How to block Windows commands from NPAM 3.6

Hi

Can someone explain to me how to block certain Windows commands or typed keys?

I tried to add commands in Command Risk, but no luck.

Do I have to create some kind of script, or is Command Risk enough?



Thx
  • Command Risk is the correct feature, but it can sometimes be tricky to identify the "Command" that should be filtered. Here are some tips.

    The feature is documented as follows:
    Disconnecting a Privileged Session > Disconnecting the Session Automatically.
    Note: This is "Command Risk" where the risk level is audited in the reporting console as a particular color indicating risk and reactive actions can be configured here to Auto Disconnect the session and/or block the user from attempting further sessions at that point.

    In order to identify the particular "Command" you are interested in configuring here, it is helpful to view the Keystroke Report of an example session, where you can view how the commands are audited from the PAM perspective.
    Reporting Console > Command Control Keystroke Report (select an example session to explore commands in).
    View the "Standard Input" column; these are the commands that you will want to come up with a filter for to enter in as "Command Risk."
    It can also be helpful to enable the following option in the bottom right of the keystroke report, "Show audited commands: Use this option to show or hide the full list of audited commands. If this option is enabled, the screen shows the actual commands that are being run when a user types a command. You can also view each input command individually by mousing over the command."

    Some examples for "Command Risk" that might be helpful to see (regex also possible):
    =~/^(|\/bin\/|\/sbin\/|\/usr\/bin\/)passwd(\s|$)/
    *AppMgmt Service Stop*
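
Before entering filters, it helps to check candidate entries offline against "Standard Input" values copied from a keystroke report. The sketch below is an added example, not part of the reply above and not PAM's own code. It assumes `=~/.../` entries are regex searches and other entries are case-sensitive `*` wildcards; the sample lines and the third filter are constructed.

```python
import re

def compile_filter(entry):
    """Turn one filter entry into a predicate over an audited command string.

    Assumed semantics (not from product documentation): =~/regex/ is a regex
    search; anything else is a case-sensitive wildcard where * matches any run
    of characters and the pattern must cover the whole string.
    """
    m = re.fullmatch(r"=~/(.*)/", entry)
    if m:
        rx = re.compile(m.group(1))
        return lambda cmd: rx.search(cmd) is not None
    rx = re.compile(".*".join(re.escape(part) for part in entry.split("*")), re.S)
    return lambda cmd: rx.fullmatch(cmd) is not None

def evaluate(filters, samples):
    """Return ({sample: [matching entries]}, [entries that matched nothing])."""
    compiled = [(f, compile_filter(f)) for f in filters]
    hits = {s: [f for f, pred in compiled if pred(s)] for s in samples}
    used = {f for matched in hits.values() for f in matched}
    return hits, [f for f in filters if f not in used]

FILTERS = [
    r"=~/^(|\/bin\/|\/sbin\/|\/usr\/bin\/)passwd(\s|$)/",  # regex form, as in the reply
    "*AppMgmt Service Stop*",                               # wildcard form, as in the reply
    "*shutdown /r*",                                        # hypothetical entry
]

# Constructed "Standard Input" values, standing in for a keystroke report export.
SAMPLES = [
    "passwd root",
    "/usr/bin/passwd",
    "cat /etc/passwd",        # not flagged: the regex is anchored at the start
    "passwdqc --help",        # not flagged: passwd must be followed by space or end
    "AppMgmt Service Stop",
    "appmgmt service stop",   # not flagged under the case-sensitive assumption
    "shutdown.exe /r /t 0",   # not flagged: audited text differs from what was typed in the filter
]

if __name__ == "__main__":
    hits, unused = evaluate(FILTERS, SAMPLES)
    for sample, matched in hits.items():
        print(f"{'FLAG' if matched else 'pass'}  {sample!r}  {matched}")
    print("filters that matched nothing:", unused)
```

A filter that lands in the "matched nothing" list is the usual reason a Command Risk entry appears to have no effect: the audited string differs from what the filter was written against.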
  • Thanks for your support.
    I solved the problem exactly as you suggested.