Global settings
-
In the BeyondInsight console, go to Configuration > Privileged Access Management > Global Settings.
-
Set the options in each of the sections below. Click the Update button for each section to apply changes made in that section.
Sessions
| Setting | Description / Action |
|---|---|
| Connecting to systems using | Choose how you want to connect to systems. Select DNS Name or IP Address, or All if you want multiple connection options to be available. |
| Default RDP port for new Managed Systems | Change the default port for all RDP sessions. |
| Token timeout for remote session playback | Change the default timeout. The default is 30 seconds. The range is 10 - 60 seconds. |
| Session initialization timeout | Change the default session token value. The default is 60 seconds. The range is 5 - 600 seconds. Applies to SSH, RDP, and application sessions. |
| Default RDP screen resolution | Change the default screen resolution. Range is 640x480 - 1920x2058 pixels. An option is available to allow the client application to select screen resolution. |
| Allow multiple monitors in remote desktop sessions | Check this option to allow more than one monitor in a remote desktop session. |
| Enable smart sizing by default | Check this option to resize the RDP window to match the size of the user's screen. |
| Allow users to select a remote proxy | Check this option if you want users to be able to select specific BeyondInsight instances when making requests. |
| Make smart card device available in remote desktop sessions | When this option is checked, the user must log in to the session using smart card credentials when configured for the system. This setting applies to all RDP sessions and is disabled by default. |
| Hide record check box for ISA sessions | This option is checked by default. When this option is checked, ISA sessions are recorded and the Record Session check box is not available on ISA session requests. Uncheck this option if you want the Record Session check box available on the requests, giving the user the option to record the session. |
| Hide record check box for Admin Sessions | This option is checked by default. When this option is checked, Admin sessions are recorded and the Record Session check box is not available on the Start Admin Session form. Uncheck this option if you want the Record Session check box available on the form, giving the user the option to record the session. |
| Allow desktop background in remote desktop sessions | Controls whether the desktop background is displayed in the remote session. Can be disabled in scenarios of slower network connections. |
| Bypass SSH Connection Tests | This option is disabled by default; therefore, Password Safe performs a quick connectivity test to the target system to validate it’s online and available. Checking this option to bypass the SSH connectivity test can be useful in environments when systems may not always be online and available. Allowing the test to happen can result in a faster connectivity failure response back to the user (ie: a 5 sec test vs a 30 sec timeout for an SSH connection). If systems are consistently available, then the test can be bypassed to slightly reduce the initial connection time. |
Requests
| Setting | Description / Action |
|---|---|
| Require a ticket system and ticket number for ISA requests | Enable to have mandatory completion of the Ticket System and Ticket Number fields on all requests. |
| Display who has approved sessions | Enable this option on all requests. |
| Reason is required for new ISA requests | Enable this option on all requests. |
| Auto-select access policy for Quick Launch | Enable to automatically select the best access policy. When this option is selected, the access policy with the most available actions, or multiple access policies will be selected if each one has a different action. When this option is not selected, all the available access policy schedules will display when using Quick Launch. |
| Bypass SSH Landing Page for Quick Launch | Enable to save time for users when connecting using Quick Launch. |
| Bypass SSH Landing Page for regular or ISA requests | Enable to bypass the SSH landing page when running an SSH Session or SSH Application Session, and instead directly open PuTTY. This setting applies only to regular requests, ISA requests, and admin sessions. It does not apply to sessions initiated using Quick Launch. |
| Domain Account Concurrency Behavior | This setting defines how the Concurrent setting in an access policy applies the checkout concurrency for a domain account. When Account is selected, Password Safe applies the checkout concurrency to how many concurrent sessions a domain account may have per environment. When Account and System is selected, Password Safe applies the checkout concurrency to how many concurrent sessions a domain account may have per system in an environment. |
| View Password and SSH Session request display timeout (seconds) | Enter a number between 0 and 300 seconds, to set the maximum time for viewing a credential. The default is 120 seconds. Setting this number to 0 disables the timer, and the credential remains visible until the user closes the view or navigates away from the screen. |
Session monitoring
| Setting | Description / Action |
|---|---|
| Keystroke logging for admin session (RDP) | Records keystrokes for recorded RDP admin sessions that can be viewed in the right pane when viewing a recorded session. This is enabled by default. Uncheck this option to disable keystroke recording for RDP admin sessions. |
