
Warning

The security settings required for PAM operation must be applied on the RDS Gateway server.


Note

The settings can be applied using the Pam.Tools.Configuration.Protector utility. Run it with administrator rights and the appropriate parameter: Pam.Tools.Configuration.Protector.exe apply-gateway-security

Applying access server security settings

Follow the instruction below:

  1. Open the distribution folder Indeed PAM → MISC → ConfigurationProtector.
  2. Run the command line with administrator rights.
  3. Run the command: .\Pam.Tools.Configuration.Protector.exe apply-gateway-security

Note

Disabling Control Panel for users is not applied automatically by Pam.Tools.Configuration.Protector; it must be configured manually (see setting 4 below).

Checking the successful application of the access server security settings

Follow the instruction below:

  1. Open the distribution folder Indeed PAM → MISC → ConfigurationProtector.
  2. Run the command line with administrator rights.
  3. Run the command: .\Pam.Tools.Configuration.Protector.exe validate-gateway-security

Warning

Restart the machine with the access server after applying security settings.

List of settings:

1) File Microsoft.DiaSymReader.Native.amd64.dll

Copy the file Microsoft.DiaSymReader.Native.amd64.dll from C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.24 to C:\Program Files\Indeed\Indeed PAM\Gateway\ProxyApp. The version number in the source path depends on the .NET Runtime installed on the server; if several 3.1.* versions are present, take the file from the highest one.

2) Disabling the user's storage of trusted root CA certificates

There are two possible options:

  1. Via Group Policy.
  2. Via the registry on the RDS Gateway server, if the group policy is not applied.

Group Policy

Change the setting in the group policy that applies to the RDS Gateway server:

Go to Computer Configuration → Windows Settings → Security Settings → Public Key Policies → Certificate Path Validation Settings.
Open the Stores tab:

  • Enable the option Define these policy settings.
  • Disable the option Allow user trusted root CAs to be used to validate certificates.

Registry configuration:

Open the registry and go to HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots. Create a DWORD value named Flags and set it to 1. The user's store of trusted root CA certificates is disabled when the lowest bit of Flags is set (value 1).

3) Windows Push Notifications services

The services WpnService and WpnUserService must be disabled.

4) Disabling Control Panel for users

Open group policy, go to User Configuration → Administrative Templates → Control Panel → Prohibit access to Control Panel and PC settings, and enable this policy.
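As an added example (not code from Indeed PAM or its documentation), the following read-only PowerShell script checks the four settings listed above on the gateway and prints OK/FAIL for each. It uses the file and registry paths given on this page; the NoControlPanel value under Policies\Explorer (setting 4) is an assumption about where the user policy is stored and is checked for the current user only.

```powershell
# Added example: read-only audit of the RDS Gateway settings described on this page.
# Not part of Indeed PAM or Pam.Tools.Configuration.Protector.
$results = [ordered]@{}

# 1) DiaSymReader DLL must be present in ProxyApp and match the copy from the
#    highest installed 3.1.* .NET Runtime (paths as given on the page).
$proxyDll    = 'C:\Program Files\Indeed\Indeed PAM\Gateway\ProxyApp\Microsoft.DiaSymReader.Native.amd64.dll'
$runtimeRoot = 'C:\Program Files\dotnet\shared\Microsoft.NETCore.App'
$newest31 = Get-ChildItem -Path $runtimeRoot -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like '3.1.*' } |
    Sort-Object { [version]$_.Name } -Descending |
    Select-Object -First 1
$srcDll = if ($newest31) { Join-Path $newest31.FullName 'Microsoft.DiaSymReader.Native.amd64.dll' }
$results['1) DiaSymReader DLL present in ProxyApp'] = Test-Path $proxyDll
$results['1) DiaSymReader DLL matches newest 3.1.* runtime copy'] =
    (Test-Path $proxyDll) -and $srcDll -and (Test-Path $srcDll) -and
    ((Get-FileHash $proxyDll).Hash -eq (Get-FileHash $srcDll).Hash)

# 2) User trusted root CA store disabled: lowest bit of ProtectedRoots\Flags set.
$flags = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots' `
    -Name Flags -ErrorAction SilentlyContinue).Flags
$results['2) User root CA store disabled (Flags bit 0 = 1)'] = ($null -ne $flags) -and (($flags -band 1) -eq 1)

# 3) Push notification services disabled. WpnUserService runs as per-user
#    instances (WpnUserService_xxxxx), so a wildcard catches all of them.
$wpn = @(Get-Service -Name 'WpnService', 'WpnUserService*' -ErrorAction SilentlyContinue)
$results['3) WpnService / WpnUserService disabled'] =
    ($wpn.Count -gt 0) -and (@($wpn | Where-Object { $_.StartType -ne 'Disabled' }).Count -eq 0)

# 4) Control Panel prohibition is a user policy; assumed location under
#    HKCU\...\Policies\Explorer\NoControlPanel, evaluated for the current user only.
$noCp = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -Name NoControlPanel -ErrorAction SilentlyContinue).NoControlPanel
$results['4) Control Panel prohibited for current user'] = ($noCp -eq 1)

foreach ($entry in $results.GetEnumerator()) {
    $state = if ($entry.Value) { 'OK  ' } else { 'FAIL' }
    "$state $($entry.Key)"
}
```

Run it from an elevated PowerShell on the gateway after the reboot required above; a FAIL on item 1 or 2 is expected if the utility has not yet been run.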
