Configure the Application Launcher and Session Recorder
After installation, there are five configuration steps to complete before using the application launcher and the session recorder.
Configure the Jump Server Logon Account
The Application Launcher uses a standard logon account to log into the target jump server and launch the LiebsoftLauncher application. The LiebsoftLauncher application launches the target application and connects to a web service, WebLauncherBackendService.svc, to obtain the necessary program settings and credentials.
Logon Account Requirements
The logon account must have the following:
- A domain account is recommended, but the logon account can be a local account.
- The account must be able to remotely log into the target jump server. If the account is not an administrator, it must be added to the Remote Desktop Users group on the jump server.
- Because the user account launches the LiebsoftLauncher application upon login, make sure the account has the permissions required for launch. Set the permissions in the RemoteApp settings, which are found in Server Manager > Roles > Remote Desktop Services. The permissions can be assigned directly to the user or assigned to a group that the user belongs to.
- The account needs all of the same rights necessary to launch the final target application. It does not necessarily need local or domain admin privileges.
Secure the Logon Account
- The account for application launching should have its password rotated frequently by Privileged Identity. Daily or weekly is recommended; however, setting the rotation schedule to hourly is not recommended and could possibly invalidate the logon account's session.
- There are no requirements for password propagation, and it is recommended you turn off password propagation for the password change job.
- We recommend keeping the password length 80 characters or less because some versions of Windows will not allow longer passwords to be used with RDP.
When launching an application, this account will be able to do anything the target application allows.
Recommended Policy Settings for the Logon Account
If this account is located in Active Directory, we recommend placing the account into an organizational unit (OU) by itself or with other similarly locked down accounts. On this OU, create a policy and modify the User Settings portion of the policy to lock down this logon account. There is no need to place the jump server in this OU because the policies locking down the user experience are user-based and not system-based.
The following table provides a list of recommended settings for lockdown. All policies should be tested to ensure they do not interfere with the required operation of a target application:
|
Policy |
Setting |
|---|---|
|
Enforcement |
|
|
Apply Software Restriction Policies to the following |
All software files except libraries (such as DLLs) |
|
Apply Software Restriction Policies to the following users |
All users |
|
When applying Software Restriction Policies |
Ignore certificate rules |
|
Trusted Publishers |
|
|
Trusted publisher management |
Allow all administrators and users to manage user's own trusted publishers |
|
Certificate verification |
None |
|
Software Restriction Policies > Security Levels |
|
|
Default Security Level |
Disallowed |
|
Software Restriction Policies > Additional Rules > Path Rules |
|
|
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% |
Security Level = Unrestricted |
| %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% | Security Level = Unrestricted |
| C:\Program Files (x86)\Lieberman\Roulette\RemoteAppLauncher\LiebsoftLauncher.exe | Security Level = Unrestricted |
| User Configuration | Policies | Administrative Templates | |
| Control Panel | |
| Prohibit access to Control Panel and PC settings | Enabled |
| Control Panel > Display | |
| Disable the Display Control Panel | Enabled |
| Control Panel > Printers | |
| Browse a common web site to find printers | Disabled |
| Browse the network to find printers | Disabled |
| Prevent addition of printers | Enabled |
| Prevent deletion of printers | Enabled |
| Control Panel > Programs | |
| Hide "Get Programs" page | Enabled |
