PSM post-installation tasks
This section describes post-installation task procedures. Use this reference to troubleshoot your automatic installation or to perform these steps manually.
Check the installation log files
During installation, a log file, <Windows installation directory>\Temp\PSM\PSMInstall.log, is created to monitor the installation process and to enable you to ensure that Privileged Session Manager was installed successfully.
This log file is created in the Temp\PSM folder and it contains a list of all the activities performed when the PSM environment in the Vault is created during the installation procedure. Other log files that are used for internal purposes are created in the same folder during installation.
Connect to a target system directly from desktop
When NLA is enabled in your environment, end users who need to connect through PSM to their target systems using an RDP client application must be members of the Remote Desktop Users group on the PSM server.
This membership does not allow them to actually log into the hardened PSM server, but only to connect remotely to it.
Enable maintenance users to log on remotely
Maintenance users who need to log on remotely to the PSM server must be members of the Remote Desktop Users group on the PSM server and must also be added to the list of users with the “Allow log on through Remote Desktop Services” permission in the Windows security policy. For more information about updating this setting, refer to the relevant section:
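The following PowerShell check is an added example, not part of the product documentation. It reports, for one account, whether both conditions above hold on the PSM server: membership of Remote Desktop Users and the “Allow log on through Remote Desktop Services” right (SeRemoteInteractiveLogonRight). The function name and the sample account name are assumptions made for illustration; run it from an elevated session.

```powershell
# Added example: verify remote logon prerequisites for a maintenance user.
function Test-PsmRemoteLogon {
    param([Parameter(Mandatory)][string]$UserName)   # e.g. 'EXAMPLE\maint01' (constructed name)

    # Resolve the account to its SID so name formats do not matter.
    $sid = ([Security.Principal.NTAccount]$UserName).Translate(
               [Security.Principal.SecurityIdentifier]).Value

    # S-1-5-32-555 is the well-known SID of the built-in Remote Desktop Users group.
    # Get-LocalGroupMember lists direct members only; nested domain groups are not expanded.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-555' | ForEach-Object { $_.SID.Value }
    $inGroup = $members -contains $sid

    # Export the user-rights area of the local security policy and read the RDS logon right.
    $cfg = Join-Path $env:TEMP 'psm-user-rights.inf'
    secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
    $line = Select-String -Path $cfg -Pattern '^SeRemoteInteractiveLogonRight\s*=\s*(.*)$' |
            Select-Object -First 1
    Remove-Item $cfg -Force

    # Entries are SIDs prefixed with '*' or plain account names.
    $holders = @()
    if ($line) {
        $holders = $line.Matches[0].Groups[1].Value -split ',' |
                   ForEach-Object { $_.Trim().TrimStart('*') }
    }

    $direct   = ($holders -contains $sid) -or ($holders -contains $UserName)
    $viaGroup = $inGroup -and ($holders -contains 'S-1-5-32-555')

    [pscustomobject]@{
        User                 = $UserName
        InRemoteDesktopUsers = $inGroup
        HoldsRdsLogonRight   = ($direct -or $viaGroup)
        RightHolders         = $holders   # review: other groups here are not resolved
    }
}

Test-PsmRemoteLogon -UserName 'EXAMPLE\maint01' | Format-List
```

An account that shows InRemoteDesktopUsers as True but HoldsRdsLogonRight as False can connect to the server but cannot log on to it, which is the state described above for end users.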
Disable the screen saver for the PSM local users
During installation, the following two Windows users are created for the PSM environment on the PSM machine:
| User | Description |
| --- | --- |
| PSMConnect | A Windows user that is created in order to start PSM sessions on the PSM machine. |
| PSMAdminConnect | A Windows user that is created in order to monitor live privileged sessions. |
After the PSM has been installed successfully, the Screen Saver for these users must be disabled.
Disable the screen saver for the PSM local users
1. Display the Microsoft Management Console (MMC).
2. From the File menu, select Add or Remove Snap-ins; the Add or Remove Snap-ins window appears.
3. Select Group Policy Object, then click Add; the Select Group Policy Object window appears.
4. Click Browse; the Browse for a Group Policy Object window appears.
5. In the Users tab, select the PSMConnect user, then click OK; the Select Group Policy Object window appears.
6. Click Finish; the Add or Remove Snap-ins window appears.
7. Select Group Policy Object, then click Add; the Select Group Policy Object window appears.
8. Click Browse; the Browse for a Group Policy Object window appears.
9. In the Users tab, select the PSMAdminConnect user, then click OK; the Select Group Policy Object window appears.
10. Click Finish; the Add or Remove Snap-ins window appears.
11. Click OK; the main MMC window appears and displays the User configurations for the PSMConnect user.
12. Select the following parameter:
    User Configuration\Administrative Templates\Control Panel\Personalization\Enable Screen Saver
13. Disable the screen saver for the PSMConnect user and the PSMAdminConnect user.
The PSMConnect and PSMAdminConnect Windows users are created on the PSM Server machine during PSM installation.
Configure PSMConnect and PSMAdminConnect users for PSM sessions
1. Display Local Users and Groups, and then Users; the Users’ details are displayed.
2. Configure the PSMConnect user:
   a. Right-click on the PSMConnect user and select Properties; the PSMConnect Properties window appears.
   b. In the General tab, select Password never expires.
      The PSMConnect password can be managed by the CPM and is changed periodically.
   c. In the Sessions tab, specify the following:
      ■ In End a disconnected session, specify 1 minute.
      ■ In Active session limit, specify Never.
        You can configure the maximum PSM session duration in PSM configuration in the PVWA.
      ■ Select Disconnect from session, in the section When a session limit is reached or connection is broken.
      ■ Select From originating client only, in the section Allow Reconnection.
   d. Click OK to save the new settings.
3. Configure the PSMAdminConnect user:
   a. Right-click on the PSMAdminConnect user and select Properties; the PSMAdminConnect Properties window appears.
   b. In the General tab, select Password never expires.
      The PSMAdminConnect password can be managed by the CPM and is changed periodically.
   c. In the Sessions tab, specify the following:
      ■ In End a disconnected session, specify 1 minute.
      ■ In Active session limit, specify Never.
        You can configure the maximum PSM session duration in PSM configuration in the PVWA.
      ■ In When a session limit is reached or connection is broken, select Disconnect from session.
      ■ In Allow reconnection, select From originating client only.
   d. Click OK to save the new settings and return to the Server Manager window.
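The following PowerShell audit is an added example, not part of the product documentation. It compares both local users with the General and Sessions tab values from the procedure above. It assumes the Sessions tab values are readable through the WinNT ADSI provider as the IADsTSUserEx properties named in the code, with the value meanings given in the comments; the function name is made up for illustration.

```powershell
# Added example: audit PSMConnect and PSMAdminConnect against the documented settings.
# Run in an elevated PowerShell session on the PSM server.

# Expected Sessions tab values (assumed IADsTSUserEx encoding: times in minutes).
$expected = [ordered]@{
    MaxDisconnectionTime   = 1   # End a disconnected session: 1 minute
    MaxConnectionTime      = 0   # Active session limit: Never (0 = no limit, assumed)
    BrokenConnectionAction = 0   # 0 = Disconnect from session, 1 = end session
    ReconnectionAction     = 1   # 1 = From originating client only, 0 = any client
}

function Test-PsmLocalUser {
    param([Parameter(Mandatory)][string]$Name)

    $findings = @()
    $user = [ADSI]"WinNT://$env:COMPUTERNAME/$Name,user"

    # General tab: 'Password never expires' is the 0x10000 bit of UserFlags.
    if (-not ($user.UserFlags.Value -band 0x10000)) {
        $findings += "'Password never expires' is not set"
    }

    # Sessions tab: compare each property with the value from the procedure.
    foreach ($prop in $expected.Keys) {
        $actual = $user.psbase.InvokeGet($prop)
        if ($actual -ne $expected[$prop]) {
            $findings += "$prop is $actual; expected $($expected[$prop])"
        }
    }

    [pscustomobject]@{
        User      = $Name
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

'PSMConnect', 'PSMAdminConnect' |
    ForEach-Object { Test-PsmLocalUser -Name $_ } |
    Format-List
```

Running the audit again after operating system patching or a PSM upgrade shows whether these per-user settings have drifted from the documented values.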
Install PSM in a Load-Balancing Environment
Installing multiple PSM servers in a load-balancing configuration offers customers enhanced availability, improved performance and better utilization of hardware resources compared to an active-passive cluster.
For details, see Install PSM in a Load-Balancing Environment.
This procedure describes how to configure the PSMConnect and PSMAdminConnect users’ passwords so that they are managed by the CPM.
Configure the PSM Users’ Passwords
1. Click POLICIES to display the Policies page, then click Access Control (Safes); a list of Safes is displayed.
2. Select the relevant Safe, then click Members; the Safe Details page appears.
3. Click Add Member, and add users who will manage the account as Safe members, with the following authorizations:
   ■ Use Password/Use accounts
   ■ Retrieve Files/Retrieve accounts
   ■ List Files/List accounts
   ■ Update Files/Update password value
4. Click Edit; the Edit Safe page appears.
5. Assign the PSM Safe to the relevant CPM:
   a. In the Safes List, select PSM; the Safe Details page for the PSM Safe appears.
   b. Click Edit; the Edit Safe page for the PSM Safe appears.
   c. In Assigned to CPM, select the CPM that will manage the PSM Safe, then click Save; the PSM Safe will be assigned to the specified CPM.
6. Assign the PSMConnect and PSMAdminConnect users’ accounts to the WinServerLocal platform. For the first PSM that is installed, by default, this account is called PSMServer. Accounts for subsequent PSM servers are called according to the name of the machine where the PSM is installed.
   a. In the Accounts List, select the PSMConnect account; the Accounts Details page for the selected password appears.
   b. Click Edit; the Edit Account page appears.
   c. In the Policy ID drop-down box, select WinServerLocal.
   d. Repeat this step for the PSMAdminConnect account.
7. (Optional) It is recommended to configure these password changes to take place during the night or at another time when user access to accounts in the Safe is minimal.
   In the System Configuration page, display the WinServerLocal platform and specify the following parameter values:
   ■ In the Password Change parameters:

     | Parameter | Value |
     | --- | --- |
     | FromHour | 2 |
     | ToHour | 5 |

   ■ In the Password Verification parameters:

     | Parameter | Value |
     | --- | --- |
     | VFFromHour | 2 |
     | VFToHour | 5 |

8. Click Apply to save the changes and apply them immediately.
Infognition ScreenPressor
The Infognition ScreenPressor codec is installed on the PSM server with PSM, and appears in the list of installed programs.
PSM uses this program to run. Do not uninstall it.
Microsoft security updates
If PSM is installed on Windows 2016, make sure to apply SQL Microsoft security updates regularly.