About the Client
The client owns and operates a privileged access manager that lets companies restrict access to data through their existing Active Directory environment. Companies can thereby isolate privileged information, reducing the risk of it being stolen, and gain more control over and visibility into their environments.
The client needed to let their customers establish quick, easy, and secure high-trust logins from their own native desktop or mobile RDP client, such as the Windows RDP client (MSTSC), the Mac RDP client, Remote Desktop Connection Manager, and mRemote, while still enforcing audit events, notifications, permissions, access requests, and password rotation.
They also wanted to avoid requiring their customers to download, install, or maintain any custom launchers, agents, or deployment packages on their computers or devices.
Remote Desktop Client Solutions
The prerequisites for building the RDP proxy were the same as for the SSH proxy: the user should be able to work from their native desktop client rather than from a web browser.
The RDP proxy is implemented on the Netty network framework. All protocols needed for the current implementation were written in-house, including the transport-layer protocols T.123, T.124, T.125 and X.224; in particular, server-side NTLM was implemented (for the SSH proxy we used Apache MINA SSHD, whereas for the RDP proxy we parse and build the binary packets ourselves). The operating principle is the same as for the SSH proxy:
- The user is authorized on the proxy server
- The proxy checks the login/password and the configured workflows
- The proxy opens a connection to the remote server and authorizes using the credentials stored in the record
- All traffic from the user is relayed to the remote server and back
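The first step above starts before any password is checked: the proxy has to read the RDP client's very first packet, an X.224 Connection Request wrapped in a TPKT (T.123) header, to learn which user is connecting (the `Cookie: mstshash=<user>` line the Windows client sends) and which security protocols the client offers, since the proxy must choose one before it can run its own server-side NTLM. The following parser is an added example in Python, not the project's Netty code. The sample packet is constructed inline, the field layouts follow the public MS-RDPBCGR specification, and the idea that the proxy keys the login on the cookie username is an assumption of this example.

```python
"""Parse the first packet an RDP client sends to a proxy: a TPKT (T.123)
header, an X.224 Connection Request TPDU, the optional
"Cookie: mstshash=<user>" cookie and the RDP negotiation request
(layout per MS-RDPBCGR 2.2.1.1 / 2.2.1.1.1).
Added example; not the project's own code."""
import struct

TPKT_VERSION = 3
X224_CR_CODE = 0xE0              # Connection Request TPDU, class 0
TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_CORRELATION_INFO = 0x06
COOKIE_PREFIX = b"Cookie: mstshash="
# requestedProtocols bit flags; a value of 0 means standard RDP security
PROTOCOL_FLAGS = {0x1: "SSL", 0x2: "HYBRID", 0x4: "RDSTLS", 0x8: "HYBRID_EX"}


def build_connection_request(username, requested_protocols):
    """Constructed sample packet in the same layout a client would send."""
    body = struct.pack(">BHHB", X224_CR_CODE, 0, 0, 0)   # code, dst-ref, src-ref, class
    if username is not None:
        body += COOKIE_PREFIX + username.encode("ascii") + b"\r\n"
    body += struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    x224 = bytes([len(body)]) + body                     # LI counts the bytes after it
    return struct.pack(">BBH", TPKT_VERSION, 0, 4 + len(x224)) + x224


def parse_connection_request(data):
    """Return the user named in the cookie and the security protocols offered.

    Every length field is checked against the bytes actually received, so a
    truncated or inconsistent packet from the network is rejected outright.
    """
    if len(data) < 11:
        raise ValueError("packet too short for TPKT header + X.224 CR")
    version, _reserved, tpkt_len = struct.unpack(">BBH", data[:4])
    if version != TPKT_VERSION:
        raise ValueError(f"unexpected TPKT version {version}")
    if tpkt_len != len(data):
        raise ValueError(f"TPKT length {tpkt_len} != {len(data)} bytes received")
    li = data[4]
    if li + 5 != len(data):
        raise ValueError("X.224 length indicator disagrees with TPKT length")
    code, _dst_ref, _src_ref, _class = struct.unpack(">BHHB", data[5:11])
    if code != X224_CR_CODE:
        raise ValueError(f"not a Connection Request TPDU: 0x{code:02x}")

    rest = data[11:]
    info = {"username": None, "requested_protocols": 0, "protocols": ["RDP"]}
    if rest.startswith(COOKIE_PREFIX):
        end = rest.find(b"\r\n")
        if end < 0:
            raise ValueError("cookie not terminated by CR LF")
        info["username"] = rest[len(COOKIE_PREFIX):end].decode("ascii", "replace")
        rest = rest[end + 2:]

    # Negotiation structures are TLV-like: type, flags, length (LE), payload.
    while rest:
        if len(rest) < 4:
            raise ValueError("truncated negotiation structure")
        struct_type, _flags, length = struct.unpack("<BBH", rest[:4])
        if length < 4 or length > len(rest):
            raise ValueError(f"negotiation structure length {length} out of range")
        if struct_type == TYPE_RDP_NEG_REQ:
            if length != 8:
                raise ValueError("rdpNegReq must be 8 bytes")
            flags = struct.unpack("<I", rest[4:8])[0]
            info["requested_protocols"] = flags
            names = [n for bit, n in PROTOCOL_FLAGS.items() if flags & bit]
            info["protocols"] = names or ["RDP"]
        elif struct_type != TYPE_RDP_CORRELATION_INFO:
            # Unknown structure (a binary routingToken lands here too): fail closed.
            raise ValueError(f"unknown negotiation structure type 0x{struct_type:02x}")
        rest = rest[length:]
    return info


if __name__ == "__main__":
    pkt = build_connection_request("alice", 0x0B)   # offers SSL, HYBRID, HYBRID_EX
    print(parse_connection_request(pkt))
```

The parser deliberately checks the TPKT length, the X.224 length indicator and each negotiation structure's length against the bytes actually received, because a proxy reads this packet from an unauthenticated network peer and a half-parsed packet is the kind of thing that leads to a wrong record lookup or a crash. Load-balancer routing tokens (arbitrary bytes before CR LF instead of the cookie) are not handled here and are rejected rather than guessed at.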
The RDP proxy supports keystroke recording: everything the user types is stored in the database as events. It also supports screen recording, from which a video can later be generated, and it saves files and text transferred through the clipboard.
We have a record type called remote app. When a user connects to a remote app record, no desktop session is opened; instead a specific application is launched immediately. This can be a browser that navigates to a given site and enters the password straight away, or a database administration tool that connects to the database with the required credentials. Initially this worked only in web-based RDP sessions; we then added support for it in the RDP proxy as well.
To do this, we launch the client's shell on the remote server. The shell communicates with the client's server and receives from it an encrypted application launch script and encrypted credentials; the resulting script then starts the desired application and enters the credentials.
Benefits Provided to the Client
As a result of the solutions Softwarium provided, the client's customers have two ways to create a remote session in their native Remote Desktop Protocol client: they can either enter the connection parameters into the client manually or download a remote desktop file that already contains their Host and User values. This significantly simplified the login process while maintaining rigorous security.