Some functions have been implemented for the Access Server to protect against the launch of unwanted processes, as well as to restrict access to files that are vulnerable and necessary for normal operation.

Preventing users from starting unwanted processes

Each time the process starts, a series of checks are performed. The process is allowed to start if at least one of the checks is passed:

  • If the user is LOCAL_SYSTEM, LOCAL_SERVICE or NETWORK_SERVICE
  • If the user is an administrator on the RDS server
  • If the parent process is one of the known system processes (svchost.exe, winlogon.exe, userinit.exe, rdpinit.exe)
  • Process start is allowed in the processprotection.settings.json configuration file

If none of the checks are passed, then the launch of the process is denied.

The behavior is configured in the file C:\Program Files\Indeed Identity\Indeed PAM\Gateway\ProcessCreateHook\processprotection.settings.json

Example:

{
  "Rules": [
    {
      "Comment": "Common, record video",
      "ParentProcessPaths": [
        "C:\\Program Files\\Indeed Identity\\Indeed PAM\\Gateway\\ProxyApp\\Pam.Proxy.App.exe"
      ],
      "ApplicationPaths": [
        "C:\\Program Files\\Indeed Identity\\Indeed PAM\\Gateway\\ProxyApp\\ffmpeg.exe",
        "C:\\Program Files\\Indeed Identity\\Indeed PAM\\Gateway\\ProxyApp\\ffprobe.exe"
      ]
    }
}

Section Rules — Rules for allowed processes.

  • Configuration parameters:
    • Comment — comment for the rule.
    • ApplicationPathspaths to executable files that is allowed to launch.
    • ParentProcessPathspaths to executable files whose processes can launch applications from ApplicationPaths.

Protecting vulnerable files

It is a mechanism for differentiating access rights to files at the process level.

Users of the Local Administrators group have access to any file from any process. Other users can open any file from any process, except for vulnerable files. For vulnerable files, the process is checked: if the process is in the list of allowed, then access is allowed, otherwise it is denied.

The behavior is configured in the file C:\Program Files\Indeed Identity\Indeed PAM\Gateway\Service\filesprotection.settings.json

By default, vulnerable PAM files are added to the configuration file, no additional configuration is required.

Default  configuration:

{
  "VulnerableFiles": [
    {
      "Path": "C:\\Program Files\\Indeed Identity\\Indeed PAM\\Gateway\\ProxyApp\\appsettings.json",
      "AllowedProcesses": [
        "C:\\Program Files\\Indeed Identity\\Indeed PAM\\Gateway\\ProxyApp\\Pam.Proxy.App.exe"
      ]
    },
    {
      "Path": "C:\\ProgramData\\Indeed Identity\\Indeed PAM\\SessionTemp",
      "AllowedProcesses": [
        "C:\\Program Files\\Indeed Identity\\Indeed PAM\\Gateway\\ProxyApp\\Pam.Proxy.App.exe",
        "C:\\Program Files\\Indeed Identity\\Indeed PAM\\Gateway\\SshClient\\Pam.Putty.exe",
        "C:\\Windows\\System32\\mstsc.exe",
        "C:\\Windows\\SysWOW64\\mstsc.exe"
      ]
    },
    {
      "Path": "C:\\ProgramData\\Indeed Identity\\Indeed PAM\\VideoTemp",
      "AllowedProcesses": [
        "C:\\Program Files\\Indeed Identity\\Indeed PAM\\Gateway\\ProxyApp\\Pam.Proxy.App.exe",
        "C:\\Program Files\\Indeed Identity\\Indeed PAM\\Gateway\\ProxyApp\\ffmpeg.exe",
        "C:\\Program Files\\Indeed Identity\\Indeed PAM\\Gateway\\ProxyApp\\ffprobe.exe"
      ]
    }
  ]
}

Configuration parameters:

  • VulnerableFiles - list of vulnerable files.
  • Path - the path to the vulnerable file. You can specify both a specific file and a directory.
  • AllowedProcesses - list of processes that are allowed to access the vulnerable file. Specify the required executable modules.

After changing the configuration file, a restart of the Pam.Service service is required. You can do this in the Task manager, or with powershell command:

Restart-Service PAM.Service -Force