Configure Login Options for Windows Target Devices

You can configure the following options for Windows target devices:
Network Level Authentication Login for RDP Access
RDP sessions to a Windows server can be subject to denial-of-service (DoS) attacks. To lower the risk of DoS attacks, Windows server administrators can configure Network Level Authentication (NLA). NLA prompts a user to authenticate before a session is established with the server.
Symantec PAM accommodates NLA so that connections to a Windows target server can complete successfully.
No specific configuration is required for the appliance to handle the NLA requirement. Simply add users to the Windows target device record. In the Device configuration, only the Device Name, Address, and the Access Method (RDP) are mandatory.
If you configure the RDP-Tcp access method with the setting Allow connections only from computers running Remote Desktop with Network Level Authentication, the appliance handles the NLA requirement properly. To configure the RDP-Tcp access method, select the General tab of the RDP-Tcp Properties dialog.
User Experience with NLA
When a user selects the RDP access method, the RDP page appears, and then a security dialog prompts for the NLA-based credentials. After the user enters the credentials, the appliance submits them to the Windows target device to complete login.
If you enable a password push for the Windows target device, this login prompt is overridden.
Enable a Password Push for RDP Password Enforcement
The Windows Remote Desktop Services interface has an option that is labeled Always prompt for password. This option allows the Windows administrator to force a password prompt even when the client workstation is configured to connect automatically.
If NLA is enabled on an RDP server using the TLS security layer, the server ignores the Always prompt for password option, and users are not prompted for passwords. To enforce the password option, the Windows administrator must configure the server with the RDP Security Layer.
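The interaction described above (NLA, the security layer, and the Always prompt for password option) can be audited before a device group is configured, so that an administrator knows in advance whether the server will honor the prompt. The following PowerShell script is an added example written for this page; it is not part of the Symantec PAM product or its documentation. It assumes a Windows server where RDP settings live under the standard RDP-Tcp WinStation registry key, with Group Policy values (when present) taking precedence over the local ones, and it only reads the configuration, reporting what it finds.

```powershell
# Added example: audit the RDP-Tcp settings that decide whether
# "Always prompt for password" is honored on a Windows server.
# Assumptions: standard RDP-Tcp WinStation key and the Terminal Services
# policy key; values under the policy key override the local values.

function Get-RdpLoginPromptStatus {
    [CmdletBinding()]
    param()

    $localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

    # Read a DWORD from the policy key first, then fall back to the local key.
    function Get-EffectiveValue([string]$Name, [int]$Default) {
        foreach ($key in @($policyKey, $localKey)) {
            $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
            if ($null -ne $item -and $null -ne $item.$Name) {
                return [int]$item.$Name
            }
        }
        return $Default
    }

    # UserAuthentication: 1 = require Network Level Authentication.
    # SecurityLayer:      0 = RDP Security Layer, 1 = Negotiate, 2 = TLS (SSL).
    # fPromptForPassword: 1 = "Always prompt for password" is set.
    $nlaRequired   = (Get-EffectiveValue -Name 'UserAuthentication' -Default 0) -eq 1
    $securityLayer =  Get-EffectiveValue -Name 'SecurityLayer'      -Default 1
    $alwaysPrompt  = (Get-EffectiveValue -Name 'fPromptForPassword' -Default 0) -eq 1

    $layerName = switch ($securityLayer) {
        0 { 'RDP Security Layer' }
        1 { 'Negotiate' }
        2 { 'TLS' }
        default { "Unknown ($securityLayer)" }
    }

    # The page's caveat: with NLA on a TLS security layer, the server ignores
    # "Always prompt for password". Negotiate is treated as TLS-capable here,
    # which is an assumption for this example (modern clients negotiate TLS).
    $promptHonored = $alwaysPrompt -and -not ($nlaRequired -and $securityLayer -ne 0)

    [pscustomobject]@{
        NlaRequired          = $nlaRequired
        SecurityLayer        = $layerName
        AlwaysPromptSet      = $alwaysPrompt
        PasswordPromptHonored = $promptHonored
        Recommendation       = if ($alwaysPrompt -and -not $promptHonored) {
            'Server ignores "Always prompt for password" under NLA + TLS; switch to the RDP Security Layer or rely on the PAM password push.'
        } elseif (-not $alwaysPrompt) {
            '"Always prompt for password" is not set; password push has nothing to override.'
        } else {
            'Configuration is consistent; password prompt will appear.'
        }
    }
}

# Run the audit and show the result in a readable form.
Get-RdpLoginPromptStatus | Format-List
```

Run the script in an elevated PowerShell session on the RDP server. When the output shows PasswordPromptHonored as False while AlwaysPromptSet is True, the server is in exactly the state the paragraph above warns about, and the password-push configuration in the next section is the mechanism that supplies the credentials instead of the prompt.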
You can configure a device group to populate the password prompt automatically, with the password obfuscated. 
The following procedure assumes that you have set up the following components:
  • users
  • devices
  • target accounts
  • associated policies for auto-connection for those target accounts
Follow these steps:
  1. Log in to the UI as an administrator with configuration privileges.
  2. Navigate to Devices, Manage Device Groups.
  3. Select an existing device group, or select ADD to create a group.
  4. From the Devices tab, select the target devices that require a password push for an auto-connection policy.
  5. Select the Enable tab, and select the checkbox Provide Credentials for 'Always Prompt for Password'. This setting forces an auto-connection at the device level for any device in the device group.
     If a legal notice also appears during login, you can select the Handle 'Legal Notice' on Logon Screen checkbox to accept it automatically.
  6. Navigate to Policies, Manage Policies.
  7. Prepare a policy for the user/user group and the device group that you previously configured. Select RDP as the access method for the policy.
  8. Select OK.
Password push is now enabled.
User Experience with Password Push Configured
When a user logs in to Privileged Access Manager and selects the RDP access method, the following actions occur:
  1. The RDP Access Method splash page appears.
  2. The RDP window displays the Windows login screen.
  3. The appliance immediately overrides the login prompt. A brief delay occurs, during which the user sees a countdown screen until auto-connection is complete.
The remote user is logged in.