Getting Started with Command Control Policies

This guide is designed for System Administrators to learn about PAM Command Control and how it can be used to govern which commands can or cannot be executed by users during remote sessions.

To complete the guide be sure that you have access to a PAM System Administrator account.

This Guide will be broken into two parts. The first part will describe how to setup a basic whitelist command policy and the second part will describe how to setup a blacklist command policy.

In the attempt to keep this guide short and quick, we will demonstrate the functionality and provide screenshots using a Windows Host remote session, but please keep in mind that the same setup can be applied to a Unix Host remote session as well.

Jump to Whitelist Command Policy

Jump to Blacklist Command Policy

Whitelist Command Policy

In the whitelist scenario, we want to permit a user to login to a production server, but limit their ability to execute only certain commands.

For this, we are going to implement a whitelist policy to include the command iisreset and then apply this policy to both this user and the production server.

Finally, we will login to this policy controlled remote session to demonstrate how it will work from a user’s perspective.

 

1. Creating a Command Control Policy

2. Applying the Policy to a Record

3. Executing Commands in a Policy Controlled Session

Stage 1: Creating a Command Control Policy

Command Control policies are used to define which command(s) and arguments are to be added to either a whitelist or blacklist.

 

  1. Login to the System as a System Administrator and navigate to Administrator > Command Control.
  2. Click the Create button
  3. Enter a user recognizable name in the Name field (required).
  4. Enter a description into the Description field (optional).
  5. In the Control Type dropdown menu, select Whitelist
  6. Click the Add Command button
  7. In the Command field, type the command iisreset.
  8. Click the Save button.
  9. CommandControl-Policy-Whitelist

Your Command Control Policy is now created.

Stage 2: Applying the Policy to a Record

Command Control policies are applied to records to ensure user commands are controlled when remote sessions are active.

 

  1. Navigate and open a Windows Host or Unix Host record that you wish to apply this policy to. You must be a System Administrator or an Owner on the record to assign or configure Command Controls.
  2. Click the Manage dropdown menu and then select the Command Controls option
  3. Click the Add button
  4. Enter your System Administrator (or another test account) in the Principal field and click Add
  5. In the Command Control dropdown menu select the Command Control Policy by name that was created in Stage 1 of this guide.
  6. Click the Select button.
  7. CommandControl-Policy-Assign-Whitelist

  8. The Command Control Policy will appear in the list. If you had another policy, you could repeat this process as many times as needed. When complete, click the Save button to assign the policy to this record.

    CommandControl-Policy-Assign-Whitelist-Save

Your record now has the Command Control Policy assigned to it.

Stage 3: Executing Commands in a Policy Controlled Session

Now that we created the policy and assigned it to both our user and a record, it’s time to Connect to this remote session and see how Command Control actually works.

 

  1. Return back to the record used in Stage 2 and click the Connect button. Command Control is supported in sessions with or without recording enabled.
  2. Once successfully connected to your Windows session, you should immediately realize that mouse control is disabled. This is to prevent the user from interfacing with the host outside of our whitelisted command(s). When a session is being controlled using a Command Control Policy, the user will only be able to issue commands using the System’s command input field located at the bottom of the session window and the actual session will be used to provide feedback.
  3. CommandControl-input-field

  4. To open a command prompt or PowerShell prompt, either enter the following commands or use the following quick launch options.

    1. For Command Prompt, type the command /cmd or select the cmd option from the command menu.

      CommandControl-cmd-input

    2. For PowerShell, type the command /powershell or select the ps option from the command menu.

      CommandControl-powershell-input

  5. When the application opens, enter your whitelisted command (iisreset) into the input field and hit the Enter key to execute the command. The command will be sent to command prompt or PowerShell and be executed. The results will display in the application just as if you typed them natively. The command was sent and executed because it was included in our Whitelist policy.

    CommandControl-iisreset-whitelist-input

  6. Commands not included in Whitelist will naturally be forbidden, so let’s now test that. Enter any command besides iisreset into the input field and hit the Enter key. Rather than sending and executing your typed command, the input field clears the command and displays the message Command forbidden by policy.

    CommandControl-cmd-forbidden

  7. Before disconnecting the session, explore the other options displayed in the Command menu to become familiar with the Quick Launch options.

