Enterprise Random Password Manager · management (PIM) and identity and access governance solutions. ERPM builds a configuration management database (CMDB) for the networks that it

Enterprise Random Password Manager

Application Launching & Session Recording

5.5.1

Copyright © 2003–2016 Lieberman Software Corporation.

All rights reserved.

The software contains proprietary information of Lieberman Software Corporation; it is provided

under a license agreement containing restrictions on use and disclosure and is also protected by

copyright law. Reverse engineering of the software is prohibited.

Due to continued product development this information may change without notice. The

information and intellectual property contained herein is confidential between Lieberman Software

and the client and remains the exclusive property of Lieberman Software. If there are any

problems in the documentation, please report them to Lieberman Software in writing. Lieberman

Software does not warrant that this document is error-free.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any

form or by any means, electronic, mechanical, photocopying, recording or otherwise without the

prior written permission of Lieberman Software.

Microsoft, Windows, Word, Office, SQL Server, SQL Express, Access, MSDE, and MS-DOS are either

registered trademarks or trademarks of Microsoft Corporation in the United States and/or other

countries. Other brands and product names are trademarks of their respective owners.

Lieberman Software Corporation

1875 Century Park East, Suite 1200

Los Angeles, CA 90067

(310) 550-8575

Internet E-Mail: [email protected]

Website: http://www.liebsoft.com

iii

Contents

CHAPTER 1 INTRODUCTION ...................................................................................................5

1.1 Overview................................................................................................................................... 5

1.2 Background and Goals .............................................................................................................. 6

1.3 Limited Warranty ..................................................................................................................... 8

1.4 License Agreement ................................................................................................................... 8

CHAPTER 2 UNDERSTANDING SESSION RECORDING ............................................................. 10

CHAPTER 3 INSTALLING THE APPLICATION LAUNCHER AND SESSION RECORDING FEATURES . 13

3.1 Application Launcher and Session Recording Installation Overview .....................................14

3.2 Application Launcher and Session Recording Installation Prerequisites ...............................19

3.3 Step 1. Install Remote Desktop Services ................................................................................20

3.3.1 Installing Remote Desktop Services for Server 2012 (R2) ..............................................20 3.3.2 Installing Remote Desktop Services for Server 2008 R2 ................................................35

3.4 Step 2. Install Desktop Experience .........................................................................................45

3.4.1 Installing Desktop Experience for Server 2012 (R2) .......................................................45 3.4.2 Installing Desktop Experience for Server 2008 R2 .........................................................49

3.5 Step 3. Install the Application Launcher and Session Recording Feature ..............................54

3.5.1 Installing on the Transcoder Host ..................................................................................54 3.5.2 Installing on the Application Launch Server ...................................................................65

3.6 Step 4. Set up RDS for Application Launching ........................................................................77

3.6.1 Configuring Remote App for Server 2012 (R2) ...............................................................77 3.6.2 Configuring Remote App for Server 2008 R2 .................................................................83

3.7 Step 5. Set Up Streaming Media Services ..............................................................................88

3.8 Step 6. Configure IIS to Host Recorded Sessions ....................................................................93

CHAPTER 4 CONFIGURING APPLICATION LAUNCHING AND SESSION RECORDING .................. 95

4.1 Configure an Application Launch Server Logon Account .......................................................96

4.2 Configure the Web Launcher Settings ..................................................................................122

4.3 Configure the Application Launch Server Settings ...............................................................125

4.4 Configure the Application Launch Server Host ....................................................................130

4.5 Configure Session Recording Settings ..................................................................................132

4.6 Configure the ERPM Web Client for Session Playback .........................................................136

4.7 Configure Applications for Launching ..................................................................................139

4.7.1 Adding Application Launching Scripts ..........................................................................139 4.7.2 Configuring ERPM to Launch Applications ...................................................................140 4.7.3 Variables for App Launching .........................................................................................146

iv Contents

4.7.4 Maintaining Application Launching Scripts ..................................................................147 4.7.5 Multi-Tab Support ........................................................................................................149 4.7.6 Multi-Tab Support Configuration .................................................................................153

4.7.6.1 Multi-Tab AutoIT Script Examples ......................................................................................... 158

4.8 Configure Application Sets ...................................................................................................162

4.9 Shadow Accounts .................................................................................................................168

CHAPTER 5 USING APPLICATION LAUNCHING ..................................................................... 179

5.1 Setting User Permissions to Launch Applications ................................................................179

5.2 Using the Application Launcher ...........................................................................................180

CHAPTER 6 AUDITING APPLICATION LAUNCHING ............................................................... 185

5

This chapter includes an overview of Enterprise Random Password Manager (ERPM), what problems

it is designed to solve, performance information, expected prerequisite knowledge, and some

background information on Windows.

This chapter also includes the license and warranty information for ERPM.

IN THIS CHAPTER

Overview ................................................................................................... 5

Background and Goals ............................................................................... 6

Limited Warranty ...................................................................................... 8

License Agreement .................................................................................... 8

1.1 OVERVIEW Enterprise Random Password Manager (ERPM) fills the gaps found in other privileged identity

management (PIM) and identity and access governance solutions. ERPM builds a configuration

management database (CMDB) for the networks that it can access. It catalogs systems and devices,

their user accounts, attributes, SSH keys, and certificates, and manages credentials and keys, as well

as user access to them.

Historically, the core functionality of ERPM revolves around its ability to randomize and store

passwords for accounts on target systems on a regular recurring basis. ERPM expanded its

capabilities with True Discovery technology, which determines where service accounts are used,

and when executing password change jobs for these accounts, propagates changed passwords to

every location where an account is used. This provides the mechanism and methods to maintain not

only company up-time during service account changes, but also makes it possible for risk-averse

companies to follow proper security practices and achieve a state of continuous compliance rather

than point-in-time compliance.

Because privileged passwords are stored and managed by ERPM, they can be retrieved using a thick

client, a thin (web) client, an orchestration system, and more. Access to the password store and

Chapter 1 Introduction

6 Introduction

other web interface features can be limited to specific groups, users, explicit accounts, and other

identities, with or without two-factor authentication.

ERPM provides more functionality beyond password management, password vaulting, and session

management. ERPM also provides for:

Account escalation – The ability to add a user to a pre-defined group with higher privileges than

the user would normally have on a target system, and then automatically remove that access.

Secure file storage – The ability to upload and store as an encrypted data blob in the program's

secure data store any file, such as password spread sheets, digital certificates, instructions, and

more. After the files are uploaded, an ACL system identifies what users will be able to retrieve

the files while auditing access to the files.

Orchestration – ERPM can run headless and can be controlled programmatically. This permits

tight integration with other systems, such as work-flow engines, run-book orchestration for user

and system provisioning and de-provisioning, programmatic access to almost all functions, and

much more. This control is provided using either a SOAP-based or REST-based web service

and/or using PowerShell commands. Users may tie into ERPM using any program or language

that can call a web service or interact with PowerShell.

Privileged Account Management – ERPM provides session-based control over privileged

accounts to run specific programs against specific hosts. Using the optional Application Launch

Server model, any program, website, or script may be run in a controlled and secured

environment and give users access to specific systems or networks using specific tools with

specific feature sets. This allows access to the tool set needed to get a job done, but without

providing access to the credential or direct physical access to the system.

Session Recording – When using the optional Application Launch Server, administrative sessions

can be recorded for later playback. Screen recording audits the user's actions during a session

and can be helpful when developing training procedures. Visually recording an administrator's

actions can help satisfy the requirements of auditing mandates.

1.2 BACKGROUND AND GOALS

The Need for Strong Local Credentials

Organizations with a need for the most basic access security should use unique local logon

credentials customized for each workstation and server in their environment. Unfortunately, most

organizations use common credentials (same user name and password for the built-in administrator

account) for each system for the ease of creating and managing those systems by the IT Department

Introduction 7

without any concern as to the consequences to the organization should these common credentials

be compromised.

With the mandates of PCI-DSS, Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, California Security

Breach Information Acts, NASD 3010, SEC 17a-4, 21 CFR Part 11, DoD 5015.2 and others, the

implementation of reasonably hard to compromise local logon credentials is mandatory for most

organizations as a means for protecting not only the confidentiality of their data, but also to protect

against tampering.

Creating Strong Local Credentials

Enterprise Random Password Manager can change any common account on all workstations and

servers in just a few minutes without the need for scripts or any other type of program. The new

common credentials can be stored in a local or remote SQL Server database and can be recovered

on demand using the web client.

ERPM can be configured to regularly change the passwords of common accounts on all target

systems (i.e. workstation built-in administrator account) according to a schedule so that each

account receives a fresh cryptographically strong password regularly. This product feature protects

the overall security of an organization so that the compromise of a single machine’s local

administrator password does not lead to the total compromise of the entire organization’s security.

ERPM further builds on these concepts by automatically discovering all references to the specified

account, such as services, tasks, COM and DCOM objects, and more, and following a password

change for a user's account, whether domain or local, propagating the new password to all those

references.

Delegated Password Recovery

ERPM also contains a web client to allow the remote recovery of passwords, access to privileges

sessions, and more. The web client is a web application comprised of ASP and ASP.NET web pages

that allows any user with the appropriate group memberships the right to use the application, as

well as the right to recover passwords for accounts managed by the program. All access to the

ERPM web client and all actions taken therein are logged, and the history is also available via the

same web interface to authorized users.

Because this application protects and provides extremely sensitive information, it is essential that

particular attention be payed to the security settings of the application and also use appropriate

encryption such as SSL based on the scope of access provided.

For more information on security hardening, please refer to the proposed options for server

hardening:

8 Introduction

http://forum.liebsoft.com/forum/products/enterprise-random-password-manager/enterprise-rand

om-password-manager-knowledgebase/180-server-hardening-guide

1.3 LIMITED WARRANTY The media (optional) and manual that make up this software are warranted by Lieberman Software

Corporation to be free of defects in materials and workmanship for a period of 30-days from the

date of your purchase. If you notify us within the warranty period of such defects in material and

workmanship, we will replace the defective manual or media (if either were supplied).

The sole remedy for breach of this warranty is limited to replacement of defective materials and/or

refund of purchase price and does not include any other kinds of damages.

Apart from the foregoing limited warranty, the software programs are provided "AS-IS," without

warranty of any kind, either expressed or implied. The entire risk as to the performance of the

programs is with the purchaser. Lieberman Software does not warrant that the operation will be

uninterrupted or error-free. Lieberman Software assumes no responsibility or liability of any kind

for errors in the programs or documentation of/for consequences of any such errors.

This agreement is governed by the laws of the State of California.

Should you have any questions concerning this Agreement, or if you wish to contact Lieberman

Software, please write:




You can also keep up to date on the latest upgrades via our website at http://www.liebsoft.com or

e-mail us at: [email protected].

1.4 LICENSE AGREEMENT This is a legal and binding contract between you, the end user, and Lieberman Software

Corporation. By using this software, you agree to be bound by the terms of this agreement. If you

do not agree to the terms of this agreement, you should return the software and documentation, as

well as all accompanying items promptly for a refund.

1. Your Rights: Lieberman Software Corporation hereby grants you the right to use a single copy of

Enterprise Random Password Manager to control the licensed number of systems and/or devices.

Introduction 9

2. Copyright. The SOFTWARE is owned by Lieberman Software Corporation and is protected by

United States copyright law and international treaty provisions. Therefore, you must treat the

software like any other copyrighted material (e.g. a book or musical recording) except that you may

either (a) make one copy of the SOFTWARE solely for backup and archival purposes, or (b) transfer

the SOFTWARE to a single hard disk provided you keep the original solely for backup and archival

purposes. The manual is a copyrighted work. Also–you may not make copies of the manual for any

purpose other than the use of the software.

3. Other Restrictions: You may not rent or lease the SOFTWARE. You may not reverse engineer,

de-compile, or disassemble the SOFTWARE that is provided solely as executable programs (EXE

files). If the SOFTWARE is an update, any transfer must include the update and all prior versions.

When used lawfully, this software periodically transmits to us the serial number and network

identification information of the machine running the software. No personally identifiable

information or usage details are transmitted to us in this case. The program does not contain any

spyware or remote control functionality that may be activated remotely by us or any other third

party.




310.550.8575

Internet E-Mail: [email protected]

Website: http://www.liebsoft.com

10 Understanding Session Recording

Session recording consists of two pieces: the recorder and the transcoder. The recorder is the

Application Launch Server. The transcoder component converts the raw video from the session

recorder to playable video. These videos will be played back via streaming media services through

the ERPM website.

Note: Session recording only works for applications launched via the

LiebsoftLauncher application. That means that any users that retrieve

passwords and connect directly will not have their sessions recorded

when using this session recording technology.

The flow for session recording is as follows:

1) The application is launched on the Application Launch Server and session recording is initiated.

2) After the session exits, the raw recorded files are copied to the designated source directory on

the transcoder host.

3) The ERPM file watcher server picks up the raw files and moves them to the working directory

where they are formatted, converted, and watermarked.

4) Completed files are moved to the SessionRecording directory on the transcoder host.

5) IIS and Media Server will stream the videos to requesting authorized users.

Recorded sessions are available in the ERPM auditing section with a camera icon next to their audit

entry.

Chapter 2 Understanding

Session Recording

Understanding Session Recording 11

To play back the recorded sessions, the user clicks the film icon.

