The security settings required for PAM operation must be applied on the RDS Gateway server.
The settings are applied with the Pam.Tools.Configuration.Protector utility, which must be run with administrator rights and the appropriate parameter: Pam.Tools.Configuration.Protector.exe apply-gateway-security
Applying access server security settings
Follow the instruction below:
Open the distribution folder Indeed PAM → MISC → ConfigurationProtector
Run the command-line with administrator rights.
Run the command: .\Pam.Tools.Configuration.Protector.exe apply-gateway-security
Disabling Control Panel for users (setting 4 below) is not applied automatically by Pam.Tools.Configuration.Protector.
Checking the successful application of the access server security settings
Follow the instruction below:
Open the distribution folder Indeed PAM → MISC → ConfigurationProtector
Run the command-line with administrator rights.
Run the command: .\Pam.Tools.Configuration.Protector.exe validate-gateway-security
Restart the access server machine after applying the security settings.
List of settings:
1) File Microsoft.DiaSymReader.Native.amd64.dll
Copy the file Microsoft.DiaSymReader.Native.amd64.dll from C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.24 to C:\Program Files\Indeed\Indeed PAM\Gateway\ProxyApp. The version folder in the source path may differ depending on the version of the .NET Runtime installed on the server; use the highest installed version starting with 3.1.*
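The copy step above, as an added PowerShell example that is not part of the Indeed PAM documentation or the Pam.Tools.Configuration.Protector utility. It uses the paths named on the page, picks the highest installed 3.1.* runtime folder by numeric version (a plain string sort would rank 3.1.9 above 3.1.24), and verifies the copy by hash. Run it from an elevated PowerShell session.

```powershell
# Added example (not Indeed PAM's own code): copy the newest 3.1.* copy of
# Microsoft.DiaSymReader.Native.amd64.dll into the Gateway ProxyApp folder.
# Paths are those given on the page; run from an elevated PowerShell session.

$dllName    = 'Microsoft.DiaSymReader.Native.amd64.dll'
$runtimeDir = 'C:\Program Files\dotnet\shared\Microsoft.NETCore.App'
$targetDir  = 'C:\Program Files\Indeed\Indeed PAM\Gateway\ProxyApp'

# Enumerate installed runtime folders, keep only 3.1.x, sort numerically.
$candidate = Get-ChildItem -Path $runtimeDir -Directory |
    Where-Object { $_.Name -match '^3\.1\.\d+$' } |
    Sort-Object { [version]$_.Name } -Descending |
    Select-Object -First 1

if (-not $candidate) {
    throw "No .NET Core 3.1.* runtime found under $runtimeDir"
}

$source = Join-Path $candidate.FullName $dllName
if (-not (Test-Path -LiteralPath $source)) {
    throw "$dllName not found in $($candidate.FullName)"
}
if (-not (Test-Path -LiteralPath $targetDir)) {
    throw "Target folder $targetDir does not exist; is the Gateway installed?"
}

Copy-Item -LiteralPath $source -Destination $targetDir -Force

# Confirm the file actually landed intact by comparing hashes.
$srcHash = (Get-FileHash -LiteralPath $source).Hash
$dstHash = (Get-FileHash -LiteralPath (Join-Path $targetDir $dllName)).Hash
if ($srcHash -ne $dstHash) {
    throw "Hash mismatch after copy; inspect $targetDir manually"
}
Write-Host "Copied $dllName from runtime $($candidate.Name) to $targetDir"
```

If several 3.1.* runtimes are present the script silently prefers the newest; if only a non-3.1 runtime (for example 6.0.x) is installed it stops with an error rather than copying a DLL from the wrong major version.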
2) Disabling the user store of trusted root CA certificates
There are two possible options:
Via Group Policy.
Via the registry on the RDS Gateway server, if Group Policy is not applied.
Group Policy
Change the setting in the group policy that applies to the RDS Gateway server:
Go to Computer Configuration - Windows Settings - Security Settings - Public Key Policies - Certificate Path Validation Settings and open the Stores tab:
Enable parameter Define these policy settings.
Disable parameter Allow user trusted root CAs to be used to validate certificates.
Registry configuration:
Open the registry and go to HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots. Create a DWORD value named Flags and set it to 1. The user store of trusted root CA certificates is disabled when the first (lowest) bit of the Flags value equals 1.
3) Windows Push Notifications service.
The services WpnService and WpnUserService must be disabled.
4) Disabling Control Panel for users
Open Group Policy, go to User Configuration -> Administrative Templates -> Control Panel -> Prohibit access to Control Panel and PC settings, and enable the setting.
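Settings 2 to 4 above can be audited without changing anything, which is useful after the validate-gateway-security run and again after the restart. The following read-only PowerShell audit is an added example, not part of the Indeed PAM documentation or utility. It assumes the standard Windows locations: the ProtectedRoots\Flags value from setting 2 (the Group Policy option is expected to write the same value), the Start value under HKLM\SYSTEM\CurrentControlSet\Services for the Wpn* services (4 = Disabled), and the NoControlPanel value under HKCU\...\Policies\Explorer that the "Prohibit access to Control Panel and PC settings" user policy sets. Because that last policy is per-user, the check reflects only the account running the script.

```powershell
# Added example (not Indeed PAM's own code): read-only audit of settings 2-4.
# Run in an elevated session; exits with code 1 if any check fails.

$results = @()

# 2) User trusted-root store disabled: bit 0 of Flags under ProtectedRoots.
$rootsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots'
$flags = (Get-ItemProperty -Path $rootsKey -Name Flags -ErrorAction SilentlyContinue).Flags
$results += [pscustomobject]@{
    Check  = 'User trusted root CA store disabled (ProtectedRoots\Flags bit 0)'
    Passed = ($null -ne $flags) -and (($flags -band 1) -eq 1)
    Actual = if ($null -eq $flags) { '<missing>' } else { $flags }
}

# 3) Push-notification services. WpnUserService is a per-user service template
#    whose instances are named WpnUserService_<hex>; reading Start from the
#    template's Services key covers them, and the wildcard catches running ones.
foreach ($svc in 'WpnService', 'WpnUserService') {
    $start = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" `
                -Name Start -ErrorAction SilentlyContinue).Start
    $results += [pscustomobject]@{
        Check  = "$svc start type is Disabled (Start=4)"
        Passed = ($start -eq 4)
        Actual = if ($null -eq $start) { '<missing>' } else { $start }
    }
}
$running = Get-Service -Name 'WpnService', 'WpnUserService*' -ErrorAction SilentlyContinue |
    Where-Object Status -eq 'Running'
$results += [pscustomobject]@{
    Check  = 'No Wpn* service instance currently running'
    Passed = (-not $running)
    Actual = if ($running) { ($running.Name -join ', ') } else { 'none' }
}

# 4) "Prohibit access to Control Panel and PC settings" for the current user.
$cpKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$noCp = (Get-ItemProperty -Path $cpKey -Name NoControlPanel -ErrorAction SilentlyContinue).NoControlPanel
$results += [pscustomobject]@{
    Check  = 'Control Panel prohibited for this user (NoControlPanel=1)'
    Passed = ($noCp -eq 1)
    Actual = if ($null -eq $noCp) { '<missing>' } else { $noCp }
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Passed }) {
    Write-Warning 'One or more gateway security settings are not in the expected state.'
    exit 1
}
```

Run it once before the restart to catch a failed apply step, and once more after the restart, since a service that is disabled but still running only stops when the machine is rebooted.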