M4PAM - DB, RDP & SSH

Overview

The mamori server has built-in proxies for RDP, SSH and database connections. To apply controls and provide access-on-demand over database and server connections you must route all desired connections via the proxies running on the mamori server.

The feaures that become available via the proxies are listed below.

Enable Mamori database proxies to

SSO & multi-factor database connections

Access-On-Demand to RDS, servers, and databases

Update access to RDS & servers without having to modify network rules

SQL firewall rules

Identity based activity monitoring & audit

Isolate databases and RDS from random network IP access and scans

Controls Database permissions without having to created specialized DB credentials

Eliminate handing DevOps team database credentials

Enable Mamori RDP & SSH proxies to

SSO & multi-factor RDP, SSH, SCP & SFTP connections

Record & playback sessions

Prevent tunnelling

Simplify server key management and deployment

Eliminate named account sprawl

Steps

Step 1 - Update cloud RDS and target servers to whitelist only application servers and the mamori server

Step 2 - Configure mamori data sources, SSH and RDP logins

Step 3 - Provision user access and test access via mamori

Step 4 - Lockdown the application service accounts that are going via mamori

Typically application database connections are only routed through the mamori server if you want to implement gobal masking rules or apply SQL injection prevention policies.

If this is required for a critial application, then have one HA mamori server for the application traffic and another for the ad hoc traffic

Database Access Controls

The mamori proxies handle native connections for the 5 main database wire protocols (Oracle, MySQL, Postgres, MS SQL Server & MongoDB). Any database that uses the same wire protocol are also supported. For example, greenplum, redshift and cockroach DB are supported because they use the postgres wire protocol.

Databases, like teradata and impala, are supported via the mamori client jdbc and odbc driver.

One of the datasource permissions granted to a user is the passthrough mode the session will operate under. The table below describes the 3 available passthrough modes.

Passthrough Mode	Description
PASSTHROUGH	100% passthrough. Has No statement checking, no masking
MASKED PASSTHROUGH	Applies masking and statement permission checks. Allows code blocks that can't be analyzed.
PROTECTED PASSTHROUGH	Applies masking. Only allows statements that can beanalyzed or are in the signed statement list

Steps

Step 1 - Add your data sources

Step 2 - Add database credentials to mamori roles

Step 3 - Add database permissions to mamori roles

Step 4 - Grant credential and permission roles to users

Step 5 - Define Access On-Demand policies

Step 6 - Verify connections from client tools

Add Datasources

Prerequisites

Ensure the appropriate drivers are installed

Click Datasources

Click

Next, edit the datasource details

Field Description
Datasource Name The reference for this datasource
Database name in SQL tools.
Datasource Type The datasource type
Datasource Group Set if you are going to push down db credentials via mamori
Driver defaulted to driver for datasource type
Connection Details Enter database connection information
Credential Reset Days Convert credential to a Mamori managed credential and reset it every X days
Credential Role The role that is linked to this managed crendential

Click Save

Field	Description
Datasource Name	The reference for this datasource Database name in SQL tools.
Datasource Type	The datasource type
Datasource Group	Set if you are going to push down db credentials via mamori
Driver	defaulted to driver for datasource type
Connection Details	Enter database connection information
Credential Reset Days	Convert credential to a Mamori managed credential and reset it every X days
Credential Role	The role that is linked to this managed crendential

If creating a mongo datasource, the authSource db and tls settings can be passed in under the advanced settings using either the Connection Properties:

authSource=admin;tls=true

or the Connection URL Suffix:

&authSource=admin&tls=true

For MySQL driver version 8 and a DB server without SSL, add the following to the datasource connection string properties.

useSSL=false

Add Credentials To A Role

Click Roles

Add or Edit an existing role

Click Database & Data Access

Click Credentials

Add the credential to the target datasource

Click OK

To convert the credential to a Mamori managed credential then specify the number of days to reset the password. Mamori will change the password to a strong password when the credential is saved, and then as per the reset policy.

Add Permissions To A Role

The following instructions will grant a role the required permissions to run selects

MASKED PASSTHROUGH for all datasources
SELECT on all objects in all datasources

You can replace * with specific object names.

Click Roles

Add or Edit an existing role

Click Database & Data Access

Click Object Privileges

Click Add Object

Select Object Dialog Explanation

The object selection dialog has 4 fields : datasource,database,schema & table

Expand the object tree to the level you want to select and click on the paste button that displays on mouse over.

Place * in the appropriate fields if you want ALL objects at that level

Set * for datasource & click OK

Select the MASKED PASSTHROUGH permission

Click Add Object and enter * in all 4 fields & Click OK

Select the SELECT permission

Click Close

Grant roles to users

Click Roles

Click on Change Assigned Users grid menu for the role

Select users

Access On-Demand

To provide on-demand datasource access to a user

Do not grant the crendential role to a user
Grant the user the request role specified in the policy

The policy will grant the credential role to the user when it is executed.

