[Enterprise] Random Password Manager Application Launching & Session Recording 4.83.8

Post on 05-Aug-2020


Page 1: [Enterprise] Random Password Manager...ERPM/RPM provide more functionality beyond password management, password vaulting, and session management. ERPM/RPM also provide for: Account

[Enterprise] Random Password Manager

Application Launching & Session Recording

4.83.8

Copyright © 2003-2014 Lieberman Software Corporation.

All rights reserved.

The software contains proprietary information of Lieberman Software Corporation; it is provided under a license agreement containing restrictions on use and disclosure and is also protected by copyright law. Reverse engineering of the software is prohibited.

Due to continued product development this information may change without notice. The information and intellectual property contained herein is confidential between Lieberman Software and the client and remains the exclusive property of Lieberman Software. If there are any problems in the documentation, please report them to Lieberman Software in writing. Lieberman Software does not warrant that this document is error-free.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise without the prior written permission of Lieberman Software.

Microsoft, Windows, Word, Office, SQL Server, SQL Express, Access, MSDE, and MS-DOS are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other brands and product names are trademarks of their respective owners.

Lieberman Software Corporation

1900 Avenue of the Stars

Suite 425

Los Angeles

CA 90067

310.550.8575

Internet E-Mail: [email protected]

Website: http://www.liebsoft.com

CONTENTS

INTRODUCTION .............................................................................................................................5

License Agreement .............................................................................................................................. 5

Limited Warranty ................................................................................................................................ 6

Overview ............................................................................................................................................. 7

Background and Goals ......................................................................................................................... 8

PRE-REQUISITES ............................................................................................................................9

INSTALLING APPLICATION LAUNCHER AND SESSION RECORDING WITH A BASTION HOST ............. 11

1. Installing Remote Desktop Services ..............................................................................................12

Installing Remote Desktop Services for Server 2012 (R2) ............................................................12

Installing Remote Desktop Services for Server 2008 R2 ..............................................................27

2. Installing Desktop Experience .......................................................................................................37

Installing Desktop Experience for Server 2012 (R2) .....................................................................37

Installing Desktop Experience for Server 2008 R2 .......................................................................40

3. Installing Application Launcher and Session Recording ................................................................45

1. On the Transcoder Host ...........................................................................................................45

2. On the Bastion Host .................................................................................................................57

4. Setting up RDS for Application Launching .....................................................................................70

Configuring Remote App for Server 2012 (R2) ............................................................................70

Configuring Remote App for Server 2008 R2 ...............................................................................76

5. Setting Up Streaming Media Services ...........................................................................................81

6. Configuring IIS to Host Recorded Sessions ....................................................................................86

CONFIGURING APPLICATION LAUNCHING .................................................................................... 89

Configuring a Bastion Host Login Account ........................................................................................89

Configure ERPM Web Settings ........................................................................................................114

Configure a Bastion Host Object .....................................................................................................116

Configure a Session Recording Host Object ....................................................................................119

Configure ERPM Website for Session Playback ..............................................................................123

Configure Applications for Launching .............................................................................................128

Variables for App Launching ......................................................................................................132

USING APPLICATION LAUNCHING .............................................................................................. 135

AUDITING APPLICATION LAUNCHING ......................................................................................... 141

INDEX ....................................................................................................................................... 143

INTRODUCTION

This manual makes reference to both Random Password Manager (RPM) and Enterprise Random Password Manager (ERPM). The concepts and steps outlined in this manual are applicable to both ERPM and RPM except where expressly noted.

This chapter includes an overview of ERPM and RPM, the problems they are designed to solve, performance information, expected pre-requisite knowledge, and some background information on Windows. This chapter also includes the license and warranty information for ERPM and RPM.

IN THIS CHAPTER

License Agreement .................................................................................... 5

Limited Warranty ...................................................................................... 6

Overview ................................................................................................... 7

Background and Goals ............................................................................... 8

LICENSE AGREEMENT

This is a legal and binding contract between you, the end user, and Lieberman Software Corporation. By using this software, you agree to be bound by the terms of this agreement. If you do not agree to the terms of this agreement, you should return the software and documentation as well as all accompanying items promptly for a refund.

1. Your Rights: Lieberman Software Corporation hereby grants you the right to use a single copy of [Enterprise] Random Password Manager to control the licensed number of systems and/or devices.

2. Copyright. The SOFTWARE is owned by Lieberman Software Corporation and is protected by United States copyright law and international treaty provisions. Therefore, you must treat the software like any other copyrighted material (e.g. a book or musical recording) except that you may either (a) make one copy of the SOFTWARE solely for backup and archival purposes, or (b) transfer the SOFTWARE to a single hard disk provided you keep the original solely for backup and archival purposes. The manual is a copyrighted work also--you may not make copies of the manual for any purpose other than the use of the software.

3. Other Restrictions: You may not rent or lease the SOFTWARE. You may not reverse engineer, de-compile, or disassemble the SOFTWARE that is provided solely as executable programs (EXE files). If the SOFTWARE is an update, any transfer must include the update and all prior versions.

Introduction 6

4. Notice: This software contains functionality designed to periodically notify Lieberman Software Corporation of demo usage and of the detection of suspected pirated license keys. By using this software, you consent to allow the software to send information to Lieberman Software Corporation under these circumstances, and you agree to not hold Lieberman Software Corporation responsible for the use of any or all of the information by Lieberman Software Corporation or any third party.

When used lawfully, this software periodically transmits to us the serial number and network identification information of the machine running the software. No personally identifiable information or usage details are transmitted to us in this case. The program does not contain any spyware or remote control functionality that may be activated remotely by us or any other 3rd party.

Lieberman Software Corporation

1900 Avenue of the Stars

Suite 425

Los Angeles

CA 90067

310.550.8575

Internet E-Mail: [email protected]

Website: http://www.liebsoft.com

LIMITED WARRANTY

The media (optional) and manual that make up this software are warranted by Lieberman Software Corporation to be free of defects in materials and workmanship for a period of 30 days from the date of your purchase. If you notify us within the warranty period of such defects in material and workmanship, we will replace the defective manual or media.

The sole remedy for breach of this warranty is limited to replacement of defective materials and/or refund of purchase price and does not include any other kinds of damages.

Apart from the foregoing limited warranty, the software programs are provided "AS-IS", without warranty of any kind, either expressed or implied. The entire risk as to the performance of the programs is with the purchaser. Lieberman Software does not warrant that the operation will be uninterrupted or error-free. Lieberman Software assumes no responsibility or liability of any kind for errors in the programs or documentation or for consequences of any such errors.

This agreement is governed by the laws of the State of California.

Should you have any questions concerning this Agreement, or if you wish to contact Lieberman Software, please write:

Lieberman Software Corporation

1900 Avenue of the Stars

Suite 425

Los Angeles

CA 90067

You can also keep up to date on the latest upgrades via our website at http://www.liebsoft.com or e-mail us at: [email protected].

OVERVIEW

This manual makes reference to both Random Password Manager (RPM) and Enterprise Random Password Manager (ERPM). The concepts and steps outlined in this manual are applicable to both ERPM and RPM except where expressly noted.

Random Password Manager is designed to randomize and store the passwords for accounts on target systems on a regular recurring basis. Because these passwords are stored and managed by the program, they can be retrieved via a delegated web interface. Access to the password store as well as other web interface features can be limited to specific Windows groups, Windows users, or explicit accounts.

Enterprise Random Password Manager builds on the concepts introduced with Random Password Manager by automatically discovering all references to the specified account, such as services, tasks, COM and DCOM objects, and more, and, following a password change for a user's account, whether domain or local, propagating the new password to all those references.

ERPM/RPM provide more functionality beyond password management, password vaulting, and session management. ERPM/RPM also provide for:

Account escalation - the ability to add a user to a pre-defined group with higher privileges than the user would normally have on a target system and then automatically remove that access.

Secure file storage - the ability to upload and store, as an encrypted data blob in the program's secure data store, any file such as password spreadsheets, digital certificates, instructions, and more. After the files are uploaded, an ACL system identifies which users will be able to retrieve the files while auditing access to the files.

Orchestration - ERPM can run headless, being controlled programmatically. This permits tight integration with other systems such as work-flow engines, run book orchestration for user and system provisioning and de-provisioning, programmatic access to almost all functions, and much more. This control is provided via SOAP based web services and PowerShell. Users may tie into ERPM using any program or language which can call the web service or PowerShell.

Privileged Account Management - providing session based control of privileged accounts to run specific programs against specific hosts. Via the optional bastion server model, any program, website, script, etc., may be run in a controlled and secured environment to allow users network access to specific systems or other trusted or untrusted networks using specific tools with specific feature sets. This allows access to the tool set needed to get a job done without providing direct physical access or access to the credential.

Session Recording - building on the concept of privileged account management, when using the optional bastion host, these sessions can be recorded for later playback and auditing of the user actions that took place during a user's session. This further helps to comply with auditing mandates as well as training procedures.

BACKGROUND AND GOALS

The Need for Strong Local Credentials

Organizations with a need for the most basic access security should use unique local logon credentials customized for each workstation and server in their environment. Unfortunately, most organizations use common credentials (same user name and password for the built-in administrator account) for each system for the ease of creating and managing those systems by the IT Department, without any concern as to the consequences to the organization should these common credentials be compromised.

With the mandates of PCI-DSS, Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, California Security Breach Information Acts, NASD 3010, SEC 17a-4, 21 CFR Part 11, DoD 5015.2 and others, the implementation of reasonably hard to compromise local logon credentials is mandatory for most organizations as a means of protecting not only the confidentiality of their data, but also against tampering.

Creating Strong Local Credentials

Lieberman Software’s programs ERPM and RPM can change any common account on all workstations and servers in just a few minutes without the need for scripts or any other type of program. The new common credentials can be stored in a local or remote SQL Server database and can be recovered on demand using the password recovery website.

Random Password Manager can be configured to regularly change the passwords of common accounts on all target systems (i.e. the workstation built-in administrator account) according to a schedule so that each account receives a fresh cryptographically strong password regularly. This product feature protects the overall security of an organization so that the compromise of a single machine’s local administrator password does not lead to the total compromise of the entire organization’s security.

Pre-requisites 9

Enterprise Random Password Manager builds on the concepts introduced with Random Password Manager by automatically discovering all references to the specified account, such as services, tasks, COM and DCOM objects, and more, and, following a password change for a user's account, whether domain or local, propagating the new password to all those references.

Delegated Password Recovery

ERPM and RPM also contain a web interface to allow the remote recovery of passwords. The web interface is a web application comprised of ASP and ASP.NET web pages that allows any user with the appropriate group memberships the right to use the application as well as the right to recover passwords for accounts managed by the program. All access to the web application as well as all password recoveries are logged, and the history is also available via the same web interface to authorized users.

Because this application protects and provides extremely sensitive information, it is essential that particular attention be paid to the security settings of the application and that appropriate encryption such as SSL is used, based on the scope of access provided.

For more information on security hardening, please refer to the proposed options for server hardening: http://forum.liebsoft.com/enterprise-random-password-manager-knowledgebase/546-server-hardening-guide.html.

PRE-REQUISITES

The following items will be required for application launching and session recording:

Windows Server operating system for bastion host and session recording:

Windows Server 2012 R2 (recommended)

Windows Server 2012

Windows Server 2008 R2

It is highly recommended that all servers in the ERPM system be fully patched.

Note: Earlier versions of Windows Server are not supported. Windows workstation platforms are not supported for hosting the application launcher.

Remote Desktop Session Host server role.*

Desktop Experience if using session recording.

Existing ERPM installation and installed files (SupplementalInstallers directory).

ERPM Web Service installed with SSL and no certificate errors and accessible from the bastion host. If using self-signed certificates, the certificate from the issuing web server should be added to the Trusted Root Certification Authorities on the machines hosting the Web Service, Bastion Host, and client systems.

.NET Framework 4.x on bastion and transcoder hosts.

.NET Framework 4.x on machines connecting to run an application.

* Microsoft Remote Desktop Services (RDS) will require additional licensing be purchased from Microsoft.
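As an added example that is not part of the Lieberman manual, the following PowerShell script checks the items above on a prospective bastion host before installation begins: a server OS of 2008 R2 or later, the RD Session Host and Desktop Experience features, .NET Framework 4.x, and that the ERPM Web Service answers over HTTPS without certificate trust errors, importing a self-signed issuer certificate into Trusted Root Certification Authorities when one is supplied. The web service URL and certificate path are placeholders to replace for your environment; the feature names, registry path and .NET types are Microsoft's and exist on Server 2008 R2 and later.

```powershell
# Added example, not part of the manual. Run from an elevated PowerShell prompt on
# the bastion host. Uses only cmdlets and .NET types present on Server 2008 R2 and later.
$ErpmWebServiceUrl  = 'https://erpm-web.example.local/'   # placeholder: ERPM Web Service URL
$SelfSignedCertPath = 'C:\Temp\erpm-web-issuer.cer'       # placeholder: exported issuer cert, or $null

# Reference-type list so results can be appended from anywhere without scope issues
$results = New-Object System.Collections.ArrayList
function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    [void]$results.Add((New-Object PSObject -Property @{ Check = $Check; Pass = $Pass; Detail = $Detail }))
}

# 1. Server OS, 2008 R2 (6.1) or later. ProductType 1 is a workstation, which is unsupported.
$os          = Get-WmiObject Win32_OperatingSystem
$isServer    = $os.ProductType -ne 1
$isNewEnough = [version]$os.Version -ge [version]'6.1'
Add-Result 'Windows Server 2008 R2 or later' ($isServer -and $isNewEnough) "$($os.Caption) $($os.Version)"

# 2. Windows features: RD Session Host role service, Desktop Experience (needed for session recording only)
Import-Module ServerManager
foreach ($feature in 'RDS-RD-Server', 'Desktop-Experience') {
    $f = Get-WindowsFeature -Name $feature
    Add-Result "Feature $feature installed" ([bool]$f.Installed) $f.DisplayName
}

# 3. .NET Framework 4.x (full profile); this registry key exists only once 4.0 or later is installed
$ndp        = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$netVersion = if (Test-Path $ndp) { (Get-ItemProperty $ndp).Version } else { 'not installed' }
Add-Result '.NET Framework 4.x' ($netVersion -like '4.*') $netVersion

# 4. Optional: trust the self-signed issuer certificate in the machine Trusted Root store
if ($SelfSignedCertPath -and (Test-Path $SelfSignedCertPath)) {
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $SelfSignedCertPath
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
    $store.Open('ReadWrite')
    if (-not $store.Certificates.Contains($cert)) { $store.Add($cert) }
    $store.Close()
    Add-Result 'Issuer certificate in Trusted Root CAs' $true $cert.Thumbprint
}

# 5. ERPM Web Service over HTTPS with no certificate errors. A TrustFailure means the TLS
#    handshake failed on certificate validation (the error the manual warns about); a
#    ProtocolError means TLS succeeded and only the HTTP path or authentication needs attention.
$tlsOk = $false; $detail = ''
try {
    $resp   = [System.Net.WebRequest]::Create($ErpmWebServiceUrl).GetResponse()
    $tlsOk  = $true
    $detail = "HTTP $([int]$resp.StatusCode)"
    $resp.Close()
} catch [System.Net.WebException] {
    $status = $_.Exception.Status
    $tlsOk  = ($status -eq [System.Net.WebExceptionStatus]::ProtocolError)
    $detail = "$status $($_.Exception.Message)"
}
Add-Result 'ERPM Web Service reachable over HTTPS without certificate errors' $tlsOk $detail

$results | Format-Table Check, Pass, Detail -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

The script exits non-zero when any check fails, so it can be run from a build or change ticket before the RDS role installation below is attempted; the certificate import is the scripted form of the Trusted Root Certification Authorities step and is skipped when no certificate path is given.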

INSTALLING APPLICATION LAUNCHER AND SESSION RECORDING WITH A BASTION HOST

The following sections outline the steps to prepare for and install the Lieberman Software Application Launcher and optional session recording components.

Application Launching is an add-on for ERPM. Application Launching can be configured with or without the Session Recording component. Lieberman Software provides Session Recording for free when the Application Launcher add-on is purchased. However, the provided session recording only works with applications launched via the Lieberman Software application launcher.

The sections describing the installation of these components are broken down as follows:

1) Installing Remote Desktop Services

2) Installing Desktop Experience - only required if using session recording

3) Installing Application Launcher and Session Recording - session recording is optional

4) Setting up Remote Desktop Services for Application Launching

5) Setting up Streaming Media Services - required if using session recording

6) Configuring IIS to Host Recorded Sessions - required if using session recording

Sections 1, 2, & 4 all have subsections detailing how to perform the steps on Windows Server 2008 R2 or Windows Server 2012 (R2). Section 3 has additional steps detailing how to install the application launcher and optional session recording across multiple systems.

IN THIS CHAPTER

1. Installing Remote Desktop Services .................................................... 12

2. Installing Desktop Experience ............................................................. 37

3. Installing Application Launcher and Session Recording ...................... 45

4. Setting up RDS for Application Launching ........................................... 70

5. Setting Up Streaming Media Services ................................................. 81

6. Configuring IIS to Host Recorded Sessions .......................................... 86

Installing Application Launcher and Session Recording with a Bastion Host 12

1. INSTALLING REMOTE DESKTOP SERVICES

The following sub-sections show the installation of Remote Desktop Services on both a Windows Server 2008 R2 and Windows Server 2012 [R2] host. If multiple jump servers will be employed they do not need to all be the same operating system, though they do all need to be Windows Server 2008 R2 or later (2012 R2 recommended).

INSTALLING REMOTE DESKTOP SERVICES FOR SERVER 2012 (R2)

This section covers installation of the pre-requisites on a Windows Server 2012 and Windows Server 2012 R2 host which will function as a bastion host for the purposes of launching applications.

Open Server Manager and select Add Roles and Features.

Click Next on the Before You Begin page.

On the Select installation type page select Remote Desktop Services installation then click Next.

On the Select deployment type page, choose a deployment type and click Next.

The steps presented go through a standard deployment where the admin will be required to configure a collection after RDS installation. The Quick Start method will be faster while automatically creating a collection, but it will also add and publish additional applications that are unnecessary and will not provide any configuration options.

On the Select deployment scenario page, select Session-based desktop deployment, then click Next.

Click Next on the Role Services page.

On the Specify RD Connection Broker server page, select the server from the Server Pool field, then add it to the selected computer field by clicking the right arrow head between the two fields.

Click Next to continue.

On the Specify RD Web Access server page, select the server from the Server Pool field, then add it to the selected computer field by clicking the right arrow head between the two fields.

Click Next to continue.

On the Confirm selections page, click Deploy. Restart the host if required.

Upon restart, open Server Manager and click on Remote Desktop Services from the right pane, then click on Collections from the center pane. A new collection must be made to publish the Lieberman Software application used to launch software from the bastion host.

At the top right corner, select Tasks and click Create Session Collection.

On the Before you begin page, click Next.

On the Name the collection page, supply a friendly name for the collection and click Next.

On the Specify RD Session Host server page, select the server from the Server Pool field, then add it to the selected computer field by clicking the right arrow head between the two fields. Then click Next.

ERPM will use a proxy account to connect to the bastion host prior to launching the selected application. This account will either need to be added to a group which can RDP to the target bastion host and launch subsequent applications, or should be added directly as a user which can connect to the RD Session Host server. Description of this account is covered in the parent section, 1. Installing Remote Desktop Services.

Click Next to continue.

On the Specify user profile disks page, click Next.

On the Confirm selections page, click Create.

An empty collection will be created. The installation and configuration of the launcher application will be described later in this document.
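The Server Manager wizard steps above, scripted with the RemoteDesktop module's cmdlets, as an added example that is not from the manual. It assumes a single Server 2012 (R2) host taking the RD Connection Broker, RD Web Access and RD Session Host roles; the server name BASTION01.corp.example, the collection name ERPM Launcher, the group CORP\ERPM-Launcher-Users and the proxy account CORP\svc-erpm-proxy are placeholders. The last configuration step is the least-privilege point from the proxy account paragraph: only the group holding the proxy account should be able to connect to the collection, rather than the Domain Users grant a new collection receives by default.

```powershell
# Added example, not from the manual. Run from an elevated PowerShell on Server 2012 (R2)
# after the host has joined the domain. All names below are placeholders.
Import-Module RemoteDesktop

$Server       = 'BASTION01.corp.example'     # placeholder: FQDN of the bastion host
$Collection   = 'ERPM Launcher'              # placeholder: friendly name for the collection
$LauncherGrp  = 'CORP\ERPM-Launcher-Users'   # placeholder: group containing the proxy account
$ProxyAccount = 'CORP\svc-erpm-proxy'        # placeholder: account ERPM uses to connect

# Standard (not Quick Start) session-based desktop deployment with all three roles on one host.
# Nothing is published automatically, so no unnecessary RemoteApps appear. May reboot the host.
New-RDSessionDeployment -ConnectionBroker $Server -WebAccessServer $Server -SessionHost $Server

# Empty session collection; the Lieberman launcher application is published into it later.
New-RDSessionCollection -CollectionName $Collection -SessionHost $Server -ConnectionBroker $Server

# Least privilege for the collection: replace the default "Domain Users" grant with the group
# the proxy account belongs to. RDS adds this group to the local Remote Desktop Users group on
# the session host, which is the "added to a group which can RDP to the bastion host" option.
Set-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Server `
                                     -UserGroup $LauncherGrp

# Alternative from the manual: add the proxy account directly as a user permitted to connect
# to the RD Session Host (local group on the session host itself). Uncomment if preferred.
# & net localgroup 'Remote Desktop Users' $ProxyAccount /add

# Verify what was built and who may connect
Get-RDSessionCollection -ConnectionBroker $Server |
    Format-Table CollectionName, Size, ResourceType -AutoSize
Get-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Server -UserGroup
```

Keeping the collection's user group to a dedicated group also gives the audit trail a single place to review: anyone who can reach the launcher collection is a member of that group, and the ERPM-side recording described later in the manual covers what they did once connected.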

INSTALLING REMOTE DESKTOP SERVICES FOR SERVER 2008 R2

This section covers installation of Remote Desktop Services on a Windows Server 2008 R2 host as required for bastion host services.

Start Server Manager and select Add Roles. Click Next on the welcome page and select Remote Desktop Services, then click Next.

Click Next on the Introduction to Remote Desktop Services page.

On the Select Role Services page, select Remote Desktop Session Host, then click Next.

Click Next on the Uninstall and Reinstall Applications for Compatibility page.

On the Specify Authentication Method for Remote Desktop Session Host page, choose the option that best suits your company's needs. The option Require Network Level Authentication provides greater security but may only work properly for newer hosts and if all incoming connections are properly verified. The option Do not require Network Level Authentication provides greater compatibility for all connecting systems but may reduce the overall security of the bastion host. Click Next to continue.


On the Specify Licensing Mode page, a remote desktop session licensing mode must be selected. If RDS client access licenses are not yet available but will be soon, select Configure later. If unsure which option to choose, select Configure later, and then contact your Microsoft licensing services manager. RDS will function for 120 days without a proper licensing server. If RDS CALs are available, choose the proper Per Device or Per User model for your organization.

ERPM will use a proxy account to connect to the bastion host prior to launching the selected application. This account will either need to be added to a group which can RDP to the target bastion host and launch subsequent applications, or should be added directly as a user which can connect to the RD Session Host server. This account is described in the parent section, 1. Installing Remote Desktop Services.


Click Next to continue.


On the Configure Client Experience page, it is recommended to leave all options deselected. Click Next to continue.


On the Confirm Installation Selections page, examine the installation selections. If everything is correct, click Install. The server will need to reboot after installation.

The installation and configuration of the launcher application will be described later in this document.


2. INSTALLING DESKTOP EXPERIENCE

The Desktop Experience will be required if session recording is to be enabled. If the Lieberman Software provided free session recording will not be enabled, Desktop Experience will not be required.

Session recording will involve a bastion host to capture the session, and a system to function as a video transcoder. These could be the same machine or separate systems. If they are separate systems, then Desktop Experience will be installed on both systems. More information on this will be provided in later sections.

INSTALLING DESKTOP EXPERIENCE FOR SERVER 2012 (R2)

If session recording will be configured then the Desktop Experience must be installed. To add the Desktop Experience, open Server Manager and select Add Features.

On the Features Page, expand User Interfaces and Infrastructure, and select Desktop Experience.


If prompted for additional components, click Add Features.


Add any other features that applications launched from this system may require (such as .NET Framework 3.51 or 4.x) and click Next.


Continue through to the end of the wizard. Click Close when done. Installation of the Desktop Experience will require a restart of the host.

INSTALLING DESKTOP EXPERIENCE FOR SERVER 2008 R2

If session recording will be configured then the Desktop Experience must be installed. To add the Desktop Experience, open Server Manager and select Add Features.


On the Features Page, select Desktop Experience.


If prompted for additional components, click Add Required Features.


Click Next to continue.


Once the installation is complete, click Close and restart the server.
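The Server 2008 R2 wizard steps above (adding the RD Session Host role service, choosing whether Network Level Authentication is required, granting the ERPM proxy account the right to connect, and adding Desktop Experience) can also be performed and, more importantly, verified from an elevated PowerShell prompt. The script below is an added example and is not part of the Lieberman guide. It assumes the Server 2008 R2 ServerManager module and feature names, the default RDP-Tcp listener, and a constructed proxy account name (CONTOSO\svc-erpm-launch); on Server 2012 (R2) the equivalent cmdlet is Install-WindowsFeature.

```powershell
# Added example (not from the ERPM guide): install the RD Session Host role
# service and Desktop Experience on Server 2008 R2, then make the NLA choice
# and the proxy account's logon right explicit and auditable. Run elevated.
Import-Module ServerManager

# Feature names as listed by Get-WindowsFeature on Server 2008 R2.
$features = @('RDS-RD-Server', 'Desktop-Experience')

$result = Add-WindowsFeature -Name $features
$result.FeatureResult | Format-Table Name, Success, RestartNeeded -AutoSize
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'A restart is required before the role services become active.'
}

# Network Level Authentication on the RDP-Tcp listener: 1 = required, 0 = not.
# The guide notes NLA raises security at some cost in client compatibility;
# whichever option was chosen in the wizard, this shows (and can enforce) it.
$listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

if ($listener.UserAuthenticationRequired -ne 1) {
    Write-Warning 'NLA is not required on RDP-Tcp; enabling it.'
    $null = $listener.SetUserAuthenticationRequired(1)
}

# The ERPM proxy account must be able to log on to the RD Session Host.
# Membership of the local Remote Desktop Users group grants that right
# (assumption: the account name below is constructed for this example).
$proxyAccount = 'CONTOSO\svc-erpm-launch'
$members = net localgroup 'Remote Desktop Users'
if ($members -notcontains $proxyAccount) {
    net localgroup 'Remote Desktop Users' $proxyAccount /add | Out-Null
}

# Final state report for the change record.
Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
    -Filter "TerminalName='RDP-Tcp'" |
    Select-Object TerminalName, UserAuthenticationRequired, SecurityLayer
net localgroup 'Remote Desktop Users'
```

The NLA check is the part worth keeping in a build checklist: the wizard choice is easy to forget, and UserAuthenticationRequired on the listener is the authoritative value regardless of how the role was installed.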


3. INSTALLING APPLICATION LAUNCHER AND SESSION RECORDING

This step includes installation of session recording options. The session recording options may be safely omitted if the Lieberman Software provided free session recording will not be enabled. In that case, skip the section titled On the Transcoder Host and go straight to the section titled On the Bastion Host.

The application launching capability of ERPM is best utilized with a bastion host. A bastion host in the context of ERPM is a Windows Remote Desktop Session Services machine (formerly Terminal Services) that will proxy connection attempts made to specific target systems. The bastion host will have all programs used to connect to target systems installed on it. ERPM will use a proxy account to connect to the bastion host. This account can and should be managed by ERPM, but automated management is not necessary, as a static un-stored password may also be used.

Session recording for ERPM is a feature that accompanies the application launcher such that remote sessions initiated by ERPM through the bastion host may be recorded. Recorded sessions will be copied from the bastion host to a machine functioning as a video transcoder. Videos will be converted from the raw format to one that may be played back by the machine functioning as a streaming media server.

The bastion host may function as recorder, transcoder, and streaming media server. However, transcoding videos requires significant CPU overhead. It is recommended that the system functioning as the ERPM web server also function as the streaming media server and possibly as the video transcoder.

This section outlines the installation of session recording for application launching on two separate machines functioning independently. In sub-section 5, the installation of streaming media services will be detailed for the purposes of streaming the final recorded sessions.

1. ON THE TRANSCODER HOST

To begin installing the session recording software on the machine that will function as the video transcoder, open the SupplementalInstallers sub-folder of the ERPM installation directory, typically "%programfiles (x86)%\Lieberman\Roulette". Copy ERPMRemoteLauncherInstaller.exe to the machine that will function as the transcoder and launch the installer.


Click Next on the welcome page.


Read and accept the license agreement to continue installation. Then click Next to continue.

Enter the full SSL-secured URL of the ERPM application launcher web service. The web service is a separate installation, typically on the ERPM web server, installed with the standard ERPMWebService installer package. The URL is typically https://webserverHost/ERPMWebService/WebLauncherBackEndService.svc.

Click Test to validate the URL. Any certificate issues must be corrected before installation can succeed. If the web page does not appear at all, validate the URL and try again, or install the web service. Installation instructions for the web service are included in the administrator's guide within the SDK section.


If the page tests without issue or errors, click Next to continue.

For the transcoder host, select to install:


Microsoft Expression 4 Encoder SP2

Session Recorder and File Watcher Service

Select the installation directory. Click Next to continue.


On the transcoder host, make note of the source and destination directories. This directory will be used in later instructions when setting up the application launcher and streaming media services, and will also be shared between the transcoder and bastion hosts if they are on two separate systems.

On the transcoder host, set the service identity to run as either Local System or as a Specific User.

Local System offers the benefit of already having proper access and no password management requirements.

Running as a specific user offers the path of least privilege but requires configuring NTFS permissions on the Source directory from the previous step for read, write, and delete of files (Modify), and also requires that a password be managed (which ERPM can do automatically).

Running the File Watcher service as Local System is recommended on the transcoder host.


Click Next to continue.


Click Install to continue.


Click Finish to complete the first part of the installation.

After the initial installation is complete, a separate installation for the Microsoft Expression recorder will be initiated automatically.


Accept the license agreement for the Microsoft Expression recorder.

Click Next on the Enter product key page. There is no product key to enter.


Elect to join the Microsoft customer experience or not. Click Next to continue.

Select to install Expression Encoder 4 and click Install.


Click Finish to complete the installation.

IMPORTANT NOTES REGARDING THIS INSTALLATION!

This installation will take additional actions that are not visible in the installer:


A [Domain] Local security group called WriteRecordingGroup will be created. If the installation is taking place on a domain controller, the group is created in the Users container.

The Domain Admins group will be added to this WriteRecordingGroup.

The installer will create and share the following directory: %inetpub%\wwwroot\SessionRecording as SessionRecording. This directory is used to copy compiled session recordings from the bastion host to the transcoder host. This scenario applies if using the FFmpeg video recorder rather than the Expression recorder. If the transcoder and bastion host are the same system, or if the Expression session recorder is the only session recorder used, this share may be safely deleted. This share directory will be required when configuring the bastion host for app launching with session recording.

The installer will create and share the following directory: %programfiles (x86)%\Lieberman\Roulette\LaunchApp\Transcoders\Source as Source. This directory will be used by the bastion hosts to copy raw session recording files to the transcoder host(s). If the transcoder and bastion host are the same system this share can be safely deleted. This scenario applies if using the Expression 4 recording software. This share directory will be required when configuring the bastion host for app launching with session recording.

The share permissions of each shared directory will be set to allow the WriteRecordingGroup "Full Control". The minimum permissions required are "Change".

2. ON THE BASTION HOST

To begin installing the application launcher and session recording software on the machine that will function as the bastion host, open the SupplementalInstallers sub-folder of the ERPM installation directory, typically "%programfiles (x86)%\Lieberman\Roulette". Copy ERPMRemoteLauncherInstaller.exe to the bastion host and launch the installer.


Click Next on the welcome page.


Read and accept the license agreement to continue installation. Then click Next to continue.

Enter the full SSL-secured URL of the ERPM application launcher web service. The web service is a separate installation, typically on the ERPM web server, installed with the standard ERPMWebService installer package. The URL is typically https://webserverHost/ERPMWebService/WebLauncherBackEndService.svc.

Click Test to validate the URL. Any certificate issues must be corrected before installation can succeed. If the web page does not appear at all, validate the URL and try again, or install the web service. Installation instructions for the web service are included in the administrator's guide within the SDK section.


If the page tests without issue or errors, click Next to continue.
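The installer's Test button, on both the transcoder and the bastion host, succeeds only when the web service URL answers over a trusted HTTPS connection. The function below is an added example, not part of the Lieberman guide or of the ERPMWebService package: it performs the same two checks ahead of time from PowerShell, separating a certificate trust failure (which must be fixed on the web server, not worked around) from a wrong path or a missing web service. The host name in the usage line is a constructed placeholder.

```powershell
# Added example (not from the ERPM guide): pre-flight the launcher web service
# URL the way the installer's Test button does. A trust failure means the
# certificate chain or name does not validate on this host; a 404 means the
# path is wrong or ERPMWebService is not installed on the web server.
function Test-LauncherServiceUrl {
    param([Parameter(Mandatory = $true)][string]$Url)

    # The guide requires an SSL-secured URL; refuse plain HTTP outright.
    if ($Url -notmatch '^https://') {
        return [pscustomobject]@{ Url = $Url; Ok = $false; Detail = 'URL must use https://' }
    }

    try {
        $request = [System.Net.HttpWebRequest]::Create($Url)
        $request.Method  = 'GET'
        $request.Timeout = 10000
        $response = $request.GetResponse()

        # Certificate the server presented, for the report (chain already validated).
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            $request.ServicePoint.Certificate
        $detail = 'HTTP {0}; cert subject {1}; issuer {2}; expires {3:yyyy-MM-dd}' -f `
            [int]$response.StatusCode, $cert.Subject, $cert.Issuer, $cert.NotAfter
        $response.Close()
        return [pscustomobject]@{ Url = $Url; Ok = $true; Detail = $detail }
    }
    catch [System.Net.WebException] {
        $ex = $_.Exception
        switch ($ex.Status.ToString()) {
            'TrustFailure' {
                # Untrusted chain or name mismatch: correct the certificate on the
                # web server before installing; do not disable validation.
                $detail = 'certificate not trusted: ' + $ex.Message
            }
            'ProtocolError' {
                # The server answered, but not with success (e.g. 404).
                $detail = 'HTTP {0}: verify the URL or install ERPMWebService' -f `
                    [int]$ex.Response.StatusCode
            }
            default { $detail = '{0}: {1}' -f $ex.Status, $ex.Message }
        }
        return [pscustomobject]@{ Url = $Url; Ok = $false; Detail = $detail }
    }
}

# Usage (constructed host name; substitute the ERPM web server's FQDN).
Test-LauncherServiceUrl -Url 'https://erpmweb.contoso.local/ERPMWebService/WebLauncherBackEndService.svc' |
    Format-List
```

Run it on the host where the installer will run, because trust is evaluated against that host's certificate store: a URL that tests clean from an administrator's workstation can still fail on a freshly built bastion host that lacks the internal CA certificate.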

For the bastion host, if session recording WILL BE enabled, select to install:

Microsoft Expression 4 Encoder SP2

Session Recorder and File Watcher Service

Application Launcher

If session recording will NOT be enabled, select to install:


Application Launcher

Select the installation directory. Click Next to continue.


Click Next on the video transcoder paths.

On the bastion host, set the service identity to run as a Specific User, Network Service, or Local System.

Local System offers the benefit of already having proper access and no password management requirements. If the transcoder is running on a separate system and Local System is used, then the computer account of the bastion host must be granted Modify access to the Source directory on the transcoder host.

Network Service has fewer rights than Local System and offers the same benefit of already having proper access and no password management requirements. If the transcoder is running on a separate system and Network Service is used, then the computer account of the bastion host must be granted Modify access to the Source directory on the transcoder host. "NT Authority\Network Service" must also be granted Modify access to the Session Recording directory.

Running as a specific user offers the path of least privilege but requires configuring NTFS permissions on the Source directory from the previous step for read, write, and delete of files (Modify), and also requires that a password be managed (which ERPM can do automatically).

Running as a specific user is recommended for the File Watcher service on the bastion host when the transcoder is on a separate system.


Click Next to continue.


Click Install to continue.


Click Finish to complete the first part of the installation.

After the initial installation is complete, a separate installation for the Microsoft Expression recorder will be initiated automatically.


Accept the license agreement for the Microsoft Expression recorder.

Click Next on the Enter product key page. There is no product key to enter.


Elect to join the Microsoft customer experience or not. Click Next to continue.

Select to install Expression Encoder 4 and click Install.


Click Finish to complete the installation.

This installation will take additional actions that are not visible in the installer:


A [Domain] Local security group called WriteRecordingGroup will be created. If the installation is taking place on a domain controller, the group is created in the Users container. This group may be safely deleted from the bastion host if it is also functioning as the transcoder host.

The Domain Admins group will be added to this WriteRecordingGroup.

The installer will create and share the following directory: %inetpub%\wwwroot\SessionRecording as SessionRecording. This directory is used to copy compiled session recordings from the bastion host to the transcoder host. This scenario applies if using the FFmpeg video recorder rather than the Expression recorder. This share directory will be required when configuring the bastion host for app launching with session recording. If the transcoder and bastion host are the same system this share can be safely deleted.

The installer will create and share the following directory: %programfiles (x86)%\Lieberman\Roulette\LaunchApp\Transcoders\Source as Source. This directory will be used by the bastion hosts to copy raw session recording files to the transcoder host(s). This scenario applies if using the Expression 4 recording software. This share directory will be required when configuring the bastion host for app launching with session recording. If the transcoder and bastion host are the same system this share can be safely deleted.

The share permissions of each shared directory will be set to allow the WriteRecordingGroup "Full Control". The minimum permissions required are "Change".
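The installer's silent actions on both the transcoder and the bastion host leave two things for the administrator: the shares are created with Full Control for WriteRecordingGroup although Change is the documented minimum, and whichever identity writes recordings from the bastion host (the File Watcher service account, or the bastion host's computer account when the service runs as Local System or Network Service) needs NTFS Modify on the Source directory. The script below is an added example, not part of the Lieberman guide; it audits the shares the installer created, lowers the group's share permission to Change, grants the writer Modify at the NTFS layer, and reports the result. It assumes the SmbShare module (Server 2012 or later; on 2008 R2 use net share and icacls for the same steps) and a constructed writer account name.

```powershell
# Added example (not from the ERPM guide): audit and tighten the shares and
# NTFS permissions the ERPMRemoteLauncherInstaller creates silently.
# Requires the SmbShare module (Server 2012 or later). Run elevated on the
# transcoder host. Account names below are constructed placeholders.
$group  = 'WriteRecordingGroup'
# Identity that copies recordings from the bastion host: the File Watcher
# service account, or the bastion host computer account (CONTOSO\BASTION01$)
# when that service runs as Local System or Network Service.
$writer = 'CONTOSO\svc-filewatcher'

foreach ($shareName in 'Source', 'SessionRecording') {
    $share = Get-SmbShare -Name $shareName -ErrorAction SilentlyContinue
    if (-not $share) {
        Write-Warning "share $shareName not present (the guide allows deleting it in some layouts)"
        continue
    }

    Write-Host "== $shareName -> $($share.Path)"
    Get-SmbShareAccess -Name $shareName |
        Format-Table AccountName, AccessControlType, AccessRight -AutoSize

    # Lower the group's share permission from Full to Change, the documented minimum.
    $full = Get-SmbShareAccess -Name $shareName |
        Where-Object { $_.AccountName -like "*\$group" -and $_.AccessRight -eq 'Full' }
    foreach ($ace in $full) {
        Revoke-SmbShareAccess -Name $shareName -AccountName $ace.AccountName -Force | Out-Null
        Grant-SmbShareAccess  -Name $shareName -AccountName $ace.AccountName `
            -AccessRight Change -Force | Out-Null
    }
}

# NTFS layer: the writer needs Modify (read, write, delete) on the Source
# directory; share permissions alone do not grant it.
$source = (Get-SmbShare -Name Source).Path
$acl    = Get-Acl -Path $source
$rule   = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $writer, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $source -AclObject $acl

# Report: who can write recordings, at the share layer, the NTFS layer, and
# through group membership (the installer adds Domain Admins to the group).
Get-SmbShareAccess -Name Source | Select-Object Name, AccountName, AccessRight
(Get-Acl -Path $source).Access |
    Where-Object { $_.FileSystemRights -match 'Modify|FullControl' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
net localgroup $group
```

The final group listing is there because membership of WriteRecordingGroup is what actually confers write access to the recordings; reviewing it periodically is a smaller task than reviewing every share ACL.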


4. SETTING UP RDS FOR APPLICATION LAUNCHING

This section details configuring RemoteApp on the Remote Desktop Session Host to launch the Lieberman Software Application Launcher. The application launcher is a bootstrapper used to launch configured applications and provide authentication information to them.

When a user uses the Launch App links in the ERPM web interface, this application is called; it obtains the necessary credential information for the application to launch, and launches the application from the bastion host. In turn, VDI will display the remote application on the user's workstation as if it were a local application.

CONFIGURING REMOTE APP FOR SERVER 2012 (R2)

Open Server Manager and click the Remote Desktop Services link in the left pane.

Then click Collections.

Then select the collection to configure the Lieberman Software Application Launcher for.


In the REMOTEAPP PROGRAMS area, click Tasks and select Publish RemoteApp Programs. Then click Add on the Publish RemoteApp Programs dialog.


Select LiebsoftLauncher.exe from the application launcher installation location on the bastion host (configured in step 3 previously). The default directory for this file is C:\Program Files (x86)\Lieberman\Roulette\LaunchApp. Then click Next.


On the Confirmation page, click Publish.

Once the LiebsoftLauncher application is published, right-click it in the RemoteApp Programs list and select Edit Properties.


On the General tab, set the Show the RemoteApp program in RD Web Access option to No. Although everything will work fine if this is not done, there is no need to publicize this application.


On the Parameters tab, set the Command-line Parameters option to Allow any command-line parameters. The command line passed to LiebsoftLauncher will differ every time it is run, based on many factors including session IDs, the programs being run and the parameters included when launching those programs.


On the User Assignment tab, it is highly recommended to change the User Assignment option to a specific user or group of users. Specifically, ERPM will connect to the server as a pre-designated account (which should be managed by ERPM). This is the only account that will require access to run the program. This account will be covered later in the Configuring Application Launching section. The account assigned here will require any permissions and rights needed to launch the desired programs.

Click OK when done.
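On Server 2012 (R2) the RemoteApp settings chosen through the dialogs above (hidden from RD Web Access, any command-line parameters allowed, user assignment restricted to the ERPM proxy account) can be applied and checked with the RemoteDesktop module, which is also the practical way to confirm a bastion host has not drifted from the recommended configuration. The script below is an added example and is not part of the Lieberman guide; the collection name, the connection broker FQDN, and the group name are constructed placeholders, and the launcher path is the default given above.

```powershell
# Added example (not from the ERPM guide): publish LiebsoftLauncher.exe as a
# RemoteApp on Server 2012 (R2) with the three recommended settings, then
# read the result back. Run on a host with the RemoteDesktop module.
Import-Module RemoteDesktop

$collection = 'ERPM Launcher'                 # constructed collection name
$broker     = 'bastion01.contoso.local'       # constructed RD Connection Broker
$launcher   = 'C:\Program Files (x86)\Lieberman\Roulette\LaunchApp\LiebsoftLauncher.exe'
$proxyGroup = 'CONTOSO\ERPM-LaunchProxy'      # holds only the ERPM proxy account

# Idempotent: find an existing publication of this executable, else create it.
$app = Get-RDRemoteApp -CollectionName $collection -ConnectionBroker $broker |
    Where-Object { $_.FilePath -ieq $launcher }

if (-not $app) {
    $app = New-RDRemoteApp -CollectionName $collection -ConnectionBroker $broker `
        -DisplayName 'LiebsoftLauncher' -FilePath $launcher `
        -ShowInWebAccess $false -CommandLineSetting Allow -UserGroups $proxyGroup
} else {
    # Keep the existing alias (the guide cautions against changing it).
    Set-RDRemoteApp -CollectionName $collection -ConnectionBroker $broker -Alias $app.Alias `
        -ShowInWebAccess $false -CommandLineSetting Allow -UserGroups $proxyGroup
}

# Verify the three settings; any deviation is a configuration finding.
$check = Get-RDRemoteApp -CollectionName $collection -ConnectionBroker $broker -Alias $app.Alias
$check | Select-Object Alias, FilePath, ShowInWebAccess, CommandLineSetting, UserGroups |
    Format-List

$problems = @()
if ($check.ShowInWebAccess) {
    $problems += 'still visible in RD Web Access'
}
if ($check.CommandLineSetting -ne 'Allow') {
    $problems += 'command-line parameters not allowed; launches will fail'
}
if (-not $check.UserGroups) {
    $problems += 'no user assignment: every user of the collection can run the launcher'
}
if ($problems) { Write-Warning ($problems -join '; ') }
else           { Write-Host 'LiebsoftLauncher is published as recommended.' }
```

The user assignment check is the security-relevant one: without it, any account that can reach the collection can start the launcher, whereas the guide's design has only the ERPM proxy account doing so.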

CONFIGURING REMOTE APP FOR SERVER 2008 R2

Open Server Manager and expand the Remote Desktop Services | RemoteApp Manager nodes in the left pane.


In the RemoteApp Programs area, right-click and select Add RemoteApp Programs. Click Next on the Welcome page, then click Browse on the Choose programs to add to the RemoteApp Programs list page.


Select LiebsoftLauncher.exe from the application launcher installation location on the bastion host (configured in step 3 previously). The default directory for this file is C:\Program Files (x86)\Lieberman\Roulette\LaunchApp. Then click Next.


On the Review Settings page, click Finish.

Once the LiebsoftLauncher application is added, right-click it in the RemoteApp Programs list and select Properties.

CAUTION! DO NOT CHANGE THE ALIAS value.

De-select the check box for RemoteApp program in RD Web Access. Although everything will work fine if this is not done, there is no need to publicize this application.


Set the Command-line arguments option to Allow any command-line parameters. The command line passed to LiebsoftLauncher will differ every time it is run, based on many factors including session IDs, the programs being run and the parameters included when launching those programs.

On the User Assignment tab, it is strongly recommended to change the User Assignment option to a specific user or group of users. ERPM connects to the bastion host as a pre-designated account (which should itself be managed by ERPM), and that is the only account that needs to run the program. This account is covered later in the Configuring Application Launching section. The account assigned here must also hold whatever permissions and rights the desired target programs need.

Click OK when done.
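The following is an added verification script, not part of the Lieberman documentation or product. It checks that the LiebsoftLauncher RemoteApp was published the way the steps above require: the alias is reported (never changed), any command line is allowed, the program is not advertised in RD Web Access, and user assignment is narrowed to the bastion login account. It assumes Windows Server 2012 or later with the RemoteDesktop PowerShell module (on 2008 R2 inspect the same properties in RemoteApp Manager), a session collection named Bastion and a login account CORP\svc-erpm-launch, both hypothetical, and the default launcher path from step 3.

```powershell
# Added example, not from the Lieberman documentation or product.
# Assumptions: RemoteDesktop module (Server 2012+), hypothetical collection name
# 'Bastion', hypothetical login account 'CORP\svc-erpm-launch', default launcher path.
Import-Module RemoteDesktop

$CollectionName = 'Bastion'
$LauncherPath   = 'C:\Program Files (x86)\Lieberman\Roulette\LaunchApp\LiebsoftLauncher.exe'
$AllowedUser    = 'CORP\svc-erpm-launch'

$app = Get-RDRemoteApp -CollectionName $CollectionName |
       Where-Object { $_.FilePath -eq $LauncherPath }
if (-not $app) {
    throw "LiebsoftLauncher is not published in collection '$CollectionName' from $LauncherPath"
}

$findings = @()

# The launcher's arguments change on every launch (session ID, program, parameters),
# so the RemoteApp must accept any command line.
if ($app.CommandLineSetting -ne 'Allow') {
    $findings += "Command-line arguments is '$($app.CommandLineSetting)'; set it to Allow any command-line parameters."
}

# No reason to advertise the launcher to RD Web Access users.
if ($app.ShowInWebAccess) {
    $findings += "RemoteApp is shown in RD Web Access; clear that option."
}

# With any command line allowed, whoever may run this RemoteApp can pass arbitrary
# arguments to LiebsoftLauncher, so user assignment must be narrowed to the login account.
if (-not $app.UserGroups -or @($app.UserGroups).Count -eq 0) {
    $findings += "User assignment is 'all users in the collection'; restrict it to $AllowedUser."
} elseif (@($app.UserGroups) -notcontains $AllowedUser) {
    $findings += "User assignment ($($app.UserGroups -join ', ')) does not include $AllowedUser."
}

# The alias must not be changed (see the caution above); only report it.
"Alias: $($app.Alias)  Display name: $($app.DisplayName)"
if ($findings.Count -eq 0) { "OK: RemoteApp publication matches the required settings." }
else { $findings | ForEach-Object { "CHECK: $_" } }
```

Run it on the RD Connection Broker (or pass -ConnectionBroker to Get-RDRemoteApp). It reports findings rather than changing anything, so it is safe to rerun after every change to the publication.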

5. SETTING UP STREAMING MEDIA SERVICES

Streaming Media Services is used to provide smooth streaming of the recorded sessions from the

transcoder host (typically the ERPM web server) to the client's browser and video player.

Installation of this component is only required if session recording (the free Lieberman Software session recording module) will be used. If it will not, skip this section.

To install the streaming media software on the machine that will act as the video transcoder, open the SupplementalInstallers sub-folder of the ERPM installation directory, typically %ProgramFiles(x86)%\Lieberman\Roulette. Copy IISMEdia64.msi to the transcoder machine and launch the installer.

IIS Media Services requires that a basic (stock) IIS installation already be present on the same host.

Click Next on the welcome page.

Read and accept the terms of the license agreement, then click Next.

Leave the default options selected then click Next.

Click Install.

Click Finish.

6. CONFIGURING IIS TO HOST RECORDED SESSIONS

This step is only required if session recording has been enabled; if it has not, skip it. It will normally be carried out on the same system where Streaming Media Services was installed.

When an application is launched via a bastion host / jump server and that application is configured to record the session, the recording passes through a pre-configured chain of directories before it reaches the machine that will ultimately host the videos for playback. With the Microsoft Expression session recorder, the raw XESC files are first written to the local file system of the bastion host. The Lieberman Software File Watcher Service on the bastion host then moves them to a share called "Source" on the machine configured as the video transcoder (typically the ERPM web server, but it can be any machine). Once the raw XESC files arrive on the transcoder, the File Watcher service on that machine transcodes them to WMV and moves the finished files into the "SessionRecording" share on the same system. That directory is what IIS hosts and what the ERPM website serves for playback.

Both shares receive and hold recordings of privileged sessions. Restrict their share and NTFS permissions to the accounts the File Watcher services run under; the recordings should not be readable over SMB by ordinary users.

Little work is required to configure IIS on the machine that hosts the compiled videos, because the application launcher installer has already configured most of the required elements:

The default website will have a new virtual directory called SessionRecording, pointing to %inetpub%\wwwroot\SessionRecording.

The only change that may still be needed is to set the authentication scheme to anonymous. To do this, open IIS Manager, expand the Default Web Site, select the SessionRecording virtual directory and open its Authentication feature. Enable Anonymous Authentication and disable all other schemes. Apply this to the SessionRecording virtual directory rather than to the whole site, so that the ERPM website itself keeps whatever authentication it already relies on. Bear in mind that with anonymous access anyone who can reach the web server and knows a file name can download a recording; the ERPM website is what mediates who is shown which recording, so keep directory browsing disabled on this virtual directory and limit who can reach the server at the network level.
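The following is an added script, not part of the Lieberman documentation or product, that checks the pieces this section depends on and applies the authentication change exactly where it belongs. It confirms the SessionRecording virtual directory exists, that the "Source" and "SessionRecording" shares the File Watcher services use are present, then enables anonymous authentication and disables Windows and Basic authentication for the virtual directory only, and turns off directory browsing there. It assumes IIS 7 or later with the WebAdministration module, the default site name "Default Web Site", and the share names as described above.

```powershell
# Added example, not from the Lieberman documentation or product.
# Assumptions: WebAdministration module (IIS 7+), site name 'Default Web Site',
# shares named 'Source' and 'SessionRecording' as the text describes.
Import-Module WebAdministration

$Site     = 'Default Web Site'
$VDir     = 'SessionRecording'
$Location = "$Site/$VDir"
$AuthBase = 'system.webServer/security/authentication'

# 1. The application launcher installer should already have created the virtual directory.
$vd = Get-WebVirtualDirectory -Site $Site -Name $VDir
if (-not $vd) { throw "Virtual directory $Location is missing; re-run the application launcher installer." }
"Virtual directory $VDir -> $($vd.physicalPath)"

# 2. Both File Watcher shares must exist. Without 'Source' the raw XESC files never
#    leave the bastion host; without 'SessionRecording' the transcoded WMVs have nowhere to go.
foreach ($name in 'Source', 'SessionRecording') {
    $share = Get-WmiObject -Class Win32_Share -Filter "Name='$name'"
    if ($share) { "Share $name -> $($share.Path)" } else { Write-Warning "Share '$name' not found" }
}

# 3. Anonymous on, Windows and Basic off, written as a <location> entry in
#    applicationHost.config for the virtual directory only, so the rest of the site
#    (and the ERPM website) keeps whatever authentication it already uses.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
    -Filter "$AuthBase/anonymousAuthentication" -Name enabled -Value $true
foreach ($scheme in 'windowsAuthentication', 'basicAuthentication') {
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
        -Filter "$AuthBase/$scheme" -Name enabled -Value $false
}

# 4. Anonymous access means anyone who can reach this site can fetch a recording by
#    file name; at least do not let them list the directory.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
    -Filter 'system.webServer/directoryBrowse' -Name enabled -Value $false

# 5. Report the effective state for the virtual directory.
foreach ($scheme in 'anonymousAuthentication', 'windowsAuthentication', 'basicAuthentication') {
    $v = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location -Filter "$AuthBase/$scheme" -Name enabled
    '{0,-22} enabled = {1}' -f $scheme, $v.Value
}
```

Run it in an elevated PowerShell on the transcoder/web host. If Digest or other authentication modules are installed, add their section names to the loop in step 3; the `-PSPath 'IIS:\' -Location` form writes to applicationHost.config, which is permitted even though these sections are locked against web.config overrides by default.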

Once the prerequisites for application launching are installed, four mandatory steps and two optional steps remain to set up ERPM to use the application launcher and the session recorder:

1) Configure an account for login to the bastion host.

2) Configure ERPM web settings with information about the web launcher service.

3) Configure a bastion host object in ERPM.

4) Optionally configure a session recording host object in ERPM.

5) Configure applications for launching and grant permissions to those applications as necessary.

6) Optionally configure the ERPM website to playback recorded sessions.

The following sub-sections will outline these steps.

IN THIS CHAPTER

Configuring a Bastion Host Login Account .............................................. 89

Configure ERPM Web Settings .............................................................. 114

Configure a Bastion Host Object ........................................................... 116

Configure a Session Recording Host Object .......................................... 119

Configure ERPM Website for Session Playback ..................................... 123

Configure Applications for Launching ................................................... 128

CONFIGURING A BASTION HOST LOGIN ACCOUNT

ERPM logs on to the target bastion host with a standard account and launches the LiebsoftLauncher application, which in turn launches the target application. LiebsoftLauncher connects to a web service hosted by ERPM (WebLauncherBackendService.svc) to obtain the necessary program settings and credentials.

The logon account's password should be managed by ERPM on a regular schedule, for example daily or weekly. An hourly rotation risks invalidating the account's logon while a session is being established. The account can be a local account, but a domain account is recommended where possible. It needs whatever rights are required to launch the final target application; it does not necessarily need local or domain administrator privileges. It does need the right to log on remotely to the bastion host, so if it is not an administrator it must be added to the Remote Desktop Users group on the bastion host.

CONFIGURING APPLICATION LAUNCHING


Configuring Application Launching 90

If, as recommended, ERPM is to manage the password for this account, simply follow the normal password change procedure in ERPM (see the administrative guide). No password propagation is needed, so propagation can safely be turned off for the password change job. Keep the password length to 80 characters or less, because some versions of Windows will not accept longer passwords over RDP.

On logon this account first launches LiebsoftLauncher, so make sure that in the RemoteApp settings at least this account, or a group it belongs to, has been granted permission to launch the LiebsoftLauncher application. RemoteApp is generally found in Server Manager under Roles | Remote Desktop Services.

This account can be heavily locked down, since it generally needs access to nothing other than the application being launched.

Caution! Within a launched application this account can do anything the target application allows it to do. The lockdown described here constrains the desktop and shell on the bastion host, not the functionality of the application itself.

If this account comes from Active Directory, place it in an organizational unit (OU) by itself or together with other similarly locked-down accounts. Link a policy to that OU and modify the User Configuration portion of the policy to lock down the logon account. The bastion hosts do not need to be in this OU, because the policies that lock down the user experience are user based, not computer based.
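The following is an added check, not part of the Lieberman documentation or product, for the bastion login account requirements stated above: that the account can log on remotely (Remote Desktop Users on the bastion host) and that it is not quietly relying on local Administrators membership for that right. It runs on the bastion host with local administrator rights and uses the WinNT ADSI provider so it also works on Windows Server 2008 R2. The account name CORP\svc-erpm-launch is hypothetical.

```powershell
# Added example, not from the Lieberman documentation or product.
# Assumptions: run on the bastion host as a local administrator; the login account is
# the hypothetical domain account CORP\svc-erpm-launch (use .\name for a local account).
param([string]$Account = 'CORP\svc-erpm-launch')

function Get-LocalGroupMemberNames {
    # Lists direct members of a local group as DOMAIN\name (or COMPUTER\name) strings.
    param([string]$GroupName)
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    foreach ($m in $group.psbase.Invoke('Members')) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # ADsPath looks like WinNT://CORP/svc-erpm-launch -> CORP\svc-erpm-launch
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

$rdpUsers = @(Get-LocalGroupMemberNames 'Remote Desktop Users')
$admins   = @(Get-LocalGroupMemberNames 'Administrators')
$acct     = $Account -replace '^\.\\', "$env:COMPUTERNAME\"

if ($rdpUsers -contains $acct) {
    "OK   : $acct is in Remote Desktop Users and can log on to this bastion host via RDP."
} elseif ($admins -contains $acct) {
    "WARN : $acct can log on only because it is a local Administrator; add it to Remote Desktop Users instead."
} else {
    "FAIL : $acct is in neither Remote Desktop Users nor Administrators; the RemoteApp logon will be refused."
}

if ($admins -contains $acct) {
    "WARN : $acct is a local Administrator on this host. Remove that unless the target application genuinely requires it;"
    "       the account needs only the rights of the application it launches."
}
```

Only direct group membership is listed, so an account that is a Remote Desktop User through a nested domain group will show as FAIL here even though the logon works; in that case check the nesting in Active Directory. The password length limit (80 characters or less) is enforced on the ERPM password change job, not on the host, and is not checked by this script.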

Following are some of the settings recommended to lock down the session. All policies should be tested

to ensure they do not interfere with the required operation of a target application:

User Configuration | Policies | Windows Settings | Security Settings | Software Restriction Policies

Policy  Setting

Enforcement

Apply Software Restriction Policies to the following  All software files except libraries (such as DLLs)

Apply Software Restriction Policies to the following users  All users

When applying Software Restriction Policies  Ignore certificate rules

Trusted Publishers

Trusted publisher management  Allow all administrators and users to manage user's own Trusted Publishers

Certificate verification  None

Software Restriction Policies/Security Levels

Default Security Level  Disallowed

Software Restriction Policies/Additional Rules >> Path Rules

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%  Security Level = Unrestricted

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%  Security Level = Unrestricted

C:\Program Files (x86)\Lieberman\Roulette\RemoteAppLauncher\LiebsoftLauncher.exe  Security Level = Unrestricted

The explicit LiebsoftLauncher.exe rule is needed because on 64-bit Windows the ProgramFilesDir registry value expands to C:\Program Files, not C:\Program Files (x86). Adjust this path to the directory actually chosen when the application launcher was installed on the bastion host; the RemoteApp step earlier in this chapter shows the default location as C:\Program Files (x86)\Lieberman\Roulette\LaunchApp.
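The following is an added script, not part of the Lieberman documentation or product, that reads the Software Restriction Policy as it actually reached the bastion login account and prints it in the terms of the table above (default level, enforcement scope, certificate rules and the path rules under each level). Per-user SRP settings are written by Group Policy under the user's hive at Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, so the script runs on the bastion host as an administrator while the login account has a session open and reads that user's hive by SID. The account name is hypothetical.

```powershell
# Added example, not from the Lieberman documentation or product.
# Assumptions: run as an administrator on the bastion host while the hypothetical login
# account 'CORP\svc-erpm-launch' is logged on, so its hive is loaded under HKEY_USERS.
param([string]$Account = 'CORP\svc-erpm-launch')

$nt   = New-Object System.Security.Principal.NTAccount($Account)
$sid  = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
$root = "Registry::HKEY_USERS\$sid\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
if (-not (Test-Path $root)) {
    throw "No per-user SRP found for $Account (hive not loaded, or the GPO is not applied to this account's OU)."
}

# SRP stores the level as a number: 0 = Disallowed, 0x1000 = Basic User, 0x40000 = Unrestricted.
$levelName = @{ 0 = 'Disallowed'; 4096 = 'Basic User'; 262144 = 'Unrestricted' }
function Describe-Level([object]$v) {
    if ($null -eq $v) { return '(not set)' }
    $n = [int]$v
    if ($levelName.ContainsKey($n)) { $levelName[$n] } else { "unknown ($n)" }
}

$ci = Get-ItemProperty -Path $root
"Default Security Level : $(Describe-Level $ci.DefaultLevel)  (want Disallowed)"
"Enforcement            : $(if ($ci.TransparentEnabled -eq 1) { 'All software except DLLs' } else { 'All software including DLLs' })"
"Applies to             : $(if ($ci.PolicyScope -eq 0) { 'All users' } else { 'All users except local administrators' })"
"Certificate rules      : $(if ($ci.AuthenticodeEnabled -eq 1) { 'Enforced' } else { 'Ignored' })"

# Path rules live under <level>\Paths\{guid}; ItemData holds the path (registry-path rules keep the %HKEY_...% form).
"Path rules:"
foreach ($level in 0, 4096, 262144) {
    $paths = Join-Path $root "$level\Paths"
    if (-not (Test-Path $paths)) { continue }
    Get-ChildItem -Path $paths | ForEach-Object {
        $rule = Get-ItemProperty -Path $_.PSPath
        '  {0,-12} {1}' -f $levelName[$level], $rule.ItemData
    }
}
```

Compare the output with the table: the default level should be Disallowed with exactly the three Unrestricted path rules listed. Note what the SystemRoot rule implies: everything under the Windows directory, including cmd.exe and powershell.exe, remains runnable by this account. SRP here stops third-party and user-dropped binaries; keeping the account away from a shell is the job of the RemoteApp (which starts only LiebsoftLauncher) and of the Administrative Template settings that follow.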

User Configuration | Policies | Administrative Templates

Control Panel

Prohibit access to Control Panel and PC settings Enabled

Control Panel/Display

Disable the Display Control Panel Enabled

Control Panel/Printers

Browse a common web site to find printers Disabled

Browse the network to find printers Disabled

Prevent addition of printers Enabled

Prevent deletion of printers Enabled

Control Panel/Programs

Hide "Get Programs" page Enabled

Hide "Installed Updates" page Enabled

Hide "Programs and Features" page Enabled

Hide "Set Program Access and Computer Defaults" page Enabled

Hide "Windows Features" Enabled

Hide the Programs Control Panel Enabled

Control Panel/Regional and Language Options

Hide Regional and Language Options administrative options Enabled

Hide the geographic location option Enabled

Hide the select language group options Enabled

Hide user locale selection and customization options Enabled

Desktop

Don't save settings at exit Enabled

Hide and disable all items on the desktop Enabled

Hide Internet Explorer icon on desktop Enabled

Hide Network Locations icon on desktop Enabled

Prevent adding, dragging, dropping and closing the Taskbar's toolbars Enabled

Prohibit adjusting desktop toolbars Enabled

Prohibit User from manually redirecting Profile Folders Enabled

Remove Computer icon on the desktop Enabled

Remove Properties from the Computer icon context menu Enabled

Remove Properties from the Recycle Bin context menu Enabled

Remove Recycle Bin icon from desktop Enabled

Turn off Aero Shake window minimizing mouse gesture Enabled

Network/Network Connections

Ability to change properties of an all user remote access connection Disabled

Prohibit access to properties of a LAN connection Enabled

Prohibit access to the Remote Access Preferences item on the Advanced menu Enabled

Prohibit changing properties of a private remote access connection Enabled

Prohibit connecting and disconnecting a remote access connection Enabled

Prohibit renaming private remote access connections Enabled

Network/Offline Files

Remove "Make Available Offline" command Enabled

Remove "Work offline" command Enabled

Network/Windows Connect Now

Prohibit access of the Windows Connect Now wizards Enabled

Start Menu and Taskbar

Add Search Internet link to Start Menu Disabled

Add the Run command to the Start Menu Disabled

Clear history of recently opened documents on exit Enabled

Clear history of tile notifications on exit Enabled

Clear the recent programs list for new users Enabled

Do not allow pinning items in Jump Lists Enabled

Do not allow pinning programs to the Taskbar Enabled

Do not display any custom toolbars in the taskbar Enabled

Do not display or track items in Jump Lists from remote locations Enabled

Do not keep history of recently opened documents Enabled

Do not search communications Enabled

Do not search for files Enabled

Do not search Internet Enabled

Do not search programs and Control Panel items Enabled

Do not use the search-based method when resolving shell shortcuts Enabled

Do not use the tracking-based method when resolving shell shortcuts Enabled

Hide the notification area Enabled

Lock all taskbar settings Enabled

Lock the Taskbar Enabled

Prevent changes to Taskbar and Start Menu Settings Enabled

Prevent users from adding or removing toolbars Enabled

Prevent users from moving taskbar to another screen dock location Enabled

Prevent users from rearranging toolbars Enabled

Prevent users from uninstalling applications from Start Enabled

Remove access to the context menus for the taskbar Enabled

Remove All Programs list from the Start menu Enabled

Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands Enabled

Remove Clock from the system notification area Enabled

Remove common program groups from Start Menu Enabled

Remove Default Programs link from the Start menu. Enabled

Remove Documents icon from Start Menu Enabled

Remove Downloads link from Start Menu Enabled

Remove drag-and-drop and context menus on the Start Menu Enabled

Remove Favorites menu from Start Menu Enabled

Remove frequent programs list from the Start Menu Enabled

Remove Games link from Start Menu Enabled

Remove Help menu from Start Menu Enabled

Remove Homegroup link from Start Menu Enabled

Remove links and access to Windows Update Enabled

Remove Logoff on the Start Menu Disabled

Remove Music icon from Start Menu Enabled

Remove Network Connections from Start Menu Enabled

Remove Network icon from Start Menu Enabled

Remove Pictures icon from Start Menu Enabled

Remove pinned programs from the Taskbar Enabled

Remove pinned programs list from the Start Menu Enabled

Remove programs on Settings menu Enabled

Remove Recent Items menu from Start Menu Enabled

Remove Recorded TV link from Start Menu Enabled

Remove Run menu from Start Menu Enabled

Remove See More Results / Search Everywhere link Enabled

Remove the Action Center icon Enabled

Remove the battery meter Enabled

Remove the networking icon Enabled

Remove the volume control icon Enabled

Remove user folder link from Start Menu Enabled

Remove user's folders from the Start Menu Enabled

Remove Videos link from Start Menu Enabled

Show "Run as different user" command on Start Disabled

Turn off all balloon notifications Enabled

Turn off automatic promotion of notification icons to the taskbar Enabled

Turn off feature advertisement balloon notifications Enabled

Turn off notification area cleanup Enabled

Turn off user tracking Enabled

Start Menu and Taskbar/Notifications

Turn off notifications network usage Enabled

System/Ctrl+Alt+Del Options

Remove Change Password Enabled

Remove Task Manager Enabled

System/Internet Communication Management/Internet Communication settings

Turn off access to the Store Enabled

Turn off downloading of print drivers over HTTP Enabled

Turn off handwriting recognition error reporting Enabled

Turn off Help Experience Improvement Program Enabled

Turn off Help Ratings Enabled

Turn off Internet download for Web publishing and online ordering wizards Enabled

Turn off Internet File Association service Enabled

Turn off printing over HTTP Enabled

Turn off the "Order Prints" picture task Enabled

Turn off the "Publish to Web" task for files and folders Enabled

Turn off the Windows Messenger Customer Experience Improvement Program Enabled

Turn off Windows Online Enabled

System/Removable Storage Access

All Removable Storage classes: Deny all access Enabled

CD and DVD: Deny read access Enabled

CD and DVD: Deny write access Enabled

Floppy Drives: Deny read access Enabled

Floppy Drives: Deny write access Enabled

Removable Disks: Deny read access Enabled

Removable Disks: Deny write access Enabled

Tape Drives: Deny read access Enabled

Tape Drives: Deny write access Enabled

WPD Devices: Deny read access Enabled

WPD Devices: Deny write access Enabled

System/Windows HotStart

Turn off Windows HotStart Enabled

Windows Components/Add features to Windows 8

Prevent the wizard from running. Enabled

Windows Components/App runtime

Block launching desktop apps associated with a file. Enabled

Block launching desktop apps associated with a protocol Enabled

Windows Components/Application Compatibility

Turn off Program Compatibility Assistant Enabled

Windows Components/Attachment Manager

Hide mechanisms to remove zone information Enabled

Windows Components/AutoPlay Policies

Disallow Autoplay for non-volume devices Enabled

Prevent AutoPlay from remembering user choices. Enabled

Set the default behavior for AutoRun Enabled

Default AutoRun Behavior Do not execute any autorun commands

Turn off Autoplay Enabled

Turn off Autoplay on All drives

Windows Components/Credential User Interface

Do not display the password reveal button Enabled

Windows Components/Desktop Gadgets

Restrict unpacking and installation of gadgets that are not digitally signed. Enabled

Turn off desktop gadgets Enabled

Turn Off user-installed desktop gadgets Enabled

Windows Components/Digital Locker

Do not allow Digital Locker to run Enabled

Windows Components/Edge UI

Turn off switching between recent apps Enabled

Turn off tracking of app usage Enabled

Windows Components/File Explorer

Display confirmation dialog when deleting files Enabled

Display the menu bar in File Explorer Enabled

Do not allow Folder Options to be opened from the Options button on the View tab of the ribbon  Enabled

Do not display the Welcome Center at user logon Enabled

Do not request alternate credentials Enabled

Hide these specified drives in My Computer Enabled

Restrict all drives

Hides the Manage item on the File Explorer context menu Enabled

No Entire Network in Network Locations Enabled

Prevent access to drives from My Computer Enabled

Restrict all drives

Prevent users from adding files to the root of their Users Files folder. Enabled

Remove "Map Network Drive" and "Disconnect Network Drive" Enabled

Remove CD Burning features Enabled

Remove File Explorer's default context menu Enabled

Remove File menu from File Explorer Enabled

Remove Hardware tab Enabled

Remove Security tab Enabled

Remove the Search the Internet "Search again" link Enabled

Turn off display of recent search entries in the File Explorer search box Enabled

Turn off Windows+X hotkeys Enabled

Windows Components/File Explorer/Common Open File Dialog

Hide the common dialog back button Enabled

Hide the common dialog places bar Enabled

Hide the dropdown list of recent files Enabled

Windows Components/File Explorer/Explorer Frame Pane

Turn off Preview Pane Enabled

Turn on or off details pane Enabled

Configure details pane Always hide

Windows Components/File Explorer/Previous Versions

Prevent restoring previous versions from backups Enabled

Windows Components/IME

Turn off history-based predictive input Enabled

Turn off Internet search integration Enabled

Windows Components/Internet Explorer

Automatically activate newly installed add-ons Disabled

Configure Media Explorer Bar  Enabled

Disable the Media Explorer Bar and auto-play feature  Enabled

Auto-Play media files in the Media bar when enabled  Disabled

Disable AutoComplete for forms Enabled

Disable changing accessibility settings Enabled

Disable changing Advanced page settings Enabled

Disable changing Automatic Configuration settings Enabled

Disable changing Calendar and Contact settings Enabled

Disable changing certificate settings Enabled

Disable changing connection settings Enabled

Disable changing home page settings Enabled

Home Page  Define a home page if necessary

Disable changing language settings Enabled

Disable changing Messaging settings Enabled

Disable changing ratings settings Enabled

Disable changing Temporary Internet files settings Enabled

Disable Import/Export Settings wizard Enabled

Disable Internet Connection wizard Enabled

Do not allow users to enable or disable add-ons Enabled

Identity Manager: Prevent user from using Identities Enabled

Notify users if Internet Explorer is not the default web browser Disabled

Pop-up allow list  Enabled

Enter the list of sites here.  Define the allowed sites list if applicable, for example *.microsoft.com

Prevent "Fix settings" functionality Enabled

Prevent access to Internet Explorer Help Enabled

Prevent bypassing SmartScreen Filter warnings Enabled

Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet  Enabled

Prevent changing pop-up filter level Enabled

Prevent changing proxy settings Enabled

Prevent changing the default search provider Enabled

Prevent configuration of how windows open Enabled

Select where to open links  Open in existing Internet Explorer window

Prevent Internet Explorer Search box from appearing Enabled

Prevent managing pop-up exception list Enabled

Prevent managing SmartScreen Filter Enabled

Select SmartScreen Filter mode On

Prevent participation in the Customer Experience Improvement Program Enabled

Prevent per-user installation of ActiveX controls Enabled

Prevent running First Run wizard Enabled

Select your choice  Go directly to home page

Search: Disable Find Files via F3 within the browser Enabled

Search: Disable Search Customization Enabled

Specify default behavior for a new tab Enabled

New tab behavior Home page

Turn off ability to pin sites in Internet Explorer on the desktop Enabled

Turn off add-on performance notifications Enabled

Turn off browser geolocation Enabled

Turn off configuration of pop-up windows in tabbed browsing Enabled

Select tabbed browsing pop-up behavior  Force pop-ups to open in a new tab

Turn off Crash Detection Enabled

Turn off Favorites bar Enabled

Turn off Managing SmartScreen Filter for Internet Explorer 8 Enabled

Select SmartScreen Filter mode for Internet Explorer 8 On

Turn off pop-up management Enabled

Turn off Quick Tabs functionality Enabled

Turn off Reopen Last Browsing Session Enabled

Turn off suggestions for all user-installed providers Enabled

Turn off tabbed browsing Enabled

Turn off the auto-complete feature for web addresses Enabled

Turn off the quick pick menu Enabled

Turn on Suggested Sites Disabled

Turn on the auto-complete feature for user names and passwords on forms Disabled

Windows Components/Internet Explorer/Accelerators

Turn off Accelerators Enabled

Windows Components/Internet Explorer/Browser menus

Disable Open in New Window menu option Enabled

Disable Save this program to disk option Enabled

File menu: Disable closing the browser and Explorer windows Enabled

File menu: Disable New menu option Enabled

File menu: Disable Open menu option Enabled

File menu: Disable Save As Web Page Complete Enabled

File menu: Disable Save As... menu option Enabled

Help menu: Remove 'Send Feedback' menu option Enabled

Help menu: Remove 'Tour' menu option Enabled

Hide Favorites menu Enabled

Tools menu: Disable Internet Options... menu option Enabled

Turn off Print Menu Enabled

Turn off Shortcut Menu Enabled

View menu: Disable Full Screen menu option Enabled

View menu: Disable Source menu option Enabled

Windows Components/Internet Explorer/Delete Browsing History

Disable "Configuring History" Enabled

Days to keep pages in History 1

Windows Components/Internet Explorer/Internet Control Panel

Disable the Advanced page Enabled

Disable the Connections page Enabled

Disable the Content page Enabled

Disable the General page Enabled

Disable the Privacy page Enabled

Disable the Programs page Enabled

Disable the Security page Enabled

Windows Components/Internet Explorer/Internet Control Panel/Advanced Page

Allow active content from CDs to run on user machines Disabled

Allow software to run or install even if the signature is invalid Disabled

Do not allow resetting Internet Explorer settings Enabled

Empty Temporary Internet Files folder when browser is closed Enabled

Windows Components/Internet Explorer/Internet Control Panel/General Page

Start Internet Explorer with tabs from last browsing session Disabled

Windows Components/Internet Explorer/Internet Control Panel/General Page/Browsing History

Allow websites to store application caches on client computers Disabled

Windows Components/Internet Explorer/Internet Settings/Advanced settings/Browsing

Turn off details in messages about Internet connection problems Enabled

Turn on script debugging Disabled

Windows Components/Internet Explorer/Internet Settings/Advanced settings/Multimedia

Allow Internet Explorer to play media files that use alternative codecs Disabled

Windows Components/Internet Explorer/Internet Settings/Advanced settings/Searching

Prevent configuration of search on Address bar Enabled

When searching from the address bar  Do not search from the address bar

Prevent configuration of top-result search on Address bar  Enabled

When searching from the Address bar  Disable top result search

Windows Components/Internet Explorer/Internet Settings/Advanced settings/Signup Settings

Turn on automatic signup Disabled

Windows Components/Internet Explorer/Internet Settings/AutoComplete

Turn off URL Suggestions Enabled

Turn off Windows Search AutoComplete Enabled

Turn on inline AutoComplete Disabled

Windows Components/Internet Explorer/Security Features/Restrict File Download

All Processes Enabled

Internet Explorer Processes Enabled

Windows Components/Internet Explorer/Toolbars

Configure Toolbar Buttons Enabled

Show Back button Enabled

Show Forward button Enabled

Show Stop button Enabled

Show Refresh button Enabled

Show Home button Enabled

Show Search button Disabled

Show Favorites button Disabled

Show History button Disabled

Page 110: [Enterprise] Random Password Manager...ERPM/RPM provide more functionality beyond password management, password vaulting, and session management. ERPM/RPM also provide for: Account

Configuring Application Launching 110

Show Folders button Disabled

Show Fullscreen button Disabled

Show Tools button Disabled

Show Mail button Disabled

Show Font size button Disabled

Show Print button Disabled

Show Edit button Disabled

Show Discussions button Disabled

Show Cut button Disabled

Show Copy button Disabled

Show Paste button Disabled

Show Encoding button Disabled

Disable customizing browser toolbar buttons Enabled

Disable customizing browser toolbars Enabled

Display tabs on a separate row Enabled

Hide the Command bar Enabled

Hide the status bar Enabled

Lock all toolbars Enabled

Lock location of Stop and Refresh buttons Enabled

Turn off Developer Tools Enabled

Turn off toolbar upgrade tool Enabled

Page 111: [Enterprise] Random Password Manager...ERPM/RPM provide more functionality beyond password management, password vaulting, and session management. ERPM/RPM also provide for: Account

Configuring Application Launching 111

Windows Components/Location and Sensors

Turn off location Enabled

Windows Components/Microsoft Management Console

Restrict the user from entering author mode Enabled

Windows Components/Network Sharing

Prevent users from sharing files within their profile. Enabled

Windows Components/Presentation Settings

Turn off Windows presentation settings Enabled

Windows Components/Sound Recorder

Do not allow Sound Recorder to run Enabled

Windows Components/Tablet PC/Accessories

Do not allow printing to Journal Note Writer Enabled

Do not allow Snipping Tool to run Enabled

Do not allow Windows Journal to be run Enabled

Page 112: [Enterprise] Random Password Manager...ERPM/RPM provide more functionality beyond password management, password vaulting, and session management. ERPM/RPM also provide for: Account

Configuring Application Launching 112

Windows Components/Tablet PC/Hardware Buttons

Prevent Back-ESC mapping Enabled

Prevent launch an application Enabled

Prevent press and hold Enabled

Turn off hardware buttons Enabled

Windows Components/Windows Error Reporting

Disable Windows Error Reporting Enabled

Windows Components/Windows Installer

Prevent removable media source for any installation Enabled

Prohibit rollback Enabled

Windows Components/Windows Logon Options

Set action to take when logon hours expire Enabled

Set action to take when logon hours expire Logoff

Windows Components/Windows Mail

Turn off the communities features Enabled

Turn off Windows Mail application Enabled

Page 113: [Enterprise] Random Password Manager...ERPM/RPM provide more functionality beyond password management, password vaulting, and session management. ERPM/RPM also provide for: Account

Configuring Application Launching 113

Windows Components/Windows Media Center

Do not allow Windows Media Center to run Enabled

Windows Components/Windows Media Player

Prevent CD and DVD Media Information Retrieval Enabled

Prevent Music File Media Information Retrieval Enabled

Windows Components/Windows Media Player/Networking

Hide Network Tab Enabled

Windows Components/Windows Media Player/Playback

Prevent Codec Download Enabled

Windows Components/Windows Messenger

Do not allow Windows Messenger to be run Enabled

Do not automatically start Windows Messenger initially Enabled

Windows Components/Windows Mobility Center

Turn off Windows Mobility Center Enabled

Windows Components/Windows Update

Page 114: [Enterprise] Random Password Manager...ERPM/RPM provide more functionality beyond password management, password vaulting, and session management. ERPM/RPM also provide for: Account

Configuring Application Launching 114

Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog

box

Enabled

Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box Enabled

CONFIGURE ERPM WEB SETTINGS

To configure the web launcher settings for the ERPM website(s), in the admin console, go to Settings |

Manage Web Application | Application Launch.

The Global tab identifies the ERPM web service and other related settings that will be used when

launching applications.

The Web service URL is the URL of the application launcher web service. When the web service is installed (typically on the ERPM web server), it is placed at [site]/erpmwebservice and is called WebLauncherBackendService.svc. Enter this full URL in the Web service URL field, including the protocol and, if applicable, the port.

IMPORTANT! There must be no certificate or access errors when accessing this URL in a browser. Test it as every user that will access the web server. The best test is to log in to the bastion host as the bastion host login account configured in the previous section and attempt to access this URL. If that account is prompted for credentials, or a certificate error appears, the application launcher will fail. Because the launcher retrieves the target system's credentials from this service, the URL should use HTTPS rather than plain HTTP.

The typical URL is
https://erpmwebservername.yourdomain.com/erpmwebservice/weblauncherbackendservice.svc.
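A scripted form of the pre-flight test above, added here as an example and not part of the Lieberman product: it fetches the Web service URL with normal certificate validation and reports the two conditions the launcher cannot survive, a certificate that fails validation and an authentication challenge. Run it on the bastion host while logged in as the bastion host login account. Python being available on that host, the verdict() and probe() helper names, and the default URL (the page's placeholder hostname) are assumptions.

```python
"""Pre-flight check for the ERPM application-launcher web service URL.

Added example, not Lieberman code. Exit status 0 means the .svc URL answered
200 with a valid certificate and no credential prompt, which is what the
LiebsoftLauncher needs when it calls back to the web service.
"""
import ssl
import sys
import urllib.error
import urllib.request

DEFAULT_URL = ("https://erpmwebservername.yourdomain.com"
               "/erpmwebservice/weblauncherbackendservice.svc")  # page placeholder


def verdict(status=None, www_authenticate=None, error=None):
    """Map a probe outcome to (ok, reason).

    Pure function so it can be exercised without a network. `error` is the
    exception the probe raised, if any; `status` the HTTP status otherwise.
    """
    if isinstance(error, ssl.SSLCertVerificationError):
        detail = getattr(error, "verify_message", str(error))
        return False, "certificate error: %s" % detail
    if isinstance(error, ssl.SSLError):
        return False, "TLS error: %s" % error
    if error is not None:
        return False, "connection error: %s" % error
    if status in (401, 407):
        scheme = www_authenticate or "unknown scheme"
        return False, ("authentication challenge (%d, %s); the launcher account "
                       "would be prompted" % (status, scheme))
    if status == 403:
        return False, "access denied (403) for this account"
    if status != 200:
        return False, "unexpected HTTP status %s" % status
    return True, "reachable without prompts or certificate errors"


def probe(url, timeout=10):
    """Fetch the .svc URL as the current user with default cert validation."""
    if not url.lower().endswith(".svc"):
        return False, "URL should point at WebLauncherBackendService.svc"
    if not url.lower().startswith("https://"):
        # The launcher pulls target credentials through this URL; plain HTTP
        # would carry them in clear on the wire.
        print("warning: %s is not HTTPS" % url, file=sys.stderr)
    req = urllib.request.Request(url, headers={"User-Agent": "erpm-preflight"})
    ctx = ssl.create_default_context()  # validates chain and hostname
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return verdict(status=resp.status)
    except urllib.error.HTTPError as e:
        return verdict(status=e.code,
                       www_authenticate=e.headers.get("WWW-Authenticate"))
    except urllib.error.URLError as e:
        reason = e.reason if isinstance(e.reason, Exception) else e
        return verdict(error=reason)


if __name__ == "__main__":
    ok, reason = probe(sys.argv[1] if len(sys.argv) > 1 else DEFAULT_URL)
    print(("OK: " if ok else "FAIL: ") + reason)
    sys.exit(0 if ok else 1)
```

A 401 with WWW-Authenticate: Negotiate means the IIS site hosting the service still has Windows authentication enabled for that account; a certificate error usually means the hostname in the URL does not match the certificate or the issuing CA is not trusted on the bastion host.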

Enable launching applications using stored passwords in the web application is required to enable remote launching. If this option is not selected, the Launch Application option will be unavailable in the website.

Use thick terminal services client when connecting through RDP is an optional setting that makes the application launcher start the Windows client's locally installed (fat) RDP client. If this option is not selected, ERPM can only use the ActiveX control for launching RDP sessions. While this works for the majority of RDP connections, the connection will fail if the target system requires NLA (Network Level Authentication). If the target system uses NLA, this option must be selected.

Enable launching applications on a remote server allows the configured applications to launch via a bastion host rather than only locally on the client. When the option is enabled and an application is configured to use a bastion host, the application launches on the bastion host and uses RemoteApp to display the program's UI on the user's desktop as if it were a native application.

[Script Launch] Path to script files on client systems is the path to which the script automation files are copied (a manual copy). This path is used when local launch (rather than launch via a bastion host) is used for web based applications such as Twitter, Facebook, or other web based programs. If such applications will never be launched directly from a client machine (only via a bastion host), this path does not need to be configured. The default location of these scripts is C:\Program Files (x86)\Lieberman\Roulette\LaunchApp\WebAutomation.


CONFIGURE A BASTION HOST OBJECT

To configure the web launcher settings for the ERPM website(s), in the admin console, go to Settings |

Manage Web Application | Application Launch.

The Remote Servers tab identifies the available bastion hosts and other related settings that will be used

for launching applications. The option Enable launching applications on a remote server must also be

selected on the Global tab to make use of these servers.

To add a new server, click the Add button in the lower right area of the dialog.

The following fields are mandatory:


Server configuration identifier - the friendly name of the server as it will appear in the application launcher configuration.

Remote server system name - the actual name of the bastion host. This should be the name (FQDN, simple name, or IP address) as it can be reached from the client systems that will initiate the session.

Use RemoteApp to launch the liebsoft launcher on the server - this option must be selected to remotely launch applications from the bastion host using RemoteApp, as available in Windows Server 2008 R2 and newer.

Login credential system name - this value must be populated. If ERPM will use stored (managed) credentials to log in to the bastion host, this is the name of the system/server, as it appears in ERPM, from which the credentials are drawn. A domain credential is recommended for this purpose; see the section on configuring a bastion host login account.

Login credential account name - the name of the account that will be used to log in to the bastion host. A domain credential is recommended for this purpose; see the section on configuring a bastion host login account.

Login credential domain name - the domain to which the account belongs. If this is a local account (not recommended), this should be the simple (NetBIOS) name of the bastion host.

Load saved password for connection from password store - select this option to pull the managed password from the ERPM password store. To use a hard-coded password instead, supply the actual password in the remote server logon password field. Prefer the managed password: a hard-coded value is not managed by ERPM.

[Script Launch] Path to script files on client systems - the path to which the script automation files are copied during installation of the AppLauncher. This path is used when launching web based applications such as Twitter, Facebook, or other web based programs. The default location of these scripts is C:\Program Files (x86)\Lieberman\Roulette\LaunchApp\WebAutomation.


Once the entries are validated, click OK to add the bastion host object. If Load saved password for connection from password store is selected and no stored password exists for the target account, a warning to that effect is shown; otherwise the dialog closes without incident.

Any of these settings can be changed at any time without having to make any changes to IIS or

performing IISReset or other administrative actions.

CONFIGURE A SESSION RECORDING HOST OBJECT

To configure the web launcher settings for the ERPM website(s), in the admin console, go to Settings |

Manage Web Application | Application Launch.

The Session Recorders tab identifies configured session recording servers. There will typically be a one to

one relationship with the servers configured on the Remote Servers tab.


Session recording only works for applications launched via the LiebsoftLauncher application. Any user who retrieves a password and connects directly will not have that session recorded by this technology.

The session recording system consists of two components: the session recorder and the video transcoder. When a session is recorded on a bastion host, the session recorder does the recording. The files are created in a raw format and placed in the configured source directory. The Lieberman file watcher picks up the raw files and moves them to the working directory, where they are formatted, converted, and watermarked. Completed files are then moved to the SessionRecording directory. It is recommended that the transcoder NOT be the same system as the bastion host/session recorder, due to resource constraints (CPU in particular).

To add a new server, click the Add button in the lower right area of the dialog.

The following fields are mandatory:


Configuration label - the friendly name of the server as it will appear in the application launcher configuration.

Basic configuration - use this option if the session recording host will perform both recording and transcoding. Recorder options are Expressions 4, VLC, and Windows Problem Steps Recorder; Expressions 4 is recommended. With this option the output path defaults to a local path.

Advanced configuration - use this option to place recordings in a custom location, or when video transcoding will occur on a separate host (the typical case). Changing the Assembly path or Type in Assembly values is not recommended.

Abort application launch if session recording fails - with this option selected, if session recording fails to initialize, the remote session is logged off and no remote app launch occurs. Leave it selected wherever an unrecorded privileged session is unacceptable.

Output path - if the bastion host performs both session recording and video transcoding and the recordings should go to an alternate location, specify the path here. If transcoding occurs on a separate host, this should be a UNC path (\\server\source) to the Source share on the transcoder host.

File name template - the default value is SessionRecording-$(SessionID), where SessionRecording- is the filename prefix and $(SessionID) is a variable holding the session ID of the remote app launch. The name may be changed, but do not remove the $(SessionID) value from it, and do not include a file extension.


Once the entries are validated, click OK to add the session recorder host object.

Any of these settings can be changed at any time without having to make any changes to IIS or

performing IISReset or other administrative actions.

CONFIGURE ERPM WEBSITE FOR SESSION PLAYBACK

In order to play back recorded sessions, ERPM needs to know the location of the machine holding the completed session recordings. From the previous sections, this will most likely be the video transcoder host, which is also most likely the ERPM web server.

For reference, session recording consists of two pieces: recorder and transcoder. The recorder is typically the bastion host, while the transcoder is recommended to be another machine (due to CPU and RAM constraints). The transcoder host is typically the ERPM web server and converts the raw video from the session recorder into playable video. These videos are played back via streaming media services through the ERPM website.


The flow for session recording is as follows:

1) Application is launched on a bastion host and session recording is initiated.

2) After the session exits, the file will be copied to the source directory on the transcoder host.

3) Raw video will be converted and placed into the SessionRecording directory on that host.

4) IIS and Media Server will stream the videos to requesting authorized users.

The machine performing the video transcoding will have IIS configured with a virtual directory under the default root website called SessionRecording. It is this URL that is provided to the ERPM website configuration. The SessionRecording URL may be served with or without SSL but should be configured for anonymous authentication. Because the directory is anonymous, the recordings are protected only by network access to this host and by the GUID in their file names; restrict which networks can reach the SessionRecording directory, and prefer SSL so recordings of privileged sessions are not readable in transit.

To configure ERPM with the SessionRecording URL open the admin console, and click on the Manage

Web App button on the left action pane. Go to the Options | Configure default web application options

menu.

On the User/Session Management tab, enter the URL for the transcoder/media server where the videos

are hosted from in the Session playback URL field. If using HTTPS, be sure to enter the valid name of the

server that matches the assigned name on the certificate to avoid certificate errors. A typical URL will be

similar to https://server.your.domain/sessionrecording/. Be aware that the system is expecting a

trailing forward slash at the end of the URL.


Click OK once the URL is entered.


If updating an existing website with this new information, right-click on the website instance and select

Replace instance options with default web application options. There is no need to restart any servers

or components after making this change.

Once the URL is added and sessions have been recorded, users with access to the auditing section of the ERPM website will be able to play back any recorded sessions that exist. Such recorded sessions are shown in the ERPM auditing section with a camera icon next to their audit entry.


Click the camera icon to play back the recorded session.


CONFIGURE APPLICATIONS FOR LAUNCHING

To configure the web launcher settings for the ERPM website(s), in the admin console, go to Settings |

Manage Web Application | Application Launch.

The Applications tab identifies the applications which can be made available to launch from the ERPM

website and other related settings that will be used when launching these applications. Once an

application is added, it must be properly configured before it may be launched.

Lieberman Software ships a number of pre-configured application objects. Most will still require additional configuration before they can be used to launch the target application. To add the pre-defined applications, click the Add Defaults button in the lower left area of the dialog. Add new applications by clicking the Add button. Duplicate or edit existing applications with the Copy or Edit buttons respectively.

When editing an application, there are many elements to fill out. The required elements for a basic application configuration to be valid are:


Remote application label - this is the friendly name of the application as it will appear in the ERPM

website.

Remote launch type - select from the available launch types:

LAUNCH APPLICATION WITH COMMAND LINE PARAMETERS - use this for any application that can be launched with command line options, such as SQL Server Management Studio, PuTTY, VMware vCenter, etc.

OPEN WEB APPLICATION WITH FORM POST - use this for websites that only require a basic form post and do not use JSON, YAML, or other technologies for passing the user name and password.

LAUNCH TERMINAL SERVICES CLIENT - use this for launching the Microsoft Terminal Services client.

LAUNCH APP THROUGH .NET ASSEMBLY - use this when an external .NET assembly will perform the connection and credential passing.

LAUNCH APP THROUGH SCRIPT AUTOMATION - most frequently used for launching MMCs, websites that do not accept the user name and password through a basic form post (see most web examples in the default list), fat clients that do not take command line parameters, etc.

Configure Allowable Types - defines the account types for which the application will be available. At least one account type must be selected. This is what makes an application available for Windows but not Linux, or for MS SQL but not Oracle.

The above elements are the basic, always required elements. Keep reading to find out more about the

other elements.


To set a custom icon for the application, locate the physical ERPM website installation files. Typically, this

will be at %inetpub%\wwwroot\PWCWeb. All file paths defined for the icons will be relative to this path.

It is recommended to create a custom folder (example "CompanyIcons") and add your icons to this

folder so they will persist through website upgrades. Then for the icon path, simply add the

FolderName\IconName.gif. All GIF files should be 32x32 pixels.

Run on the jump server - use this option to launch the target application from a bastion host/jump server (configured previously). If this option is not selected, the application will attempt to launch locally on the user's workstation. If it is selected, the application is launched on the jump server, where it must already be installed. This is a per-application setting.

Enable session recording - this option is available only if a session recording host is configured. When set, launching this application on a jump server records just this application being run. This is a per-application setting.

Always use the specified account when starting this application - when this option is NOT selected (default), the application is made available for the selected account type(s) (Configure Allowable Account Types), which means potentially any account of those types could be used to launch it. When the option is enabled, ERPM pulls a predefined credential from the account store and always uses that account to launch the application. The application is then not shown in the Launch App section of the ERPM website; instead it appears in the Applications section for the users that have permission to launch it. The Launch App section is accessible when viewing specific managed passwords, whereas Applications is always available regardless of managed passwords.

Depending on the selected Remote launch type, additional parameters will be required. The following

text outlines what these other parameters are.

Launch application with command line parameters

APPLICATION - mandatory - the name of the executable without the path.

COMMAND LINE - mandatory - the parameters to launch the executable with.

APPLICATION LOCATION - optional - an application location must also be defined, either as a full physical path in the application location field, or by configuring the launcher to search for, and optionally download, a ready-to-run executable from a predefined network path (At launch download file from path). A physical path MUST be defined when launching the application from a jump server. If a physical path is not defined in the application location field, the option Search for application on local system should be enabled. Sub-options for the search include searching the system root or the program files directories; additional include and exclude directories may also be defined. Separate multiple values with a semicolon. There is no variable replacement such as %systemroot% or %inetpub%, so full physical locations must be used.

ONLY RUN SIGNED EXECUTABLES - optional - ensures the program carries a digital signature. When enabled, an additional verification can be configured to validate specific fields of the signature, such as the certificate serial number or certificate issuer. Checking only that a signature exists is a weak control, since any signed binary passes; pin the issuer or serial number as well.

ONLY RUN EXECUTABLES WITH EXPECTED HASHES - optional - lets the admin define hashes of the target application. This ensures that nobody has substituted a renamed malicious executable, and that only a specific patched version runs. Multiple hashes can be calculated and defined from this dialog.
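The search and hash controls just described, modelled as an added example rather than the product's own code: resolve an executable by bare name across search roots with semicolon-separated include and exclude directories, then refuse the launch unless the file's SHA-256 is on the allow list. The first-match-wins search order, case-insensitive name matching, the choice of SHA-256 (the page does not say which hash algorithm the dialog uses), and the constructed directory layout in demo() (a genuine putty.exe under Program Files and a renamed look-alike in Windows\Temp) are assumptions.

```python
"""Name-based application search plus hash allow-listing, as an added example.

Models the launcher's "Search for application on local system" option with
include/exclude directories, then gates the launch on an expected-hash list.
Search order, case-insensitive matching and SHA-256 are assumptions.
"""
import hashlib
import hmac
import os
import tempfile
from pathlib import Path


def split_list(value):
    """Semicolon-separated list of full physical paths, as the dialog expects."""
    items = [p.strip() for p in value.split(";") if p.strip()]
    for p in items:
        if "%" in p:  # the launcher does no %systemroot%-style replacement
            raise ValueError("environment variables are not expanded: %s" % p)
    return [Path(p) for p in items]


def find_application(name, search_roots, include_dirs=(), exclude_dirs=()):
    """First file named `name` (case-insensitive) under the roots and include
    dirs, in that order, never descending into an excluded directory."""
    excluded = [Path(e).resolve() for e in exclude_dirs]
    for root in list(search_roots) + list(include_dirs):
        for dirpath, dirnames, filenames in os.walk(root):
            here = Path(dirpath).resolve()
            if any(here == ex or ex in here.parents for ex in excluded):
                dirnames[:] = []  # prune: do not walk below an excluded dir
                continue
            for f in filenames:
                if f.lower() == name.lower():
                    return here / f
    return None


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_allowed(path, expected_hashes):
    """True if the file matches any listed hash (several patched versions may
    be listed). Constant-time compare avoids leaking how close a guess was."""
    actual = sha256_file(path)
    return any(hmac.compare_digest(actual, h.lower()) for h in expected_hashes)


def resolve_for_launch(name, search_roots, expected_hashes,
                       include_dirs=(), exclude_dirs=()):
    """Return (path, reason); path is None when the launch must be refused."""
    found = find_application(name, search_roots, include_dirs, exclude_dirs)
    if found is None:
        return None, "not found"
    if not hash_allowed(found, expected_hashes):
        return None, "hash mismatch for %s (renamed or unexpected binary)" % found
    return found, "ok"


def demo():
    """Constructed layout (assumption): a genuine putty.exe under Program Files
    and a same-named look-alike in a directory that is searched earlier."""
    base = Path(tempfile.mkdtemp())
    good = base / "Program Files" / "PuTTY" / "putty.exe"
    bad = base / "Windows" / "Temp" / "putty.exe"
    for p, body in ((good, b"genuine putty build"), (bad, b"renamed malicious binary")):
        p.parent.mkdir(parents=True)
        p.write_bytes(body)
    allowed = [sha256_file(good)]           # what the admin calculated in the dialog
    roots = [base / "Windows", base / "Program Files"]   # system root searched first
    blocked = resolve_for_launch("PUTTY.EXE", roots, allowed)
    excluded = resolve_for_launch("PUTTY.EXE", roots, allowed,
                                  exclude_dirs=[base / "Windows" / "Temp"])
    return {"blocked": blocked, "excluded": excluded, "good": good, "bad": bad}


if __name__ == "__main__":
    r = demo()
    print("no exclusion :", r["blocked"])
    print("Temp excluded:", r["excluded"])
```

The first run finds the look-alike first and the hash check refuses it; the second run, with Windows\Temp excluded, reaches the genuine file. Without the hash list the search would have launched whatever was found first, which is exactly the renamed-executable case the option guards against.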

APPLICATION USES STORED PRIVATE KEY - optional - allows programs that can use certificates or private keys (such as SSH clients) to specify which one to use when connecting. These must have been imported and assigned beforehand via the administrative console at Settings | User Keys | Import Keys.

APPLICATION USES GATEWAY SERVER - optional - available if an SSH proxy/gateway is defined (Admin console at Settings | Manage Web Application | Remote Gateway Servers). This is useful when a client must first connect to an SSH proxy before reaching the final SSH target. The process uses plink.exe, and the plink.exe download location must be set to the path on the jump server where plink.exe resides. Plink.exe is installed in the launch app folder on the bastion host if the PuTTY files are also installed when installing the application launcher. Plink.exe can also be downloaded from http://www.putty.org.

Open web application with form post - use this for websites that only require a basic form post and do not use JSON, YAML, or other technologies for passing the user name and password.

WEB PAGE - mandatory - the URL of the login page including protocol, such as http://webserver/pwcweb/login.asp.

NAME-VALUE PAIR - mandatory - the form field names and the variables supplying the user name and password.

Launch terminal services client - use this for launching the Microsoft Terminal Services client. There

are no additional requirements to setup this launch type.

Launch app through .net assembly - used when an external .NET assembly will perform the connection and credential passing.

ASSEMBLY PATH - mandatory - the full physical file path to the .NET assembly.

TYPE NAME - mandatory - the name of the .NET interface.

Launch app through script automation - most frequently used for launching MMCs, websites that do not accept the user name and password through a basic form post (see most web examples in the default list), fat clients that do not take command line parameters, etc. When driving a web page, the scripts in the script path use the Internet Explorer DOM to drive the IE browser interface, looking for specifically named fields and buttons.

Script path - mandatory - the name of the script to run, including the extension, for example login_azuremgmt.vbs. The script is looked up under the [Script Launch] Path to script files element of the bastion host configuration dialog (see the Configure a Bastion Host Object section).

Automation URL - mandatory - the URL the script will drive. For example, http://manage.windowsazure.com or, for a device, https://$(RemoteAccessTarget_TargetName)/login.html.

See the next sub-section for replaceable variables in the command line or automation URL paths.

VARIABLES FOR APP LAUNCHING

When launching an application from the command line or via web automation scripts, there are many

available variables for ERPM to use to pass the user name, password, target server and more. What

follows is a list of available variables which can be used for replacement.

Consider how the process works: DEMO\Broberts logs in to the ERPM web application and clicks Launch App. This causes a secondary account (DEMO\BastionLogin) to connect to the bastion host and start the liebsoftlauncher.exe program. LiebsoftLauncher connects back to the web service and retrieves the program settings, including target system, target user name, and target password. In this example it connects to a server called DB2012 as SA with the SA password.

For this example the elements map to the following variables:

DEMO\Broberts = $(SourceAppLogin) or $(UserEnteredLoginUsername)

DEMO\BastionLogin = NOT EXPOSED

DB2012 = $(RemoteAccessTarget_TargetName)

SA = $(Username) or $(AccountName_FullyQualified)

SA Password = $(Password) or $(Password_Raw)

Following is a list of all possible variables.


$(UserEnteredLoginUsername) - same as $(SourceAppLogin), is the account used to login to the

ERPM web application.

$(UserEnteredLoginUsername:RemoveNTSyleNamespace) - prunes the domain name from the user name. From the example above, DEMO\Broberts becomes simply Broberts.

$(UserEnteredLoginUsername:ReplaceBackslashWithDot) - retains the domain name with the user name but replaces the backslash with a dot. From the example above, DEMO\Broberts becomes DEMO.Broberts. Use this variable when a name is required that will not be interpreted as a path when creating directories.

$(SourceAppLogin) - same as $(UserEnteredLoginUsername), is the account used to login to the app

[component] which is triggering the launcher, i.e. the RDP user to the bastion host.

$(SourceAppLogin:RemoveNTSyleNamespace) - prunes the domain name from the user name. From the example above, DEMO\Broberts becomes simply Broberts.

$(SourceAppLogin:ReplaceBackslashWithDot) - retains the domain name with the user name but replaces the backslash with a dot. From the example above, DEMO\Broberts becomes DEMO.Broberts. Use this variable when a name is required that will not be interpreted as a path when creating directories.

$(Username) - this is the name of the target account. From the example above, SA.

$(AccountName_FullyQualified) - building on the $(Username) variable, this will pre-pend the

domain pre-fix to the account name if applicable.

$(Password) - the regex escaped password (e.g. pass\"word ).

$(Password_Raw) - the raw un-escaped password.

$(RemoteAccessTarget_TargetName) - the target host to which the application will connect.

$(LauncherPath) - the path to the application launcher.

$(SessionID) - GUID for the launcher link.

$(PrivateKey) - the file path for the DER encoded private key (if available).

$(PrivateKeyPassphrase) - the pass phrase, if present for $(PrivateKey).

$(PuttyKey) - the file path for the putty encoded private key (if available).

These variables are used inline and replaced by ERPM at the time the application is launched. For example, if in the website the user were to go to the MSSQL database instance on a server called DB2012 and connect with the built-in (and managed) SA account, the command line syntax would be:

-S $(RemoteAccessTarget_TargetName) -U $(Username) -P $(Password) -nosplash

The switches (-S, -U and -P) are part of the SSMS.EXE executable. The values of $(RemoteAccessTarget_TargetName), $(Username), and $(Password) would be replaced by the name of the server (DB2012), the name of the account (SA), and the password for SA respectively.
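As an added illustration (not ERPM's own code), the following Python snippet shows how a template like the one above expands. The substitution engine, the constructed sample values, and the exact escaping rule applied for $(Password) are assumptions that mirror the manual's DEMO\Broberts, DB2012, SA and pass\"word examples.

```python
import re
# Matches $(Name) and $(Name:Modifier), the two forms used in launcher templates.
VAR_PATTERN = re.compile(r"\$\((\w+)(?::(\w+))?\)")

def remove_nt_style_namespace(name):
    # :RemoveNTSyleNamespace -- DOMAIN\user becomes user
    return name.split("\\", 1)[1] if "\\" in name else name

def replace_backslash_with_dot(name):
    # :ReplaceBackslashWithDot -- DOMAIN\user becomes DOMAIN.user (never a path)
    return name.replace("\\", ".")

def escape_password(raw):
    # Assumed rule for $(Password): backslash-escape quotes and backslashes,
    # matching the manual's pass\"word example. $(Password_Raw) is left as-is.
    return re.sub(r'([\\"])', r"\\\1", raw)

MODIFIERS = {
    "RemoveNTSyleNamespace": remove_nt_style_namespace,
    "ReplaceBackslashWithDot": replace_backslash_with_dot,
}

def build_context(login_user, target, account, raw_password, domain=None):
    # The values ERPM would supply for one launch (assembled here for illustration).
    return {
        "UserEnteredLoginUsername": login_user,
        "SourceAppLogin": login_user,
        "RemoteAccessTarget_TargetName": target,
        "Username": account,
        "AccountName_FullyQualified": f"{domain}\\{account}" if domain else account,
        "Password": escape_password(raw_password),
        "Password_Raw": raw_password,
    }

def expand(template, context):
    # Replace each variable; unknown names or modifiers fail loudly instead of
    # leaving literal $(...) text in the command line.
    def substitute(match):
        name, modifier = match.group(1), match.group(2)
        if name not in context:
            raise KeyError(f"unknown launcher variable $({name})")
        value = context[name]
        if modifier is not None:
            if modifier not in MODIFIERS:
                raise KeyError(f"unknown modifier :{modifier}")
            value = MODIFIERS[modifier](value)
        return value
    return VAR_PATTERN.sub(substitute, template)

# Constructed sample mirroring the manual's example; the password is made up.
CONTEXT = build_context("DEMO\\Broberts", "DB2012", "SA", 'pass"word')
SSMS_TEMPLATE = "-S $(RemoteAccessTarget_TargetName) -U $(Username) -P $(Password) -nosplash"
```

Calling expand(SSMS_TEMPLATE, CONTEXT) yields the fully substituted command line; note that $(Password) and $(Password_Raw) differ only when the password contains characters the escaping rule touches.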


As of ERPM version 4.83.8, a user with either of the following sets of permissions will be able to launch applications:

1) All Access
2) View account, recover password, remote sessions, and permissions for the specific application being launched.

USING APPLICATION LAUNCHING


When the user does not have all access, not only are permissions required to retrieve the password, but additional permissions are required to even launch a specific application. To define these permissions, use the admin console and go to Delegation | Web application remote application permissions. Click Add in the lower left corner, then select an available identity, click OK, then select one or more applications the user can launch.

There are two types of application launching in ERPM: launching with variable account and system information, and launching with pre-defined account and system information. The difference in app configuration is whether the option in the lower right corner of the application configuration, which says to always use the specified account, is selected or not. If the option is selected, the application will appear in the Applications portion of the website. If the option is not selected, the user must go to the Launch App section next to the system/account they wish to use to connect.

Launching an App as a Pre-Configured Application

To launch an application which has been pre-configured for a specific account and target, such as a company's Twitter or Facebook page, the user will click the Applications link on the left pane, then click on the application to launch. Only applications that are pre-configured to always launch as a specific user and that the login user has access to will be shown on this page. If an application is not shown, it is a sign of at least one of two possible causes:

The user has no permission to launch an application
There are no apps configured to always run as a specific user

Launching an App Using Variable Target and Account Information

Once the target system and account to connect as are located in the Managed Password section of the website, click Launch App.

All applications available to the user for the specific account type will then be shown. If the RDP icon appears at the right edge of the black title bar, that indicates the application is configured to launch via a bastion host. If the camera icon appears at the right edge of the black title bar, that indicates the session will be recorded.

To launch the application, click Launch. What happens next will depend on whether the application is configured to launch locally or from a bastion host and whether or not the user has performed this process previously. If connecting via a bastion host, the system will initiate a series of calls to the bastion host and the LiebsoftLauncher on that host. This will be visible to the user. If the user has not previously launched an app from the machine/profile they are currently logged into, they will likely receive a couple of security prompts.


Each application also has an Advanced launch configuration. Clicking Advanced will allow the interactive user to specify alternate credentials with which to connect to the target system. These could be static credentials or other credentials stored in ERPM (if the user has the rights to retrieve the password). Generally, it will not be necessary to manipulate the advanced settings.


Once any sessions have been recorded, users with access to the auditing section of the ERPM website will be able to play back any recorded sessions that exist. Such recorded sessions will be visible in the ERPM auditing section with a camera icon next to their audit entry.

Simply click on the camera icon to play back the recorded session.

The session properties page will identify user, IP address, and time stamp information and more. To play back the recording, simply choose the desired recording and click Play Recording.

AUDITING APPLICATION LAUNCHING


The video will open in the system's preferred media player and begin streaming automatically.


INDEX

1
1. INSTALLING REMOTE DESKTOP SERVICES • 12
1. ON THE TRANSCODER HOST • 48

2
2. INSTALLING DESKTOP EXPERIENCE • 39
2. ON THE BASTION HOST • 60

3
3. INSTALLING APPLICATION LAUNCHER AND SESSION RECORDING • 48

4
4. SETTING UP RDS FOR APPLICATION LAUNCHING • 73

5
5. SETTING UP STREAMING MEDIA SERVICES • 84

6
6. CONFIGURING IIS TO HOST RECORDED SESSIONS • 89

A
AUDITING APPLICATION LAUNCHING • 147

B
BACKGROUND AND GOALS • 8

C
CONFIGURE A BASTION HOST OBJECT • 119
CONFIGURE A SESSION RECORDING HOST OBJECT • 124
CONFIGURE APPLICATIONS FOR LAUNCHING • 133
CONFIGURE ERPM WEB SETTINGS • 116
CONFIGURE ERPM WEBSITE FOR SESSION PLAYBACK • 129
CONFIGURING A BASTION HOST LOGIN ACCOUNT • 91
CONFIGURING APPLICATION LAUNCHING • 91
CONFIGURING REMOTE APP FOR SERVER 2008 R2 • 80
CONFIGURING REMOTE APP FOR SERVER 2012 (R2) • 73

I
INSTALLING APPLICATION LAUNCHER AND SESSION RECORDING WITH A BASTION HOST • 11
INSTALLING DESKTOP EXPERIENCE FOR SERVER 2008 R2 • 43
INSTALLING DESKTOP EXPERIENCE FOR SERVER 2012 (R2) • 39
INSTALLING REMOTE DESKTOP SERVICES FOR SERVER 2008 R2 • 29
INSTALLING REMOTE DESKTOP SERVICES FOR SERVER 2012 (R2) • 12
INTRODUCTION • 5

L
LICENSE AGREEMENT • 5
LIMITED WARRANTY • 6

O
OVERVIEW • 7

P
PRE-REQUISITES • 9

U
USING APPLICATION LAUNCHING • 141

V
VARIABLES FOR APP LAUNCHING • 139