Protecting your Windows Fleet with Zero-Trust

In today's increasingly remote-first business landscape, secure and efficient access to Windows desktops and servers has become more crucial than ever. In this webinar, we navigate the evolving patterns and practices of remote access and how to optimally safeguard your Windows Servers. We will spotlight common access patterns, detailing the do's and don'ts for ensuring secure access.

The focus will then shift to the Teleport Access Platform, as we delve deep into the nuances of Teleport Desktop Access. Discover the power and flexibility of identity-based, passwordless access to Windows hosts across all computing environments, whether in the cloud, on-premises, or on the edge. With Teleport Desktop Access, managing your Windows infrastructure becomes a seamless, secure, and productive experience. Don't miss this opportunity to enhance your organization's remote access strategy, whether you run AD-attached or non-AD Windows Servers.

Key topics we will cover include:

  • Exploring Common Remote Access Patterns: Understand the evolving patterns of accessing Windows desktops and servers in remote work settings.
  • Navigating Secure Access to Windows Servers: Delve into the best practices and pitfalls to avoid while managing secure access to Windows servers.
  • Deep Dive into Teleport Access Platform: Uncover the features and benefits of the Teleport Access Platform, focusing on its implications for security and accessibility in remote work environments.
  • Unpacking Teleport Desktop Access: Gain in-depth insights into the functionalities of Teleport Desktop Access and how it fosters secure and efficient remote access.
  • Embracing Identity-Based, Passwordless Access: Discover how Teleport Desktop Access enables identity-based, passwordless access across diverse computing environments including cloud, on-premises, and edge setups.

Key topics on Protecting your Windows Fleet with Zero Trust

  • You can't trust the perimeter, and there's always a way in.
  • Principles of Zero Trust include identity verification, least privilege access, session context, and continuous monitoring.
  • Teleport manages graphical desktop access to remote hosts.
  • With Teleport Desktop Access, you get a passwordless login experience backed by strong cryptographic authentication, RBAC for groups of hosts and users, and audit log and recording of all desktop connections.
  • Teleport's Just-in-Time access is a great feature if you want to deliver the principle of least privilege.

Transcript - Protecting your Windows Fleet with Zero-Trust

Ben: 00:00:02.899 Okay. Hi, everyone. Welcome to today's webinar. We are just getting started. And give it one more minute. I'll give people a little bit more time to join. If you see on the right-hand side, we have a chat window. As we sort of kick things off, please let us know where you're from and what brings you here today. Okay, there we go. We've got like 10 people now. So I think 10 people is a good amount to get started. We have a code of conduct for today's webinar. You can review it and please let us know where you're joining from. Okay, so for today's webinar, I'm going to be going over protecting your Windows fleet with zero trust. So for this webinar, we're going to go over a range of things. So we'll start off with: you don't need any prior knowledge of Teleport to enjoy this webinar. Hopefully, you have some experience managing Windows servers and RDP. We're going to mostly cover the Microsoft ecosystem. If you're looking into Kubernetes applications, desktops, or databases, we have a huge inventory of webinars available on demand through our website. If you go to our website and go to Resources, you can get lots of information there. I'm going to be covering some of the basics of zero trust. We also have some great content on our Learn site to go deeper into these concepts. We'll have a live demo, and I'm also open to Q&A.

Poll

Ben: 00:01:51.889 So if you see something that I show and you want to learn more, feel free to ask a question in the chat. We also have a more formal Q&A that we'll kind of complete at the end. I mostly keep an eye on the chat window, but if you have a specific question, the Q&A is better because I will definitely review that at the end of today's webinar. So to kick things off, I have a short poll to see what people are interested in being covered in today's webinar. And I'm going to open this now. And you should see this pop up. I'll give it a couple of minutes. I don't think anyone has — okay, we got some votes coming in. I'll give you a couple more minutes. It is on the right-hand side of the webinar window by Goldcast. The people who have just joined — we're just doing a quick poll to see what we would like to cover in today's webinar. Please fill in the poll. All right, you have five more seconds to find it. Okay, I'm going to close it. And okay, I can't easily share, but I'll go through it. So it looks like the majority of people are looking for a demo of Teleport Desktop Access, which I will go over. Overview of zero trust and the demo of Teleport coming in second place. And then third, tips and tricks for Teleport RBAC. This is probably more of an advanced topic, but I will cover some of this in today's webinar.

