This content describes how to configure the following options for Windows target devices:
Windows administrators can configure their servers to require Network Level Authentication (NLA) before the user is prompted to enter their credentials to lower the risk of DoS attacks. CA Privileged Access Manager accommodates this network level request so that it can complete connections.
This feature assumes and addresses the Allow connections only from computers running Remote Desktop with Network Level Authentication setting configured on the General tab of the RDP-Tcp Properties dialog.
In CA Privileged Access Manager, provision User access to the target Device described previously. As before, only the Device Name, its Address, and the Access Method "RDP" are mandatory in the Device record; no additional CA Privileged Access Manager configuration is required to handle the NLA requirement.
When a user selects the RDP Access Method, the RDP Access Method splash page appears, and then the CA Privileged Access Manager security window prompts for the NLA-based credentials request. After the user enters their credentials, CA Privileged Access Manager submits them to the target device to complete login.
Note: If password push (see next section) is applied to a Device, this login prompt is overridden.
In the Windows Remote Desktop Services (Terminal Services) Configuration server interface, there is an option that is labeled Always prompt for password. This option allows the Windows administrator to force a password prompt even when the client workstation has been configured to connect automatically.
Note: If NLA is enabled on an RDP server that is configured with the TLS security layer (the default for Windows Server 2008/2012), the Always prompt for password option is ignored. That is, users are not prompted for passwords even if the option is enabled. To support the Always prompt for password mechanism, the RDP server must be configured with the RDP Security Layer.
CA Privileged Access Manager can be configured at the Device Group level to automatically populate that prompt (with the password obfuscated), which forces the auto-connection configured at the Device level for every Device in that Device Group.
This feature assumes and addresses the following setting on a Windows target device.
For example, on Windows Server: Open Start > Administrative Tools > Terminal Services Configuration, open Terminal Services > Connections, select and right-click RDP-Tcp, select Properties, select tab Logon Settings. This setting forces the login prompt to always be presented.
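The following PowerShell check is an added example, not part of the CA Privileged Access Manager product or this documentation. Run on the Windows target device, it reads the RDP-Tcp settings that govern the behavior described above and reports whether the Always prompt for password option will actually be honored, using the NLA plus TLS rule stated in the note. It assumes the standard registry values UserAuthentication, SecurityLayer and fPromptForPassword under the RDP-Tcp WinStation key.

```powershell
# Added example (not CA PAM code): audit the RDP-Tcp listener settings that decide
# whether "Always prompt for password" is honored on this Windows target device.
# Assumption: the standard RDP-Tcp WinStation registry values are present:
#   UserAuthentication 1 = require NLA
#   SecurityLayer      0 = RDP Security Layer, 1 = Negotiate, 2 = TLS (SSL)
#   fPromptForPassword 1 = Always prompt for password

$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpPromptStatus {
    param([string]$KeyPath = $RdpTcpKey)

    $p = Get-ItemProperty -Path $KeyPath -ErrorAction Stop
    $nla    = [int]$p.UserAuthentication
    $layer  = [int]$p.SecurityLayer
    $prompt = [int]$p.fPromptForPassword

    $layerName = switch ($layer) {
        0 { 'RDP Security Layer' }
        1 { 'Negotiate' }
        2 { 'TLS' }
        default { "Unknown($layer)" }
    }

    # Rule from the documentation: with NLA enabled and the TLS security layer,
    # the Always prompt for password option is ignored. With Negotiate, the
    # effective layer depends on what the client negotiates, so it is flagged.
    $outcome = if ($prompt -ne 1) { 'not enabled' }
               elseif ($nla -eq 1 -and $layer -eq 2) { 'ignored (NLA + TLS)' }
               elseif ($nla -eq 1 -and $layer -eq 1) { 'depends on negotiated layer (NLA + Negotiate)' }
               else { 'honored' }

    [pscustomobject]@{
        RequireNLA          = ($nla -eq 1)
        SecurityLayer       = $layerName
        AlwaysPromptEnabled = ($prompt -eq 1)
        PromptOutcome       = $outcome
    }
}

# Report the current listener state; a PromptOutcome other than 'honored'
# means the auto-connection configured in CA PAM will not see the prompt.
Get-RdpPromptStatus | Format-List
```

Run it in an elevated PowerShell session on the target device before enabling password push at the Device Group level, so that the listener is confirmed to present the prompt the Device Group configuration expects.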
The following procedure assumes that you have already prepared Users, Devices, target accounts, and associated policies for auto-connection access using those target accounts.
When a CA Privileged Access Manager User selects the RDP Access Method the following actions occur: