Installation
To install Windows Agent (supporting Windows Server 2016, 2019, 2022, Windows 10 and 11), you need to have an installation package. Also, on endpoint .Net framework 4.7.2 should be installed if it does not exist. To get the setup file:
Installation should be done with a user who has local admin rights.
- Navigate to Windows Agent Management and click the Add button.
- Click Agent Installation.
- Then download the ps1 file on the screen to click here. The example of the ps1 file is below. You need to copy this file to the endpoint on which you want to install the agent. Port 443 should be open between the endpoint and Kron PAM servers. When you execute the Ps1 file on the endpoint it is going to download the agent, and you can install it.
add-type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
public bool CheckValidationResult(
ServicePoint srvPoint, X509Certificate certificate,
WebRequest request, int certificateProblem) {
return true;
}
}
"@
$AllProtocols = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'
[System.Net.ServicePointManager]::SecurityProtocol = $AllProtocols
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
Set-Location -Path C:\
Invoke-WebRequest -Uri "https://10.20.42.12:443/repo/windows-agent/win_agent.exe" -OutFile "win_agent.exe"
- If a non-expired token is already on the screen, you will see it on the download page. But if you need a new token, you can return to the first screen to reproduce one. Then, go to the next page to download the batch file again with a new token.
The agent is installed when you place the ps1 file on the endpoint and run it as a local admin.
- Start the installation package and click License Agreement.
- Click Next.
- Enter the necessary information. Then click Install.
- The registering endpoint is the Kron PAM Server
- The initial token is a registration token.
- Super Local Admin is a local admin account for all the endpoints. This account can perform any process on the server. An agent cannot block this account's actions on the endpoint, but every action of this account will be logged.
- Installation is successful.
* During installation, the agent sends the server's IP address, hostname, and OS version to Kron PAM. If the server's IP address changes at any point, the agent updates Kron PAM with the new information. From then on, the updated IP is used throughout Kron PAM, replacing the old one.
* If an agent remains offline beyond a specified time, it is automatically removed from the Agent Dashboard, along with any associated agent-specific rules. The device will then be moved to the "Unassigned Device" group in the device tree without affecting any Kron PAM-related rules. This is a configurable option set in the system configuration manager, using the parameter below (measured in days):
win.agent.remove.after.expire.time = 60
* To install the agent silently on CMD please use the below command line syntax
"agent.exe" INITIAL_TOKEN= "cb6b6d7f-bebb-4463-8a6e-ca58cb168120" REGISTER_ENDPOINT="https://10.20.42.12/"
Sometimes System administrators need a powerful user who can do anything. In these cases, you need to define the parameter below in the system configuration management page. When a user is defined with the below parameter those users can do anything, and they are not being policed just they are logged. This is called All Run Right.
win.agent.all.run.right = Administrator, PamAdmin, SystemAdmin