13

The following sections outline the steps to prepare for and install the Application Launcher and

optional session recording components. Application Launching is an add-on for ERPM. Application

Launching can be configured with or without the Session Recording component. Session Recording

is provided for free when the Application Launcher add-on is purchased. However, the provided

session recording only works with applications launched using the ERPM application launcher.

Note: Instructions for upgrading the Application Launcher and Session Recording

components are located in the ERPM Installation Guide. See the Upgrade the

Application Launcher topic.

IN THIS CHAPTER

Application Launcher and Session Recording Installation Overview ....... 14

Application Launcher and Session Recording Installation Prerequisites . 19

Step 1. Install Remote Desktop Services .................................................. 20

Step 2. Install Desktop Experience ........................................................... 45

Step 3. Install the Application Launcher and Session Recording

Feature ..................................................................................................... 54

Step 4. Set up RDS for Application Launching ......................................... 77

Step 5. Set Up Streaming Media Services ................................................ 88

Step 6. Configure IIS to Host Recorded Sessions ..................................... 93

Chapter 3 Installing the

Application Launcher and

Session Recording Features

14 Installing the Application Launcher and Session Recording Features

3.1 APPLICATION LAUNCHER AND SESSION RECORDING INSTALLATION OVERVIEW

Planning Your Installation

The application launching capability of ERPM requires an Application Launch Server (also called a

jump server). An Application Launch Server in the context of ERPM is a Windows Remote Desktop

Session Services machine that will proxy connections to specific target systems.

Session recording is an optional feature that requires additional resources to install and operate.

Session recording processes video files in three phases:

Recording. The Session Recorder component on the Application Launch Server records the

session and copies the resulting file(s) for video transcoding.

Transcoding. The Video Transcoding Service component compresses the raw video file and

processes it for streaming. We recommend installing the transcoding component on the web

server running ERPM (provided the hardware can support it), but it can be installed on the

Application Launch Server or on another server. Transcoding videos requires significant

overhead in terms of CPU usage. We recommend installing the video transcoding component to

the ERPM web server because the web server is usually under-utilized, but you can install it on

any machine with adequate resources.

Streaming. The Media Server component streams the video file for viewing on demand. We

recommend installing the media server on the web server running ERPM, but it can be installed

on any server that has IIS installed.

Installing the Application Launcher and Session Recording Features 15

The following diagrams illustrate three deployment scenarios. Deployment 1 places the recording,

transcoding, and streaming components on the Application Launch Server.


Deployment 2 places the recording and transcoding components on the Application Launcher

Server, and the streaming component on the web server. This deployment may make sense if the

CPU on the Application Launcher Server is powerful and can quickly process the raw video for

streaming. Note that this deployment model does not require IIS on the Application Launch Server.


Deployment 3 places the recording component on the Application Launch Server, and the

transcoding and streaming components on the web server. This model is recommended, provided

that the web server is sized to handle the demands placed on it by the video transcoding service.

Understanding the Installation Process

The following sections describe the installation of these components:

Note: Be sure your environment meets the requirements in the prerequisites section

before starting the installation steps. See Application Launcher and Session

Recording Installation Prerequisites (on page 19).

1) Install Remote Desktop Services on the Application Launch Server.

2) Install Desktop Experience on the servers that will run the video transcoding service and the

Application Launcher & Session Recorder components. If you are not going to enable session

recording, you do not need to install the Desktop Experience feature.

3) Install the Application Launcher & Session Recording component. You can install the

Application Launcher without the Session Recording feature. If installing the Session Recording


feature, the Application Launcher is also required.

This section has additional steps that detail how to install the Application Luancher & Session

Recorder components across multiple systems.

4) Configure Remote Desktop Services for application launching.

5) Install and configure the Media Server (Streaming Media Services). This is only required if using

session recording.

6) Configure Internet Information Server (IIS) to host recorded sessions. This is only required if

using session recording.

Sections 1, 2, and 4 all have subsections that detail how to perform the steps on Windows Server

2008 R2 or Windows Server 2012 (R2).

19

3.2 APPLICATION LAUNCHER AND SESSION RECORDING INSTALLATION PREREQUISITES Windows Server operating system for the Application Launch Server:

Windows Server 2012 R2 (recommended)

Windows Server 2012

Windows Server 2008 R2

We recommend that all servers in the ERPM system to be fully patched.

Note: Earlier versions of Windows Server are not supported. Windows workstation

platforms are not supported for hosting the application launcher.

The following items will be required for application launching and session recording:

Remote Desktop Session Host server role.*

Desktop Experience if using session recording.

Existing ERPM installation and installed files (SupplementalInstallers directory)

ERPM Web Service installed with SSL and no certificate errors and accessible from the

Application Launch Server. If using self-signed certificates, the certificate from the issuing web

server should be added to the Trusted Root Certification Authorities on the machines hosting

the Web Service, the Application Launch Server, and client systems.

.NET Framework 4.x on the Application Launch Server and transcoder hosts.

.NET Framework 4.x on machines connecting to run an application.

* Microsoft Remote Desktop Services (RDS) will require additional licensing be purchased from

Microsoft.


3.3 STEP 1. INSTALL REMOTE DESKTOP SERVICES The following sub-sections document how to install Remote Desktop Services on both a Windows

Server 2008 R2 and Windows Server 2012 (R2) host. If multiple Application Launch Servers will be

employed, they do not need to all run on the same operating system, but they do all need to be

Windows Server 2008 R2 or later (2012 R2 recommended).

3.3.1 Installing Remote Desktop Services for Server 2012 (R2)

This section covers installation of the prerequisites on a Windows Server 2012 and Windows Server

2012 R2 host which will function as an Application Launch Server for the purposes of launching

applications.

Open Server Manager and select Add Roles and Features.

Click Next on the Before You Begin page.


On the Select installation type page select Remote Desktop Services installation then click Next.

On the Select deployment type page, choose a deployment type and click Next.


The steps present go through a standard deployment where the admin will be required to configure

a collection post RDS installation. The Quick Start method will be faster while automatically creation

a collection, but it will also add and publish additional applications that are unnecessary and will not

provide any configuration options.


On the Select deployment scenario page, select Session-based desktop deployment, the click Next.


Click Next on the Role Services page.


On the Specify RD Connection Broker server page, select the server from the Server Pool field, then

add it to the selected computer field by clicking the right arrow head between the two fields.


Click Next to continue.


On the Specify RD Web Access server page, select the server from the Server Pool field, then add it

to the selected computer field by clicking the right arrow head between the two fields.




On the Confirm selections page, click Deploy. Restart the host if required.

After restarting, open Server Manager and click on Remote Desktop Services from the right pane,

then click on Collections from the center pane. A new collection must be made to publish the ERPM

application used to launch software from the Application Launch Server.

At the top right corner, select Tasks and click Creation Session Collection.


On the Before you begin page, click Next.


On the Name the collection page, supply a friendly name for the collection and click Next.


On the Specify RD Session Host server page, select the server from the Server Pool field, then add it

to the selected computer field by clicking the right arrow head between the two fields. Then click

Next.

ERPM will use a proxy account to connect to the Application Launch Server prior to launching the

selected application. This account will either need to be added to a group which can RDP to the

target Application Launch Server and launch subsequent applications, or should be added directly as

a user which can connect to the RD Session host server. Description of this account is covered in the

parent section, 1. Installing Remote Desktop Services.




On the Specify user profile disks page, click Next.


On the Confirm selections page, click Create.

An empty collection will be created. The installation and configuration of the launcher application

will be described later in this document.

3.3.2 Installing Remote Desktop Services for Server 2008 R2

This section covers installation of Remote Desktop Services on a Windows Server 2008 R2 host as

required for Application Launch Server services.


Start Server Manager and select Add Roles. Click Next on the welcome page and select Remote

Desktop Services then click Next.


Click Next on the Introduction to Remote Desktop Services page.


On the Select Role Services page, select Remote Desktop Session Host, then click Next.


Click Next on the Uninstall and Reinstall Applications for Compatibility page.


On the Specify Authentication Method for Remote Desktop Session Host page, choose the option

that best suits your company's needs. The option to Require Network Level Authentication will

provide greater security but may only work properly for newer hosts and if all incoming connections

are properly verified. The option Do not require Network Level Authentication will provide greater

compatibility for all connecting system but may reduce overall security of the Application Launch

Server. Click Next to continue.


On the Specify Licensing Mode page, a remote desktop session license mode must be selected. If

RDS client access licenses are not yet available but will be soon, select Configure later. If unsure

about what option to choose, select Configure later, and then contact your Microsoft licensing

services manager. RDS will function for 120 days without a proper licensing server. If RDS CALs are

available, then choose the proper Per Device or Per User model for your organization.

ERPM will use a proxy account to connect to the Application Launch Server prior to launching the

selected application. This account will either need to be added to a group that can RDP to the target

Application Launch Server and launch subsequent applications, or should be added directly as a user

that can connect to the RD Session host server. Description of this account is covered in the parent

section, 1. Installing Remote Desktop Services.




On the Configure Client Experience page, it is recommended to leave all options deselected. Click

Next to continue.


On the Confirm Installation Selections page, examine the installation selections. If everything is

correct, click Install. The server will need to reboot after installation

The installation and configuration of the launcher application will be described later in this

document.


3.4 STEP 2. INSTALL DESKTOP EXPERIENCE If you are not going to enable session recording, you do not need to install the Desktop Experience

feature. If you plan to enable session recording, install the Desktop Experience feature now.

Microsoft Desktop Experience is included with Windows Server 2008 and 2012. If you installed

Windows Server as a Server Core installation, Desktop Experience is not yet installed on your server.

If you installed a Full Windows Server installation, Desktop Experience may already be installed on

your server. For more information about Desktop Experience, see the following TechNet article:

https://technet.microsoft.com/en-us/library/dn609826.aspx (see

https://technet.microsoft.com/en-us/library/dn609826.aspx -

https://technet.microsoft.com/en-us/library/dn609826.aspx)

If you install the video transcoding service and the Application Launcher & Session Recorder

components on separate systems, install the Desktop Experience on the Application Launch Server

and the system that runs the video transcoder. You do not need to install Desktop Experience on

the streaming media server.

3.4.1 Installing Desktop Experience for Server 2012 (R2)

If session recording will be configured then the Desktop Experience must be installed. To add the

Desktop Experience, open Server Manager and select Add Features.

https://technet.microsoft.com/en-us/library/dn609826.aspx


On the Features Page, expand User Interfaces and Infrastructure, and select Desktop Experience.


If prompted for additional components, click Add Features.


Add any other requirements that other applications that will be launched from this system may

require (such as .net framework 3.51 or 4.x) and click Next.


Continue through to the end of the wizard. Click Close when done. Installation of the Desktop

Experience will require a restart of the host.

3.4.2 Installing Desktop Experience for Server 2008 R2

If session recording will be configured then the Desktop Experience must be installed. To add the

Desktop Experience, open Server Manager and select Add Features.


On the Features Page, select Desktop Experience.


If prompted for additional components, click Add Required Features.




Once the installation is complete, click Close and restart the server.


3.5 STEP 3. INSTALL THE APPLICATION LAUNCHER AND SESSION RECORDING FEATURE This step covers the installation of the application launcher and the optional session recoding

feature.

If you are not installing the session recording feature, skip the section titled "On the Transcoder

Host" and go to the section titled "On the Application Launch Server."

If you are installing the session recording feature, complete the section titled "On the

Transcoder Host" if you are installing the video transcoding service on a server OTHER THAN the

Application Launch Server.

If you are installing the session recording feature and you will be running the transcoding

service on the Application Launch Server, skip the section titled "On the Transcoder Host" and

go to the section titled "On the Application Launch Server."

The application launching capability of ERPM is best utilized with an Application Launch Server. An

Application Launch Server in the context of ERPM is a Windows Remote Desktop Session Services

machine (formerly Terminal Services) that will proxy connection attempts made to specific target

systems. The Application Launch Server will have all programs used to connect to target systems

installed on it. ERPM will use a proxy account to connect to the Application Launch Server. This

account can and should be managed by ERPM, but automated management is not necessary as a

static un-stored password may also be used.

Session recording for ERPM records remote sessions that ERPM initiates using the application

launcher deployed on the Application Launch Server. Recorded sessions are copied from the

Application Launch Server to a machine functioning as a video transcoder. The transcoder converts

videos from the raw format to one that can be played back by the machine functioning as a

streaming media server.

This section outlines the installation of session recording for application launching on two separate

machines functioning independently. In sub-section 5, the installation of streaming media services

will be detailed for the purposes of streaming the final recorded sessions.

3.5.1 Installing on the Transcoder Host

To begin installing the session recording software o the machine that will function as the video

transcoder, open the SupplementalInstallers sub-folder from the ERPM installation directory,


typically "%programfiles (x86)\Lieberman\Roulette". Copy ERPMRemoteLauncherInstaller.exe to

the machine that will function as the transcoder and launch the installer.

Click Next on the welcome page.


Read and accept the license agreement to continue installation. Then click Next to continue.

Enter the full SSL-secured URL to the ERPM application-launcher web service. ERPM Web Services

are installed separately, typically on the ERPM web server. The application launcher web service is

installed with the standard ERPMWebService installer package. The URL is typically

https://webserverHost/ERPMWebService/WebLauncherBackEndService.svc.

Click Test to validate the URL. Any certificate issues must be corrected before installation can

properly succeed. If the web page does not appear at all, validate the URL and try again or install

Web Services. See Installing the Web Service in the ERPM Programmer's Reference for installation

instructions.


