[Enterprise] Random Password Manager - BeyondTrust · 2020. 7. 6. · Enterprise Random Password...

[Enterprise] Random Password Manager

Application Launching & Session Recording

5.x

Copyright © 2003-2015 Lieberman Software Corporation.

All rights reserved.

The software contains proprietary information of Lieberman Software Corporation; it is provided under a

license agreement containing restrictions on use and disclosure and is also protected by copyright

law. Reverse engineering of the software is prohibited.

Due to continued product development this information may change without notice. The information

and intellectual property contained herein is confidential between Lieberman Software and the client

and remains the exclusive property of Lieberman Software. If there are any problems in the

documentation, please report them to Lieberman Software in writing. Lieberman Software does not

warrant that this document is error-free.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or

by any means, electronic, mechanical, photocopying, recording or otherwise without the prior written

permission of Lieberman Software.

Microsoft, Windows, Word, Office, SQL Server, SQL Express, Access, MSDE, and MS-DOS are either

registered trademarks or trademarks of Microsoft Corporation in the United States and/or other

countries. Other brands and product names are trademarks of their respective owners.

Lieberman Software Corporation

1900 Avenue of the Stars

Suite 425

Los Angeles

CA 90067

310.550.8575

Internet E-Mail: [email protected]

Website: http://www.liebsoft.com

iii

CONTENTS

INTRODUCTION .............................................................................................................................5

License Agreement .............................................................................................................................. 5

Limited Warranty ................................................................................................................................ 6

Overview ............................................................................................................................................. 7

Background and Goals ......................................................................................................................... 8

PRE-REQUISITES ............................................................................................................................9

INSTALLING APPLICATION LAUNCHER AND SESSION RECORDING WITH A BASTION HOST ............. 11

1. Installing Remote Desktop Services ..............................................................................................12

Installing Remote Desktop Services for Server 2012 (R2) ............................................................12 Installing Remote Desktop Services for Server 2008 R2 ..............................................................27

2. Installing Desktop Experience .......................................................................................................37

Installing Desktop Experience for Server 2012 (R2) .....................................................................37 Installing Desktop Experience for Server 2008 R2 .......................................................................40

3. Installing Application Launcher and Session Recording ................................................................45

1. On the Transcoder Host ...........................................................................................................45 2. On the Bastion Host .................................................................................................................57

4. Setting up RDS for Application Launching .....................................................................................70

Configuring Remote App for Server 2012 (R2) ............................................................................70 Configuring Remote App for Server 2008 R2 ...............................................................................75

5. Setting Up Streaming Media Services ...........................................................................................80

6. Configuring IIS to Host Recorded Sessions ....................................................................................85

CONFIGURING APPLICATION LAUNCHING .................................................................................... 87

Configuring a Bastion Host Login Account ........................................................................................87

Configure ERPM Web Settings ........................................................................................................112

Configure a Bastion Host Object .....................................................................................................114

Configure a Session Recording Host Object ....................................................................................117

Configure ERPM Website for Session Playback ..............................................................................121

Configure Applications for Launching .............................................................................................125

Variables for App Launching ......................................................................................................130 Multi-tab Support ......................................................................................................................132 Multi-tab Support Configuration ...............................................................................................135

Multi-tab AutoIT Script Examples ....................................................................................... 140

Application Sets ...............................................................................................................................144

Shadow Accounts ............................................................................................................................149

Contents iv

USING APPLICATION LAUNCHING .............................................................................................. 161

AUDITING APPLICATION LAUNCHING ......................................................................................... 167

INDEX ....................................................................................................................................... 169

5

This chapter includes an overview of Enterprise Random Password Manager (ERPM), what problems it is

designed to solve, performance information, expected prerequisite knowledge, and some background

information on Windows.

This chapter also includes the license and warranty information for ERPM.

IN THIS CHAPTER

License Agreement .................................................................................... 5

Limited Warranty ...................................................................................... 6

Overview ................................................................................................... 7

Background and Goals ............................................................................... 8

LICENSE AGREEMENT

This is a legal and binding contract between you, the end user, and Lieberman Software Corporation.

By using this software, you agree to be bound by the terms of this agreement. If you do not agree to

the terms of this agreement, you should return the software and documentation as well as all

accompanying items promptly for a refund.

1. Your Rights: Lieberman Software Corporation hereby grants you the right to use a single copy of

Enterprise Random Password Manager to control the licensed number of systems and/or devices.

2. Copyright. The SOFTWARE is owned by Lieberman Software Corporation and is protected by United

States copyright law and international treaty provisions. Therefore, you must treat the software like

any other copyrighted material (e.g. a book or musical recording) except that you may either (a) make

one copy of the SOFTWARE solely for backup and archival purposes, or (b) transfer the SOFTWARE to a

single hard disk provided you keep the original solely for backup and archival purposes. The manual is

a copyrighted work also--you may not make copies of the manual for any purpose other than the use of

the software.

3. Other Restrictions: You may not rent or lease the SOFTWARE. You may not reverse engineer,

de-compile, or disassemble the SOFTWARE that is provided solely as executable programs (EXE files). If

the SOFTWARE is an update, any transfer must include the update and all prior versions.

4. Notice: This software contains functionality designed to periodically notify Lieberman Software

Corporation of demo usage and of the detection of suspected pirated license keys. By using this

software, you consent to allow the software to send information to Lieberman Software Corporation

INTRODUCTION

Introduction 6

under these circumstances, and you agree to not hold Lieberman Software Corporation responsible for

the use of any or all of the information by Lieberman Software Corporation or any third party.

When used lawfully, this software periodically transmits to us the serial number and network

identification information of the machine running the software. No personally identifiable information

or usage details are transmitted to us in this case. The program does not contain any spyware or

remote control functionality that may be activated remotely by us or any other 3rd party.



Suite 425

Los Angeles

CA 90067

310.550.8575

Internet E-Mail: [email protected]

Website: http://www.liebsoft.com

LIMITED WARRANTY

The media (optional) and manual that make up this software are warranted by Lieberman Software

Corporation to be free of defects in materials and workmanship for a period of 30-days from the date of

your purchase. If you notify us within the warranty period of such defects in material and workmanship,

we will replace the defective manual or media.

The sole remedy for breach of this warranty is limited to replacement of defective materials and/or

refund of purchase price and does not include any other kinds of damages.

Apart from the foregoing limited warranty, the software programs are provided "AS-IS", without

warranty of any kind, either expressed or implied. The entire risk as to the performance of the programs

is with the purchaser. Lieberman Software does not warrant that the operation will be uninterrupted or

error-free. Lieberman Software assumes no responsibility or liability of any kind for errors in the

programs or documentation of/for consequences of any such errors.

This agreement is governed by the laws of the State of California.

Should you have any questions concerning this Agreement, or if you wish to contact Lieberman

Software, please write:

Introduction 7



Suite 425

Los Angeles

CA 90067

You can also keep up to date on the latest upgrades via our website at http://www.liebsoft.com or

e-mail us at: [email protected].

OVERVIEW

Enterprise Random Password Manager is the missing layer of privileged identity management (PIM) and

identity and access governance (IGA). ERPM is a platform that is designed to build a CMDB of the

networks on which it functions. It will catalog, systems, devices, their user accounts and attributes, SSH

keys and certificates, and manage credentials, keys, and the access to them. Historically the core

functionality of ERPM revolved around its ability to randomize and store the passwords for accounts on

target systems on a regular recurring basis. ERPM built on basic password management by leveraging

its True Discovery technology to determine where service accounts were used and when changing the

password for these accounts also to propagate those password changes to all places the account was

used. This provides the mechanism and methods to maintain not only company up time during service

account changes but also bring risk averse companies into a place where they could begin to follow good

security practices and achieve a state of continuous compliance rather than point in time compliance.

Because these passwords are stored and managed by ERPM, they can be retrieved via a delegated web

interface, programs, orchestration systems, and more. Access to the password store as well as other

web interface features can be limited to specific groups, users, explicit accounts, or various other

identities with or without two factor authentication.

ERPM provide more functionality beyond password management, password vaulting, and session

management. ERPM also provide for:

Account escalation - the ability to add a user to a pre-defined group with higher privileges than the

user would normally have on a target system and then automatically remove that access.

Secure file storage - the ability to upload and store as an encrypted data blob in the programs secure

data store, any file such as password spread sheets, digital certificates, instructions, and more. After

the files are uploaded, an ACL system identifies what users will be able to retrieve the files while

auditing access to the files.

Orchestration - ERPM can run headless; being controlled programmatically. This permits tight

integration in other systems such as work-flow engines, run book orchestration for user and system

provisioning and de-provisioning, programmatic access to almost all functions, and much more. This

Introduction 8

control os provided via SOAP based web services and PowerShell. User's may tie into ERPM using any

program or language which can call the web service or PowerShell.

Privileged Account Management - providing session based control to privileged accounts to run

specific programs against specific hosts. Via the optional bastion server model, any program,

website, script, etc., may be run in a controlled and secured environment to allow users from

network access to specific systems or other trusted or untrusted networks using specific tools with

specific feature sets. This allows access to the tool set need to get a job done without providing

direct physical access or access to the credential.

Session Recording - building on the concept of privileged account management, when using the

optional bastion host, these sessions can be recorded for later playback and auditing of the user

actions that took place during a user's session. This further helps to comply with auditing mandates

as well as training procedures.

BACKGROUND AND GOALS

The Need for Strong Local Credentials

Organizations with a need for the most basic access security should use unique local logon credentials

customized for each workstation and server in their environment. Unfortunately, most organizations

use common credentials (same user name and password for the built-in administrator account) for each

system for the ease of creating and managing those systems by the IT Department without any concern

as to the consequences to the organization should these common credentials be compromised.

With the mandates of PCI-DSS, Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, California Security Breach

Information Acts, NASD 3010, SEC 17a-4, 21 CFR Part 11, DoD 5015.2 and others, the implementation of

reasonably hard to compromise local logon credentials is mandatory for most organizations as a means

for protecting not only the confidentiality of their data, but also to protect against tampering.

Creating Strong Local Credentials

Lieberman Software’s program: ERPM can change any common account on all workstations and servers

in just a few minutes without the need for scripts or any other type of program. The new common

credentials can be stored in a local or remote SQL Server database and can be recovered on demand

using the password recovery website.

Enterprise Random Password Manager can be configured to regularly change the passwords of common

accounts on all target systems (i.e. workstation built-in administrator account) according to a schedule so

that each account receives a fresh cryptographically strong password regularly. This product feature

protects the overall security of an organization so that the compromise of a single machine’s local

administrator password does not lead to the total compromise of the entire organization’s security.

ERPM further builds on these concepts by automatically discovering all references to the specified

Pre-requisites 9

account, such as services, tasks, COM and DCOM objects, and more, and following a password change

for a users account, whether domain or local, propagating the new password to all those references.

Delegated Password Recovery

ERPM also contains a web interface to allow the remote recovery of passwords, access to privileges

sessions and more. The web interface is web application comprised of ASP and ASP.NET web pages that

allows any user with the appropriate group memberships the right to use the application as well as the

right to recover passwords for accounts managed by the program. All access to the web application

and all actions taken therein are logged and the history is also available via the same web interface to

authorized users.

Because this application protects and provides extremely sensitive information, it is essential that

particular attention be payed to the security settings of the application and also use appropriate

encryption such as SSL based on the scope of access provided.

For more information on security hardening, please refer to the proposed options for server hardening:

http://forum.liebsoft.com/enterprise-random-password-manager-knowledgebase/546-server-hardeni

ng-guide.html.

Windows Server operating system for bastion host and session recording:

Windows Server 2012 R2 (recommended)

Windows Server 2012

Windows Server 2008 R2

It is highly recommended for all servers in the ERPM system to be fully patched.

Note: Earlier versions of Windows Server are not supported. Windows workstation platforms are not

supported for hosting the application launcher.

The following items will be required for application launching and session recording:

Remote Desktop Session Host server role.*

Desktop Experience if using session recording.

Existing ERPM installation and installed files (SupplementalInstallers directory)

ERPM Web Service installed with SSL and no certificate errors and accessible from the bastion host.

If using self-signed certificates, the certificate from the issuing web server should be added to the

PRE-REQUISITES

Pre-requisites 10

Trusted Root Certification Authorities on the machines hosting the Web Service, Bastion Host, and

client systems.

Dot Net framework 4.x on bastion and transcoder hosts.

Dot Net framework 4.x on machines connecting to run an application.

* Microsoft Remote Desktop Services (RDS) will require additional licensing be purchased from

Microsoft.

11

The following sections outline the steps to prepare for and install the Lieberman Software Application

Launcher and optional session recording components.

Application Launching is an add-on for ERPM. Application Launching can be configured with or without

the Session Recording component. Lieberman Software provides Session Recording for free when the

Application Launcher add-on is purchased. However, the provided session recording only works with

applications launched via the Lieberman Software application launcher.

The sections describing the installation of these components are broken down as follows:

1) Installing Remote Desktop Services

2) Installing Desktop Experience - only required if using session recording

3) Installing Application Launcher and Session Recording - session recording is optional

4) Setting up Remote Desktop Services for Application Launching

5) Setting up Streaming Media Services - required if using session recording

6) Configuring IIS to Host Recorded Sessions - required if using session recording

Sections 1, 2, & 4 all have subsections detailing how to perform the steps on Windows Server 2008 R2 or

Windows Server 2012 (R2). Section 3 has additional steps detailing how to install the application

launcher and optional session recording across multiple systems.

IN THIS CHAPTER

1. Installing Remote Desktop Services .................................................... 12

2. Installing Desktop Experience ............................................................. 37

3. Installing Application Launcher and Session Recording ...................... 45

4. Setting up RDS for Application Launching ........................................... 70

5. Setting Up Streaming Media Services ................................................. 80

6. Configuring IIS to Host Recorded Sessions .......................................... 85

INSTALLING APPLICATION LAUNCHER AND SESSION RECORDING WITH A BASTION HOST

Installing Application Launcher and Session Recording with a Bastion Host 12

1. INSTALLING REMOTE DESKTOP SERVICES

The following sub-sections show the installation of Remote Desktop Services on both a Windows Server

2008 R2 and Windows Server 2012 [R2] host. If multiple jump servers will be employed they do not need

to all be the same operating system, though they do all need to be Windows Server 2008 R2 or later

(2012 R2 recommended).

INSTALLING REMOTE DESKTOP SERVICES FOR SERVER 2012 (R2)

This section covers installation of the pre-requisites on a Windows Server 2012 and Windows Server

2012 R2 host which will function as a bastion host for the purposes of launching applications.

Open Server Manager and select Add Roles and Features.

Click Next on the Before You Begin page.


On the Select installation type page select Remote Desktop Services installation then click Next.

On the Select deployment type page, choose a deployment type and click Next.


The steps present go through a standard deployment where the admin will be required to configure a

collection post RDS installation. The Quick Start method will be faster while automatically creation a

collection, but it will also add and publish additional applications that are unnecessary and will not

provide any configuration options.


On the Select deployment scenario page, select Session-based desktop deployment, the click Next.


Click Next on the Role Services page.


On the Specify RD Connection Broker server page, select the server from the Server Pool field, then add

it to the selected computer field by clicking the right arrow head between the two fields.


Click Next to continue.


On the Specify RD Web Access server page, select the server from the Server Pool field, then add it to

the selected computer field by clicking the right arrow head between the two fields.


On the Confirm selections page, click Deploy. Restart the host if required.

Upon restart, open Server Manager and click on Remote Desktop Services from the right pane, then click

on Collections from the center pane. A new collection must be made to publish the Lieberman Software

application used to launch software from the bastion host.

At the top right corner, select Tasks and click Creation Session Collection.


On the Before you begin page, click Next.


On the Name the collection page, supply a friendly name for the collection and click Next.


On the Specify RD Session Host server page, select the server from the Server Pool field, then add it to

the selected computer field by clicking the right arrow head between the two fields. Then click Next.

ERPM will use a proxy account to connect to the bastion host prior to launching the selected application.

This account will either need to be added to a group which can RDP to the target bastion host and launch

subsequent applications, or should be added directly as a user which can connect to the RD Session host

server. Description of this account is covered in the parent section, 1. Installing Remote Desktop

Services.


On the Specify user profile disks page, click Next.


On the Confirm selections page, click Create.

An empty collection will be created. The installation and configuration of the launcher application will be

described later in this document.

INSTALLING REMOTE DESKTOP SERVICES FOR SERVER 2008 R2

This section covers installation of Remote Desktop Services on a Windows Server 2008 R2 host as

required for bastion host services.


Start Server Manager and select Add Roles. Click Next on the welcome page and select Remote Desktop

Services then click Next.


Click Next on the Introduction to Remote Desktop Services page.


On the Select Role Services page, select Remote Desktop Session Host, then click Next.


Click Next on the Uninstall and Reinstall Applications for Compatibility page.


On the Specify Authentication Method for Remote Desktop Session Host page, choose the option that

best suits your company's needs. The option to Require Network Level Authentication will provide

greater security but may only work properly for newer hosts and if all incoming connections are properly

verified. The option Do not require Network Level Authentication will provide greater compatibility for

all connecting system but may reduce overall security of the bastion host. Click Next to continue.


On the Specify Licensing Mode page, a remote desktop session license mode must be selected. If RDS

client access licenses are not yet available but will be soon, select Configure later. If unsure about what

option to choose, select Configure later, and then contact your Microsoft licensing services manager.

RDS will function for 120 days without a proper licensing server. If RDS CALs are available, then choose

the proper Per Device or Per User model for your organization.

ERPM will use a proxy account to connect to the bastion host prior to launching the selected application.

This account will either need to be added to a group which can RDP to the target bastion host and launch

subsequent applications, or should be added directly as a user which can connect to the RD Session host

server. Description of this account is covered in the parent section, 1. Installing Remote Desktop

Services.


On the Configure Client Experience page, it is recommended to leave all options deselected. Click Next

to continue.


On the Confirm Installation Selections page, examine the installation selections. If everything is correct,

click Install. The server will need to reboot after installation

The installation and configuration of the launcher application will be described later in this document.


2. INSTALLING DESKTOP EXPERIENCE

The Desktop Experience will be required if session recording is to be enabled. If the Lieberman Software

provided free session recording will not be enabled, Desktop Experience will not be required.

Session recording will involve a bastion host to capture the session, and a system to function as a video

transcoder. These could be the same machine or separate systems. If they are separate systems, then

Desktop Experience will be installed on both systems. More information on this will be provided in later

sections.

INSTALLING DESKTOP EXPERIENCE FOR SERVER 2012 (R2)

If session recording will be configured then the Desktop Experience must be installed. To add the

Desktop Experience, open Server Manager and select Add Features.

On the Features Page, expand User Interfaces and Infrastructure, and select Desktop Experience.


If prompted for additional components, click Add Features.


Add any other requirements that other applications that will be launched from this system may require

(such as .net framework 3.51 or 4.x) and click Next.


Continue through to the end of the wizard. Click Close when done. Installation of the Desktop Experience

will require a restart of the host.

INSTALLING DESKTOP EXPERIENCE FOR SERVER 2008 R2

If session recording will be configured then the Desktop Experience must be installed. To add the

Desktop Experience, open Server Manager and select Add Features.


On the Features Page, select Desktop Experience.


If prompted for additional components, click Add Required Features.


Once the installation is complete, click Close and restart the server.


3. INSTALLING APPLICATION LAUNCHER AND SESSION RECORDING

This step includes installation of session recoding options. The particular session recording options may

be safely omitted if the Lieberman Software provided free session recording will not be enabled. If the

Lieberman Software free session recording will not be installed, then skip the session titled On the

Transcoder Host and go straight to the section titled On the Bastion Host.

The application launching capability of ERPM is best utilized with a bastion host. A bastion host in the

context of ERPM is a Windows Remote Desktop Session Services machine (formerly Terminal Services)

that will proxy connection attempts made to specific target systems. The bastion host will have all

programs used to connect to target systems installed on it. ERPM will use a proxy account to connect to

the bastion host. This account can and should be managed by ERPM, but automated management is not

necessary as a static un-stored password may also be used.

Session recording for ERPM is a feature that accompanies the application launcher such that remote

sessions initiated by ERPM through the bastion host may be recorded. Recorded sessions will be copied

from the bastion host to a machine functioning as a video transcoder. Videos will be converted from the

raw format to one that may be played back by the machine functioning as a streaming media server.

The bastion may function as both recorder and transcoder and streaming media server. However,

transcoding of videos requires significant overhead in terms of CPU usage. It is recommended to use the

system functioning as ERPM web server to also function as the streaming media server and possibly as

the video transcoder.

This section outlines the installation of session recording for application launching on two separate

machines functioning independently. In sub-section 5, the installation of streaming media services will

be detailed for the purposes of streaming the final recorded sessions.

1. ON THE TRANSCODER HOST

To begin installing the session recording software on the machine that will function as the video

transcoder, open the SupplementalInstallers sub-folder from the ERPM installation directory, typically

"%programfiles (x86)\Lieberman\Roulette". Copy ERPMRemoteLauncherInstaller.exe to the machine

that will function as the transcoder and launch the installer.


Click Next on the welcome page.


Read and accept the license agreement to continue installation. Then click Next to continue.

Enter the full SSL secured URL to ERPM application launcher web service. The web service is a separate

installation, typically on the ERPM web server. The application launcher web service is installed is

installed with the standard ERPMWebService installer package. The URL is typically

https://webserverHost/ERPMWebService/WebLauncherBackEndService.svc.

Click Test to validate the URL. Any certificate issues must be corrected before installation can properly

succeed. If the web page does not appear at all, validate the URL and try again or install the web service.

Installation instructions for the web service are included in the administrators guide within the SDK

section.


If the page tests without issue or errors, click Next to continue.

For the transcoder host, select to install:


Microsoft Expression 4 Encoder SP2

Session Recorder and File Watcher Service

Select the installation directory. Click Next to continue.


On the transcoder host, make note of the source and destination directories. This directory will be used

in later instructions when setting up the application launcher and streaming media services. This

directory will also be shared between the transcoder and bastion hosts if they are on two separate

systems.

On the transcoder host, set the service identity to run as either Local System or as a Specific User.

Local system offers the benefit of already having proper access and no password management

requirements.

Running as a specific user will offer the path of least privilege but will require configuring NTFS

permissions on the Source directory from the previous step for read, write, and delete files (Modify)

and will also require a password be managed (which ERPM has the ability to do automatically).

Running the File Watcher service as Local System is recommended on the transcoder host.


Click Install to continue.


Click Finish to complete the first part of the installation.

After the initial installation is complete, A separate installation for the Microsoft Expressions recorder

will be initiated automatically.


Accept the License agreement for the Microsoft Expressions recorder.

Click Next on the Enter product key page. There is no product key to enter.


Elect to join the Microsoft customer experience or not. Click Next to continue.

Select to install Expression Encoder 4 and click Install.


Click Finish to complete the installation.

IMPORTANT NOTES REGARDING THIS INSTALLATION!

This installation will take additional actions that are not visible in the installer:


A [Domain] Local security group will be created called WriteRecordingGroup. If the installation is

taking place on a domain controller, the group is created in the Users container.

The Domain Admins group will be added to this WriteRecordingGroup.

The installer will create and share the following directory: %inetpub%\wwwroot\SessionRecording

as SessionRecording. This directory is used to copy compiled session recordings from the bastion to

the transcoder host. This scenario would apply if using the FFMPeg video recorder rather than the

Expressions recorder. If the transcoder and bastion host is the same system, or if the Expression

session recorder is the only used session recorder, this share may be safely deleted. This share

directory will be required when configuring the bastion host for app launching with session

recording.

