
Bastionhost: Bastionhost application O&M best practices

Last Updated: Oct 21, 2025

This topic describes how to use Bastionhost to authorize, control, and audit access to web-based (HTTP/HTTPS protocol) and client tool application assets. This helps enterprises achieve deep integration and expansion of operation and maintenance security for sensitive assets and comprehensively protect the security of business systems.

Background information

As enterprises continue to advance their digital transformation to meet core requirements such as improving collaboration efficiency, optimizing business processes, and integrating resource configurations, various information systems have emerged and continue to develop. These include common internal collaboration systems such as OA, ERP, CRM (such as SAP, Salesforce), along with web-based applications that are heavily relied upon in various industries. While the development of applications has increased the diversity of business systems, it has also expanded the attack surface of sensitive data assets. In addition to external attack threats, new risks such as permission confusion and internal data breaches occur frequently, continuously challenging the security baseline of enterprises.

Therefore, in addition to strengthening O&M security for hosts and database assets, it is also necessary to enhance O&M control and auditing for business systems with high data sensitivity, achieving a qualitative change from "border defense" to "cell-level control".

Solution

The traditional approach enterprises take to application asset access is to deploy a Windows server themselves. O&M personnel access desktop applications through shared administrator accounts to perform operations such as application publishing and system maintenance. In this setup, operations cannot be attributed to individual personnel. Multiple users sharing the same desktop data also creates a significant risk of data breaches and permission confusion, and the large number of user accounts increases management costs, making it difficult to organize permissions, audit behavior, and isolate data.

Alibaba Cloud Bastionhost Enterprise Dual-Engine Edition or Chinese Cryptographic Algorithm Edition builds an enterprise-level asset control system covering all scenarios by deeply integrating the access and management capabilities of application assets. Its core capabilities include the following:

  • Supports one-stop access to diverse asset types, including web applications, client software, and desktop applications. It establishes closed-loop management for the entire asset lifecycle through standardized permission configuration and operational behavior control.

  • Provides a one-click synchronization feature that synchronizes Bastionhost users to the target server domain system in real time, ensuring absolute user data isolation and eliminating the risk of permission spillover.

  • Dual-channel access mode — Remote Desktop Services (RDS) provides a complete desktop environment and browser access, while RemoteApp enables lightweight client application publishing, minimizing the exposed surface for access control.

  • Enables the configuration of URL allow/deny lists for web applications, allowing administrators to implement path-level access control by domain name and IP address to precisely govern user operational paths.

  • Establishes an end-to-end audit mechanism with full-screen recording of O&M behaviors, forming a traceable security audit closed loop.

How it works

By deploying a Windows server as an application server and completing application configuration and authorized access, O&M personnel can access authorized application assets only through Bastionhost. Administrators can also set access policies for destination addresses, using deny lists and allow lists to control which pages O&M personnel can reach, reducing business security risks. Bastionhost supports full-screen recording of the operations that O&M personnel perform on application assets, meeting enterprise audit requirements and enabling precise tracing when O&M incidents occur.
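The following is an added illustration of how a URL allow/deny list of the kind described above (host-level and path-level scope, deny entries winning over allow entries) can be evaluated safely. It is example code written for this page, not Bastionhost's implementation, and its semantics are assumptions: a wildcard host covers subdomains only, a policy with no allow entries acts as a pure deny list, and the request path is percent-decoded and normalized before matching so that `..` segments cannot slip past a deny entry. The sample policy and URLs are constructed for the example.

```python
"""Illustrative URL allow/deny list evaluator (added example, not Bastionhost code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from posixpath import normpath
from urllib.parse import unquote, urlsplit


@dataclass(frozen=True)
class Rule:
    """One list entry: a host pattern plus an optional path prefix.

    host may be an exact hostname ("crm.example.com"), a subdomain wildcard
    ("*.intranet.example.com"), or an IP network in CIDR notation ("10.0.0.0/8").
    path_prefix "/" covers every path on the host.
    """
    host: str
    path_prefix: str = "/"


def _host_matches(pattern: str, host: str) -> bool:
    pattern = pattern.lower()
    if pattern.startswith("*."):
        # Wildcard covers subdomains only, never the apex name itself (assumption).
        return host.endswith(pattern[1:])
    try:
        network = ip_network(pattern, strict=False)
    except ValueError:
        # Plain hostname: exact match only, so "crm.example.com.attacker.test"
        # does not match a rule for "crm.example.com".
        return host == pattern
    try:
        return ip_address(host) in network
    except ValueError:
        return False  # a CIDR rule never matches a DNS name


def _path_matches(prefix: str, path: str) -> bool:
    prefix = normpath(prefix or "/")
    if prefix == "/":
        return True
    # Match on a segment boundary so "/admin" does not also cover "/administrator".
    return path == prefix or path.startswith(prefix + "/")


def _normalize(url: str) -> tuple[str, str]:
    parts = urlsplit(url)
    host = parts.hostname or ""  # lower-cased, with port and userinfo removed
    # Percent-decode, then collapse "." and ".." so "/public/../admin" is judged
    # as "/admin"; a leading run of slashes is reduced to a single "/".
    path = "/" + normpath(unquote(parts.path or "/")).lstrip("/")
    return host, path


@dataclass(frozen=True)
class Policy:
    allow: tuple[Rule, ...] = ()
    deny: tuple[Rule, ...] = ()

    def evaluate(self, url: str) -> tuple[bool, str]:
        """Return (permitted, reason). Deny entries always win over allow entries."""
        host, path = _normalize(url)
        for rule in self.deny:
            if _host_matches(rule.host, host) and _path_matches(rule.path_prefix, path):
                return False, f"deny rule {rule.host}{rule.path_prefix}"
        if not self.allow:
            # Deny-list-only mode (assumption): anything not denied passes.
            return True, "no allow list configured"
        for rule in self.allow:
            if _host_matches(rule.host, host) and _path_matches(rule.path_prefix, path):
                return True, f"allow rule {rule.host}{rule.path_prefix}"
        return False, "not on allow list"


# Constructed sample policy (not from the page): the CRM is allowed except its
# admin console, any intranet subdomain is allowed, and on the 10/8 range only
# the /reports tree is reachable.
SAMPLE_POLICY = Policy(
    allow=(
        Rule("crm.example.com"),
        Rule("*.intranet.example.com"),
        Rule("10.0.0.0/8", "/reports"),
    ),
    deny=(Rule("crm.example.com", "/admin"),),
)


def check(url: str, policy: Policy = SAMPLE_POLICY) -> bool:
    """Convenience wrapper returning only the permit/deny decision."""
    return policy.evaluate(url)[0]


if __name__ == "__main__":
    for sample in (
        "https://crm.example.com/cases/42",
        "https://crm.example.com/public/../admin",
        "https://crm.example.com.attacker.test/",
        "http://10.1.2.3/reports/q3",
    ):
        print(sample, SAMPLE_POLICY.evaluate(sample))
```

The two checks that matter most for a defender are visible in the sample: hostnames are compared exactly (or by an explicit subdomain wildcard) rather than by substring, and paths are normalized before the deny list is consulted, so a traversal-style path or a longer prefix such as `/administrator` is judged on what it actually resolves to.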

The process of using Bastionhost for application O&M consists of the following steps:

  1. Purchase Bastionhost Enterprise Dual-Engine Edition or Chinese Cryptographic Algorithm Edition: If your Bastionhost instance is Basic Edition, upgrade to the corresponding edition. For more information, see Upgrade instance type.

  2. Prepare an application server: Administrators need to prepare a Windows host as an application server and deploy Windows Server RDS and RemoteApp applications on the application server. For configuration steps, see Deploy Windows Server as an application server.

    Note

    We recommend Windows Server 2016, Windows Server 2019, or Windows Server 2022.

  3. Import and add the application server to Bastionhost: Import the prepared application server into Bastionhost and add the imported application server on the Bastionhost application page.

  4. Deploy the application server: Publish the USMDriver.exe RemoteApp program on the application server. For more information, see Add and deploy an application server.

  5. Synchronize Bastionhost users to the application server: Synchronize Bastionhost users to the application server and create corresponding accounts for them. After successful synchronization, O&M personnel can log on to the application server through these accounts to perform O&M operations. For more information, see Create application server accounts.

  6. Add remote clients in Bastionhost: Add remote clients for accessing application assets on the application server, such as browsers and database client tools. For more information, see Add remote clients.

  7. Add and configure applications in Bastionhost: Add client applications or web applications and authorize them to the appropriate O&M personnel. For more information, see Add and configure applications.