[enterprise] random password manager...erpm/rpm provide more functionality beyond password...
TRANSCRIPT
[Enterprise] Random Password Manager
Application Launching & Session Recording
4.83.8
Copyright © 2003-2014 Lieberman Software Corporation.
All rights reserved.
The software contains proprietary information of Lieberman Software Corporation; it is provided under a
license agreement containing restrictions on use and disclosure and is also protected by copyright
law. Reverse engineering of the software is prohibited.
Due to continued product development this information may change without notice. The information
and intellectual property contained herein is confidential between Lieberman Software and the client
and remains the exclusive property of Lieberman Software. If there are any problems in the
documentation, please report them to Lieberman Software in writing. Lieberman Software does not
warrant that this document is error-free.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or
by any means, electronic, mechanical, photocopying, recording or otherwise without the prior written
permission of Lieberman Software.
Microsoft, Windows, Word, Office, SQL Server, SQL Express, Access, MSDE, and MS-DOS are either
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries. Other brands and product names are trademarks of their respective owners.
Lieberman Software Corporation
1900 Avenue of the Stars
Suite 425
Los Angeles
CA 90067
310.550.8575
Internet E-Mail: [email protected]
Website: http://www.liebsoft.com
iii
CONTENTS
INTRODUCTION .............................................................................................................................5
License Agreement .............................................................................................................................. 5
Limited Warranty ................................................................................................................................ 6
Overview ............................................................................................................................................. 7
Background and Goals ......................................................................................................................... 8
PRE-REQUISITES ............................................................................................................................9
INSTALLING APPLICATION LAUNCHER AND SESSION RECORDING WITH A BASTION HOST ............. 11
1. Installing Remote Desktop Services ..............................................................................................12
Installing Remote Desktop Services for Server 2012 (R2) ............................................................12 Installing Remote Desktop Services for Server 2008 R2 ..............................................................27
2. Installing Desktop Experience .......................................................................................................37
Installing Desktop Experience for Server 2012 (R2) .....................................................................37 Installing Desktop Experience for Server 2008 R2 .......................................................................40
3. Installing Application Launcher and Session Recording ................................................................45
1. On the Transcoder Host ...........................................................................................................45 2. On the Bastion Host .................................................................................................................57
4. Setting up RDS for Application Launching .....................................................................................70
Configuring Remote App for Server 2012 (R2) ............................................................................70 Configuring Remote App for Server 2008 R2 ...............................................................................76
5. Setting Up Streaming Media Services ...........................................................................................81
6. Configuring IIS to Host Recorded Sessions ....................................................................................86
CONFIGURING APPLICATION LAUNCHING .................................................................................... 89
Configuring a Bastion Host Login Account ........................................................................................89
Configure ERPM Web Settings ........................................................................................................114
Configure a Bastion Host Object .....................................................................................................116
Configure a Session Recording Host Object ....................................................................................119
Configure ERPM Website for Session Playback ..............................................................................123
Configure Applications for Launching .............................................................................................128
Variables for App Launching ......................................................................................................132
USING APPLICATION LAUNCHING .............................................................................................. 135
AUDITING APPLICATION LAUNCHING ......................................................................................... 141
INDEX ....................................................................................................................................... 143
5
This manual makes reference to both Random Password Manager (RPM) and Enterprise Random
Password Manager (ERPM). The concepts and steps outlined in this manual are applicable to both
ERPM and RPM except as where expressly noted.
This chapter includes an overview of ERPM and RPM, what problems it is designed to solve, performance
information, expected pre-requisite knowledge, and some background information on Windows.
This chapter also includes the license and warranty information for ERPM and RPM.
IN THIS CHAPTER
License Agreement .................................................................................... 5
Limited Warranty ...................................................................................... 6
Overview ................................................................................................... 7
Background and Goals ............................................................................... 8
LICENSE AGREEMENT
This is a legal and binding contract between you, the end user, and Lieberman Software Corporation.
By using this software, you agree to be bound by the terms of this agreement. If you do not agree to
the terms of this agreement, you should return the software and documentation as well as all
accompanying items promptly for a refund.
1. Your Rights: Lieberman Software Corporation hereby grants you the right to use a single copy of
[Enterprise] Random Password Manager to control the licensed number of systems and/or devices.
2. Copyright. The SOFTWARE is owned by Lieberman Software Corporation and is protected by United
States copyright law and international treaty provisions. Therefore, you must treat the software like
any other copyrighted material (e.g. a book or musical recording) except that you may either (a) make
one copy of the SOFTWARE solely for backup and archival purposes, or (b) transfer the SOFTWARE to a
single hard disk provided you keep the original solely for backup and archival purposes. The manual is
a copyrighted work also--you may not make copies of the manual for any purpose other than the use of
the software.
3. Other Restrictions: You may not rent or lease the SOFTWARE. You may not reverse engineer,
de-compile, or disassemble the SOFTWARE that is provided solely as executable programs (EXE files). If
the SOFTWARE is an update, any transfer must include the update and all prior versions.
INTRODUCTION
Introduction 6
4. Notice: This software contains functionality designed to periodically notify Lieberman Software
Corporation of demo usage and of the detection of suspected pirated license keys. By using this
software, you consent to allow the software to send information to Lieberman Software Corporation
under these circumstances, and you agree to not hold Lieberman Software Corporation responsible for
the use of any or all of the information by Lieberman Software Corporation or any third party.
When used lawfully, this software periodically transmits to us the serial number and network
identification information of the machine running the software. No personally identifiable information
or usage details are transmitted to us in this case. The program does not contain any spyware or
remote control functionality that may be activated remotely by us or any other 3rd party.
Lieberman Software Corporation
1900 Avenue of the Stars
Suite 425
Los Angeles
CA 90067
310.550.8575
Internet E-Mail: [email protected]
Website: http://www.liebsoft.com
LIMITED WARRANTY
The media (optional) and manual that make up this software are warranted by Lieberman Software
Corporation to be free of defects in materials and workmanship for a period of 30-days from the date of
your purchase. If you notify us within the warranty period of such defects in material and workmanship,
we will replace the defective manual or media.
The sole remedy for breach of this warranty is limited to replacement of defective materials and/or
refund of purchase price and does not include any other kinds of damages.
Apart from the foregoing limited warranty, the software programs are provided "AS-IS", without
warranty of any kind, either expressed or implied. The entire risk as to the performance of the programs
is with the purchaser. Lieberman Software does not warrant that the operation will be uninterrupted or
error-free. Lieberman Software assumes no responsibility or liability of any kind for errors in the
programs or documentation of/for consequences of any such errors.
Introduction 7
This agreement is governed by the laws of the State of California.
Should you have any questions concerning this Agreement, or if you wish to contact Lieberman
Software, please write:
Lieberman Software Corporation
1900 Avenue of the Stars
Suite 425
Los Angeles
CA 90067
You can also keep up to date on the latest upgrades via our website at http://www.liebsoft.com or
e-mail us at: [email protected].
OVERVIEW
This manual makes reference to both Random Password Manager (RPM) and Enterprise Random
Password Manager (ERPM). The concepts and steps outlined in this manual are applicable to both
ERPM and RPM except as where expressly noted.
Random Password Manager is designed to randomize and store the passwords for accounts on target
systems on a regular recurring basis. Because these passwords are stored and managed by the
program, they can be retrieved via a delegated web interface. Access to the password store as well as
other web interface features can be limited to specific Windows groups, Windows users, or explicit
accounts.
Enterprise Random Password Manager builds on the concepts introduced with Random Password
Manager by automatically discovering all references to the specified account, such as services, tasks,
COM and DCOM objects, and more, and following a password change for a users account, whether
domain or local, propagating the new password to all those references.
ERPM/RPM provide more functionality beyond password management, password vaulting, and session
management. ERPM/RPM also provide for:
Account escalation - the ability to add a user to a pre-defined group with higher privileges than the
user would normally have on a target system and then automatically remove that access.
Secure file storage - the ability to upload and store as an encrypted data blob in the programs secure
data store, any file such as password spread sheets, digital certificates, instructions, and more. After
the files are uploaded, an ACL system identifies what users will be able to retrieve the files while
auditing access to the files.
Orchestration - ERPM can run headless; being controlled programmatically. This permits tight
integration in other systems such as work-flow engines, run book orchestration for user and system
provisioning and de-provisioning, programmatic access to almost all functions, and much more. This
Introduction 8
control os provided via SOAP based web services and PowerShell. User's may tie into ERPM using any
program or language which can call the web service or PowerShell.
Privileged Account Management - providing session based control to privileged accounts to run
specific programs against specific hosts. Via the optional bastion server model, any program,
website, script, etc., may be run in a controlled and secured environment to allow users from
network access to specific systems or other trusted or untrusted networks using specific tools with
specific feature sets. This allows access to the tool set need to get a job done without providing
direct physical access or access to the credential.
Session Recoding - building on the concept of privileged account management, when using the
optional bastion host, these sessions can be recorded for later playback and auditing of the user
actions that took place during a user's session. This further helps to comply with auditing mandates
as well as training procedures.
BACKGROUND AND GOALS
The Need for Strong Local Credentials
Organizations with a need for the most basic access security should use unique local logon credentials
customized for each workstation and server in their environment. Unfortunately, most organizations
use common credentials (same user name and password for the built-in administrator account) for each
system for the ease of creating and managing those systems by the IT Department without any concern
as to the consequences to the organization should these common credentials be compromised.
With the mandates of PCI-DSS, Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, California Security Breach
Information Acts, NASD 3010, SEC 17a-4, 21 CFR Part 11, DoD 5015.2 and others, the implementation of
reasonably hard to compromise local logon credentials is mandatory for most organizations as a means
for protecting not only the confidentiality of their data, but also to protect against tampering.
Creating Strong Local Credentials
Lieberman Software’s program: ERPM and RPM can change any common account on all workstations
and servers in just a few minutes without the need for scripts or any other type of program. The new
common credentials can be stored in a local or remote SQL Server database and can be recovered on
demand using the password recovery website.
Random Password Manager can be configured to regularly change the passwords of common accounts
on all target systems (i.e. workstation built-in administrator account) according to a schedule so that
each account receives a fresh cryptographically strong password regularly. This product feature
protects the overall security of an organization so that the compromise of a single machine’s local
administrator password does not lead to the total compromise of the entire organization’s security.
Pre-requisites 9
Enterprise Random Password Manager builds on the concepts introduced with Random Password
Manager by automatically discovering all references to the specified account, such as services, tasks,
COM and DCOM objects, and more, and following a password change for a users account, whether
domain or local, propagating the new password to all those references.