The installer will create and share the following directory: %programfiles

(x86)%\Lieberman\Roulette\LaunchApp\Transcoders\Source as Source. This directory will be used

by the bastion hosts to copy raw session recording files to the transcoder host(s). If the transcoder

and bastion host is the same system this share can be safely deleted. This scenario would apply if

using the Expressions 4 recording software. This share directory will be required when configuring

the bastion host for app launching with session recording.

Each of the shared directory share permissions will be set to allow the WriteRecordingGroup "Full

Control". Minimum permissions required are "Change".

2. ON THE BASTION HOST

To begin installing the session recording software on the machine that will function as the video


"%programfiles (x86)\Lieberman\Roulette". Copy ERPMRemoteLauncherInstaller.exe to the machine

that will function as the transcoder and launch the installer.


Read and accept the license agreement to continue installation. Then click Next to continue.

Enter the full SSL secured URL to ERPM application launcher web service. The web service is a separate

installation, typically on the ERPM web server. The application launcher web service is installed is

installed with the standard ERPMWebService installer package. The URL is typically

https://webserverHost/ERPMWebService/WebLauncherBackEndService.svc.

Click Test to validate the URL. Any certificate issues must be corrected before installation can properly

succeed. If the web page does not appear at all, validate the URL and try again or install the web service.

Installation instructions for the web service are included in the administrators guide within the SDK

section.


If the page tests without issue or errors, click Next to continue.

For the bastion host, if session recording WILL BE enabled, select to install:

Microsoft Expression 4 Encoder SP2

Session Recorder and File Watcher Service

Application Launcher

If session recording will NOT be enabled, select to install:


Application Launcher

Select the installation directory. Click Next to continue.


Click Next on the video transcoder paths.

On the bastion host, set the service identity to run as a Specific User, Network Service, or Local System.

Local system offers the benefit of already having proper access and no password management

requirements. If the transcoder is running on a separate system and Local system is used, then the

computer account of the bastion host must be granted Modify access to the source directory on the

transcoder host.

Network service provides for less rights than Local system and offers the benefit of already having

proper access and no password management requirements. If the transcoder is running on a

separate system and network service is used, then the computer account of the bastion host must

be granted Modify access to the source directory on the transcoder host. "NT Authority\Network

Service" must also be granted Modify access to the Session Recording directory.

Running as a specific user will offer the path of least privilege but will require configuring NTFS

permissions on the Source directory from the previous step for read, write, and delete files (Modify)

and will also require a password be managed (which ERPM has the ability to do automatically).

Running as a specific user is recommended for running the File Watcher service on the bastion host

when the transcoder is on a separate system.


Click Install to continue.


Click Finish to complete the first part of the installation.

After the initial installation is complete, A separate installation for the Microsoft Expressions recorder

will be initiated automatically.


Accept the License agreement for the Microsoft Expressions recorder.

Click Next on the Enter product key page. There is no product key to enter.


Elect to join the Microsoft customer experience or not. Click Next to continue.

Select to install Expression Encoder 4 and click Install.


Click Finish to complete the installation.

This installation will take additional actions that are not visible in the installer:


A [Domain] Local security group will be created called WriteRecordingGroup. If the installation is

taking place on a domain controller, the group is created in the Users container. This group may be

safely deleted from the bastion host if it is also functioning as the transcoder host.

The Domain Admins group will be added to this WriteRecordingGroup.

The installer will create and share the following directory: %inetpub%\wwwroot\SessionRecording

as SessionRecording. This directory is used to copy compiled session recordings from the bastion to

the transcoder host. This scenario would apply if using the FFMPeg video recorder rather than the

Expressions recorder. This share directory will be required when configuring the bastion host for app

launching with session recording. If the transcoder and bastion host is the same system this share

can be safely deleted.

The installer will create and share the following directory: %programfiles

(x86)%\Lieberman\Roulette\LaunchApp\Transcoders\Source as Source. This directory will be used

by the bastion hosts to copy raw session recording files to the transcoder host(s). This scenario

would apply if using the Expressions 4 recording software. This share directory will be required when

configuring the bastion host for app launching with session recording. If the transcoder and bastion

host is the same system this share can be safely deleted.

Each of the shared directory share permissions will be set to allow the WriteRecordingGroup "Full

Control". Minimum permissions required are "Change".


4. SETTING UP RDS FOR APPLICATION LAUNCHING

The section details configuring Remote App on the Remote Session host to launch the Lieberman

Software Application Launcher. The application launcher is a boot strapper used to launch and provide

authentication information for configured applications.

When a user uses the Launch App links in the ERPM web interface, this application will be called which

will obtain the necessary credential information for the application to launch, and launch the application

from the bastion host. In turn, VDI will display the remote application on the user's workstation as if it

were a local application.

CONFIGURING REMOTE APP FOR SERVER 2012 (R2)

Open Server Manager and click the Remote Desktop Services link on the left pane. Then click on

Collections. The select the collection to configure the Lieberman Software Application Launcher for.

In the REMOTEAPP PROGRAMS area, click Tasks and select Publish RemoteApp Programs. Then click

Add on the Publish RemoteApp programs dialog.


Select LiebsoftLauncher.exe from the application launcher installation location on the bastion host

(configured in step 3 previously). The default directory for this file is: C:\Program Files

(x86)\Lieberman\Roulette\LaunchApp. Then click Next.


On the Confirmation page, click Publish.

Once the LiebsoftLauncher application is published, right-click on it in the RemoteApp Programs list and

select Edit Properties.


On the General tab, set the Show the RemoteApp program in RD Web Access dialog to No. Although

everything will work fine if this is not done, there is no need to publicize this application.


On the Parameters tab, set the Command-line Parameters option to Allow any command-line

parameters. The LiebsoftLauncher will differ every single time it is run based on many factors including

session IDs, programs being run and parameters included when launching the programs.


On the User Assignment tab, it is highly recommended to change the User Assignment option to be a

specific user or group of users. Specifically, ERPM will connect to the server as a pre-designated account

(which should be managed by ERPM). This is the only account that will require access to run the

program. This account will be covered later in the Configuring Application Launching section. The

account assigned here will require any permissions and rights to launch the desired programs.

Click OK when done.

CONFIGURING REMOTE APP FOR SERVER 2008 R2

Open Server Manager and expand the Remote Desktop Services | RemoteApp Manager nodes in the

left pane.


In the RemoteApp Programs area, right-click and select Add RemoteApp Programs. Click Next on the

Welcome page then click Browse on the Choose programs to add to the RemoteApp Programs list page.


Select LiebsoftLauncher.exe from the application launcher installation location on the bastion host

(configured in step 3 previously). The default directory for this file is: C:\Program Files

(x86)\Lieberman\Roulette\LaunchApp. Then click Next.


On the Review Settings page, click Finish.

Once the LiebsoftLauncher application is added, right-click on it in the RemoteApp Programs list and

select Properties.

CAUTION! DO NOT CHANGE THE ALIAS value.

De-select the check box for RemoteApp program in RD Web Access. Although everything will work fine

if this is not done, there is no need to publicize this application.


Set the Command-line arguments option to Allow any command-line parameters. The LiebsoftLauncher

will differ every single time it is run based on many factors including session IDs, programs being run and

parameters included when launching the programs.


On the User Assignment tab, it is highly recommended to change the User Assignment option to be a

specific user or group of users. Specifically, ERPM will connect to the server as a pre-designated account

(which should be managed by ERPM). This is the only account that will require access to run the

program. This account will be covered later in the Configuring Application Launching section. The

account assigned here will require any permissions and rights to launch the desired programs.

Click OK when done.

5. SETTING UP STREAMING MEDIA SERVICES

Streaming Media Services is used to provide smooth streaming of the recorded sessions from the

transcoder host (typically the ERPM web server) to the client's browser and video player.


Installation of this component is only required if session recording will be used. If not using the

Lieberman Software free session recording module, installation of this component is not required.

To begin installing the streaming media software on the machine that will function as the video


"%programfiles (x86)\Lieberman\Roulette". Copy IISMEdia64.msi to the machine that will function as

the transcoder and launch the installer.

The installation of IIS Media services requires a basic stock installation of IIS be available on the same

host server.



Read and accept the terms of the license agreement, then click Next.


Leave the default options selected then click Next.


Click Install.


Click Finish.

6. CONFIGURING IIS TO HOST RECORDED SESSIONS

This step is only required if session recording has been enabled. If session recording is not enabled, then

do not perform this step. This will likely be configured on the same system where Streaming Media

Services was installed.

When an application is launched via a bastion host / jump server and that application is configured to

also record the session, the recorded sessions will first be placed into a pre-configured directory on the

machine which will ultimately host the videos for later playback. When using the Microsoft Expressions

session recorder, the files will first be copied locally to the file system. The Lieberman Software File

Watcher Service will then move the raw files to a share called "Source" on a machine that is configured

as the video transcoder (typically the ERPM web server, but could be any machine). Once the raw XESC

files are copied to the transcoder, the Lieberman Software File Watcher service on that machine will

transcode the videos to WMV format and move the compiled files into the "SessionRecording" share on

the same system. It is this directory that will be hosted in IIS and made available via the ERPM website.


To configure IIS on the machine which will host the compiled videos, not much work is required as the

application launcher installer will have configured most of the required elements:

The default website will have a new virtual directory added to it called SessionRecording. This directory

will point to %inetpub%\wwwroot\SessionRecording.

The only change that may need to be made is to set the authentication scheme to anonymous. To do

this, open IIS, expend the default website, and open the Authentication area. Right click on the

authentication types and enable Anonymous Authentication and disable all others.

87

Once the pre-requisites are installed for application launching, there are four mandatory additional steps

and two optional steps to setting up ERPM to use the application launcher and the session recorder:

1) Configure an account for login to the bastion host.

2) Configure ERPM web settings with information about the web launcher service.

3) Configure a bastion host object in ERPM.

4) Optionally configure a session recording host object in ERPM.

5) Configure applications for launching and grant permissions to those applications as necessary.

6) Optionally configure the ERPM website to playback recorded sessions.

The following sub-sections will outline these steps.

IN THIS CHAPTER

Configuring a Bastion Host Login Account .............................................. 87

Configure ERPM Web Settings .............................................................. 112

Configure a Bastion Host Object ........................................................... 114

Configure a Session Recording Host Object .......................................... 117

Configure ERPM Website for Session Playback ..................................... 121

Configure Applications for Launching ................................................... 125

Application Sets ..................................................................................... 144

Shadow Accounts .................................................................................. 149

CONFIGURING A BASTION HOST LOGIN ACCOUNT

ERPM will use a standard login account to login to the target bastion host and launch the

LiebsoftLauncher application which will in turn launch the target application. The LiebsoftLauncher in

turn connects to a web service (WebLauncherBackendService.svc) to obtain the necessary program

settings and credentials from ERPM.

The logon account should have its password managed regularly by ERPM. Regularly should be often such

as daily or weekly. Setting the rotation schedule to hourly could possibly invalidate the logon account's

session. The account can be a local account but if possible, a domain account is recommended. This

account will need any rights necessary to launch the final target application; it does not necessarily need

local or domain admin privileged. It will need the ability to remotely log on to the target bastion host.

CONFIGURING APPLICATION LAUNCHING

Configuring Application Launching 88

That means if the account is not an administrator, it must be added to the Remote Desktop Users group

on the bastion host.

If it is desired (as it is recommended) to have ERPM manage the password for the account, simply follow

the basic procedures for a password change in ERPM (as per the administrative guide). There is no

requirements for password propagation so password propagation can be safely turned off for the

password change job. It is recommended to keep the password length to 80 characters or less as some

versions of Windows will not allow long passwords to be used via RDP.

This user account upon login will first launch the LiebsoftLauncher. Be sure in the RemoteApp settings

that at a minimum this account or a group it belongs to was granted the permissions to launch the

LiebsoftLauncher application. RemoteApp is generally found in Server Manager under the Roles |

Remote Desktop Services heading.

