How It Works
Windows Server access in Infisical PAM uses an Infisical Gateway to securely proxy RDP connections to your Windows server. When a user requests access, Infisical establishes a secure tunnel through the Gateway, enabling access without exposing your server directly.
Key Concepts
- Gateway: An Infisical Gateway deployed in your network that can reach the Windows server. The Gateway handles secure communication between users and your server.
- RDP Protocol: Infisical connects to your Windows server using the Remote Desktop Protocol (RDP) on the configured port (default: 3389).
- Account Types: Windows accounts can be categorized as either User accounts or Service accounts, allowing you to organize and manage different types of access.
Prerequisites
Before configuring Windows Server access in Infisical PAM, you need:
- Infisical Gateway - A Gateway deployed in your network with access to the Windows server
- RDP Enabled - Remote Desktop must be enabled on the Windows server (port 3389 by default)
- Windows Credentials - A username and password for a Windows account on the server
Create the PAM Resource
The PAM Resource represents the Windows server you want to manage access to.
Ensure Gateway is Running
Before creating the resource, ensure you have an Infisical Gateway running and registered with your Infisical instance. The Gateway must have network access to your Windows server.
Create the Resource in Infisical
- Navigate to your PAM project and go to the Resources tab
- Click Add Resource and select Windows Server
- Fill in the connection details:
  - A friendly name for this resource (e.g., production-windows, dev-server)
  - Select the Gateway that has network access to this Windows server
  - The hostname or IP address of the Windows server (e.g., 192.168.1.100 or server.internal.example.com)
  - The RDP port (default: 3389)
  - Optionally select an Active Directory resource to associate this Windows server with an AD domain. See Domain Join below for more details.
Create PAM Accounts
A PAM Account represents a specific Windows user account on the server. You can create multiple accounts per resource with different permission levels.
Navigate to the Resource
After creating the resource, click into it to open the resource detail view. Select the Accounts tab on the right.
Fill in Account Details
Fill in the account details:
- A friendly name for this account (e.g., admin-account, deploy-user)
- Select the type of Windows account:
  - User Account - A standard Windows user account
  - Service Account - A Windows service account
- The Windows username on the server
- The Windows password for this user
Domain Join
Windows Server resources can be associated with an Active Directory resource to represent domain membership. This is useful for organizing your infrastructure and understanding which servers belong to which AD domain. When creating or editing a Windows Server resource, select an AD domain from the Active Directory Domain dropdown. Once associated:
- The Windows server’s connection details page will display the linked AD domain.
- The AD resource’s Related Resources tab will list this Windows server as a domain member.
- AD account Resources tabs will show all domain-joined Windows servers, providing a centralized view of machines accessible with those domain credentials.
Depending on your environment, you may need to allow inbound traffic from your internal network on the Windows server’s host firewall, in addition to any infrastructure-level firewall rules. For example, in PowerShell on the Windows server:
Replace 10.0.0.0/24 with your actual internal subnet.
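As an added example (not Infisical's own documentation snippet), the following PowerShell scopes the inbound RDP rule to the subnet the Gateway connects from rather than to any source, checks that the rule matches the port RDP actually listens on, and verifies the resulting scope. It assumes the default RDP port 3389 and a constructed Gateway subnet of 10.0.0.0/24; the rule display name is a placeholder.

```powershell
# Added example, not part of Infisical's documentation.
# Assumptions: RDP on the default port; the Infisical Gateway sits in 10.0.0.0/24 (constructed value).
$GatewaySubnet = "10.0.0.0/24"            # replace with the subnet your Gateway connects from
$RdpPort       = 3389
$RuleName      = "Infisical Gateway RDP"  # placeholder display name

# 1. Confirm Remote Desktop is enabled (fDenyTSConnections = 0) and read the configured
#    listener port, so the firewall rule matches what the server actually listens on.
$tsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpDeny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
if ($rdpDeny -ne 0) {
    throw "Remote Desktop is disabled on this server; enable it before adding a firewall rule."
}
$listenPort = (Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name PortNumber).PortNumber
if ($listenPort -ne $RdpPort) {
    Write-Warning "RDP listens on TCP/$listenPort, not $RdpPort; using the configured port."
    $RdpPort = $listenPort
}

# 2. Allow inbound RDP only from the Gateway subnet. Restricting -RemoteAddress is the point:
#    the Gateway is the only legitimate RDP source, so no other subnet needs this port open.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $RdpPort -RemoteAddress $GatewaySubnet -Action Allow `
        -Profile Domain,Private | Out-Null
}

# 3. Verify the rule's scope so a typo does not leave the RDP port open to "Any".
$scope = Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter
if ($scope.RemoteAddress -eq 'Any') {
    throw "Rule '$RuleName' is not scoped to a source subnet."
}
"Inbound TCP/$RdpPort allowed from: $($scope.RemoteAddress)"

# 4. Audit: enabling Remote Desktop also enables Windows' built-in "Remote Desktop" rule group,
#    which permits any source. List those rules so you can decide whether they should stay enabled.
Get-NetFirewallRule -DisplayGroup "Remote Desktop" -Enabled True |
    Get-NetFirewallAddressFilter |
    Select-Object InstanceID, RemoteAddress
```

If the built-in Remote Desktop rules remain enabled with RemoteAddress "Any", your scoped rule adds nothing; the audit step exists so that decision is made explicitly.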