Delegated Password Recovery
ERPM and RPM also contains a web interface to allow the remote recovery of passwords. The web
interface is web application comprised of ASP and ASP.NET web pages that allows any user with the
appropriate group memberships the right to use the application as well as the right to recover passwords
for accounts managed by the program. All access to the web application as well as all password
recoveries are logged and the history is also available via the same web interface to authorized users.
Because this application protects and provides extremely sensitive information, it is essential that
particular attention be payed to the security settings of the application and also use appropriate
encryption such as SSL based on the scope of access provided.
For more information on security hardening, please refer to the proposed options for server hardening:
http://forum.liebsoft.com/enterprise-random-password-manager-knowledgebase/546-server-hardeni
ng-guide.html.
Windows Server operating system for bastion host and session recording:
Windows Server 2012 R2 (recommended)
Windows Server 2012
Windows Server 2008 R2
It is highly recommended for all servers in the ERPM system to be fully patched.
Note: Earlier versions of Windows Server are not supported. Windows workstation platforms are not
supported for hosting the application launcher.
The following items will be required for application launching and session recording:
PRE-REQUISITES
Pre-requisites 10
Remote Desktop Session Host server role.*
Desktop Experience if using session recording.
Existing ERPM installation and installed files (SupplementalInstallers directory)
ERPM Web Service installed with SSL and no certificate errors and accessible from the bastion host.
If using self-signed certificates, the certificate from the issuing web server should be added to the
Trusted Root Certification Authorities on the machines hosting the Web Service, Bastion Host, and
client systems.
Dot Net framework 4.x on bastion and transcoder hosts.
Dot Net framework 4.x on machines connecting to run an application.
* Microsoft Remote Desktop Services (RDS) will require additional licensing be purchased from
Microsoft.
11
The following sections outline the steps to prepare for and install the Lieberman Software Application
Launcher and optional session recording components.
Application Launching is an add-on for ERPM. Application Launching can be configured with or without
the Session Recording component. Lieberman Software provides SessionRecording for free when the
Application Launcher add-on is purchased. However, the provided session recording only works with
applications launched via the Lieberman Software application launcher.
The sections describing the installation of these components are broken down as follows:
1) Installing Remote Desktop Services
2) Installing Desktop Experience - only required if using session recording
3) Installing Application Launcher and Session Recording - session recording is optional
4) Setting up Remote Desktop Services for Application Launching
5) Setting up Streaming Media Services - required if using session recording
6) Configuring IIS to Host Recorded Sessions - required if using session recording
Sections 1, 2, & 4 all have subsections detailing how to perform the steps on Windows Server 2008 R2 or
Windows Server 2012 (R2). Section 3 has additional steps detailing how to install the application
launcher and optional session recording across multiple systems.
IN THIS CHAPTER
1. Installing Remote Desktop Services .................................................... 12
2. Installing Desktop Experience ............................................................. 37
3. Installing Application Launcher and Session Recording ...................... 45
4. Setting up RDS for Application Launching ........................................... 70
5. Setting Up Streaming Media Services ................................................. 81
6. Configuring IIS to Host Recorded Sessions .......................................... 86
INSTALLING APPLICATION LAUNCHER AND SESSION RECORDING WITH A BASTION HOST
Installing Application Launcher and Session Recording with a Bastion Host 12
1. INSTALLING REMOTE DESKTOP SERVICES
The following sub-sections show the installation of Remote Desktop Services on both a Windows Server
2008 R2 and Windows Server 2012 [R2] host. If multiple jump servers will be employed they do not need
to all be the same operating system, though they do all need to be Windows Server 2008 R2 or later
(2012 R2 recommended).
INSTALLING REMOTE DESKTOP SERVICES FOR SERVER 2012 (R2)
This section covers installation of the pre-requisites on a Windows Server 2012 and Windows Server
2012 R2 host which will function as a bastion host for the purposes of launching applications.
Open Server Manager and select Add Roles and Features.
Click Next on the Before You Begin page.
Installing Application Launcher and Session Recording with a Bastion Host 13
On the Select installation type page select Remote Desktop Services installation then click Next.
On the Select deployment type page, choose a deployment type and click Next.
Installing Application Launcher and Session Recording with a Bastion Host 14
The steps present go through a standard deployment where the admin will be required to configure a
collection post RDS installation. The Quick Start method will be faster while automatically creation a
collection, but it will also add and publish additional applications that are unnecessary and will not
provide any configuration options.
Installing Application Launcher and Session Recording with a Bastion Host 15
On the Select deployment scenario page, select Session-based desktop deployment, the click Next.
Installing Application Launcher and Session Recording with a Bastion Host 16
Click Next on the Role Services page.
Installing Application Launcher and Session Recording with a Bastion Host 17
On the Specify RD Connection Broker server page, select the server from the Server Pool field, then add
it to the selected computer field by clicking the right arrow head between the two fields.
Installing Application Launcher and Session Recording with a Bastion Host 18
Click Next to continue.
Installing Application Launcher and Session Recording with a Bastion Host 19
On the Specify RD Web Access server page, select the server from the Server Pool field, then add it to
the selected computer field by clicking the right arrow head between the two fields.
Installing Application Launcher and Session Recording with a Bastion Host 20
Click Next to continue.
Installing Application Launcher and Session Recording with a Bastion Host 21
On the Confirm selections page, click Deploy. Restart the host if required.
Upon restart, open Server Manager and click on Remote Desktop Services from the right pane, then click
on Collections from the center pane. A new collection must be made to publish the Lieberman Software
application used to launch software from the bastion host.
At the top right corner, select Tasks and click Creation Session Collection.
Installing Application Launcher and Session Recording with a Bastion Host 22
On the Before you begin page, click Next.
Installing Application Launcher and Session Recording with a Bastion Host 23
On the Name the collection page, supply a friendly name for the collection and click Next.
Installing Application Launcher and Session Recording with a Bastion Host 24
On the Specify RD Session Host server page, select the server from the Server Pool field, then add it to
the selected computer field by clicking the right arrow head between the two fields. Then click Next.
ERPM will use a proxy account to connect to the bastion host prior to launching the selected application.
This account will either need to be added to a group which can RDP to the target bastion host and launch
subsequent applications, or should be added directly as a user which can connect to the RD Session host
server. Description of this account is covered in the parent section, 1. Installing Remote Desktop
Services.
Installing Application Launcher and Session Recording with a Bastion Host 25
Click Next to continue.
Installing Application Launcher and Session Recording with a Bastion Host 26
On the Specify user profile disks page, click Next.
Installing Application Launcher and Session Recording with a Bastion Host 27
On the Confirm selections page, click Create.
An empty collection will be created. The installation and configuration of the launcher application will be
described later in this document.
INSTALLING REMOTE DESKTOP SERVICES FOR SERVER 2008 R2
This section covers installation of Remote Desktop Services on a Windows Server 2008 R2 host as
required for bastion host services.
Installing Application Launcher and Session Recording with a Bastion Host 28
Start Server Manager and select Add Roles. Click Next on the welcome page and select Remote Desktop
Services then click Next.
Installing Application Launcher and Session Recording with a Bastion Host 29
Click Next on the Introduction to Remote Desktop Services page.
Installing Application Launcher and Session Recording with a Bastion Host 30
On the Select Role Services page, select Remote Desktop Session Host, then click Next.
Installing Application Launcher and Session Recording with a Bastion Host 31
Click Next on the Uninstall and Reinstall Applications for Compatibility page.
Installing Application Launcher and Session Recording with a Bastion Host 32
On the Specify Authentication Method for Remote Desktop Session Host page, choose the option that
best suits your company's needs. The option to Require Network Level Authentication will provide
greater security but may only work properly for newer hosts and if all incoming connections are properly
verified. The option Do not require Network Level Authentication will provide greater compatibility for
all connecting system but may reduce overall security of the bastion host. Click Next to continue.
Installing Application Launcher and Session Recording with a Bastion Host 33
On the Specify Licensing Mode page, a remote desktop session license mode must be selected. If RDS
client access licenses are not yet available but will be soon, select Configure later. If unsure about what
option to choose, select Configure later, and then contact your Microsoft licensing services manager.
RDS will function for 120 days without a proper licensing server. If RDS CALs are available, then choose
the proper Per Device or Per User model for your organization.
ERPM will use a proxy account to connect to the bastion host prior to launching the selected application.
This account will either need to be added to a group which can RDP to the target bastion host and launch
subsequent applications, or should be added directly as a user which can connect to the RD Session host
server. Description of this account is covered in the parent section, 1. Installing Remote Desktop
Services.
Installing Application Launcher and Session Recording with a Bastion Host 34
Click Next to continue.
Installing Application Launcher and Session Recording with a Bastion Host 35
On the Configure Client Experience page, it is recommended to leave all options deselected. Click Next
to continue.
Installing Application Launcher and Session Recording with a Bastion Host 36
On the Confirm Installation Selections page, examine the installation selections. If everything is correct,
click Install. The server will need to reboot after installation
The installation and configuration of the launcher application will be described later in this document.
Installing Application Launcher and Session Recording with a Bastion Host 37
2. INSTALLING DESKTOP EXPERIENCE
The Desktop Experience will be required if session recording is to be enabled. If the Lieberman Software
provided free session recording will not be enabled, Desktop Experience will not be required.
Session recording will involve a bastion host to capture the session, and a system to function as a video
transcoder. These could be the same machine or separate systems. If they are separate systems, then
Desktop Experience will be installed on both systems. More information on this will be provided in later
sections.
INSTALLING DESKTOP EXPERIENCE FOR SERVER 2012 (R2)
If session recording will be configured then the Desktop Experience must be installed. To add the
Desktop Experience, open Server Manager and select Add Features.
On the Features Page, expand User Interfaces and Infrastructure, and select Desktop Experience.
Installing Application Launcher and Session Recording with a Bastion Host 38
If prompted for additional components, click Add Features.
Installing Application Launcher and Session Recording with a Bastion Host 39
Add any other requirements that other applications that will be launched from this system may require
(such as .net framework 3.51 or 4.x) and click Next.
Installing Application Launcher and Session Recording with a Bastion Host 40
Continue through to the end of the wizard. Click Close when done. Installation of the Desktop Experience
will require a restart of the host.
INSTALLING DESKTOP EXPERIENCE FOR SERVER 2008 R2
If session recording will be configured then the Desktop Experience must be installed. To add the
Desktop Experience, open Server Manager and select Add Features.
Installing Application Launcher and Session Recording with a Bastion Host 41
On the Features Page, select Desktop Experience.
Installing Application Launcher and Session Recording with a Bastion Host 42
If prompted for additional components, click Add Required Features.
Installing Application Launcher and Session Recording with a Bastion Host 43
Click Next to continue.