If the page tests without issue or errors, click Next to continue.

For the transcoder host, select to install:

Microsoft Expression 4 Encoder SP2

Session Recorder and File Watcher Service


Select the installation directory. Click Next to continue.


On the transcoder host, make note of the source and destination directories. This directory will be

used in later instructions when setting up the application launcher and streaming media services.

This directory will also be shared between the transcoder and the Application Launch Server if they

are on two separate systems.

On the transcoder host, set the service identity to run as either Local System or as a Specific User.

Local system offers the benefit of already having proper access and no password management

requirements.

Running as a specific user will offer the path of least privilege but will require configuring NTFS

permissions on the Source directory from the previous step for read, write, and delete files

(Modify) and will also require a password be managed (which ERPM has the ability to do

automatically).

Running the File Watcher service as Local System is recommended on the transcoder host.



Click Install to continue.


Click Finish to complete the first part of the installation.

After the initial installation is complete, a separate installation for the Microsoft Expressions

recorder will be initiated automatically.


Accept the License agreement for the Microsoft Expressions recorder.

Click Next on the Enter product key page. There is no product key to enter.


Elect to join the Microsoft customer experience or not. Click Next to continue.

Select to install Expression Encoder 4 and click Install.


Click Finish to complete the installation.

IMPORTANT NOTES REGARDING THIS INSTALLATION!

This installation will take additional actions that are not visible in the installer:

A [Domain] Local security group will be created called WriteRecordingGroup. If the installation

is taking place on a domain controller, the group is created in the Users container.

The Domain Admins group will be added to this WriteRecordingGroup.

The installer will create and share the following directory:

%inetpub%\wwwroot\SessionRecording as SessionRecording. This directory is used to copy

compiled session recordings from the Application Launch Server to the transcoder host. This

scenario would apply if using the FFMPeg video recorder rather than the Expressions recorder.

If the transcoder component is installed on the Application Launch Server, or if the Expression

session recorder is the only used session recorder, this share may be safely deleted. This share

directory will be required when configuring the Application Launch Server for app launching

with session recording.

The installer will create and share the following directory: %programfiles

(x86)%\Lieberman\Roulette\LaunchApp\Transcoders\Source as Source. This directory will be

used by the Application Launch Server to copy raw session recording files to the transcoder

host(s). If the transcoder component is installed on the Application Launch Server, this share


can be safely deleted. This scenario would apply if using the Expressions 4 recording software.

This share directory will be required when configuring the Application Launch Server for app

launching with session recording.

Each of the shared directory share permissions will be set to allow the WriteRecordingGroup

"Full Control". Minimum permissions required are "Change."

Test the Installation

The installer automatically opens the "Session Recording Configuration" dialog.

Click Test to verify that the installation if valid and can connect to the web service endpoint.

3.5.2 Installing on the Application Launch Server

To begin installing the session recording software on the machine that will function as the video

transcoder, open the SupplementalInstallers sub-folder from the ERPM installation directory,


typically "%programfiles (x86)\Lieberman\Roulette". Copy ERPMRemoteLauncherInstaller.exe to

the machine that will function as the transcoder and launch the installer.



Read and accept the license agreement to continue installation. Then click Next to continue.

Enter the full SSL-secured URL to the ERPM application-launcher web service. ERPM Web Services

are installed separately, typically on the ERPM web server. The application launcher web service is

installed with the standard ERPMWebService installer package. The URL is typically

https://webserverHost/ERPMWebService/WebLauncherBackEndService.svc.

Click Test to validate the URL. Any certificate issues must be corrected before installation can

properly succeed. If the web page does not appear at all, validate the URL and try again or install

Web Services. See Installing the Web Service in the ERPM Programmer's Reference for installation

instructions.


If the page tests without issue or errors, click Next to continue.

For the Application Launch Server host, if session recording WILL BE enabled, select to install:

Microsoft Expression 4 Encoder SP2

Session Recorder and File Watcher Service

Application Launcher

If session recording will NOT be enabled, select to install:

Application Launcher


Select the installation directory. Click Next to continue.

Click Next on the video transcoder paths.


On the Application Launch Server host, set the service identity to run as a Specific User, Network

Service, or Local System.

Local system offers the benefit of already having proper access and no password management

requirements. If the transcoder is running on a separate system and Local system is used, then

the computer account of the Application Launch Server host must be granted Modify access to

the source directory on the transcoder host.

Network service provides for less rights than Local system and offers the benefit of already

having proper access and no password management requirements. If the transcoder is running

on a separate system and network service is used, then the computer account of the

Application Launch Server host must be granted Modify access to the source directory on the

transcoder host. "NT Authority\Network Service" must also be granted Modify access to the

Session Recording directory.

Running as a specific user will offer the path of least privilege but will require configuring NTFS

permissions on the Source directory from the previous step for read, write, and delete files

(Modify) and will also require a password be managed (which ERPM has the ability to do

automatically).

Running as a specific user is recommended for running the File Watcher service on the Application

Launch Server host when the transcoder is on a separate system.



Click Install to continue.


Click Finish to complete the first part of the installation.

After the initial installation is complete, A separate installation for the Microsoft Expressions

recorder will be initiated automatically.


Accept the License agreement for the Microsoft Expressions recorder.

Click Next on the Enter product key page. There is no product key to enter.


Elect to join the Microsoft customer experience or not. Click Next to continue.

Select to install Expression Encoder 4 and click Install.


Click Finish to complete the installation.

This installation will take additional actions that are not visible in the installer:

A [Domain] Local security group will be created called WriteRecordingGroup. If the installation

is taking place on a domain controller, the group is created in the Users container. This group

may be safely deleted from the Application Launch Server host if it is also functioning as the

transcoder host.

The Domain Admins group will be added to this WriteRecordingGroup.

The installer will create and share the following directory:

%inetpub%\wwwroot\SessionRecording as SessionRecording. This directory is used to copy

compiled session recordings from the Application Launch Server to the transcoder host. This

scenario would apply if using the FFMPeg video recorder rather than the Expressions recorder.

This share directory will be required when configuring the Application Launch Server host for

app launching with session recording. If the transcoder and Application Launch Server host is

the same system this share can be safely deleted.

The installer will create and share the following directory: %programfiles

(x86)%\Lieberman\Roulette\LaunchApp\Transcoders\Source as Source. This directory will be

used by the Application Launch Server hosts to copy raw session recording files to the

transcoder host(s). This scenario would apply if using the Expressions 4 recording software. This


share directory will be required when configuring the Application Launch Server host for app

launching with session recording. If the transcoder and Application Launch Server host is the

same system this share can be safely deleted.

Each of the shared directory share permissions will be set to allow the WriteRecordingGroup

"Full Control". Minimum permissions required are "Change."

Test the Installation

The installer automatically opens the "Session Recording Configuration" dialog.

Click Test to verify that the installation if valid and can connect to the web service endpoint.


3.6 STEP 4. SET UP RDS FOR APPLICATION LAUNCHING The section details configuring Remote App on the Remote Session host to launch the ERPM

Application Launcher. The application launcher is a boot strapper used to launch and provide

authentication information for configured applications.

When a user uses the "Launch App" links in the ERPM web interface, this application is called. It will

obtain the necessary credential information for the application to launch, and then launch the

application from the Application Launch Server. In turn, VDI will display the remote application on

the user's workstation as if it were a local application.

3.6.1 Configuring Remote App for Server 2012 (R2)

Open Server Manager and click the Remote Desktop Services link on the left pane. Then click

Collections. Select the collection to configure the ERPM Application Launcher.


In the REMOTEAPP PROGRAMS area, click Tasks and select Publish RemoteApp Programs. Then

click Add on the Publish RemoteApp programs dialog.


Select LiebsoftLauncher.exe from the application launcher installation location on the Application

Launch Server (configured in step 3 previously). The default directory for this file is: C:\Program

Files (x86)\Lieberman\Roulette\LaunchApp. Then click Next.


On the Confirmation page, click Publish.

Once the LiebsoftLauncher application is published, right-click on it in the RemoteApp Programs list

and select Edit Properties.


On the General tab, set the Show the RemoteApp program in RD Web Access dialog to No.

Although everything will work fine if this is not done, there is no need to publicize this application.


On the Parameters tab, set the Command-line Parameters option to Allow any command-line

parameters. The LiebsoftLauncher will differ every single time it is run based on many factors

including session IDs, programs being run and parameters included when launching the programs.


On the User Assignment tab, it is highly recommended to change the User Assignment option to be

a specific user or group of users. Specifically, ERPM will connect to the server as a pre-designated

account (which should be managed by ERPM). This is the only account that will require access to run

the program. This account will be covered later in the Configuring Application Launching section.

The account assigned here will require any permissions and rights to launch the desired programs.

Click OK when done.

3.6.2 Configuring Remote App for Server 2008 R2

Open Server Manager and expand the Remote Desktop Services > RemoteApp Manager nodes in

the left pane.


In the RemoteApp Programs area, right-click and select Add RemoteApp Programs. Click Next on

the Welcome page then click Browse on the Choose programs to add to the RemoteApp Programs

list page.


Select LiebsoftLauncher.exe from the application launcher installation location on the

Application Launch Server (configured in step 3 previously). The default directory for this file is:

C:\Program Files (x86)\Lieberman\Roulette\LaunchApp. Then click Next.


On the Review Settings page, click Finish.

Once the LiebsoftLauncher application is added, right-click on it in the RemoteApp Programs list and

select Properties.

Note: CAUTION! DO NOT CHANGE THE ALIAS value.

De-select the check box for RemoteApp program in RD Web Access. Although everything will work

fine if this is not done, there is no need to publicize this application.


Set the Command-line arguments option to Allow any command-line parameters. The

LiebsoftLauncher will differ every single time it is run based on many factors including session IDs,

programs being run and parameters included when launching the programs.


On the User Assignment tab, it is highly recommended to change the User Assignment option to be

a specific user or group of users. Specifically, ERPM will connect to the server as a pre-designated

account (which should be managed by ERPM). This is the only account that will require access to run

the program. This account will be covered later in the Configuring Application Launching section.

The account assigned here will require any permissions and rights to launch the desired programs.

Click OK when done.

3.7 STEP 5. SET UP STREAMING MEDIA SERVICES Streaming Media Services is used to provide smooth streaming of the recorded sessions from the

streaming host (typically the ERPM web server) to the client's browser and video player.


Installation of this component is only required if session recording will be used. If you do not plan on

using the free session recording module provided with ERPM, this component is not required.

To begin installing the streaming media software on the machine that will function as the streaming

video server, open the SupplementalInstallers sub-folder from the ERPM installation directory,

typically %programfiles (x86)\Lieberman\Roulette. Copy IISMEdia64.msi to the machine that

will function as the streaming video server and launch the installer.

The installation of IIS Media services requires a basic stock installation of IIS to be available on the

same host server.



Read and accept the terms of the license agreement, then click Next.


Leave the default options selected then click Next.


Click Install.


Click Finish.

3.8 STEP 6. CONFIGURE IIS TO HOST RECORDED SESSIONS This step is only required if session recording has been enabled. If session recording is not enabled,

then do not perform this step. This will likely be configured on the same system where Streaming

Media Services was installed.

When an application is launched using the Application Launch Server and that application is

configured to also record the session, the recorded sessions will first be placed into a pre-configured

directory on the machine that will ultimately host the videos for later playback. When using the

Microsoft Expressions session recorder, the files will first be copied locally to the file system. The

File Watcher Service will then move the raw files to a share called "Source" on a machine that is

configured as the video transcoder (typically the ERPM web server, but could be any machine).

Once the raw XESC files are copied to the transcoder, the File Watcher service on that machine will

transcode the videos to WMV format and move the compiled files into the "SessionRecording"


share on the same system. It is this directory that will be hosted in IIS and made available via the

ERPM website.

To configure IIS on the machine that will host the compiled videos, not much work is required as the

application launcher installer will have configured most of the required elements:

The default website will have a new virtual directory added to it called SessionRecording. This

directory will point to %inetpub%\wwwroot\SessionRecording.

The only change that may need to be made is to set the authentication scheme to anonymous. To

do this, open IIS, expend the default website, and open the Authentication area. Right click on the

authentication types and enable Anonymous Authentication and disable all others.

95

Following installation, there are five mandatory configuration steps that are required to use the

application launcher and the session recorder. The following steps are mandatory. The remaining

steps in this sections are optional.

1) Configure an Application Launch Server Logon Account (on page 96)

2) Configure the Web Launcher Settings (on page 122)

3) Configure the Application Launch Server Settings (on page 125)

4) Configure the Application Launch Server Host (on page 130)

5) Configure Applications for Launching (on page 139)

IN THIS CHAPTER

Configure an Application Launch Server Logon Account ........................ 96

Configure the Web Launcher Settings .................................................. 122

Configure the Application Launch Server Settings ................................ 125

Configure the Application Launch Server Host ..................................... 130

Configure Session Recording Settings ................................................... 132

Configure the ERPM Web Client for Session Playback .......................... 136

Configure Applications for Launching ................................................... 139

Configure Application Sets .................................................................... 162

Shadow Accounts .................................................................................. 168

Chapter 4 Configuring

Application Launching and

Session Recording

96 Configuring Application Launching and Session Recording

4.1 CONFIGURE AN APPLICATION LAUNCH SERVER LOGON ACCOUNT ERPM uses a standard logon account to log on to the target Application Launch Server and launch

the LiebsoftLauncher application. The LiebsoftLauncher application then launches the target

application and connects to a web service (WebLauncherBackendService.svc) to obtain the

necessary program settings and credentials from ERPM.

