Use HCP Boundary to secure Windows access via just-in-time credentials
Authors: Vinodh Shankar and Ravi Panchal
Organizations worldwide increasingly rely on remote access to environments, driven by the shift towards cloud computing. With infrastructure and services hosted across multiple cloud providers and private data centers, IT operators and vendors must have remote access to manage and maintain these resources.
This guide offers an opinionated solution for organizations seeking enhanced security for remote access with just-in-time credentials. Organizations can leverage HCP Boundary and HCP Vault to secure remote desktop protocol (RDP) access to Windows machines joined to Active Directory (AD). This mitigates security risks associated with static credentials and supports regulatory compliance. The solution also applies to HashiCorp self-managed offerings, Boundary Enterprise and Vault Enterprise.
By securing remote access to your machines with HCP Boundary and HCP Vault, you gain the following benefits:
- Enhanced security: With Boundary's integration with Vault, organizations can automate the provisioning of dynamic Windows AD credentials. This eliminates the need for manual credential management, streamlining the authentication process and reducing administrative overhead.
- On-demand access: Boundary provides users with just-in-time access to Windows machines, granting temporary credentials only when needed. This approach minimizes the exposure window and reduces the risk of unauthorized access.
- Reduced risk of credential exposure: Leveraging Vault's capabilities, Boundary issues short-lived credentials for RDP access to Windows machines. These credentials expire after a predefined period, reducing the risk of credential theft and misuse. Short-lived credentials also minimize the attack surface.
- Role-based access control (RBAC): Fine-grained access policies allow organizations to define granular access controls based on user roles and permissions. This enables organizations to enforce least privilege principles and restrict access to only those resources and actions necessary for users to perform their jobs.
- Improved compliance: The use of dynamic, short-lived credentials aligns with PCI DSS requirements for secure key management and data access, and with GDPR's principle of least-privilege access. By enforcing stricter access controls and reducing the exposure window, organizations can demonstrate compliance with data protection regulations.
- Auditing and accountability: Boundary and Vault provide comprehensive auditing and logging capabilities, allowing organizations to track and monitor RDP access to Windows machines. This enables real-time visibility into user activities, facilitating incident response and forensic analysis.
Target audience
This guide references the following roles:
- Platform operator: Someone who manages and automates your infrastructure lifecycle.
- Security operator: Someone who manages your identity provider, RBAC policies, and Active Directory.
Prerequisites
To follow this guide, you will need the following:
- HCP Account
- AWS Account featuring a VPC with private subnets.
- Windows domain controller and the target Windows machine joined to the Windows domain controller.
- Boundary self-managed worker
- Boundary Desktop
- Boundary and Vault CLI
- Microsoft Remote Desktop
Validated architecture
The solution leverages HashiCorp Boundary and Vault to secure user access to remote targets with time-bound dynamic credentials. The setup uses fully-managed, cloud-based HCP Boundary and HCP Vault, enabling quick deployment.
The diagram shows the following components in the solution:
- HCP Boundary controller authenticates users and grants access to target systems based on role-based access control (RBAC) policies.
- HCP Vault generates time-bound dynamic credentials for authorized users to access the remote target system.
- HCP Boundary worker acts as an ingress worker that is accessible by users.
- The self-managed Boundary worker resides within a private network and functions as an egress worker capable of accessing the target. It establishes a reverse proxy connection to the HCP worker.
- Users initiate connections to the HCP worker to access the target system.
- Inbound connection requests from users are directed to the self-managed egress worker via reverse proxy connection with the HCP Boundary worker.
- The self-managed egress worker establishes a connection to the remote target system.
Secured remote access workflow
The following diagram illustrates the secure remote access workflow between users, HCP Boundary, HCP Vault, and the target infrastructure. The numbered steps show how authentication, authorization, and credential generation flow through the system to enable just-in-time access to target resources.
The diagram shows the following workflow:
- Once an authenticated and authorized user requests access to the Windows target, the Boundary controller sends a request to HCP Vault to generate dynamic AD credentials.
- Vault's LDAP secrets engine communicates with the Windows Domain Controller to generate the dynamic AD credentials.
- The Boundary Controller retrieves the AD credentials from Vault and presents them to the user. Despite being presented to the end user, it's important to emphasize that these credentials are ephemeral, have a short time-to-live (TTL), and do not need to be stored on local machines. Vault associates each dynamic secret with a lease and automatically destroys the credentials when the lease expires.
- Finally, the user uses the dynamic, time-bound AD credentials to establish a just-in-time secure connection to the remote Windows target via the self-managed Boundary worker.
Deploy and configure HCP Boundary
The platform operator is responsible for deploying and configuring HCP Boundary.
Navigate to HashiCorp Cloud Platform and log in using your credentials.
Click the Boundary tab, and then click Deploy Boundary on the right-hand panel.
Fill out the Administrator Username and Administrator Password.
Store the administrator username and password in a safe location. You will use these credentials to authenticate using the Admin Console, CLI, or Terraform.
Click Deploy after completing the form. It may take a few minutes to initialize the HCP Boundary instance.
Create a project within the organization scope. Scopes are resource groupings used to partition resources and then assign ownership.
Configure the self-managed worker and register with HCP Boundary
The platform operator is responsible for configuring the self-managed worker and registering it with HCP Boundary.
Configure HCP Boundary self-managed workers. You can deploy self-managed workers in private networks while still communicating with an upstream HCP Boundary cluster. Self-managed HCP worker binaries exist for Linux, macOS, Windows, BSD, and Solaris. Workers must run the Boundary Enterprise binary to be registered with HCP.
Register the worker with HCP using the Boundary CLI or Admin Console Web UI.
Deploy and configure HCP Vault
The platform operator is responsible for deploying HCP Vault and peering it with your VPC.
- Navigate to HashiCorp Cloud Platform and log in using your credentials.
- Select the organization to create an HCP Vault Dedicated cluster.
- Select Amazon Web Services as the cloud provider.
- For the purpose of this solution, select Development.
- Create a HashiCorp Virtual Network (HVN) for AWS.
- Review and finalize to deploy.
- Create a peering connection between HCP and your virtual private cloud (VPC).
Integrate HCP Boundary with an identity provider
The platform operator is responsible for integrating HCP Boundary with an identity provider.
Integrate HCP Boundary with your existing identity provider, such as LDAP, Active Directory, Microsoft Entra, or Okta, for user authentication and authorization.
Enable an LDAP secret engine and create dynamic roles
The security operator is responsible for enabling an LDAP secret engine and creating dynamic roles.
Log in to Vault and enable the LDAP secrets engine at the ldap/ path.
Configure the LDAP secrets engine to use the AD schema.
Create two roles that generate dynamic credentials for restricted and privileged user access. LDIF entries manage the dynamic user credentials when you create the roles. The following LDIF example template creates dynamic credentials for restricted users in the hashidemo.com domain and restricts users from accessing the Windows Control Panel. You need to update the domain to match your Active Directory domain name.
Restrict users from accessing the Windows Control Panel
```ldif
dn: CN={{.Username}},CN=Users,DC=hashidemo,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
userPrincipalName: {{.Username}}@hashidemo.com
sAMAccountName: {{.Username}}

dn: CN={{.Username}},CN=Users,DC=hashidemo,DC=com
changetype: modify
replace: unicodePwd
unicodePwd::{{ printf "%q" .Password | utf16le | base64 }}
-
replace: userAccountControl
userAccountControl: 66048
-

dn: CN=Block_Control_Panel_Access,CN=Users,DC=hashidemo,DC=com
changetype: modify
add: member
member: CN={{.Username}},CN=Users,DC=hashidemo,DC=com
-
```
The following LDIF example template creates dynamic credentials for privileged users in the hashidemo.com domain and allows users to access all functions. You need to update the domain to match your Active Directory domain name.
Allow users to access all functions
```ldif
dn: CN={{.Username}},CN=Users,DC=hashidemo,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
userPrincipalName: {{.Username}}@hashidemo.com
sAMAccountName: {{.Username}}

dn: CN={{.Username}},CN=Users,DC=hashidemo,DC=com
changetype: modify
replace: unicodePwd
unicodePwd::{{ printf "%q" .Password | utf16le | base64 }}
-
replace: userAccountControl
userAccountControl: 66048
-
```
Create an HCP Vault policy that lets HCP Boundary generate dynamic AD credentials for the restricted and privileged roles.
```hcl
path "ldap/creds/restricted" {
  capabilities = ["read"]
}

path "ldap/creds/privileged" {
  capabilities = ["read"]
}
```
Create a Vault token with the above policy attached. This token is required when setting up a Vault credential store in Boundary.
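As an added offline check (example code written for this guide, not part of the guide or of Vault itself), the following Python renders the restricted LDIF template above the way Vault's LDAP secrets engine would for a sample username and password, parses the result, and verifies what the domain controller will receive: the user DN, the userAccountControl flags (66048 is NORMAL_ACCOUNT plus DONT_EXPIRE_PASSWD), the double-quoted UTF-16LE unicodePwd value, and membership in the Block_Control_Panel_Access group. The sample username and password are constructed, and the password is assumed to contain no characters that Go's printf "%q" would escape.

```python
import base64

# Constructed copy of the guide's "restricted" LDIF template; hashidemo.com is the guide's placeholder domain.
RESTRICTED_LDIF = """\
dn: CN={{.Username}},CN=Users,DC=hashidemo,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
userPrincipalName: {{.Username}}@hashidemo.com
sAMAccountName: {{.Username}}

dn: CN={{.Username}},CN=Users,DC=hashidemo,DC=com
changetype: modify
replace: unicodePwd
unicodePwd::{{ printf "%q" .Password | utf16le | base64 }}
-
replace: userAccountControl
userAccountControl: 66048
-

dn: CN=Block_Control_Panel_Access,CN=Users,DC=hashidemo,DC=com
changetype: modify
add: member
member: CN={{.Username}},CN=Users,DC=hashidemo,DC=com
-
"""
PWD_PIPE = '{{ printf "%q" .Password | utf16le | base64 }}'
NORMAL_ACCOUNT, DONT_EXPIRE_PASSWD = 0x0200, 0x10000  # AD userAccountControl bits

def ad_unicode_pwd(password: str) -> str:
    # AD accepts unicodePwd only as the double-quoted password in UTF-16LE; "::" in LDIF marks base64.
    # Assumes Go's %q adds nothing but the surrounding quotes (no escaped characters in the password).
    return base64.b64encode(f'"{password}"'.encode("utf-16-le")).decode()

def parse_record(block: str) -> dict:
    # Attribute -> list of values for one LDIF record; a bare "-" only separates modify operations.
    rec = {}
    for key, _, val in (line.partition(":") for line in block.splitlines() if line != "-"):
        rec.setdefault(key, []).append(val.lstrip(":").strip())
    return rec

def check_restricted(username: str, password: str) -> dict:
    # Render the template as Vault would, then verify what the domain controller will receive.
    rendered = RESTRICTED_LDIF.replace("{{.Username}}", username).replace(PWD_PIPE, ad_unicode_pwd(password))
    add, mod, grp = (parse_record(b) for b in rendered.strip().split("\n\n"))
    dn = f"CN={username},CN=Users,DC=hashidemo,DC=com"
    return {
        "dn_ok": add["dn"] == [dn] and mod["dn"] == [dn],
        "uac_ok": int(mod["userAccountControl"][0]) == NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD,
        "pwd_ok": base64.b64decode(mod["unicodePwd"][0]).decode("utf-16-le") == f'"{password}"',
        "blocked": grp["changetype"] == ["modify"] and grp["member"] == [dn],
    }
```

Running check_restricted with the privileged template instead would fail the "blocked" check, which is exactly the difference between the two roles.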
Configure Vault credential store in HCP Boundary
The platform operator is responsible for configuring the Vault credential store in HCP Boundary.
Create a Vault credential store in HCP Boundary. Provide the Vault token generated in the above step for the configuration.
Create two credential libraries, one for privileged roles and the other for restricted roles. The credential library for privileged roles should use ldap/creds/privileged as the secrets engine path. Likewise, the credential library for restricted roles should use ldap/creds/restricted as the secrets engine path. Specify GET as the HTTP method.
Configure two new targets to access from HCP Boundary
The platform operator is responsible for configuring two new targets to access from HCP Boundary.
Create two new generic TCP targets, windows_restricted and windows_privileged, both using the same target instance address and port. Each target is mapped to its respective credential library. The windows_restricted target is mapped to the windows_restricted credential library, while the windows_privileged target is mapped to the windows_privileged credential library. Set the worker filter field to use the self-managed egress worker. This lets you connect to the Windows target via the self-managed egress worker in a private network.
Configure two new roles in HCP Boundary
The platform operator is responsible for creating two new roles in HCP Boundary.
Create two new roles, support and admin. Grant each role permission to connect to a specific target. Users belonging to the support role should have access to the windows_restricted target, while those belonging to the admin role should have access to the windows_privileged target. Allow access to specific targets using the grants below. Replace WINDOWS_RESTRICTED_TARGET_ID with the actual target ID of the windows_restricted target.
ids=<WINDOWS_RESTRICTED_TARGET_ID>;actions=read,authorize-session
Assign principals to roles. The principal can be a user, group or managed group.
Test the workflow for the user with restricted access
The platform team is responsible for testing the workflow for a user with restricted access. The user with restricted access is likely the application team.
Log in to the Boundary Desktop client using the HCP Boundary cluster URL.
Retrieve dynamic AD credentials as a restricted user
Click the Connect button to retrieve the time-bound, dynamic AD credentials for accessing the windows_restricted target. At this stage, the HCP Boundary controller makes a request to HCP Vault via the self-managed Boundary worker to generate the credentials. The username portion of the dynamic credentials is prefixed because the Vault dynamic secret backend role configured for this target uses a Username template. The dynamic credentials are now available to connect to the remote target with the appropriate policy and permissions attached.
Connect to the remote target as a restricted user.
All of the details required for the support user to connect to the remote Windows host are now available. The Boundary client establishes a secure connection from the user's machine to the Boundary worker using the local loopback address and a dynamic port.
Destination Address: 127.0.0.1:<dynamic_port_number>
Username: hashidemo.com\<dynamic_username>
Password: <dynamic_user_password>
Configure the Microsoft Remote Desktop client with the details provided in the Boundary Desktop output to connect to the remote target.
Once logged in to the Windows machine, open the command prompt and run the command whoami to confirm that the logged-in user is the dynamically generated user account. Finally, verify whether the user has access to the Control Panel by clicking 'Windows' - 'Control Panel'.
The dynamic AD credential generated for the user should not allow access to the Windows Control Panel.
Test the workflow for the user with privileged access
The platform team is responsible for testing the workflow for a user with privileged access. The user with privileged access is likely the security team.
Authenticate to Boundary as a privileged user.
Log in to the Boundary Desktop client using the HCP Boundary cluster URL.
Retrieve dynamic AD credentials as a privileged user.
- Click the Connect button to retrieve the time-bound, dynamic AD credentials for accessing the windows_privileged target.
- At this stage, the HCP Boundary controller makes a request to HCP Vault via the self-managed Boundary worker to generate the credentials. The username portion of the dynamic credentials is prefixed because the Vault dynamic secret backend role configured for this target uses a Username template.
- The dynamic credentials are now available to connect to the remote target with the appropriate policy and permissions attached.
Connect to the remote target as a privileged user.
All of the details required for the user to connect to the remote Windows host are now available. The Boundary client establishes a secure connection from the user's local machine to the Boundary worker using the local loopback address and a dynamic port.
Destination Address: 127.0.0.1:<dynamic_port_number>
Username: hashidemo.com\<dynamic_username>
Password: <dynamic_user_password>
Configure the Microsoft Remote Desktop client with the details provided from the Boundary Desktop output to connect to the remote target.
Once logged in to the Windows machine, open the command prompt and run the command whoami to confirm that the logged-in user is the dynamically generated user account.
Finally, verify that the user has access to the Control Panel by clicking 'Windows' - 'Control Panel'.
The dynamic AD credential generated for the user should allow access to the Windows Control Panel.
Clean up resources
The platform operator is responsible for cleaning up the associated resources post testing.
Conclusion
In this guide, you learned how to secure remote access to Windows machines with HCP Boundary and HCP Vault. To learn more, check out the following resources: