Imprivata Privileged Access Management Product Update 2.3.202007122310

July 12, 2020

PAM Update: Added request approval shortcuts to notification emails and Remote Applications support to RDP Proxy

This update added the option to approve or reject access requests by using shortcuts in the notification email, added support for remote applications run on the Windows RDS application host through RDP Proxy using native RDP clients, and added the option to enforce session and session event recording for assets located in personal vaults.

Added request approval shortcuts to notification emails

Added the option to approve or reject access requests by using shortcuts in the notification email.

The option simplifies the approval process and encourages adoption of the just-in-time principle for privileged access, minimizing exposure and improving the visibility of sensitive data access.

To inject shortcuts into the notification email template, use the email placeholders {{approve.path}} and {{reject.path}} for links leading directly to the request approval and request rejection pages. The update adds these placeholders to the default notification email template.

Note that these shortcut links require the approver to authenticate in the system (possibly with two-factor authentication) before the request can be approved or rejected.

In addition to the shortcuts that require approver authentication, the update added the option to inject one-time, short-lived shortcut links with uniquely generated paths. These allow approvers to approve or reject requests without authenticating in the system, further simplifying the approval cycle.

To enable the unique anonymous approval shortcut links, use the following placeholders in the notification email template: {{anonymous.approve.path}} and {{anonymous.reject.path}} for links leading directly to the request approval and request rejection pages without requiring approver authentication.
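The security of such anonymous links rests on the paths being unguessable, bound to one request and action, short-lived, and usable once (using either link retires both). The following is an added illustration of those checks, not the product's implementation; the path layout, the in-memory store and the 15-minute lifetime are assumptions.

```python
import hashlib
import secrets
import time

# Constructed in-memory store: token-hash -> link record. A real deployment
# would persist this alongside the access request.
_links = {}


def _digest(token: str) -> str:
    # Store only a hash so a leaked store does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_links(request_id: str, approver: str, ttl_seconds: int = 900, now=None):
    """Return the {{anonymous.approve.path}} / {{anonymous.reject.path}} values
    for one notification email: two unguessable, short-lived, single-use paths."""
    now = time.time() if now is None else now
    paths = {}
    for action in ("approve", "reject"):
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, no "/" chars
        _links[_digest(token)] = {
            "request_id": request_id, "approver": approver,
            "action": action, "expires": now + ttl_seconds, "used": False,
        }
        paths[action] = f"/requests/{request_id}/{action}/{token}"
    return paths


def redeem(path: str, now=None):
    """Validate a link path. Returns (ok, reason); on success the whole
    request's link pair is retired so the sibling link cannot be used later."""
    now = time.time() if now is None else now
    try:
        _, _, request_id, action, token = path.split("/")
    except ValueError:
        return False, "malformed"
    rec = _links.get(_digest(token))
    if rec is None:
        return False, "unknown"
    # The token must belong to the request/action named in the path.
    if rec["request_id"] != request_id or rec["action"] != action:
        return False, "mismatch"
    if rec["used"]:
        return False, "already-used"
    if now > rec["expires"]:
        return False, "expired"
    for other in _links.values():
        if other["request_id"] == request_id:
            other["used"] = True
    return True, f"{action} by {rec['approver']}"
```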

Added Remote Applications support to RDP Proxy

Remote application technology enables high-trust login, with session recording, to Windows desktop applications run on dedicated Windows RDS infrastructure. Using this technology, the System server opens a regular RDP session to the Windows RDS server on behalf of the user, launches a desktop application (such as the Internet Explorer or Chrome browser, MS SQL Studio, the SAP or Cisco client, or any other application), enters the user's credentials to log in to the application, and only then transfers control of the session to the user.

Remote application technology has long been available for WEB RDP Sessions established using client-side browsers.

This update brings the same functionality to sessions established using native RDP clients (mstsc, mRemoteNG, TS+, etc.) that send RDP traffic through RDP Proxy.

RDP Proxy uses the same configuration in the Vault as WEB Sessions.

The option facilitates the adoption of zero-trust, just-in-time access following the principle of least privilege, by allowing end users to access shared privileged applications through a familiar RDP client experience.

Read more about applications and configuration of Remote App technology: Remote Apps Getting Started Guide.

Existing users of the Remote Application technology should update the RDS host with the application launcher downloaded from the following link: https://bin.xtontech.com/product/XtAutoShell.exe

Added recording enforcement for Personal Vaults

The update added the option to require session and session event recording for all assets created in users' personal vaults.

The option enables tight control over devices in isolated data centers, air-gapped networks or Virtual Private Clouds, even for users who access them with personal accounts holding privileged access.

The option is controlled by two global parameters located in the Administration / Settings / Parameters / Sessions category: Personal Vault Session Recording and Personal Vault Event Recordings.

When set to Enforced, these parameters override the default recording permission scheme to enforce session or session event recording, respectively.

Added the option to terminate disconnected RDP sessions

Sometimes users close remote RDP sessions without a proper logoff, leaving disconnected sessions open on the remote computers until they time out.

This update added the Windows Logoff Disconnected Sessions script, which can be used in the After Session event trigger to forcibly log off disconnected inactive sessions from Windows computers.

The script assumes PowerShell access to the remote endpoint with the option to terminate sessions.

The script can be scheduled to run using a shadow account with administrator privileges.

The option helps maintain data security on remote servers by minimizing the time that disconnected RDP sessions remain open.