Using Privileged Account Manager (PAM), you can provide access to a Windows computer in the following ways:
Remote Desktop Protocol Relay (RDP Relay): Using this method, you create a policy for a Windows RDP relay that the user accesses from the User Console.
Use this approach when direct access to the target Windows system is blocked by the Windows Firewall.
For information about configuring RDP Relay, see Remote Desktop Protocol Relay.
Remote Desktop Protocol Web Relay (RDP Web Relay): Using this method, you create a policy for a Windows RDP web relay that the user accesses from a browser through the User Console.
For information about configuring RDP Web Relay, see Remote Desktop Protocol Web Relay.
Direct Remote Desktop Protocol (Direct RDP): This method does not grant the user any additional privilege, but it lets you authorize, monitor and audit the user's actions on the Windows server. The user connects to the Windows server with any remote desktop client using their own Windows account credentials.
Use this approach when you want to avoid storing the credentials of privileged users in Privileged Account Manager and avoid routing the session through a proxy.
For information about configuring Direct RDP, see Direct Remote Desktop Protocol.
Run as Privileged User: Using this method, you provide privileged access to a specific application on the Windows server. The user connects directly to the Windows server with any remote desktop client using their Windows account credentials, and then runs that application as a privileged user.
Use this approach when you want to provide privileged access to a specific application on the target Windows system.
For information about configuring Run as Privileged User, see Run as Privileged User.
Credential Provider (CP): Using this method, you provide privileged access to a Windows server that the user accesses with their Privileged Account Manager credentials.
Use this approach when the target system has a host-based firewall and a proxy cannot be used to connect to the system. It is also suitable for a lab environment where you need direct privileged access to a system without knowing the administrator credentials.
For information about configuring Credential Provider, see Credential Provider.
Application SSO: Using this method, you provide privileged access to a Windows server and monitor the actions performed on the Windows machine without installing a Privileged Account Manager agent.
For information about configuring application SSO, see Application SSO.
Use the following table to choose the appropriate method for establishing a privileged session on a Windows system:
| Method | Keystroke Audit | Video Capture | Privileged Access | Live Session View | Command Risk & Automatic Session Disconnect | Access Through: User Console | Access Through: RDP Client | Authentication Through: Privileged Account Manager Account | Authentication Through: System Account |
|---|---|---|---|---|---|---|---|---|---|
| RDP Relay (Agent based) | | | | | | | | | |
| RDP Web Relay (Agentless) | | | | | | | | | |
| Credential Provider (Agent based) | | | | | | | | | |
| Direct RDP (Agent based) | | | | | | | | | |
| Run as Privileged User (Agent based) | (Audits only privileged application access) | | (Privileged access to specific application) | | | | | | |
| Application SSO (Agentless) | | | | | | | | | |

(The capability marks in the cells of the original table are not preserved in this copy; only the row and column labels and the two notes for Run as Privileged User survive. The method descriptions above state which console and which credentials each method uses.)
NOTE: Keystrokes are not audited in the Windows Command Prompt.
This is the generic workflow to configure privileged access for Windows:
Register the agent (Conditional)
For steps to register the agent, see Installing and Registering a Framework Agent.
Add a Windows resource and its credentials
For information about adding a Windows resource, see the Contextual Help of Credential Vault.
Add a User Group (Optional)
Add a user group with the list of Windows system users who must get privileged access.
For steps to add a user group, see Adding a User Group.
Add a Command
You can use the commands preloaded by Privileged Account Manager, which have default configurations, such as Windows Credential Provider Session, Windows Direct Session and RDP Session.
or
Add and Modify a Command
For detailed information on adding a command, see Adding a Command.
For detailed information on modifying a command, see Modifying a Command.
Add and Modify a Rule
For steps to add a rule, see Adding a Rule.
NOTE: When adding a rule, ensure that you choose the correct value for the Run User. The user gets privileged access according to the value of the Run User.
For steps to modify a rule, see Modifying a Rule.
NOTE: When modifying a rule for Run as Privileged User, set the Run Host to Submit Host.
Add Command and User Groups to the Rule
After creating the rule, drag and drop the appropriate command and user group onto the rule.
After making the appropriate configuration in Privileged Account Manager, you can access the target host using any RDP client or the User Console, as appropriate for the method.
Using the following methods you can provide a privileged session to a user and capture the user actions in the privileged session:
The Remote Desktop Protocol Relay (RDP Relay) feature offers single sign-on capability and remote access to desktops through a secured connection. In a privileged session, an administrator user who is allowed to access various devices can sign on to many managed devices from a single workstation without knowing the authentication passwords of those devices. In addition, the user can remotely view the desktops of the managed devices and work on them.
You enable privileged sessions for an administrator user with the user's information. Then you associate the privileged session with a rule that controls the commands that the user can run on permitted devices and applications.
NOTE: RDP Relay is supported with the following installers:
Windows Installers
Generic Linux Installers
You can configure an RDP Relay for Windows machines to allow users to remotely access these machines without the privileged account credentials.
For steps to configure it, see Work Flow to Configure Privileged Access for Windows.
NOTE: In Windows 2008 R2, configure the following User Account Control settings:
Disable Switch to the secure desktop when prompting for elevation.
Set UAC: Behavior of the elevation prompt for administrators in Admin Approval Mode to a value other than Prompt for credentials on the secure desktop and Prompt for consent on the secure desktop.
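The two settings in the note map to registry values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. The following PowerShell is an added example, not code from the Privileged Account Manager documentation or product: it reports the current values, checks them against the note, and sets them only when needed. The function names are ours; the registry value names and their meanings are the documented Windows UAC policy values. Note the trade-off: the elevation prompt is taken off the secure desktop so that it appears inside the relayed, recorded session, which also makes it reachable by other software in that session, so apply this only to relay targets.

```powershell
# Added example (not from the PAM documentation): check and set the two UAC values that
# the RDP Relay note above requires on Windows 2008 R2. Written for PowerShell 2.0,
# which is what that release ships with. Run it elevated; HKLM is not writable otherwise.
#
# Registry value              Meaning (documented Windows UAC policy values)
# PromptOnSecureDesktop       1 = "Switch to the secure desktop when prompting for elevation" on, 0 = off
# ConsentPromptBehaviorAdmin  0 = elevate without prompting
#                             1 = prompt for credentials on the secure desktop   (not allowed by the note)
#                             2 = prompt for consent on the secure desktop       (not allowed by the note)
#                             3 = prompt for credentials
#                             4 = prompt for consent
#                             5 = prompt for consent for non-Windows binaries (default)

$uacKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$allowed = 0, 3, 4, 5   # admin prompt modes that do not use the secure desktop

function Get-UacRelaySetting {
    $v = Get-ItemProperty -Path $uacKey
    New-Object PSObject -Property @{
        PromptOnSecureDesktop      = $v.PromptOnSecureDesktop
        ConsentPromptBehaviorAdmin = $v.ConsentPromptBehaviorAdmin
    }
}

function Test-UacRelayReady {
    # True only when both values satisfy the note; a missing value counts as not ready.
    $s = Get-UacRelaySetting
    ($s.PromptOnSecureDesktop -eq 0) -and ($allowed -contains $s.ConsentPromptBehaviorAdmin)
}

function Set-UacRelaySetting {
    param([int]$AdminPromptBehavior = 4)   # 4 keeps a consent prompt, just not on the secure desktop
    if ($allowed -notcontains $AdminPromptBehavior) {
        throw "ConsentPromptBehaviorAdmin $AdminPromptBehavior uses the secure desktop; pick one of $allowed"
    }
    Set-ItemProperty -Path $uacKey -Name PromptOnSecureDesktop      -Value 0 -Type DWord
    Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorAdmin -Value $AdminPromptBehavior -Type DWord
    # Takes effect for new logon sessions; sign out (or reboot) before testing the relay.
}

if (-not (Test-UacRelayReady)) { Set-UacRelaySetting }
Get-UacRelaySetting
```

Run it in an elevated PowerShell on the relay target, then sign out and back in before launching a session through the relay. Keeping the default of 4 rather than 0 preserves a consent prompt, so an elevation still shows up as a distinct event in the recorded session instead of happening silently.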
After an administrator configures an RDP relay, the user can access the privileged session as follows:
Click the home icon on the new Administration Console.
Specify the username and password to log in to Privileged Account Manager and click Login.
Click > My Access and click the launch icon before the appropriate resource name.
You can administer the active RDP Relay session as it opens in > Active Sessions. The administrator audits the user actions in this privileged session and views the reports in the Administration Console.
Save and open the RDP file to launch the session.
NOTE:
The RDP Relay Manager name is always shown in the RDP connection bar.
When connecting to the remote session, specify the username in capital letters.
When establishing a remote session through RDP Relay, the following error may be displayed:
The remote computer disconnected the session because of an error in the licensing protocol
To continue establishing a remote session, perform the following steps before starting an RDP session:
Install the latest version of Privileged Account Manager.
Launch Internet Explorer in Run as administrator mode.
Privileged session monitoring and management is important for meeting compliance and security requirements, but can be complex and time-consuming. From Privileged Account Manager 4.0 onwards, you can monitor and manage RDP sessions with the agent-based web relay capability.
Consider a scenario where the administrator has to provide privileged access to a Windows agent and the Privileged Account Manager user accesses the session from a browser. For this scenario, the administrator performs the following configuration in Access Control:
Create a Windows or LDAP type Credential Vault resource for the Windows agent and add the respective credentials.
Go to the Hosts console (Old Administration Console), double-click the Windows agent and add the vault created in the previous step to the vault label.
Go to the new Administration Console, click Users and add the users (LDAP or Local) who will use the resource.
Click Access Control > User Roles and create a user group and add the users who can access the resource. For more information, see Configuring a User Role.
Click Access Control > Resource Pools and create a resource group and add the Windows vault for agent-based Windows servers. For more information, see Configuring Access Control.
Click Access Control > Assignments, create a Web Agent RDP assignment and add the user group and resource pool that you created in the previous steps to it.
Assign the permissions as relevant.
Click Finish. After the administrator configures the authorization rule in Privileged Account Manager, the Privileged Account Manager user can access the privileged session as follows:
Log in using the Privileged Account Manager user credentials and click Login.
Click > My Access and click the launch icon before the appropriate resource name.
You can administer the live RDP Web Relay session as it opens in > Active Sessions. The administrator audits the user actions in this privileged session and views the reports in the Administration Console.
The Credential Provider feature lets users single sign-on to any Windows server or desktop through a secured Remote Desktop Connection. With Credential Provider, users log in to the Windows server or desktop as a privileged user by using their Privileged Account Manager credentials.
You can create rules to allow or deny specific users access to a Windows server or desktop. To disconnect a session, see Prerequisites for Disconnecting a Session.
To configure the rule for a Windows server or desktop, perform the following:
Ensure that the Windows computer which you want to access is registered with Privileged Account Manager as an agent. For more information, see Installing and Registering a Framework Agent.
Ensure that you have added the resource for the Windows computer. For more information, see the Contextual Help of Credential Vault.
In the home page of the administrator console, click Command Control.
(Conditional) If you want to control who can access a particular Windows computer, create a user group with the user names in capital letters.
If you want to deny specific users access to the server or desktop, create a separate user group and add their user names (in capital letters) in the Users field. By default, all users are granted access to the server.
Add a rule:
In the Command Control pane, click Rules.
In the details pane, click Add.
Specify a name for the rule, then click Add.
Select the newly added rule, then click edit icon in the details pane.
(Conditional) Configure the following for the users who are allowed to access the Windows computer:
Session Capture: Yes
Authorize: Yes
Run User: Submit User
Run Host: Submit Host
For more information about the rule configuration fields, see Modifying a Rule.
(Conditional) Configure the following for the users who are denied access to the Windows computer:
Session Capture: No
Authorize: No
Click Modify.
In the middle pane, click the commands icon.
From the list of commands, drag the Windows Credential Provider Session command and drop it onto the newly added rule.
NOTE: If a user is not part of any defined user group, that user's actions are not monitored, but in the Reports console you can view the users who connect to the server or desktop and the time when they started their session.
When a user connects to a remote Windows server through any Remote Desktop Connection client, the user's actions are normally not monitored. With the Direct Remote Desktop Protocol (Direct RDP) feature you can control authorization and monitor the actions of users who connect to a remote Windows server or desktop through a remote desktop client.
Users connect to a Windows server or desktop with their own account credentials that are set up on the server. If you need to monitor the actions of those users, use the Direct RDP feature. The Windows Direct Session command object is included with the rdpDirect command, which helps in monitoring direct sessions. You can create a rule that specifies who is authorized to connect to a Windows server or desktop, and disconnect the session when malicious activity is detected.
You can create rules to allow or deny specific users access to a Windows server or desktop. To disconnect a session, see Prerequisites for Disconnecting a Session.
To configure the rule for a Windows server or desktop, perform the following:
Ensure that the Windows computer which you want to access is registered with Privileged Account Manager as an agent. For more information, see Installing and Registering a Framework Agent.
In the home page of the administrator console, click Command Control.
(Conditional) If you want to control who can access a particular Windows computer, create a user group with the user names in capital letters.
If you want to deny specific users access to the server or desktop, create a separate user group and add their user names (in capital letters) in the Users field. By default, all users are granted access to the server.
Add a rule:
In the Command Control pane, click Rules.
In the details pane, click Add.
Specify a name for the rule, then click Add.
Select the newly added rule, then click edit icon in the details pane.
(Conditional) Configure the following for the users who are allowed to access the Windows computer:
Session Capture: Yes
Authorize: Yes
Run User: Submit User
Run Host: Submit Host
For more information about the rule configuration fields, see Modifying a Rule.
(Conditional) Configure the following for the users who are denied access to the Windows computer:
Session Capture: No
Authorize: No
Click Modify.
In the middle pane, click the commands icon.
From the list of commands, drag the Windows Direct Session command and drop it onto the newly added rule.
NOTE: If a user is not part of any defined user group, that user's actions are not monitored, but in the Reports console you can view the users who connect to the server or desktop and the time when they started their session.
Privileged session monitoring and management is important for meeting compliance and security requirements, but can be complex and time-consuming. From Privileged Account Manager 4.0 onwards, you can monitor and manage RDP sessions with the agentless capability.
Ensure that the agentless module is installed.
The agentless component of Privileged Account Manager is supported only on SLES 12 (64-bit), SLES 15 (64-bit), Oracle Linux 8 (64-bit), or RHEL 8 (64-bit).
NOTE:
For Oracle Linux 8 (64-bit) and RHEL 8 (64-bit), install the redhat-lsb-core package.
For SLES 12 (64-bit) and SLES 15 (64-bit), install the lsb-release package.
You must install libpango and libcairo and their dependent packages on both SLES and RHEL. On RHEL, additionally install dejavu-sans-fonts.
This method has the benefits of agentless access: it works without any agent installed on the target machine and reaches the target over standard RDP. It provides Privileged Account Manager functionality without a Privileged Account Manager agent on the target host. The relay allows users to connect to a remote host without knowing the privileged account's credentials, such as its password or identity certificate. Session videos for RDP Web Relay can be captured only if Privileged Account Manager is running in a Linux environment.
The functionality also provides clientless benefits: no plugins or client software are required. The remote desktop gateway supports standard protocols such as VNC, RDP and SSH. Once the agentless module is installed, all you need to access your desktops is a web browser.
NOTE: You cannot add scripts when you are using RDP Web Relay.
You can configure an RDP Web Relay for Windows machines to allow users to remotely access these machines without the privileged account credentials.
This method is beneficial if you do not want any software or client installed on the operating system.
It resolves issues with Network Level Authentication users, as they do not have to do any additional configuration.
No RDP (MSTSC) file needs to be downloaded, so the system from which you launch the RDP session can be lightweight in terms of space and memory.
After an administrator configures an RDP Web Relay, the user can access the privileged session as follows:
Log in using the Privileged Account Manager user credentials and click Login.
Click > My Access and click the Start Session icon adjacent to the preferred resource name.
You can administer the active RDP Web Relay session as it opens in > Active Sessions. The administrator audits the user actions in this privileged session and views the reports in the Administration Console.
Consider a scenario where the administrator has to provide privileged access to a Windows system and the Privileged Account Manager user accesses the session from a browser. For this scenario, the administrator performs the following configuration in Access Control:
Create a Windows or LDAP type Credential Vault resource for the Windows system and add the respective credentials.
Click Users and add the users (LDAP or Local) who will use the resource.
Click Access Control > User Roles and create a user group and add the users who can access the resource.
Click Access Control > Resource Pools and create a resource group and add the Windows vault for agentless Windows servers.
Click Access Control > Assignments, create an RDP Web assignment and add the user group and resource pool that you created in the previous steps to it.
Assign the permissions as relevant.
Click Finish.
After the administrator configures the authorization rule in Privileged Account Manager, the Privileged Account Manager user can gain access to the privileged session as follows:
Log in using the Privileged Account Manager user credentials and click Login.
Click > My Access and click the launch icon before the appropriate resource name.
You can administer the live RDP Web Relay session as it opens in > Active Sessions. The administrator audits the user actions in this privileged session and views the reports in the Administration Console.
Using the following method, you can provide privileged access to a specific application on a Windows system and capture the user actions:
Application SSO allows you to provide privileged access to specific application in a Windows server and monitor the actions performed in the application without installing a Privileged Account Manager agent.
For information about configuring application SSO, see Application SSO.
The administrator can use the Run as Privileged User feature to give users privileged access to a specific process, system tool, or specific file, for example services.msc or notepad.exe.
For configuring the Windows machine for Run as Privileged User, see Work Flow to Configure Privileged Access for Windows.
After configuring the Run as Privileged User policies in Privileged Account Manager, the user can use Run as Privileged User as follows:
Log in to the system as an administrator using any remote desktop tool.
Right-click the process and select Run as privileged user to get privileged access to the process.
NOTE:
In Windows 2008 R2, Shift+right-click the application in the Start menu to execute Run as privileged user.
In Windows 2012, right-click the application in the folder where the application is installed to execute Run as privileged user.
You can also provide privileged access to specific files.
For Example: To provide privileged access to critical.txt file:
Create a short-cut to Notepad.
Notepad is the process that is used to open the critical.txt file.
Right-click the short-cut to Notepad, then select Properties.
In the Target field, add the path of the critical.txt file after the path of the process, then click OK.
NOTE: For example, the path can be added in the following format:
C:\WINDOWS\system32\notepad.exe "C:\critical.txt"
Right-click the shortcut and select Run as privileged user to provide privileged access to the critical.txt file.
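The shortcut that the steps above build through the Properties dialog can also be created with a script. The following PowerShell is an added example, not part of the Privileged Account Manager documentation: it writes a Notepad shortcut whose target is the process path followed by the quoted file path, matching the format shown above, and returns the resulting command line so you can verify it before using Run as privileged user on it. The function name and the shortcut location on the desktop are assumptions; C:\critical.txt is the page's own example file.

```powershell
# Added example (not from the PAM documentation): create the Notepad shortcut from the
# Run as Privileged User steps above with a script instead of the Properties dialog.
# The shortcut path is an assumption; C:\critical.txt is the page's example file.

function New-PrivilegedFileShortcut {
    param(
        [Parameter(Mandatory = $true)]
        [string]$FilePath,                                               # file the privileged process opens
        [string]$Process      = "$env:SystemRoot\system32\notepad.exe",  # process named in the Target field
        [string]$ShortcutPath = "$env:USERPROFILE\Desktop\critical.lnk"  # where the .lnk is written (assumed)
    )
    $shell = New-Object -ComObject WScript.Shell
    $lnk   = $shell.CreateShortcut($ShortcutPath)
    $lnk.TargetPath = $Process
    # Quoting keeps a path with spaces as a single argument, as in the format shown above.
    $lnk.Arguments  = '"{0}"' -f $FilePath
    $lnk.WorkingDirectory = Split-Path -Parent $FilePath
    $lnk.Save()
    # Return the effective command line so it can be checked against the expected format.
    return ('{0} {1}' -f $lnk.TargetPath, $lnk.Arguments)
}

New-PrivilegedFileShortcut -FilePath 'C:\critical.txt'
# Now right-click critical.lnk and choose Run as privileged user, as described above.
```

Keeping the file path in Arguments rather than appending it to TargetPath is what makes the privileged process open only that file; a rule written for notepad.exe still governs the launch, because the Target process is unchanged.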
The LDAP Group lookup feature retrieves LDAP group membership information for a user whose details are stored in an external LDAP directory, such as NetIQ eDirectory, OpenLDAP, or Microsoft Active Directory. The information fetched can be used to perform external group matching in rules.
To create an LDAP account in the vault, click Credential Vault > LDAP / Active Directory > Vault Name, click the + icon next to Resources and provide the required information. For more information about the resource fields, see Contextual Help.
After creating the LDAP account, define a group that refers to the external LDAP group. For information on creating a user group, see Adding a User Group.
To configure an existing user group, perform the following:
On the home page of the console, click Command Control.
In the navigation pane, click the Account Groups icon, then click User Groups.
In the details pane, select the user group that you want to modify, then click the edit icon next to the user group name.
Configure the following fields:
Name: Specify a name for the group.
Type: You must select the External Group check box.
External Group: Includes the users you have added in this group
Description: Describe the purpose of this user group.
Manager Name, Manager Tel., Manager Email: Specify the name, telephone number, and e-mail address of the manager of this user group.
Users: Add or change the users you want to include in this group. You can type the user names, one on each line, or paste them from elsewhere.
For example, external groups can be matched with the regular expression %:=~/^[Cc][Nn]=G.*/, which matches every external group whose DN starts with CN=G (in either case) followed by anything, for users who are members of such a group. A pattern ending in G* instead of G.* would not do this: the * applies to the G alone and matches zero occurrences, so it would also match groups whose name does not start with G.
User Groups: From the list of groups you have already defined, select the user groups you want to include as subgroups of this user group. You can also add subgroups to a user group by dragging and dropping the groups onto the target user group in the navigation pane.
Click Finish.
You can now use this user group in rule conditions or as a script entity.
After creating the user group, set up rules that use the created external user group in commands. For detailed information on adding a rule, see Adding a Rule.
On the home page of the console, click Command Control.
In the Command Control pane, click Rules.
Select the rule that you want to modify.
In the details pane, click Modify.
Make the following changes:
Name: Change the name of the rule.
Description: Specify a description of the rule.
User Message: Specify the user message as $<ExtGroups>$.
Session Capture: Select either On or Off.
Authorize: Select either Yes or No, depending on whether you want the command protected by the rule to be authorized or not authorized if the rule conditions are met.
Run User: Select Submit User from the drop-down list.
Credentials: From the drop-down list, select the required resource. The Run User is automatically populated with the domain user provided in the resource.
Run Host: Define a run host by selecting the name of the host on which you want to run this command (this overrides any hostname defined through a set command).
Risk Level: Set a Risk Level of 0 to 99.
Audit Group: Define an Audit Group. This setting is for use in Compliance Auditor reports.
Click Finish. The settings you have defined for the rule are displayed in the console.
A typical result of the LDAP group lookup rule, when a rule is created for a user to run the id command as root, is displayed below:
```text
user1@pum-sles10sp3:/root> usrun id
<ExtGroups>
<groupname="CN=GROUP3,CN=Users,DC=pum,DC=com"/>
<groupname="CN=GROUP2,CN=Users,DC=pum,DC=com"/>
<groupname="CN=GROUP1,CN=Users,DC=pum,DC=com"/>
<groupname="cn=G1,o=netiq"/>
<groupname="cn=G2,o=netiq"/>
</ExtGroups>
uid=1001(user1) gid=100(users) groups=0(root), 16(dialout), 33(video), 100(users)
user1@pum-sles10sp3:/root>
```
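The external-group regular expression given in the user group example earlier on this page is evaluated against exactly these DNs. The following PowerShell is an added example, not code from Privileged Account Manager: it parses the <groupname="..."/> lines out of the usrun output above and evaluates a pattern against each DN, so a rule pattern can be checked before it goes into a rule. The output is the page's sample, embedded as a string, with one extra group (CN=Domain Admins,...) constructed here to show the difference between the two patterns; the function names are ours. The %:=~ condition uses Perl-style regular expressions; for the constructs used here .NET's -match behaves the same, which is the assumption this test relies on.

```powershell
# Added example (not from the PAM documentation): parse the <ExtGroups> block that
# usrun prints for an LDAP group lookup rule and test a rule pattern against each DN.
# $sampleOutput is the page's sample plus one group constructed here
# (CN=Domain Admins,...) so the two patterns below produce different results.

$sampleOutput = @'
user1@pum-sles10sp3:/root> usrun id
<ExtGroups>
<groupname="CN=GROUP3,CN=Users,DC=pum,DC=com"/>
<groupname="CN=GROUP2,CN=Users,DC=pum,DC=com"/>
<groupname="CN=GROUP1,CN=Users,DC=pum,DC=com"/>
<groupname="CN=Domain Admins,CN=Users,DC=pum,DC=com"/>
<groupname="cn=G1,o=netiq"/>
<groupname="cn=G2,o=netiq"/>
</ExtGroups>
uid=1001(user1) gid=100(users) groups=0(root), 16(dialout), 33(video), 100(users)
'@

function Get-ExtGroup {
    # Extract the DN from every <groupname="DN"/> line; everything else is ignored.
    param([string]$Output)
    foreach ($line in $Output -split "`r?`n") {
        if ($line -match '^<groupname="([^"]+)"/>$') { $matches[1] }
    }
}

function Test-ExtGroupPattern {
    # Return the DNs that a rule pattern (the part between the slashes of %:=~/.../) matches.
    param([string]$Output, [string]$Pattern)
    Get-ExtGroup -Output $Output | Where-Object { $_ -match $Pattern }
}

# * binds only to the G, so this also matches groups whose name does not start with G:
Test-ExtGroupPattern -Output $sampleOutput -Pattern '^[Cc][Nn]=G*'

# A literal G followed by anything restricts the match to CN=G... and cn=G... groups:
Test-ExtGroupPattern -Output $sampleOutput -Pattern '^[Cc][Nn]=G.*'
```

With the first pattern the constructed Domain Admins group is returned as well, because G* matches zero G characters; with the second only the five groups whose name starts with G are returned, which is what a rule meant for CN=G... groups needs. Since a rule that authorizes on an over-broad external group match grants the privileged command to every LDAP group member, this check is worth running on real lookup output before the rule is enabled.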
Virtual List View (VLV) allows an LDAP application to query a very large directory container efficiently, in bite-sized chunks. Virtual List View is enabled by default on eDirectory.
Enabling Virtual List View on Active Directory:
Click Start > Run, type Adsiedit.msc, and press ENTER.
In the ADSI Edit tool, expand the Configuration[DomainController] node.
Expand the CN=Configuration,DC=DomainName container.
Expand the CN=Services object.
Expand the CN=Windows NT object.
Right-click the CN=Directory Service object.
Click Properties.
In the Attributes list, click msDS-Other-Settings > Edit.
In the Values list, click any instance of DisableVLVSupport=x where x is not equal to 0, and click Remove.
Click OK twice. Close the ADSI Edit tool.
Installing the schema snap-in and enabling the sort control:
Open a command prompt, type regsvr32 schmmgmt.dll, and press ENTER.
Click Start > Run.
Type mmc and click OK.
On the File menu, click Add/Remove Snap-in.
In the Available snap-ins list, click Active Directory Schema > Add > OK.
In the Active Directory Schema snap-in, open Attributes, search for cn, open its Properties and enable Index this attribute for containerized searches.
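The ADSI Edit and Schema snap-in steps above can be scripted. The following PowerShell is an added example, not from the Privileged Account Manager documentation: using the ActiveDirectory module, it removes any DisableVLVSupport value other than 0 from msDS-Other-Settings on the Directory Service object, and sets the containerized-search index flag on the schema object of the cn attribute (Common-Name). The function names are ours; the object paths, attribute names and the searchFlags bit value 2 are the documented Active Directory ones. Run it as a member of Domain Admins (for the msDS-Other-Settings change) and Schema Admins (for the schema change); schema writes are sent to the schema master.

```powershell
# Added example (not from the PAM documentation): script the two Active Directory
# changes that the ADSI Edit and Schema snap-in steps above make by hand.
# Needs the ActiveDirectory module (RSAT), Domain Admins for msDS-Other-Settings and
# Schema Admins on the schema master for the searchFlags change.
Import-Module ActiveDirectory

$rootDse    = Get-ADRootDSE
$dsSettings = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$cnSchema   = "CN=Common-Name,$($rootDse.schemaNamingContext)"   # schema object of the cn attribute
$schemaFsmo = (Get-ADForest).SchemaMaster                          # schema writes must go here

function Get-DisableVlvValue {
    # Return every DisableVLVSupport=x entry currently in msDS-Other-Settings.
    $obj = Get-ADObject -Identity $dsSettings -Properties 'msDS-Other-Settings'
    @($obj.'msDS-Other-Settings') | Where-Object { $_ -match '^DisableVLVSupport=\d+$' }
}

function Enable-AdVlvSupport {
    # Equivalent of the ADSI Edit step: remove DisableVLVSupport=x where x is not 0.
    # A remaining DisableVLVSupport=0 (or no entry at all) leaves VLV enabled.
    $bad = @(Get-DisableVlvValue | Where-Object { $_ -ne 'DisableVLVSupport=0' })
    if ($bad.Count -gt 0) {
        Set-ADObject -Identity $dsSettings -Remove @{ 'msDS-Other-Settings' = $bad }
    }
    return $bad   # the values that were removed
}

function Enable-CnContainerIndex {
    # Equivalent of the Schema snap-in step "Index this attribute for containerized
    # searches": bit value 2 of searchFlags (1 = ordinary index, 4 = ANR).
    $flags = [int](Get-ADObject -Identity $cnSchema -Properties searchFlags -Server $schemaFsmo).searchFlags
    if (($flags -band 2) -eq 0) {
        Set-ADObject -Identity $cnSchema -Replace @{ searchFlags = ($flags -bor 2) } -Server $schemaFsmo
    }
    return [int](Get-ADObject -Identity $cnSchema -Properties searchFlags -Server $schemaFsmo).searchFlags
}

Enable-AdVlvSupport
Enable-CnContainerIndex
```

Both functions read before they write, so running the script twice is harmless, and the OR into searchFlags preserves whatever other index bits the cn attribute already carries rather than overwriting them.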
Enabling Virtual List View on OpenLDAP:
On the server side, slapd serves VLV through the sssvlv overlay (slapo-sssvlv), which must be loaded for the database that holds the groups. The following steps describe how a client issues a VLV search with the OpenLDAP C API:
Bind to the server that you want to search using ldap_bind or ldap_bind_s.
Set the members of LDAPVLVInfo and create the control using ldap_create_vlv_control.
Create a sort control using ldap_create_sort_control and add it to an array together with the VLV control (a VLV request must be accompanied by a server-side sort control).
Perform the search using ldap_search_ext_s or ldap_search_ext.
Parse the results using ldap_parse_result, then parse the VLV response control (LDAP_CONTROL_VLVRESPONSE) using ldap_parse_vlv_control.
Free the controls using ldap_control_free.