Agent is an installable component that resides on a machine and helps to manage and monitor privileged access to that machine. It creates comprehensive session audits and video recordings of the privileged sessions on the machine, beyond what the Agentless approach can capture. This approach requires regular maintenance of the agent on every managed machine, which makes it less suitable for a large, complex environment.
Agentless enables you to secure, manage, and monitor privileged access to remote machines through the PAM User Portal. This approach monitors computers that have no agent installed by routing sessions through a proxy agent and applying the management packs that support agentless monitoring. The ability to capture session audits and create video recordings of the privileged sessions varies from one agentless module to another. This approach is easy to manage because there is no agent on the managed machines to update.
Clientless enables users to connect through a web browser over HTTPS. Clientless solutions provide access to web-based resources without installing any client.
On-demand client: Users connect through a web browser and a client is installed only when necessary. The client supplies access to most types of corporate resources according to the access privileges of the user.
Privileged Account Manager provides both of these capabilities. Refer to Section 7.3.3, Agentless Session Management in Unix and Linux, to use SSH to Linux/Unix machines, and to Remote Desktop Protocol Web Relay to use RDP to Windows machines, with both agentless and clientless benefits. Note that refreshing the browser disconnects the active session for both SSH Web and RDP Web.
Figure 7-1 Agentless Capability
The following tabular overview illustrates the agent and agentless features available in the product.
Feature columns of the matrix: Key Stroke Audit, Command Audits, Video Capture, High-level Session Audits (who got access to what and how), Session Level Elevation, Command Risks, Automatic Disconnect, Manual Disconnect, Live Video Session.

Methods compared:
Linux/Unix/Network Devices/SSH Servers: Agent; Agentless (SSH Relay); Agentless (SSH Web Relay)
Windows: Agent-Direct/CP Connection; Agent-Proxy Connection (RDP Relay); Agentless-Proxy Connection (RDP Web Agent Relay); Agent (appsso); Agentless (RDP Web Relay)

The per-method feature markings of the matrix are not preserved in this text.
This section describes the requirements and the configuration needed to meet them, using the following sample use cases.
Let us assume an organization, Intech Data, Inc., wants to secure and monitor employees' actions during privileged access to a Windows Server located in the network lab. This Windows Server contains confidential data.
Employees can access this server without using a remote desktop client. A few employees can access it remotely, and only during business hours (9 AM to 6 PM) on business days (Monday to Friday).
This example refers to the following user profiles:
Markus: An administrator of Intech Data, Inc.
Albert Jones: An employee of Intech Data, Inc.
Markus wants to enforce Windows Agentless Web RDP to secure the Windows server. With this implementation, designated employees access the Windows server through the PAM User Console for privileged access, and each action is recorded and monitored for auditing purposes. If an employee performs an action that poses a potential risk, such as deleting or copying data, the action is recorded. Markus can terminate the session while he is monitoring it live.
The following diagram depicts the requirement of this use case:
This section explains the prerequisites, flow of actions, and step-by-step configuration details to achieve this requirement.
The following diagram illustrates the sequential flow of configuration required for implementing the Windows Agentless Web RDP:
To achieve this requirement, Markus performs the following tasks:
Privileged Account Manager is installed with the required Agentless module.
NOTE: The agentless component of Privileged Account Manager (agentless) is supported on SLES 12 (64-bit), SLES 15 (64-bit), Oracle Linux 8 (64-bit), and RHEL 8 (64-bit).
Enable the Access Control Engine option in Server Settings > Policy Engine.
Import the CA certificate that issued the Active Directory server's certificate on the system where Privileged Account Manager is installed, so that the LDAP connection can be verified over Secure Sockets Layer (SSL).
For more information, see Exporting the Certificate From the Active Directory Server.
Configure the LDAP Repository
Click Settings on the Administration Console.
Click LDAP Servers on the left pane and click Add New.
Perform the following actions:
Specify Domain Name of the LDAP Server.
Type is set to Active Directory Services, by default.
Specify Host Name/IP Address of the LDAP Server.
NOTE: Port is set to 636 (LDAPS), by default.
Select SSL and Verify Certificate to secure the connection via SSL and to validate the server certificate against the imported CA certificate. Without Verify Certificate, the connection is encrypted but the server's identity is not checked.
Click GetBaseDN to fetch the appropriate details.
Set Scope to Subtree.
Specify User DN, User Name, and Password of the account used to retrieve user and domain details for authentication. Use a dedicated, read-only service account for this bind rather than a domain administrator account.
Click Save.
Add a Resource
A resource is a network device, application, repository, or data storage device to which users can get privileged access.
Click Credential Vault on the Administration Console.
Click +Add > Windows > Windows Host.
In Name, specify a name for Windows Server.
For this example, the resource name is set to winsrv16.intech.com.
Click Next.
Perform the following actions to configure the Connection details:
In Host Name/IP Address, specify the host name or IP address of Windows Server.
NOTE:Port is set to 3389, by default.
Select Active Directory Domain lists the available domains if the specified host is joined to a domain.
In this example, Windows Server is a standalone device and does not need to be associated to any Active Directory Domain.
Click Next.
Click Finish.
Click the resource that you have added and click the Credentials tab.
Click Add.
Specify the User Name, Password, and Privilege Type required to access Windows Server.
Defining a User Role
Click Access Control > User Roles > Create.
Specify the role name in Name and additional information about the role in Description.
Click Next.
Click +Add > LDAP Users and Groups.
Select the domain and select the preferred user or group.
In this example, the user AlbertJ is selected.
Click Add > Create.
Create a Resource Pool
Click Access Control > Resource Pools > Create.
Specify Name and Description for this resource pool.
For this example, the resource pool name is set to Windows Server with AD Users.
Select Type as Windows Servers under Agentless.
Click Next.
Click Add and select the resource that you added in Add a Resource.
Click Add.
Select the Default Credentials that users will use to access the resource.
Click Create.
Create an Assignment and Grant Permission
Click Access Control > Assignments > Create.
Select the Resource Pool that you created in Create a Resource Pool.
Select the User Role that you defined in Defining a User Role.
The Description gets generated with the name that you have provided for Resource Pool and User Role.
Click Add and select Web RDP permission in the Privilege Elevation window.
NOTE: By default, Credential is set to Default, so users access the Windows Server with the default credentials configured for the resource.
Click Next.
Select Custom Days and set the days and time frame as follows:
Select Mon to Fri as the days.
Specify 9 AM to 6 PM as the time frame for the selected days.
Click Next.
Disable Secondary Authentication. (This keeps the example short; for privileged access in production, leaving secondary authentication enabled is the safer choice.)
In User Message, specify a message that is displayed to users on connecting to the resource.
Click Next > Finish > Create.
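The time restriction set in the assignment above (Mon to Fri, 9 AM to 6 PM) is the control that hides the resource from Albert outside business hours. The following Python is an added example, not Privileged Account Manager code, that evaluates such a window the way an access-control check would. The policy time zone is an assumption (the page does not state which zone the restriction is evaluated in), and the boundary handling (6 PM itself counted as outside) is a choice made here, not something the page states.

```python
from datetime import datetime, time, timedelta, timezone

# Constructed policy mirroring the assignment: business days, 9 AM to 6 PM.
ALLOWED_WEEKDAYS = {0, 1, 2, 3, 4}          # Monday=0 ... Friday=4
WINDOW_START = time(9, 0)
WINDOW_END = time(18, 0)                    # exclusive: 6:00 PM is already outside
# Assumption: the zone the restriction is evaluated in. A fixed UTC+2 offset is
# used so the example runs without tz database files; use the PAM server's zone.
POLICY_TZ = timezone(timedelta(hours=2), name="policy-local")


def to_policy_local(when: datetime) -> datetime:
    """Normalize a timestamp into the policy zone.

    Naive datetimes are taken to be policy-local already (what an administrator
    types into the console); aware datetimes (e.g. a UTC audit timestamp) are
    converted, which is where most "it was 9 to 6" mistakes come from.
    """
    if when.tzinfo is None:
        return when.replace(tzinfo=POLICY_TZ)
    return when.astimezone(POLICY_TZ)


def access_allowed(when: datetime) -> bool:
    """True if `when` falls inside Mon-Fri 09:00-18:00 policy-local time."""
    local = to_policy_local(when)
    if local.weekday() not in ALLOWED_WEEKDAYS:
        return False
    return WINDOW_START <= local.time() < WINDOW_END


def access_allowed_iso(timestamp: str) -> bool:
    """Same check from an ISO 8601 string, e.g. '2024-06-13T20:00' or
    '2024-06-13T16:30+00:00' (offset given means aware, converted first)."""
    return access_allowed(datetime.fromisoformat(timestamp))


def visible_resources(timestamp: str, assignments: dict) -> list:
    """Resources the User Console would list at `timestamp`.

    `assignments` maps resource name -> True if the assignment carries the
    business-hours restriction, False if it is All Days (24 hours).
    """
    return sorted(
        name for name, restricted in assignments.items()
        if not restricted or access_allowed_iso(timestamp)
    )


if __name__ == "__main__":
    # Thursday 13 June 2024 at 8 PM: the denied scenario from the use case.
    print(access_allowed_iso("2024-06-13T20:00"))        # False
    print(access_allowed_iso("2024-06-13T10:00"))        # True
    # 16:30 UTC is 18:30 policy-local: outside the window although the raw
    # hour looks like business time.
    print(access_allowed_iso("2024-06-13T16:30+00:00"))  # False
    print(visible_resources("2024-06-13T20:00",
                            {"winsrv16.intech.com": True,
                             "lnx-mchs.intech.com": False}))  # ['lnx-mchs.intech.com']
```

When reading the Reports, keep the same distinction in mind: session timestamps stored in UTC must be converted to the policy zone before concluding that a session fell inside or outside the allowed window.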
After Markus implements Windows Agentless Web RDP, the following are possible scenarios:
| Scenario | Result |
|---|---|
| Albert logs in to the User Console and accesses the Windows Server. Later, he installs software and configures it. | Each action is recorded, the live session video is captured, and both are stored in Reports. No malicious activity is detected. |
| Albert wants to access the Windows Server on Thursday at 8 PM. | The Windows Server resource is not listed on the User Console for Albert, because the assignment allows access only from 9 AM to 6 PM on Monday to Friday. |
| Albert installs malware on the Windows Server unintentionally. | The install procedure is recorded. When Markus checks the report and notices the malware installation, he notifies Albert to uninstall the identified malware. |
| Markus is monitoring the live session and Albert attempts to delete the server configuration. | Markus terminates the session. Later, he drafts a mail with the reason and sends it to Albert. |
Let us assume an organization, Intech Data, Inc., wants to assess user actions during elevated sessions on the Linux system that functions as the organization's web server. The Linux system is accessed without thick clients such as PuTTY, MobaXterm, and so on. In the elevated session, an employee can access the Linux system with root permissions.
This example refers to the following user profiles:
Markus: An administrator of Intech Data, Inc.
Silvia Pereria: An employee of Intech Data, Inc.
Markus wants to implement Linux Agentless Web SSH to secure the elevated session against internal misuse. With this implementation, authorized employees access the Linux system through the User Console for elevated access, and each keystroke is captured and recorded for auditing purposes. Also, Markus has the authority to inspect the live session and perform the following upon noticing any suspicious activity, such as changing the system configuration, installing an unauthorized application, and so on:
Terminate the active session and send a notice to the user
Block access to the elevated session
The following diagram depicts the requirement of this use case:
This section explains the prerequisites, flow of actions, and step-by-step configuration details to achieve this requirement.
The following diagram illustrates the sequential flow of configuration required for implementing the Linux Agentless Web SSH:
To achieve this requirement, Markus performs the following tasks:
Privileged Account Manager is installed with the required Agentless module.
NOTE: The agentless component of Privileged Account Manager (agentless) is supported only on SLES 12 (64-bit), SLES 15 (64-bit), Oracle Linux 8 (64-bit), and RHEL 8 (64-bit).
Ensure that the Access Control Engine option is enabled in Server Settings > Policy Engine.
Import the CA certificate that issued the Active Directory server's certificate on the system where you have installed Privileged Account Manager, so that the LDAP connection can be verified over Secure Sockets Layer (SSL).
For more information, see Exporting the Certificate From the Active Directory Server.
Add LDAP Repository
Click Settings on the Administration Console.
Click LDAP Servers on the left pane and click Add New.
Perform the following actions:
Specify Domain Name of the LDAP Server.
Specify Host Name/IP Address of the LDAP Server.
NOTE: By default, Type is set to Active Directory Services and Port is set to 636 (LDAPS).
Select SSL and Verify Certificate to secure the connection via SSL and to validate the server certificate against the imported CA certificate.
Click GetBaseDN to fetch the appropriate details.
Set Scope to Subtree.
Specify User DN, User Name, and Password of the account used to retrieve user and domain details for authentication. Use a dedicated, read-only service account for this bind rather than a domain administrator account.
Click Save.
Add Linux System as a Resource
Click Credential Vault on the Administration Console.
Click +Add > Linux/Unix/Network Device > SSH.
In Name, specify a name for the Linux system.
For this example, the resource name is set to lnx-mchs.intech.com.
Click Next.
Perform the following to configure the Connection details:
In Host Name/IP Address, specify the host name or IP address of the Linux system.
NOTE:Port is set to 22 by default.
Click Get Host Key to fetch the SSH host key of the specified machine. This is a trust-on-first-use fetch over the network, so compare the fetched key's fingerprint with one obtained out of band (for example, from ssh-keygen -lf run on the machine's own console) before saving the resource.
Click Next.
Click Finish.
Click Count for the resource that you have added.
Click Add in the Credentials tab.
NOTE: Credential Type is set to Password by default; this grants elevated access to the resource using the specified password.
Specify the User Name, Password, and Privilege Type required to access the Linux system.
Click Add.
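The Get Host Key step above trusts whatever key the network returns, so the check that matters is comparing its fingerprint with one read from the server itself (for instance `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` on the console). The following Python is an added example, not part of Privileged Account Manager, that parses an ssh-keyscan style key line, checks that the declared key type matches the key blob, and computes the OpenSSH SHA256 fingerprint so the two can be compared. The host name and the 32-byte key material are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode a byte string as an SSH wire 'string' (uint32 length + payload)."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob: bytes, offset: int = 0):
    """Decode one SSH wire 'string' at `offset`; return (payload, next_offset)."""
    if len(blob) < offset + 4:
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if len(blob) < start + length:
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length


def make_ed25519_pubkey_line(host: str, raw_key: bytes) -> str:
    """Build an ssh-keyscan style line for a constructed ed25519 public key.

    `raw_key` stands in for real key material; only the encoding matters here.
    """
    if len(raw_key) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_key)
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode('ascii')}"


def parse_pubkey_line(line: str):
    """Parse '<host> <type> <base64 blob>' and check the blob really is that type."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected '<host> <key type> <base64 key>'")
    host, key_type, b64 = fields[0], fields[1], fields[2]
    blob = base64.b64decode(b64, validate=True)   # raises ValueError on bad base64
    embedded_type, _ = _read_ssh_string(blob)
    if embedded_type != key_type.encode("ascii"):
        raise ValueError(f"declared type {key_type} does not match key blob")
    return host, key_type, blob


def is_well_formed(line: str) -> bool:
    """True if the line parses and its declared type matches the blob."""
    try:
        parse_pubkey_line(line)
        return True
    except ValueError:
        return False


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH SHA256 fingerprint: 'SHA256:' + unpadded base64 of sha256(blob).

    This is the form printed by `ssh-keygen -lf <pubkey file>`.
    """
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def verify_host_key(fetched_line: str, expected_fingerprint: str) -> bool:
    """True only if the fetched key's fingerprint equals the out-of-band one."""
    _, _, blob = parse_pubkey_line(fetched_line)
    return hmac.compare_digest(sha256_fingerprint(blob), expected_fingerprint)


if __name__ == "__main__":
    # Constructed key material; a real check uses the line PAM fetched and the
    # fingerprint read from the server's console.
    genuine = make_ed25519_pubkey_line("lnx-mchs.intech.com", bytes([0x11]) * 32)
    imposter = make_ed25519_pubkey_line("lnx-mchs.intech.com", bytes([0x22]) * 32)
    reference = sha256_fingerprint(parse_pubkey_line(genuine)[2])
    print(reference)
    print(verify_host_key(genuine, reference))   # True
    print(verify_host_key(imposter, reference))  # False
```

If the fingerprint PAM shows for the fetched key does not match the one read on the server, do not save the resource: the session path would then be relayed through whatever answered on port 22, and everything the recording captures, including the stored password, would pass through it.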
Defining a User Role
Click Access Control > User Roles > Create.
Specify the role name in Name and additional information about the role in Description.
Click Next.
Click +Add > LDAP Users and Groups.
Select the domain and select the preferred user or group.
In this example, the user Silvia is selected.
Click Add > Create.
Create a Resource Pool
Click Access Control > Resource Pools > Create.
Specify Name and Description for this resource pool.
For this example, the resource pool name is set to lnx-ssh-pool.
Select Type as SSH Servers under Agentless.
Click Next.
Click Add and select the resource that you added in Add Linux System as a Resource.
Click Add.
Select the Default Credentials that users will use to access the resource.
Click Create.
Create an Assignment and Grant Permission
Click Access Control > Assignments > Create.
Select the Resource Pool that you created in Create a Resource Pool.
Select the User Role that you defined in Defining a User Role.
The Description gets generated with the name that you have provided for Resource Pool and User Role.
Click Add and select Web SSH permission.
NOTE: By default, the Credential is set to Default in the Privilege Elevation window.
Click Next.
NOTE: Time Restriction is set to All Days (24 hours) by default, so the Linux system is accessible at any time without restriction.
Click Next.
Disable Secondary Authentication. (This keeps the example short; for privileged access in production, leaving secondary authentication enabled is the safer choice.)
In User Message, specify a message that is displayed to users on connecting to the resource.
Click Next > Finish > Create.
After Markus implements Linux Agentless Web SSH, the following are possible scenarios:
| Scenario | Result |
|---|---|
| Silvia logs in to the User Console and opens an elevated session on the Linux system. Later, she executes some commands. | Each command is recorded and the live session video is captured. No malicious activity is detected. |
| Silvia installs malware on the Linux system unintentionally. | The install procedure is recorded. When Markus goes through the recorded session and notices the malware installation, he notifies Silvia to uninstall the identified malware. |
| Markus is monitoring the live session and Silvia attempts to modify the security controls. | Markus terminates the session and blocks her access to the Linux system. Later, he drafts a mail with the reason and sends it to Silvia. |
| Silvia deletes a configuration file. | The action is recorded and saved in Reports. Markus can take the relevant actions while auditing the report. |