M4PAM - DB, RDP & SSH

Overview

The mamori server has built-in proxies for RDP, SSH and database connections. To apply controls and provide access-on-demand over database and server connections you must route all desired connections via the proxies running on the mamori server.

The feaures that become available via the proxies are listed below.

Enable Mamori database proxies to

SSO & multi-factor database connections
Access-On-Demand to RDS, servers, and databases
Update access to RDS & servers without having to modify network rules
SQL firewall rules
Identity based activity monitoring & audit
Isolate databases and RDS from random network IP access and scans
Controls Database permissions without having to created specialized DB credentials
Eliminate handing DevOps team database credentials

Enable Mamori RDP & SSH proxies to

SSO & multi-factor RDP, SSH, SCP & SFTP connections
Record & playback sessions
Prevent tunnelling
Simplify server key management and deployment
Eliminate named account sprawl



Steps

Step 1 - Update cloud RDS and target servers to whitelist only application servers and the mamori server

Step 2 - Configure mamori data sources, SSH and RDP logins

Step 3 - Provision user access and test access via mamori

Step 4 - Lockdown the application service accounts that are going via mamori

Typically application database connections are only routed through the mamori server if you want to implement gobal masking rules or apply SQL injection prevention policies.

If this is required for a critial application, then have one HA mamori server for the application traffic and another for the ad hoc traffic



Database Access Controls

The mamori proxies handle native connections for the 5 main database wire protocols (Oracle, MySQL, Postgres, MS SQL Server & MongoDB). Any database that uses the same wire protocol are also supported. For example, greenplum, redshift and cockroach DB are supported because they use the postgres wire protocol.

Databases, like teradata and impala, are supported via the mamori client jdbc and odbc driver.

One of the datasource permissions granted to a user is the passthrough mode the session will operate under. The table below describes the 3 available passthrough modes.

Passthrough ModeDescription
PASSTHROUGH100% passthrough. Has No statement checking, no masking
MASKED PASSTHROUGHApplies masking and statement permission checks. Allows code blocks that can't be analyzed.
PROTECTED PASSTHROUGHApplies masking. Only allows statements that can beanalyzed or are in the signed statement list



Steps

Step 1 - Add your data sources

Step 2 - Add database credentials to mamori roles

Step 3 - Add database permissions to mamori roles

Step 4 - Grant credential and permission roles to users

Step 5 - Define Access On-Demand policies

Step 6 - Verify connections from client tools



Add Datasources

Prerequisites

Ensure the appropriate drivers are installed

Click Datasources

Click

Next, edit the datasource details

FieldDescription
Datasource NameThe reference for this datasource

Database name in SQL tools.

Datasource TypeThe datasource type
Datasource GroupSet if you are going to push down db credentials via mamori
Driverdefaulted to driver for datasource type
Connection DetailsEnter database connection information

Click Save



If creating a mongo datasource, the authSource db and tls settings can be passed in under the advanced settings using either the Connection Properties: 
authSource=admin;tls=true

or the Connection URL Suffix:

&authSource=admin&tls=true
For MySQL driver version 8 and a DB server without SSL, add the following to the datasource connection string properties. 
useSSL=false



Add Credentials To A Role

Click Roles

Add or Edit an existing role

Click Database & Data Access

Click Credentials

Add the credential to the target datasource

Click OK



Add Permissions To A Role

The following instructions will grant a role the required permissions to run selects

  • MASKED PASSTHROUGH for all datasources

  • SELECT on all objects in all datasources

You can replace * with specific object names.

Click Roles

Add or Edit an existing role

Click Database & Data Access

Click Object Privileges

Click Add Object

Select Object Dialog Explanation

The object selection dialog has 4 fields : datasource,database,schema & table

Expand the object tree to the level you want to select and click on the paste button that displays on mouse over.

Place * in the appropriate fields if you want ALL objects at that level

Set * for datasource & click OK

Select the MASKED PASSTHROUGH permission

Click Add Object and enter * in all 4 fields & Click OK

Select the SELECT permission

Click Close



Grant roles to users

Click Roles

Click on Change Assigned Users grid menu for the role

Select users



Access On-Demand

To provide on-demand datasource access to a user

  • Do not grant the crendential role to a user
  • Grant the user the request role specified in the policy

The policy will grant the credential role to the user when it is executed.



To create a policy follow the steps below

Prerequisites

Define a role with credentials & permissions

Define Alert Channels

Click Policies

Click Access On Demand

Click Add

Policy Editor

For detailed field descriptions click here

Add a time parameter

Enter the statement below in the policy script

On Demand Policy
GRANT YOUR_ACCESS_ROLE_NAME TO :applicant VALID for :time minutes;



Connection Strings

To connect via the mamori server from your database tools update the connection strings as per the table below

ConnectionWithout MamoriVia Mamori
Hostthe database ipthe mamori server ip
Portthe database listenerthe mamori proxy port. See Ports
Databasethe database namethe alias in mamori for the database
Authenticationdatabase credentialsMamori SSO + 2FA
Some SQL Server tools do not have a database field in their connection dialog. For these tools append the mamori datasource name to the username.

For example, myadlogin@mydatasource

Proxy Workflow

Remote Systems

If your datasources or servers on are on another network or can only be accessed via SSH tunnels, then before you add them you will need to either create the network entry with the mamori service or add them as wireguard peers.

The three types of network you are make are:

  • SSH Tunnel
  • Open VPN
  • IpSec



SSH Tunnel

Prerequisites

Create an ssh key

Place the public key in the target machine's authorized keys

Click Server Settings

Click Keys

Click

Set the key properties

FieldDescription
TypeSSH Tunnel
NameYour reference for the tunnel
SSH Userssh target account name
SSH Hostssh target host name
SSH Posttarget ssh port
Local Portthe port that will be used locally
Target Hostdefault to localhost
Portport being mapped to on the target
Private KeySelect the private key to use for the tunnel

Click OK

SSH Logins

Mamori allows you to grant a user access to an ssh login. When a user tries to connect with the login, the client connection is verified against one of the public ssh keys defined for their mamori account.

Ideally setup sudo and non-sudo ssh logins, and then make the sudo ssh login available only via an access on-demand request.



Create

Prerequisites

Create an ssh key

Place the public key in the target machine's authorized keys

Click SSH Logins

Click

Set the properties

FieldDescription
NameYour reference for the login
Remote Usertarget ssh login name
Remote Hosttarget host name
TCP Posttarget ssh port
Private KeySelect the private key to use for the login
PasswordPassword to use for the login

Click OK



Grant

Prerequisites

Edit a user or role

Click SSH & SERVER ACCESS

Click SSH LOGIN

Select the SSH Login to grant

Click Close



Using

To ssh via mamori you need ensure you have added a public ssh key to your mamori account. Follow the instructions below to add your public ssh key.

Login to the mamori portal

Click on your login name to see your profile menu

Click SSH & SERVER ACCESS

Click PUBLIC SSH KEY

Set the properties

FieldDescription
NameYour reference for the key
Public KeyPaste in your public key

Click ADD KEY

Make an ssh connection from a terminal or tool

 ssh -p sshproxyport thesshlogin@mamoriserver
 -- example
 ssh -p 1122 prodserver@mymamoriserver

click here for instructions on how to view your current SSH proxy port.

RDP Session

Mamori allows you to grant a user access to an RDP session. Remote desktop sessions operate in two modes:

  • pre-authenticated : a user is multi-factored but does not have to enter the desktop OS login details
  • authenticated : a user is multi-factored and must enter the desktop OS login details
Mamori RDP sessions are currently only launchable from the mamori web portal. Users can not use native RDP clients.



Create

Click Remote Desktops

Click

Click the GENERAL tab

Set the properties

FieldDescription
Connection NameYour reference for the remote desktop session
HostnameTarget server
PortTarget server port.
Defaults to 3389
Remote UsernameOS login name
Remote PasswordOS login password
Remote DomainOS login domain
SecurityServer session authentication mode.
Defaults to Any
Ignore TSL certificate validation errorsDefaults to true
Connect to system consoleDefaults to false

Click the ADVANCED tab

Set the properties

FieldDescription
Server Keyboard LayoutSession keyboard layout
Initial program to startExecutable name
Colour DepthDefaults to 64K Colours
WidthDefaults to 1024
HeightDefaults to 768
DPIDefaults to 96

Click OK



Grant

Prerequisites

Edit a user or role

Click SSH & SERVER ACCESS

Click REMOTE DESKTOPS

Select the remote desktop session to grant

Click Close



Using

To use a remote desktop session

Login to the mamori portal

Click Remote Desktops

Find the remote desktop you want to access

Click the launch button on the target desktop

Edit this page on GitHub Updated at Wed, Mar 9, 2022
M4IP - Any IP Access