Setting Up PCS

This section tells how to install, configure, and start using Privilege Control for Servers (PCS).

For an overview of PCS and its components, see Privilege Control for Servers.

Prerequisites to PCS Installation

Before you start installing and using PCS, you must already have the Delinea Platform set up for fundamental tasks.

Follow these procedures and understand these concepts:

Using Platform Integration Center
Discovery for Active Directory users and servers
Setting Up a PRA Engines Site
Installing PRA Engines
Installing the Delinea Connector
Setting up MFA Creating Authentication Profiles
Secrets on the Platform (including how to place an account in the Secret Server vault)

PCS Installation Overview

Before you begin installing and setting up PCS, make sure you are using one of the Supported Operating Systems for PCS.

To set up Privilege Control for Servers to work on the Delinea Platform and start using it, perform the following tasks:

Step 1: Configure Firewall Ports for PCS

Step 2: Set Up PCS Service Accounts

Step 3: Install the Delinea Connector on Managed Servers

Step 4: Enable IWA Service on Connectors

Step 5: Install the Delinea Platform Engine on Managed Servers

Step 6: Install the Delinea Agent on Managed Servers

Step 7: Scan Computer Inventory

Step 8: Set Up Authentication Profiles for PCS

Step 9: Set Up PCS Policies

Step 10: Set Up Audit and Session Recording

Step 11: Set Up Use My Account

Step 1: Configure Firewall Ports for PCS

To use Privilege Control for Servers, be sure your firewall ports are configured appropriately. Use the procedure in Setting Up a Platform Firewall.

Step 2: Set Up PCS Service Accounts

On the Delinea Platform, create a domain service account with roles and permissions that are specific to PCS. This account is called a Command Relay Service Account. The account must be placed in the Secret Server vault to be used for setting up Delinea Platform Engine Management and its Command Relay workload (see Using the Command Relay Workload).

You must create at least one of these accounts, but you can also create more according to best practices for the Secret Server Discovery and Directory Services.

Step 3: Install the Delinea Connector on Managed Servers

The Delinea Directory Connector enables secure communication between the Delinea Platform and AD directories. Install the Delinea Connector on your target servers by following the procedures at Delinea Connector and in these sections:

Step 4: Enable IWA Service on Connectors

Enable Integrated Windows Authentication for PCS by following the procedure at Configuring IWA.

Step 5: Install the Delinea Platform Engine on Managed Servers

Delinea Platform Engine and Engine Management are components of the larger Delinea Platform product, and they are required by Privilege Control for Servers. The Delinea Platform Engine runs two workloads for PCS:

Command Relay
Audit Collector

To install the Delinea Platform Engine:

On the server where the Delinea Platform Engine will be running, along with its Command Relay and Audit Collector workloads, log in as a user with the custom role you created for viewing inventory.
Download and install the Delinea Platform Engine on your target servers by following the procedures in Engine Management.

Updating the Platform Engine Management Settings

After installing the Delinea Platform Engine on your target servers, adjust the engine management settings.

From the left navigation, select Settings, then Engine Management.
Select the site that you want to update using the vaulted secret you just created.
Click the Settings tab.
Next to Audit Collector, click Edit.
Enter the following settings:
- Collector Port: 5063
- Session Recording: enabled
Click Save.
Next to Command Relay, click Edit.
Next to Command Relay Service Account, click Select.
Search for and select the vaulted engine management account you created earlier.
Click Turn off folder inheritance and share secret.
Click Save.

Updating the Platform Engine

The Delinea Platform Engine version 1.2.33.0 or later is required for PCS. You might need to update the software version for your Delinea Platform Engine.

Click Settings, then click Engine Management.
Click the name of the site where your Delinea Platform Engine is installed.
Click the Engines tab.
Look at the Version column.

If the version is not 1.2.33.0 or later, update the engine as follows:

In the Engines tab, click the name of the engine.
Click the Workloads tab.
In the Command Relay row, look at the Version column.
If the version is not 1.0.94 or higher, restart the Delinea Platform Engine service on the server that is running the Delinea Platform Engine. Wait for Command Relay to update.
Log in to the server running the Delinea Platform Engine.
Open PowerShell as an administrator.

