FortiPAM agent client executable integrity check
FortiClient supports the FortiPAM integrity check feature that allows you to check wither the privilege access management (PAM) client has been tampered with or not while launching an application.
The FortiPAM administrator defines the verification method to use. Once the secret is launched, FortiPAM sends verification information to the fortivrs through info response. FortiClient then verifies the certificate or checksum. If verification fails, the launch stops and an error displays. This feature supports the following verification methods:
Method |
Description |
---|---|
Executable hash |
FortiPAM supports the following hash value types for the PAM agent integrity check:
You can use the Certutil tool to calculate the hash checksum value for the installed launcher applications such as PuTTy, RDP, VNC, TightVNC, or WinSCP.
FortiClient calculates all hash values MD5/SHA1/SHA256 for the installed application and launches the secret if it matches any hash value. |
Certificate |
When secrets launch, the PAM agent verifies the application integrity using its digital certificate. FortiClient verifies if the application certificate authority (CA) certificate is available in the Windows certificate store as a trusted root CA. If a known public CA signed the certificate and the certificate is available on the Windows certificate store, the secret launches. If the private CA configured in the FortiPAM integrity check package that PuTTy signed, the PAM agent considers it as a valid certificate and the secret launches. If a public CA did not sign the certificate or the FortiPAM-configured certificate is unavailable in the Windows certificate store, it is not valid and a prompt to download the application configured on FortiPAM displays and the secret launch stops. |
You can configure Package Download Option as follows:
Package download option |
Description |
---|---|
External Download URL |
Enter launcher application's external download URL link. |
Internal Download URL |
Upload launcher application directly to the package. |
If verification fails, "The required software to launch is not installed on the computer. Click here to download" displays. Clicking "here" downloads the launcher application. You can install this application and use it for launching secrets.
The FortiPAM agent can only perform integrity checks on native secrets such as RDP, Putty, VNC, TightVNC, and WinSCP.
To configure PAM agent integrity check using executable hash when launching PuTTY:
- Configure FortiPAM:
- In FortiPAM, go to Secret Settings > Integrity Check.
- Create a client software package using PuTTy's SHA 256 executable hash.
- In the Hash field, enter the PuTTY.exe file's hash value. Do not enter the PuTTy.msi file's hash value.
- From the Package Download Option dropdown list, select External download URL.
- In the External Download Url field, enter the PuTTy.exe file's external download URL. Click OK and save.
- Configure the PuTTy launcher:
- Go to Secret Settings > Launchers > PuTTy.
- Enable Client Software.
- From the dropdown list, select the desired client software package. Save.
- Configure the template:
- Install FortiClient with PAM enabled.
- Register to EMS.
- Go to Settings > Advanced. Ensure that PAM is enabled.
- Log in to FortiPAM as a standard user from the endpoint.
- Go to Secrets > Secret List.
- Click Launch Secret to launch the PuTTy secret through the PuTTy application. The PuTTy session establishes.
- Go to C:\Program Files\Fortinet\FortiClient\logs\trace\fortivrs_session_1_1.log to verify the integrity check-related logs. From the example logs, you can observe that FortiClient calculates MD5, SHA1 and SHA256 checksums and then compares them with the executable hash in the FortiPAM integrity check package:
[2023-08-09 09:51:47.7398329] [12376:6272] [fortivrs 2316 info] startProgram: cmdline2-1: C:\Program Files\PuTTY\putty.exe admin@172.19.200.253 -P 22 [2023-08-09 09:51:47.7435547] [12376:6272] [fortivrs 2316 info] PerformHashCheck: Program Path(C:\Program Files\PuTTY\putty.exe), HashMethod: 1, Calculated HashSum: 14080A3E4E877BE235F06509B2A4B6A9 [2023-08-09 09:51:47.7465327] [12376:6272] [fortivrs 2316 info] PerformHashCheck: Program Path(C:\Program Files\PuTTY\putty.exe), HashMethod: 2, Calculated HashSum: 868866BD51F1AC744991C08EDA6446222A0CCDAE [2023-08-09 09:51:47.7506061] [12376:6272] [fortivrs 2316 info] PerformHashCheck: Program Path(C:\Program Files\PuTTY\putty.exe), HashMethod: 3, Calculated HashSum: 35C9DF3A348AE805902A95AB8AD32A6D61EF85CA8249AE78F1077EDD2429FE6B [2023-08-09 09:51:47.7513043] [12376:6272] [fortivrs 2316 info] PerformIntegrityCheck: (exe-hash):: Program Path(C:\Program Files\PuTTY\putty.exe), HashSum Matched for SHA256 [2023-08-09 09:51:47.7556323] [12376:6272] [fortivrs 2316 info] startProgram: Program Started, pid: 9868, session: 9540 [2023-08-09 09:51:47.7569721] [12376:12572] [fortivrs 2316 info] updateFortiVRS0: Send Client Update to FortiVRS[0], res_code(3) [2023-08-09 09:51:47.7607448] [12376:12560] [fortivrs 2316 info] SendUpdatetoFortiVRS0: SendUpdatetoFortiVRS0 success!.
