Request SSH or RDP Sessions in Password Safe

When configured by your Password Safe administrator, you can request access to a managed system using a remote session. Using the Password Safe request and approval system, you can request remote sessions that use SSH or RDP connection types.

Password Safe acts as a proxy, providing session management to target systems. No passwords are transmitted, allowing inherently secure session management.

Request an RDP Session

  1. Log in to the Password Safe web portal.
  2. On the Accounts page, select the tab for the type of system or application you need to access.
  3. Select the account from the list.
  4. On the Requests page, set the following:
    • Start Date: Select the start date for the session that corresponds with the access policy.
    • Start Time: Select Immediately to start the session at the current time, or click the Scheduling button for a future session.
    • Requested Duration: Set the length of time that the session should be available. The maximum duration is 365 days. The default and maximum durations are set on the managed account.
    • Access Request: Select the session type of RDP Session.
    • RDP Admin Console: If an administrator has enabled this option in the access policy, you can request a remote session in console mode (mstsc /admin). This can be useful if the number of remote sessions is maxed out on the host. An RDP console session allows you to connect without requiring other sessions to disconnect. Running a console session disables certain services and functionality, such as but not limited to:
      • Remote Desktop Services client access licensing
      • Time zone redirection
      • Remote Desktop Connection broker redirection
      • Remote Desktop easy print
    • Reason: Enter a reason for the request. By default, this field is required, but it can be disabled through BeyondInsight options. The maximum allowed length is 200 characters.
    • Ticket System: (optional) Select a ticket system and enter the ticket number. Ticket systems can be used for cross-reference.

For more information on mstsc /admin, please see mstsc.

  5. Click Submit Request. An email is sent to the approver if email notification is configured.

SSH Direct Connect

SSH Direct Connect uses an SSH client to initiate a session to a target system. As the requestor, you can access the system without ever viewing the managed account's credentials. To configure an application to connect to Password Safe, you must provide a connection string.

Each application has its own unique string format.

Once the application connects to Password Safe, you are prompted to enter your Password Safe login credentials. If successful, the connection is established.

RDP Direct Connect

You can also use Direct Connect to initiate an RDP session. As the requestor, you can access the system without ever viewing the managed account's credentials.

If the requestor is granted approval for RDP sessions, a message displays, stating: "Request requires approval. If the request is not approved within 5 minutes, this connection will close." After five minutes, the RDP client disconnects, and you can send another connection request. When the request is approved, you are automatically connected.

To use RDP Direct Connect, you must download the RDP file from the Password Safe web portal. This is a one-time download. Each account and system combination requires that you download the unique RDP file associated with it.

Download the RDP Direct Connect file to request an RDP Session.

  1. Log in to the Password Safe web portal.
  2. On the Accounts page, select the tab for the type of system or application you need to access.
  3. Find the account in the list.
  4. Click the download arrow.
  5. Run the file to establish a connection to the target system.
  6. Enter the password that you use to authenticate to Password Safe.

RDP Direct Connect supports only push two-factor authentication. An access-challenge response is not supported.

LDAP users that use the mail account naming attribute cannot use RDP Direct Connect.

Password Restrictions

  • On Windows 2008 and Windows 7, the password cannot exceed 81 characters. If a password is too long, the user cannot log in with the selected account.
  • On Windows 2012, the password cannot exceed 127 characters. If a password is too long, the user cannot log in with the selected account.

Enforce Session End Time

When a Password Safe administrator creates an access policy, they assign a time frame that permits access to the asset. As part of that policy, the administrator can enforce the end of the session and close the session when the time expires. Sessions display a counter showing when the session will end.

RDP Session:

An RDP session displaying a counter showing when the session will end.

SSH Session:

An SSH session displaying a counter showing when the session will end.