Logon Account Requirements

The logon account has the following requirements:

A domain account is recommended, but the logon account can be a local account.

The account needs to be able to remotely log on to the target Application Launch Server. That

means that if the account is not an administrator, it must be added to the Remote Desktop

Users group on the Application Launch Server.

Because the user account launches the LiebsoftLauncher application upon login, be sure that

the account has the permissions required for the launch. Set the permissions in RemoteApp

settings, which typically are found in Server Manager under the Roles > Remote Desktop

Services heading. The permissions can be assigned directly to the user, or assigned to a group

that the user belongs to.

The account needs all of the same rights necessary to launch the final target application. It does

not necessarily need local or domain admin privileges.

Securing the Logon Account

ERPM should frequently change the logon account password, for example daily or weekly. (Setting

the rotation schedule to hourly could possibly invalidate the logon account's session.) Follow the

basic procedures for a password change in ERPM (as per the Admin Guide) to have ERPM manage

the password for the account. There is no requirements for password propagation, so turn off

password propagation for the password change job. We recommend keeping the password length

to 80 characters or less because some versions of Windows will not allow long passwords to be used

via RDP.

Caution: When launching an application, this account will be able to do

anything that the target application lets it do.

Configuring Application Launching and Session Recording 97

RECOMMENDED POLICY SETTINGS FOR THE LOGON ACCOUNT

This account can be heavily locked down as it generally doesn't need access to anything other than

the application being locked.

If this account is located in Active Directory, we recommend placing the account into an

organizational unit (OU) by itself or with other similarly locked down accounts. On this OU, create a

policy and modify the User Settings portion of the policy to lock down this logon account. There is

no need to place the Application Launch Servers in this OU as the policies that lock down the user

experience are user based, not system based.

Following are some of the settings recommended to lock down the session. All policies should be

tested to ensure they do not interfere with the required operation of a target application:

User Configuration > Policies > Windows Settings >

Security Settings > Software Restriction Policies

Policy Setting

Enforcement

Apply Software Restriction Policies to the following All software files

except libraries

(such as DLLs)

Apply Software Restriction Policies to the following users All users

When applying Software Restriction Policies Ignore certificate

rules

Trusted Publishers

Trusted publisher management Allow all

administrators and

users to manage

user's own Trusted

Publishers

Certificate verification None


Software Restriction Policies/Security Levels

Default Security Level Disallowed

Software Restriction Policies/Additional Rules >> Path Rules

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows

NT\CurrentVersion\SystemRoot% Security Level =

Unrestricted

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVers

ion\ProgramFilesDir% Security Level =

Unrestricted

C:\Program Files

(x86)\Lieberman\Roulette\RemoteAppLauncher\LiebsoftLaunche

r.exe

Security Level =

Unrestricted

User Configuration | Policies | Administrative Templates

Control Panel

Prohibit access to Control Panel and PC settings Enabled

Control Panel/Display

Disable the Display Control Panel Enabled

Control Panel/Printers

Browse a common web site to find printers Disabled


Browse the network to find printers Disabled

Prevent addition of printers Enabled

Prevent deletion of printers Enabled

Control Panel/Programs

Hide "Get Programs" page Enabled

Hide "Installed Updates" page Enabled

Hide "Programs and Features" page Enabled

Hide "Set Program Access and Computer Defaults" page Enabled

Hide "Windows Features" Enabled

Hide the Programs Control Panel Enabled

Control Panel/Regional and Language Options

Hide Regional and Language Options administrative options Enabled

Hide the geographic location option Enabled

Hide the select language group options Enabled

Hide user locale selection and customization options Enabled

Desktop

Don't save settings at exit Enabled


Hide and disable all items on the desktop Enabled

Hide Internet Explorer icon on desktop Enabled

Hide Network Locations icon on desktop Enabled

Prevent adding, dragging, dropping and closing the Taskbar's toolbars Enabled

Prohibit adjusting desktop toolbars Enabled

Prohibit User from manually redirecting Profile Folders Enabled

Remove Computer icon on the desktop Enabled

Remove Properties from the Computer icon context menu Enabled

Remove Properties from the Recycle Bin context menu Enabled

Remove Recycle Bin icon from desktop Enabled

Turn off Aero Shake window minimizing mouse gesture Enabled

Network/Network Connections

Ability to change properties of an all user remote access connection Disabled

Prohibit access to properties of a LAN connection Enabled

Prohibit access to the Remote Access Preferences item on the Advanced

menu

Enabled

Prohibit changing properties of a private remote access connection Enabled

Prohibit connecting and disconnecting a remote access connection Enabled

Prohibit renaming private remote access connections Enabled


Network/Offline Files

Remove "Make Available Offline" command Enabled

Remove "Work offline" command Enabled

Network/Windows Connect Now

Prohibit access of the Windows Connect Now wizards Enabled

Start Menu and Taskbar

Add Search Internet link to Start Menu Disabled

Add the Run command to the Start Menu Disabled

Clear history of recently opened documents on exit Enabled

Clear history of tile notifications on exit Enabled

Clear the recent programs list for new users Enabled

Do not allow pinning items in Jump Lists Enabled

Do not allow pinning programs to the Taskbar Enabled

Do not display any custom toolbars in the taskbar Enabled

Do not display or track items in Jump Lists from remote locations Enabled

Do not keep history of recently opened documents Enabled

Do not search communications Enabled

Do not search for files Enabled


Do not search Internet Enabled

Do not search programs and Control Panel items Enabled

Do not use the search-based method when resolving shell shortcuts Enabled

Do not use the tracking-based method when resolving shell shortcuts Enabled

Hide the notification area Enabled

Lock all taskbar settings Enabled

Lock the Taskbar Enabled

Prevent changes to Taskbar and Start Menu Settings Enabled

Prevent users from adding or removing toolbars Enabled

Prevent users from moving taskbar to another screen dock location Enabled

Prevent users from rearranging toolbars Enabled

Prevent users from uninstalling applications from Start Enabled

Remove access to the context menus for the taskbar Enabled

Remove All Programs list from the Start menu Enabled

Remove and prevent access to the Shut Down, Restart, Sleep, and

Hibernate commands

Enabled

Remove Clock from the system notification area Enabled

Remove common program groups from Start Menu Enabled

Remove Default Programs link from the Start menu. Enabled

Remove Documents icon from Start Menu Enabled

Remove Downloads link from Start Menu Enabled


Remove drag-and-drop and context menus on the Start Menu Enabled

Remove Favorites menu from Start Menu Enabled

Remove frequent programs list from the Start Menu Enabled

Remove Games link from Start Menu Enabled

Remove Help menu from Start Menu Enabled

Remove Homegroup link from Start Menu Enabled

Remove links and access to Windows Update Enabled

Remove Logoff on the Start Menu Disabled

Remove Music icon from Start Menu Enabled

Remove Network Connections from Start Menu Enabled

Remove Network icon from Start Menu Enabled

Remove Pictures icon from Start Menu Enabled

Remove pinned programs from the Taskbar Enabled

Remove pinned programs list from the Start Menu Enabled

Remove programs on Settings menu Enabled

Remove Recent Items menu from Start Menu Enabled

Remove Recorded TV link from Start Menu Enabled

Remove Run menu from Start Menu Enabled

Remove See More Results / Search Everywhere link Enabled

Remove the Action Center icon Enabled


Remove the battery meter Enabled

Remove the networking icon Enabled

Remove the volume control icon Enabled

Remove user folder link from Start Menu Enabled

Remove user's folders from the Start Menu Enabled

Remove Videos link from Start Menu Enabled

Show "Run as different user" command on Start Disabled

Turn off all balloon notifications Enabled

Turn off automatic promotion of notification icons to the taskbar Enabled

Turn off feature advertisement balloon notifications Enabled

Turn off notification area cleanup Enabled

Turn off user tracking Enabled

Start Menu and Taskbar/Notifications

Turn off notifications network usage Enabled

System/Ctrl+Alt+Del Options

Remove Change Password Enabled

Remove Task Manager Enabled


System/Internet Communication Management/Internet

Communication settings

Turn off access to the Store Enabled

Turn off downloading of print drivers over HTTP Enabled

Turn off handwriting recognition error reporting Enabled

Turn off Help Experience Improvement Program Enabled

Turn off Help Ratings Enabled

Turn off Internet download for Web publishing and online ordering

wizards

Enabled

Turn off Internet File Association service Enabled

Turn off printing over HTTP Enabled

Turn off the "Order Prints" picture task Enabled

Turn off the "Publish to Web" task for files and folders Enabled

Turn off the Windows Messenger Customer Experience Improvement

Program

Enabled

Turn off Windows Online Enabled

System/Removable Storage Access

All Removable Storage classes: Deny all access Enabled

CD and DVD: Deny read access Enabled

CD and DVD: Deny write access Enabled

Floppy Drives: Deny read access Enabled


Floppy Drives: Deny write access Enabled

Removable Disks: Deny read access Enabled

Removable Disks: Deny write access Enabled

Tape Drives: Deny read access Enabled

Tape Drives: Deny write access Enabled

WPD Devices: Deny read access Enabled

WPD Devices: Deny write access Enabled

System/Windows HotStart

Turn off Windows HotStart Enabled

Windows Components/Add features to Windows 8

Prevent the wizard from running. Enabled

Windows Components/App runtime

Block launching desktop apps associated with a file. Enabled

Block launching desktop apps associated with a protocol Enabled

Windows Components/Application Compatibility

Turn off Program Compatibility Assistant Enabled


Windows Components/Attachment Manager

Hide mechanisms to remove zone information Enabled

Windows Components/AutoPlay Policies

Disallow Autoplay for non-volume devices Enabled

Prevent AutoPlay from remembering user choices. Enabled

Set the default behavior for AutoRun Enabled

Default AutoRun Behavior Do not execute any autorun commands

Turn off Autoplay Enabled

Turn off Autoplay on All drives

Windows Components/Credential User Interface

Do not display the password reveal button Enabled

Windows Components/Desktop Gadgets

Restrict unpacking and installation of gadgets that are not digitally

signed.

Enabled

Turn off desktop gadgets Enabled

Turn Off user-installed desktop gadgets Enabled


Windows Components/Digital Locker

Do not allow Digital Locker to run Enabled

Windows Components/Edge UI

Turn off switching between recent apps Enabled

Turn off tracking of app usage Enabled

Windows Components/File Explorer

Display confirmation dialog when deleting files Enabled

Display the menu bar in File Explorer Enabled

Do not allow Folder Options to be opened from the Options button on

the View tab of the ribbon

Enabled

Do not display the Welcome Center at user logon Enabled

Do not request alternate credentials Enabled

Hide these specified drives in My Computer Enabled

Restrict all drives

Hides the Manage item on the File Explorer context menu Enabled

No Entire Network in Network Locations Enabled

Prevent access to drives from My Computer Enabled

Restrict all drives

Prevent users from adding files to the root of their Users Files folder. Enabled


Remove "Map Network Drive" and "Disconnect Network Drive" Enabled

Remove CD Burning features Enabled

Remove File Explorer's default context menu Enabled

Remove File menu from File Explorer Enabled

Remove Hardware tab Enabled

Remove Security tab Enabled

Remove the Search the Internet "Search again" link Enabled

Turn off display of recent search entries in the File Explorer search box Enabled

