Add Applications to Password Safe
Applications can be managed by Password Safe. Requesters can request access to an application and launch a session through the Password Safe web portal.
Application sessions can be recorded.
The system where the application resides must already be added to Password Safe before you can add the application.
To add an application to Password Safe management, you must do the following:
- Set up the application details in Password Safe configuration.
- Associate the application with a managed account.
- Create an access policy that permits application access. Recording and keystroke logging can be turned on here.
- Create a user group that includes the managed accounts. Assign the Requester role (or Requester/Approver role) that includes selecting the access policy.
Follow the steps below to add an application.
- Select Configuration > Privileged Access Management > Applications.
- Click Create New Application.
- Enter a Name (required) and Version (optional) for the application. We recommend using the name of the application for transparency.
- Enter an Alias (required). By default, an alias combines the name and version, but can also be edited to display any desired alias.
- Enter the path to the application in the Application/Command (required) field. For example, C:\Program Files\Windows NT\Accessories\wordpad.exe.
Use the PS_Automate utility to automate the launch and authentication to a web page or to a standard Windows GUI application, by seamlessly passing vaulted credentials to a remote application. Enter the variable %PsAutomate% in the Application/Command field to ensure the PS_Automate utility is used regardless of the location of the application.
- Enter the arguments to pass to the application in the Parameters (optional) field.
Default placeholders are as follows:
- managed account name = %u
- managed account password = %p
- managed asset name = %h
- managed asset IP = %i
- database port = %t
- database instance or asset name = %d
- jump host dns = %n
- database dns = %s
- access URL = %w
Usage syntax for the PS_Automate utility is as follows:
- Web application: ps_automate.exe [ini=path to inifile][TargetURL=url] [BrowserName=name of browser]
- Accepted values for BrowserName are: "chrome", "firefox", "msedge"
- Windows application: ps_automate.exe [ini=path to inifile]
- Select a Functional Account (optional) from the list to connect to the Password Safe managed system hosting the remote application.
- Check the appropriate boxes to Associate with linked systems. Administrators can associate the application with a linked Windows system or a linked Linux or Unix system.
- By default, the boxes are not checked, which is the most restrictive state. A standard user in Password Safe sees one row with an application to the same functional account and managed system.
- If you associate the application with a linked Windows system, standard users see all Windows-based systems applied to the Domain Linked Account when they log in to Password Safe. This excludes Linux and Unix systems.
- If you associate the application with a linked Linux or Unix system, standard users see all Linux and Unix-based systems applied to the Domain Linked Account. This excludes Windows systems.
- If both options are selected, all systems associated to the Domain Linked Account are shown.
When configuring access to a Linux system, sudo can be used to configure authentication. The administrator can include a functional account, but this is not required.
- Select a Managed System from the list. The managed system must have the application (such as wordpad.exe) configured. When starting an application session, an RDP session connects to this application server and starts the application.
A Managed System is required if a Functional Account is selected.
- Enable AutoIt Passthrough to automatically pass the credentials for the application through an RDP virtual channel. Using AutoIt Passthrough provides a secure way to access applications through a remote session. The user requesting the session is not required to enter the application credentials.
- Enable Launch Application in RemoteApp mode to initiate a remote app session rather than a full desktop session. This limits use to the specified app and the user is presented with an application window. This setting is defined per application.
- Select Active to make the application available for remote sessions.
- Click Create Application.
For more information, please see the following:
Use Encryption Module for RemoteApp
The Encrypted Module for RemoteApp is an application which is automatically enabled to hide sensitive information from the terminal service logs.
To use this encryption, the managed system must be configured with a functional account which is also an administrator on the server the user is connecting to.
Associate the Application with a Managed Account
Now that the application is configured, the application must be associated with a managed account.
- In the console, click Managed Accounts.
- On the Managed Accounts page, select the managed account, and then click the More Options icon, and select Edit Account.
- In the Edit Managed Account pane, scroll down to Applications and click + to expand the Applications section.
- From the dropdown list, select the applications and then click Update Account.
You can select the application by editing the managed account. For more information about managed accounts settings, please see Add a Managed System Manually.
Set Up the Access Policy
You can create an access policy or use an existing policy. The access policy is part of the Requester role setup, described in the next section.
The Application Access Policy applies to all applications.
- Select Configuration > Privileged Access Management Policies > Access Policies.
- Create a new access policy and schedule or edit an existing access policy and schedule. Within the schedule settings, enable Application, under Policy Types, and save the access policy.