You can’t trust the perimeter

Ben: 00:03:30.784 So to get started, I'm going to go a little bit into some French-English history. And this is a famous castle which was in the north of France, run by an English king. And during this period in the 12th century, England and France were always at war. And you might be thinking, why are we starting off with a castle? And I think this is to do with the problems of perimeter-based security. In our case, this castle has multiple perimeters. It has a small perimeter. It has a larger perimeter. This perimeter is for where people work. This is for more important people, such as the church. And then lastly, we have the final keep, which I guess the king or whoever would come to stay, this is where he would stay. And these different levels of perimeter have different levels of security. You see there's a little bit of a wall. This one's a slightly bigger wall, and this one's a very difficult keep with even its own drawbridge. And what we see in today's infrastructure is a similar deployment model of a perimeter-based security approach. So we might have firewall rules at your first entry. You might have different networks. You might have private subnets, different VPCs, different connectivities to sort of protect the AWS account or the account that you have in your infrastructure, trying to get that root user that we have. And we have different degrees of users. So we might have our IAM users with a small amount of permissions in the keep that they can play around with, but they can't get to the very important root access.

Ben: 00:05:15.141 And lastly, here we have this big river. This represents the internet coming through and always wreaking havoc. And one interesting thing about this specific castle is during the siege, it was under attack for a couple of weeks, maybe even a month. And once they actually got entry into this castle through this garderobe which — I don't know if you know this, you can maybe put this in the chat. But this is an entry for the lavatory in the 12th century. And this is how — the soldier climbed up here and they got access to infrastructure. And for today's webinar, this equivalent in modern day is how there are script kiddies on the internet finding YouTube videos about how to hack your RDP server. This actually led to the creation of the Magna Carta. I'm not going to go too deep into the Magna Carta, but it was created because it was seen as the king couldn't protect all of his barons in different regions. And so it gave some more freedoms to the barons and became sort of the Greater Charter of Freedoms. And it sort of outlined sort of laws and liberties for people, which was a very new concept beyond just having a monarchy rule.

Operation Aurora

Ben: 00:06:31.227 So we started off with learning that we can't trust the perimeter, and there's always a way in. It might be the worst way into your infrastructure, but people will get into it. Fast-forward to 2009. There was a very famous case of Operation Aurora. If you haven't had a chance to watch these videos from Google or read about it, I'll put a link in the chat, or also the slides are available. Operation Aurora was a nation-state that got access into Google's infrastructure, and they got access to one system. They pivoted inside the perimeter and through multiple role escalations, they became a persistent threat actor within Google. And as a result of this, and similar to the Magna Carta, there were two papers which came out. One is the BeyondCorp paper from Google. This was a new approach from Google saying, "These are all the things that we need to do at Google to protect our infrastructure and move beyond a perimeter-based security approach." BeyondCorp also expands many other concepts beyond just removing a VPN to other aspects. There's checkpoints and gateways. I'd really recommend reading it. While it's from 2014, a lot of these concepts are still relevant. And if you're looking for a better overview, which is more modern, NIST guidelines, the NIST publication on zero trust architecture is another great read of great foundations that you can implement, whether your infrastructure is on-prem and cloud, Windows, Linux. Two great places to start to learn about zero trust.

The basics of zero trust

Ben: 00:08:23.482 And so zero trust is our approach to Windows and the Microsoft ecosystem. Starting in the pre-2010s, we had "trust, but verify," mainly focused on defending the perimeter. In this case, not every machine may be on the internet. You may have local LANs and subnets where it wasn't really a key concern for getting access. I'm going to go next one. Hold on one second. Okay. So next up, we go into the early 2010s. In the early 2010s, the zero trust model became more relevant, partly due to cloud adoption and IT environments getting more advanced. You might have multiple networks and environments that you need to connect. And so there were more sorts of checkpoints. But mainly, it was still connecting different networks. You might have some RSA tokens to get on the network. There might be a few checks. Pretty much once you're in the network, you are sort of a privileged user. In the late 2010s, Microsoft started publishing more guidelines — this is about the same time as the Project Aurora — emphasizing the importance of things such as verifying identity. And we see this with a move to biometrics and support of TPMs. Also recommending using least privileged accounts. Not everyone needs administrator on your machines. And then also always assuming that there's a possibility of a breach.

