Version: Axidian Privilege 2.10

Access Server Security Settings

caution

Be sure to follow the instructions listed on this page. This is required for the Axidian PAM to function properly.

Applying Settings Using the Utility

To apply the necessary access server security settings, follow these steps:

  1. Go to the ..PAM_2.10.0\axidian-pam-windows\MISC\ConfigurationProtector\ distribution folder.

  2. Run the terminal (Windows PowerShell) as Administrator.

  3. Run the command:

    .\Pam.Tools.Configuration.Protector.exe apply-gateway-security

  4. Set the Prohibit access to Control Panel and PC settings option to Enabled.
    Path: User configuration → Administrative Templates → Control Panel → Prohibit access to Control Panel and PC settings

  5. Restart the access server machine.

  6. Make sure that the required access server security settings have been applied.

  7. Check your resources and make sure that the Require Use of Specific Security Layer for Remote (RDP) Connections group policy option is set to one of the following values:

    • Not Configured
    • Enabled: Negotiate
    • Enabled: SSL

    Path: Computer Configuration → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Hosts → Security → Require Use of Specific Security Layer for Remote (RDP) Connections

    caution

    Value Enabled: RDP is not supported by Axidian PAM.

Verifying that the Access Server Security Settings have been Successfully Applied

To ensure that the required access server security settings have been applied, follow these steps:

  1. Go to the ..PAM_2.10.0\axidian-pam-windows\MISC\ConfigurationProtector\ distribution folder.
  2. Run the terminal (Windows PowerShell) as Administrator.
  3. Run the command:

    .\Pam.Tools.Configuration.Protector.exe validate-gateway-security

Applying Settings Manually

If the Pam.Tools.Configuration.Protector utility cannot be used for some reason, apply the necessary security settings manually, as described below.

  1. Copying the library file to the ProxyApp directory

    Go to the C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.24 directory and copy the Microsoft.DiaSymReader.Native.amd64.dll file into the C:\Program Files\Axidian\Axidian Privilege\Gateway\ProxyApp directory. The version in the path may vary depending on the version of the .NET runtime installed on the server. Use the highest available version that is 3.1 or newer.

  2. Disabling the user trusted root CA certificate store

    There are two ways to do so:

    1. Via Group Policy.
    2. Via a setting in the registry on the RDS Gateway server, if group policy is not applied.

    Way 1 — via Group Policy

    Change the setting in group policy that applies to the RDS Gateway server:

    Path: Computer Configuration → Windows Settings → Security Settings → Public Key Policies → Certificate Path Validation Settings.

    On the Stores tab:

    1. Enable the Define these policy settings option.
    2. Disable the Allow user trusted root CAs to be used to validate certificates option.

    Way 2 — via a setting in the registry

    In HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoot, create a DWORD value named Flags and set it to 1. The user trusted root CA certificate store is disabled when the least significant bit of Flags is set to 1.

  3. Disabling Windows push notification system services

    Disable the following services:

    • Windows Push Notifications (WpnService)
    • Windows Push Notifications User (WpnUserService)

  4. Disabling the Control Panel for users in the Group Policy

    Set the Prohibit access to Control Panel and PC settings option to Enabled.

    Path: User configuration → Administrative Templates → Control Panel → Prohibit access to Control Panel and PC settings.

  5. Checking the Selected Security Layer for Remote RDP Connections in the Group Policy of Your Resources

    Check your resources and make sure that the Require Use of Specific Security Layer for Remote (RDP) Connections group policy option is set to one of the following values:

    • Not Configured
    • Enabled: Negotiate
    • Enabled: SSL

    Path: Computer Configuration → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Hosts → Security → Require Use of Specific Security Layer for Remote (RDP) Connections.

    caution

    Value Enabled: RDP is not supported by Axidian PAM.
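A read-only PowerShell check of the manual settings above, added here as an example; it is not Axidian documentation and not the logic of the Protector utility's validate-gateway-security command. The registry value names NoControlPanel and SecurityLayer are the standard backing values of the named group policies and are my assumptions, not taken from this page; the script is assumed to run on the access server, with step 5 repeated on each resource.

```powershell
# Added example (not Axidian's code): read-only verification of the manually
# applied access server settings described on this page.
# NoControlPanel and SecurityLayer are assumed backing values of the policies.
$ErrorActionPreference = 'SilentlyContinue'
$results = @()

function Add-Check($name, $ok, $detail) {
    $script:results += [pscustomobject]@{ Check = $name; Passed = [bool]$ok; Detail = $detail }
}

# 1. Native DiaSymReader library copied into the ProxyApp directory
$proxyDll = 'C:\Program Files\Axidian\Axidian Privilege\Gateway\ProxyApp\Microsoft.DiaSymReader.Native.amd64.dll'
Add-Check 'ProxyApp DLL present' (Test-Path $proxyDll) $proxyDll

# 2. User trusted root CA store disabled: least significant bit of Flags must be 1
$flags = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoot' -Name Flags).Flags
Add-Check 'User root CA store disabled' (($flags -band 1) -eq 1) "Flags=$flags"

# 3. Push notification services disabled (WpnUserService is a per-user
#    service template, so its instances are matched with a wildcard)
foreach ($svc in Get-Service -Name 'WpnService', 'WpnUserService*') {
    Add-Check "Service $($svc.Name) disabled" ($svc.StartType -eq 'Disabled') "StartType=$($svc.StartType)"
}

# 4. Control Panel prohibited for the current user (user policy, hence HKCU;
#    run as the account the policy targets, not only as Administrator)
$ncp = (Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name NoControlPanel).NoControlPanel
Add-Check 'Control Panel prohibited' ($ncp -eq 1) "NoControlPanel=$ncp"

# 5. RDP security layer: absent (Not Configured), 1 (Negotiate) or 2 (SSL) are
#    acceptable; 0 (RDP) is the value Axidian PAM does not support.
$layer = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -Name SecurityLayer).SecurityLayer
$layerOk = ($null -eq $layer) -or ($layer -in 1, 2)
$layerText = if ($null -eq $layer) { 'Not Configured' } else { "$layer" }
Add-Check 'RDP security layer' $layerOk "SecurityLayer=$layerText"

$results | Format-Table -AutoSize
# Non-zero exit code lets the check be wired into a scheduled compliance job
if ($results.Passed -contains $false) { exit 1 }
```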