When the integrity check fails due to a tampered PuTTY application (executable hash value mismatch between the PuTTY.exe file and the hash in FortiPAM), "The required software to launch is not installed on the computer. Click here to download" displays. Click here to download the PuTTY.exe application to the endpoint. Install the application and relaunch the secret. Secret launching succeeds with the newly downloaded application.
To configure PAM agent integrity check using certificate when launching RDP signed by private CA:
- Configure FortiPAM:
- In FortiPAM, go to System > Certificates > Create/Import > Certificate > Import Certificate > Certificate and upload the certificate and key files. Enter and confirm the password, then click Create and OK. The uploaded certificate displays under Local CA Certificates.
- Go to Secret Settings > Integrity Check.
- Create a client software package using the certificate.
- From the CA Certificate dropdown list, select the uploaded certificate.
- From the Package Download Option dropdown list, select Internal download URL.
- In the Package field, upload the mstsc.exe file that the private CA signed. Click OK and save.
- Configure the RDP launcher:
- Go to Secret Settings > Launchers > Remote Desktop-Windows.
- Enable Client Software.
- From the dropdown list, select the desired client software package. Save.
- Configure the template:
- Go to Secret Settings > Templates > FortiGate SSH Password Template.
- Under Launcher, click Create.
- From the Launcher Name dropdown list, select Remote Desktop-Windows.
- In the Launcher Port field, enter the port number.
- Enable Integrity Check. Click OK and save the template.
- On the Windows endpoint, go to C:\Windows\System32 and replace the mstsc.exe signed by the public CA with the mstsc.exe file signed by the private CA (myCA.pem). To replace the file, change the permissions on the mstsc.exe file signed by public CA by going to Properties > Security > Advanced, clicking Change beside Owner, and entering the user account that is currently logged in, and clicking OK. Click Apply and OK to save the permission. Then replace the file with the mstsc.exe signed by private CA.
- Install FortiClient with PAM enabled.
- Register to EMS.
- Go to Settings > Advanced. Ensure that PAM is enabled.
- Log in to FortiPAM as a standard user from the endpoint.
- Go to Secrets > Secret List.
- Click Launch Secret to launch the RDP secret through the RDP application. The RDP session establishes after verifying the mstsc.exe file certificate. Since the RDP application is signed by a private CA, the application certificate is considered valid and the secret launches.
- Go to C:\Program Files\Fortinet\FortiClient\logs\trace\fortivrs_session_1_1.log to verify the integrity check-related logs. From the example logs, you can observe that the RDP application (mstsc.exe) file certificate is verified and then secret session is launched:
[2023-08-15 13:56:16.9145914 UTC-07:00] [15228:15280] [fortivrs 2434 info] startProgram: cmdline2-1: ndirsystem32\mstsc.exe /V:172.19.200.243:3389 /noConsentPrompt [2023-08-15 13:56:16.9150111 UTC-07:00] [15228:15280] [fortivrs 2434 info] PerformIntegrityCheck: Secret does not exist at path: ndirsystem32\mstsc.exe [2023-08-15 13:56:16.9154416 UTC-07:00] [15228:15280] [fortivrs 2434 info] startProgram: cmdline3: C:\Windows\mstsc.exe /V:172.19.200.243:3389 /noConsentPrompt [2023-08-15 13:56:16.9158138 UTC-07:00] [15228:15280] [fortivrs 2434 info] PerformIntegrityCheck: Secret does not exist at path: C:\Windows\mstsc.exe [2023-08-15 13:56:16.9160824 UTC-07:00] [15228:15280] [fortivrs 2434 info] startProgram: cmdline4: C:\Windows\system32\mstsc.exe /V:172.19.200.243:3389 /noConsentPrompt [2023-08-15 13:56:16.9628112 UTC-07:00] [15228:15280] [fortivrs 2434 info] IntegrityCheck::PhpVerifyFile: WinVerifyTrust_I Status Code: 0x800b010a [2023-08-15 13:56:16.9639246 UTC-07:00] [15228:15280] [fortivrs 2434 info] PerformIntegrityCheck: (cert):: Program Path(C:\Windows\system32\mstsc.exe), Certificate Verified