Supplementary Technical Info
Unattended Access Auditlog
All sessions with Unattended Access are documented in the Auditlog, regardless of the setup in use. The Auditlog shows which users have connected to which endpoints, as well as the session duration and gateway used.
If the endpoint has the Admin By Request Server agent installed, the auditlog will also contain detailed information about which software has been used as well as all of the other things recorded by the classic Admin By Request auditlog.
Besides this, you also have the option to enable video recording of each session to be used as additional documentation.
To enable video recording:
-
In the portal, go to SRA > Settings > Unattended Access Settings and select the Settings menu.
-
On the RECORDING tab, enable Screen recording.
A Word about Security
There are security mechanisms built in to the Unattended Access setup.
When clicking the Remote Control button for a device in the Inventory (Inventory > [Device] > Details > Properties), the following flow is initiated:
-
A one-time unique transfer token is coupled with the initiating user's IP address.
-
The transfer token is sent to the Connector.
-
The Connector uses the transfer token to call back the Admin By Request portal to verify that the request is valid and actually initiated by the current user.
-
If the transfer token is valid, the Admin By Request portal issues a connector token. This token contains information about the endpoint and credentials, as well as settings for the remote session.
-
The Connector receives the connector token and verifies its validity.
-
If the token is valid, the arguments are sent to the Proxy, which will in turn attempt to establish a connection to the endpoint.
Furthermore, the information supplied in the Docker compose file can only be spun up for a short period of time. Once the gateway has been spun up, it will be locked to the server's IP address.
The connector token is encrypted using a secret only known by the Connector and the Admin By Request portal. The token values are also HMAC-validated by verifying a signed hash value of the connection properties.
All connections made by browsers are via Secure WebSockets and the gateways are "pull-configuration" only.
Technical Flows
Connection Flow
During this process, the following happens:
-
The Admin By Request portal assigns a one-time transfer token that’s coupled with the user's IP address.
-
The transfer token is delivered from the browser to the Connector to inform that a request to connect to an endpoint is present.
-
The Connector validates the transfer token by sending it back to the portal alongside the user's IP address. If token and IP address match, the portal issues a connector token that contains the necessary information to connect to the endpoint.
-
When the Connector receives the token, it’ll start by decrypting the values. Once decrypted, the values are HMAC-validated to ensure that no tampering has occurred.
-
If decryption and HMAC validation succeeds, the connection parameters are passed along to the Proxy, which initiates the connection to the endpoint with the requested protocol.
-
The connection stream is delivered back to the browser via Secure WebSocket.
If the gateway is configured with Cloudflare tunnels, then all communication is sent via the unique secure tunnel for that gateway.
Discovery Flow
The Connector asks the portal repeatedly if a discovery scan should be allowed to run. Based on the settings within the portal, this might eventually return a positive result.
Upon receiving a positive result, the Connector asks the Discovery container to run the discovery process. This returns a collection of discovered devices, which will in turn be returned to the portal to be ingested into the Inventory.
Tunnel Initiation Flow
Upon spinning up the Connector container, the portal is asked repeatedly if a tunnel should be initialized. If the portal settings allow for a tunnel to be created, the portal calls Cloudflare to set up the tunnel and receive a unique tunnel token back.
This token is returned to the Connector, which then initializes the tunnel to Cloudflare. Once the tunnel has been established, a status call is made to ensure connectivity. This status is returned to the portal, notifying it that the tunnel is ready for use.
Limiting Access
Besides how the Unattended Access solution grants access to various endpoints inside the infrastructure, limiting and securing access is of the highest importance. We recommend that customers at the very least:
-
Enable SSO with conditional access for users with remote access privileges.
-
Consider restricting the access to gateways based on the IP addresses that should be allowed to connect via each one.
We recommend that IP address restrictions are made within your own infrastructure, but restrictions can also be set via the portal by going to the gateway details and selecting SRA > Settings > Unattended Access Settings > Gateways > ON-PREMISE > [Gateway] > Settings > IP RESTRICTIONS:
From here, IP restrictions can be enabled, allowing you to enter the IP addresses you want to allow the ability to access endpoints via the selected gateway.