Turn off Windows+X hotkeys Enabled

Windows Components/File Explorer/Common Open File Dialog

Hide the common dialog back button Enabled

Hide the common dialog places bar Enabled

Hide the dropdown list of recent files Enabled

Windows Components/File Explorer/Explorer Frame Pane

Turn off Preview Pane Enabled

Turn on or off details pane Enabled

Configure details pane Always hide


Windows Components/File Explorer/Previous Versions

Prevent restoring previous versions from backups Enabled

Windows Components/IME

Turn off history-based predictive input Enabled

Turn off Internet search integration Enabled

Windows Components/Internet Explorer

Automatically activate newly installed add-ons Disabled

Configure Media Explorer Bar Enabled

Disable the Media Explorer Bar and auto-play feature Enabled

Auto-Play Media files in the Media bar whenEnabled Disabled

Disable AutoComplete for forms Enabled

Disable changing accessibility settings Enabled

Disable changing Advanced page settings Enabled

Disable changing Automatic Configuration settings Enabled

Disable changing Calendar and Contact settings Enabled

Disable changing certificate settings Enabled

Disable changing connection settings Enabled

Disable changing home page settings Enabled


Home Page Define a home

page if necessary

Disable changing language settings Enabled

Disable changing Messaging settings Enabled

Disable changing ratings settings Enabled

Disable changing Temporary Internet files settings Enabled

Disable Import/Export Settings wizard Enabled

Disable Internet Connection wizard Enabled

Do not allow users to enable or disable add-ons Enabled

Identity Manager: Prevent user from using Identities Enabled

Notify users if Internet Explorer is not the default web browser Disabled

Pop-up allow list Enabled

Enter the list of sites here. Define allowed

sites list if

applicable such as

*.microsoft.com

Prevent "Fix settings" functionality Enabled

Prevent access to Internet Explorer Help Enabled

Prevent bypassing SmartScreen Filter warnings Enabled

Prevent bypassing SmartScreen Filter warnings about files that are not

commonly downloaded from the Internet

Enabled

Prevent changing pop-up filter level Enabled

Prevent changing proxy settings Enabled


Prevent changing the default search provider Enabled

Prevent configuration of how windows open Enabled

Select where to open links Open in existing

Internet Explorer

window

Prevent Internet Explorer Search box from appearing Enabled

Prevent managing pop-up exception list Enabled

Prevent managing SmartScreen Filter Enabled

Select SmartScreen Filter mode On

Prevent participation in the Customer Experience Improvement

Program

Enabled

Prevent per-user installation of ActiveX controls Enabled

Prevent running First Run wizard Enabled

Select your choice Go directly to

home page

Search: Disable Find Files via F3 within the browser Enabled

Search: Disable Search Customization Enabled

Specify default behavior for a new tab Enabled

New tab behavior Home page

Turn off ability to pin sites in Internet Explorer on the desktop Enabled

Turn off add-on performance notifications Enabled

Turn off browser geolocation Enabled


Turn off configuration of pop-up windows in tabbed browsing Enabled

Select tabbed browsing pop-up behavior Force pop-ups to

open in a new tab

Turn off Crash Detection Enabled

Turn off Favorites bar Enabled

Turn off Managing SmartScreen Filter for Internet Explorer 8 Enabled

Select SmartScreen Filter mode for Internet Explorer 8 On

Turn off pop-up management Enabled

Turn off Quick Tabs functionality Enabled

Turn off Reopen Last Browsing Session Enabled

Turn off suggestions for all user-installed providers Enabled

Turn off tabbed browsing Enabled

Turn off the auto-complete feature for web addresses Enabled

Turn off the quick pick menu Enabled

Turn on Suggested Sites Disabled

Turn on the auto-complete feature for user names and passwords on

forms

Disabled

Windows Components/Internet Explorer/Accelerators

Turn off Accelerators Enabled


Windows Components/Internet Explorer/Browser menus

Disable Open in New Window menu option Enabled

Disable Save this program to disk option Enabled

File menu: Disable closing the browser and Explorer windows Enabled

File menu: Disable New menu option Enabled

File menu: Disable Open menu option Enabled

File menu: Disable Save As Web Page Complete Enabled

File menu: Disable Save As... menu option Enabled

Help menu: Remove 'Send Feedback' menu option Enabled

Help menu: Remove 'Tour' menu option Enabled

Hide Favorites menu Enabled

Tools menu: Disable Internet Options... menu option Enabled

Turn off Print Menu Enabled

Turn off Shortcut Menu Enabled

View menu: Disable Full Screen menu option Enabled

View menu: Disable Source menu option Enabled

Windows Components/Internet Explorer/Delete Browsing History

Disable "Configuring History" Enabled

Days to keep pages in History 1


Windows Components/Internet Explorer/Internet Control Panel

Disable the Advanced page Enabled

Disable the Connections page Enabled

Disable the Content page Enabled

Disable the General page Enabled

Disable the Privacy page Enabled

Disable the Programs page Enabled

Disable the Security page Enabled

Windows Components/Internet Explorer/Internet Control

Panel/Advanced Page

Allow active content from CDs to run on user machines Disabled

Allow software to run or install even if the signature is invalid Disabled

Do not allow resetting Internet Explorer settings Enabled

Empty Temporary Internet Files folder when browser is closed Enabled


Panel/General Page

Start Internet Explorer with tabs from last browsing session Disabled



Panel/General Page/Browsing History

Allow websites to store application caches on client computers Disabled

Windows Components/Internet Explorer/Internet Settings/Advanced

settings/Browsing

Turn off details in messages about Internet connection problems Enabled

Turn on script debugging Disabled


settings/Multimedia

Allow Internet Explorer to play media files that use alternative codecs Disabled


settings/Searching

Prevent configuration of search on Address bar Enabled

When searching from the address bar Do not search

from the address

bar

Prevent configuration of top-result search on Address bar Enabled

When searching from the Address bar Disable top result

search



settings/Signup Settings

Turn on automatic signup Disabled

Windows Components/Internet Explorer/Internet

Settings/AutoComplete

Turn off URL Suggestions Enabled

Turn off Windows Search AutoComplete Enabled

Turn on inline AutoComplete Disabled

Windows Components/Internet Explorer/Security Features/Restrict

File Download

All Processes Enabled

Internet Explorer Processes Enabled

Windows Components/Internet Explorer/Toolbars

Configure Toolbar Buttons Enabled

Show Back button Enabled

Show Forward button Enabled

Show Stop button Enabled

Show Refresh button Enabled

Show Home button Enabled

Show Search button Disabled


Show Favorites button Disabled

Show History button Disabled

Show Folders button Disabled

Show Fullscreen button Disabled

Show Tools button Disabled

Show Mail button Disabled

Show Font size button Disabled

Show Print button Disabled

Show Edit button Disabled

Show Discussions button Disabled

Show Cut button Disabled

Show Copy button Disabled

Show Paste button Disabled

Show Encoding button Disabled

Disable customizing browser toolbar buttons Enabled

Disable customizing browser toolbars Enabled

Display tabs on a separate row Enabled

Hide the Command bar Enabled

Hide the status bar Enabled

Lock all toolbars Enabled


Lock location of Stop and Refresh buttons Enabled

Turn off Developer Tools Enabled

Turn off toolbar upgrade tool Enabled

Windows Components/Location and Sensors

Turn off location Enabled

Windows Components/Microsoft Management Console

Restrict the user from entering author mode Enabled

Windows Components/Network Sharing

Prevent users from sharing files within their profile. Enabled

Windows Components/Presentation Settings

Turn off Windows presentation settings Enabled

Windows Components/Sound Recorder

Do not allow Sound Recorder to run Enabled

Windows Components/Tablet PC/Accessories


Do not allow printing to Journal Note Writer Enabled

Do not allow Snipping Tool to run Enabled

Do not allow Windows Journal to be run Enabled

Windows Components/Tablet PC/Hardware Buttons

Prevent Back-ESC mapping Enabled

Prevent launch an application Enabled

Prevent press and hold Enabled

Turn off hardware buttons Enabled

Windows Components/Windows Error Reporting

Disable Windows Error Reporting Enabled

Windows Components/Windows Installer

Prevent removable media source for any installation Enabled

Prohibit rollback Enabled

Windows Components/Windows Logon Options

Set action to take when logon hours expire Enabled

Set action to take when logon hours expire Logoff


Windows Components/Windows Mail

Turn off the communities features Enabled

Turn off Windows Mail application Enabled

Windows Components/Windows Media Center

Do not allow Windows Media Center to run Enabled

Windows Components/Windows Media Player

Prevent CD and DVD Media Information Retrieval Enabled

Prevent Music File Media Information Retrieval Enabled

Windows Components/Windows Media Player/Networking

Hide Network Tab Enabled

Windows Components/Windows Media Player/Playback

Prevent Codec Download Enabled

Windows Components/Windows Messenger

Do not allow Windows Messenger to be run Enabled


Do not automatically start Windows Messenger initially Enabled

Windows Components/Windows Mobility Center

Turn off Windows Mobility Center Enabled

Windows Components/Windows Update

Do not adjust default option to 'Install Updates and Shut Down' in Shut

Down Windows dialog box

Enabled

Do not display 'Install Updates and Shut Down' option in Shut Down

Windows dialog box

Enabled

4.2 CONFIGURE THE WEB LAUNCHER SETTINGS To configure the web launcher settings for the ERPM web client, choose Settings > Manage Web

Application > Application Launch in the management console.


The "Launch Application with Credentials Settings" dialog opens.

Configuring the "Global" tab

The Global tab identifies the ERPM web service and other related settings that are used when

launching applications.

Launcher Web Service Config

Web service URL – The URL of the application launcher web service. When the web service

is installed (typically on the ERPM web server), a web service is normally created at

[site]/erpmwebservice. The web service is called WebLauncherBackendService.svc. Enter

the full URL in the Web service URL field, including the protocol and port if applicable.


Important: There should be no certificate or access errors when accessing this

URL in a browser. Test the URL to verify that it works for users that

will be accessing the web server. The best test is to log in to the

Application Launch Server using the Application Launch Server login

account (configured in the previous section) and attempt to access

the URL (provided below). If the account is prompted for credentials

or certificate errors, the application launcher will fail.

The typical URL is:

https://erpmwebservername.yourdomain.com/erpmwebservice/weblauncherbackends

ervice.svc.

Test Connection – Click to verify that the web service URL is correct and the web service is

properly responding to requests.

Launcher Related Web App Options

Enable launching applications using stored passwords in the web application – Required to

enable remote launching. If this option is not selected, then the Launch Application option

will be unavailable in the website.

Remote Launch

Enable launching applications on a remote server – Enable the configured applications to

launch via an Application Launch Server rather than launching only locally on the client.

When the option is enabled and an application is configured to use an Application Launch

Server, the applications can instead launch from the Application Launch Server and will use

RemoteApp to display the program's UI to the user's desktop as if it were a native

application.

[Script Launch] Path to script files on client systems – The path that the script automation files

will be copied to (manual copy). This path is used when local launch (rather than via the

Application Launch Server) will be used to launch web-based applications such as Twitter,

Facebook, or other web-based programs. If local launching of these sorts of applications will not

be launched directly from a client's machine (rather than via the Application Launch Server) it


will not be necessary to configure this path. The default location where these scripts are found

is:

C:\Program Files (x86)\Lieberman\Roulette\LaunchApp\WebAutomation.

Sign generated RDP files with certificate identified by thumbprint – When RDP files are

generated, they will be signed with the identified certificate. This helps avoid

unknown/untrusted RDP connection warnings and errors. For this option to function, the

following must be true:

The certificate needs to be on the client workstation to generate RDP files to connect to the

Application Launch Server.

The certificate also needs to be on the Application Launch Server if RDP connections are

configured to go through the Application Launch Server.

The certificate must be accessible to the user that’s running the process creating and launching

the RDP file.

The security policy of the machine must be configured to require signed RDP files for this setting

to have any effect (it is not by default).

4.3 CONFIGURE THE APPLICATION LAUNCH SERVER SETTINGS Start by choosing Settings > Manage Web Application > Application Launch in the management

console.


Configuring the "Remote Servers" tab

The Remote Servers tab identifies the available Application Launch Servers and other related

settings that will be used for launching applications. The option Enable launching applications on a

remote server must also be selected on the Global tab to make use of these servers.


To add a new server, click the Add button in the lower right area of the dialog.

CONFIGURING THE "REMOTE APPLICATION SERVER CONFIGURATION" DIALOG

The following fields are mandatory:

Server configuration identifier – The friendly name of the server as it will appear in the

application launcher configuration.

Remote server system name – The actual name of the Application Launch Server. This should

be the name (FQDN or simple or IP) as can be reached from the client systems that will be

initiating the session.

Use RemoteApp to launch the liebsoft launcher on the server – This option must be selected to

remotely launch applications from the Application Launch Server using RemoteApp as available

in 2008 R2 and newer.

Launcher path on jump server – The path to the launcher component on the jump server.


Use RemoteApp connection broker (RDS 2012+ only)

o Connection broker – The fully qualified domain name (FQDN) of the connection

broker. For example, 2k8r2-3.demo.msft.

o Load balancer info – The loadbalanceinfo value from the .rdp file. For example,

tsv://MS Terminal Services Plugin.1.lsc.example.

Warning! Be careful that your RDS collection name does not exceed 16 characters.

Microsoft truncates names that exceed 16 characters when storing the name in the

registry. If the truncated name does not match the configured load balancer info

value, the following error message is returned: "Your computer can't connect to the

remote computer because the connection broker couldn't validate the settings in your

RDP file."

Use integrated Windows credentials to login to the jump server – When used in conjunction

with a Windows Server 2012 Application Launch Server that is properly configured for web

single server sign on and where the ERPM website is also configured for use with integrated

authentication and where the user actually logs in using integrated authentication, then this

feature will connect to the Application Launch Server using the ERPM user's credentials rather

than a specific Application Launch Server login. The login user must have proper permissions to

launch the application and RDP to the server.

Prompt for login credentials to application server – Will cause credentials to not be

automatically provided when connecting to the Application Launch Server. The user performing

the application launch must provide credentials that are valid for the Application Launch Server.

Login credential system name – This value must be populated. If ERPM will be using stored

(managed) credentials to log into the Application Launch Server, this is the name of the

system/server as it appears in ERPM from which to draw the credentials from. It is

recommended to use a domain credential for this purpose; see the section for configuring an

Application Launch Server login account.

Login credential account name – This is the name of the account that will be used to log in to

the Application Launch Server. It is recommended to use a domain credential for this purpose;

see the section for configuring an Application Launch Server login account.

Login credential domain name – The domain to which the account belongs. If this is a local

account (not recommended) then this should be the simple (NetBIOS) name of the Application

Launch Server.


Load saved password for connection from password store – Select this option to pull the

managed password from the ERPM password store. If it is desired to use a hard coded password

instead, then supply the actual password in the remote server logon password field.

[Script Launch] Path to script files on client systems – The path that the script automation files

will be copied to during installation of the AppLauncher. This path is used when launching web

based applications such as Twitter, FaceBook, or other web based programs. The default

location where these scripts are found is:

C:\Program Files (x86)\Lieberman\Roulette\LaunchApp\WebAutomation

Update OIT agent data for agent running on the server – Only provides functionality when the

session recorder is provided by ObserveIT. Selecting this option will change certain metadata

attributes to more accurately reflect which user account is performing certain actions. This

affects auditing information stored within OIT.


