Application Launching & Session Recording

Transcription

1 [Enterprise] Random Password Manager Application Launching & Session Recording

2 Copyright Lieberman Software Corporation. All rights reserved. The software contains proprietary information of Lieberman Software Corporation; it is provided under a license agreement containing restrictions on use and disclosure and is also protected by copyright law. Reverse engineering of the software is prohibited. Due to continued product development this information may change without notice. The information and intellectual property contained herein is confidential between Lieberman Software and the client and remains the exclusive property of Lieberman Software. If there are any problems in the documentation, please report them to Lieberman Software in writing. Lieberman Software does not warrant that this document is error-free. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise without the prior written permission of Lieberman Software. Microsoft, Windows, Word, Office, SQL Server, SQL Express, Access, MSDE, and MS-DOS are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other brands and product names are trademarks of their respective owners. Lieberman Software Corporation 1900 Avenue of the Stars Suite 425 Los Angeles CA Internet support@liebsoft.com Website:

3 iii CONTENTS INTRODUCTION...5 License Agreement... 5 Limited Warranty... 6 Overview... 7 Background and Goals... 8 PRE-REQUISITES...9 INSTALLING APPLICATION LAUNCHER AND SESSION RECORDING WITH A BASTION HOST Installing Remote Desktop Services...12 Installing Remote Desktop Services for Server 2012 (R2)...12 Installing Remote Desktop Services for Server 2008 R Installing Desktop Experience...37 Installing Desktop Experience for Server 2012 (R2)...37 Installing Desktop Experience for Server 2008 R Installing Application Launcher and Session Recording On the Transcoder Host On the Bastion Host Setting up RDS for Application Launching...70 Configuring Remote App for Server 2012 (R2)...70 Configuring Remote App for Server 2008 R Setting Up Streaming Media Services Configuring IIS to Host Recorded Sessions...86 CONFIGURING APPLICATION LAUNCHING Configuring a Bastion Host Login Account...89 Configure ERPM Web Settings Configure a Bastion Host Object Configure a Session Recording Host Object Configure ERPM Website for Session Playback Configure Applications for Launching Variables for App Launching USING APPLICATION LAUNCHING AUDITING APPLICATION LAUNCHING INDEX

4

5 5 INTRODUCTION This manual makes reference to both Random Password Manager (RPM) and Enterprise Random Password Manager (ERPM). The concepts and steps outlined in this manual are applicable to both ERPM and RPM except as where expressly noted. This chapter includes an overview of ERPM and RPM, what problems it is designed to solve, performance information, expected pre-requisite knowledge, and some background information on Windows. This chapter also includes the license and warranty information for ERPM and RPM. IN THIS CHAPTER License Agreement... 5 Limited Warranty... 6 Overview... 7 Background and Goals... 8 LICENSE AGREEMENT This is a legal and binding contract between you, the end user, and Lieberman Software Corporation. By using this software, you agree to be bound by the terms of this agreement. If you do not agree to the terms of this agreement, you should return the software and documentation as well as all accompanying items promptly for a refund. 1. Your Rights: Lieberman Software Corporation hereby grants you the right to use a single copy of [Enterprise] Random Password Manager to control the licensed number of systems and/or devices. 2. Copyright. The SOFTWARE is owned by Lieberman Software Corporation and is protected by United States copyright law and international treaty provisions. Therefore, you must treat the software like any other copyrighted material (e.g. a book or musical recording) except that you may either (a) make one copy of the SOFTWARE solely for backup and archival purposes, or (b) transfer the SOFTWARE to a single hard disk provided you keep the original solely for backup and archival purposes. The manual is a copyrighted work also--you may not make copies of the manual for any purpose other than the use of the software. 3. Other Restrictions: You may not rent or lease the SOFTWARE. You may not reverse engineer, de-compile, or disassemble the SOFTWARE that is provided solely as executable programs (EXE files). the SOFTWARE is an update, any transfer must include the update and all prior versions. If

6 Introduction 6 4. Notice: This software contains functionality designed to periodically notify Lieberman Software Corporation of demo usage and of the detection of suspected pirated license keys. By using this software, you consent to allow the software to send information to Lieberman Software Corporation under these circumstances, and you agree to not hold Lieberman Software Corporation responsible for the use of any or all of the information by Lieberman Software Corporation or any third party. When used lawfully, this software periodically transmits to us the serial number and network identification information of the machine running the software. No personally identifiable information or usage details are transmitted to us in this case. The program does not contain any spyware or remote control functionality that may be activated remotely by us or any other 3rd party. Lieberman Software Corporation 1900 Avenue of the Stars Suite 425 Los Angeles CA Internet support@liebsoft.com Website: LIMITED WARRANTY The media (optional) and manual that make up this software are warranted by Lieberman Software Corporation to be free of defects in materials and workmanship for a period of 30-days from the date of your purchase. If you notify us within the warranty period of such defects in material and workmanship, we will replace the defective manual or media. The sole remedy for breach of this warranty is limited to replacement of defective materials and/or refund of purchase price and does not include any other kinds of damages. Apart from the foregoing limited warranty, the software programs are provided "AS-IS", without warranty of any kind, either expressed or implied. The entire risk as to the performance of the programs is with the purchaser. Lieberman Software does not warrant that the operation will be uninterrupted or error-free. Lieberman Software assumes no responsibility or liability of any kind for errors in the programs or documentation of/for consequences of any such errors.

7 Introduction 7 This agreement is governed by the laws of the State of California. Should you have any questions concerning this Agreement, or if you wish to contact Lieberman Software, please write: Lieberman Software Corporation 1900 Avenue of the Stars Suite 425 Los Angeles CA You can also keep up to date on the latest upgrades via our website at or us at: sales@liebsoft.com. OVERVIEW This manual makes reference to both Random Password Manager (RPM) and Enterprise Random Password Manager (ERPM). The concepts and steps outlined in this manual are applicable to both ERPM and RPM except as where expressly noted. Random Password Manager is designed to randomize and store the passwords for accounts on target systems on a regular recurring basis. Because these passwords are stored and managed by the program, they can be retrieved via a delegated web interface. Access to the password store as well as other web interface features can be limited to specific Windows groups, Windows users, or explicit accounts. Enterprise Random Password Manager builds on the concepts introduced with Random Password Manager by automatically discovering all references to the specified account, such as services, tasks, COM and DCOM objects, and more, and following a password change for a users account, whether domain or local, propagating the new password to all those references. ERPM/RPM provide more functionality beyond password management, password vaulting, and session management. ERPM/RPM also provide for: Account escalation - the ability to add a user to a pre-defined group with higher privileges than the user would normally have on a target system and then automatically remove that access. Secure file storage - the ability to upload and store as an encrypted data blob in the programs secure data store, any file such as password spread sheets, digital certificates, instructions, and more. After the files are uploaded, an ACL system identifies what users will be able to retrieve the files while auditing access to the files. Orchestration - ERPM can run headless; being controlled programmatically. This permits tight integration in other systems such as work-flow engines, run book orchestration for user and system provisioning and de-provisioning, programmatic access to almost all functions, and much more. This

8 Introduction 8 control os provided via SOAP based web services and PowerShell. User's may tie into ERPM using any program or language which can call the web service or PowerShell. Privileged Account Management - providing session based control to privileged accounts to run specific programs against specific hosts. Via the optional bastion server model, any program, website, script, etc., may be run in a controlled and secured environment to allow users from network access to specific systems or other trusted or untrusted networks using specific tools with specific feature sets. This allows access to the tool set need to get a job done without providing direct physical access or access to the credential. Session Recoding - building on the concept of privileged account management, when using the optional bastion host, these sessions can be recorded for later playback and auditing of the user actions that took place during a user's session. This further helps to comply with auditing mandates as well as training procedures. BACKGROUND AND GOALS The Need for Strong Local Credentials Organizations with a need for the most basic access security should use unique local logon credentials customized for each workstation and server in their environment. Unfortunately, most organizations use common credentials (same user name and password for the built-in administrator account) for each system for the ease of creating and managing those systems by the IT Department without any concern as to the consequences to the organization should these common credentials be compromised. With the mandates of PCI-DSS, Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, California Security Breach Information Acts, NASD 3010, SEC 17a-4, 21 CFR Part 11, DoD and others, the implementation of reasonably hard to compromise local logon credentials is mandatory for most organizations as a means for protecting not only the confidentiality of their data, but also to protect against tampering. Creating Strong Local Credentials Lieberman Software s program: ERPM and RPM can change any common account on all workstations and servers in just a few minutes without the need for scripts or any other type of program. The new common credentials can be stored in a local or remote SQL Server database and can be recovered on demand using the password recovery website. Random Password Manager can be configured to regularly change the passwords of common accounts on all target systems (i.e. workstation built-in administrator account) according to a schedule so that each account receives a fresh cryptographically strong password regularly. This product feature protects the overall security of an organization so that the compromise of a single machine s local administrator password does not lead to the total compromise of the entire organization s security.