Installing Application Launcher and Session Recording with a Bastion Host 44
Once the installation is complete, click Close and restart the server.
Installing Application Launcher and Session Recording with a Bastion Host 45
3. INSTALLING APPLICATION LAUNCHER AND SESSION RECORDING
This step includes installation of session recoding options. The particular session recording options may
be safely omitted if the Lieberman Software provided free session recording will not be enabled. If the
Lieberman Software free session recording will not be installed, then skip the session titled On the
Transcoder Host and go straight to the section titled On the Bastion Host.
The application launching capability of ERPM is best utilized with a bastion host. A bastion host in the
context of ERPM is a Windows Remote Desktop Session Services machine (formerly Terminal Services)
that will proxy connection attempts made to specific target systems. The bastion host will have all
programs used to connect to target systems installed on it. ERPM will use a proxy account to connect to
the bastion host. This account can and should be managed by ERPM, but automated management is not
necessary as a static un-stored password may also be used.
Session recording for ERPM is a feature that accompanies the application launcher such that remote
sessions initiated by ERPM through the bastion host may be recorded. Recorded sessions will be copied
from the bastion host to a machine functioning as a video transcoder. Videos will be converted from the
raw format to one that may be played back by the machine functioning as a streaming media server.
The bastion may function as both recorder and transcoder and streaming media server. However,
transcoding of videos requires significant overhead in terms of CPU usage. It is recommended to use the
system functioning as ERPM web server to also function as the streaming media server and possibly as
the video transcoder.
This section outlines the installation of session recording for application launching on two separate
machines functioning independently. In sub-section 5, the installation of streaming media services will
be detailed for the purposes of streaming the final recorded sessions.
1. ON THE TRANSCODER HOST
To begin installing the session recording software on the machine that will function as the video
transcoder, open the SupplementalInstallers sub-folder from the ERPM installation directory, typically
"%programfiles (x86)\Lieberman\Roulette". Copy ERPMRemoteLauncherInstaller.exe to the machine
that will function as the transcoder and launch the installer.
Installing Application Launcher and Session Recording with a Bastion Host 46
Click Next on the welcome page.
Installing Application Launcher and Session Recording with a Bastion Host 47
Read and accept the license agreement to continue installation. Then click Next to continue.
Enter the full SSL secured URL to ERPM application launcher web service. The web service is a separate
installation, typically on the ERPM web server. The application launcher web service is installed is
installed with the standard ERPMWebService installer package. The URL is typically
https://webserverHost/ERPMWebService/WebLauncherBackEndService.svc.
Click Test to validate the URL. Any certificate issues must be corrected before installation can properly
succeed. If the web page does not appear at all, validate the URL and try again or install the web service.
Installation instructions for the web service are included in the administrators guide within the SDK
section.
Installing Application Launcher and Session Recording with a Bastion Host 48
If the page tests without issue or errors, click Next to continue.
For the transcoder host, select to install:
Installing Application Launcher and Session Recording with a Bastion Host 49
Microsoft Expression 4 Encoder SP2
Session Recorder and File Watcher Service
Select the installation directory. Click Next to continue.
Installing Application Launcher and Session Recording with a Bastion Host 50
On the transcoder host, make note of the source and destination directories. This directory will be used
in later instructions when setting up the application launcher and streaming media services. This
directory will also be shared between the transcoder and bastion hosts if they are on two separate
systems.
On the transcoder host, set the service identity to run as either Local System or as a Specific User.
Local system offers the benefit of already having proper access and no password management
requirements.
Running as a specific user will offer the path of least privilege but will require configuring NTFS
permissions on the Source directory from the previous step for read, write, and delete files (Modify)
and will also require a password be managed (which ERPM has the ability to do automatically).
Running the File Watcher service as Local System is recommended on the transcoder host.
Installing Application Launcher and Session Recording with a Bastion Host 51
Click Next to continue.
Installing Application Launcher and Session Recording with a Bastion Host 52
Click Install to continue.
Installing Application Launcher and Session Recording with a Bastion Host 53
Click Finish to complete the first part of the installation.
After the initial installation is complete, A separate installation for the Microsoft Expressions recorder
will be initiated automatically.
Installing Application Launcher and Session Recording with a Bastion Host 54
Accept the License agreement for the Microsoft Expressions recorder.
Click Next on the Enter product key page. There is no product key to enter.
Installing Application Launcher and Session Recording with a Bastion Host 55
Elect to join the Microsoft customer experience or not. Click Next to continue.
Select to install Expression Encoder 4 and click Install.
Installing Application Launcher and Session Recording with a Bastion Host 56
Click Finish to complete the installation.
IMPORTANT NOTES REGARDING THIS INSTALLATION!
This installation will take additional actions that are not visible in the installer:
Installing Application Launcher and Session Recording with a Bastion Host 57
A [Domain] Local security group will be created called WriteRecordingGroup. If the installation is
taking place on a domain controller, the group is created in the Users container.
The Domain Admins group will be added to this WriteRecordingGroup.
The installer will create and share the following directory: %inetpub%\wwwroot\SessionRecording
as SessionRecording. This directory is used to copy compiled session recordings from the bastion to
the transcoder host. This scenario would apply if using the FFMPeg video recorder rather than the
Expressions recorder. If the transcoder and bastion host is the same system, or if the Expression
session recorder is the only used session recorder, this share may be safely deleted. This share
directory will be required when configuring the bastion host for app launching with session
recording.
The installer will create and share the following directory: %programfiles
(x86)%\Lieberman\Roulette\LaunchApp\Transcoders\Source as Source. This directory will be used
by the bastion hosts to copy raw session recording files to the transcoder host(s). If the transcoder
and bastion host is the same system this share can be safely deleted. This scenario would apply if
using the Expressions 4 recording software. This share directory will be required when configuring
the bastion host for app launching with session recording.
Each of the shared directory share permissions will be set to allow the WriteRecordingGroup "Full
Control". Minimum permissions required are "Change".
2. ON THE BASTION HOST
To begin installing the session recording software on the machine that will function as the video
transcoder, open the SupplementalInstallers sub-folder from the ERPM installation directory, typically
"%programfiles (x86)\Lieberman\Roulette". Copy ERPMRemoteLauncherInstaller.exe to the machine
that will function as the transcoder and launch the installer.
Installing Application Launcher and Session Recording with a Bastion Host 58
Click Next on the welcome page.
Installing Application Launcher and Session Recording with a Bastion Host 59
Read and accept the license agreement to continue installation. Then click Next to continue.
Enter the full SSL secured URL to ERPM application launcher web service. The web service is a separate
installation, typically on the ERPM web server. The application launcher web service is installed is
installed with the standard ERPMWebService installer package. The URL is typically
https://webserverHost/ERPMWebService/WebLauncherBackEndService.svc.
Click Test to validate the URL. Any certificate issues must be corrected before installation can properly
succeed. If the web page does not appear at all, validate the URL and try again or install the web service.
Installation instructions for the web service are included in the administrators guide within the SDK
section.
Installing Application Launcher and Session Recording with a Bastion Host 60
If the page tests without issue or errors, click Next to continue.
For the bastion host, if session recording WILL BE enabled, select to install:
Microsoft Expression 4 Encoder SP2
Session Recorder and File Watcher Service
Application Launcher
If session recording will NOT be enabled, select to install:
Installing Application Launcher and Session Recording with a Bastion Host 61
Application Launcher
Select the installation directory. Click Next to continue.
Installing Application Launcher and Session Recording with a Bastion Host 62
Click Next on the video transcoder paths.
On the bastion host, set the service identity to run as a Specific User, Network Service, or Local System.
Local system offers the benefit of already having proper access and no password management
requirements. If the transcoder is running on a separate system and Local system is used, then the
computer account of the bastion host must be granted Modify access to the source directory on the
transcoder host.
Network service provides for less rights than Local system and offers the benefit of already having
proper access and no password management requirements. If the transcoder is running on a
separate system and network service is used, then the computer account of the bastion host must
be granted Modify access to the source directory on the transcoder host. "NT Authority\Network
Service" must also be granted Modify access to the Session Recording directory.
Running as a specific user will offer the path of least privilege but will require configuring NTFS
permissions on the Source directory from the previous step for read, write, and delete files (Modify)
and will also require a password be managed (which ERPM has the ability to do automatically).
Running as a specific user is recommended for running the File Watcher service on the bastion host
when the transcoder is on a separate system.
Installing Application Launcher and Session Recording with a Bastion Host 63
Click Next to continue.
Installing Application Launcher and Session Recording with a Bastion Host 64
Click Install to continue.
Installing Application Launcher and Session Recording with a Bastion Host 65
Click Finish to complete the first part of the installation.
After the initial installation is complete, A separate installation for the Microsoft Expressions recorder
will be initiated automatically.
Installing Application Launcher and Session Recording with a Bastion Host 66
Accept the License agreement for the Microsoft Expressions recorder.
Click Next on the Enter product key page. There is no product key to enter.
Installing Application Launcher and Session Recording with a Bastion Host 67
Elect to join the Microsoft customer experience or not. Click Next to continue.
Select to install Expression Encoder 4 and click Install.
Installing Application Launcher and Session Recording with a Bastion Host 68
Click Finish to complete the installation.
This installation will take additional actions that are not visible in the installer:
Installing Application Launcher and Session Recording with a Bastion Host 69
A [Domain] Local security group will be created called WriteRecordingGroup. If the installation is
taking place on a domain controller, the group is created in the Users container. This group may be
safely deleted from the bastion host if it is also functioning as the transcoder host.
The Domain Admins group will be added to this WriteRecordingGroup.
The installer will create and share the following directory: %inetpub%\wwwroot\SessionRecording
as SessionRecording. This directory is used to copy compiled session recordings from the bastion to
the transcoder host. This scenario would apply if using the FFMPeg video recorder rather than the
Expressions recorder. This share directory will be required when configuring the bastion host for app
launching with session recording. If the transcoder and bastion host is the same system this share
can be safely deleted.
The installer will create and share the following directory: %programfiles
(x86)%\Lieberman\Roulette\LaunchApp\Transcoders\Source as Source. This directory will be used
by the bastion hosts to copy raw session recording files to the transcoder host(s). This scenario
would apply if using the Expressions 4 recording software. This share directory will be required when
configuring the bastion host for app launching with session recording. If the transcoder and bastion
host is the same system this share can be safely deleted.
Each of the shared directory share permissions will be set to allow the WriteRecordingGroup "Full
Control". Minimum permissions required are "Change".
Installing Application Launcher and Session Recording with a Bastion Host 70
4. SETTING UP RDS FOR APPLICATION LAUNCHING
The section details configuring Remote App on the Remote Session host to launch the Lieberman
Software Application Launcher. The application launcher is a boot strapper used to launch and provide
authentication information for configured applications.