Note: Important! If using the built-in session recording, instead of the session recording

offering from ObserveIT, DO NOT check the Update OIT agent data for agent

running on the server. This will prevent the built-in session recorder from working.


Once the entries are validated, click OK to add the Application Launch Server object. If the option to

Load saved password for connection from password store is selected and a stored password for

the target account does not exist, a warning indicating such will appear to the user otherwise the

dialog will close without incident.

Any of these settings can be changed at any time without having to make any changes to IIS or

performing IISReset or other administrative actions.

4.4 CONFIGURE THE APPLICATION LAUNCH SERVER HOST This section lists two configuration updates that should be made on the Application Launch Server

host.


To Configure the Host Machine for Multiple Application Launcher Sessions

The following configuration change is needed to allow multiple application launcher sessions to run

concurrently.

1) Log on to the Application Launcher Server host machine.

2) Open the Run dialog using the Win+R keyboard shortcut.

3) Type gpedit.msc and press OK.

The "Local Group Policy Editor" window opens.

4) Choose Computer Configuration > Administrative Templates > Windows Components >

Remote Desktop Services > Remote Desktop Session Host > Connections : Restrict Remote

Desktop Services users to a single Remote Desktop Services session.

5) Right-click Restrict Remote Desktop Services users to a single Remote Desktop Services

session and choose Edit.

A dialog opens to configure the policy.

6) Select Disabled, then click OK.

To Configure the Host Machine to Prevent Transcoding Problems

The following configuration change is needed to prevent a problem that could potentially result in

your session recordings failing to be processed by the transcoder.

1) Open the Run dialog on the Application Launcher Server host using the Win+R keyboard

shortcut.

2) Type gpedit.msc and press OK.

The "Local Group Policy Editor" window opens.

3) Choose Computer Configuration > Administrative Templates > System > User Profiles: Do not

forcefully unload the user registry at logoff.

4) Right-click Do not forcefully unload the user registry at logoff and choose Edit.

A dialog opens to configure the policy.

5) Select Enabled, then click OK.


4.5 CONFIGURE SESSION RECORDING SETTINGS Start by choosing Settings > Manage Web Application > Application Launch in the management

console.


Configuring the "Session Recorders" tab

The Session Recorders tab identifies configured session recording servers. There will typically be a

one-to-one relationship with the servers configured on the Remote Servers tab.

To add a new server, click the Add button in the lower right area of the dialog.


The following fields are mandatory:

Configuration label - the friendly name of the server as it will appear in the application launcher

configuration.

Basic configuration - use this option if the session recording host will perform both recording

and transcoding duties. Recorder options include Expressions 4, VLC, and Windows Problem

Steps Recorder. It is recommended to choose the Expressions 4 recorder option. The output

path will default a default local path if this option is selected.

Advanced configuration - use this option if it is desired to put recordings in a custom location or

if video transcoding will occur on a separate host (typical). It is not recommended to change the

Assembly path or Type in Assembly values.

Abort application launch if session recording fails - with this option selected, if session

recording fails to initialize, the remote session will be logged off and no remote app launch will

occur.

Output path - if using the Application Launch Server for both session recording and video

transcoding and it is desired to place the recordings to an alternate location, specify the path

here. If transcoding is occurring on a separate host, then this should be a network UNC path

(\\server\source) to the Source share on the transcoder host.


File name template - the default value is SessionRecording-$(SessionID). In this scenario

SessionRecording- is the filename prefix and $(SessionID) is a variable for the session ID of the

remote app launch session. If the names of the recordings should be changed, this is acceptable

but to not remote the $(SessionID) value from the name. There should also be no extension

listed for the file name.


Once the entries are validated, click OK to add the session recorder host object.

Any of these settings can be changed at any time without having to make any changes to IIS or

performing IISReset or other administrative actions.

Configuring the Transcoder to Record Multiple Videos at the Same Time

The session recording transcoder is set to record a maximum of one video at a time by default. To

configure the transcoder to record multiple concurrent videos, complete the following steps

1) Go to the system where the Application Launcher and Session Recorder components are

installed and choose Start > Lieberman Software > Settings.

The "Session Recording Configuration" dialog opens.

2) If necessary, expand the File Watcher Transcoder Service Settings section and locate Setting:

Maximum Concurrent Encoders.


3) Type the maximum number of simultaneous recordings that the transcoder should allow, then

click Push.

4) Close the "Session Recording Configuration" dialog.

4.6 CONFIGURE THE ERPM WEB CLIENT FOR SESSION PLAYBACK To play back recorded sessions, ERPM needs to know the location of the media server machine,

which is where the completed session recordings are located.

The media server will have configured IIS with a virtual directory under the default root website

called SessionRecording. It is this URL that will be provided to the ERPM website configuration. The

SessionRecording URL may be presented with or without SSL, but should be configured to use

anonymous authentication.

To Configure ERPM With the SessionRecording URL 1) Open the ERPM management console and click Manage Web App in the left action pane.

2) Choose Options > Configure default web application options from the menu.


3) Click the User/Session Management tab.

4) Locate the Session playback URL field and enter the URL for the media server where the videos

are hosted from. If using HTTPS, be sure to enter the valid name of the server that matches the

assigned name on the certificate to avoid certificate errors. A typical URL will be similar to

https://server.your.domain/sessionrecording/. Be aware that the system is expecting a

trailing forward slash at the end of the URL.

5) Click OK once the URL is entered.


6) If updating an existing website with this new information, right-click on the website instance

and select Replace instance options with default web application options. There is no need to

restart any servers or components after making this change.

Once the URL is added and once any sessions have been recorded, users with access to the auditing

section of the ERPM website will be able to play back any recorded sessions that exist.


4.7 CONFIGURE APPLICATIONS FOR LAUNCHING

4.7.1 Adding Application Launching Scripts

Enterprise Random Password Manager includes a number of application launching scripts. Most

scripts require additional configuration before they can be used to launch the target application.

To Add the Application Launching Scripts 1) In the management console, choose Settings > Manage Web Application > Application Launch.


2) Click the Applications tab.

3) Click Add Defaults.

To add new applications, click the Add button. Duplicate or edit existing items by using the Copy

or Edit buttons respectively.


After adding an application you have to configure it before it can be launched.

4.7.2 Configuring ERPM to Launch Applications

This section documents how to configure ERPM for app launching.

To Configure ERPM to Launch Specific Applications 1) Open the management console and choose Settings > Manage Web Application > Application

Launch.


2) Click the Applications tab.


The Applications tab identifies the applications that can be made available to launch from the

ERPM website and other related settings that will be used when launching these applications.

3) Select an application launch type item and click Edit.

The "Remote Application Configuration" dialog opens.

4) Complete the form.

EDITING THE REMOTE APPLICATION CONFIGURATION DIALOG

Remote application label – Required. This is the friendly name of the application as it will

appear in the ERPM website.

Remote application description – Optional. Enter a description for the application that will

appear in the ERPM website.

Remote application icon path – Optional. To set a custom icon for the application, identify the

location of the physical ERPM website installation files. Typically, this will be at

%inetpub%\wwwroot\PWCWeb. All file paths defined for the icons will be relative to this path.

It is recommended to create a custom folder (example "CompanyIcons") and add your icons to

this folder so that they persist through website upgrades. Then, for the icon path, simply add

the path using the following convention: FolderName\IconName.gif. All GIF files should be

32x32 pixels.

Remote launch type – Required. Select from the available launch types:

Launch application with command line parameters – Use this for any application which can be

launched with command line options such as SQL Management Studio, PuTTy, VMware vCenter,

and so on.

Open web application with form post – Use this for websites that only require a basic form post

and does not make use of JSON, YAML, or other technologies for passing the user name and

password information. When this is selected, fill out the Web Page and Name-Value pair fields.

The web page is the name of the login page, including the protocol, such as

http://webserver/pwcweb/login.asp. The name-value pair should consist of the variables

for the user name and password.

Launch terminal services client – Use this for launching the Microsoft Terminal Services client.

There are no additional requirements to set up this launch type.

Launch app through .net assembly – Used when an external .Net assembly will be used to

perform the connection and credential passing. Supply the Assembly Path and Type Name

values. The assembly path is the full physical file patch to the .Net assembly. Type name is the

name of the .Net interface.


Launch app through script automation – This is most frequently used for launching MMCs,

websites that do not pass user name and password information basic form post (see most web

examples in the default list), fat clients that do not make use of command line parameters, and

so on. Supply the Script Path and Automation URL. Script path is the name of the script to run,

including the extension. For example, login_azuremgmt.vbs. This script must be found in the

pre-defined script automation directory on the global options or Application Launch Server

configuration dialogs for the app launcher. Automation URL is the target URL. For example,

http://manage.windowsazure.com or for a device,

https://$(RemoteAccessTarget_TargetName)/login.html.

Run on the jump server – Optional. Use to launch the target application from the Application

Launch Server (configured previously) or from the user's workstation. If this option is not

selected then the application will attempt to launch locally on the user's local workstation. If

this option is selected, then the application will be launched on the Application Launch Server.

The application must be installed on the Application Launch Server at that time. This is a

per-application setting.

Use the targeted account to connect to the jump server – If the Application Launch Server is

used and the account being targeted to launch the application is a domain account or a valid

local Application Launch Server host account, this option will establish a connection with those

credentials rather than the pre-configured Application Launch Server connection credentials. If

the credentials are not valid on the Application Launch Server host then the connection will not

succeed. Do not use this option for non-Windows systems.

Application supports multi-tab – A special set of configurations and launch scripts for

applications which have multi-branch or multi-tab capabilities. See the the Multi-tab Support

section for more information on configuration and use.

Load user profile when starting application (Configure RDP connection parameters) – When

selected will load the connecting user's user profile on the Application Launch Server host which

will enable additional elements to available via RDP to become available such as color depth,

mapped drives, clipboard capability and so on.

Enable session recording – Optional. If a session recording host is configured, this option will be

available. When configured, the launching of this application on an Application Launch Server

will record just this application being run. This is a per-application setting.

Application – Mandatory. The application name is simply the name of the executable without

the path. For example, SSMS.EXE.

Command line – Mandatory. Command line is the parameters to launch the executable with.

Parameters are specific to the program being launched and not ERPM. ERPM does, however,

provide specific replacement variables that can be used in place of otherwise static values, such


as $(RemoteAccessTarget_TargetName) instead of the target's actual host name. See the

following sub-section for more information.

Application location – Optional. An application location must also be defined but can either be

a full physical path in the application location field or be setup to search for and even to

download a ready to run executable from a predefined network path (At launch download file

from path). A physical path MUST be defined when launching the application from an

Application Launch Server. If a physical path is not defined in the application location field, then

the option to Search for application on local system should be enabled. Sub-options for

application search include searching for the application on the system root or program files

directories. In addition, subsequent include and exclude directories may be defined. Multiple

values should be segregated by a semi-colon. There is no variable replacement such as

%systemroot% or %inetpub% so full physical locations must be used.

Search for application on local system –Optional. Will cause the application launcher to search

the Application Launch Server or the calling workstation's file system for the executable being

launched, and launch the first valid application it comes across. If this option is deselected, then

the Application location field above it becomes active where a static path can be defined. Using

the search mechanism adds time to launch the application. The locations it can search are the

Program Files directories or the system root directory. Searching is controlled by the

subsequent options on this dialog.

Search for application on local system root directs ERPM to search the %systemroot% location

on the Application Launch Server or the calling workstation's file system when launching an

application.

Search for application under the program files directory directs ERPM to search

%programfiles% and %programfiles(x86)% on the Application Launch Server or the calling

workstation's file system when launching an application.

Subdirectory restriction is the directories to not search when searching the program files

directory structure.

Additional search directories is the additional directories to search if there are any other

directories on the system to search. The list is semi-colon delimited.

Working Directory is the default search starting point.


Only run signed executables – Optional. Will ensure the program has a digital signature on it. If

the option is enabled, an additional verification can be configured to validate specific fields of

the digital signature such as the certificate serial number, certificate issuer or other signing bits.

Verify certificate fields of signing certificate – Becomes available if the option to Only run signed

executables is selected. The resulting dialog allows defining which fields to verify in the signing

certificate.

Only run executables with expected hashes – Optional. Allows the admin to define hashes of a

target application. This is useful to ensure that someone did not rename a malicious executable

or that only a specific patched version runs. Multiple hashes can be calculated and defined from

this dialog.

At launch, download the file from path – Optional. Defines a network path or URL to download

the application from if it is not already present on the host system.

Settings apply to client system configuration – Applies only to applications launched from the

users workstation and has no effect for applications launched using the Application Launch


Server host. Consider that a 32-bit application running on a 32-bit Windows host will typically

install to c:\program files\application. Yet that same 32-bit application running on a 64-bit

Windows host will typically install to c:\program files (x86)\application. This setting

permits configuration of only one application to launch with multiple possible settings. When

these settings are configured, the launcher will determine what host it is running on and

retrieve the appropriate settings, such as launch directory.

Application uses stored private key – Optional. This option allows programs that can use

certificates (such as SSH clients) to define which certificate to use when connecting. These

certificates must have been pre-imported and assigned via the management console by

choosing Settings > User Keys > Import Keys.