9 Pre-requisites 9 Enterprise Random Password Manager builds on the concepts introduced with Random Password Manager by automatically discovering all references to the specified account, such as services, tasks, COM and DCOM objects, and more, and following a password change for a users account, whether domain or local, propagating the new password to all those references. Delegated Password Recovery ERPM and RPM also contains a web interface to allow the remote recovery of passwords. The web interface is web application comprised of ASP and ASP.NET web pages that allows any user with the appropriate group memberships the right to use the application as well as the right to recover passwords for accounts managed by the program. All access to the web application as well as all password recoveries are logged and the history is also available via the same web interface to authorized users. Because this application protects and provides extremely sensitive information, it is essential that particular attention be payed to the security settings of the application and also use appropriate encryption such as SSL based on the scope of access provided. For more information on security hardening, please refer to the proposed options for server hardening: PRE-REQUISITES ng-guide.html. Windows Server operating system for bastion host and session recording: Windows Server 2012 R2 (recommended) Windows Server 2012 Windows Server 2008 R2 It is highly recommended for all servers in the ERPM system to be fully patched. Note: Earlier versions of Windows Server are not supported. Windows workstation platforms are not supported for hosting the application launcher. The following items will be required for application launching and session recording:

10 Pre-requisites 10 Remote Desktop Session Host server role.* Desktop Experience if using session recording. Existing ERPM installation and installed files (SupplementalInstallers directory) ERPM Web Service installed with SSL and no certificate errors and accessible from the bastion host. If using self-signed certificates, the certificate from the issuing web server should be added to the Trusted Root Certification Authorities on the machines hosting the Web Service, Bastion Host, and client systems. Dot Net framework 4.x on bastion and transcoder hosts. Dot Net framework 4.x on machines connecting to run an application. * Microsoft Remote Desktop Services (RDS) will require additional licensing be purchased from Microsoft.

11 11 INSTALLING APPLICATION LAUNCHER AND SESSION RECORDING WITH A BASTION HOST The following sections outline the steps to prepare for and install the Lieberman Software Application Launcher and optional session recording components. Application Launching is an add-on for ERPM. Application Launching can be configured with or without the Session Recording component. Lieberman Software provides SessionRecording for free when the Application Launcher add-on is purchased. However, the provided session recording only works with applications launched via the Lieberman Software application launcher. The sections describing the installation of these components are broken down as follows: 1) Installing Remote Desktop Services 2) Installing Desktop Experience - only required if using session recording 3) Installing Application Launcher and Session Recording - session recording is optional 4) Setting up Remote Desktop Services for Application Launching 5) Setting up Streaming Media Services - required if using session recording 6) Configuring IIS to Host Recorded Sessions - required if using session recording Sections 1, 2, & 4 all have subsections detailing how to perform the steps on Windows Server 2008 R2 or Windows Server 2012 (R2). Section 3 has additional steps detailing how to install the application launcher and optional session recording across multiple systems. IN THIS CHAPTER 1. Installing Remote Desktop Services Installing Desktop Experience Installing Application Launcher and Session Recording Setting up RDS for Application Launching Setting Up Streaming Media Services Configuring IIS to Host Recorded Sessions... 86

12 Installing Application Launcher and Session Recording with a Bastion Host INSTALLING REMOTE DESKTOP SERVICES The following sub-sections show the installation of Remote Desktop Services on both a Windows Server 2008 R2 and Windows Server 2012 [R2] host. If multiple jump servers will be employed they do not need to all be the same operating system, though they do all need to be Windows Server 2008 R2 or later (2012 R2 recommended). INSTALLING REMOTE DESKTOP SERVICES FOR SERVER 2012 (R2) This section covers installation of the pre-requisites on a Windows Server 2012 and Windows Server 2012 R2 host which will function as a bastion host for the purposes of launching applications. Open Server Manager and select Add Roles and Features. Click Next on the Before You Begin page.

13 Installing Application Launcher and Session Recording with a Bastion Host 13 On the Select installation type page select Remote Desktop Services installation then click Next. On the Select deployment type page, choose a deployment type and click Next.

14 Installing Application Launcher and Session Recording with a Bastion Host 14 The steps present go through a standard deployment where the admin will be required to configure a collection post RDS installation. The Quick Start method will be faster while automatically creation a collection, but it will also add and publish additional applications that are unnecessary and will not provide any configuration options.

15 Installing Application Launcher and Session Recording with a Bastion Host 15 On the Select deployment scenario page, select Session-based desktop deployment, the click Next.

16 Installing Application Launcher and Session Recording with a Bastion Host 16 Click Next on the Role Services page.

17 Installing Application Launcher and Session Recording with a Bastion Host 17 On the Specify RD Connection Broker server page, select the server from the Server Pool field, then add it to the selected computer field by clicking the right arrow head between the two fields.

18 Installing Application Launcher and Session Recording with a Bastion Host 18 Click Next to continue.

19 Installing Application Launcher and Session Recording with a Bastion Host 19 On the Specify RD Web Access server page, select the server from the Server Pool field, then add it to the selected computer field by clicking the right arrow head between the two fields.

20 Installing Application Launcher and Session Recording with a Bastion Host 20 Click Next to continue.

21 Installing Application Launcher and Session Recording with a Bastion Host 21 On the Confirm selections page, click Deploy. Restart the host if required. Upon restart, open Server Manager and click on Remote Desktop Services from the right pane, then click on Collections from the center pane. A new collection must be made to publish the Lieberman Software application used to launch software from the bastion host. At the top right corner, select Tasks and click Creation Session Collection.

22 Installing Application Launcher and Session Recording with a Bastion Host 22 On the Before you begin page, click Next.

23 Installing Application Launcher and Session Recording with a Bastion Host 23 On the Name the collection page, supply a friendly name for the collection and click Next.

24 Installing Application Launcher and Session Recording with a Bastion Host 24 On the Specify RD Session Host server page, select the server from the Server Pool field, then add it to the selected computer field by clicking the right arrow head between the two fields. Then click Next. ERPM will use a proxy account to connect to the bastion host prior to launching the selected application. This account will either need to be added to a group which can RDP to the target bastion host and launch subsequent applications, or should be added directly as a user which can connect to the RD Session host server. Description of this account is covered in the parent section, 1. Installing Remote Desktop Services.

25 Installing Application Launcher and Session Recording with a Bastion Host 25 Click Next to continue.

26 Installing Application Launcher and Session Recording with a Bastion Host 26 On the Specify user profile disks page, click Next.

27 Installing Application Launcher and Session Recording with a Bastion Host 27 On the Confirm selections page, click Create. An empty collection will be created. The installation and configuration of the launcher application will be described later in this document. INSTALLING REMOTE DESKTOP SERVICES FOR SERVER 2008 R2 This section covers installation of Remote Desktop Services on a Windows Server 2008 R2 host as required for bastion host services.

28 Installing Application Launcher and Session Recording with a Bastion Host 28 Start Server Manager and select Add Roles. Click Next on the welcome page and select Remote Desktop Services then click Next.

29 Installing Application Launcher and Session Recording with a Bastion Host 29 Click Next on the Introduction to Remote Desktop Services page.

30 Installing Application Launcher and Session Recording with a Bastion Host 30 On the Select Role Services page, select Remote Desktop Session Host, then click Next.

31 Installing Application Launcher and Session Recording with a Bastion Host 31 Click Next on the Uninstall and Reinstall Applications for Compatibility page.

32 Installing Application Launcher and Session Recording with a Bastion Host 32 On the Specify Authentication Method for Remote Desktop Session Host page, choose the option that best suits your company's needs. The option to Require Network Level Authentication will provide greater security but may only work properly for newer hosts and if all incoming connections are properly verified. The option Do not require Network Level Authentication will provide greater compatibility for all connecting system but may reduce overall security of the bastion host. Click Next to continue.

33 Installing Application Launcher and Session Recording with a Bastion Host 33 On the Specify Licensing Mode page, a remote desktop session license mode must be selected. If RDS client access licenses are not yet available but will be soon, select Configure later. If unsure about what option to choose, select Configure later, and then contact your Microsoft licensing services manager. RDS will function for 120 days without a proper licensing server. If RDS CALs are available, then choose the proper Per Device or Per User model for your organization. ERPM will use a proxy account to connect to the bastion host prior to launching the selected application. This account will either need to be added to a group which can RDP to the target bastion host and launch subsequent applications, or should be added directly as a user which can connect to the RD Session host server. Description of this account is covered in the parent section, 1. Installing Remote Desktop Services.

34 Installing Application Launcher and Session Recording with a Bastion Host 34 Click Next to continue.

35 Installing Application Launcher and Session Recording with a Bastion Host 35 On the Configure Client Experience page, it is recommended to leave all options deselected. Click Next to continue.

36 Installing Application Launcher and Session Recording with a Bastion Host 36 On the Confirm Installation Selections page, examine the installation selections. If everything is correct, click Install. The server will need to reboot after installation The installation and configuration of the launcher application will be described later in this document.

37 Installing Application Launcher and Session Recording with a Bastion Host INSTALLING DESKTOP EXPERIENCE The Desktop Experience will be required if session recording is to be enabled. If the Lieberman Software provided free session recording will not be enabled, Desktop Experience will not be required. Session recording will involve a bastion host to capture the session, and a system to function as a video transcoder. These could be the same machine or separate systems. If they are separate systems, then Desktop Experience will be installed on both systems. More information on this will be provided in later sections. INSTALLING DESKTOP EXPERIENCE FOR SERVER 2012 (R2) If session recording will be configured then the Desktop Experience must be installed. To add the Desktop Experience, open Server Manager and select Add Features. On the Features Page, expand User Interfaces and Infrastructure, and select Desktop Experience.

38 Installing Application Launcher and Session Recording with a Bastion Host 38 If prompted for additional components, click Add Features.

39 Installing Application Launcher and Session Recording with a Bastion Host 39 Add any other requirements that other applications that will be launched from this system may require (such as.net framework 3.51 or 4.x) and click Next.

40 Installing Application Launcher and Session Recording with a Bastion Host 40 Continue through to the end of the wizard. Click Close when done. Installation of the Desktop Experience will require a restart of the host. INSTALLING DESKTOP EXPERIENCE FOR SERVER 2008 R2 If session recording will be configured then the Desktop Experience must be installed. To add the Desktop Experience, open Server Manager and select Add Features.

41 Installing Application Launcher and Session Recording with a Bastion Host 41 On the Features Page, select Desktop Experience.

42 Installing Application Launcher and Session Recording with a Bastion Host 42 If prompted for additional components, click Add Required Features.

43 Installing Application Launcher and Session Recording with a Bastion Host 43 Click Next to continue.

44 Installing Application Launcher and Session Recording with a Bastion Host 44 Once the installation is complete, click Close and restart the server.

45 Installing Application Launcher and Session Recording with a Bastion Host INSTALLING APPLICATION LAUNCHER AND SESSION RECORDING This step includes installation of session recoding options. The particular session recording options may be safely omitted if the Lieberman Software provided free session recording will not be enabled. If the Lieberman Software free session recording will not be installed, then skip the session titled On the Transcoder Host and go straight to the section titled On the Bastion Host. The application launching capability of ERPM is best utilized with a bastion host. A bastion host in the context of ERPM is a Windows Remote Desktop Session Services machine (formerly Terminal Services) that will proxy connection attempts made to specific target systems. The bastion host will have all programs used to connect to target systems installed on it. ERPM will use a proxy account to connect to the bastion host. This account can and should be managed by ERPM, but automated management is not necessary as a static un-stored password may also be used. Session recording for ERPM is a feature that accompanies the application launcher such that remote sessions initiated by ERPM through the bastion host may be recorded. Recorded sessions will be copied from the bastion host to a machine functioning as a video transcoder. Videos will be converted from the raw format to one that may be played back by the machine functioning as a streaming media server. The bastion may function as both recorder and transcoder and streaming media server. However, transcoding of videos requires significant overhead in terms of CPU usage. It is recommended to use the system functioning as ERPM web server to also function as the streaming media server and possibly as the video transcoder. This section outlines the installation of session recording for application launching on two separate machines functioning independently. In sub-section 5, the installation of streaming media services will be detailed for the purposes of streaming the final recorded sessions. 1. ON THE TRANSCODER HOST To begin installing the session recording software on the machine that will function as the video transcoder, open the SupplementalInstallers sub-folder from the ERPM installation directory, typically "%programfiles (x86)\lieberman\roulette". Copy ERPMRemoteLauncherInstaller.exe to the machine that will function as the transcoder and launch the installer.

46 Installing Application Launcher and Session Recording with a Bastion Host 46 Click Next on the welcome page.

47 Installing Application Launcher and Session Recording with a Bastion Host 47 Read and accept the license agreement to continue installation. Then click Next to continue. Enter the full SSL secured URL to ERPM application launcher web service. The web service is a separate installation, typically on the ERPM web server. The application launcher web service is installed is installed with the standard ERPMWebService installer package. The URL is typically Click Test to validate the URL. Any certificate issues must be corrected before installation can properly succeed. If the web page does not appear at all, validate the URL and try again or install the web service. Installation instructions for the web service are included in the administrators guide within the SDK section.

48 Installing Application Launcher and Session Recording with a Bastion Host 48 If the page tests without issue or errors, click Next to continue. For the transcoder host, select to install:

49 Installing Application Launcher and Session Recording with a Bastion Host 49 Microsoft Expression 4 Encoder SP2 Session Recorder and File Watcher Service Select the installation directory. Click Next to continue.

50 Installing Application Launcher and Session Recording with a Bastion Host 50 On the transcoder host, make note of the source and destination directories. This directory will be used in later instructions when setting up the application launcher and streaming media services. This directory will also be shared between the transcoder and bastion hosts if they are on two separate systems. On the transcoder host, set the service identity to run as either Local System or as a Specific User. Local system offers the benefit of already having proper access and no password management requirements. Running as a specific user will offer the path of least privilege but will require configuring NTFS permissions on the Source directory from the previous step for read, write, and delete files (Modify) and will also require a password be managed (which ERPM has the ability to do automatically). Running the File Watcher service as Local System is recommended on the transcoder host.

51 Installing Application Launcher and Session Recording with a Bastion Host 51 Click Next to continue.

52 Installing Application Launcher and Session Recording with a Bastion Host 52 Click Install to continue.

53 Installing Application Launcher and Session Recording with a Bastion Host 53 Click Finish to complete the first part of the installation. After the initial installation is complete, A separate installation for the Microsoft Expressions recorder will be initiated automatically.

54 Installing Application Launcher and Session Recording with a Bastion Host 54 Accept the License agreement for the Microsoft Expressions recorder. Click Next on the Enter product key page. There is no product key to enter.

55 Installing Application Launcher and Session Recording with a Bastion Host 55 Elect to join the Microsoft customer experience or not. Click Next to continue. Select to install Expression Encoder 4 and click Install.

56 Installing Application Launcher and Session Recording with a Bastion Host 56 Click Finish to complete the installation. IMPORTANT NOTES REGARDING THIS INSTALLATION! This installation will take additional actions that are not visible in the installer:

57 Installing Application Launcher and Session Recording with a Bastion Host 57 A [Domain] Local security group will be created called WriteRecordingGroup. If the installation is taking place on a domain controller, the group is created in the Users container. The Domain Admins group will be added to this WriteRecordingGroup. The installer will create and share the following directory: %inetpub%\wwwroot\sessionrecording as SessionRecording. This directory is used to copy compiled session recordings from the bastion to the transcoder host. This scenario would apply if using the FFMPeg video recorder rather than the Expressions recorder. If the transcoder and bastion host is the same system, or if the Expression session recorder is the only used session recorder, this share may be safely deleted. This share directory will be required when configuring the bastion host for app launching with session recording. The installer will create and share the following directory: %programfiles (x86)%\lieberman\roulette\launchapp\transcoders\source as Source. This directory will be used by the bastion hosts to copy raw session recording files to the transcoder host(s). If the transcoder and bastion host is the same system this share can be safely deleted. This scenario would apply if using the Expressions 4 recording software. This share directory will be required when configuring the bastion host for app launching with session recording. Each of the shared directory share permissions will be set to allow the WriteRecordingGroup "Full Control". Minimum permissions required are "Change". 2. ON THE BASTION HOST To begin installing the session recording software on the machine that will function as the video transcoder, open the SupplementalInstallers sub-folder from the ERPM installation directory, typically "%programfiles (x86)\lieberman\roulette". Copy ERPMRemoteLauncherInstaller.exe to the machine that will function as the transcoder and launch the installer.

58 Installing Application Launcher and Session Recording with a Bastion Host 58 Click Next on the welcome page.

59 Installing Application Launcher and Session Recording with a Bastion Host 59 Read and accept the license agreement to continue installation. Then click Next to continue. Enter the full SSL secured URL to ERPM application launcher web service. The web service is a separate installation, typically on the ERPM web server. The application launcher web service is installed is installed with the standard ERPMWebService installer package. The URL is typically Click Test to validate the URL. Any certificate issues must be corrected before installation can properly succeed. If the web page does not appear at all, validate the URL and try again or install the web service. Installation instructions for the web service are included in the administrators guide within the SDK section.

60 Installing Application Launcher and Session Recording with a Bastion Host 60 If the page tests without issue or errors, click Next to continue. For the bastion host, if session recording WILL BE enabled, select to install: Microsoft Expression 4 Encoder SP2 Session Recorder and File Watcher Service Application Launcher If session recording will NOT be enabled, select to install:

61 Installing Application Launcher and Session Recording with a Bastion Host 61 Application Launcher Select the installation directory. Click Next to continue.

62 Installing Application Launcher and Session Recording with a Bastion Host 62 Click Next on the video transcoder paths. On the bastion host, set the service identity to run as a Specific User, Network Service, or Local System. Local system offers the benefit of already having proper access and no password management requirements. If the transcoder is running on a separate system and Local system is used, then the computer account of the bastion host must be granted Modify access to the source directory on the transcoder host. Network service provides for less rights than Local system and offers the benefit of already having proper access and no password management requirements. If the transcoder is running on a separate system and network service is used, then the computer account of the bastion host must be granted Modify access to the source directory on the transcoder host. "NT Authority\Network Service" must also be granted Modify access to the Session Recording directory. Running as a specific user will offer the path of least privilege but will require configuring NTFS permissions on the Source directory from the previous step for read, write, and delete files (Modify) and will also require a password be managed (which ERPM has the ability to do automatically). Running as a specific user is recommended for running the File Watcher service on the bastion host when the transcoder is on a separate system.

63 Installing Application Launcher and Session Recording with a Bastion Host 63 Click Next to continue.

64 Installing Application Launcher and Session Recording with a Bastion Host 64 Click Install to continue.

65 Installing Application Launcher and Session Recording with a Bastion Host 65 Click Finish to complete the first part of the installation. After the initial installation is complete, A separate installation for the Microsoft Expressions recorder will be initiated automatically.

66 Installing Application Launcher and Session Recording with a Bastion Host 66 Accept the License agreement for the Microsoft Expressions recorder. Click Next on the Enter product key page. There is no product key to enter.

67 Installing Application Launcher and Session Recording with a Bastion Host 67 Elect to join the Microsoft customer experience or not. Click Next to continue. Select to install Expression Encoder 4 and click Install.

