IT and system administrators are faced with a dilemma: how to ensure people working from home can access specific internal systems securely. Allowing VPN access is not an ideal solution if access is needed only to a particular Windows application or internal website.
Another example of specific access: a remote worker needs to transfer files to/from a Linux/Unix/Windows system that under normal operation would not be reachable from the demilitarized zone (DMZ). These extraordinary times require easy-to-use and easy-to-deploy solutions to get the work done remotely without sacrificing security in the process.
Here are five ways our solution, PrivX, typically deployed for privileged user access, can be used to provide easy, secure, restricted and monitored remote access to all employees working out of the office with nothing more than their favorite modern web browser.
1. Multi-Factor Authentication (MFA) for employee access
Option 1) Leverage your existing LDAP user directory, for example an on-premise Active Directory together with a Time-based One-time Password (TOTP) to enforce Multi-Factor Authentication (MFA) for your employees. They will log in to the PrivX GUI with their browser using their familiar domain password and TOTP from an authenticator application like Microsoft Authenticator or Google Authenticator - installed on the user’s mobile phone.
Option 2) If you have an OpenID Connect (OIDC) Identity Provider that already enforces MFA, for example Microsoft Azure Active Directory, you can use it to authenticate PrivX users.
Option 3) Alternatively, the PrivX GUI can be configured to use X.509v3 client certificate authentication for Active Directory users, for example to authenticate PrivX users with a smart card.
2. Temporary access to authorized targets - without passwords
PrivX provides role-based access controls (RBAC) to authorized targets, where each target is a combination of a target host and a target account. The configured target account can be either the user’s personal account, which lets your employee log in as self, or a shared account.
PrivX uses ephemeral certificates that are created just-in-time and used automatically when the user initiates a Secure Shell (SSH) or Remote Desktop Protocol (RDP) connection from the PrivX GUI to the authorized target. The certificates are short-lived and disappear automatically soon after authorization, so there are no leave-behind credentials for anyone to share or steal.
For a shared target account, it is also possible to configure stored credentials that are never revealed to the PrivX user. So even when using shared accounts, the user cannot share any credentials with anyone else.
In both cases, there is always a solid audit trail of activities linked to an individual. There is also no need to distribute any credentials or show any secrets to the user at any point. This is a great boost to security.
If the conditions that grant access to the PrivX user no longer apply, for example the user is removed from an Active Directory group configured in the role, then the authorized target(s) are no longer available in the user’s allowed connections and any ongoing connections are disconnected. There is no need to wait for the user to log out for changes to take effect.
If needed, you can use PrivX to grant temporary access, for example by granting time-limited access for 10 hours that expires automatically after the time is up. In this case, the authenticated PrivX user requests a role via PrivX, and one or more approval steps (with approval roles) have to be completed before the role is granted to the user. Once again, there are no leave-behind credentials for anyone to misuse.
3. Restricted Windows RDP access to targets or applications
You can also grant limited RDP access to specific targets. For example, RDP without file transfer or clipboard could be allowed for some PrivX users to log in as self to their Windows workstations.
You can restrict access even further. Together with the target host’s Windows configuration, you can allow only particular Windows application(s) to be used on Windows servers. If PrivX session recording is enabled for the authorized target host, monitored RDP connections can be viewed as a video, and transferred files can be downloaded by your auditors or PrivX administrators.
4. Restricted SSH access
Any target host running a secure shell server can be configured with PrivX roles to allow restricted access. Secure Shell access via the PrivX GUI is restricted by design to shell (terminal) and file transfers only. Access from the internet to the PrivX server itself should be restricted in your firewall/load balancer to the PrivX GUI only.
SSH access can be restricted further, for example to allow only file transfers. The target host’s operating system file permissions apply to the target account within the SFTP connection. If PrivX session recording is enabled for the authorized target host, the uploaded/downloaded files are also recorded, in addition to the terminal session, for later viewing.
5. Restricted HTTPS/HTTP web access
You can also restrict access to specific networks/target hosts only when connecting from the PrivX GUI to websites. Logging in as self to a web target is possible if the user provides their own credentials for the web service. Again, optional session recording is possible. If needed, the additional PrivX Extender component can be used to access web targets (as well as SSH and RDP targets) in a private network or in virtual private clouds (VPCs).
Remote access management made easy
Our solution, PrivX, is a quick-to-implement and scalable privileged access management (PAM) solution that extends to all employees working from home, giving them secure remote access to web applications. It is a viable alternative to VPNs and other traditional secure remote access tools. Setting it up takes only days; it can be installed remotely and requires virtually no maintenance. You are in control of costs: start small and scale if needed.
Learn more about the solution here in this short video:
Suvi Lampila is a Senior Technical Services Engineer at SSH.COM. Suvi has been with SSH since 2001 and she has held various positions in technical support, quality assurance and professional services both in Finland and Hong Kong.