Secret Server RDP Proxy Training Module
Configuration Guide · v11.x / v12.x · Technical, Advanced

Deploying the RDP Proxy in Secret Server

Configure a zero-credential-exposure RDP gateway that enforces session recording, restricts data exfiltration, and produces a complete audit trail, all without revealing target credentials to the end user.

6 Modules · ~45 Minutes · Proxied Port: TCP/3389 · Session Encryption: AES-256
MODULE 01 / 06

Proxy Architecture Overview

Understand how the RDP Proxy sits between the end user and the target server, brokering credentials and enforcing policy without the user ever seeing the password.

โŒ Direct RDP โ€” Credential Exposure Risk
๐Ÿ’ป End User Workstation USERNAME + PASSWORD SENT ๐Ÿ–ฅ Target Server TCP 3389 โš  Credentials visible to user ยท No audit trail ยท No recording
โœ… RDP Proxy โ€” Zero Credential Exposure
USER ZONE PROXY ZONE TARGET ZONE ๐Ÿ’ป End User Secret Server Launcher TLS ยท Port 443/3389 No creds in transit RDP PROXY ๐Ÿ” Credential Broker Session Recorder Policy Enforcer RDP + Injected Creds User never sees password ๐Ÿ–ฅ Target Server Windows Server TCP 3389 Session Recording Store
๐Ÿ”

Credential Injection

The proxy retrieves credentials from the Secret Server vault and injects them directly into the RDP handshake. The connecting user authenticates to the proxy, never to the target. The actual password is never transmitted to the user's machine.


In-Line Session Recording

All RDP traffic flows through the proxy, enabling pixel-perfect screen capture of the entire session. Video recordings are stored server-side in the Secret Server database or on a configured UNC share, indexed by session metadata.


Policy Enforcement

Because the proxy terminates both sides of the RDP connection, it can enforce channel-level restrictions: clipboard redirect, drive mapping, printer redirect, and file transfer can be blocked regardless of the client's mstsc settings.

Network Port Reference

Connection Leg         Protocol             Default Port   Notes
User → SS Proxy        RDP over TLS         3389 or 443    Configurable; use 443 to traverse restrictive firewalls
Proxy → Target         RDP (NLA optional)   3389           Internal leg; the target must allow the proxy server IP
SS Web Node → Proxy    HTTPS/WCF            443            Registration and session coordination
Proxy → Vault API      HTTPS                443            Credential retrieval at session initiation
Knowledge Check: When using the RDP Proxy, who or what authenticates to the target server using the privileged password?
A. The end user's workstation after the user enters the password in the launcher
B. The mstsc.exe client using cached credentials stored in Windows Credential Manager
C. The Secret Server RDP Proxy service, after retrieving credentials from the vault
D. The Secret Server web node on behalf of the user's session token
MODULE 02 / 06

Installing & Configuring the RDP Proxy

Deploy and register the RDP Proxy component on a dedicated Windows Server, then configure the binding, ports, and Secret Server site assignment.

Prerequisites
Windows Server 2016+ · .NET Framework 4.8 · Network reachability from the proxy host to all target RDP servers · Outbound HTTPS to the Secret Server web node · TLS certificate for the proxy hostname
1. Download & Install the Distributed Engine / RDP Proxy Installer

Navigate to Admin → Distributed Engine → Manage Sites. Click Download Distributed Engine Installer. Run the installer on the designated proxy host as a local administrator.

Dedicated Host Recommended
Deploy the proxy on a host separate from the Secret Server web node to limit the blast radius in the event of compromise. The proxy host should be hardened and, if possible, not domain-joined.

Installer (run on the proxy host as Administrator):

    .\SecretServerDistributedEngineSetup.exe --mode proxy
    # Accept the license and select the install path
    # The service will be named: SS RDP Proxy Service
2. Register the Proxy with Secret Server

Go to Admin → Proxies and click Add Proxy. Provide the hostname or IP of the proxy server. Secret Server will generate a registration token.

appsettings.json:

    {
      "SecretServerUrl": "https://ss.corp.example.com",
      "RegistrationToken": "<paste-token-from-SS-UI>",
      "SiteName": "Proxy-Site-01",
      "ProxyPort": 3389,
      "EnableSsl": true,
      "CertificateThumbprint": "<your-cert-thumbprint>"
    }
3. Configure Proxy Listener & TLS Certificate

Bind a trusted TLS certificate to the proxy listener. This certificate is presented to the connecting user's RDP client.

PowerShell (bind the certificate):

    # Retrieve the thumbprint of the proxy certificate; take the first match
    # so that $thumb is a single string even if several certs share the subject
    $thumb = (Get-ChildItem Cert:\LocalMachine\My |
      Where-Object { $_.Subject -like "*rdp-proxy*" } |
      Select-Object -First 1).Thumbprint

    # Bind it to the listener port (3389, or 443 if that is the configured proxy port)
    netsh http add sslcert ipport=0.0.0.0:3389 `
      certhash=$thumb `
      appid="{00000000-0000-0000-0000-000000000000}"
Tip: If users connect via mstsc and see a certificate warning, the proxy certificate is not trusted by the connecting machine's CA store. Deploy it via GPO or use an internal CA certificate that is auto-trusted.
4. Assign Proxy to a Secret Server Site

In the Secret Server UI go to Admin → Sites. Select (or create) the site that covers your target RDP servers. Under RDP Proxy Settings, select your newly registered proxy from the dropdown. Set the proxy's public address; this is what the user's launcher connects to.

Field                        Value / Guidance
Proxy Hostname / IP          Externally reachable FQDN, e.g. rdpproxy.corp.example.com
Proxy Port                   3389 (or 443 for firewall bypass scenarios)
Enable Proxy                 Toggle ON; makes all launchers on this site route through the proxy
Restrict Launcher to Proxy   ON; prevents direct RDP bypassing the proxy
5. Verify Proxy Status in Admin Console

Navigate to Admin → Proxies. The proxy row should display Online within 60 seconds. Check that the Last Contact timestamp updates every heartbeat cycle (default: 30 s).

Success Criteria
Status = Online · Last Contact < 60 sec ago · Site association shows the correct site name · No certificate errors in the SS Engine log
MODULE 03 / 06

Configuring the RDP Launcher to Route via Proxy

Configure Secret Templates and Launcher settings so that every RDP session initiated from the vault is automatically routed through the proxy without user intervention.

Launcher Initiation Flow

Figure: (1) the user clicks "Launch RDP" in the SS UI → (2) SS generates an .RDP token with the proxy address embedded → (3) mstsc.exe opens and connects to the proxy, not to the target directly → (4) the proxy validates the token and policy against SS access rules → (5) the proxy opens RDP to the target with the credentials; the session begins and recording starts.

Secret Template โ€” RDP Launcher Settings

Navigate to Admin → Secret Templates → [Your Windows Template] → Launcher Tab

Setting                      Recommended Value        Impact
Launcher Type                Remote Desktop           Enables RDP-specific proxy routing
Connect As                   Credentials on Secret    Vault credentials injected by the proxy, not typed by the user
Use Proxy                    Enabled                  Routes through the registered proxy; hides the target IP from the user
Restrict User Input          Enabled                  User cannot override the launcher with custom .RDP files
Additional RDP Parameters    drivestoredirect:s:      Blocks drive redirection at the token level

Understanding the Generated .RDP Token

The launcher generates a temporary .RDP file. Notice that the full address points to the proxy, not the target. The gatewaycredentialssource is set so the user is not prompted for credentials.

.RDP token (generated by the launcher):

    # Connection target is the PROXY, not the server
    full address:s:rdpproxy.corp.example.com:3389
    session bpp:i:32
    authentication level:i:2
    enablecredsspsupport:i:1
    # Token for session authorization; no password here
    loadbalanceinfo:s:SS_SESSION_TOKEN=eyJ0eXAiOi...
    # Restrictions embedded
    redirectclipboard:i:0
    redirectdrives:i:0
    redirectprinters:i:0
    redirectcomports:i:0
    # Password field is intentionally empty; the proxy injects the credential
    password 51:b:
MODULE 04 / 06

Enforcing Session Recording

Configure mandatory session recording on all proxied RDP sessions, set the recording storage backend, and ensure users are notified of monitoring.

Legal & Compliance Notice
Recording employee sessions may have legal requirements depending on jurisdiction. Ensure legal review is complete before enforcement. Secret Server supports displaying a legal banner/consent notice before session launch.
1. Enable Session Recording on the Secret Policy

Navigate to Admin → Secret Policies → [Your Policy] → Session Recording

Policy Setting                       Value     Enforce?
Enable Session Recording             Enabled   Enforced
Enable Recording via Proxy           Enabled   Enforced
Enable On-Screen Keyboard Logging    Enabled   Optional
Hide Secrets from Launcher           Enabled   Enforced
Tip: Setting a policy item to Enforced prevents Secret owners or users from disabling it on individual secrets, even with Owner-level access.
2. Configure Recording Storage Location

Go to Admin → Configuration → Session Recording

Option                   Notes
Database (Default)       Recordings are stored as BLOBs in the SQL database. Simplest setup, but the SQL backup must cover it. Good for small volumes.
UNC Path / File Share    Recommended for scale. Format: \\fileserver\SSRecordings\. The SS service account must have write access. Back up independently.
AWS S3 / Azure Blob      Available with SS Cloud, or on-prem with the cloud storage add-on. Infinite retention without on-prem disk management.

web-appSettings.config (UNC path; backslashes are not escaped in XML attribute values):

    <add key="SessionRecordingPath" value="\\fileserver\SSRecordings" />
    <add key="SessionRecordingEnabled" value="true" />
3. Set Retention & Purge Policy

Go to Admin → Configuration → Session Recording → Retention. Define how long recordings are kept before automatic deletion.

Regulatory Alignment
HIPAA / PCI-DSS / SOC 2 may require session recordings to be retained for 1 to 7 years. Set retention to match your highest applicable standard. Consult compliance before enabling purge.
4. Configure Pre-Session Legal Banner

Navigate to Admin → Configuration → Login → Login Banner. Set a message that appears before each session launch and requires user acknowledgment.

Recommended banner text:

    NOTICE: This session will be recorded and monitored
    for security and compliance purposes. By proceeding,
    you acknowledge and consent to this monitoring.
    Unauthorized use of this system is prohibited and
    subject to disciplinary and legal action.

Recording File Format & Metadata

FORMAT

Secret Server stores recordings as proprietary .ssvid files (AES-256 encrypted). The audit viewer decrypts and streams on demand. Raw video export is available to administrators for external archiving.

INDEXED METADATA

Each recording is indexed with: Secret ID, username, start/end timestamps, target hostname/IP, session duration, and any keystroke log. Supports full-text search across keystroke logs.

MODULE 05 / 06

Restricting Clipboard, Drive Redirect & Idle Timeouts

Prevent data exfiltration channels through the proxied session and enforce automatic termination of idle sessions.

RDP Channel Restriction Matrix

RDP Channel          Exfil Risk   Proxy Enforcement   Policy Setting
Clipboard Redirect   HIGH         Blocked at proxy    redirectclipboard:i:0
Drive Mapping        HIGH         Blocked at proxy    drivestoredirect:s:
Printer Redirect     MEDIUM       Blocked at proxy    redirectprinters:i:0
COM Port Redirect    MEDIUM       Blocked at proxy    redirectcomports:i:0
SmartCard Redirect   MEDIUM       Configurable        redirectsmartcards:i:0
Audio Redirect       LOW          Configurable        audiomode:i:2
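The following Python script is an added example, not Secret Server code: it parses a launcher-generated .RDP token like the one shown in Module 03 and checks it against the restriction matrix above (proxy address, empty password field, session token present, channel restrictions). The proxy hostname, the required-value table and both sample tokens are constructed for the illustration.

```python
# Added example (not Secret Server code): check a launcher-generated .RDP token against
# the channel restriction matrix. Proxy name, required values and tokens are constructed.
EXPECTED_PROXY = "rdpproxy.corp.example.com"
REQUIRED_RESTRICTIONS = {      # .RDP key -> value the token must carry
    "redirectclipboard": "0",  # clipboard redirect (HIGH risk)
    "drivestoredirect": "",    # drive mapping (HIGH risk)
    "redirectprinters": "0",   # printer redirect (MEDIUM risk)
    "redirectcomports": "0",   # COM port redirect (MEDIUM risk)
}
def parse_rdp(text):
    """Parse 'name:type:value' lines (type s=string, i=int, b=binary) into a dict."""
    fields = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)  # the value itself may contain ':' (host:port)
        if len(parts) == 3:
            fields[parts[0]] = (parts[1], parts[2])
    return fields

def check_token(text, expected_proxy=EXPECTED_PROXY):
    """Return the list of policy violations; an empty list means the token is compliant."""
    f = parse_rdp(text)
    problems = []
    host = f.get("full address", ("s", ""))[1].rsplit(":", 1)[0]
    if host.lower() != expected_proxy.lower():
        problems.append(f"full address targets {host!r} instead of the proxy")
    if f.get("password 51", ("b", ""))[1]:
        problems.append("password 51 is populated: a credential leaked into the token")
    if not f.get("loadbalanceinfo", ("s", ""))[1].startswith("SS_SESSION_TOKEN="):
        problems.append("loadbalanceinfo carries no SS_SESSION_TOKEN")
    for key, wanted in REQUIRED_RESTRICTIONS.items():
        if key not in f:
            problems.append(f"{key} missing: channel falls back to the client's mstsc setting")
        elif f[key][1] != wanted:
            problems.append(f"{key} is {f[key][1]!r}, expected {wanted!r}")
    return problems

# Constructed tokens: one as the launcher emits it, one edited to aim at the target directly
# and re-enable the clipboard (the kind of override Restrict User Input is meant to prevent).
GOOD_TOKEN = """\
full address:s:rdpproxy.corp.example.com:3389
loadbalanceinfo:s:SS_SESSION_TOKEN=constructed-sample
drivestoredirect:s:
redirectclipboard:i:0
redirectprinters:i:0
redirectcomports:i:0
password 51:b:
"""
BAD_TOKEN = (GOOD_TOKEN.replace("rdpproxy.corp.example.com", "win-prod-01.corp.example.com")
             .replace("redirectclipboard:i:0", "redirectclipboard:i:1"))
```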

Clipboard Restriction: Why It Matters

Figure: Without restriction, the user copies secrets on the target server and pastes the data on the local workstation (exfiltrated). With proxy restriction, the clipboard channel is terminated by the proxy.

โฑ๏ธ Idle Session Timeout Configuration

Configure automatic session termination for sessions that have been idle beyond a threshold. This is enforced at the proxy level, overriding any Windows Group Policy on the target.

1. Configure Idle Timeout in Secret Policy

Go to Admin → Secret Policies → [Policy] → Remote Desktop

Setting                   Recommended     Notes
Enable Idle Timeout       ON              Activates proxy-side idle detection
Idle Timeout (minutes)    15              15 min for PAM best practice; adjust per risk tier
Inactivity Notification   2 min warning   Shows an overlay warning before disconnect
2. Verify Idle Detection Scope

What "Idle" Means
The proxy tracks RDP input channel activity (mouse moves, keystrokes). A running script on the remote session does NOT reset the idle timer; only user input does. This correctly identifies sessions where the user has walked away.
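To make the idle rule concrete, the added Python model below (not the product's implementation) replays constructed session events through a timer in which only INPUT events reset the clock, using the 15 minute timeout and 2 minute warning from the policy table above; the event scenarios and timestamps are constructed.

```python
# Added example (not the product's implementation): proxy-side idle timer where only
# user input resets the clock. 15 min timeout and 2 min warning follow the policy
# table above; the event scenarios and their timestamps are constructed.
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=15)
WARN_BEFORE = timedelta(minutes=2)
INPUT, OUTPUT = "INPUT", "OUTPUT"  # user keyboard/mouse vs screen updates from the target

def evaluate_idle(events, session_start, until):
    """Return [(time, action)] the proxy takes for (time, kind) events observed up to 'until'."""
    actions, last_input, warned = [], session_start, False
    for ts, kind in sorted(events) + [(until, "END")]:
        warn_at = last_input + IDLE_TIMEOUT - WARN_BEFORE
        kill_at = last_input + IDLE_TIMEOUT
        if ts >= kill_at:                 # 15 min with no input: terminate the session
            actions.append((kill_at, "IDLE_DISCONNECT"))
            break
        if not warned and ts >= warn_at:  # 13 min with no input: show the overlay warning
            actions.append((warn_at, "IDLE_WARNING"))
            warned = True
        if kind == INPUT:                 # only input resets; OUTPUT (a running script) never does
            last_input, warned = ts, False
    return actions

def _t(hms):
    return datetime.strptime("2025-11-14 " + hms, "%Y-%m-%d %H:%M:%S")

SESSION_START = _t("09:14:32")
# A script on the target repaints the screen every 5 minutes; the last keystroke is at 09:15:44.
SCRIPT_OUTPUT = [(_t(x), OUTPUT) for x in ("09:20:00", "09:25:00", "09:30:00", "09:35:00")]

def demo_walked_away():
    """User never returns: warning at 09:28:44, disconnect at 09:30:44 despite screen activity."""
    return evaluate_idle([(_t("09:15:44"), INPUT)] + SCRIPT_OUTPUT, SESSION_START, _t("09:40:00"))

def demo_user_returns():
    """User types again at 09:29:32, after the warning but before the cut-off: timer resets."""
    return evaluate_idle([(_t("09:15:44"), INPUT), (_t("09:29:32"), INPUT)] + SCRIPT_OUTPUT,
                         SESSION_START, _t("09:36:50"))
```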

Session Restriction Checklist

✓ Clipboard redirect disabled in Secret Policy: prevents copy-paste data exfiltration between the user workstation and the target
✓ Drive mapping (redirectdrives) blocked: prevents mounting local drives on the target server via the session
✓ Printer redirect disabled: eliminates the ability to print sensitive data from the target
✓ Idle timeout set to ≤ 15 minutes and enforced: automatically terminates abandoned privileged sessions
✓ Restrict Launcher to Proxy enabled on the Site: prevents users from initiating direct RDP connections that bypass proxy controls
✓ Legal banner/consent message configured: satisfies notification requirements for session monitoring
MODULE 06 / 06

Reviewing Sessions in the Audit Viewer

Locate, playback, and export recorded RDP sessions for security investigations and compliance audits using the built-in Secret Server Audit Viewer.

Session Audit Log (simulated example)

Session playback: jsmith → WIN-PROD-01 · 2025-11-14 09:14:32 UTC · AES-256 encrypted · 22m 18s duration

Session Event Log

Click any row to jump to that timestamp in playback. Events are extracted from the keystroke log and screen activity analyzer.

Timestamp   Event Type      Detail
09:14:32    SESSION_START   Proxy session initiated by jsmith from 10.20.1.55
09:14:40    AUTH_SUCCESS    Credential injected for WIN-PROD-01\administrator
09:15:44    KEYSTROKE       net user administrator <redacted>; password reset command
09:17:37    PROCESS         cmd.exe spawned; regedit.exe spawned
09:21:56    CLIP_ATTEMPT    Clipboard redirect attempt blocked by proxy
09:28:40    IDLE_WARNING    Inactivity threshold 13m reached; warning displayed
09:29:32    USER_RESUMED    Input detected; idle timer reset
09:36:50    SESSION_END     Session terminated normally by user; duration 22m 18s
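As an added example (not Secret Server code), the Python below parses an event log export with the line shape 'HH:MM:SS EVENT_TYPE detail', an assumed format mirroring the table above, and produces the summary an auditor wants from a session: user, target, duration, blocked exfiltration attempts and keystrokes worth review. The sample lines are constructed.

```python
# Added example (not Secret Server code): triage one exported session event log. The
# 'HH:MM:SS EVENT_TYPE detail' line format and the sample lines are constructed here,
# mirroring the table above; the export is assumed not to cross midnight.
import re
from datetime import datetime
SAMPLE_LOG = """\
09:14:32 SESSION_START Proxy session initiated by jsmith from 10.20.1.55
09:14:40 AUTH_SUCCESS Credential injected for WIN-PROD-01\\administrator
09:15:44 KEYSTROKE net user administrator <redacted>
09:17:37 PROCESS cmd.exe spawned; regedit.exe spawned
09:21:56 CLIP_ATTEMPT Clipboard redirect attempt blocked by proxy
09:28:40 IDLE_WARNING Inactivity threshold 13m reached; warning displayed
09:29:32 USER_RESUMED Input detected; idle timer reset
09:36:50 SESSION_END Session terminated normally by user
"""
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) ([A-Z_]+) (.*)$")
# Keystroke patterns a reviewer wants surfaced: changes to local accounts and groups.
REVIEW_PATTERNS = [(re.compile(r"\bnet\s+user\b", re.I), "local account modified"),
                   (re.compile(r"\bnet\s+localgroup\b", re.I), "local group modified")]

def parse_log(text):
    """Return [(datetime, event_type, detail)], skipping lines that are not events."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((datetime.strptime(m.group(1), "%H:%M:%S"), m.group(2), m.group(3)))
    return out

def triage(text):
    """Summarise a session for an auditor: who, where, how long, and what needs review."""
    ev = parse_log(text)
    def by_type(t):
        return [e for e in ev if e[1] == t]
    start, end, auth = by_type("SESSION_START"), by_type("SESSION_END"), by_type("AUTH_SUCCESS")
    who = re.search(r"initiated by (\S+) from (\S+)", start[0][2]) if start else None
    secs = int((end[0][0] - start[0][0]).total_seconds()) if start and end else None
    flagged = [(ts.strftime("%H:%M:%S"), why) for ts, t, d in ev if t == "KEYSTROKE"
               for pat, why in REVIEW_PATTERNS if pat.search(d)]
    return {
        "user": who.group(1) if who else None,
        "source_ip": who.group(2) if who else None,
        "target": auth[0][2].split("for ", 1)[1].split("\\")[0] if auth else None,
        "duration": f"{secs // 60}m {secs % 60:02d}s" if secs is not None else None,
        "blocked_exfil_attempts": len(by_type("CLIP_ATTEMPT")),
        "processes": [p for _, _, d in by_type("PROCESS") for p in re.findall(r"(\S+\.exe) spawned", d)],
        "flagged_keystrokes": flagged,
        "needs_review": bool(flagged) or bool(by_type("CLIP_ATTEMPT")),
    }
```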

How to Access Recorded Sessions

1
Navigate to the Secret's Audit Tab

Open the relevant Secret in the Secret Server UI → click the Audit tab. All sessions launched from this secret are listed in chronological order with user, date, and duration.

2
Search Across All Sessions

For a cross-secret investigation go to Reports → Session Monitoring. Filter by user, date range, target hostname, or duration. The keystroke log is full-text searchable, which is useful for finding when a command was run across thousands of sessions.

3
Export for External Review

Administrators with View Session Recording permission can export recordings. Choose Export as .mp4 for playback in external tools, or Export Raw (.ssvid) for archival. The export is watermarked with session metadata.

Access Control for Recordings
Grant View Session Recording only to Security, Audit, and Compliance roles. Regular administrators should not have this permission by default: the privilege of review should be separated from the privilege of access.

Required Permissions by Role

Permission                       Security Team   IT Admin   Auditor   End User
Launch RDP via Proxy             Yes             Yes        No        Conditional
View Session Audit Log           Yes             Yes        Yes       Own only
View Session Recording (video)   Yes             No         Yes       No
Export Recordings                Yes             No         Yes       No
Delete Recordings                Admin only      No         No        No
Terminate Active Session         Yes             No         No        No
Final Check: A clipboard redirect attempt appears in the session event log. What does this indicate?
A. The user successfully copied data from the target server to their local clipboard
B. A copy or paste action was attempted but was blocked by the proxy's channel restriction
C. The RDP session was terminated because clipboard use violated policy
D. The target server denied the clipboard operation at the OS level

Training Complete

You've completed the Secret Server RDP Proxy deployment training. You are now equipped to deploy, configure, and audit controlled RDP sessions with zero credential exposure.