68 Installing Application Launcher and Session Recording with a Bastion Host 68 Click Finish to complete the installation. This installation will take additional actions that are not visible in the installer:

69 Installing Application Launcher and Session Recording with a Bastion Host 69 A [Domain] Local security group will be created called WriteRecordingGroup. If the installation is taking place on a domain controller, the group is created in the Users container. This group may be safely deleted from the bastion host if it is also functioning as the transcoder host. The Domain Admins group will be added to this WriteRecordingGroup. The installer will create and share the following directory: %inetpub%\wwwroot\sessionrecording as SessionRecording. This directory is used to copy compiled session recordings from the bastion to the transcoder host. This scenario would apply if using the FFMPeg video recorder rather than the Expressions recorder. This share directory will be required when configuring the bastion host for app launching with session recording. If the transcoder and bastion host is the same system this share can be safely deleted. The installer will create and share the following directory: %programfiles (x86)%\lieberman\roulette\launchapp\transcoders\source as Source. This directory will be used by the bastion hosts to copy raw session recording files to the transcoder host(s). This scenario would apply if using the Expressions 4 recording software. This share directory will be required when configuring the bastion host for app launching with session recording. If the transcoder and bastion host is the same system this share can be safely deleted. Each of the shared directory share permissions will be set to allow the WriteRecordingGroup "Full Control". Minimum permissions required are "Change".

70 Installing Application Launcher and Session Recording with a Bastion Host SETTING UP RDS FOR APPLICATION LAUNCHING The section details configuring Remote App on the Remote Session host to launch the Lieberman Software Application Launcher. The application launcher is a boot strapper used to launch and provide authentication information for configured applications. When a user uses the Launch App links in the ERPM web interface, this application will be called which will obtain the necessary credential information for the application to launch, and launch the application from the bastion host. In turn, VDI will display the remote application on the user's workstation as if it were a local application. CONFIGURING REMOTE APP FOR SERVER 2012 (R2) Open Server Manager and click the Remote Desktop Services link on the left pane. Then click on Collections. The select the collection to configure the Lieberman Software Application Launcher for.

71 Installing Application Launcher and Session Recording with a Bastion Host 71 In the REMOTEAPP PROGRAMS area, click Tasks and select Publish RemoteApp Programs. Then click Add on the Publish RemoteApp programs dialog.

72 Installing Application Launcher and Session Recording with a Bastion Host 72 Select LiebsoftLauncher.exe from the application launcher installation location on the bastion host (configured in step 3 previously). The default directory for this file is: C:\Program Files (x86)\lieberman\roulette\launchapp. Then click Next.

73 Installing Application Launcher and Session Recording with a Bastion Host 73 On the Confirmation page, click Publish. Once the LiebsoftLauncher application is published, right-click on it in the RemoteApp Programs list and select Edit Properties.

74 Installing Application Launcher and Session Recording with a Bastion Host 74 On the General tab, set the Show the RemoteApp program in RD Web Access dialog to No. Although everything will work fine if this is not done, there is no need to publicize this application.

75 Installing Application Launcher and Session Recording with a Bastion Host 75 On the Parameters tab, set the Command-line Parameters option to Allow any command-line parameters. The LiebsoftLauncher will differ every single time it is run based on many factors including session IDs, programs being run and parameters included when launching the programs.

76 Installing Application Launcher and Session Recording with a Bastion Host 76 On the User Assignment tab, it is highly recommended to change the User Assignment option to be a specific user or group of users. Specifically, ERPM will connect to the server as a pre-designated account (which should be managed by ERPM). This is the only account that will require access to run the program. This account will be covered later in the Configuring Application Launching section. The account assigned here will require any permissions and rights to launch the desired programs. Click OK when done. CONFIGURING REMOTE APP FOR SERVER 2008 R2 Open Server Manager and expand the Remote Desktop Services RemoteApp Manager nodes in the left pane.

77 Installing Application Launcher and Session Recording with a Bastion Host 77 In the RemoteApp Programs area, right-click and select Add RemoteApp Programs. Click Next on the Welcome page then click Browse on the Choose programs to add to the RemoteApp Programs list page.

78 Installing Application Launcher and Session Recording with a Bastion Host 78 Select LiebsoftLauncher.exe from the application launcher installation location on the bastion host (configured in step 3 previously). The default directory for this file is: C:\Program Files (x86)\lieberman\roulette\launchapp. Then click Next.

79 Installing Application Launcher and Session Recording with a Bastion Host 79 On the Review Settings page, click Finish. Once the LiebsoftLauncher application is added, right-click on it in the RemoteApp Programs list and select Properties. CAUTION! DO NOT CHANGE THE ALIAS value. De-select the check box for RemoteApp program in RD Web Access. Although everything will work fine if this is not done, there is no need to publicize this application.

80 Installing Application Launcher and Session Recording with a Bastion Host 80 Set the Command-line arguments option to Allow any command-line parameters. The LiebsoftLauncher will differ every single time it is run based on many factors including session IDs, programs being run and parameters included when launching the programs.

81 Installing Application Launcher and Session Recording with a Bastion Host 81 On the User Assignment tab, it is highly recommended to change the User Assignment option to be a specific user or group of users. Specifically, ERPM will connect to the server as a pre-designated account (which should be managed by ERPM). This is the only account that will require access to run the program. This account will be covered later in the Configuring Application Launching section. The account assigned here will require any permissions and rights to launch the desired programs. Click OK when done. 5. SETTING UP STREAMING MEDIA SERVICES Streaming Media Services is used to provide smooth streaming of the recorded sessions from the transcoder host (typically the ERPM web server) to the client's browser and video player.

82 Installing Application Launcher and Session Recording with a Bastion Host 82 Installation of this component is only required if session recording will be used. If not using the Lieberman Software free session recording module, installation of this component is not required. To begin installing the streaming media software on the machine that will function as the video transcoder, open the SupplementalInstallers sub-folder from the ERPM installation directory, typically "%programfiles (x86)\lieberman\roulette". Copy IISMEdia64.msi to the machine that will function as the transcoder and launch the installer. The installation of IIS Media services requires a basic stock installation of IIS be available on the same host server. Click Next on the welcome page.

83 Installing Application Launcher and Session Recording with a Bastion Host 83 Read and accept the terms of the license agreement, then click Next.

84 Installing Application Launcher and Session Recording with a Bastion Host 84 Leave the default options selected then click Next.

85 Installing Application Launcher and Session Recording with a Bastion Host 85 Click Install.

86 Installing Application Launcher and Session Recording with a Bastion Host 86 Click Finish. 6. CONFIGURING IIS TO HOST RECORDED SESSIONS This step is only required if session recording has been enabled. If session recording is not enabled, then do not perform this step. This will likely be configured on the same system where Streaming Media Services was installed. When an application is launched via a bastion host / jump server and that application is configured to also record the session, the recorded sessions will first be placed into a pre-configured directory on the machine which will ultimately host the videos for later playback. When using the Microsoft Expressions session recorder, the files will first be copied locally to the file system. The Lieberman Software File Watcher Service will then move the raw files to a share called "Source" on a machine that is configured as the video transcoder (typically the ERPM web server, but could be any machine). Once the raw XESC files are copied to the transcoder, the Lieberman Software File Watcher service on that machine will transcode the videos to WMV format and move the compiled files into the "SessionRecording" share on the same system. It is this directory that will be hosted in IIS and made available via the ERPM website.

87 Installing Application Launcher and Session Recording with a Bastion Host 87 To configure IIS on the machine which will host the compiled videos, not much work is required as the application launcher installer will have configured most of the required elements: The default website will have a new virtual directory added to it called SessionRecording. This directory will point to %inetpub%\wwwroot\sessionrecording. The only change that may need to be made is to set the authentication scheme to anonymous. To do this, open IIS, expend the default website, and open the Authentication area. Right click on the authentication types and enable Anonymous Authentication and disable all others.

88

89 89 CONFIGURING APPLICATION LAUNCHING Once the pre-requisites are installed for application launching, there are four mandatory additional steps and two optional steps to setting up ERPM to use the application launcher and the session recorder: 1) Configure an account for login to the bastion host. 2) Configure ERPM web settings with information about the web launcher service. 3) Configure a bastion host object in ERPM. 4) Optionally configure a session recording host object in ERPM. 5) Configure applications for launching and grant permissions to those applications as necessary. 6) Optionally configure the ERPM website to playback recorded sessions. The following sub-sections will outline these steps. IN THIS CHAPTER Configuring a Bastion Host Login Account Configure ERPM Web Settings Configure a Bastion Host Object Configure a Session Recording Host Object Configure ERPM Website for Session Playback Configure Applications for Launching CONFIGURING A BASTION HOST LOGIN ACCOUNT ERPM will use a standard login account to login to the target bastion host and launch the LiebsoftLauncher application which will in turn launch the target application. The LiebsoftLauncher in turn connects to a web service (WebLauncherBackendService.svc) to obtain the necessary program settings and credentials from ERPM. The logon account should have its password managed regularly by ERPM. Regularly should be often such as daily or weekly. Setting the rotation schedule to hourly could possibly invalidate the logon account's session. The account can be a local account but if possible, a domain account is recommended. This account will need any rights necessary to launch the final target application; it does not necessarily need local or domain admin privileged. It will need the ability to remotely log on to the target bastion host. That means if the account is not an administrator, it must be added to the Remote Desktop Users group on the bastion host.

