Configure Remote Connection RDP Tools (MSTSC, RDCM, MobaXterm, RDM) Integrate with PSM
Microsoft Remote Desktop Connection (MSTSC)
To use Microsoft's standard RDP client, Microsoft Remote Desktop Connection (MSTSC), you will need to start a program with the following command:
psm /u {Priv_Account_Name}@51Sectest.dev /a {Server_Name} /c PSM-RDP
For example: psm /u [email protected] /a 192.168.2.12 /c PSM-RDP
On Windows 10 machines, Remote Desktop Connection might not have a Program tab. In that case, add the following line to the .rdp file:
alternate shell:s:psm /u target-user /a target-address /c connection-component
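The .rdp approach above, and the same psm string used in the Start program field of the other clients on this page, as an added example that is not part of the original post or of CyberArk's tooling: it builds the .rdp text and then checks that a file really connects to the PSM rather than straight to the target. The PSM host name, the vault user, the function names and the allowed-character rule are assumptions of this example.

```python
import re

# Assumption of this example: psm fields hold only these characters, so a
# value can never contain a space and spill into the next /switch.
_FIELD = re.compile(r"[A-Za-z0-9._@-]+")


def psm_start_program(account, target, component="PSM-RDP"):
    """Build the 'psm /u ... /a ... /c ...' start-program string."""
    for name, value in (("account", account), ("target", target),
                        ("component", component)):
        if not _FIELD.fullmatch(value):
            raise ValueError(f"{name} has unexpected characters: {value!r}")
    return f"psm /u {account} /a {target} /c {component}"


def build_rdp(psm_host, vault_user, account, target, component="PSM-RDP"):
    """Return .rdp text that connects to the PSM, not to the target itself."""
    return "\r\n".join([
        f"full address:s:{psm_host}",
        f"username:s:{vault_user}",
        "alternate shell:s:" + psm_start_program(account, target, component),
    ]) + "\r\n"


def parse_rdp(text):
    """Parse 'name:type:value' lines into a dict keyed by setting name."""
    settings = {}
    for line in text.splitlines():
        name, sep1, rest = line.partition(":")
        _type, sep2, value = rest.partition(":")
        if sep1 and sep2:
            settings[name.strip().lower()] = value.strip()
    return settings


def check_rdp(text, psm_host):
    """List the reasons an .rdp file would not go through the PSM as intended."""
    s = parse_rdp(text)
    problems = []
    if s.get("full address", "").lower() != psm_host.lower():
        problems.append("full address is not the PSM server")
    if not re.fullmatch(r"psm /u \S+ /a \S+ /c \S+", s.get("alternate shell", "")):
        problems.append("alternate shell is missing or malformed")
    if "password 51" in s:
        problems.append("file stores a saved password")
    return problems
```

Write the result of build_rdp() to a file with an .rdp extension and open it with MSTSC; check_rdp() can be run over existing .rdp files to find ones that bypass the PSM.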
Microsoft Remote Desktop Connection Manager
Microsoft has retired the MRDCM software, and the following link no longer offers a download. Some serious vulnerabilities were found in this software, although it is still a very popular Remote Desktop Connection Manager tool.
You can download RDCM here: https://www.microsoft.com/en-gb/download/details.aspx?id=44989
A Google search turned up this link to download it: https://www.scom2k7.com/downloads/rdcman.msi
Integrating RDCM with CyberArk PSM requires some configuration changes on the RDP file object. This post lists the minimum steps you will need to follow to get RDCM working with PSM.
CyberArk KB: https://cyberark-customers.force.com/s/article/How-to-setup-Remote-Desktop-Connection-Manager
================================================
How to connect through Privileged Session Manager for Windows using Remote Desktop Connection Manager
Introduction
Remote Desktop Connection Manager (RDCM) does not have the ability to disable credsspsupport, and therefore you will be asked for credentials before the connection to the PSM is established. When connecting with an LDAP user this does not matter, as it will be able to automatically authenticate with these domain credentials; however, you will not be able to make connections when using CyberArk and RADIUS challenge-response authentication, as their credentials are different.
You can download RDCM here: https://www.microsoft.com/en-gb/download/details.aspx?id=44989
Step-By-Step Instructions
Ensure the following group policy parameters are applied to the PSM server.
- Always prompt for password upon connection - Disabled
- Require secure RPC communication - Enabled (this should already be enabled as part of hardening).
- Require use of specific security layer for remote (RDP) connections - Enabled - Set to RDP.
You should now be able to use RADIUS challenge-response and CyberArk authentication with RDCM.
===============================================================
1     Open the Connection Manager application on your desktop and create an entry for the target device. Give each entry a meaningful name to indicate the target device details.
2     Configure the Server Settings tab:
2.1.  Populate the Server name field with the text {PSM-Server-Hostname}
2.2.  Enter a friendly name of your choice in the Display name field.
3     Configure the Connection Settings tab:
3.1.  Uncheck the Inherit from parent checkbox.
3.2.  Populate the Start program field with this string as shown in the sample screenshot below:
      psm /u {Priv_Account_Name}@51Sec-ITPROSEC /a {Server_Name} /c PSM-RDP
      Substitute:
      {Priv_Account_Name} = The username of the privileged account as defined in CyberArk; e.g. MyUsernameAdmin
      {Server_Name} = The short name of the destination server as resolvable via DNS; e.g. PrintServer
4     Configure the Logon Credentials tab as shown in the sample screenshot below:
4.1.  Uncheck the Inherit from parent checkbox.
4.2.  Enter your non-privileged AD account username in the User name field.
4.3.  Enter the text 51Sec-ITPROSEC in the Domain field.
Notes: How to connect to RDP console / admin mode:
If you choose to connect to console / admin, PSM will deny the session. The PSM server will tell you "The requested session access is denied".
- Make a copy of the PSM-RDP connection component (let's call it PSM-RDP-ADMIN).
- Set "AllowConnectToConsole" to Value=Yes, Visible=Yes.
- Add it to the desired platform.
- In the RDP client where you specify the psm /u etc. command, change the /c value to PSM-RDP-ADMIN.
There is no "admin connect" in current versions of MS Windows after Server 2003:
For 2003 or Windows XP you would need a custom connection component with mstsc.exe /admin or mstsc.exe /console as the command.
MobaXterm
MobaXterm also supports PSM well. All configuration steps are shown in the screenshot. The most important step is to configure the Remote command "psm /u [email protected] /a 192.168.2.12 /c PSM-RDP".
Create a domain user account and save it into the credential list.
mRemoteNG
So far, I have not found a good way to support a remote command that launches "psm /u [email protected] /a 192.168.2.12 /c PSM-RDP" after RDP has logged in to PSM.
Remote Desktop Manager Free Edition
I have an administrative MMC console 'psm-mmc' working through both PVWA and an RDP file. The RDP file syntax is
alternate shell:s:psm /u [my privileged account in cyberark] /a [mydomain.com] /c PSM-MMC
Although, looking at that, I'm not sure what the point of setting my domain as the target address is, since it's just opening an MMC console. The RDP file works great, but it goes full screen, hiding the local taskbar. I'm interested in getting this into a Microsoft RDCman 'server', but the same syntax doesn't work. It seems to still be trying to RDP to mydomain.com even though I'm calling the PSM-MMC app
psm /u [my privileged account in cyberark] /a [mydomain.com] /c PSM-MMC