Privileged Session Management Interface

The Privileged Session Management UI parameters of the Configuration Options determine how PSM-related items are displayed in the PVWA, as well as the user experience during PSM sessions.

User experience

The following general Privileged Session Management UI parameters configure the user experience for PSM sessions and define which method is used to establish the connection:

Parameter

Description

ConnectPSMWithRDPActiveX

This parameter determines whether PSM connects with Microsoft RDP ActiveX or with an RDP file.

Possible values:

Always:

  • Microsoft RDP ActiveX is always used to establish PSM connections, preventing connections from non-Internet Explorer browsers, such as Firefox.
  • RDP files are never used to establish connections.

ByBrowser:

  • Microsoft RDP ActiveX is used to establish connections through Internet Explorer.
  • An RDP file is used to establish PSM connections from non-Internet Explorer browsers, such as Firefox.

Never (Default):

  • Microsoft RDP ActiveX is never used to establish connections.
  • An RDP file is used to establish PSM connections from both Internet Explorer and non-Internet Explorer browsers.

UseRemoteApp

This parameter determines whether or not PSM sessions are displayed in a standard client window, facilitating an intuitive user experience. This is only relevant when PSM connections are established using an RDP file.

You can disable RemoteApp user experience for each connection component by setting the parameter DisableRemoteApp for the relevant connection component. For more information, refer to Connection Component Configuration.

You can configure PSM to provide secure remote access to a target machine through an HTML5 gateway. With HTML5 connections, the session to the remote machine is displayed in a browser regardless of the settings in the table above. For configuration details, see Secure Access with an HTML5 Gateway.

The following table shows the Remote app experience based on how the above parameters are set.

| ConnectPSMWithRDPActiveX | IE | Non-IE | Remote app experience |
| --- | --- | --- | --- |
| Always | Windows ActiveX | Not supported | Not supported |
| ByBrowser | Windows ActiveX | RDP file | IE: Not supported; Non-IE: Supported |
| Never | RDP file | RDP file | Supported |

Requirements for PSM connection using an RDP file

  • Requires PSM 9.2 or later and Vault/PVWA 9.2 or later.

  • RemoteApp user experience requires RDP client v6.1.7601 or above (RDP protocol version v7.1 or later) on end user machines.

Enable multiple monitors

Use the native span method to extend a Remote Desktop Connection across multiple monitors to benefit from extra desktop space and near seamless experience with the client desktop. For end user details, see Multiple Monitors.

For details on the native span method, see https://www.nextofwindows.com/how-to-use-dual-monitors-in-remote-desktop-session-on-windows-7.

To enable your users to extend their desktop over multiple screens during an RDP session, enable the RemoteApp user experience by doing the following:

To enable multiple monitors in RDP connections
  1. In the PVWA go to Administration > Options > PIM Suite Configuration > Privileged Session Management UI and verify the following property settings:

    | Property | Setting |
    | --- | --- |
    | NonIERemoteDesktopAccess | RDPFile |
    | UseRemoteApp | Yes |

  2. Go to Administration > Options > PIM Suite Configuration > Connection Components > PSM-RDP > Component Parameters and verify the following:

    | Property | Setting |
    | --- | --- |
    | DisableRemoteApp | No |

  3. Go to Administration > Options > PIM Suite Configuration > Connection Components > PSM-RDP > Target Setting > Client Specific. Right-click, select Add Parameter:

    | Property | Setting |
    | --- | --- |
    | EnableMultiMonitor | Yes |

 

If you are working with the RemoteApp UX and you have enabled session video recording, PSM performance is affected by the client machine's resolution. This means as the number of screens on the client machines increases, PSM can support fewer concurrent sessions.
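
The three steps above only take effect when the session is actually opened from an RDP file, which depends on ConnectPSMWithRDPActiveX and the browser (see the RemoteApp table earlier on this page). The following check is an added example, not CyberArk code; the flat settings dictionary is an assumed layout whose values are transcribed by hand from the PVWA pages named in the steps.

```python
# Added example (not CyberArk code). The flat `settings` dict is an assumed
# layout: values are transcribed by hand from the PVWA pages named in the steps.
RDP_FILE, ACTIVEX = "RDP file", "Windows ActiveX"

def connection_method(activex_mode, browser_is_ie):
    """Method chosen per the ConnectPSMWithRDPActiveX table; None = not supported."""
    if activex_mode == "Always":
        return ACTIVEX if browser_is_ie else None
    if activex_mode == "ByBrowser":
        return ACTIVEX if browser_is_ie else RDP_FILE
    if activex_mode == "Never":
        return RDP_FILE
    raise ValueError(f"unknown ConnectPSMWithRDPActiveX value: {activex_mode!r}")

# (property, value required by the procedure, where it is set in the PVWA)
MULTIMONITOR_REQUIREMENTS = [
    ("NonIERemoteDesktopAccess", "RDPFile", "Privileged Session Management UI"),
    ("UseRemoteApp", "Yes", "Privileged Session Management UI"),
    ("DisableRemoteApp", "No", "PSM-RDP > Component Parameters"),
    ("EnableMultiMonitor", "Yes", "PSM-RDP > Target Setting > Client Specific"),
]

def multimonitor_findings(settings, browser_is_ie):
    """Return the reasons multi-monitor sessions will not work; empty list = ready."""
    findings = []
    for name, required, location in MULTIMONITOR_REQUIREMENTS:
        actual = settings.get(name)  # EnableMultiMonitor is absent until step 3 adds it
        if actual != required:
            findings.append(f"{name} is {actual!r}, expected {required!r} ({location})")
    mode = settings.get("ConnectPSMWithRDPActiveX", "Never")  # Never is the default
    method = connection_method(mode, browser_is_ie)
    if method != RDP_FILE:
        findings.append(f"connection method is {method!r}; RemoteApp needs an RDP file")
    return findings

# Constructed sample: all three steps are done, but ActiveX is forced for every browser.
SAMPLE = {
    "ConnectPSMWithRDPActiveX": "Always",
    "NonIERemoteDesktopAccess": "RDPFile",
    "UseRemoteApp": "Yes",
    "DisableRemoteApp": "No",
    "EnableMultiMonitor": "Yes",
}

if __name__ == "__main__":
    for finding in multimonitor_findings(SAMPLE, browser_is_ie=True):
        print(finding)
```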

View high risk sessions

PSM can integrate with CyberArk Privileged Threat Analytics (PTA) in order to analyze the details of PSM privileged sessions and user activities in each session. The PTA receives details of each session and analyzes them, and then assigns a risk score. This score is sent to the Vault when it is created and when it is updated in real time as the session proceeds. The risk score is displayed in the PVWA MONITORING page, in the PSM recordings details for active sessions and for privileged sessions that have already finished. For more information about PTA functionality and risk scores, refer to the PTA Implementation Guide.

The following workflow describes how to configure PSM to integrate with PTA and display risk scores for privileged sessions.

Search for session recordings

Search Session Recordings

These parameters, in the Privileged Session Management UI parameters, configure the Search for Sessions page.

The following General parameters configure the search criteria that users can specify in order to locate session recordings.

| Parameter | Description |
| --- | --- |
| DefaultFilterByDates | Determines whether or not the ‘Filter by dates’ section is enabled. By default, this parameter is set to ‘No’. |
| DefaultFromTime | Specifies the default filter time for the search if a ‘From date’ is specified. By default, searches include recordings that occurred after 08:00. |
| DefaultToTime | Specifies the default filter time for the search if a ‘To date’ is specified. By default, searches include recordings that occurred before 23:45. |
| DisplaySafeInSearch | Determines whether or not an additional text box is displayed in the search bar to enable users to specify a Safe pattern. This is used to filter Safes during a search. By default, this parameter is set to ‘No’. |
| OptimizeRecordingsSearch | Specifies whether or not recording searches are optimized. Specify ‘Yes’ to enable faster searches, with the following limitations: |

  • The searched values are matched as prefixes. For example, a search for "admin" matches "administrator" but does not match "123admin".

  • Only the first 50 characters of each search keyword are considered when trying to match them against the session properties.
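
The two limitations matter when recordings are searched during a review or investigation, because an optimized search can both miss sessions and return extra ones. The following model is an added example, not CyberArk code; it assumes each property value is compared as a single case-sensitive string and that the non-optimized search is a substring match, and all records are constructed.

```python
# Added example (a model, not CyberArk code). Assumptions: each property value
# is compared as one case-sensitive string, and the non-optimized search is a
# substring match. The page states only the two optimized-search limitations.
KEYWORD_LIMIT = 50  # only the first 50 characters of a keyword are considered

def matches(keyword, value, optimized, limit=KEYWORD_LIMIT):
    if optimized:
        return value.startswith(keyword[:limit])  # prefix match on a cut keyword
    return keyword in value

def search(recordings, keyword, optimized, limit=KEYWORD_LIMIT):
    """Return the File value of every recording with a matching property."""
    return [r["File"] for r in recordings
            if any(matches(keyword, value, optimized, limit)
                   for name, value in r.items() if name != "File")]

def missed_by_optimized(recordings, keyword):
    """Recordings a substring search finds but the optimized search does not."""
    fast = set(search(recordings, keyword, optimized=True))
    return [f for f in search(recordings, keyword, optimized=False) if f not in fast]

def extra_from_truncation(recordings, keyword):
    """Recordings returned only because the keyword was cut to 50 characters."""
    untruncated = set(search(recordings, keyword, True, limit=len(keyword)))
    return [f for f in search(recordings, keyword, True) if f not in untruncated]

LONG_HOST = "db-" + "a" * 47  # constructed 50-character host name prefix

# Constructed records; property names are columns listed on this page.
RECORDINGS = [
    {"File": "rec-001", "AccountUsername": "administrator",
     "RemoteMachine": "srv01", "PIMSuCommand": "id"},
    {"File": "rec-002", "AccountUsername": "123admin",
     "RemoteMachine": "srv02", "PIMSuCommand": "whoami"},
    {"File": "rec-003", "AccountUsername": "root",
     "RemoteMachine": LONG_HOST + "-prod", "PIMSuCommand": "sudo passwd root"},
    {"File": "rec-004", "AccountUsername": "root",
     "RemoteMachine": LONG_HOST + "-test", "PIMSuCommand": "passwd"},
]

if __name__ == "__main__":
    print(missed_by_optimized(RECORDINGS, "admin"))
    print(missed_by_optimized(RECORDINGS, "passwd"))
    print(extra_from_truncation(RECORDINGS, LONG_HOST + "-prod"))
```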

Recordings Displayed Columns

These parameters define the columns displayed in the list of recordings as a result of the search process.

| Parameter | Description |
| --- | --- |
| SortBy | Specifies the name of the column by which to sort the recordings displayed in the search results. By default, the recordings are sorted by the Safe column. |

The specified columns are properties of the password or recording. By default, the following columns can be specified to locate session recordings:

File
PIMSuCWD
AccountUsername
Duration
Safe
RemoteMachine
AccountAddress
VideoSize
Folder
ClientApp
AccountPolicyID
TextSize
User
Protocol
Start
LockedBy
FromIP
AccountDetails
End
TicketID
PIMSuCommand
RiskScore
   

The following parameters define each column that is displayed:

| Parameter | Description |
| --- | --- |
| Name | Specifies the name of the property that is displayed in this column. |
| DisplayName | Specifies the title of the column that is displayed. If this is not specified, the default property name is displayed. |
| Width | Specifies the width of the column in pixels. |
| DataType | Specifies the type of information that is displayed in the column. The data type can be a string, date, or image. |
| Visible | Determines whether or not the column is visible. |

View recording details

These parameters, in the Privileged Session Management UI parameters, configure the Recording Details page.

| Parameters | Description |
| --- | --- |
| Recording Descriptor Properties | Define the recording properties that comprise the display name of the PSM recordings. You can specify the name of each property and whether or not it is displayed. |
| Recording Details Properties | Define the recording properties that are displayed in the Recording Details page. You can specify the name of each property, the display name, and whether or not it is displayed. |
| Recording Details Password Properties | Define the properties of the password that was used during the recording session that is displayed. You can specify the name of each property, the display name, and whether or not it is displayed. |
| Toolbar Actions | Define the buttons that appear on the toolbar in the Recording Details page. You can specify the name of each button and whether or not it is displayed. |
| Recording Details Tabs | Define the tabs that are displayed in the Recording Details page. For each tab, you can specify the following: |

  • The General parameter, ReportPeriod, specifies the default number of days that is included in the list.

  • The Displayed Columns parameters define the columns that are displayed in the tab.

  • The SortBy parameter specifies the name of the column by which to sort the recordings in the tab. By default, the recordings are sorted by the Time column.

    You can specify the following parameters for each column:

    • Name - specifies the name of the property that is displayed in this column.

    • DisplayName - specifies the title of the column that is displayed. If this is not specified, the default property name is displayed.

    • Width - specifies the width of the column in pixels.

    • DataType - specifies the type of information that is displayed in the column. The data type can be a string, date, or image.

    • Visible - determines whether or not the column is visible.

View account recordings

The Account Details Session Recordings parameters, in the Privileged Session Management UI parameters, define the columns that are displayed in the Recordings tab in the Account Details page.

The SortBy parameter specifies the name of the column by which to sort the recordings in the tab. By default, the recordings are sorted by the Safe column.

You can specify the following parameters for each column:

| Parameter | Description |
| --- | --- |
| Name | Specifies the name of the property that is displayed in this column. |
| DisplayName | Specifies the title of the column that is displayed. If this is not specified, the default property name is displayed. |
| Width | Specifies the width of the column in pixels. |
| DataType | Specifies the type of information that is displayed in the column. The data type can be a string, date, or image. |
| Visible | Determines whether or not the column is visible. |

Display active sessions

The following Active Sessions Displayed Columns parameters define the columns displayed in the list of active sessions.

The SortBy parameter specifies the name of the column by which to sort the sessions. By default, the sessions are sorted by the Safe column.

The specified columns are properties of the password or sessions. By default, the following columns can be specified to locate active sessions:

File
FromIP
AccountDetails
Start
Safe
RemoteMachine
AccountUsername
TicketID
Folder
ClientApp
AccountAddress
Risk Score
User
Protocol
AccountPolicyID
 

The following parameters define each column that is displayed:

| Parameter | Description |
| --- | --- |
| Name | Specifies the name of the property that is displayed in this column. |
| DisplayName | Specifies the title of the column that is displayed. If this is not specified, the default property name is displayed. |
| Width | Specifies the width of the column in pixels. |
| DataType | Specifies the type of information that is displayed in the column. The data type can be a string, date, or image. |
| Visible | Determines whether or not the column is visible. |

Configure direct playback in the PVWA

The JumpOffset parameter, in the Commands parameters in the Privileged Session Management UI parameters, defines the time (in seconds) prior to the location of a selected command that the recording will begin to play.

The Streaming parameters, in the Privileged Session Management UI parameters, define the embedded video player that is used to play PSM recordings directly in the PVWA.

 

The embedded video player requires that Adobe Flash player 10.0 browser add-on or later is installed on the end users’ browser.

| Parameter | Description |
| --- | --- |
| Enabled | Determines whether or not authorized users can play recordings directly in the PVWA. If this parameter is set to Yes, users will be able to play recordings using an embedded video player. If this parameter is set to No, recordings are downloaded and played using the default media player. The default value is Yes. |
| Width | Determines the width of the embedded video player that is displayed. The default value is 800 pixels. |
| Height | Determines the height of the embedded video player that is displayed. The default value is 600 pixels. |
| AutoPlay | Determines whether direct playback starts automatically after selecting the recording to play, or whether the embedded video player is displayed and the user is able to start playback by clicking the Play button. The default value is Yes, indicating that the direct playback starts playing automatically. |
| AllowFullScreen | Determines whether or not users can expand the video display area to utilize the entire screen. The default value is Yes. |
| AllowDownload | Determines whether or not users can download recordings as files when streaming is enabled. The default value is Yes. |
| BufferSize | Specifies the size, in megabytes, that the video player requests from the server on each data request. The default value is 1 (one) megabyte. |

Display notification when remote session starts

A notification can be displayed when a remote session is opened and the PSM starts recording it, ensuring that users know that their session is being recorded. This notification is displayed at the bottom right corner of the remote session window.

This notification can be configured with the following parameters in the Privileged Session Management parameters of each platform configured for PSM:

| Parameter | Description |
| --- | --- |
| ShowRecordedSessionNotification | Determines whether or not a notification is displayed when the PSM starts recording a remote session. The default value is Yes. |
| RecordedSessionNotificationDisplayTime | Determines the number of seconds that the recorded session notification is displayed. The default value is 5 seconds. If 0 (zero) is specified, the notification is not closed automatically and is displayed until the user closes it. |

Display a notification when a session is recorded
  1. In the PVWA, go to Administration > Platform Management.

  2. Select the platform to configure, then click Edit; the settings page for the selected platform appears.

  3. Expand UI & Workflows, and then right-click Privileged Session Management.

  4. In the Properties list, specify a value for the ShowRecordedSessionNotification property.

  5. Specify a value for the RecordedSessionNotificationDisplayTime property.

  6. Save your changes.