Imprivata Privileged Access Management Product Update 2.3.201910132229

October 13, 2019

PAM Update: Added support for SMS, TOTP Virtual MFA and single application access on Windows RDS

This update adds support for SMS- and TOTP-based shared Virtual MFA, and for single remote application (RemoteApp) sessions on Windows RDS servers.

Added support for SMS based shared Virtual MFA

This update extends Virtual MFA with an option to share a phone number that receives the SMS codes used as the second authentication factor for a privileged account.

The option provides role-based and just-in-time access to shared privileged accounts that are protected with second-factor authentication.

This makes it practical to enable MFA on shared privileged accounts, which significantly increases the security of the IT infrastructure.

The SMS access is logged in the system audit log to track the use of the service.

The Virtual SMS MFA implementation is based on the Twilio service and requires a Twilio subscription.

The integration is implemented as a Groovy script that can be adjusted after deployment to integrate with a different SMS provider.

Virtual SMS MFA is a PAM record type that is hidden in default installations, so it must be enabled in the Administration / Record Types list.

Records of the Virtual SMS MFA record type have a single field, Number, holding the phone number that receives the SMS codes. The messages sent to that number are retrieved through the SMS provider's REST API by the Groovy script.

Once saved, a Virtual SMS MFA record offers a single task in the Execute menu, Access SMS Code for MFA, which opens a window displaying the received code.

To configure the Twilio SMS service, set the following parameters in $PAM_HOME/web/conf/catalina.properties:

xtam.integration.sms.user=ACCOUNT-SID
xtam.integration.sms.password=AUTH-TOKEN
xtam.integration.sms.url=https://api.twilio.com/2010-04-01/Accounts/{xtam.integration.sms.user}/Messages.json
xtam.integration.sms.script=Twilio Integration
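The following Python is an added example, not the product's Groovy script or any code from this release. It shows how the catalina.properties values above map onto a request against Twilio's Messages.json resource (the placeholder in the URL is replaced by the account SID, and the SID/token pair is sent as HTTP Basic credentials) and how a verification code is picked out of the response. The account SID, token, phone numbers, message bodies and timestamps are constructed sample data; the JSON field names (to, direction, body, date_sent) are those of Twilio's Messages resource.

```python
"""Added example: fetch the latest SMS code for a shared Virtual SMS MFA number
through Twilio's Messages.json REST resource (not the product's Groovy script)."""
import base64
import json
import re
import urllib.parse
import urllib.request
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

# Same template as xtam.integration.sms.url in catalina.properties.
SMS_URL_TEMPLATE = ("https://api.twilio.com/2010-04-01/Accounts/"
                    "{xtam.integration.sms.user}/Messages.json")

# A code is a run of 6 to 8 digits not embedded in a longer number (e.g. a phone number).
CODE_RE = re.compile(r"(?<!\d)(\d{6,8})(?!\d)")


def build_messages_request(account_sid: str, auth_token: str, number: str,
                           url_template: str = SMS_URL_TEMPLATE,
                           page_size: int = 5) -> urllib.request.Request:
    """Expand the {xtam.integration.sms.user} placeholder, filter server-side on
    the shared number (To=) and authenticate with HTTP Basic SID:token, which is
    how xtam.integration.sms.user / .password are used against Twilio."""
    url = url_template.replace("{xtam.integration.sms.user}", account_sid)
    query = urllib.parse.urlencode({"To": number, "PageSize": page_size})
    request = urllib.request.Request(f"{url}?{query}")
    credentials = base64.b64encode(f"{account_sid}:{auth_token}".encode()).decode()
    request.add_header("Authorization", f"Basic {credentials}")
    return request


def extract_latest_code(response_json: str, number: str,
                        not_before: datetime) -> Optional[str]:
    """Return the code from the newest inbound message to `number` sent at or
    after `not_before`, or None. Twilio's list filter cannot exclude outbound
    messages or old codes, so both are filtered here: a stale code must never be
    handed out as if it were the one just requested."""
    messages = json.loads(response_json).get("messages", [])
    candidates = []
    for message in messages:
        if message.get("direction") != "inbound" or message.get("to") != number:
            continue
        if not message.get("date_sent"):  # queued messages carry a null date_sent
            continue
        sent = parsedate_to_datetime(message["date_sent"])  # RFC 2822 timestamp
        if sent < not_before:
            continue
        match = CODE_RE.search(message.get("body", ""))
        if match:
            candidates.append((sent, match.group(1)))
    if not candidates:
        return None
    return max(candidates)[1]


# Constructed sample data in the shape of a Twilio Messages.json listing.
SAMPLE_SID = "AC0123456789abcdef0123456789abcdef"
SHARED_NUMBER = "+15551234567"
SAMPLE_RESPONSE = json.dumps({"messages": [
    {"sid": "SM0001", "to": "+15557654321", "from": SHARED_NUMBER, "direction": "outbound-api",
     "body": "Reminder: ticket 20191013 is open", "date_sent": "Sun, 13 Oct 2019 09:20:00 +0000"},
    {"sid": "SM0002", "to": SHARED_NUMBER, "from": "+15550001111", "direction": "inbound",
     "body": "Your login code is 111111", "date_sent": "Sun, 13 Oct 2019 08:30:00 +0000"},
    {"sid": "SM0003", "to": SHARED_NUMBER, "from": "+15550001111", "direction": "inbound",
     "body": "Your login code is 482913. It expires in 5 minutes.",
     "date_sent": "Sun, 13 Oct 2019 09:21:10 +0000"},
]})


def demo() -> dict:
    """Run the example against the constructed data and return what it yields."""
    request = build_messages_request(SAMPLE_SID, "constructed-auth-token", SHARED_NUMBER)
    requested_at = datetime(2019, 10, 13, 9, 21, tzinfo=timezone.utc)  # when the task was run
    return {
        "url": request.full_url,
        "auth": request.get_header("Authorization"),
        "code": extract_latest_code(SAMPLE_RESPONSE, SHARED_NUMBER, requested_at),
        "stale": extract_latest_code(SAMPLE_RESPONSE, SHARED_NUMBER, requested_at.replace(minute=30)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The not_before argument is the important control: the Messages listing returns every message ever sent to the shared number, so the script must only hand back a code received after the user triggered the task, otherwise a code from an earlier session could be replayed to a second user.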

Added support for TOTP based shared Virtual MFA

The new update adds the option to store the Time-based One-Time Password (TOTP) secret key in a record with the option to generate RFC 6238 TOTP tokens on demand. The option allows enabling multi-factor authentication for shared privileged accounts.

Shared MFA token generation is granted to selected users through role-based access control and can be further constrained by location-, time- and approval-based workflows.

The TOTP generation is logged in the system audit log to track the use of the service.

Virtual TOTP MFA is a PAM record type that is hidden in default installations, so it must be enabled in the Administration / Record Types list.

Records of the Virtual TOTP MFA record type have a single field, Secret Key.

Once saved, a Virtual TOTP MFA record offers a single task in the Execute menu, Generate TOTP Token, which opens a window displaying the current token.

Users of the service need View and Execute permissions on the Virtual TOTP MFA records.

With these permissions they can generate TOTP codes but cannot unlock the record to read the secret key, so the secret never leaves the vault and every code generation remains subject to the audit log and workflow controls.

Access can be restricted further by binding a Task Control workflow to the record, limiting the time and location from which the service user may run the task or requiring human or automatic approval.

Added support for single remote application sessions for Windows RDS

The update adds support for sessions to a single remote application published on a Windows RDS server, including high-trust access, event logging and session recording.

Published applications are launched on the RDS server over the RDP RemoteApp protocol, with role-based and just-in-time access to the application session from a single-click action.

The system establishes a session to a single published application without the option to see or interact with the rest of the desktop.

To configure the launch of a remote application on the RDS server, create a record type inherited from the Windows Host record type, set its Session Manager to RDP, and add a String field named Command with the display name RemoteApp Program Location.

When creating a record of this type, specify, in addition to the host, user and password parameters of a Windows Host record, the full path to the published application to run.

Example values include calc for the Windows calculator (the executable is located via the system PATH on the RDS server) or C:\Program Files (x86)\Microsoft SQL Server\140\Tools\Binn\ManagementStudio\Ssms.exe for SQL Server Management Studio.
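The following Python is an added example, not code from this release or from the product's RDP Session Manager. It writes the same host, user and Command values as a RemoteApp-mode .rdp connection file, which lets an administrator test that the published program launches by itself with mstsc before relying on the PAM record; the .rdp setting names are the Windows RDP client's own, while the host and user names are constructed. One check worth doing on the RDS side when a launch fails: a program that is not in the server's RemoteApp allow list is refused unless the server permits unlisted programs (the fAllowUnlistedRemotePrograms value under the TSAppAllowList registry key), which matters for a bare name such as calc.

```python
"""Added example: express a PAM record's host/user/Command fields as a
RemoteApp-mode .rdp file for testing the published application with mstsc."""
import ntpath
from typing import Optional

# The page's own example value for the Command field.
SSMS_PATH = r"C:\Program Files (x86)\Microsoft SQL Server\140\Tools\Binn\ManagementStudio\Ssms.exe"


def remoteapp_rdp(host: str, user: str, command: str, arguments: str = "",
                  display_name: Optional[str] = None, port: int = 3389) -> str:
    """Build the .rdp text that launches `command` alone, without the desktop.

    `command` is the record's Command field (RemoteApp Program Location): either
    a bare name resolved via the server's PATH ("calc") or a full path, passed
    unquoted even when it contains spaces, as the client expects in
    remoteapplicationprogram."""
    program = command.strip()
    if not program:
        raise ValueError("Command (RemoteApp Program Location) must not be empty")
    if "\r" in program or "\n" in program:
        # A line break would let a record value smuggle extra .rdp settings.
        raise ValueError("Command must be a single line")
    name = display_name or ntpath.basename(program)
    settings = [
        f"full address:s:{host}:{port}",
        f"username:s:{user}",
        "prompt for credentials:i:0",
        "remoteapplicationmode:i:1",            # RemoteApp session instead of a full desktop
        f"remoteapplicationprogram:s:{program}",
        f"remoteapplicationname:s:{name}",
        f"remoteapplicationcmdline:s:{arguments}",
        "alternate shell:s:rdpinit.exe",        # RemoteApp launcher on the RDS side
        "disableremoteappcapscheck:i:1",
    ]
    return "\r\n".join(settings) + "\r\n"


def parse_rdp(text: str) -> dict:
    """Parse .rdp 'name:type:value' lines back into a dict keyed by setting name
    (the type letter is dropped); useful for checking a generated file."""
    result = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _type, value = line.split(":", 2)
        result[name] = value
    return result


if __name__ == "__main__":
    # Constructed host and user names.
    print(remoteapp_rdp("rds01.corp.example", "CORP\\svc-dba", SSMS_PATH), end="")
```

Save the output as a .rdp file and open it with mstsc: if only the application window appears and the desktop does not, the RDS side is ready for the PAM record; if the connection is refused, check the allow list mentioned above.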