UseCase12_RemoteApp - sandersdHES/PAMEmergingTech GitHub Wiki

6.12 Securing Application-Level Access via RemoteApp

Objective

This use case demonstrates how to configure RemoteApp access using PAM360, allowing users to launch only specific applications on a remote Windows server—without giving them full desktop access. This enables fine-grained control for scenarios such as:

  • Allowing external or low-privileged users to use specific apps (e.g., WordPad) securely
  • Preventing misuse or accidental modifications on the host system
  • Maintaining a least-privilege approach while offering necessary tools

Context

Instead of granting remote desktop access to a full system—which poses potential security risks—RemoteApp allows access to individual applications in isolation. PAM360 provides a streamlined way to manage and restrict these sessions.

Prerequisites

  • A Windows Server with Active Directory and DNS configured
  • PAM360 is installed and accessible
  • The MEAMP agent is installed on the Windows Server (see next step)
  • The RemoteApp feature is supported only on Windows machines

Our scenario: We want a user to remotely launch only WordPad on a Windows Server, without having access to other applications, files, or system resources.

Step 1: Set Up the Landing Server and RemoteApp Environment

  1. Follow the official Landing Server Setup Guide

    → This configures your Windows Server as a Landing Server for remote sessions.

  2. Continue with the RemoteApp Configuration Guide

    → Ensure the MEAMP (ManageEngine Application Manager Plugin) is installed on your Windows Server.

    → Add WordPad to the list of available RemoteApps.

Step 2: Register RemoteApp in PAM360

Once your environment is ready:

  1. Navigate to Admin > Remote App

  2. Click Add and choose your configured Windows Server

    ⚠️ Only Windows OS is supported for RemoteApp

Step 3: Select the Applications

In the Remote App configuration:

  • Select the applications (e.g., WordPad) you wish to make accessible
  • These will be the only apps available for selected users

Step 4: Associate RemoteApps with a Resource

To apply RemoteApp restrictions to a specific machine:

  1. Go to Resources
  2. Select the target Windows VM
  3. Click Associate > Associate RemoteApp

  4. Choose the app(s) you want to allow (e.g., WordPad)

Step 5: Create a Restricted User

Create a user with the Connection User role:

  • This role allows launching apps only, without access to credentials or passwords
  • Navigate to Admin > Users > Add User, and select Connection User as the role

Step 6: Share the Resource (RemoteApp Only)

Now that the user and the app are ready:

  1. Share the configured resource with the new user
  2. Under sharing settings, select RemoteApp Only
  3. Choose WordPad from the list of available apps

Step 7: Connect to the RemoteApp

The user can now:

  1. Go to Connections in PAM360

  2. Click on the Windows VM shared with them

PAM360 launches only the specified app (e.g., WordPad) in a remote session—no desktop access is granted.

Conclusion

This use case illustrates how RemoteApp in PAM360 enables secure, application-specific access to Windows servers:

  • Users can access only authorized applications, not the full system
  • Ideal for temporary contractors, external collaborators, or limited-use scenarios
  • Supports centralized control, session logging, and full auditability

You now have a tightly scoped, secure RemoteApp setup using PAM360—fully aligned with modern least-privilege and zero-trust principles.