Ben: 00:10:04.024 And then, from 2020 onwards, one thing, computer design has really changed between these two periods. Just a slightly fancier stand. The move to COVID accelerated zero trust deployments — Microsoft also has changed some of their internal tools, and you might have seen this recently this year, the Entra ID. It's a rebrand of Azure AD, which became the hosted Active Directory domain controller. And for people who have managed AD and domain controllers, it's basically like the keys to the kingdom. And I think this approach from Microsoft has been a great initiative to really lock down and define best practices. And the Entra team and the Microsoft team really have a whole range of good recommendations if you're deploying infrastructure. And I also know on this computer, too, you have the screen in the top for biometrics.

Ben: 00:11:03.171 So moving down other steps. So how do we apply principles of zero trust to RDP sessions? First up is identity verification. Windows Hello is the passwordless biometric approach from Microsoft, which is also unphishable. Using least privileged users, so not using administrators. Session context and continuous monitoring. There are a range of things that you can do as an administrator to create an audit log and feed these in. And then lastly, segmentation and network security. Best practices are such as running an RDP gateway and making sure that you don't make port 3386 available to the full public internet. Also making sure that machines are patched because there's lots of well-known vulnerabilities within Windows systems as well.

Ben: 00:12:05.106 And then, how do we apply this to Teleport? For Teleport, we do identity verification through either a local user or an identity provider, an SSO provider. These privileged accounts — we use just-in-time access requests, which I'm going to show you in this demo. Continuous monitoring and session context. I'm going to go over this in my demo, but this is the concept of — if you had one admin user and let's say you have a post-it note and a shared computer, you don't know which person was using which password and logging in. With Teleport and zero trust tools, you know that even if you share one administrative user, you know whether it was Bob or Alice that was performing those actions. And then lastly, segmentation, network security, best practice. There's a few things that Teleport can do in its architecture to really strengthen that position.

Live demo of Teleport Desktop Access

Ben: 00:13:04.457 So I'm going to pause it for a bit and look in the chat, see if there's any questions. Is there any question? As 22 of you are still with me, I'm going to dive into the demo. So I'm going to start here with myself in Teleport. So I'm in my browser. I have access to the login for Teleport. You'll see here I have GitHub. Teleport supports a range of identity providers. You could also just use your Active Directory. You can use Okta. You can use Google Workspaces. The idea behind using your SSO provider is that your SSO provider becomes the source of truth for who has that basic level of access to your infrastructure. So I'm going to start by logging in. And I'm logged in and I'm initially taken to a server view of our Linux servers. But since we're talking about Windows servers, I'm going to go straight to desktops. You can see here I have four connected Windows servers. I have used labels to say that this is a 2019 Windows server. I have a few other additions here, so I have their IP address, their labels, what's their hostname, and some internal other keys. These are an important primitive for role-based access control to say this server is a production server, this is a staging one, and then you can use Teleport RBAC to give access. In my case, I have access to all these machines, so I'm going to just dive straight in.

Ben: 00:14:44.199 When I want to connect, I have two options here. I have — my [inaudible] example is my Administrator account, so I can log into this one. And it's a pretty quick transition there, but you may notice that there was no prompt to log in. And that is because Teleport is using a passwordless smart card interface behind the scenes. And so there's no shared passwords. There's no vault. It all uses a password certificate-based approach. And so I can come in here, my very important Paint tool. Hello, team. And so you can just sort of go about your business on the server. Within this UI, you can see I'm logged in as a service administrator. I can basically just use the server. There's a few other additions here. So there's some icons here. One thing is you'll see here that there is clipboard sharing. And so I can see information here between both my desktop running Teleport and my local machine. It goes both ways. There's also support for directory sharing. I'm going to share these files. Directory sharing is another useful tool. This is also optionally to be configured through our role-based access control. And once this has been configured, you'll see in my network here. Okay, we are in my PC. I have this sort of network drive, and I have this video example. These are just some other videos I'm working on.

Ben: 00:16:40.467 And you can copy and paste files between hosts. And so I guess I'll copy this video over. I'll probably play this video. One thing that you may notice is that the screen rate or performance probably isn't perfect for playing videos, probably not the main design. But we are also working on improving the performance. So playing short videos is also a possibility. So we see here. And she's playing it pretty well. Okay, so that's sharing folders, clipboard sharing. There's a little warning here in case something fails. And then lastly, I'm just going to disconnect from this host. So once I've disconnected from this host, I want to touch on a few other things that I touched on during the demo. So the first thing is we talked about continuous monitoring. You can see that we have such things as someone shared a file. They also had a read. What was the name of the file? What was the IP address? The session ended and the session uploaded along with a comprehensive audit log about what happened during the session. We also have session recordings available. So this is the session that I just had. And this is a 16x speed for my last video.