| Hide "Installed Updates" page | Enabled |
| Hide "Programs and Features" page | Enabled |
| Hide "Set Program Access and Computer Defaults" page | Enabled |
| Hide "Windows Features" | Enabled |
| Hide the Programs Control Panel | Enabled |
| Control Panel > Regional and Language Options | |
| Hide Regional and Language Options | Enabled |
| Hide the geographic location option | Enabled |
| Hide the select language group options | Enabled |
| Hide user locale selection and customization options | Enabled |
| Desktop | |
| Don't save settings at exit | Enabled |
| Hide and disable all items on the desktop | Enabled |
| Hide Internet Explorer icon on desktop | Enabled |
| Hide Network Locations icon on desktop | Enabled |
| Prevent adding, dragging, dropping and closing the Taskbar's toolbars | Enabled |
| Prohibit adjusting desktop toolbars | Enabled |
| Prohibit User from manually redirecting Profile Folders | Enabled |
| Remove Computer icon on the desktop | Enabled |
| Remove Properties from the Computer icon context menu | Enabled |
| Remove Properties from the Recycle Bin context menu | Enabled |
| Remove Recycle Bin icon from desktop | Enabled |
| Turn off Aero Shake window minimizing mouse gesture | Enabled |
| Network > Network Connections | |
| Ability to change properties of an all user remote access connection | Disabled |
| Prohibit access to properties of a LAN connection | Enabled |
| Prohibit access to the Remote Access Preferences item on the Advanced menu | Enabled |
| Prohibit changing properties of a private remote access connection | Enabled |
| Prohibit connecting and disconnecting a remote access connection | Enabled |
| Prohibit renaming private remote access connections | Enabled |
| Network > Offline Files | |
| Remove "Make Available Offline" command | Enabled |
| Remove "Work offline" command | Enabled |
| Network > Windows Connect Now | |
| Prohibit access to the Windows Connect Now wizards | Enabled |
| Start Menu and Taskbar | |
| Add Search Internet link to Start Menu | Disabled |
| Add the Run command to the Start Menu | Disabled |
| Clear history of recently opened documents on exit | Enabled |
| Clear history of tile notifications on exit | Enabled |
| Clear the recent programs list for new users | Enabled |
| Do not allow pinning items in Jump Lists | Enabled |
| Do not allow pinning programs to the Taskbar | Enabled |
| Do not display any custom toolbars in the taskbar | Enabled |
| Do not display or track items in Jump Lists from remote locations | Enabled |
| Do not keep history of recently opened documents | Enabled |
| Do not search communications | Enabled |
| Do not search for files | Enabled |
| Do not search Internet | Enabled |
| Do not search programs and Control Panel items | Enabled |
| Do not use the search-based method when resolving shell shortcuts | Enabled |
| Do not use the tracking-based method when resolving shell shortcuts | Enabled |
| Hide the notification area | Enabled |
| Lock all taskbar settings | Enabled |
| Lock the Taskbar | Enabled |
| Prevent changes to Taskbar and Start Menu Settings | Enabled |
| Prevent users from adding or removing toolbars | Enabled |
| Prevent users from moving taskbar to another screen dock location | Enabled |
| Prevent users from rearranging toolbars | Enabled |
| Prevent users from uninstalling applications from Start | Enabled |
| Remove access to the context menus for the taskbar | Enabled |
| Remove All Programs list from the Start menu | Enabled |
| Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands | Enabled |
| Remove Clock from the system notification area | Enabled |
| Remove common program groups from Start Menu | Enabled |
| Remove Default Programs link from the Start menu. | Enabled |
| Remove Documents icon from Start Menu | Enabled |
| Remove Downloads link from Start Menu | Enabled |
| Remove drag-and-drop and context menus on the Start Menu | Enabled |
| Remove Favorites menu from Start Menu | Enabled |
| Remove frequent programs list from the Start Menu | Enabled |
| Remove Games link from Start Menu | Enabled |
| Remove Help menu from Start Menu | Enabled |
| Remove Homegroup link from Start Menu | Enabled |
