Agent Reference Guide
Kron PAM Windows Agent is an application installed on Windows servers to manage Authentication, Authorization, and Accounting (AAA). Configured Kron PAM Agents control which users may log in to which target devices and execute commands, and what they are permitted to do on those devices. All commands executed on the server, together with session start and end times, are recorded indisputably. Communication between the agents and the Kron PAM server is secured with HTTPS.
This document addresses common admin tasks and how to execute them properly.
- Windows agents can block, elevate, or allow applications and processes using Advanced and Generic Rules matched on application name, hash, version, certificate, vendor, publisher, or path.
- Depending on the Agent Mode, applications with no matching rule (gray-listed applications) are either blocked or allowed.
- Elevation can be done via MFA, Managerial approval, or both on an application basis.
- Child processes (subprocesses) of an application can be blocked or allowed.
- Local user login can be blocked or allowed on an agent group basis.
- Generic rules apply to every user (local administrators and standard users alike). Advanced rules apply to specific users or user groups on specific servers or clients, and take precedence over generic rules.
- Realm infrastructure is supported but not mandatory for agents. If the user and the device are not in the same Realm, the agent blocks the end user's login to that server or client. Direct access must also be granted at the user group level for the user to log in. Realm enforcement can be disabled on an agent group basis, which bypasses the Realm check.
- Every action that creates a process is logged to Kron PAM Session logs.
- Every authentication attempt is logged to Kron PAM Authentication logs.
- The agent can discover applications under a folder, and a job can be created to run this discovery periodically.
- Client (Windows 10/11) and Server (2016/2019/2022) endpoints can receive different generic policy rules.
- An "all run" right can be defined for specific users; users listed in this configuration are not policed.
- If no exempt users are configured, local users can be blocked from logging in to endpoints; this is also configured on an agent group basis.
- Temporary local administrator rights can be given to end users.
- Application Inspection Integration: this feature integrates Kron PAM with VirusTotal. Discovered applications are queried against VirusTotal and ranked as Malicious, Suspicious, or Undetected.
- The agent can apply policies to Windows services. For example, if local administrator rights are needed to restart a Windows service, that right can be granted to a non-administrator account; conversely, a deny policy can strip even a local administrator of any rights over Windows services.
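The rule precedence described above (advanced rules evaluated before generic rules, gray-listed applications decided by the Agent Mode, and "all run" users exempt from policing), modelled as an added example. This is illustrative code written for this guide, not Kron PAM's own implementation; the application attributes, rule shape and action names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the rule semantics described above; not Kron PAM's own code.
@dataclass
class App:
    name: str
    sha256: str      # hypothetical attribute set; a rule may match on any of these
    publisher: str
    path: str

@dataclass
class Rule:
    action: str                      # "allow", "block" or "elevate"
    match: dict                      # attribute -> required value, e.g. {"publisher": "Contoso"}
    users: Optional[set] = None      # None = generic rule (applies to every user)
    hosts: Optional[set] = None      # None = any endpoint; a set limits the rule to those hosts

    def is_advanced(self) -> bool:
        # Advanced rules are scoped to specific users/groups and/or specific endpoints
        return self.users is not None or self.hosts is not None

    def matches(self, app: App, user: str, host: str) -> bool:
        if self.users is not None and user not in self.users:
            return False
        if self.hosts is not None and host not in self.hosts:
            return False
        return all(getattr(app, attr) == value for attr, value in self.match.items())

def decide(app: App, user: str, host: str, rules: list,
           agent_mode: str = "block", exempt_users=()) -> str:
    """Return the action taken for a process launch: allow, block or elevate."""
    if user in exempt_users:
        return "allow"               # "all run" right: this user is not policed at all
    # Advanced rules take precedence over generic rules, so evaluate them first
    for want_advanced in (True, False):
        for rule in rules:
            if rule.is_advanced() == want_advanced and rule.matches(app, user, host):
                return rule.action
    # Gray-listed application (no rule matched): the Agent Mode decides
    return "allow" if agent_mode == "allow" else "block"

if __name__ == "__main__":
    rules = [  # constructed sample policy
        Rule("block", {"name": "cmd.exe"}),                                      # generic
        Rule("elevate", {"name": "cmd.exe"}, users={"alice"}, hosts={"srv01"}),  # advanced
        Rule("allow", {"publisher": "Contoso"}),                                 # generic
    ]
    cmd = App("cmd.exe", "ab" * 32, "Microsoft", r"C:\Windows\System32\cmd.exe")
    print(decide(cmd, "alice", "srv01", rules))   # elevate (advanced rule wins over generic block)
```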