90 Configuring Application Launching 90 If it is desired (as it is recommended) to have ERPM manage the password for the account, simply follow the basic procedures for a password change in ERPM (as per the administrative guide). There is no requirements for password propagation so password propagation can be safely turned off for the password change job. It is recommended to keep the password length to 80 characters or less as some versions of Windows will not allow long passwords to be used via RDP. This user account upon login will first launch the LiebsoftLauncher. Be sure in the RemoteApp settings that at a minimum this account or a group it belongs to was granted the permissions to launch the LiebsoftLauncher application. RemoteApp is generally found in Server Manager under the Roles Remote Desktop Services heading. This account can be heavily locked down as it generally doesn't need access to anything other than the application being locked. Caution! When launching an application, this account will be able to do anything that the target application lets them do. If this account comes from Active Directory, it is recommended to place this account into an organizational unit (OU) by itself or with other similarly locked down accounts. On this OU, create a policy and modify the User Settings portion of the policy to lock down this logon account. There is no need to place the bastion hosts in this OU as the policies that lockdown the user experience are user based, not system based. Following are some of the settings recommended to lock down the session. All policies should be tested to ensure they do not interfere with the required operation of a target application: User Configuration Policies Windows Settings Security Settings Software Restriction Policies Policy Setting Enforcement Apply Software Restriction Policies to the following Apply Software Restriction Policies to the following users When applying Software Restriction Policies All software files except libraries (such as DLLs) All users Ignore certificate rules Trusted Publishers

91 Configuring Application Launching 91 Trusted publisher management Certificate verification Allow all administrators and users to manage user's own Trusted Publishers None Software Restriction Policies/Security Levels Default Security Level Disallowed Software Restriction Policies/Additional Rules >> Path Rules %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% Security Level = Unrestricted %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% Security Level = Unrestricted C:\Program Files (x86)\lieberman\roulette\remoteapplauncher\liebsoftlauncher.exe Security Level = Unrestricted User Configuration Policies Administrative Templates Control Panel Prohibit access to Control Panel and PC settings Control Panel/Display Disable the Display Control Panel

92 Configuring Application Launching 92 Control Panel/Printers Browse a common web site to find printers Browse the network to find printers Prevent addition of printers Prevent deletion of printers Disabled Disabled Control Panel/Programs Hide "Get Programs" page Hide "Installed Updates" page Hide "Programs and Features" page Hide "Set Program Access and Computer Defaults" page Hide "Windows Features" Hide the Programs Control Panel Control Panel/Regional and Language Options Hide Regional and Language Options administrative options Hide the geographic location option Hide the select language group options Hide user locale selection and customization options Desktop

93 Configuring Application Launching 93 Don't save settings at exit Hide and disable all items on the desktop Hide Internet Explorer icon on desktop Hide Network Locations icon on desktop Prevent adding, dragging, dropping and closing the Taskbar's toolbars Prohibit adjusting desktop toolbars Prohibit User from manually redirecting Profile Folders Remove Computer icon on the desktop Remove Properties from the Computer icon context menu Remove Properties from the Recycle Bin context menu Remove Recycle Bin icon from desktop Turn off Aero Shake window minimizing mouse gesture Network/Network Connections Ability to change properties of an all user remote access connection Prohibit access to properties of a LAN connection Prohibit access to the Remote Access Preferences item on the Advanced menu Prohibit changing properties of a private remote access connection Prohibit connecting and disconnecting a remote access connection Prohibit renaming private remote access connections Disabled

94 Configuring Application Launching 94 Network/Offline Files Remove "Make Available Offline" command Remove "Work offline" command Network/Windows Connect Now Prohibit access of the Windows Connect Now wizards Start Menu and Taskbar Add Search Internet link to Start Menu Add the Run command to the Start Menu Clear history of recently opened documents on exit Clear history of tile notifications on exit Clear the recent programs list for new users Do not allow pinning items in Jump Lists Do not allow pinning programs to the Taskbar Do not display any custom toolbars in the taskbar Do not display or track items in Jump Lists from remote locations Do not keep history of recently opened documents Do not search communications Do not search for files Do not search Internet Disabled Disabled

95 Configuring Application Launching 95 Do not search programs and Control Panel items Do not use the search-based method when resolving shell shortcuts Do not use the tracking-based method when resolving shell shortcuts Hide the notification area Lock all taskbar settings Lock the Taskbar Prevent changes to Taskbar and Start Menu Settings Prevent users from adding or removing toolbars Prevent users from moving taskbar to another screen dock location Prevent users from rearranging toolbars Prevent users from uninstalling applications from Start Remove access to the context menus for the taskbar Remove All Programs list from the Start menu Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands Remove Clock from the system notification area Remove common program groups from Start Menu Remove Default Programs link from the Start menu. Remove Documents icon from Start Menu Remove Downloads link from Start Menu Remove drag-and-drop and context menus on the Start Menu Remove Favorites menu from Start Menu

96 Configuring Application Launching 96 Remove frequent programs list from the Start Menu Remove Games link from Start Menu Remove Help menu from Start Menu Remove Homegroup link from Start Menu Remove links and access to Windows Update Remove Logoff on the Start Menu Remove Music icon from Start Menu Remove Network Connections from Start Menu Remove Network icon from Start Menu Remove Pictures icon from Start Menu Remove pinned programs from the Taskbar Remove pinned programs list from the Start Menu Remove programs on Settings menu Remove Recent Items menu from Start Menu Remove Recorded TV link from Start Menu Remove Run menu from Start Menu Remove See More Results / Search Everywhere link Remove the Action Center icon Remove the battery meter Remove the networking icon Remove the volume control icon Disabled

97 Configuring Application Launching 97 Remove user folder link from Start Menu Remove user's folders from the Start Menu Remove Videos link from Start Menu Show "Run as different user" command on Start Turn off all balloon notifications Turn off automatic promotion of notification icons to the taskbar Turn off feature advertisement balloon notifications Turn off notification area cleanup Turn off user tracking Disabled Start Menu and Taskbar/Notifications Turn off notifications network usage System/Ctrl+Alt+Del Options Remove Change Password Remove Task Manager System/Internet Communication Management/Internet Communication settings Turn off access to the Store Turn off downloading of print drivers over HTTP Turn off handwriting recognition error reporting

98 Configuring Application Launching 98 Turn off Help Experience Improvement Program Turn off Help Ratings Turn off Internet download for Web publishing and online ordering wizards Turn off Internet File Association service Turn off printing over HTTP Turn off the "Order Prints" picture task Turn off the "Publish to Web" task for files and folders Turn off the Windows Messenger Customer Experience Improvement Program Turn off Windows Online System/Removable Storage Access All Removable Storage classes: Deny all access CD and DVD: Deny read access CD and DVD: Deny write access Floppy Drives: Deny read access Floppy Drives: Deny write access Removable Disks: Deny read access Removable Disks: Deny write access Tape Drives: Deny read access Tape Drives: Deny write access WPD Devices: Deny read access

99 Configuring Application Launching 99 WPD Devices: Deny write access System/Windows HotStart Turn off Windows HotStart Windows Components/Add features to Windows 8 Prevent the wizard from running. Windows Components/App runtime Block launching desktop apps associated with a file. Block launching desktop apps associated with a protocol Windows Components/Application Compatibility Turn off Program Compatibility Assistant Windows Components/Attachment Manager Hide mechanisms to remove zone information Windows Components/AutoPlay Policies Disallow Autoplay for non-volume devices Prevent AutoPlay from remembering user choices.

100 Configuring Application Launching 100 Set the default behavior for AutoRun Default AutoRun Behavior Do not execute any autorun commands Turn off Autoplay Turn off Autoplay on All drives Windows Components/Credential User Interface Do not display the password reveal button Windows Components/Desktop Gadgets Restrict unpacking and installation of gadgets that are not digitally signed. Turn off desktop gadgets Turn Off user-installed desktop gadgets Windows Components/Digital Locker Do not allow Digital Locker to run Windows Components/Edge UI Turn off switching between recent apps Turn off tracking of app usage Windows Components/File Explorer

101 Configuring Application Launching 101 Display confirmation dialog when deleting files Display the menu bar in File Explorer Do not allow Folder Options to be opened from the Options button on the View tab of the ribbon Do not display the Welcome Center at user logon Do not request alternate credentials Hide these specified drives in My Computer Restrict all drives Hides the Manage item on the File Explorer context menu No Entire Network in Network Locations Prevent access to drives from My Computer Restrict all drives Prevent users from adding files to the root of their Users Files folder. Remove "Map Network Drive" and "Disconnect Network Drive" Remove CD Burning features Remove File Explorer's default context menu Remove File menu from File Explorer Remove Hardware tab Remove Security tab Remove the Search the Internet "Search again" link Turn off display of recent search entries in the File Explorer search box Turn off Windows+X hotkeys

102 Configuring Application Launching 102 Windows Components/File Explorer/Common Open File Dialog Hide the common dialog back button Hide the common dialog places bar Hide the dropdown list of recent files Windows Components/File Explorer/Explorer Frame Pane Turn off Preview Pane Turn on or off details pane Configure details pane Always hide Windows Components/File Explorer/Previous Versions Prevent restoring previous versions from backups Windows Components/IME Turn off history-based predictive input Turn off Internet search integration Windows Components/Internet Explorer Automatically activate newly installed add-ons Configure Media Explorer Bar Disabled

