Privileged Identity App Launcher and Session Recording


© 2018 Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are the property of their respective owners. TC:5/21/2018

Table of Contents

Application Launcher and Session Recording
Start Here: Installation and Upgrade Roadmap
  Installation Roadmap
  Upgrade Roadmap
  Planning Your Session Recording Installation
Installing Application Launcher & Session Recording Prerequisites
  Understanding Prerequisites
  Recommended Knowledge
  Product Requirements Overview
  Application Launcher Requirements
  Session Recorder Requirements
  Media Server Requirements
  Service Account Requirements
  Port Requirements
Step 1. Install Remote Desktop Services
  Installing Remote Desktop Services for 2012 R2
  Installing Remote Desktop Services for 2008 R2
Step 2. Install Desktop Experience
  Installing Desktop Experience for 2012 R2
  Installing Desktop Experience for 2008 R2
Step 3. Install the Application Launcher and Session Recording Software
  Session Recording and the Application Launcher
  Session Recording on the Transcoder Host
  Session Recording Media Server
Step 4. Setup RDS for Application Launching
  Configuring Remote App for 2012 R2
  Configuring Remote App for 2008 R2
Step 5. Configure IIS to Host Recorded Sessions
Configuring Application Launching and Session Recording
  Configure an Application Launch Server Logon Account
  Configure the Web Launcher Settings
  Configure the Application Launch Server Settings
  Configure the Application Launch Server Host
  Configure Session Recording Settings
  Configure the Web Application Settings for Session Playback
Configure Applications for Launching
  Adding Application Launching Scripts
  Configuring Privileged Identity to Launch Applications
  Variables for App Launching
  Maintaining Application Launching Scripts
Multi-Tab Support
  Multi-Tab Support Configuration
  Multi-Tab AutoIT Script Examples
Configure Application Sets
Shadow Accounts
Using Application Launching
  Setting User Permissions to Launch Applications
  Using the Application Launcher
  Auditing Application Launching
Upgrading Application Launcher & Session Recording Software
Privileged Identity Limited Warranty
Privileged Identity License Agreement

CONTACT BOMGAR info@bomgar.com (US) +44 (0) (UK/EMEA) BOMGAR.COM

Application Launcher and Session Recording

Application Launcher is designed to launch a wide range of programs and processes. The web application user will click a link in the web application (or follow a series of steps via the REST or SOAP APIs or PowerShell), and be connected to a target endpoint through a jump server using specific credentials that are not disclosed to the user. Additionally, the application launcher provides free session recording to capture the entire session in a video that can be played back later through a streaming media server.

The goal of application launching is to put a user into a privileged session, limiting that user to just the application and the singular connection.

Start Here: Installation and Upgrade Roadmap

This chapter outlines what is required to install or upgrade application launcher and session recording for Privileged Identity.

Installation Roadmap

The following roadmap outlines the steps to follow to install application launching and session recording for Privileged Identity.

1. Install and register Privileged Identity, the web application and web service.
2. Make note of the web service URI as it will be required for the application launcher and session recording to work.
3. Understand the product requirements prior to installation. Prepare for the installation by Planning Your Session Recording Installation and reading Understanding Prerequisites.
4. Install the application launcher and optionally the session recording software.
5. Install streaming media services for IIS.
6. Configure application launching settings via the management console.

Upgrade Roadmap

The following roadmap outlines the steps to follow to upgrade application launching and session recording for Privileged Identity.

1. Upgrade Privileged Identity, the web application and web service.
2. Make note of the web service URI as it will be required for the application launcher and session recording to work.
3. Understand the product requirements prior to installation. Prepare for the upgrade by reading Understanding Prerequisites.
4. Upgrade the application launcher and optionally the session recording software.

Planning Your Session Recording Installation

The application launching capability of Privileged Identity is a licensed capability which requires an Application Launch Server (also called a jump server). An Application Launch Server in the context of Privileged Identity is a Windows Remote Desktop Session Services machine that will proxy connections to specific target systems.

The general configuration for application launcher includes the Privileged Identity installation, and a separate (recommended) jump server or multiple jump servers to launch the applications. When session recording is enabled for an application there are four steps to be concerned with:

- Recording - The Session Recorder component on the Application Launch Server records the session and copies the resulting file(s) for video transcoding to the machine/folder functioning as the video transcoder.
- Transcoding - The Video Transcoding Service component compresses the raw video file and processes it for streaming. We recommend installing the transcoding component on a machine not functioning as the jump server due to potential storage and CPU usage concerns; however, a single-server configuration is fully supported. Transcoding videos requires significant overhead in terms of CPU usage. The transcoder service will then copy the final files to permanent storage.
- Storage - A transcoded file will be moved to permanent storage. This could be the file system of the transcoder or another system or device that will provide access to the final files for the streaming media services machine.
- Streaming - The Media Server component streams the video files for viewing on demand and will require access to the storage where the video files will be located. This machine may be a shared machine or a separate machine.

High Availability

High availability for any of these components is achieved by deploying multiple instances of them and configuring load balancing. For example:

- Jump Server - The application launcher relies on Microsoft Remote Desktop Services (RDS). RDS uses Network Load Balancing (NLB) to achieve high availability.
- Transcoding - Transcoding may occur on the jump server or another machine. If transcoding is performed on the jump server and the jump server is already configured as part of an NLB cluster, simply install the transcoder on each host. If the transcoder is installed on another machine that is not the jump server, then install multiple transcoders and have them pointing to shared storage where the recorder will place the raw non-transcoded files.
- Storage - To retain multiple live copies of the recorded sessions, use a replicated storage solution like the Distributed File System (DFS) to have the data replicate.
- Streaming - Have multiple instances of the media server (IIS) configured as an NLB cluster which points to the same shared storage.

Keep in mind that the recorded files are simply video files located in the file system of the host operating machine. A simple backup strategy can also go a long way towards simplifying the deployment process. Also note that while each component is spelled out separately above, most installations combine roles.

Deployment Strategy

There are several permutations for deployment strategies when working with the application launcher and session recording. Without session recording the strategy is fairly easy to understand as there are really only three pieces: the main solution installation, jump server, and target server. Once the included session recording is added into the design, several more deployment permutations must be considered. Following are three potential deployment scenarios.

Deployment 1 places the recording, transcoding, and streaming components on the Application Launch Server.

Deployment 2 places the recording and transcoding components on the Application Launch Server, and the streaming component on the web server. This deployment may make sense if the CPU on the Application Launch Server is powerful and can quickly process the raw video for streaming. Note that this deployment model does not require IIS on the Application Launch Server.

Deployment 3 places the recording component on the Application Launch Server, and the transcoding and streaming components on the web server. Of the three models presented, this model is recommended, provided that the web server is sized to handle the demands placed on it by the video transcoding service.

Installing Application Launcher & Session Recording Prerequisites

This chapter documents the installation prerequisites for Privileged Identity Application Launcher and Session Recording. Based on your starting host system configuration, your actual installation experience may vary.

The following topics are not covered in this guide:

- Installation of Windows
- Installation of Microsoft .NET Framework
- Installation of Privileged Identity

Understanding Prerequisites

This section describes the requirements and prerequisites necessary to install Application Launching and Session Recording for Privileged Identity.

Recommended Knowledge

While Bomgar Lieberman provides documentation and support to set up and configure Application Launching and Session Recording for Privileged Identity in conjunction with the various technologies that it uses, product administrators should have knowledge in the following areas:

- Knowledge of the Windows IIS web server technologies
- Network administration
- System administration

Privileged Identity component host servers should be patched, secured, and properly configured in conjunction with your corporate patching strategy to help ensure that the password store system will not be compromised.

Product Requirements Overview

Application launcher and session recording components can and should be (resources permitting) distributed across multiple systems. The primary components are:

- Privileged Identity - Includes the web application and web service.
- Application launcher - The jump server host that will launch the applications and connect to the target systems on the requesting user's behalf.
- Session recording - Optional. Records sessions launched via the jump server.
  - Transcoder - Performs conversion of the raw files to a format playable by auditors.
  - Streaming media server - Streams the finalized video recordings to the auditor.

If any components will be shared on a single host, then simply combine the requirements. The application launcher in particular should be placed on a separate system, relative to Privileged Identity, to improve resource utilization.

The product is supported in a physical, virtual (cloud), or physical-virtual mixed environment. The virtual host platform is irrelevant to the support of the product. All virtualization platforms are supported. Virtual host and virtual machine configurations, however, can severely impact or impede the ability of the product to work because virtual host and guest configurations do affect every component of the virtual guest that is running the product.

Application Launcher Requirements

This section covers requirements for the application launcher tier of Privileged Identity and does not include requirements for session recording.

Platform Requirements

A Windows Server operating system is required for any installation of the application launcher. The solution is fully supported on a physical server or a virtual machine, regardless of the virtual host platform. All service pack levels and editions are supported except where specifically noted. We recommend using Windows Server 2012 R2 as the host platform. Supported versions of Windows Server are:

- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2

Hardware and Software Requirements

In addition to the requirements needed to support the host system, the product itself requires at least the following:

- Web Service installed and configured with a valid and trusted SSL certificate. Any certificate error will cause this functionality to not work.
- Microsoft .NET Framework or later.
- Remote Desktop Services.
- Remote Desktop Services licensing. Please contact your Microsoft representative for more information.
- Desktop Experience and related components.
- RAM and CPU sizing considerations relative to the number of simultaneous expected users and applications being launched. Please refer to Microsoft documentation for sizing considerations when using Remote Desktop Services.
- Additional software requirements relative to the programs being launched.

Session Recorder Requirements

This section covers requirements for the session recording software for use with the application launcher in Privileged Identity.

Platform Requirements

A Windows Server operating system is required for any installation of the session recording component. The solution is fully supported on a physical server or a virtual machine, regardless of the virtual host platform. All service pack levels and editions are supported except where specifically noted. We recommend using Windows Server 2012 R2 as the host platform. Supported versions of Windows Server are:

- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2

Hardware and Software Requirements

In addition to the requirements needed to support the host system, the product itself requires at least the following:

- Microsoft .NET Framework or later.
- Microsoft .NET Framework 3.5 SP1.
- Desktop Experience and related components.
- Multi-core CPUs.
- 2GB of RAM or more.

Media Server Requirements

This section covers requirements for the streaming media services required to play back recorded sessions using the included session recording software.

Platform Requirements

A Windows Server operating system is required for any installation of streaming media services. The solution is fully supported on a physical server or a virtual machine, regardless of the virtual host platform. All service pack levels and editions are supported except where specifically noted. We recommend using Windows Server 2012 R2 as the host platform. Supported versions of Windows Server are:

- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2

Hardware and Software Requirements

In addition to the requirements needed to support the host system, the product itself requires at least the following:

- Internet Information Services (IIS).
- 2GB of RAM or more.

Service Account Requirements

Multiple service accounts may be used during this process. If one service account is used for more than one component, combine the rights and permissions requirements for the account.

Application Launcher Service Accounts

The application launcher uses a single account to log into the jump server on behalf of the user and launch a given application. This account should be a domain joined account. This account can be managed by Privileged Identity provided it is not also running deferred or zone processing services. This account has no explicit requirements other than to be allowed to remote desktop to the jump server host. This typically only requires membership in the Remote Desktop Users group on the jump server. Other considerations for this service account are:

- If the web service is leveraging Windows Integrated Authentication, this account must be able to connect to the web service without being prompted for a username and password.
- There can be no SSL trust issues when connecting to the web service with this account.
- This account may require additional permissions on the jump server depending on the application being launched. For example, if the application being launched requires administrative privileges to run on the jump server, this service account must have administrative group membership on the jump server.

Session Recording Service Accounts

Session recording service account requirements vary based on the actual deployment.

Deployment: All roles on same server

- If session recording and transcoding and media service roles are installed on the jump server, it is sufficient to configure the application to use "Local System" as no network access is required.

Deployment: Recorder role on jump server, media server and transcoder services on a separate host

- The jump server login account must have network access and modify permissions to the Source share on the transcoder host.
- On the jump server, the session recording service account should be configured as Network Service, as it won't be used in this scenario. Session recording services may be disabled post install through the Windows services snap-in, as they won't be used in this scenario.
- The transcoding host service account may be configured as Local System or a named account. If running as a named account, this account must be granted logon as a service. No network access will be required from the transcoder host for the video files as the media server is on the same host.
- The transcoding host service account must be granted modify access to the Source, Working, and SessionRecording directories on the transcoder host. The actual paths will be defined during installation.

Deployment: Recorder role on jump server, transcoder on a separate host, media server on a separate host with local storage

- The jump server login account must have network access and modify permissions to the Source share on the transcoder host.
- On the jump server, the session recording service account should be configured as Network Service, as it won't be used in this scenario. Session recording services may be disabled post install through the Windows services snap-in, as they won't be used in this scenario.
- The transcoding host service account must be configured as a named account.
- The transcoding host service account must be granted logon as a service.
- The transcoding host service account must be granted modify access to the Source and Working directory on the transcoder host. The actual paths will be defined during installation.
- The transcoding host service account must be granted write access to the SessionRecording share on the media server host.

Deployment: Recorder role on jump server, transcoder on separate host, media server on separate host with remote storage

- The jump server login account must have network access and modify permissions to the Source share on the transcoder host.
- On the jump server, the session recording service account should be configured as Network Service, as it won't be used in this scenario. Session recording services may be disabled post install through the Windows services snap-in, as they won't be used in this scenario.
- The transcoding host service account must be configured as a named account.
- The transcoding host service account must be granted logon as a service.
- The transcoding host service account must be granted modify access to the Source and Working directory on the transcoder host. The actual paths will be defined during installation.
- The transcoding host service account must be granted write access to the SessionRecording share on the storage system the media server host is connecting to.
- If the storage system for the media server is a remote server rather than the local server, configure the SessionRecording virtual directory in IIS with network credentials valid on the remote storage system and grant read permissions to that directory for the account.

It is possible to configure every component to use the same service account. Because there are different access requirements to the different components, this is a recommended setup. However, this can make the configuration and maintenance unnecessarily complex. Therefore, using a single service account for all components is fully supported and most often the deployed methodology.
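An added example (not part of the vendor guide): a PowerShell audit, run on the transcoder host, that confirms the transcoding service account holds modify rights on the Source, Working and SessionRecording directories and lists every other principal that can write to them. The account name and directory paths are placeholders; the real paths are defined during installation.

```powershell
# Added example. The account name and paths below are placeholders (assumptions).
$ServiceAccount = 'EXAMPLE\svc-transcoder'
$Directories = [ordered]@{
    Source           = 'D:\SessionRecording\Source'
    Working          = 'D:\SessionRecording\Working'
    SessionRecording = 'D:\SessionRecording\Final'
}

$Rights    = [System.Security.AccessControl.FileSystemRights]
$WriteBits = $Rights::WriteData -bor $Rights::AppendData -bor $Rights::Delete

function Get-DirectoryAccessReport {
    param([string]$Name, [string]$Path, [string]$Account)

    if (-not (Test-Path -Path $Path -PathType Container)) {
        return [pscustomobject]@{
            Directory = $Name; Path = $Path
            AccountHasModify = $false; OtherWriters = 'path not found'
        }
    }

    # Only Allow entries grant access; Deny entries are not evaluated here.
    $allow = (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' }

    # Entries naming the account directly (explicit or inherited). Rights that
    # reach the account through group membership are not resolved.
    $hasModify = [bool]($allow | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        ($_.FileSystemRights -band $Rights::Modify) -eq $Rights::Modify
    })

    # Any other principal able to create, change or delete recordings.
    $others = $allow | Where-Object {
        $_.IdentityReference.Value -ne $Account -and
        [int]($_.FileSystemRights -band $WriteBits) -ne 0
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    [pscustomobject]@{
        Directory        = $Name
        Path             = $Path
        AccountHasModify = $hasModify
        OtherWriters     = ($others -join '; ')
    }
}

$report = foreach ($entry in $Directories.GetEnumerator()) {
    Get-DirectoryAccessReport -Name $entry.Key -Path $entry.Value -Account $ServiceAccount
}
$report | Format-Table -AutoSize -Wrap
```

SYSTEM and the local Administrators group will normally appear under OtherWriters; anything broader, such as Users or Everyone, means sessions recorded for audit can be altered or deleted by accounts that have no role in recording.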

Port Requirements

Application launcher and session recording make use of a small number of well-known ports. Actual port usage will vary based on your specific configurations.

Note: The following ports are the standard well-known ports for the various protocols. These ports may have been changed on the target systems. It is the solution administrator's responsibility to determine if any of the target ports have been changed and reflect that changed port when password change jobs or account discovery jobs are performed.

- TCP/UDP, outbound, DNS - used for name resolution to target hosts
- TCP/UDP, outbound, Kerberos - used by jump server to authenticate login user when authenticating with Kerberos
- TCP, outbound, HTTPS - used by the application launcher and web service to communicate with the Privileged Identity web service
- TCP, outbound, SMB - used by session recording components to copy recorded files to other session recording component hosts when hosted across multiple servers
- TCP/UDP, outbound, Kerberos - used by jump server to authenticate login user when authenticating with Kerberos
- TCP/UDP, inbound, RDP - used by the end user to connect to and stream remote applications installed on the jump server to their desktop
- 389/636 - TCP, outbound, LDAP/LDAPS - used by the jump server to communicate with Active Directory during login of the application launcher login account
- Other - TCP/UDP, outbound, unknown - ports leveraged by the launched application will require ports specific to their function and are not defined by Privileged Identity

If web services or the web application are on non-default ports for their HTTP/S configuration, the firewalls must be configured to allow communication on those ports.
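An added example (not from the vendor guide): a PowerShell pre-flight, run on the jump server, that checks the outbound TCP ports listed above and reports whether the web service certificate validates cleanly, since any certificate error stops application launching from working. Host names are placeholders, and the port numbers are the standard well-known defaults, assumed here; change both to match your environment.

```powershell
# Added example. Host names are placeholders (assumptions); ports are the
# well-known defaults and must be adjusted if your environment differs.
$WebServiceHost   = 'pi-web.example.internal'      # host part of the web service URI
$DomainController = 'dc01.example.internal'
$TranscoderHost   = 'transcoder.example.internal'

$targets = @(
    [pscustomobject]@{ Purpose = 'DNS';      Target = $DomainController; Port = 53  }
    [pscustomobject]@{ Purpose = 'Kerberos'; Target = $DomainController; Port = 88  }
    [pscustomobject]@{ Purpose = 'LDAP';     Target = $DomainController; Port = 389 }
    [pscustomobject]@{ Purpose = 'LDAPS';    Target = $DomainController; Port = 636 }
    [pscustomobject]@{ Purpose = 'HTTPS';    Target = $WebServiceHost;   Port = 443 }
    [pscustomobject]@{ Purpose = 'SMB';      Target = $TranscoderHost;   Port = 445 }
)

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-TlsTrustResult {
    param([string]$HostName, [int]$Port = 443)
    $script:tlsPolicyErrors = $null
    # Record the validation outcome instead of aborting the handshake, so the
    # reason for a failure can be reported. No application data is sent.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($s, $certificate, $chain, $policyErrors)
        $script:tlsPolicyErrors = $policyErrors
        $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = $null
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        # Last argument enables certificate revocation checking.
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Subject      = $cert.Subject
            NotAfter     = $cert.NotAfter
            PolicyErrors = $script:tlsPolicyErrors
            Trusted      = ($script:tlsPolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

foreach ($t in $targets) {
    $open = Test-TcpPort -HostName $t.Target -Port $t.Port
    '{0,-9} {1}:{2} reachable={3}' -f $t.Purpose, $t.Target, $t.Port, $open
}

$tls = Get-TlsTrustResult -HostName $WebServiceHost
if (-not $tls.Trusted) {
    Write-Warning "Web service certificate failed validation: $($tls.PolicyErrors)"
}
$tls
```

The check is TCP only, so the UDP paths for DNS and Kerberos are not exercised. Run it as the application launcher logon account so that the certificate stores consulted are the ones the launcher will use.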

Step 1. Install Remote Desktop Services

The following sub-sections document how to install Remote Desktop Services on both a Windows Server 2008 R2 and Windows Server 2012 (R2) host. If multiple Application Launch Servers will be employed, Privileged Identity does not require them all to run on the same operating system, but they do all need to be Windows Server 2008 R2 or later (2012 R2 recommended).

Privileged Identity will use a singular logon account to connect to the application launch server. This account will be used to launch applications. It does not necessarily need to be an administrator unless a specific application requires administrative rights to run. If the account is not configured as an administrator of the application launch host, it will need to be granted the right to log on via Remote Desktop Services. This is typically granted by adding the account to the Remote Desktop Users local group.

Installing Remote Desktop Services for 2012 R2

This section covers installation of the prerequisites on a Windows Server 2012 and Windows Server 2012 R2 host which will function as an Application Launch Server for the purposes of launching applications.

1. Open Server Manager and select Add Roles and Features.
2. Click Next on the Before You Begin page.
3. On the Select installation type page, select Remote Desktop Services installation, then click Next.

4. On the Select deployment type page, choose a deployment type and click Next.
5. The steps presented go through a standard deployment where the admin will be required to configure a collection post RDS installation. The Quick Start method will be faster while automatically creating a collection, but it will also add and publish additional applications that are unnecessary and will not provide any configuration options.
6. On the Select deployment scenario page, select Session-based desktop deployment, then click Next.
7. Click Next on the Role Services page.

8. On the Specify RD Connection Broker server page, select the server from the Server Pool field, then add it to the selected computer field by clicking the right arrow head between the two fields.
9. Click Next to continue.
10. On the Specify RD Web Access server page, select the server from the Server Pool field, then add it to the selected computer field by clicking the right arrow head between the two fields.
11. Click Next to continue.

12. On the Confirm selections page, click Deploy. Restart the host if required.
13. After restarting, open Server Manager and click on Remote Desktop Services from the right pane, then click on Collections from the center pane. A new collection must be made to publish the Privileged Identity application launcher program used to launch software from the Application Launch Server.
14. At the top right corner, select Tasks and click Create Session Collection.
15. On the Before you begin page, click Next.
16. On the Name the collection page, supply a friendly name for the collection and click Next. The collection name should be 16 characters or less (due to Microsoft design limitations).

17. On the Specify RD Session Host server page, select the server from the Server Pool field, then add it to the selected computer field by clicking the right arrow head between the two fields. Then click Next.
18. A proxy account will be used to connect to the Application Launch Server prior to launching the selected application. This account will either need to be added to a group which can RDP to the target Application Launch Server and launch subsequent applications, or should be added directly as a user which can connect to the RD Session Host server. Description of this account is covered in the parent section, 1. Installing Remote Desktop Services.
19. Click Next to continue.
20. On the Specify user profile disks page, click Next.

21. On the Confirm selections page, click Create.
22. An empty collection will be created.

The installation and configuration of the launcher application will be described later in this document.

Installing Remote Desktop Services for 2008 R2

This section covers installation of Remote Desktop Services on a Windows Server 2008 R2 host as required for Application Launch Server services.

1. Start Server Manager and select Add Roles. Click Next on the welcome page and select Remote Desktop Services, then click Next.
2. Click Next on the Introduction to Remote Desktop Services page.

3. On the Select Role Services page, select Remote Desktop Session Host, then click Next.
4. Click Next on the Uninstall and Reinstall Applications for Compatibility page.
5. On the Specify Authentication Method for Remote Desktop Session Host page, choose the option that best suits your company's needs. The option to Require Network Level Authentication will provide greater security but may only work properly for newer hosts and if all incoming connections are properly verified. The option Do not require Network Level Authentication will provide greater compatibility for all connecting systems but may reduce overall security of the Application Launch Server. Click Next to continue.

6. On the Specify Licensing Mode page, a remote desktop session license mode must be selected. If RDS client access licenses are not yet available but will be soon, select Configure later. If unsure about what option to choose, select Configure later, and then contact your Microsoft licensing services manager. RDS will function for 120 days without a proper licensing server. If RDS CALs are available, then choose the proper Per Device or Per User model for your organization.
7. A proxy account will be used to connect to the Application Launch Server prior to launching the selected application. This account will either need to be added to a group that can RDP to the target Application Launch Server and launch subsequent applications, or should be added directly as a user that can connect to the RD Session Host server. Description of this account is covered in the parent section, 1. Installing Remote Desktop Services.
8. Click Next to continue.
9. On the Configure Client Experience page, it is recommended to leave all options deselected. Click Next to continue.

10. On the Confirm Installation Selections page, examine the installation selections. If everything is correct, click Install. The server will need to reboot after installation.

The installation and configuration of the launcher application will be described later in this document.

Step 2. Install Desktop Experience

If you are not going to enable session recording, you do not need to install the Desktop Experience feature. If you plan to enable session recording, install the Desktop Experience feature now.

Microsoft Desktop Experience is included with Windows Server 2008 R2 and 2012 R2. If you installed Windows Server as a Server Core installation, Desktop Experience is not yet installed on your server. If you installed a Full Windows Server installation, Desktop Experience may already be installed on your server. For more information about Desktop Experience, see the following TechNet article:

Desktop Experience is already installed with full installations of Windows Server

If you install the video transcoding service and the Application Launcher & Session Recorder components on separate systems, install the Desktop Experience on the Application Launch Server and the system that runs the video transcoder. You do not need to install Desktop Experience on the streaming media server.

Installing Desktop Experience for 2012 R2

If session recording will be configured then the Desktop Experience must be installed. To add the Desktop Experience, open Server Manager and select Add Features.

1. On the Features page, expand User Interfaces and Infrastructure, and select Desktop Experience.
2. If prompted for additional components, click Add Features.

3. Add any other features required by the applications that will be launched from this system (such as .NET Framework 3.51 or 4.x) and click Next.
4. Continue through to the end of the wizard. Click Close when done.

Installation of the Desktop Experience will require a restart of the host.

Installing Desktop Experience for 2008 R2

If session recording will be configured then the Desktop Experience must be installed. To add the Desktop Experience, open Server Manager and select Add Features.

1. On the Features page, select Desktop Experience.

2. If prompted for additional components, click Add Required Features.
3. Click Next to continue.
4. Once the installation is complete, click Close and restart the server.

Step 3. Install the Application Launcher and Session Recording Software

This step covers the installation of the application launcher and the optional session recording feature. If you are not installing the session recording feature, skip the sections titled Session Recording on the Transcoder Host and Session Recording Media Server. Start the installation process by following the steps outlined in Session Recording and the Application Launcher. If you are installing the session recording feature, complete all sections under this chapter.

An Application Launch Server in the context of Privileged Identity is a Windows Remote Desktop Session Services machine (formerly Terminal Services) that proxies connection attempts made to specific target systems. The Application Launch Server has all programs used to connect to target systems installed on it. A proxy account is used to connect to the Application Launch Server. This account can and should be managed by Privileged Identity. Automated password management for this account is recommended but not required, as a static un-stored password may also be used.

The Session Recording software records sessions performed through the jump server functionality. Recorded sessions are copied from the Application Launch Server to a machine functioning as a video transcoder. The transcoder converts videos from the raw format to one that can be played back by the machine functioning as a streaming media server. This section outlines the installation of session recording for application launching on two separate machines functioning independently.

Session Recording and the Application Launcher

To begin installing the session recording software on the machine that will function as the video transcoder, open the SupplementalInstallers sub-folder from the installation directory, typically "%programfiles(x86)%\lieberman\roulette". Copy ERPMRemoteLauncherInstaller.exe to the machine that will function as the transcoder and launch the installer.

1. Click Next on the welcome page.

2. Read and accept the license agreement to continue installation. Then click Next to continue.
3. Enter the full SSL-secured URL to the web service. Web Services are installed separately, typically on the web application server. The application launcher web service is installed with the standard ERPMWebService installer package. The URL is typically
4. Click Test to validate the URL. Any certificate issues must be corrected before installation can properly succeed. If the web page does not appear at all, validate the URL and try again or install Web Services.
5. If the page tests without issue or errors, click Next to continue.
6. If session recording WILL NOT be enabled, select to install:
   - Application Launcher
   For the Application Launch Server host, if session recording WILL BE enabled, select to install:
   - Microsoft Expression 4 Encoder SP2
   - Session Recorder and File Watcher Service
   - Application Launcher
7. Select the installation directory. Click Next to continue. If session recording components are not enabled, clicking Next will install the application launcher software and complete the installation.

8. If session recording components are being installed, the next dialog configures the session recording paths. The destination directory is where completed video files are placed after being transcoded. If this machine is also functioning as the transcoder host and the media server will be a separate machine, specify the network path to the SessionRecording share on the media server host.
9. Click Next on the video transcoder paths.
10. On the Application Launch Server host, set the service identity to run as a Specific User, Network Service, or Local System.
   - Local System offers the benefit of already having proper access and no password management requirements. If the transcoder is running on a separate system and Local System is used, the computer account of the Application Launch Server host must be granted Modify access to the source directory on the transcoder host.
   - Network Service provides fewer rights than Local System and offers the benefit of already having proper access and no password management requirements. If the transcoder is running on a separate system and Network Service is used, the computer account of the Application Launch Server host must be granted Modify access to the source directory on the transcoder host. "NT Authority\Network Service" must also be granted Modify access to the Session Recording directory.
   - Running as a Specific User offers the path of least privilege but requires configuring NTFS permissions on the Source directory from the previous step for read, write, and delete files (Modify). Running as a specific user is recommended for running the File Watcher service on the Application Launch Server host when the transcoder is on a separate system.
11. Click Next to continue.

12. Click Install to continue.
13. Click Finish to complete the first part of the installation.

If session recording components were not selected during the installation process, the installer will now end its routine. If any of the session recording components were selected, a separate installation for the Microsoft Expressions recorder will be initiated automatically.

1. Accept the License agreement for the Microsoft Expressions recorder.

2. Click Next on the Enter product key page. There is no product key to enter.
3. Elect to join the Microsoft customer experience or not. Click Next to continue.
4. Select to install Expression Encoder 4 and click Install.

5. Click Finish to complete the installation.
6. This installation will take additional actions that are not visible in the installer:
   - A [Domain] Local security group will be created called WriteRecordingGroup. If the installation is taking place on a domain controller, the group is created in the Users container. This group may be safely deleted from the Application Launch Server host if it is also functioning as the transcoder host.
   - The Domain Admins group will be added to this WriteRecordingGroup.
   - The installer will create and share the following directory: %inetpub%\wwwroot\sessionrecording as SessionRecording. This directory is used to copy compiled session recordings from the Application Launch Server to the transcoder host. This scenario would apply if using the FFMPeg video recorder rather than the Expressions recorder. This share directory will be required when configuring the Application Launch Server host for app launching with session recording. If the transcoder and Application Launch Server host are the same system, this share can be safely deleted.
   - The installer will create and share the following directory: %programfiles(x86)%\lieberman\roulette\launchapp\transcoders\source as Source. This directory will be used by the Application Launch Server hosts to copy raw session recording files to the transcoder host(s). This scenario would apply if using the Expressions 4 recording software. This share directory will be required when configuring the Application Launch Server host for app launching with session recording. If the transcoder and Application Launch Server host are the same system, this share can be safely deleted.
   - The share permissions of each shared directory will be set to allow the WriteRecordingGroup "Full Control". Minimum permissions required are "Change".

Session Recording on the Transcoder Host

Skip this step if you are not using the included session recording software.

1. To begin installing the session recording software on the machine that will function as the video transcoder, open the SupplementalInstallers sub-folder from the installation directory, typically "%programfiles(x86)%\lieberman\roulette". Copy ERPMRemoteLauncherInstaller.exe to the machine that will function as the transcoder and launch the installer.
2. Click Next on the welcome page.
3. Read and accept the license agreement to continue installation. Then click Next to continue.
4. Enter the full SSL-secured URL to the web service. Web Services are installed separately, typically on the web application server. The application launcher web service is installed with the standard ERPMWebService installer package. The URL is typically
5. Click Test to validate the URL. Any certificate issues must be corrected before installation can properly succeed. If the web page does not appear at all, validate the URL and try again or install Web Services.
6. If the page tests without issue or errors, click Next to continue.

7. For the transcoder host, select to install:
   - Microsoft Expression 4 Encoder SP2
   - Session Recorder and File Watcher Service
8. Select the installation directory. Click Next to continue.
9. The destination directory is where completed video files are placed after being transcoded. If this machine is also functioning as the transcoder host and the media server will be a separate machine, specify the network path to the SessionRecording share on the media server host. If this machine will also be the media server, the default path is correct.
10. Click Next to continue.
11. On the transcoder host, set the service identity to run as either Local System or as a Specific User.
   - Local System offers the benefit of already having proper access and no password management requirements.
   - Running as a Specific User offers the path of least privilege but requires configuring NTFS permissions on the Source directory from the previous step for read, write, and delete files (Modify).
   Running the File Watcher service as Local System is recommended on the transcoder host.
12. Click Next to continue.

13. Click Install to continue.
14. Click Finish to complete the first part of the installation.

After the initial installation is complete, a separate installation for the Microsoft Expressions recorder will be initiated automatically.

1. Accept the License agreement for the Microsoft Expressions recorder.

2. Click Next on the Enter product key page. There is no product key to enter.
3. Elect to join the Microsoft customer experience or not. Click Next to continue.
4. Select to install Expression Encoder 4 and click Install.

5. Click Finish to complete the installation.

IMPORTANT NOTES REGARDING THIS INSTALLATION!

This installation will take additional actions that are not visible in the installer:

- A [Domain] Local security group will be created called WriteRecordingGroup. If the installation is taking place on a domain controller, the group is created in the Users container.
- The Domain Admins group will be added to this WriteRecordingGroup.
- The installer will create and share the following directory: %inetpub%\wwwroot\sessionrecording as SessionRecording. This directory is used to copy compiled session recordings from the Application Launch Server to the transcoder host. This scenario would apply if using the FFMPeg video recorder rather than the Expressions recorder. If the transcoder component is installed on the Application Launch Server, or if the Expression session recorder is the only used session recorder, this share may be safely deleted. This share directory will be required when configuring the Application Launch Server for app launching with session recording.
- The installer will create and share the following directory: %programfiles(x86)%\lieberman\roulette\launchapp\transcoders\source as Source. This directory will be used by the Application Launch Server to copy raw session recording files to the transcoder host(s). If the transcoder component is installed on the Application Launch Server, this share can be safely deleted. This scenario would apply if using the Expressions 4 recording software. This share directory will be required when configuring the Application Launch Server for app launching with session recording.
- The share permissions of each shared directory will be set to allow the WriteRecordingGroup "Full Control". Minimum permissions required are "Change".

Session Recording Media Server

Skip this step if you are not using the included session recording software.

Streaming Media Services is used to provide smooth streaming of the recorded sessions from the streaming host (typically the web application server) to the client's browser and video player. Installation of this component is only required if session recording will be used.

To begin installing the streaming media software on the machine that will function as the streaming video server, open the SupplementalInstallers sub-folder from the installation directory, typically %programfiles(x86)%\lieberman\roulette. Copy IISMEdia64.msi to the machine that will function as the streaming video server and launch the installer.

The installation of IIS Media services requires a basic stock installation of IIS to be available on the same host server.

1. Click Next on the welcome page.
2. Read and accept the terms of the license agreement, then click Next.
3. Leave the default options selected, then click Next.

4. Click Install.
5. Click Finish.
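The installer notes in Step 3 list a security group and two shares that are created without any prompt. The following PowerShell is an added example, not part of the product documentation, that reports the group membership plus the share and NTFS permissions, and optionally lowers the share permission from Full Control to the stated minimum of Change. It assumes Windows Server 2012 or later (SmbShare cmdlets) and an elevated session; $Apply and $LaunchServerAccount are hypothetical names introduced for the example.

```powershell
# Added example: review what the Application Launcher installer created silently.
# Assumes Windows Server 2012 or later (SmbShare module) and an elevated session
# on the transcoder / media server host.

$Group  = 'WriteRecordingGroup'          # group name from the installer notes
$Shares = 'SessionRecording', 'Source'   # share names from the installer notes
$Apply  = $false                         # hypothetical switch: set to $true to make changes
$LaunchServerAccount = $null             # hypothetical, e.g. 'EXAMPLE\LAUNCH01$' (computer account)

# 1. Membership of the group. The installer adds Domain Admins to it.
#    On a domain controller the group lives in the Users container; query it with AD tools.
Write-Host "Members of ${Group}:"
net localgroup $Group

foreach ($name in $Shares) {
    $share = Get-SmbShare -Name $name -ErrorAction SilentlyContinue
    if (-not $share) {
        Write-Host "[$name] share not present on this host"
        continue
    }
    Write-Host "[$name] path: $($share.Path)"

    # 2. Share-level permissions as they stand now.
    $access = @(Get-SmbShareAccess -Name $name)
    $access | Format-Table AccountName, AccessControlType, AccessRight -AutoSize | Out-Host

    # 3. The guide states that Change is the minimum required; the installer grants Full.
    $full = $access | Where-Object {
        $_.AccountName -like "*\$Group" -and
        $_.AccessControlType -eq 'Allow' -and
        $_.AccessRight -eq 'Full'
    }
    foreach ($entry in $full) {
        if ($Apply) {
            Revoke-SmbShareAccess -Name $name -AccountName $entry.AccountName -Force | Out-Null
            Grant-SmbShareAccess  -Name $name -AccountName $entry.AccountName `
                                  -AccessRight Change -Force | Out-Null
            Write-Host "[$name] $($entry.AccountName): Full -> Change"
        } else {
            Write-Host "[$name] $($entry.AccountName) has Full Control; Change is sufficient"
        }
    }

    # 4. NTFS permissions on the shared directory (effective access is the
    #    more restrictive of share and NTFS permissions).
    (Get-Acl -Path $share.Path).Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize |
        Out-Host

    # 5. When the File Watcher service on a separate Application Launch Server runs as
    #    Local System or Network Service, its computer account needs Modify on Source.
    if ($Apply -and $LaunchServerAccount -and $name -eq 'Source') {
        icacls $share.Path /grant ($LaunchServerAccount + ':(OI)(CI)M')
    }
}
```

Run it once with $Apply left at $false to see the current state before changing anything.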

Step 4. Setup RDS for Application Launching

This section details configuring Remote App on the remote session host to launch the application launcher. The application launcher is a bootstrapper used to launch and provide authentication information for configured applications. When a user uses the "Launch App" links in the web application, the launcher is called first. It obtains the necessary credential information for the application to launch, and then launches the application from the Application Launch Server. In turn, VDI will display the remote application on the user's workstation as if it were a local application.

Configuring Remote App for 2012 R2

Open Server Manager and click the Remote Desktop Services link on the left pane. Then click Collections. Select the collection in which to configure the application launcher application.

1. In the REMOTEAPP PROGRAMS area, click Tasks and select Publish RemoteApp Programs. Then click Add on the Publish RemoteApp programs dialog.
2. Select LiebsoftLauncher.exe from the application launcher installation location on the Application Launch Server (configured in step 3 previously). The default directory for this file is: C:\Program Files (x86)\lieberman\roulette\launchapp. Then click Next.

3. On the Confirmation page, click Publish.
4. Once the LiebsoftLauncher application is published, right-click on it in the RemoteApp Programs list and select Edit Properties.
5. On the General tab, set the Show the RemoteApp program in RD Web Access option to No. Although everything will work fine if this is not done, there is no need to publicize this application.
6. On the Parameters tab, set the Command-line Parameters option to Allow any command-line parameters. The LiebsoftLauncher command line will differ every single time it is run, based on many factors including session IDs, programs being run, and parameters included when launching the programs.

7. On the User Assignment tab, it is highly recommended to change the User Assignment option to be a specific user or group of users. Specifically, you will be connected to the server as a pre-designated account (which can be managed by Privileged Identity). This is the only account that will require access to run the program. This account will be covered later in the Configuring Application Launching section. The account assigned here will require any permissions and rights to launch the desired programs.
8. Click OK when done.

Configuring Remote App for 2008 R2

Open Server Manager and expand the Remote Desktop Services > RemoteApp Manager nodes in the left pane.

1. In the RemoteApp Programs area, right-click and select Add RemoteApp Programs. Click Next on the Welcome page, then click Browse on the Choose programs to add to the RemoteApp Programs list page.

2. Select LiebsoftLauncher.exe from the application launcher installation location on the Application Launch Server (configured in step 3 previously). The default directory for this file is: C:\Program Files (x86)\lieberman\roulette\launchapp. Then click Next.
3. On the Review Settings page, click Finish.

4. Once the LiebsoftLauncher application is added, right-click on it in the RemoteApp Programs list and select Properties.

   CAUTION! Do not change the Alias value.

5. De-select the check box for RemoteApp program in RD Web Access. Although everything will work fine if this is not done, there is no need to publicize this application.
6. Set the Command-line arguments option to Allow any command-line parameters. The LiebsoftLauncher command line will differ every single time it is run, based on many factors including session IDs, programs being run, and parameters included when launching the programs.
7. On the User Assignment tab, it is highly recommended to change the User Assignment option to be a specific user or group of users. Specifically, the app launch software will connect to the server as a pre-designated account (which should be managed by Privileged Identity). This is the only account that will require access to run the program. This account will be covered later in the Configuring Application Launching section. The account assigned here will require any permissions and rights to launch the desired programs.
8. Click OK when done.
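The 2012 R2 RemoteApp settings from Step 4 can also be applied and checked with the RemoteDesktop PowerShell module. This is an added example, not part of the product documentation; the collection name and the group name are hypothetical, and the module is not available on 2008 R2. Because the launcher must accept any command-line parameters, the user assignment is the control that limits who can start it, so the audit at the end reports an empty or broader-than-expected assignment.

```powershell
# Added example: publish and audit the launcher RemoteApp on Windows Server 2012 R2.
# Run on the RD Connection Broker (or add -ConnectionBroker <fqdn> to each RD cmdlet).
Import-Module RemoteDesktop

$Collection = 'AppLaunch'                # hypothetical session collection name
$ProxyGroup = 'EXAMPLE\AppLaunchProxy'   # hypothetical group containing only the logon account
# Default launcher location given in the guide:
$Launcher   = 'C:\Program Files (x86)\lieberman\roulette\launchapp\LiebsoftLauncher.exe'

function Get-LauncherApp {
    # String comparison with -eq is case-insensitive in PowerShell.
    Get-RDRemoteApp -CollectionName $Collection |
        Where-Object { $_.FilePath -eq $Launcher } |
        Select-Object -First 1
}

$app = Get-LauncherApp
if (-not $app) {
    # Steps 1-3: publish the launcher. The alias is left at its default value.
    New-RDRemoteApp -CollectionName $Collection `
                    -DisplayName 'LiebsoftLauncher' `
                    -FilePath $Launcher `
                    -ShowInWebAccess $false `
                    -CommandLineSetting Allow `
                    -UserGroups $ProxyGroup | Out-Null
} else {
    # Steps 5-7: hide from RD Web Access, allow any parameters, restrict assignment.
    Set-RDRemoteApp -CollectionName $Collection `
                    -Alias $app.Alias `
                    -ShowInWebAccess $false `
                    -CommandLineSetting Allow `
                    -UserGroups $ProxyGroup
}

# Audit the published state against the guide's recommendations.
$app = Get-LauncherApp
$findings = @()
if (-not $app) {
    $findings += 'Launcher is not published in this collection'
} else {
    if ($app.ShowInWebAccess) {
        $findings += 'Launcher is visible in RD Web Access'
    }
    if ("$($app.CommandLineSetting)" -ne 'Allow') {
        $findings += "Command-line setting is '$($app.CommandLineSetting)', expected 'Allow'"
    }
    if (-not $app.UserGroups) {
        $findings += 'No user assignment: every user of the collection can start the launcher'
    }
    foreach ($g in @($app.UserGroups)) {
        if ($g -and $g -ne $ProxyGroup) {
            $findings += "Unexpected assignment: $g"
        }
    }
}

if ($findings.Count -eq 0) { Write-Host 'Launcher RemoteApp matches the recommended settings' }
else { $findings | ForEach-Object { Write-Host "FINDING: $_" } }
```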

Step 5. Configure IIS to Host Recorded Sessions

This step is only required if session recording has been enabled. If session recording is not enabled, do not perform this step. This will likely be configured on the same system where Streaming Media Services was installed.

When an application is launched using the Application Launch Server and that application is configured to also record the session, the recorded sessions will first be placed into a pre-configured directory on the machine that will ultimately host the videos for later playback.

When using the Microsoft Expressions session recorder, the files will first be copied locally to the file system. The File Watcher Service will then move the raw files, as XESC files, to a share called "Source" on a machine that is configured as the video transcoder. Once the raw XESC files are copied to the transcoder, the File Watcher service on that machine will transcode the videos to WMV format and move the compiled files into the "SessionRecording" share on the same system. It is this directory that will be hosted in IIS and made available via the web application.

Little work is required to configure IIS on the machine that will host (stream) the compiled videos, as the application launcher installer will have configured most of the required elements:

The default website will have a new virtual directory added to it called SessionRecording. This directory will point to %inetpub%\wwwroot\sessionrecording.

The only change that may need to be made is to set the authentication scheme to anonymous. To do this, open IIS, expand the default website, and open the Authentication area. Right-click on the authentication types, enable Anonymous Authentication, and disable all others.
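The authentication change in Step 5 can be applied and verified from PowerShell. This is an added example, not part of the product documentation; it assumes the WebAdministration module, the default site name "Default Web Site", and an elevated session. The directory browsing check at the end is an addition of this example: with anonymous access enabled, it confirms that the folder does not also hand out a listing of every recording.

```powershell
# Added example: set and verify authentication on the SessionRecording virtual directory.
Import-Module WebAdministration

$Site     = 'Default Web Site'    # assumed site name (the guide says "the default website")
$VDir     = 'SessionRecording'    # virtual directory created by the installer
$Location = "$Site/$VDir"

# Confirm the virtual directory exists and show where it points.
$vd = Get-WebVirtualDirectory -Site $Site -Name $VDir
if (-not $vd) { throw "Virtual directory '$Location' not found" }
Write-Host "Physical path: $($vd.physicalPath)"

# Enable Anonymous Authentication and disable the other schemes for this location only.
$schemes = 'anonymousAuthentication', 'basicAuthentication',
           'digestAuthentication', 'windowsAuthentication'
foreach ($scheme in $schemes) {
    $filter = "/system.webServer/security/authentication/$scheme"
    $wanted = ($scheme -eq 'anonymousAuthentication')
    try {
        Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Location `
            -Filter $filter -Name enabled -Value $wanted -ErrorAction Stop
        $now = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
            -Location $Location -Filter $filter -Name enabled -ErrorAction Stop).Value
        Write-Host ("{0,-26} enabled = {1}" -f $scheme, $now)
    } catch {
        # A scheme whose IIS feature is not installed may not be configurable.
        Write-Host ("{0,-26} not configurable: {1}" -f $scheme, $_.Exception.Message)
    }
}

# Added check: directory browsing should be off on an anonymously readable folder.
$browse = (Get-WebConfigurationProperty -PSPath "IIS:\Sites\$Site\$VDir" `
    -Filter '/system.webServer/directoryBrowse' -Name enabled).Value
Write-Host "Directory browsing enabled = $browse"
```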

Configuring Application Launching and Session Recording

Following installation, five configuration steps are mandatory before the application launcher and the session recorder can be used. The remaining steps in this section are optional.

1. Configure an Application Launch Server Logon Account
2. Configure the Web Launcher Settings
3. Configure the Application Launch Server Settings
4. Configure the Application Launch Server Host
5. Configure Applications for Launching

Configure an Application Launch Server Logon Account

Application launcher uses a standard logon account to log on to the target Application Launch Server and launch the LiebsoftLauncher application. The LiebsoftLauncher application then launches the target application and connects to a web service (WebLauncherBackendService.svc) to obtain the necessary program settings and credentials.

Logon Account Requirements

The logon account has the following requirements:

- A domain account is recommended, but the logon account can be a local account.
- The account needs to be able to remotely log on to the target Application Launch Server. That means that if the account is not an administrator, it must be added to the Remote Desktop Users group on the Application Launch Server.
- Because the user account launches the LiebsoftLauncher application upon login, be sure that the account has the permissions required for the launch. Set the permissions in RemoteApp settings, which typically are found in Server Manager under the Roles > Remote Desktop Services heading. The permissions can be assigned directly to the user, or assigned to a group that the user belongs to.
- The account needs all of the same rights necessary to launch the final target application. It does not necessarily need local or domain admin privileges.

Securing the Logon Account

The password for the application launching logon account should be rotated frequently by Privileged Identity, for example daily or weekly. (Setting the rotation schedule to hourly could possibly invalidate the logon account's session.) Follow the basic procedures for a Windows account password change as depicted in the administrator's guide. Presuming this account does nothing other than provide the logon session for the application launcher, there are no requirements for password propagation, so turn off password propagation for the password change job.

We recommend keeping the password length to 80 characters or less because some versions of Windows will not allow longer passwords to be used via RDP.

CAUTION! When launching an application, this account will be able to do anything that the target application lets it do.

Recommended Policy Settings for the Logon Account

This account can be heavily locked down, as it generally doesn't need access to anything other than the application being launched. If this account is located in Active Directory, we recommend placing the account into an organizational unit (OU) by itself or with other similarly locked down accounts. On this OU, create a policy and modify the User Settings portion of the policy to lock down this logon account. There is no need to place the Application Launch Servers in this OU, as the policies that lock down the user experience are user based, not system based.

Following are some of the settings recommended to lock down the session. All policies should be tested to ensure they do not interfere with the required operation of a target application:

User Configuration > Policies > Windows Settings > Security Settings > Software Restriction Policies

Enforcement
- Apply Software Restriction Policies to the following: All software files except libraries (such as DLLs)

- Apply Software Restriction Policies to the following users: All users
- When applying Software Restriction Policies: Ignore certificate rules

Trusted Publishers
- Trusted publisher management: Allow all administrators and users to manage user's own Trusted Publishers
- Certificate verification: None

Software Restriction Policies/Security Levels
- Default Security Level: Disallowed

Software Restriction Policies/Additional Rules >> Path Rules
- %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%: Security Level = Unrestricted
- %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%: Security Level = Unrestricted
- C:\Program Files (x86)\lieberman\roulette\remoteapplauncher\liebsoftlauncher.exe: Security Level = Unrestricted

User Configuration > Policies > Administrative Templates

Control Panel
- Prohibit access to Control Panel and PC settings

Control Panel/Display
- Disable the Display Control Panel

Control Panel/Printers
- Browse a common web site to find printers
- Browse the network to find printers
- Prevent addition of printers
- Prevent deletion of printers

Control Panel/Programs
- Hide "Get Programs" page
- Hide "Installed Updates" page
- Hide "Programs and Features" page
- Hide "Set Program Access and Computer Defaults" page
- Hide "Windows Features"
- Hide the Programs Control Panel

Control Panel/Regional and Language Options
- Hide Regional and Language Options administrative options
- Hide the geographic location option
- Hide the select language group options
- Hide user locale selection and customization options

Policy Setting values on this page not matched to a row in the extracted text: Disabled, Disabled

Desktop
- Don't save settings at exit
- Hide and disable all items on the desktop
- Hide Internet Explorer icon on desktop
- Hide Network Locations icon on desktop
- Prevent adding, dragging, dropping and closing the Taskbar's toolbars
- Prohibit adjusting desktop toolbars
- Prohibit User from manually redirecting Profile Folders
- Remove Computer icon on the desktop
- Remove Properties from the Computer icon context menu
- Remove Properties from the Recycle Bin context menu
- Remove Recycle Bin icon from desktop
- Turn off Aero Shake window minimizing mouse gesture

Network/Network Connections
- Ability to change properties of an all user remote access connection
- Prohibit access to properties of a LAN connection
- Prohibit access to the Remote Access Preferences item on the Advanced menu
- Prohibit changing properties of a private remote access connection
- Prohibit connecting and disconnecting a remote access connection
- Prohibit renaming private remote access connections

Network/Offline Files
- Remove "Make Available Offline" command
- Remove "Work offline" command

Network/Windows Connect Now
- Prohibit access of the Windows Connect Now wizards

Start Menu and Taskbar
- Add Search Internet link to Start Menu
- Add the Run command to the Start Menu
- Clear history of recently opened documents on exit
- Clear history of tile notifications on exit
- Clear the recent programs list for new users
- Do not allow pinning items in Jump Lists
- Do not allow pinning programs to the Taskbar
- Do not display any custom toolbars in the taskbar
- Do not display or track items in Jump Lists from remote locations

Policy Setting values on this page not matched to a row in the extracted text: Disabled, Disabled, Disabled

Start Menu and Taskbar (continued)
- Do not keep history of recently opened documents
- Do not search communications
- Do not search for files
- Do not search Internet
- Do not search programs and Control Panel items
- Do not use the search-based method when resolving shell shortcuts
- Do not use the tracking-based method when resolving shell shortcuts
- Hide the notification area
- Lock all taskbar settings
- Lock the Taskbar
- Prevent changes to Taskbar and Start Menu Settings
- Prevent users from adding or removing toolbars
- Prevent users from moving taskbar to another screen dock location
- Prevent users from rearranging toolbars
- Prevent users from uninstalling applications from Start
- Remove access to the context menus for the taskbar
- Remove All Programs list from the Start menu
- Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands
- Remove Clock from the system notification area
- Remove common program groups from Start Menu
- Remove Default Programs link from the Start menu.
- Remove Documents icon from Start Menu
- Remove Downloads link from Start Menu
- Remove drag-and-drop and context menus on the Start Menu
- Remove Favorites menu from Start Menu
- Remove frequent programs list from the Start Menu
- Remove Games link from Start Menu
- Remove Help menu from Start Menu
- Remove Homegroup link from Start Menu
- Remove links and access to Windows Update
- Remove Logoff on the Start Menu
- Remove Music icon from Start Menu
- Remove Network Connections from Start Menu
- Remove Network icon from Start Menu

Policy Setting values on this page not matched to a row in the extracted text: Disabled

Start Menu and Taskbar (continued)
- Remove Pictures icon from Start Menu
- Remove pinned programs from the Taskbar
- Remove pinned programs list from the Start Menu
- Remove programs on Settings menu
- Remove Recent Items menu from Start Menu
- Remove Recorded TV link from Start Menu
- Remove Run menu from Start Menu
- Remove See More Results / Search Everywhere link
- Remove the Action Center icon
- Remove the battery meter
- Remove the networking icon
- Remove the volume control icon
- Remove user folder link from Start Menu
- Remove user's folders from the Start Menu
- Remove Videos link from Start Menu
- Show "Run as different user" command on Start
- Turn off all balloon notifications
- Turn off automatic promotion of notification icons to the taskbar
- Turn off feature advertisement balloon notifications
- Turn off notification area cleanup
- Turn off user tracking

Start Menu and Taskbar/Notifications
- Turn off notifications network usage

System/Ctrl+Alt+Del Options
- Remove Change Password
- Remove Task Manager

System/Internet Communication Management/Internet Communication settings
- Turn off access to the Store
- Turn off downloading of print drivers over HTTP
- Turn off handwriting recognition error reporting
- Turn off Help Experience Improvement Program
- Turn off Help Ratings
- Turn off Internet download for Web publishing and online ordering wizards
- Turn off Internet File Association service
- Turn off printing over HTTP

Policy Setting values on this page not matched to a row in the extracted text: Disabled

System/Internet Communication Management/Internet Communication settings (continued)
- Turn off the "Order Prints" picture task
- Turn off the "Publish to Web" task for files and folders
- Turn off the Windows Messenger Customer Experience Improvement Program
- Turn off Windows Online

System/Removable Storage Access
- All Removable Storage classes: Deny all access
- CD and DVD: Deny read access
- CD and DVD: Deny write access
- Floppy Drives: Deny read access
- Floppy Drives: Deny write access
- Removable Disks: Deny read access
- Removable Disks: Deny write access
- Tape Drives: Deny read access
- Tape Drives: Deny write access
- WPD Devices: Deny read access
- WPD Devices: Deny write access

System/Windows HotStart
- Turn off Windows HotStart

Windows Components/Add features to Windows 8
- Prevent the wizard from running.

Windows Components/App runtime
- Block launching desktop apps associated with a file.
- Block launching desktop apps associated with a protocol

Windows Components/Application Compatibility
- Turn off Program Compatibility Assistant

Windows Components/Attachment Manager
- Hide mechanisms to remove zone information

Windows Components/AutoPlay Policies
- Disallow Autoplay for non-volume devices
- Prevent AutoPlay from remembering user choices.
- Set the default behavior for AutoRun
  Default AutoRun Behavior: Do not execute any autorun commands
- Turn off Autoplay
  Turn off Autoplay on: All drives

Windows Components/Credential User Interface
- Do not display the password reveal button

55
Windows Components/Desktop Gadgets
  Restrict unpacking and installation of gadgets that are not digitally signed.
  Turn off desktop gadgets
  Turn Off user-installed desktop gadgets
Windows Components/Digital Locker
  Do not allow Digital Locker to run
Windows Components/Edge UI
  Turn off switching between recent apps
  Turn off tracking of app usage
Windows Components/File Explorer
  Display confirmation dialog when deleting files
  Display the menu bar in File Explorer
  Do not allow Folder Options to be opened from the Options button on the View tab of the ribbon
  Do not display the Welcome Center at user logon
  Do not request alternate credentials
  Hide these specified drives in My Computer
    Restrict all drives
  Hides the Manage item on the File Explorer context menu
  No Entire Network in Network Locations
  Prevent access to drives from My Computer
    Restrict all drives
  Prevent users from adding files to the root of their Users Files folder.
  Remove "Map Network Drive" and "Disconnect Network Drive"
  Remove CD Burning features
  Remove File Explorer's default context menu
  Remove File menu from File Explorer
  Remove Hardware tab
  Remove Security tab
  Remove the Search the Internet "Search again" link
  Turn off display of recent search entries in the File Explorer search box
  Turn off Windows+X hotkeys
Windows Components/File Explorer/Common Open File Dialog
  Hide the common dialog back button
  Hide the common dialog places bar
  Hide the dropdown list of recent files

56
Windows Components/File Explorer/Explorer Frame Pane
  Turn off Preview Pane
  Turn on or off details pane
    Configure details pane: Always hide
Windows Components/File Explorer/Previous Versions
  Prevent restoring previous versions from backups
Windows Components/IME
  Turn off history-based predictive input
  Turn off Internet search integration
Windows Components/Internet Explorer
  Automatically activate newly installed add-ons
  Configure Media Explorer Bar
    Disable the Media Explorer Bar and auto-play feature
    Auto-Play Media files in the Media bar when
  Disable AutoComplete for forms
  Disable changing accessibility settings
  Disable changing Advanced page settings
  Disable changing Automatic Configuration settings
  Disable changing Calendar and Contact settings
  Disable changing certificate settings
  Disable changing connection settings
  Disable changing home page settings
    Home Page: Define a home page if necessary
  Disable changing language settings
  Disable changing Messaging settings
  Disable changing ratings settings
  Disable changing Temporary Internet files settings
  Disable Import/Export Settings wizard
  Disable Internet Connection wizard
  Do not allow users to enable or disable add-ons
  Identity Manager: Prevent user from using Identities
  Notify users if Internet Explorer is not the default web browser
  Pop-up allow list
    Enter the list of sites here.: Define allowed sites list if applicable such as *.microsoft.com
  Prevent "Fix settings" functionality
Setting column values not aligned to a row: Disabled, Disabled, Disabled

57
  Prevent access to Internet Explorer Help
  Prevent bypassing SmartScreen Filter warnings
  Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet
  Prevent changing pop-up filter level
  Prevent changing proxy settings
  Prevent changing the default search provider
  Prevent configuration of how windows open
    Select where to open links: Open in existing Internet Explorer window
  Prevent Internet Explorer Search box from appearing
  Prevent managing pop-up exception list
  Prevent managing SmartScreen Filter
    Select SmartScreen Filter mode: On
  Prevent participation in the Customer Experience Improvement Program
  Prevent per-user installation of ActiveX controls
  Prevent running First Run wizard
    Select your choice: Go directly to home page
  Search: Disable Find Files via F3 within the browser
  Search: Disable Search Customization
  Specify default behavior for a new tab
    New tab behavior: Home page
  Turn off ability to pin sites in Internet Explorer on the desktop
  Turn off add-on performance notifications
  Turn off browser geolocation
  Turn off configuration of pop-up windows in tabbed browsing
    Select tabbed browsing pop-up behavior: Force pop-ups to open in a new tab
  Turn off Crash Detection
  Turn off Favorites bar
  Turn off Managing SmartScreen Filter for Internet Explorer 8
    Select SmartScreen Filter mode for Internet Explorer 8: On
  Turn off pop-up management
  Turn off Quick Tabs functionality
  Turn off Reopen Last Browsing Session
  Turn off suggestions for all user-installed providers
  Turn off tabbed browsing

58
  Turn off the auto-complete feature for web addresses
  Turn off the quick pick menu
  Turn on Suggested Sites
  Turn on the auto-complete feature for user names and passwords on forms
Windows Components/Internet Explorer/Accelerators
  Turn off Accelerators
Windows Components/Internet Explorer/Browser menus
  Disable Open in New Window menu option
  Disable Save this program to disk option
  File menu: Disable closing the browser and Explorer windows
  File menu: Disable New menu option
  File menu: Disable Open menu option
  File menu: Disable Save As Web Page Complete
  File menu: Disable Save As... menu option
  Help menu: Remove 'Send Feedback' menu option
  Help menu: Remove 'Tour' menu option
  Hide Favorites menu
  Tools menu: Disable Internet Options... menu option
  Turn off Print Menu
  Turn off Shortcut Menu
  View menu: Disable Full Screen menu option
  View menu: Disable Source menu option
Windows Components/Internet Explorer/Delete Browsing History
  Disable "Configuring History"
    Days to keep pages in History: 1
Windows Components/Internet Explorer/Internet Control Panel
  Disable the Advanced page
  Disable the Connections page
  Disable the Content page
  Disable the General page
  Disable the Privacy page
  Disable the Programs page
  Disable the Security page
Windows Components/Internet Explorer/Internet Control Panel/Advanced Page
  Allow active content from CDs to run on user machines
Setting column values not aligned to a row: Disabled, Disabled, Disabled

59
  Allow software to run or install even if the signature is invalid
  Do not allow resetting Internet Explorer settings
  Empty Temporary Internet Files folder when browser is closed
Windows Components/Internet Explorer/Internet Control Panel/General Page
  Start Internet Explorer with tabs from last browsing session
    Disabled Disabled
Windows Components/Internet Explorer/Internet Control Panel/General Page/Browsing History
  Allow websites to store application caches on client computers
    Disabled
Windows Components/Internet Explorer/Internet Settings/Advanced settings/browsing
  Turn off details in messages about Internet connection problems
  Turn on script debugging
    Disabled
Windows Components/Internet Explorer/Internet Settings/Advanced settings/multimedia
  Allow Internet Explorer to play media files that use alternative codecs
    Disabled
Windows Components/Internet Explorer/Internet Settings/Advanced settings/searching
  Prevent configuration of search on Address bar
    When searching from the address bar: Do not search from the address bar
  Prevent configuration of top-result search on Address bar
    When searching from the Address bar: Disable top result search
Windows Components/Internet Explorer/Internet Settings/Advanced settings/signup Settings
  Turn on automatic signup
Windows Components/Internet Explorer/Internet Settings/AutoComplete
  Turn off URL Suggestions
  Turn off Windows Search AutoComplete
  Turn on inline AutoComplete
Windows Components/Internet Explorer/Security Features/Restrict File Download
  All Processes
  Internet Explorer Processes
Windows Components/Internet Explorer/Toolbars
  Configure Toolbar Buttons
    Show Back button
    Show Forward button
    Show Stop button
    Show Refresh button
    Show Home button
    Show Search button
    Show Favorites button
    Show History button
Setting column values not aligned to a row: Disabled, Disabled, Disabled, Disabled, Disabled

60
    Show Folders button
    Show Fullscreen button
    Show Tools button
    Show Mail button
    Show Font size button
    Show Print button
    Show Edit button
    Show Discussions button
    Show Cut button
    Show Copy button
    Show Paste button
    Show Encoding button
  Disable customizing browser toolbar buttons
  Disable customizing browser toolbars
  Display tabs on a separate row
  Hide the Command bar
  Hide the status bar
  Lock all toolbars
  Lock location of Stop and Refresh buttons
  Turn off Developer Tools
  Turn off toolbar upgrade tool
Windows Components/Location and Sensors
  Turn off location
Windows Components/Microsoft Management Console
  Restrict the user from entering author mode
Windows Components/Network Sharing
  Prevent users from sharing files within their profile.
Windows Components/Presentation Settings
  Turn off Windows presentation settings
Windows Components/Sound Recorder
  Do not allow Sound Recorder to run
Windows Components/Tablet PC/Accessories
  Do not allow printing to Journal Note Writer
  Do not allow Snipping Tool to run
  Do not allow Windows Journal to be run
Setting column values not aligned to a row: Disabled, Disabled, Disabled, Disabled, Disabled, Disabled, Disabled, Disabled, Disabled, Disabled, Disabled, Disabled

61
Windows Components/Tablet PC/Hardware Buttons
  Prevent Back-ESC mapping
  Prevent launch an application
  Prevent press and hold
  Turn off hardware buttons
Windows Components/Windows Error Reporting
  Disable Windows Error Reporting
Windows Components/Windows Installer
  Prevent removable media source for any installation
  Prohibit rollback
Windows Components/Windows Logon Options
  Set action to take when logon hours expire
    Set action to take when logon hours expire: Logoff
Windows Components/Windows Mail
  Turn off the communities features
  Turn off Windows Mail application
Windows Components/Windows Media Center
  Do not allow Windows Media Center to run
Windows Components/Windows Media Player
  Prevent CD and DVD Media Information Retrieval
  Prevent Music File Media Information Retrieval
Windows Components/Windows Media Player/Networking
  Hide Network Tab
Windows Components/Windows Media Player/Playback
  Prevent Codec Download
Windows Components/Windows Messenger
  Do not allow Windows Messenger to be run
  Do not automatically start Windows Messenger initially
Windows Components/Windows Mobility Center
  Turn off Windows Mobility Center
Windows Components/Windows Update
  Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box
  Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box

62 Configure the Web Launcher Settings

To configure the web launcher settings for the web application, open the management console and go to Settings > Manage Web Application > Application Launch. The "Launch Application with Credentials Settings" dialog opens.

Configuring the Global Settings

The Global tab identifies the URL for the web service and other related settings that are used when launching applications.

Launcher Web Service Config

Web service URL - The URL of the application launcher web service. When the web service is installed (typically on the web application server), a web service is normally created at [site]/erpmwebservice. The web service is called WebLauncherBackendService.svc. Enter the full URL in the Web service URL field, including the protocol and port if applicable. The typical URL is:

Test Connection - Click to verify that the web service URL is correct and that the web service is responding properly to requests.

IMPORTANT! There should be no certificate or access errors when accessing this URL in a browser. Test the URL to verify that it works for the users who will be accessing the web server. The best test is to log in to the Application Launch Server using the Application Launch Server login account (configured in the previous section) and attempt to access the URL (provided below). If the account is prompted for credentials or receives certificate errors, the application launcher will fail.

Launcher Related Web App Options

Enable launching applications using stored passwords in the web application - Required to enable remote launching. If this option is not selected, the Launch Application option will be unavailable in the website.

63 Remote Launch

Enable launching applications on a remote server - Enable the configured applications to launch via an Application Launch Server rather than launching only locally on the client. When the option is enabled and an application is configured to use an Application Launch Server, the application launches from the Application Launch Server and uses RemoteApp to display the program's UI on the user's desktop as if it were a native application.

Other Settings

[Script Launch] Path to script files on client systems - The path that the script automation files will be copied to (manual copy). This path is used when local launch (rather than launch via the Application Launch Server) will be used to launch web-based applications such as Twitter, Facebook, or other web-based programs. If these applications will not be launched directly from a client's machine (that is, they will launch via the Application Launch Server), it is not necessary to configure this path. The default location where these scripts are found is: C:\Program Files (x86)\lieberman\roulette\launchapp\webautomation.

Sign generated RDP files with certificate identified by thumbprint - When RDP files are generated, they will be signed with the identified certificate. This helps avoid unknown/untrusted RDP connection warnings and errors. For this option to function, the following must be true:

o The certificate needs to be on the client workstation to generate RDP files to connect to the Application Launch Server.
o The certificate also needs to be on the Application Launch Server if RDP connections are configured to go through the Application Launch Server.
o The certificate must be accessible to the user that is running the process creating and launching the RDP file.
o The security policy of the machine must be configured to require signed RDP files for this setting to have any effect (it is not by default).
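The four conditions listed above can be checked before the option is enabled. The following PowerShell function is an added example, not part of the vendor documentation. It assumes the signing certificate lives in a Personal (My) store, and it reads the registry value behind the Group Policy setting "Allow .rdp files from unknown publishers"; that mapping is not stated on this page. Run it on the client workstation and on the Application Launch Server, as the user that generates and launches the RDP file.

```powershell
# Added example (not vendor code): pre-flight check for the
# "Sign generated RDP files with certificate identified by thumbprint" option.
# Assumption: the signing certificate is in a Personal (My) certificate store.
function Test-RdpSigningPrereq {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Thumbprint
    )

    # Thumbprints copied from the certificate dialog often carry spaces or an
    # invisible leading character, so keep only the hex digits.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex digits (SHA-1 thumbprint), got $($clean.Length)."
    }

    $results = New-Object System.Collections.Generic.List[object]
    $add = {
        param($check, $passed, $detail)
        $results.Add([pscustomobject]@{ Check = $check; Passed = $passed; Detail = $detail })
    }

    # Conditions 1 and 2: the certificate is present on this machine.
    $found = @(Get-ChildItem -Path 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My' -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $clean })
    if ($found.Count -eq 0) {
        & $add 'Certificate present' $false "No certificate $clean in CurrentUser\My or LocalMachine\My"
    }

    foreach ($cert in $found) {
        $store = $cert.PSParentPath -replace '^.*::', ''
        & $add "Certificate present ($store)" $true $cert.Subject

        $now = Get-Date
        $valid = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
        & $add "Within validity period ($store)" $valid "Expires $($cert.NotAfter.ToString('u'))"

        # Condition 3: the current user can actually open the private key.
        # HasPrivateKey alone does not prove the key ACL grants access.
        $keyOk = $false
        $keyDetail = 'No private key is associated with this certificate'
        if ($cert.HasPrivateKey) {
            try {
                $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($key) {
                    $keyOk = $true
                    $keyDetail = "Opened by $env:USERNAME"
                    $key.Dispose()
                }
                else {
                    $keyDetail = 'Private key is not RSA; access not tested'
                }
            }
            catch {
                $keyDetail = "Not readable by ${env:USERNAME}: $($_.Exception.Message)"
            }
        }
        & $add "Private key usable ($store)" $keyOk $keyDetail
    }

    # Condition 4: policy on unsigned .rdp files. Assumed mapping (not from the
    # page): AllowUnsignedFiles = 0 blocks unsigned files; absent or 1 accepts them.
    $policyKey = 'Software\Policies\Microsoft\Windows NT\Terminal Services'
    foreach ($hive in 'HKLM', 'HKCU') {
        $item = Get-ItemProperty -Path "${hive}:\$policyKey" -Name 'AllowUnsignedFiles' -ErrorAction SilentlyContinue
        $value = if ($item) { $item.AllowUnsignedFiles } else { $null }
        $detail = if ($null -eq $value) { 'Not configured (unsigned files accepted)' } else { "AllowUnsignedFiles = $value" }
        & $add "Unsigned .rdp files blocked ($hive)" ($value -eq 0) $detail
    }

    $results
}

# Usage (substitute the thumbprint entered in the management console):
# Test-RdpSigningPrereq -Thumbprint '<certificate thumbprint>' | Format-Table -AutoSize
```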

64 Configure the Application Launch Server Settings

From the management console, navigate to Settings > Manage Web Application > Application Launch. Select the Remote Servers tab.

Configuring Remote Servers

The Remote Servers tab identifies the available Application Launch Servers and other related settings that will be used for launching applications. The option Enable launching applications on a remote server must also be selected on the Global tab to make use of these servers. The first time this dialog is opened, there will be no remote servers configured for application launching. To add a new server, click the Add button in the lower right area of the dialog.

Configuring the "Remote Application Server Configuration" Dialog

The following fields are mandatory:

Server configuration identifier - The friendly name of the server as it will appear in the application launcher configuration.

Remote server system name - The actual name of the Application Launch Server. This should be the name (FQDN, simple name, or IP) by which the server can be reached from the client systems that will be initiating the session.

Use RemoteApp to launch the liebsoft launcher on the server - This option must be selected to remotely launch applications from the Application Launch Server using RemoteApp as available in Windows Server 2008 R2 and newer.

65
Launcher path on jump server - The path to the launcher component on the jump server. This option will be unavailable if the option to Use RemoteApp to launch the liebsoft launcher on the server is enabled.

Use RemoteApp connection broker (RDS only)

Connection broker - The fully qualified domain name (FQDN) of the connection broker. For example, 2k8r2-3.demo.msft.

Load balancer info - The loadbalanceinfo value from the .rdp file. For example, tsv://ms Terminal Services Plugin.1.lsc.example.

WARNING! Be careful that your RDS collection name does not exceed 16 characters. Microsoft truncates names that exceed 16 characters when storing the name in the registry. If the truncated name does not match the configured load balancer info value, the following error message is returned: "Your computer can't connect to the remote computer because the connection broker couldn't validate the settings in your RDP file."

Use integrated Windows credentials to login to the jump server - This feature connects to the Application Launch Server using the user's own credentials rather than a specific Application Launch Server login. It applies when used in conjunction with a Windows Server 2012 Application Launch Server that is properly configured for web single server sign on, where the web application is also configured for use with integrated authentication, and where the user actually logs in using integrated authentication. The login user must have proper permissions to launch the application and RDP to the server.

Prompt for login credentials to application server - Causes credentials not to be provided automatically when connecting to the Application Launch Server. The user performing the application launch must provide credentials that are valid for the Application Launch Server.

Login credential system name - This value must be populated. If the application launcher will be using stored (managed) credentials to log into the Application Launch Server, this is the name of the system/server as it appears in Privileged Identity from which to draw the credentials. It is recommended to use a domain credential for this purpose; see the section for configuring an Application Launch Server login account.

Login credential account name - This is the name of the account that will be used to log in to the Application Launch Server. It is recommended to use a domain credential for this purpose; see the section for configuring an Application Launch Server login account.

Login credential domain name - The domain to which the account belongs. If this is a local account (not recommended), this should be the simple (NetBIOS) name of the Application Launch Server.

Load saved password for connection from password store - Select this option to pull the managed password from the solution's password store. If it is desired to use a hard-coded password instead, supply the actual password in the remote server logon password field.

[Script Launch] Path to script files on client systems - The path that the script automation files will be copied to during installation of the AppLauncher. This path is used when launching web-based applications such as Twitter, Facebook, or other web-based programs. The default location where these scripts are found is: C:\Program Files (x86)\lieberman\roulette\launchapp\webautomation

Update OIT agent data for agent running on the server - Only provides functionality when the session recorder is provided by ObserveIT. Selecting this option will change certain metadata attributes to more accurately reflect which user account is performing certain actions. This affects auditing information stored within OIT.

66 IMPORTANT! If using the built-in session recording instead of the session recording offering from ObserveIT, DO NOT check the Update OIT agent data for agent running on the server option. Checking it will prevent the built-in session recorder from working.

Once the entries are validated, click OK to add the Application Launch Server object. If the option to Load saved password for connection from password store is selected and a stored password for the target account does not exist, a warning to that effect appears; otherwise, the dialog closes without incident.

Any of these settings can be changed at any time without having to make any changes to IIS or performing IISReset or other administrative actions.

67 Configure the Application Launch Server Host

This section lists two configuration updates that should be made on the Application Launch Server host.

To Configure the Host Machine for Multiple Application Launcher Sessions

The following configuration change is needed to allow multiple application launcher sessions to run concurrently.

1. Log on to the Application Launcher Server host machine.
2. Open the Run dialog using the Win+R keyboard shortcut.
3. Type gpedit.msc and press OK. The Local Group Policy Editor window opens.
4. Choose Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections: Restrict Remote Desktop Services users to a single Remote Desktop Services session.
5. Right-click Restrict Remote Desktop Services users to a single Remote Desktop Services session and choose Edit. A dialog opens to configure the policy.
6. Select Disabled, then click OK.

To Configure the Host Machine to Prevent Transcoding Problems

The following configuration change is needed to prevent a problem that could potentially result in your session recordings failing to be processed by the transcoder.

1. Open the Run dialog on the Application Launcher Server host using the Win+R keyboard shortcut.
2. Type gpedit.msc and press OK. The Local Group Policy Editor window opens.
3. Choose Computer Configuration > Administrative Templates > System > User Profiles: Do not forcefully unload the user registry at logoff.
4. Right-click Do not forcefully unload the user registry at logoff and choose Edit. A dialog opens to configure the policy.
5. Select, then click OK.

68 Configure Session Recording Settings

From the management console, navigate to Settings > Manage Web Application > Application Launch. Select the Session Recorders tab.

The Session Recorders tab identifies configured session recording servers. There will typically be a one-to-one relationship with the servers configured on the Remote Servers tab. To add a new server, click the Add button in the lower right area of the dialog.

The following fields are mandatory:

Configuration label - The friendly name of the server as it will appear in the application launcher configuration.

Basic configuration - Use this option if the session recording host will perform both recording and transcoding duties. Recorder options include Expressions 4, VLC, and Windows Problem Steps Recorder. It is recommended to choose the Expressions 4 recorder option. The output path will default to a local path if this option is selected.

Advanced configuration - Use this option if it is desired to put recordings in a custom location or if video transcoding will occur on a separate host (typical). It is not recommended to change the Assembly path or Type in Assembly values.

Abort application launch if session recording fails - With this option selected, if session recording fails to initialize, the remote session will be logged off and no remote app launch will occur.

Output path - This is the path for the raw session recording files on the machine functioning as the transcoding host. If using the Application Launch Server for both session recording and video transcoding, specify a local path here. The default location is c:\program files (x86)\lieberman\roulette\launchapp\transcoders\source. If the transcoder is on a separate host, specify the UNC path to the Source share on that server (\\server\source). DO NOT place a backslash after the last directory name.

File name template - The default value is SessionRecording-$(SessionID). In this scenario, SessionRecording- is the filename prefix and $(SessionID) is a variable for the session ID of the remote app launch session. The names of the recordings can be changed, but do not remove the $(SessionID) value from the name. There should also be no extension listed for the file name.

69 Once the entries are validated, click OK to add the session recorder host object. Any of these settings can be changed at any time without having to make any changes to IIS or performing IISReset or other administrative actions.

Configuring the Transcoder to Record Multiple Videos at the Same Time

The session recording transcoder is set to record a maximum of one video at a time by default. To configure the transcoder to record multiple concurrent videos, complete the following steps:

1. Go to the system where the Application Launcher and Session Recorder components are installed and choose Start Bomgar Lieberman Settings. The "Session Recording Configuration" dialog opens.
2. If necessary, expand the File Watcher Transcoder Service Settings section and locate Setting: Maximum Concurrent Encoders.
3. Type the maximum number of simultaneous recordings that the transcoder should allow, then click Push.
4. Close the Session Recording Configuration dialog.

70 Configure the Web Application Settings for Session Playback

To play back recorded sessions, the web application needs to be configured with the video playback URL where the final recorded sessions are stored. The media server will have configured IIS with a virtual directory under the default root website called SessionRecording. It is this URL that will be provided on the User/Session Management dialog. The SessionRecording URL may be presented with or without SSL, but should be configured to use anonymous authentication.

To Configure the Session playback URL

1. Open the management console and click Manage Web App in the left action pane.
2. Double-click an existing web application to edit it, or change the default options by opening Options > Configure default web application options from the menu.
3. Click the User/Session Management tab.
4. Locate the Session playback URL field and enter the URL for the media server where the videos are hosted. If using HTTPS, be sure to enter the valid name of the server that matches the assigned name on the certificate to avoid certificate errors. A typical URL will be similar to: Be aware that the system expects a trailing forward slash at the end of the URL.
5. Click OK once the URL is entered.
6. If updating an existing website with this new information, simply click OK; the new settings will be pushed to the web instance and its COM+ application restarted. If changing the default web application settings and it is now required to push the new settings to an existing web application, right-click on the website instance and select Replace instance options with default web application options. There is no need to restart any servers or additional components after making this change.

Once the URL is added and sessions have been recorded, users with access to the auditing section of the web application will be able to play back any recorded sessions that exist.
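Both URL requirements in this guide, the Web service URL (no certificate errors, no credential prompt for the Application Launch Server login account) and the Session playback URL (trailing forward slash, certificate name match, anonymous authentication), can be verified the same way. The PowerShell function below is an added example, not vendor code; the function name, its switches, and the variables in the usage comments are assumptions made for illustration.

```powershell
# Added example (not vendor code): checks a launcher or playback URL for the
# failure conditions named in this guide. Run it while logged on as the
# account that will actually use the URL.
function Test-LauncherUrl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [uri]$Uri,
        # Send the logged-on user's Windows credentials, as a browser would
        # for an integrated-authentication site. Leave off to test anonymous access.
        [switch]$UseLoggedOnUser,
        # The Session playback URL is expected to end with a forward slash.
        [switch]$RequireTrailingSlash
    )

    if (-not $Uri.IsAbsoluteUri -or $Uri.Scheme -notin @('http', 'https')) {
        throw "Enter the full URL, including the protocol: $Uri"
    }

    $findings = New-Object System.Collections.Generic.List[string]
    if ($RequireTrailingSlash -and -not $Uri.AbsolutePath.EndsWith('/')) {
        $findings.Add('URL does not end with a forward slash.')
    }

    $status = $null
    $request = @{
        Uri             = $Uri
        Method          = 'Get'
        UseBasicParsing = $true
        TimeoutSec      = 15
        ErrorAction     = 'Stop'
    }
    if ($UseLoggedOnUser) { $request.UseDefaultCredentials = $true }

    try {
        $status = [int](Invoke-WebRequest @request).StatusCode
    }
    catch {
        # An HTTP error status still proves the TLS handshake succeeded.
        $response = $_.Exception.Response
        if ($response) {
            $status = [int]$response.StatusCode
        }
        else {
            # No response at all: name resolution, connection or certificate
            # failure. The innermost exception carries the specific reason.
            $inner = $_.Exception
            while ($inner.InnerException) { $inner = $inner.InnerException }
            $findings.Add("No HTTP response (connection or certificate failure): $($inner.Message)")
        }
    }

    if ($status -eq 401) {
        if ($UseLoggedOnUser) {
            $findings.Add("Server rejected $env:USERNAME and would prompt for credentials.")
        }
        else {
            $findings.Add('Server requires credentials; anonymous authentication is not enabled.')
        }
    }

    # Other statuses (for example 403 on a directory with browsing disabled)
    # are reported in HttpStatus but are not credential or certificate errors.
    [pscustomobject]@{
        Uri        = $Uri.AbsoluteUri
        HttpStatus = $status
        Passed     = ($findings.Count -eq 0)
        Findings   = $findings.ToArray()
    }
}

# Usage ($webServiceUrl and $playbackUrl hold the values entered in the
# Web service URL and Session playback URL fields):
# Test-LauncherUrl -Uri $webServiceUrl -UseLoggedOnUser
# Test-LauncherUrl -Uri $playbackUrl -RequireTrailingSlash
```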

71 Configure Applications for Launching

This section describes how to configure applications for use with application launching.

Adding Application Launching Scripts

Privileged Identity includes a number of application launching scripts. Most scripts require additional configuration before they can be used to launch the target application.

To Add the Application Launching Scripts

1. In the management console, choose Settings > Manage Web Application > Application Launch. The Launch Application with Credentials Settings dialog opens.
2. Click the Applications tab.
3. Click Add Defaults.
4. To add new applications, click the Add button. Duplicate or edit existing items by using the Copy or Edit buttons respectively.

After adding an application you have to configure it before it can be launched.

72 Configuring Privileged Identity to Launch Applications

This section documents how to configure Privileged Identity for app launching.

To Configure Privileged Identity to Launch Specific Applications

1. Open the management console and choose Settings > Manage Web Application > Application Launch. The Launch Application with Credentials Settings dialog opens.
2. Click the Applications tab. The Applications tab identifies the applications that can be made available to launch from the web application and other related settings that will be used when launching these applications.
3. Select an application launch type item and click Edit. The Remote Application Configuration dialog opens.
4. Complete the form.

Editing the Remote Application Configuration Dialog

Remote application label - Required. This is the friendly name of the application as it will appear in the web application.

Remote application description - Optional. Enter a description for the application that will appear in the web application.

Remote application icon path - Optional. To set a custom icon for the application, identify the location of the physical web application installation files. Typically, this will be at %inetpub%\wwwroot\pwcweb. All file paths defined for the icons will be relative to this path. It is recommended to create a custom folder (for example, "CompanyIcons") and add your icons to this folder so that they persist through website upgrades. Then, for the icon path, simply add the path using the following convention: FolderName\IconName.gif. All GIF files should be 32x32 pixels.

Remote launch type - Required. Select from the available launch types:

o Launch application with command line parameters - Use this for any application which can be launched with command line options, such as SQL Management Studio, PuTTY, VMware vCenter, and so on.
o Open web application with form post - Use this for websites that only require a basic form post and do not make use of JSON, YAML, or other technologies for passing the user name and password information. When this is selected, fill out the Web Page and Name-Value pair fields. The web page is the name of the login page, including the protocol, such as The name-value pair should consist of the variables for the user name and password.
o Launch terminal services client - Use this for launching the Microsoft Terminal Services client. There are no additional requirements to set up this launch type.
o Launch app through .NET assembly - Used when an external .NET assembly will be used to perform the connection and credential passing. Supply the Assembly Path and Type Name values. The assembly path is the full physical file path to the .NET assembly. Type name is the name of the .NET interface.
o Launch app through script automation - This is most frequently used for launching MMCs, websites that do not pass user name and password information via basic form post (see most web examples in the default list), fat clients that do not make use of command line parameters, and so on. Supply the Script Path and Automation URL. Script path is the name of the script to run, including the extension. For example, login_azuremgmt.vbs. This script must be found in the pre-defined script automation directory on the global options or Application Launch Server configuration dialogs for the app launcher. Automation URL is the target URL. For example, or for a device,

Run on the jump server - Optional. Use to launch the target application from the Application Launch Server (configured previously) or from the user's workstation. If this option is not selected, the application will attempt to launch locally on the user's workstation. If this option is selected, the application will be launched on the Application Launch Server. The application must be installed on the Application Launch Server at that time. This is a per-application setting.

  o Use the targeted account to connect to the jump server - If the Application Launch Server is used and the account being targeted to launch the application is a domain account or a valid local Application Launch Server host account, this option will establish a connection with those credentials rather than the pre-configured Application Launch Server connection credentials. If the credentials are not valid on the Application Launch Server host, the connection will not succeed. Do not use this option for non-Windows systems.
  o Application supports multi-tab - A special set of configurations and launch scripts for applications which have multi-branch or multi-tab capabilities. See the Multi-tab Support section for more information on configuration and use.
  o Load user profile when starting application (Configure RDP connection parameters) - When selected, loads the connecting user's user profile on the Application Launch Server host, which makes additional elements available via RDP, such as color depth, mapped drives, clipboard capability, and so on.

Enable session recording - Optional. If a session recording host is configured, this option will be available. When configured, the launching of this application on an Application Launch Server will record just this application being run. This is a per-application setting.

Application - Mandatory. The application name is simply the name of the executable without the path. For example, SSMS.EXE.

Command line - Mandatory. Command line is the parameters to launch the executable with. Parameters are specific to the program being launched and not to Privileged Identity. Privileged Identity provides replacement variables that can be used in place of otherwise static values, such as $(RemoteAccessTarget_TargetName) instead of the target's actual host name. See "Variables for App Launching" on page 75 for more information.

Application location - Optional. An application location must also be defined, but it can either be a full physical path in the application location field or be set up to search for, and even to download, a ready-to-run executable from a predefined network path (At launch download file from path). A physical path MUST be defined when launching the application from an Application Launch Server. If a physical path is not defined in the application location field, then the option to Search for application on local system should be enabled. Sub-options for application search include searching for the application on the system root or program files directories. In addition, subsequent include and exclude directories may be defined. Multiple values should be separated by a semicolon. There is no variable replacement such as %systemroot% or %inetpub%, so full physical locations must be used.

Search for application on local system - Optional. Causes the application launcher to search the Application Launch Server or the calling workstation's file system for the executable being launched, and launch the first valid application it comes across. If this option is deselected, the Application location field above it becomes active and a static path can be defined there. Using the search mechanism adds time to launch the application. The locations it can search are the Program Files directories or the system root directory. Searching is controlled by the subsequent options on this dialog.

  o Search for application on local system root directs the product to search the %systemroot% location on the Application Launch Server or the calling workstation's file system when launching an application.
  o Search for application under the program files directory directs the product to search %programfiles% and %programfiles(x86)% on the Application Launch Server or the calling workstation's file system when launching an application.
  o Subdirectory restriction is the directories to not search when searching the program files directory structure.
  o Additional search directories is the additional directories to search, if there are any other directories on the system to search. The list is semicolon delimited.
  o Working Directory is the default search starting point.

Only run signed executables - Optional. Ensures the program has a digital signature on it. If the option is enabled, an additional verification can be configured to validate specific fields of the digital signature, such as the certificate serial number, certificate issuer or other signing bits.

  o Verify certificate fields of signing certificate - Becomes available if the option to Only run signed executables is selected. The resulting dialog allows defining which fields to verify in the signing certificate.

Only run executables with expected hashes - Optional. Allows the admin to define hashes of a target application. This is useful to ensure that someone did not rename a malicious executable or that only a specific patched version runs. Multiple hashes can be calculated and defined from this dialog.

At launch, download the file from path - Optional. Defines a network path or URL to download the application from if it is not already present on the host system.

Settings apply to client system configuration - Applies only to applications launched from the user's workstation and has no effect for applications launched using the Application Launch Server host. Consider that a 32-bit application running on a 32-bit Windows host will typically install to c:\program files\application. Yet that same 32-bit application running on a 64-bit Windows host will typically install to c:\program files (x86)\application. This setting permits configuration of only one application to launch with multiple possible settings. When these settings are configured, the launcher will determine what host it is running on and retrieve the appropriate settings, such as launch directory.

Application uses stored private key - Optional. This option allows programs that can use certificates (such as SSH clients) to define which certificate to use when connecting. These certificates must have been pre-imported and assigned via the management console by choosing Settings > User Keys > Import Keys.

Application uses gateway server - Optional. If an SSH proxy/gateway is defined (in the management console by choosing Settings > Manage Web Application > Remote Gateway Servers), this option is available. This option is useful when a client must first connect to an SSH proxy before connecting to the final SSH target. This process uses plink.exe. The plink.exe download location must also be specified with the path on the Application Launch Server where the plink.exe executable resides. Plink.exe is installed in the launch app folder on the Application Launch Server if the PuTTY files are also installed when installing the application launcher. Plink.exe can also be downloaded from

Configure Allowable Types - Mandatory. This defines which account types in the application will be available. At least one account type must be selected. This is what specifically makes an application available to MySQL or Windows but not Linux or SQL Server or Oracle.

Always use the specified account when starting this application - Optional. When this option is NOT selected (default), the application is available for the selected account type(s) (Configure Allowable Account Types). That means potentially any account could be used to launch this application. If the option is enabled, the solution will pull a predefined credential from the account store and always use that account to launch the application. Also, the application will not be available in the Launch App section of the web application. Rather, it will be made available in the Applications section of the website for the users that have permission to launch the application. The Launch App section is accessible when viewing specific managed passwords. Applications is always available regardless of managed passwords.

Variables for App Launching

Privileged Identity provides variables for you to use to pass the user name, password, target server, and so on when launching an application from the command line or via web automation scripts. Consider the following scenario:

1. DEMO\Broberts logs into the web application.
2. DEMO\Broberts clicks on launch app. This causes a secondary account (DEMO\AppLaunchLogin) to connect to the Application Launch Server and initiate and launch the liebsoftlauncher.exe program.
3. Liebsoftlauncher connects back to the web service and retrieves program settings (including target system), target user name, and target password. For this example, connecting to a server called DB2012 as SA with the SA password.

In this scenario the following elements are defined using the following variables:

  DEMO\Broberts = $(SourceAppLogin) or $(UserEnteredLoginUsername)
  DEMO\AppLaunchLogin = NOT EXPOSED
  DB2012 = $(RemoteAccessTarget_TargetName)
  SA = $(Username) or $(AccountName_FullyQualified)
  SA Password = $(Password) or $(Password_Raw)

Following is a list of all possible variables:

  $(UserEnteredLoginUsername) - Same as $(SourceAppLogin), is the account used to log in to the web application.
  $(UserEnteredLoginUsername:RemoveNTSyleNamespace) - This element prunes the domain name from the user name. From the example above, DEMO\Broberts becomes simply Broberts.
  $(UserEnteredLoginUsername:ReplaceBackslashWithDot) - This element retains the domain name with the user name but replaces the slash with a dot. From the example above, DEMO\Broberts becomes DEMO.Broberts. Use this variable when a name is required that will not be interpreted as a path for creating directories.
  $(SourceAppLogin) - Same as $(UserEnteredLoginUsername), is the account used to log in to the app [component] that is triggering the launcher (that is, the RDP user to the Application Launch Server).
  $(SourceAppLogin:RemoveNTSyleNamespace) - This element prunes the domain name from the user name. From the example above, DEMO\Broberts becomes simply Broberts.
  $(SourceAppLogin:ReplaceBackslashWithDot) - This element retains the domain name with the user name but replaces the slash with a dot. From the example above, DEMO\Broberts becomes DEMO.Broberts. Use this variable when a name is required that will not be interpreted as a path for creating directories.
  $(Username) - This is the name of the target account. From the example above, SA.
  $(AccountName_FullyQualified) - Building on the $(Username) variable, this will prepend the domain prefix to the account name, if applicable.
  $(Password) - The regex escaped password (for example, pass\"word ).
  $(Password_Raw) - The raw un-escaped password.
  $(RemoteAccessTarget_TargetName) - The target host to which the application will connect.
  $(LauncherPath) - The path to the application launcher.
  $(SessionID) - The GUID for the launcher link.
  $(PrivateKey) - The file path for the DER encoded private key (if available).
  $(PrivateKeyPassphrase) - The pass phrase, if present, for $(PrivateKey).
  $(PuttyKey) - The file path for the PuTTY encoded private key (if available).

These variables are used in line and replaced by Privileged Identity at the time the application is launched. For example, if in the website the user were to go to the SQL Server database instance on a server called DB2012 and connect with the built-in (and managed) SA account, the command-line syntax would be:

  -S $(RemoteAccessTarget_TargetName) -U $(Username) -P $(Password) -nosplash

The switches (-S, -U, and -P) are part of the SSMS.EXE executable. The subsequent values of $(RemoteAccessTarget_TargetName), $(Username), and $(Password) would be replaced by the name of the server (DB2012), the name of the account (SA), and the password for SA respectively.
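The substitution described above, sketched as an added Python example (not the launcher's own code). The token names and the two user-name modifiers come from the list above; the sample values are the constructed DB2012 scenario, and rejecting unknown tokens and masking secret values with redact=True are choices made for this example.

```python
import re

# Variables whose expanded value is a secret and must never reach a log line.
SECRET_VARS = frozenset({"Password", "Password_Raw", "PrivateKeyPassphrase"})

# Matches $(Name) and $(Name:Modifier).
TOKEN = re.compile(r"\$\(([A-Za-z_]+)(?::([A-Za-z]+))?\)")


def apply_modifier(value, modifier):
    """Apply one of the two documented user-name modifiers."""
    if modifier is None:
        return value
    if modifier == "RemoveNTSyleNamespace":      # DEMO\Broberts -> Broberts
        return value.rsplit("\\", 1)[-1]
    if modifier == "ReplaceBackslashWithDot":    # DEMO\Broberts -> DEMO.Broberts
        return value.replace("\\", ".")
    raise ValueError("unknown modifier: " + modifier)


def expand(template, values, redact=False):
    """Replace every token in template with its value.

    Unknown names raise KeyError (assumed policy for this example) so that a
    misspelled token is caught instead of reaching the target program as
    literal text. With redact=True secret variables are masked, which is the
    form to write to audit logs or tickets.
    """
    def substitute(match):
        name, modifier = match.group(1), match.group(2)
        if name not in values:
            raise KeyError(name)
        if redact and name in SECRET_VARS:
            return "********"
        return apply_modifier(values[name], modifier)

    return TOKEN.sub(substitute, template)


def unresolved_tokens(template, values):
    """Return token names used in template that have no value (a config lint)."""
    used = {match.group(1) for match in TOKEN.finditer(template)}
    return sorted(used - set(values))


# Constructed values for the scenario on this page.
SCENARIO = {
    "UserEnteredLoginUsername": "DEMO\\Broberts",
    "SourceAppLogin": "DEMO\\Broberts",
    "RemoteAccessTarget_TargetName": "DB2012",
    "Username": "SA",
    "Password": 'pass\\"word',      # escaped form, as in the page's example
    "Password_Raw": 'pass"word',    # raw form
}
SSMS_ARGS = "-S $(RemoteAccessTarget_TargetName) -U $(Username) -P $(Password) -nosplash"

if __name__ == "__main__":
    print("launched :", expand(SSMS_ARGS, SCENARIO))
    print("logged   :", expand(SSMS_ARGS, SCENARIO, redact=True))
    print("log dir  :", expand("$(SourceAppLogin:ReplaceBackslashWithDot)", SCENARIO))
```

The first printed line is what the target program receives, cleartext password included; the second is the same command line in a form that is safe to record.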

Maintaining Application Launching Scripts

As a courtesy to our customers, updated scripts that support common online business applications are periodically made available. This section describes how to download and install those files, and keep the script directory in sync across multiple launchers if script updates are required.

To Install New Application Launching Scripts

1. Download updated scripts from the Privileged Identity product download page: Scripts are distributed as a single .zip archive file.
2. Customize the scripts as needed and test that they work. Scripts are generic and may need to be customized to work in your environment. See "Variables for App Launching" on page 75 for additional information.
3. Copy updated and customized automation scripts to the WebAutomation location. Be sure to also copy scripts to any secondary launchers. To verify that you are copying scripts to the correct location, see "To Verify the Script Launch Path Configured on Your Remote Application Server" later in this section.

The following table lists the default file installation locations.

  Application Launcher File(s)                               Default installation location
  ---------------------------------------------------------  ---------------------------------------------------------------
  Application launcher files to be installed on a bastion    %ProgramFiles(x86)%\Lieberman\Roulette\LaunchApp
  host (LiebSoftLauncher.exe)
  The automation scripts                                     %ProgramFiles(x86)%\lieberman\roulette\launchapp\webautomation

Note: If you add your own compiled scripts to the WebAutomation folder, the defined login account must be able to read and execute the scripts.

To Verify the Script Launch Path Configured on Your Remote Application Server

1. In the management console, choose Settings > Manage Web Application > Application Launch.
2. Click the Remote Servers tab.
3. Select the remote application server and click Edit. The Remote Application Server Configuration dialog opens.
4. Refer to the [Script Launch] Path to script files field to view the path.
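An added Python example (not Bomgar's code) for two checks this guide describes: the Only run executables with expected hashes option, and keeping the WebAutomation script folder identical across launchers. SHA-256, the folder layout and the file contents are assumptions made for the example; the guide does not state which hash algorithm the product uses.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large executables are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file under root to its SHA-256.

    Keys are paths relative to root, lower-cased with '/' separators, so that
    manifests taken on different Windows hosts compare cleanly.
    """
    manifest = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/").lower()
            manifest[rel] = sha256_file(full)
    return manifest


def compare_manifests(reference, other):
    """Report how another launcher's script folder differs from the reference."""
    return {
        "missing": sorted(set(reference) - set(other)),
        "unexpected": sorted(set(other) - set(reference)),
        "changed": sorted(
            key for key in set(reference) & set(other) if reference[key] != other[key]
        ),
    }


def has_expected_hash(path, expected_hashes):
    """True only if the file content matches an approved hash; the name plays no part."""
    return sha256_file(path) in {value.lower() for value in expected_hashes}


def write_sample(folder, name, content):
    """Create one constructed sample file and return its path."""
    path = os.path.join(folder, name)
    with open(path, "wb") as handle:
        handle.write(content)
    return path


def demo():
    """Run both checks over constructed folders standing in for two launchers."""
    with tempfile.TemporaryDirectory() as tmp:
        primary = os.path.join(tmp, "launcher1", "webautomation")
        secondary = os.path.join(tmp, "launcher2", "webautomation")
        dropped = os.path.join(tmp, "dropped")
        for folder in (primary, secondary, dropped):
            os.makedirs(folder)

        # Primary launcher: the customized, tested set of scripts.
        write_sample(primary, "login_azuremgmt.vbs", b"' customized script, revision 2\r\n")
        write_sample(primary, "SSMSNewTabIwa.exe", b"constructed bytes: IWA automation")
        approved = write_sample(primary, "SSMSNewTabSql.exe", b"constructed bytes: SQL automation")

        # Secondary launcher: one stale script, one script never copied, one leftover.
        write_sample(secondary, "login_azuremgmt.vbs", b"' customized script, revision 1\r\n")
        write_sample(secondary, "SSMSNewTabSql.exe", b"constructed bytes: SQL automation")
        write_sample(secondary, "old_login.vbs", b"' leftover script\r\n")

        # A different program that carries an approved file name, and an
        # approved program stored under another name.
        impostor = write_sample(dropped, "SSMSNewTabSql.exe", b"different program, same name")
        renamed = write_sample(dropped, "tool.exe", b"constructed bytes: SQL automation")

        expected = {sha256_file(approved).upper()}
        return {
            "drift": compare_manifests(build_manifest(primary), build_manifest(secondary)),
            "impostor_allowed": has_expected_hash(impostor, expected),
            "renamed_copy_allowed": has_expected_hash(renamed, expected),
        }


if __name__ == "__main__":
    print(demo())
```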

Multi-Tab Support

Many administrative tools support several connections to target systems from one tool window. This can be implemented as separate tabs (as in SecureCRT) or as branches in a tree-view navigation pane (as in Microsoft SQL Management Studio).

The following shows SecureCRT with two connections.

The following shows SQL Management Studio with two servers.

These applications can use different credentials for each target system connection. However, some applications have limitations when using multiple tabs or branches. For example, it is possible to use integrated Windows authentication to connect SQL Management Studio to some MS SQL servers, while others require an explicit SQL account using SQL authentication. In the case of SQL Management Studio, when the tool is launched and integrated Windows authentication is used, it is not possible to re-use the existing instantiation of the tool. However, if one connection uses integrated authentication and the secondary connections use SQL authentication, or if all connections use SQL authentication, then you can re-use the currently running instance.

Privileged Identity supports this functionality using the Multi-tab Configuration window in Remote Application Configuration.

If multi-tab is not used, when a user launches a tool like SecureCRT or SQL Management Studio, it establishes one session on the Application Launch Server and one instance of the application in that session. This is a more secure scenario, as it segregates the data and session information so it cannot be shared within the tool and any systems the user may be accessing. The trade-off is that a secondary launch of the same tool, just to a new system, will cause a second session to be created, which can be slow and will consume more resources.

If multi-tab is used, when a user launches a tool such as SecureCRT or SQL Management Studio, it establishes one session on the Application Launch Server, and one instance of the application in that session. Then, when a user launches the same tool again to connect to another system, it re-uses the existing session and simply adds a tab or another tree to the tool. This reduces resource consumption on the Application Launch Server host and can speed up the use of the tool. The trade-off is that the application can now share information from all servers with anything it is connected to. Consider launching a web application to your company's Twitter feed, logging in, and then launching a new tab to another site that has been compromised. Now the cache and in-memory information is available to all tabs in the browser.

Multi-Tab Support Configuration

To configure multi-tab support, first establish the Application Launch Server and basic application settings as previously described in the Configure Applications for Launching section.

Note: Multi-tab is only supported when launching from the Application Launch Server(s).

Enable the Application supports multi-tab option on the left side of the Remote Application Configuration dialog, then click the ellipsis (...). Click Add in the lower left corner of the dialog. Fill out all the information on the Multi-tab Configuration dialog.

Multi-tab configuration label is a label that will be shown in the Multi-tab configuration selection drop-down list in the Remote application configuration window. The name should be indicative of the multi-tab application settings being used.

Multi-tab automation local executable path is a path to a compiled AutoIT script which is able to open a new tab or establish a connection to a new target system.

Automation executable arguments are new-tab-executable specific. Usually the ProcessID is used to find the HWND (handle to a window) of the application window, and the target system is passed so that it can be provided to the application for the new connection. If is used in this case user name and password are not needed.

Allow this multi-tab automation for existing application launches by EXE name controls how a launched application instance will be detected. If it is unchecked, only instances of the applications for which this multi-tab configuration is selected will be treated as previously launched.

In the example of using SQL Management Studio, there are two different application configurations: one for Integrated Windows Authentication and another one for SQL Server authentication. Both scenarios use the same executable, ssms.exe.

In the case of a multi-tab configuration for Integrated Windows Authentication, where different Windows accounts are being used to connect to target database servers, the option to Allow this multi-tab automation for existing application launches by EXE name should be unchecked, because it is impossible to connect to a secondary instance of MS SQL from the existing instance of ssms.exe using integrated Windows authentication if the SSMS process was initially launched by another user. In this case the automation executable arguments will be similar to this:

  $(RemoteAccessTarget_TargetName) nouser nopasswords $(ProcessID)

ProcessID is the ID that will be used to reuse the currently running executable.

In the SQL Management Studio case where SQL authentication or a similar type of connection is being used, the option to Allow this multi-tab automation for existing application launches by EXE name can be selected. In this case the automation executable arguments will be similar to this:

  -S $(RemoteAccessTarget_TargetName) -U $(Username) -P $(Password_Raw)

In the commands above, $(RemoteAccessTarget_TargetName), $(Username), and $(Password_Raw) are standard variables. $(ProcessID) is a variable that returns the PID of the initially launched application. The nouser and nopasswords values are fake values for the user name and password arguments. Because we use IWA, we do not need user name and password arguments.

SSMSNewTabIwa.exe and SSMSNewTabSql.exe are compiled AutoIT scripts that we use to interact with Microsoft SQL Server to open new connections that use Integrated Windows Authentication or SQL authentication respectively. The listing of these scripts is below. Users may create their own AutoIT scripts or Bomgar Lieberman will provide the scripts.

Click OK when finished. Then select the appropriate multi-tab configuration settings for the target application.

Multi-tab scripts have been compiled for the following applications:

  RunAs and wait until process finishes = RunAsWait
  DHCP Manager = RunDHCP
  DHCP Manager = RunDHCPNewTab
  DNS Manager = RunDNS
  DNS Manager = RunDNSNewTab
  File Server Resource Manager = RunFSRM
  Hyper-V Manager = RunHyperV
  Hyper-V Manager = RunHyperVNewTab
  MS Terminal Services = RunMstsc
  Network File Services Management = RunNFSMGMT
  Performance Monitor = RunPERFMON
  Server Manager = RunServerManager
  Storage Explorer = RunStorageExplorer
  Storage Manager = RunStorageMgmt
  Task Scheduler = RunTaskScheduler
  Run process and wait until finished = RunWait
  WBAdmin (Backup) = RunWBADMIN
  WINS Manager = RunWINS
  WINS Manager = RunWINSNewTab
  SecureCRT = ARM_SCRTStart
  SecureCRT = SCRTNewTabSSH2
  SecureCRT = SCRTNewTabTELNET
  SecureCRT = SCRTStart
  SQL Mgmt Studio = SSMSNewTabIwa
  SQL Mgmt Studio = SSMSNewTabSql
  A simple test script = TestParams
  Remote Desktop = UnlockMstsc
  Remote Desktop for ARM = UnlockMstscARM

Multi-Tab AutoIT Script Examples

SSMSNewTabIwa.au3

    #include <MsgBoxConstants.au3>

    ; Arguments: <target system> <user name> <password> <SSMS process ID>
    Local $paramcount = $CmdLine[0]

    ; Read the arguments only after checking the count, so that a short
    ; argument list does not cause an array bounds error.
    If $paramcount = 4 Then
        Local $systemname = $CmdLine[1]
        Local $domainusername = $CmdLine[2]
        Local $password = $CmdLine[3]
        Local $ssmspid = $CmdLine[4]
        opennewtab($ssmspid, $systemname, $domainusername, $password)
    EndIf

    ; With Integrated Windows Authentication the user name and password
    ; arguments are placeholders and are not typed into the dialog.
    Func opennewtab($p_ssmspid, $p_systemname, $p_domainusername, $p_password)
        Opt("WinTitleMatchMode", 2) ; match the window title as a substring
        Local $ssmswindows = WinList("Microsoft SQL Server Management Studio")
        For $i = 1 To $ssmswindows[0][0]
            ; Only drive the window that belongs to the given SSMS process
            If $p_ssmspid = WinGetProcess($ssmswindows[$i][1]) Then
                Local $delay = 5
                WinActivate($ssmswindows[$i][1])
                WinWaitActive($ssmswindows[$i][1])
                Send('!f')
                Sleep($delay)
                Send('e')
                Sleep($delay)
                Send('+{TAB}')
                Sleep($delay)
                Send('+d')
                Sleep($delay)
                Send('{TAB}')
                Sleep($delay)
                ; Flag 1 sends the text raw, so characters such as ! + ^ # { }
                ; are typed literally instead of being read as key modifiers.
                Send($p_systemname, 1)
                Sleep($delay)
                Send('{TAB}')
                Sleep($delay)
                Send('+w')
                Sleep($delay)
                Send('{ENTER}')
            EndIf
        Next
    EndFunc

SSMSNewTabSql.au3

    #include <MsgBoxConstants.au3>

    ; Arguments: <target system> <user name> <password> <SSMS process ID>
    Local $paramcount = $CmdLine[0]

    ; Read the arguments only after checking the count, so that a short
    ; argument list does not cause an array bounds error.
    If $paramcount = 4 Then
        Local $systemname = $CmdLine[1]
        Local $domainusername = $CmdLine[2]
        Local $password = $CmdLine[3]
        Local $ssmspid = $CmdLine[4]
        opennewtab($ssmspid, $systemname, $domainusername, $password)
    EndIf

    Func opennewtab($p_ssmspid, $p_systemname, $p_domainusername, $p_password)
        Opt("WinTitleMatchMode", 2) ; match the window title as a substring
        Local $ssmswindows = WinList("Microsoft SQL Server Management Studio")
        For $i = 1 To $ssmswindows[0][0]
            ; Only drive the window that belongs to the given SSMS process
            If $p_ssmspid = WinGetProcess($ssmswindows[$i][1]) Then
                Local $delay = 5
                WinActivate($ssmswindows[$i][1])
                WinWaitActive($ssmswindows[$i][1])
                Send('!f')
                Sleep($delay)
                Send('e')
                Sleep($delay)
                Send('+{TAB}')
                Sleep($delay)
                Send('+d')
                Sleep($delay)
                Send('{TAB}')
                Sleep($delay)
                ; Flag 1 sends the text raw, so characters such as ! + ^ # { }
                ; in a host name, user name or password are typed literally.
                Send($p_systemname, 1)
                Sleep($delay)
                Send('{TAB}')
                Sleep($delay)
                Send('+s')
                Sleep($delay)
                Send('{TAB}')
                Sleep($delay)
                Send($p_domainusername, 1)
                Sleep($delay)
                Send('{TAB}')
                Sleep($delay)
                Send($p_password, 1)
                Sleep($delay)
                Send('{ENTER}')
            EndIf
        Next
    EndFunc

Configure Application Sets

Application sets are simply pre-defined collections of applications to launch. They can be created to group types of applications together, such as DB management products or remote terminal products, or they can be created based on job duties.

To Create an Application Set

1. Open the management console and navigate to Settings > Manage Web Application > Application Launch. The Launch Application with Credentials Settings dialog opens.
2. Click App Sets on the Applications tab. The Remote Application Sets dialog opens.
3. Click Add Set in the lower-left corner, supply a proper name, then click OK and the new list will be added to the dialog.
4. To add applications to the application set, right-click the application set and select Add applications to set. The Remote Applications dialog opens.
5. Select all the desired applications, then click OK.
6. To view the applications added to an application set, expand the application set.

Once application sets are defined, in order for users who do not have "All Access" privileges to be able to use the groupings, application set permissions must be defined in addition to the application permissions.

To Define Application Permissions

When the user does not have "All Access" privileges, additional permissions are required to launch a specific application. Use the management console to define these permissions.

1. Open the management console and choose Delegation > Web Application > Remote Application Permissions. The Web Application Remote Application Permissions dialog opens.
2. Click Add in the lower-left corner. The Select Enrolled Identities dialog opens.
3. Select an available identity, click OK, then select one or more applications that the user can launch.

To Define Application Set Permissions

1. Open the management console and choose Delegation > Web Application > Remote Application Set Permissions.
2. Click the Add button to add an identity that will have permissions to an application set, add the identity, and click OK.
3. Select from the available application sets, then click OK again. A prompt will appear to use a shadow account. (See "Shadow Accounts" on page 90 for details.)
4. If a Shadow Account will be used, click Yes and continue to supply the required information; otherwise, click No. After shadow accounts, another prompt will appear asking if there will be system restrictions.
5. If there will be system restrictions for these applications, click Yes and continue to supply the required information; otherwise, click No.
6. When the user goes to the website, they will be able to select from among the available application set filters when attempting to launch an application.

Shadow Accounts

Shadow accounts allow a user to connect to a system with a specific app and choose from among one or more accounts to connect with. Consider the normal paradigm, where a user must go to the Managed Passwords Area and find the target system and local account for the application to connect with. While this works for many scenarios, it is not very flexible and it does not address the need to be able to connect with domain or directory accounts to other systems or applications. This is specifically what shadow accounts do.

With a shadow account, a user will go to the system or application in question in the systems view of the web application and choose to launch an application. An available list of applications will be presented to the user, and the user can determine which account, local or central (domain or directory), to connect with to the system or application.

Using shadow accounts requires the View Systems and Allow Remote Sessions global delegation permissions. Once permissions are granted, additional configuration to map shadow accounts must be performed. Shadow accounts are first mapped and then associated with application permissions, even when a user has All Access.

To use Shadow Accounts, a per-application rule must be established for the target user. Use the following steps to add a new shadow account mapping.

1. Open the management console and go to Delegation > Web Application > Identity to Shadow Account Mappings.
2. Click the Add Mapping button in the lower left corner of the dialog.
3. Select the target identity from the list of available identities, then click OK.
4. Select from the available [previously] managed/stored identities and click OK. The new mappings will now be in the list of available mappings.
5. Click OK to close the Shadow Account Mappings dialog.
6. Next, add the application permissions. Go to Delegation > Web Application > Remote Application Permissions.
7. Click Add in the lower left corner of the Remote Application Permissions dialog to add a new application permission. The first dialog to appear will be for the identity that will be granted the permissions to use an application with a shadow account. Select the identity, then click OK.
8. Next, a list of remote applications will be presented to the user. Select the target application(s) that will be established for the user, then click OK.
9. You will receive a prompt to use a Shadow Account. Click Yes to assign one or more shadow accounts that the target user may use when launching the specified application.
10. Based on the selected user, a list of available corresponding mappings will be presented. Select the mapping(s) that should be configured for the target user and selected applications, then click OK.
11. You will receive a prompt to restrict the application permissions and configured shadow account mappings to specific management sets. If it is desired to restrict the applications and/or shadow account mappings to specific lists of systems, click Yes. Otherwise, click No.
12. If Yes was selected, then a list of management sets will be presented.
13. Select from the desired management set(s) and click OK.
14. The new mapping will be presented in the Web Application Remote Application Permissions dialog. Any undesired mappings may be deleted or reports may be generated from this page.
15. To use the mappings, the user must go to the Systems view in the web application (View systems permission required).
16. Click Launch App next to the desired target system. If Launch App is not visible, it means the user does not have either the Allow Remote Sessions permission or a Shadow Account Mapping is not present. The user will be able to select from among the applications and launch accounts to launch the application.

94 Using Application Launching Setting User Permissions to Launch Applications To launch an application a user must have one of the following sets of permissions: All Access, or View accounts, Allow Remote Sessions, and permissions for the specific application being launched To Set Permission to Launch Applications To define the additional permissions that are required to launch a specific application if a user does not have All Access permissions, do the following: 1. Open the management console and choose Delegation Web application remote application permissions. 2. Click Add in the lower left corner, then select an available identity. 3. Click OK, then select one or more applications the user can launch. Using the Application Launcher There are two types of application launching in Privileged Identity: Launching with variable account and system information Launching with pre-define account and system information CONTACT BOMGAR info@bomgar.com (US) +44 (0) (UK/EMEA) BOMGAR.COM 94

The difference in app configuration is whether the option in the lower right corner of the application to always use the specified account is selected. If the option is selected, the application will appear in the applications portion of the website. If the option is not selected, the user must go to the Launch App section next to the system/account they wish to use to connect.

To Launch an App as a Pre-Configured Application

To launch an application that has been pre-configured for a specific account and target, such as a company's Twitter or Facebook page, the user clicks the Operations > Applications link, then clicks the application to launch. Only applications that are preconfigured to always launch as a specific user, and that the logged-in user has access to, are shown on this page. If an application is not shown, at least one of the following is the cause:

- The user has no permission to launch an application
- There are no apps configured to always run as a specific user

To Launch an App Using Variable Target and Account Information

Once the target system and the account to connect as are located in the Passwords > Managed Password section of the website, click the play button. All applications available to the user for the specific account type will then be shown.

If the RDP icon appears at the right edge of the black title bar, the application is configured to launch via the Application Launch Server. If the camera icon appears at the right edge of the black title bar, the session will be recorded.

To launch the application, click Launch. What happens next depends on whether the application is configured to launch locally or from an Application Launch Server, and whether the user has performed this process previously. If connecting via an Application Launch Server, the system will initiate a series of calls to the Application Launch Server and the LiebsoftLauncher on that host. This will be visible to the user. If the user has not previously launched an app from the machine/profile that they are currently logged into, they will likely receive a couple of security prompts.

Use the filter options at the top of the page to search for applications, show only a set of applications, or change the layout of the application launcher page.

Each application also has an Advanced launch configuration. Clicking the gear icon allows the interactive user to specify alternate credentials with which to connect to the target system. These could be static credentials or other credentials stored in Privileged Identity (if the user has the rights to retrieve the password). Generally, it will not be necessary to manipulate the advanced settings.

Auditing Application Launching

Once any sessions have been recorded, users with access to the auditing section of the web application will be able to play back any recorded sessions that exist. Recorded sessions are visible in the auditing section with a camera icon next to their audit entry. Click the camera icon to play back the recorded sessions. The session properties page identifies the user, IP address, time stamp information, and more. To play back a recording, choose the desired recording and click Play Recording. The video will open in the system's preferred media player and begin streaming automatically.


More information

Installing CaseMap Server User Guide

Installing CaseMap Server User Guide Installing CaseMap Server User Guide CaseMap Server, Version 2.3 System Requirements Installing CaseMap Server Installing the CaseMap Admin Console Installing the CaseMap SQL Import Utility Testing Installation

More information

Covene Cohesion Server Installation Guide A Modular Platform for Pexip Infinity Management October 25, 2016 Version 3.3 Revision 1.

Covene Cohesion Server Installation Guide A Modular Platform for Pexip Infinity Management October 25, 2016 Version 3.3 Revision 1. Covene Cohesion Server Installation Guide A Modular Platform for Pexip Infinity Management October 25, 2016 Version 3.3 Revision 1.0 Table of Contents 1. Overview... 3 2. Upgrading an Existing Installation...

More information

CA Service Desk Integration with Remote Support

CA Service Desk Integration with Remote Support CA Service Desk Integration with Remote Support 2003-2019 BeyondTrust Corporation. All Rights Reserved. BEYONDTRUST, its logo, and JUMP are trademarks of BeyondTrust Corporation. Other trademarks are the

More information

Kaseya 2. Installation guide. Version R8. English

Kaseya 2. Installation guide. Version R8. English Kaseya 2 Kaseya Server Setup Installation guide Version R8 English October 24, 2014 Agreement The purchase and use of all Software and Services is subject to the Agreement as defined in Kaseya s Click-Accept

More information

WhatsUp Gold 2016 Installation and Configuration Guide

WhatsUp Gold 2016 Installation and Configuration Guide WhatsUp Gold 2016 Installation and Configuration Guide Contents Installing and Configuring WhatsUp Gold using WhatsUp Setup 1 Installation Overview 1 Overview 1 Security considerations 2 Standard WhatsUp

More information

Installation Guide Worksoft Certify

Installation Guide Worksoft Certify Installation Guide Worksoft Certify Worksoft, Inc. 15851 Dallas Parkway, Suite 855 Addison, TX 75001 www.worksoft.com 866-836-1773 Worksoft Certify Installation Guide Version 9.0.3 Copyright 2017 by Worksoft,

More information

Personal vdisk Implementation Guide. Worldwide Technical Readiness

Personal vdisk Implementation Guide. Worldwide Technical Readiness Worldwide Technical Readiness Table of Contents Table of Contents... 2 Overview... 3 Implementation Guide... 4 Pre-requisites... 5 Preparing PVS vdisk to be used with Personal vdisk... 6 Creating a Desktop

More information

Privileged Identity Deployment and Sizing Guide

Privileged Identity Deployment and Sizing Guide Privileged Identity Deployment and Sizing Guide 2003-2018 BeyondTrust, Inc. All Rights Reserved. BEYONDTRUST, its logo, and JUMP are trademarks of BeyondTrust, Inc. Other trademarks are the property of

More information

Privileged Access Integration Client Guide

Privileged Access Integration Client Guide Privileged Access Integration Client Guide 2018 Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are the property

More information

Privileged Access Management Administrative Guide 15.1

Privileged Access Management Administrative Guide 15.1 Privileged Access Management Administrative Guide 15.1 2015 Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are

More information

Oracle Hospitality Simphony Cloud Services Post-Installation or Upgrade Guide Release 2.10 E July 2018

Oracle Hospitality Simphony Cloud Services Post-Installation or Upgrade Guide Release 2.10 E July 2018 Oracle Hospitality Simphony Cloud Services Post-Installation or Upgrade Guide Release 2.10 E89810-04 July 2018 Copyright 2010, 2018, Oracle and/or its affiliates. All rights reserved. This software and

More information