Agent Reference Guide
3 min
introduction kron pam windows agent is an application installed on windows servers/clients to manage authentication, authorization, and accounting (aaa) configured kron pam agents provide control over which users have the right to log in to which target devices, as well as what operations and commands they are allowed to run on the target devices all commands executed on the server, including session start/end times, are recorded with precision communication between the agents and the kron pam server takes place securely through https this document addresses common admin tasks and how to properly execute them windows agent capabilities window agents can block, elevate, and allow applications or processes with advanced and generic rules with the application name, hash, version, certificate, vendor, publisher, and path applications that have no rules (gray listed applications) can be blocked or allowed according to agent mode elevation can be done via mfa, managerial approval, or both on a per application basis application based local administration rights can be managed c hild process (subprocesses) of applications can be blocked or allowed, and exceptions can be defined for the subprocesses local user login can be blocked or allowed on an agent group basis generic rules are applied to every user (local admin or standard users) advanced rules are applied to specific users or user groups on specific servers/clients advanced rules supersede generic rules realm infrastructure is supported but not mandatory for agents if the user and device are not under the same device realm, the agent blocks the end user's login to the server or client also, direct access needs to be given for user login on the user group level realm infrastructure can be bypassed on an agent group basis when disabled every action that creates a process is logged to kron pam session logs every authentication attempt is logged to kron pam authentication logs the agent can discover applications in a folder through a job that can periodically check the contents of the folder client (win 10/11) and server (2016/2019/2022) endpoints can receive different generic policy rules specific users can be permitted to run anything and everything they want this means that defined user/users in configuration will not be policed if there are no special users in configuration, local users can be blocked from logging in to endpoints, this can also be configured on an agent group basis temporary local administrator rights can be given to end users application inspection integration with this feature, we integrate kron pam with virus total discovered applications are then queried over virus total and ranked as malicious, suspicious, or undetected the a gent can apply policies to windows services for example, if a local admin is needed to restart a windows service, you can give the right to a non administrator account or even if the user is a local administrator you can apply a deny policy to remove any right on windows services you can set remote start, stop, and uninstall capabilities for linux and windows epm agents directly from pam you can configure maximum ssh session limits at the agent group level, with user notification when the threshold is reached otp generation and validation on windows and linux agents can be done locally to support offline elevation and authentication scenarios when pam is unreachable the windows agent service can be secured by requiring admin otp verification before allowing the service to be stopped support for subprocess exceptions is present, allowing specific subprocesses to run even if the parent process is governed by a block policy, applicable to all policy types