103 Configuring Application Launching 103 Disable the Media Explorer Bar and auto-play feature Auto-Play Media files in the Media bar when Disable AutoComplete for forms Disable changing accessibility settings Disable changing Advanced page settings Disable changing Automatic Configuration settings Disable changing Calendar and Contact settings Disable changing certificate settings Disable changing connection settings Disable changing home page settings Home Page Disable changing language settings Disable changing Messaging settings Disable changing ratings settings Disable changing Temporary Internet files settings Disable Import/Export Settings wizard Disable Internet Connection wizard Do not allow users to enable or disable add-ons Identity Manager: Prevent user from using Identities Notify users if Internet Explorer is not the default web browser Pop-up allow list Disabled Define a home page if necessary Disabled

104 Configuring Application Launching 104 Enter the list of sites here. Prevent "Fix settings" functionality Prevent access to Internet Explorer Help Prevent bypassing SmartScreen Filter warnings Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet Prevent changing pop-up filter level Prevent changing proxy settings Prevent changing the default search provider Prevent configuration of how windows open Select where to open links Prevent Internet Explorer Search box from appearing Prevent managing pop-up exception list Prevent managing SmartScreen Filter Select SmartScreen Filter mode Prevent participation in the Customer Experience Improvement Program Prevent per-user installation of ActiveX controls Prevent running First Run wizard Select your choice Define allowed sites list if applicable such as *.microsoft.com Open in existing Internet Explorer window On Go directly to home page

105 Configuring Application Launching 105 Search: Disable Find Files via F3 within the browser Search: Disable Search Customization Specify default behavior for a new tab New tab behavior Turn off ability to pin sites in Internet Explorer on the desktop Turn off add-on performance notifications Turn off browser geolocation Turn off configuration of pop-up windows in tabbed browsing Select tabbed browsing pop-up behavior Turn off Crash Detection Turn off Favorites bar Turn off Managing SmartScreen Filter for Internet Explorer 8 Select SmartScreen Filter mode for Internet Explorer 8 Turn off pop-up management Turn off Quick Tabs functionality Turn off Reopen Last Browsing Session Turn off suggestions for all user-installed providers Turn off tabbed browsing Turn off the auto-complete feature for web addresses Turn off the quick pick menu Turn on Suggested Sites Home page Force pop-ups to open in a new tab On Disabled

106 Configuring Application Launching 106 Turn on the auto-complete feature for user names and passwords on forms Disabled Windows Components/Internet Explorer/Accelerators Turn off Accelerators Windows Components/Internet Explorer/Browser menus Disable Open in New Window menu option Disable Save this program to disk option File menu: Disable closing the browser and Explorer windows File menu: Disable New menu option File menu: Disable Open menu option File menu: Disable Save As Web Page Complete File menu: Disable Save As... menu option Help menu: Remove 'Send Feedback' menu option Help menu: Remove 'Tour' menu option Hide Favorites menu Tools menu: Disable Internet Options... menu option Turn off Print Menu Turn off Shortcut Menu View menu: Disable Full Screen menu option View menu: Disable Source menu option

107 Configuring Application Launching 107 Windows Components/Internet Explorer/Delete Browsing History Disable "Configuring History" Days to keep pages in History 1 Windows Components/Internet Explorer/Internet Control Panel Disable the Advanced page Disable the Connections page Disable the Content page Disable the General page Disable the Privacy page Disable the Programs page Disable the Security page Windows Components/Internet Explorer/Internet Control Panel/Advanced Page Allow active content from CDs to run on user machines Allow software to run or install even if the signature is invalid Do not allow resetting Internet Explorer settings Empty Temporary Internet Files folder when browser is closed Disabled Disabled Windows Components/Internet Explorer/Internet Control Panel/General Page

108 Configuring Application Launching 108 Start Internet Explorer with tabs from last browsing session Disabled Windows Components/Internet Explorer/Internet Control Panel/General Page/Browsing History Allow websites to store application caches on client computers Disabled Windows Components/Internet Explorer/Internet Settings/Advanced settings/browsing Turn off details in messages about Internet connection problems Turn on script debugging Disabled Windows Components/Internet Explorer/Internet Settings/Advanced settings/multimedia Allow Internet Explorer to play media files that use alternative codecs Disabled Windows Components/Internet Explorer/Internet Settings/Advanced settings/searching Prevent configuration of search on Address bar When searching from the address bar Prevent configuration of top-result search on Address bar When searching from the Address bar Do not search from the address bar Disable top result search Windows Components/Internet Explorer/Internet Settings/Advanced settings/signup Settings

109 Configuring Application Launching 109 Turn on automatic signup Disabled Windows Components/Internet Explorer/Internet Settings/AutoComplete Turn off URL Suggestions Turn off Windows Search AutoComplete Turn on inline AutoComplete Disabled Windows Components/Internet Explorer/Security Features/Restrict File Download All Processes Internet Explorer Processes Windows Components/Internet Explorer/Toolbars Configure Toolbar Buttons Show Back button Show Forward button Show Stop button Show Refresh button Show Home button Show Search button Show Favorites button Show History button Disabled Disabled Disabled

110 Configuring Application Launching 110 Show Folders button Show Fullscreen button Show Tools button Show Mail button Show Font size button Show Print button Show Edit button Show Discussions button Show Cut button Show Copy button Show Paste button Show Encoding button Disable customizing browser toolbar buttons Disable customizing browser toolbars Display tabs on a separate row Hide the Command bar Hide the status bar Lock all toolbars Lock location of Stop and Refresh buttons Turn off Developer Tools Turn off toolbar upgrade tool Disabled Disabled Disabled Disabled Disabled Disabled Disabled Disabled Disabled Disabled Disabled Disabled

111 Configuring Application Launching 111 Windows Components/Location and Sensors Turn off location Windows Components/Microsoft Management Console Restrict the user from entering author mode Windows Components/Network Sharing Prevent users from sharing files within their profile. Windows Components/Presentation Settings Turn off Windows presentation settings Windows Components/Sound Recorder Do not allow Sound Recorder to run Windows Components/Tablet PC/Accessories Do not allow printing to Journal Note Writer Do not allow Snipping Tool to run Do not allow Windows Journal to be run

112 Configuring Application Launching 112 Windows Components/Tablet PC/Hardware Buttons Prevent Back-ESC mapping Prevent launch an application Prevent press and hold Turn off hardware buttons Windows Components/Windows Error Reporting Disable Windows Error Reporting Windows Components/Windows Installer Prevent removable media source for any installation Prohibit rollback Windows Components/Windows Logon Options Set action to take when logon hours expire Set action to take when logon hours expire Logoff Windows Components/Windows Mail Turn off the communities features Turn off Windows Mail application

113 Configuring Application Launching 113 Windows Components/Windows Media Center Do not allow Windows Media Center to run Windows Components/Windows Media Player Prevent CD and DVD Media Information Retrieval Prevent Music File Media Information Retrieval Windows Components/Windows Media Player/Networking Hide Network Tab Windows Components/Windows Media Player/Playback Prevent Codec Download Windows Components/Windows Messenger Do not allow Windows Messenger to be run Do not automatically start Windows Messenger initially Windows Components/Windows Mobility Center Turn off Windows Mobility Center Windows Components/Windows Update

114 Configuring Application Launching 114 Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box CONFIGURE ERPM WEB SETTINGS To configure the web launcher settings for the ERPM website(s), in the admin console, go to Settings Manage Web Application Application Launch. The Global tab identifies the ERPM web service and other related settings that will be used when launching applications. The Web service URL is the URL of the application launcher web service. When the web service is installed (typically on the ERPM web server), [typically] a web service is installed at [site]/erpmwebservice. The web service is called WebLauncherBackendService.svc. This full URL should be entered in the Web service URL field including the protocol and port if applicable. IMPORTANT! There should be no certificate or access errors when accessing this URL in a browser. It should be tested as any user that will be accessing the web server. The best test is to login to the bastion host as the bastion host login account configured int he previous section and attempt to access this URL. If the account is prompted for credentials or certificate errors the application launcher will fail. The typical URL is Enable launching applications using stored passwords in the web application is required to enable remote launching. If this option is not selected, then the Launch Application option will be unavailable in the website. Use thick terminal services client when connecting through RDP is an optional setting to use the application launcher to launch the Window's client's local fat client for RDP connectivity. If this option is not selected then ERPM will only be able to use the ActiveX control for launching RDP sessions. While this may work fine for the majority of RDP connections, if the target system uses NLA (Network Level Authentication) then the connection will fail. If the target system uses NLA, then this option must be selected. Enable launching applications on a remote server will enable the configured applications to launch via a bastion host rather than launching only locally on the client. When the option is enabled and an

115 Configuring Application Launching 115 application is configured to use a bastion host, the applications can instead launch from the bastion host and will use RemoteApp to display the program's UI to the users desktop as if it were a native application. [Script Launch] Path to script files on client systems is the path that the script automation files will be copied to (manual copy). This path is used when local launch (rather than via bastion host) will be used to launch web based applications such as Twitter, FaceBook, or other web based programs. If local launching of these sorts of applications will not be launched directly from a client's machine (rather than via bastion host) it will not be necessary to configure this path. The default location these scripts are found are at C:\Program Files (x86)\lieberman\roulette\launchapp\webautomation.