This account can be heavily locked down as it generally doesn't need access to anything other than the

application being locked.

Caution! When launching an application, this account will be able to do anything that the target

application lets them do.

If this account comes from Active Directory, it is recommended to place this account into an

organizational unit (OU) by itself or with other similarly locked down accounts. On this OU, create a

policy and modify the User Settings portion of the policy to lock down this logon account. There is no

need to place the bastion hosts in this OU as the policies that lockdown the user experience are user

based, not system based.

Following are some of the settings recommended to lock down the session. All policies should be tested

to ensure they do not interfere with the required operation of a target application:

User Configuration | Policies | Windows Settings | Security Settings | Software Restriction

Policies

Policy Setting

Enforcement

Apply Software Restriction Policies to the following All software files

except libraries (such

as DLLs)

Apply Software Restriction Policies to the following users All users

When applying Software Restriction Policies Ignore certificate rules


Trusted Publishers

Trusted publisher management Allow all administrators

and users to manage

user's own Trusted

Publishers

Certificate verification None

Software Restriction Policies/Security Levels

Default Security Level Disallowed

Software Restriction Policies/Additional Rules >> Path Rules

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% Security Level =

Unrestricted

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% Security Level =

Unrestricted

C:\Program Files (x86)\Lieberman\Roulette\RemoteAppLauncher\LiebsoftLauncher.exe Security Level =

Unrestricted

User Configuration | Policies | Administrative Templates

Control Panel

Prohibit access to Control Panel and PC settings Enabled

Control Panel/Display


Disable the Display Control Panel Enabled

Control Panel/Printers

Browse a common web site to find printers Disabled

Browse the network to find printers Disabled

Prevent addition of printers Enabled

Prevent deletion of printers Enabled

Control Panel/Programs

Hide "Get Programs" page Enabled

Hide "Installed Updates" page Enabled

Hide "Programs and Features" page Enabled

Hide "Set Program Access and Computer Defaults" page Enabled

Hide "Windows Features" Enabled

Hide the Programs Control Panel Enabled

Control Panel/Regional and Language Options

Hide Regional and Language Options administrative options Enabled

Hide the geographic location option Enabled

Hide the select language group options Enabled

Hide user locale selection and customization options Enabled


Desktop

Don't save settings at exit Enabled

Hide and disable all items on the desktop Enabled

Hide Internet Explorer icon on desktop Enabled

Hide Network Locations icon on desktop Enabled

Prevent adding, dragging, dropping and closing the Taskbar's toolbars Enabled

Prohibit adjusting desktop toolbars Enabled

Prohibit User from manually redirecting Profile Folders Enabled

Remove Computer icon on the desktop Enabled

Remove Properties from the Computer icon context menu Enabled

Remove Properties from the Recycle Bin context menu Enabled

Remove Recycle Bin icon from desktop Enabled

Turn off Aero Shake window minimizing mouse gesture Enabled

Network/Network Connections

Ability to change properties of an all user remote access connection Disabled

Prohibit access to properties of a LAN connection Enabled

Prohibit access to the Remote Access Preferences item on the Advanced menu Enabled

Prohibit changing properties of a private remote access connection Enabled

Prohibit connecting and disconnecting a remote access connection Enabled


Prohibit renaming private remote access connections Enabled

Network/Offline Files

Remove "Make Available Offline" command Enabled

Remove "Work offline" command Enabled

Network/Windows Connect Now

Prohibit access of the Windows Connect Now wizards Enabled

Start Menu and Taskbar

Add Search Internet link to Start Menu Disabled

Add the Run command to the Start Menu Disabled

Clear history of recently opened documents on exit Enabled

Clear history of tile notifications on exit Enabled

Clear the recent programs list for new users Enabled

Do not allow pinning items in Jump Lists Enabled

Do not allow pinning programs to the Taskbar Enabled

Do not display any custom toolbars in the taskbar Enabled

Do not display or track items in Jump Lists from remote locations Enabled

Do not keep history of recently opened documents Enabled

Do not search communications Enabled


Do not search for files Enabled

Do not search Internet Enabled

Do not search programs and Control Panel items Enabled

Do not use the search-based method when resolving shell shortcuts Enabled

Do not use the tracking-based method when resolving shell shortcuts Enabled

Hide the notification area Enabled

Lock all taskbar settings Enabled

Lock the Taskbar Enabled

Prevent changes to Taskbar and Start Menu Settings Enabled

Prevent users from adding or removing toolbars Enabled

Prevent users from moving taskbar to another screen dock location Enabled

Prevent users from rearranging toolbars Enabled

Prevent users from uninstalling applications from Start Enabled

Remove access to the context menus for the taskbar Enabled

Remove All Programs list from the Start menu Enabled

Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands Enabled

Remove Clock from the system notification area Enabled

Remove common program groups from Start Menu Enabled

Remove Default Programs link from the Start menu. Enabled

Remove Documents icon from Start Menu Enabled

Remove Downloads link from Start Menu Enabled


Remove drag-and-drop and context menus on the Start Menu Enabled

Remove Favorites menu from Start Menu Enabled

Remove frequent programs list from the Start Menu Enabled

Remove Games link from Start Menu Enabled

Remove Help menu from Start Menu Enabled

Remove Homegroup link from Start Menu Enabled

Remove links and access to Windows Update Enabled

Remove Logoff on the Start Menu Disabled

Remove Music icon from Start Menu Enabled

Remove Network Connections from Start Menu Enabled

Remove Network icon from Start Menu Enabled

Remove Pictures icon from Start Menu Enabled

Remove pinned programs from the Taskbar Enabled

Remove pinned programs list from the Start Menu Enabled

Remove programs on Settings menu Enabled

Remove Recent Items menu from Start Menu Enabled

Remove Recorded TV link from Start Menu Enabled

Remove Run menu from Start Menu Enabled

Remove See More Results / Search Everywhere link Enabled

Remove the Action Center icon Enabled

Remove the battery meter Enabled


Remove the networking icon Enabled

Remove the volume control icon Enabled

Remove user folder link from Start Menu Enabled

Remove user's folders from the Start Menu Enabled

Remove Videos link from Start Menu Enabled

Show "Run as different user" command on Start Disabled

Turn off all balloon notifications Enabled

Turn off automatic promotion of notification icons to the taskbar Enabled

Turn off feature advertisement balloon notifications Enabled

Turn off notification area cleanup Enabled

Turn off user tracking Enabled

Start Menu and Taskbar/Notifications

Turn off notifications network usage Enabled

System/Ctrl+Alt+Del Options

Remove Change Password Enabled

Remove Task Manager Enabled

System/Internet Communication Management/Internet Communication settings

Turn off access to the Store Enabled


Turn off downloading of print drivers over HTTP Enabled

Turn off handwriting recognition error reporting Enabled

Turn off Help Experience Improvement Program Enabled

Turn off Help Ratings Enabled

Turn off Internet download for Web publishing and online ordering wizards Enabled

Turn off Internet File Association service Enabled

Turn off printing over HTTP Enabled

Turn off the "Order Prints" picture task Enabled

Turn off the "Publish to Web" task for files and folders Enabled

Turn off the Windows Messenger Customer Experience Improvement Program Enabled

Turn off Windows Online Enabled

System/Removable Storage Access

All Removable Storage classes: Deny all access Enabled

CD and DVD: Deny read access Enabled

CD and DVD: Deny write access Enabled

Floppy Drives: Deny read access Enabled

Floppy Drives: Deny write access Enabled

Removable Disks: Deny read access Enabled

Removable Disks: Deny write access Enabled

Tape Drives: Deny read access Enabled


Tape Drives: Deny write access Enabled

WPD Devices: Deny read access Enabled

WPD Devices: Deny write access Enabled

System/Windows HotStart

Turn off Windows HotStart Enabled

Windows Components/Add features to Windows 8

Prevent the wizard from running. Enabled

Windows Components/App runtime

Block launching desktop apps associated with a file. Enabled

Block launching desktop apps associated with a protocol Enabled

Windows Components/Application Compatibility

Turn off Program Compatibility Assistant Enabled

Windows Components/Attachment Manager

Hide mechanisms to remove zone information Enabled

Windows Components/AutoPlay Policies


Disallow Autoplay for non-volume devices Enabled

Prevent AutoPlay from remembering user choices. Enabled

Set the default behavior for AutoRun Enabled

Default AutoRun Behavior Do not execute any autorun commands

Turn off Autoplay Enabled

Turn off Autoplay on All drives

Windows Components/Credential User Interface

Do not display the password reveal button Enabled

Windows Components/Desktop Gadgets

Restrict unpacking and installation of gadgets that are not digitally signed. Enabled

Turn off desktop gadgets Enabled

Turn Off user-installed desktop gadgets Enabled

Windows Components/Digital Locker

Do not allow Digital Locker to run Enabled

Windows Components/Edge UI

Turn off switching between recent apps Enabled

Turn off tracking of app usage Enabled


Windows Components/File Explorer

Display confirmation dialog when deleting files Enabled

Display the menu bar in File Explorer Enabled

Do not allow Folder Options to be opened from the Options button on the View tab of the

ribbon

Enabled

Do not display the Welcome Center at user logon Enabled

Do not request alternate credentials Enabled

Hide these specified drives in My Computer Enabled

Restrict all drives

Hides the Manage item on the File Explorer context menu Enabled

No Entire Network in Network Locations Enabled

Prevent access to drives from My Computer Enabled

Restrict all drives

Prevent users from adding files to the root of their Users Files folder. Enabled

Remove "Map Network Drive" and "Disconnect Network Drive" Enabled

Remove CD Burning features Enabled

Remove File Explorer's default context menu Enabled

Remove File menu from File Explorer Enabled

Remove Hardware tab Enabled

Remove Security tab Enabled

Remove the Search the Internet "Search again" link Enabled


Turn off display of recent search entries in the File Explorer search box Enabled

