RDP Application – RDP Host Asset Account Feature Limitation

We have a limitation with the RDP Host Asset Account feature and were wondering if there is a known workaround or roadmap for enhancement.

The limitation is that the RDP Host Asset Account needs to be either pre-specified in the Access Request Policy or User-specified during the requested connection:

  • The former configuration poses a problem, in that ALL the Users will be logged into the RDP Host using a generic Privileged Account, in turn allowing subsequent connections to connect to disconnected sessions. Even if the GPO is set to terminate disconnected sessions after 1 minute, there is a window of opportunity for another User to hijack the disconnected session. The opportunity is further increased as more Users try to connect to the same RDP Application.
  • The latter configuration is also a problem for the customers that don't want unprivileged accounts to log into the RDP Host. So specifying a normal User account is against security policy, and specifying a Local or AD administrative account is counter-intuitive, as these are privileged accounts and their passwords should not be known to the User.

The feature that I think would be of benefit is for SPP to allow the User:

  • to select the Privileged account for the RDP Host Asset Account
  • or to allow linked accounts to be used as the RDP Host Asset Account
  • or to allow the Scoped Privileged account to be used as the RDP Host Asset Account, which is selected by the User to log into the RDP Application

SPP 7.4.x does not have this feature as per below:
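Added example, not part of the post above and not SPP or One Identity code: a PowerShell check a defender can run on the RDP Host to measure the exposure the post describes, i.e. how long disconnected sessions are allowed to persist (the "Set time limit for disconnected sessions" policy value, `MaxDisconnectionTime`, stored in milliseconds under the Terminal Services policy key) and whether the shared host asset account currently has any disconnected sessions that the next connecting User would resume. The account name `SVC_RDPAPP` and the 1-minute threshold are constructed placeholders; it assumes it is run locally (or via `Invoke-Command`) with rights to read the policy key and run `quser`.

```powershell
# Added example (not from the original post): audit an RDP host for the
# disconnected-session exposure described above. Run on the RDP host with
# rights to read HKLM policy keys and to run quser.
param(
    [string]$SharedAccount = 'SVC_RDPAPP',   # constructed placeholder for the shared host asset account
    [int]$MaxAllowedDisconnectMs = 60000     # 1 minute, the GPO value mentioned in the post
)

# Policy value behind "Set time limit for disconnected sessions" (milliseconds).
# Absent or 0 means disconnected sessions are never terminated automatically.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$limit = (Get-ItemProperty -Path $policyKey -Name MaxDisconnectionTime -ErrorAction SilentlyContinue).MaxDisconnectionTime

if ($null -eq $limit -or $limit -eq 0) {
    Write-Warning 'No disconnected-session time limit is enforced via policy; disconnected sessions persist until logoff.'
} elseif ($limit -gt $MaxAllowedDisconnectMs) {
    Write-Warning ('Disconnected sessions are kept for {0} ms, longer than the {1} ms threshold.' -f $limit, $MaxAllowedDisconnectMs)
} else {
    Write-Output ('Policy OK: disconnected sessions are terminated after {0} ms.' -f $limit)
}

# Enumerate current sessions with quser. Disconnected sessions have an empty
# SESSIONNAME column, so match on the STATE token instead of column position.
$sessions = quser 2>$null | Select-Object -Skip 1 | ForEach-Object {
    $line = $_.Trim()
    if ($line -match '^>?(?<user>\S+)\s+(?:(?<session>\S+)\s+)?(?<id>\d+)\s+(?<state>Active|Disc)\s+') {
        [pscustomobject]@{
            User  = $Matches.user
            Id    = [int]$Matches.id
            State = $Matches.state
        }
    }
}

# Any disconnected session under the shared account is the window the post
# describes: the next User who connects as that account resumes it.
$exposed = @($sessions | Where-Object { $_.State -eq 'Disc' -and $_.User -ieq $SharedAccount })
if ($exposed.Count -gt 0) {
    Write-Warning ("Shared account '{0}' has {1} disconnected session(s) (IDs: {2}); the next connection as this account will resume one of them." -f $SharedAccount, $exposed.Count, (($exposed | ForEach-Object { $_.Id }) -join ', '))
} else {
    Write-Output "No disconnected sessions for '$SharedAccount'."
}
```

Running this on a schedule, or from the PAM host before releasing a session, turns the "window of opportunity" from the post into a measurable number: the policy limit tells you how long a disconnected session can be resumed, and the session list tells you whether one is resumable right now.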