Fork me on GitHub
Teleport

Role-Based Access Control for Desktop Access

Improve

Desktop Access Role-Based Access Control

Teleport's RBAC allows administrators to set up granular access policies for Windows desktops connected to Teleport.

Teleport's role resource provides the following options for controlling desktop access:

kind: role
version: v4
metadata:
  name: developer
spec:
  options:
    # Specify whether or not to record the user's desktop sessions.
    # Desktop session recording is enabled if one or more of the user's
    # roles has enabled recording. Defaults to true if unspecified.
    # Desktop sessions will never be recorded if auth_service.session_recording
    # is set to 'off' in teleport.yaml or if the cluster's session_recording_config
    # resource has set 'mode: off'.
    record_sessions:
      desktop: true

    # Specify whether clipboard sharing should be allowed with the
    # remote desktop (requires a supported browser). Defaults to true
    # if unspecified. If one or more of the user's roles has disabled
    # the clipboard, then it will be disabled.
    desktop_clipboard: true
  allow:
    # Label selectors for desktops this role has access to.
    windows_desktop_labels:
      environment: ["dev", "stage"]

    # Windows user accounts this role can connect as.
    windows_desktop_logins: ["Administrator", "{{internal.windows_logins}}"]
Active Directory Configuration

Teleport's RBAC system is not a replacement for proper Active Directory administration. Teleport-issued Windows certificates are valid for a small amount of time, but they do apply to the entire domain. Proper care should be taken to ensure that each Teleport user's roles reflect only the necesary Windows logins, and that these Windows users are properly secured.

Labeling

Both allow and deny rules support windows_desktop_labels selectors. These selectors are matched against the labels set on the desktop. It is possible to use wildcards ("*") to match all desktop labels.

Windows desktops acquire labels in two ways:

  1. The host_labels rules defined in the windows_desktop_service section of your Teleport configuration file.
  2. Automatic teleport.dev/ labels applied by Teleport (for desktops discovered via LDAP only)

For example, the following host_labels configuration would apply the environment: dev label to a Windows desktop named test.dev.example.com and the environment: prod label to desktop.prod.example.com:

host_labels:
  - match: '^.*\.dev\.example\.com$'
    labels:
      environment: dev
  - match: '^.*\.prod\.example\.com$'
    labels:
      environment: prod

For desktops discovered via LDAP, Teleport applies the following labels automatically:

LabelLDAP AttributeExample
teleport.dev/computer_namenameWIN-I5G06B8RT33
teleport.dev/dns_host_namedNSHostNameWIN-I5G06B8RT33.example.com
teleport.dev/osoperatingSystemWindows Server 2012
teleport.dev/os_versionosVersion4.0
teleport.dev/windows_domainSourced from configexample.com
teleport.dev/is_domain_controllerprimaryGroupIDtrue
teleport.dev/ouDerived from distinguishedNameOU=IT,DC=goteleport,DC=com

Logins

The windows_desktop_logins role setting lists the Windows user accounts that the role permits access to. For local users, the {{internal.windows_logins}} variable can be used as a placeholder for the user's windows_logins trait. The windows_logins trait can be specified when the user is created with tctl users add alice --windows-logins=Administrator,DBUser.

New clusters automatically populate the preset access role with the following:

allow:
  windows_desktop_logins: ["{{internal.windows_logins}}"]

Clipboard Access

In order for a user to copy and paste between a remote desktop and their local workstation, clipboard sharing must be enabled for the user. The desktop_clipboard role option defaults to enabled if unspecified. To disable clipboard sharing for a Teleport user, ensure that they are assigned at least one role that explicitly disables clipboard sharing:

desktop_clipboard: false

Session Recording

In order for a Teleport user's desktop sessions to be recorded, the following must both be true:

  • Session recording is enabled (i.e. not set to off) on the cluster. This setting resides in teleport.yaml under auth_service.session_recording, but can also be configured dynamically via the cluster's session_recording_config resource.
  • The user's roles enable desktop session recording.

By default, desktop session recording is considered enabled in Teleport roles unless it is explicitly disabled:

record_sessions:
  desktop: false

In order to disable desktop session recording for a user, all of the user's roles must disable it. In other words, the presence of a single role which enables recording is enough to ensure sessions are recorded.