Application uses gateway server – Optional. If an SSH proxy/gateway is defined (in the

management console by choosing Settings > Manage Web Application > Remote Gateway

Servers) this option is available. This option is useful when a client must first connect to an SSH

proxy first before connecting to the final SSH target. This process uses plink.exe. The plink.exe

download location must also be specified with the path on the Application Launch Server where

the plink.exe executable resides. Plink.exe is installed in the launch app folder on the

Application Launch Server if the PuTTy files are also installed when installing the application

launcher. Plink.exe can also be downloaded from http://www.putty.org (see

http://www.putty.org - http://www.putty.org).

Configure Allowable Types – Mandatory. This defines which account types in the application

will be available. At least one account type must be selected. This is what specifically makes an

application available to MySQL or Windows but not Linux or SQL Server or Oracle.

Always use the specified account when starting this application – Optional. When this option is

NOT selected (default), the application is available for the selected account type(s) (Configure

Allowable Account Types). That means potentially any account could be used to launch this

application. If the option is enabled, ERPM will pull a predefined credential from the account

store and always use that account to launch the application. Also, the application will not be

available in the Launch App section of the ERPM website. Rather, it will be made available in the

Applications section of the website for the users that have permission to launch the application.

The Launch App section is accessible when viewing specific managed passwords. Applications is

always available regardless of managed passwords.

For replaceable variables in the command line or automation URL paths, see Variables for App

Launching (on page 146).

http://www.putty.org/


4.7.3 Variables for App Launching

ERPM provides variables for you to use to pass the user name, password, target server, and so on

when launching an application from the command line or via web automation scripts.

Consider the following scenario:

1) DEMO\Broberts logs into the ERPM web application.

2) DEMO\Broberts clicks on launch app. This causes a secondary account (DEMO\AppLaunchLogin)

to connect to the Application Launch Server and initiate and launch the liebsoftlauncher.exe

program.

3) Liebsoftlauncher connects back to the web service and retrieves program settings (including

target system), target user name, and target password. For this example, connecting to a server

called DB2012 as SA with with the SA password.

In this scenario the following elements are defined using the following variables:

DEMO\Broberts = $(SourceAppLogin) or $(UserEnteredLoginUsername)

DEMO\AppLaunchLogin = NOT EXPOSED

DB2012 = $(RemoteAccessTarget_TargetName)

SA = $(Username) or $(AccountName_FullyQualified)

SA Password = $(Password) or $(Password_Raw)

Following is a list of all possible variables

$(UserEnteredLoginUsername) – Same as $(SourceAppLogin), is the account used to log in to

the ERPM web application.

$(UserEnteredLoginUsername:RemoveNTSyleNamespace) – This element prunes the domain

name from the user name. From the example above, DEMO\Broberts becomes simply Broberts.

$(UserEnteredLoginUsername:ReplaceBackslashWithDot) – This element retains the domain

name with the user name but replaces the slash with a dot. From the example above,

DEMO\Broberts becomes DEMO.Broberts. Use this variable when a name is required that will

no be interpreted as a path for creating directories.

$(SourceAppLogin) – Same as $(UserEnteredLoginUsername), is the account used to login to

the app [component] that is triggering the launcher (that is, the RDP user to the Application

Launch Server).

$(SourceAppLogin:RemoveNTSyleNamespace) – This element prunes the domain name from

the user name. From the example above, DEMO\Broberts becomes simply Broberts.


$(SourceAppLogin:ReplaceBackslashWithDot) – This element retains the domain name with

the user name but replaces the slash with a dot. From the example above, DEMO\Broberts

becomes DEMO.Broberts. Use this variable when a name is required that will no be interpreted

as a path for creating directories.

$(Username) – This is the name of the target account. From the example above, SA.

$(AccountName_FullyQualified) – Building on the $(Username) variable, this will pre-pend the

domain prefix to the account name, if applicable.

$(Password) – The regex escaped password (for example, pass\"word ).

$(Password_Raw) – The raw un-escaped password.

$(RemoteAccessTarget_TargetName) – The target host to which the application will connect.

$(LauncherPath) – The path to the application launcher.

$(SessionID) – The GUID for the launcher link.

$(PrivateKey) – The file path for the DER encoded private key (if available).

$(PrivateKeyPassphrase) – The pass phrase, if present for $(PrivateKey).

$(PuttyKey) – The file path for the putty encoded private key (if available).

These variables are used in line and replaced by ERPM at the time the application is launched. For

example, if in the website the user were to go to the SQL Server database instance on a server

called DB2012 and connect with the built-in (and managed) SA account, the command-line syntax

would be:

-S $(RemoteAccessTarget_TargetName) -U $(Username) -P $(Password) -nosplash

The switches ( -S, -U, and -P ) are part of the SMSS.EXE executable. The subsequent values of

$(RemoteAccessTarget_TargetName), $(Username), and $(Password) would be replaced by the

name of the server (DB2012), the name of the account (SA), and the password for SA respectively.

4.7.4 Maintaining Application Launching Scripts

As a courtesy to our customers, updated scripts that support common online business applications

are periodically made available. This section describes how to download and install those files, and

keep the script directory in sync across multiple launchers if script updates are required.

To Install New Application Launching Scripts 1) Download updated scripts from the Enterprise Random Password Manager product download

page:


https://liebsoft.com/products/enterprise_random_password_manager/product-download/

Scripts are distributed as a single .zip archive file.

2) Customize the scripts as needed and test that they work.

Scripts are generic and may need to be customized to work in your environment. See Variables

for App Launching (on page 146) for additional information.

3) Copy updated and customized automation scripts to the WebAutomation location. Be sure to

also copy scripts to any secondary launchers.

To verify that you are copying scripts to the correct location, see "To Verify the Script Launch

Path Configured on Your Remote Application Server" later in this section.

The following table lists the default file installation locations.

Application Launcher File(s) Default installation location

Application launcher

files to be installed

on a bastion host

LiebSoftLauncher.exe

%ProgramFiles(x86)%\Lieberman\Roulette\LaunchApp

The automation

scripts

%ProgramFiles(x86)%\Lieberman\Roulette\LaunchApp\

WebAutomation

Note: If you add your own compiled scripts to the WebAutomation folder, the defined

login account must be able to read and execute the scripts.

To Verify the Script Launch Path Configured on Your Remote Application Server 1) In the management console, choose Settings > Manage Web Application > Application Launch.

2) Click the Remote Servers tab.

3) Select the remote application server and click Edit.

The "Remote Application Server Configuration" dialog opens.

4) Refer to the [Script Launch] Path to script files field to view the path.


4.7.5 Multi-Tab Support

A lot of administrative tools support several connections to the target systems from one tool

window. It can be implemented as separate tabs (like in SecureCRT) or like branches in tree-view

navigation pane (like in Microsoft SQL Management Studio).


The following shows SecureCRT with two connections.


The following shows SQL Management Studio with two servers.

These applications can use different credentials for each target system connection. However, some

applications have limitations when using multiple tabs or branches. For example it is possible to use

integrated windows authentication to connect SQL Management Studio to some MS SQL servers,

while others require an explicit SQL account using SQL authentication. In the case of SQL

Management Studio, when the tool is launched and integrated, Windows authentication is used and

it is not possible to re-use the existing instantiation of the tool. However, if one connection uses

integrated authentication and the secondary connections use SQL authentication, or if all

connections use SQL authentication, then you can re-use the currently running instance.

ERPM supports this functionality using Multi-tab Configuration window in Remote Application

Configuration.

If multi-tab is not used, when a user launches a tool like SecureCRT or SQL Management Studio, it

establishes one session on the Application Launch Server and one instance of the application in that

session. This is a more secure scenario as it segregates the data and session information so it cannot

be shared within the tool and any systems the user may be accessing.


The trade-off is that a secondary launch of the same tool, just to a new system, will cause a second

session to be created, which can be slow and will consume more resources.

If multi-tab is used, when a user launches a tool such as SecureCRT or SQL Management Studio, it

establishes one session on the Application Launch Server, and one instance of the application in that

session. Then, when a user launches the same tool again to connect to another system, it re-uses

the existing session and simply adds a tab or another tree to the tool. This reduces resource

consumption on the Application Launch Server host and can speed up the use of the tool. The

trade-off is that the application can now share information from all servers with anything it is

connected to. Consider launching a web application to your company's Twitter feed, logging in, and

then launching a new tab to another site that has been compromised. Now the cache and

in-memory information is available to all tabs in the browser.


4.7.6 Multi-Tab Support Configuration

To configure multi-tab support, first establish the Application Launch Server and basic application

settings as previously described in the Configure Applications for Launching section.

Note: Mutli-tab is only supported when launching from the Application Launch Server(s).

Enable the Application supports multi-tab option on the left side of the Remote Application

Configuration dialog, then click the ellipses (...)


Click Add in the lower left corner of the dialog.

Fill out all the information on the Multi-tab Configuration dialog.

Multi-tab configuration label is a label that will be shown in the Multi-tab configuration

selection drop down list in the Remote application configuration window. The name should be

indicative of the multi-tab application settings being used.

Multi-tab automation local executable path is a path to compiled AutoIT script which is able to

open a new tab/establish a connection to new target system.

Automation executable arguments are new-tab-executable specific. Usually the ProcessID is

used to find the HWND (handle to a window) of the application window, target system is

transferred to provide it to the application for new connection. If is used in this case user name

and password are not needed.


Allow this multi-tab automation for existing application launches by EXE name controls how

launched application instance will be detected. If it is unchecked, the only instances of the

applications this multi-tab configuration is selected for will be assumed as previously launched.

In the example of using SQL Management Studio, there are two different application configurations:

one for Integrated Windows Authentication and another one for SQL server authentication. Both

scenarios use the same executable, ssms.exe. In case of multi-tab configuration for Integrated

Windows Authentication, where different Windows accounts are being used to connect to target

database servers, the option to Allow this multi-tab automation for existing application launches

by EXE name should be unchecked because it is impossible to connect to secondary instance of MS

SQL using the existing instance of smss.exe server using integrated Windows authentication if SSMS

process was initially launched from another user. In this case the automation executable arguments

will be similar to this:

$(RemoteAccessTarget_TargetName) nouser nopasswords $(ProcessID)

ProcessID is the ID that will be used to reuse the currently running executable.

In the SQL Management Studio case where SQL Authentication is being used or similar types of

connections, the option to Allow this multi-tab automation for existing application launches by

EXE name can be selected. In this case the automation executable arguments will be similar to this:

-S $(RemoteAccessTarget_TargetName) -U $(Username) -P $(Password_Raw)

In the commands above, $(RemoteAccessTargget_TargetName), $(Username), and

$(Password_Raw) are standard ERPM variables. $(ProcessID) is a variable that returns the PID of

the initial launched application. The nouser and nopasswwords values are “fake” values for user

name and passwords arguments. Because we use IWA, we do not need user name and password

arguments.


SSMSNewTabIwa.exe and SSMSNewTabSql.exe are compiled AutoIT scripts that we use to interact

with Microsoft SQL Server to open new connections that use Integrated Windows Authentication or

SQL authentication respectively. The listing of these scripts is below. Users may create their own

AutoIT scripts or Lieberman Software will provide the scripts.


Click OK when finished. Then select the appropriate multi-tab configuration settings for the target

application.

Multi-tab scripts have been compiled for the following applications:

RunAs and wait until process finishes = RunAsWait

DHCP Manager = RunDHCP

DHCP Manager = RunDHCPNewTab

DNS Manager = RunDNS

DNS Manager = RunDNSNewTab

File Server Resource Manager = RunFSRM

Hyper-V Manager = RunHyperV

Hyper-V Manager = RunHyperVNewTab

MS Terminal Services = RunMstsc

Network File Services Management = RunNFSMGMT

Performance Monitor = RunPERFMON


Server Manager = RunServerManager

Storage Explorer = RunStorageExplorer

Storage Manager = RunStorageMgmt

Task Scheduler = RunTaskScheduler

Run process and wait until finished = RunWait

WBAdmin (Backup) = RunWBADMIN

WINS Manager = RunWINS

WINS Manager = RunWINSNewTab

SecureCRT = ARM_SCRTStart

SecureCRT = SCRTNewTabSSH2

SecureCRT = SCRTNewTabTELNET

SecureCRT = SCRTStart

SQL Mgmt Studio = SSMSNewTabIwa

SQL Mgmt Studio = SSMSNewTabSql

A simple test script = TestParams

Remote Desktop = UnlockMstsc

Remote Desktop for ARM = UnlockMstscARM

4.7.6.1 MULTI-TAB AUTOIT SCRIPT EXAMPLES

SSMSNewTabIwa.au3 #include <MsgBoxConstants.au3>

local $paramCount = $CmdLine[0]

local $systemName = $CmdLine[1]

local $domainUserName = $CmdLine[2]

local $password = $CmdLine[3]

local $ssmsPid = $CmdLine[4]


if $paramCount = 4 Then

openNewTab($ssmsPid, $systemName, $domainUserName, $password)

EndIf

Func openNewTab($p_ssmsPid, $p_systemName, $p_domainUserName, $p_password)

Opt("WinTitleMatchMode", 2)

local $ssmsWindows = WinList("Microsoft SQL Server Management Studio")

for $i=1 To $ssmsWindows[0][0]

If $ssmsPid=WinGetProcess($ssmsWindows[$i][1]) Then

local $delay = 5

WinActivate($ssmsWindows[$i][1])

