Handling RDP Window Resizing and resolution

Hi,

resizing RDP windows while keeping a good aspect ratio is important for admins who work throughout the day with remote sessions. Unfortunately, the ‘smart sizing’ option in mstsc often doesn’t meet usability expectations. Instead, some customers prefer to use a “refresh” function within some remote desktop manager software which will disconnect and reconnect a session on the fly and change the resolution to fit the actual size of the windows.

Unfortunately, disconnecting a Privilege Secure session inside a remote connection manager will lead to deprovisioning it. How do you guys handle this scenario to improve administrator adoption and overall usability?

Btw, it is possible to set multiple allowed RDP resolutions under global settings in Privilege Secure, but I couldn’t find how it modifies the user experience, as the RDP token created will always have the configured standard resolution.

Regards
Benjamin

Hi Benjamin,

As you rightly say, when you close a DirectConnect session, it will deprovision it. There is a workaround if you are expecting to open and close via the DirectConnect string. If you start the Activity in NPS via the GUI, you can then open and close the session in DirectConnect multiple times and it will remain running until the Activity expires.

We could consider adding a parameter to the connection string to keep it open, but we will need to research if we can do this. If you could open an enhancement request in the NPS Ideas portal, we’ll look into this for you.

As far as the resolutions are concerned in global settings, these are in place for a future feature where you would be able to provide a pick list of available resolutions when launched from the UI. At the moment, I do not have a date for that feature.

Hope this helps!

All the best,
Martin

1 Like

Unfortunately, disconnecting a Privilege Secure session inside a remote connection manager will lead to deprovisioning it. How do you guys handle this scenario to improve administrator adoption and overall usability?

You could start the session in the WebUI first and then use the direct connect to attach to the existing session. Since the direct connect didn’t start the session, it won’t close it at the end. This is a workaround; there is also the ability to turn the “DisconnectSession” off in the NPS server settings.

This is a per Proxy Service setting (so if you have more than one proxy, you will need to update the files on all servers).

It is also set per protocol (SSH/RDP).

In the ProxyService configuration files sbpam_ssh.json and sbpam_rdp.json found in the following directory: C:\ProgramData\Stealthbits\PAM\ProxyService

NOTE: the above files may not exist. To create the defaults, run the following commands from a command prompt running as Administrator:

"C:\Program Files\Stealthbits\PAM\ProxyService\sbpam-proxy.exe" cfg -c sbpam_ssh
"C:\Program Files\Stealthbits\PAM\ProxyService\sbpam-proxy.exe" cfg -c sbpam_rdp

Either add or update the DisconnectSession setting to false (it is true by default).

If you had to create the default, then your sbpam_ssh.json file should look like this:

{
  "listenaddress": "0.0.0.0:4422",
  "DisconnectSession": false
}

and your sbpam_rdp.json file should look like this:

{
  "limitcolordepth": false,
  "listenaddress": "0.0.0.0:4489",
  "startuptimeout": "30s",
  "twofactorseparator": ",",
  "DisconnectSession": false
}

If you are unsure if your JSON file is syntactically correct, you can run the following command in PowerShell to validate it:

Get-Content C:\ProgramData\Stealthbits\PAM\ProxyService\sbpam_rdp.json | ConvertFrom-Json

If you have valid JSON you will see:

limitcolordepth    : False
listenaddress      : 0.0.0.0:4489
startuptimeout     : 30s
twofactorseparator : ,
DisconnectSession  : False

However if you did like I did when testing this out and forgot your comma after "twofactorseparator", you will see this!

ConvertFrom-Json : Invalid object passed in, ':' or '}' expected. (126): {
  "limitcolordepth": false,
  "listenaddress": "0.0.0.0:4489",
  "startuptimeout": "30s",
  "twofactorseparator": ","
"DisconnectSession": false
}
At line:1 char:32
+ Get-Content .\sbpam_rdp.json | ConvertFrom-Json
+                                ~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [ConvertFrom-Json], ArgumentException
    + FullyQualifiedErrorId : System.ArgumentException,Microsoft.PowerShell.Commands.ConvertFromJsonCommand

2 Likes
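
A scripted version of the procedure in the post above, as an added example that is not part of the original post and not Netwrix's own tooling: it parses each file before touching it, keeps a backup, and adds or updates DisconnectSession while preserving the other keys. The function name Set-DisconnectSession and the backup file naming are assumptions; the directory, file names and key name are the ones quoted in the thread.

```powershell
# Added example, not vendor code. Run in an elevated PowerShell session on each proxy server.
$configDir = 'C:\ProgramData\Stealthbits\PAM\ProxyService'   # path quoted in the thread

function Set-DisconnectSession {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Path,
        [bool] $Value = $false
    )
    $ErrorActionPreference = 'Stop'   # any failure aborts before the file is rewritten

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Missing $Path; create the defaults with 'sbpam-proxy.exe cfg -c ...' first."
    }

    # Parse first: a syntax error (such as a missing comma) stops here,
    # before anything on disk is modified.
    $cfg = Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json

    # Keep a timestamped copy so the change can be rolled back.
    $backup = '{0}.{1}.bak' -f $Path, (Get-Date -Format 'yyyyMMddHHmmss')
    Copy-Item -LiteralPath $Path -Destination $backup

    # Add the key if absent, overwrite it if present; other keys are untouched.
    $cfg | Add-Member -NotePropertyName 'DisconnectSession' -NotePropertyValue $Value -Force

    # Serialize, then re-parse the exact text that will be written.
    $json = $cfg | ConvertTo-Json -Depth 5
    $null = $json | ConvertFrom-Json

    # Assumption: the config holds only ASCII characters, as in the samples above.
    # ASCII output also avoids the byte-order mark that Windows PowerShell's UTF8 adds.
    Set-Content -LiteralPath $Path -Value $json -Encoding Ascii

    [pscustomobject]@{ File = $Path; DisconnectSession = $Value; Backup = $backup }
}

# The setting is per protocol, so both files are updated.
foreach ($name in 'sbpam_ssh.json', 'sbpam_rdp.json') {
    Set-DisconnectSession -Path (Join-Path $configDir $name)
}
```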

Hi,

thank you very much. I will try this workaround and write a feature request in the NPS ideas portal.

Regards
Benjamin

3 Likes

Hi Kevin,

I had some time to test your workaround, and while it works technically, the Windows session remains open if the user doesn’t sign out—even after the timeout set in the connection profile. From a security standpoint, this is less than ideal, even though the I/O recording continues to run.

Regards
Benjamin

1 Like

To enforce a signout at the end of the session, you will need to add the “Logoff User” step to the activity.

When the session ends, after removing privilege from the user it will search for any open Sessions from that user on the target host and disconnect the user.

1 Like

Does the sbpam_rdp.json config file allow other RDP session settings? Since the last update, the mouse pointer does not change when inside the RDP session. If you want to resize a window, the cursor remains on point/select, and you have to aim exactly at the right pixel on a window border, making it almost impossible to resize a window. It would be helpful to know which settings can be adjusted in the configuration file for the RDP and SSH session. (Color depth, clipboard / printer redirect, wallpaper, etc.)

1 Like

Hello, Papin! Welcome to the Netwrix Community 😎

RDP session settings can be configured in the following location on Privilege Secure server(s):

\Program Files\Stealthbits\PAM\Web\rdp_template.txt

Please let me know if that helps! If you continue experiencing any issues with Privilege Secure’s RDP sessions, can you please create a support ticket?

- Dan

Thank you for the prompt response, this is exactly the settings file I was looking for. It will allow further customization of RDP sessions to find the right balance between speed, functionality and user experience.

2 Likes

You’re welcome, Papin! I’m always happy to help 👍

1 Like

Hi Papin,

If you change any settings in this file, remember to back it up, as it will get overwritten when you upgrade. Ask me how I know 😀

All the best,
Martin

1 Like
