Resource | Description |
---|---|
Publisher | Optional application that can be used to make it easier to publish your remote applications. |
Launcher | Required component that must be published to securely launch and inject credentials into target applications. |
AutoIt | Sample AutoIT scripts and examples for injecting passwords into Windows forms and web applications. |
Go chromedp | chromedp is a library in Go for automating browsers. It can be used to automate credential injections in web forms. |
Deprecated Publisher | Before the Publisher, this tool was used to create published RDP applications to launch with the One Identity Safeguard remote application Launcher. |
SCALUS | Optional component. After completing approval workflow, there are two ways for the end user to start an SPP-initiated RDP application session: 1) download the RDP file from Safeguard, 2) click the launch button to invoke a custom URL via Session Client Application Launch Uri System (SCALUS). |
Read the Background below, then
After you are familiar with the basic tutorial, the following resources will be helpful to create your own RDP application launching scenario.
Those links will explain how those launching scenarios are built.
The RDP Applications solution consists of multiple components working together to provide seamless privileged access to published RDP applications. The solution may be configured to require approvals via SPP access request workflow and credential injection for both the RDP connection and the published RDP application. The end user requests session access and starts the session in the normal way, but only the requested remote application appears on the screen rather than a full remote desktop session.
Component | Description |
---|---|
SPP | Safeguard for Privileged Passwords appliance used for RDP Application policy definition, access request workflow, and privileged credential vaulting. |
SPS | Safeguard for Privileged Sessions appliance used for session proxy and credential injection. |
Jump Host | Windows server (or desktop**) used to configure the published RDP application and hosts the RDP session connection. |
Target Server | Any server that hosts the target application. In the diagram this is a server with a database installed, but it could be a server with an application server or could even be a cloud target. The important thing to note is that the critical application does not have to be installed on the Jump Host. |
Launcher | One Identity Safeguard remote application Launcher (OI-SG-RemoteApp-Launcher.exe); this is an installable component downloadable from the One Identity support site. This component is published as the RDP application, because it can communicate securely with SPS to retrieve the application credential and use it to launch the target application. |
Client | The client program used to access the target application. In the diagram, this is a database client such as SQL Server Management Studio, DBeaver, or MySQL Workbench. This client is invoked by the Launcher and the application credentials are passed via the command line. |
Wrapper | A script or executable used to wrap the client program to help inject credentials. There are many application clients that do not support credentials from the command line. In these cases, AutoIt and other technologies can be used to populate forms and submit credentials. Much of the content of this section is dedicated to samples and documentation for how this may be accomplished. |
Publisher | The Remote Application Publisher component is not depicted in the diagram. It is an open source project that facilitates the RDP application configuration necessary to publish the Launcher and required command line as a published RDP application on Windows. This configuration can be created manually or using Microsoft's tools, but the Publisher component |
NOTE: Published RDP applications are stored in the Windows registry at:HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\TSAppAllowList\Applications
.
USE CASE #1: Privileged access to a database containing sensitive data
Setup required by the admin:
- Install the
OI-SG-RemoteApp-Launcher.exe
(aka the Launcher) on the jump host. - Install the client program,
DBeaver
, which will be used to access the target database. - Use the Remote Application Publisher or the native Microsoft tooling to register
OI-SG-RemoteApp-Launcher.exe
as a remote application.- You will need to design command-line arguments to
OI-SG-RemoteApp-Launcher.exe
that will in turn launchDBeaver
and pass the username, password, and target database on the command-line. - Use the
--cmd <CMD>
and--args <ARGS>
parameters respectively to specify the full path to theDBeaver
client program and argument string forDBeaver
. - Use the
--enable-debug
parameter for debugging. Debug logs for each launch will be created in%AppData%\OneIdentity\OI-SG-RemoteApp-Launcher\
.
- You will need to design command-line arguments to
The following is a description of how the solution works for an end-user:
- The end user navigates to the SPP portal to request privileged access to the Postgres database running on
dbms.dan.vas
as theadmin
account. This can be done either using a favorite or by searching for "dbms.dan.vas admin". - The necessary approval workflow as configured in the RDP Application access policy must be satisfied to grant privileged access.
- The end user may start the session by downloading an RDP file from the SPP portal or by clicking on the
Launch Session
button in the SPP portal. TheLaunch Session
button requires a up-to-date version of SCALUS. - The end user client computer will establish an RDP connection to the SPS, which uses in-band destination selection to create the RDP connection to the jump host,
jumprdp.dan.vas
. Credentials required to authenticate to the jump host are securely retrieved from SPP and played into the RDP connection. The credentials for the RDP connection could be a local account onjumprdp.dan.vas
or an AD account in thedan.vas
domain. Additional information and credentials necessary to access the target system (the Postgres database) are also retrieved from SPP. In this case, the credentials are the password for theadmin
account ondbms.dan.vas
. - When the RDP session is authenticated and connected, instead of creating a full desktop session, only the
OI-SG-RemoteApp-Launcher.exe
application (aka the Launcher) is started. - The Launcher securely retrieves the target system credentials from SPS and uses them to execute the command line specified in the registered remote application command line. The specified command line will contain the client program along with credential information necessary to access the target system (the Postgres database).
- The end user sees the client program,
DBeaver
, appear on their local desktop, even though it is actually running on the jump host. This is because the RDP drawing channel coming from the jump host is rendered directly on their local desktop, and the keyboard and mouse events are sent over RDP to the jump host. - After the end user closes the client program, the RDP connection is closed. There will be a recording of the end user activity available from the SPS search interface.
VIDEO:
Coming soon...
USE CASE #2: Privileged access to a MS SQL Server via SQL Server Management Studio
Setup required by the admin:
- Install the
OI-SG-RemoteApp-Launcher.exe
(aka the Launcher) on the jump host. - Install the client program,
SQL Server Management Studio
, which will be used to access the target database. - Use the Remote Application Publisher or the native Microsoft tooling to register
OI-SG-RemoteApp-Launcher.exe
as a remote application. (see notes in USE CASE #1) - Because
SQL Server Management Studio
cannot take a password on the command line, the password must be entered in via automation.- Use AutoIt as a wrapper to launch the client program, wait for the prompt, and play it in.
- Write the script and compile it as an executable. Use this AutoIT example.
The end-user experience will be the same as in USE CASE #1. The only difference will be that instead of loading DBeaver
, the end-user will see SQL Server Management Studio
load.
VIDEO:
Coming soon...
USE CASE #3: Privileged access to SPS admin account
Setup required by the admin:
- Install the
OI-SG-RemoteApp-Launcher.exe
(aka the Launcher) on the jump host. - Install a browser to be the client program--chrome or edge work well.
- Use the Remote Application Publisher or the native Microsoft tooling to register
OI-SG-RemoteApp-Launcher.exe
as a remote application. (see notes in USE CASE #1) - Because the web browser cannot take a password on the command line, the password must be entered in via automation.
- Use Go chromedp as a wrapper to launch the browser and play in the credential
- Write the script and compile it as an executable. Use this sps example.
VIDEO:
Coming soon...