Finalizing documentation for website golive

Author: ScottHuman

docs/app_pages/Jit-Access-Page.md

@@ -1,3 +1,4 @@
+# JIT ACCESS
 
 <img src="../images/ui-page-jitaccess.png" alt="jitaccess" width="1000px">
 

docs/conf.py

@@ -52,7 +52,7 @@
 #html_theme = 'alabaster'
 html_theme = 'furo'
 html_theme_options = {"sidebar_hide_name": True,}
-html_logo = 'images/ams-logo.png'
+html_logo = 'images/transparent-access-manager-logo-no-border-512px.png'
 html_show_sourcelink = False
 html_show_copyright = False
 html_show_sphinx = False

docs/deploying_features/Setting-up-JIT-access.md

@@ -21,7 +21,7 @@ When a user is granted JIT access to a computer, Access Manager creates a new te
 
 `User (member of) -> Temporary dynamic group (member of) -> JIT group`
 
-If you are operating at this forest functional level, you must create an OU in your directory where AMS can create the dynamic group objects. From the [[JIT Access Page|Jit-Access-Page]], select your forest, click `Set Dynamic Group OU` button. Choose an OU in your directory. Once you have done that, use the `Delegate dynamic group permission` script to grant the AMS service account rights to create groups in this OU.
+If you are operating at this forest functional level, you must create an OU in your directory where AMS can create the dynamic group objects. From the [JIT Access Page](/app_pages/Jit-Access-Page), select your forest, click `Set Dynamic Group OU` button. Choose an OU in your directory. Once you have done that, use the `Delegate dynamic group permission` script to grant the AMS service account rights to create groups in this OU.
 
 
 <img src="../images/ui-page-jitaccess-jitmode.png" alt="!" width="1000px">
@@ -44,9 +44,9 @@ Best practice for JIT is that each computer that you want to enable JIT for, has
 
 <img src="../images/ui-page-jitaccess-groupcreation.png" alt="!" width="1000px">
 
-From the [Jit Access](/app_pages/Jit-Access-Page) page, you can enable automatic JIT group creation. Click `Add` to create a new mapping.
+From the [JIT Access](/app_pages/Jit-Access-Page) page, you can enable automatic JIT group creation. Click `Add` to create a new mapping.
 
-<img src="../images/ui-page-jitaccess-groupmapping.png" alt="!" width="1000px">
+<img src="../images/ui-page-jitaccess-groupmapping.png" alt="!" width="500px">
 
 Select the OU that contains the computers you want to create JIT groups for and select a different OU where the JIT groups should be created. 
 
@@ -65,19 +65,19 @@ Note, using AMS specifically to create JIT groups is not required for JIT to wor
 Using the group policy editor, create a new group policy object and link it to the OU containing your computer objects. Open the policy and navigate to `Computer Configuration`, `Preferences`, `Control Panel Settings`, `Local Users and Groups`.
 
 
-<img src="../images/group-policy-local-users-and-groups.png" alt="!" width="1000px">
+<img src="../images/group-policy-local-users-and-groups.png" alt="!" width="500px">
 
 Right click the `Local users and groups` node, and select `New`, `Local group`. Click the drop down arrow on the `Group name` field, and select `Administrators (built-in)`. 
 
-<img src="../images/group-policy-local-users-and-groups-new-group.png" alt="!" width="1000px">
+<img src="../images/group-policy-local-users-and-groups-new-group.png" alt="!" width="500px">
 
 Click the `Add` button, and the group, using the `%computername%` variable, specify the templated name of the group set in step 2.
 
-<img src="../images/group-policy-local-users-and-groups-add-member.png" alt="!" width="1000px">
+<img src="../images/group-policy-local-users-and-groups-add-member.png" alt="!" width="500px">
 
 Add the built-in admin account, by creating a new member entry for `Administrator`.
 
-<img src="../images/group-policy-local-users-and-groups-complete.png" alt="!" width="1000px">
+<img src="../images/group-policy-local-users-and-groups-complete.png" alt="!" width="500px">
 
 If you are ready to enforce JIT access, select the `Delete all member users` tick box, as well as the `Delete all member groups`. This will ensure that only the built-in administrator, the JIT group and any members specified in this policy are in the local administrators group.
 
@@ -96,7 +96,7 @@ From the `Authorization` page, select `Add...` to create a new target. Select th
 
 Select `Edit Permissions...` to open the ACL editor. Assign the appropriate users and groups permission to allow JIT access.
 
-<img src="../images/ui-page-authz-editsecurity-jit.png" alt="!" width="1000px">
+<img src="../images/ui-page-authz-editsecurity-jit.png" alt="!" width="500px">
 
 You must provide the group name or template in the `Just-in-time access settings` area, as well as the length of time until the access is expired.  
 

docs/getting_started/Getting-started.rst

@@ -10,30 +10,41 @@ The second component is an optional agent, called the Access Manager Agent (AMA)
 
 This document will guide you through the process for configuring Lithnet Access Manager, and the features you want to use in your environment.
 
