RDM Client Setting Enforcement for Regulated Environments


Hi,

I am currently reviewing how some of the components of the application address certain industry regulations and security requirements that I need to abide by in my environment.

In Settings > Tools > SSH key agent, there are some options that we need to enforce/strictly set so that users cannot change these parameters. Specifically, we would need to enforce the state of Start agent on application start and Stop SSH key agent on lock. There may be a way to do this already, but I did not see any existing GPOs or registry values that indicate it can be strictly set. Also, could you please clarify if "on lock" refers to the application level lock, or when the Windows desktop session is locked? Or both?

In addition to the above, the following is more of a feature request: the actual regulatory requirement we are trying to meet is when an SSH-agent or similar key caching program is used, key caches that are set to expire within a certain period of time (in minutes or hours) of inactivity. Our concern is that while someone will usually be away from their computer long enough every couple of hours to cause a session lock (which would then stop the agent, thereby invalidating the key cache), there would be scenarios where someone is connected to a device but they are not actively interacting with that session if they are working across multiple machines or environments at once -- so while someone is 'active' at their computer and in the application, it is possible that an inactive session could be open longer than what the regulatory requirement would allow for.

I understand that in a perfect world, the server running sshd would certainly disconnect idle sessions before that happens, however, without an explicit way to configure and enforce this on both the client and the server side, it makes proving compliance to auditors difficult.

Anecdotally, for similar reasons we would also like to know if there is a way to force-disable the use of the mouse jiggler function for RDP Sessions.

All Comments (1)


Hello,

I'll go over your points in order.

> GPOs for "Start agent on application start" and "Stop SSH key agent on lock"

These don't currently exist; I will open a ticket for that.

> could you please clarify if "on lock" refers to the application level lock, or when the Windows desktop session is locked?

The lock in this case is the application-level lock. You can configure the application lock to apply when locking Windows as well. This is located in File > Settings > Security. There is also a GPO for this called ForceLockOnWindowsLock. There are also other GPOs for the other lock triggers, as well as a GPO to enforce the user to configure an application password to enable the locking feature (ForceLocalApplicationPassword).

> In addition to the above, the following is more of a feature request: the actual regulatory requirement we are trying to meet is when an SSH-agent or similar key caching program is used, key caches that are set to expire within a certain period of time (in minutes or hours) of inactivity. Our concern is that while someone will usually be away from their computer long enough every couple of hours to cause a session lock (which would then stop the agent, thereby invalidating the key cache), there would be scenarios where someone is connected to a device but they are not actively interacting with that session if they are working across multiple machines or environments at once -- so while someone is 'active' at their computer and in the application, it is possible that an inactive session could be open longer than what the regulatory requirement would allow for.

> I understand that in a perfect world, the server running sshd would certainly disconnect idle sessions before that happens, however, without an explicit way to configure and enforce this on both the client and the server side, it makes proving compliance to auditors difficult.

Just to understand, are you looking for one, or both of these:
- Disconnect the SSH session itself after being idle for a certain amount of time
- Stop the SSH key agent after not being used for a certain amount of time

The first point might be more difficult. I would have to check with our terminal expert what we can do. Usually this is more something the server handles, but I understand that having something built into the client to ensure this would be useful. The closest we have at the moment is the setting to close the session after X amount of time, but it doesn't check for activity. It's called "automatically close session after", and you can find it in any session, such as the SSH terminal, in its Advanced settings.

> Anecdotally, for similar reasons we would also like to know if there is a way to force-disable the use of the mouse jiggler function for RDP Sessions.

There is a GPO called "DisableMouseJiggler" as well as a configuration in the System Settings to disable it.

Regards,

Hubert Mireault
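The thread leaves the idle-session side to the server. As an added example (not RDM's or Devolutions' code), this shell helper checks an sshd_config for an inactivity timeout an auditor could accept, and separates it from keepalives, which only detect a dead client. It assumes OpenSSH 9.2 or later (where the ChannelTimeout directive exists) and uses a constructed sample configuration.

```shell
# Added audit helper, not RDM's code: report whether an sshd_config enforces
# an inactivity timeout on interactive SSH sessions. Assumes OpenSSH 9.2 or
# newer, where the ChannelTimeout directive exists. ClientAliveInterval and
# ClientAliveCountMax only detect a dead client; an idle but connected
# client keeps answering keepalives, so they are not an inactivity control.

# Convert an OpenSSH time spec (900, 15m, 1h30m, ...) to seconds.
to_seconds() {
    spec=$1 total=0
    case $spec in ''|*[!0-9smhdw]*) return 1 ;; esac
    while [ -n "$spec" ]; do
        num=${spec%%[!0-9]*}            # leading digits
        [ -n "$num" ] || return 1       # a unit with no number is invalid
        rest=${spec#"$num"}
        unit=${rest%"${rest#?}"}        # first character of $rest, or empty
        case $unit in
            ''|s) mult=1 ;;  m) mult=60 ;;  h) mult=3600 ;;
            d) mult=86400 ;; w) mult=604800 ;;
        esac
        total=$((total + num * mult))
        spec=${rest#?}
    done
    echo "$total"
}

# Print the idle timeout (seconds) applied to session channels by the given
# sshd_config; print nothing and return 1 if none is configured.
session_idle_timeout() {
    timeout=
    while IFS= read -r pair; do          # here-doc: no subshell, no globbing of "session:*"
        case ${pair%%=*} in
            session*|global) timeout=$(to_seconds "${pair#*=}") || return 1 ;;
        esac
    done <<EOF
$(sed 's/#.*//' "$1" | awk 'tolower($1) == "channeltimeout" {for (i = 2; i <= NF; i++) print $i}')
EOF
    [ -n "$timeout" ] && echo "$timeout"
}

# Constructed sample configuration for demonstration (not a real host's).
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# Keepalives catch a dead client only; they do not time out idle users.
ClientAliveInterval 300
ClientAliveCountMax 2
# Close interactive sessions idle for 15 minutes (OpenSSH 9.2+).
ChannelTimeout session:*=15m x11-connection=1h
EOF
session_idle_timeout "$SAMPLE_CFG"; rm -f "$SAMPLE_CFG"
```

Match blocks are not evaluated, so audit any per-user or per-group overrides separately. For OpenSSH's own agent the client-side counterpart is a key lifetime (ssh-add -t), which is an absolute limit rather than an inactivity one.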