| Remove links and access to Windows Update | Enabled |
| Remove Logoff on the Start Menu | Disabled |
| Remove Music icon from Start Menu | Enabled |
| Remove Network Connections from Start Menu | Enabled |
| Remove Network icon from Start Menu | Enabled |
| Remove Pictures icon from Start Menu | Enabled |
| Remove pinned programs from the Taskbar | Enabled |
| Remove pinned programs list from the Start Menu | Enabled |
| Remove programs on Settings menu | Enabled |
| Remove Recent Items menu from Start Menu | Enabled |
| Remove Recorded TV link from Start Menu | Enabled |
| Remove Run menu from Start Menu | Enabled |
| Remove See More Results / Search Everywhere link | Enabled |
| Remove the Action Center icon | Enabled |
| Remove the battery meter | Enabled |
| Remove the networking icon | Enabled |
| Remove the volume control icon | Enabled |
| Remove user folder link from Start Menu | Enabled |
| Remove user's folders from the Start Menu | Enabled |
| Remove Videos link from Start Menu | Enabled |
| Show "Run as different user" command on Start | Disabled |
| Turn off all balloon notifications | Enabled |
| Turn off automatic promotion of notification icons to the taskbar | Enabled |
| Turn off feature advertisement balloon notifications | Enabled |
| Turn off notification area cleanup | Enabled |
| Turn off user tracking | Enabled |
| Start Menu and Taskbar > Notifications | |
| Turn off notifications network usage | Enabled |
| System > Ctrl+Alt+Del Options | |
| Remove Change Password | Enabled |
| Remove Task Manager | Enabled |
| System > Internet Communication Management > Internet Communication settings | |
| Turn off access to the Store | Enabled |
| Turn off downloading of print drivers over HTTP | Enabled |
| Turn off handwriting recognition error reporting | Enabled |
| Turn off Help Experience Improvement Program | Enabled |
| Turn off Help Ratings | Enabled |
| Turn off Internet download for Web publishing and online ordering wizards | Enabled |
| Turn off Internet File Association service | Enabled |
| Turn off printing over HTTP | Enabled |
| Turn off the "Order Prints" picture task | Enabled |
| Turn off the "Publish to Web" task for files and folders | Enabled |
| Turn off the Windows Messenger Customer Experience Improvement Program | Enabled |
| Turn off Windows Online | Enabled |
| System > Removable Storage Access | |
| All Removable Storage classes: Deny all access | Enabled |
| CD and DVD: Deny read access | Enabled |
| CD and DVD: Deny write access | Enabled |
| Floppy Drives: Deny read access | Enabled |
| Floppy Drives: Deny write access | Enabled |
| Removable Disks: Deny read access | Enabled |
| Removable Disks: Deny write access | Enabled |
| Tape Drives: Deny read access | Enabled |
| Tape Drives: Deny write access | Enabled |
| WPD Devices: Deny read access | Enabled |
| WPD Devices: Deny write access | Enabled |
| System > Windows HotStart | |
| Turn off Windows HotStart | Enabled |
| Windows Components > Add features to Windows 8 | |
| Prevent the wizard from running. | Enabled |
| Windows Components > App runtime | |
| Block launching desktop apps associated with a file. | Enabled |
| Block launching desktop apps associated with a protocol | Enabled |
| Windows Components > Application Compatibility | |
| Turn off Program Compatibility Assistant | Enabled |
| Windows Components > Attachment Manager | |
| Hide mechanisms to remove zone information | Enabled |
| Windows Components > AutoPlay Policies | |
| Disallow Autoplay for non-volume devices | Enabled |
| Prevent AutoPlay from remembering user choices. | Enabled |
| Set the default behavior for AutoRun | Enabled |
| Default AutoRun Behavior (Do not execute any autorun commands) | |
| Turn off Autoplay | Enabled |
| Turn off Autoplay on | All drives |
| Windows Components > Credential User Interface | |
| Do not display the password reveal button | Enabled |
| Windows Components > Desktop Gadgets | |
| Restrict unpacking and installation of gadgets that are not digitally signed. | Enabled |
| Turn off desktop gadgets | Enabled |
| Turn Off user-installed desktop gadgets | Enabled |
| Windows Components > Digital Locker | |
| Do not allow Digital Locker to run | Enabled |
