The security settings required for PAM operation must be applied on the RDS Gateway server.


The settings can be applied using the utility Pam.Tools.Configuration.Protector. Necessary to run the utility with the appropriate parameter with administrator rights: Pam.Tools.Configuration.Protector.exe apply-gateway-security

Applying access server security settings

Follow the instruction below:

  1. Open the distribution folder Indeed PAM → MISC → ConfigurationProtector
  2. Run the command-line with administrator rights.
  3. Run the command: .\Pam.Tools.Configuration.Protector.exe apply-gateway-security.

Disabling Control Panel for users is not applied automatically with Pam.Tools.Configuration.Protector

Checking the successful application of the access server security settings

Follow the instruction below:

  1. Open the distribution folder Indeed PAM → MISC → ConfigurationProtector
  2. Run the command-line with administrator rights.
  3. Run the command: .\Pam.Tools.Configuration.Protector.exe validate-gateway-security

Restart the machine with the access server after applying security settings.

List of settings:

1) File Microsoft.DiaSymReader.Native.amd64.dll

Copy the file Microsoft.DiaSymReader.Native.amd64.dll from C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.24 to C:\Program Files\Indeed\Indeed PAM\Gateway\ProxyApp. The version in the source path may differ depending on the version of Dotnet Runtime installed on the server. It is necessary to take the largest version starting from 3.1.*

2) Disabling the user's storage of trusted root CA certificates

There are two possible options:

  1. Via Group Policy.
  2. Via the configuration in the registry on the RDS Gateway server, if the group policy is not applied.

Group Policy

Change the setting in the group policy that applies to the RDS Gateway server:

Go to Computer Configuration - Windows Settings - Security Settings - Public Key Policies - Certificate Path Validation Settings.
Open tab Stores:

  • Enable parameter Define these policy settings.
  • Disable parameter Allow user trusted root CAs to be used to validate certificates.

Registry configuration:

Open registry and go to HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots. Then create a key Flags (DWORD type) and set value 1. The user's storage of trusted root CA certificates is disabled if the first bit of the value Flags equal 1.

3) Windows Push Notifications service.

Services WpnService and WpnUserService must be disabled. 

4) Disabling Control Panel for users 

Open group policy and go to User configuration -> Administrative Templates -> Control Panel -> Prohibit access to Control Panel and PC settings