Ben: 00:18:24.428 I had it in my Hello. I opened my folder. I shared it. And the session recording is a file which you can also export and integrate into your SIEM solution or whatever you need to do to sort of debug and figure out what's happening for that session. So just to review, we have username and host. We can also actually create users on the fly based upon the login. So I have my local user here, `benarent`. This user will get provisioned and created for me. And so you can also use this as a mapping to not use administrator or use other local accounts. And we have file sharing. We have clipboard support and everything else. So I think that's a nice overview. For architecture, one thing that's unique about Teleport compared to other products on the market — you might have RDP gateways. The Teleport team wrote their own wrapper on top of RDP, which we call TDP. And this lets us do a few things. One, there's always a — it's a memory-safe RDP client. And it's also isolated from the network. So you can deploy the Teleport Desktop Service and only provide an outbound connection to the Teleport proxy. Meaning that you never have to open up any ports. So you can think of it as a very secure RDP gateway.

Ben: 00:20:08.399 Outbound connections, yeah — is all you need to Teleport Proxy. This Teleport Proxy here. This is “teleport.sh”, which is our cloud-hosted edition. And then we have the Teleport Authentication Service, which is in charge of issuing the certificates and for joining hosts. For deployment options, we support both Active Directory Domain Controllers and non-AD. In my example, I'm using non-AD hosts. For Active Directory Domain Hosts, it's the same overview you connect to — but instead, you connect to the Domain Controller. This has a few benefits if you're already using Domain Controllers. We have automatic Windows account service discovery, and then you have LDAP filtering. And then I think I touched on this flow a little bit. This is just sort of an overview from one of our blog posts around how the smart card interface works for password disconnection. This is in this blog post, so I'm not going to dive too deep into it for this webinar. And then non-AD hosts, it's the same deployment. You deploy an “.exe” and a certificate, which you export. These connect to the Teleport Desktop Service, and then that connects to Teleport, and it's the same flow. This has the other benefit, too, of — you could deploy — you could have different clouds, you could have different deployments. You could have different sites, and then you could all consolidate them onto one Teleport service.

Ben: 00:21:47.738 All right, continuing on here. So you might question — why did we build it this way? One, it's a secure RDP client. It's passwordless by default. There's no sort of backdoor or workaround. So if you're a security team, you know that if you want to set up Teleport, there's no sort of backdoor into the Windows service that you deploy. And another benefit is by consolidating control, you have access to everything else that you have to Teleport. So your clusters, your databases, your Windows servers. One benefit I've not touched on yet is Just-in-Time access. This is an awesome feature if you want to deliver the principle of least privilege. And so here I have Access Requests view. In this demo, there's a few ways in which you could set this up, but you can imagine I'd have no access to any Windows hosts, and I want to access this env with the cats [icon] in it. I can proceed to my request. I can say I need to debug Windows box. Once I submit this request, this will then go — we have alerts through Slack and PagerDuty. Someone on the IT team can quickly approve it. Then I can come in and assume the role and get access to those hosts.

Ben: 00:23:20.194 In my demo environment, I'm sort of like admin and the non-user, but that's sort of a little overview of how access requests work. And what's nice is you can also just build a just-in-time list and also an inventory, so you might want to have a database and a Windows server to sort of get your job done. For role-based access control, we use labels, which you see I added here. These are static labels that you set on the host. And they're key pairs, and then also you can set logins. So you can say I want to log in as an administrator or I'm an internal user or create users on demand. The audit log, I covered this in the demo, but we have two options. We have session recordings and then we also have an audit log of activity, such as the audit log starting and ending. Within the audit log itself — they are very easy to export. They're just JSON events, and you can see that there's a range of information here, such as the labels, the IP address of the connecting host to the remote host, which user, and what event happened.