| Windows Components > Edge UI | |
| Turn off switching between recent apps | Enabled |
| Turn off tracking of app usage | Enabled |
| Windows Components > File Explorer | |
| Display confirmation dialog when deleting files | Enabled |
| Display the menu bar in File Explorer | Enabled |
| Do not allow Folder Options to be opened from the Options button on the View tab of the ribbon | Enabled |
| Do not display the Welcome Center at user logon | Enabled |
| Do not request alternate credentials | Enabled |
| Hide these specified drives in My Computer | Enabled |
| Restrict all drives | |
| Hide the Manage item on the File Explorer context menu | Enabled |
| No Entire Network in Network Locations | Enabled |
| Prevent access to drives from My Computer | Enabled |
| Restrict all drives | |
| Prevent users from adding files to the root of their Users Files folder. | Enabled |
| Remove "Map Network Drive" and "Disconnect Network Drive" | Enabled |
| Remove CD Burning features | Enabled |
| Remove File Explorer's default context menu | Enabled |
| Remove File menu from File Explorer | Enabled |
| Remove Hardware tab | Enabled |
| Remove Security tab | Enabled |
| Remove the Search the Internet "Search again" link | Enabled |
| Turn off display of recent search entries in the File Explorer search box | Enabled |
| Turn off Windows+X hotkeys | Enabled |
| Windows Components > File Explorer > Common Open File Dialog | |
| Hide the common dialog back button | Enabled |
| Hide the common dialog places bar | Enabled |
| Hide the dropdown list of recent files | Enabled |
| Windows Components > File Explorer > Explorer Frame Pane | |
| Turn off Preview Pane | Enabled |
| Turn on or off details pane | Enabled |
| Configure details pane | Always hide |
| Windows Components > File Explorer > Previous Versions | |
| Prevent restoring previous versions from backups | Enabled |
| Windows Components > IME | |
| Turn off history-based predictive input | Enabled |
| Turn off Internet search integration | Enabled |
| Windows Components > Internet Explorer | |
| Automatically activate newly installed add-ons | Disabled |
| Configure Media Explorer Bar | Enabled |
| Disable the Media Explorer Bar and auto-play feature | Enabled |
| Auto-Play Media files in the Media bar when Enabled | Disabled |
| Disable AutoComplete for forms | Enabled |
| Disable changing accessibility settings | Enabled |
| Disable changing Advanced page settings | Enabled |
| Disable changing Automatic Configuration settings | Enabled |
| Disable changing Calendar and Contact settings | Enabled |
| Disable changing certificate settings | Enabled |
| Disable changing connection settings | Enabled |
| Disable changing home page settings | Enabled |
| Home Page | Define a home page if necessary |
| Disable changing language settings | Enabled |
| Disable changing Messaging settings | Enabled |
| Disable changing ratings settings | Enabled |
| Disable changing Temporary Internet files settings | Enabled |
| Disable Import/Export Settings wizard | Enabled |
| Disable Internet Connection wizard | Enabled |
| Do not allow users to enable or disable add-ons | Enabled |
| Identity Manager: Prevent user from using Identities | Enabled |
| Notify users if Internet Explorer is not the default web browser | Disabled |
| Pop-up allow list | Enabled |
| Enter the list of sites here. | Define allowed sites list if applicable such as *.microsoft.com |
| Prevent "Fix settings" functionality | Enabled |
| Prevent access to Internet Explorer Help | Enabled |
| Prevent bypassing SmartScreen Filter warnings | Enabled |
| Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet | Enabled |
| Prevent changing pop-up filter level | Enabled |
| Prevent changing proxy settings | Enabled |
| Prevent changing the default search provider | Enabled |
| Prevent configuration of how windows open | Enabled |
| Select where to open links | Open in existing Internet Explorer window |
| Prevent Internet Explorer Search box from appearing | Enabled |
| Prevent managing pop-up exception list | Enabled |
| Prevent managing SmartScreen Filter | Enabled |
| Select SmartScreen Filter mode | On |
