[Enterprise] Random Password Manager - BeyondTrust · 2020. 7. 6. · Enterprise Random Password...
[Enterprise] Random Password Manager
Application Launching & Session Recording
5.x
Copyright © 2003-2015 Lieberman Software Corporation.
All rights reserved.
The software contains proprietary information of Lieberman Software Corporation; it is provided under a
license agreement containing restrictions on use and disclosure and is also protected by copyright
law. Reverse engineering of the software is prohibited.
Due to continued product development this information may change without notice. The information
and intellectual property contained herein is confidential between Lieberman Software and the client
and remains the exclusive property of Lieberman Software. If there are any problems in the
documentation, please report them to Lieberman Software in writing. Lieberman Software does not
warrant that this document is error-free.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or
by any means, electronic, mechanical, photocopying, recording or otherwise without the prior written
permission of Lieberman Software.
Microsoft, Windows, Word, Office, SQL Server, SQL Express, Access, MSDE, and MS-DOS are either
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries. Other brands and product names are trademarks of their respective owners.
Lieberman Software Corporation
1900 Avenue of the Stars
Suite 425
Los Angeles
CA 90067
310.550.8575
Internet E-Mail: [email protected]
Website: http://www.liebsoft.com
iii
CONTENTS
INTRODUCTION .............................................................................................................................5
License Agreement .............................................................................................................................. 5
Limited Warranty ................................................................................................................................ 6
Overview ............................................................................................................................................. 7
Background and Goals ......................................................................................................................... 8
PRE-REQUISITES ............................................................................................................................9
INSTALLING APPLICATION LAUNCHER AND SESSION RECORDING WITH A BASTION HOST ............. 11
1. Installing Remote Desktop Services ..............................................................................................12
Installing Remote Desktop Services for Server 2012 (R2) ............................................................12
Installing Remote Desktop Services for Server 2008 R2 ..............................................................27
2. Installing Desktop Experience .......................................................................................................37
Installing Desktop Experience for Server 2012 (R2) .....................................................................37
Installing Desktop Experience for Server 2008 R2 .......................................................................40
3. Installing Application Launcher and Session Recording ................................................................45
1. On the Transcoder Host ...........................................................................................................45
2. On the Bastion Host .................................................................................................................57
4. Setting up RDS for Application Launching .....................................................................................70
Configuring Remote App for Server 2012 (R2) ............................................................................70
Configuring Remote App for Server 2008 R2 ...............................................................................75
5. Setting Up Streaming Media Services ...........................................................................................80
6. Configuring IIS to Host Recorded Sessions ....................................................................................85
CONFIGURING APPLICATION LAUNCHING .................................................................................... 87
Configuring a Bastion Host Login Account ........................................................................................87
Configure ERPM Web Settings ........................................................................................................112
Configure a Bastion Host Object .....................................................................................................114
Configure a Session Recording Host Object ....................................................................................117
Configure ERPM Website for Session Playback ..............................................................................121
Configure Applications for Launching .............................................................................................125
Variables for App Launching ......................................................................................................130
Multi-tab Support ......................................................................................................................132
Multi-tab Support Configuration ...............................................................................................135
Multi-tab AutoIT Script Examples ....................................................................................... 140
Application Sets ...............................................................................................................................144
Shadow Accounts ............................................................................................................................149
USING APPLICATION LAUNCHING .............................................................................................. 161
AUDITING APPLICATION LAUNCHING ......................................................................................... 167
INDEX ....................................................................................................................................... 169
INTRODUCTION
This chapter includes an overview of Enterprise Random Password Manager (ERPM), what problems it is
designed to solve, performance information, expected prerequisite knowledge, and some background
information on Windows.
This chapter also includes the license and warranty information for ERPM.
IN THIS CHAPTER
License Agreement .................................................................................... 5
Limited Warranty ...................................................................................... 6
Overview ................................................................................................... 7
Background and Goals ............................................................................... 8
LICENSE AGREEMENT
This is a legal and binding contract between you, the end user, and Lieberman Software Corporation.
By using this software, you agree to be bound by the terms of this agreement. If you do not agree to
the terms of this agreement, you should return the software and documentation as well as all
accompanying items promptly for a refund.
1. Your Rights: Lieberman Software Corporation hereby grants you the right to use a single copy of
Enterprise Random Password Manager to control the licensed number of systems and/or devices.
2. Copyright. The SOFTWARE is owned by Lieberman Software Corporation and is protected by United
States copyright law and international treaty provisions. Therefore, you must treat the software like
any other copyrighted material (e.g. a book or musical recording) except that you may either (a) make
one copy of the SOFTWARE solely for backup and archival purposes, or (b) transfer the SOFTWARE to a
single hard disk provided you keep the original solely for backup and archival purposes. The manual is
a copyrighted work also--you may not make copies of the manual for any purpose other than the use of
the software.
3. Other Restrictions: You may not rent or lease the SOFTWARE. You may not reverse engineer,
de-compile, or disassemble the SOFTWARE that is provided solely as executable programs (EXE files). If
the SOFTWARE is an update, any transfer must include the update and all prior versions.
4. Notice: This software contains functionality designed to periodically notify Lieberman Software
Corporation of demo usage and of the detection of suspected pirated license keys. By using this
software, you consent to allow the software to send information to Lieberman Software Corporation
under these circumstances, and you agree to not hold Lieberman Software Corporation responsible for
the use of any or all of the information by Lieberman Software Corporation or any third party.
When used lawfully, this software periodically transmits to us the serial number and network
identification information of the machine running the software. No personally identifiable information
or usage details are transmitted to us in this case. The program does not contain any spyware or
remote control functionality that may be activated remotely by us or any other 3rd party.
Lieberman Software Corporation
1900 Avenue of the Stars
Suite 425
Los Angeles
CA 90067
310.550.8575
Internet E-Mail: [email protected]
Website: http://www.liebsoft.com
LIMITED WARRANTY
The media (optional) and manual that make up this software are warranted by Lieberman Software
Corporation to be free of defects in materials and workmanship for a period of 30-days from the date of
your purchase. If you notify us within the warranty period of such defects in material and workmanship,
we will replace the defective manual or media.
The sole remedy for breach of this warranty is limited to replacement of defective materials and/or
refund of purchase price and does not include any other kinds of damages.
Apart from the foregoing limited warranty, the software programs are provided "AS-IS", without
warranty of any kind, either expressed or implied. The entire risk as to the performance of the programs
is with the purchaser. Lieberman Software does not warrant that the operation will be uninterrupted or
error-free. Lieberman Software assumes no responsibility or liability of any kind for errors in the
programs or documentation of/for consequences of any such errors.
This agreement is governed by the laws of the State of California.
Should you have any questions concerning this Agreement, or if you wish to contact Lieberman
Software, please write:
Lieberman Software Corporation
1900 Avenue of the Stars
Suite 425
Los Angeles
CA 90067
You can also keep up to date on the latest upgrades via our website at http://www.liebsoft.com or
e-mail us at: [email protected].
OVERVIEW
Enterprise Random Password Manager is the missing layer of privileged identity management (PIM) and
identity and access governance (IGA). ERPM is a platform that is designed to build a CMDB of the
networks on which it functions. It will catalog systems, devices, their user accounts and attributes, SSH
keys and certificates, and manage credentials, keys, and the access to them. Historically the core
functionality of ERPM revolved around its ability to randomize and store the passwords for accounts on
target systems on a regular recurring basis. ERPM built on basic password management by leveraging
its True Discovery technology to determine where service accounts were used and when changing the
password for these accounts also to propagate those password changes to all places the account was
used. This provides the mechanism and methods to maintain not only company up time during service
account changes but also bring risk averse companies into a place where they could begin to follow good
security practices and achieve a state of continuous compliance rather than point in time compliance.
Because these passwords are stored and managed by ERPM, they can be retrieved via a delegated web
interface, programs, orchestration systems, and more. Access to the password store as well as other
web interface features can be limited to specific groups, users, explicit accounts, or various other
identities with or without two factor authentication.
ERPM provides more functionality beyond password management, password vaulting, and session
management. ERPM also provides for:
Account escalation - the ability to add a user to a pre-defined group with higher privileges than the
user would normally have on a target system and then automatically remove that access.
Secure file storage - the ability to upload and store as an encrypted data blob in the programs secure
data store, any file such as password spread sheets, digital certificates, instructions, and more. After
the files are uploaded, an ACL system identifies what users will be able to retrieve the files while
auditing access to the files.
Orchestration - ERPM can run headless; being controlled programmatically. This permits tight
integration in other systems such as work-flow engines, run book orchestration for user and system
provisioning and de-provisioning, programmatic access to almost all functions, and much more. This
control is provided via SOAP based web services and PowerShell. Users may tie into ERPM using any
program or language which can call the web service or PowerShell.
Privileged Account Management - providing session based control to privileged accounts to run
specific programs against specific hosts. Via the optional bastion server model, any program,
website, script, etc., may be run in a controlled and secured environment to allow users from
network access to specific systems or other trusted or untrusted networks using specific tools with
specific feature sets. This allows access to the tool set needed to get a job done without providing
direct physical access or access to the credential.
Session Recording - building on the concept of privileged account management, when using the
optional bastion host, these sessions can be recorded for later playback and auditing of the user
actions that took place during a user's session. This further helps to comply with auditing mandates
as well as training procedures.
BACKGROUND AND GOALS
The Need for Strong Local Credentials
Organizations with a need for the most basic access security should use unique local logon credentials
customized for each workstation and server in their environment. Unfortunately, most organizations
use common credentials (same user name and password for the built-in administrator account) for each
system for the ease of creating and managing those systems by the IT Department without any concern
as to the consequences to the organization should these common credentials be compromised.
With the mandates of PCI-DSS, Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, California Security Breach
Information Acts, NASD 3010, SEC 17a-4, 21 CFR Part 11, DoD 5015.2 and others, the implementation of
reasonably hard to compromise local logon credentials is mandatory for most organizations as a means
for protecting not only the confidentiality of their data, but also to protect against tampering.
Creating Strong Local Credentials
Lieberman Software's ERPM can change any common account on all workstations and servers
in just a few minutes without the need for scripts or any other type of program. The new common
credentials can be stored in a local or remote SQL Server database and can be recovered on demand
using the password recovery website.
Enterprise Random Password Manager can be configured to regularly change the passwords of common
accounts on all target systems (i.e. workstation built-in administrator account) according to a schedule so
that each account receives a fresh cryptographically strong password regularly. This product feature
protects the overall security of an organization so that the compromise of a single machine’s local
administrator password does not lead to the total compromise of the entire organization’s security.
ERPM further builds on these concepts by automatically discovering all references to the specified
account, such as services, tasks, COM and DCOM objects, and more, and, following a password change
for a user's account, whether domain or local, propagating the new password to all those references.
Delegated Password Recovery
ERPM also contains a web interface to allow the remote recovery of passwords, access to privileged
sessions and more. The web interface is a web application comprised of ASP and ASP.NET web pages that
allows any user with the appropriate group memberships the right to use the application as well as the
right to recover passwords for accounts managed by the program. All access to the web application
and all actions taken therein are logged and the history is also available via the same web interface to
authorized users.
Because this application protects and provides extremely sensitive information, it is essential that
particular attention be paid to the security settings of the application and that appropriate
encryption such as SSL is used, based on the scope of access provided.
For more information on security hardening, please refer to the proposed options for server hardening:
http://forum.liebsoft.com/enterprise-random-password-manager-knowledgebase/546-server-hardening-guide.html.
PRE-REQUISITES
Windows Server operating system for bastion host and session recording:
Windows Server 2012 R2 (recommended)
Windows Server 2012
Windows Server 2008 R2
It is highly recommended for all servers in the ERPM system to be fully patched.
Note: Earlier versions of Windows Server are not supported. Windows workstation platforms are not
supported for hosting the application launcher.
The following items will be required for application launching and session recording:
Remote Desktop Session Host server role.*
Desktop Experience if using session recording.
Existing ERPM installation and installed files (SupplementalInstallers directory)
ERPM Web Service installed with SSL and no certificate errors and accessible from the bastion host.
If using self-signed certificates, the certificate from the issuing web server should be added to the
Trusted Root Certification Authorities on the machines hosting the Web Service, Bastion Host, and
client systems.
Dot Net framework 4.x on bastion and transcoder hosts.
Dot Net framework 4.x on machines connecting to run an application.
* Microsoft Remote Desktop Services (RDS) will require additional licensing to be purchased from
Microsoft.
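The following script is an added example and is not part of the ERPM manual or the product's own installers. It checks the pre-requisites listed above on a candidate bastion or transcoder host: a supported Windows Server version, the Remote Desktop Session Host role and Desktop Experience feature, .NET Framework 4.x, and a clean TLS handshake (chain and host name validated by .NET's default policy) against the ERPM web service URL, which is the same validation the launcher installer's Test button has to pass later. The URL and any host names are placeholders; WMI and the ServerManager module are used so it also runs under PowerShell 2.0 on Server 2008 R2.

```powershell
# Added pre-requisite check (not from the ERPM manual). Run elevated on the bastion/transcoder host.
param(
    # Placeholder: replace with the real ERPM web service URL.
    [string]$WebServiceUrl = 'https://webserverHost/ERPMWebService/WebLauncherBackEndService.svc'
)
$ErrorActionPreference = 'Stop'
Import-Module ServerManager

$results = @()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Name; Pass = $Ok; Detail = $Detail }
}

# 1. Server OS 2008 R2 (6.1) or later; ProductType 1 is a workstation SKU, which is unsupported.
$os  = Get-WmiObject Win32_OperatingSystem
$ver = [version]$os.Version
Add-Check 'Server OS 2008 R2 or later' (($os.ProductType -ne 1) -and ($ver -ge [version]'6.1')) `
          "$($os.Caption) $($os.Version)"

# 2. RD Session Host role and Desktop Experience (the latter only matters for session recording).
foreach ($f in 'RDS-RD-Server', 'Desktop-Experience') {
    $feat = Get-WindowsFeature -Name $f
    Add-Check "Feature $f" ([bool]$feat.Installed) "Installed=$($feat.Installed)"
}

# 3. .NET Framework 4.x, detected from the NDP\v4\Full registry key.
$ndp  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$net4 = if (Test-Path $ndp) { (Get-ItemProperty $ndp).Version } else { $null }
Add-Check '.NET Framework 4.x' (($net4 -ne $null) -and ($net4 -like '4.*')) "Version=$net4"

# 4. TLS handshake to the web service with default validation (chain + host name), so a
#    self-signed or mismatched certificate shows up here rather than at install time.
$uri = [uri]$WebServiceUrl
$tcp = $null; $ssl = $null
try {
    if ($uri.Scheme -ne 'https') { throw 'Web service URL must use https' }
    $tcp = New-Object System.Net.Sockets.TcpClient($uri.Host, $uri.Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($uri.Host)   # throws AuthenticationException on any certificate error
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    Add-Check 'Web service TLS/certificate' $true `
              ('{0}; issuer {1}; expires {2}' -f $cert.Subject, $cert.Issuer, $cert.NotAfter)
} catch {
    Add-Check 'Web service TLS/certificate' $false $_.Exception.Message
} finally {
    if ($ssl) { $ssl.Dispose() }
    if ($tcp) { $tcp.Close() }
}

$results | Format-Table Check, Pass, Detail -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

A failing TLS check on a self-signed deployment is resolved the way the list above prescribes: import the issuing certificate into Trusted Root Certification Authorities on the web service host, the bastion host and the client machines, then re-run the script rather than weakening validation.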
INSTALLING APPLICATION LAUNCHER AND SESSION RECORDING WITH A BASTION HOST
The following sections outline the steps to prepare for and install the Lieberman Software Application
Launcher and optional session recording components.
Application Launching is an add-on for ERPM. Application Launching can be configured with or without
the Session Recording component. Lieberman Software provides Session Recording for free when the
Application Launcher add-on is purchased. However, the provided session recording only works with
applications launched via the Lieberman Software application launcher.
The sections describing the installation of these components are broken down as follows:
1) Installing Remote Desktop Services
2) Installing Desktop Experience - only required if using session recording
3) Installing Application Launcher and Session Recording - session recording is optional
4) Setting up Remote Desktop Services for Application Launching
5) Setting up Streaming Media Services - required if using session recording
6) Configuring IIS to Host Recorded Sessions - required if using session recording
Sections 1, 2, & 4 all have subsections detailing how to perform the steps on Windows Server 2008 R2 or
Windows Server 2012 (R2). Section 3 has additional steps detailing how to install the application
launcher and optional session recording across multiple systems.
IN THIS CHAPTER
1. Installing Remote Desktop Services .................................................... 12
2. Installing Desktop Experience ............................................................. 37
3. Installing Application Launcher and Session Recording ...................... 45
4. Setting up RDS for Application Launching ........................................... 70
5. Setting Up Streaming Media Services ................................................. 80
6. Configuring IIS to Host Recorded Sessions .......................................... 85
1. INSTALLING REMOTE DESKTOP SERVICES
The following sub-sections show the installation of Remote Desktop Services on both a Windows Server
2008 R2 and Windows Server 2012 [R2] host. If multiple jump servers will be employed they do not need
to all be the same operating system, though they do all need to be Windows Server 2008 R2 or later
(2012 R2 recommended).
INSTALLING REMOTE DESKTOP SERVICES FOR SERVER 2012 (R2)
This section covers installation of the pre-requisites on a Windows Server 2012 and Windows Server
2012 R2 host which will function as a bastion host for the purposes of launching applications.
Open Server Manager and select Add Roles and Features.
Click Next on the Before You Begin page.
On the Select installation type page select Remote Desktop Services installation then click Next.
On the Select deployment type page, choose a deployment type and click Next.
The steps presented here go through a standard deployment, in which the admin will be required to
configure a collection after the RDS installation. The Quick Start method is faster and creates a
collection automatically, but it also adds and publishes additional applications that are unnecessary
and offers no configuration options.
On the Select deployment scenario page, select Session-based desktop deployment, then click Next.
Click Next on the Role Services page.
On the Specify RD Connection Broker server page, select the server from the Server Pool field, then add
it to the selected computer field by clicking the right arrow head between the two fields.
Click Next to continue.
On the Specify RD Web Access server page, select the server from the Server Pool field, then add it to
the selected computer field by clicking the right arrow head between the two fields.
Click Next to continue.
On the Confirm selections page, click Deploy. Restart the host if required.
Upon restart, open Server Manager and click on Remote Desktop Services from the right pane, then click
on Collections from the center pane. A new collection must be made to publish the Lieberman Software
application used to launch software from the bastion host.
At the top right corner, select Tasks and click Create Session Collection.
On the Before you begin page, click Next.
On the Name the collection page, supply a friendly name for the collection and click Next.
On the Specify RD Session Host server page, select the server from the Server Pool field, then add it to
the selected computer field by clicking the right arrow head between the two fields. Then click Next.
ERPM will use a proxy account to connect to the bastion host prior to launching the selected application.
This account will either need to be added to a group which can RDP to the target bastion host and launch
subsequent applications, or should be added directly as a user which can connect to the RD Session host
server. Description of this account is covered in the parent section, 1. Installing Remote Desktop
Services.
Click Next to continue.
On the Specify user profile disks page, click Next.
On the Confirm selections page, click Create.
An empty collection will be created. The installation and configuration of the launcher application will be
described later in this document.
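The wizard steps above for Server 2012 (R2) can also be scripted with the RemoteDesktop module. The block below is an added example, not the manual's or Lieberman Software's own code: it performs a standard (not Quick Start) session-based deployment on a single server, creates the empty collection, and replaces the wizard's default user group with a group that holds only the ERPM proxy account, which is the least-privilege form of the group membership the text above asks for. The FQDN, collection name and group name are placeholders.

```powershell
# Added example (not from the ERPM manual): scripted equivalent of the Server 2012 (R2) wizard.
# Run elevated, from a domain-joined host with the RemoteDesktop module available.
$ErrorActionPreference = 'Stop'
Import-Module RemoteDesktop

$bastion    = 'bastion01.corp.example'        # placeholder FQDN; broker, web access and session host on one server
$collection = 'ERPM Application Launcher'     # placeholder collection name
$proxyGroup = 'CORP\ERPM-Launcher-Proxy'      # placeholder group that contains only the ERPM proxy account

# Standard session-based deployment: no extra RemoteApps are published, unlike Quick Start.
# The server restarts if the RD Session Host role was not already installed.
New-RDSessionDeployment -ConnectionBroker $bastion -WebAccessServer $bastion -SessionHost $bastion

# Empty session collection; the launcher application is published in a later section.
New-RDSessionCollection -CollectionName $collection -SessionHost $bastion -ConnectionBroker $bastion

# The wizard grants "Domain Users" by default. Restrict connections to the proxy account's group.
Set-RDSessionCollectionConfiguration -CollectionName $collection -UserGroup $proxyGroup `
                                     -ConnectionBroker $bastion

# Verify: the collection exists and only the intended group may connect.
Get-RDSessionCollection -ConnectionBroker $bastion | Format-Table CollectionName, Size -AutoSize
Get-RDSessionCollectionConfiguration -CollectionName $collection -UserGroup -ConnectionBroker $bastion
```

Keeping the proxy account in a dedicated group, rather than in a broad group such as Domain Users, means that the RDP entry point to the bastion host is reachable only through ERPM's launcher and that the group membership itself is something the audit steps later in the manual can account for.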
INSTALLING REMOTE DESKTOP SERVICES FOR SERVER 2008 R2
This section covers installation of Remote Desktop Services on a Windows Server 2008 R2 host as
required for bastion host services.
Start Server Manager and select Add Roles. Click Next on the welcome page and select Remote Desktop
Services then click Next.
Click Next on the Introduction to Remote Desktop Services page.
On the Select Role Services page, select Remote Desktop Session Host, then click Next.
Click Next on the Uninstall and Reinstall Applications for Compatibility page.
On the Specify Authentication Method for Remote Desktop Session Host page, choose the option that
best suits your company's needs. The option to Require Network Level Authentication will provide
greater security but may only work properly for newer hosts and if all incoming connections are properly
verified. The option Do not require Network Level Authentication will provide greater compatibility for
all connecting systems but may reduce the overall security of the bastion host. Click Next to continue.
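Whichever option is chosen on this page, the setting can be audited afterwards. The script below is an added example, not part of the manual: it reports whether the RDP-Tcp listener requires Network Level Authentication (from WMI and, as a cross-check, from the listener's registry key), together with the security layer in use, and with the -Enforce switch it sets the Require Network Level Authentication option. It uses WMI so that it works on Server 2008 R2 under PowerShell 2.0 as well as on Server 2012 (R2).

```powershell
# Added example (not from the ERPM manual): audit or enforce NLA on the RDP-Tcp listener. Run elevated.
param([switch]$Enforce)
$ErrorActionPreference = 'Stop'

$ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
                    -Filter "TerminalName='RDP-Tcp'"

# Same listener settings as stored in the registry, read only as a cross-check.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$reg     = Get-ItemProperty -Path $regPath -Name UserAuthentication, SecurityLayer

$layerNames = @{ 0 = 'RDP security layer'; 1 = 'Negotiate'; 2 = 'TLS (SSL)' }
"NLA required (WMI)     : $($ts.UserAuthenticationRequired -eq 1)"
"NLA required (registry): $($reg.UserAuthentication -eq 1)"
"Security layer         : $($layerNames[[int]$ts.SecurityLayer])"

if ($ts.UserAuthenticationRequired -ne 1) {
    # Without NLA the session (and its logon screen) is created before the client authenticates,
    # so the bastion host does more work for unverified connections.
    Write-Warning 'NLA is not required on RDP-Tcp.'
    if ($Enforce) {
        $r = $ts.SetUserAuthenticationRequired(1)
        if ($r.ReturnValue -ne 0) { throw "SetUserAuthenticationRequired failed: $($r.ReturnValue)" }
        'NLA is now required; only CredSSP-capable RDP clients can connect from here on.'
    }
}
```

The compatibility caveat in the text applies to the enforced state: the ERPM proxy account's connection from the ERPM host, like any other client, must support CredSSP once NLA is required, so confirm a launched application still starts after switching the setting.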
On the Specify Licensing Mode page, a remote desktop session license mode must be selected. If RDS
client access licenses are not yet available but will be soon, select Configure later. If unsure about what
option to choose, select Configure later, and then contact your Microsoft licensing services manager.
RDS will function for 120 days without a proper licensing server. If RDS CALs are available, then choose
the proper Per Device or Per User model for your organization.
ERPM will use a proxy account to connect to the bastion host prior to launching the selected application.
This account will either need to be added to a group which can RDP to the target bastion host and launch
subsequent applications, or should be added directly as a user which can connect to the RD Session host
server. Description of this account is covered in the parent section, 1. Installing Remote Desktop
Services.
Click Next to continue.
On the Configure Client Experience page, it is recommended to leave all options deselected. Click Next
to continue.
On the Confirm Installation Selections page, examine the installation selections. If everything is correct,
click Install. The server will need to reboot after installation.
The installation and configuration of the launcher application will be described later in this document.
2. INSTALLING DESKTOP EXPERIENCE
The Desktop Experience will be required if session recording is to be enabled. If the Lieberman Software
provided free session recording will not be enabled, Desktop Experience will not be required.
Session recording will involve a bastion host to capture the session, and a system to function as a video
transcoder. These could be the same machine or separate systems. If they are separate systems, then
Desktop Experience will be installed on both systems. More information on this will be provided in later
sections.
INSTALLING DESKTOP EXPERIENCE FOR SERVER 2012 (R2)
If session recording will be configured then the Desktop Experience must be installed. To add the
Desktop Experience, open Server Manager and select Add Features.
On the Features Page, expand User Interfaces and Infrastructure, and select Desktop Experience.
If prompted for additional components, click Add Features.
Add any other requirements that other applications that will be launched from this system may require
(such as .net framework 3.51 or 4.x) and click Next.
Continue through to the end of the wizard. Click Close when done. Installation of the Desktop Experience
will require a restart of the host.
INSTALLING DESKTOP EXPERIENCE FOR SERVER 2008 R2
If session recording will be configured then the Desktop Experience must be installed. To add the
Desktop Experience, open Server Manager and select Add Features.
On the Features Page, select Desktop Experience.
If prompted for additional components, click Add Required Features.
Click Next to continue.
Once the installation is complete, click Close and restart the server.
3. INSTALLING APPLICATION LAUNCHER AND SESSION RECORDING
This step includes installation of the session recording options. The session recording options may
be safely omitted if the Lieberman Software provided free session recording will not be enabled. If the
Lieberman Software free session recording will not be installed, then skip the section titled On the
Transcoder Host and go straight to the section titled On the Bastion Host.
The application launching capability of ERPM is best utilized with a bastion host. A bastion host in the
context of ERPM is a Windows Remote Desktop Session Services machine (formerly Terminal Services)
that will proxy connection attempts made to specific target systems. The bastion host will have all
programs used to connect to target systems installed on it. ERPM will use a proxy account to connect to
the bastion host. This account can and should be managed by ERPM, but automated management is not
necessary as a static un-stored password may also be used.
Session recording for ERPM is a feature that accompanies the application launcher such that remote
sessions initiated by ERPM through the bastion host may be recorded. Recorded sessions will be copied
from the bastion host to a machine functioning as a video transcoder. Videos will be converted from the
raw format to one that may be played back by the machine functioning as a streaming media server.
The bastion host may function as recorder, transcoder, and streaming media server all at once. However,
transcoding videos carries significant CPU overhead. It is recommended that the system functioning as
the ERPM web server also function as the streaming media server and possibly as the video transcoder.
This section outlines the installation of session recording for application launching on two separate
machines functioning independently. In sub-section 5, the installation of streaming media services will
be detailed for the purposes of streaming the final recorded sessions.
1. ON THE TRANSCODER HOST
To begin installing the session recording software on the machine that will function as the video
transcoder, open the SupplementalInstallers sub-folder from the ERPM installation directory, typically
"%programfiles (x86)\Lieberman\Roulette". Copy ERPMRemoteLauncherInstaller.exe to the machine
that will function as the transcoder and launch the installer.
Click Next on the welcome page.
Read and accept the license agreement to continue installation. Then click Next to continue.
Enter the full SSL-secured URL of the ERPM application launcher web service. The web service is a separate
installation, typically on the ERPM web server, and is installed with the standard ERPMWebService installer
package. The URL is typically
https://webserverHost/ERPMWebService/WebLauncherBackEndService.svc.
Click Test to validate the URL. Any certificate issues must be corrected before installation can succeed.
If the web page does not appear at all, validate the URL and try again, or install the web service.
Installation instructions for the web service are included in the administrator's guide within the SDK
section.
If the page tests without issues or errors, click Next to continue.
For the transcoder host, select to install:
Microsoft Expression 4 Encoder SP2
Session Recorder and File Watcher Service
Select the installation directory. Click Next to continue.
On the transcoder host, make note of the source and destination directories. These directories will be
used in later instructions when setting up the application launcher and streaming media services. They
will also be shared between the transcoder and bastion hosts if those are on two separate systems.
On the transcoder host, set the service identity to run as either Local System or as a specific user.
Local System has the benefit of already having the required access and no password management
requirements.
Running as a specific user offers the path of least privilege, but requires configuring NTFS
permissions on the Source directory from the previous step for reading, writing, and deleting files
(Modify), and also requires that a password be managed (which ERPM can do automatically).
Running the File Watcher service as Local System is recommended on the transcoder host.
Click Next to continue.
Click Install to continue.
Click Finish to complete the first part of the installation.
After the initial installation is complete, a separate installation for the Microsoft Expressions recorder
will be initiated automatically.
Accept the license agreement for the Microsoft Expressions recorder.
Click Next on the Enter product key page. There is no product key to enter.
Elect whether or not to join the Microsoft customer experience program. Click Next to continue.
Select to install Expression Encoder 4 and click Install.
Click Finish to complete the installation.
IMPORTANT NOTES REGARDING THIS INSTALLATION!
This installation will take additional actions that are not visible in the installer:
A [Domain] Local security group called WriteRecordingGroup will be created. If the installation is
taking place on a domain controller, the group is created in the Users container.
The Domain Admins group will be added to this WriteRecordingGroup.
The installer will create and share the following directory: %inetpub%\wwwroot\SessionRecording
as SessionRecording. This directory is used to copy compiled session recordings from the bastion to
the transcoder host. This scenario applies if using the FFMPeg video recorder rather than the
Expressions recorder. If the transcoder and bastion host are the same system, or if the Expression
session recorder is the only session recorder used, this share may be safely deleted. This share
directory will be required when configuring the bastion host for app launching with session
recording.
The installer will create and share the following directory: %programfiles
(x86)%\Lieberman\Roulette\LaunchApp\Transcoders\Source as Source. This directory will be used
by the bastion hosts to copy raw session recording files to the transcoder host(s). If the transcoder
and bastion host are the same system, this share can be safely deleted. This scenario applies if
using the Expressions 4 recording software. This share directory will be required when configuring
the bastion host for app launching with session recording.
The share permissions on each shared directory will be set to allow the WriteRecordingGroup "Full
Control". The minimum permissions required are "Change".
2. ON THE BASTION HOST
To begin installing the application launcher and session recording software on the machine that will
function as the bastion host, open the SupplementalInstallers sub-folder from the ERPM installation
directory, typically "%programfiles (x86)\Lieberman\Roulette". Copy ERPMRemoteLauncherInstaller.exe to
the machine that will function as the bastion host and launch the installer.
Click Next on the welcome page.
Read and accept the license agreement to continue installation. Then click Next to continue.
Enter the full SSL-secured URL of the ERPM application launcher web service. The web service is a separate
installation, typically on the ERPM web server, and is installed with the standard ERPMWebService installer
package. The URL is typically
https://webserverHost/ERPMWebService/WebLauncherBackEndService.svc.
Click Test to validate the URL. Any certificate issues must be corrected before installation can succeed.
If the web page does not appear at all, validate the URL and try again, or install the web service.
Installation instructions for the web service are included in the administrator's guide within the SDK
section.
If the page tests without issues or errors, click Next to continue.
For the bastion host, if session recording WILL BE enabled, select to install:
Microsoft Expression 4 Encoder SP2
Session Recorder and File Watcher Service
Application Launcher
If session recording will NOT be enabled, select to install:
Application Launcher
Select the installation directory. Click Next to continue.
Click Next on the video transcoder paths.
On the bastion host, set the service identity to run as a specific user, Network Service, or Local System.
Local System has the benefit of already having the required access and no password management
requirements. If the transcoder is running on a separate system and Local System is used, then the
computer account of the bastion host must be granted Modify access to the Source directory on the
transcoder host.
Network Service has fewer rights than Local System and likewise has the benefit of already having the
required access and no password management requirements. If the transcoder is running on a
separate system and Network Service is used, then the computer account of the bastion host must
be granted Modify access to the Source directory on the transcoder host. "NT Authority\Network
Service" must also be granted Modify access to the Session Recording directory.
Running as a specific user offers the path of least privilege, but requires configuring NTFS
permissions on the Source directory from the previous step for reading, writing, and deleting files
(Modify), and also requires that a password be managed (which ERPM can do automatically).
Running as a specific user is recommended for the File Watcher service on the bastion host when the
transcoder is on a separate system.
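The Modify grant that the service identity choices above require can be applied and verified with Set-Acl rather than through the folder's Security tab. The following is an added example and not part of the ERPM installer or this guide; it assumes the ActiveDirectory-style account names shown (placeholders for your environment) and uses the installer default directory paths quoted in the previous sub-section.

```powershell
# Added example (not from the ERPM guide or installer).
# Run on the host that owns the directory: the transcoder host for Source, the bastion
# host for SessionRecording. Grants exactly Modify (read, write, delete), not Full Control.

function Grant-ModifyOnDirectory {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Account   # 'DOMAIN\user', 'DOMAIN\host$' or a built-in identity
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Directory not found: $Path (has the application launcher installer run here?)"
    }
    $acl  = Get-Acl -LiteralPath $Path
    # Modify, inherited by sub-folders and files, allow.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Account, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Read back the ACE so an accidental FullControl grant is visible immediately.
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Account } |
        Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
}

# --- On the transcoder host: the bastion's File Watcher identity needs Modify on Source.
$sourceDir = "${env:ProgramFiles(x86)}\Lieberman\Roulette\LaunchApp\Transcoders\Source"

# Choose ONE identity matching the service identity selected in the installer on the bastion:
$bastionIdentity = 'CONTOSO\BASTION01$'        # placeholder: bastion computer account (Local System / Network Service)
# $bastionIdentity = 'CONTOSO\svc-erpm-watcher' # placeholder: dedicated service user (recommended for separate hosts)

Grant-ModifyOnDirectory -Path $sourceDir -Account $bastionIdentity

# --- On the bastion host, only when the service runs as Network Service: the guide also
#     requires Modify for "NT Authority\Network Service" on the Session Recording directory.
# $recDir = "$env:SystemDrive\inetpub\wwwroot\SessionRecording"   # guide's %inetpub%\wwwroot\SessionRecording
# Grant-ModifyOnDirectory -Path $recDir -Account 'NT AUTHORITY\NETWORK SERVICE'
```

The grant is scoped to the one directory the File Watcher writes to; nothing is changed on parent folders, so the account gains no access beyond what the guide describes.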
Click Next to continue.
Click Install to continue.
Click Finish to complete the first part of the installation.
After the initial installation is complete, a separate installation for the Microsoft Expressions recorder
will be initiated automatically.
Accept the license agreement for the Microsoft Expressions recorder.
Click Next on the Enter product key page. There is no product key to enter.
Elect whether or not to join the Microsoft customer experience program. Click Next to continue.
Select to install Expression Encoder 4 and click Install.
Click Finish to complete the installation.
This installation will take additional actions that are not visible in the installer:
A [Domain] Local security group called WriteRecordingGroup will be created. If the installation is
taking place on a domain controller, the group is created in the Users container. This group may be
safely deleted from the bastion host if it is also functioning as the transcoder host.
The Domain Admins group will be added to this WriteRecordingGroup.
The installer will create and share the following directory: %inetpub%\wwwroot\SessionRecording
as SessionRecording. This directory is used to copy compiled session recordings from the bastion to
the transcoder host. This scenario applies if using the FFMPeg video recorder rather than the
Expressions recorder. This share directory will be required when configuring the bastion host for app
launching with session recording. If the transcoder and bastion host are the same system, this share
can be safely deleted.
The installer will create and share the following directory: %programfiles
(x86)%\Lieberman\Roulette\LaunchApp\Transcoders\Source as Source. This directory will be used
by the bastion hosts to copy raw session recording files to the transcoder host(s). This scenario
applies if using the Expressions 4 recording software. This share directory will be required when
configuring the bastion host for app launching with session recording. If the transcoder and bastion
host are the same system, this share can be safely deleted.
The share permissions on each shared directory will be set to allow the WriteRecordingGroup "Full
Control". The minimum permissions required are "Change".
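The installer notes for both the transcoder host (sub-section 1) and the bastion host (just above) describe the same hidden side effects: the WriteRecordingGroup, Domain Admins added to it, and the SessionRecording and Source shares granted "Full Control" where "Change" is the stated minimum. The script below is an added example for auditing and tightening that state after installation; it is not part of the guide or the installer. It assumes the SmbShare module (Server 2012 or later) and uses only the share names, group name and "Change" minimum that the guide itself states.

```powershell
# Added example (not from the ERPM guide or installer): post-install audit of the two
# shares created by ERPMRemoteLauncherInstaller.exe. Reduces WriteRecordingGroup from
# Full to Change (the guide's stated minimum) and removes the shares entirely on a
# single-host deployment, where the guide says they may be safely deleted.

$shares   = @('SessionRecording', 'Source')   # share names from the guide
$group    = 'WriteRecordingGroup'             # [Domain] Local group the installer creates
$sameHost = $false                            # set $true when transcoder and bastion are one system

function Get-ShareGroupAccess([string]$ShareName, [string]$GroupName) {
    # Share-level ACEs for the group, whatever domain/host prefix the installer used.
    Get-SmbShareAccess -Name $ShareName | Where-Object { $_.AccountName -like "*\$GroupName" }
}

foreach ($name in $shares) {
    $share = Get-SmbShare -Name $name -ErrorAction SilentlyContinue
    if (-not $share) {
        Write-Warning "Share '$name' not found; the launcher installer may not have run on this host."
        continue
    }
    Write-Host "Share $name -> $($share.Path)"
    Get-SmbShareAccess -Name $name | Format-Table AccountName, AccessControlType, AccessRight -AutoSize

    if ($sameHost) {
        # Removing the share leaves the folder and its NTFS ACL untouched; the File Watcher
        # on a single host writes to the local path, not through the share.
        Remove-SmbShare -Name $name -Force
        Write-Host "Removed share $name (transcoder and bastion are the same system)."
        continue
    }

    # Tighten share-level rights: creating, overwriting and deleting recording files is
    # "Change" in share terms, which is all the File Watcher needs.
    foreach ($ace in (Get-ShareGroupAccess -ShareName $name -GroupName $group)) {
        if ($ace.AccessRight -eq 'Full') {
            Revoke-SmbShareAccess -Name $name -AccountName $ace.AccountName -Force | Out-Null
            Grant-SmbShareAccess  -Name $name -AccountName $ace.AccountName -AccessRight Change -Force | Out-Null
            Write-Host "Reduced $($ace.AccountName) on $name from Full to Change."
        }
    }
}

# The installer also adds Domain Admins to the group. Review the membership and keep only
# the identities that actually run a File Watcher service (computer or service accounts).
# On a domain controller the group lives in the Users container; use Get-ADGroupMember there.
net localgroup $group
```

Run it once on each host after the installer finishes, and again after any re-install, since the installer recreates the shares with "Full Control".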
4. SETTING UP RDS FOR APPLICATION LAUNCHING
This section details configuring RemoteApp on the Remote Desktop Session Host to launch the Lieberman
Software Application Launcher. The application launcher is a bootstrapper used to launch configured
applications and provide them with authentication information.
When a user clicks a Launch App link in the ERPM web interface, this application is called; it obtains
the necessary credential information for the application and launches the application from the bastion
host. In turn, VDI will display the remote application on the user's workstation as if it were a local
application.
CONFIGURING REMOTE APP FOR SERVER 2012 (R2)
Open Server Manager and click the Remote Desktop Services link in the left pane. Then click Collections
and select the collection in which to configure the Lieberman Software Application Launcher.
In the REMOTEAPP PROGRAMS area, click Tasks and select Publish RemoteApp Programs. Then click
Add on the Publish RemoteApp Programs dialog.
Select LiebsoftLauncher.exe from the application launcher installation location on the bastion host
(configured in step 3 previously). The default directory for this file is: C:\Program Files
(x86)\Lieberman\Roulette\LaunchApp. Then click Next.
On the Confirmation page, click Publish.
Once the LiebsoftLauncher application is published, right-click on it in the RemoteApp Programs list and
select Edit Properties.
On the General tab, set the Show the RemoteApp program in RD Web Access option to No. Everything
will work if this is not done, but there is no need to publicize this application.
On the Parameters tab, set the Command-line Parameters option to Allow any command-line
parameters. The command line passed to LiebsoftLauncher differs on every run, depending on factors
including session IDs, the programs being run, and the parameters included when launching those programs.
On the User Assignment tab, it is highly recommended to change the User Assignment option to a
specific user or group of users. Specifically, ERPM will connect to the server as a pre-designated account
(which should be managed by ERPM). This is the only account that will require access to run the
program. This account will be covered later in the Configuring Application Launching section. The
account assigned here must have whatever permissions and rights are required to launch the desired programs.
Click OK when done.
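The same three RemoteApp settings (not shown in RD Web Access, any command line allowed, user assignment restricted to the ERPM logon account) can be published and re-checked from PowerShell with the RemoteDesktop module on Server 2012 and 2012 R2. This is an added example, not the guide's own procedure; the broker, collection and account names are placeholders, while the executable path is the installer default from this section and the alias is left at the default, which the Server 2008 R2 instructions below caution against changing.

```powershell
# Added example (not from the ERPM guide): publish LiebsoftLauncher.exe as a RemoteApp
# with the settings the guide specifies, then re-read them so drift can be detected.
Import-Module RemoteDesktop

$broker     = 'rdcb01.contoso.local'         # placeholder: RD Connection Broker FQDN
$collection = 'ERPM-Launch'                  # placeholder: session collection name
$alias      = 'LiebsoftLauncher'             # default alias; the guide says not to change it
$launcher   = 'C:\Program Files (x86)\Lieberman\Roulette\LaunchApp\LiebsoftLauncher.exe'
$allowed    = @('CONTOSO\svc-erpm-launch')   # placeholder: the account ERPM logs on to the bastion with

$desired = @{
    CollectionName     = $collection
    ConnectionBroker   = $broker
    Alias              = $alias
    DisplayName        = $alias
    FilePath           = $launcher
    ShowInWebAccess    = $false      # General tab: no need to publicize the launcher
    CommandLineSetting = 'Allow'     # Parameters tab: the command line differs on every launch
    UserGroups         = $allowed    # User Assignment tab: only the ERPM logon account
}

$existing = Get-RDRemoteApp -CollectionName $collection -ConnectionBroker $broker `
                            -Alias $alias -ErrorAction SilentlyContinue
if ($existing) { Set-RDRemoteApp @desired } else { New-RDRemoteApp @desired | Out-Null }

# Verification: anything listed here is a deviation from the guide's settings.
$app = Get-RDRemoteApp -CollectionName $collection -ConnectionBroker $broker -Alias $alias
$findings = @()
if ($app.ShowInWebAccess)                 { $findings += 'launcher is advertised in RD Web Access' }
if ($app.CommandLineSetting -ne 'Allow')  { $findings += "CommandLineSetting is $($app.CommandLineSetting)" }
if (-not $app.UserGroups)                 { $findings += 'user assignment is unrestricted (all collection users)' }
if ($app.FilePath -ne $launcher)          { $findings += "FilePath is $($app.FilePath)" }

if ($findings) { Write-Warning ($findings -join '; ') }
else           { Write-Host "RemoteApp '$alias' matches the documented settings." }
```

The verification half is worth keeping as a scheduled check on the bastion host: an empty UserGroups means every user of the collection can start the launcher, which is exactly what the User Assignment step is meant to prevent.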
CONFIGURING REMOTE APP FOR SERVER 2008 R2
Open Server Manager and expand the Remote Desktop Services | RemoteApp Manager nodes in the
left pane.
In the RemoteApp Programs area, right-click and select Add RemoteApp Programs. Click Next on the
Welcome page then click Browse on the Choose programs to add to the RemoteApp Programs list page.
Select LiebsoftLauncher.exe from the application launcher installation location on the bastion host
(configured in step 3 previously). The default directory for this file is: C:\Program Files
(x86)\Lieberman\Roulette\LaunchApp. Then click Next.
On the Review Settings page, click Finish.
Once the LiebsoftLauncher application is added, right-click on it in the RemoteApp Programs list and
select Properties.
CAUTION! DO NOT CHANGE THE ALIAS value.
De-select the check box for RemoteApp program in RD Web Access. Everything will work if this is not
done, but there is no need to publicize this application.
Set the Command-line arguments option to Allow any command-line parameters. The command line passed
to LiebsoftLauncher differs on every run, depending on factors including session IDs, the programs being
run, and the parameters included when launching those programs.
On the User Assignment tab, it is highly recommended to change the User Assignment option to a
specific user or group of users. Specifically, ERPM will connect to the server as a pre-designated account
(which should be managed by ERPM). This is the only account that will require access to run the
program. This account will be covered later in the Configuring Application Launching section. The
account assigned here must have whatever permissions and rights are required to launch the desired programs.
Click OK when done.
5. SETTING UP STREAMING MEDIA SERVICES
Streaming Media Services is used to provide smooth streaming of the recorded sessions from the
transcoder host (typically the ERPM web server) to the client's browser and video player.
Installation of this component is only required if session recording will be used. If not using the
Lieberman Software free session recording module, installation of this component is not required.
To begin installing the streaming media software on the machine that will function as the video
transcoder, open the SupplementalInstallers sub-folder from the ERPM installation directory, typically
"%programfiles (x86)\Lieberman\Roulette". Copy IISMEdia64.msi to the machine that will function as
the transcoder and launch the installer.
The installation of IIS Media Services requires that a basic stock installation of IIS be available on the
same host server.
Click Next on the welcome page.
Read and accept the terms of the license agreement, then click Next.
Leave the default options selected then click Next.
Click Install.
Click Finish.
6. CONFIGURING IIS TO HOST RECORDED SESSIONS
This step is only required if session recording has been enabled. If session recording is not enabled, then
do not perform this step. This will likely be configured on the same system where Streaming Media
Services was installed.
When an application is launched via a bastion host / jump server and that application is configured to
also record the session, the recorded sessions will first be placed into a pre-configured directory on the
machine which will ultimately host the videos for later playback. When using the Microsoft Expressions
session recorder, the files will first be copied locally to the file system. The Lieberman Software File
Watcher Service will then move the raw files to a share called "Source" on a machine that is configured
as the video transcoder (typically the ERPM web server, but could be any machine). Once the raw XESC
files are copied to the transcoder, the Lieberman Software File Watcher service on that machine will
transcode the videos to WMV format and move the compiled files into the "SessionRecording" share on
the same system. It is this directory that will be hosted in IIS and made available via the ERPM website.
Not much work is required to configure IIS on the machine that will host the compiled videos, as the
application launcher installer will have configured most of the required elements:
The default website will have a new virtual directory added to it called SessionRecording. This directory
will point to %inetpub%\wwwroot\SessionRecording.
The only change that may need to be made is to set the authentication scheme to anonymous. To do
this, open IIS, expand the default website, and open the Authentication area. Right-click on the
authentication types, enable Anonymous Authentication, and disable all others.
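The authentication change can also be made and verified with the IIS WebAdministration module, which keeps it scoped to the SessionRecording virtual directory rather than the whole default website. This is an added example and not part of the guide; it assumes IIS 7.5 or later with the WebAdministration module, the site name "Default Web Site", and the virtual directory name and path the guide gives.

```powershell
# Added example (not from the ERPM guide): set anonymous-only authentication on the
# SessionRecording virtual directory the application launcher installer creates, and
# read the result back. Writes go to applicationHost.config via a <location> entry for
# this path only, so the rest of the default website keeps its own settings.
Import-Module WebAdministration

$site     = 'Default Web Site'            # assumption: the installer targets the default website
$vdir     = 'SessionRecording'            # virtual directory name from the guide
$location = "$site/$vdir"
$apphost  = 'MACHINE/WEBROOT/APPHOST'
$authBase = 'system.webServer/security/authentication'

# Confirm the installer created the virtual directory before touching authentication.
$v = Get-WebVirtualDirectory -Site $site -Name $vdir
if (-not $v) {
    throw "Virtual directory '$vdir' not found under '$site'; run the application launcher installer first."
}
Write-Host "$location -> $($v.physicalPath)"

# Enable anonymous and disable the other common schemes for this location only.
$schemes = @('anonymousAuthentication', 'basicAuthentication', 'windowsAuthentication')
foreach ($s in $schemes) {
    $enable = ($s -eq 'anonymousAuthentication')
    try {
        Set-WebConfigurationProperty -PSPath $apphost -Location $location `
            -Filter "$authBase/$s" -Name enabled -Value $enable
    } catch {
        # A scheme whose IIS module is not installed has no configurable section; report it.
        Write-Warning "Could not set $s on $location : $($_.Exception.Message)"
    }
}

# Read back: the only 'True' should be anonymousAuthentication.
foreach ($s in $schemes) {
    $val = Get-WebConfigurationProperty -PSPath $apphost -Location $location `
               -Filter "$authBase/$s" -Name enabled
    '{0,-24} {1}' -f $s, $val.Value
}
```

Because the recordings become reachable without credentials once this is set, the read-back loop doubles as a check that anonymous access was enabled only on the SessionRecording path and not inherited from the site root.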
CONFIGURING APPLICATION LAUNCHING
Once the pre-requisites are installed for application launching, there are four mandatory additional steps
and two optional steps to setting up ERPM to use the application launcher and the session recorder:
1) Configure an account for login to the bastion host.
2) Configure ERPM web settings with information about the web launcher service.
3) Configure a bastion host object in ERPM.
4) Optionally configure a session recording host object in ERPM.
5) Configure applications for launching and grant permissions to those applications as necessary.
6) Optionally configure the ERPM website to playback recorded sessions.
The following sub-sections will outline these steps.
IN THIS CHAPTER
Configuring a Bastion Host Login Account .............................................. 87
Configure ERPM Web Settings .............................................................. 112
Configure a Bastion Host Object ........................................................... 114
Configure a Session Recording Host Object .......................................... 117
Configure ERPM Website for Session Playback ..................................... 121
Configure Applications for Launching ................................................... 125
Application Sets ..................................................................................... 144
Shadow Accounts .................................................................................. 149
CONFIGURING A BASTION HOST LOGIN ACCOUNT
ERPM will use a standard login account to login to the target bastion host and launch the
LiebsoftLauncher application which will in turn launch the target application. The LiebsoftLauncher in
turn connects to a web service (WebLauncherBackendService.svc) to obtain the necessary program
settings and credentials from ERPM.
The logon account should have its password managed regularly by ERPM, for example daily or weekly.
Setting the rotation schedule to hourly could invalidate the logon account's session. The account can be
a local account, but a domain account is recommended where possible. This account will need any rights
necessary to launch the final target application; it does not necessarily need local or domain admin
privileges. It will need the ability to remotely log on to the target bastion host.
Configuring Application Launching 88
That means if the account is not an administrator, it must be added to the Remote Desktop Users group
on the bastion host.
If ERPM is to manage the password for the account (as is recommended), simply follow the basic
procedure for a password change in ERPM (as per the administrative guide). There are no password
propagation requirements, so password propagation can be safely turned off for the password change
job. It is recommended to keep the password length to 80 characters or less, as some versions of
Windows will not allow long passwords to be used via RDP.
Upon login, this user account will first launch the LiebsoftLauncher. Be sure that in the RemoteApp
settings, at a minimum, this account or a group it belongs to was granted permission to launch the
LiebsoftLauncher application. RemoteApp is generally found in Server Manager under the Roles |
Remote Desktop Services heading.
This account can be heavily locked down, as it generally does not need access to anything other than
the application being launched.
Caution! When launching an application, this account will be able to do anything that the target
application lets it do.
If this account comes from Active Directory, it is recommended to place this account into an
organizational unit (OU) by itself or with other similarly locked down accounts. On this OU, create a
policy and modify the User Settings portion of the policy to lock down this logon account. There is no
need to place the bastion hosts in this OU as the policies that lockdown the user experience are user
based, not system based.
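The OU and user-policy arrangement described above can be created with the ActiveDirectory and GroupPolicy modules. The script below is an added example and not part of the guide: it creates the OU, moves the logon account into it, links a GPO with computer settings disabled, and sets a handful of the Administrative Template entries from the list that follows through their well-known registry equivalents. OU, GPO and account names are placeholders. The Software Restriction Policy entries and the remaining Administrative Template settings are still set in the Group Policy editor, as the guide describes.

```powershell
# Added example (not from the ERPM guide): dedicated OU plus user-configuration GPO for
# the bastion logon account. Run on a domain-joined admin workstation or DC with RSAT.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$ouName   = 'ERPM Launch Accounts'          # placeholder OU name
$ouDN     = "OU=$ouName,$domainDN"
$account  = 'svc-erpm-launch'               # placeholder: the bastion logon account (sAMAccountName)
$gpoName  = 'ERPM Bastion Logon Lockdown'   # placeholder GPO name

# 1) An OU holding only the locked-down account(s). The bastion hosts stay where they are:
#    everything linked here is user configuration, so host placement does not matter.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN -SearchScope OneLevel
if (-not $ou) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}
$user = Get-ADUser -Identity $account
if ($user.DistinguishedName -notlike "*,$ouDN") {
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $ouDN
}

# 2) The GPO, with computer settings disabled because only the user half is used.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'User lockdown for ERPM application launcher logon account' }
$gpo.GpoStatus = 'ComputerSettingsDisabled'

$linked = (Get-GPInheritance -Target $ouDN).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) { New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes | Out-Null }

# 3) Registry-based equivalents of a few entries from the recommended list. Each line names
#    the Administrative Template setting it corresponds to.
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system   = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$credui   = 'HKCU\Software\Policies\Microsoft\Windows\CredUI'
$settings = @(
    @{ Key = $explorer; Name = 'NoControlPanel';        Value = 1 }  # Prohibit access to Control Panel and PC settings
    @{ Key = $explorer; Name = 'NoRun';                 Value = 1 }  # Remove Run menu from Start Menu
    @{ Key = $explorer; Name = 'NoClose';               Value = 1 }  # Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands
    @{ Key = $system;   Name = 'DisableTaskMgr';        Value = 1 }  # Remove Task Manager
    @{ Key = $system;   Name = 'DisableChangePassword'; Value = 1 }  # Remove Change Password
    @{ Key = $credui;   Name = 'DisablePasswordReveal'; Value = 1 }  # Do not display the password reveal button
)
foreach ($s in $settings) {
    Set-GPRegistryValue -Name $gpoName -Key $s.Key -ValueName $s.Name -Type DWord -Value $s.Value | Out-Null
}

# Show what the GPO now carries so it can be compared against the list in this guide.
Get-GPRegistryValue -Name $gpoName -Key $explorer | Format-Table ValueName, Value -AutoSize
Get-GPRegistryValue -Name $gpoName -Key $system   | Format-Table ValueName, Value -AutoSize
```

As the guide says, test the linked policy against every target application before relying on it; a setting that blocks a dialog the application needs will surface as a launch that silently does nothing.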
Following are some of the settings recommended to lock down the session. All policies should be tested
to ensure they do not interfere with the required operation of a target application:
User Configuration | Policies | Windows Settings | Security Settings | Software Restriction Policies
Policy Setting
Enforcement
Apply Software Restriction Policies to the following All software files except libraries (such as DLLs)
Apply Software Restriction Policies to the following users All users
When applying Software Restriction Policies Ignore certificate rules
Trusted Publishers
Trusted publisher management Allow all administrators and users to manage user's own Trusted Publishers
Certificate verification None
Software Restriction Policies/Security Levels
Default Security Level Disallowed
Software Restriction Policies/Additional Rules >> Path Rules
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% Security Level = Unrestricted
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% Security Level = Unrestricted
C:\Program Files (x86)\Lieberman\Roulette\RemoteAppLauncher\LiebsoftLauncher.exe Security Level = Unrestricted
User Configuration | Policies | Administrative Templates
Control Panel
Prohibit access to Control Panel and PC settings Enabled
Control Panel/Display
Disable the Display Control Panel Enabled
Control Panel/Printers
Browse a common web site to find printers Disabled
Browse the network to find printers Disabled
Prevent addition of printers Enabled
Prevent deletion of printers Enabled
Control Panel/Programs
Hide "Get Programs" page Enabled
Hide "Installed Updates" page Enabled
Hide "Programs and Features" page Enabled
Hide "Set Program Access and Computer Defaults" page Enabled
Hide "Windows Features" Enabled
Hide the Programs Control Panel Enabled
Control Panel/Regional and Language Options
Hide Regional and Language Options administrative options Enabled
Hide the geographic location option Enabled
Hide the select language group options Enabled
Hide user locale selection and customization options Enabled
Desktop
Don't save settings at exit Enabled
Hide and disable all items on the desktop Enabled
Hide Internet Explorer icon on desktop Enabled
Hide Network Locations icon on desktop Enabled
Prevent adding, dragging, dropping and closing the Taskbar's toolbars Enabled
Prohibit adjusting desktop toolbars Enabled
Prohibit User from manually redirecting Profile Folders Enabled
Remove Computer icon on the desktop Enabled
Remove Properties from the Computer icon context menu Enabled
Remove Properties from the Recycle Bin context menu Enabled
Remove Recycle Bin icon from desktop Enabled
Turn off Aero Shake window minimizing mouse gesture Enabled
Network/Network Connections
Ability to change properties of an all user remote access connection Disabled
Prohibit access to properties of a LAN connection Enabled
Prohibit access to the Remote Access Preferences item on the Advanced menu Enabled
Prohibit changing properties of a private remote access connection Enabled
Prohibit connecting and disconnecting a remote access connection Enabled
Prohibit renaming private remote access connections Enabled
Network/Offline Files
Remove "Make Available Offline" command Enabled
Remove "Work offline" command Enabled
Network/Windows Connect Now
Prohibit access of the Windows Connect Now wizards Enabled
Start Menu and Taskbar
Add Search Internet link to Start Menu Disabled
Add the Run command to the Start Menu Disabled
Clear history of recently opened documents on exit Enabled
Clear history of tile notifications on exit Enabled
Clear the recent programs list for new users Enabled
Do not allow pinning items in Jump Lists Enabled
Do not allow pinning programs to the Taskbar Enabled
Do not display any custom toolbars in the taskbar Enabled
Do not display or track items in Jump Lists from remote locations Enabled
Do not keep history of recently opened documents Enabled
Do not search communications Enabled
Do not search for files Enabled
Do not search Internet Enabled
Do not search programs and Control Panel items Enabled
Do not use the search-based method when resolving shell shortcuts Enabled
Do not use the tracking-based method when resolving shell shortcuts Enabled
Hide the notification area Enabled
Lock all taskbar settings Enabled
Lock the Taskbar Enabled
Prevent changes to Taskbar and Start Menu Settings Enabled
Prevent users from adding or removing toolbars Enabled
Prevent users from moving taskbar to another screen dock location Enabled
Prevent users from rearranging toolbars Enabled
Prevent users from uninstalling applications from Start Enabled
Remove access to the context menus for the taskbar Enabled
Remove All Programs list from the Start menu Enabled
Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands Enabled
Remove Clock from the system notification area Enabled
Remove common program groups from Start Menu Enabled
Remove Default Programs link from the Start menu. Enabled
Remove Documents icon from Start Menu Enabled
Remove Downloads link from Start Menu Enabled
Remove drag-and-drop and context menus on the Start Menu Enabled
Remove Favorites menu from Start Menu Enabled
Remove frequent programs list from the Start Menu Enabled
Remove Games link from Start Menu Enabled
Remove Help menu from Start Menu Enabled
Remove Homegroup link from Start Menu Enabled
Remove links and access to Windows Update Enabled
Remove Logoff on the Start Menu Disabled
Remove Music icon from Start Menu Enabled
Remove Network Connections from Start Menu Enabled
Remove Network icon from Start Menu Enabled
Remove Pictures icon from Start Menu Enabled
Remove pinned programs from the Taskbar Enabled
Remove pinned programs list from the Start Menu Enabled
Remove programs on Settings menu Enabled
Remove Recent Items menu from Start Menu Enabled
Remove Recorded TV link from Start Menu Enabled
Remove Run menu from Start Menu Enabled
Remove See More Results / Search Everywhere link Enabled
Remove the Action Center icon Enabled
Remove the battery meter Enabled
Remove the networking icon Enabled
Remove the volume control icon Enabled
Remove user folder link from Start Menu Enabled
Remove user's folders from the Start Menu Enabled
Remove Videos link from Start Menu Enabled
Show "Run as different user" command on Start Disabled
Turn off all balloon notifications Enabled
Turn off automatic promotion of notification icons to the taskbar Enabled
Turn off feature advertisement balloon notifications Enabled
Turn off notification area cleanup Enabled
Turn off user tracking Enabled
Start Menu and Taskbar/Notifications
Turn off notifications network usage Enabled
System/Ctrl+Alt+Del Options
Remove Change Password Enabled
Remove Task Manager Enabled
System/Internet Communication Management/Internet Communication settings
Turn off access to the Store Enabled
Turn off downloading of print drivers over HTTP Enabled
Turn off handwriting recognition error reporting Enabled
Turn off Help Experience Improvement Program Enabled
Turn off Help Ratings Enabled
Turn off Internet download for Web publishing and online ordering wizards Enabled
Turn off Internet File Association service Enabled
Turn off printing over HTTP Enabled
Turn off the "Order Prints" picture task Enabled
Turn off the "Publish to Web" task for files and folders Enabled
Turn off the Windows Messenger Customer Experience Improvement Program Enabled
Turn off Windows Online Enabled
System/Removable Storage Access
All Removable Storage classes: Deny all access Enabled
CD and DVD: Deny read access Enabled
CD and DVD: Deny write access Enabled
Floppy Drives: Deny read access Enabled
Floppy Drives: Deny write access Enabled
Removable Disks: Deny read access Enabled
Removable Disks: Deny write access Enabled
Tape Drives: Deny read access Enabled
Tape Drives: Deny write access Enabled
WPD Devices: Deny read access Enabled
WPD Devices: Deny write access Enabled
System/Windows HotStart
Turn off Windows HotStart Enabled
Windows Components/Add features to Windows 8
Prevent the wizard from running. Enabled
Windows Components/App runtime
Block launching desktop apps associated with a file. Enabled
Block launching desktop apps associated with a protocol Enabled
Windows Components/Application Compatibility
Turn off Program Compatibility Assistant Enabled
Windows Components/Attachment Manager
Hide mechanisms to remove zone information Enabled
Windows Components/AutoPlay Policies
Disallow Autoplay for non-volume devices Enabled
Prevent AutoPlay from remembering user choices. Enabled
Set the default behavior for AutoRun Enabled
  Default AutoRun Behavior Do not execute any autorun commands
Turn off Autoplay Enabled
  Turn off Autoplay on All drives
Windows Components/Credential User Interface
Do not display the password reveal button Enabled
Windows Components/Desktop Gadgets
Restrict unpacking and installation of gadgets that are not digitally signed. Enabled
Turn off desktop gadgets Enabled
Turn Off user-installed desktop gadgets Enabled
Windows Components/Digital Locker
Do not allow Digital Locker to run Enabled
Windows Components/Edge UI
Turn off switching between recent apps Enabled
Turn off tracking of app usage Enabled
Windows Components/File Explorer
Display confirmation dialog when deleting files Enabled
Display the menu bar in File Explorer Enabled
Do not allow Folder Options to be opened from the Options button on the View tab of the ribbon Enabled
Do not display the Welcome Center at user logon Enabled
Do not request alternate credentials Enabled
Hide these specified drives in My Computer Enabled
  Restrict all drives
Hides the Manage item on the File Explorer context menu Enabled
No Entire Network in Network Locations Enabled
Prevent access to drives from My Computer Enabled
  Restrict all drives
Prevent users from adding files to the root of their Users Files folder. Enabled
Remove "Map Network Drive" and "Disconnect Network Drive" Enabled
Remove CD Burning features Enabled
Remove File Explorer's default context menu Enabled
Remove File menu from File Explorer Enabled
Remove Hardware tab Enabled
Remove Security tab Enabled
Remove the Search the Internet "Search again" link Enabled
Turn off display of recent search entries in the File Explorer search box Enabled
Turn off Windows+X hotkeys Enabled
Windows Components/File Explorer/Common Open File Dialog
Hide the common dialog back button Enabled
Hide the common dialog places bar Enabled
Hide the dropdown list of recent files Enabled
Windows Components/File Explorer/Explorer Frame Pane
Turn off Preview Pane Enabled
Turn on or off details pane Enabled
  Configure details pane Always hide
Windows Components/File Explorer/Previous Versions
Prevent restoring previous versions from backups Enabled
Windows Components/IME
Turn off history-based predictive input Enabled
Turn off Internet search integration Enabled
Windows Components/Internet Explorer
Automatically activate newly installed add-ons Disabled
Configure Media Explorer Bar Enabled
  Disable the Media Explorer Bar and auto-play feature Enabled
  Auto-Play Media files in the Media bar when Enabled Disabled
Disable AutoComplete for forms Enabled
Disable changing accessibility settings Enabled
Disable changing Advanced page settings Enabled
Disable changing Automatic Configuration settings Enabled
Disable changing Calendar and Contact settings Enabled
Disable changing certificate settings Enabled
Disable changing connection settings Enabled
Disable changing home page settings Enabled
  Home Page Define a home page if necessary
Disable changing language settings Enabled
Disable changing Messaging settings Enabled
Disable changing ratings settings Enabled
Disable changing Temporary Internet files settings Enabled
Disable Import/Export Settings wizard Enabled
Disable Internet Connection wizard Enabled
Do not allow users to enable or disable add-ons Enabled
Identity Manager: Prevent user from using Identities Enabled
Notify users if Internet Explorer is not the default web browser Disabled
Pop-up allow list Enabled
  Enter the list of sites here. Define allowed sites list if applicable, such as *.microsoft.com
Prevent "Fix settings" functionality Enabled
Prevent access to Internet Explorer Help Enabled
Prevent bypassing SmartScreen Filter warnings Enabled
Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet Enabled
Prevent changing pop-up filter level Enabled
Prevent changing proxy settings Enabled
Prevent changing the default search provider Enabled
Prevent configuration of how windows open Enabled
  Select where to open links Open in existing Internet Explorer window
Prevent Internet Explorer Search box from appearing Enabled
Prevent managing pop-up exception list Enabled
Prevent managing SmartScreen Filter Enabled
  Select SmartScreen Filter mode On
Prevent participation in the Customer Experience Improvement Program Enabled
Prevent per-user installation of ActiveX controls Enabled
Prevent running First Run wizard Enabled
  Select your choice Go directly to home page
Search: Disable Find Files via F3 within the browser Enabled
Search: Disable Search Customization Enabled
Specify default behavior for a new tab Enabled
  New tab behavior Home page
Turn off ability to pin sites in Internet Explorer on the desktop Enabled
Turn off add-on performance notifications Enabled
Turn off browser geolocation Enabled
Turn off configuration of pop-up windows in tabbed browsing Enabled
  Select tabbed browsing pop-up behavior Force pop-ups to open in a new tab
Turn off Crash Detection Enabled
Turn off Favorites bar Enabled
Turn off Managing SmartScreen Filter for Internet Explorer 8 Enabled
  Select SmartScreen Filter mode for Internet Explorer 8 On
Turn off pop-up management Enabled
Turn off Quick Tabs functionality Enabled
Turn off Reopen Last Browsing Session Enabled
Turn off suggestions for all user-installed providers Enabled
Turn off tabbed browsing Enabled
Turn off the auto-complete feature for web addresses Enabled
Turn off the quick pick menu Enabled
Turn on Suggested Sites Disabled
Turn on the auto-complete feature for user names and passwords on forms Disabled
Windows Components/Internet Explorer/Accelerators
Turn off Accelerators Enabled
Windows Components/Internet Explorer/Browser menus
Disable Open in New Window menu option Enabled
Disable Save this program to disk option Enabled
File menu: Disable closing the browser and Explorer windows Enabled
File menu: Disable New menu option Enabled
File menu: Disable Open menu option Enabled
File menu: Disable Save As Web Page Complete Enabled
File menu: Disable Save As... menu option Enabled
Help menu: Remove 'Send Feedback' menu option Enabled
Help menu: Remove 'Tour' menu option Enabled
Hide Favorites menu Enabled
Tools menu: Disable Internet Options... menu option Enabled
Turn off Print Menu Enabled
Turn off Shortcut Menu Enabled
View menu: Disable Full Screen menu option Enabled
View menu: Disable Source menu option Enabled
Windows Components/Internet Explorer/Delete Browsing History
Disable "Configuring History" Enabled
  Days to keep pages in History 1
Windows Components/Internet Explorer/Internet Control Panel
Disable the Advanced page Enabled
Disable the Connections page Enabled
Disable the Content page Enabled
Disable the General page Enabled
Disable the Privacy page Enabled
Disable the Programs page Enabled
Disable the Security page Enabled
Windows Components/Internet Explorer/Internet Control Panel/Advanced Page
Allow active content from CDs to run on user machines Disabled
Allow software to run or install even if the signature is invalid Disabled
Do not allow resetting Internet Explorer settings Enabled
Empty Temporary Internet Files folder when browser is closed Enabled
Windows Components/Internet Explorer/Internet Control Panel/General Page
Start Internet Explorer with tabs from last browsing session Disabled
Windows Components/Internet Explorer/Internet Control Panel/General Page/Browsing History
Allow websites to store application caches on client computers Disabled
Windows Components/Internet Explorer/Internet Settings/Advanced settings/Browsing
Turn off details in messages about Internet connection problems Enabled
Turn on script debugging Disabled
Windows Components/Internet Explorer/Internet Settings/Advanced settings/Multimedia
Allow Internet Explorer to play media files that use alternative codecs Disabled
Windows Components/Internet Explorer/Internet Settings/Advanced settings/Searching
Prevent configuration of search on Address bar Enabled
  When searching from the address bar Do not search from the address bar
Prevent configuration of top-result search on Address bar Enabled
  When searching from the Address bar Disable top result search
Windows Components/Internet Explorer/Internet Settings/Advanced settings/Signup Settings
Turn on automatic signup Disabled
Windows Components/Internet Explorer/Internet Settings/AutoComplete
Turn off URL Suggestions Enabled
Turn off Windows Search AutoComplete Enabled
Turn on inline AutoComplete Disabled
Windows Components/Internet Explorer/Security Features/Restrict File Download
All Processes Enabled
Internet Explorer Processes Enabled
Windows Components/Internet Explorer/Toolbars
Configure Toolbar Buttons Enabled
  Show Back button Enabled
  Show Forward button Enabled
  Show Stop button Enabled
  Show Refresh button Enabled
  Show Home button Enabled
  Show Search button Disabled
  Show Favorites button Disabled
  Show History button Disabled
  Show Folders button Disabled
  Show Fullscreen button Disabled
  Show Tools button Disabled
  Show Mail button Disabled
  Show Font size button Disabled
  Show Print button Disabled
  Show Edit button Disabled
  Show Discussions button Disabled
  Show Cut button Disabled
  Show Copy button Disabled
  Show Paste button Disabled
  Show Encoding button Disabled
Disable customizing browser toolbar buttons Enabled
Disable customizing browser toolbars Enabled
Display tabs on a separate row Enabled
Hide the Command bar Enabled
Hide the status bar Enabled
Lock all toolbars Enabled
Lock location of Stop and Refresh buttons Enabled
Turn off Developer Tools Enabled
Turn off toolbar upgrade tool Enabled
Windows Components/Location and Sensors
Turn off location Enabled
Windows Components/Microsoft Management Console
Restrict the user from entering author mode Enabled
Windows Components/Network Sharing
Prevent users from sharing files within their profile. Enabled
Windows Components/Presentation Settings
Turn off Windows presentation settings Enabled
Windows Components/Sound Recorder
Do not allow Sound Recorder to run Enabled
Windows Components/Tablet PC/Accessories
Do not allow printing to Journal Note Writer Enabled
Do not allow Snipping Tool to run Enabled
Do not allow Windows Journal to be run Enabled
Windows Components/Tablet PC/Hardware Buttons
Prevent Back-ESC mapping Enabled
Prevent launch an application Enabled
Prevent press and hold Enabled
Turn off hardware buttons Enabled
Windows Components/Windows Error Reporting
Disable Windows Error Reporting Enabled
Windows Components/Windows Installer
Prevent removable media source for any installation Enabled
Prohibit rollback Enabled
Windows Components/Windows Logon Options
Set action to take when logon hours expire Enabled
  Set action to take when logon hours expire Logoff
Windows Components/Windows Mail
Turn off the communities features Enabled
Turn off Windows Mail application Enabled
Windows Components/Windows Media Center
Do not allow Windows Media Center to run Enabled
Windows Components/Windows Media Player
Prevent CD and DVD Media Information Retrieval Enabled
Prevent Music File Media Information Retrieval Enabled
Windows Components/Windows Media Player/Networking
Hide Network Tab Enabled
Windows Components/Windows Media Player/Playback
Prevent Codec Download Enabled
Windows Components/Windows Messenger
Do not allow Windows Messenger to be run Enabled
Do not automatically start Windows Messenger initially Enabled
Windows Components/Windows Mobility Center
Turn off Windows Mobility Center Enabled
Windows Components/Windows Update
Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box Enabled
Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box Enabled
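The policy list above is long enough that drift on a bastion host is easy to miss. As an added check that is not part of this manual and not Lieberman's code, the following PowerShell script reads the effective registry values for a sample of the settings listed above. The policy-to-registry mapping is the standard Windows Group Policy mapping for those settings (not something this manual states), so confirm it against the ADMX files for your OS version before relying on it. Run it on the bastion host while logged in as the bastion host login account, because user-configuration policies are written under HKCU for that account.

```powershell
# Added example (not from the Lieberman manual): audit a sample of the lockdown
# policies listed above by reading their Group Policy registry values.
# The policy name -> registry value mapping is the standard Windows mapping and
# must be verified against your ADMX files; it is not taken from the manual.
# Run as the bastion host login account so HKCU reflects that user's policy.
# Computer-side equivalents of the CredUI and RemovableStorageDevices values live
# under HKLM with the same value names.

$checks = @(
    @{ Policy = 'System/Ctrl+Alt+Del Options: Remove Task Manager'
       Path   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name   = 'DisableTaskMgr'; Expected = 1 },
    @{ Policy = 'System/Ctrl+Alt+Del Options: Remove Change Password'
       Path   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name   = 'DisableChangePassword'; Expected = 1 },
    @{ Policy = 'Start Menu and Taskbar: Remove Run menu from Start Menu'
       Path   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name   = 'NoRun'; Expected = 1 },
    @{ Policy = 'File Explorer: Prevent access to drives from My Computer (Restrict all drives)'
       Path   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name   = 'NoViewOnDrive'; Expected = 0x3FFFFFF },
    @{ Policy = 'File Explorer: Hide these specified drives in My Computer (Restrict all drives)'
       Path   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name   = 'NoDrives'; Expected = 0x3FFFFFF },
    @{ Policy = 'AutoPlay Policies: Turn off Autoplay (All drives)'
       Path   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name   = 'NoDriveTypeAutoRun'; Expected = 0xFF },
    @{ Policy = 'AutoPlay Policies: Set the default behavior for AutoRun (Do not execute any autorun commands)'
       Path   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name   = 'NoAutorun'; Expected = 1 },
    @{ Policy = 'Removable Storage Access: All Removable Storage classes: Deny all access'
       Path   = 'HKCU:\Software\Policies\Microsoft\Windows\RemovableStorageDevices'
       Name   = 'Deny_All'; Expected = 1 },
    @{ Policy = 'Credential User Interface: Do not display the password reveal button'
       Path   = 'HKCU:\Software\Policies\Microsoft\Windows\CredUI'
       Name   = 'DisablePasswordReveal'; Expected = 1 },
    @{ Policy = 'Internet Explorer/Toolbars: Turn off Developer Tools'
       Path   = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\IEDevTools'
       Name   = 'Disabled'; Expected = 1 }
)

$results = foreach ($c in $checks) {
    # Get-ItemProperty throws when the key or value is absent; treat that as "not configured".
    $actual = $null
    try {
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction Stop).($c.Name)
    } catch { }

    [pscustomobject]@{
        Policy   = $c.Policy
        Value    = $c.Name
        Expected = $c.Expected
        Actual   = if ($null -eq $actual) { 'not configured' } else { $actual }
        Status   = if ($actual -eq $c.Expected) { 'OK' } else { 'MISSING' }
    }
}

$results | Format-Table -AutoSize -Wrap

# Non-zero exit code when any setting deviates, so the audit can run from a
# scheduled task or a build pipeline and fail visibly.
$failed = @($results | Where-Object Status -ne 'OK').Count
exit $failed
```

Extend `$checks` with the remaining rows of the table as you confirm their registry mappings; the shape of each entry is the same.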
CONFIGURE ERPM WEB SETTINGS
To configure the web launcher settings for the ERPM website(s), in the admin console, go to Settings |
Manage Web Application | Application Launch.
The Global tab identifies the ERPM web service and other related settings that will be used when
launching applications.
The Web service URL is the URL of the application launcher web service. When the web service is installed (typically on the ERPM web server), it is placed at [site]/erpmwebservice and is named WebLauncherBackendService.svc. Enter this full URL in the Web service URL field, including the protocol and port if applicable.
IMPORTANT! There should be no certificate or access errors when accessing this URL in a browser. It should be tested as any user that will be accessing the web server. The best test is to log in to the bastion host as the bastion host login account configured in the previous section and attempt to access this URL. If that account is prompted for credentials or receives certificate errors, the application launcher will fail.
The typical URL is https://erpmwebservername.yourdomain.com/erpmwebservice/weblauncherbackendservice.svc.
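The manual's test (log in as the bastion host login account and open the URL in a browser) can be scripted so it is repeatable after certificate renewals or IIS changes. The following PowerShell script is an added example, not part of this manual and not Lieberman's code; the URL in `$WebServiceUrl` is the placeholder from the manual and should be replaced with your own. Run it on the bastion host in a session logged in as the bastion host login account, which is the context the launcher itself will use.

```powershell
# Added example (not from the Lieberman manual): pre-flight test of the
# application launcher web service URL, run as the bastion host login account.
# The default URL below is the manual's placeholder; substitute your own.
param(
    [string]$WebServiceUrl = 'https://erpmwebservername.yourdomain.com/erpmwebservice/weblauncherbackendservice.svc'
)

function Test-LauncherWebService {
    param([Parameter(Mandatory)][string]$Url)

    # The manual requires the protocol (and the port, if non-default) in the URL.
    if ($Url -notmatch '^https?://') {
        return [pscustomobject]@{ Url = $Url; Result = 'FAIL'; Detail = 'URL must include the protocol (http:// or https://)' }
    }

    try {
        # -UseDefaultCredentials lets Windows integrated authentication answer a
        # challenge silently, as the launcher does. A site that would show a browser
        # credential prompt to this account comes back as 401 here instead.
        # Certificate problems (name mismatch, untrusted CA, expiry) raise an
        # exception rather than being ignored, which is exactly what we want to see.
        $response = Invoke-WebRequest -Uri $Url -UseBasicParsing -UseDefaultCredentials -TimeoutSec 15
        return [pscustomobject]@{ Url = $Url; Result = 'OK'; Detail = "HTTP $($response.StatusCode)" }
    }
    catch [System.Net.WebException] {
        # Windows PowerShell surfaces Invoke-WebRequest failures as WebException.
        $ex = $_.Exception
        if ($ex.Status -eq [System.Net.WebExceptionStatus]::TrustFailure) {
            $detail = 'Certificate error: ' + $ex.Message
        }
        elseif ($ex.Response -and ([int]$ex.Response.StatusCode -in 401, 403)) {
            $detail = "Access error: HTTP $([int]$ex.Response.StatusCode) (this account would be prompted for credentials)"
        }
        else {
            $detail = 'Request failed: ' + $ex.Message
        }
        return [pscustomobject]@{ Url = $Url; Result = 'FAIL'; Detail = $detail }
    }
    catch {
        # Any other failure (for example PowerShell 7's HttpResponseException).
        return [pscustomobject]@{ Url = $Url; Result = 'FAIL'; Detail = 'Request failed: ' + $_.Exception.Message }
    }
}

Test-LauncherWebService -Url $WebServiceUrl | Format-List
```

A Result of OK with HTTP 200 corresponds to the browser test passing without prompts or certificate warnings; any FAIL line names the condition (certificate, access, or connectivity) that would make the application launcher fail.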
Enable launching applications using stored passwords in the web application is required to enable remote launching. If this option is not selected, the Launch Application option will be unavailable in the website.
Enable launching applications on a remote server allows the configured applications to launch via a bastion host rather than only locally on the client. When the option is enabled and an application is configured to use a bastion host, the application can instead launch from the bastion host and will use RemoteApp to display the program's UI on the user's desktop as if it were a native application.
[Script Launch] Path to script files on client systems is the path to which the script automation files will be copied (a manual copy). This path is used when local launch (rather than launch via a bastion host) is used to launch web based applications such as Twitter, Facebook, or other web based programs. If these sorts of applications will not be launched directly from a client's machine (rather than via a bastion host), it is not necessary to configure this path. The default location of these scripts is C:\Program Files (x86)\Lieberman\Roulette\LaunchApp\WebAutomation.
Sign generated RDP files with certificate identified by thumbprint - when RDP files are generated, they will be signed with the identified certificate. This helps avoid unknown/untrusted RDP connection warnings and errors. For this option to function, the following must be true:
The certificate needs to be on the client workstation to generate RDP files to connect to the bastion.
The certificate also needs to be on the bastion if RDP connections are configured to go through the
bastion.
The certificate must be accessible to the user that’s running the process creating and launching the
RDP file.
The security policy of the machine must be configured to require signed RDP files for this setting to have any effect (it is not required by default).
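The four conditions above can each be verified on a workstation before enabling the option. The following PowerShell script is an added example, not part of this manual and not Lieberman's code. The `$Thumbprint` parameter is a placeholder for the thumbprint entered in ERPM. The registry value it reads for the last condition (AllowUnsignedFiles under the Terminal Services policy key, written by the "Allow .rdp files from unknown publishers" policy) is the standard Windows mapping, not something the manual states; verify it against your ADMX files. Run it on each client workstation, and on the bastion host if RDP connections go through it, as the user that creates and launches the RDP files.

```powershell
# Added example (not from the Lieberman manual): verify the prerequisites listed
# above for "Sign generated RDP files with certificate identified by thumbprint".
# $Thumbprint is a placeholder; pass the thumbprint configured in ERPM.
# Run as the user that will create and launch the RDP files.
param(
    [Parameter(Mandatory)][string]$Thumbprint
)

function Test-RdpSigningCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint)

    # Normalize the value as it is often pasted from the certificate dialog (spaces, lowercase).
    $normalized = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    $findings = New-Object System.Collections.Generic.List[string]

    # Condition 1-3: the certificate must be in a store this user can read. Signing
    # also needs the private key; HasPrivateKey shows one is associated, and the
    # key's own ACL must additionally grant this user read access.
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My, Cert:\LocalMachine\My -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $normalized } | Select-Object -First 1

    if (-not $cert) {
        $findings.Add("Certificate $normalized not found in CurrentUser\My or LocalMachine\My for this user")
    }
    else {
        if (-not $cert.HasPrivateKey) {
            $findings.Add('Certificate found but no private key is associated; RDP files cannot be signed with it')
        }
        if ($cert.NotAfter -lt (Get-Date)) {
            $findings.Add("Certificate expired on $($cert.NotAfter)")
        }
    }

    # Condition 4: signing only has an effect if policy requires signed RDP files.
    # "Allow .rdp files from unknown publishers" = Disabled writes AllowUnsignedFiles = 0
    # under this key (standard Windows mapping; confirm against your ADMX files).
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $allowUnsigned = (Get-ItemProperty -Path $policyKey -Name AllowUnsignedFiles -ErrorAction SilentlyContinue).AllowUnsignedFiles
    if ($null -eq $allowUnsigned -or $allowUnsigned -ne 0) {
        $findings.Add('Unsigned RDP files are still allowed by policy; the signing option will have no visible effect on this machine')
    }

    [pscustomobject]@{
        Thumbprint    = $normalized
        Found         = [bool]$cert
        HasPrivateKey = if ($cert) { $cert.HasPrivateKey } else { $false }
        Findings      = $findings
    }
}

Test-RdpSigningCertificate -Thumbprint $Thumbprint | Format-List
```

An empty Findings list means all four conditions hold for the current user on this machine; each finding maps to one of the bullets above.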
CONFIGURE A BASTION HOST OBJECT
To configure the web launcher settings for the ERPM website(s), in the admin console, go to Settings |
Manage Web Application | Application Launch.
The Remote Servers tab identifies the available bastion hosts and other related settings that will be used
for launching applications. The option Enable launching applications on a remote server must also be
selected on the Global tab to make use of these servers.
To add a new server, click the Add button in the lower right area of the dialog.
The following fields are mandatory:
Server configuration identifier - the friendly name of the server as it will appear in the application
launcher configuration.
Remote server system name - the actual name of the bastion host. This should be the name (FQDN, simple name, or IP) as it can be reached from the client systems that will be initiating the session.
Use RemoteApp to launch the liebsoft launcher on the server - this option must be selected to
remotely launch applications from the bastion host using RemoteApp as available in 2008 R2 and
newer.
Use integrated Windows credentials to login to the jump server - when used in conjunction with a Windows Server 2012 bastion host that is properly configured for web single sign-on, where the ERPM website is also configured for integrated authentication and where the user actually logs in using integrated authentication, this feature will connect to the bastion host using the ERPM user's credentials rather than a specific bastion login. The login user must have proper permissions to launch the application and RDP to the server.
Prompt for login credentials to application server - causes credentials to not be provided automatically when connecting to the bastion. The user performing the application launch must provide credentials that are valid for the bastion host.
Login credential system name - this value must be populated. If ERPM will be using stored (managed) credentials to log into the bastion host, this is the name of the system/server, as it appears in ERPM, from which to draw the credentials. It is recommended to use a domain credential for this purpose; see the section for configuring a bastion host login account.
Login credential account name - this is the name of the account that will be used to login to the
bastion host. It is recommended to use a domain credential for this purpose; see the section for
configuring a bastion host login account.
Login credential domain name - the domain to which the account belongs. If this is a local account
(not recommended) then this should be the simple (NetBIOS) name of the bastion host.
Load saved password for connection from password store - select this option to pull the managed
password from the ERPM password store. If it is desired to use a hard coded password instead, then
supply the actual password in the remote server logon password field.
[Script Launch] Path to script files on client systems is the path to which the script automation files will be copied during installation of the AppLauncher. This path is used when launching web based applications such as Twitter, Facebook, or other web based programs. The default location of these scripts is C:\Program Files (x86)\Lieberman\Roulette\LaunchApp\WebAutomation.
Update OIT agent data for agent running on the server - only provides functionality when the session recorder is provided by ObserveIT. Selecting this option will change certain metadata attributes to more accurately reflect which user account is performing certain actions. This affects auditing information stored within OIT.
Important: If using the built-in session recording instead of the session recording offering from ObserveIT, DO NOT check Update OIT agent data for agent running on the server. Doing so will prevent the built-in session recorder from working.
Once the entries are validated, click OK to add the bastion host object. If the option Load saved password for connection from password store is selected and a stored password for the target account does not exist, a warning indicating this will appear to the user; otherwise the dialog will close without incident.
Any of these settings can be changed at any time without having to make any changes to IIS or
performing IISReset or other administrative actions.
CONFIGURE A SESSION RECORDING HOST OBJECT
To configure the web launcher settings for the ERPM website(s), in the admin console, go to Settings |
Manage Web Application | Application Launch.
The Session Recorders tab identifies configured session recording servers. There will typically be a one to
one relationship with the servers configured on the Remote Servers tab.
Session recording only works for applications launched via the LiebsoftLauncher application. That means any users who retrieve passwords and connect directly will not have their sessions recorded by this session recording technology.
The session recording system consists of two components specific to session recording: the session recorder and the video transcoder. When a session is recorded on a bastion host, the recording is done by the session recorder. These files are created in a raw format and placed into the configured source directory. The Lieberman file watcher server picks up the raw files and moves them to the working directory, where they are formatted, converted and watermarked. Completed files are then moved to the SessionRecording directory. It is recommended that the transcoder NOT be the same system as the bastion host/session recorder, due to resource constraints (CPU specifically).
To add a new server, click the Add button in the lower right area of the dialog.
The following fields are mandatory:
Configuration label - the friendly name of the server as it will appear in the application launcher
configuration.
Basic configuration - use this option if the session recording host will perform both recording and transcoding duties. Recorder options include Expressions 4, VLC, and Windows Problem Steps Recorder. It is recommended to choose the Expressions 4 recorder option. The output path will default to a local path if this option is selected.
Advanced configuration - use this option if it is desired to put recordings in a custom location or if
video transcoding will occur on a separate host (typical). It is not recommended to change the
Assembly path or Type in Assembly values.
Abort application launch if session recording fails - with this option selected, if session recording
fails to initialize, the remote session will be logged off and no remote app launch will occur.
Output path - if using the bastion host for both session recording and video transcoding and it is
desired to place the recordings to an alternate location, specify the path here. If transcoding is
occurring on a separate host, then this should be a network UNC path (\\server\source) to the
Source share on the transcoder host.
File name template - the default value is SessionRecording-$(SessionID). In this value, SessionRecording- is the filename prefix and $(SessionID) is a variable for the session ID of the remote app launch session. The names of the recordings may be changed, but do not remove the $(SessionID) value from the name. There should also be no extension in the file name.
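The $(Name) syntax used in the file name template is the same replacement-variable syntax that the application command line and automation URL settings use later in this chapter (for example $(RemoteAccessTarget_TargetName)). The following PowerShell script is an added example, not part of this manual and not Lieberman's code: it checks the two constraints stated above for a file name template and shows how such a template expands. The expansion function is my own illustration of the syntax, not the product's implementation, and the sample session ID and target name are constructed values.

```powershell
# Added example (not from the Lieberman manual): validate a session recording
# file name template and expand $(Name) replacement variables. Expand-LaunchTemplate
# is an illustration of the syntax, not the product's own code; sample values
# are constructed.

function Test-RecordingFileNameTemplate {
    param([Parameter(Mandatory)][string]$Template)
    $problems = @()

    # The manual requires $(SessionID) to stay in the name.
    if ($Template -notmatch '\$\(SessionID\)') {
        $problems += 'Template must keep the $(SessionID) variable'
    }
    # The manual requires the template to carry no file extension.
    if ($Template -match '\.[A-Za-z0-9]+$') {
        $problems += 'Template must not end with a file extension'
    }
    # The expanded template becomes a Windows file name, so reject illegal characters.
    $invalid = [System.IO.Path]::GetInvalidFileNameChars()
    foreach ($ch in $Template.ToCharArray()) {
        if ($invalid -contains $ch) { $problems += "Invalid file name character: '$ch'"; break }
    }

    [pscustomobject]@{ Template = $Template; Valid = ($problems.Count -eq 0); Problems = $problems }
}

function Expand-LaunchTemplate {
    param(
        [Parameter(Mandatory)][string]$Template,
        [Parameter(Mandatory)][hashtable]$Variables
    )
    # Collect every $(Name) reference first so that an unknown name fails the whole
    # expansion instead of leaving a literal $(...) inside a command line or URL.
    $names = @([regex]::Matches($Template, '\$\(([A-Za-z0-9_]+)\)') |
               ForEach-Object { $_.Groups[1].Value } | Select-Object -Unique)
    $unknown = @($names | Where-Object { -not $Variables.ContainsKey($_) })
    if ($unknown.Count -gt 0) {
        throw "Unknown replacement variable(s): $($unknown -join ', ')"
    }

    $result = $Template
    foreach ($n in $names) {
        $result = $result.Replace('$(' + $n + ')', [string]$Variables[$n])
    }
    return $result
}

# Constructed sample values; a real launch receives these from ERPM.
$sample = @{
    SessionID                     = 'a1b2c3d4-0000-4000-8000-00000000beef'
    RemoteAccessTarget_TargetName = 'sqlserver01.yourdomain.com'
}

Test-RecordingFileNameTemplate -Template 'SessionRecording-$(SessionID)'   # Valid
Test-RecordingFileNameTemplate -Template 'Recording.mp4'                    # Invalid: no $(SessionID), has extension

Expand-LaunchTemplate -Template 'SessionRecording-$(SessionID)' -Variables $sample
# Illustrative command line and device URL using the target-name variable:
Expand-LaunchTemplate -Template '-S $(RemoteAccessTarget_TargetName) -E' -Variables $sample
Expand-LaunchTemplate -Template 'https://$(RemoteAccessTarget_TargetName)/login.html' -Variables $sample
```

Single-quoted strings are used for the templates so that PowerShell does not itself try to evaluate $(...) as a subexpression before the function sees it.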
Once the entries are validated, click OK to add the session recorder host object.
Any of these settings can be changed at any time without having to make any changes to IIS or
performing IISReset or other administrative actions.
CONFIGURE ERPM WEBSITE FOR SESSION PLAYBACK
In order to play back recorded sessions, ERPM will need to know the location of the machine with the completed session recordings. From the previous sections, this will most likely be the video transcoder host, which is also most likely the ERPM web server.
For reference, session recording consists of two pieces: recorder and transcoder. The recorder is typically the bastion host, while the transcoder is recommended to be another machine (due to CPU and RAM constraints). The transcoder host is typically the ERPM web server and will convert the raw video from the session recorder to playable video. These videos will be played back via streaming media services through the ERPM website.
The flow for session recording is as follows:
1) Application is launched on a bastion host and session recording is initiated.
2) After the session exits, the file will be copied to the source directory on the transcoder host.
3) Raw video will be converted and placed into the SessionRecording directory on that host.
4) IIS and Media Server will stream the videos to requesting authorized users.
The machine performing the video transcoding will have IIS configured with a virtual directory under the default root website called SessionRecording. It is this URL that will be provided to the ERPM website configuration. The SessionRecording URL may be presented with or without SSL but should be configured to use anonymous authentication.
To configure ERPM with the SessionRecording URL open the admin console, and click on the Manage
Web App button on the left action pane. Go to the Options | Configure default web application options
menu.
On the User/Session Management tab, enter the URL for the transcoder/media server where the videos are hosted in the Session playback URL field. If using HTTPS, be sure to enter the valid name of the server that matches the name on the certificate to avoid certificate errors. A typical URL will be similar to https://server.your.domain/sessionrecording/. Be aware that the system expects a trailing forward slash at the end of the URL.
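The three requirements just stated (a SessionRecording virtual directory with anonymous authentication, a host name that matches the HTTPS certificate, and a trailing slash) can be checked on the transcoder/media server before the URL is entered in ERPM. The following PowerShell script is an added example, not part of this manual and not Lieberman's code. It uses the IIS WebAdministration module; the site name, virtual directory name and URL are assumed placeholders matching the manual's defaults.

```powershell
# Added example (not from the Lieberman manual): check the session playback
# prerequisites on the transcoder/media server. Requires the IIS WebAdministration
# module. Site, virtual directory and URL values are assumed placeholders.
param(
    [string]$PlaybackUrl = 'https://server.your.domain/sessionrecording/',
    [string]$SiteName    = 'Default Web Site',
    [string]$VirtualDir  = 'SessionRecording'
)

Import-Module WebAdministration -ErrorAction Stop

function Test-SessionPlaybackConfig {
    param([string]$PlaybackUrl, [string]$SiteName, [string]$VirtualDir)
    $findings = New-Object System.Collections.Generic.List[string]

    # ERPM expects a trailing forward slash; report it rather than silently changing the value.
    if (-not $PlaybackUrl.EndsWith('/')) {
        $findings.Add("Session playback URL should end with '/': $PlaybackUrl")
    }

    # The virtual directory must exist directly under the root of the site.
    # (If it was created as an IIS application instead, use Get-WebApplication here.)
    $vdir = Get-WebVirtualDirectory -Site $SiteName -Name $VirtualDir -ErrorAction SilentlyContinue
    if (-not $vdir) {
        $findings.Add("Virtual directory '$VirtualDir' not found under site '$SiteName'")
    }
    else {
        # Anonymous authentication must be enabled for the virtual directory itself.
        $location = "$SiteName/$VirtualDir"
        $anon = Get-WebConfigurationProperty -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
                    -Name enabled -PSPath 'IIS:\' -Location $location
        if (-not $anon.Value) {
            $findings.Add("Anonymous authentication is disabled for $location")
        }
    }

    # For HTTPS, the host name in the URL must be one the binding certificate covers,
    # otherwise playback in the browser fails with certificate errors.
    if ($PlaybackUrl -match '^https://') {
        $hostName = ([uri]$PlaybackUrl).Host
        $binding  = Get-WebBinding -Name $SiteName -Protocol https | Select-Object -First 1
        if (-not $binding) {
            $findings.Add("Site '$SiteName' has no https binding but the playback URL uses HTTPS")
        }
        else {
            $cert = Get-ChildItem Cert:\LocalMachine\My |
                    Where-Object { $_.Thumbprint -eq $binding.certificateHash } | Select-Object -First 1
            if (-not $cert) {
                $findings.Add('Certificate bound to the https binding was not found in LocalMachine\My')
            }
            else {
                # Accept the host name if it appears as a SAN DNS name or as the subject CN.
                $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
                if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
                if ($names -notcontains $hostName) {
                    $findings.Add("Host name '$hostName' is not covered by the binding certificate (names: $($names -join ', '))")
                }
            }
        }
    }

    [pscustomobject]@{ PlaybackUrl = $PlaybackUrl; Valid = ($findings.Count -eq 0); Findings = $findings }
}

Test-SessionPlaybackConfig -PlaybackUrl $PlaybackUrl -SiteName $SiteName -VirtualDir $VirtualDir | Format-List
```

Wildcard certificates are reported as a mismatch by the simple name comparison above; treat that finding as a prompt to confirm the match manually rather than as a hard failure.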
Click OK once the URL is entered.
If updating an existing website with this new information, right-click on the website instance and select
Replace instance options with default web application options. There is no need to restart any servers
or components after making this change.
Once the URL is added and once any sessions have been recorded, users with access to the auditing section of the ERPM website will be able to play back any recorded sessions that exist. Such recorded sessions will be visible in the ERPM auditing section with a camera icon next to their audit entry. Simply click on the camera icon to play back the recorded session.
CONFIGURE APPLICATIONS FOR LAUNCHING
To configure the web launcher settings for the ERPM website(s), in the admin console, go to Settings |
Manage Web Application | Application Launch.
The Applications tab identifies the applications which can be made available to launch from the ERPM
website and other related settings that will be used when launching these applications. Once an
application is added, it must be properly configured before it may be launched.
Lieberman Software ships a number of pre-configured application objects. Most will still require additional configuration before they can be used for launching the specified target application. To add the pre-defined applications, click the Add Defaults button in the lower left area of the dialog. Add new applications by clicking the Add button. Duplicate or edit existing applications by using the Copy or Edit buttons respectively.
When editing a dialog, there are many elements to fill out. The required elements for a basic application
configuration to be valid are:
Remote application label - required - this is the friendly name of the application as it will appear in
the ERPM website.
Remote application description - optional - enter a description for the application that will appear in
the ERPM website.
Remote application icon path - optional - to set a custom icon for the application, locate the physical
ERPM website installation files. Typically, this will be at %inetpub%\wwwroot\PWCWeb. All file
paths defined for the icons will be relative to this path. It is recommended to create a custom folder
(example "CompanyIcons") and add your icons to this folder so they will persist through website
upgrades. Then for the icon path, simply add the FolderName\IconName.gif. All GIF files should be
32x32 pixels.
Remote launch type - required - select from the available launch types:
LAUNCH APPLICATION WITH COMMAND LINE PARAMETERS - use this for any application which can be launched with command line options, such as SQL Management Studio, PuTTY, VMware vCenter, etc.
OPEN WEB APPLICATION WITH FORM POST - use this for websites which only require a basic form post and do not make use of JSON, YAML or other technologies for passing the user name and password information. When this is selected, fill out the WEB PAGE AND NAME-VALUE PAIR FIELDS. The web page is the name of the login page including protocol, such as http://webserver/pwcweb/login.asp. The name-value pairs are the variables for the user name and password.
LAUNCH TERMINAL SERVICES CLIENT - use this for launching the Microsoft Terminal Services client.
There are no additional requirements to setup this launch type.
LAUNCH APP THROUGH .NET ASSEMBLY - used when an external .net assembly will be used to perform the connection and credential passing. Supply the ASSEMBLY PATH and TYPE NAME values. The assembly path is the full physical file path to the .net assembly. Type name is the name of the .net interface.
LAUNCH APP THROUGH SCRIPT AUTOMATION - this is most frequently used for launching MMCs, websites which do not pass user name and password information via a basic form post (see most web examples in the default list), fat clients which do not make use of command line parameters, etc. Supply the Script Path and Automation URL. Script path is the name of the script to run, including the extension, for example login_azuremgmt.vbs. This script must be found in the pre-defined script automation directory on the global options or bastion host configuration dialogs for the app launcher. Automation URL is the target URL, for example http://manage.windowsazure.com or, for a device, https://$(RemoteAccessTarget_TargetName)/login.html.
Run on the jump server - optional - use this option to launch the target application from a bastion/jump server (configured previously) rather than from the user's workstation. If this option is not selected, the application will attempt to launch locally on the user's workstation. If this option is selected, the application will be launched on the jump server. The application must be installed on the jump server at that time. This is a per-application setting.
USE THE TARGETED ACCOUNT TO CONNECT TO THE JUMP SERVER - if a jump server is used and the account
being targeted to launch the application is a domain account or a valid local bastion host
account, this option will establish a connection with those credentials rather than the
pre-configured bastion connection credentials. If the credentials are not valid on the bastion host
then the connection will not succeed. Do not use this option for non-Windows systems.
APPLICATION SUPPORTS MULTI-TAB - a special set of configurations and launch scripts for applications
which have multi-branch or multi-tab capabilities. See the Multi-tab Support section for
more information on configuration and use.
LOAD USER PROFILE WHEN STARTING APPLICATION (CONFIGURE RDP CONNECTION PARAMETERS) - when
selected, loads the connecting user's profile on the bastion host, which makes additional RDP
elements available such as color depth, mapped drives, clipboard capability and so on.
Enable session recording - optional - if a session recording host is configured, this option will be
available. When configured, the launching of this application on a jump server will record just this
application being run. This is a per-application setting.
Application - mandatory - The application name is simply the name of the executable without the
path. For example, SSMS.EXE.
Command line - mandatory - Command line is the parameters to launch the executable with.
Parameters are specific to the program being launched, not to ERPM. ERPM does however provide
specific replacement variables that can be used in place of otherwise static values, such as
$(RemoteAccessTarget_TargetName) instead of the target's actual host name. See the following
sub-section for more information.
Application location - optional - An application location must also be defined, but it can either be a full
physical path in the application location field or be set up to search for, and even download, a ready-to-run
executable from a predefined network path (At launch download file from path). A physical
path MUST be defined when launching the application from a jump server. If a physical path is not
defined in the application location field, then the option to Search for application on local system
should be enabled. Sub-options for application search include searching for the application in the
system root or program files directories. In addition, include and exclude directories may
be defined. Multiple values should be separated by a semi-colon. There is no variable replacement
such as %systemroot% or %inetpub%, so full physical locations must be used.
Search for application on local system - optional - will cause the application launcher to search the
bastion host or calling workstation's file system for the executable being launched and launch the
first valid application it comes across. If this option is deselected, then the Application location field
above it becomes active and a static path can be defined there. Using the search mechanism adds time
to launching the application. The locations it can search are the program files directories or the system
root directory. Searching is controlled by the subsequent options on this dialog.
SEARCH FOR APPLICATION ON LOCAL SYSTEM ROOT directs ERPM to search the %systemroot% location
on the bastion host or calling workstation's file system when launching an application.
SEARCH FOR APPLICATION UNDER THE PROGRAM FILES DIRECTORY directs ERPM to search %programfiles%
and %programfiles(x86)% on the bastion host or calling workstation's file system when launching
an application.
SUBDIRECTORY RESTRICTION lists the subdirectories to skip when searching the program files
directory structure.
ADDITIONAL SEARCH DIRECTORIES lists any other directories on the system to search. The list is
semi-colon delimited.
WORKING DIRECTORY is the default search starting point.
Only run signed executables - optional - will ensure the program has a digital signature on it. If the
option is enabled, an additional verification can be configured to validate specific fields of the digital
signature such as the certificate serial number, certificate issuer or other signing bits.
VERIFY CERTIFICATE FIELDS OF SIGNING CERTIFICATE - becomes available if the option to Only run signed
executables is selected. The resulting dialog allows defining which fields to verify in the signing
certificate.
Only run executables with expected hashes - optional - allows the admin to define hashes of a
target application. This is useful to ensure that someone did not rename a malicious executable or
that only a specific patched version runs. Multiple hashes can be calculated and defined from this
dialog.
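The following Python is an added illustration (not Lieberman Software's code) of how the search options and the expected-hash allowlist above combine on the launcher side: search roots and subdirectory restrictions are taken as semi-colon delimited lists, restricted subdirectories are never descended into, and the first copy of the executable whose SHA-256 is on the allowlist is the one launched. The demo() function builds a constructed temporary directory tree with made-up file names and contents so it runs anywhere.

```python
"""Launcher-side application search with subdirectory exclusions and an
expected-hash allowlist.  Added example, not Lieberman Software's code."""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Optional


def split_list(value: str) -> List[str]:
    """The multi-value fields in the dialog are semi-colon delimited."""
    return [item.strip() for item in value.split(";") if item.strip()]


def sha256_of(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_application(exe_name: str, search_roots: Iterable[str],
                     subdirectory_restriction: Iterable[str],
                     expected_hashes: Iterable[str]) -> Optional[str]:
    """Return the first copy of exe_name found under search_roots (in order)
    that lies outside every restricted subdirectory and, when an allowlist is
    given, whose SHA-256 is on it.  None means nothing eligible was found."""
    excluded = {d.lower() for d in subdirectory_restriction}
    allowed = {h.lower() for h in expected_hashes}
    for root in search_roots:
        if not os.path.isdir(root):
            continue
        for dirpath, dirnames, filenames in os.walk(root):
            # Prune restricted subdirectories so they are never descended into.
            dirnames[:] = [d for d in dirnames if d.lower() not in excluded]
            for name in filenames:
                if name.lower() != exe_name.lower():
                    continue
                candidate = os.path.join(dirpath, name)
                # Without an allowlist the first name match wins; with one, a
                # renamed or unpatched binary is skipped and the search goes on.
                if not allowed or sha256_of(candidate) in allowed:
                    return candidate
    return None


def demo() -> Dict[str, Optional[str]]:
    """Build a constructed directory tree holding three ssms.exe copies and
    report what the search picks with and without the hash check."""
    base = tempfile.mkdtemp(prefix="erpm_search_demo_")
    program_files = os.path.join(base, "Program Files")
    extra = os.path.join(base, "AdminTools")
    copies = {  # constructed sample files, not real binaries
        os.path.join(program_files, "Temp", "ssms.exe"): b"renamed junk",
        os.path.join(program_files, "SSMS", "ssms.exe"): b"old unpatched build",
        os.path.join(extra, "ssms.exe"): b"approved patched build",
    }
    for path, content in copies.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(content)
    roots = split_list(f"{program_files};{extra}")
    restricted = split_list("Temp")
    approved = [hashlib.sha256(b"approved patched build").hexdigest()]
    return {
        "without_hash_check": find_application("SSMS.EXE", roots, restricted, []),
        "with_hash_check": find_application("SSMS.EXE", roots, restricted, approved),
        "unpatched_copy": os.path.join(program_files, "SSMS", "ssms.exe"),
        "approved_copy": os.path.join(extra, "ssms.exe"),
    }


if __name__ == "__main__":
    for label, path in demo().items():
        print(f"{label}: {path}")
```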
At launch, download the file from path - optional - defines a network path or URL to download
the application from if it is not already present on the host system.
Settings apply to client system configuration - applies only to applications launched from the user's
workstation and has no effect for applications launched via a bastion host. Consider that a 32-bit
application running on a 32-bit Windows host will typically install to c:\program files\application, yet
the same 32-bit application running on a 64-bit Windows host will typically install to c:\program files
(x86)\application. This setting permits configuring one application to launch with multiple
possible settings. When these settings are configured, the launcher will determine what host it is
running on and retrieve the appropriate settings, such as the launch directory.
Application uses stored private key - optional - this option allows programs which can use
certificates (such as SSH clients) to define which certificate to use when connecting. These
certificates must have been pre-imported and assigned via the administrative console from Settings
| User Keys | Import Keys.
Application uses gateway server - optional - if an SSH proxy/gateway is defined (Admin console at
Settings | Manage Web Application | Remote Gateway Servers) this option will be available. This
option is useful when a client must first connect to an SSH proxy before connecting to the final
SSH target. This process makes use of plink.exe. The plink.exe download location must also be
specified, with the path on the jump server where the plink.exe executable resides. Plink.exe is
installed in the launch app folder on the bastion host if the PuTTY files are also installed when installing
the application launcher. Plink.exe can also be downloaded from http://www.putty.org.
Configure Allowable Types - required - this defines for which account types the application will be
available. At least one account type must be selected. This is what specifically makes an application
available to MySQL or Windows but not to Linux, MS SQL or Oracle.
Always use the specified account when starting this application - optional - when this option is NOT
selected (default), the application will be made available for the selected account type(s) (Configure
Allowable Account Types). That means potentially any account could be used to launch this
application. If the option is enabled, ERPM will pull a predefined credential from the account store
and always use that account to launch the application. Also, the application will not be available in
the Launch App section of the ERPM website; rather, it will be made available in the Applications
section of the website for the users that have permission to launch the application. The Launch App
section is accessible when viewing specific managed passwords. Applications is always available
regardless of managed passwords.
See the next sub-section for replaceable variables in the command line or automation URL paths.
VARIABLES FOR APP LAUNCHING
When launching an application from the command line or via web automation scripts, there are many
available variables for ERPM to use to pass the user name, password, target server and more. What
follows is a list of available variables which can be used for replacement.
As the process works, DEMO\Broberts logs into the ERPM web application and clicks on
Launch App. This causes a secondary account (DEMO\BastionLogin) to connect to the bastion host and
launch the liebsoftlauncher.exe program. Liebsoftlauncher connects back to the web service
and retrieves program settings including target system, target user name, and target password. For
this example, the connection is to a server called DB2012 as SA with the SA password.
For this example the following elements are defined by the following variables:
DEMO\Broberts = $(SourceAppLogin) or $(UserEnteredLoginUsername)
DEMO\BastionLogin = NOT EXPOSED
DB2012 = $(RemoteAccessTarget_TargetName)
SA = $(Username) or $(AccountName_FullyQualified)
SA Password = $(Password) or $(Password_Raw)
Following is a list of all possible variables:
$(UserEnteredLoginUsername) - same as $(SourceAppLogin), is the account used to login to the
ERPM web application.
$(UserEnteredLoginUsername:RemoveNTSyleNamespace) - This element prunes the domain name
from the user name. From the example above, DEMO\Broberts becomes simply Broberts.
$(UserEnteredLoginUsername:ReplaceBackslashWithDot) - This element retains the domain name
with the user name but replaces the backslash with a dot. From the example above, DEMO\Broberts
becomes DEMO.Broberts. Use this variable when a name is required that will not be interpreted as a
path when creating directories.
$(SourceAppLogin) - same as $(UserEnteredLoginUsername), is the account used to login to the app
[component] which is triggering the launcher, i.e. the RDP user to the bastion host.
$(SourceAppLogin:RemoveNTSyleNamespace) - This element prunes the domain name from the
user name. From the example above, DEMO\Broberts becomes simply Broberts.
$(SourceAppLogin:ReplaceBackslashWithDot) - This element retains the domain name with the user
name but replaces the backslash with a dot. From the example above, DEMO\Broberts becomes
DEMO.Broberts. Use this variable when a name is required that will not be interpreted as a path
when creating directories.
$(Username) - this is the name of the target account. From the example above, SA.
$(AccountName_FullyQualified) - building on the $(Username) variable, this prepends the
domain prefix to the account name if applicable.
$(Password) - the regex-escaped password (e.g. pass\"word).
$(Password_Raw) - the raw un-escaped password.
$(RemoteAccessTarget_TargetName) - the target host to which the application will connect.
$(LauncherPath) - the path to the application launcher.
$(SessionID) - GUID for the launcher link.
$(PrivateKey) - the file path for the DER encoded private key (if available).
$(PrivateKeyPassphrase) - the pass phrase, if present for $(PrivateKey).
$(PuttyKey) - the file path for the putty encoded private key (if available).
These variables are used inline and replaced by ERPM at the time the application is launched. For
example, if in the website the user were to go to the MSSQL database instance on a server called DB2012
and connect with the built-in (and managed) SA account, the command line syntax would be:
-S $(RemoteAccessTarget_TargetName) -U $(Username) -P $(Password) -nosplash
The switches (-S, -U and -P) belong to the SSMS.EXE executable. The values of
$(RemoteAccessTarget_TargetName), $(Username), and $(Password) would be replaced by the name of
the server (DB2012), the name of the account (SA), and the password for SA respectively.
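As an added illustration (not Lieberman Software's implementation), the Python below reproduces the substitution described in this sub-section for a command line or automation template: plain variables, the RemoveNTSyleNamespace and ReplaceBackslashWithDot modifiers (spelled as the manual lists them), the escaped versus raw password, and the $(ProcessID) value used by multi-tab launches. The exact escaping rule behind $(Password) is an assumption (backslashes and double quotes get a backslash prefix, matching the pass\"word example), and expand_for_log is added here because an expanded command line carries the cleartext password and must not be written to a log as-is.

```python
"""Expansion of ERPM-style launch variables in a command line template.

Added example, not the vendor's implementation.  Assumption: $(Password)
is produced by prefixing backslashes and double quotes with a backslash,
which matches the manual's pass\"word illustration.
"""
import re
from typing import Callable, Dict, Optional

# $(Name) or $(Name:Modifier), e.g. $(SourceAppLogin:RemoveNTSyleNamespace)
VARIABLE = re.compile(r"\$\((\w+)(?::(\w+))?\)")

# Modifier names are spelled exactly as the manual lists them.
MODIFIERS: Dict[str, Callable[[str], str]] = {
    # DEMO\Broberts -> Broberts
    "RemoveNTSyleNamespace": lambda name: name.rsplit("\\", 1)[-1],
    # DEMO\Broberts -> DEMO.Broberts (safe to use inside a directory name)
    "ReplaceBackslashWithDot": lambda name: name.replace("\\", "."),
}

# Variables whose values must never appear in an audit log.
SECRET_VARIABLES = ("Password", "Password_Raw", "PrivateKeyPassphrase")


def regex_escape_password(raw: str) -> str:
    """Assumed form of $(Password): backslash-escape backslashes and quotes."""
    return re.sub(r'([\\"])', r"\\\1", raw)


def build_variables(login_user: str, target: str, account: str,
                    password_raw: str, domain: str = "",
                    process_id: Optional[int] = None) -> Dict[str, str]:
    """Assemble the replacement table for one launch, using the manual's names."""
    variables = {
        "UserEnteredLoginUsername": login_user,
        "SourceAppLogin": login_user,
        "RemoteAccessTarget_TargetName": target,
        "Username": account,
        # The domain prefix is prepended only when the account has one.
        "AccountName_FullyQualified": f"{domain}\\{account}" if domain else account,
        "Password": regex_escape_password(password_raw),
        "Password_Raw": password_raw,
    }
    if process_id is not None:  # only present for multi-tab automation launches
        variables["ProcessID"] = str(process_id)
    return variables


def expand(template: str, variables: Dict[str, str]) -> str:
    """Replace every $(Name[:Modifier]) in template.  Unknown names or
    modifiers raise instead of passing through, so a typo in a template
    never reaches the target application as literal text."""
    def substitute(match: "re.Match[str]") -> str:
        name, modifier = match.group(1), match.group(2)
        if name not in variables:
            raise KeyError(f"unknown launch variable $({name})")
        value = variables[name]
        if modifier is not None:
            if modifier not in MODIFIERS:
                raise KeyError(f"unknown modifier :{modifier} on $({name})")
            value = MODIFIERS[modifier](value)
        return value
    return VARIABLE.sub(substitute, template)


def expand_for_log(template: str, variables: Dict[str, str]) -> str:
    """Same expansion with the secret-bearing variables masked, for audit logs."""
    masked = {k: ("***" if k in SECRET_VARIABLES else v) for k, v in variables.items()}
    return expand(template, masked)


if __name__ == "__main__":
    v = build_variables("DEMO\\Broberts", "DB2012", "SA", 'pass"word', process_id=4242)
    ssms = "-S $(RemoteAccessTarget_TargetName) -U $(Username) -P $(Password) -nosplash"
    print(expand(ssms, v))          # -S DB2012 -U SA -P pass\"word -nosplash
    print(expand_for_log(ssms, v))  # -S DB2012 -U SA -P *** -nosplash
    print(expand("$(RemoteAccessTarget_TargetName) nouser nopasswords $(ProcessID)", v))
```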
MULTI-TAB SUPPORT
Many administrative tools support several connections to target systems from one tool window. This
can be implemented as separate tabs, as in SecureCRT, or as branches in a tree-view navigation pane,
as in Microsoft SQL Management Studio.
SecureCRT with two connections.
SQL Management Studio with two servers.
These applications can use different credentials for each target system connection. However, some
applications have limitations when using multiple tabs or branches. For example, it is possible to use
integrated Windows authentication to connect SQL Management Studio to some MS SQL servers while
others require an explicit SQL account using SQL authentication. In the case of SQL Management Studio,
when the tool is launched with integrated Windows authentication it is not possible to re-use the
existing instance of the tool. However, if one connection uses integrated authentication and the
secondary connections use SQL authentication, or if all connections use SQL authentication, then it is
perfectly reasonable to re-use the currently running instance.
ERPM supports this ability of such tools. The Multi-tab Configuration window in Remote Application
Configuration is used for this task.
If multi-tab is not used, when a user launches a tool, like SecureCRT or SQL Management Studio, that
establishes one session on the bastion and one instance of the application in that session. This is a more
secure scenario as it segregates the data and session information so it cannot be shared within the tool
and any systems the user may be accessing.
The trade-off is that a secondary launch of the same tool, just to a new system, will cause a second
session to be created, which can be slow and will consume more resources.
If multi-tab is used, when a user launches a tool like SecureCRT or SQL Management Studio, that
establishes one session on the bastion and one instance of the application in that session. Then when the
user launches the same tool again to connect to another system, this will re-use the existing session and
simply add a tab or another tree node to the tool. This reduces resource consumption on the bastion host and
can speed up the use of the tool. The trade-off is that the application can now share information from all
servers with anything it is connected to. Consider launching a web application to your company's Twitter
feed and logging in, then launching a new tab to another site that has been compromised: now the
cache and in-memory information is available to all tabs in the browser.
MULTI-TAB SUPPORT CONFIGURATION
To configure multi-tab support, first establish the jump server and basic application settings as previously
described in the Configure Applications for Launching section.
Note: Multi-tab is only supported when launching from bastion/jump servers.
Enable the Application supports multi-tab option on the left side of the Remote Application
Configuration dialog, then click the ellipsis (...).
Click Add in the lower left corner of the dialog.
Fill out all the information on the Multi-tab Configuration dialog.
Multi-tab configuration label is the label that will be shown in the Multi-tab configuration selection
drop-down list in the Remote application configuration window. The name should be indicative of
the multi-tab application settings being used.
Multi-tab automation local executable path is the path to a compiled AutoIt script which is able to
open a new tab/establish a connection to a new target system.
Automation executable arguments are specific to the new-tab executable. Usually the ProcessID is used to
find the HWND (handle to a window) of the application window, and the target system is passed so the
application can open a new connection to it. If integrated Windows authentication is used in this case,
the user name and password are not needed.
Allow this multi-tab automation for existing application launches by EXE name controls how a
launched application instance will be detected. If it is unchecked, only instances of the application
launched with this multi-tab configuration selected will be treated as previously launched.
In the example of using SQL Management Studio, there are two different application configurations: one
for Integrated Windows Authentication and another for SQL Server authentication. Both scenarios
use the same executable, ssms.exe. In the case of the multi-tab configuration for Integrated Windows
Authentication, where different Windows accounts are used to connect to target database servers,
the option to Allow this multi-tab automation for existing application launches by EXE name should be
unchecked, because it is impossible to connect to a second MS SQL instance using integrated Windows
authentication from an existing ssms.exe instance that was initially launched as another user. In this
case the automation executable arguments will be similar to this:
$(RemoteAccessTarget_TargetName) nouser nopasswords $(ProcessID)
ProcessID is the ID that will be used to reuse the currently running executable.
In the SQL Management Studio case where SQL Authentication is being used, or similar types of
connections, the option to Allow this multi-tab automation for existing application launches by EXE
name can be selected. In this case the automation executable arguments will be similar to this:
-S $(RemoteAccessTarget_TargetName) -U $(Username) -P $(Password_Raw)
In the commands above, $(RemoteAccessTarget_TargetName), $(Username) and $(Password_Raw) are
standard ERPM variables. $(ProcessID) is a new variable which returns the PID of the initially launched
application. "nouser" and "nopasswords" are placeholder values for the user name and password
arguments: with IWA no user name and password are needed, and the placeholders keep the scripts'
argument lists uniform.
SSMSNewTabIwa.exe and SSMSNewTabSql.exe are compiled AutoIt scripts used to interact with MS SQL
to open a new connection using Integrated Windows Authentication or SQL authentication
respectively. The listing of these scripts is below. Users may create their own AutoIt scripts, or
Lieberman Software will provide the scripts on the ERPM download page.
Click OK when finished. Then select the appropriate multi-tab configuration settings for the target
application.
Lieberman Software has compiled multi-tab scripts for the following applications:
RunAs and wait until process finishes = RunAsWait
DHCP Manager = RunDHCP
DHCP Manager = RunDHCPNewTab
DNS Manager = RunDNS
DNS Manager = RunDNSNewTab
File Server Resource Manager = RunFSRM
Hyper-V Manager = RunHyperV
Hyper-V Manager = RunHyperVNewTab
MS Terminal Services = RunMstsc
Network File Services Management = RunNFSMGMT
Performance Monitor = RunPERFMON
Server Manager = RunServerManager
Storage Explorer = RunStorageExplorer
Storage Manager = RunStorageMgmt
Task Scheduler = RunTaskScheduler
Run process and wait until finished = RunWait
WBAdmin (Backup) = RunWBADMIN
WINS Manager = RunWINS
WINS Manager = RunWINSNewTab
SecureCRT = ARM_SCRTStart
SecureCRT = SCRTNewTabSSH2
SecureCRT = SCRTNewTabTELNET
SecureCRT = SCRTStart
SQL Mgmt Studio = SSMSNewTabIwa
SQL Mgmt Studio = SSMSNewTabSql
A simple test script = TestParams
Remote Desktop = UnlockMstsc
Remote Desktop for ARM = UnlockMstscARM
MULTI-TAB AUTOIT SCRIPT EXAMPLES
SSMSNewTabIwa.au3
; Opens a new connection in an already running SQL Server Management Studio
; instance using integrated Windows authentication. ERPM calls it as:
;   SSMSNewTabIwa.exe <target system> nouser nopasswords <SSMS process ID>
#include <MsgBoxConstants.au3>
; Check the argument count before indexing $CmdLine; otherwise a short
; command line raises an array-bounds error instead of simply doing nothing.
If $CmdLine[0] = 4 Then
    Local $systemName = $CmdLine[1]
    Local $domainUserName = $CmdLine[2] ; placeholder "nouser", unused with IWA
    Local $password = $CmdLine[3]       ; placeholder "nopasswords", unused with IWA
    Local $ssmsPid = $CmdLine[4]
    openNewTab($ssmsPid, $systemName, $domainUserName, $password)
EndIf

Func openNewTab($p_ssmsPid, $p_systemName, $p_domainUserName, $p_password)
    Opt("WinTitleMatchMode", 2) ; match any window whose title contains the text
    Local $ssmsWindows = WinList("Microsoft SQL Server Management Studio")
    For $i = 1 To $ssmsWindows[0][0]
        ; Only drive the SSMS instance whose PID ERPM passed in, never another one.
        If $p_ssmsPid = WinGetProcess($ssmsWindows[$i][1]) Then
            Local $delay = 5
            WinActivate($ssmsWindows[$i][1])
            WinWaitActive($ssmsWindows[$i][1])
            Send('!f')              ; File menu
            Sleep($delay)
            Send('e')               ; Connect Object Explorer
            Sleep($delay)
            Send('+{TAB}')
            Sleep($delay)
            Send('+d')
            Sleep($delay)
            Send('{TAB}')
            Sleep($delay)
            Send($p_systemName, 1)  ; raw mode: + ! ^ # { } in the name are typed literally
            Sleep($delay)
            Send('{TAB}')
            Sleep($delay)
            Send('+w')              ; Windows Authentication
            Sleep($delay)
            Send('{ENTER}')         ; connect
        EndIf
    Next
EndFunc
SSMSNewTabSql.au3
; Opens a new connection in an already running SQL Server Management Studio
; instance using SQL Server authentication. ERPM calls it as:
;   SSMSNewTabSql.exe <target system> <user name> <password> <SSMS process ID>
#include <MsgBoxConstants.au3>
; Check the argument count before indexing $CmdLine; otherwise a short
; command line raises an array-bounds error instead of simply doing nothing.
If $CmdLine[0] = 4 Then
    Local $systemName = $CmdLine[1]
    Local $domainUserName = $CmdLine[2]
    Local $password = $CmdLine[3]       ; $(Password_Raw), un-escaped
    Local $ssmsPid = $CmdLine[4]
    openNewTab($ssmsPid, $systemName, $domainUserName, $password)
EndIf

Func openNewTab($p_ssmsPid, $p_systemName, $p_domainUserName, $p_password)
    Opt("WinTitleMatchMode", 2) ; match any window whose title contains the text
    Local $ssmsWindows = WinList("Microsoft SQL Server Management Studio")
    For $i = 1 To $ssmsWindows[0][0]
        ; Only drive the SSMS instance whose PID ERPM passed in, never another one.
        If $p_ssmsPid = WinGetProcess($ssmsWindows[$i][1]) Then
            Local $delay = 5
            WinActivate($ssmsWindows[$i][1])
            WinWaitActive($ssmsWindows[$i][1])
            Send('!f')                  ; File menu
            Sleep($delay)
            Send('e')                   ; Connect Object Explorer
            Sleep($delay)
            Send('+{TAB}')
            Sleep($delay)
            Send('+d')
            Sleep($delay)
            Send('{TAB}')
            Sleep($delay)
            Send($p_systemName, 1)      ; raw mode: + ! ^ # { } are typed literally
            Sleep($delay)
            Send('{TAB}')
            Sleep($delay)
            Send('+s')                  ; SQL Server Authentication
            Sleep($delay)
            Send('{TAB}')
            Sleep($delay)
            Send($p_domainUserName, 1)  ; raw mode, as above
            Sleep($delay)
            Send('{TAB}')
            Sleep($delay)
            Send($p_password, 1)        ; raw mode: a password containing + ! ^ # { } would
            Sleep($delay)               ; otherwise be interpreted as key modifiers
            Send('{ENTER}')             ; connect
        EndIf
    Next
EndFunc
APPLICATION SETS
Application sets are simply pre-defined collections of applications to launch. They can be created to
group types of applications together such as DB management products or remote terminal products or
based on job duties.
To create a new set of applications, from the ERPM console, go to Settings | Manage Web Application |
Application Launch. Then click on the Add Sets button on the Applications tab.
On the Remote Application Sets tab, click the Add Set button in the lower left corner, supply a proper
name, then click OK and the new list will be added to the dialog.
To add applications to the application set, right-click on the application set and select Add applications
to set. To remove an application from an application set, right-click on the application set and select
Remove applications from set.
Select all the desired applications then click OK.
To view the applications added to an application set, expand the application set.
Once application sets are defined, in order for users who do not have all access to be able to use the
groupings, application set permissions must be defined in addition to the application permissions.
When the user does not have all access, additional permissions are required to launch a specific
application. To define these permissions, use the admin console and go to Delegation | Web application
remote application permissions. Click Add in the lower left corner, then select an available identity, click
OK, then select one or more applications the user can launch.
To define application set permissions, use the admin console and go to Delegation | Web application
remote application set permissions. Click the Add button, select the identity that will have permissions to
an application set, and click OK. Then select from the available application sets and click OK again. A
prompt will appear asking whether to use a shadow account. Shadow accounts are covered in the next
section, titled Shadow Accounts. If a shadow account will be used, click Yes and continue to supply the
required information; otherwise, click No. After shadow accounts, another prompt will appear asking if
there will be system restrictions. If there will be system restrictions for these applications, click Yes and
continue to supply the required information; otherwise, click No.
When the user goes to the website, they will be able to select from among the available application set
filters when attempting to launch an application.
SHADOW ACCOUNTS
Shadow accounts allow a user to connect to a system with a specific app and choose from among one or
more accounts to connect with. Consider the normal paradigm where a user must go to the Managed
Passwords area, find the target system and local account for the application to connect with. While this
works for many scenarios, it is not very flexible and it does not address the need to connect to other
systems or applications with domain or directory accounts. This is specifically what shadow
accounts do.
With a shadow account, a user will go to the system or application in question in the systems view of
ERPM and choose to launch an application. An available list of applications will be presented to the user
and the user can determine which account, local or central (domain or directory) to connect with to the
system or application.
To use shadow accounts requires the View Systems and Allow Remote Sessions global delegation
permission. Once permissions are granted, additional configuration to map shadow accounts must be
performed.
Shadow accounts are first mapped and then associated with application permissions, even when a user
has All Access. To use Shadow Accounts, a per application rule must be established for the target user.
To establish shadow accounts mappings go to Delegation | Web Application Identity to Shadow
Account Mappings. This dialog will show any existing mappings. To add a new mapping, click the Add
Mapping button in the lower left corner of the dialog.
Select the target identity from the list of available identities, then click OK.
Select from the available [previously] managed/stored identities in ERPM and click OK. The new
mappings will now be in the list of available mappings.
Click OK to close the Shadow Account Mappings dialog.
Next add the application permissions. Go to Delegation | Web Application Remote Application
Permissions.
Click Add in the lower left corner of the Remote Application Permissions dialog to add a new application
permission. The first dialog to appear will be for the identity that will be granted the permissions to use
an application with a shadow account. Select the identity then click OK.
Next a list of remote applications will be presented to the user. Select the target application(s) that will
be established for the user then click OK.
ERPM will then prompt to use a Shadow Account. Click Yes to assign one or more shadow accounts that
the target user may use when launching the specified application.
Based on the selected user, a list of available corresponding mappings will be presented. Select the
mapping(s) that should be configured for the target user and selected applications, then click OK.
ERPM will then prompt to restrict the application permissions and configured shadow account mappings
to specific management sets. If it is desired to restrict the applications and/or shadow account mappings
to specific lists of systems, click Yes. Otherwise, click No.
If Yes was selected, then a list of management sets will be presented.
Select from the desired management set(s) and click OK.
The new mapping will be presented in the Web Application Remote Application Permissions dialog. Any
undesired mappings may be deleted or reports may be generated from this page.
To use the mappings, the user must go to the Systems view in the ERPM web page (View systems
permission required).
Click Launch App next to the desired target system. If Launch App is not visible, either the user does
not have the Allow Remote Sessions permission or no Shadow Account Mapping is present.
The user will be able to select from among the applications and launch accounts to launch the
application.
As of ERPM version 4.83.8, a user with either of the following sets of permissions will be able to
launch applications:
1) All Access
2) View account, remote sessions, and permissions for the specific application being launched.
USING APPLICATION LAUNCHING
Using Application Launching 162
There are two types of application launching in ERPM: launching with variable account and system
information, and launching with pre-defined account and system information. The difference in app
configuration is whether the option in the lower right corner of the application dialog that says to
always use the specified account is selected or not. If the option is selected, the application will appear
in the Applications portion of the website. If the option is not selected, the user must go to the Launch
App section next to the system/account they wish to use to connect.
Launching an App as a Pre-Configured Application
To launch an application which has been pre-configured for a specific account and target, such as a
company's Twitter or Facebook page, the user will click the Operations | Applications link, then click on
the application to launch. Only applications that are pre-configured to always launch as a specific user
and that the login user has access to will be shown on this page. If an application is not shown it is a sign
of at least one of two possible causes:
The user has no permission to launch an application
There are no apps configured to always run as a specific user
Launching an App Using Variable Target and Account Information
Once the target system and account to connect as are located in the Passwords | Managed
Password section of the website, click the play button.
All applications available to the user for the specific account type will then be shown. If the RDP icon
appears at the right edge of the black title bar, that indicates the application is configured to launch via a
bastion host. If the camera icon appears at the right edge of the black title bar, that indicates the session
will be recorded.
To launch the application, click Launch. What happens next will depend on whether the application is
configured to launch locally or from a bastion host and whether or not the user has performed this
process previously. If connecting via a bastion host, the system will initiate a series of calls to the bastion
host and the LiebsoftLauncher on that host. This will be visible to the user. If the user has not previously
launched an app from the machine/profile they are currently logged into, they will likely receive a couple
of security prompts. Use the filter options at the top of the page to search for applications, show only a
set of applications, or change the layout of application launcher page.
Each application also has an Advanced launch configuration. Clicking the gear icon allows the
interactive user to specify alternate credentials to connect to the target system as. These can be static
credentials or other credentials stored in ERPM (provided the user has the rights to retrieve the
password). Generally, it will not be necessary to change the advanced settings.
AUDITING APPLICATION LAUNCHING
Once any sessions have been recorded, users with access to the auditing section of the ERPM website
will be able to play back any recorded sessions that exist. Such recorded sessions are visible in the
ERPM auditing section with a camera icon next to their audit entry.
Simply click on the camera icon to play back the recorded sessions.
The session properties page identifies the user, IP address, time stamp information and more. To
play back the recording, simply choose the desired recording and click Play Recording.
The video will open in the system's preferred media player and begin streaming automatically.
INDEX
1
1. INSTALLING REMOTE DESKTOP SERVICES • 12
1. ON THE TRANSCODER HOST • 48
2
2. INSTALLING DESKTOP EXPERIENCE • 39
2. ON THE BASTION HOST • 60
3
3. INSTALLING APPLICATION LAUNCHER AND SESSION RECORDING • 48
4
4. SETTING UP RDS FOR APPLICATION LAUNCHING • 73
5
5. SETTING UP STREAMING MEDIA SERVICES • 84
6
6. CONFIGURING IIS TO HOST RECORDED SESSIONS • 89
A
APPLICATION SETS • 153
AUDITING APPLICATION LAUNCHING • 177
B
BACKGROUND AND GOALS • 8
C
CONFIGURE A BASTION HOST OBJECT • 119
CONFIGURE A SESSION RECORDING HOST OBJECT • 124
CONFIGURE APPLICATIONS FOR LAUNCHING • 132
CONFIGURE ERPM WEB SETTINGS • 116
CONFIGURE ERPM WEBSITE FOR SESSION PLAYBACK • 129
CONFIGURING A BASTION HOST LOGIN ACCOUNT • 91
CONFIGURING APPLICATION LAUNCHING • 91
CONFIGURING REMOTE APP FOR SERVER 2008 R2 • 80
CONFIGURING REMOTE APP FOR SERVER 2012 (R2) • 73
I
INSTALLING APPLICATION LAUNCHER AND SESSION RECORDING WITH A BASTION HOST • 11
INSTALLING DESKTOP EXPERIENCE FOR SERVER 2008 R2 • 43
INSTALLING DESKTOP EXPERIENCE FOR SERVER 2012 (R2) • 39
INSTALLING REMOTE DESKTOP SERVICES FOR SERVER 2008 R2 • 29
INSTALLING REMOTE DESKTOP SERVICES FOR SERVER 2012 (R2) • 12
INTRODUCTION • 5
L
LICENSE AGREEMENT • 5
LIMITED WARRANTY • 6
M
MULTI-TAB AUTOIT SCRIPT EXAMPLES • 149
MULTI-TAB SUPPORT • 141
MULTI-TAB SUPPORT CONFIGURATION • 144
O
OVERVIEW • 7
P
PRE-REQUISITES • 9
S
SHADOW ACCOUNTS • 159
U
USING APPLICATION LAUNCHING • 171
V
VARIABLES FOR APP LAUNCHING • 139