Turn off Windows+X hotkeys Enabled

Windows Components/File Explorer/Common Open File Dialog

Hide the common dialog back button Enabled

Hide the common dialog places bar Enabled

Hide the dropdown list of recent files Enabled

Windows Components/File Explorer/Explorer Frame Pane

Turn off Preview Pane Enabled

Turn on or off details pane Enabled

Configure details pane Always hide

Windows Components/File Explorer/Previous Versions

Prevent restoring previous versions from backups Enabled

Windows Components/IME

Turn off history-based predictive input Enabled

Turn off Internet search integration Enabled

Windows Components/Internet Explorer


Automatically activate newly installed add-ons Disabled

Configure Media Explorer Bar Enabled

Disable the Media Explorer Bar and auto-play feature Enabled

Auto-Play Media files in the Media bar whenEnabled Disabled

Disable AutoComplete for forms Enabled

Disable changing accessibility settings Enabled

Disable changing Advanced page settings Enabled

Disable changing Automatic Configuration settings Enabled

Disable changing Calendar and Contact settings Enabled

Disable changing certificate settings Enabled

Disable changing connection settings Enabled

Disable changing home page settings Enabled

Home Page Define a home page if

necessary

Disable changing language settings Enabled

Disable changing Messaging settings Enabled

Disable changing ratings settings Enabled

Disable changing Temporary Internet files settings Enabled

Disable Import/Export Settings wizard Enabled

Disable Internet Connection wizard Enabled

Do not allow users to enable or disable add-ons Enabled

Identity Manager: Prevent user from using Identities Enabled


Notify users if Internet Explorer is not the default web browser Disabled

Pop-up allow list Enabled

Enter the list of sites here. Define allowed sites list

if applicable such as

*.microsoft.com

Prevent "Fix settings" functionality Enabled

Prevent access to Internet Explorer Help Enabled

Prevent bypassing SmartScreen Filter warnings Enabled

Prevent bypassing SmartScreen Filter warnings about files that are not commonly

downloaded from the Internet

Enabled

Prevent changing pop-up filter level Enabled

Prevent changing proxy settings Enabled

Prevent changing the default search provider Enabled

Prevent configuration of how windows open Enabled

Select where to open links Open in existing

Internet Explorer

window

Prevent Internet Explorer Search box from appearing Enabled

Prevent managing pop-up exception list Enabled

Prevent managing SmartScreen Filter Enabled

Select SmartScreen Filter mode On

Prevent participation in the Customer Experience Improvement Program Enabled

Prevent per-user installation of ActiveX controls Enabled

Prevent running First Run wizard Enabled


Select your choice Go directly to home

page

Search: Disable Find Files via F3 within the browser Enabled

Search: Disable Search Customization Enabled

Specify default behavior for a new tab Enabled

New tab behavior Home page

Turn off ability to pin sites in Internet Explorer on the desktop Enabled

Turn off add-on performance notifications Enabled

Turn off browser geolocation Enabled

Turn off configuration of pop-up windows in tabbed browsing Enabled

Select tabbed browsing pop-up behavior Force pop-ups to open

in a new tab

Turn off Crash Detection Enabled

Turn off Favorites bar Enabled

Turn off Managing SmartScreen Filter for Internet Explorer 8 Enabled

Select SmartScreen Filter mode for Internet Explorer 8 On

Turn off pop-up management Enabled

Turn off Quick Tabs functionality Enabled

Turn off Reopen Last Browsing Session Enabled

Turn off suggestions for all user-installed providers Enabled

Turn off tabbed browsing Enabled

Turn off the auto-complete feature for web addresses Enabled


Turn off the quick pick menu Enabled

Turn on Suggested Sites Disabled

Turn on the auto-complete feature for user names and passwords on forms Disabled

Windows Components/Internet Explorer/Accelerators

Turn off Accelerators Enabled

Windows Components/Internet Explorer/Browser menus

Disable Open in New Window menu option Enabled

Disable Save this program to disk option Enabled

File menu: Disable closing the browser and Explorer windows Enabled

File menu: Disable New menu option Enabled

File menu: Disable Open menu option Enabled

File menu: Disable Save As Web Page Complete Enabled

File menu: Disable Save As... menu option Enabled

Help menu: Remove 'Send Feedback' menu option Enabled

Help menu: Remove 'Tour' menu option Enabled

Hide Favorites menu Enabled

Tools menu: Disable Internet Options... menu option Enabled

Turn off Print Menu Enabled

Turn off Shortcut Menu Enabled


View menu: Disable Full Screen menu option Enabled

View menu: Disable Source menu option Enabled

Windows Components/Internet Explorer/Delete Browsing History

Disable "Configuring History" Enabled

Days to keep pages in History 1

Windows Components/Internet Explorer/Internet Control Panel

Disable the Advanced page Enabled

Disable the Connections page Enabled

Disable the Content page Enabled

Disable the General page Enabled

Disable the Privacy page Enabled

Disable the Programs page Enabled

Disable the Security page Enabled

Windows Components/Internet Explorer/Internet Control Panel/Advanced Page

Allow active content from CDs to run on user machines Disabled

Allow software to run or install even if the signature is invalid Disabled

Do not allow resetting Internet Explorer settings Enabled

Empty Temporary Internet Files folder when browser is closed Enabled


Windows Components/Internet Explorer/Internet Control Panel/General Page

Start Internet Explorer with tabs from last browsing session Disabled

Windows Components/Internet Explorer/Internet Control Panel/General Page/Browsing

History

Allow websites to store application caches on client computers Disabled

Windows Components/Internet Explorer/Internet Settings/Advanced settings/Browsing

Turn off details in messages about Internet connection problems Enabled

Turn on script debugging Disabled

Windows Components/Internet Explorer/Internet Settings/Advanced settings/Multimedia

Allow Internet Explorer to play media files that use alternative codecs Disabled

Windows Components/Internet Explorer/Internet Settings/Advanced settings/Searching

Prevent configuration of search on Address bar Enabled

When searching from the address bar Do not search from the

address bar

Prevent configuration of top-result search on Address bar Enabled

When searching from the Address bar Disable top result

search


Windows Components/Internet Explorer/Internet Settings/Advanced settings/Signup

Settings

Turn on automatic signup Disabled

Windows Components/Internet Explorer/Internet Settings/AutoComplete

Turn off URL Suggestions Enabled

Turn off Windows Search AutoComplete Enabled

Turn on inline AutoComplete Disabled

Windows Components/Internet Explorer/Security Features/Restrict File Download

All Processes Enabled

Internet Explorer Processes Enabled

Windows Components/Internet Explorer/Toolbars

Configure Toolbar Buttons Enabled

Show Back button Enabled

Show Forward button Enabled

Show Stop button Enabled

Show Refresh button Enabled

Show Home button Enabled

Show Search button Disabled

Show Favorites button Disabled


Show History button Disabled

Show Folders button Disabled

Show Fullscreen button Disabled

Show Tools button Disabled

Show Mail button Disabled

Show Font size button Disabled

Show Print button Disabled

Show Edit button Disabled

Show Discussions button Disabled

Show Cut button Disabled

Show Copy button Disabled

Show Paste button Disabled

Show Encoding button Disabled

Disable customizing browser toolbar buttons Enabled

Disable customizing browser toolbars Enabled

Display tabs on a separate row Enabled

Hide the Command bar Enabled

Hide the status bar Enabled

Lock all toolbars Enabled

Lock location of Stop and Refresh buttons Enabled

Turn off Developer Tools Enabled


Turn off toolbar upgrade tool Enabled

Windows Components/Location and Sensors

Turn off location Enabled

Windows Components/Microsoft Management Console

Restrict the user from entering author mode Enabled

Windows Components/Network Sharing

Prevent users from sharing files within their profile. Enabled

Windows Components/Presentation Settings

Turn off Windows presentation settings Enabled

Windows Components/Sound Recorder

Do not allow Sound Recorder to run Enabled

Windows Components/Tablet PC/Accessories

Do not allow printing to Journal Note Writer Enabled

Do not allow Snipping Tool to run Enabled

Do not allow Windows Journal to be run Enabled


Windows Components/Tablet PC/Hardware Buttons

Prevent Back-ESC mapping Enabled

Prevent launch an application Enabled

Prevent press and hold Enabled

Turn off hardware buttons Enabled

Windows Components/Windows Error Reporting

Disable Windows Error Reporting Enabled

Windows Components/Windows Installer

Prevent removable media source for any installation Enabled

Prohibit rollback Enabled

Windows Components/Windows Logon Options

Set action to take when logon hours expire Enabled

Set action to take when logon hours expire Logoff

Windows Components/Windows Mail

Turn off the communities features Enabled

Turn off Windows Mail application Enabled


Windows Components/Windows Media Center

Do not allow Windows Media Center to run Enabled

Windows Components/Windows Media Player

Prevent CD and DVD Media Information Retrieval Enabled

Prevent Music File Media Information Retrieval Enabled

Windows Components/Windows Media Player/Networking

Hide Network Tab Enabled

Windows Components/Windows Media Player/Playback

Prevent Codec Download Enabled

Windows Components/Windows Messenger

Do not allow Windows Messenger to be run Enabled

Do not automatically start Windows Messenger initially Enabled

Windows Components/Windows Mobility Center

Turn off Windows Mobility Center Enabled


Windows Components/Windows Update

Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog

box

Enabled

Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box Enabled

CONFIGURE ERPM WEB SETTINGS

To configure the web launcher settings for the ERPM website(s), in the admin console, go to Settings |

Manage Web Application | Application Launch.

The Global tab identifies the ERPM web service and other related settings that will be used when

launching applications.

The Web service URL is the URL of the application launcher web service. When the web service is

installed (typically on the ERPM web server), [typically] a web service is installed at

[site]/erpmwebservice. The web service is called WebLauncherBackendService.svc. This full URL should

be entered in the Web service URL field including the protocol and port if applicable.

IMPORTANT! There should be no certificate or access errors when accessing this URL in a browser. It

should be tested as any user that will be accessing the web server. The best test is to login to the

bastion host as the bastion host login account configured int he previous section and attempt to access

this URL. If the account is prompted for credentials or certificate errors the application launcher will

fail.

The typical URL is

https://erpmwebservername.yourdomain.com/erpmwebservice/weblauncherbackendservice.svc.

Enable launching applications using stored passwords in the web application is required to enable

remote launching. If this option is not selected, then the Launch Application option will be unavailable in

the website.

Enable launching applications on a remote server will enable the configured applications to launch via a

bastion host rather than launching only locally on the client. When the option is enabled and an

application is configured to use a bastion host, the applications can instead launch from the bastion host

and will use RemoteApp to display the program's UI to the users desktop as if it were a native

application.

[Script Launch] Path to script files on client systems is the path that the script automation files will be

copied to (manual copy). This path is used when local launch (rather than via bastion host) will be used


to launch web based applications such as Twitter, FaceBook, or other web based programs. If local

launching of these sorts of applications will not be launched directly from a client's machine (rather than

via bastion host) it will not be necessary to configure this path. The default location these scripts are

found are at C:\Program Files (x86)\Lieberman\Roulette\LaunchApp\WebAutomation.

Sign generated RDP files with certificate identified by thumb print - when RDP files are generated, they

will be signed with the identified certificate. This helps avoid unknown/untrusted RDP connection

warnings and errors. For this option to function, the following must be true:

The certificate needs to be on the client workstation to generate RDP files to connect to the bastion.

The certificate also needs to be on the bastion if RDP connections are configured to go through the

bastion.

The certificate must be accessible to the user that’s running the process creating and launching the

RDP file.

The security policy of the machine must be configured to require signed RDP files for this setting to

have any effect (it is not by default).


CONFIGURE A BASTION HOST OBJECT



The Remote Servers tab identifies the available bastion hosts and other related settings that will be used

for launching applications. The option Enable launching applications on a remote server must also be

selected on the Global tab to make use of these servers.

To add a new server, click the Add button in the lower right area of the dialog.

The following fields are mandatory:


Server configuration identifier - the friendly name of the server as it will appear in the application

launcher configuration.

Remote server system name - the actual name of the bastion host. This should be the name (FQDN

or simple or IP) as can be reach from the client systems that will be initiating the session.

Use RemoteApp to launch the liebsoft launcher on the server - this option must be selected to

remotely launch applications from the bastion host using RemoteApp as available in 2008 R2 and

newer.

Use integrated Windows credentials to login to the jump server when used in conjunction with a

Windows Server 2012 bastion host that is properly configured for web single server sign on and

where the ERPM website is also configured for use with integrated authentication and where the

user actually logs in using integrated authentication, then this feature will connect to the bastion

host using the ERPM user's credentials rather than a specific bastion login. The login user must have

proper permissions to launch the application and RDP to the server.

Prompt for login credentials to application server will cause credentials to not be automatically

provided when connecting to the bastion. The user performing the application launch must provide

credentials that are valid for the bastion host.

Login credential system name - this value must be populated. If ERPM will be using stored

(managed) credentials to log into the bastion host, this is the name of the system/server as it

appears in ERPM from which to draw the credentials from. It is recommended to use a domain

credential for this purpose; see the section for configuring a bastion host login account.

Login credential account name - this is the name of the account that will be used to login to the

bastion host. It is recommended to use a domain credential for this purpose; see the section for

configuring a bastion host login account.

Login credential domain name - the domain to which the account belongs. If this is a local account

(not recommended) then this should be the simple (NetBIOS) name of the bastion host.

Load saved password for connection from password store - select this option to pull the managed

password from the ERPM password store. If it is desired to use a hard coded password instead, then

supply the actual password in the remote server logon password field.

[Script Launch] Path to script files on client systems is the path that the script automation files will

be copied to during installation of the AppLauncher. This path is used when launching web based

applications such as Twitter, FaceBook, or other web based programs. The default location these

scripts are found are at C:\Program Files (x86)\Lieberman\Roulette\LaunchApp\WebAutomation.

Update OIT agent data for agent running on the server only provides functionality when the session

recorder is provided by ObserveIT. Selecting this option will change certain metadata attributes to

more accurately reflect which user account is performing certain actions. This affects auditing

information stored within OIT.


Important: If using the built-in session recording, instead of the session recording offering from

ObserveIT, DO NOT check the Update OIT agent data for agent running on the server. This wwill prevent

the built-in session recorder from working.


Once the entries are validated, click OK to add the bastion host object. If the option to Load saved

password for connection from password store is selected and a stored password for the target account

does not exist, a warning indicating such will appear to the user otherwise the dialog will close without

incident.

Any of these settings can be changed at any time without having to make any changes to IIS or

performing IISReset or other administrative actions.

CONFIGURE A SESSION RECORDING HOST OBJECT



The Session Recorders tab identifies configured session recording servers. There will typically be a one to

one relationship with the servers configured on the Remote Servers tab.


Session recording only works for applications launched via the LiebsoftLauncher application. That means

any users which retrieve passwords will and connect directly will not have their sessions recorded when

using this session recording technology.

The session recording system consists of two components specific to the session recording: session

recording and video transcoding. When a session is recorded on a bastion host that is done by the

session recorder. These files are created in a raw format and placed into the configured source directory.

The Lieberman file watcher server picks up the raw files and moves them to the working directory where

they are formatted and converted and watermarked. Completed files are then moved to the

SessionRecording directory. Typically it is recommended to have the transcoder NOT be the same system

as the bastion host/session recorder due to resource constraints (CPU specifically).

To add a new server, click the Add button in the lower right area of the dialog.

The following fields are mandatory:


Configuration label - the friendly name of the server as it will appear in the application launcher

configuration.

Basic configuration - use this option if the session recording host will perform both recording and

transcoding duties. Recorder options include Expressions 4, VLC, and Windows Problem Steps

Recorder. It is recommended to choose the Expressions 4 recorder option. The output path will

default a default local path if this option is selected.

Advanced configuration - use this option if it is desired to put recordings in a custom location or if

video transcoding will occur on a separate host (typical). It is not recommended to change the

Assembly path or Type in Assembly values.

Abort application launch if session recording fails - with this option selected, if session recording

fails to initialize, the remote session will be logged off and no remote app launch will occur.

Output path - if using the bastion host for both session recording and video transcoding and it is

desired to place the recordings to an alternate location, specify the path here. If transcoding is

occurring on a separate host, then this should be a network UNC path (\\server\source) to the

Source share on the transcoder host.

File name template - the default value is SessionRecording-$(SessionID). In this scenario

SessionRecording- is the filename prefix and $(SessionID) is a variable for the session ID of the

remote app launch session. If the names of the recordings should be changed, this is acceptable but

to not remote the $(SessionID) value from the name. There should also be no extension listed for the

file name.


Once the entries are validated, click OK to add the session recorder host object.

Any of these settings can be changed at any time without having to make any changes to IIS or

performing IISReset or other administrative actions.

CONFIGURE ERPM WEBSITE FOR SESSION PLAYBACK

In order to playback recorded sessions, ERPM will need to know the location of the machine with the

completed session recordings. From the previous sections, this will most likely be the video transcoder

host, which is also most likely the ERPM web server.

For reference session recording consists of two pieces: recorder and transcoder. The recorder is typically

the bastion host while the transcoder is recommended to be another machine (due to CPU and RAM

constraints). The transcoder host is typically the ERPM web server and will convert the raw video from

the session recorder to playable video. These videos will be played back via streaming media services

through the ERPM website.


The flow for session recording is as follows:

1) Application is launched on a bastion host and session recording is initiated.

2) After the session exits, the file will be copied to the source directory on the transcoder host.

3) Raw video will be converted and placed into the SessionRecording directory on that host.

4) IIS and Media Server will stream the videos to requesting authorized users.

The machine performing the video transcoding will have configured IIS with a virtual directory under the

default root website called SessionRecording. It is this URL that will be provided to the ERPM website

configuration. The SessionRecording URL may be presented with or without SSL but should be configured

to use anonymous authentication.

To configure ERPM with the SessionRecording URL open the admin console, and click on the Manage

Web App button on the left action pane. Go to the Options | Configure default web application options

menu.

On the User/Session Management tab, enter the URL for the transcoder/media server where the videos

are hosted from in the Session playback URL field. If using HTTPS, be sure to enter the valid name of the

server that matches the assigned name on the certificate to avoid certificate errors. A typical URL will be

similar to https://server.your.domain/sessionrecording/. Be aware that the system is expecting a

trailing forward slash at the end of the URL.


Click OK once the URL is entered.


If updating an existing website with this new information, right-click on the website instance and select

Replace instance options with default web application options. There is no need to restart any servers

or components after making this change.

Once the URL is added and once any sessions have been recorded, users with access to the auditing

section of the ERPM website will be able to playback any recorded sessions that exist. Such recored

sessions will be visible in the ERPM auditing section with a camera icon next to their audit entry.

Simply click on the camera icon to playback the recorded sessions.


CONFIGURE APPLICATIONS FOR LAUNCHING



The Applications tab identifies the applications which can be made available to launch from the ERPM

website and other related settings that will be used when launching these applications. Once an

application is added, it must be properly configured before it may be launched.

Lieberman Software ships a number of pre-configured application objects available. Most will still

require additional configurations before they could be used for launching the specified target

application. To add the pre-defined applications, click the Add Defaults button in the lower left area of

the dialog. Add new applications by clicking the Add button. Duplicate or edit existing explications by

using the Copy or Edit buttons respectively.

When editing a dialog, there are many elements to fill out. The required elements for a basic application

configuration to be valid are:


Remote application label - required - this is the friendly name of the application as it will appear in

the ERPM website.

Remote application description - optional - enter a description for the application that will appear in

the ERPM website.

Remote application icon path - optional - to set a custom icon for the application, locate the physical

ERPM website installation files. Typically, this will be at %inetpub%\wwwroot\PWCWeb. All file

paths defined for the icons will be relative to this path. It is recommended to create a custom folder

(example "CompanyIcons") and add your icons to this folder so they will persist through website

upgrades. Then for the icon path, simply add the FolderName\IconName.gif. All GIF files should be

32x32 pixels.

Remote launch type - required -select from the available launch types:

LAUNCH APPLICATION WITH COMMAND LINE PARAMETERS - use this for any application which can be

launched with command line options such as SQL Management Studio, PuTTy, VMware vCenter,

etc.

OPEN WEB APPLICATION WITH FORM POST - use this for websites which only require a basic form post

and does not make use of JSON, YAML or other technologies for passing the user name and

password information. When this is selected, fill out the WEB PAGE AND NAME-VALUE PAIR FIELDS. The

web page the name of the login page including protocol such as

http://webserver/pwcweb/login.asp. The name value pair is the variables for the user name and

password.

LAUNCH TERMINAL SERVICES CLIENT - use this for launching the Microsoft Terminal Services client.

There are no additional requirements to setup this launch type.

LAUNCH APP THROUGH .NET ASSEMBLY - used when an external .net assembly will be used to perform

the connection and credential passing. Supply the ASSEMBLY PATH and TYPE NAME values. The

assembly path is the full physical file patch to the .net assembly. Type name is the name of the

.net interface.

LAUNCH APP THROUGH SCRIPT AUTOMATION - this is most frequently used for launching MMCs,

websites which does not pass user name and password information basic form post (see most

web examples in the default list), fat clients which do not make use of command line parameters,

etc. Supply the Script Path and Automation URL. Script path is the name of the script to run

including the extension. For example, login_azuremgmt.vbs. This script must be found in the

pre-defined script automation directory on the global options or bastion host configuration

dialogs for the app launcher. Automation URL is the target URL. For example,

http://manage.windowsazure.com or for a device,

https://$(RemoteAccessTarget_TargetName)/login.html.

Run on the jump server - optional - use this option to launch the target application from a

bastion/jump server (configured previously) or from the user's workstation. If this option is not


selected then the application will attempt to launch locally on the user's local workstation. If this

option is selected, then the application will be launched on the jump server. The application must be

installed on the jump server at that time. This is a per-application setting.

USE THE TARGETED ACCOUNT TO CONNECT TO THE JUMP SERVER - if a jump server is used and the account

being targeted to launch the application is a domain account or a valid local bastion host

account, this option will establish a connection with those credentials rather than the

pre-configured bastion connection credentials. If the credentials are not valid on the bastion host

then the connection will not succeed. Do not use this option for non-Windows systems.

APPLICATION SUPPORTS MULTI-TAB - a special set of configurations and launch scripts for applications

which have multi-branch or multi-tab capabilities. See the the Multi-tab Support section for

more information on configuration and use.

LOAD USER PROFILE WHEN STARTING APPLICATION (CONFIGURE RDP CONNECTION PARAMETERS) - when

selected will load the connecting user's user profile on the bastion host which will enable

additional elements to available via RDP to become available such as color depth, mapped drives,

clipboard capability and so on.

Enable session recording - optional - if a session recording host is configured, this option will be

available. When configured, the launching of this application on a jump server will record just this

application being run. This is a per-application setting.

Application - mandatory - The application name is simply the name of the executable without the

path. For example, SSMS.EXE.

Command line - mandatory - Command line is the parameters to launch the executable with.

Parameters are specific to the program being launched and not ERPM. ERPM does however provide

specific replacement variables that can be used in place of otherwise static value such as

$(RemoteAccessTarget_TargetName) instead of the targets actual host name. See the following

sub-section for more information.

Application location - optional - An application location must also be defined but can either be a full

physical path in the application location field or be setup to search for and even to download a ready

to run executable from a predefined network path (At launch download file from path). A physical

path MUST be defined when launching the application from a jump server. If a physical path is not

defined in the application location field, then the option to Search for application on local system

should be enabled. Sub-options for application search include searching for the application on the

system root or program files directories. In addition, subsequent include and exclude directories may

be defined. Multiple values should be segregated by a semi-colon. There is no variable replacement

such as %systemroot% or %inetpub% so full physical locations must be used.

Search for application on local system - optional - will cause the application launcher to search the

bastion host or calling workstation's file system for the executable being launched and launch the

first valid application it comes across. If this option is deselected, then the Application location field


above it becomes active where a static path can be defined. Using the search mechanism adds time

to launch the application. The locations it can search are the program files directories or the system

root directory. Searching is controlled by the subsequent options on this dialog.

SEARCH FOR APPLICATION ON LOCAL SYSTEM ROOT directs ERPM to search the %systemroot% location

on the bastion host or calling workstation's file system when launching an application.

SEARCH FOR APPLICATION UNDER THE PROGRAM FILES DIRECTORY directs ERPM to search %programfiles%

and %programfiles(x86)% on the bastion host or calling workstation's file system when launching

an application.

SUBDIRECTORY RESTRICTION is the directories to not search when searching the program files

directory structure.

ADDITIONAL SEARCH DIRECTORIES is the additional directories to search are any other directories on

the system to search. The list is semi-colon delimited.

WORKING DIRECTORY is the default search starting point.


Only run signed executables - optional - will ensure the program has a digital signature on it. If the

option is enabled, an additional verification can be configured to validate specific fields of the digital

signature such as the certificate serial number, certificate issuer or other signing bits.

VERIFY CERTIFICATE FIELDS OF SIGNING CERTIFICATE - becomes available if the option to Only run signed

executables is selected. The resulting dialog allows defining which fields to verify in the signing

certificate.

Only run executables with expected hashes - optional - allows the admin to define hashes of a

target application. This is useful to ensure that someone did not rename a malicious executable or

that only a specific patched version runs. Multiple hashes can be calculated and defined from this

dialog.

At launch, download the file from path - optional - defines a network path or URL to download

the application from if it is not already present on the host system.

Settings apply to client system configuration - applies only to applications launched from the users

workstation and has no effect for applications launched via bastion host. Consider that a 32bit

application running on a 32bit Windows host will typically install to c:\program files\application. Yet

that same 32bit application running on a 64bit Windows host will typically install to c:\program files

(x86)\application. This setting permits configuration of only one application to launch with multiple

possible settings. When these settings are configured, the launcher will determine what host it is

running on and retrieve the appropriate settings, such as launch directory.

