Unencrypted password in RemoteApp scenarios

We have implemented the RemoteApp service on a Windows server on which we have configured the RDS service, where the launchers of all the tools that are to be started carry a string with the parameters to be passed, including the pw (account, password and asset). The string is: (--args "con name=SG-Oracle-autologon|driver=oracle_thin|url=jdbc:oracle:thin:@{asset}:1521:oracle|user={username}|password={password}"). The customer asks whether the pw (which cannot be seen in the connection string set in the launcher) is still passed unencrypted (visible) or always encrypted.

Thank you!

  • Hi Dario,

    As per the SPS admin guide it does include a related warning below:

    "WARNING: Task managers and monitoring tools can expose the password as the part of a command line argument.

    One Identity recommends hardening the remote host in use-cases when the remote app is not capable of using stdin. The remote app user should not be able to access task managers or monitoring tools. Alternatively, you can limit the access level of the monitoring agents."

    The use-stdin parameter can be used as a workaround if supported by the target RemoteApp:

    Table 10: List of parameters

    https://docs.oneidentity.com/bundle/safeguard-for-privileged-sessions_administration-guide_8.0/page/guides/administration-guide/rdp-remoteapps-launcher.htm

    If you need further assistance with this configuration, we recommend engaging the PSO team for this implementation.

    Thanks!
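
The exposure described in the quoted warning can be checked on the remote host by auditing process command lines. The following is an added example, not part of the original thread and not One Identity code: it looks for a substituted password field in the pipe-delimited connection string from the question and masks the value in its report. The tool name dbtool.exe, the process list, host, account and password are constructed sample values, and "pwd" is an assumed key variant.

```python
import re

# "password" is the key used in the question's string; "pwd" is an assumed variant.
SENSITIVE_KEYS = {"password", "pwd"}
ARGS_RE = re.compile(r'--args\s+"([^"]*)"')  # the --args "..." payload from the question

def audit_command_line(cmdline):
    """Return (exposed_keys, redacted_cmdline) for one process command line."""
    exposed = []

    def redact(match):
        fields = []
        for field in match.group(1).split("|"):
            key, sep, value = field.partition("=")
            # A leftover {placeholder} means no real secret was substituted.
            is_placeholder = value.startswith("{") and value.endswith("}")
            if sep and key.strip().lower() in SENSITIVE_KEYS and value and not is_placeholder:
                exposed.append(key.strip())
                value = "<redacted>"
            fields.append(key + sep + value)
        return '--args "' + "|".join(fields) + '"'

    return exposed, ARGS_RE.sub(redact, cmdline)

def audit_processes(processes):
    """processes: iterable of (pid, cmdline). Returns findings with secrets masked."""
    findings = []
    for pid, cmdline in processes:
        exposed, redacted = audit_command_line(cmdline)
        if exposed:
            findings.append({"pid": pid, "keys": exposed, "cmdline": redacted})
    return findings

# Constructed sample process list (hypothetical tool name, not captured from a real host).
SAMPLE = [
    (4120, 'dbtool.exe --args "con name=SG-Oracle-autologon|driver=oracle_thin|'
           'url=jdbc:oracle:thin:@db01.example:1521:oracle|user=svc_ora|password=Constructed-Pw1"'),
    (4188, 'dbtool.exe --args "con name=SG-Oracle-autologon|driver=oracle_thin|'
           'user={username}|password={password}"'),
    (4240, "notepad.exe C:\\Temp\\notes.txt"),
]

if __name__ == "__main__":
    for finding in audit_processes(SAMPLE):
        print(finding)
```

On a real host the (pid, cmdline) pairs would come from a process listing run with sufficient rights; any finding means the launched tool received the password as a visible argument.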