When a user uses the Launch App links in the ERPM web interface, this application will be called which
will obtain the necessary credential information for the application to launch, and launch the application
from the bastion host. In turn, VDI will display the remote application on the user's workstation as if it
were a local application.
CONFIGURING REMOTE APP FOR SERVER 2012 (R2)
Open Server Manager and click the Remote Desktop Services link on the left pane.
Then click on Collections.
The select the collection to configure the Lieberman Software Application Launcher for.
Installing Application Launcher and Session Recording with a Bastion Host 71
In the REMOTEAPP PROGRAMS area, click Tasks and select Publish RemoteApp Programs. Then click
Add on the Publish RemoteApp programs dialog.
Installing Application Launcher and Session Recording with a Bastion Host 72
Select LiebsoftLauncher.exe from the application launcher installation location on the bastion host
(configured in step 3 previously). The default directory for this file is: C:\Program Files
(x86)\Lieberman\Roulette\LaunchApp. Then click Next.
Installing Application Launcher and Session Recording with a Bastion Host 73
On the Confirmation page, click Publish.
Once the LiebsoftLauncher application is published, right-click on it in the RemoteApp Programs list and
select Edit Properties.
Installing Application Launcher and Session Recording with a Bastion Host 74
On the General tab, set the Show the RemoteApp program in RD Web Access dialog to No. Although
everything will work fine if this is not done, there is no need to publicize this application.
Installing Application Launcher and Session Recording with a Bastion Host 75
On the Parameters tab, set the Command-line Parameters option to Allow any command-line
parameters. The LiebsoftLauncher will differ every single time it is run based on many factors including
session IDs, programs being run and parameters included when launching the programs.
Installing Application Launcher and Session Recording with a Bastion Host 76
On the User Assignment tab, it is highly recommended to change the User Assignment option to be a
specific user or group of users. Specifically, ERPM will connect to the server as a pre-designated account
(which should be managed by ERPM). This is the only account that will require access to run the
program. This account will be covered later in the Configuring Application Launching section. The
account assigned here will require any permissions and rights to launch the desired programs.
Click OK when done.
CONFIGURING REMOTE APP FOR SERVER 2008 R2
Open Server Manager and expand the Remote Desktop Services | RemoteApp Manager nodes in the
left pane.
Installing Application Launcher and Session Recording with a Bastion Host 77
In the RemoteApp Programs area, right-click and select Add RemoteApp Programs. Click Next on the
Welcome page then click Browse on the Choose programs to add to the RemoteApp Programs list page.
Installing Application Launcher and Session Recording with a Bastion Host 78
Select LiebsoftLauncher.exe from the application launcher installation location on the bastion host
(configured in step 3 previously). The default directory for this file is: C:\Program Files
(x86)\Lieberman\Roulette\LaunchApp. Then click Next.
Installing Application Launcher and Session Recording with a Bastion Host 79
On the Review Settings page, click Finish.
Once the LiebsoftLauncher application is added, right-click on it in the RemoteApp Programs list and
select Properties.
CAUTION! DO NOT CHANGE THE ALIAS value.
De-select the check box for RemoteApp program in RD Web Access. Although everything will work fine
if this is not done, there is no need to publicize this application.
Installing Application Launcher and Session Recording with a Bastion Host 80
Set the Command-line arguments option to Allow any command-line parameters. The LiebsoftLauncher
will differ every single time it is run based on many factors including session IDs, programs being run and
parameters included when launching the programs.
Installing Application Launcher and Session Recording with a Bastion Host 81
On the User Assignment tab, it is highly recommended to change the User Assignment option to be a
specific user or group of users. Specifically, ERPM will connect to the server as a pre-designated account
(which should be managed by ERPM). This is the only account that will require access to run the
program. This account will be covered later in the Configuring Application Launching section. The
account assigned here will require any permissions and rights to launch the desired programs.
Click OK when done.
5. SETTING UP STREAMING MEDIA SERVICES
Streaming Media Services is used to provide smooth streaming of the recorded sessions from the
transcoder host (typically the ERPM web server) to the client's browser and video player.
Installing Application Launcher and Session Recording with a Bastion Host 82
Installation of this component is only required if session recording will be used. If not using the
Lieberman Software free session recording module, installation of this component is not required.
To begin installing the streaming media software on the machine that will function as the video
transcoder, open the SupplementalInstallers sub-folder from the ERPM installation directory, typically
"%programfiles (x86)\Lieberman\Roulette". Copy IISMEdia64.msi to the machine that will function as
the transcoder and launch the installer.
The installation of IIS Media services requires a basic stock installation of IIS be available on the same
host server.
Click Next on the welcome page.
Installing Application Launcher and Session Recording with a Bastion Host 83
Read and accept the terms of the license agreement, then click Next.
Installing Application Launcher and Session Recording with a Bastion Host 84
Leave the default options selected then click Next.
Installing Application Launcher and Session Recording with a Bastion Host 85
Click Install.
Installing Application Launcher and Session Recording with a Bastion Host 86
Click Finish.
6. CONFIGURING IIS TO HOST RECORDED SESSIONS
This step is only required if session recording has been enabled. If session recording is not enabled, then
do not perform this step. This will likely be configured on the same system where Streaming Media
Services was installed.
When an application is launched via a bastion host / jump server and that application is configured to
also record the session, the recorded sessions will first be placed into a pre-configured directory on the
machine which will ultimately host the videos for later playback. When using the Microsoft Expressions
session recorder, the files will first be copied locally to the file system. The Lieberman Software File
Watcher Service will then move the raw files to a share called "Source" on a machine that is configured
as the video transcoder (typically the ERPM web server, but could be any machine). Once the raw XESC
files are copied to the transcoder, the Lieberman Software File Watcher service on that machine will
transcode the videos to WMV format and move the compiled files into the "SessionRecording" share on
the same system. It is this directory that will be hosted in IIS and made available via the ERPM website.
Installing Application Launcher and Session Recording with a Bastion Host 87
To configure IIS on the machine which will host the compiled videos, not much work is required as the
application launcher installer will have configured most of the required elements:
The default website will have a new virtual directory added to it called SessionRecording. This directory
will point to %inetpub%\wwwroot\SessionRecording.
The only change that may need to be made is to set the authentication scheme to anonymous. To do
this, open IIS, expend the default website, and open the Authentication area. Right click on the
authentication types and enable Anonymous Authentication and disable all others.
89
Once the pre-requisites are installed for application launching, there are four mandatory additional steps
and two optional steps to setting up ERPM to use the application launcher and the session recorder:
1) Configure an account for login to the bastion host.
2) Configure ERPM web settings with information about the web launcher service.
3) Configure a bastion host object in ERPM.
4) Optionally configure a session recording host object in ERPM.
5) Configure applications for launching and grant permissions to those applications as necessary.
6) Optionally configure the ERPM website to playback recorded sessions.
The following sub-sections will outline these steps.
IN THIS CHAPTER
Configuring a Bastion Host Login Account .............................................. 89
Configure ERPM Web Settings .............................................................. 114
Configure a Bastion Host Object ........................................................... 116
Configure a Session Recording Host Object .......................................... 119
Configure ERPM Website for Session Playback ..................................... 123
Configure Applications for Launching ................................................... 128
CONFIGURING A BASTION HOST LOGIN ACCOUNT
ERPM will use a standard login account to login to the target bastion host and launch the
LiebsoftLauncher application which will in turn launch the target application. The LiebsoftLauncher in
turn connects to a web service (WebLauncherBackendService.svc) to obtain the necessary program
settings and credentials from ERPM.
The logon account should have its password managed regularly by ERPM. Regularly should be often such
as daily or weekly. Setting the rotation schedule to hourly could possibly invalidate the logon account's
session. The account can be a local account but if possible, a domain account is recommended. This
account will need any rights necessary to launch the final target application; it does not necessarily need
local or domain admin privileged. It will need the ability to remotely log on to the target bastion host.
That means if the account is not an administrator, it must be added to the Remote Desktop Users group
on the bastion host.
CONFIGURING APPLICATION LAUNCHING
Configuring Application Launching 90
If it is desired (as it is recommended) to have ERPM manage the password for the account, simply follow
the basic procedures for a password change in ERPM (as per the administrative guide). There is no
requirements for password propagation so password propagation can be safely turned off for the
password change job. It is recommended to keep the password length to 80 characters or less as some
versions of Windows will not allow long passwords to be used via RDP.
This user account upon login will first launch the LiebsoftLauncher. Be sure in the RemoteApp settings
that at a minimum this account or a group it belongs to was granted the permissions to launch the
LiebsoftLauncher application. RemoteApp is generally found in Server Manager under the Roles |
Remote Desktop Services heading.
This account can be heavily locked down as it generally doesn't need access to anything other than the
application being locked.
Caution! When launching an application, this account will be able to do anything that the target
application lets them do.
If this account comes from Active Directory, it is recommended to place this account into an
organizational unit (OU) by itself or with other similarly locked down accounts. On this OU, create a
policy and modify the User Settings portion of the policy to lock down this logon account. There is no
need to place the bastion hosts in this OU as the policies that lockdown the user experience are user
based, not system based.
