Symantec Privileged Access Management

  • 1.  Adding a "Test" Server in PAM

    Posted Feb 13, 2018 11:45 AM

    I spun up a Server 2016 VM, and want to add it into PAM just to test out functionality - what's the best way to do this? I am looking through the implementation guide and it doesn't quite address just adding it in.  I don't need anything fancy, just want to add it in and have my co-workers be able to access it to test it out.

     

    Thanks in advance!

     

    Mike



  • 2.  Re: Adding a "Test" Server in PAM

    Posted Feb 13, 2018 03:15 PM

    Hi Mike,

     

    When I'm adding a new bare-bones Windows device I typically add the device manually. I then create the target application using the Windows Domain Service, and the target account using the domain administrator account. Lastly, I create the policy for access. For me, this is the easiest method.

     

    Hope this helps,

    Christo



  • 3.  Re: Adding a "Test" Server in PAM
    Best Answer

    Posted Feb 13, 2018 07:14 PM

    If you are new to PAM like me, this may help you.

    It is exactly the same thing Christo.1 mentioned but with steps.

     

    You first need to create a Device to represent your Windows 2016 server.

    Give it a meaningful name and select the best matching Operating System if there is no exact match.

    Select "Access" in the Device Type. (If you want to manage the password then select "Password Management" as well)

    Enter the IP address.

    Click "Save and Add Target Applications".

     

    Create an Application called Windows2016-RDP

    At the Host Name you should be able to select the device you registered above.

    Device Name would auto-populate.

     

    At the Application Name enter "Windows2016-RDP"

    At the "Application Type", if this server has joined a Windows domain then you can select "Windows Domain Service".

    If it has not joined a Windows domain and if you have a Windows Proxy server managing the user accounts/passwords on this machine then you can select "Windows Proxy".

    If this server has not joined a Windows domain and you do not have a Windows Proxy then just select "Generic".

    For your testing, I would just say select "Generic". Explore the others in the future.

    Click "Save"

     

    If you are using PAM 2.8.3, you would see the "Go to Accounts List" link at the upper left corner.

    If not, just look for "Policy - Manage Passwords - Target - Accounts"

     

    If you are on PAM 3.x.x then the menu would be different but look for "Target Accounts".

     

    If you have selected "Generic" 

    This is an object representing the user account on the target device.

    Click "Add" to create.

    You should be able to look up and select the hostname you created above.

    You should be able to look up and select the application you created above.

    At the "Account Name" enter the local username such as "Administrator"

    Enter the user password at the "Password" field.

    Click "Save"

     

    Go back to the Device tab and select the previously created device.

    At the Access Method, click Add 

     

    Now go to Policy and select your PAM username and the target device you created and click "Create Policy"

    At the Access, click "Add" and select "RDP". Here you will see an empty field at the right hand side, click on that empty field and you will see the user account you created.

    If you want auto-login, you can select this user.

    If you want the user to manually enter their credentials then you do not need to link the user account.

    Click Save.

     

    Go to the "Access" tab and you should be able to see the registered target device.

    It is general practice to click "Restart Session" before trying any new device.

    Next to the target device you would see the "RDP" button.

     

    If you click on it, you will be connecting to that device.



  • 4.  Re: Adding a "Test" Server in PAM

    Posted Feb 14, 2018 09:40 AM

    Sung Hoon,

     

    Thank you very much for these instructions!

     

    I have gone through them a few times, but for some reason once I complete them, I cannot see the registered target device in the Access tab.  I have restarted the session, logged out/in…and still it is not showing.

     

    I will keep working on it.

     

    Thanks again!

     

    Mike



  • 5.  Re: Adding a "Test" Server in PAM

    Broadcom Employee
    Posted Feb 14, 2018 12:32 PM

    Can you access the video at the link http://drops.shdc.io/kjQDYo ? This is for a special use case, but it shows all the steps needed to end up with an entry on the access page to connect to a target device. In your case you want to start with a built-in access method like RDP or SSH rather than using a custom service like the one shown in the video, but there are only minor differences in the procedure.



  • 6.  Re: Adding a "Test" Server in PAM

    Posted Feb 14, 2018 04:13 PM

    Thank you very much! It worked!

     
