Privileged Session Management Interface
The Privileged Session Management UI parameters of the Web Access Options determine how PSM-related items will be displayed in the PVWA, as well as the user experience during PSM sessions.
User experience
The following general Privileged Session Management UI parameters configure the user experience for PSM sessions and define which method will be used to establish the connection:
Parameter | Description |
---|---|
ConnectPSMWithRDPActiveX | The parameter determines whether PSM will connect with Microsoft RDP ActiveX or with an RDP file. Possible values: Always, ByBrowser, Never (Default). |
UseRemoteApp | This parameter determines whether or not PSM sessions are displayed in a standard client window, facilitating an intuitive user experience. This is only relevant when PSM connections are established using an RDP file. You can disable RemoteApp user experience for each connection component by setting the parameter DisableRemoteApp for the relevant connection component. For more information, refer to Connection Component Configuration. |
You can configure PSM to provide secure remote access to a target machine through an HTML5 gateway. With HTML5 connections, the session to the remote machine is displayed in a browser regardless of the settings in the table above. For configuration details, see Secure Access with an HTML5 Gateway.
The following table shows the Remote app experience based on how the above parameters are set.
ConnectPSMWithRDPActiveX | IE | Non-IE | Remote app experience |
---|---|---|---|
Always | Windows ActiveX | Not supported | Not supported |
ByBrowser | Windows ActiveX | RDP file | IE: Not supported. Non-IE: Supported |
Never | RDP file | RDP file | Supported |
Requirements for PSM connection using an RDP file
- Requires PSM 9.2 or later and Vault/PVWA 9.2 or later.
- RemoteApp user experience requires RDP client v6.1.7601 or above (RDP protocol version v7.1 or later) on end user machines.
Enable multiple monitors
Use the native span method to extend a Remote Desktop Connection across multiple monitors to benefit from extra desktop space and near seamless experience with the client desktop. For end user details, see Multiple Monitors.
For details on the native span method, see https://www.nextofwindows.com/how-to-use-dual-monitors-in-remote-desktop-session-on-windows-7.
To enable your users to extend their desktop over multiple screens during an RDP session, enable the RemoteApp user experience by doing the following:
- Log in to PVWA as a Vault administrator.
- Go to Administration > Options > Privileged Session Management UI and verify the following property settings:

Property | Setting |
---|---|
NonIERemoteDesktopAccess | RDPFile |
UseRemoteApp | Yes |

- Go to Administration > Connection Components > PSM-RDP > Component Parameters and verify the following:

Property | Setting |
---|---|
DisableRemoteApp | No |

- Go to Administration > Options > Connection Components > PSM-RDP > Target Setting > Client Specific. Right-click, select Add Parameter:

Property | Setting |
---|---|
EnableMultiMonitor | Yes |

If you are working with the RemoteApp UX and you have enabled session video recording, PSM performance is affected by the client machine's resolution. This means that as the number of screens on the client machines increases, PSM can support fewer concurrent sessions.
View high risk sessions
PSM can integrate with CyberArk Privileged Threat Analytics (PTA) in order to analyze the details of PSM privileged sessions and user activities in each session. The PTA receives details of each session and analyzes them, and then assigns a risk score. This score is sent to the Vault when it is created and when it is updated in real time as the session proceeds. The risk score is displayed in the PVWA MONITORING page, in the PSM recordings details for active sessions and for privileged sessions that have already finished. For more information about PTA functionality and risk scores, refer to the PTA Implementation Guide.
The following workflow describes how to configure PSM to integrate with PTA and display risk scores for privileged sessions.
1. Configure PSM connections so that users can access remote machines through the PSM.
2. Make sure that PSM detailed audit capabilities are enabled. For more information, refer to Configure detailed audit in PSM.
3. Install PTA and configure it to integrate with PSM. For more information, refer to the PTA Implementation Guide.
4. In the PVWA, configure PSM integration with PTA:
   a. Click ADMINISTRATION, then in the System Configuration page, click Options; the Web Access Options page appears.
   b. Display the Privileged Session Management UI parameters and configure the following property:

Property | Description |
---|---|
PSMandPTAIntegration | The parameter determines whether or not security incident data received from PTA will be displayed. This includes the risk score column in the Sessions List and the incident details in the Recording Details page. |

5. Define the Security Incident details that will be displayed in the Recording Details page and the Active Sessions page.
   a. Under the Privileged Session Management UI parameters, expand the Recording Details parameters, and then Recordings Security Incidents Properties.
   b. Select the Displayed Properties parameters, and set the following properties:

Property | Description |
---|---|
IncidentName | The name of the security incident. Default value: Name |
IncidentID | The unique ID of the security incident. Default value: ID |
IncidentLink | A link to the PTA page that displays more information about the security incident. Default value: URL |
RiskScore | The risk score that was allocated to the security incident. Default value: Risk Score |
IncidentStartDate | The date and time when the security incident began. Default value: Incident Start Date |
Activity | The activity that caused a security incident. Default value: Highest Risk Activity |
ActivityOffset | The length of time after the privileged session started that the risk activity was performed. Default value: Activity Offset from Start of Session |

6. Click Apply to save these configurations and apply them.
Search for session recordings
Search Session Recordings
These parameters, in the Privileged Session Management UI parameters, configure the Search for Sessions page.
The following General parameters configure the search criteria that users will be able to specify in order to locate session recordings.
Parameter | Description |
---|---|
DefaultFilterByDates | Determines whether or not the ‘Filter by dates’ section will be enabled by default. By default, this parameter is set to ‘No’. |
DefaultFromTime | Specifies the default filter time for the search if a ‘From date’ is specified. By default, searches include recordings that occurred after 08:00. |
DefaultToTime | Specifies the default filter time for the search if a ‘To date’ is specified. By default, searches include recordings that occurred before 23:45. |
DisplaySafeInSearch | Determines whether or not an additional text box will be displayed in the search bar to enable users to specify a Safe pattern. This will be used to filter Safes during a search. By default, this parameter is set to ‘No’. |
OptimizeRecordingsSearch | Specifies whether or not recording searches will be optimized. Specify ‘Yes’ to enable faster searches, with the following limitations: |
Recordings Displayed Columns
These parameters define the columns displayed in the list of recordings as a result of the search process.
Parameter | Description |
---|---|
SortBy | Specifies the name of the column by which to sort the recordings displayed in the search results. By default, the recordings are sorted by the Safe column. |
The specified columns are properties of the password or recording. By default, the following columns can be specified to locate session recordings:
The following parameters define each column that will be displayed:
Parameter | Description |
---|---|
Name | Specifies the name of the property that will be displayed in this column |
DisplayName | Specifies the title of the column that will be displayed. If this is not specified, the default property name will be displayed. |
Width | Specifies the width of the column in pixels. |
DataType | Specifies the type of information that will be displayed in the column. The data type can be a string, date, or image. |
Visible | Determines whether or not the column will be visible. |
View recording details
Recording Details
These parameters, in the Privileged Session Management UI parameters, configure the Recording Details page.
The parameters define the buttons that appear on the toolbar in the Recording Details page. You can specify the name of each button and whether or not it will be displayed.
Parameters | Description |
---|---|
Recording Descriptor Properties | Define the recording properties that will comprise the display name of the PSM recordings. You can specify the name of each property and whether or not it will be displayed. |
Recording Details Properties | Define the recording properties that are displayed in the Recording Details page. You can specify the name of each property, the display name, and whether or not it will be displayed. |
Recording Details Password Properties | Define the properties of the password that was used during the recording session that will be displayed. You can specify the name of each property, the display name, and whether or not it will be displayed. |
Toolbar Actions Recording Details Tabs | Define the tabs that are displayed in the Recording Details page. For each tab, you can specify the following: |
View account recordings
The Account Details Session Recordings parameters, in the Privileged Session Management UI parameters, define the columns that will be displayed in the Recordings tab in the Account Details page.
The SortBy parameter specifies the name of the column by which to sort the recordings in the tab. By default, the recordings are sorted by the Safe column.
You can specify the following parameters for each column:
Parameter | Description |
---|---|
Name | Specifies the name of the property that will be displayed in this column. |
DisplayName | Specifies the title of the column that will be displayed. If this is not specified, the default property name will be displayed. |
Width | Specifies the width of the column in pixels. |
DataType | Specifies the type of information that will be displayed in the column. The data type can be a string, date, or image. |
Visible | Determines whether or not the column will be visible. |
Display active sessions
The following Active Sessions Displayed Columns parameters define the columns displayed in the list of active sessions.
The SortBy parameter specifies the name of the column by which to sort the sessions. By default, the sessions are sorted by the Safe column.
The specified columns are properties of the password or sessions. By default, the following columns can be specified to locate active sessions:
The following parameters define each column that will be displayed:
Parameter | Description |
---|---|
Name | Specifies the name of the property that will be displayed in this column. |
DisplayName | Specifies the title of the column that will be displayed. If this is not specified, the default property name will be displayed. |
Width | Specifies the width of the column in pixels. |
DataType | Specifies the type of information that will be displayed in the column. The data type can be a string, date, or image. |
Visible | Determines whether or not the column will be visible. |
Direct playback in the PVWA
The JumpOffset parameter, in the Commands parameters of the Privileged Session Management UI parameters, defines the time (in seconds) prior to the location of a selected command at which the recording will begin to play.
The Streaming parameters, in the Privileged Session Management UI parameters, define the embedded video player that is used to play PSM recordings directly in the PVWA.
The embedded video player requires that the Adobe Flash Player 10.0 browser add-on or later is installed on the end users’ browsers.
Parameter | Description |
---|---|
Enabled | Determines whether or not authorized users can play recordings directly in the PVWA. If this parameter is set to Yes, users will be able to play recordings using an embedded video player. If this parameter is set to No, recordings will be downloaded and played using the default media player. The default value is Yes. |
Width | Determines the width of the embedded video player that is displayed. The default value is 800 pixels. |
Height | Determines the height of the embedded video player that is displayed. The default value is 600 pixels. |
AutoPlay | Determines whether direct playback will start automatically after selecting the recording to play, or whether the embedded video player will be displayed and the user will be able to start playback by clicking the Play button. The default value is Yes, indicating that the direct playback will start playing automatically. |
AllowFullScreen | Determines whether or not users will be able to expand the video display area to utilize the entire screen. The default value is Yes. |
AllowDownload | Determines whether or not users will still be able to download recordings as files when streaming is enabled. The default value is Yes. |
BufferSize | Specifies the size, in megabytes, that the video player will request from the server on each data request. The default value is 1 (one) megabyte. |
Notifications
A notification can be displayed when a remote session is opened and the PSM starts recording it, ensuring that users know that their session is being recorded. This notification is displayed at the bottom right corner of the remote session window.
This notification can be configured with the following parameters in the Privileged Session Management parameters of each platform configured for PSM:
Parameter | Description |
---|---|
ShowRecordedSessionNotification | Determines whether or not a notification will be displayed when the PSM starts recording a remote session. The default value is Yes. |
RecordedSessionNotificationDisplayTime | Determines the number of seconds that the recorded session notification is displayed. The default value is 5 seconds. If 0 (zero) is specified, the notification will not be closed automatically and will be displayed until the user closes it. |
- Click ADMINISTRATION to display the System Configuration page, then click Platform Management to display a list of supported target account platforms.
- Select the platform to configure, then click Edit; the settings page for the selected platform appears.
- Expand UI & Workflows, and then right-click Privileged Session Management.
- In the Properties list, specify a value for the ShowRecordedSessionNotification property.
- Specify a value for the RecordedSessionNotificationDisplayTime property.
- Save the changes:
  - Click Apply to save and apply these configurations and stay in the platform settings page.
  - Click Save to save these configurations and return to the System Configuration page.
These changes will be applied the next time the PSM refreshes the configuration, according to the value of the ConfigurationRefreshInterval parameter in the Privileged Session Management configuration.