Dynamically set NICE DCV session permissions at Windows logon

When using system authentication, Windows-based NICE DCV servers delegate client authentication to the underlying operating system. Upon authentication, DCV validates the DCV permissions, which specify the users that are allowed to access the session stream and the features they can use. Dynamically setting DCV session permissions allows administrators to automate session permissions based on specific events. This is especially beneficial when the DCV servers are joined to Active Directory, since the domain users and policies are known to the operating system. A similar method can be applied to non-domain joined machines; however, the end users will require local user accounts on the operating system. For this walkthrough, you will focus on domain-joined environments.

In this blog, you will deploy Windows scheduled tasks via Group Policy that will be invoked based on user login and logoff events. At logon, a task invokes a local PowerShell script to dynamically set the DCV session permissions. These permissions only allow the initial user access to the DCV session. Upon logout, a local logout script is invoked to reset the permissions allowing all domain users to access the server. The provided permissions can be further modified to fit your exact use case.

Architecture

The diagram above illustrates your end users connecting to a Windows-based DCV server over the internet. These DCV servers have Group Policies applied that are configured on the Organizational Unit containing the DCV computer objects within Active Directory. The policies create scheduled tasks that will invoke based upon users logging in and off the DCV server. The method outlined in this blog can be used the same way if users are privately connecting, or flowing through a DCV Connection Gateway. When the initial user connects, the permissions are open to all users. Without updating the permissions, the subsequent user is able to join the session as a collaborator. To lock the session to the initial user, the scheduled task will update the permissions to only allow the initial user stream access. When a subsequent user attempts a connection, they receive a permissions error. When the initial user logs out, the permissions are reset to be open. This walkthrough does not cover task failure retries, but more information can be found in the Task Scheduler documentation.

Prerequisites

Walkthrough

Step 1: Configure your dynamic DCV permissions GPO

Configure Dynamic Logon Permissions

1. Access your Windows-based domain-joined machine with a domain administrator account.
2. Choose Start, select Run, and enter gpmc.msc then select OK.
   • If you do not have GPMC installed, you may run the following in PowerShell to install it
     • Install-WindowsFeature GPMC
3. Navigate to the Organizational Unit (OU) that contains your DCV server computer objects. Alternative-select the OU and select Create a GPO for this domain, and Link it here…. Within the New GPO window, name the GPO appropriately. Locate the new GPO in the Linked Group Policy Objects window and alternative-select the policy and select Edit. Alternatively, if you have an existing policy you want to use instead, alternative-select the policy and select Edit….
4. Within the Group Policy Management Editor console, navigate to Computer Configuration >  Preferences > Control Panel Settings > Scheduled Tasks.
5. Alternative-select Scheduled Tasks and select New > Scheduled Task (At least Windows 7).
6. Within the New Task creation window, update the Action dropdown to Create.
7. In the Name field, enter DynamicDCVLoginPermissions.
8. Select the Change User or Group… button. In the object search box, enter SYSTEM and select Check Names. Select OK.
   • Note, you may use a lower privilege account if the permissions are sufficient.
9. Toggle the Run whether a user is logged on or not radio button.
10. Check the Run with highest privileges checkbox.
11. Update the Configure for: dropdown to an option that is the most applicable to your environment.
12. Navigate to the Triggers tab and select New….
13. For the Begin the task: dropdown, select At logon.
14. Select OK.
15. Navigate to the Actions tab and select New….
16. For the Program/script: textbox, enter powershell.exe.
17. For the Add arguments(optional): textbox, enter the following:
    • -File "C:\Program Files\NICE\DCV\Server\conf\DynamicDCVLoginPermissions.ps1"
18. Select OK.
19. Finalize your scheduled task by selecting OK in the New Task window.

Configure Dynamic Logoff Permissions

1. Within the Group Policy Management Editor console on the policy you used in the previous step, navigate to Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks.
2. Alternative-select Scheduled Tasks and select New > Scheduled Task (At least Windows 7).
3. Within the New Task creation window, update the Action dropdown to Create.
4. In the Name field, enter DynamicDCVLogoffPermissions.
5. Select the Change User or Group… button. In the object search box, enter SYSTEM and select Check Names. Select OK.
6. Toggle the Run whether a user is logged on or not radio button.
7. Check the Run with highest privileges checkbox.
8. Update the Configure for: dropdown to an option that is the most applicable to your environment.
9. Navigate to the Triggers tab and select New….
10. For the Begin the task: dropdown, select On event.
11. Within the Settings section, set the Log: dropdown to Security. For the Source: dropdown, select Microsoft-Windows-Security-Auditing. For the Event ID: textbox, enter 4647. For more information on event 4647, see the Microsoft documentation.
12. Select OK.
13. Navigate to the Actions tab and select New….
14. For the Program/script: textbox, enter powershell.exe.
15. For the Add arguments(optional): textbox, enter the following:
    • -File "C:\Program Files\NICE\DCV\Server\conf\DynamicDCVLogoffPermissions.ps1"
16. Select OK.
17. Finalize your scheduled task by selecting OK in the New Task window.

Step 2: Configure your DCV server fleet

In the previous step, you configured your scheduled task to call a local script during logon and logoff events. In this step, you will configure the local script on your DCV server fleet.

