Remote Desktop, simple small business example
A small business sought a cost-effective, secure remote access solution for their remote desktop servers.
They relied on a Linux-based edge firewall, using port forwarding to direct RDP traffic to internal machines. Although they utilized high, non-standard ports, these were frequently discovered, leading to daily brute-force attacks. As a result, internal Windows systems remained exposed at the network layer, vulnerable to any zero-day RDP exploits.
The goal:
Implement just-in-time network access controls for these RDP port forwards, without introducing a VPN – a solution that could add complexity and potential vulnerabilities.
The result:
Knocknoc was deployed on the existing Linux firewall to dynamically manage trusted IP addresses using IPSets. This approach effectively eliminated the network attack surface, and brute-force attacks naturally ceased as they were no longer possible.
Because the business already used Office 365 (Entra) as its identity provider, the deployment also put MFA in front of the RDP process, adding another layer of authentication to their remote desktop environment and closing notable compliance risks.
Technical how:
There are a number of ways to protect Remote Desktop (RDP) using Knocknoc. These include firewall orchestration or reverse proxying/brokering.
Using the integrated HAProxy backend or the script-backed backend are both viable approaches. In this example an existing IPTables firewall was utilized, so leveraging IPSets made sense, resulting in a high-performance, dynamic configuration.
Given the excellent RDP support in HAProxy, Knocknoc can also allow and block users to a Remote Desktop Gateway with ease. Knocknoc has likewise been deployed in conjunction with Apache Guacamole, creating a seamless, high-security web-based / in-browser RDP (and SSH/VNC) experience.
This allows you to deploy Knocknoc to users and set up Remote Desktop quickly and easily, allowing the source IPs of your users just in time and only for as long as they require access.
It also allows customers to quickly gate RDP behind their integrated SSO platform, combining a pre-existing IdP and all of its security benefits with Knocknoc.
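As an added illustration of the IPSet-based firewall orchestration described above (this is example code, not Knocknoc's own configuration or scripts), the following POSIX shell script shows the pattern a Linux edge firewall can use: the RDP port forward only matches source addresses present in an ipset, entries are added with a timeout so access expires by itself, and every address is validated before it is handed to ipset. The set name `knocknoc_rdp`, the external port 33890, the internal host 10.0.0.20 and the interface eth0 are constructed placeholders; set `DRY_RUN=1` to print the commands instead of executing them.

```shell
#!/bin/sh
# Just-in-time RDP port forward gated by an ipset (illustrative example, not Knocknoc code).
# Only addresses currently in the set are DNAT'ed to the internal RDP host; everyone else
# never matches the forward, so brute-force attempts against the public port go nowhere.

SET_NAME=${SET_NAME:-knocknoc_rdp}      # constructed placeholder set name
PUBLIC_PORT=${PUBLIC_PORT:-33890}       # the existing non-standard external port
RDP_HOST=${RDP_HOST:-10.0.0.20}         # constructed placeholder: internal RDP server
RDP_PORT=3389
WAN_IF=${WAN_IF:-eth0}                  # constructed placeholder: internet-facing interface

# Execute a command, or just print it when DRY_RUN=1 (lets the rule set be reviewed first).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only a dotted-quad IPv4 address with octets 0-255; reject anything else so a
# malformed or hostile string is never passed to ipset.
is_ipv4() {
    ip=$1
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -ge 0 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# One-time rule setup: a timeout-capable set, a DNAT that fires only for set members,
# an explicit ACCEPT for members, and a DROP for any other source reaching the RDP host.
setup_rules() {
    run ipset create "$SET_NAME" hash:ip timeout 0 -exist
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$PUBLIC_PORT" \
        -m set --match-set "$SET_NAME" src \
        -j DNAT --to-destination "$RDP_HOST:$RDP_PORT"
    run iptables -A FORWARD -i "$WAN_IF" -p tcp -d "$RDP_HOST" --dport "$RDP_PORT" \
        -m set --match-set "$SET_NAME" src -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -p tcp -d "$RDP_HOST" --dport "$RDP_PORT" -j DROP
}

# Grant a user's source address for ttl seconds (default one hour); the kernel removes
# the entry when the timeout lapses, so access closes even if nobody revokes it.
grant_access() {
    ip=$1; ttl=${2:-3600}
    is_ipv4 "$ip" || { echo "refusing invalid address: $ip" >&2; return 1; }
    run ipset add "$SET_NAME" "$ip" timeout "$ttl" -exist
}

# Revoke early, e.g. when the user logs out of the portal.
revoke_access() {
    ip=$1
    is_ipv4 "$ip" || return 1
    run ipset del "$SET_NAME" "$ip" -exist
}

main() {
    case "${1:-}" in
        setup)  setup_rules ;;
        grant)  grant_access "$2" "${3:-3600}" ;;
        revoke) revoke_access "$2" ;;
        *) echo "usage: $0 {setup|grant <ip> [ttl]|revoke <ip>}" >&2; return 2 ;;
    esac
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Two points worth checking on a real firewall: the ACCEPT rule must sit before any broader FORWARD rule that already permits traffic to the RDP host, and a granted address admits everyone sharing it (an office NAT or carrier-grade NAT), which is why the per-entry timeout and an MFA-backed login before `grant` matter.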