Hi,
We have the following request:
When a forced check-out or timer expiry for a privileged account happens, the user should be logged off or all sessions should be force closed.
At the moment all RDM sessions opened with the check-out account just stay open until closed by the end user.
We use the following devolutions setup:
Though I like the idea of this, I would suggest to make it optional if it does not already exist.
Optional sounds good, as far as I know the feature doesn't exist. Maybe it's possible to script this with help from the dvls team.
Hello,
Thank you for your request. You're right, it is not something possible today. But I'm not sure I understand why it should be optional. What are the use cases where you would like to avoid a log-off after a check-in?
Best regards,
François Dubois
We have use cases where the user is transferring large amounts of data, and we do not want them logged off of a server when the timed session expires since the data transfer is still in progress. It may take a few days...
Hello,
Thank you for your answer. Is there a reason why the user doesn't request the account for a few days in those cases, if it can take a few days? But I understand that you could have cases where you don't really know if it will be fast or not, I guess. And if it is optional, who should be able to set that setting? Do you see that as a system setting or per account?
Best regards,
François Dubois
I am assuming that the session ending is the same as logging out the user from that server? This was from the original request: "user should be logged off or all sessions [should be force closed]"; that would kill the processes running on that system.
Hello,
Yeah, I understand that it would kill processes running on that system and this is what you want to avoid. But at the same time, who will decide whether to log off the user or not? Are there cases where, even if there are processes running, you want to close the session?
Best regards,
François Dubois
@francois,
Could we implement this with a PowerShell script for a Windows environment through RDM in the short term?
It would be high priority for us when users are checking out an account with domain administrator rights, for example.
Hello,
Unfortunately, I don't think it would be possible to implement such a feature with the PowerShell module, since the current PowerShell module doesn't allow killing sessions. I will analyze to see what could be done to improve that.
Best regards,
François Dubois
Could we solve it like this for now?
We as the customer create a local PowerShell script in a designated folder that can be used to kill remote sessions.
RDM/DVLS would then have an option to be linked to this script.
So every time the account is checked in (or force checked in), DVLS would just send a command to the server to run that specific script with x parameters?
1) check-in account
2) DVLS runs the script with x parameters, which then runs another script with the passed parameters?
3) account password is rotated
4) end
Hello,
Thank you for your patience. To be honest, I'm not sure if I understand your need correctly. You would like to be able to run a PowerShell script when we check in a PAM account. For example, you have an RDP session using a PAM account to launch the session. On that RDP entry, you would like to link a PowerShell script that would run when the PAM account is checked in, am I understanding correctly? What would you like to do in that PowerShell script?
Best regards,
François Dubois
To be clear, we would like the following option from an RDP/Windows viewpoint:
When you check out a PAM account for x amount of time, then after x amount of time you need to be forced out of your Windows RDP session.
We could let the user know through RDM that the PAM session is about to expire and ask if they would like to extend it (with approval if applicable).
When the PAM session expires there should be a force close of your session / a force log-off from the server you are working on.
The first one could be native to RDM and the second one could be a PowerShell script that is run from the Devolutions server. The script could then force log-off the user from all known open / recent sessions within the RDM client.
It does not stop misuse by users who do not use RDM, but that is something that could be mitigated by enforcing the use of the Devolutions Gateway as the connection point for RDP connections.
This is something that could be implemented natively within Devolutions PAM as a security policy on a PAM vault.
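As an added illustration of the "local PowerShell script that kills remote sessions" proposed above (the check-in workflow step 2 and the force log-off described in this post), here is a stand-alone script, not code from Devolutions or from this thread, that finds and ends every session of a named account on a list of servers using the built-in `query user` and `logoff` tools. How DVLS would invoke it and pass the account name and server list is an assumption; the script name, parameters and `-ReportOnly` switch are hypothetical.

```powershell
<#
  Revoke-PamSessions.ps1 (hypothetical name, example code)
  Logs off every interactive/RDP session of $UserName on each server in $ComputerName.
  Intended to be triggered at check-in / checkout expiry by the PAM server (assumed integration).
  Requires: the caller must be a local administrator on each target server, and the
  target must accept remote session queries (RPC over SMB / Remote Desktop Services).
#>
param(
    [Parameter(Mandatory)] [string]   $UserName,      # sAMAccountName of the checked-in PAM account
    [Parameter(Mandatory)] [string[]] $ComputerName,  # servers where that account may have sessions
    [switch] $ReportOnly                              # list matching sessions without logging them off
)

# Parse 'query user /server:X'. Columns: USERNAME [SESSIONNAME] ID STATE IDLE LOGON TIME.
# Disconnected sessions omit SESSIONNAME, so the ID is taken as the first purely numeric field.
function Get-UserSessions([string]$Server, [string]$User) {
    $lines = & query user /server:$Server 2>$null
    if (-not $lines) { return @() }                   # unreachable host or no sessions at all
    $lines | Select-Object -Skip 1 | ForEach-Object {
        # A leading '>' marks the caller's own session; remove it before splitting.
        $fields = ($_ -replace '^\s*>', '') -split '\s+' | Where-Object { $_ }
        $id = $fields | Where-Object { $_ -match '^\d+$' } | Select-Object -First 1
        if ($fields.Count -ge 3 -and $fields[0] -ieq $User -and $id) {
            [pscustomobject]@{ Server = $Server; User = $fields[0]; Id = [int]$id; State = $fields[-4] }
        }
    }
}

foreach ($server in $ComputerName) {
    $sessions = @(Get-UserSessions -Server $server -User $UserName)
    if (-not $sessions) {
        Write-Output "$($server): no session found for $UserName"
        continue
    }
    foreach ($s in $sessions) {
        if ($ReportOnly) {
            Write-Output "$($server): would log off session $($s.Id) ($UserName, $($s.State))"
            continue
        }
        # 'logoff' ends the session and every process running in it, the trade-off debated in this thread.
        & logoff $s.Id /server:$server
        Write-Output "$($server): logged off session $($s.Id) ($UserName) at $(Get-Date -Format o)"
    }
}
```

Run it first with `-ReportOnly` from the PAM server's service account to confirm the query works against each target before wiring it to the check-in event; the output lines are worth forwarding to the SIEM as a record of when access was actually revoked.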
Hello,
Thank you for your answer. Now I understand your request. We have received similar requests to yours, and it is an aspect that we want to improve. We have customers asking to terminate the session after the end of checkout, but we also have customers who do not want that because a file copy could be in progress, for example, and they don't want to stop it. However, I understand your use case as well, where you want to remove access at the end of the checkout. Adding that limitation will force us to have a way to extend the checkout. We want to work on that soon to allow the user to request more time or additional permissions (JIT). We would like to focus on that first, then work on a way to stop the session. Our solution will probably use the Devolutions Gateway, where it could terminate the session at a specific time. By enforcing the use of Devolutions Gateway, you will be assured that the user will not be able to continue a session after the end of checkout.
Meanwhile, I will have a talk with the RDM team to see what could be possible on the client side to stop sessions. Like you said, it would not be perfect, but it could help to improve security before we have a better solution with Devolutions Gateway that could come later.
Let me know if you have more questions.
Best regards,
François Dubois