Tips and Tricks
Is there a way to disable or autohide the Firefox URL or navigation bars on Carrier?
Yes. See the config file /opt/privx/etc/carrier-config.toml on the Carrier host for these settings:
# Enable Firefox browser kiosk mode
# Disables right mouse button, maximize and minimize buttons and navigation.
# This setting overrides all other settings below.
# Disabled by default
kiosk_mode = false
# Enable URL bar of web browser
# Effective only, if kiosk mode is disabled.
# Enabled by default
enable_urlbar = true
# Enable navigation bar of web browser
# Effective only, if kiosk mode is disabled.
# Enabled by default
enable_navibar = true
# Autohide navigation bar of web browser, show when hovering the mouse
# Effective only, if kiosk mode is disabled.
# Disabled by default
autohide_navibar = false
Is there any way to use roles to restrict which Windows accounts on an endpoint can be accessed?
The idea with PrivX is that you restrict which roles a particular user has access to, e.g. based on membership of the AD group Windows Admins via PrivX, and then, in the target configuration of the endpoint, ensure that the particular user has the right to log on locally and is allowed RDP through some AD group membership, e.g. through role All Windows Admins, or individually if you like. The target host configuration in PrivX should have login as self for the PrivX role that has the Windows Admins via PrivX AD group configured.
This way the configuration is dynamic, and no additional configuration is needed beyond what Windows by default would require for RDP access with smart card authentication. Note that if your Windows target is an AWS host, you can configure the login as self using an AWS tag and enable scanning of the AWS directory for the target hosts.
How can I sudo with PrivX?
After the target host has been configured for access through PrivX, one way to achieve this is to disable password verification for sudo by editing /etc/sudoers. If users access the host with individual accounts, sudo can also be enabled only for specific accounts through /etc/sudoers. If password verification for sudo is disabled, we strongly recommend hardening the host so that it is only accessible through PrivX.
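One way to check that passwordless sudo stays limited to specific accounts, as the answer above recommends. This is an added example, not part of the PrivX documentation; the function names and the sample sudoers content are constructed for illustration, and the parser assumes one rule per line.

```shell
#!/bin/sh
# Added example: list who holds passwordless sudo and fail on unapproved entries.

# Print each principal (user, %group, #uid or ALL) that can sudo without a
# password, via a NOPASSWD tag or a "Defaults !authenticate" setting.
# Assumptions: one rule per line, no backslash continuations, aliases not expanded.
nopasswd_principals() {
    awk '
        /^[ \t]*$/ || /^[ \t]*#([^0-9]|$)/ { next }    # blank, comment, #include
        $1 ~ /^(User|Runas|Host|Cmnd)_Alias$/ { next }  # alias definitions
        $1 ~ /^Defaults([:@!>]|$)/ {
            if ($0 ~ /!authenticate/)
                print (($1 ~ /^Defaults:/) ? substr($1, 10) : "ALL")
            next
        }
        /NOPASSWD[ \t]*:/ { print $1 }
    ' "$@" | LC_ALL=C sort -u
}

# Succeed only if every passwordless principal is in the approved list
# (first argument, space-separated). Unapproved principals are printed.
audit_nopasswd() {
    allowed=" $1 "; shift
    rc=0
    for p in $(nopasswd_principals "$@"); do
        case "$allowed" in
            *" $p "*) ;;
            *) echo "$p"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample in the style of /etc/sudoers (not from a real host).
sample_sudoers() {
    cat <<'EOF'
Defaults env_reset
root    ALL=(ALL:ALL) ALL
alice   ALL=(ALL) NOPASSWD: ALL
%wheel  ALL=(ALL) NOPASSWD: /usr/bin/systemctl
bob     ALL=(ALL) ALL
Defaults:carol !authenticate
#includedir /etc/sudoers.d
EOF
}

tmp=$(mktemp) && sample_sudoers > "$tmp"
audit_nopasswd "alice" "$tmp" || echo "unapproved passwordless sudo found" >&2
rm -f "$tmp"
```

On a real host, pass /etc/sudoers and the files under /etc/sudoers.d as arguments, and validate any edit with visudo -c before relying on it.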
Can I configure how often PrivX verifies the connected user's access rights?
Yes, please modify the setting reauthorization_interval_sec as needed in the files *-proxy.toml and *-mitm.toml.
How can I reset the superuser password?
On a PrivX server, obtain a hashed version of your new password (replace example_password with your new password):
# /opt/privx/bin/keyvault-tool bcrypt <example_password>
Access the PrivX database using psql with write permissions. Change the superuser password (replace password_hash and superuser with the hashed password and your superuser account name respectively):
# UPDATE localuser SET password='password_hash' WHERE username='superuser';
You can now log into PrivX as superuser using the new password.
How to enable web login to AWS console or Azure portal
To enable login to AWS console or Azure portal, certain additional fields need to be added to host services:
Can I change the banner text?
Yes, please modify the setting privx_instance_name as needed in the file shared_config.toml.