116 Configuring Application Launching 116 CONFIGURE A BASTION HOST OBJECT To configure the web launcher settings for the ERPM website(s), in the admin console, go to Settings Manage Web Application Application Launch. The Remote Servers tab identifies the available bastion hosts and other related settings that will be used for launching applications. The option Enable launching applications on a remote server must also be selected on the Global tab to make use of these servers. To add a new server, click the Add button in the lower right area of the dialog. The following fields are mandatory:

117 Configuring Application Launching 117 Server configuration identifier - the friendly name of the server as it will appear in the application launcher configuration. Remote server system name - the actual name of the bastion host. This should be the name (FQDN or simple or IP) as can be reach from the client systems that will be initiating the session. Use RemoteApp to launch the liebsoft launcher on the server - this option must be selected to remotely launch applications from the bastion host using RemoteApp as available in 2008 R2 and newer. Login credential system name - this value must be populated. If ERPM will be using stored (managed) credentials to log into the bastion host, this is the name of the system/server as it appears in ERPM from which to draw the credentials from. It is recommended to use a domain credential for this purpose; see the section for configuring a bastion host login account. Login credential account name - this is the name of the account that will be used to login to the bastion host. It is recommended to use a domain credential for this purpose; see the section for configuring a bastion host login account. Login credential domain name - the domain to which the account belongs. If this is a local account (not recommended) then this should be the simple (NetBIOS) name of the bastion host. Load saved password for connection from password store - select this option to pull the managed password from the ERPM password store. If it is desired to use a hard coded password instead, then supply the actual password in the remote server logon password field. [Script Launch] Path to script files on client systems is the path that the script automation files will be copied to during installation of the AppLauncher. This path is used when launching web based applications such as Twitter, FaceBook, or other web based programs. The default location these scripts are found are at C:\Program Files (x86)\lieberman\roulette\launchapp\webautomation.

118 Configuring Application Launching 118

119 Configuring Application Launching 119 Once the entries are validated, click OK to add the bastion host object. If the option to Load saved password for connection from password store is selected and a stored password for the target account does not exist, a warning indicating such will appear to the user otherwise the dialog will close without incident. Any of these settings can be changed at any time without having to make any changes to IIS or performing IISReset or other administrative actions. CONFIGURE A SESSION RECORDING HOST OBJECT To configure the web launcher settings for the ERPM website(s), in the admin console, go to Settings Manage Web Application Application Launch. The Session Recorders tab identifies configured session recording servers. There will typically be a one to one relationship with the servers configured on the Remote Servers tab.

120 Configuring Application Launching 120 Session recording only works for applications launched via the LiebsoftLauncher application. That means any users which retrieve passwords will and connect directly will not have their sessions recorded when using this session recording technology. The session recording system consists of two components specific to the session recording: session recording and video transcoding. When a session is recorded on a bastion host that is done by the session recorder. These files are created in a raw format and placed into the configured source directory. The Lieberman file watcher server picks up the raw files and moves them to the working directory where they are formatted and converted and watermarked. Completed files are then moved to the SessionRecording directory. Typically it is recommended to have the transcoder NOT be the same system as the bastion host/session recorder due to resource constraints (CPU specifically). To add a new server, click the Add button in the lower right area of the dialog. The following fields are mandatory:

121 Configuring Application Launching 121 Configuration label - the friendly name of the server as it will appear in the application launcher configuration. Basic configuration - use this option if the session recording host will perform both recording and transcoding duties. Recorder options include Expressions 4, VLC, and Windows Problem Steps Recorder. It is recommended to choose the Expressions 4 recorder option. The output path will default a default local path if this option is selected. Advanced configuration - use this option if it is desired to put recordings in a custom location or if video transcoding will occur on a separate host (typical). It is not recommended to change the Assembly path or Type in Assembly values. Abort application launch if session recording fails - with this option selected, if session recording fails to initialize, the remote session will be logged off and no remote app launch will occur. Output path - if using the bastion host for both session recording and video transcoding and it is desired to place the recordings to an alternate location, specify the path here. If transcoding is occurring on a separate host, then this should be a network UNC path (\\server\source) to the Source share on the transcoder host. File name template - the default value is SessionRecording-$(SessionID). In this scenario SessionRecording- is the filename prefix and $(SessionID) is a variable for the session ID of the remote app launch session. If the names of the recordings should be changed, this is acceptable but to not remote the $(SessionID) value from the name. There should also be no extension listed for the file name.

122 Configuring Application Launching 122

123 Configuring Application Launching 123 Once the entries are validated, click OK to add the session recorder host object. Any of these settings can be changed at any time without having to make any changes to IIS or performing IISReset or other administrative actions. CONFIGURE ERPM WEBSITE FOR SESSION PLAYBACK In order to playback recorded sessions, ERPM will need to know the location of the machine with the completed session recordings. From the previous sections, this will most likely be the video transcoder host, which is also most likely the ERPM web server. For reference session recording consists of two pieces: recorder and transcoder. The recorder is typically the bastion host while the transcoder is recommended to be another machine (due to CPU and RAM constraints). The transcoder host is typically the ERPM web server and will convert the raw video from the session recorder to playable video. These videos will be played back via streaming media services through the ERPM website.

124 Configuring Application Launching 124 The flow for session recording is as follows: 1) Application is launched on a bastion host and session recording is initiated. 2) After the session exits, the file will be copied to the source directory on the transcoder host. 3) Raw video will be converted and placed into the SessionRecording directory on that host. 4) IIS and Media Server will stream the videos to requesting authorized users. The machine performing the video transcoding will have configured IIS with a virtual directory under the default root website called SessionRecording. It is this URL that will be provided to the ERPM website configuration. The SessionRecording URL may be presented with or without SSL but should be configured to use anonymous authentication. To configure ERPM with the SessionRecording URL open the admin console, and click on the Manage Web App button on the left action pane. Go to the Options Configure default web application options menu. On the User/Session Management tab, enter the URL for the transcoder/media server where the videos are hosted from in the Session playback URL field. If using HTTPS, be sure to enter the valid name of the server that matches the assigned name on the certificate to avoid certificate errors. A typical URL will be similar to Be aware that the system is expecting a trailing forward slash at the end of the URL.

125 Configuring Application Launching 125 Click OK once the URL is entered.

126 Configuring Application Launching 126 If updating an existing website with this new information, right-click on the website instance and select Replace instance options with default web application options. There is no need to restart any servers or components after making this change. Once the URL is added and once any sessions have been recorded, users with access to the auditing section of the ERPM website will be able to playback any recorded sessions that exist. Such recored sessions will be visible in the ERPM auditing section with a camera icon next to their audit entry.

127 Configuring Application Launching 127 Simply click on the camera icon to playback the recorded sessions.

128 Configuring Application Launching 128 CONFIGURE APPLICATIONS FOR LAUNCHING To configure the web launcher settings for the ERPM website(s), in the admin console, go to Settings Manage Web Application Application Launch. The Applications tab identifies the applications which can be made available to launch from the ERPM website and other related settings that will be used when launching these applications. Once an application is added, it must be properly configured before it may be launched. Lieberman Software ships a number of pre-configured application objects available. Most will still require additional configurations before they could be used for launching the specified target application. To add the pre-defined applications, click the Add Defaults button in the lower left area of the dialog. Add new applications by clicking the Add button. Duplicate or edit existing explications by using the Copy or Edit buttons respectively. When editing a dialog, there are many elements to fill out. The required elements for a basic application configuration to be valid are:

129 Configuring Application Launching 129 Remote application label - this is the friendly name of the application as it will appear in the ERPM website. Remote launch type - select from the available launch types: LAUNCH APPLICATION WITH COMMAND LINE PARAMETERS - use this for any application which can be launched with command line options such as SQL Management Studio, PuTTy, VMware vcenter, etc. OPEN WEB APPLICATION WITH FORM POST - use this for websites which only require a basic form post and does not make use of JSON, YAML or other technologies for passing the user name and password information. LAUNCH TERMINAL SERVICES CLIENT - use this for launching the Microsoft Terminal Services client. LAUNCH APP THROUGH.NET ASSEMBLY - used when an external.net assembly will be used to perform the connection and credential passing. LAUNCH APP THROUGH SCRIPT AUTOMATION - this is most frequently used for launching MMCs, websites which does not pass user name and password information basic form post (see most web examples in the default list), fat clients which do not make use of command line parameters, etc. Configure Allowable Types - this defines for which account types the application will be available. At least one account type must be selected. This is what specifically makes an application available to Windows but not Linux or MS SQL but not Oracle. The above elements are the basic, always required elements. Keep reading to find out more about the other elements.

