Handling RDP Window Resizing and resolution

Benjamin · April 10, 2025, 1:00pm

Hi ,

resizing RDP windows while keeping a good aspect ration is important for admins who work throughout the day with remote sessions. Unfortunately, the ‘smart sizing’ option in mstsc often doesn’t meet usability expectations. Instead, some customers prefer to use a “refresh” function within some remote desktop manager software which will disconnet and reconnect a session on the fly and change the resolution to fit the actual size of the windows.

Unfortunately, disconnecting a Privilege Secure session inside a remote connection manager will lead to deprovisionig it. How you guys handle this scenario to improve administrator adoption and overall usability?

Btw, it is possible to set multiple allowed RDP resolutions under global settings in privilege secure but I couldn’t find how it modifies the user experience as the RDP token created will always have the configured standard resolution.

Regards
Benjamin

martin.cannard · April 10, 2025, 2:29pm

Hi Benjamin,

As you rightly say, when you close a DirectConnect session, it will deprovision it. There is a workaround if you are expecting to open and close via the DirectConnect string. If you start the Activity in NPS via the GUI, you can then open and close the session in DirectConnect multiple times and it will remain running until the Activity expires.

We could consider adding a parameter to the connection string to keep it open, but we will need to research if we can do this. If you could open an enhancement request in the NPS Ideas portal, we’ll look into this for you.

As far as the resolutions are concerned in global settings, these are in place for a future feature where you would be able to provide a pick list of available resolutions when launched from the UI. At the moment, I do not have a date for that feature.

Hope this helps!

All the best,
Martin

kevin.horvatin · April 10, 2025, 9:49pm

Unfortunately, disconnecting a Privilege Secure session inside a remote connection manager will lead to deprovisionig it. How you guys handle this scenario to improve administrator adoption and overall usability?

You could start the session in the WebUI first and then use the direct connect to attach to the existing session. Since the direct connect didn’t start the session it won’t close it at the end. This is a work-around, there is also the ability to turn the “DisconnectSession” off in the NPS server settings.

This is a per Proxy Service setting (so if you have more than proxy, you will need to update the files on all servers).

It is also set per protocol (SSH/RDP)

In the ProxyService configuration files sbpam_ssh.json and sbpam_rdp.json found in the following directory: C:\ProgramData\Stealthbits\PAM\ProxyService

NOTE the above files may not exist, to create the defaults run the following command from a command prompt running as Administrator: "'C:\Program Files\Stealthbits\PAM\ProxyService\sbpam-proxy.exe' cfg -c sbpam_ssh
‘C:\Program Files\Stealthbits\PAM\ProxyService\sbpam-proxy.exe’ cfg -c sbpam_rdp

Either add or update the DisconnectSession setting to false (it is true by default).

If you had to create the default, then your sbpam_ssh.json file should look like this:

{
  "listenaddress": "0.0.0.0:4422",
  "DisconnectSession": false
}

and your sbpam_rdp.json file should look like this:

{
  "limitcolordepth": false,
  "listenaddress": "0.0.0.0:4489",
  "startuptimeout": "30s",
  "twofactorseparator": ",",
  "DisconnectSession": false
}

If you are unsure if your JSON file is syntactically correct, you can run the following command in PowerShell to validate it:

Get-Content C:\ProgramData\Stealthbits\PAM\ProxyService\sbpam_rdp.json | ConvertFrom-Json

If you have valid JSON you will see:

limitcolordepth    : False
listenaddress      : 0.0.0.0:4489
startuptimeout     : 30s
twofactorseparator : ,
DisconnectSession  : False

However if you did like I did when testing this out and forgot your comma after "twofactorseparator", you will see this!

ConvertFrom-Json : Invalid object passed in, ':' or '}' expected. (126): {
  "limitcolordepth": false,
  "listenaddress": "0.0.0.0:4489",
  "startuptimeout": "30s",
  "twofactorseparator": ","
"DisconnectSession": false
}
At line:1 char:32
+ Get-Content .\sbpam_rdp.json | ConvertFrom-Json
+                                ~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [ConvertFrom-Json], ArgumentException
    + FullyQualifiedErrorId : System.ArgumentException,Microsoft.PowerShell.Commands.ConvertFromJsonCommand

Benjamin · April 11, 2025, 8:16am

Hi,

thank you very much. I will try this workaround and write a feature request in the NPS ideas portal.

Regards
Benjamin

Benjamin · April 25, 2025, 7:16am

Hi Kevin,

I had some time to test your workaround, and while it works technically, the Windows session remains open if the user doesn’t sign out—even after the timeout set in the connection profile. From a security standpoint, this is less than ideal, even though the I/O recording continues to run.

Regards
Benjamin

kevin.horvatin · April 25, 2025, 3:20pm

to enforce a signout at the end of the session, you will need to add the “Logoff User” step to the activity.

When the session ends, after removing privilege from the user it will search for any open Sessions from that user on the target host and disconnect the user.

papin_kizito · June 9, 2025, 6:58pm

Does the sbpam_rdp.json config file allows other RDP session settings? since the last update, the mouse pointer does not change when inside the RDP Session. If you want to resize a window, the cursor remains on point/select, and you have to Aim exactly at the right pixel on a window border making it almost impossible to resize a window. It would be helpful to know which settings can be adjusted in the configuration file for the RDP and SSH session. (Color depth, clipboard / printer redirect, wallpaper, etc.)

dpiazza · June 10, 2025, 2:11pm

Hello, Papin! Welcome to the Netwrix Community

RDP session settings can be configured in the following location on Privilege Secure server(s):

\Program Files\Stealthbits\PAM\Web\rdp_template.txt

Please let me know if that helps! If you continue experiencing any issues with Privilege Secure’s RDP sessions, can you please create a support ticket?

- Dan

papin_kizito · June 10, 2025, 2:20pm

Thank you for the prompt response, this is exactly the settings file I was looking for. It will allow further customization of RDP sessions to find the right balance between speed, functionality and user experience.

dpiazza · June 10, 2025, 2:20pm

You’re welcome, Papin! I’m always happy to help

martin.cannard · June 10, 2025, 5:16pm

Hi Papin,

If you change any settings in this file, remember to back it up, as it will get overwritten when you upgrade. Ask me how I know

All the best,
Martin

system · August 9, 2025, 5:17pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
PAM configuration with non domain servers and SQL Discussions & Questions privilege-secure , sql-server , configuration	6	80	July 27, 2025
Integration NPS with "Powershell Code Signing" in ADDS Tiering Discussions & Questions privilege-secure , ideas	10	95	August 12, 2025
Fixing RDP Performance Issues to Windows 11 Hosts with Group Policy Show & Tell privilege-secure , rdp , windows	0	129	August 5, 2025
Issue with NPS Server in Workgroup - Getting DC name failed. Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN Discussions & Questions privilege-secure , ideas	14	172	July 29, 2025
July '25 Release (v25.08.04003) News privilege-secure , announcement , release-patch , product-update	6	235	August 8, 2025

Handling RDP Window Resizing and resolution

Related topics