    CommandControl-Command-QuickLaunch-options

  8. When you are finished, you can disconnect your remote session by either executing the /logout command or select the logout option from the command menu.

    CommandControl-logout-input

Blacklist Command Policy

In the blacklist scenario, we want to permit a user to login to a production server, but limit their ability to open a remote desktop session to another server (commonly referred to a Server Jumping).

For this, we are going to implement a blacklist policy to include the command mstsc and then apply this policy to both this user and the production server.

Finally, we will login to this policy controlled remote session to demonstrate how it will work from a user’s perspective.

1. Creating a Command Control Policy

2. Applying the Policy to a Record

3. Executing Commands in a Policy Controlled Session

Stage 1: Creating a Command Control Policy

Command Control policies are used to define which command(s) and arguments are to be added to either a whitelist or blacklist.

  1. Login to the System as a System Administrator and navigate to Administrator > Command Control.
  2. Click the Create button
  3. Enter a user recognizable name in the Name field (required).
  4. Enter a description into the Description field (optional).
  5. In the Control Type dropdown menu, select Blacklist
  6. Click the Add Command button.
  7. In the Command field, type the command mstsc
  8. In the Type dropdown menu select Include/Exclude (optional).
  9. Click the Save button.
  10. CommandControl-Policy-Blacklist

Your Command Control Policy is now created.

Stage 2: Applying the Policy to a Record

Command Control policies are applied to records to ensure user commands are controlled when remote sessions are active.

 

  1. Navigate and open a Windows Host or Unix Host record that you wish to apply this policy to. You must be a System Administrator or an Owner on the record to assign or configure Command Controls.
  2. Click the Manage dropdown menu and then select the Command Controls option
  3. Click the Add button
  4. Enter your System Administrator (or another test account) in the Principal field and click Add
  5. In the Command Control dropdown menu select the Command Control Policy by name that was created in Stage 1 of this guide.
  6. Click the Select button
  7. CommandControl-Policy-Assign-Blacklist

  8. The Command Control Policy will appear in the list. If you had another policy, you could repeat this process as many times as needed. When complete, click the Save button to assign the policy to this record.

    CommandControl-Policy-Assign-Blacklist-Save

Your record now has the Command Control Policy assigned to it.

Stage 3: Executing Commands in a Policy Controlled Session

Now that we created the policy and assigned it to both our user and a record, it’s time to Connect to this remote session and see how Command Control actually works.

 

  1. Return back to the record used in Stage 2 and click the Connect button. Command Control is supported in sessions with or without recording enabled.
  2. Once successfully connected to your Windows session, you should immediately realize that mouse control is disabled. This is to prevent the user from interfacing with the host outside of our whitelisted command(s). When a session is being controlled using a Command Control Policy, the user will only be able to issue commands using the System’s command input field located at the bottom of the session window and the actual session will be used to provide feedback.
  3. CommandControl-input-field

  4. To open a command prompt or PowerShell prompt, either enter the following commands or use the following quick launch options.

    1. For Command Prompt, type the command /cmd or select the cmd option from the command menu.

      CommandControl-cmd-input

    2. For PowerShell, type the command /powershell or select the ps option from the command menu.

      CommandControl-powershell-input

  5. When the application opens, enter your blacklisted command (mstsc) into the input field and hit the Enter key to execute the command.

    Rather than sending and executing your typed mstsc command, the input field clears the command and displays the message Command forbidden by policy. The command was not sent and executed because it was included in our Blacklist policy.

    CommandControl-cmd-forbidden

  6. Commands not included in Blacklist will naturally be permitted, so let’s now test that. Enter any command besides mstsc into the input field and hit the Enter key. The command will be sent to command prompt or PowerShell and be executed. The results will display in the application just as if you typed them natively. The command was sent and executed because it was not included in our Blacklist policy.

  7. Before disconnecting the session, explore the other options displayed in the Command menu to become familiar with the Quick Launch options.

    CommandControl-Command-QuickLaunch-options

  8. When you are finished, you can disconnect your remote session by either executing the /logout command or select the logout option from the command menu.

    CommandControl-logout-input