weblaps agent description

.gitignore

@@ -1,4 +1,5 @@
 *.docx
+*.pptx
 *.bat
 *.tmp
 Makefile

_build/html/_sources/agent.rst.txt

@@ -0,0 +1,59 @@
+WebLAPS agent
+==============================
+WebLAPS agent is used to manage passwords of local users and control membership in local groups. It could be run on joined or non domain joined computers.
+
+WebLAPS agent installation
+----------------------------------
+Before you begin make sure that MS .NET Framework 4.5.1 is installed.
+
+You can install WebLAPS agent using command line:
+
+   msiexec /i WebLAPSInstaller.msi /quiet /norestart SERVERURL=<serverulr> JOINKEY=<joinkey>
+
+.. list-table::
+  :header-rows: 1
+
+  * - **Parameter**
+    - **Example**
+    - **Description**
+  * - SERVERURL
+    - https://weblapspublic.host;https://weblapsprivate.host
+    - WebLAPS server URL. You can set multiple URLs delimmited with ";" in case if you want to perform password rotation on remote computers outside of corporate network. WebLAPS agent will try to select first available server. If you use reversproxy you can publish  URLs used by agent with mask /api/computers/remote/* so no other functionality will be available from internet.
+  * - JOINKEY
+    - superSECRETkey1
+    - key validated once by WebLAPS during initial connection.
+  * - NOSSLCHECK
+    - 1
+    - disable server certificate validation
+  * - GROUPID
+    - bc96b2b6-ab66-4592-be0a-2dfcfe317e58
+    - You can manually set computer container ID which will be used by agent to get policy otherwise distribution rules will be used to determine container
+
+WebLAPS agent policy
+----------------------------------
+Go to **Administration -> Computers -> Policies** and select computer container, next press "Add new" button.
+You can configure multiple policies which will be applied to the same computer container. Policies are inherited from all parent containers.
+
+.. image::  img/weblaps_agent_policy.png
+	:align: center	
+
+WebLAPS agent policy is applied to specified *local* user account. WebLAPS agent can automatically create managed user if it is not exists. For automatic password rotation please select **Manage password** checkbox and set "Password age". You can automatically remove all users from defined group except approved. You can specify multiple approved users delimited with ";". For domain user use following format: domain\\login.
+
+To view result settings for a container go to **Administration -> Computers -> Container Details** and select a computer container.
+
+.. image::  img/weblaps_agent_result.png
+	:align: center	
+
+WebLAPS agent access management
+----------------------------------
+
+Go to **Administration->Computers -> Access Groups** and setup user group to computer container mappings. You must use distinguished names of groups. Members of group will be able to get passwords managed by WebLAPS agent in the container and sub containers. If you have multiple policies for several managed users per one container you can additionally restrict managed .users to which passwords you provide access by filling **Allow access only to following subjects** parameter.
+
+.. image::  img/weblaps_agent_access.png
+	:align: center
+
+Additionally you can provide access only for particular computer to an user or a group (group nesting is not supported) by editing computer object. This mechanism does not connected with access control subsystem based on groups and containers
+
+.. image::  img/weblaps_agent_access_managedby.png
+	:align: center
+

_build/html/_sources/index.rst.txt

@@ -1,23 +1,25 @@
 Welcome to WebLAPS documentation!
 ===================================
 
-`LAPS Portal`_ is a web application which helps to secure windows environment with MS LAPS solution implemented. MS LAPS is effective tool to perform automatic password rotation of built-in Administrator password. **In case of compromising one of user account which is used for LAPS passwords access (like account of help desk user) all computers could be compromised!** To eliminate security risks and provide convenient way for LAPS password accessing LAPS Portal was created.
+`WebLAPS`_ is a web application which helps to secure windows environment with MS LAPS solution implemented. MS LAPS is effective tool to perform automatic password rotation of built-in Administrator password. **In case of compromising one of user account which is used for LAPS passwords access (like account of help desk user) all computers could be compromised!** To eliminate security risks and provide convenient way for LAPS password accessing LAPS Portal was created.
 
