Remote Access to VM using Web Browser
Posted by tanke_md@reddit | sysadmin | 23 comments
Hi,
I don't know if this subreddit is a good fit for this question; let me know if I am wrong. :)
After some issue with an attack we are looking for alternatives to some processes my company uses, in this case the security of using Remote Desktop Connections. My colleagues tell me continuously that RDC has a lot of vulnerabilities, but... in my company we need access to tons of VMs with different configurations and environments. Having this in Azure and using their Virtual Desktop service is not on the table due to costs.
Our intention is to get rid of RDC and access all VMs using a web browser, and we found "Apache Guacamole". The idea is to install it on the Windows Servers with Hyper-V, block any connection from outside of that machine and allow entry only using a web browser.
Actually I don't know if I am saying anything stupid... or if it's not a bad idea for our company.
I will appreciate any ideas or help :)
Regards
kero_sys@reddit
VPN then RDP. Don't expose RDP to the internet.
jstuart-tech@reddit
If the servers are all in Azure why not use Azure Bastion?
tanke_md@reddit (OP)
The servers are not in Azure.
Administrative-Help4@reddit
Keeper Connection Manager from Keeper Security is what we are looking at right now.
open-trade@reddit
You can get rid of RDC; Guacamole is a viewer which supports RDP/VNC/SSH protocols etc. If your VMs run Windows, you still rely on RDC.
You can try out the other remote desktop solutions, TeamViewer / RustDesk etc.; they both also have web clients.
judgethisyounutball@reddit
A bit of clarification here please, are you saying your VMs are currently exposing RDP to the Internet or is the concern having RDP exposed internally?
tanke_md@reddit (OP)
VMs are not exposed to the internet. But if some attacker gets access due to any bug of the VPN or any... "virus" maybe?, using some attacks like "pass-the-hash" maybe they can access some servers. Right now all the servers have dedicated admin accounts, not domain accounts, but we want to cover any possibility; we read about RDC vulnerabilities, that's the reason for this post.
TrippTrappTrinn@reddit
A simple way to reduce the attack surface is to only permit RDP to a limited number of jump hosts, and then only permit RDP access from those to the other servers. Our company partly implemented RDP through CyberArk only to servers. A hassle, but it really locks down RDP access.
cjcox4@reddit
Guacamole uses VNC AFAIK. And yes, there are VNC "things" for the browser, https://novnc.com/info.html. Not sure what Apache Guac uses, but that might be it.
So, my take. With a suitably secured SSH jump host, with clients firewalled so that VNC connections can only come via the jump host, cooperative (or non-cooperative; cooperative as in "may I" vs "I'm god so I'm in") SSH tunnels to Windows hosts are possible, tunneling insecure VNC (now encrypted by the SSH tunnel)... is an OK thing to do. Not sure Guacamole does this, but my pattern for doing it is pretty secure. And it lends itself to "whatever" extra security insertions you need for your company policies.
With that said, my company went TeamViewer, but my demo lab setup is still in place for those in my company that want to understand the concept and need something very generic for low cost (some might say "free", but nothing is really free).
orev@reddit
Guacamole supports multiple protocols including VNC, RDP, and SSH.
cjcox4@reddit
Good to know.
tanke_md@reddit (OP)
I will get deeper in this approach. I appreciate your answer :)
orev@reddit
Guacamole is a type of proxy server you can use to access a Windows machine via RDP. It's not something you install on each server as a replacement for RDP.
Remote access to Windows machines is de facto RDP, and the security part is that it should never be exposed to the Internet directly. You would typically rely on a VPN that you connect to, and then you can only access RDP over the VPN. If you use Guacamole, you would connect to that (optionally through a VPN first), and then jump from that to the VM using the RDP protocol. In these scenarios, you could tighten it down by using the firewall on each server to limit connections to specific IPs (e.g. the VPN subnets or the Guacamole server).
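The host-firewall restriction described in the post above (RDP reachable only from the Guacamole proxy or VPN subnet, the jump-host pattern TrippTrappTrinn also mentions) as an added example; this is not code from the thread or from the Guacamole project. It assumes the Windows Firewall on the VM is the enforcement point, and the addresses and rule name are constructed placeholders.

```powershell
# Added example (not from the thread): audit inbound RDP rules on a Windows Server and
# replace any rule that allows TCP/3389 from *any* address with one scoped to the
# Guacamole host / VPN client subnet. Requires an elevated session and the NetSecurity module.
# Run from a console or Hyper-V session, or make sure your own source address is in the list,
# or you will disconnect yourself.

$AllowedSources = @('10.10.20.5', '10.10.30.0/24')   # placeholders: Guacamole host, VPN subnet
$RuleName       = 'RDP - allow only from Guacamole/VPN'  # placeholder rule name

# 1. Audit: enabled inbound Allow rules that open TCP/3389 with RemoteAddress = Any.
function Get-OpenRdpRules {
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | Where-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        $port.Protocol -eq 'TCP' -and
        $port.LocalPort -contains '3389' -and
        $addr.RemoteAddress -eq 'Any'
    }
}

$open = Get-OpenRdpRules
if ($open) {
    Write-Warning 'Inbound RDP rules open to any remote address:'
    $open | Select-Object DisplayName, Group, Profile | Format-Table -AutoSize
    # 2. Disable the wide-open rules (typically the built-in
    #    'Remote Desktop - User Mode (TCP-In)') instead of deleting them.
    $open | Disable-NetFirewallRule
}

# 3. Create the scoped replacement rule if it does not exist yet.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort 3389 -RemoteAddress $AllowedSources -Enabled True | Out-Null
}

# 4. Verify: every enabled inbound 3389 allow rule should now list explicit remote addresses.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress) -join ', '
        }
    } | Format-Table -AutoSize
```

The same audit function, run on its own, is a cheap periodic check that nobody has re-enabled the default rule or added a new one open to Any.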
Ad-1316@reddit
NPS (Network Policy Server) on RD Gateway - can be set up to use 2FA.
tanke_md@reddit (OP)
This needs to connect to Azure; our intention was to keep everything on premises without cloud services. But we didn't find any "2FA" for Windows Domains without Azure :(. Azure could be an option if we don't find anything better.
Ad-1316@reddit
NPS and Gateway on prem, using https://www.microsoft.com/en-us/download/details.aspx?id=54688
no_regerts_bob@reddit
Web browsers have tons of vulnerabilities, what do your colleagues think about that?
tanke_md@reddit (OP)
My colleagues are learning and improving every day in security, but for sure they have a lack of knowledge we want to solve ASAP; that's one of the reasons for this post. MFA is being used for mail, VPN, etc., but within the network we don't use it (we don't want to link the Windows domain to Azure for MFA... or that is not the intention currently). One alternative they came up with was to add certificates for all the connections.
no_regerts_bob@reddit
My point is that switching out one mechanism for another is essentially just a sideways move. You aren't increasing security, you're just changing which products you need to maintain and keep updated. Maybe it's easier to keep Apache Guacamole and your web browsers patched than to keep RDP patched; I doubt it's much different really.
To increase security, make the mechanism safer, not just different. Add MFA (there are many ways to do this without Azure), or certificates can work too. Limit access, audit access.
smonty@reddit
Worked for an organization that blocked RDC and wanted us to use VMware web console to manage servers.
I quit within six months.
tanke_md@reddit (OP)
Yes, I agree with you... its a pain in the ***.
TrippTrappTrinn@reddit
Ask what vulnerabilities. We use Remote Desktop to all our Windows Azure VMs, and security has no issues with it. Of course it is not exposed to the internet.
tanke_md@reddit (OP)
We were using this approach (we still are...). VMs are not exposed to the internet. But if some attacker gets access due to any bug of the VPN or any... "virus" maybe?, using some attacks like "pass-the-hash" maybe they can access some servers. Right now all the servers have dedicated admin accounts, not domain accounts, but we want to cover any possibility; we read about RDC vulnerabilities, that's the reason for this post.