Following are some of the settings recommended to lock down the session. All policies should be tested
to ensure they do not interfere with the required operation of a target application:
User Configuration | Policies | Windows Settings | Security Settings | Software Restriction
Policies
Policy Setting
Enforcement
Apply Software Restriction Policies to the following All software files
except libraries (such
as DLLs)
Apply Software Restriction Policies to the following users All users
When applying Software Restriction Policies Ignore certificate rules
Trusted Publishers
Configuring Application Launching 91
Trusted publisher management Allow all administrators
and users to manage
user's own Trusted
Publishers
Certificate verification None
Software Restriction Policies/Security Levels
Default Security Level Disallowed
Software Restriction Policies/Additional Rules >> Path Rules
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% Security Level =
Unrestricted
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% Security Level =
Unrestricted
C:\Program Files (x86)\Lieberman\Roulette\RemoteAppLauncher\LiebsoftLauncher.exe Security Level =
Unrestricted
User Configuration | Policies | Administrative Templates
Control Panel
Prohibit access to Control Panel and PC settings Enabled
Control Panel/Display
Disable the Display Control Panel Enabled
Configuring Application Launching 92
Control Panel/Printers
Browse a common web site to find printers Disabled
Browse the network to find printers Disabled
Prevent addition of printers Enabled
Prevent deletion of printers Enabled
Control Panel/Programs
Hide "Get Programs" page Enabled
Hide "Installed Updates" page Enabled
Hide "Programs and Features" page Enabled
Hide "Set Program Access and Computer Defaults" page Enabled
Hide "Windows Features" Enabled
Hide the Programs Control Panel Enabled
Control Panel/Regional and Language Options
Hide Regional and Language Options administrative options Enabled
Hide the geographic location option Enabled
Hide the select language group options Enabled
Hide user locale selection and customization options Enabled
Desktop
Configuring Application Launching 93
Don't save settings at exit Enabled
Hide and disable all items on the desktop Enabled
Hide Internet Explorer icon on desktop Enabled
Hide Network Locations icon on desktop Enabled
Prevent adding, dragging, dropping and closing the Taskbar's toolbars Enabled
Prohibit adjusting desktop toolbars Enabled
Prohibit User from manually redirecting Profile Folders Enabled
Remove Computer icon on the desktop Enabled
Remove Properties from the Computer icon context menu Enabled
Remove Properties from the Recycle Bin context menu Enabled
Remove Recycle Bin icon from desktop Enabled
Turn off Aero Shake window minimizing mouse gesture Enabled
Network/Network Connections
Ability to change properties of an all user remote access connection Disabled
Prohibit access to properties of a LAN connection Enabled
Prohibit access to the Remote Access Preferences item on the Advanced menu Enabled
Prohibit changing properties of a private remote access connection Enabled
Prohibit connecting and disconnecting a remote access connection Enabled
Prohibit renaming private remote access connections Enabled
Configuring Application Launching 94
Network/Offline Files
Remove "Make Available Offline" command Enabled
Remove "Work offline" command Enabled
Network/Windows Connect Now
Prohibit access of the Windows Connect Now wizards Enabled
Start Menu and Taskbar
Add Search Internet link to Start Menu Disabled
Add the Run command to the Start Menu Disabled
Clear history of recently opened documents on exit Enabled
Clear history of tile notifications on exit Enabled
Clear the recent programs list for new users Enabled
Do not allow pinning items in Jump Lists Enabled
Do not allow pinning programs to the Taskbar Enabled
Do not display any custom toolbars in the taskbar Enabled
Do not display or track items in Jump Lists from remote locations Enabled
Do not keep history of recently opened documents Enabled
Do not search communications Enabled
Do not search for files Enabled
Do not search Internet Enabled
Configuring Application Launching 95
Do not search programs and Control Panel items Enabled
Do not use the search-based method when resolving shell shortcuts Enabled
Do not use the tracking-based method when resolving shell shortcuts Enabled
Hide the notification area Enabled
Lock all taskbar settings Enabled
Lock the Taskbar Enabled
Prevent changes to Taskbar and Start Menu Settings Enabled
Prevent users from adding or removing toolbars Enabled
Prevent users from moving taskbar to another screen dock location Enabled
Prevent users from rearranging toolbars Enabled
Prevent users from uninstalling applications from Start Enabled
Remove access to the context menus for the taskbar Enabled
Remove All Programs list from the Start menu Enabled
Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands Enabled
Remove Clock from the system notification area Enabled
Remove common program groups from Start Menu Enabled
Remove Default Programs link from the Start menu. Enabled
Remove Documents icon from Start Menu Enabled
Remove Downloads link from Start Menu Enabled
Remove drag-and-drop and context menus on the Start Menu Enabled
Remove Favorites menu from Start Menu Enabled
Configuring Application Launching 96
Remove frequent programs list from the Start Menu Enabled
Remove Games link from Start Menu Enabled
Remove Help menu from Start Menu Enabled
Remove Homegroup link from Start Menu Enabled
Remove links and access to Windows Update Enabled
Remove Logoff on the Start Menu Disabled
Remove Music icon from Start Menu Enabled
Remove Network Connections from Start Menu Enabled
Remove Network icon from Start Menu Enabled
Remove Pictures icon from Start Menu Enabled
Remove pinned programs from the Taskbar Enabled
Remove pinned programs list from the Start Menu Enabled
Remove programs on Settings menu Enabled
Remove Recent Items menu from Start Menu Enabled
Remove Recorded TV link from Start Menu Enabled
Remove Run menu from Start Menu Enabled
Remove See More Results / Search Everywhere link Enabled
Remove the Action Center icon Enabled
Remove the battery meter Enabled
Remove the networking icon Enabled
Remove the volume control icon Enabled
Configuring Application Launching 97
Remove user folder link from Start Menu Enabled
Remove user's folders from the Start Menu Enabled
Remove Videos link from Start Menu Enabled
Show "Run as different user" command on Start Disabled
Turn off all balloon notifications Enabled
Turn off automatic promotion of notification icons to the taskbar Enabled
Turn off feature advertisement balloon notifications Enabled
Turn off notification area cleanup Enabled
Turn off user tracking Enabled
Start Menu and Taskbar/Notifications
Turn off notifications network usage Enabled
System/Ctrl+Alt+Del Options
Remove Change Password Enabled
Remove Task Manager Enabled
System/Internet Communication Management/Internet Communication settings
Turn off access to the Store Enabled
Turn off downloading of print drivers over HTTP Enabled
Turn off handwriting recognition error reporting Enabled
Configuring Application Launching 98
Turn off Help Experience Improvement Program Enabled
Turn off Help Ratings Enabled
Turn off Internet download for Web publishing and online ordering wizards Enabled
Turn off Internet File Association service Enabled
Turn off printing over HTTP Enabled
Turn off the "Order Prints" picture task Enabled
Turn off the "Publish to Web" task for files and folders Enabled
Turn off the Windows Messenger Customer Experience Improvement Program Enabled
Turn off Windows Online Enabled
System/Removable Storage Access
All Removable Storage classes: Deny all access Enabled
CD and DVD: Deny read access Enabled
CD and DVD: Deny write access Enabled
Floppy Drives: Deny read access Enabled
Floppy Drives: Deny write access Enabled
Removable Disks: Deny read access Enabled
Removable Disks: Deny write access Enabled
Tape Drives: Deny read access Enabled
Tape Drives: Deny write access Enabled
WPD Devices: Deny read access Enabled
Configuring Application Launching 99
WPD Devices: Deny write access Enabled
System/Windows HotStart
Turn off Windows HotStart Enabled
Windows Components/Add features to Windows 8
Prevent the wizard from running. Enabled
Windows Components/App runtime
Block launching desktop apps associated with a file. Enabled
Block launching desktop apps associated with a protocol Enabled
Windows Components/Application Compatibility
Turn off Program Compatibility Assistant Enabled
Windows Components/Attachment Manager
Hide mechanisms to remove zone information Enabled
Windows Components/AutoPlay Policies
Disallow Autoplay for non-volume devices Enabled
Prevent AutoPlay from remembering user choices. Enabled
Configuring Application Launching 100
Set the default behavior for AutoRun Enabled
Default AutoRun Behavior Do not execute any autorun commands
Turn off Autoplay Enabled
Turn off Autoplay on All drives
Windows Components/Credential User Interface
Do not display the password reveal button Enabled
Windows Components/Desktop Gadgets
Restrict unpacking and installation of gadgets that are not digitally signed. Enabled
Turn off desktop gadgets Enabled
Turn Off user-installed desktop gadgets Enabled
Windows Components/Digital Locker
Do not allow Digital Locker to run Enabled
Windows Components/Edge UI
Turn off switching between recent apps Enabled
Turn off tracking of app usage Enabled
Windows Components/File Explorer
Configuring Application Launching 101
Display confirmation dialog when deleting files Enabled
Display the menu bar in File Explorer Enabled
Do not allow Folder Options to be opened from the Options button on the View tab of the
ribbon
Enabled
Do not display the Welcome Center at user logon Enabled
Do not request alternate credentials Enabled
Hide these specified drives in My Computer Enabled
Restrict all drives
Hides the Manage item on the File Explorer context menu Enabled
No Entire Network in Network Locations Enabled
Prevent access to drives from My Computer Enabled
Restrict all drives
Prevent users from adding files to the root of their Users Files folder. Enabled
Remove "Map Network Drive" and "Disconnect Network Drive" Enabled
Remove CD Burning features Enabled
Remove File Explorer's default context menu Enabled
Remove File menu from File Explorer Enabled
Remove Hardware tab Enabled
Remove Security tab Enabled
Remove the Search the Internet "Search again" link Enabled
Turn off display of recent search entries in the File Explorer search box Enabled
Turn off Windows+X hotkeys Enabled
Configuring Application Launching 102
Windows Components/File Explorer/Common Open File Dialog
Hide the common dialog back button Enabled
Hide the common dialog places bar Enabled
Hide the dropdown list of recent files Enabled
Windows Components/File Explorer/Explorer Frame Pane
Turn off Preview Pane Enabled
Turn on or off details pane Enabled
Configure details pane Always hide
Windows Components/File Explorer/Previous Versions
Prevent restoring previous versions from backups Enabled
Windows Components/IME
Turn off history-based predictive input Enabled
Turn off Internet search integration Enabled
Windows Components/Internet Explorer
Automatically activate newly installed add-ons Disabled
Configure Media Explorer Bar Enabled
Configuring Application Launching 103
Disable the Media Explorer Bar and auto-play feature Enabled
Auto-Play Media files in the Media bar whenEnabled Disabled
Disable AutoComplete for forms Enabled
Disable changing accessibility settings Enabled
Disable changing Advanced page settings Enabled
Disable changing Automatic Configuration settings Enabled
Disable changing Calendar and Contact settings Enabled
Disable changing certificate settings Enabled
Disable changing connection settings Enabled
Disable changing home page settings Enabled
Home Page Define a home page if
necessary
Disable changing language settings Enabled
Disable changing Messaging settings Enabled
Disable changing ratings settings Enabled
Disable changing Temporary Internet files settings Enabled
Disable Import/Export Settings wizard Enabled
Disable Internet Connection wizard Enabled
Do not allow users to enable or disable add-ons Enabled
Identity Manager: Prevent user from using Identities Enabled
Notify users if Internet Explorer is not the default web browser Disabled
Pop-up allow list Enabled
Configuring Application Launching 104
Enter the list of sites here. Define allowed sites list
if applicable such as
*.microsoft.com
Prevent "Fix settings" functionality Enabled
Prevent access to Internet Explorer Help Enabled
Prevent bypassing SmartScreen Filter warnings Enabled
