Add Applications to Password Safe

Applications can be managed by Password Safe. Requesters can then request access to the application and launch a session through the Password Safe web portal.

Application sessions can be recorded.

The system where the application resides must already be added to Password Safe before you can add the application.

To add an application to Password Safe management, you must do the following:

  • Set up the application details in Password Safe configuration.
  • Associate the application with a managed account.
  • Create an access policy that permits application access. Recording and keystroke logging can be turned on here.
  • Create a user group that includes the managed accounts. Assign the Requester role (or Requester/Approver role) that includes selecting the access policy.

Add an Application

Follow the steps below to add an application.

  1. Select Configuration > Privileged Access Management > Applications.
  2. Click Create Application.
  3. Enter a name for the application. It is recommended to use the name of the application for transparency.

    The following are optional categorization fields:

    • Version
    • Publisher
    • Type
    • Parameters: The arguments to pass to the application. Password Safe expands the following placeholders when the session is launched:
      • managed account name = %u
      • managed account password = %p
      • managed asset name = %h
      • managed asset IP = %i
      • database port = %t
      • database instance or asset name = %d
      • jump host dns = %n
      • database dns = %s

      Note that %p places the cleartext password on the application's command line, where it can be read from process listings on the application server. AutoIt Passthrough (described below) avoids this by delivering the credentials over the RDP virtual channel instead.
    • Functional Account: Select a functional account from the menu. The functional account must already be created.
    • Managed System: The managed system must have the application (such as wordpad.exe) configured. When starting an application session, an RDP session connects to this application server and starts the application.
    • AutoIt Passthrough: Check this box to automatically pass the credentials for the application through an RDP virtual channel. Using AutoIt Passthrough provides a secure way to access applications through a remote session. The user requesting the session is not required to enter the application credentials.
    • Launch Application in RemoteApp mode: If enabled, this initiates a remote app session instead of a full desktop session. This limits use to the specified app and the user is presented with an application window. This setting is defined per application.

    The following fields are required:

    • Alias: Combines the name and version entered by default, but can also be edited to display any desired alias.
    • Application/Command: The path to the application. For example, C:\Program Files\Windows NT\Accessories\wordpad.exe.

If Functional Account is set, then Managed System is required.

  4. Administrators can associate the application with a linked Windows system or a linked Linux or Unix system. By default, both boxes are unchecked; this is the most restrictive state, in which a standard user in Password Safe sees a single row for the application, tied to the functional account and managed system configured above.
    • Associate the Application with a linked Windows system: Standard users see all Windows-based systems linked to the Domain Linked Account when they log in to Password Safe. Linux and Unix systems are excluded.
    • Associate the Application with a linked Linux/Unix system: Standard users see all Linux and Unix-based systems linked to the Domain Linked Account. Windows systems are excluded.
    • If both options are enabled, all systems associated with the Domain Linked Account are shown.

When configuring access to a Linux system, sudo can be used to configure authentication. The administrator can include a functional account, but this is not required.

  5. Select Active to make the application available for remote sessions.
  6. Click Create Application.

There are prerequisites that must be met before you can use AutoIt Passthrough. For more information, please see Use AutoIt Passthrough.

Use Encryption Module for RemoteApp

The Encryption Module for RemoteApp is enabled automatically and hides sensitive information from the terminal service logs.

To use it, the managed system must be configured with a functional account that is also an administrator on the server the user is connecting to.

Associate the Application with a Managed Account

Now that the application is configured, the application must be associated with a managed account.

  1. In the console, click Managed Accounts.
  2. On the Managed Accounts page, select the managed account, and then click the More Options icon, and select Edit Account.
  3. In the Edit Managed Account pane, scroll down to Applications and click + to expand the Applications section.
  4. From the dropdown list, select the applications and then click Update Account.

You can select the application by editing the managed account. For more information about managed accounts settings, please see Add a Managed System Manually.

Set Up the Access Policy

You can create an access policy or use an existing policy. The access policy is part of the Requester role setup, described in the next section.

The Application Access Policy applies to all applications.

  1. Select Configuration > Privileged Access Management Policies > Access Policies.
  2. Create a new access policy and schedule, or edit an existing access policy and schedule, enable the Application policy type for the schedule, and save the access policy.

Configure the access policy as part of adding an application in Password Safe: the Application policy type is what permits application sessions, and session recording and keystroke logging are enabled on the same policy.

For more information on creating and editing access policies and schedules, please see Configure Password Safe Access Policies.

Set Up Role-Based Access

Users who need to access an application must be managed accounts that are members of a group.

Access to applications is also available to admins and ISA users, without the need to configure an access policy.

The Requester role and application access are assigned as part of creating the user group.

Use AutoIt Passthrough

The following prerequisites must be in place before you can use the AutoIt Passthrough feature:

  • The application must be launched through an AutoIt script.
  • The wrapper AutoIt script must call the Password Safe Passthrough library through pbpspassthru.dll (provided as part of the Password Safe Resource Kit).

For information about turning on the feature, please see Add an Application.

AutoIt Script Details

The AutoIt example script uses the following:

  • pbpspassthru.dll: The Password Safe Passthrough library from the Resource Kit.
  • pbps_get_credentials: The exported function that exchanges the one-time token for credentials (documented below).
  • DllCall: An AutoIt function. The first argument is the location of the DLL to call; in the example, pbpspassthru.dll is located in the same directory as the AutoIt script.

Func get_credentials($token)
   ; Call pbps_get_credentials(token, respond_with_json = false) in
   ; pbpspassthru.dll; the returned string is the whitespace-delimited
   ; credential list.
   Local $aResult = DllCall("pbpspassthru.dll", "str:cdecl", "pbps_get_credentials", "str", $token, "bool", 0)
   ; DllCall sets @error if the DLL or the export cannot be loaded.
   If @error Then Return SetError(1, 0, 0)
   ; A NULL return (invalid or already-used token) arrives as an empty string.
   If $aResult[0] = "" Then Return SetError(2, 0, 0)
   Local $credentials = StringSplit($aResult[0], " ")
   Return $credentials
EndFunc

pbps_get_credentials Function

char* pbps_get_credentials(char* token, bool respond_with_json)

Parameters

char* token: A one-time use token provided by Password Safe as the last command line argument passed to the AutoIt script.

bool respond_with_json: A flag to toggle the format of credentials. When this value is True, the credentials are in JSON format. Otherwise, they are in a white-space delimited list.

Return Value

The token is sent to Password Safe to be validated.

  • If the token is valid for the current session and has not been used, the return value is a string with credentials in the desired format.
  • If the token is invalid or has been used, the return value is NULL.

Tokens are validated and credentials are sent over an encrypted RDP virtual channel not visible to the end user.
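The wrapper script below is added here as an illustration; it is not a script from the Password Safe Resource Kit or from the original page. It ties the prerequisites above together: it reads the one-time token from the last command line argument, redeems it through pbps_get_credentials, treats the NULL return for a rejected token as a hard failure, and fills the client's login dialog without ever putting the password on a command line. Everything environment-specific is an assumption: that the application's Parameters field is set to %h %t (so the asset name and port precede the token), the client executable path, its login window title and control IDs, and the field order of the whitespace-delimited response, which the page does not document.

```autoit
; Added example wrapper for AutoIt Passthrough. Illustrative code only; not
; a script from the Password Safe Resource Kit or the original page.
; Assumptions (all hypothetical): the application's Parameters field is
; "%h %t", so $CmdLine[1] is the managed asset name and $CmdLine[2] the port;
; Password Safe appends the one-time token as the final argument;
; pbpspassthru.dll sits beside this script; the client path, its login
; window title and its control IDs are placeholders.

Global Const $APP_PATH    = "C:\Program Files\ExampleClient\client.exe"   ; assumed
Global Const $LOGIN_TITLE = "Example Client - Login"                       ; assumed

; Redeem the token through pbps_get_credentials(char* token, bool respond_with_json).
; Returns the raw credential string; sets @error to 1 if the DLL or export
; cannot be loaded and to 2 if the library returns NULL (token invalid,
; not valid for this session, or already used).
Func RedeemToken($sToken, $bJson = False)
    Local $aResult = DllCall(@ScriptDir & "\pbpspassthru.dll", "str:cdecl", _
        "pbps_get_credentials", "str", $sToken, "bool", $bJson)
    If @error Then Return SetError(1, 0, "")
    If $aResult[0] = "" Then Return SetError(2, 0, "")
    Return $aResult[0]
EndFunc

; Split the whitespace-delimited form. The page does not document the field
; order; this example assumes "<username> <password>".
Func ParseCredentials($sRaw, ByRef $sUser, ByRef $sPass)
    Local $aParts = StringSplit(StringStripWS($sRaw, 3), " ")   ; 3 = strip leading and trailing
    If $aParts[0] < 2 Then Return False
    $sUser = $aParts[1]
    $sPass = $aParts[2]
    Return True
EndFunc

; --- Script entry point -------------------------------------------------
If $CmdLine[0] < 3 Then
    ConsoleWriteError("Expected <host> <port> <token>; this script is launched by Password Safe." & @CRLF)
    Exit 2
EndIf
Global $sHost  = $CmdLine[1]
Global $sPort  = $CmdLine[2]
Global $sToken = $CmdLine[$CmdLine[0]]   ; the token is always the last argument

Global $sRaw = RedeemToken($sToken)
Global $iErr = @error
If $iErr Then
    ConsoleWriteError("Credential retrieval failed, code " & $iErr & "." & @CRLF)
    Exit 1
EndIf

Global $sUser = "", $sPass = ""
If Not ParseCredentials($sRaw, $sUser, $sPass) Then
    ConsoleWriteError("Unexpected credential format." & @CRLF)
    Exit 1
EndIf
$sRaw = ""   ; drop the raw copy once parsed

; Start the client with non-secret arguments only, so the password is never
; visible in process listings on the application server.
Global $iPid = Run('"' & $APP_PATH & '" --host ' & $sHost & ' --port ' & $sPort, @ScriptDir, @SW_SHOW)
If $iPid = 0 Then
    ConsoleWriteError("Failed to start " & $APP_PATH & @CRLF)
    Exit 1
EndIf

; Fill the login dialog through control messages rather than Send(), so the
; credentials do not pass through the keyboard input queue.
Global $hWin = WinWait($LOGIN_TITLE, "", 30)
If $hWin = 0 Then
    ConsoleWriteError("Login window did not appear within 30 seconds." & @CRLF)
    ProcessClose($iPid)
    Exit 1
EndIf
ControlSetText($hWin, "", "Edit1", $sUser)   ; control IDs assumed
ControlSetText($hWin, "", "Edit2", $sPass)
$sPass = ""
ControlClick($hWin, "", "Button1")

; Keep the wrapper alive until the client exits so the session ends with it.
ProcessWaitClose($iPid)
Exit 0
```

One way to wire this up (an assumption, not a documented configuration) is to point the application's Application/Command at the AutoIt interpreter or a compiled build of the script, set Parameters to the script path followed by %h %t, and enable AutoIt Passthrough; Password Safe then appends the token as the final argument. Because a whitespace-delimited list splits on any space in a password, production scripts should call pbps_get_credentials with respond_with_json set to True and parse the JSON instead.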

Add SAP as a Managed System

You can add your SAP environment to Password Safe management.

Password Safe supports SAP NetWeaver.

Requirements

  • Instance Number: When adding the system to Password Safe you need to know the SAP instance number.
  • Client ID: An ID that is unique to that SAP instance.

    The instance number and client ID are provided in an email when you purchase SAP.

  • SAP permissions: The Password Safe functional account requires RFC privileges.

    SAP RFC privileges are needed for password changes. RFC permissions assigned to the functional account allow it to change managed account passwords; they do not allow it to test those passwords.

    An account with RFC privileges can change its own password and the passwords of other accounts, and can test its own password.

  • The username and password in Password Safe must be the same as in SAP.

Set Up the Functional Account

The functional account requires the Client ID. All other settings are the typical functional account settings.

Please see Create a Functional Account.

Add SAP

You must add SAP manually. You cannot add SAP using a Smart Rule.

  1. In the console, click Assets.
  2. Select the asset where the SAP instance resides, and then select Add to Password Safe.
  3. Select SAP from the Platform list.
  4. Enter the instance number.
  5. All other settings are the typical managed system settings.

Please see Add a Managed System Manually.