-## Installation
+Installation
+************
 You'll need to first install and configure the Access Manager Service application. 
 
-[[Installing the Access Manager Service]]
+* :doc:`Installing the Access Manager Service </getting_started/Installing-the-Access-Manager-Service>`
 
-## Choosing the services to use
+
+Choosing the services to use
+############################
 Once you've installed AMS, you need to decide if you need to deploy the Microsoft LAPS agent, or the Lithnet Access Manager agent. Use the following table below to map the AMS features you want to use with the agent you need to deploy.
 
-| Feature | Requires Microsoft LAPS Agent | Requires Lithnet Access Manager Agent |
-| --- | --- | --- |
-| Access Microsoft LAPS passwords | ✔ | ❌ |
-| Encrypt local admin passwords in the directory | ❌ | ✔ |
-| Store a history of previous local admin passwords in the directory | ❌ | ✔ |
-| Grant just-in-time admin access to computers | ❌ | ❌ |
-| Access BitLocker recovery passwords | ❌ | ❌ |
 
-AMS is fully compatible with Microsoft LAPS, but the Access Manager Agent provides advanced functionality not available with the Microsoft LAPS agent. To learn more, read the guide on [[Choosing a local admin password strategy]]. 
+
++---------------------------------------------------------------------+---------------------------------+--------------------------------------+
+| Feature                                                             | Requires Microsoft LAPS Agent   | Requires Lithnet Access Manager Agent|
++=====================================================================+=================================+======================================+
++---------------------------------------------------------------------+---------------------------------+--------------------------------------+
+| Access Microsoft LAPS passwords                                     | ✔                               | ❌                                   |
++---------------------------------------------------------------------+---------------------------------+--------------------------------------+
+| Encrypt local admin passwords in the directory                      | ❌                              | ✔                                    |
++---------------------------------------------------------------------+---------------------------------+--------------------------------------+
+| Store a history of previous local admin passwords in the directory  | ❌                              | ✔                                    |
++---------------------------------------------------------------------+---------------------------------+--------------------------------------+
+| Grant just-in-time admin access to computers                        | ❌                              | ❌                                   |
++---------------------------------------------------------------------+---------------------------------+--------------------------------------+
+| Access BitLocker recovery passwords                                 | ❌                              | ❌                                   |
++---------------------------------------------------------------------+---------------------------------+--------------------------------------+
+
+AMS is fully compatible with Microsoft LAPS, but the Access Manager Agent provides advanced functionality not available with the Microsoft LAP[S agent. To learn more, read the guide on :doc:`Choosing a local admin password strategy </planning/Choosing-a-local-admin-password-strategy>`
 
 Note, that if the Microsoft LAPS agent is installed and enabled on a machine, the Lithnet LAPS agent will not take over password management. Either the Microsoft LAPS agent needs to be disabled by group policy, or uninstalled.
 
 Once you've chosen the features to enable, follow the instructions in the relevant getting started guides.
-- [Setting up Microsoft LAPS](/deploying_features/Setting-up-Microsoft-LAPS)
-- [Setting up password encryption and history](/deploying_features/Setting-up-password-encryption-and-history)
-- [Setting up JIT access](/deploying_features/Setting-up-JIT-access)
-- [Setting up BitLocker access](/deploying_features/Setting-up-BitLocker-access)
 
-{ref}`test link<Installing the Access Manager Agent>`
+* :doc:`Setting-up-Microsoft-LAPS </deploying_features/Setting-up-Microsoft-LAPS>`
+* :doc:`Setting Setting-up-password-encryption-and-history </deploying_features/Setting-up-password-encryption-and-history>`
+* :doc:`Setting-up-JIT-access </deploying_features/Setting-up-JIT-access>`
+* :doc:`Setting up Bitlocker access </deploying_features/Setting-up-BitLocker-access>`

docs/getting_started/Installing-the-Access-Manager-Service.md

@@ -31,10 +31,10 @@ Click the `Select from store...` button and select the certificate you installed
 
 Validate that the ports are correct, and click `File`, then `Save`.
 
-[[More information on configuring the web host|Web Hosting Page]]
+[More information on configuring the web host](/app_pages/Web-Hosting-Page)
 
 ## Step 5: Configure your authentication provider
-AMS supports several different authentication providers. Read the guide on [[configuring authentication|Authentication Page]] and choose an authentication provider. We strongly recommend using a modern authentication provider that supports strong authentication and can enforce multi-factor authentication. While integrated windows authentication is provided, we recommend you only use this for testing purposes.
+AMS supports several different authentication providers. Read the guide on [configuring authentication](/app_pages/Authentication-Page) and choose an authentication provider. We strongly recommend using a modern authentication provider that supports strong authentication and can enforce multi-factor authentication. While integrated windows authentication is provided, we recommend you only use this for testing purposes.
 
