Skip to main content
Version: 3.24

Proxy Settings Segregations

Because there are many settings in the global level definition, there is a need to segregate some of these settings to facilitate security policy management and possible exceptions on devices that do not support certain configurations.

For example, some RDP devices do not support the TLS security level, and must be isolated in a separate configuration if the global level is not configured in Automatic mode. Another example is Linux devices that by strategic decision, or technical limitations, do not support automated privilege elevation with SUDO.

To isolate these Devices and Credentials in segregated configurations, we must first understand the password segregation hierarchy.

caution

Devices and credentials cannot be included in more than one segregated parameter.

The segregating layer has the option of keeping the current parameter unchanged. Therefore, there is no obligation to define all parameters for each layer.

info

Note that in the Color depth field, (which is displayed in all segregation layers) you can choose which color depth you want to use in VNCHTTP, VNCX11 and VNC sessions to suit the performance you want. The options range from 8 bits to 32 bits.

Segregation levels

Segregations respect hierarchy and rewriting order. Override system default settings, acting as a chain of adjustment layers where the next layer will always have the power to rewrite under the previous one:

  1. Global parameters
  2. Access groups segregated parameter
  3. Device segregated parameters
  4. Credential segregated parameters
  5. Parameters segregated by origin

Thus, a parameter defined in the Global layer can be overwritten by Access Group segregation, which in turn can be overwritten by Device segregation, and so on.

Through the module Settings ➔ System Parameters ➔ Segregated Parameters, you will have access to the creation of the segregated parameters and access to all segregations registered for proxy sessions. We must configure it following this step by step:

Segregation for Access Groups

Click on the Actions menu and choose New segregation for groups a new window will open called Parameter segregated access groups containing the tabs Remote Session, Recording, Security and Groups:

  • Name: Give your segregation a name.

  • Status: Define whether this segregation will be Active or Inactive.

  • Remote Session Configure which type of remote session will be included in the segregation parameters in the groups and which will be enabled.

Remote Session Tab - Access Groups
  • Recording: Configure which parameters will be enabled when starting a session recording.
Recording tab - Access groups
  • Security: Configure the strength of the groups' security.
Security tab - Access groups
  • Groups: Configure and add which access groups will be part of the segregation.
Groups tab - Access groups

Device segregation

Click on the Actions menu and choose New segregation for devices a new window will open called Device segregated parameters containing the tabs Remote Session, Recording, Security and Devices:

  • Name: Give your segregation a name.
  • Status: Define whether this segregation will be Active or Inactive.
  • Remote Session: Configure which type of remote session will be included in the segregation parameters on the devices and which will be enabled.
Remote Session Tab - Devices
  • Recording: Configure which parameters will be enabled when starting a session recording.
Recording tab - Devices
  • Security: Configure the strength of security on devices.

Session inactivity time

info

It is possible to specify how long a senhasegura session can be idle, that is, without any user interaction. In the Session inactivity time field, define the amount and whether it is in minutes, hours or days.

Security tab - Devices
  • Devices: Fill in an existing device in the system and add it.
Devices tab - Devices

Segregation for credentials

Click on the Actions menu and choose New segregation for credentials a new window will open called Credentials segregated parameters containing the tabs Remote Session, Recording, Security and Credential:

Name: Give your segregation a name. Status: Define whether this segregation will be Active or Inactive. Remote session: Configure what type of remote session will be included in the credential segregation parameters and what will be enabled.

Remote Session Tab - Credential

Recording: Configure which parameters will be enabled when starting a session recording.

Recording tab - Credential

Security: Configure the strength of credential security.

Security tab - Credential

Credential: Configure and add which access credentials will be part of the segregation.

Credential tab - Credential

Segregation by origin

Click on the Actions menu and choose New segregation by origin a new window will open called Parameters segregated by origin containing the tabs Remote Session, Recording, Security and Origins:

  • Name: Give your segregation a name.
  • Status: Define whether this segregation will be Active or Inactive.
  • Remote session: Configure which type of remote session will be included in the segregation parameters at source and which will be enabled.
Remote Session Tab - Source
  • Recording: Configure which parameters will be enabled when starting a session recording.
Recording tab - Origin
  • Security: Configure what the security strength will be at the origin.
Security tab - Origin
  • Origins: Configure and add which access sources will be part of segregation.
Origins tab - Origin

With each proxy session, senhasegura will always frame the requester to an Access Group that allows the use of a Device Credential. And this user always starts from a source workstation. Hence, senhasegura will always be able to determine an appropriate combination of parameters for this session.

The image proxy-100 shows that the Global setting allows file transfer.

Remote session settings

The image proxy-110 demonstrates that there are segregations for all layers, and each segregation has a name that makes clear the intention to use.

Segregated parameters report

The banner segregation example kept all other parameters unchanged. Only the banner has been set.

Banner segregation example

Device segregation example inactivated automated privilege elevation execution and allowed the use of personal credentials.

Device segregation example

The credential segregation example does not allow file transfer, clipboard use, and does not allow the use of <Ctrl+Alt+Del> key combination.

Credential segregation example

Source segregation example is forcing the use of the 2FA to view passwords and start proxy sessions and allows immediate password recycle after the proxy session is opened.

Source segregation example

Note that there is a possibility that a session may have to consider some of these rules, all, or none at all. Making the configuration possibilities very flexible.