Windows Server
Learn how to configure Windows Server access through KMS PAM for secure, audited, and just-in-time access to your Windows servers via RDP.
KMS PAM supports secure, just-in-time access to Windows servers via the Remote Desktop Protocol (RDP). This allows your team to access Windows servers without sharing long-lived credentials, while maintaining a complete audit trail of who accessed what and when.
How It Works
Windows Server access in KMS PAM uses a KMS Gateway to securely proxy RDP connections to your Windows server. When a user requests access, Hanzo KMS establishes a secure tunnel through the Gateway, so the server never has to be exposed directly to users.
```mermaid
sequenceDiagram
    participant User
    participant CLI as KMS CLI
    participant Hanzo KMS
    participant Gateway as KMS Gateway
    participant Windows as Windows Server
    User->>CLI: Request Windows Server access
    CLI->>Hanzo KMS: Authenticate & request session
    Hanzo KMS-->>CLI: Session credentials & Gateway info
    CLI->>Gateway: Establish secure tunnel
    Gateway->>Windows: RDP connection (port 3389)
    Windows-->>Gateway: Session established
    Gateway-->>CLI: Proxied RDP session
    CLI-->>User: RDP access
```

Key Concepts
- Gateway: A KMS Gateway deployed in your network that can reach the Windows server. The Gateway handles secure communication between users and your server.
- RDP Protocol: Hanzo KMS connects to your Windows server using the Remote Desktop Protocol (RDP) on the configured port (default: 3389).
- Account Types: Windows accounts can be categorized as either User accounts or Service accounts, allowing you to organize and manage different types of access.
Prerequisites
Before configuring Windows Server access in KMS PAM, you need:
- KMS Gateway - A Gateway deployed in your network with access to the Windows server
- RDP Enabled - Remote Desktop must be enabled on the Windows server (port 3389 by default)
- Windows Credentials - A username and password for a Windows account on the server
Gateway Required: Windows Server access requires a KMS Gateway to be deployed and registered with your Hanzo KMS instance. The Gateway must have network connectivity to your Windows server on the RDP port (default: 3389).
Create the PAM Resource
The PAM Resource represents the Windows server you want to manage access to.
Before creating the resource, ensure you have a KMS Gateway running and registered with your Hanzo KMS instance. The Gateway must have network access to your Windows server.
- Navigate to your PAM project and go to the Resources tab
- Click Add Resource and select Windows Server
- Fill in the connection details:
  - A friendly name for this resource (e.g., production-windows, dev-server)
  - The Gateway that has network access to this Windows server
  - The hostname or IP address of the Windows server (e.g., 192.168.1.100 or server.internal.example.com)
  - The RDP port (default: 3389)
  - Optionally, an Active Directory resource to associate this Windows server with an AD domain. See Domain Join below for more details.
Clicking Create Resource will trigger a connection test from the selected Gateway to your Windows server. Hanzo KMS verifies that the server is reachable and responds to RDP connection requests.
Create PAM Accounts
A PAM Account represents a specific Windows user account on the server. You can create multiple accounts per resource with different permission levels.
After creating the resource, click into it to open the resource detail view. Select the Accounts tab on the right.
Click Add Account.
Fill in the account details:
  - A friendly name for this account (e.g., admin-account, deploy-user)
  - The type of Windows account:
    - User Account - A standard Windows user account
    - Service Account - A Windows service account
  - The Windows username on the server
  - The Windows password for this user
Domain Join
Windows Server resources can be associated with an Active Directory resource to represent domain membership. This is useful for organizing your infrastructure and understanding which servers belong to which AD domain.
When creating or editing a Windows Server resource, select an AD domain from the Active Directory Domain dropdown. Once associated:
- The Windows server's connection details page will display the linked AD domain.
- The AD resource's Related Resources tab will list this Windows server as a domain member.
- The Resources tab of each AD account will list all domain-joined Windows servers, providing a centralized view of the machines accessible with those domain credentials.
Depending on your environment, you may need to allow inbound traffic from your internal network on the Windows server's host firewall, in addition to any infrastructure-level firewall rules. For example, in PowerShell on the Windows server:
```powershell
New-NetFirewallRule -DisplayName "Allow AD Subnet" -Direction Inbound -RemoteAddress 10.0.0.0/24 -Action Allow
```

Replace 10.0.0.0/24 with your actual internal subnet.
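As an added example that is not part of the Hanzo KMS documentation, the following script run in an elevated PowerShell session on the Windows server checks the prerequisites above (Remote Desktop enabled, the configured RDP port actually listening) and creates the host-firewall rule scoped to the Gateway's network rather than to every remote address. The subnet and rule name are placeholders to replace; the registry paths are the standard Terminal Server settings and are assumed to be present on a stock Windows Server install.

```powershell
# Added example (not Hanzo KMS code): pre-flight checks before registering
# this server as a PAM resource. Run as Administrator.
param(
    [string]$GatewaySubnet = '10.0.0.0/24',          # placeholder: the KMS Gateway's subnet
    [string]$RuleName      = 'Allow KMS Gateway RDP'  # assumed rule name
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# 1. Remote Desktop must be enabled (fDenyTSConnections = 0).
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
if ($deny -ne 0) {
    Write-Warning 'Remote Desktop is disabled; enabling it.'
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 0
}

# 2. Keep Network Level Authentication required (UserAuthentication = 1);
#    the Gateway logs in with real Windows credentials, so NLA costs nothing.
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication
if ($nla -ne 1) { Write-Warning 'NLA is not required on RDP-Tcp; consider enabling it.' }

# 3. Read the configured RDP port (the value to enter in the PAM resource form)
#    and confirm something is listening on it.
$port = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
$listening = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
if (-not $listening) { Write-Warning "Nothing listens on TCP $port; check the TermService service." }
Write-Host "RDP port in use: $port"

# 4. Host firewall: allow RDP only from the Gateway's subnet, not from anywhere.
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $port -RemoteAddress $GatewaySubnet -Action Allow | Out-Null
    Write-Host "Created inbound rule '$RuleName': $GatewaySubnet -> TCP $port"
} else {
    $scope = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    Write-Host "Rule '$RuleName' already exists; remote scope: $scope"
}

# 5. Flag any enabled inbound allow rule that opens the RDP port to every address.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -eq "$port" } |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -eq 'Any' } |
    ForEach-Object { Write-Warning "Rule '$($_.DisplayName)' allows RDP from any address." }
```

Any rule reported in step 5 is worth tightening to the Gateway's subnet, since with KMS PAM in front of the server no other source needs direct RDP access.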