Testing ScaleFT access from an admin workstation to a remote server through Remote Desktop Protocol, without a VPN or Remote Desktop Gateway
ScaleFT creates BeyondCorp-style secure access to internal resources without publishing them over a VPN or a direct connection from the internet.
This setup covers a basic integration between one PC and one server. ScaleFT provides a free version for personal use for up to 5 servers, so this is a large step forward in providing secure access to your resources.
Sign up at https://www.scaleft.com/ ; there is excellent documentation in place and instant trial access.
This is my first go at a BeyondCorp install and so far it looks very good.
This is a simple test without the full security integration, so no Azure AD or Okta; there is room for more improvements.
Overall process
1. Register Trial
2. Setup Client
3. Create Project
4. Add Server to Project
5. Add Permission to Project
6. Use Secure BeyondCorp access to your internal resources
Protocols available: Web Applications, Remote Desktop and SSH
And the step by step:
Logging in to the interface, there are no clients for now.
Adding a client is as simple as downloading and running
sft enroll --team "tenant name"
ScaleFT does not require local admin rights to function on the machine where access is started from.
Adding the client to the team requires authentication. From the initial testing with Edge I saw some issues that need a bit of time to repro, but running with Chrome works.
And we can now see my PC in the portal.
To enroll a server we need to create a project.
And then we can go to enrollment tokens to create a token for the server to enroll.
Set up a token name and save the token.
On the server we can install the ScaleFT server-side tools with PowerShell:
PS C:\ScaleFT> Import-Module .\Install.psm1
PS C:\ScaleFT> Install-ScaleFTServerTools -EnrollmentToken
Downloading https://dist.scaleft.com/server-tools/windows/latest/ScaleFT-Server-Tool
C:\Users\Administrator\AppData\Local\Temp\2\tmp1AC.msi is signed by ScaleFT
Starting msiexec on C:\Users\Administrator\AppData\Local\Temp\2\tmp1AC.msi
MSI Log path: C:\Users\Administrator\AppData\Local\Temp\2\tmp1AC.log
Removing C:\Users\Administrator\AppData\Local\Temp\2\tmp1AC.msi
Starting Service scaleft-server-tools
True
And 2 minutes later we have it installed (on my slow connection).
And we now have a server to access.
As we are dealing with zero trust, we need to create a group that grants access.
Groups can give either local admin or local user permissions; for this test we will use Admin.
Back to my client, and run sft list-servers
Getting prompted for access to ScaleFT and allowing access.
I can now see my server.
And we try to log in.
In this environment we have locked down NTLM, and ScaleFT proxies the RDP session through localhost, so we need to allow that.
Adding localhost to the NTLM exceptions.
And we can now logon through our tunnel.
And when we are done working we can issue an sft logout.
And we have a full audit history.
Can you tell if a PC remoted in from an unencrypted machine in your environment?
So, what does ScaleFT do on our Windows box to create access and users?
After initial authentication we can see ScaleFT creating the admindemo user (that is my ScaleFT user), adding it to the local Administrators and Remote Desktop Users groups:
time="2018-07-17T14:13:27+02:00" level=info msg="osedit: applying change to system" description="Creating local user 'admindemo' based on user:'1d55549f-d4c9-7adc-2463-3b3414354e7c'" goal=user_create
time="2018-07-17T14:13:27+02:00" level=info msg="osedit: applying change to system" description="Adding local user 'admindemo' to local group 'Administrators' based on group:'BUILTIN-A3FC-7CF8FAD6C251'" goal=group_member_add
time="2018-07-17T14:13:27+02:00" level=info msg="osedit: applying change to system" description="Adding local user 'admindemo' to local group 'Remote Desktop Users' based on group:'BUILTIN--B750-50F1D33462FE'" goal=group_member_add
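As an added example (my own code, not ScaleFT's tooling), a small Python parser for the osedit log lines above that a defender could run over the server-tools log to list which local accounts the agent created and which groups they were added to, flagging anyone landing in Administrators. The sample input is constructed from the three entries shown on this page.

```python
import re
from collections import defaultdict

# Constructed sample: the three osedit entries from this post, straight quotes.
SAMPLE_LOG = '''\
time="2018-07-17T14:13:27+02:00" level=info msg="osedit: applying change to system" description="Creating local user 'admindemo' based on user:'1d55549f-d4c9-7adc-2463-3b3414354e7c'" goal=user_create
time="2018-07-17T14:13:27+02:00" level=info msg="osedit: applying change to system" description="Adding local user 'admindemo' to local group 'Administrators' based on group:'BUILTIN-A3FC-7CF8FAD6C251'" goal=group_member_add
time="2018-07-17T14:13:27+02:00" level=info msg="osedit: applying change to system" description="Adding local user 'admindemo' to local group 'Remote Desktop Users' based on group:'BUILTIN--B750-50F1D33462FE'" goal=group_member_add
'''

# key=value pairs; values are either double-quoted (may contain single quotes) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
USER_CREATE_RE = re.compile(r"Creating local user '([^']+)'")
GROUP_ADD_RE = re.compile(r"Adding local user '([^']+)' to local group '([^']+)'")


def parse_line(line):
    """Split one logfmt-style line into a dict, stripping the double quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def summarize(log_text):
    """Map each local user the agent touched to its creation time, groups and an
    'admin' flag set when it was added to the local Administrators group."""
    users = defaultdict(lambda: {"created_at": None, "groups": [], "admin": False})
    for raw in log_text.splitlines():
        if "osedit" not in raw:
            continue  # only the account/group edits are of interest here
        fields = parse_line(raw)
        desc = fields.get("description", "")
        if fields.get("goal") == "user_create":
            m = USER_CREATE_RE.search(desc)
            if m:
                users[m.group(1)]["created_at"] = fields.get("time")
        elif fields.get("goal") == "group_member_add":
            m = GROUP_ADD_RE.search(desc)
            if m:
                users[m.group(1)]["groups"].append(m.group(2))
    for info in users.values():
        info["admin"] = "Administrators" in info["groups"]
    return dict(users)
```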
ScaleFT cycles the password at each logon, so a test from here shows
* Username : WIN-GNM5AES6691\admindemo
* Domain : TERMSRV/127.0.0.1
* Password : C1Vi5JqadyEZjW%HuskZcWM3cI3JkXOPDx#JApF3HvgB#%ZxpMZ3D4wBKPGdcT4n
And after the next logon
* Username : WIN-GNM5AES6691\admindemo
* Domain : TERMSRV/127.0.0.1
* Password : i7GYIDBh%[email protected]
So that looks good.