Enterprise Random Password Manager
Application Launching & Session Recording
5.5.1
Copyright © 2003–2016 Lieberman Software Corporation.
All rights reserved.
The software contains proprietary information of Lieberman Software Corporation; it is provided
under a license agreement containing restrictions on use and disclosure and is also protected by
copyright law. Reverse engineering of the software is prohibited.
Due to continued product development this information may change without notice. The
information and intellectual property contained herein is confidential between Lieberman Software
and the client and remains the exclusive property of Lieberman Software. If there are any
problems in the documentation, please report them to Lieberman Software in writing. Lieberman
Software does not warrant that this document is error-free.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any
form or by any means, electronic, mechanical, photocopying, recording or otherwise without the
prior written permission of Lieberman Software.
Microsoft, Windows, Word, Office, SQL Server, SQL Express, Access, MSDE, and MS-DOS are either
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries. Other brands and product names are trademarks of their respective owners.
Lieberman Software Corporation
1875 Century Park East, Suite 1200
Los Angeles, CA 90067
(310) 550-8575
Internet E-Mail: [email protected]
Website: http://www.liebsoft.com
Contents
CHAPTER 1 INTRODUCTION ...................................................................................................5
1.1 Overview................................................................................................................................... 5
1.2 Background and Goals .............................................................................................................. 6
1.3 Limited Warranty ..................................................................................................................... 8
1.4 License Agreement ................................................................................................................... 8
CHAPTER 2 UNDERSTANDING SESSION RECORDING ............................................................. 10
CHAPTER 3 INSTALLING THE APPLICATION LAUNCHER AND SESSION RECORDING FEATURES . 13
3.1 Application Launcher and Session Recording Installation Overview .....................................14
3.2 Application Launcher and Session Recording Installation Prerequisites ...............................19
3.3 Step 1. Install Remote Desktop Services ................................................................................20
3.3.1 Installing Remote Desktop Services for Server 2012 (R2) ..............................................20
3.3.2 Installing Remote Desktop Services for Server 2008 R2 ................................................35
3.4 Step 2. Install Desktop Experience .........................................................................................45
3.4.1 Installing Desktop Experience for Server 2012 (R2) .......................................................45
3.4.2 Installing Desktop Experience for Server 2008 R2 .........................................................49
3.5 Step 3. Install the Application Launcher and Session Recording Feature ..............................54
3.5.1 Installing on the Transcoder Host ..................................................................................54
3.5.2 Installing on the Application Launch Server ...................................................................65
3.6 Step 4. Set up RDS for Application Launching ........................................................................77
3.6.1 Configuring Remote App for Server 2012 (R2) ...............................................................77
3.6.2 Configuring Remote App for Server 2008 R2 .................................................................83
3.7 Step 5. Set Up Streaming Media Services ..............................................................................88
3.8 Step 6. Configure IIS to Host Recorded Sessions ....................................................................93
CHAPTER 4 CONFIGURING APPLICATION LAUNCHING AND SESSION RECORDING .................. 95
4.1 Configure an Application Launch Server Logon Account .......................................................96
4.2 Configure the Web Launcher Settings ..................................................................................122
4.3 Configure the Application Launch Server Settings ...............................................................125
4.4 Configure the Application Launch Server Host ....................................................................130
4.5 Configure Session Recording Settings ..................................................................................132
4.6 Configure the ERPM Web Client for Session Playback .........................................................136
4.7 Configure Applications for Launching ..................................................................................139
4.7.1 Adding Application Launching Scripts ..........................................................................139
4.7.2 Configuring ERPM to Launch Applications ...................................................................140
4.7.3 Variables for App Launching .........................................................................................146
4.7.4 Maintaining Application Launching Scripts ..................................................................147
4.7.5 Multi-Tab Support ........................................................................................................149
4.7.6 Multi-Tab Support Configuration .................................................................................153
4.7.6.1 Multi-Tab AutoIT Script Examples ......................................................................................... 158
4.8 Configure Application Sets ...................................................................................................162
4.9 Shadow Accounts .................................................................................................................168
CHAPTER 5 USING APPLICATION LAUNCHING ..................................................................... 179
5.1 Setting User Permissions to Launch Applications ................................................................179
5.2 Using the Application Launcher ...........................................................................................180
CHAPTER 6 AUDITING APPLICATION LAUNCHING ............................................................... 185
Chapter 1 Introduction
This chapter includes an overview of Enterprise Random Password Manager (ERPM), what problems
it is designed to solve, performance information, expected prerequisite knowledge, and some
background information on Windows.
This chapter also includes the license and warranty information for ERPM.
IN THIS CHAPTER
Overview ................................................................................................... 5
Background and Goals ............................................................................... 6
Limited Warranty ...................................................................................... 8
License Agreement .................................................................................... 8
1.1 OVERVIEW
Enterprise Random Password Manager (ERPM) fills the gaps found in other privileged identity
management (PIM) and identity and access governance solutions. ERPM builds a configuration
management database (CMDB) for the networks that it can access. It catalogs systems and devices,
their user accounts, attributes, SSH keys, and certificates, and manages credentials and keys, as well
as user access to them.
Historically, the core functionality of ERPM revolves around its ability to randomize and store
passwords for accounts on target systems on a regular recurring basis. ERPM expanded its
capabilities with True Discovery technology, which determines where service accounts are used
and, when executing password change jobs for these accounts, propagates changed passwords to
every location where an account is used. This provides the mechanism to maintain company
up-time during service account changes, and it also makes it possible for risk-averse companies to
follow proper security practices and achieve a state of continuous compliance rather than
point-in-time compliance.
Because privileged passwords are stored and managed by ERPM, they can be retrieved using a thick
client, a thin (web) client, an orchestration system, and more. Access to the password store and
other web interface features can be limited to specific groups, users, explicit accounts, and other
identities, with or without two-factor authentication.
ERPM provides more functionality beyond password management, password vaulting, and session
management. ERPM also provides for:
Account escalation – The ability to add a user to a pre-defined group with higher privileges than
the user would normally have on a target system, and then automatically remove that access.
Secure file storage – The ability to upload and store as an encrypted data blob in the program's
secure data store any file, such as password spreadsheets, digital certificates, instructions, and
more. After the files are uploaded, an ACL system identifies which users will be able to retrieve
the files, while access to the files is audited.
Orchestration – ERPM can run headless and can be controlled programmatically. This permits
tight integration with other systems, such as work-flow engines, run-book orchestration for user
and system provisioning and de-provisioning, programmatic access to almost all functions, and
much more. This control is provided using either a SOAP-based or REST-based web service
and/or using PowerShell commands. Users may tie into ERPM using any program or language
that can call a web service or interact with PowerShell.
Privileged Account Management – ERPM provides session-based control over privileged
accounts to run specific programs against specific hosts. Using the optional Application Launch
Server model, any program, website, or script may be run in a controlled and secured
environment and give users access to specific systems or networks using specific tools with
specific feature sets. This allows access to the tool set needed to get a job done, but without
providing access to the credential or direct physical access to the system.
Session Recording – When using the optional Application Launch Server, administrative sessions
can be recorded for later playback. Screen recording audits the user's actions during a session
and can be helpful when developing training procedures. Visually recording an administrator's
actions can help satisfy the requirements of auditing mandates.
1.2 BACKGROUND AND GOALS
The Need for Strong Local Credentials
Organizations with a need for the most basic access security should use unique local logon
credentials customized for each workstation and server in their environment. Unfortunately, most
organizations use common credentials (the same user name and password for the built-in
administrator account) on every system, for the ease of creating and managing those systems by the
IT department, without any concern as to the consequences to the organization should these
common credentials be compromised.
With the mandates of PCI-DSS, Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, California Security
Breach Information Acts, NASD 3010, SEC 17a-4, 21 CFR Part 11, DoD 5015.2 and others, the
implementation of reasonably hard to compromise local logon credentials is mandatory for most
organizations as a means for protecting not only the confidentiality of their data, but also to protect
against tampering.
Creating Strong Local Credentials
Enterprise Random Password Manager can change the password of any common account on all
workstations and servers in just a few minutes without the need for scripts or any other type of
program. The new common credentials can be stored in a local or remote SQL Server database and
recovered on demand using the web client.
ERPM can be configured to regularly change the passwords of common accounts on all target
systems (i.e. workstation built-in administrator account) according to a schedule so that each
account receives a fresh cryptographically strong password regularly. This product feature protects
the overall security of an organization so that the compromise of a single machine’s local
administrator password does not lead to the total compromise of the entire organization’s security.
ERPM further builds on these concepts by automatically discovering all references to the specified
account, such as services, tasks, COM and DCOM objects, and more, and following a password
change for a user's account, whether domain or local, propagating the new password to all those
references.
Delegated Password Recovery
ERPM also contains a web client to allow the remote recovery of passwords, access to privileged
sessions, and more. The web client is a web application comprised of ASP and ASP.NET web pages
that grants any user with the appropriate group memberships the right to use the application, as
well as the right to recover passwords for accounts managed by the program. All access to the
ERPM web client and all actions taken therein are logged, and the history is also available via the
same web interface to authorized users.
Because this application protects and provides extremely sensitive information, it is essential that
particular attention be paid to the security settings of the application and that appropriate
encryption such as SSL be used, based on the scope of access provided.
For more information on security hardening, please refer to the proposed options for server
hardening:
http://forum.liebsoft.com/forum/products/enterprise-random-password-manager/enterprise-random-password-manager-knowledgebase/180-server-hardening-guide
1.3 LIMITED WARRANTY
The media (optional) and manual that make up this software are warranted by Lieberman Software
Corporation to be free of defects in materials and workmanship for a period of 30-days from the
date of your purchase. If you notify us within the warranty period of such defects in material and
workmanship, we will replace the defective manual or media (if either were supplied).
The sole remedy for breach of this warranty is limited to replacement of defective materials and/or
refund of purchase price and does not include any other kinds of damages.
Apart from the foregoing limited warranty, the software programs are provided "AS-IS," without
warranty of any kind, either expressed or implied. The entire risk as to the performance of the
programs is with the purchaser. Lieberman Software does not warrant that the operation will be
uninterrupted or error-free. Lieberman Software assumes no responsibility or liability of any kind
for errors in the programs or documentation of/for consequences of any such errors.
This agreement is governed by the laws of the State of California.
Should you have any questions concerning this Agreement, or if you wish to contact Lieberman
Software, please write:
Lieberman Software Corporation
1875 Century Park East, Suite 1200
Los Angeles, CA 90067
You can also keep up to date on the latest upgrades via our website at http://www.liebsoft.com or
e-mail us at: [email protected].
1.4 LICENSE AGREEMENT
This is a legal and binding contract between you, the end user, and Lieberman Software
Corporation. By using this software, you agree to be bound by the terms of this agreement. If you
do not agree to the terms of this agreement, you should return the software and documentation, as
well as all accompanying items promptly for a refund.
1. Your Rights: Lieberman Software Corporation hereby grants you the right to use a single copy of
Enterprise Random Password Manager to control the licensed number of systems and/or devices.
2. Copyright. The SOFTWARE is owned by Lieberman Software Corporation and is protected by
United States copyright law and international treaty provisions. Therefore, you must treat the
software like any other copyrighted material (e.g. a book or musical recording) except that you may
either (a) make one copy of the SOFTWARE solely for backup and archival purposes, or (b) transfer
the SOFTWARE to a single hard disk provided you keep the original solely for backup and archival
purposes. The manual is a copyrighted work. Also, you may not make copies of the manual for any
purpose other than the use of the software.
3. Other Restrictions: You may not rent or lease the SOFTWARE. You may not reverse engineer,
de-compile, or disassemble the SOFTWARE that is provided solely as executable programs (EXE
files). If the SOFTWARE is an update, any transfer must include the update and all prior versions.
When used lawfully, this software periodically transmits to us the serial number and network
identification information of the machine running the software. No personally identifiable
information or usage details are transmitted to us in this case. The program does not contain any
spyware or remote control functionality that may be activated remotely by us or any other third
party.
Chapter 2 Understanding Session Recording
Session recording consists of two pieces: the recorder and the transcoder. The recorder is the
Application Launch Server. The transcoder component converts the raw video from the session
recorder to playable video. These videos will be played back via streaming media services through
the ERPM website.
Note: Session recording only works for applications launched via the LiebsoftLauncher application.
That means that any users that retrieve passwords and connect directly will not have their sessions
recorded when using this session recording technology.
The flow for session recording is as follows:
1) The application is launched on the Application Launch Server and session recording is initiated.
2) After the session exits, the raw recorded files are copied to the designated source directory on
the transcoder host.
3) The ERPM file watcher server picks up the raw files and moves them to the working directory
where they are formatted, converted, and watermarked.
4) Completed files are moved to the SessionRecording directory on the transcoder host.
5) IIS and Media Server will stream the videos to requesting authorized users.
Recorded sessions are available in the ERPM auditing section with a camera icon next to their audit
entry.
To play back the recorded sessions, the user clicks the film icon.
Chapter 3 Installing the Application Launcher and Session Recording Features
The following sections outline the steps to prepare for and install the Application Launcher and
optional session recording components. Application Launching is an add-on for ERPM. Application
Launching can be configured with or without the Session Recording component. Session Recording
is provided for free when the Application Launcher add-on is purchased. However, the provided
session recording only works with applications launched using the ERPM application launcher.
Note: Instructions for upgrading the Application Launcher and Session Recording components are
located in the ERPM Installation Guide. See the Upgrade the Application Launcher topic.
IN THIS CHAPTER
Application Launcher and Session Recording Installation Overview ....... 14
Application Launcher and Session Recording Installation Prerequisites . 19
Step 1. Install Remote Desktop Services .................................................. 20
Step 2. Install Desktop Experience ........................................................... 45
Step 3. Install the Application Launcher and Session Recording Feature .. 54
Step 4. Set up RDS for Application Launching ......................................... 77
Step 5. Set Up Streaming Media Services ................................................ 88
Step 6. Configure IIS to Host Recorded Sessions ..................................... 93
3.1 APPLICATION LAUNCHER AND SESSION RECORDING INSTALLATION OVERVIEW
Planning Your Installation
The application launching capability of ERPM requires an Application Launch Server (also called a
jump server). An Application Launch Server in the context of ERPM is a Windows Remote Desktop
Session Services machine that will proxy connections to specific target systems.
Session recording is an optional feature that requires additional resources to install and operate.
Session recording processes video files in three phases:
Recording. The Session Recorder component on the Application Launch Server records the
session and copies the resulting file(s) for video transcoding.
Transcoding. The Video Transcoding Service component compresses the raw video file and
processes it for streaming. We recommend installing the transcoding component on the web
server running ERPM (provided the hardware can support it), but it can be installed on the
Application Launch Server or on another server. Transcoding videos requires significant
overhead in terms of CPU usage. We recommend installing the video transcoding component to
the ERPM web server because the web server is usually under-utilized, but you can install it on
any machine with adequate resources.
Streaming. The Media Server component streams the video file for viewing on demand. We
recommend installing the media server on the web server running ERPM, but it can be installed
on any server that has IIS installed.
The following diagrams illustrate three deployment scenarios. Deployment 1 places the recording,
transcoding, and streaming components on the Application Launch Server.
Deployment 2 places the recording and transcoding components on the Application Launcher
Server, and the streaming component on the web server. This deployment may make sense if the
CPU on the Application Launcher Server is powerful and can quickly process the raw video for
streaming. Note that this deployment model does not require IIS on the Application Launch Server.
Deployment 3 places the recording component on the Application Launch Server, and the
transcoding and streaming components on the web server. This model is recommended, provided
that the web server is sized to handle the demands placed on it by the video transcoding service.
Understanding the Installation Process
The following sections describe the installation of these components:
Note: Be sure your environment meets the requirements in the prerequisites section before starting
the installation steps. See Application Launcher and Session Recording Installation Prerequisites
(on page 19).
1) Install Remote Desktop Services on the Application Launch Server.
2) Install Desktop Experience on the servers that will run the video transcoding service and the
Application Launcher & Session Recorder components. If you are not going to enable session
recording, you do not need to install the Desktop Experience feature.
3) Install the Application Launcher & Session Recording component. You can install the
Application Launcher without the Session Recording feature. If installing the Session Recording
feature, the Application Launcher is also required.
This section has additional steps that detail how to install the Application Launcher & Session
Recorder components across multiple systems.
4) Configure Remote Desktop Services for application launching.
5) Install and configure the Media Server (Streaming Media Services). This is only required if using
session recording.
6) Configure Internet Information Server (IIS) to host recorded sessions. This is only required if
using session recording.
Steps 1, 2, and 4 each have subsections that detail how to perform them on Windows Server
2008 R2 or Windows Server 2012 (R2).
3.2 APPLICATION LAUNCHER AND SESSION RECORDING INSTALLATION PREREQUISITES
Windows Server operating system for the Application Launch Server:
Windows Server 2012 R2 (recommended)
Windows Server 2012
Windows Server 2008 R2
We recommend that all servers in the ERPM system be fully patched.
Note: Earlier versions of Windows Server are not supported. Windows workstation platforms are
not supported for hosting the application launcher.
The following items will be required for application launching and session recording:
Remote Desktop Session Host server role.*
Desktop Experience if using session recording.
Existing ERPM installation and installed files (SupplementalInstallers directory)
ERPM Web Service installed with SSL and no certificate errors and accessible from the
Application Launch Server. If using self-signed certificates, the certificate from the issuing web
server should be added to the Trusted Root Certification Authorities on the machines hosting
the Web Service, the Application Launch Server, and client systems.
.NET Framework 4.x on the Application Launch Server and transcoder hosts.
.NET Framework 4.x on machines connecting to run an application.
* Microsoft Remote Desktop Services (RDS) will require additional licensing be purchased from
Microsoft.
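As an added check that is not part of this manual, the following PowerShell script verifies the prerequisites listed above on the intended Application Launch Server: supported server OS, the RD Session Host role, Desktop Experience (when session recording is planned), .NET Framework 4.x, and that the ERPM Web Service answers over SSL without a certificate error. It assumes PowerShell 3.0 or later and Server 2012 (R2) for Get-WindowsFeature (on Server 2008 R2 run Import-Module ServerManager first); the web service URL is a placeholder to replace.

```powershell
# Added prerequisite check for an ERPM Application Launch Server (not from the manual).
# Run on the candidate launch server as an administrator.
param(
    [string]$ErpmWebServiceUrl = 'https://erpm-web.example.com/ERPMWebService/',  # placeholder URL
    [switch]$SessionRecording   # set when the Session Recording feature will be installed
)

$results = @()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $script:results += [pscustomobject]@{ Check = $Name; Passed = $Ok; Detail = $Detail }
}

# 1. Supported platform: Windows Server 2008 R2 (6.1) or later, server SKU only
#    (Win32_OperatingSystem.ProductType 1 means a workstation, which is unsupported).
$os  = Get-WmiObject -Class Win32_OperatingSystem
$ver = [version]$os.Version
Add-Check 'Windows Server 2008 R2 or later' `
    (($ver -ge [version]'6.1') -and ($os.ProductType -ne 1)) `
    "$($os.Caption) $($os.Version)"

# 2. Remote Desktop Session Host role (feature name RDS-RD-Server) and, for
#    session recording, the Desktop Experience feature.
$rdsh = Get-WindowsFeature -Name RDS-RD-Server
Add-Check 'RD Session Host role' $rdsh.Installed "$($rdsh.InstallState)"
if ($SessionRecording) {
    $dx = Get-WindowsFeature -Name Desktop-Experience
    Add-Check 'Desktop Experience (session recording)' $dx.Installed "$($dx.InstallState)"
}

# 3. .NET Framework 4.x: the v4\Full key exists only when 4.0 or later is installed.
$net4 = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$net4Version = if (Test-Path $net4) { (Get-ItemProperty -Path $net4).Version } else { 'not installed' }
Add-Check '.NET Framework 4.x' (Test-Path $net4) $net4Version

# 4. ERPM Web Service reachable over SSL with a trusted certificate. Invoke-WebRequest
#    fails the request when the certificate is untrusted or its name does not match,
#    which is exactly the condition the prerequisites rule out, so certificate
#    validation is deliberately left enabled here.
try {
    $resp = Invoke-WebRequest -Uri $ErpmWebServiceUrl -UseBasicParsing -TimeoutSec 15
    Add-Check 'ERPM Web Service over SSL' ($ErpmWebServiceUrl -like 'https://*') "HTTP $($resp.StatusCode)"
} catch {
    if ($_.Exception -is [System.Net.WebException] -and $_.Exception.Response) {
        # An HTTP error reply (for example 401/404 on the service root) still proves
        # that the TLS handshake and certificate validation succeeded.
        $code = [int]$_.Exception.Response.StatusCode
        Add-Check 'ERPM Web Service over SSL' ($ErpmWebServiceUrl -like 'https://*') "TLS OK, HTTP $code"
    } else {
        Add-Check 'ERPM Web Service over SSL' $false $_.Exception.Message
    }
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Passed }) { exit 1 }
```

A non-zero exit code means at least one prerequisite is missing; the Detail column names the failing item, for example a certificate trust error from the web service check.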
3.3 STEP 1. INSTALL REMOTE DESKTOP SERVICES
The following sub-sections document how to install Remote Desktop Services on both a Windows
Server 2008 R2 and Windows Server 2012 (R2) host. If multiple Application Launch Servers will be
employed, they do not need to all run on the same operating system, but they do all need to be
Windows Server 2008 R2 or later (2012 R2 recommended).
3.3.1 Installing Remote Desktop Services for Server 2012 (R2)
This section covers installation of the prerequisites on a Windows Server 2012 and Windows Server
2012 R2 host which will function as an Application Launch Server for the purposes of launching
applications.
Open Server Manager and select Add Roles and Features.
Click Next on the Before You Begin page.
On the Select installation type page select Remote Desktop Services installation then click Next.
On the Select deployment type page, choose a deployment type and click Next.
The steps presented here go through a standard deployment, where the admin must configure a
collection after the RDS installation. The Quick Start method is faster and creates a collection
automatically, but it also adds and publishes additional applications that are unnecessary and
provides no configuration options.
On the Select deployment scenario page, select Session-based desktop deployment, then click Next.
Click Next on the Role Services page.
On the Specify RD Connection Broker server page, select the server from the Server Pool field, then
add it to the selected computer field by clicking the right arrow head between the two fields.
Click Next to continue.
On the Specify RD Web Access server page, select the server from the Server Pool field, then add it
to the selected computer field by clicking the right arrow head between the two fields.
Click Next to continue.
On the Confirm selections page, click Deploy. Restart the host if required.
After restarting, open Server Manager and click on Remote Desktop Services from the right pane,
then click on Collections from the center pane. A new collection must be made to publish the ERPM
application used to launch software from the Application Launch Server.
At the top right corner, select Tasks and click Create Session Collection.
On the Before you begin page, click Next.
On the Name the collection page, supply a friendly name for the collection and click Next.
On the Specify RD Session Host server page, select the server from the Server Pool field, then add it
to the selected computer field by clicking the right arrow head between the two fields. Then click
Next.
ERPM will use a proxy account to connect to the Application Launch Server prior to launching the
selected application. This account will either need to be added to a group which can RDP to the
target Application Launch Server and launch subsequent applications, or should be added directly as
a user which can connect to the RD Session host server. Description of this account is covered in the
parent section, 1. Installing Remote Desktop Services.
Click Next to continue.
On the Specify user profile disks page, click Next.
On the Confirm selections page, click Create.
An empty collection will be created. The installation and configuration of the launcher application
will be described later in this document.
3.3.2 Installing Remote Desktop Services for Server 2008 R2
This section covers installation of Remote Desktop Services on a Windows Server 2008 R2 host as
required for Application Launch Server services.
Start Server Manager and select Add Roles. Click Next on the welcome page and select Remote
Desktop Services then click Next.
Click Next on the Introduction to Remote Desktop Services page.
On the Select Role Services page, select Remote Desktop Session Host, then click Next.
Click Next on the Uninstall and Reinstall Applications for Compatibility page.
On the Specify Authentication Method for Remote Desktop Session Host page, choose the option
that best suits your company's needs. The option to Require Network Level Authentication will
provide greater security but may only work properly for newer hosts and if all incoming connections
are properly verified. The option Do not require Network Level Authentication will provide greater
compatibility for all connecting systems but may reduce the overall security of the Application
Launch Server. Click Next to continue.
Installing the Application Launcher and Session Recording Features 41
On the Specify Licensing Mode page, a remote desktop session license mode must be selected. If
RDS client access licenses are not yet available but will be soon, select Configure later. If unsure
about what option to choose, select Configure later, and then contact your Microsoft licensing
services manager. RDS will function for 120 days without a proper licensing server. If RDS CALs are
available, then choose the proper Per Device or Per User model for your organization.
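The two choices above (authentication method and licensing mode) can be checked and, for NLA, enforced after the role is installed. The following is an added example for this guide, not part of the ERPM manual or product; it assumes the default RDP listener name RDP-Tcp and is run elevated on the RD Session Host:

```powershell
# Added example (not from the ERPM manual): report and enforce Network Level
# Authentication on the RD Session Host and show the RDS licensing state.
# Assumes the default listener name 'RDP-Tcp'. Run elevated on the session host.

$ns = 'root\cimv2\TerminalServices'

# RDP listener: NLA flag and security layer (0 = RDP, 1 = Negotiate, 2 = TLS)
$rdp = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"
"NLA required         : $([bool]$rdp.UserAuthenticationRequired)"
"Security layer       : $($rdp.SecurityLayer)"

# Enforce NLA. Clients that cannot do CredSSP will be refused from now on, so
# verify the ERPM proxy account can still connect before leaving this in place.
if (-not $rdp.UserAuthenticationRequired) {
    $rdp.SetUserAuthenticationRequired(1) | Out-Null
    "NLA has been enabled on RDP-Tcp"
}

# Licensing: mode and the days left in the 120-day grace period the manual mentions.
# LicensingType: 2 = Per Device, 4 = Per User, 5 = Not configured
$tss   = Get-WmiObject -Namespace $ns -Class Win32_TerminalServiceSetting
$grace = $tss.GetGracePeriodDays()
"Licensing mode       : $($tss.LicensingType)"
"Grace days remaining : $($grace.DaysLeft)"
```

The grace-period figure is the number to watch if Configure later was chosen: once it reaches zero, the session host stops accepting connections from non-administrative users, which includes the ERPM proxy account.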
ERPM will use a proxy account to connect to the Application Launch Server prior to launching the
selected application. This account will either need to be added to a group that can RDP to the target
Application Launch Server and launch subsequent applications, or should be added directly as a user
that can connect to the RD Session host server. Description of this account is covered in the parent
section, 1. Installing Remote Desktop Services.
Click Next to continue.
On the Configure Client Experience page, it is recommended to leave all options deselected. Click
Next to continue.
On the Confirm Installation Selections page, examine the installation selections. If everything is
correct, click Install. The server will need to reboot after installation.
The installation and configuration of the launcher application will be described later in this
document.
3.4 STEP 2. INSTALL DESKTOP EXPERIENCE
If you are not going to enable session recording, you do not need to install the Desktop Experience
feature. If you plan to enable session recording, install the Desktop Experience feature now.
Microsoft Desktop Experience is included with Windows Server 2008 and 2012. If you installed
Windows Server as a Server Core installation, Desktop Experience is not yet installed on your server.
If you installed a Full Windows Server installation, Desktop Experience may already be installed on
your server. For more information about Desktop Experience, see the following TechNet article:
https://technet.microsoft.com/en-us/library/dn609826.aspx
If you install the video transcoding service and the Application Launcher & Session Recorder
components on separate systems, install the Desktop Experience on the Application Launch Server
and the system that runs the video transcoder. You do not need to install Desktop Experience on
the streaming media server.
3.4.1 Installing Desktop Experience for Server 2012 (R2)
If session recording will be configured then the Desktop Experience must be installed. To add the
Desktop Experience, open Server Manager and select Add Features.
On the Features page, expand User Interfaces and Infrastructure, and select Desktop Experience.
If prompted for additional components, click Add Features.
Also select any other features that applications to be launched from this system will require
(such as .NET Framework 3.5.1 or 4.x), then click Next.
Continue through to the end of the wizard. Click Close when done. Installation of the Desktop
Experience will require a restart of the host.
3.4.2 Installing Desktop Experience for Server 2008 R2
If session recording will be configured then the Desktop Experience must be installed. To add the
Desktop Experience, open Server Manager and select Add Features.
On the Features page, select Desktop Experience.
If prompted for additional components, click Add Required Features.
Click Next to continue.
Once the installation is complete, click Close and restart the server.
3.5 STEP 3. INSTALL THE APPLICATION LAUNCHER AND SESSION RECORDING FEATURE
This step covers the installation of the application launcher and the optional session recording
feature.
If you are not installing the session recording feature, skip the section titled "On the Transcoder
Host" and go to the section titled "On the Application Launch Server."
If you are installing the session recording feature, complete the section titled "On the
Transcoder Host" if you are installing the video transcoding service on a server OTHER THAN the
Application Launch Server.
If you are installing the session recording feature and you will be running the transcoding
service on the Application Launch Server, skip the section titled "On the Transcoder Host" and
go to the section titled "On the Application Launch Server."
The application launching capability of ERPM is best utilized with an Application Launch Server. An
Application Launch Server in the context of ERPM is a Windows Remote Desktop Session Services
machine (formerly Terminal Services) that will proxy connection attempts made to specific target
systems. The Application Launch Server will have all programs used to connect to target systems
installed on it. ERPM will use a proxy account to connect to the Application Launch Server. This
account can and should be managed by ERPM, but automated management is not necessary as a
static un-stored password may also be used.
Session recording for ERPM records remote sessions that ERPM initiates using the application
launcher deployed on the Application Launch Server. Recorded sessions are copied from the
Application Launch Server to a machine functioning as a video transcoder. The transcoder converts
videos from the raw format to one that can be played back by the machine functioning as a
streaming media server.
This section outlines the installation of session recording for application launching on two separate
machines functioning independently. In sub-section 5, the installation of streaming media services
will be detailed for the purposes of streaming the final recorded sessions.
3.5.1 Installing on the Transcoder Host
To begin installing the session recording software on the machine that will function as the video
transcoder, open the SupplementalInstallers sub-folder from the ERPM installation directory,
typically "%programfiles (x86)\Lieberman\Roulette". Copy ERPMRemoteLauncherInstaller.exe to
the machine that will function as the transcoder and launch the installer.
Click Next on the welcome page.
Read and accept the license agreement to continue installation. Then click Next to continue.
Enter the full SSL-secured URL to the ERPM application-launcher web service. ERPM Web Services
are installed separately, typically on the ERPM web server. The application launcher web service is
installed with the standard ERPMWebService installer package. The URL is typically
https://webserverHost/ERPMWebService/WebLauncherBackEndService.svc.
Click Test to validate the URL. Any certificate issues must be corrected before installation can
properly succeed. If the web page does not appear at all, validate the URL and try again or install
Web Services. See Installing the Web Service in the ERPM Programmer's Reference for installation
instructions.
If the page tests without issue or errors, click Next to continue.
For the transcoder host, select to install:
Microsoft Expression 4 Encoder SP2
Session Recorder and File Watcher Service
Select the installation directory. Click Next to continue.
On the transcoder host, make note of the source and destination directories. This directory will be
used in later instructions when setting up the application launcher and streaming media services.
This directory will also be shared between the transcoder and the Application Launch Server if they
are on two separate systems.
On the transcoder host, set the service identity to run as either Local System or as a Specific User.
Local system offers the benefit of already having proper access and no password management
requirements.
Running as a specific user will offer the path of least privilege but will require configuring NTFS
permissions on the Source directory from the previous step for read, write, and delete files
(Modify) and will also require a password be managed (which ERPM has the ability to do
automatically).
Running the File Watcher service as Local System is recommended on the transcoder host.
Click Next to continue.
Click Install to continue.
Click Finish to complete the first part of the installation.
After the initial installation is complete, a separate installation for the Microsoft Expressions
recorder will be initiated automatically.
Accept the License agreement for the Microsoft Expressions recorder.
Click Next on the Enter product key page. There is no product key to enter.
Elect to join the Microsoft customer experience or not. Click Next to continue.
Select to install Expression Encoder 4 and click Install.
Click Finish to complete the installation.
IMPORTANT NOTES REGARDING THIS INSTALLATION!
This installation will take additional actions that are not visible in the installer:
A [Domain] Local security group will be created called WriteRecordingGroup. If the installation
is taking place on a domain controller, the group is created in the Users container.
The Domain Admins group will be added to this WriteRecordingGroup.
The installer will create and share the following directory:
%inetpub%\wwwroot\SessionRecording as SessionRecording. This directory is used to copy
compiled session recordings from the Application Launch Server to the transcoder host. This
scenario would apply if using the FFMPeg video recorder rather than the Expressions recorder.
If the transcoder component is installed on the Application Launch Server, or if the Expression
session recorder is the only used session recorder, this share may be safely deleted. This share
directory will be required when configuring the Application Launch Server for app launching
with session recording.
The installer will create and share the following directory: %programfiles
(x86)%\Lieberman\Roulette\LaunchApp\Transcoders\Source as Source. This directory will be
used by the Application Launch Server to copy raw session recording files to the transcoder
host(s). If the transcoder component is installed on the Application Launch Server, this share
can be safely deleted. This scenario would apply if using the Expressions 4 recording software.
This share directory will be required when configuring the Application Launch Server for app
launching with session recording.
The share permissions on each of these shares will grant WriteRecordingGroup "Full Control".
The minimum permission required is "Change".
Test the Installation
The installer automatically opens the "Session Recording Configuration" dialog.
Click Test to verify that the installation is valid and can connect to the web service endpoint.
3.5.2 Installing on the Application Launch Server
To begin installing the application launcher (and, if session recording will be used, the session
recording software) on the machine that will function as the Application Launch Server, open the
SupplementalInstallers sub-folder from the ERPM installation directory,
typically "%programfiles (x86)\Lieberman\Roulette". Copy ERPMRemoteLauncherInstaller.exe to
the Application Launch Server and launch the installer.
Click Next on the welcome page.
Read and accept the license agreement to continue installation. Then click Next to continue.
Enter the full SSL-secured URL to the ERPM application-launcher web service. ERPM Web Services
are installed separately, typically on the ERPM web server. The application launcher web service is
installed with the standard ERPMWebService installer package. The URL is typically
https://webserverHost/ERPMWebService/WebLauncherBackEndService.svc.
Click Test to validate the URL. Any certificate issues must be corrected before installation can
properly succeed. If the web page does not appear at all, validate the URL and try again or install
Web Services. See Installing the Web Service in the ERPM Programmer's Reference for installation
instructions.
If the page tests without issue or errors, click Next to continue.
For the Application Launch Server host, if session recording WILL BE enabled, select to install:
Microsoft Expression 4 Encoder SP2
Session Recorder and File Watcher Service
Application Launcher
If session recording will NOT be enabled, select to install:
Application Launcher
Select the installation directory. Click Next to continue.
Click Next on the video transcoder paths.
On the Application Launch Server host, set the service identity to run as a Specific User, Network
Service, or Local System.
Local System offers the benefit of already having proper access and no password management
requirements. If the transcoder is running on a separate system and Local System is used, then
the computer account of the Application Launch Server host must be granted Modify access to
the Source directory on the transcoder host.
Network Service has fewer rights than Local System and likewise needs no password
management. If the transcoder is running on a separate system and Network Service is used, then
the computer account of the Application Launch Server host must be granted Modify access to
the Source directory on the transcoder host. "NT Authority\Network Service" must also be granted
Modify access to the Session Recording directory.
Running as a specific user is the least-privilege option but requires configuring NTFS permissions
on the Source directory from the previous step for read, write, and delete of files (Modify), and
requires a password to be managed (which ERPM can do automatically).
Running as a specific user is recommended for the File Watcher service on the Application Launch
Server host when the transcoder is on a separate system.
Click Next to continue.
Click Install to continue.
Click Finish to complete the first part of the installation.
After the initial installation is complete, a separate installation for the Microsoft Expressions
recorder will be initiated automatically.
Accept the License agreement for the Microsoft Expressions recorder.
Click Next on the Enter product key page. There is no product key to enter.
Elect to join the Microsoft customer experience or not. Click Next to continue.
Select to install Expression Encoder 4 and click Install.
Click Finish to complete the installation.
This installation will take additional actions that are not visible in the installer:
A [Domain] Local security group will be created called WriteRecordingGroup. If the installation
is taking place on a domain controller, the group is created in the Users container. This group
may be safely deleted from the Application Launch Server host if it is also functioning as the
transcoder host.
The Domain Admins group will be added to this WriteRecordingGroup.
The installer will create and share the following directory:
%inetpub%\wwwroot\SessionRecording as SessionRecording. This directory is used to copy
compiled session recordings from the Application Launch Server to the transcoder host. This
scenario would apply if using the FFMPeg video recorder rather than the Expressions recorder.
This share directory will be required when configuring the Application Launch Server host for
app launching with session recording. If the transcoder and Application Launch Server host is
the same system this share can be safely deleted.
The installer will create and share the following directory: %programfiles
(x86)%\Lieberman\Roulette\LaunchApp\Transcoders\Source as Source. This directory will be
used by the Application Launch Server hosts to copy raw session recording files to the
transcoder host(s). This scenario would apply if using the Expressions 4 recording software. This
share directory will be required when configuring the Application Launch Server host for app
launching with session recording. If the transcoder and Application Launch Server host is the
same system this share can be safely deleted.
The share permissions on each of these shares will grant WriteRecordingGroup "Full Control".
The minimum permission required is "Change".
Test the Installation
The installer automatically opens the "Session Recording Configuration" dialog.
Click Test to verify that the installation is valid and can connect to the web service endpoint.
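The installer notes for the transcoder host and for the Application Launch Server both describe the same hidden side effects (the WriteRecordingGroup with Domain Admins in it, two shares with Full Control, and the need for Modify on the Source directory for whatever identity the launch server's File Watcher runs as). The script below is an added example for this guide, not ERPM's own code; it audits those side effects on the transcoder host and reduces them to the minimum the notes state. It assumes Windows Server 2012 or later for the Smb* cmdlets and uses constructed names (domain CONTOSO, Application Launch Server computer account CONTOSO\ALS01$, the identity seen on the transcoder when the launch server's File Watcher runs as Local System or Network Service):

```powershell
# Added example, not part of the ERPM manual. Run elevated on the transcoder host
# (Windows Server 2012+ for the Smb* cmdlets; on 2008 R2 use "net share" instead).
# Audits what ERPMRemoteLauncherInstaller created and tightens it to the documented
# minimum: share permission Change instead of Full Control, and NTFS Modify on the
# Source directory for the one identity that writes raw recordings.
# Assumed (constructed) names: domain CONTOSO, launch server computer account CONTOSO\ALS01$.

$group       = 'WriteRecordingGroup'
$writerIdent = 'CONTOSO\ALS01$'   # or the specific service user chosen on the launch server
$shares      = 'Source', 'SessionRecording'

# 1. Group membership. The installer adds Domain Admins; the recording pipeline does
#    not need that, so replace it with the identity that actually writes recordings.
$grp = [ADSI]"WinNT://./$group,group"
$members = @($grp.psbase.Invoke('Members') |
    ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
"$group members before: $($members -join ', ')"
if ($members -contains 'Domain Admins') {
    net localgroup $group 'Domain Admins' /delete | Out-Null
}
if ($members -notcontains $writerIdent.Split('\')[-1]) {
    net localgroup $group $writerIdent /add | Out-Null
}

# 2. Shares. Both are published with Full Control for the group; Change is the
#    documented minimum and, unlike Full Control, cannot rewrite the share ACL.
foreach ($name in $shares) {
    $share = Get-SmbShare -Name $name -ErrorAction SilentlyContinue
    if (-not $share) { "$name is not shared (expected when launcher and transcoder are one host)"; continue }
    "$name -> $($share.Path)"
    Get-SmbShareAccess -Name $name |
        ForEach-Object { "    $($_.AccountName): $($_.AccessControlType) $($_.AccessRight)" }
    Revoke-SmbShareAccess -Name $name -AccountName $group -Force | Out-Null
    Grant-SmbShareAccess  -Name $name -AccountName $group -AccessRight Change -Force | Out-Null
    # Broad principals have no business on a share that receives privileged-session video
    foreach ($acct in 'Everyone', 'NT AUTHORITY\Authenticated Users') {
        Revoke-SmbShareAccess -Name $name -AccountName $acct -Force -ErrorAction SilentlyContinue | Out-Null
    }
}

# 3. NTFS on Source: the launch server's File Watcher needs read, write and delete
#    (Modify) so it can drop raw files and the transcoder can remove them; nothing more.
$src = (Get-SmbShare -Name 'Source' -ErrorAction SilentlyContinue).Path
if ($src) {
    $acl  = Get-Acl -Path $src
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $writerIdent, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $src -AclObject $acl
    (Get-Acl -Path $src).Access |
        Where-Object { $_.IdentityReference -eq $writerIdent } |
        ForEach-Object { "NTFS ${src}: $($_.IdentityReference) $($_.FileSystemRights)" }
}
```

Run it once after the installer finishes and again after any reinstall, since the installer recreates the group membership and share permissions each time.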
3.6 STEP 4. SET UP RDS FOR APPLICATION LAUNCHING
This section details configuring RemoteApp on the RD Session Host to launch the ERPM
Application Launcher. The application launcher is a bootstrapper used to launch configured
applications and provide them with authentication information.
When a user clicks a "Launch App" link in the ERPM web interface, this application is called. It
obtains the necessary credential information for the application to launch, and then launches the
application on the Application Launch Server. In turn, RemoteApp displays the remote application
on the user's workstation as if it were a local application.
3.6.1 Configuring Remote App for Server 2012 (R2)
Open Server Manager and click the Remote Desktop Services link on the left pane. Then click
Collections. Select the collection to configure the ERPM Application Launcher.
In the REMOTEAPP PROGRAMS area, click Tasks and select Publish RemoteApp Programs. Then
click Add on the Publish RemoteApp programs dialog.
Select LiebsoftLauncher.exe from the application launcher installation location on the Application
Launch Server (configured in step 3 previously). The default directory for this file is: C:\Program
Files (x86)\Lieberman\Roulette\LaunchApp. Then click Next.
On the Confirmation page, click Publish.
Once the LiebsoftLauncher application is published, right-click on it in the RemoteApp Programs list
and select Edit Properties.
On the General tab, set the Show the RemoteApp program in RD Web Access option to No.
Although everything will work fine if this is not done, there is no need to publicize this application.
On the Parameters tab, set the Command-line Parameters option to Allow any command-line
parameters. The LiebsoftLauncher command line differs every time it is run, depending on factors
such as session IDs, the programs being run and the parameters included when launching them.
Because the program is published with unrestricted command-line parameters, the User
Assignment restriction in the next step is what limits who can invoke it.
On the User Assignment tab, it is highly recommended to change the User Assignment option to
a specific user or group of users. Specifically, ERPM will connect to the server as a pre-designated
account (which should be managed by ERPM). This is the only account that will require access to run
the program. This account will be covered later in the Configuring Application Launching section.
The account assigned here will require any permissions and rights needed to launch the desired
programs.
Click OK when done.
3.6.2 Configuring Remote App for Server 2008 R2
Open Server Manager and expand the Remote Desktop Services > RemoteApp Manager nodes in
the left pane.
In the RemoteApp Programs area, right-click and select Add RemoteApp Programs. Click Next on
the Welcome page then click Browse on the Choose programs to add to the RemoteApp Programs
list page.
Select LiebsoftLauncher.exe from the application launcher installation location on the
Application Launch Server (configured in step 3 previously). The default directory for this file is:
C:\Program Files (x86)\Lieberman\Roulette\LaunchApp. Then click Next.
On the Review Settings page, click Finish.
Once the LiebsoftLauncher application is added, right-click on it in the RemoteApp Programs list and
select Properties.
Note: CAUTION! DO NOT CHANGE THE ALIAS value.
De-select the check box for RemoteApp program in RD Web Access. Although everything will work
fine if this is not done, there is no need to publicize this application.
Set the Command-line arguments option to Allow any command-line parameters. The
LiebsoftLauncher command line differs every time it is run, depending on factors such as session
IDs, the programs being run and the parameters included when launching them. Because the
program is published with unrestricted command-line parameters, the User Assignment restriction
in the next step is what limits who can invoke it.
On the User Assignment tab, it is highly recommended to change the User Assignment option to
a specific user or group of users. Specifically, ERPM will connect to the server as a pre-designated
account (which should be managed by ERPM). This is the only account that will require access to run
the program. This account will be covered later in the Configuring Application Launching section.
The account assigned here will require any permissions and rights needed to launch the desired
programs.
Click OK when done.
3.7 STEP 5. SET UP STREAMING MEDIA SERVICES
Streaming Media Services is used to provide smooth streaming of the recorded sessions from the
streaming host (typically the ERPM web server) to the client's browser and video player.
Installation of this component is only required if session recording will be used. If you do not plan on
using the free session recording module provided with ERPM, this component is not required.
To begin installing the streaming media software on the machine that will function as the streaming
video server, open the SupplementalInstallers sub-folder from the ERPM installation directory,
typically %programfiles (x86)\Lieberman\Roulette. Copy IISMEdia64.msi to the machine that
will function as the streaming video server and launch the installer.
The installation of IIS Media Services requires a basic stock installation of IIS to be available on the
same host server.
Click Next on the welcome page.
Read and accept the terms of the license agreement, then click Next.
Leave the default options selected then click Next.
Click Install.
Click Finish.
3.8 STEP 6. CONFIGURE IIS TO HOST RECORDED SESSIONS
This step is only required if session recording has been enabled. If session recording is not enabled,
then do not perform this step. This will likely be configured on the same system where Streaming
Media Services was installed.
When an application is launched using the Application Launch Server and that application is
configured to also record the session, the recorded sessions will first be placed into a pre-configured
directory on the machine that will ultimately host the videos for later playback. When using the
Microsoft Expressions session recorder, the files will first be copied locally to the file system. The
File Watcher Service will then move the raw files to a share called "Source" on a machine that is
configured as the video transcoder (typically the ERPM web server, but could be any machine).
Once the raw XESC files are copied to the transcoder, the File Watcher service on that machine will
transcode the videos to WMV format and move the compiled files into the "SessionRecording"
share on the same system. It is this directory that will be hosted in IIS and made available via the
ERPM website.
To configure IIS on the machine that will host the compiled videos, not much work is required as the
application launcher installer will have configured most of the required elements:
The default website will have a new virtual directory added to it called SessionRecording. This
directory will point to %inetpub%\wwwroot\SessionRecording.
The only change that may need to be made is to set the authentication scheme to anonymous. To
do this, open IIS Manager, expand the default website, select the SessionRecording virtual directory
(scope the change to the virtual directory, not the whole site, so the ERPM web application keeps
its own authentication), and open the Authentication feature. Enable Anonymous Authentication
and disable all other authentication types.
Note that with anonymous authentication anyone who can reach the website can fetch a recording
by its path, and recordings contain whatever was on screen during a privileged session. Keep
directory browsing disabled on the virtual directory and limit network access to the site to the
hosts that need playback.
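The IIS change above, scripted, as an added example for this guide rather than ERPM's own code. It assumes the site name Default Web Site, the WebAdministration module (Server 2008 R2 / 2012), and a constructed playback network of 10.0.5.0/24; the IP allow-list step needs the IP and Domain Restrictions role service installed:

```powershell
# Added example, not part of the ERPM manual. Run elevated on the IIS host that
# serves the transcoded recordings. Verifies the installer's virtual directory,
# scopes the anonymous-only authentication change to that directory, disables
# directory listing, and allow-lists the playback network.
# Assumptions: site 'Default Web Site'; 10.0.5.0/24 (constructed) is where ERPM
# users play back sessions from. ipSecurity needs "IP and Domain Restrictions".
Import-Module WebAdministration

$site    = 'Default Web Site'
$vdir    = 'SessionRecording'
$loc     = "$site/$vdir"
$apphost = 'MACHINE/WEBROOT/APPHOST'

$v = Get-WebVirtualDirectory -Site $site -Name $vdir
if (-not $v) { throw "Virtual directory '$vdir' not found under '$site'; re-run the launcher installer here." }
"$vdir -> $($v.physicalPath)"

# Authentication, written with -Location so only the virtual directory changes and
# the ERPM web application on the same site keeps its own settings.
$auth = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath $apphost -Location $loc `
    -Filter "$auth/anonymousAuthentication" -Name enabled -Value $true
foreach ($m in 'windowsAuthentication', 'basicAuthentication', 'digestAuthentication') {
    Set-WebConfigurationProperty -PSPath $apphost -Location $loc `
        -Filter "$auth/$m" -Name enabled -Value $false -ErrorAction SilentlyContinue
}

# No directory listing: an anonymous caller then needs the exact file name, which
# only the ERPM playback page hands out.
Set-WebConfigurationProperty -PSPath $apphost -Location $loc `
    -Filter 'system.webServer/directoryBrowse' -Name enabled -Value $false

# Allow-list the playback network; every other source address gets 403.
$ipsec = 'system.webServer/security/ipSecurity'
Set-WebConfigurationProperty -PSPath $apphost -Location $loc -Filter $ipsec -Name allowUnlisted -Value $false
Add-WebConfiguration -PSPath $apphost -Location $loc -Filter $ipsec `
    -Value @{ ipAddress = '10.0.5.0'; subnetMask = '255.255.255.0'; allowed = 'true' }

# Report the effective settings for the virtual directory
foreach ($f in "$auth/anonymousAuthentication", "$auth/windowsAuthentication", 'system.webServer/directoryBrowse') {
    $e = Get-WebConfigurationProperty -PSPath $apphost -Location $loc -Filter $f -Name enabled
    $val = if ($e -is [bool]) { $e } else { $e.Value }
    "{0,-55} enabled={1}" -f $f, $val
}
```

If the authentication sections are locked at the server level (the default for a fresh IIS install), unlock them first with the same cmdlets against the site-level PSPath or via Feature Delegation in IIS Manager; the script fails with a lock-violation error rather than silently applying the change at the wrong scope.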
Chapter 4 Configuring Application Launching and Session Recording
Following installation, there are five mandatory configuration steps that are required to use the
application launcher and the session recorder. The remaining steps in this section are optional.
1) Configure an Application Launch Server Logon Account (on page 96)
2) Configure the Web Launcher Settings (on page 122)
3) Configure the Application Launch Server Settings (on page 125)
4) Configure the Application Launch Server Host (on page 130)
5) Configure Applications for Launching (on page 139)
IN THIS CHAPTER
Configure an Application Launch Server Logon Account ........................ 96
Configure the Web Launcher Settings .................................................. 122
Configure the Application Launch Server Settings ................................ 125
Configure the Application Launch Server Host ..................................... 130
Configure Session Recording Settings ................................................... 132
Configure the ERPM Web Client for Session Playback .......................... 136
Configure Applications for Launching ................................................... 139
Configure Application Sets .................................................................... 162
Shadow Accounts .................................................................................. 168
4.1 CONFIGURE AN APPLICATION LAUNCH SERVER LOGON ACCOUNT
ERPM uses a standard logon account to log on to the target Application Launch Server and launch
the LiebsoftLauncher application. The LiebsoftLauncher application then launches the target
application and connects to a web service (WebLauncherBackendService.svc) to obtain the
necessary program settings and credentials from ERPM.
Logon Account Requirements
The logon account has the following requirements:
A domain account is recommended, but the logon account can be a local account.
The account needs to be able to remotely log on to the target Application Launch Server. That
means that if the account is not an administrator, it must be added to the Remote Desktop
Users group on the Application Launch Server.
Because the user account launches the LiebsoftLauncher application upon login, be sure that
the account has the permissions required for the launch. Set the permissions in RemoteApp
settings, which typically are found in Server Manager under the Roles > Remote Desktop
Services heading. The permissions can be assigned directly to the user, or assigned to a group
that the user belongs to.
The account needs all of the same rights necessary to launch the final target application. It does
not necessarily need local or domain admin privileges.
Securing the Logon Account
ERPM should frequently change the logon account password, for example daily or weekly. (Setting
the rotation schedule to hourly could invalidate the logon account's session while it is in use.)
Follow the basic procedures for a password change in ERPM (as per the Admin Guide) to have ERPM
manage the password for the account. There are no requirements for password propagation, so turn
off password propagation for the password change job. We recommend keeping the password
length to 80 characters or less because some versions of Windows will not allow longer passwords
to be used via RDP.
Caution: When launching an application, this account will be able to do
anything that the target application lets it do.
RECOMMENDED POLICY SETTINGS FOR THE LOGON ACCOUNT
This account can be heavily locked down as it generally doesn't need access to anything other than
the application being launched.
If this account is located in Active Directory, we recommend placing the account into an
organizational unit (OU) by itself or with other similarly locked down accounts. On this OU, create a
policy and modify the User Settings portion of the policy to lock down this logon account. There is
no need to place the Application Launch Servers in this OU as the policies that lock down the user
experience are user based, not system based.
Following are some of the settings recommended to lock down the session. All policies should be
tested to ensure they do not interfere with the required operation of a target application:
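The OU-plus-user-policy design described above, with the Software Restriction Policy and a subset of the Administrative Template settings from the table that follows, as an added example for this guide (not ERPM's own tooling). It assumes the GroupPolicy module (RSAT), a constructed GPO name ERPM-Launcher-Lockdown and OU OU=ERPM Launch Accounts,DC=corp,DC=example, and writes the settings as registry policy at the locations SRP and the Explorer policy template read; confirm the result in the GPMC editor and with gpresult /h after a test logon as the logon account:

```powershell
# Added example, not part of the ERPM manual. Creates the user-side lockdown GPO for
# the Application Launch Server logon account, links it to the OU holding that account,
# and writes the Software Restriction Policy plus a subset of the Administrative
# Template settings as registry policy. Run on a domain-joined host with RSAT.
# Assumed (constructed) names: GPO 'ERPM-Launcher-Lockdown',
# OU 'OU=ERPM Launch Accounts,DC=corp,DC=example'.
Import-Module GroupPolicy

$gpoName  = 'ERPM-Launcher-Lockdown'
$targetOu = 'OU=ERPM Launch Accounts,DC=corp,DC=example'
# Must be the path where LiebsoftLauncher.exe was actually installed in Step 3.
$launcher = 'C:\Program Files (x86)\Lieberman\Roulette\LaunchApp\LiebsoftLauncher.exe'

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'User lockdown for the ERPM Application Launch Server logon account'
}
$linked = (Get-GPInheritance -Target $targetOu).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) { New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null }

function Set-Pol([string]$Key, [string]$Name, [string]$Type, $Value) {
    # HKCU keys land in User Configuration, which is what an OU of accounts needs
    Set-GPRegistryValue -Name $gpoName -Key $Key -ValueName $Name -Type $Type -Value $Value | Out-Null
}

# --- Software Restriction Policies (User Configuration) ---
$safer = 'HKCU\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
Set-Pol $safer 'DefaultLevel'        DWord 0   # Security Levels: Disallowed
Set-Pol $safer 'TransparentEnabled'  DWord 1   # Enforcement: all software files except libraries (DLLs)
Set-Pol $safer 'PolicyScope'         DWord 0   # Enforcement: all users
Set-Pol $safer 'AuthenticodeEnabled' DWord 0   # Enforcement: ignore certificate rules

# Additional Rules > Path Rules at the Unrestricted level (0x40000 = 262144).
# Each rule is its own GUID-named subkey holding the path and a flags value.
$pathRules = @(
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%',
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%',
    $launcher
)
foreach ($p in $pathRules) {
    $ruleKey = "$safer\262144\Paths\{$([guid]::NewGuid().ToString().ToUpper())}"
    Set-Pol $ruleKey 'ItemData'    ExpandString $p
    Set-Pol $ruleKey 'SaferFlags'  DWord        0
    Set-Pol $ruleKey 'Description' String       'ERPM launcher lockdown'
}

# --- Administrative Templates (User Configuration), the subset shown here ---
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-Pol $explorer 'NoControlPanel'  DWord 1   # Control Panel: Prohibit access to Control Panel and PC settings
Set-Pol $explorer 'NoAddPrinter'    DWord 1   # Control Panel/Printers: Prevent addition of printers
Set-Pol $explorer 'NoDeletePrinter' DWord 1   # Control Panel/Printers: Prevent deletion of printers
Set-Pol $explorer 'NoSaveSettings'  DWord 1   # Desktop: Don't save settings at exit
Set-Pol $explorer 'NoDesktop'       DWord 1   # Desktop: Hide and disable all items on the desktop

# Review what was written
Get-GPRegistryValue -Name $gpoName -Key $safer    | Format-Table ValueName, Type, Value -AutoSize
Get-GPRegistryValue -Name $gpoName -Key $explorer | Format-Table ValueName, Type, Value -AutoSize
```

Test the policy against every application that will be launched before enforcing it: with the default level at Disallowed, anything the target application spawns from outside the three path rules (a helper in %TEMP%, a per-user installed client) is blocked, which shows up as a silent launch failure rather than an error from the launcher.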
User Configuration > Policies > Windows Settings >
Security Settings > Software Restriction Policies
Policy Setting
Enforcement
Apply Software Restriction Policies to the following All software files
except libraries
(such as DLLs)
Apply Software Restriction Policies to the following users All users
When applying Software Restriction Policies Ignore certificate
rules
Trusted Publishers
Trusted publisher management Allow all
administrators and
users to manage
user's own Trusted
Publishers
Certificate verification None
98 Configuring Application Launching and Session Recording
Software Restriction Policies/Security Levels
Default Security Level Disallowed
Software Restriction Policies/Additional Rules >> Path Rules
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% Security Level = Unrestricted
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% Security Level = Unrestricted
C:\Program Files (x86)\Lieberman\Roulette\RemoteAppLauncher\LiebsoftLauncher.exe Security Level = Unrestricted
User Configuration | Policies | Administrative Templates
Control Panel
Prohibit access to Control Panel and PC settings Enabled
Control Panel/Display
Disable the Display Control Panel Enabled
Control Panel/Printers
Browse a common web site to find printers Disabled
Browse the network to find printers Disabled
Prevent addition of printers Enabled
Prevent deletion of printers Enabled
Control Panel/Programs
Hide "Get Programs" page Enabled
Hide "Installed Updates" page Enabled
Hide "Programs and Features" page Enabled
Hide "Set Program Access and Computer Defaults" page Enabled
Hide "Windows Features" Enabled
Hide the Programs Control Panel Enabled
Control Panel/Regional and Language Options
Hide Regional and Language Options administrative options Enabled
Hide the geographic location option Enabled
Hide the select language group options Enabled
Hide user locale selection and customization options Enabled
Desktop
Don't save settings at exit Enabled
Hide and disable all items on the desktop Enabled
Hide Internet Explorer icon on desktop Enabled
Hide Network Locations icon on desktop Enabled
Prevent adding, dragging, dropping and closing the Taskbar's toolbars Enabled
Prohibit adjusting desktop toolbars Enabled
Prohibit User from manually redirecting Profile Folders Enabled
Remove Computer icon on the desktop Enabled
Remove Properties from the Computer icon context menu Enabled
Remove Properties from the Recycle Bin context menu Enabled
Remove Recycle Bin icon from desktop Enabled
Turn off Aero Shake window minimizing mouse gesture Enabled
Network/Network Connections
Ability to change properties of an all user remote access connection Disabled
Prohibit access to properties of a LAN connection Enabled
Prohibit access to the Remote Access Preferences item on the Advanced menu Enabled
Prohibit changing properties of a private remote access connection Enabled
Prohibit connecting and disconnecting a remote access connection Enabled
Prohibit renaming private remote access connections Enabled
Network/Offline Files
Remove "Make Available Offline" command Enabled
Remove "Work offline" command Enabled
Network/Windows Connect Now
Prohibit access of the Windows Connect Now wizards Enabled
Start Menu and Taskbar
Add Search Internet link to Start Menu Disabled
Add the Run command to the Start Menu Disabled
Clear history of recently opened documents on exit Enabled
Clear history of tile notifications on exit Enabled
Clear the recent programs list for new users Enabled
Do not allow pinning items in Jump Lists Enabled
Do not allow pinning programs to the Taskbar Enabled
Do not display any custom toolbars in the taskbar Enabled
Do not display or track items in Jump Lists from remote locations Enabled
Do not keep history of recently opened documents Enabled
Do not search communications Enabled
Do not search for files Enabled
Do not search Internet Enabled
Do not search programs and Control Panel items Enabled
Do not use the search-based method when resolving shell shortcuts Enabled
Do not use the tracking-based method when resolving shell shortcuts Enabled
Hide the notification area Enabled
Lock all taskbar settings Enabled
Lock the Taskbar Enabled
Prevent changes to Taskbar and Start Menu Settings Enabled
Prevent users from adding or removing toolbars Enabled
Prevent users from moving taskbar to another screen dock location Enabled
Prevent users from rearranging toolbars Enabled
Prevent users from uninstalling applications from Start Enabled
Remove access to the context menus for the taskbar Enabled
Remove All Programs list from the Start menu Enabled
Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands Enabled
Remove Clock from the system notification area Enabled
Remove common program groups from Start Menu Enabled
Remove Default Programs link from the Start menu. Enabled
Remove Documents icon from Start Menu Enabled
Remove Downloads link from Start Menu Enabled
Remove drag-and-drop and context menus on the Start Menu Enabled
Remove Favorites menu from Start Menu Enabled
Remove frequent programs list from the Start Menu Enabled
Remove Games link from Start Menu Enabled
Remove Help menu from Start Menu Enabled
Remove Homegroup link from Start Menu Enabled
Remove links and access to Windows Update Enabled
Remove Logoff on the Start Menu Disabled
Remove Music icon from Start Menu Enabled
Remove Network Connections from Start Menu Enabled
Remove Network icon from Start Menu Enabled
Remove Pictures icon from Start Menu Enabled
Remove pinned programs from the Taskbar Enabled
Remove pinned programs list from the Start Menu Enabled
Remove programs on Settings menu Enabled
Remove Recent Items menu from Start Menu Enabled
Remove Recorded TV link from Start Menu Enabled
Remove Run menu from Start Menu Enabled
Remove See More Results / Search Everywhere link Enabled
Remove the Action Center icon Enabled
Remove the battery meter Enabled
Remove the networking icon Enabled
Remove the volume control icon Enabled
Remove user folder link from Start Menu Enabled
Remove user's folders from the Start Menu Enabled
Remove Videos link from Start Menu Enabled
Show "Run as different user" command on Start Disabled
Turn off all balloon notifications Enabled
Turn off automatic promotion of notification icons to the taskbar Enabled
Turn off feature advertisement balloon notifications Enabled
Turn off notification area cleanup Enabled
Turn off user tracking Enabled
Start Menu and Taskbar/Notifications
Turn off notifications network usage Enabled
System/Ctrl+Alt+Del Options
Remove Change Password Enabled
Remove Task Manager Enabled
System/Internet Communication Management/Internet Communication settings
Turn off access to the Store Enabled
Turn off downloading of print drivers over HTTP Enabled
Turn off handwriting recognition error reporting Enabled
Turn off Help Experience Improvement Program Enabled
Turn off Help Ratings Enabled
Turn off Internet download for Web publishing and online ordering wizards Enabled
Turn off Internet File Association service Enabled
Turn off printing over HTTP Enabled
Turn off the "Order Prints" picture task Enabled
Turn off the "Publish to Web" task for files and folders Enabled
Turn off the Windows Messenger Customer Experience Improvement Program Enabled
Turn off Windows Online Enabled
System/Removable Storage Access
All Removable Storage classes: Deny all access Enabled
CD and DVD: Deny read access Enabled
CD and DVD: Deny write access Enabled
Floppy Drives: Deny read access Enabled
Floppy Drives: Deny write access Enabled
Removable Disks: Deny read access Enabled
Removable Disks: Deny write access Enabled
Tape Drives: Deny read access Enabled
Tape Drives: Deny write access Enabled
WPD Devices: Deny read access Enabled
WPD Devices: Deny write access Enabled
System/Windows HotStart
Turn off Windows HotStart Enabled
Windows Components/Add features to Windows 8
Prevent the wizard from running. Enabled
Windows Components/App runtime
Block launching desktop apps associated with a file. Enabled
Block launching desktop apps associated with a protocol Enabled
Windows Components/Application Compatibility
Turn off Program Compatibility Assistant Enabled
Windows Components/Attachment Manager
Hide mechanisms to remove zone information Enabled
Windows Components/AutoPlay Policies
Disallow Autoplay for non-volume devices Enabled
Prevent AutoPlay from remembering user choices. Enabled
Set the default behavior for AutoRun Enabled
Default AutoRun Behavior Do not execute any autorun commands
Turn off Autoplay Enabled
Turn off Autoplay on All drives
Windows Components/Credential User Interface
Do not display the password reveal button Enabled
Windows Components/Desktop Gadgets
Restrict unpacking and installation of gadgets that are not digitally signed. Enabled
Turn off desktop gadgets Enabled
Turn Off user-installed desktop gadgets Enabled
Windows Components/Digital Locker
Do not allow Digital Locker to run Enabled
Windows Components/Edge UI
Turn off switching between recent apps Enabled
Turn off tracking of app usage Enabled
Windows Components/File Explorer
Display confirmation dialog when deleting files Enabled
Display the menu bar in File Explorer Enabled
Do not allow Folder Options to be opened from the Options button on the View tab of the ribbon Enabled
Do not display the Welcome Center at user logon Enabled
Do not request alternate credentials Enabled
Hide these specified drives in My Computer Enabled
Restrict all drives
Hides the Manage item on the File Explorer context menu Enabled
No Entire Network in Network Locations Enabled
Prevent access to drives from My Computer Enabled
Restrict all drives
Prevent users from adding files to the root of their Users Files folder. Enabled
Remove "Map Network Drive" and "Disconnect Network Drive" Enabled
Remove CD Burning features Enabled
Remove File Explorer's default context menu Enabled
Remove File menu from File Explorer Enabled
Remove Hardware tab Enabled
Remove Security tab Enabled
Remove the Search the Internet "Search again" link Enabled
Turn off display of recent search entries in the File Explorer search box Enabled
Turn off Windows+X hotkeys Enabled
Windows Components/File Explorer/Common Open File Dialog
Hide the common dialog back button Enabled
Hide the common dialog places bar Enabled
Hide the dropdown list of recent files Enabled
Windows Components/File Explorer/Explorer Frame Pane
Turn off Preview Pane Enabled
Turn on or off details pane Enabled
Configure details pane Always hide
Windows Components/File Explorer/Previous Versions
Prevent restoring previous versions from backups Enabled
Windows Components/IME
Turn off history-based predictive input Enabled
Turn off Internet search integration Enabled
Windows Components/Internet Explorer
Automatically activate newly installed add-ons Disabled
Configure Media Explorer Bar Enabled
Disable the Media Explorer Bar and auto-play feature Enabled
Auto-Play Media files in the Media bar when Enabled Disabled
Disable AutoComplete for forms Enabled
Disable changing accessibility settings Enabled
Disable changing Advanced page settings Enabled
Disable changing Automatic Configuration settings Enabled
Disable changing Calendar and Contact settings Enabled
Disable changing certificate settings Enabled
Disable changing connection settings Enabled
Disable changing home page settings Enabled
Home Page: Define a home page if necessary
Disable changing language settings Enabled
Disable changing Messaging settings Enabled
Disable changing ratings settings Enabled
Disable changing Temporary Internet files settings Enabled
Disable Import/Export Settings wizard Enabled
Disable Internet Connection wizard Enabled
Do not allow users to enable or disable add-ons Enabled
Identity Manager: Prevent user from using Identities Enabled
Notify users if Internet Explorer is not the default web browser Disabled
Pop-up allow list Enabled
Enter the list of sites here: Define an allowed sites list if applicable, such as *.microsoft.com
Prevent "Fix settings" functionality Enabled
Prevent access to Internet Explorer Help Enabled
Prevent bypassing SmartScreen Filter warnings Enabled
Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet Enabled
Prevent changing pop-up filter level Enabled
Prevent changing proxy settings Enabled
Prevent changing the default search provider Enabled
Prevent configuration of how windows open Enabled
Select where to open links: Open in existing Internet Explorer window
Prevent Internet Explorer Search box from appearing Enabled
Prevent managing pop-up exception list Enabled
Prevent managing SmartScreen Filter Enabled
Select SmartScreen Filter mode On
Prevent participation in the Customer Experience Improvement Program Enabled
Prevent per-user installation of ActiveX controls Enabled
Prevent running First Run wizard Enabled
Select your choice: Go directly to home page
Search: Disable Find Files via F3 within the browser Enabled
Search: Disable Search Customization Enabled
Specify default behavior for a new tab Enabled
New tab behavior Home page
Turn off ability to pin sites in Internet Explorer on the desktop Enabled
Turn off add-on performance notifications Enabled
Turn off browser geolocation Enabled
Turn off configuration of pop-up windows in tabbed browsing Enabled
Select tabbed browsing pop-up behavior: Force pop-ups to open in a new tab
Turn off Crash Detection Enabled
Turn off Favorites bar Enabled
Turn off Managing SmartScreen Filter for Internet Explorer 8 Enabled
Select SmartScreen Filter mode for Internet Explorer 8 On
Turn off pop-up management Enabled
Turn off Quick Tabs functionality Enabled
Turn off Reopen Last Browsing Session Enabled
Turn off suggestions for all user-installed providers Enabled
Turn off tabbed browsing Enabled
Turn off the auto-complete feature for web addresses Enabled
Turn off the quick pick menu Enabled
Turn on Suggested Sites Disabled
Turn on the auto-complete feature for user names and passwords on forms Disabled
Windows Components/Internet Explorer/Accelerators
Turn off Accelerators Enabled
Windows Components/Internet Explorer/Browser menus
Disable Open in New Window menu option Enabled
Disable Save this program to disk option Enabled
File menu: Disable closing the browser and Explorer windows Enabled
File menu: Disable New menu option Enabled
File menu: Disable Open menu option Enabled
File menu: Disable Save As Web Page Complete Enabled
File menu: Disable Save As... menu option Enabled
Help menu: Remove 'Send Feedback' menu option Enabled
Help menu: Remove 'Tour' menu option Enabled
Hide Favorites menu Enabled
Tools menu: Disable Internet Options... menu option Enabled
Turn off Print Menu Enabled
Turn off Shortcut Menu Enabled
View menu: Disable Full Screen menu option Enabled
View menu: Disable Source menu option Enabled
Windows Components/Internet Explorer/Delete Browsing History
Disable "Configuring History" Enabled
Days to keep pages in History 1
Windows Components/Internet Explorer/Internet Control Panel
Disable the Advanced page Enabled
Disable the Connections page Enabled
Disable the Content page Enabled
Disable the General page Enabled
Disable the Privacy page Enabled
Disable the Programs page Enabled
Disable the Security page Enabled
Windows Components/Internet Explorer/Internet Control Panel/Advanced Page
Allow active content from CDs to run on user machines Disabled
Allow software to run or install even if the signature is invalid Disabled
Do not allow resetting Internet Explorer settings Enabled
Empty Temporary Internet Files folder when browser is closed Enabled
Windows Components/Internet Explorer/Internet Control Panel/General Page
Start Internet Explorer with tabs from last browsing session Disabled
Windows Components/Internet Explorer/Internet Control Panel/General Page/Browsing History
Allow websites to store application caches on client computers Disabled
Windows Components/Internet Explorer/Internet Settings/Advanced settings/Browsing
Turn off details in messages about Internet connection problems Enabled
Turn on script debugging Disabled
Windows Components/Internet Explorer/Internet Settings/Advanced settings/Multimedia
Allow Internet Explorer to play media files that use alternative codecs Disabled
Windows Components/Internet Explorer/Internet Settings/Advanced settings/Searching
Prevent configuration of search on Address bar Enabled
When searching from the address bar: Do not search from the address bar
Prevent configuration of top-result search on Address bar Enabled
When searching from the Address bar: Disable top result search
Windows Components/Internet Explorer/Internet Settings/Advanced settings/Signup Settings
Turn on automatic signup Disabled
Windows Components/Internet Explorer/Internet Settings/AutoComplete
Turn off URL Suggestions Enabled
Turn off Windows Search AutoComplete Enabled
Turn on inline AutoComplete Disabled
Windows Components/Internet Explorer/Security Features/Restrict File Download
All Processes Enabled
Internet Explorer Processes Enabled
Windows Components/Internet Explorer/Toolbars
Configure Toolbar Buttons Enabled
Show Back button Enabled
Show Forward button Enabled
Show Stop button Enabled
Show Refresh button Enabled
Show Home button Enabled
Show Search button Disabled
Show Favorites button Disabled
Show History button Disabled
Show Folders button Disabled
Show Fullscreen button Disabled
Show Tools button Disabled
Show Mail button Disabled
Show Font size button Disabled
Show Print button Disabled
Show Edit button Disabled
Show Discussions button Disabled
Show Cut button Disabled
Show Copy button Disabled
Show Paste button Disabled
Show Encoding button Disabled
Disable customizing browser toolbar buttons Enabled
Disable customizing browser toolbars Enabled
Display tabs on a separate row Enabled
Hide the Command bar Enabled
Hide the status bar Enabled
Lock all toolbars Enabled
Lock location of Stop and Refresh buttons Enabled
Turn off Developer Tools Enabled
Turn off toolbar upgrade tool Enabled
Windows Components/Location and Sensors
Turn off location Enabled
Windows Components/Microsoft Management Console
Restrict the user from entering author mode Enabled
Windows Components/Network Sharing
Prevent users from sharing files within their profile. Enabled
Windows Components/Presentation Settings
Turn off Windows presentation settings Enabled
Windows Components/Sound Recorder
Do not allow Sound Recorder to run Enabled
Windows Components/Tablet PC/Accessories
Do not allow printing to Journal Note Writer Enabled
Do not allow Snipping Tool to run Enabled
Do not allow Windows Journal to be run Enabled
Windows Components/Tablet PC/Hardware Buttons
Prevent Back-ESC mapping Enabled
Prevent launch an application Enabled
Prevent press and hold Enabled
Turn off hardware buttons Enabled
Windows Components/Windows Error Reporting
Disable Windows Error Reporting Enabled
Windows Components/Windows Installer
Prevent removable media source for any installation Enabled
Prohibit rollback Enabled
Windows Components/Windows Logon Options
Set action to take when logon hours expire Enabled
Set action to take when logon hours expire Logoff
Windows Components/Windows Mail
Turn off the communities features Enabled
Turn off Windows Mail application Enabled
Windows Components/Windows Media Center
Do not allow Windows Media Center to run Enabled
Windows Components/Windows Media Player
Prevent CD and DVD Media Information Retrieval Enabled
Prevent Music File Media Information Retrieval Enabled
Windows Components/Windows Media Player/Networking
Hide Network Tab Enabled
Windows Components/Windows Media Player/Playback
Prevent Codec Download Enabled
Windows Components/Windows Messenger
Do not allow Windows Messenger to be run Enabled
Do not automatically start Windows Messenger initially Enabled
Windows Components/Windows Mobility Center
Turn off Windows Mobility Center Enabled
Windows Components/Windows Update
Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box Enabled
Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box Enabled
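As an added example (it is not part of the Lieberman documentation), the following PowerShell script stages the structure this section describes: a dedicated OU for the logon account, a GPO linked only to that OU, a subset of the User Configuration settings from the table, and the Software Restriction Policies section (Disallowed default level, no certificate rules, enforcement on all software except libraries, and Unrestricted path rules for the three listed locations). It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and that the caller can create OUs and GPOs; the OU, GPO and account names are placeholders. The registry locations used are the standard policy-backed keys for these Administrative Template and SRP settings; compare the resulting GPO report with one built in the Group Policy Management Editor before applying it to production and, as the text says, test every setting against the target application.

```powershell
# Added example (not part of the Lieberman documentation): create a dedicated OU for the
# application-launch logon account, move the account into it, and link a GPO that applies
# part of the user-side lockdown described above. Requires the RSAT ActiveDirectory and
# GroupPolicy modules. OU path, GPO name and account name are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN  = (Get-ADDomain).DistinguishedName
$OuName    = 'AppLaunch Logon Accounts'        # placeholder OU name
$OuDN      = "OU=$OuName,$DomainDN"
$GpoName   = 'ERPM AppLaunch Logon Lockdown'   # placeholder GPO name
$LogonAcct = 'svc-applaunch'                   # placeholder sAMAccountName of the logon account

# 1. OU that holds only locked-down logon accounts. The Application Launch Servers stay outside
#    it, because every policy below lives under User Configuration.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$OuName)" -SearchBase $DomainDN)) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN -ProtectedFromAccidentalDeletion $true
}
Get-ADUser -Identity $LogonAcct | Move-ADObject -TargetPath $OuDN

# 2. GPO linked to that OU only.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
New-GPLink -Name $GpoName -Target $OuDN -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# 3. A subset of the Administrative Template settings from the table, written as the
#    registry-backed policy values those settings map to (assumed standard mappings).
$polExplorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$polSystem   = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$settings = @(
    @{ Key = $polExplorer; Name = 'NoControlPanel';        Value = 1 }          # Prohibit access to Control Panel and PC settings
    @{ Key = $polExplorer; Name = 'NoRun';                 Value = 1 }          # Remove Run menu from Start Menu
    @{ Key = $polExplorer; Name = 'NoClose';               Value = 1 }          # Remove Shut Down, Restart, Sleep, Hibernate
    @{ Key = $polExplorer; Name = 'NoDrives';              Value = 0x3FFFFFF }  # Hide these specified drives: Restrict all drives
    @{ Key = $polExplorer; Name = 'NoViewOnDrive';         Value = 0x3FFFFFF }  # Prevent access to drives: Restrict all drives
    @{ Key = $polSystem;   Name = 'DisableTaskMgr';        Value = 1 }          # Ctrl+Alt+Del: Remove Task Manager
    @{ Key = $polSystem;   Name = 'DisableChangePassword'; Value = 1 }          # Ctrl+Alt+Del: Remove Change Password
)
foreach ($s in $settings) {
    Set-GPRegistryValue -Name $GpoName -Key $s.Key -ValueName $s.Name -Type DWord -Value $s.Value | Out-Null
}

# 4. Software Restriction Policies, user scope. Level 0 = Disallowed, 262144 (0x40000) = Unrestricted.
#    TransparentEnabled 1 = all software files except libraries; PolicyScope 0 = all users;
#    AuthenticodeEnabled 0 = ignore certificate rules. Path rules sit under the level they grant.
$safer = 'HKCU\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
Set-GPRegistryValue -Name $GpoName -Key $safer -ValueName 'DefaultLevel'        -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $safer -ValueName 'TransparentEnabled'  -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $safer -ValueName 'PolicyScope'         -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $safer -ValueName 'AuthenticodeEnabled' -Type DWord -Value 0 | Out-Null
$unrestrictedPaths = @(
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%',
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%',
    'C:\Program Files (x86)\Lieberman\Roulette\RemoteAppLauncher\LiebsoftLauncher.exe'
)
foreach ($p in $unrestrictedPaths) {
    $ruleKey = "$safer\262144\Paths\{$([guid]::NewGuid().ToString().ToUpper())}"
    Set-GPRegistryValue -Name $GpoName -Key $ruleKey -ValueName 'ItemData'   -Type ExpandString -Value $p | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $ruleKey -ValueName 'SaferFlags' -Type DWord        -Value 0  | Out-Null
}

# 5. Produce a report to review the GPO before testing it against the target application.
Get-GPOReport -Name $GpoName -ReportType Html -Path (Join-Path $env:TEMP "$GpoName.html")
```

The script only covers settings whose registry mapping is unambiguous; the remaining rows of the table are added the same way with Set-GPRegistryValue once their registry locations have been confirmed from the ADMX files in use.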
4.2 CONFIGURE THE WEB LAUNCHER SETTINGS
To configure the web launcher settings for the ERPM web client, choose Settings > Manage Web
Application > Application Launch in the management console.
The "Launch Application with Credentials Settings" dialog opens.
Configuring the "Global" tab
The Global tab identifies the ERPM web service and other related settings that are used when
launching applications.
Launcher Web Service Config
Web service URL – The URL of the application launcher web service. When the web service
is installed (typically on the ERPM web server), a web service is normally created at
[site]/erpmwebservice. The web service is called WebLauncherBackendService.svc. Enter
the full URL in the Web service URL field, including the protocol and port if applicable.
Important: There should be no certificate or access errors when accessing this URL in a browser.
Test the URL to verify that it works for the users that will be accessing the web server. The best
test is to log in to the Application Launch Server using the Application Launch Server login account
(configured in the previous section) and attempt to access the URL (shown below). If the account is
prompted for credentials or receives certificate errors, the application launcher will fail.
The typical URL is:
https://erpmwebservername.yourdomain.com/erpmwebservice/weblauncherbackendservice.svc
Test Connection – Click to verify that the web service URL is correct and the web service is
properly responding to requests.
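The manual browser test above can be scripted so that it is repeated from each Application Launch Server under the launch logon account. The following PowerShell check is an added example, not code from the Lieberman documentation; it uses the page's example hostname as a placeholder and classifies the three failure modes the text names: certificate trust failure, an authentication prompt (HTTP 401), and any other non-200 answer.

```powershell
# Added example (not part of the Lieberman documentation): pre-flight check of the launcher
# web service URL. Run it on an Application Launch Server while logged on as the launch logon
# account so that the certificate chain and authentication are tested in the launcher's own
# context. The hostname is a placeholder taken from the documentation's example URL.
$WebServiceUrl = 'https://erpmwebservername.yourdomain.com/erpmwebservice/WebLauncherBackendService.svc'

function Test-LauncherWebService {
    param([Parameter(Mandatory)][string]$Url)
    $result = [ordered]@{ Url = $Url; HttpStatus = $null; CertificateOk = $false; AuthPrompt = $false; Error = $null }
    try {
        # -UseDefaultCredentials sends the logged-on account's Windows credentials, which mirrors
        # what the launcher does; -UseBasicParsing avoids a dependency on the IE engine.
        $resp = Invoke-WebRequest -Uri $Url -UseDefaultCredentials -UseBasicParsing -TimeoutSec 15
        $result.HttpStatus    = [int]$resp.StatusCode
        $result.CertificateOk = $true      # no exception means the certificate chain validated
    } catch [System.Net.WebException] {
        $result.Error = $_.Exception.Message
        if ($_.Exception.Status -eq [System.Net.WebExceptionStatus]::TrustFailure) {
            $result.CertificateOk = $false # untrusted or mismatched certificate: the launcher will fail
        } elseif ($_.Exception.Response) {
            $result.HttpStatus    = [int]$_.Exception.Response.StatusCode
            $result.CertificateOk = $true  # TLS succeeded; the server answered with an HTTP error
            $result.AuthPrompt    = ($result.HttpStatus -eq 401)   # 401 = a browser would prompt for credentials
        }
    }
    [pscustomobject]$result
}

$check = Test-LauncherWebService -Url $WebServiceUrl
$check | Format-List
if ($check.HttpStatus -eq 200 -and $check.CertificateOk -and -not $check.AuthPrompt) {
    Write-Host 'OK: the URL answers without certificate or credential errors.'
} else {
    Write-Warning 'Fix the certificate, authentication or site binding before enabling the launcher.'
}
```

The check is written for Windows PowerShell 5.1, where Invoke-WebRequest raises System.Net.WebException; on PowerShell 7 the exception type differs and the catch clause would need adjusting.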
Launcher Related Web App Options
Enable launching applications using stored passwords in the web application – Required to
enable remote launching. If this option is not selected, then the Launch Application option
will be unavailable in the website.
Remote Launch
Enable launching applications on a remote server – Enable the configured applications to
launch via an Application Launch Server rather than launching only locally on the client.
When the option is enabled and an application is configured to use an Application Launch
Server, the applications can instead launch from the Application Launch Server and will use
RemoteApp to display the program's UI to the user's desktop as if it were a native
application.
[Script Launch] Path to script files on client systems – The path to which the script automation
files will be copied (a manual copy). This path is used when web-based applications such as Twitter,
Facebook, or other web-based programs are launched locally on the client rather than via the
Application Launch Server. If these applications will never be launched directly from a client
machine, this path does not need to be configured. The default location where these scripts are
found is:
C:\Program Files (x86)\Lieberman\Roulette\LaunchApp\WebAutomation.
Sign generated RDP files with certificate identified by thumbprint – When RDP files are
generated, they will be signed with the identified certificate. This helps avoid
unknown/untrusted RDP connection warnings and errors. For this option to function, the
following must be true:
The certificate needs to be on the client workstation to generate RDP files to connect to the
Application Launch Server.
The certificate also needs to be on the Application Launch Server if RDP connections are
configured to go through the Application Launch Server.
The certificate must be accessible to the user that’s running the process creating and launching
the RDP file.
The security policy of the machine must be configured to require signed RDP files for this setting
to have any effect (it is not by default).
4.3 CONFIGURE THE APPLICATION LAUNCH SERVER SETTINGS
Start by choosing Settings > Manage Web Application > Application Launch in the management
console.
The "Launch Application with Credentials Settings" dialog opens.
Configuring the "Remote Servers" tab
The Remote Servers tab identifies the available Application Launch Servers and other related
settings that will be used for launching applications. The option Enable launching applications on a
remote server must also be selected on the Global tab to make use of these servers.
To add a new server, click the Add button in the lower right area of the dialog.
CONFIGURING THE "REMOTE APPLICATION SERVER CONFIGURATION" DIALOG
The following fields are mandatory:
Server configuration identifier – The friendly name of the server as it will appear in the
application launcher configuration.
Remote server system name – The actual name of the Application Launch Server. This should
be the name (FQDN or simple or IP) as can be reached from the client systems that will be
initiating the session.
Use RemoteApp to launch the liebsoft launcher on the server – This option must be selected to
remotely launch applications from the Application Launch Server using RemoteApp, as available in
Windows Server 2008 R2 and newer.
Launcher path on jump server – The path to the launcher component on the jump server.
Use RemoteApp connection broker (RDS 2012+ only)
o Connection broker – The fully qualified domain name (FQDN) of the connection
broker. For example, 2k8r2-3.demo.msft.
o Load balancer info – The loadbalanceinfo value from the .rdp file. For example,
tsv://MS Terminal Services Plugin.1.lsc.example.
Warning! Be careful that your RDS collection name does not exceed 16 characters.
Microsoft truncates names that exceed 16 characters when storing the name in the
registry. If the truncated name does not match the configured load balancer info
value, the following error message is returned: "Your computer can't connect to the
remote computer because the connection broker couldn't validate the settings in your
RDP file."
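The two points above that are easy to get wrong, the 16-character collection name inside the load balancer value and the signed RDP file described under the Global tab, can both be checked before the first user hits them. The following PowerShell script is an added example, not code from the Lieberman documentation: it builds a minimal RemoteApp .rdp file for the connection broker, refuses to continue if the collection name embedded in loadbalanceinfo exceeds 16 characters, and signs the file with the Windows rdpsign.exe tool. The broker FQDN, collection name, certificate thumbprint and output path are placeholders; the launcher path is the one listed in this guide.

```powershell
# Added example (not part of the Lieberman documentation): generate a RemoteApp .rdp file for the
# connection broker, validate the RDS collection name length, and sign the file. Broker FQDN,
# collection name and certificate thumbprint are placeholders.
$Broker     = 'broker.yourdomain.example'    # placeholder connection broker FQDN
$Collection = 'LaunchColl'                   # placeholder RDS collection name (max 16 characters)
$Launcher   = 'C:\Program Files (x86)\Lieberman\Roulette\RemoteAppLauncher\LiebsoftLauncher.exe'
$Thumbprint = '0000000000000000000000000000000000000000'  # placeholder thumbprint of the signing certificate
$RdpPath    = Join-Path $env:TEMP 'erpm-launch.rdp'

function Test-CollectionName {
    param([Parameter(Mandatory)][string]$LoadBalanceInfo)
    # The collection name is whatever follows the fixed plugin prefix in loadbalanceinfo.
    $prefix = 'tsv://MS Terminal Services Plugin.1.'
    if (-not $LoadBalanceInfo.StartsWith($prefix)) { throw "Unexpected loadbalanceinfo format: $LoadBalanceInfo" }
    $name = $LoadBalanceInfo.Substring($prefix.Length)
    if ($name.Length -gt 16) {
        Write-Warning ("Collection name '{0}' is {1} characters; the broker truncates stored names at 16, so the broker would reject this file." -f $name, $name.Length)
        return $false
    }
    return $true
}

$loadBalanceInfo = "tsv://MS Terminal Services Plugin.1.$Collection"
if (-not (Test-CollectionName -LoadBalanceInfo $loadBalanceInfo)) { return }

# Minimal RemoteApp file: the launcher is the program the session runs; credentials are not
# embedded, they are supplied by the launcher at connect time.
@"
full address:s:$Broker
loadbalanceinfo:s:$loadBalanceInfo
remoteapplicationmode:i:1
remoteapplicationprogram:s:$Launcher
remoteapplicationname:s:ERPM Launcher
authentication level:i:2
prompt for credentials:i:0
"@ | Set-Content -Path $RdpPath -Encoding Unicode

# The signing certificate must be in the personal store of the account running this script, with
# its private key, and must be trusted on every client and launch server that opens the file.
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert -or -not $cert.HasPrivateKey) { throw "Signing certificate $Thumbprint not found with a private key." }

# rdpsign.exe ships with Windows; /sha256 selects the signature algorithm and takes the
# certificate thumbprint as shown in the certificate store (see rdpsign /? for the exact syntax).
& "$env:SystemRoot\System32\rdpsign.exe" /sha256 $Thumbprint $RdpPath
if ($LASTEXITCODE -ne 0) { throw "rdpsign failed with exit code $LASTEXITCODE" }

# A signed file carries signscope and signature lines; treat their absence as a failure.
$signed = Get-Content -Path $RdpPath
if (-not ($signed -match '^signature:s:')) { throw 'RDP file was not signed.' }
Write-Host "Signed RDP file written to $RdpPath"
```

As the text notes, the signature only has an effect on machines whose security policy requires signed RDP files; on other machines the file still opens, but the unknown-publisher warning is not suppressed unless the signing certificate is trusted there.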
Use integrated Windows credentials to login to the jump server – When used with a Windows Server
2012 Application Launch Server that is properly configured for web single sign-on, and when the
ERPM website is also configured for integrated authentication and the user actually logs in using
integrated authentication, this feature connects to the Application Launch Server using the ERPM
user's own credentials rather than a specific Application Launch Server login. The login user must
have the permissions needed to launch the application and to RDP to the server.
Prompt for login credentials to application server – Will cause credentials to not be
automatically provided when connecting to the Application Launch Server. The user performing
the application launch must provide credentials that are valid for the Application Launch Server.
Login credential system name – This value must be populated. If ERPM will be using stored
(managed) credentials to log into the Application Launch Server, this is the name of the
system/server, as it appears in ERPM, from which to draw the credentials. It is recommended to use
a domain credential for this purpose; see the section on configuring an Application Launch Server
login account.
Login credential account name – This is the name of the account that will be used to log in to
the Application Launch Server. It is recommended to use a domain credential for this purpose;
see the section for configuring an Application Launch Server login account.
Login credential domain name – The domain to which the account belongs. If this is a local
account (not recommended) then this should be the simple (NetBIOS) name of the Application
Launch Server.
Load saved password for connection from password store – Select this option to pull the
managed password from the ERPM password store. If a hard-coded password is to be used instead,
supply the actual password in the remote server logon password field.
[Script Launch] Path to script files on client systems – The path to which the script automation
files will be copied during installation of the AppLauncher. This path is used when launching
web-based applications such as Twitter, Facebook, or other web-based programs. The default
location where these scripts are found is:
C:\Program Files (x86)\Lieberman\Roulette\LaunchApp\WebAutomation
Update OIT agent data for agent running on the server – Only provides functionality when the
session recorder is provided by ObserveIT. Selecting this option will change certain metadata
attributes to more accurately reflect which user account is performing certain actions. This
affects auditing information stored within OIT.
Note: Important! If using the built-in session recording instead of the session recording
offering from ObserveIT, DO NOT check Update OIT agent data for agent running on the
server. Doing so will prevent the built-in session recorder from working.
Once the entries are validated, click OK to add the Application Launch Server object. If the option
Load saved password for connection from password store is selected and a stored password for
the target account does not exist, a warning indicating this will appear to the user; otherwise the
dialog will close without incident.
Any of these settings can be changed at any time without having to make any changes to IIS or
performing IISReset or other administrative actions.
4.4 CONFIGURE THE APPLICATION LAUNCH SERVER HOST
This section lists two configuration updates that should be made on the Application Launch Server
host.
To Configure the Host Machine for Multiple Application Launcher Sessions
The following configuration change is needed to allow multiple application launcher sessions to run
concurrently.
1) Log on to the Application Launcher Server host machine.
2) Open the Run dialog using the Win+R keyboard shortcut.
3) Type gpedit.msc and press OK.
The "Local Group Policy Editor" window opens.
4) Choose Computer Configuration > Administrative Templates > Windows Components >
Remote Desktop Services > Remote Desktop Session Host > Connections : Restrict Remote
Desktop Services users to a single Remote Desktop Services session.
5) Right-click Restrict Remote Desktop Services users to a single Remote Desktop Services
session and choose Edit.
A dialog opens to configure the policy.
6) Select Disabled, then click OK.
To Configure the Host Machine to Prevent Transcoding Problems
The following configuration change is needed to prevent a problem that could potentially result in
your session recordings failing to be processed by the transcoder.
1) Open the Run dialog on the Application Launcher Server host using the Win+R keyboard
shortcut.
2) Type gpedit.msc and press OK.
The "Local Group Policy Editor" window opens.
3) Choose Computer Configuration > Administrative Templates > System > User Profiles: Do not
forcefully unload the user registry at logoff.
4) Right-click Do not forcefully unload the user registry at logoff and choose Edit.
A dialog opens to configure the policy.
5) Select Enabled, then click OK.
4.5 CONFIGURE SESSION RECORDING SETTINGS
Start by choosing Settings > Manage Web Application > Application Launch in the management
console.
The "Launch Application with Credentials Settings" dialog opens.
Configuring the "Session Recorders" tab
The Session Recorders tab identifies configured session recording servers. There will typically be a
one-to-one relationship with the servers configured on the Remote Servers tab.
To add a new server, click the Add button in the lower right area of the dialog.
The following fields are mandatory:
Configuration label - the friendly name of the server as it will appear in the application launcher
configuration.
Basic configuration - use this option if the session recording host will perform both recording
and transcoding duties. Recorder options include Expressions 4, VLC, and Windows Problem
Steps Recorder. It is recommended to choose the Expressions 4 recorder option. The output
path defaults to a local path if this option is selected.
Advanced configuration - use this option if it is desired to put recordings in a custom location or
if video transcoding will occur on a separate host (typical). It is not recommended to change the
Assembly path or Type in Assembly values.
Abort application launch if session recording fails - with this option selected, if session
recording fails to initialize, the remote session will be logged off and no remote app launch will
occur.
Output path - if using the Application Launch Server for both session recording and video
transcoding and it is desired to place the recordings to an alternate location, specify the path
here. If transcoding is occurring on a separate host, then this should be a network UNC path
(\\server\source) to the Source share on the transcoder host.
File name template - the default value is SessionRecording-$(SessionID). In this scenario
SessionRecording- is the filename prefix and $(SessionID) is a variable for the session ID of the
remote app launch session. The names of the recordings may be changed, but do not remove the
$(SessionID) value from the name. There should also be no extension listed for the file name.
Once the entries are validated, click OK to add the session recorder host object.
Any of these settings can be changed at any time without having to make any changes to IIS or
performing IISReset or other administrative actions.
Configuring the Transcoder to Record Multiple Videos at the Same Time
The session recording transcoder is set to record a maximum of one video at a time by default. To
configure the transcoder to record multiple concurrent videos, complete the following steps:
1) Go to the system where the Application Launcher and Session Recorder components are
installed and choose Start > Lieberman Software > Settings.
The "Session Recording Configuration" dialog opens.
2) If necessary, expand the File Watcher Transcoder Service Settings section and locate Setting:
Maximum Concurrent Encoders.
3) Type the maximum number of simultaneous recordings that the transcoder should allow, then
click Push.
4) Close the "Session Recording Configuration" dialog.
4.6 CONFIGURE THE ERPM WEB CLIENT FOR SESSION PLAYBACK
To play back recorded sessions, ERPM needs to know the location of the media server machine,
which is where the completed session recordings are located.
The media server will have configured IIS with a virtual directory under the default root website
called SessionRecording. It is this URL that will be provided to the ERPM website configuration. The
SessionRecording URL may be presented with or without SSL, but should be configured to use
anonymous authentication.
To Configure ERPM With the SessionRecording URL
1) Open the ERPM management console and click Manage Web App in the left action pane.
2) Choose Options > Configure default web application options from the menu.
3) Click the User/Session Management tab.
4) Locate the Session playback URL field and enter the URL for the media server where the videos
are hosted from. If using HTTPS, be sure to enter the valid name of the server that matches the
assigned name on the certificate to avoid certificate errors. A typical URL will be similar to
https://server.your.domain/sessionrecording/. Be aware that the system is expecting a
trailing forward slash at the end of the URL.
5) Click OK once the URL is entered.
6) If updating an existing website with this new information, right-click on the website instance
and select Replace instance options with default web application options. There is no need to
restart any servers or components after making this change.
Once the URL is added and once any sessions have been recorded, users with access to the auditing
section of the ERPM website will be able to play back any recorded sessions that exist.
4.7 CONFIGURE APPLICATIONS FOR LAUNCHING
4.7.1 Adding Application Launching Scripts
Enterprise Random Password Manager includes a number of application launching scripts. Most
scripts require additional configuration before they can be used to launch the target application.
To Add the Application Launching Scripts
1) In the management console, choose Settings > Manage Web Application > Application Launch.
The "Launch Application with Credentials Settings" dialog opens.
2) Click the Applications tab.
3) Click Add Defaults.
To add new applications, click the Add button. Duplicate or edit existing items by using the Copy
or Edit buttons respectively.
After adding an application you have to configure it before it can be launched.
4.7.2 Configuring ERPM to Launch Applications
This section documents how to configure ERPM for app launching.
To Configure ERPM to Launch Specific Applications
1) Open the management console and choose Settings > Manage Web Application > Application
Launch.
The "Launch Application with Credentials Settings" dialog opens.
2) Click the Applications tab.
The Applications tab identifies the applications that can be made available to launch from the
ERPM website and other related settings that will be used when launching these applications.
3) Select an application launch type item and click Edit.
The "Remote Application Configuration" dialog opens.
4) Complete the form.
EDITING THE REMOTE APPLICATION CONFIGURATION DIALOG
Remote application label – Required. This is the friendly name of the application as it will
appear in the ERPM website.
Remote application description – Optional. Enter a description for the application that will
appear in the ERPM website.
Remote application icon path – Optional. To set a custom icon for the application, identify the
location of the physical ERPM website installation files. Typically, this will be at
%inetpub%\wwwroot\PWCWeb. All file paths defined for the icons will be relative to this path.
It is recommended to create a custom folder (example "CompanyIcons") and add your icons to
this folder so that they persist through website upgrades. Then, for the icon path, simply add
the path using the following convention: FolderName\IconName.gif. All GIF files should be
32x32 pixels.
Remote launch type – Required. Select from the available launch types:
Launch application with command line parameters – Use this for any application which can be
launched with command line options such as SQL Management Studio, PuTTY, VMware vCenter,
and so on.
Open web application with form post – Use this for websites that only require a basic form post
and do not make use of JSON, YAML, or other technologies for passing the user name and
password information. When this is selected, fill out the Web Page and Name-Value pair fields.
The web page is the name of the login page, including the protocol, such as
http://webserver/pwcweb/login.asp. The name-value pair should consist of the variables
for the user name and password.
Launch terminal services client – Use this for launching the Microsoft Terminal Services client.
There are no additional requirements to set up this launch type.
Launch app through .net assembly – Used when an external .Net assembly will be used to
perform the connection and credential passing. Supply the Assembly Path and Type Name
values. The assembly path is the full physical file path to the .Net assembly. Type name is the
name of the .Net interface.
Launch app through script automation – This is most frequently used for launching MMCs,
websites that do not pass user name and password information via a basic form post (see most
web examples in the default list), fat clients that do not make use of command line parameters,
and so on. Supply the Script Path and Automation URL. Script path is the name of the script to run,
including the extension, for example login_azuremgmt.vbs. This script must be found in the
pre-defined script automation directory set in the global options or Application Launch Server
configuration dialogs for the app launcher. Automation URL is the target URL, for example
http://manage.windowsazure.com or, for a device,
https://$(RemoteAccessTarget_TargetName)/login.html.
Run on the jump server – Optional. Use to launch the target application from the Application
Launch Server (configured previously) or from the user's workstation. If this option is not
selected then the application will attempt to launch locally on the user's local workstation. If
this option is selected, then the application will be launched on the Application Launch Server.
The application must be installed on the Application Launch Server at that time. This is a
per-application setting.
Use the targeted account to connect to the jump server – If the Application Launch Server is
used and the account being targeted to launch the application is a domain account or a valid
local Application Launch Server host account, this option will establish a connection with those
credentials rather than the pre-configured Application Launch Server connection credentials. If
the credentials are not valid on the Application Launch Server host then the connection will not
succeed. Do not use this option for non-Windows systems.
Application supports multi-tab – A special set of configurations and launch scripts for
applications which have multi-branch or multi-tab capabilities. See the Multi-tab Support
section for more information on configuration and use.
Load user profile when starting application (Configure RDP connection parameters) – When
selected, loads the connecting user's profile on the Application Launch Server host, which makes
additional RDP elements available, such as color depth, mapped drives, and clipboard capability.
Enable session recording – Optional. If a session recording host is configured, this option will be
available. When configured, the launching of this application on an Application Launch Server
will record just this application being run. This is a per-application setting.
Application – Mandatory. The application name is simply the name of the executable without
the path. For example, SSMS.EXE.
Command line – Mandatory. Command line is the parameters to launch the executable with.
Parameters are specific to the program being launched and not ERPM. ERPM does, however,
provide specific replacement variables that can be used in place of otherwise static values, such
as $(RemoteAccessTarget_TargetName) instead of the target's actual host name. See the
following sub-section for more information.
Application location – Optional. An application location must also be defined, but it can either be
a full physical path in the application location field or be set up to search for, and even download,
a ready-to-run executable from a predefined network path (At launch download file from path).
A physical path MUST be defined when launching the application from an Application Launch
Server. If a physical path is not defined in the application location field, then the option to Search
for application on local system should be enabled. Sub-options for application search include
searching for the application in the system root or program files directories. In addition, include
and exclude directories may be defined. Multiple values should be separated by a semi-colon.
There is no variable replacement such as %systemroot% or %inetpub%, so full physical locations
must be used.
Search for application on local system – Optional. Will cause the application launcher to search
the Application Launch Server or the calling workstation's file system for the executable being
launched, and launch the first valid application it comes across. If this option is deselected, then
the Application location field above it becomes active where a static path can be defined. Using
the search mechanism adds time to launch the application. The locations it can search are the
Program Files directories or the system root directory. Searching is controlled by the
subsequent options on this dialog.
Search for application on local system root directs ERPM to search the %systemroot% location
on the Application Launch Server or the calling workstation's file system when launching an
application.
Search for application under the program files directory directs ERPM to search
%programfiles% and %programfiles(x86)% on the Application Launch Server or the calling
workstation's file system when launching an application.
Subdirectory restriction is the directories to not search when searching the program files
directory structure.
Additional search directories is the additional directories to search if there are any other
directories on the system to search. The list is semi-colon delimited.
Working Directory is the default search starting point.
Only run signed executables – Optional. Will ensure the program has a digital signature on it. If
the option is enabled, an additional verification can be configured to validate specific fields of
the digital signature such as the certificate serial number, certificate issuer or other signing bits.
Verify certificate fields of signing certificate – Becomes available if the option to Only run signed
executables is selected. The resulting dialog allows defining which fields to verify in the signing
certificate.
Only run executables with expected hashes – Optional. Allows the admin to define hashes of a
target application. This is useful to ensure that someone did not rename a malicious executable
or that only a specific patched version runs. Multiple hashes can be calculated and defined from
this dialog.
At launch, download the file from path – Optional. Defines a network path or URL to download
the application from if it is not already present on the host system.
Settings apply to client system configuration – Applies only to applications launched from the
user's workstation and has no effect for applications launched using the Application Launch
Server host. Consider that a 32-bit application running on a 32-bit Windows host will typically
install to c:\program files\application, yet that same 32-bit application running on a 64-bit
Windows host will typically install to c:\program files (x86)\application. This setting
permits configuration of only one application to launch with multiple possible settings. When
these settings are configured, the launcher will determine what host it is running on and
retrieve the appropriate settings, such as launch directory.
Application uses stored private key – Optional. This option allows programs that can use
certificates (such as SSH clients) to define which certificate to use when connecting. These
certificates must have been pre-imported and assigned via the management console by
choosing Settings > User Keys > Import Keys.
Application uses gateway server – Optional. If an SSH proxy/gateway is defined (in the
management console by choosing Settings > Manage Web Application > Remote Gateway
Servers) this option is available. This option is useful when a client must first connect to an SSH
proxy before connecting to the final SSH target. This process uses plink.exe. The plink.exe
download location must also be specified with the path on the Application Launch Server where
the plink.exe executable resides. Plink.exe is installed in the launch app folder on the
Application Launch Server if the PuTTY files are also installed when installing the application
launcher. Plink.exe can also be downloaded from http://www.putty.org.
Configure Allowable Types – Mandatory. This defines which account types in the application
will be available. At least one account type must be selected. This is what specifically makes an
application available to MySQL or Windows but not Linux or SQL Server or Oracle.
Always use the specified account when starting this application – Optional. When this option is
NOT selected (default), the application is available for the selected account type(s) (Configure
Allowable Account Types). That means potentially any account could be used to launch this
application. If the option is enabled, ERPM will pull a predefined credential from the account
store and always use that account to launch the application. Also, the application will not be
available in the Launch App section of the ERPM website. Rather, it will be made available in the
Applications section of the website for the users that have permission to launch the application.
The Launch App section is accessible when viewing specific managed passwords. Applications is
always available regardless of managed passwords.
For replaceable variables in the command line or automation URL paths, see Variables for App
Launching (on page 146).
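To make the Search for application on local system, Subdirectory restriction, Additional search directories and Only run executables with expected hashes options concrete, here is an added Python example that is not ERPM's own code. It models a pre-launch check: locate the executable by walking the configured directories, then refuse to launch unless its digest is on the admin-defined list. The SHA-256 algorithm, the sorted search order and the constructed Program Files tree are assumptions; the manual does not state which algorithm or order ERPM uses.

```python
"""Pre-launch executable checks modelled on the Application location,
Search for application on local system, Subdirectory restriction,
Additional search directories and Only run executables with expected
hashes options. Added example, not ERPM code: the SHA-256 algorithm,
the sorted search order and the directory layout built in demo() are
assumptions.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Optional


def split_dirs(value: str) -> List[Path]:
    """Parse a semicolon-delimited directory list as the dialog expects it;
    no %systemroot%-style variable replacement is performed."""
    return [Path(part.strip()) for part in value.split(";") if part.strip()]


def find_executable(name: str, search_roots: Iterable[Path],
                    excluded_subdirs: Iterable[str] = ()) -> Optional[Path]:
    """Return the first file called `name` below any search root, walking
    directories in sorted order and skipping excluded subdirectory names
    (the Subdirectory restriction option)."""
    excluded = {e.lower() for e in excluded_subdirs}
    for root in search_roots:
        if not root.is_dir():
            continue
        for dirpath, dirnames, filenames in os.walk(root):
            # Prune excluded subdirectories in place so os.walk never descends into them.
            dirnames[:] = sorted(d for d in dirnames if d.lower() not in excluded)
            for filename in filenames:
                if filename.lower() == name.lower():
                    return Path(dirpath) / filename
    return None


def sha256_of(path: Path) -> str:
    """Hex SHA-256 digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def launch_allowed(path: Path, expected_hashes: Iterable[str]) -> bool:
    """Only run executables with expected hashes: the file must match one of
    the admin-defined digests, which catches a renamed impostor binary that
    the search option would otherwise launch as the first match."""
    return sha256_of(path) in {h.lower() for h in expected_hashes}


def demo() -> Dict[str, object]:
    """Build a constructed Program Files tree holding a trusted SSMS.EXE and
    a renamed impostor, then show how the options change the outcome."""
    good_bytes = b"constructed: trusted SSMS build"
    bad_bytes = b"constructed: renamed impostor"
    with tempfile.TemporaryDirectory() as tmp:
        program_files = Path(tmp) / "Program Files"
        (program_files / "Staging").mkdir(parents=True)
        (program_files / "Vendor").mkdir(parents=True)
        (program_files / "Staging" / "SSMS.EXE").write_bytes(bad_bytes)
        (program_files / "Vendor" / "SSMS.EXE").write_bytes(good_bytes)

        roots = split_dirs(f"{program_files}; ")  # trailing empty entry is ignored
        expected = {hashlib.sha256(good_bytes).hexdigest()}  # the admin-defined hash list

        restricted = find_executable("SSMS.EXE", roots, excluded_subdirs=["Staging"])
        unrestricted = find_executable("SSMS.EXE", roots)
        assert restricted is not None and unrestricted is not None
        return {
            "restricted_dir": restricted.parent.name,
            "restricted_allowed": launch_allowed(restricted, expected),
            "unrestricted_dir": unrestricted.parent.name,
            "unrestricted_allowed": launch_allowed(unrestricted, expected),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the Staging subdirectory excluded the search lands on the trusted copy and the hash check passes; without the restriction the first match is the impostor and the hash check is what stops the launch.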
4.7.3 Variables for App Launching
ERPM provides variables for you to use to pass the user name, password, target server, and so on
when launching an application from the command line or via web automation scripts.
Consider the following scenario:
1) DEMO\Broberts logs into the ERPM web application.
2) DEMO\Broberts clicks on launch app. This causes a secondary account (DEMO\AppLaunchLogin)
to connect to the Application Launch Server and initiate and launch the liebsoftlauncher.exe
program.
3) Liebsoftlauncher connects back to the web service and retrieves program settings (including
target system), target user name, and target password. For this example, it connects to a server
called DB2012 as SA with the SA password.
In this scenario the following elements are defined using the following variables:
DEMO\Broberts = $(SourceAppLogin) or $(UserEnteredLoginUsername)
DEMO\AppLaunchLogin = NOT EXPOSED
DB2012 = $(RemoteAccessTarget_TargetName)
SA = $(Username) or $(AccountName_FullyQualified)
SA Password = $(Password) or $(Password_Raw)
Following is a list of all possible variables:
$(UserEnteredLoginUsername) – Same as $(SourceAppLogin), is the account used to log in to
the ERPM web application.
$(UserEnteredLoginUsername:RemoveNTSyleNamespace) – This element prunes the domain
name from the user name. From the example above, DEMO\Broberts becomes simply Broberts.
$(UserEnteredLoginUsername:ReplaceBackslashWithDot) – This element retains the domain
name with the user name but replaces the slash with a dot. From the example above,
DEMO\Broberts becomes DEMO.Broberts. Use this variable when a name is required that will
not be interpreted as a path for creating directories.
$(SourceAppLogin) – Same as $(UserEnteredLoginUsername), is the account used to login to
the app [component] that is triggering the launcher (that is, the RDP user to the Application
Launch Server).
$(SourceAppLogin:RemoveNTSyleNamespace) – This element prunes the domain name from
the user name. From the example above, DEMO\Broberts becomes simply Broberts.
$(SourceAppLogin:ReplaceBackslashWithDot) – This element retains the domain name with
the user name but replaces the slash with a dot. From the example above, DEMO\Broberts
becomes DEMO.Broberts. Use this variable when a name is required that will not be interpreted
as a path for creating directories.
$(Username) – This is the name of the target account. From the example above, SA.
$(AccountName_FullyQualified) – Building on the $(Username) variable, this will pre-pend the
domain prefix to the account name, if applicable.
$(Password) – The regex escaped password (for example, pass\"word).
$(Password_Raw) – The raw un-escaped password.
$(RemoteAccessTarget_TargetName) – The target host to which the application will connect.
$(LauncherPath) – The path to the application launcher.
$(SessionID) – The GUID for the launcher link.
$(PrivateKey) – The file path for the DER encoded private key (if available).
$(PrivateKeyPassphrase) – The pass phrase, if present for $(PrivateKey).
$(PuttyKey) – The file path for the putty encoded private key (if available).
These variables are used in line and replaced by ERPM at the time the application is launched. For
example, if in the website the user were to go to the SQL Server database instance on a server
called DB2012 and connect with the built-in (and managed) SA account, the command-line syntax
would be:
-S $(RemoteAccessTarget_TargetName) -U $(Username) -P $(Password) -nosplash
The switches (-S, -U, and -P) belong to the SSMS.EXE executable, not to ERPM. The values of
$(RemoteAccessTarget_TargetName), $(Username), and $(Password) would be replaced by the
name of the server (DB2012), the name of the account (SA), and the password for SA respectively.
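The variable substitution described in this section, together with the $(SessionID) file name template from the session recorder settings, as an added Python example that is not ERPM's own code. The variable and modifier names are the ones listed above; the escaping applied to $(Password) is an assumption modelled on the pass\"word example, and the sample password and session ID are constructed.

```python
"""$(Variable) and $(Variable:Modifier) substitution for ERPM-style launch
templates.

Added illustration, not ERPM's own code. It models the variables listed in
the manual (UserEnteredLoginUsername, SourceAppLogin, Username,
AccountName_FullyQualified, Password, Password_Raw,
RemoteAccessTarget_TargetName, SessionID) and the two modifiers. The
escaping applied to $(Password) is an assumption: the manual only shows
pass\"word, so backslashes and double quotes are backslash-escaped here.
"""
import re
from typing import Callable, Dict, Optional

# Matches $(Name) or $(Name:Modifier), e.g. $(SourceAppLogin:RemoveNTSyleNamespace)
VARIABLE_RE = re.compile(
    r"\$\((?P<name>[A-Za-z_][A-Za-z0-9_]*)(?::(?P<mod>[A-Za-z]+))?\)"
)


def remove_nt_style_namespace(value: str) -> str:
    """DEMO\\Broberts -> Broberts: drop the domain prefix."""
    return value.rsplit("\\", 1)[-1]


def replace_backslash_with_dot(value: str) -> str:
    """DEMO\\Broberts -> DEMO.Broberts: keep the domain, but the result can
    no longer be interpreted as a path when used to name a directory."""
    return value.replace("\\", ".")


# Modifier names spelled exactly as the manual lists them.
MODIFIERS: Dict[str, Callable[[str], str]] = {
    "RemoveNTSyleNamespace": remove_nt_style_namespace,
    "ReplaceBackslashWithDot": replace_backslash_with_dot,
}


def escape_password(raw: str) -> str:
    """Assumed escaping for $(Password); $(Password_Raw) is the unescaped value."""
    return raw.replace("\\", "\\\\").replace('"', '\\"')


def build_variables(web_login: str, target_host: str, account: str,
                    password: str, session_id: str,
                    account_domain: Optional[str] = None) -> Dict[str, str]:
    """Assemble the variable table for one launch (the DEMO\\Broberts / DB2012 / SA scenario)."""
    fully_qualified = f"{account_domain}\\{account}" if account_domain else account
    return {
        "UserEnteredLoginUsername": web_login,
        "SourceAppLogin": web_login,  # same value as UserEnteredLoginUsername
        "Username": account,
        "AccountName_FullyQualified": fully_qualified,
        "Password": escape_password(password),
        "Password_Raw": password,
        "RemoteAccessTarget_TargetName": target_host,
        "SessionID": session_id,
    }


class UnknownVariableError(KeyError):
    """Raised for a variable or modifier the table does not define."""


def expand(template: str, variables: Dict[str, str]) -> str:
    """Replace every $(...) in template. Unknown names raise instead of being
    passed through, so a typo such as $(Passwrod) cannot reach the command
    line as a literal."""
    def substitute(match: "re.Match[str]") -> str:
        name, mod = match.group("name"), match.group("mod")
        if name not in variables:
            raise UnknownVariableError(name)
        value = variables[name]
        if mod is not None:
            if mod not in MODIFIERS:
                raise UnknownVariableError(f"{name}:{mod}")
            value = MODIFIERS[mod](value)
        return value
    return VARIABLE_RE.sub(substitute, template)


# The SSMS command line from the manual and the default recording file name template.
SSMS_COMMAND_LINE = "-S $(RemoteAccessTarget_TargetName) -U $(Username) -P $(Password) -nosplash"
RECORDING_NAME_TEMPLATE = "SessionRecording-$(SessionID)"


def demo_scenario() -> Dict[str, str]:
    """The manual's scenario with a constructed password and session ID."""
    variables = build_variables("DEMO\\Broberts", "DB2012", "SA", 'pass"word',
                                "0f0a1c2e-constructed-session-id")
    return {
        "ssms": expand(SSMS_COMMAND_LINE, variables),
        "recording": expand(RECORDING_NAME_TEMPLATE, variables),
        "short_user": expand("$(UserEnteredLoginUsername:RemoveNTSyleNamespace)", variables),
        "dotted_user": expand("$(SourceAppLogin:ReplaceBackslashWithDot)", variables),
    }


if __name__ == "__main__":
    for key, value in demo_scenario().items():
        print(f"{key}: {value}")
```

Failing closed on an unknown variable is the design choice worth copying: a template that silently passes "$(Passwrod)" through to the launched program leaks nothing, but it also launches with a wrong argument, which is harder to notice than an error at launch time.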
4.7.4 Maintaining Application Launching Scripts
As a courtesy to our customers, updated scripts that support common online business applications
are periodically made available. This section describes how to download and install those files, and
keep the script directory in sync across multiple launchers if script updates are required.
To Install New Application Launching Scripts
1) Download updated scripts from the Enterprise Random Password Manager product download
page:
https://liebsoft.com/products/enterprise_random_password_manager/product-download/
Scripts are distributed as a single .zip archive file.
2) Customize the scripts as needed and test that they work.
Scripts are generic and may need to be customized to work in your environment. See Variables
for App Launching (on page 146) for additional information.
3) Copy updated and customized automation scripts to the WebAutomation location. Be sure to
also copy scripts to any secondary launchers.
To verify that you are copying scripts to the correct location, see "To Verify the Script Launch
Path Configured on Your Remote Application Server" later in this section.
The following table lists the default file installation locations.
Application Launcher File(s)                              Default installation location
Application launcher files to be installed on a bastion   %ProgramFiles(x86)%\Lieberman\Roulette\LaunchApp
host (LiebSoftLauncher.exe)
The automation scripts                                    %ProgramFiles(x86)%\Lieberman\Roulette\LaunchApp\WebAutomation
Note: If you add your own compiled scripts to the WebAutomation folder, the defined
login account must be able to read and execute the scripts.
To Verify the Script Launch Path Configured on Your Remote Application Server
1) In the management console, choose Settings > Manage Web Application > Application Launch.
2) Click the Remote Servers tab.
3) Select the remote application server and click Edit.
The "Remote Application Server Configuration" dialog opens.
4) Refer to the [Script Launch] Path to script files field to view the path.
4.7.5 Multi-Tab Support
Many administrative tools support several connections to target systems from one tool window,
implemented either as separate tabs (as in SecureCRT) or as branches in a tree-view navigation
pane (as in Microsoft SQL Management Studio).
The following shows SecureCRT with two connections.
The following shows SQL Management Studio with two servers.
These applications can use different credentials for each target system connection. However, some
applications have limitations when using multiple tabs or branches. For example, it is possible to use
integrated Windows authentication to connect SQL Management Studio to some MS SQL servers,
while others require an explicit SQL account using SQL authentication. In the case of SQL
Management Studio, when the tool is launched using integrated Windows authentication, it is not
possible to re-use the existing instance of the tool. However, if one connection uses integrated
authentication and the secondary connections use SQL authentication, or if all connections use SQL
authentication, then you can re-use the currently running instance.
ERPM supports this functionality using the Multi-tab Configuration window in the Remote
Application Configuration dialog.
If multi-tab is not used, when a user launches a tool like SecureCRT or SQL Management Studio, it
establishes one session on the Application Launch Server and one instance of the application in that
session. This is a more secure scenario as it segregates the data and session information so it cannot
be shared within the tool and any systems the user may be accessing.
The trade-off is that a secondary launch of the same tool, just to a new system, will cause a second
session to be created, which can be slow and will consume more resources.
If multi-tab is used, when a user launches a tool such as SecureCRT or SQL Management Studio, it
establishes one session on the Application Launch Server, and one instance of the application in that
session. Then, when a user launches the same tool again to connect to another system, it re-uses
the existing session and simply adds a tab or another tree to the tool. This reduces resource
consumption on the Application Launch Server host and can speed up the use of the tool. The
trade-off is that the application can now share information from all servers with anything it is
connected to. Consider launching a web application to your company's Twitter feed, logging in, and
then launching a new tab to another site that has been compromised. Now the cache and
in-memory information is available to all tabs in the browser.
4.7.6 Multi-Tab Support Configuration
To configure multi-tab support, first establish the Application Launch Server and basic application
settings as previously described in the Configure Applications for Launching section.
Note: Multi-tab is only supported when launching from the Application Launch Server(s).
Enable the Application supports multi-tab option on the left side of the Remote Application
Configuration dialog, then click the ellipsis (...) button.
Click Add in the lower left corner of the dialog.
Fill out all the information on the Multi-tab Configuration dialog.
Multi-tab configuration label is a label that will be shown in the Multi-tab configuration
selection drop down list in the Remote application configuration window. The name should be
indicative of the multi-tab application settings being used.
Multi-tab automation local executable path is the path to a compiled AutoIT script which is able
to open a new tab or establish a connection to a new target system.
Automation executable arguments are specific to the new-tab executable. Usually the process ID
is used to find the HWND (handle to a window) of the application window, and the target system
is passed so that the application can open the new connection. If integrated Windows
authentication is used in this case, user name and password are not needed.
Allow this multi-tab automation for existing application launches by EXE name controls how a
previously launched application instance is detected. If it is unchecked, only instances of the
applications for which this multi-tab configuration is selected are treated as previously launched.
In the example of using SQL Management Studio, there are two different application configurations:
one for Integrated Windows Authentication and another for SQL Server authentication. Both
scenarios use the same executable, ssms.exe. In the case of the multi-tab configuration for
Integrated Windows Authentication, where different Windows accounts are used to connect to
target database servers, the option Allow this multi-tab automation for existing application
launches by EXE name should be unchecked, because it is impossible to connect to a second MS
SQL server through the existing ssms.exe instance using integrated Windows authentication if the
SSMS process was initially launched as another user. In this case the automation executable
arguments will be similar to this:
$(RemoteAccessTarget_TargetName) nouser nopasswords $(ProcessID)
ProcessID is the ID that will be used to reuse the currently running executable.
In the SQL Management Studio case where SQL Authentication is being used or similar types of
connections, the option to Allow this multi-tab automation for existing application launches by
EXE name can be selected. In this case the automation executable arguments will be similar to this:
-S $(RemoteAccessTarget_TargetName) -U $(Username) -P $(Password_Raw)
In the commands above, $(RemoteAccessTarget_TargetName), $(Username), and
$(Password_Raw) are standard ERPM variables. $(ProcessID) is a variable that returns the PID of
the initially launched application. The nouser and nopasswords values are "fake" placeholder
values for the user name and password arguments; because IWA is used, user name and password
arguments are not needed.
SSMSNewTabIwa.exe and SSMSNewTabSql.exe are compiled AutoIT scripts used to interact with
SQL Management Studio to open new connections that use Integrated Windows Authentication or
SQL authentication respectively. The listing of these scripts is below. Users may create their own
AutoIT scripts, or Lieberman Software will provide the scripts.
Click OK when finished. Then select the appropriate multi-tab configuration settings for the target
application.
Multi-tab scripts have been compiled for the following applications:
RunAs and wait until process finishes = RunAsWait
DHCP Manager = RunDHCP
DHCP Manager = RunDHCPNewTab
DNS Manager = RunDNS
DNS Manager = RunDNSNewTab
File Server Resource Manager = RunFSRM
Hyper-V Manager = RunHyperV
Hyper-V Manager = RunHyperVNewTab
MS Terminal Services = RunMstsc
Network File Services Management = RunNFSMGMT
Performance Monitor = RunPERFMON
Server Manager = RunServerManager
Storage Explorer = RunStorageExplorer
Storage Manager = RunStorageMgmt
Task Scheduler = RunTaskScheduler
Run process and wait until finished = RunWait
WBAdmin (Backup) = RunWBADMIN
WINS Manager = RunWINS
WINS Manager = RunWINSNewTab
SecureCRT = ARM_SCRTStart
SecureCRT = SCRTNewTabSSH2
SecureCRT = SCRTNewTabTELNET
SecureCRT = SCRTStart
SQL Mgmt Studio = SSMSNewTabIwa
SQL Mgmt Studio = SSMSNewTabSql
A simple test script = TestParams
Remote Desktop = UnlockMstsc
Remote Desktop for ARM = UnlockMstscARM
4.7.6.1 MULTI-TAB AUTOIT SCRIPT EXAMPLES
SSMSNewTabIwa.au3
#include <MsgBoxConstants.au3>
; Arguments passed by ERPM: <system name> <user name> <password> <PID of the running SSMS>
; For the IWA case the user name and password are the placeholder values nouser / nopasswords.
Local $paramCount = $CmdLine[0]
Local $systemName = $CmdLine[1]
Local $domainUserName = $CmdLine[2]
Local $password = $CmdLine[3]
Local $ssmsPid = $CmdLine[4]
If $paramCount = 4 Then
    openNewTab($ssmsPid, $systemName, $domainUserName, $password)
EndIf
; $p_domainUserName and $p_password are unused with IWA; both scripts take the same four arguments.
Func openNewTab($p_ssmsPid, $p_systemName, $p_domainUserName, $p_password)
    Opt("WinTitleMatchMode", 2) ; match any window whose title contains the text
    Local $ssmsWindows = WinList("Microsoft SQL Server Management Studio")
    For $i = 1 To $ssmsWindows[0][0]
        ; Only drive the SSMS instance whose PID ERPM passed as $(ProcessID)
        If $p_ssmsPid = WinGetProcess($ssmsWindows[$i][1]) Then
            Local $delay = 5 ; milliseconds between keystrokes
            WinActivate($ssmsWindows[$i][1])
            WinWaitActive($ssmsWindows[$i][1])
            Send('!f') ; Alt+F opens the File menu
            Sleep($delay)
            Send('e')
            Sleep($delay)
            Send('+{TAB}')
            Sleep($delay)
            Send('+d')
            Sleep($delay)
            Send('{TAB}')
            Sleep($delay)
            Send($p_systemName) ; server name field
            Sleep($delay)
            Send('{TAB}')
            Sleep($delay)
            Send('+w') ; Windows Authentication
            Sleep($delay)
            Send('{ENTER}') ; Connect
        EndIf
    Next
EndFunc
SSMSNewTabSql.au3
#include <MsgBoxConstants.au3>
; Arguments passed by ERPM: <system name> <SQL login> <password> <PID of the running SSMS>
Local $paramCount = $CmdLine[0]
Local $systemName = $CmdLine[1]
Local $domainUserName = $CmdLine[2]
Local $password = $CmdLine[3]
Local $ssmsPid = $CmdLine[4]
If $paramCount = 4 Then
    openNewTab($ssmsPid, $systemName, $domainUserName, $password)
EndIf
Func openNewTab($p_ssmsPid, $p_systemName, $p_domainUserName, $p_password)
    Opt("WinTitleMatchMode", 2) ; match any window whose title contains the text
    Local $ssmsWindows = WinList("Microsoft SQL Server Management Studio")
    For $i = 1 To $ssmsWindows[0][0]
        ; Only drive the SSMS instance whose PID ERPM passed as $(ProcessID)
        If $p_ssmsPid = WinGetProcess($ssmsWindows[$i][1]) Then
            Local $delay = 5 ; milliseconds between keystrokes
            WinActivate($ssmsWindows[$i][1])
            WinWaitActive($ssmsWindows[$i][1])
            Send('!f') ; Alt+F opens the File menu
            Sleep($delay)
            Send('e')
            Sleep($delay)
            Send('+{TAB}')
            Sleep($delay)
            Send('+d')
            Sleep($delay)
            Send('{TAB}')
            Sleep($delay)
            Send($p_systemName) ; server name field
            Sleep($delay)
            Send('{TAB}')
            Sleep($delay)
            Send('+s') ; SQL Server Authentication
            Sleep($delay)
            Send('{TAB}')
            Sleep($delay)
            Send($p_domainUserName) ; login field
            Sleep($delay)
            Send('{TAB}')
            Sleep($delay)
            Send($p_password) ; password field
            Sleep($delay)
            Send('{ENTER}') ; Connect
        EndIf
    Next
EndFunc
4.8 CONFIGURE APPLICATION SETS
Application sets are simply pre-defined collections of applications to launch. They can be created to
group types of applications together, such as DB management products or remote terminal
products, or they can be created based on job duties.
To Create an Application Set
1) Open the ERPM console and choose Settings > Manage Web Application > Application Launch.
The "Launch Application with Credentials Settings" dialog opens.
2) Click App Sets on the Applications tab.
The "Remote Application Sets" dialog opens.
3) Click Add Set in the lower-left corner, supply a proper name, then click OK and the new list will
be added to the dialog.
4) To add applications to the application set, right-click the application set and select Add
applications to set.
The "Remote Applications" dialog opens.
5) Select all the desired applications then click OK.
To view the applications added to an application set, expand the application set.
Once application sets are defined, in order for users who do not have "All Access" privileges to be
able to use the groupings, application set permissions must be defined in addition to the application
permissions.
To Define Application Permissions
When the user does not have "All Access" privileges, additional permissions are required to launch a
specific application. Use the management console to define these permissions.
1) Open the management console and choose Delegation > Web Application Remote Application
Permissions.
The "Web Application Remote Application Permissions" dialog opens.
2) Click Add in the lower-left corner.
The "Select Enrolled Identities" dialog opens.
3) Select an available identity, click OK, then select one or more applications that the user can
launch.
To Define Application Set Permissions
1) Open the management console and choose Delegation > Web Application Remote Application
Set Permissions.
2) Click the Add button, select the identity that will have permissions to an application set, and
click OK.
3) Select from the available application sets, then click OK again.
A prompt will appear to use a shadow account. (See Shadow Accounts (on page 168) for details.)
4) If a Shadow Account will be used, click Yes and continue to supply the required information,
otherwise, click No.
After the shadow account prompt, another prompt will appear asking whether there will be system restrictions.
5) If there will be system restrictions for these applications, click Yes and continue to supply the
required information; otherwise, click No.
When the user goes to the website, they will be able to select from among the available
application set filters when attempting to launch an application.
4.9 SHADOW ACCOUNTS
Shadow accounts allow a user to connect to a system with a specific app and choose from among
one or more accounts to connect with. Consider the normal paradigm where a user must go to the
Managed Passwords Area and find the target system and local account for the application to connect
with. While this works for many scenarios, it is not very flexible and it does not address the need to be
able to connect with domain or directory accounts to other systems or applications. This is
specifically what shadow accounts do.
With a shadow account, a user will go to the system or application in question in the systems view
of ERPM and choose to launch an application. An available list of applications will be presented to
the user and the user can determine which account, local or central (domain or directory) to
connect with to the system or application.
To use shadow accounts requires the View Systems and Allow Remote Sessions global delegation
permission. Once permissions are granted, additional configuration to map shadow accounts must
be performed.
Shadow accounts are first mapped and then associated with application permissions, even when a
user has All Access. To use Shadow Accounts, a per application rule must be established for the
target user. To establish shadow accounts mappings go to Delegation > Web Application Identity to
Shadow Account Mappings. This dialog will show any existing mappings. To add a new mapping,
click the Add Mapping button in the lower left corner of the dialog.
Select the target identity from the list of available identities, then click OK.
Select from the available [previously] managed/stored identities in ERPM and click OK. The new
mappings will now be in the list of available mappings.
Click OK to close the Shadow Account Mappings dialog.
Next add the application permissions. Go to Delegation > Web Application Remote Application
Permissions.
Click Add in the lower left corner of the Remote Application Permissions dialog to add a new
application permission. The first dialog to appear will be for the identity that will be granted the
permissions to use an application with a shadow account. Select the identity then click OK.
Next a list of remote applications will be presented to the user. Select the target application(s) that
will be established for the user then click OK.
ERPM will then prompt to use a Shadow Account. Click Yes to assign one or more shadow accounts
that the target user may use when launching the specified application.
Based on the selected user, a list of available corresponding mappings will be presented. Select the
mapping(s) that should be configured for the target user and selected applications, then click OK.
ERPM will then prompt to restrict the application permissions and configured shadow account
mappings to specific management sets. To restrict the applications and/or shadow account
mappings to specific lists of systems, click Yes. Otherwise, click No.
If Yes was selected, then a list of management sets will be presented.
Select from the desired management set(s) and click OK.
The new mapping will be presented in the Web Application Remote Application Permissions dialog.
Any undesired mappings may be deleted or reports may be generated from this page.
To use the mappings, the user must go to the Systems view in the ERPM web page (View systems
permission required).
Click Launch App next to the desired target system. If Launch App is not visible, the user either
lacks the Allow Remote Sessions permission or has no Shadow Account Mapping present.
The user will be able to select from among the applications and launch accounts to launch the
application.
Chapter 5
Using Application Launching
IN THIS CHAPTER
Setting User Permissions to Launch Applications ................................. 179
Using the Application Launcher ............................................................ 180
5.1 SETTING USER PERMISSIONS TO LAUNCH APPLICATIONS
To launch an application a user must have one of the following sets of permissions:
All Access, or
View accounts, Allow Remote Sessions, and permissions for the specific application being
launched
To Set Permission to Launch Applications
To define the additional permissions that are required to launch a specific application if a user does
not have All Access permissions, do the following:
1) Open the ERPM management console and choose Delegation > Web Application Remote
Application Permissions.
2) Click Add in the lower left corner, then select an available identity.
3) Click OK, then select one or more applications the user can launch.
5.2 USING THE APPLICATION LAUNCHER
There are two types of application launching in ERPM:
Launching with variable account and system information
Launching with pre-defined account and system information
The difference in app configuration is the option in the lower right corner of the application
definition that says to always use the specified account. If the option is selected, the
application will appear in the applications portion of the website. If the option is not selected, the
user must go to the Launch App section next to the system/account they wish to use to connect.
To Launch an App as a Pre-Configured Application
To launch an application that has been pre-configured for a specific account and target, such as a
company's Twitter or Facebook page, the user will click the Operations > Applications link, then
click on the application to launch. Only applications that are pre-configured to always launch as a
specific user and that the logged-in user has access to will be shown on this page. If an application is
not shown, at least one of the following is the cause:
The user has no permission to launch an application
There are no apps configured to always run as a specific user
To Launch an App Using Variable Target and Account Information
Once the target system and account to connect as are located in the Passwords > Managed
Password section of the website, click the play button.
All applications available to the user for the specific account type will then be shown. If the RDP icon
appears at the right edge of the black title bar, that indicates the application is configured to launch
via the Application Launch Server. If the camera icon appears at the right edge of the black title bar,
that indicates the session will be recorded.
To launch the application, click Launch. What happens next will depend on whether the application
is configured to launch locally or from an Application Launch Server, and whether or not the user
has performed this process previously. If connecting via an Application Launch Server, the system
will initiate a series of calls to the Application Launch Server and the LiebsoftLauncher on that host.
This will be visible to the user. If the user has not previously launched an app from the
machine/profile that they are currently logged into, they will likely receive a couple of security
prompts. Use the filter options at the top of the page to search for applications, show only a set of
applications, or change the layout of application launcher page.
Each application also has an Advanced launch configuration. Clicking the gear icon will allow the
interactive user to specify alternate credentials to connect to the target system as. These could be
static credentials or they could be other credentials stored in ERPM (if the user has the rights to
retrieve the password). Generally, it will not be necessary to manipulate the advanced settings.
Chapter 6
Auditing Application Launching
Once any sessions have been recorded, users with access to the auditing section of the ERPM
website will be able to play back any recorded sessions that exist. Such recorded sessions will be
visible in the ERPM auditing section with a camera icon next to their audit entry.
Simply click on the camera icon to play back the recorded sessions.
The session properties page will identify user, IP address, time stamp information and more. To
play back the recording, simply choose the desired recording and click Play Recording.
The video will open in the system's preferred media player and begin streaming automatically.
Index
A
ADDING APPLICATION LAUNCHING SCRIPTS • 139
APPLICATION LAUNCHER AND SESSION RECORDING INSTALLATION OVERVIEW • 14
APPLICATION LAUNCHER AND SESSION RECORDING INSTALLATION PREREQUISITES • 17
APPLICATION LAUNCHER AND SESSION RECORDING INSTALLATION PREREQUISITES • 19
AUDITING APPLICATION LAUNCHING • 185
B
BACKGROUND AND GOALS • 6
C
CONFIGURE AN APPLICATION LAUNCH SERVER LOGON ACCOUNT • 95
CONFIGURE AN APPLICATION LAUNCH SERVER LOGON ACCOUNT • 96
CONFIGURE APPLICATION SETS • 162
CONFIGURE APPLICATIONS FOR LAUNCHING • 95
CONFIGURE APPLICATIONS FOR LAUNCHING • 139
CONFIGURE SESSION RECORDING SETTINGS • 132
CONFIGURE THE APPLICATION LAUNCH SERVER HOST • 95
CONFIGURE THE APPLICATION LAUNCH SERVER HOST • 130
CONFIGURE THE APPLICATION LAUNCH SERVER SETTINGS • 95
CONFIGURE THE APPLICATION LAUNCH SERVER SETTINGS • 125
CONFIGURE THE ERPM WEB CLIENT FOR SESSION PLAYBACK • 136
CONFIGURE THE WEB LAUNCHER SETTINGS • 95
CONFIGURE THE WEB LAUNCHER SETTINGS • 122
CONFIGURING APPLICATION LAUNCHING AND SESSION RECORDING • 95
CONFIGURING ERPM TO LAUNCH APPLICATIONS • 140
CONFIGURING REMOTE APP FOR SERVER 2008 R2 • 83
CONFIGURING REMOTE APP FOR SERVER 2012 (R2) • 77
I
INSTALLING DESKTOP EXPERIENCE FOR SERVER 2008 R2 • 49
INSTALLING DESKTOP EXPERIENCE FOR SERVER 2012 (R2) • 45
INSTALLING ON THE APPLICATION LAUNCH SERVER • 65
INSTALLING ON THE TRANSCODER HOST • 54
INSTALLING REMOTE DESKTOP SERVICES FOR SERVER 2008 R2 • 35
INSTALLING REMOTE DESKTOP SERVICES FOR SERVER 2012 (R2) • 20
INSTALLING THE APPLICATION LAUNCHER AND SESSION RECORDING FEATURES • 13
INTRODUCTION • 5
L
LICENSE AGREEMENT • 8
LIMITED WARRANTY • 8
M
MAINTAINING APPLICATION LAUNCHING SCRIPTS • 147
MULTI-TAB AUTOIT SCRIPT EXAMPLES • 158
MULTI-TAB SUPPORT • 149
MULTI-TAB SUPPORT CONFIGURATION • 153
O
OVERVIEW • 5
S
SETTING USER PERMISSIONS TO LAUNCH APPLICATIONS • 179
SHADOW ACCOUNTS • 167
SHADOW ACCOUNTS • 168
STEP 1. INSTALL REMOTE DESKTOP SERVICES • 20
STEP 2. INSTALL DESKTOP EXPERIENCE • 45
STEP 3. INSTALL THE APPLICATION LAUNCHER AND SESSION RECORDING FEATURE • 54
STEP 4. SET UP RDS FOR APPLICATION LAUNCHING • 77
STEP 5. SET UP STREAMING MEDIA SERVICES • 88
STEP 6. CONFIGURE IIS TO HOST RECORDED SESSIONS • 93
U
UNDERSTANDING SESSION RECORDING • 10
USING APPLICATION LAUNCHING • 179
USING THE APPLICATION LAUNCHER • 180
V
VARIABLES FOR APP LAUNCHING • 145, 146, 148