Symantec Privileged Access Management


 Need CA Suggestion

Purushothaman Anbazhagan posted May 14, 2023 02:50 AM
Hi Team,

Please find below the questions that came from my clients, and please suggest which is the best practice:
1. When the target RDP devices are accessed via service accounts, it takes only two sessions, and it is not a unique session, so what will be the solution to get unique and multiple sessions using a service account?
2. Normally the end users log in to the target RDP devices with the service accounts, so the target device log management captures only the service accounts. Is it possible to get the user information (the exact user ID is needed in the logs), such as which user did the activities, in the device logs?
3. Can the domain users (end users) do auto-login on the target RDP devices if the users are mapped with the user group to the device group?
4. If the end users are part of a user group and they try to log in to the target RDP servers, it prompts with the credentials list. Is it possible to do auto-login without prompting the credentials list?
5. Could you please suggest which is the best practice for the implementation below:
    a. User group + Device Group + Access Policy using service accounts.
    b. Single user + single device group + single policy for each user, and all the users will use their own service accounts (all the users will get their own service accounts).

Thanks & Regards,
Purushothaman. A

Broadcom Employee Ralf Prigl

1. This is not a question for PAM. It is a matter of configuring the Windows RDP server, specifically RDP licensing.
2. The PAM session logs will show which users launched an access session to the remote server. For full login integration, review documentation page Privileged Access Manager Server Control Login Integration.
3. Yes, auto-login can be configured in any policy, whether it's a policy for individual users and devices, or groups.
4. If you have more than one credential configured in an access policy, PAM needs to ask which credential you want to use. If you don't want a list of accounts to choose from, configure only one account for auto-login.
5. That depends on your environment and your use cases. A common use case is to have a list of service accounts defined in an access policy for a user group and configure them with Check-Out/Check-In, see documentation page Require an Account Check-Out to View the Password. The first user (user 1) to connect to the RDP server picks any of the available service accounts. While checked out for user 1, this service account is not available for other users, and user 2 has to pick another account from the list. This ensures that all users have independent sessions, while not requiring a separate account for each user.
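
An added illustration, not part of the reply above and not Broadcom code: with exclusive check-out as described in answer 5, each service account has one holder at a time, so a target-device log entry that names only the service account (question 2) can be mapped back to a user. The record layout, account names and user names are constructed for the example and are not a PAM export format.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed check-out records: (service account, PAM user, checked out, checked in)
CHECKOUTS = [
    ("svc_rdp01", "alice", "2023-05-14 09:00", "2023-05-14 10:30"),
    ("svc_rdp02", "bob",   "2023-05-14 09:15", "2023-05-14 09:45"),
    ("svc_rdp01", "bob",   "2023-05-14 11:00", "2023-05-14 12:00"),
]
# Constructed target-device log entries: (time, account seen by the device, activity)
EVENTS = [
    ("2023-05-14 09:20", "svc_rdp01", "logon"),
    ("2023-05-14 09:30", "svc_rdp02", "logon"),
    ("2023-05-14 10:45", "svc_rdp01", "logon"),
    ("2023-05-14 11:10", "svc_rdp01", "service stopped"),
]

def parse(ts):
    return datetime.strptime(ts, FMT)

def overlapping_checkouts(checkouts):
    """Return (account, holder, second_user) where two check-outs of one account overlap."""
    by_account = {}
    for account, user, start, end in checkouts:
        by_account.setdefault(account, []).append((parse(start), parse(end), user))
    clashes = []
    for account, spans in by_account.items():
        held_until, holder = None, None
        for start, end, user in sorted(spans):
            if held_until is not None and start < held_until:
                clashes.append((account, holder, user))  # exclusivity broken
            if held_until is None or end > held_until:
                held_until, holder = end, user
    return clashes

def attribute(events, checkouts):
    """Attach the holding user to each device event; None means no unique holder."""
    result = []
    for ts, account, activity in events:
        when = parse(ts)
        users = [u for a, u, s, e in checkouts
                 if a == account and parse(s) <= when < parse(e)]
        owner = users[0] if len(users) == 1 else None
        result.append((ts, account, activity, owner))
    return result

if __name__ == "__main__":
    for row in attribute(EVENTS, CHECKOUTS):
        print(row)
```

An owner of `None` marks an event that no single check-out covers, for example a service account used on the device while it was not checked out, which is worth reviewing.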