-LAPS Portal could be used to implement just-in-time administration (JITA) approach recommended by MS when accounts of system administrators are added to privileged groups for defined period of time and automatically removed after.
+WebLAPS could be used to implement just-in-time administration (JITA) approach recommended by MS when accounts of system administrators are added to privileged groups for defined period of time and automatically removed after.
 
-LAPS Portal has mobile clients which works under Android_ and iOS_ devices which in a secure way delivers passwords to mobile device. Mobile client also allows to login to LAPS Portal with help of confirmation of authentication request which is delivered by push notification.
+WebLAPS has an agent which could be used to manage local user accounts at non domain joined computers. It also can automatically create managed user, rotate its password and control membership in defined groups.
 
-LAPS Portal is written in Java, and could be used on any operation systems which support Java 1.8. LAPS Portal includes all necessary components and does not require additional software like web server or database engine. It is possible to join several LAPS Portal to cluster to operatin in a high availability mode in such case you will need a load balancer and an external database engine.
+WebLAPS has mobile clients which works under Android_ and iOS_ devices which in a secure way delivers passwords to mobile device. Mobile client also allows to login to LAPS Portal with help of confirmation of authentication request which is delivered by push notification.
 
-LAPS Portal uses Active Directory user accounts and groups to perform access control. To increase security of passwords managed by LAPS authentication with one time passwords was added to the portal. Currently following 2fa connectors implemented: 
+WebLAPS is written in Java, and could be used on any operation systems which support Java 1.8. LAPS Portal includes all necessary components and does not require additional software like web server or database engine. It is possible to join several LAPS Portal to cluster to operatin in a high availability mode in such case you will need a load balancer and an external database engine.
+
+WebLAPS uses Active Directory user accounts and groups to perform access control. To increase security of passwords managed by LAPS authentication with one time passwords was implemented. Currently following 2fa connectors implemented: 
 
 * RADIUS
 * LinOTP
 * FortiAuthenticator
 * Duo
 * Built-in TOTP provider which does not require any external system
 
-Security controls implemented in LAPS Portal
+Security controls implemented in WebLAPS
 
 * 2FA or OTP only authentication
 * password encryption by LAPS.E or AdmPwd.E supported
@@ -29,9 +31,9 @@ Security controls implemented in LAPS Portal
 * CSRF protection
 * user access token is bind to IP address of successful authentication. Access token has a configurable time limit
 * ability to schedule LAPS passwords backup in encrypted form in case of AD unavailability
-* audit all access to passwords managed by LAPS. It is possible to export LAPS logs in CEF format to external system via syslog 
+* audit access to passwords managed by LAPS. It is possible to export LAPS logs in CEF format to external system via syslog 
 
-.. _LAPS Portal: http://weblaps.pro/
+.. _WebLAPS: http://weblaps.pro/
 .. _Android: https://play.google.com/store/apps/details?id=com.ksoft.laps
 .. _iOS: https://itunes.apple.com/us/app/laps-mobile/id1461133789
 
@@ -41,6 +43,8 @@ Security controls implemented in LAPS Portal
 
    working
    mobile
+   agent
+   install_prereq
    install_unix
    install_win
    admin

_build/html/_sources/install_prereq.rst.txt

@@ -0,0 +1,25 @@
+Installation Prerequisites
+==========================
+
+.. |lapsuser| replace:: laps
+.. |lapsservice| replace:: laps
+.. |lapsdir| replace:: /opt/laps
+
+Prior to installing the WebLAPS, the following requirements must be met:
+
+#. Install Java JRE or JDK version 1.8
+#. Check that java executable is on your system PATH. Following command must return no errors
+
+	java -version
+
+if any error occurred please fix your Java installation https://www.java.com/en/download/help/path.xml
+
+#. Make sure that network connection is open to port 636 (LDAPS) from weblaps host to domain controllers
+
+#. Make sure that your LDAPS is configured at your domain controllers. LAPS stores passwords in special confidential attribute which is accessible only via secured connection. https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx
+
+#. Prepare service user in AD and grant it permissions to read and reset passwords.
+
+#. Export certificate of CA which signed certificate for LDAPS
+
+#. import CA certificate at mobile devices if you want to use LAPS mobile app and you use your own CA to issue certificate for WebLAPS server.