1. Access your Windows-based DCV server with an administrator account. Navigate to the path you configured in scheduled tasks; C:\Program Files\NICE\DCV\Server\conf\.
2. Within the conf directory, create your logon PowerShell script and name it DynamicDCVLoginPermissions.ps1. Set the contents of the script to the following:

   • # DynamicDCVLoginPermissions.ps1
     $ActiveUser = (Get-WMIObject -ClassName Win32_ComputerSystem).Username
     Set-Location -Path "C:\Program Files\NICE\DCV\Server\bin\"
     $SessionId = ((.\dcv.exe list-sessions).Split("'"))[1]
     if(-not(Test-Path -Path "C:\Program Files\NICE\DCV\Server\conf\updated.perm")){
         Copy-Item -Path "C:\Program Files\NICE\DCV\Server\conf\default.perm" -Destination "C:\Program Files\NICE\DCV\Server\conf\updated.perm"
     }
     Set-Content -Path "C:\Program Files\NICE\DCV\Server\conf\updated.perm" -Value "[permissions]`n%any% disallow builtin`n$ActiveUser allow builtin"
     .\dcv.exe set-permissions --session $SessionId --file "C:\Program Files\NICE\DCV\Server\conf\updated.perm"

3. Within the conf directory, create your logoff PowerShell script and name it DynamicDCVLogoffPermissions.ps1. Set the contents of the script to the following:
4. Confirm the DCV server has the required firewall rules to allow remote scheduled task creation. The following rules will need to be allowed within Windows Defender Firewall with Advanced Security.
   • Remote Scheduled asks Management (RPC)
   • Remote Scheduled asks Management (RPC-EPMAP)
   • Windows Management Instrumentation (ASync-In)
   • Windows Management Instrumentation (DCOM-In)
   • Windows Management Instrumentation (WMl-In)
5. Confirm your GPO has successfully applied to the DCV server. You can force an update by running gpupdate /force in an Administrator PowerShell terminal.
6. To update the default permissions, you will need to open the default.perm file in the conf folder within a text editor ran as an administrator. Your logon task will update the session permissions to only allow the signed-in user to access the stream. The default permissions file configures the initial permissions for any session on the DCV server. For this walkthrough, you will allow streaming access to all users that are known to the underlying Windows operating system. This is configured by using the permissions provided below. If your workload requires different applied permissions, you may update the permission files accordingly. For more information, see Working with permissions files in the administrator guide.
7. Once you have configured your default permissions, restart the DCV server service to apply the new permissions. Run the following within PowerShell:

Step 3: Testing your configuration

1. Navigate to the Amazon Elastic Compute Cloud (Amazon EC2) console. Find your DCV server that you configured in the last step within the EC2 instance console. Toggle the checkbox for this instance.
2. A details window will populate at the bottom of the page for your selected instance. Take note of the IP address or DNS name you are connecting to. If you are connecting from the public internet, use the content of the Public IPv4 address or Public IPv4 DNS attributes.
3. Choose which DCV client you would like to use to connect. OS-based clients can be downloaded from the DCV downloads page. If you would like to use a browser-based connection, confirm you are connecting with a DCV supported browser. Note that browser-based connections currently do not support QUIC connections.
4. Open your DCV client and input your DCV server’s IP or DNS name that you took note of earlier in this step. Your instance’s security group will need to allow the default DCV streaming port; 8443. The notation is the following:
   • OS-based clients: IP-or-DNS > Connect
   • Browser-based clients: https://IP-or-DNS:8443
5. By default, DCV server will use its own self-signed certificate for the connection. You will need to trust this certificate before connecting by performing the following:
   • OS-based clients: Select the Trust & Connect button on the popup window.
   • Browser-based clients: The webpage will give you a warning about the connection. This differs browser to browser, but you will need to proceed DCV server URL. This is typically done by selecting the Advanced button and then proceeding to the URL.
6. Sign in with your Active Directory credentials.
   • Username should be formatted as: DOMAIN\USERNAME
7. You are now connected to your DCV session. Review the DCV user guide for session usage details.
8. Using the same steps, attempt to login with another DCV client using a different Active Directory user’s credentials. You will receive an authorization error message since the logon task made the first user the only identity that can access the stream.
9. Within your DCV session, log out of Windows. This will invoke the logout task to reset the permissions. Attempt to access with the other user again and you will be able to connect.

Clean up

During this walkthrough, you did not create any additional resources that will incur costs. If you created a new EC2 DCV server for this walkthrough, simply terminate that instance to mitigate further costs.

Conclusion

In this blog, you deployed scheduled tasks via Active Directory GPOs to dynamically set DCV permissions as end users login and logout. The permissions you set during the walkthrough can be modified further to add features like collaboration. Deploying these tasks through Active Directory allows for a more manageable deployment. Local scheduled tasks can be used for the same result on non-domain joined machines.

Andrew came to AWS in 2019 from a large datacenter environment where he specialized in VMware, Cisco UCS, and automation. Through his time at AWS, he developed a passion for visualization workloads. In 2022, he started his current role as a Sr. Developer Advocate for DCV.