I have a question regarding use of BeyondTrust Password Safe Cloud, specifically around application session security controls.
We are currently experiencing several security concerns when launching application sessions through the platform:
1. File Access via Chrome Download
When an application session is initiated, users can successfully access the target application via Chrome. However, if a user downloads a file and clicks “Show in folder”, it opens File Explorer on the application server.
This behavior allows users to:
- Browse system directories
- Access sensitive locations (e.g.,
C:\drive)
2. Unrestricted Browser Usage
Within the same application session, users are able to:
- Open new browser tabs
- Navigate to other websites or internal applications
- Perform actions outside the intended application scope
Security Concerns
This creates a significant risk, as users may gain unintended access to:
- Unauthorized system resources
- Sensitive files and directories
Has anyone implemented similar restrictions in Password Safe Cloud application sessions?
- Are there recommended configurations, policies, or best practices to achieve this level of control?
- Is this something that needs to be enforced at the Password Safe level, or should it be handled at the OS / browser configuration level (e.g., GPO, kiosk mode, hardening)?