Copy the following script:


Clear-Host;Write-Host "Uninstalling Delinea Platform Engine"; $ZipFile = "$env:TEMP\DelineaEngineInstaller.zip"; $InstallerFolder = "$env:TEMP\$(New-Guid)"; $ProgramFilesFolder = 'C:\Program Files\Delinea Platform Engine'; $ProgramDataFolder = 'C:\ProgramData\Delinea Platform Engine'; $ProgressPreference = 'Continue'; Write-Host "Downloading latest installer packages. This may take a moment..."; if (Test-Path $ZipFile) { Remove-Item $ZipFile } if (Test-Path $InstallerFolder) { Remove-Item $InstallerFolder -Recurse -Force } $Uri = 'https://enginepoolupdatedev.blob.core.windows.net/shell-installer/555173/win-x64.zip'; if ($PSVersionTable.PSVersion -lt [Version]"6.0") { $ProgressPreference = 'SilentlyContinue' } Invoke-WebRequest $Uri -OutFile $ZipFile; $ProgressPreference = 'Continue'; Expand-Archive $ZipFile $InstallerFolder; Remove-Item $ZipFile;Set-Location -Path $InstallerFolder; ./Delinea.EnginePool.Engine.Installer.exe uninstall --keep-working-directory; if (Test-Path $ProgramFilesFolder) { Remove-Item -Recurse -Force $ProgramFilesFolder; } if (Test-Path $ProgramDataFolder) { Remove-Item -Recurse -Force $ProgramDataFolder; }

Paste the script into PowerShell.
Run the script.

If errors happen during the uninstall, close the PowerShell windows, launch PowerShell again as administrator, and run the uninstall script.
On the Delinea Platform, click Settings, then click Engine Management.
Open the site where the Delinea Platform Engine is installed.
Click the Engines tab.
Click the engine name.
Click Delete Engine.

Step 6: Install the Delinea Agent on Managed Servers

Now that you have installed the Delinea Platform Engine, install the Delinea Agent on your managed servers.

Before running the procedures in this section, we recommend you see the additional content at Agents Reference.

Checking for Agent Installation

To see whether the Delinea Agent is already installed on a given computer, view the computer's information in the Inventory page. See Inventories .

If the agent is installed, the Client Version field shows a software version number. You can skip the next few procedures for downloading and installing the agent, because the agent is already present. Go ahead to Step 7: Scan Computer Inventory.

Downloading the Agent

To download the agent software:

Log in to your Delinea Platform tenant.
From the left navigation, select Marketplace, then Download Center.
In the Search box, enter Agent.
Find the agent for your operating system.
Click the download icon.
Wait for the package to compile and download.
Copy the download package to the server you want to manage.

Installing the Linux Agent

To install the Delinea Agent on a managed server that is running the Linux operating system, use the steps in this section.

To get more details about the Linux agent, see Agents Reference.

Requirements:

Perl (and the following modules: lib, File::Basename, File::Copy, File::Find, File::stat, Getopt::Long, Sys::Hostname and Text::ParseWords)
Forward and Reverse DNS entries for each *nix server

If you require a different version of the *nix agent, visit the following site:
https://<tenant>.delinea.app/view/marketplace/browse/authorization/agent-downloads-grid

You can also update the agent installation script to use the new URL for the agent download.

Steps:

Log in to your Linux server as root user.
Create a folder (for example, delinea-agent) and extract the package that you downloaded in Downloading the Agent:
```
# mkdir delinea-agent
```
```
# tar -xzf rhel6-x86_64.tgz -C delinea-agent/
```
Navigate to the folder that you created in the previous step:
```
# cd delinea-agent/
```
Install the Linux Agent:
```
# ./agent_setup.sh --domain <domain name>
```
There are several options you can specify if needed. For more information, display the documentation of agent_setup.sh:
# ./agent_setup.sh --help
For the UNIX computers where you have installed the Delinea agent, you need to join them to the Active Directory domain and the Privilege Control zone DelineaZone. To do this, use the adjoin command, either interactively at the command line or in a script. To use this command, you need to have certain privileges, and it must be run with a set of required command-line options. For details, see Joining Linux/UNIX Computers to a Domain and Zone.