| Prevent participation in the Customer Experience Improvement Program | Enabled |
| Prevent per-user installation of ActiveX controls | Enabled |
| Prevent running First Run wizard | Enabled |
| Select your choice | Go directly to home page |
| Search: Disable Find Files via F3 within the browser | Enabled |
| Search: Disable Search Customization | Enabled |
| Specify default behavior for a new tab | Enabled |
| New tab behavior | Home page |
| Turn off ability to pin sites in Internet Explorer on the desktop | Enabled |
| Turn off add-on performance notifications | Enabled |
| Turn off browser geolocation | Enabled |
| Turn off configuration of pop-up windows in tabbed browsing | Enabled |
| Select tabbed browsing pop-up behavior | Force pop-ups to open in a new tab |
| Turn off Crash Detection | Enabled |
| Turn off Favorites bar | Enabled |
| Turn off Managing SmartScreen Filter for Internet Explorer 8 | Enabled |
| Select SmartScreen Filter mode for Internet Explorer 8 | On |
| Turn off pop-up management | Enabled |
| Turn off Quick Tabs functionality | Enabled |
| Turn off Reopen Last Browsing Session | Enabled |
| Turn off suggestions for all user-installed providers | Enabled |
| Turn off tabbed browsing | Enabled |
| Turn off the auto-complete feature for web addresses | Enabled |
| Turn off the quick pick menu | Enabled |
| Turn on Suggested Sites | Disabled |
| Turn on the auto-complete feature for user names and passwords on forms | Disabled |
| Windows Components > Internet Explorer > Accelerators | |
| Turn off Accelerators | Enabled |
| Windows Components > Internet Explorer > Browser menus | |
| Disable Open in New Window menu option | Enabled |
| Disable Save this program to disk option | Enabled |
| File menu: Disable closing the browser and Explorer windows | Enabled |
| File menu: Disable New menu option | Enabled |
| File menu: Disable Open menu option | Enabled |
| File menu: Disable Save As Web Page Complete | Enabled |
| File menu: Disable Save As... menu option | Enabled |
| Help menu: Remove 'Send Feedback' menu option | Enabled |
| Help menu: Remove 'Tour' menu option | Enabled |
| Hide Favorites menu | Enabled |
| Tools menu: Disable Internet Options... menu option | Enabled |
| Turn off Print Menu | Enabled |
| Turn off Shortcut Menu | Enabled |
| View menu: Disable Full Screen menu option | Enabled |
| View menu: Disable Source menu option | Enabled |
| Windows Components > Internet Explorer > Delete Browsing History | |
| Disable "Configuring History" | Enabled |
| Days to keep pages in History | 1 |
| Windows Components > Internet Explorer > Internet Control Panel | |
| Disable the Advanced page | Enabled |
| Disable the Connections page | Enabled |
| Disable the Content page | Enabled |
| Disable the General page | Enabled |
| Disable the Privacy page | Enabled |
| Disable the Programs page | Enabled |
| Disable the Security page | Enabled |
| Windows Components > Internet Explorer > Internet Control Panel > Advanced Page | |
| Allow active content from CDs to run on user machines | Disabled |
| Allow software to run or install even if the signature is invalid | Disabled |
| Do not allow resetting Internet Explorer settings | Enabled |
| Empty Temporary Internet Files folder when browser is closed | Enabled |
| Windows Components > Internet Explorer > Internet Control Panel > General Page | |
| Start Internet Explorer with tabs from last browsing session | Disabled |
| Windows Components > Internet Explorer > Internet Control Panel > General Page > Browsing History | |
| Allow web sites to store application caches on client computers | Disabled |
| Windows Components > Internet Explorer > Internet Settings > Advanced Settings > Browsing | |
| Turn off details in messages about Internet connection problems | Enabled |
| Turn on script debugging | Disabled |
| Windows Components > Internet Explorer > Internet Settings > Advanced Settings > Multimedia | |
| Allow Internet Explorer to play media files that use alternative codecs | Disabled |
| Windows Components > Internet Explorer > Internet Settings > Advanced Settings > Searching | |
| Prevent configuration of search on Address bar | Enabled |
| When searching from the address bar | Do not search from the address bar |