| Keystroke logging for admin session (SSH) | Records keystrokes for recorded SSH admin sessions that can be viewed in the right pane when viewing a recorded session. This is enabled by default. Uncheck this option to disable keystroke recording for SSH admin sessions. |
| Keystroke logging for ISA (RDP) | Records keystrokes for recorded RDP ISA sessions that can be viewed in the right pane when viewing a recorded session. This is enabled by default. Uncheck this option to disable keystroke recording for RDP ISA sessions. |
| Keystroke logging for ISA (SSH) | Records keystrokes for recorded SSH ISA sessions that can be viewed in the right pane when viewing a recorded session. This is enabled by default. Uncheck this option to disable keystroke recording for SSH ISA sessions. |
| Keystroke logging for ISA (Application) | Records keystrokes for recorded ISA application sessions that can be viewed in the right pane when viewing a recorded session. This is enabled by default. Uncheck this option to disable keystroke recording for ISA application sessions. |
| Enhanced session auditing for ISA (RDP) | Enhanced session auditing captures and records all mouse activity in the Keystrokes menu of Recorded Sessions for RDP sessions. Enhanced session auditing is enabled by default. It uses the rules in the access policy for Admin Session multi-session checkouts. During a recorded RDP session, an agent called pbpsmon is installed on the host for the duration of the session. The agent monitors and audits Windows click events. |
| Enhanced session auditing for ISA (application) | Enhanced session auditing captures and records all mouse activity in the Keystrokes menu of Recorded Sessions for RDP application sessions. Enhanced session auditing is enabled by default. It uses the rules in the access policy for Admin Session multi-session checkouts. During a recorded RDP session, an agent called pbpsmon is installed on the host for the duration of the session. The agent monitors and audits Windows click events. |
Note
Session monitoring captures text that is copied in an RDP session window. The copied text is captured only the first time. Any subsequent copy tasks of the same text are not captured for the session.
Note
To use enhanced session auditing, the functional account of the managed Windows host or Remote Desktop Services host must have administrative rights.
Purging
| Setting | Description / Action |
|---|---|
| Minimum retention for old password | Set the number of days to retain old passwords. The default is 30 days. The range is 1 - 360 days. |
| Number of old passwords to retain | Set the number of past passwords to retain. The default is 5 passwords. The range is 1 - 30 passwords. Password Safe will retain, at minimum, a number of passwords equal to the total of the current password (1) plus the value for Past Passwords. Password Safe will delete all passwords that are older than the number of days equal to the value of Minimum Retention Days. |
| Retention period for sent mail log | Set the number of days to store log entries for sent email. The default is 30 days. The range is 1 - 365 days. |
| Retention period for admin log | Set the number of days to store the administrator activity logs. The default is 90 days. The range is 30 - 365 days. |
| Retention period for password change log | Set the number of days to store password change logs. The default is 90 days. The range is 30 - 365 days. |
| Retention period for password test results | Set the number of days to store success and failure results for automated password tests. The default is 30 days. The range is 10 - 90 days. |
| Retention period for system event log | Set the number of days to store system event logs. The default is 365 days. The range is 5 - 1095 days. |
Miscellaneous
| Setting | Description / Action |
|---|---|
| Unlock accounts on password change | Enable for locked accounts to automatically unlock when their password has changed. |
| Enable Rebex debug logging | Enable Rebex debug logging to troubleshoot custom platform issues. |
| Jumphost connection format | Select Hostname or IP Address. |
| Enable automatic admin notifications for failed password events | Failed email notifications can be sent to multiple admin accounts. Disable to stop sending admin notification emails, or enable to start sending admin notification emails. This setting is disabled for new installations but enabled for existing installations. |
| Enable automatic notifications for failed propagation events | Notifications are sent to the email address assigned to the Managed System, Managed Account, or Active Directory managed system. Disable to stop sending propagation notification emails, or enable to start sending propagation notification emails. This setting is enabled by default for all new installations. |
Note
To access propagation and password events from the BeyondInsight console, click Managed Accounts in the left menu. Click the vertical ellipsis to the right of a managed account, and then select Go to Advanced Details. Under Advanced Details, click Events.
Changes made to Global Settings can be seen on the User Audits page:
- Go to Configuration > General > User Audits.
- Changes that were made to Password Safe Global Settings are indicated as PMM Global Settings in the Section column. Click the i button for the audit item to view more details about the action taken.
Updated 6 days ago