Prevent bypassing SmartScreen Filter warnings about files that are not commonly
downloaded from the Internet
Enabled
Prevent changing pop-up filter level Enabled
Prevent changing proxy settings Enabled
Prevent changing the default search provider Enabled
Prevent configuration of how windows open Enabled
Select where to open links Open in existing
Internet Explorer
window
Prevent Internet Explorer Search box from appearing Enabled
Prevent managing pop-up exception list Enabled
Prevent managing SmartScreen Filter Enabled
Select SmartScreen Filter mode On
Prevent participation in the Customer Experience Improvement Program Enabled
Prevent per-user installation of ActiveX controls Enabled
Prevent running First Run wizard Enabled
Select your choice Go directly to home
page
Configuring Application Launching 105
Search: Disable Find Files via F3 within the browser Enabled
Search: Disable Search Customization Enabled
Specify default behavior for a new tab Enabled
New tab behavior Home page
Turn off ability to pin sites in Internet Explorer on the desktop Enabled
Turn off add-on performance notifications Enabled
Turn off browser geolocation Enabled
Turn off configuration of pop-up windows in tabbed browsing Enabled
Select tabbed browsing pop-up behavior Force pop-ups to open
in a new tab
Turn off Crash Detection Enabled
Turn off Favorites bar Enabled
Turn off Managing SmartScreen Filter for Internet Explorer 8 Enabled
Select SmartScreen Filter mode for Internet Explorer 8 On
Turn off pop-up management Enabled
Turn off Quick Tabs functionality Enabled
Turn off Reopen Last Browsing Session Enabled
Turn off suggestions for all user-installed providers Enabled
Turn off tabbed browsing Enabled
Turn off the auto-complete feature for web addresses Enabled
Turn off the quick pick menu Enabled
Turn on Suggested Sites Disabled
Configuring Application Launching 106
Turn on the auto-complete feature for user names and passwords on forms Disabled
Windows Components/Internet Explorer/Accelerators
Turn off Accelerators Enabled
Windows Components/Internet Explorer/Browser menus
Disable Open in New Window menu option Enabled
Disable Save this program to disk option Enabled
File menu: Disable closing the browser and Explorer windows Enabled
File menu: Disable New menu option Enabled
File menu: Disable Open menu option Enabled
File menu: Disable Save As Web Page Complete Enabled
File menu: Disable Save As... menu option Enabled
Help menu: Remove 'Send Feedback' menu option Enabled
Help menu: Remove 'Tour' menu option Enabled
Hide Favorites menu Enabled
Tools menu: Disable Internet Options... menu option Enabled
Turn off Print Menu Enabled
Turn off Shortcut Menu Enabled
View menu: Disable Full Screen menu option Enabled
View menu: Disable Source menu option Enabled
Configuring Application Launching 107
Windows Components/Internet Explorer/Delete Browsing History
Disable "Configuring History" Enabled
Days to keep pages in History 1
Windows Components/Internet Explorer/Internet Control Panel
Disable the Advanced page Enabled
Disable the Connections page Enabled
Disable the Content page Enabled
Disable the General page Enabled
Disable the Privacy page Enabled
Disable the Programs page Enabled
Disable the Security page Enabled
Windows Components/Internet Explorer/Internet Control Panel/Advanced Page
Allow active content from CDs to run on user machines Disabled
Allow software to run or install even if the signature is invalid Disabled
Do not allow resetting Internet Explorer settings Enabled
Empty Temporary Internet Files folder when browser is closed Enabled
Windows Components/Internet Explorer/Internet Control Panel/General Page
Configuring Application Launching 108
Start Internet Explorer with tabs from last browsing session Disabled
Windows Components/Internet Explorer/Internet Control Panel/General Page/Browsing
History
Allow websites to store application caches on client computers Disabled
Windows Components/Internet Explorer/Internet Settings/Advanced settings/Browsing
Turn off details in messages about Internet connection problems Enabled
Turn on script debugging Disabled
Windows Components/Internet Explorer/Internet Settings/Advanced settings/Multimedia
Allow Internet Explorer to play media files that use alternative codecs Disabled
Windows Components/Internet Explorer/Internet Settings/Advanced settings/Searching
Prevent configuration of search on Address bar Enabled
When searching from the address bar Do not search from the
address bar
Prevent configuration of top-result search on Address bar Enabled
When searching from the Address bar Disable top result
search
Windows Components/Internet Explorer/Internet Settings/Advanced settings/Signup
Settings
Configuring Application Launching 109
Turn on automatic signup Disabled
Windows Components/Internet Explorer/Internet Settings/AutoComplete
Turn off URL Suggestions Enabled
Turn off Windows Search AutoComplete Enabled
Turn on inline AutoComplete Disabled
Windows Components/Internet Explorer/Security Features/Restrict File Download
All Processes Enabled
Internet Explorer Processes Enabled
Windows Components/Internet Explorer/Toolbars
Configure Toolbar Buttons Enabled
Show Back button Enabled
Show Forward button Enabled
Show Stop button Enabled
Show Refresh button Enabled
Show Home button Enabled
Show Search button Disabled
Show Favorites button Disabled
Show History button Disabled
Configuring Application Launching 110
Show Folders button Disabled
Show Fullscreen button Disabled
Show Tools button Disabled
Show Mail button Disabled
Show Font size button Disabled
Show Print button Disabled
Show Edit button Disabled
Show Discussions button Disabled
Show Cut button Disabled
Show Copy button Disabled
Show Paste button Disabled
Show Encoding button Disabled
Disable customizing browser toolbar buttons Enabled
Disable customizing browser toolbars Enabled
Display tabs on a separate row Enabled
Hide the Command bar Enabled
Hide the status bar Enabled
Lock all toolbars Enabled
Lock location of Stop and Refresh buttons Enabled
Turn off Developer Tools Enabled
Turn off toolbar upgrade tool Enabled
Configuring Application Launching 111
Windows Components/Location and Sensors
Turn off location Enabled
Windows Components/Microsoft Management Console
Restrict the user from entering author mode Enabled
Windows Components/Network Sharing
Prevent users from sharing files within their profile. Enabled
Windows Components/Presentation Settings
Turn off Windows presentation settings Enabled
Windows Components/Sound Recorder
Do not allow Sound Recorder to run Enabled
Windows Components/Tablet PC/Accessories
Do not allow printing to Journal Note Writer Enabled
Do not allow Snipping Tool to run Enabled
Do not allow Windows Journal to be run Enabled
Configuring Application Launching 112
Windows Components/Tablet PC/Hardware Buttons
Prevent Back-ESC mapping Enabled
Prevent launch an application Enabled
Prevent press and hold Enabled
Turn off hardware buttons Enabled
Windows Components/Windows Error Reporting
Disable Windows Error Reporting Enabled
Windows Components/Windows Installer
Prevent removable media source for any installation Enabled
Prohibit rollback Enabled
Windows Components/Windows Logon Options
Set action to take when logon hours expire Enabled
Set action to take when logon hours expire Logoff
Windows Components/Windows Mail
Turn off the communities features Enabled
Turn off Windows Mail application Enabled
Configuring Application Launching 113
Windows Components/Windows Media Center
Do not allow Windows Media Center to run Enabled
Windows Components/Windows Media Player
Prevent CD and DVD Media Information Retrieval Enabled
Prevent Music File Media Information Retrieval Enabled
Windows Components/Windows Media Player/Networking
Hide Network Tab Enabled
Windows Components/Windows Media Player/Playback
Prevent Codec Download Enabled
Windows Components/Windows Messenger
Do not allow Windows Messenger to be run Enabled
Do not automatically start Windows Messenger initially Enabled
Windows Components/Windows Mobility Center
Turn off Windows Mobility Center Enabled
Windows Components/Windows Update
Configuring Application Launching 114
Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog
box
Enabled
Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box Enabled
CONFIGURE ERPM WEB SETTINGS
To configure the web launcher settings for the ERPM website(s), in the admin console, go to Settings |
Manage Web Application | Application Launch.
The Global tab identifies the ERPM web service and other related settings that will be used when
launching applications.
The Web service URL is the URL of the application launcher web service. When the web service is
installed (typically on the ERPM web server), [typically] a web service is installed at
[site]/erpmwebservice. The web service is called WebLauncherBackendService.svc. This full URL should
be entered in the Web service URL field including the protocol and port if applicable.
IMPORTANT! There should be no certificate or access errors when accessing this URL in a browser. It
should be tested as any user that will be accessing the web server. The best test is to login to the
bastion host as the bastion host login account configured int he previous section and attempt to access
this URL. If the account is prompted for credentials or certificate errors the application launcher will
fail.
The typical URL is
https://erpmwebservername.yourdomain.com/erpmwebservice/weblauncherbackendservice.svc.
Enable launching applications using stored passwords in the web application is required to enable
remote launching. If this option is not selected, then the Launch Application option will be unavailable in
the website.
Use thick terminal services client when connecting through RDP is an optional setting to use the
application launcher to launch the Window's client's local fat client for RDP connectivity. If this option is
not selected then ERPM will only be able to use the ActiveX control for launching RDP sessions. While
this may work fine for the majority of RDP connections, if the target system uses NLA (Network Level
Authentication) then the connection will fail. If the target system uses NLA, then this option must be
selected.
Enable launching applications on a remote server will enable the configured applications to launch via a
bastion host rather than launching only locally on the client. When the option is enabled and an
Configuring Application Launching 115
application is configured to use a bastion host, the applications can instead launch from the bastion host
and will use RemoteApp to display the program's UI to the users desktop as if it were a native
application.
[Script Launch] Path to script files on client systems is the path that the script automation files will be
copied to (manual copy). This path is used when local launch (rather than via bastion host) will be used
to launch web based applications such as Twitter, FaceBook, or other web based programs. If local
launching of these sorts of applications will not be launched directly from a client's machine (rather than
via bastion host) it will not be necessary to configure this path. The default location these scripts are
found are at C:\Program Files (x86)\Lieberman\Roulette\LaunchApp\WebAutomation.
Configuring Application Launching 116
CONFIGURE A BASTION HOST OBJECT
To configure the web launcher settings for the ERPM website(s), in the admin console, go to Settings |
Manage Web Application | Application Launch.
The Remote Servers tab identifies the available bastion hosts and other related settings that will be used
for launching applications. The option Enable launching applications on a remote server must also be
selected on the Global tab to make use of these servers.
To add a new server, click the Add button in the lower right area of the dialog.
The following fields are mandatory:
Configuring Application Launching 117
Server configuration identifier - the friendly name of the server as it will appear in the application
launcher configuration.
Remote server system name - the actual name of the bastion host. This should be the name (FQDN
or simple or IP) as can be reach from the client systems that will be initiating the session.
Use RemoteApp to launch the liebsoft launcher on the server - this option must be selected to
remotely launch applications from the bastion host using RemoteApp as available in 2008 R2 and
newer.
Login credential system name - this value must be populated. If ERPM will be using stored
(managed) credentials to log into the bastion host, this is the name of the system/server as it
appears in ERPM from which to draw the credentials from. It is recommended to use a domain
credential for this purpose; see the section for configuring a bastion host login account.