Installing the Windows Agent

To install the Delinea Agent on a managed server that is running the Windows operating system, use the steps in this section.

Requirements:

.Net 4.8
Must be joined to the Active Directory domain and Privilege Control zone

Steps:

Log in to the server as domain administrator.
In the File Explorer, right-click the .zip file that you downloaded in Downloading the Agent and select Extract All....
Click Extract.

When extraction is complete, the files appear in a new File Explorer window.

The container package is in Zip format, but the files inside are in TGZ format.
Open the Agent-for-Windows-6... folder.
Double-click the Windows 64 agent installer file.
Click Next. The Delinea Agent for Windows Wizard opens.
Click Next.
Accept the terms of the license agreement and click Next.
Keep the default destination folder and click Next.
Click Install.
Select Run Agent Configuration Wizard.
In the Agent Configuration Wizard, click Add Service.
Click Privilege Elevation Service, then click OK.
Select the DelineaZone, then click Next.
Click Yes to add the Domain Admins.
Click Yes to Restart.

Step 7: Scan Computer Inventory

At this point you must run Discovery to make the platform aware of your newly added computers.

Follow the steps at Discovery.
To be sure that Discovery found all your added machines, check the Inventory. Follow the steps at Computers Inventory.

Step 8: Set Up Authentication Profiles for PCS

Authentication profiles are required for PCS to function.

An authentication profile specifies the authentication challenges required to log in to the platform and the length of time that must elapse before a user is prompted for authentication again.

To set up authentication profiles for PCS:

Follow the concepts and steps in Creating Authentication Profiles. Follow these guidelines:

Endpoint Login Profiles: Authentication profiles for Endpoint Login policies should not have Challenge 1 set to Password, because the platform will always present a password challenge to the user first.
Local Administrator Privilege Profiles: Profiles for Local Administrator Privilege policies should not have Challenge 1 set to Password, because the platform will always present a password challenge to the user first.
Emergency Access Profiles: You do not need to create any profiles for Emergency Access policies, because their Rule Type is always Allow.

Step 9: Set Up PCS Policies

PCS authentication policies provide users with machine-level (server) permissions for logging in to remote computers and servers managed by Delinea Platform and performing actions on them. By assigning machine-level policies, you can ensure that each asset adheres to compliance standards, maintaining both security and efficiency across your network.

Follow the steps in Setting Up PCS Policies.

Step 10: Set Up Audit and Session Recording

To track events on Delinea Platform, you can set up audit logs and session recordings. For more details, see Audit.

From the left navigation, select Insights, then Session review.
Log into the server as the administrator, root, or normal AD user.

To Configure on Linux:

Do not skip these steps. The Linux agent requires Direct Audit to be enabled on the Agent when policies have session recording enabled. If you skip these steps, and enable Session Recording in a Granular Privilege Elevation policy for Linux, you could be blocked from logging in to the Linux agent. See Session Recording Stops Linux Agent Login.

Log in as root user.
Enter the following commands:
- dacontrol -i DelineaPlatformAudit
- dacontrol -e
- dainfo

To Configure on Windows:

Log in a Domain Administrator.
Launch Agent Configuration.
Click Add Service.
Select Auditing and Monitoring Service.
Click OK.
On the Enable session capture and replay page, select DelineaPlatformAudit.
Click Next.

Audit and Monitoring configuration is complete.

Viewing Audit Session Recordings

From the left navigation, select Insights, then Session review.

Linux

When logging in to a Linux server, use one of the following options:

Run commands as root user.
Run commands as a normal AD user. Elevate commands as a normal AD user having the Local Administrator Privileges policy using the dzdo command.

Windows

When logging in to a Windows server, use one of the following options:

Run programs as the administrator.
Run commands as a normal AD user. Launch elevated desktop as a normal AD user having the Local Administrator Privileges policy.

Step 11: Set Up Use My Account

You can set up Use My Account (UMA) so you can log in to enrolled Linux systems.

See Setting Up Use My Account.