Ben: 00:24:44.739 For our roadmap, so we have a few options. We have performance improvements, which are coming, just to make it a little bit faster for some more edge cases. And one exciting addition is we have limited passwordless access for local users. This wasn't added in other versions, and if you're sort of new to Teleport, this may not make sense, but if you've been watching Teleport closely, this wasn't added in our community edition. But starting in Teleport 14, which will launch in September, that will be added. And I just have a poll if people are currently a Teleport user or if they're interested in learning more about Teleport. So the poll will probably pop up on the right-hand side, and let's just do a good little poll check. Okay, let me come back to my poll. All right, we've got a few more votes coming in. Looks like we have some community users. So for these community users — it's great. If you have Active Directory domain controllers, you can try this now. Otherwise, it's coming. Enterprise Cloud is very supported. Oh, it's great. “I would like to learn more.” So that is great.

Q&A

Ben: 00:26:10.006 Okay, let me come back to my screen share. Okay, so it looks like we're going to extend a bit more time. So just going to quickly go over some other things Teleport can do and also get to Q&A. So Teleport is an infrastructure access platform. It's identity-first, using your identity provider, zero trust. I think we covered this in great depth today. Certificate-based, even if the certificate is not very apparent, even our smart card interface uses certificates for access. And we also provide Just-in-Time access. And lastly, you can see we get complete visibility for both engineers and machines. I didn't go over machines, but Teleport Machine ID is also a very great tool for accessing CI/CD services.

Next steps

Ben: 00:27:10.925 So next steps, we have a range of options. You can try Teleport Team. You can download Teleport or you can check us out on GitHub. Always appreciate that stuff. Also, as another sort of webinar promotion, we have our user conference coming up on October 25th in San Francisco. If you would like, I can offer 50% off. So it's around $75. If you're in the Bay Area or would like to fly in, we would love to have you here. We will have some of the team that worked on Desktop Access there, so you can ask them all the questions you would like, and a bunch of people from the team to help.

Ben: 00:27:49.615 So now I'm going to go to our Q&A. And let me share. So Reggie says, "Are all Windows logins accounts available on all Windows machines, or is there a way to restrict your log in users?" Yeah, so in this case, you would use our RBAC mechanism to say so. In my case, it depends upon how you sort of set up your rules. I just have an access role, but you might want to have an administrator and an intern role, and the intern only gets access to specific logins for those specific machines— would be the example that I would use. So, "Are all Windows logins available on all Windows machines, or is there a way —?" Sorry, I've done this one already. Okay, "Are there similar features like RDP, maybe VNC, for Linux boxes planned?" This is like a tentative one. Yes, we are exploring this. It likely would be towards the end of the year. Ricardo, I would definitely like to follow up because I know the team is sort of investigating which Linux boxes and which machines, so we'd love to gather more information from you. Okay. So are there any other questions or any chat? I'll give you all a couple more minutes. And I'm trying to extend the time of the webinar. It looks like we have a short period of time, but definitely time for a couple more questions.

Ben: 00:29:34.784 Yes. So, Peter, let me share this one. "Can I replay a session?" Yes. The session replay is available in the session recordings. You can replay them here. We also have a command line tool which is called tsh. tsh can be used to export and re-encode these playbacks as videos so you can sort of store them for archival reasons as well. Okay. It looks like — okay. "Do we need a Linux box in a scenario, and can we use Desktop Access on a Windows-only environment?" The answer to this is yes — you would need one Linux box. Although, I guess, technically, you could run Teleport on a server with Windows Subsystem for Linux. I've not really tried it yet, but that is a possibility. Probably the easiest way to get started would be to use one Linux box in your infrastructure, but I'd definitely like to follow up with our team to learn more. It looks like we have a bit more time, so if there's any other questions, I can answer them.

Ben: 00:30:58.961 Yeah, Peter, too, the webinar will be recorded. So that looks like it's the end. A couple more minutes. Okay. "What about Windows servers without a GUI? Can you use Teleport to access those machines?" This is a great question. I'd say you've got a few options. One, you could technically run Teleport in the same way you'd run Teleport on a server, especially if you're running Windows Subsystem for Linux. I'm going to log in to this host. But I haven't tried it without a GUI, but that's probably the approach that I would take. So probably something that I'd investigate more. Okay. See if there are any other questions. All right. Well, I know we're sort of at advertised time. I'd like to thank everyone for coming to join us today and enjoying the overview of Teleport and Teleport Desktop Access. Like I said, if you have any questions, you can reach out to us. We also have a community Slack room that you can join. If you come here in the community Slack, you can feel free to ask us any questions. So thanks so much and have a great day, and thanks for watching.