Introducing Teleport Access Plane for Linux and Windows Hosts – Security Boulevard

We are excited to welcome Windows hosts to the Teleport Access Plane. For the past 5 years we’ve helped refine our Access Plane for Linux hosts, providing short-lived certificate-based access, RBAC and developer-friendly access to resources. As we’ve rolled Teleport to larger organizations, we found that people wanted the same convenience and security of Teleport but for Windows hosts.

How do you control access to Windows hosts?

Windows has historically been configured and administered using graphical user interfaces. Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft to provide GUI access to Windows desktops and servers over a network connection. You connect via an RDP client by providing a hostname or IP address and log in using a Windows user account username and password.

As organizations grow their Microsoft fleet, they must eventually build out a centralized way to manage, maintain and access these fleets. In the world of Windows, this means deploying Active Directory (AD) services using domain controllers (DCs). AD responds to authentication requests and verifies users on the network. Because Active Directory holds such privilege in the network, it is a common target for cyber attacks. If an adversary gets admin access to Active Directory, it’s often game over. This is why many opt to use a managed Active Directory service. If you do manage AD yourself, it’s important to follow best practices for hardening and network isolation.

An RDP Gateway might be deployed to provide access to internal network resources from outside the corporate firewall. This helps solve the remote access problem, but a few other problems remain.

“Hackers don’t break in, they log in.”

Weak passwords are the entry point for the majority of attacks across enterprise and consumer accounts. Microsoft has been working hard to move to a passwordless future. Since its inception, Teleport has been passwordless and has never supported password-based SSH authentication. Teleport supports only SSH certificates for Linux servers and X.509 certificates for other protocols like databases and Kubernetes clusters, since we wanted to keep passwordless access as our security invariant. With Teleport Desktop Access, we are bringing passwordless, certificate-based access to Windows as well.

But how do you log in to Windows without a password?

If you watch the gif below, you’ll notice a server is selected. The login page appears, but the password field remains empty.


What is this magic — how does passwordless Windows authentication work?

With Teleport Desktop Access, to …….

Source: https://securityboulevard.com/2021/12/introducing-teleport-access-plane-for-linux-and-windows-hosts/