Login credential account name - this is the name of the account that will be used to login to the
bastion host. It is recommended to use a domain credential for this purpose; see the section for
configuring a bastion host login account.
Login credential domain name - the domain to which the account belongs. If this is a local account
(not recommended) then this should be the simple (NetBIOS) name of the bastion host.
Load saved password for connection from password store - select this option to pull the managed
password from the ERPM password store. If it is desired to use a hard coded password instead, then
supply the actual password in the remote server logon password field.
[Script Launch] Path to script files on client systems is the path that the script automation files will
be copied to during installation of the AppLauncher. This path is used when launching web based
applications such as Twitter, FaceBook, or other web based programs. The default location these
scripts are found are at C:\Program Files (x86)\Lieberman\Roulette\LaunchApp\WebAutomation.
Configuring Application Launching 118
Configuring Application Launching 119
Once the entries are validated, click OK to add the bastion host object. If the option to Load saved
password for connection from password store is selected and a stored password for the target account
does not exist, a warning indicating such will appear to the user otherwise the dialog will close without
incident.
Any of these settings can be changed at any time without having to make any changes to IIS or
performing IISReset or other administrative actions.
CONFIGURE A SESSION RECORDING HOST OBJECT
To configure the web launcher settings for the ERPM website(s), in the admin console, go to Settings |
Manage Web Application | Application Launch.
The Session Recorders tab identifies configured session recording servers. There will typically be a one to
one relationship with the servers configured on the Remote Servers tab.
Configuring Application Launching 120
Session recording only works for applications launched via the LiebsoftLauncher application. That means
any users which retrieve passwords will and connect directly will not have their sessions recorded when
using this session recording technology.
The session recording system consists of two components specific to the session recording: session
recording and video transcoding. When a session is recorded on a bastion host that is done by the
session recorder. These files are created in a raw format and placed into the configured source directory.
The Lieberman file watcher server picks up the raw files and moves them to the working directory where
they are formatted and converted and watermarked. Completed files are then moved to the
SessionRecording directory. Typically it is recommended to have the transcoder NOT be the same system
as the bastion host/session recorder due to resource constraints (CPU specifically).
To add a new server, click the Add button in the lower right area of the dialog.
The following fields are mandatory:
Configuring Application Launching 121
Configuration label - the friendly name of the server as it will appear in the application launcher
configuration.
Basic configuration - use this option if the session recording host will perform both recording and
transcoding duties. Recorder options include Expressions 4, VLC, and Windows Problem Steps
Recorder. It is recommended to choose the Expressions 4 recorder option. The output path will
default a default local path if this option is selected.
Advanced configuration - use this option if it is desired to put recordings in a custom location or if
video transcoding will occur on a separate host (typical). It is not recommended to change the
Assembly path or Type in Assembly values.
Abort application launch if session recording fails - with this option selected, if session recording
fails to initialize, the remote session will be logged off and no remote app launch will occur.
Output path - if using the bastion host for both session recording and video transcoding and it is
desired to place the recordings to an alternate location, specify the path here. If transcoding is
occurring on a separate host, then this should be a network UNC path (\\server\source) to the
Source share on the transcoder host.
File name template - the default value is SessionRecording-$(SessionID). In this scenario
SessionRecording- is the filename prefix and $(SessionID) is a variable for the session ID of the
remote app launch session. If the names of the recordings should be changed, this is acceptable but
to not remote the $(SessionID) value from the name. There should also be no extension listed for the
file name.
Configuring Application Launching 122
Configuring Application Launching 123
Once the entries are validated, click OK to add the session recorder host object.
Any of these settings can be changed at any time without having to make any changes to IIS or
performing IISReset or other administrative actions.
CONFIGURE ERPM WEBSITE FOR SESSION PLAYBACK
In order to playback recorded sessions, ERPM will need to know the location of the machine with the
completed session recordings. From the previous sections, this will most likely be the video transcoder
host, which is also most likely the ERPM web server.
For reference session recording consists of two pieces: recorder and transcoder. The recorder is typically
the bastion host while the transcoder is recommended to be another machine (due to CPU and RAM
constraints). The transcoder host is typically the ERPM web server and will convert the raw video from
the session recorder to playable video. These videos will be played back via streaming media services
through the ERPM website.
Configuring Application Launching 124
The flow for session recording is as follows:
1) Application is launched on a bastion host and session recording is initiated.
2) After the session exits, the file will be copied to the source directory on the transcoder host.
3) Raw video will be converted and placed into the SessionRecording directory on that host.
4) IIS and Media Server will stream the videos to requesting authorized users.
The machine performing the video transcoding will have configured IIS with a virtual directory under the
default root website called SessionRecording. It is this URL that will be provided to the ERPM website
configuration. The SessionRecording URL may be presented with or without SSL but should be configured
to use anonymous authentication.
To configure ERPM with the SessionRecording URL open the admin console, and click on the Manage
Web App button on the left action pane. Go to the Options | Configure default web application options
menu.
On the User/Session Management tab, enter the URL for the transcoder/media server where the videos
are hosted from in the Session playback URL field. If using HTTPS, be sure to enter the valid name of the
server that matches the assigned name on the certificate to avoid certificate errors. A typical URL will be
similar to https://server.your.domain/sessionrecording/. Be aware that the system is expecting a
trailing forward slash at the end of the URL.
Configuring Application Launching 125
Click OK once the URL is entered.
Configuring Application Launching 126
If updating an existing website with this new information, right-click on the website instance and select
Replace instance options with default web application options. There is no need to restart any servers
or components after making this change.
Once the URL is added and once any sessions have been recorded, users with access to the auditing
section of the ERPM website will be able to playback any recorded sessions that exist. Such recored
sessions will be visible in the ERPM auditing section with a camera icon next to their audit entry.
Configuring Application Launching 127
Simply click on the camera icon to playback the recorded sessions.
Configuring Application Launching 128
CONFIGURE APPLICATIONS FOR LAUNCHING
To configure the web launcher settings for the ERPM website(s), in the admin console, go to Settings |
Manage Web Application | Application Launch.
The Applications tab identifies the applications which can be made available to launch from the ERPM
website and other related settings that will be used when launching these applications. Once an
application is added, it must be properly configured before it may be launched.
Lieberman Software ships a number of pre-configured application objects available. Most will still
require additional configurations before they could be used for launching the specified target
application. To add the pre-defined applications, click the Add Defaults button in the lower left area of
the dialog. Add new applications by clicking the Add button. Duplicate or edit existing explications by
using the Copy or Edit buttons respectively.
When editing a dialog, there are many elements to fill out. The required elements for a basic application
configuration to be valid are:
Configuring Application Launching 129
Remote application label - this is the friendly name of the application as it will appear in the ERPM
website.
Remote launch type - select from the available launch types:
LAUNCH APPLICATION WITH COMMAND LINE PARAMETERS - use this for any application which can be
launched with command line options such as SQL Management Studio, PuTTy, VMware vCenter,
etc.
OPEN WEB APPLICATION WITH FORM POST - use this for websites which only require a basic form post
and does not make use of JSON, YAML or other technologies for passing the user name and
password information.
LAUNCH TERMINAL SERVICES CLIENT - use this for launching the Microsoft Terminal Services client.
LAUNCH APP THROUGH .NET ASSEMBLY - used when an external .net assembly will be used to perform
the connection and credential passing.
LAUNCH APP THROUGH SCRIPT AUTOMATION - this is most frequently used for launching MMCs,
websites which does not pass user name and password information basic form post (see most
web examples in the default list), fat clients which do not make use of command line parameters,
etc.
Configure Allowable Types - this defines for which account types the application will be available. At
least one account type must be selected. This is what specifically makes an application available to
Windows but not Linux or MS SQL but not Oracle.
The above elements are the basic, always required elements. Keep reading to find out more about the
other elements.
Configuring Application Launching 130
To set a custom icon for the application, locate the physical ERPM website installation files. Typically, this
will be at %inetpub%\wwwroot\PWCWeb. All file paths defined for the icons will be relative to this path.
It is recommended to create a custom folder (example "CompanyIcons") and add your icons to this
folder so they will persist through website upgrades. Then for the icon path, simply add the
FolderName\IconName.gif. All GIF files should be 32x32 pixels.
Run on the jump server - use this option to launch the target application from a bastion host/jump
server (configured previously). If this option is not selected then the application will attempt to launch
locally on the user's local workstation. If this option is selected, then the application will be launched on
the jump server. The application must be installed on the jump server at that time. This is a
per-application setting.
Enable session recording - if a session recording host is configured, this option will be available. When
configured, the launching of this application on a jump server will record just this application being run.
This is a per-application setting.
Always use the specified account when starting this application - when this option is NOT selected
(default), the application will be made available for the selected account type(s) (Configure Allowable
Account Types). That means potentially any account could be used to launch this application. If the
option is enabled, ERPM will pull a predefined credential from the account store and always use that
account to launch the application. Also, the application will not be available in the Launch App section of
the ERPM website, rather, it will be made available in the Applications section of the website for the
users that have permission to launch the application. The Launch App section is accessible when viewing
specific managed passwords. Applications is always available regardless of managed passwords.
Depending on the selected Remote launch type, additional parameters will be required. The following
text outlines what these other parameters are.
Launch application with command line parameters
APPLICATION - mandatory - The application name is simply the name of the executable without the
path.
COMMAND LINE - mandatory - Command line is the parameters to launch the executable with.
APPLICATION LOCATION - optional - An application location must also be defined but can either be a
full physical path in the application location field or be setup to search for and even to download
a ready to run executable from a predefined network path (At launch download file from path). A
physical path MUST be defined when launching the application from a jump server. If a physical
path is not defined in the application location field, then the option to Search for application on
local system should be enabled. Sub-options for application search include searching for the
application on the system root or program files directories. In addition, subsequent include and
exclude directories may be defined. Multiple values should be segregated by a semi-colon. There
Configuring Application Launching 131
is no variable replacement such as %systemroot% or %inetpub% so full physical locations must
be used.
ONLY RUN SIGNED EXECUTABLES - optional - will ensure the program has a digital signature on it. If
the option is enabled, an additional verification can be configured to validate specific fields of the
digital signature such as the certificate serial number, certificate issuer or other signing bits.
ONLY RUN EXECUTABLES WITH EXPECTED HASHES - optional - allows the admin to define hashes of a
target application. This is useful to ensure that someone did not rename a malicious executable
or that only a specific patched version runs. Multiple hashes can be calculated and defined from
this dialog.
APPLICATION USES STORED PRIVATE KEY - optional - this option allows programs which can use
certificates (such as SSH clients) to define which certificate to use when connecting. These
certificates must have been pre-imported and assigned via the administrative console from
Settings | User Keys | Import Keys.