Application uses stored private key - optional - this option allows programs which can use

certificates (such as SSH clients) to define which certificate to use when connecting. These

certificates must have been pre-imported and assigned via the administrative console from Settings

| User Keys | Import Keys.

Application uses gateway server - optional - if an SSH proxy/gateway is defined (Admin console at

Settings | Manage Web Application | Remote Gateway Servers) this option will be available. This

option is useful when a client must first connect to an SSH proxy first before connecting to the final

SSH target. This process will make use of plink.exe. The plink.exe download location must also be

specified with the path on the jump server where the plink.exe executable resides. Plink.exe is

installed the launch app folder on the bastion host if the PuTTy files are also installed when installing

the application launcher. Plink.exe can also be downloaded from http://www.putty.org.

Configure Allowable Types - required -this defines for which account types the application will be

available. At least one account type must be selected. This is what specifically makes an application

available to MySQL or Windows but not Linux or MS SQL or Oracle.

Always use the specified account when starting this application - optional - when this option is NOT

selected (default), the application will be made available for the selected account type(s) (Configure

Allowable Account Types). That means potentially any account could be used to launch this

application. If the option is enabled, ERPM will pull a predefined credential from the account store


and always use that account to launch the application. Also, the application will not be available in

the Launch App section of the ERPM website, rather, it will be made available in the Applications

section of the website for the users that have permission to launch the application. The Launch App

section is accessible when viewing specific managed passwords. Applications is always available

regardless of managed passwords.

See the next sub-section for replaceable variables in the command line or automation URL paths.

VARIABLES FOR APP LAUNCHING

When launching an application from the command line or via web automation scripts, there are many

available variables for ERPM to use to pass the user name, password, target server and more. What

follows is a list of available variables which can be used for replacement.

As the process works, DEMO\Broberts logs into the ERPM web application. DEMO\Broberts clicks on

launch app. This causes a secondary account (DEMO\BastionLogin) to connect to the bastion host and

initiate and launch the liebsoftlauncher.exe program. Liebsoftlauncher connects back to the web service

and retrieves program settings including target system, target user name, and target password. For

this example example, connecting to a server called DB2012 as SA with with the SA password.

For this example the following elements are defined by the following variables:

DEMO\Broberts = $(SourceAppLogin) or $(UserEnteredLoginUsername)

DEMO\BastionLogin = NOT EXPOSED

DB2012 = $(RemoteAccessTarget_TargetName)

SA = $(Username) or $(AccountName_FullyQualified)

SA Password = $(Password) or $(Password_Raw)

Following is a list of all possible variables


$(UserEnteredLoginUsername) - same as $(SourceAppLogin), is the account used to login to the

ERPM web application.

$(UserEnteredLoginUsername:RemoveNTSyleNamespace) - This element prunes the domain name

from the user name. From the example above, DEMO\Broberts becomes simply Broberts.

$(UserEnteredLoginUsername:ReplaceBackslashWithDot) - This element retains the domain name

with the user name but replaces the slash with a dot. From the example above, DEMO\Broberts

becomes DEMO.Broberts. Use this variable when a name is required that will no be interpreted as a

path for creating directories.

$(SourceAppLogin) - same as $(UserEnteredLoginUsername), is the account used to login to the app

[component] which is triggering the launcher, i.e. the RDP user to the bastion host.

$(SourceAppLogin:RemoveNTSyleNamespace) - This element prunes the domain name from the

user name. From the example above, DEMO\Broberts becomes simply Broberts.

$(SourceAppLogin:ReplaceBackslashWithDot) - This element retains the domain name with the user

name but replaces the slash with a dot. From the example above, DEMO\Broberts becomes

DEMO.Broberts. Use this variable when a name is required that will no be interpreted as a path for

creating directories.

$(Username) - this is the name of the target account. From the example above, SA.

$(AccountName_FullyQualified) - building on the $(Username) variable, this will pre-pend the

domain pre-fix to the account name if applicable.

$(Password) - the regex escaped password (e.g. pass\"word ).

$(Password_Raw) - the raw un-escaped password.

$(RemoteAccessTarget_TargetName) - the target host to which the application will connect.

$(LauncherPath) - the path to the application launcher.

$(SessionID) - GUID for the launcher link.

$(PrivateKey) - the file path for the DER encoded private key (if available).

$(PrivateKeyPassphrase) - the pass phrase, if present for $(PrivateKey).

$(PuttyKey) - the file path for the putty encoded private key (if available).

These variables are used in line and replaced by ERPM at the time the application is launched. For

example, if in the website the user were to go to the MSSQL database instance on a server called DB2012

and connect with the built-in (and managed) SA account, the command line syntax would be:

-S $(RemoteAccessTarget_TargetName) -U $(Username) -P $(Password) -nosplash

The switches ( -S, -U and -P ) are part of the SMSS.EXE executable. The subsequent values of

$(RemoteAccessTarget_TargetName), $(Username), and $(Password) would be replaced by the name of

the server (DB2012), the name of the account (SA), and the password for SA respectively.


MULTI-TAB SUPPORT

A lot of administrative tools support several connections to the target systems from one tool window. It

can be implemented as separate tabs like in SecureCRT or or like branches in tree-view navigation pane

like in Microsoft SQL Management Studio.

SecureCRT with two connections.


SQL Management Studio with two servers.

These applications can use different credentials for each target system connection. However, some

applications have limitations when using multiple tabs or branches. For example it is possible to use

integrated windows authentication to connect SQL Management Studio to some MS SQL servers while

others require an explicit SQL account using SQL authentication. In the case of SQL Management Studio,

when the tool is launched and integrated Windows authentication is used it is not possible to re-use the

existing instantiation of the tool. However, if one connection uses integrated authentication and the

secondary connections use SQL authentication or if all connections use SQL authentication, then it is

perfectly reasonable to re-use the currently running instance.

ERPM supports this ability of such tools. Multi-tab Configuration window in Remote Application

Configuration is used for this task.

If multi-tab is not used, when a user launches a tool, like SecureCRT or SQL Management Studio, that

establishes one session on the bastion and one instance of the application in that session. This is a more

secure scenario as it segregates the data and session information so it cannot be shared within the tool

and any systems the user may be accessing.

The trade off is that a secondary launch of the same tool, just to a new system, will cause a second

session to be created which can be slow and will consume more resources.


If multi-tab is used, when a user launches a tool, like SecureCRT or SQL Management Studio, that

establishes one session on the bastion and one instance of the application in that session. Then when a

user launches the same tool again to connect to another system, this will re-use the existing session and

simply add a tab or another tree to the tool. This reduces resource consumption on the bastion host and

can speed up the use of the tool. The trade off is that the application can now share information from all

servers with anything it is connected to. Consider launching a web application to your company's Twitter

feed and logging in and then launching a new tab to another site that has been compromised. Now the

cache and in memory information is available to all tabs in the browser.


MULTI-TAB SUPPORT CONFIGURATION

To configure multi-tab support, first establish the jump server and basic application settings as previously

described in the Configure Applications for Launching section.

Note: Mutli-tab is only supported when launching from bastion/jump servers.

Enable the Application supports multi-tab option on the left side of the Remote Application

Configuration dialog, then click the ellipses (...)


Click Add in the lower left corner of the dialog.

Fill out all the information on the Multi-tab Configuration dialog.


Multi-tab configuration label is a label that will be shown in the Multi-tab configuration selection

drop down list in the Remote application configuration window. The name should be indicative of

the multi-tab application settings being used.

Multi-tab automation local executable path is a path to compiled AutoIT script which is able to

open a new tab/establish a connection to new target system.

Automation executable arguments are new-tab-executable specific. Usually the ProcessID is used to

find the HWND (handle to a window) of the application window, target system is transferred to

provide it to the application for new connection. If is used in this case user name and password are

not needed.

Allow this multi-tab automation for existing application launches by EXE name controls how

launched application instance will be detected. If it is unchecked, the only instances of the

applications this multi-tab configuration is selected for will be assumed as previously launched.

In the example of using SQL Management Studio, there are two different application configurations: one

for Integrated Windows Authentication and another one for SQL server authentication. Both scenarios

use the same executable, ssms.exe. In case of multi-tab configuration for Integrated Windows

Authentication, where different Windows accounts are being used to connect to target database servers,

the option to Allow this multi-tab automation for existing application launches by EXE name should be

unchecked because it is impossible to connect to secondary instance of MS SQL using the existing

instance of smss.exe server using integrated Windows authentication if SSMS process was initially

launched from another user. In this case the automation executable arguments will be similar to this:

$(RemoteAccessTarget_TargetName) nouser nopasswords $(ProcessID)

ProcessID is the ID that will be used to reuse the currently running executable.

In the SQL Management Studio case where SQL Authentication is being used or similar types of

connections, the option to Allow this multi-tab automation for existing application launches by EXE

name can be selected. In this case the automation executable arguments will be similar to this:

-S $(RemoteAccessTarget_TargetName) -U $(Username) -P $(Password_Raw)

In the commands above, $(RemoteAccessTargget_TargetName), $(Username), $(Password_Raw) – are

standard ERPM’s variables. $(ProcessID) – is a new variable, which return PID of initial launched

application. “nouser” and “nopasswwords” – are “fake” values for username and passwords arguments.

Because if we use IWA – we do not need username and password. They are using for the scripts

unification.


SSMSNewTabIwa.exe and SSMSNewTabSql.exe – are compiled AutoIT scripts, which we using to interact

with MS SQL to open new connection, which will use Integrated Windows Authentication or SQL

authentication respectively. The listing of these scripts is below. Users may create their own AutoIT

scripts or Lieberman Software will provide the scripts on the ERPM download page.


Click OK when finished. Then select the appropriate multi-tab configuration settings for the target

application.

Lieberman Software has compiled multi-tab scripts for the following applications:


RunAs and wait until process finishes = RunAsWait

DHCP Manager = RunDHCP

DHCP Manager = RunDHCPNewTab

DNS Manager = RunDNS

DNS Manager = RunDNSNewTab

File Server Resource Manager = RunFSRM

Hyper-V Manager = RunHyperV

Hyper-V Manager = RunHyperVNewTab

MS Terminal Services = RunMstsc

Network File Services Management = RunNFSMGMT

Performance Monitor = RunPERFMON

Server Manager = RunServerManager

Storage Explorer = RunStorageExplorer

Storage Manager = RunStorageMgmt

Task Scheduler = RunTaskScheduler

Run process and wait until finished = RunWait

WBAdmin (Backup) = RunWBADMIN

WINS Manager = RunWINS

WINS Manager = RunWINSNewTab

SecureCRT = ARM_SCRTStart

SecureCRT = SCRTNewTabSSH2

SecureCRT = SCRTNewTabTELNET

SecureCRT = SCRTStart

SQL Mgmt Studio = SSMSNewTabIwa

SQL Mgmt Studio = SSMSNewTabSql

A simple test script = TestParams

Remote Desktop = UnlockMstsc

Remote Desktop for ARM = UnlockMstscARM

MULTI-TAB AUTOIT SCRIPT EXAMPLES

SSMSNewTabIwa.au3

#include <MsgBoxConstants.au3>

local $paramCount = $CmdLine[0]


local $systemName = $CmdLine[1]

local $domainUserName = $CmdLine[2]

local $password = $CmdLine[3]

local $ssmsPid = $CmdLine[4]

if $paramCount = 4 Then

openNewTab($ssmsPid, $systemName, $domainUserName, $password)

EndIf

Func openNewTab($p_ssmsPid, $p_systemName, $p_domainUserName, $p_password)

Opt("WinTitleMatchMode", 2)

local $ssmsWindows = WinList("Microsoft SQL Server Management Studio")

for $i=1 To $ssmsWindows[0][0]

