SecretZero Connector server Installation and Configuration Guide

Table of Contents

  1. Overview
  2. Prerequisites
  3. Installation
  4. RDS Configuration
  5. Security Configuration
  6. Testing & Verification
  7. Troubleshooting
  8. Maintenance

Overview

The SecuriTaaS Connector enables secure remote connections through RDP and SSH protocols. This guide provides comprehensive installation and configuration instructions for IT administrators.

Prerequisites

System Requirements

  • Windows Server 2019 or later
  • .NET Framework 4.7.2 or later
  • Minimum 16GB RAM
  • 10GB free disk space
  • Administrator privileges
  • Remote Desktop Services role

Installation Package Contents

securitaasconnector.zip/
├── securitaasconnector.exe
├── connector.ini
├── putty.exe
└── winscp/
    ├── WinSCP.com
    └── WinSCP.exe

Installation

1. Directory Setup

  1. Create the following directory structure:

    C:\Program Files\SecuriTaaSConnector\
    ├── app/
    ├── certs/
    ├── logs/
    ├── putty/
    └── winscp/
    

  2. Extract Package:

    - Extract securitaasconnector.zip to C:\Users\<user>\Documents\SecuriTaaSConnector
    - Move components to appropriate directories:
      - securitaasconnector.exe → app/
      - putty.exe → putty/
      - winscp folder contents → winscp/
    

2. Configuration Setup

Edit the connector.ini file with the following configuration:

2.1 SecurITaas Server Settings

[soserver]
#####################Securitaas Server Settings#######################################
server=<Your SecurITaas Server IP or FQDN>
port=9001
token_validation_bypass=false
token_validation_timeout=5
#####################END OF Securitaas Server Settings#################################

Configuration Parameters:

  • server: IP address or FQDN of your SecurITaas appliance (required)
  • port: Port for SecurITaas server communication (default: 9001)
  • token_validation_bypass: Set to false for production (security validation enabled)
  • token_validation_timeout: Timeout in seconds for token validation (default: 5)

2.2 Non-Standard Values (RDP and Session Settings)

[non standard values]
# Options: if 0, the session will have a 24 hours timeout. If not 0, the session will have a timeout in seconds.
def_timeout=86400
non_standard_rdp_port = 3389
rdp_redirect_server_name = 0
rdp_negotiate_security_layer = 1
rdp_authentication_level = 2
# Options: 0, 1, if 1, the session will be opened expecting NLA to be enabled. Leave it to 0 to work with securitaas
rdp_enablecredsspsupport = 0
rdp_prompt_for_credentials = 0
redirectdrives_setting = 1
# Options: DEBUG, INFO, WARNING, ERROR, CRITICAL
log_level = INFO
grace_period = 300

Configuration Parameters:

  • def_timeout: Default session timeout in seconds. If set to 0, sessions will have a 24-hour timeout (86400 seconds). Otherwise, specify timeout in seconds (default: 86400 = 24 hours)
  • non_standard_rdp_port: RDP port for Windows connections (default: 3389)
  • rdp_redirect_server_name: Set to 0 to disable server name redirection
  • rdp_negotiate_security_layer: Set to 1 to enable security layer negotiation (recommended)
  • rdp_authentication_level: Authentication level (0=None, 1=Required, 2=Required and Warn)
  • rdp_enablecredsspsupport: Set to 0 to disable CredSSP support (required for SecurITaas)
  • rdp_prompt_for_credentials: Set to 0 to disable credential prompts (required for SecurITaas)
  • redirectdrives_setting: Set to 1 to enable drive redirection, 0 to disable
  • log_level: Logging level (DEBUG, INFO, WARNING, ERROR, CRITICAL). Default: INFO
  • grace_period: Grace period in seconds when session timeout is reached (default: 300 = 5 minutes)

2.3 Linux/SSH Configuration Values

[linuxvals]
# Options: path to the certificates directory this is the path to the certificates directory.
certs_dir = C:\Program Files\SecuriTaaSConnector\certs
#################DEFAULT VALUES, DO NOT CHANGE#######################################
api_base_url = /cert
lport=9001
auth_url = /auth/token
###################END OF DEFAULT VALUES#####################################
# Options: path to WinSCP.com this is the path to the WinSCP client.
winscp_path = C:\Program Files (x86)\WinSCP\WinSCP.com
# Options: path to WinSCP.exe this is the path to the WinSCP client.
winscp_exe_path = C:\Program Files (x86)\WinSCP\WinSCP.exe
# Options: path to putty.exe this is the path to the PuTTY client.
putty_path = C:\Program Files\SecuriTaaSConnector\putty\putty.exe
# Options: path to securitaassecuresftp.exe this is the path to the SecuritaasSecureSftp client.
sftp_client_path = 
# Options: \\tsclient\C\ this is the location where the user will be able to access their own files.
sftp_local_root = \\tsclient\C\
# Options: /home/<username> this is the location where the user will be able to access the files, if only /
# is specified, the user will be able to access all the files.
sftp_remote_root = 
sftp_port = 22
# Options: 0, 1, if 1, the session will be opened with elevated privileges/access right chosen by the user.
open_elevated_sftp_session = 0
# Options: winscp, securitaassecuresftp
use_winscp_client = securitaassecuresftp
# Options: path to the commands logs directory this is the path to the user's commands are logged temporarily before being sent to securitaas server.
putty_logs_dir = 

Configuration Parameters:

  • certs_dir: Directory where SSH certificates are stored (default: C:\Program Files\SecuriTaaSConnector\certs)
  • api_base_url: API base URL (default: /cert - DO NOT CHANGE)
  • lport: Local port for API communication (default: 9001 - DO NOT CHANGE)
  • auth_url: Authentication URL (default: /auth/token - DO NOT CHANGE)
  • winscp_path: Full path to WinSCP.com executable
  • winscp_exe_path: Full path to WinSCP.exe executable (required for WinSCP GUI sessions)
  • putty_path: Full path to putty.exe executable (required for SSH terminal sessions)
  • sftp_client_path: Full path to SecuritaasSecureSftp.exe (required if using custom SFTP client)
  • sftp_local_root: Local directory path for users' SFTP file access (default: \\tsclient\C\)
  • sftp_remote_root: Remote directory path on the Linux server. Set / for full file system access, or a specific path for directory jailing (e.g. set to /home to jail users to the /home directory)
  • sftp_port: SSH/SFTP port (default: 22)
  • open_elevated_sftp_session: Set to 1 to enable elevated SFTP sessions with privileged access rights chosen by the user from the Request connection screen
  • use_winscp_client: Choose SFTP client (winscp for WinSCP.exe or securitaassecuresftp for custom client)
  • putty_logs_dir: Directory path for PuTTY session logs (leave empty to disable logging)

Important Notes:

  • The api_base_url, lport, and auth_url values are default values and should NOT be changed
  • Ensure all file paths use double backslashes (\\) or forward slashes (/) for Windows paths
  • The certs_dir directory will be created automatically if it doesn't exist
  • For putty_logs_dir, leave empty if you don't want to enable session logging
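
Added example (not part of the SecuriTaaS package or vendor tooling): a Python audit of connector.ini against the values this guide states for sections 2.1 to 2.3. FAIL rows restate the guide's requirements; the function name audit, the severity labels, the choice of REVIEW options and the sample hostname are assumptions of this example.

```python
import configparser

RDP, SSH = "non standard values", "linuxvals"
def eq(*good):
    return lambda v: v.lower() in good

# (section, key): (is_compliant, severity, message); REVIEW rows are this example's assumption.
RULES = {
    ("soserver", "server"): (lambda v: v and not v.startswith("<"), "FAIL", "required, not set"),
    ("soserver", "token_validation_bypass"): (eq("false"), "FAIL", "token validation bypassed"),
    **{(SSH, k): (eq(v), "FAIL", "documented default changed") for k, v in
       {"api_base_url": "/cert", "lport": "9001", "auth_url": "/auth/token"}.items()},
    (RDP, "rdp_enablecredsspsupport"): (eq("0"), "FAIL", "must be 0 for SecurITaas"),
    (RDP, "rdp_prompt_for_credentials"): (eq("0"), "FAIL", "must be 0 for SecurITaas"),
    (RDP, "redirectdrives_setting"): (eq("0"), "REVIEW", "drive redirection enabled"),
    (SSH, "open_elevated_sftp_session"): (eq("0"), "REVIEW", "elevated SFTP enabled"),
    (SSH, "sftp_remote_root"): (lambda v: v not in ("", "/"), "REVIEW", "no jail directory"),
    (SSH, "putty_logs_dir"): (bool, "REVIEW", "PuTTY session logging disabled"),
}

def audit(ini_text):
    """Return [(severity, 'section.key', message)]; a missing key is audited as ''."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(ini_text)
    get = lambda s, k: cp.get(s, k, fallback="").strip()
    out = [(sev, f"{s}.{k}", msg) for (s, k), (ok, sev, msg) in RULES.items() if not ok(get(s, k))]
    if get(SSH, "use_winscp_client") == "securitaassecuresftp" and not get(SSH, "sftp_client_path"):
        out.append(("FAIL", f"{SSH}.sftp_client_path", "required for the custom SFTP client"))
    return out

# Constructed sample: the values from this guide's listings, with a made-up server name.
SAMPLE = """[soserver]
server=connector.example.internal
token_validation_bypass=false
[non standard values]
rdp_enablecredsspsupport = 0
rdp_prompt_for_credentials = 0
redirectdrives_setting = 1
[linuxvals]
api_base_url = /cert
lport=9001
auth_url = /auth/token
sftp_client_path =
sftp_remote_root =
open_elevated_sftp_session = 0
use_winscp_client = securitaassecuresftp
putty_logs_dir =
"""
if __name__ == "__main__": print(*audit(SAMPLE), sep="\n")
```

Run against the listing values shown in this guide, the audit reports sftp_client_path as a FAIL, because use_winscp_client selects the custom client while sftp_client_path is left empty.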

RDS Configuration

1. Install Remote Desktop Services

  1. Open Server Manager
  2. Click "Add Roles and Features"
  3. Select "Remote Desktop Services installation"
  4. Choose "Quick Start"
  5. Complete the installation wizard (see the Microsoft RDS Installation Guide)

2. Configure Unlimited RDP Connections

Registry Method

  1. Open Registry Editor and navigate to:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core
    

  2. Create/Modify these values:

    DWORD Values:
    - EnableConcurrentSessions = 1
    - MaxRDPConnections = 0xffffffff
    

  3. Additional Registry Keys:

    Location: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
    Values:
    - fSingleSessionPerUser = 0
    - Limit Number of Connections = 999999
    

Group Policy Method

  1. Open Group Policy Editor (gpedit.msc)
  2. Navigate to:

    Computer Configuration → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Connections
    

  3. Configure:

    - "Limit number of connections" = Disabled
    - "Restrict Remote Desktop Services users to a single Remote Desktop Services session" = Disabled

3. Disable RemoteFX Graphics

  1. In Group Policy Editor, navigate to:

    Computer Configuration → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Remote Session Environment
    

  2. Configure:

    - "Configure RemoteFX" = Disabled
    - "Enable RemoteFX encoding" = Disabled
    - "Configure RemoteFX adaptive graphics" = Disabled
    

4. Session Management Configuration

  1. Configure Session Settings:

    Location: Computer Configuration → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Session Time Limits
    

  2. Set the following:

    - "Set time limit for disconnected sessions" = Enabled
      - Time limit = 1 minute
    - "End session when time limits are reached" = Enabled
    - "Terminate session when time limits are reached" = Enabled
    

  3. Registry Configuration:

    Location: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
    Values:
    - MaxDisconnectionTime = 60000 (1 minute in milliseconds)
    - RemoteAppLogoffTimeLimit = 60000
    - fDisableAutoReconnect = 1
    

5. RemoteApp Configuration

  1. Create RemoteApp Collection:

    - Open RemoteApp Manager
    - Click "Create RemoteApp Collection"
    - Name it "QuickSessionCollection"

  2. Add SecuriTaaS Connector:

    - In RemoteApp Manager, click "Add RemoteApp Programs"
    - Browse to C:\Program Files\SecuriTaaSConnector\app\securitaasconnector.exe
    - Set properties:
      • Name: securitaasconnector
      • Display name: SecuriTaaS Connector
      • Description: SecuriTaaS Remote Access Connector

Security Configuration

1. Windows Firewall Rules

  1. Open Windows Defender Firewall with Advanced Security
  2. Create Inbound Rule:

    Name: SecuriTaaS RDP
    Protocol: TCP
    Port: 3389
    Action: Allow
    Profile: Domain, Private
    

  3. Create Outbound Rule:

    Name: SecuriTaaS Service
    Protocol: TCP
    Port: 443
    Action: Allow
    

2. File System Permissions

  1. Set permissions on C:\Program Files\SecuriTaaSConnector:
    - SYSTEM: Full Control
    - Administrators: Full Control
    - Users: Read & Execute
    

3. SSL Certificate Configuration

  1. Open Server Manager → Remote Desktop Services
  2. Tasks → Edit Deployment Properties
  3. Certificates → Configure SSL certificate (see the RDS Certificate Guide)

Testing & Verification

1. Component Verification

1. Check Services:
   - Remote Desktop Services
   - Remote Desktop Gateway

2. Verify Files:
   - securitaasconnector.exe launches
   - putty.exe launches
   - WinSCP.com accessible

3. Test Connections:
   - RDP connectivity
   - SSL certificate validation
   - Multiple simultaneous connections

2. Log Verification

  1. Check logs in:
    C:\Program Files\SecuriTaaSConnector\logs\sessioncreator.log
    

Troubleshooting

Common Issues

  1. RDP Connection Failures:

    - Check Event Viewer → Applications and Services Logs → Microsoft → Windows → Terminal Services
    - Verify firewall rules
    - Test network connectivity
    

  2. Certificate Issues:

    - Verify SSL certificate installation
    - Check certificate expiration
    - Validate certificate chain
    

  3. Performance Issues:

    - Monitor CPU and memory usage
    - Check network bandwidth
    - Verify RemoteFX settings
    

  4. Session Issues:

    - Check session limits in Group Policy
    - Verify user permissions
    - Review RDS license status
    

Maintenance

Regular Tasks

  1. Daily Checks:

    - Monitor logs
    - Check service status
    - Verify connections
    

  2. Weekly Tasks:

    - Review security events
    - Check certificate status
    - Back up configurations
    

  3. Monthly Tasks:

    - Apply Windows updates
    - Review user access
    - Performance optimization
    

Backup Procedures

  1. Back up these components:

    - connector.ini
    - SSL certificates
    - Registry settings
    - User profiles
    

  2. Recommended Backup Schedule:

    - Configuration files: Weekly
    - Certificates: Before expiration
    - Registry settings: After changes
    - User profiles: Monthly
    

Support Resources

Contact Information

Technical Support: support@securitaas.com
Emergency Support: [Emergency Contact]
Hours: 24/7

Additional Resources

  1. Microsoft Documentation:

    - RDS Deployment Guide
    - RDS Security Guide
    - Windows Server Administration

  2. Performance Optimization:

    - RDS Performance Tuning
    - Network Optimization

Note: Always back up your configuration before making changes. For additional support, contact SecuriTaaS technical support.

Last Updated: [Current Date] Version: 1.0

This completes the comprehensive guide for SecuriTaaS Connector installation and configuration. Follow each section carefully and refer to the troubleshooting guide if you encounter any issues.