| Prevent configuration of top-result search on Address bar | Enabled |
| When searching from the Address bar | Disable top result search |
| Windows Components > Internet Explorer > Internet Settings > Advanced settings > Signup Settings | |
| Turn on automatic signup | Disabled |
| Windows Components > Internet Explorer > Internet Settings > AutoComplete | |
| Turn off URL Suggestions | Enabled |
| Turn off Windows Search AutoComplete | Enabled |
| Turn on inline AutoComplete | Disabled |
| Windows Components > Internet Explorer > Security Features > Restrict File Download | |
| All Processes | Enabled |
| Internet Explorer Processes | Enabled |
| Windows Components > Internet Explorer > Toolbars | |
| Configure Toolbar Buttons | Enabled |
| Show Back button | Enabled |
| Show Forward button | Enabled |
| Show Stop button | Enabled |
| Show Refresh button | Enabled |
| Show Home button | Enabled |
| Show Search button | Disabled |
| Show Favorites button | Disabled |
| Show History button | Disabled |
| Show Folders button | Disabled |
| Show Fullscreen button | Disabled |
| Show Tools button | Disabled |
| Show Mail button | Disabled |
| Show Font size button | Disabled |
| Show Print button | Disabled |
| Show Edit button | Disabled |
| Show Discussions button | Disabled |
| Show Cut button | Disabled |
| Show Copy button | Disabled |
| Show Paste button | Disabled |
| Show Encoding button | Disabled |
| Disable customizing browser toolbar buttons | Enabled |
| Disable customizing browser toolbars | Enabled |
| Display tabs on a separate row | Enabled |
| Hide the Command bar | Enabled |
| Hide the status bar | Enabled |
| Lock all toolbars | Enabled |
| Lock location of Stop and Refresh buttons | Enabled |
| Turn off Developer Tools | Enabled |
| Turn off toolbar upgrade tool | Enabled |
| Windows Components > Location and Sensors | |
| Turn off location | Enabled |
| Windows Components > Microsoft Management Console | |
| Restrict the user from entering author mode | Enabled |
| Windows Components > Network Sharing | |
| Prevent users from sharing files within their profile. | Enabled |
| Windows Components > Presentation Settings | |
| Turn off Windows presentation settings | Enabled |
| Windows Components > Sound Recorder | |
| Do not allow Sound Recorder to run | Enabled |
| Windows Components > Tablet PC > Accessories | |
| Do not allow printing to Journal Note Writer | Enabled |
| Do not allow Snipping Tool to run | Enabled |
| Do not allow Windows Journal to run | Enabled |
| Windows Components > Tablet PC > Hardware Buttons | |
| Prevent Back-ESC mapping | Enabled |
| Prevent launch an application | Enabled |
| Prevent press and hold | Enabled |
| Turn off hardware buttons | Enabled |
| Windows Components > Windows Error Reporting | |
| Disable Windows Error Reporting | Enabled |
| Windows Components > Windows Installer | |
| Prevent removable media source for any installation | Enabled |
| Prohibit rollback | Enabled |
| Windows Components > Windows Logon Options | |
| Set action to take when logon hours expire | Enabled |
| Set action to take when logon hours expire | Logoff |
| Windows Components > Windows Mail | |
| Turn off the communities features | Enabled |
| Turn off Windows Mail application | Enabled |
| Windows Components > Windows Media Center | |
| Do not allow Windows Media Center to run | Enabled |
| Windows Components > Windows Media Player | |
| Prevent CD and DVD Media Information Retrieval | Enabled |
| Prevent Music File Media Information Retrieval | Enabled |
| Windows Components > Windows Media Player > Networking | |
| Hide Network Tab | Enabled |
| Windows Components > Windows Media Player > Playback | |
| Prevent Codec Download | Enabled |
| Windows Components > Windows Messenger | |
| Do not allow Windows Messenger to be run | Enabled |
| Do not automatically start Windows Messenger initially | Enabled |
| Windows Components > Windows Mobility Center | |
| Turn off Windows Mobility Center | Enabled |
| Windows Components > Windows Update | |
| Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box | Enabled |
| Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box | Enabled |