If $ssmsPid=WinGetProcess($ssmsWindows[$i][1]) Then

local $delay = 5

WinActivate($ssmsWindows[$i][1])

WinWaitActive($ssmsWindows[$i][1])

Send('!f')

Sleep($delay)

Send('e')

Sleep($delay)

Send('+{TAB}')


Sleep($delay)

Send('+d')

Sleep($delay)

Send('{TAB}')

Sleep($delay)

Send($systemName)

Sleep($delay)

Send('{TAB}')

Sleep($delay)

Send('+w')

Sleep($delay)

Send('{ENTER}')

EndIf

Next

EndFunc

SSMSNewTabSql.au3

#include <MsgBoxConstants.au3>

local $paramCount = $CmdLine[0]

local $systemName = $CmdLine[1]

local $domainUserName = $CmdLine[2]

local $password = $CmdLine[3]

local $ssmsPid = $CmdLine[4]

if $paramCount = 4 Then


openNewTab($ssmsPid, $systemName, $domainUserName, $password)

EndIf

Func openNewTab($p_ssmsPid, $p_systemName, $p_domainUserName, $p_password)

Opt("WinTitleMatchMode", 2)

local $ssmsWindows = WinList("Microsoft SQL Server Management Studio")

for $i=1 To $ssmsWindows[0][0]

If $ssmsPid=WinGetProcess($ssmsWindows[$i][1]) Then

local $delay = 5

WinActivate($ssmsWindows[$i][1])

WinWaitActive($ssmsWindows[$i][1])

Send('!f')

Sleep($delay)

Send('e')

Sleep($delay)

Send('+{TAB}')

Sleep($delay)

Send('+d')

Sleep($delay)

Send('{TAB}')

Sleep($delay)

Send($systemName)


Sleep($delay)

Send('{TAB}')

Sleep($delay)

Send('+s')

Sleep($delay)

Send('{TAB}')

Sleep($delay)

Send($domainUserName)

Sleep($delay)

Send('{TAB}')

Sleep($delay)

Send($password)

Sleep($delay)

Send('{ENTER}')

EndIf

Next

EndFunc

APPLICATION SETS

Application sets are simply pre-defined collections of applications to launch. They can be created to

group types of applications together such as DB management products or remote terminal products or

based on job duties.

To create a new set of applications, from the ERPM console, go to Settings | Manage Web Application |

Application Launch. Then click on the Add Sets button on the Applications tab.


On the Remote Application Sets tab, click the Add Set button in the lower left corner, supply a proper

name, then click OK and the new list will be added to the dialog.

To add applications to the application set, right-click on the application set and select Add applications

to set. To remove an application from an application set, right-click on the application set and select

Remove applications from set.


Select all the desired applications then click OK.


To view the applications added to an application set, expand the application set.

Once application sets are defined, in order for users who do not have all access to be able to use the

groupings, application set permissions must be defined in addition to the application permissions.


When the user does not have all access, additional permissions are required to launch a specific

application. To define these permissions, use the admin console and go to Delegation | Web application

remote application permissions. Click Add in the lower left corner, then select an available identity, click

OK, then select one or more applications the user can launch.

To define application set permissions, use the admin console and go to Delegation | Web application

remote application set permissions. Click the Add button to add an identity that will have permissions to

an application set and add the identity and click OK. Then select from the available application sets, then

click OK again. A prompt will appear to use a shadow account. Shadow accounts are covered in the next

section titled Shadow Accounts. If a Shadow account will be used, click Yes and continue to supply the

required information, otherwise, click No. After shadow accounts, another prompt will appear asking if


there will be system restrictions. If there will be system restrictions for these applications, click Yes and

continue to supply the required information, otherwise, click No.

When the user goes to the website, they will be able to select from among the available application set

filters when attempting to launch an application.

SHADOW ACCOUNTS

Shadow accounts allow a user to connect to a system with a specific app and choose from among one or

more accounts to connect with. Consider the normal paradigm where a user must go to the Managed


Passwords Area, find the target system and local account for the application to connect with. While this

works for many scenarios, it is not very flexible and it does not address the need be able to connect

with domain or directory accounts to other systems or applications. This is specifically what shadow

accounts do.

With a shadow account, a user will go to the system or application in question in the systems view of

ERPM and choose to launch an application. An available list of applications will be presented to the user

and the user can determine which account, local or central (domain or directory) to connect with to the

system or application.

To use shadow accounts requires the View Systems and Allow Remote Sessions global delegation

permission. Once permissions are granted, additional configuration to map shadow accounts must be

performed.


Shadow accounts are first mapped and then associated with application permissions, even when a user

has All Access. To use Shadow Accounts, a per application rule must be established for the target user.

To establish shadow accounts mappings go to Delegation | Web Application Identity to Shadow

Account Mappings. This dialog will show any existing mappings. To add a new mapping, click the Add

Mapping button in the lower left corner of the dialog.


Select the target identity from the list of available identities, then click OK.


Select from the available [previously] managed/stored identities in ERPM and click OK. The new

mappings will now be in the list of available mappings.

Click OK to close the Shadow Account Mappings dialog.

Next add the application permissions. Go to Delegation | Web Application Remote Application

Permissions.


Click Add in the lower left corner of the Remote Application Permissions dialog to add a new application

permission. The first dialog to appear will be for the identity that will be granted the permissions to use

an application with a shadow account. Select the identity then click OK.


Next a list of remote applications will be presented to the user. Select the target application(s) that will

be established for the user then click OK.


ERPM will then prompt to use a Shadow Account. Click Yes to assign one or more shadow accounts that

the target user may use when launching the specified application.

Based on the selected user, a list of available corresponding mappings will be presented Select the

mapping(s) that should be configured for the target user and selected applications, then click OK.


ERPM will then prompt to restrict the applications permissions & configured shadow account mappings

to specific management sets. If it is desired to restrict the applications and or shadow account mappings

to specific lists of systems, click Yes. Otherwise, click No.

If Yes was selected, then a list of management sets will be presented.


Select from the desired management set(s) and click OK.

The new mapping will be presented in the Web Application Remote Application Permissions dialog. Any

undesired mappings may be deleted or reports may be generated from this page.

To use the mappings, the user must go to the Systems view in the ERPM web page (View systems

permission required).


Click Launch App next to the desired target system. If Launch App is not visible it means the user does

not have either the Allow Remote Sessions permission or a Shadow Account Mapping is not present.

The user will be able to select from among the applications and launch accounts to launch the

application.

161

As of ERPM version 4.83.8 To launch an application user with either of the following sets of permissions

will be able to launch applications:

1) All Access

2) View account, remote sessions, and permissions for the specific application being launched.

USING APPLICATION LAUNCHING

Using Application Launching 162

When the user does not have all access, additional permissions are required to launch a specific

application. To define these permissions, use the admin console and go to Delegation | Web application

remote application permissions. Click Add in the lower left corner, then select an available identity, click

OK, then select one or more applications the user can launch.


There are two types of application launching in ERPM: launching with variable account and system

information and launching with pre-define account and system information. The difference in app

configuration is the option in the lower right corner of the application that says to always use the

specified account being selected or not. If the option is selected, the application will appear in the

applications portion of the website. If the option is not selected, the user must go to the Launch App

section next to the system/account they wish to use to connect.

Launching an App as a Pre-Configured Application

To launch an application which has been pre-configured for a specific account and target, such as a

company's Twitter or Facebook page, the user will click the Operations | Applications link, then click on

the application to launch. Only applications that are pre-configured to always launch as a specific user

and that the login user has access to will be shown on this page. If an application is not shown it is a sign

of at least one of two possible causes:


The user has no permission to launch an application

There are no apps configured to always run as a specific user

Launching an App Using Variable Target and Account Information

Once the the target system and account to connect as are located in the Passwords | Managed

Password section of the website, click the play button.

All applications available to the user for the specific account type will then be shown. If the RDP icon

appears at the right edge of the black title bar, that indicates the application is configured to launch via a

bastion host. if the camera icon appears at the right edge of the black title bar, that indicates the session

will be recorded.


To launch the application, click Launch. What happens next will depend on whether the application is

configured to launch locally or from a bastion host and whether or not the user has performed this

process previously. If connecting via a bastion host, the system will initiate a series of calls to the bastion

host and the LiebsoftLauncher on that host. This will be visible to the user. If the user has not previously

launched an app from the machine/profile they are currently logged into, they will likely receive a couple

of security prompts. Use the filter options at the top of the page to search for applications, show only a

set of applications, or change the layout of application launcher page.


Each application also has an Advanced launch configuration. Clicking the ear icon will allow the

interactive user to specify alternate credentials to connect to the target system as. These could be static

credentials or they could be other stored credentials in ERPM (if they have the rights to retrieve the

password). Generally, it will not be necessary to manipulate the advanced settings.

167

Once any sessions have been recorded, users with access to the auditing section of the ERPM website

will be able to playback any recorded sessions that exist. Such recored sessions will be visible in the

ERPM auditing section with a camera icon next to their audit entry.

Simply click on the camera icon to playback the recorded sessions.

The session properties page will identify user, IP address, and time stamp information and more. To

playback the recording, simply chose the desired recording and click Play Recording.

AUDITING APPLICATION LAUNCHING

Auditing Application Launching 168

The video will open on the systems preferred media player and begin streaming automatically.

169

1

1. INSTALLING REMOTE DESKTOP SERVICES

• 12

1. ON THE TRANSCODER HOST • 48

2

2. INSTALLING DESKTOP EXPERIENCE • 39

2. ON THE BASTION HOST • 60

3

3. INSTALLING APPLICATION LAUNCHER

AND SESSION RECORDING • 48

4

4. SETTING UP RDS FOR APPLICATION

LAUNCHING • 73

5

5. SETTING UP STREAMING MEDIA SERVICES

• 84

6

6. CONFIGURING IIS TO HOST RECORDED

SESSIONS • 89

A

APPLICATION SETS • 153

AUDITING APPLICATION LAUNCHING •

177

B

BACKGROUND AND GOALS • 8

C

CONFIGURE A BASTION HOST OBJECT •

119

CONFIGURE A SESSION RECORDING HOST

OBJECT • 124

CONFIGURE APPLICATIONS FOR

LAUNCHING • 132

CONFIGURE ERPM WEB SETTINGS • 116

CONFIGURE ERPM WEBSITE FOR SESSION

PLAYBACK • 129

CONFIGURING A BASTION HOST LOGIN

ACCOUNT • 91

CONFIGURING APPLICATION LAUNCHING

• 91

CONFIGURING REMOTE APP FOR SERVER

2008 R2 • 80

CONFIGURING REMOTE APP FOR SERVER

2012 (R2) • 73

I

INSTALLING APPLICATION LAUNCHER

AND SESSION RECORDING WITH A

BASTION HOST • 11

INSTALLING DESKTOP EXPERIENCE FOR

SERVER 2008 R2 • 43

INSTALLING DESKTOP EXPERIENCE FOR

SERVER 2012 (R2) • 39

INSTALLING REMOTE DESKTOP SERVICES

FOR SERVER 2008 R2 • 29

INDEX

Index 170

INSTALLING REMOTE DESKTOP SERVICES

FOR SERVER 2012 (R2) • 12

INTRODUCTION • 5

L

LICENSE AGREEMENT • 5

LIMITED WARRANTY • 6

M

MULTI-TAB AUTOIT SCRIPT EXAMPLES • 149

MULTI-TAB SUPPORT • 141

MULTI-TAB SUPPORT CONFIGURATION •

144

O

OVERVIEW • 7

P

PRE-REQUISITES • 9

S

SHADOW ACCOUNTS • 159

U

USING APPLICATION LAUNCHING • 171

V

VARIABLES FOR APP LAUNCHING • 139

[Enterprise] Random Password Manager - BeyondTrust · 2020. 7. 6. · Enterprise Random Password...

Documents

Transcript of [Enterprise] Random Password Manager - BeyondTrust · 2020. 7. 6. · Enterprise Random Password...