You can enable secure remote access to a Windows machine on the Dynamic Secrets or on the Rotated Secrets that generates ephemeral credentials for the machine. Users can access the Windows machine from the Secure Remote Access Portal over the web.

Prerequisites

To enable secure remote access to a Windows machine, you need:

A Dynamic Secret that specifies the Windows machine details and access credentials. Or a Rotated Secrets for a Windows Target.
Secure Remote Access Bastion.

Set Up Remote Access to a Windows Machine from the Akeyless CLI

Let's set up remote access to a Windows Machine using the Akeyless CLI. If you’d prefer, see how to do this from the Akeyless Console instead.

Run the update-item command to define the following fields to the dynamic secret that specifies the Windows machine details and access credentials:

akeyless update-item --name <Dynamic Secret Name>\
--secure-access-enable true \
--secure-access-host <hostname or IP> \
--secure-access-rdp-domain <domain name>

akeyless update-rotated-secret --name <Rotated Secret Name> \
--secure-access-enable true \
--secure-access-host <hostname or IP> \
--secure-access-rdp-domain <domain name>
--rotate-after-disconnect <true|false>

where:

secure-access-host: The hostname (or IP address) for accessing the Windows machine as defined in the dynamic secret. For multiple values repeat this flag.
secure-access-rdp-domain: Optional, only required when the dynamic secret is configured to create credentials for a fixed user. This option defines the domain to which the Windows user for whom credentials are created belongs.

Optional:

secure-access-rdp-user : Override the RDP Domain username.
secure-access-allow-external-user: Allow providing external user for a domain users [true/false].
rotate-after-disconnect: Optional for Rotated Secret. You can enable an automatic secret rotation after a session ends.
secure-access-rd-gateway-server- Optional for Dynamic Secret, to connect from the bastion to the remote host via an RD-Gateway server.

Set Up Remote Access to a Windows Machine from the Akeyless Console

Let's set up remote access to a Windows Machine from the Akeyless Console. If you'd prefer, see how to do this from the Akeyless CLI instead.

Log in to the Akeyless Console and go to Secrets & Keys.
Select the Dynamic Secret or the Rotated Secret that specifies the Windows machine details and access credentials.
Click on the Secure Remote Access tab, select the pencil icon and enable the Secure Remote Access, then fill in the following fields:

Host(s): The hostname (or IP address) for accessing the Windows machine as defined in the dynamic secret.
Domain: Optional, only required when the dynamic secret is configured to create credentials for a fixed user. This option defines the domain to which the Windows user for whom credentials are created belongs.
Override User: Optional, override the RDP Domain username.
Allow Providing External Username: Optional. Select to enable an external username to log in to the target host.

To the right of the Enable Secure Remote Access field, select the tick mark icon to save your changes.

Access a Windows Machine Over the Web from the Secure Remote Access Portal

Log in to the Secure Remote Access Portal and select Remote Desktop.
Select the Windows machine hostname or IP address, then select Connect.
A new tab opens, in which you can interact with the Windows machine according to your permissions.
To lock the RDP screen, you can leverage the On-Screen Keyboard (OSK)- when using your own keyboard, press “Ctrl + Alt” and hit “Del” on the OSK inside your RDP session. Alternatively, you can simply close the relevant tab to disconnect the session.

Inject a Fixed user password automatically

While working with fixed users, Akeyless Bastion can automatically inject your own password if stored under your personal folder.

Create a new Static Secret under your personal folder with the exact full name of the relevant Dynamic Secret.

Download & Upload Files

To download files from a remote server, simply drag the desired files into the download folder inside the mounted virtual disk named file-share on Guac rdp, and a download process will start immediately. To upload files, use the Upload button on top of your session actions bar menu, the files will be located under the shared drive as well.

📘
Info
Mounted Folder
Notice that upload stores (temporarily) the file on the bastion’s server, please make sure it has enough disk space. The files will be cleared after the user disconnects.