based web relay capability.

Usage Scenario for Agent-based Windows Web RDP Relay

Consider a scenario where the administrator has to provide privileged access to a Windows agent so that the Privileged Account Manager user can access the session from the browser. For this scenario, the administrator must perform the following configuration in Access Control:

  1. Create a Windows or LDAP type Credential Vault resource for the Windows agent and add the respective credentials.

  2. Go to the Hosts console (old Administration Console), double-click the Windows agent, and add the vault created in the previous step to the vault label.

  3. Go to the new administration console, click Users, and add the users (LDAP or Local) who will be using the resource.

  4. Click Access Control > Users and create a user group and add the users who can access the resource. For more information, see Section 6.1.3, Configuring User Roles.

  5. Click Access Control > Resource Pools and create a resource group and add the Windows Vault for Agent-based Windows Servers. For more information, see Section 6.1.2, Configuring Resource Pools.

  6. Click Access Control > Assignments and create a Web Agent RDP and add the user group and resource pool that you created in steps 2 and 3 to it.

  7. Assign the permissions as relevant.

  8. Click Finish. After the administrator configures the authorization rule in Privileged Account Manager, the Privileged Account Manager user can access the privileged session by following steps 9, 10, and 11.

  9. Log in using the Privileged Account Manager user credentials and click Login.

  10. Click Home > My Access > Predefined Tags > Windows and click the launch icon before the appropriate resource name.

  11. You can administer the live Remote Desktop Protocol Web Relay session as it opens in Home > Active Sessions. The administrator audits the user actions in this privileged session and views these reports in the administration console.

Credential Provider

The Credential Provider feature lets users single sign-on to any Windows server or desktop through a secured Remote Desktop Connection. With Credential Provider, users can log in to a Windows server or desktop as a privileged user by using Privileged Account Manager credentials.

Configuring Credential Provider

You can create a rule to allow or deny specific users access to a Windows server or desktop. To disconnect a session, refer to Prerequisites for Disconnecting a Session.

To configure the rule for a Windows server or desktop, perform the following:

  1. Ensure that the Windows computer which you want to access is registered to Privileged Account Manager as an agent. For more information, see Installing and Registering a Framework Agent.

  2. Ensure that you have added the resource for the Windows computer. For more information, see the Contextual Help of Credential Vault.

  3. In the home page of the administrator console, click Command Control.

  4. (Conditional) If you want to control who can access a particular Windows computer, create a user group with the user names in capital letters.

    1. If you want to deny specific users access to the server or desktop, create a separate user group and add their user names (in capital letters) in the Users field. By default, all users are granted access to the server.

  5. Add a rule:

    1. In the Command Control pane, click Rules.

    2. In the details pane, click Add.

    3. Specify a name for the rule, then click Add.

    4. Select the newly added rule, then click the edit icon in the details pane.

    5. (Conditional) Configure the following for the users who are allowed to access the Windows computer:

      Session Capture: Yes

      Authorize: Yes

      Run User: Submit User

      Run Hosts: Submit Host

      For more information about the rule configuration fields, see Modifying a Rule.

    6. (Conditional) Configure the following for the users who are denied access to the Windows computer:

      Session Capture: No

      Authorize: No

    7. Click Modify.

    8. In the middle pane, click the commands icon.

    9. From the list of commands, drag the Windows Credential Provider Session command and drop it to the newly added rule.

NOTE: If a user is not part of any defined user group, that user's actions are not monitored, but in the Reports console you can view the users who connect to the server or desktop and the time when they started their session.

Direct Remote Desktop Protocol

When a user connects to a remote Windows server through any Remote Desktop Connection client, the user's actions are not monitored. However, with the Direct Remote Desktop Protocol (Direct RDP) feature, you can control authorization and monitor the actions of users who connect to a remote Windows server or desktop through a remote desktop connection client.

You can connect to a Windows server or desktop by using your account credentials that are set up on the server. If you need to monitor the actions of those users, you can use the Direct RDP feature. The Windows Direct Session command object is included with the rdpDirect command, which helps in monitoring the direct sessions. You can create a rule that specifies who is authorized to connect to a Windows server or desktop, and you can also disconnect the session when any malicious activity is detected.

Configuring Direct RDP

You can create a rule to allow or deny specific users access to a Windows server or desktop. To disconnect a session, refer to .

To configure the rule for a Windows server or desktop, perform the following:

  1. Ensure that the Windows computer which you want to access is registered to Privileged Account Manager as an agent. For more information, see Installing and Registering a Framework Agent.

  2. In the home page of the administrator console, click Command Control.

  3. (Conditional) If you want to control who can access a particular Windows computer, create a user group with the user names in capital letters.

    1. If you want to deny specific users access to the server or desktop, create a separate user group and add their user names (in capital letters) in the Users field. By default, all users are granted access to the server.

  4. Add a rule:

    1. In the Command Control pane, click Rules.

    2. In the details pane, click Add.

    3. Specify a name for the rule, then click Add.

    4. Select the newly added rule, then click the edit icon in the details pane.

    5. (Conditional) Configure the following for the users who are allowed to access the Windows computer:

      Session Capture: Yes

      Authorize: Yes

      Run User: Submit User

      Run Hosts: Submit Host

      For more information about the rule configuration fields, see Modifying a Rule.

    6. (Conditional) Configure the following for the users who are denied access to the Windows computer:

      Session Capture: No

      Authorize: No

    7. Click Modify.

    8. In the middle pane, click the commands icon.

    9. From the list of commands, drag the Windows Direct Session command and drop it to the newly added rule.

NOTE: If a user is not part of any defined user group, that user's actions are not monitored, but in the Reports console you can view the users who connect to the server or desktop and the time when they started their session.