130 Configuring Application Launching 130 To set a custom icon for the application, locate the physical ERPM website installation files. Typically, this will be at %inetpub%\wwwroot\pwcweb. All file paths defined for the icons will be relative to this path. It is recommended to create a custom folder (example "CompanyIcons") and add your icons to this folder so they will persist through website upgrades. Then for the icon path, simply add the FolderName\IconName.gif. All GIF files should be 32x32 pixels. Run on the jump server - use this option to launch the target application from a bastion host/jump server (configured previously). If this option is not selected then the application will attempt to launch locally on the user's local workstation. If this option is selected, then the application will be launched on the jump server. The application must be installed on the jump server at that time. This is a per-application setting. Enable session recording - if a session recording host is configured, this option will be available. When configured, the launching of this application on a jump server will record just this application being run. This is a per-application setting. Always use the specified account when starting this application - when this option is NOT selected (default), the application will be made available for the selected account type(s) (Configure Allowable Account Types). That means potentially any account could be used to launch this application. If the option is enabled, ERPM will pull a predefined credential from the account store and always use that account to launch the application. Also, the application will not be available in the Launch App section of the ERPM website, rather, it will be made available in the Applications section of the website for the users that have permission to launch the application. The Launch App section is accessible when viewing specific managed passwords. Applications is always available regardless of managed passwords. Depending on the selected Remote launch type, additional parameters will be required. The following text outlines what these other parameters are. Launch application with command line parameters APPLICATION - mandatory - The application name is simply the name of the executable without the path. COMMAND LINE - mandatory - Command line is the parameters to launch the executable with. APPLICATION LOCATION - optional - An application location must also be defined but can either be a full physical path in the application location field or be setup to search for and even to download a ready to run executable from a predefined network path (At launch download file from path). A physical path MUST be defined when launching the application from a jump server. If a physical path is not defined in the application location field, then the option to Search for application on local system should be enabled. Sub-options for application search include searching for the application on the system root or program files directories. In addition, subsequent include and exclude directories may be defined. Multiple values should be segregated by a semi-colon. There

131 Configuring Application Launching 131 is no variable replacement such as %systemroot% or %inetpub% so full physical locations must be used. ONLY RUN SIGNED EXECUTABLES - optional - will ensure the program has a digital signature on it. If the option is enabled, an additional verification can be configured to validate specific fields of the digital signature such as the certificate serial number, certificate issuer or other signing bits. ONLY RUN EXECUTABLES WITH EXPECTED HASHES - optional - allows the admin to define hashes of a target application. This is useful to ensure that someone did not rename a malicious executable or that only a specific patched version runs. Multiple hashes can be calculated and defined from this dialog. APPLICATION USES STORED PRIVATE KEY - optional - this option allows programs which can use certificates (such as SSH clients) to define which certificate to use when connecting. These certificates must have been pre-imported and assigned via the administrative console from Settings User Keys Import Keys. APPLICATION USES GATEWAY SERVER - optional - if an SSH proxy/gateway is defined (Admin console at Settings Manage Web Application Remote Gateway Servers) this option will be available. This option is useful when a client must first connect to an SSH proxy first before connecting to the final SSH target. This process will make use of plink.exe. The plink.exe download location must also be specified with the path on the jump server where the plink.exe executable resides. Plink.exe is installed the launch app folder on the bastion host if the PuTTy files are also installed when installing the application launcher. Plink.exe can also be downloaded from Open web application with form post - use this for websites which only require a basic form post and does not make use of JSON, YAML or other technologies for passing the user name and password information. WEB PAGE - mandatory - the name of the login page including protocol such as NAME-VALUE PAIR - mandatory - the variables for the user name and password. Launch terminal services client - use this for launching the Microsoft Terminal Services client. There are no additional requirements to setup this launch type. Launch app through.net assembly - used when an external.net assembly will be used to perform the connection and credential passing. ASSEMBLY PATH - mandatory - the full physical file patch to the.net assembly. TYPE NAME - mandatory - the name of the.net interface. Launch app through script automation - this is most frequently used for launching MMCs, websites which does not pass user name and password information basic form post (see most web examples in the default list), fat clients which do not make use of command line parameters, etc. When using a

132 Configuring Application Launching 132 web page, the scripts defined in the script path will use the Internet Explorer DOM to drive the IE browser interface looking for specifically named fields and buttons. Script path - mandatory - the script path is the name of the script to run including the extension. For example, login_azuremgmt.vbs. Automation URL - mandatory - the path supplied here will be found in the [Script Launch] Path to script files element of the bastion host configuration dialog (see Configure a Bastion Host Object section). For example, or for a device, See the next sub-section for replaceable variables in the command line or automation URL paths. VARIABLES FOR APP LAUNCHING When launching an application from the command line or via web automation scripts, there are many available variables for ERPM to use to pass the user name, password, target server and more. What follows is a list of available variables which can be used for replacement. As the process works, DEMO\Broberts logs into the ERPM web application. DEMO\Broberts clicks on launch app. This causes a secondary account (DEMO\BastionLogin) to connect to the bastion host and initiate and launch the liebsoftlauncher.exe program. Liebsoflauncher connects back to the web service and retrieves program settings including target system, target user name, and target password. For this example example, connecting to a server called DB2012 as SA with with the SA password. For this example the following elements are defined by the following variables: DEMO\Broberts = $(SourceAppLogin) or $(UserEnteredLoginUsername) DEMO\BastionLogin = NOT EXPOSED DB2012 = $(RemoteAccessTarget_TargetName) SA = $(Username) or $(AccountName_FullyQualified) SA Password = $(Password) or $(Password_Raw) Following is a list of all possible variables

133 Configuring Application Launching 133 $(UserEnteredLoginUsername) - same as $(SourceAppLogin), is the account used to login to the ERPM web application. $(UserEnteredLoginUsername:RemoveNTSyleNamespace) - This element prunes the domain name from the user name. From the example above, DEMO\Broberts becomes simply Broberts. $(UserEnteredLoginUsername:ReplaceBackslashWithDot) - This element retains the domain name with the user name but replaces the slash with a dot. From the example above, DEMO\Broberts becomes DEMO.Broberts. Use this variable when a name is required that will no be interpreted as a path for creating directories. $(SourceAppLogin) - same as $(UserEnteredLoginUsername), is the account used to login to the app [component] which is triggering the launcher, i.e. the RDP user to the bastion host. $(SourceAppLogin:RemoveNTSyleNamespace) - This element prunes the domain name from the user name. From the example above, DEMO\Broberts becomes simply Broberts. $(SourceAppLogin:ReplaceBackslashWithDot) - This element retains the domain name with the user name but replaces the slash with a dot. From the example above, DEMO\Broberts becomes DEMO.Broberts. Use this variable when a name is required that will no be interpreted as a path for creating directories. $(Username) - this is the name of the target account. From the example above, SA. $(AccountName_FullyQualified) - building on the $(Username) variable, this will pre-pend the domain pre-fix to the account name if applicable. $(Password) - the regex escaped password (e.g. pass\"word ). $(Password_Raw) - the raw un-escaped password. $(RemoteAccessTarget_TargetName) - the target host to which the application will connect. $(LauncherPath) - the path to the application launcher. $(SessionID) - GUID for the launcher link. $(PrivateKey) - the file path for the DER encoded private key (if available). $(PrivateKeyPassphrase) - the pass phrase, if present for $(PrivateKey). $(PuttyKey) - the file path for the putty encoded private key (if available). These variables are used in line and replaced by ERPM at the time the application is launched. For example, if in the website the user were to go to the MSSQL database instance on a server called DB2012 and connect with the built-in (and managed) SA account, the command line syntax would be: -S $(RemoteAccessTarget_TargetName) -U $(Username) -P $(Password) -nosplash The switches ( -S, -U and -P ) are part of the SMSS.EXE executable. The subsequent values of $(RemoteAccessTarget_TargetName), $(Username), and $(Password) would be replaced by the name of the server (DB2012), the name of the account (SA), and the password for SA respectively.

134

135 135 USING APPLICATION LAUNCHING As of ERPM version To launch an application user with either of the following sets of permissions will be able to launch applications: 1) All Access 2) View account, recover password, remote sessions, and permissions for the specific application being launched.

136 Using Application Launching 136 When the user does not have all access, not only are permission required to retrieve the password, but additional permissions are required to even launch a specific application. To define these permissions, use the admin console and go to Delegation Web application remote application permissions. Click Add in the lower left corner, then select an available identity, click OK, then select one or more applications the user can launch. There are two types of application launching in ERPM: launching with variable account and system information and launching with pre-define account and system information. The difference in app configuration is the option in the lower right corner of the application that says to always use the specified account being selected or not. If the option is selected, the application will appear in the

137 Using Application Launching 137 applications portion of the website. If the option is not selected, the user must go to the Launch App section next to the system/account they wish to use to connect. Launching an App as a Pre-Configured Application To launch an application which has been pre-configured for a specific account and target, such as a company's Twitter or Facebook page, the user will click the Applications link on the left pane then click on the application to launch. Only applications that are pre-configured to always launch as a specific user and that the login user has access to will be shown on this page. If an application is not shown it is a sign of at least one of two possible causes:

138 Using Application Launching 138 The user has no permission to launch an application There are no apps configured to always run as a specific user Launching an App Using Variable Target and Account Information Once the the target system and account to connect as are located in the Managed Password section of the website, click Launch App. All applications available to the user for the specific account type will then be shown. If the RDP icon appears at the right edge of the black title bar, that indicates the application is configured to launch via a bastion host. if the camera icon appears at the right edge of the black title bar, that indicates the session will be recorded. To launch the application, click Launch. What happens next will depend on whether the application is configured to launch locally or from a bastion host and whether or not the user has performed this process previously. If connecting via a bastion host, the system will initiate a series of calls to the bastion host and the LiebsoftLauncher on that host. This will be visible to the user. If the user has not previously

139 Using Application Launching 139 launched an app from the machine/profile they are currently logged into, they will likely receive a couple of security prompts.

140 Using Application Launching 140 Each application also has an Advanced launch configuration. Clicking advanced will allow the interactive user to specify alternate credentials to connect to the target system as. These could be static credentials or they could be other stored credentials in ERPM (if they have the rights to retrieve the password). Generally, it will not be necessary to manipulate the advanced settings.

141 141 AUDITING APPLICATION LAUNCHING Once any sessions have been recorded, users with access to the auditing section of the ERPM website will be able to playback any recorded sessions that exist. Such recored sessions will be visible in the ERPM auditing section with a camera icon next to their audit entry. Simply click on the camera icon to playback the recorded sessions. The session properties page will identify user, IP address, and time stamp information and more. To playback the recording, simply chose the desired recording and click Play Recording.

142 Auditing Application Launching 142 The video will open on the systems preferred media player and begin streaming automatically.