_build/html/_sources/maintanance.rst.txt

@@ -144,3 +144,34 @@ javax.naming.CommunicationException javax.net.ssl.SSLHandshakeException indicate
 You should check whether all certificate chain imported into LAPS Portal. After importing certificates do not forget to restart LAPS Portal service.
 
 In case this error appears during communication with AD Controllers you should also check how many certificates domain controller has with Server Authentication purpose. In normal situation AD Controller should have one personal certificate with Server Authentication purposes . According to https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx *"You should be planning on having only one certificate on each LDAP server (i.e. domain controller or AD LDS computer) with the purpose of Server Authentication. If you have legitimate reasons for using more than one, you may end up having certificate selection issues, which is discussed further in the Active Directory Domain Services Certificate Storage.* As workaround import all certificates with Server Authentication purposes  to LAPS Portal
+
+SocketException
+^^^^^^^^^^^^^^^
+java.net.SocketException  indicates that there is LAPS Portal unable to establish TCP connection to domain controller. It could be caused by local or network firewall, problems in DNS resolition or that LDAPS is not configured on domain controller. In case of following error
+
+  Error connectiong to LDAP
+  javax.naming.CommunicationException: ad.domain.com:636 [Root exception is java.net.SocketException: Connection reset]
+
+please check that you can connect on port 636 from host where WebLAPS is installed to domain controller. You can do it with telnet command:
+
+  telnet domain.controller.host 636
+
+where domain.controller.host is a domain controller FQDN. Please check following article to be sure that LDAP over SSL is porperly configured at your domain controller https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx
+
+
+Unable to start service
+^^^^^^^^^^^^^^^^^^^^^^^
+WebLAPS service crashes, log/wrapper.log contains following lines:
+
+  INFO|wrapper|Service laps|20-05-21 17:58:41|could not start process 57
+  INFO|wrapper|Service laps|20-05-21 17:58:41|The parameter is incorrect.
+  INFO|wrapper|Service laps|20-05-21 17:58:41|null/null/null
+  SEVERE|wrapper|Service laps|20-05-21 17:58:41|failed to spawn wrapped process
+
+Please check that java.exe file is on system path. In case if there are more than one JRE edit wrapper\conf\wrapper.conf, find follwing line 
+
+  wrapper.java.command  = ${ if  ("${os.name}".toLowerCase().startsWith("windows")) "java.exe"; else "java"}
+
+and comment it with '#'. Next set wrapper.java.command to right path to java.exe file like this (replace with correct path to java.exe)
+
+  wrapper.java.command  = c:/Program Files/Java/jre1.8.0_251/bin/java.exe

_build/html/_sources/mobile.rst.txt

@@ -1,6 +1,6 @@
 LAPS Portal mobile application
 ==============================
-LAPS Portal has mobile clients which works under Android_ and iOS_ devices. 
+LAPS Portal has mobile client which works under Android_ and iOS_ devices. 
 Main features of LAPS mobile client:
 
 * secure access to passwords managed by MS LAPS: in addition to TLS encryption all passwords are additionally encrypted with AES algorithm with unique device key per user. This device key is generated during device enrollment process and stored in secure way at mobile device. On iOS key is stored directly in the KeyChain. On Android key itself is encrypted with random 256-bit AES master key which is encrypted with a device-generated RSA (RSA/ECB/PKCS1Padding) from the Android KeyStore. The combination of the encrypted RSA(AES(master key)) and AES(device key) are stored in SharedPreferences.

_build/html/admin.html

@@ -85,6 +85,8 @@
 <ul class="current">
 <li class="toctree-l1"><a class="reference internal" href="working.html">Working with LAPS Portal</a></li>
 <li class="toctree-l1"><a class="reference internal" href="mobile.html">LAPS Portal mobile application</a></li>
+<li class="toctree-l1"><a class="reference internal" href="agent.html">WebLAPS agent</a></li>
+<li class="toctree-l1"><a class="reference internal" href="install_prereq.html">Installation Prerequisites</a></li>
 <li class="toctree-l1"><a class="reference internal" href="install_unix.html">Installation in Unix</a></li>
 <li class="toctree-l1"><a class="reference internal" href="install_win.html">Installation in Windows</a></li>
 <li class="toctree-l1 current"><a class="current reference internal" href="#">LAPS Portal administration</a><ul>