To create a policy follow the steps below

Prerequisites

Define a role with credentials & permissions

Define Alert Channels

Click Policies

Click Access On Demand

Click Add

Policy Editor

For detailed field descriptions click here

Add a time parameter

Enter the statement below in the policy script
On Demand Policy
GRANT YOUR_ACCESS_ROLE_NAME TO :applicant VALID for :time minutes;

Connection Strings

To connect via the mamori server from your database tools update the connection strings as per the table below

Connection Without Mamori Via Mamori
Host the database ip the mamori server ip
Port the database listener the mamori proxy port. See Ports
Database the database name the alias in mamori for the database
Authentication database credentials Mamori SSO + 2FA

Connection	Without Mamori	Via Mamori
Host	the database ip	the mamori server ip
Port	the database listener	the mamori proxy port. See Ports
Database	the database name	the alias in mamori for the database
Authentication	database credentials	Mamori SSO + 2FA

Some SQL Server tools do not have a database field in their connection dialog. For these tools append the mamori datasource name to the username.

For example, myadlogin@mydatasource

Proxy Workflow

Remote Systems

If your datasources or servers on are on another network or can only be accessed via SSH tunnels, then before you add them you will need to either create the network entry with the mamori service or add them as wireguard peers.

The three types of network you are make are:

SSH Tunnel
Open VPN
IpSec

SSH Tunnel

Prerequisites

Create an ssh key

Place the public key in the target machine's authorized keys

Click Server Settings

Click Keys

Click

Set the key properties

Field Description
Type SSH Tunnel
Name Your reference for the tunnel
SSH User ssh target account name
SSH Host ssh target host name
SSH Post target ssh port
Local Port the port that will be used locally
Target Host default to localhost
Port port being mapped to on the target
Private Key Select the private key to use for the tunnel

Click OK

Field	Description
Type	SSH Tunnel
Name	Your reference for the tunnel
SSH User	ssh target account name
SSH Host	ssh target host name
SSH Post	target ssh port
Local Port	the port that will be used locally
Target Host	default to localhost
Port	port being mapped to on the target
Private Key	Select the private key to use for the tunnel

SSH Logins

Mamori allows you to grant a user access to an ssh login. When a user tries to connect with the login, the client connection is verified against one of the public ssh keys defined for their mamori account.

Ideally setup sudo and non-sudo ssh logins, and then make the sudo ssh login available only via an access on-demand request.

Create

Prerequisites

Create an ssh key

Place the public key in the target machine's authorized keys

Click SSH Logins

Click

Set the properties

Field Description
Name Your reference for the login
Remote User target ssh login name
Remote Host target host name
TCP Post target ssh port
Private Key Select the private key to use for the login
Password Password to use for the login

Click OK

Field	Description
Name	Your reference for the login
Remote User	target ssh login name
Remote Host	target host name
TCP Post	target ssh port
Private Key	Select the private key to use for the login
Password	Password to use for the login

Grant

Prerequisites

Edit a user or role

Click SSH & SERVER ACCESS

Click SSH LOGIN

Select the SSH Login to grant

Click Close

Using

To ssh via mamori you need ensure you have added a public ssh key to your mamori account. Follow the instructions below to add your public ssh key.

Login to the mamori portal

Click on your login name to see your profile menu

Click SSH & SERVER ACCESS

Click PUBLIC SSH KEY

Set the properties

Field Description
Name Your reference for the key
Public Key Paste in your public key

Click ADD KEY

Make an ssh connection from a terminal or tool
 ssh -p sshproxyport thesshlogin@mamoriserver
 -- example
 ssh -p 1122 prodserver@mymamoriserver

Field	Description
Name	Your reference for the key
Public Key	Paste in your public key

click here for instructions on how to view your current SSH proxy port.

RDP Session

Mamori allows you to grant a user access to an RDP session. Remote desktop sessions operate in two modes:

pre-authenticated : a user is multi-factored but does not have to enter the desktop OS login details
authenticated : a user is multi-factored and must enter the desktop OS login details

Mamori RDP sessions are currently only launchable from the mamori web portal. Users can not use native RDP clients.

Create

Click Remote Desktops

Click

Click the GENERAL tab

Set the properties

Field Description
Connection Name Your reference for the remote desktop session
Hostname Target server
Port Target server port.
Defaults to 3389
Remote Username OS login name
Remote Password OS login password
Remote Domain OS login domain
Security Server session authentication mode.
Defaults to Any
Ignore TSL certificate validation errors Defaults to true
Connect to system console Defaults to false

Click the ADVANCED tab

Set the properties

Field Description
Server Keyboard Layout Session keyboard layout
Initial program to start Executable name
Colour Depth Defaults to 64K Colours
Width Defaults to 1024
Height Defaults to 768
DPI Defaults to 96

Click OK

Field	Description
Connection Name	Your reference for the remote desktop session
Hostname	Target server
Port	Target server port. Defaults to 3389
Remote Username	OS login name
Remote Password	OS login password
Remote Domain	OS login domain
Security	Server session authentication mode. Defaults to Any
Ignore TSL certificate validation errors	Defaults to true
Connect to system console	Defaults to false

Field	Description
Server Keyboard Layout	Session keyboard layout
Initial program to start	Executable name
Colour Depth	Defaults to 64K Colours
Width	Defaults to 1024
Height	Defaults to 768
DPI	Defaults to 96

Grant

Prerequisites

Edit a user or role

Click SSH & SERVER ACCESS

Click REMOTE DESKTOPS

Select the remote desktop session to grant

Click Close

Using

To use a remote desktop session

Login to the mamori portal

Click Remote Desktops

Find the remote desktop you want to access

Click the launch button on the target desktop