
Cloudflare has unveiled a clientless, browser-based Remote Desktop Protocol (RDP) solution, expanding its Zero Trust Network Access (ZTNA) capabilities for secure Windows server access.

This new offering, which follows the October 2024 release of short-lived SSH access, eliminates the need for traditional RDP clients while maintaining security and performance.

Remote Desktop Protocol, originally released in 1998 with Windows NT 4.0 Terminal Server Edition, has a long history of security vulnerabilities, and its widespread use across organizations makes it a frequent target.

The protocol's complexity (it carries screen captures, drawing commands, and video streams) makes it both computationally demanding and difficult to secure.

“RDP has also been used to deploy ransomware such as Ryuk, Conti, and DoppelPaymer, earning it the nickname ‘Ransomware Delivery Protocol’,” notes Cloudflare in its announcement.

Historically, RDP exposure has come from two directions: weak or reused credentials on hosts with TCP port 3389 reachable from the Internet, and protocol-level flaws such as the infamous BlueKeep vulnerability (CVE-2019-0708), which allowed remote code execution on Remote Desktop Services without authentication.

Browser-Based Access Meets Zero Trust

Cloudflare’s solution addresses the growing need for secure remote access, particularly for organizations with distributed workforces and third-party contractors using personal devices.

Traditional approaches required either installing client software on the endpoint or running a self-hosted gateway such as Apache Guacamole, adding infrastructure complexity and a maintenance burden.

The new implementation leverages IronRDP, Devolutions’ open-source, high-performance RDP client written in Rust, which runs in the browser. Cloudflare positions it as a faster alternative to Java-based gateways like Guacamole.

Browser-based RDP with Access

Browsers cannot open raw TCP sockets, so the system works around that limitation by encapsulating RDP sessions in WebSocket connections.

“Wrapping the Layer 4 TCP traffic in HTTPS enables the client to use native browser APIs to communicate with Cloudflare’s RDP proxy,” explains the company. Because the session now rides over HTTPS, Cloudflare Access can gate it with identity-aware policies, issuing a JSON Web Token (JWT) that the proxy validates before any RDP traffic is forwarded.

The technical workflow involves:

  • The user selects an RDP server from Cloudflare’s App Launcher
  • Cloudflare Access authenticates the user and issues a JWT that is validated on every request
  • The IronRDP web client is delivered to the user’s browser
  • RDP traffic is tunneled over TLS-secured WebSockets to Cloudflare Workers
  • Traffic is routed through Cloudflare’s internal Apollo service to the target Cloudflare Tunnel
  • The proxy service establishes the connection to the Windows server
  • NTLM authentication to the Windows server completes the session

Enterprise-Grade Security Without Compromise

The solution enforces modern security standards, rejecting outdated authentication mechanisms and weak encryption. Every session runs over a TLS-protected WebSocket, and Access policies can require SSO, MFA, and device posture checks before a session is established.

Administrators gain granular control through policy-based access and comprehensive audit logs for compliance requirements. The solution integrates with enterprise identity providers via SAML and OIDC.

Cloudflare plans to enhance the solution with session monitoring capabilities and data loss prevention features. Advanced authentication methods, including passwordless options like client certificates and passkeys, are on the roadmap.

The company is also pursuing FedRAMP High certification to meet government and regulated industry requirements for data protection, identity management, and incident response.

For organizations struggling with secure remote access to Windows environments, Cloudflare’s browser-based RDP solution offers an alternative that removes the client and gateway footprint of earlier approaches while keeping identity-based policy enforcement in front of every session.


Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She covers cyber security incidents happening across cyberspace.