We are excited to welcome Windows hosts to the Remoteler Access Plane. For the past 5 years we’ve helped refine our Access Plane for Linux hosts, providing short-lived certificate-based access, RBAC and developer-friendly access to resources. As we’ve rolled Remoteler to larger organizations, we found that people wanted the same convenience and security of Remoteler but for Windows hosts.
Windows has historically been configured and administered using graphical user interfaces. Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft to provide GUI access to Windows Desktop and Servers over a network connection. You connect via an RDP client by providing a Host Name or IP address and login using a Windows user account username and password.
As organizations grow their Microsoft fleet, they must eventually build out a centralized way to manage, maintain and access these fleets. In the world of Windows, this will mean deploying Active Directory (AD) services using domain controllers (DCs). AD responds to authentication requests and verifies users on the network. Since Active Directory has such privilege in the network, making Active Directory common targets for cyber attacks. If an adversary gets admin access to Active Directory, it’s often game over. This is why many opt to use a managed Active Directory service. If you do manage AD yourself, it’s important to follow best practices for hardening and network isolation.
An RDP Gateway might be deployed to provide access to internal network resources from outside the corporate firewall. This helps solve remote access problems…but there are a few other problems.
Weak passwords are the entry point for the majority of attacks across enterprise and consumer accounts. Microsoft has been working hard to move to a passwordless future. Since its inception Remoteler has been passwordless and has never supported password-based SSH authentication. Remoteler supports only SSH Certificates for Linux servers and x.509 certificates for other protocols like databases and Kubernetes clusters since we wanted to keep passwordless access as our security invariant. With Remoteler Desktop Access, we are bringing passwordless, certificated-based access to Windows as well.
But how do you login to Windows without a password?
With Remoteler Desktop Access, to access a Windows host, instead of presenting a password, Remoteler uses certificate-based authentication by emulating smart cards. Smart Cards are tamper resistant portable storage devices, providing security-critical computation for authentication and key exchanges. Smart cards are similar to HSMs or U2F/WebAuthn tokens – they store private keys and expose certificates and basic asymmetric crypto operations. Remoteler presents a x.509 certificate on each connection attempt over the virtual smart card interface, and deliberately sets a time to live (TTL) of 5 minutes, which gives just enough time to establish a connection but not enough time that the cert would be useful if compromised. The virtual smartcard is presented to Active Directory Domain Controllers and requires trusting the Remoteler Certificate Authority (CA) and allowing inbound connections from the Remoteler Desktop Access service.
Once logged in, the Desktop Session can last as long as Remoteler is configured to allow. Remoteler also enforces a maximum idle session timeout, actively looking for user input in order to keep a session alive.
To better understand the deployment model, we’ve created this architecture diagram outlining the setup used while beta testing Desktop Access. Desktop Access requires additional configuration in Active Directory. I modified Amazon’s Active Directory Domain Services on the AWS Cloud template. This template provides best practices for network and machine hardening.
With Remoteler Desktop Access gateway mode, a single Remoteler process can serve as a gateway for connecting to multiple remote Windows hosts, similar to Kubernetes Access. Hosts can be auto-discovered using the LDAP directory, or can be limited to a list provided in the Remoteler configuration file.
Remoteler has a very powerful Role-Based Access Control (RBAC) system. It provides fine- grained access and mapping of external groups. In the demo video, I show how a user is able to login as Administrator. Labels can be applied to hosts using a match on the Active Directory attributes. Below, the ‘dev’ label has been added to all staging nodes. This can be combined with Remoteler RBAC to limit who can access which hosts.
During early access, we’ve had a great cohort of beta testers. Remoteler Desktop Access is ideal for teams who want to modernize their Windows access to match what they are doing with Linux, Kubernetes, Databases and internal applications like CI/CD or version control. Remoteler Desktop access is a great fit for large Active Directory footprints where the team has full access to configure Active Directory.
Desktop Access does require hosts to be enrolled in Active Directory, so it’s not an ideal solution for home users looking to get access to their workstations.
If you would like to Try Desktop Access, I would recommend starting with our Getting Started Guide.
As Remoteler is an open-core company, you can always keep track of bug fixes and improvements by tracking the
desktop-access label in GitHub. We’ll soon be adding Clipboard support and working to bring the rest of your favorite Remoteler features to Desktop Access: including session recording and per-session MFA.