APPLICATION USES GATEWAY SERVER - optional - if an SSH proxy/gateway is defined (Admin console at
Settings | Manage Web Application | Remote Gateway Servers) this option will be available. This
option is useful when a client must first connect to an SSH proxy first before connecting to the
final SSH target. This process will make use of plink.exe. The plink.exe download location must
also be specified with the path on the jump server where the plink.exe executable resides.
Plink.exe is installed the launch app folder on the bastion host if the PuTTy files are also installed
when installing the application launcher. Plink.exe can also be downloaded from
http://www.putty.org.
Open web application with form post - use this for websites which only require a basic form post
and does not make use of JSON, YAML or other technologies for passing the user name and
password information.
WEB PAGE - mandatory - the name of the login page including protocol such as
http://webserver/pwcweb/login.asp.
NAME-VALUE PAIR - mandatory - the variables for the user name and password.
Launch terminal services client - use this for launching the Microsoft Terminal Services client. There
are no additional requirements to setup this launch type.
Launch app through .net assembly - used when an external .net assembly will be used to perform
the connection and credential passing.
ASSEMBLY PATH - mandatory - the full physical file patch to the .net assembly.
TYPE NAME - mandatory - the name of the .net interface.
Launch app through script automation - this is most frequently used for launching MMCs, websites
which does not pass user name and password information basic form post (see most web examples
in the default list), fat clients which do not make use of command line parameters, etc. When using a
Configuring Application Launching 132
web page, the scripts defined in the script path will use the Internet Explorer DOM to drive the IE
browser interface looking for specifically named fields and buttons.
Script path - mandatory - the script path is the name of the script to run including the extension.
For example, login_azuremgmt.vbs.
Automation URL - mandatory - the path supplied here will be found in the [Script Launch] Path
to script files element of the bastion host configuration dialog (see Configure a Bastion Host
Object section). For example, http://manage.windowsazure.com or for a device,
https://$(RemoteAccessTarget_TargetName)/login.html.
See the next sub-section for replaceable variables in the command line or automation URL paths.
VARIABLES FOR APP LAUNCHING
When launching an application from the command line or via web automation scripts, there are many
available variables for ERPM to use to pass the user name, password, target server and more. What
follows is a list of available variables which can be used for replacement.
As the process works, DEMO\Broberts logs into the ERPM web application. DEMO\Broberts clicks on
launch app. This causes a secondary account (DEMO\BastionLogin) to connect to the bastion host and
initiate and launch the liebsoftlauncher.exe program. Liebsoflauncher connects back to the web service
and retrieves program settings including target system, target user name, and target password. For
this example example, connecting to a server called DB2012 as SA with with the SA password.
For this example the following elements are defined by the following variables:
DEMO\Broberts = $(SourceAppLogin) or $(UserEnteredLoginUsername)
DEMO\BastionLogin = NOT EXPOSED
DB2012 = $(RemoteAccessTarget_TargetName)
SA = $(Username) or $(AccountName_FullyQualified)
SA Password = $(Password) or $(Password_Raw)
Following is a list of all possible variables
Configuring Application Launching 133
$(UserEnteredLoginUsername) - same as $(SourceAppLogin), is the account used to login to the
ERPM web application.
$(UserEnteredLoginUsername:RemoveNTSyleNamespace) - This element prunes the domain name
from the user name. From the example above, DEMO\Broberts becomes simply Broberts.
$(UserEnteredLoginUsername:ReplaceBackslashWithDot) - This element retains the domain name
with the user name but replaces the slash with a dot. From the example above, DEMO\Broberts
becomes DEMO.Broberts. Use this variable when a name is required that will no be interpreted as a
path for creating directories.
$(SourceAppLogin) - same as $(UserEnteredLoginUsername), is the account used to login to the app
[component] which is triggering the launcher, i.e. the RDP user to the bastion host.
$(SourceAppLogin:RemoveNTSyleNamespace) - This element prunes the domain name from the
user name. From the example above, DEMO\Broberts becomes simply Broberts.
$(SourceAppLogin:ReplaceBackslashWithDot) - This element retains the domain name with the user
name but replaces the slash with a dot. From the example above, DEMO\Broberts becomes
DEMO.Broberts. Use this variable when a name is required that will no be interpreted as a path for
creating directories.
$(Username) - this is the name of the target account. From the example above, SA.
$(AccountName_FullyQualified) - building on the $(Username) variable, this will pre-pend the
domain pre-fix to the account name if applicable.
$(Password) - the regex escaped password (e.g. pass\"word ).
$(Password_Raw) - the raw un-escaped password.
$(RemoteAccessTarget_TargetName) - the target host to which the application will connect.
$(LauncherPath) - the path to the application launcher.
$(SessionID) - GUID for the launcher link.
$(PrivateKey) - the file path for the DER encoded private key (if available).
$(PrivateKeyPassphrase) - the pass phrase, if present for $(PrivateKey).
$(PuttyKey) - the file path for the putty encoded private key (if available).
These variables are used in line and replaced by ERPM at the time the application is launched. For
example, if in the website the user were to go to the MSSQL database instance on a server called DB2012
and connect with the built-in (and managed) SA account, the command line syntax would be:
-S $(RemoteAccessTarget_TargetName) -U $(Username) -P $(Password) -nosplash
The switches ( -S, -U and -P ) are part of the SMSS.EXE executable. The subsequent values of
$(RemoteAccessTarget_TargetName), $(Username), and $(Password) would be replaced by the name of
the server (DB2012), the name of the account (SA), and the password for SA respectively.
135
As of ERPM version 4.83.8 To launch an application user with either of the following sets of permissions
will be able to launch applications:
1) All Access
2) View account, recover password, remote sessions, and permissions for the specific application being
launched.
USING APPLICATION LAUNCHING
Using Application Launching 136
When the user does not have all access, not only are permission required to retrieve the password, but
additional permissions are required to even launch a specific application. To define these permissions,
use the admin console and go to Delegation | Web application remote application permissions. Click
Add in the lower left corner, then select an available identity, click OK, then select one or more
applications the user can launch.
There are two types of application launching in ERPM: launching with variable account and system
information and launching with pre-define account and system information. The difference in app
configuration is the option in the lower right corner of the application that says to always use the
specified account being selected or not. If the option is selected, the application will appear in the
Using Application Launching 137
applications portion of the website. If the option is not selected, the user must go to the Launch App
section next to the system/account they wish to use to connect.
Launching an App as a Pre-Configured Application
To launch an application which has been pre-configured for a specific account and target, such as a
company's Twitter or Facebook page, the user will click the Applications link on the left pane then click
on the application to launch. Only applications that are pre-configured to always launch as a specific user
and that the login user has access to will be shown on this page. If an application is not shown it is a sign
of at least one of two possible causes:
Using Application Launching 138
The user has no permission to launch an application
There are no apps configured to always run as a specific user
Launching an App Using Variable Target and Account Information
Once the the target system and account to connect as are located in the Managed Password section of
the website, click Launch App.
All applications available to the user for the specific account type will then be shown. If the RDP icon
appears at the right edge of the black title bar, that indicates the application is configured to launch via a
bastion host. if the camera icon appears at the right edge of the black title bar, that indicates the session
will be recorded.
To launch the application, click Launch. What happens next will depend on whether the application is
configured to launch locally or from a bastion host and whether or not the user has performed this
process previously. If connecting via a bastion host, the system will initiate a series of calls to the bastion
host and the LiebsoftLauncher on that host. This will be visible to the user. If the user has not previously
Using Application Launching 139
launched an app from the machine/profile they are currently logged into, they will likely receive a couple
of security prompts.
Using Application Launching 140
Each application also has an Advanced launch configuration. Clicking advanced will allow the interactive
user to specify alternate credentials to connect to the target system as. These could be static credentials
or they could be other stored credentials in ERPM (if they have the rights to retrieve the password).
Generally, it will not be necessary to manipulate the advanced settings.
141
Once any sessions have been recorded, users with access to the auditing section of the ERPM website
will be able to playback any recorded sessions that exist. Such recored sessions will be visible in the
ERPM auditing section with a camera icon next to their audit entry.
Simply click on the camera icon to playback the recorded sessions.
The session properties page will identify user, IP address, and time stamp information and more. To
playback the recording, simply chose the desired recording and click Play Recording.
AUDITING APPLICATION LAUNCHING
Auditing Application Launching 142
The video will open on the systems preferred media player and begin streaming automatically.
143
1
1. INSTALLING REMOTE DESKTOP SERVICES
• 12
1. ON THE TRANSCODER HOST • 48
2
2. INSTALLING DESKTOP EXPERIENCE • 39
2. ON THE BASTION HOST • 60
3
3. INSTALLING APPLICATION LAUNCHER
AND SESSION RECORDING • 48
4
4. SETTING UP RDS FOR APPLICATION
LAUNCHING • 73
5
5. SETTING UP STREAMING MEDIA SERVICES
• 84
6
6. CONFIGURING IIS TO HOST RECORDED
SESSIONS • 89
A
AUDITING APPLICATION LAUNCHING •
147
B
BACKGROUND AND GOALS • 8
C
CONFIGURE A BASTION HOST OBJECT •
119
CONFIGURE A SESSION RECORDING HOST
OBJECT • 124
CONFIGURE APPLICATIONS FOR
LAUNCHING • 133
CONFIGURE ERPM WEB SETTINGS • 116
CONFIGURE ERPM WEBSITE FOR SESSION
PLAYBACK • 129
CONFIGURING A BASTION HOST LOGIN
ACCOUNT • 91
CONFIGURING APPLICATION LAUNCHING
• 91
CONFIGURING REMOTE APP FOR SERVER
2008 R2 • 80
CONFIGURING REMOTE APP FOR SERVER
2012 (R2) • 73
I
INSTALLING APPLICATION LAUNCHER
AND SESSION RECORDING WITH A
BASTION HOST • 11
INSTALLING DESKTOP EXPERIENCE FOR
SERVER 2008 R2 • 43
INSTALLING DESKTOP EXPERIENCE FOR
SERVER 2012 (R2) • 39
INSTALLING REMOTE DESKTOP SERVICES
FOR SERVER 2008 R2 • 29
INSTALLING REMOTE DESKTOP SERVICES
FOR SERVER 2012 (R2) • 12
INTRODUCTION • 5
INDEX
Index 144
L
LICENSE AGREEMENT • 5
LIMITED WARRANTY • 6
O
OVERVIEW • 7
P
PRE-REQUISITES • 9
U
USING APPLICATION LAUNCHING • 141
V
VARIABLES FOR APP LAUNCHING • 139