 The following pages will guide you through the process of configuring the relevant authentication provider for use with Access Manager.
 
@@ -66,6 +66,7 @@ In order to ensure that your service is not used inappropriately, you can place
 
 ## Step 9: Configure IP Detection
 <img src="../images/ui-page-ipaddressdetection.png" alt="!" width="1000px"><br>
+
 If you put AMS behind a reverse proxy or load balancer, you'll need to configure IP address detection. This is to ensure that AMS logs the correct IP address in audit logs, and applies rate limiting correctly. 
 
 [More information on IP address detection](/app_pages/IP-Address-Detection-Page)

docs/getting_started/index.rst

@@ -9,3 +9,9 @@ Installation
 
    Installing-the-Access-Manager-Agent
    Installing-the-Access-Manager-Service
+
+
+
+
+`Download the app </installation/Downloads>`_
+

docs/help/Getting-support.md

@@ -9,6 +9,6 @@ Search through these help pages, and read the [Frequently asked questions](Frequ
 
 If you're unable to find an answer to your problem, then we ask that you raise a new issue here on Github. This helps us keep track of requests and to triage problems appropriately.
 
-Please describe the problem in as much detail as possible. If you can, provide screen shots of the issue. Ensure you have captured the [log files](Troubleshooting)) from the time of the event. These logs may contain sensitive information about your environment, so don't upload them to the issue unless you are confident of their contents. If we need to see the log files, we will provide you an email address to send them to once your issue has been triaged.
+Please describe the problem in as much detail as possible. If you can, provide screen shots of the issue. Ensure you have captured the [log files](Troubleshooting) from the time of the event. These logs may contain sensitive information about your environment, so don't upload them to the issue unless you are confident of their contents. If we need to see the log files, we will provide you an email address to send them to once your issue has been triaged.
 
 [Create a new issue](https://github.com/lithnet/access-manager/issues/new)

docs/images/transparent-access-manager-logo-no-border-512px.png

@@ -37,10 +37,14 @@ One of the simplest to achieve technically, that has a high degree of effectiven
 
 While this sounds scary, Access Manager takes the technical complexity away from making such a change. Your administrators of course, will need to adapt to a new way of working, so getting appropriate buy-in from senior management is important. Like the other mitigations, it's not foolproof, and it's not perfect. It is however a relatively low complexity solution, that offers a high value.
 
-The theory behind this approach, quite simply, is that if a computer is compromised, and the user is a local admin on that computer but no where else, then lateral movement with that account becomes very difficult. So instead of having all your admins as members of the local administrators group, you assign them 'just-in-time access' (JIT) rights in Access Manager. When they need to access a computer, they visit the Access Manager web site, request JIT access to the computer, and Access Manager will grant them the appropriate rights for the length of time you allow. They can then logon to the server, and perform whatever work they need to, just as they did before. You can read more about exactly[how Access Manager performs just-in-time access](/deploying_features/Setting-up-JIT-access).
+The theory behind this approach, quite simply, is that if a computer is compromised, and the user is a local admin on that computer but no where else, then lateral movement with that account becomes very difficult. So instead of having all your admins as members of the local administrators group, you assign them 'just-in-time access' (JIT) rights in Access Manager. When they need to access a computer, they visit the Access Manager web site, request JIT access to the computer, and Access Manager will grant them the appropriate rights for the length of time you allow. They can then logon to the server, and perform whatever work they need to, just as they did before. You can read more about exactly [how Access Manager performs just-in-time access](/deploying_features/Setting-up-JIT-access).
 
 The difference here is that they are entitled to be an administrator of the computers you specify in the Access Manager configuration tool, but they only get promoted to administrator when they need and request it.
 
 This means that at any single point in time, you have relatively few users with admin rights across your fleet of computers, drastically reducing the ability for an attacker to spread across the fleet.
 
-It is important to note at this point, that Access Manager is not a fully-fledged Privileged Access Management (PAM) tool. There are no approval workflows. You determine in advance who can access which computer, and they can self-grant those privileges at any time. There are plenty of commercial PAM solutions out there if you want to control who and when people can access certain resources. We're not trying to fix that problem. We just want our admins to be admins only when they need to do admin work.
+It is important to note at this point, that Access Manager is not a fully-fledged Privileged Access Management (PAM) tool. There are no approval workflows. You determine in advance who can access which computer, and they can self-grant those privileges at any time. There are plenty of commercial PAM solutions out there if you want to control who and when people can access certain resources. 
+
+We're not trying to fix that problem. 
+
+We just want our admins to be admins only when they need to do admin work.