WinWaitActive($ssmsWindows[$i][1])

Send('!f')

Sleep($delay)

Send('e')

Sleep($delay)

Send('+{TAB}')

Sleep($delay)

Send('+d')

Sleep($delay)

Send('{TAB}')


Sleep($delay)

Send($systemName)

Sleep($delay)

Send('{TAB}')

Sleep($delay)

Send('+w')

Sleep($delay)

Send('{ENTER}')

EndIf

Next

EndFunc

SSMSNewTabSql.au3 #include <MsgBoxConstants.au3>

local $paramCount = $CmdLine[0]

local $systemName = $CmdLine[1]

local $domainUserName = $CmdLine[2]

local $password = $CmdLine[3]

local $ssmsPid = $CmdLine[4]

if $paramCount = 4 Then

openNewTab($ssmsPid, $systemName, $domainUserName, $password)

EndIf


Func openNewTab($p_ssmsPid, $p_systemName, $p_domainUserName, $p_password)

Opt("WinTitleMatchMode", 2)

local $ssmsWindows = WinList("Microsoft SQL Server Management Studio")

for $i=1 To $ssmsWindows[0][0]

If $ssmsPid=WinGetProcess($ssmsWindows[$i][1]) Then

local $delay = 5

WinActivate($ssmsWindows[$i][1])

WinWaitActive($ssmsWindows[$i][1])

Send('!f')

Sleep($delay)

Send('e')

Sleep($delay)

Send('+{TAB}')

Sleep($delay)

Send('+d')

Sleep($delay)

Send('{TAB}')

Sleep($delay)

Send($systemName)

Sleep($delay)

Send('{TAB}')

Sleep($delay)

Send('+s')


Sleep($delay)

Send('{TAB}')

Sleep($delay)

Send($domainUserName)

Sleep($delay)

Send('{TAB}')

Sleep($delay)

Send($password)

Sleep($delay)

Send('{ENTER}')

EndIf

Next

EndFunc

4.8 CONFIGURE APPLICATION SETS Application sets are simply pre-defined collections of applications to launch. They can be created to

group types of applications together, such as DB management products or remote terminal

products, or they can be created based on job duties.

To Create an Application Set 1) Open the ERPM console and choose Settings > Manage Web Application > Application Launch.


2) Click App Sets on the Applications tab.

The "Remote Application Sets" dialog opens.


3) Click Add Set in the lower-left corner, supply a proper name, then click OK and the new list will

be added to the dialog.

4) To add applications to the application set, right-click the application set and select Add

applications to set.

The "Remote Applications" dialog opens.


5) Select all the desired applications then click OK.


To view the applications added to an application set, expand the application set.

Once application sets are defined, in order for users who do not have" All Access" privileges to be

able to use the groupings, application set permissions must be defined in addition to the application

permissions.

To Define Application Permissions

When the user does not have "All Access" privileges, additional permissions are required to launch a

specific application. Use the management console to define these permissions.

1) Open the management console and choose Delegation > Web Application Remote Application

Permissions.

The "Web Application Remote Application Permissions" dialog opens.

2) Click Add in the lower-left corner.

The "Select Enrolled Identities" dialog opens.


3) Select an available identity, click OK, then select one or more applications that the user can

launch.

To Define Application Set Permissions 1) Open the management console and choose Delegation > Web application Remote Application

Set Permissions.

2) Click the Add button to add an identity that will have permissions to an application set and add

the identity and click OK.


3) Select from the available application sets, then click OK again.

A prompt will appear to use a shadow account. (See Shadow Accounts (on page 168) for details.)

4) If a Shadow Account will be used, click Yes and continue to supply the required information,

otherwise, click No.

After shadow accounts, another prompt will appear asking if there will be system restrictions.

5) If there will be system restrictions for these applications, click Yes and continue to supply the

required information; otherwise, click No.


When the user goes to the website, they will be able to select from among the available

application set filters when attempting to launch an application.

4.9 SHADOW ACCOUNTS Shadow accounts allow a user to connect to a system with a specific app and choose from among

one or more accounts to connect with. Consider the normal paradigm where a user must go to the

Managed Passwords Area, find the target system and local account for the application to connect

with. While this works for many scenarios, it is not very flexible and it does not address the need be

able to connect with domain or directory accounts to other systems or applications. This is

specifically what shadow accounts do.

With a shadow account, a user will go to the system or application in question in the systems view

of ERPM and choose to launch an application. An available list of applications will be presented to

the user and the user can determine which account, local or central (domain or directory) to

connect with to the system or application.

To use shadow accounts requires the View Systems and Allow Remote Sessions global delegation

permission. Once permissions are granted, additional configuration to map shadow accounts must

be performed.


Shadow accounts are first mapped and then associated with application permissions, even when a

user has All Access. To use Shadow Accounts, a per application rule must be established for the

target user. To establish shadow accounts mappings go to Delegation > Web Application Identity to

Shadow Account Mappings. This dialog will show any existing mappings. To add a new mapping,

click the Add Mapping button in the lower left corner of the dialog.


Select the target identity from the list of available identities, then click OK.


Select from the available [previously] managed/stored identities in ERPM and click OK. The new

mappings will now be in the list of available mappings.

Click OK to close the Shadow Account Mappings dialog.

Next add the application permissions. Go to Delegation > Web Application Remote Application

Permissions.


Click Add in the lower left corner of the Remote Application Permissions dialog to add a new

application permission. The first dialog to appear will be for the identity that will be granted the

permissions to use an application with a shadow account. Select the identity then click OK.


Next a list of remote applications will be presented to the user. Select the target application(s) that

will be established for the user then click OK.


ERPM will then prompt to use a Shadow Account. Click Yes to assign one or more shadow accounts

that the target user may use when launching the specified application.

Based on the selected user, a list of available corresponding mappings will be presented Select the

mapping(s) that should be configured for the target user and selected applications, then click OK.


ERPM will then prompt to restrict the applications permissions & configured shadow account

mappings to specific management sets. If it is desired to restrict the applications and or shadow

account mappings to specific lists of systems, click Yes. Otherwise, click No.

If Yes was selected, then a list of management sets will be presented.


Select from the desired management set(s) and click OK.

The new mapping will be presented in the Web Application Remote Application Permissions dialog.

Any undesired mappings may be deleted or reports may be generated from this page.

To use the mappings, the user must go to the Systems view in the ERPM web page (View systems

permission required).


Click Launch App next to the desired target system. If Launch App is not visible it means the user

does not have either the Allow Remote Sessions permission or a Shadow Account Mapping is not

present.

The user will be able to select from among the applications and launch accounts to launch the

application.

179

IN THIS CHAPTER

Setting User Permissions to Launch Applications ................................. 179

Using the Application Launcher ............................................................ 180

5.1 SETTING USER PERMISSIONS TO LAUNCH APPLICATIONS To launch an application a user must have one of the following sets of permissions:

All Access, or

View accounts, Allow Remote Sessions, and permissions for the specific application being

launched

To Set Permission to Launch Applications

To define the additional permissions that are required to launch a specific application if a user does

not have All Access permissions, do the following:

1) Open the ERPM management console and choose Delegation > Web application remote

application permissions.

2) Click Add in the lower left corner, then select an available identity.

Chapter 5

Using Application Launching

180 Using Application Launching

3) Click OK, then select one or more applications the user can launch.

5.2 USING THE APPLICATION LAUNCHER There are two types of application launching in ERPM:

Launching with variable account and system information

Launching with pre-define account and system information

The difference in app configuration is the option in the lower right corner of the application that

says to always use the specified account being selected or not. If the option is selected, the

Using Application Launching 181

application will appear in the applications portion of the website. If the option is not selected, the

user must go to the Launch App section next to the system/account they wish to use to connect.

To Launch an App as a Pre-Configured Application

To launch an application that has been pre-configured for a specific account and target, such as a

company's Twitter or Facebook page, the user will click the Operations > Applications link, then

click on the application to launch. Only applications that are pre-configured to always launch as a

specific user and that the login user has access to will be shown on this page. If an application is not

shown it is a sign of at least one of two possible causes:

The user has no permission to launch an application


There are no apps configured to always run as a specific user

To Launch an App Using Variable Target and Account Information

Once the the target system and account to connect as are located in the Passwords > Managed

Password section of the website, click the play button.

All applications available to the user for the specific account type will then be shown. If the RDP icon

appears at the right edge of the black title bar, that indicates the application is configured to launch

via the Application Launch Server. If the camera icon appears at the right edge of the black title bar,

that indicates the session will be recorded.

Using Application Launching 183

To launch the application, click Launch. What happens next will depend on whether the application

is configured to launch locally or from an Application Launch Server, and whether or not the user

has performed this process previously. If connecting via an Application Launch Server, the system

will initiate a series of calls to the Application Launch Server and the LiebsoftLauncher on that host.

This will be visible to the user. If the user has not previously launched an app from the

machine/profile that they are currently logged into, they will likely receive a couple of security

prompts. Use the filter options at the top of the page to search for applications, show only a set of

applications, or change the layout of application launcher page.


Each application also has an Advanced launch configuration. Clicking the ear icon will allow the

interactive user to specify alternate credentials to connect to the target system as. These could be

static credentials or they could be other stored credentials in ERPM (if they have the rights to

retrieve the password). Generally, it will not be necessary to manipulate the advanced settings.

185

Once any sessions have been recorded, users with access to the auditing section of the ERPM

website will be able to playback any recorded sessions that exist. Such recored sessions will be

visible in the ERPM auditing section with a camera icon next to their audit entry.

Simply click on the camera icon to playback the recorded sessions.

The session properties page will identify user, IP address, and time stamp information and more. To

playback the recording, simply chose the desired recording and click Play Recording.

Chapter 6

Auditing Application Launching

186 Auditing Application Launching

The video will open on the systems preferred media player and begin streaming automatically.

187

Index

A

ADDING APPLICATION LAUNCHING

SCRIPTS • 139

APPLICATION LAUNCHER AND SESSION

RECORDING INSTALLATION OVERVIEW •

14


RECORDING INSTALLATION

PREREQUISITES • 17


RECORDING INSTALLATION

PREREQUISITES • 19

AUDITING APPLICATION LAUNCHING •

185

B

BACKGROUND AND GOALS • 6

C

CONFIGURE AN APPLICATION LAUNCH

SERVER LOGON ACCOUNT • 95

CONFIGURE AN APPLICATION LAUNCH

SERVER LOGON ACCOUNT • 96

CONFIGURE APPLICATION SETS • 162

CONFIGURE APPLICATIONS FOR

LAUNCHING • 95

CONFIGURE APPLICATIONS FOR

LAUNCHING • 139

CONFIGURE SESSION RECORDING

SETTINGS • 132

CONFIGURE THE APPLICATION LAUNCH

SERVER HOST • 95


SERVER HOST • 130


SERVER SETTINGS • 95


SERVER SETTINGS • 125

CONFIGURE THE ERPM WEB CLIENT FOR

SESSION PLAYBACK • 136

CONFIGURE THE WEB LAUNCHER

SETTINGS • 95

CONFIGURE THE WEB LAUNCHER

SETTINGS • 122

CONFIGURING APPLICATION LAUNCHING

AND SESSION RECORDING • 95

CONFIGURING ERPM TO LAUNCH

APPLICATIONS • 140

CONFIGURING REMOTE APP FOR SERVER

2008 R2 • 83

CONFIGURING REMOTE APP FOR SERVER

2012 (R2) • 77

I

INSTALLING DESKTOP EXPERIENCE FOR

SERVER 2008 R2 • 49

INSTALLING DESKTOP EXPERIENCE FOR

SERVER 2012 (R2) • 45

188 Auditing Application Launching

INSTALLING ON THE APPLICATION

LAUNCH SERVER • 65

INSTALLING ON THE TRANSCODER HOST

• 54

INSTALLING REMOTE DESKTOP SERVICES

FOR SERVER 2008 R2 • 35

INSTALLING REMOTE DESKTOP SERVICES

FOR SERVER 2012 (R2) • 20

INSTALLING THE APPLICATION LAUNCHER

AND SESSION RECORDING FEATURES •

13

INTRODUCTION • 5

L

LICENSE AGREEMENT • 8

LIMITED WARRANTY • 8

M

MAINTAINING APPLICATION LAUNCHING

SCRIPTS • 147

MULTI-TAB AUTOIT SCRIPT EXAMPLES • 158

MULTI-TAB SUPPORT • 149

MULTI-TAB SUPPORT CONFIGURATION •

153

O

OVERVIEW • 5

S

SETTING USER PERMISSIONS TO LAUNCH

APPLICATIONS • 179

SHADOW ACCOUNTS • 167

SHADOW ACCOUNTS • 168

STEP 1. INSTALL REMOTE DESKTOP

SERVICES • 20

STEP 2. INSTALL DESKTOP EXPERIENCE • 45

STEP 3. INSTALL THE APPLICATION

LAUNCHER AND SESSION RECORDING

FEATURE • 54

STEP 4. SET UP RDS FOR APPLICATION

LAUNCHING • 77

STEP 5. SET UP STREAMING MEDIA SERVICES

• 88

STEP 6. CONFIGURE IIS TO HOST

RECORDED SESSIONS • 93

U

UNDERSTANDING SESSION RECORDING •

10

USING APPLICATION LAUNCHING • 179

USING THE APPLICATION LAUNCHER • 180

V

VARIABLES FOR APP LAUNCHING • 145, 146,

148