For more information on creating and editing access policies and schedules, please see Configure Password Safe Access Policies.
Set Up Role-Based Access
Users who need to access an application must be managed accounts that are members of a group.
Access to applications is also available to admins and ISA users, without the need to configure an access policy.
The Requester role and application access are assigned as part of creating the user group.
The PS_Automate utility allows you to automate the launch and authentication of various Windows GUI applications from Password Safe. You can use the utility to launch and authenticate to a web page or to a standard Windows GUI application.
The utility allows Password Safe to seamlessly pass vaulted credentials from Password Safe to a remote application using the pass through option (using token pass instead of credentials).
PS_Automate supports Incognito mode for Chrome, Firefox, and Microsoft Edge, with Microsoft Edge being the default browser when a browser name is not specified or supported.
The utility uses an INI file for all input and operational behavior. By using multiple INI files, the same utility can automate behavior to a wide range of authentication scenarios.
The PS_Automate utility, as well as INI files for Amazon Web Services, Azure, Office 365, and Google, are made available when enhanced session auditing is enabled in Password Safe. The files are deployed by the session proxy when a session is created in Password Safe.
PS_Automate is a utility for Windows only. It is not supported on macOS.
The usage syntax for the PS_Automate utility is as follows:
ps_automate.exe [ini=path to inifile][TargetURL=url] [BrowserName=name of browser]
ps_automate.exe [ini=path to inifile]
For testing purposes the utility also excepts username and password on the command line: [username=username] [password=password]. However, this is not recommended for production use, as command line parameters can be written to Windows logs, such as the event log.
ps_automate.exe ini="BIWebApp.ini" TargetURL="https://localhost/WebConsole/index.html#!/dashboard" BrowserName="chrome"
ps_automate.exe ini= "C:\automate\AWSWebApp.ini" TargetURL="https://534949981440.signin.aws.amazon.com/console/" BrowserName="firefox"
ps_automate.exe ini="MSWebApp.ini" TargetURL="https://login.microsoftonline.com"BrowserName="msedge"
For more information on defining the command line arguments in the INI file used by PS_Automate, please see Define Command Line Arguments in INI File.
The following prerequisites must be in place before you can use the AutoIt Passthrough feature:
- The application must be launched through an AutoIt script.
- The wrapper AutoIt script must call the Password Safe Passthrough library through pspassthru.dll (provided as part of the Password Safe Resource Kit).
For information about turning on the feature, please see Add an Application.
AutoIt Script Details
The AutoIt example script uses the following functions:
- DLLCall: An AutoIt function. The first argument takes in the location of the DLL file to call.
Func get_credentials($token) Local $aResult = DLLCall("pspassthru.dll", "str:cdecl", "pbps_get_ credentials", "str", $token, "bool", 0) Local $credentials = StringSplit($aResult, " ") return $credentials Endfunc
char* ps_get_credentials(char* token, bool respond_with_json)
char* token: A one-time use token provided by Password Safe as the last command line argument passed to the AutoIt script.
bool respond_with_json: A flag to toggle the format of credentials. When this value is True, the credentials are in JSON format. Otherwise, they are in a white-space delimited list.
The token is sent to Password Safe to be validated.
- If the token is valid for the current session and has not been used, the return value is a string with credentials in the desired format.
- If the token is invalid or has been used, the return value is NULL.
Tokens are validated and credentials are sent over an encrypted RDP virtual channel not visible to the end user.
You can add your SAP environment to Password Safe management.
Password Safe supports SAP NetWeaver.
- Instance Number: When adding the system to Password Safe you must know the SAP instance number.
- Client ID: An ID that is unique to the SAP instance.
The instance number and client ID are provided in an email when you purchase SAP.
- SAP permissions: The Password Safe functional account requires RFC privileges.
SAP RFC privileges are needed for password changes. RFC permissions assigned to the functional account permit the password change. However, the password cannot be tested.
If an account has RFC privileges, that account can change their password and others. It can also test its own password.
- The username and password in Password Safe must be the same as in SAP.
Set Up the Functional Account
The functional account requires the Client ID. All other settings are the typical functional account settings.
For more information on creating a functional account, please see Create a Functional Account.
You must add SAP manually. You cannot add SAP using a Smart Rule.
- In the console, click Assets.
- Select the asset where the SAP instance resides, and then select Add to Password Safe.
- Select SAP from the Platform list.
- Enter the instance number.
- All other settings are the typical managed system settings.
For more information on adding Managed Systems, please see Add a Managed System Manually.