Ivanti recommends optimizing the security of your IWC environment by configuring the Console in:
A hosted virtual machine within a virtual desktop infrastructure (VDI) environment/Jump server.
A server-based computing environment such as Citrix XenApp or Microsoft Remote Desktop Services, with secured access enabled.
In either of these environments, configure the Console computer to allow only the IWC Console application (pwrtech.exe) to run, and run it via an IWC Managed Session.
To further lock down the machine on which the Console runs, the following steps are also recommended:
Using Windows policies, restrict Console users from adjusting the system time.
Configure your system such that Console users are never given Windows Administrative rights on the Console machine.
Windows Authentication with a Designated Account (Optional) configured in the Console
When access to a database is granted via Windows Authentication, a user can access the database through any tool, not just the IWC Console; therefore, the use of a Designated Windows account is advisable.
The Designated Account should only be configured in the IWC Console and should not be used for the IWC Services. This Designated Account should not be an Administrator account; it can be a generic account that is a member of the group configured during the creation of the database and that has access only to the database.
For more details, see Windows authentication with designated account.
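The two lock-down steps recommended above for the Console machine (no ability to adjust system time, no Windows Administrative rights) can be audited with a short script. This is an added example, not Ivanti code; the group name `EXAMPLE\IWC-Console-Users` is a hypothetical placeholder for whatever group holds your Console users.

```powershell
# Added example, not Ivanti code. Run elevated on the Console machine.
# Assumption: $ConsoleGroup is a hypothetical group that contains the IWC Console users.
param([string]$ConsoleGroup = 'EXAMPLE\IWC-Console-Users')

# Default holders of "Change the system time" (SeSystemtimePrivilege).
$expectedHolders = @('S-1-5-32-544',  # BUILTIN\Administrators
                     'S-1-5-19')      # NT AUTHORITY\LOCAL SERVICE

function ConvertTo-Sid([string]$Principal) {
    # secedit lists most principals as *SID, but some as plain account names.
    if ($Principal -match '^S-1-') { return $Principal }
    ([Security.Principal.NTAccount]$Principal).Translate([Security.Principal.SecurityIdentifier]).Value
}

function Get-PrivilegeHolder([string]$InfText, [string]$Privilege) {
    # Line format: SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544
    $line = $InfText -split "`r?`n" | Where-Object { $_ -match "^\s*$Privilege\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') } |
        Where-Object { $_ } | ForEach-Object { ConvertTo-Sid $_ }
}

# Export only the user-rights area of the effective local security policy.
$inf = Join-Path $env:TEMP 'iwc-user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS /quiet
$timeHolders = @(Get-PrivilegeHolder (Get-Content $inf -Raw) 'SeSystemtimePrivilege')
Remove-Item $inf -Force

$groupSid  = ConvertTo-Sid $ConsoleGroup
$adminSids = @(Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object { $_.SID.Value })

# Report: Pass = $false means the lock-down step is not met.
[pscustomobject]@{
    Check  = 'Console group lacks SeSystemtimePrivilege'
    Pass   = $timeHolders -notcontains $groupSid
    Detail = $timeHolders -join ', '
}
[pscustomobject]@{
    Check  = 'No unexpected holders of SeSystemtimePrivilege'
    Pass   = -not ($timeHolders | Where-Object { $expectedHolders -notcontains $_ })
    Detail = ($timeHolders | Where-Object { $expectedHolders -notcontains $_ }) -join ', '
}
[pscustomobject]@{
    Check  = 'Console group not in local Administrators'
    Pass   = $adminSids -notcontains $groupSid
    Detail = $adminSids -join ', '
}
```

The checks compare direct assignments only; membership through nested groups or individually assigned user accounts is not expanded and should be reviewed separately.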