Keeper Connection Manager - Replace all those RDP shortcuts!

We are a small admin team of about 5 people. That’s 5 people that need to connect to servers. Except for myself, each person has a small number of servers they connect to. All admins have separate domain admin accounts, but we were all connecting to the servers in different ways. Some were using RDP shortcuts with saved credentials, while others were using random third-party apps like mRemoteNG or outdated versions of RDCMan. Unfortunately, we aren’t running an RMM tool, and we want our admins to sign in under their own elevated accounts instead of a shared one.

Our admins range from full sysadmins (like myself) to database admins that probably shouldn’t have full admin rights, but that’s a harder problem—and not the one we’re solving today. At first, I tried to get everyone on board with the same software, but it was a pain to get third-party software updated and synced across everyone’s machines. This also meant that if you signed into a new machine without that software, you’d have to resort to RDP and remembering all the server names.

Having a fairly extensive home lab, I wanted something like Apache Guacamole. If you don’t know, Apache Guacamole is an open-source, client-less web app for standard protocols like RDP, SSH, and VNC. In short, you use the web app to RDP into your selected machine without needing to install anything on the client or the host.

A quick Google search brought me to Keeper Connection Manager (KCM). It was Apache Guacamole, but for the enterprise environment—perfect. Not just a re-skin with a couple of logos updated, but with added features like CSV import and SAML support for SSO. The pricing wasn’t bad, so after a brief trial, we pulled the trigger. We also decided to move to Keeper’s Password Vault option to replace our Bitwarden instance because of its better integration.

The setup wasn’t bad. We’re a 99% Windows shop, but KCM only runs on Linux. Not a problem—I have a bit of Linux experience, and they provide an auto Docker script that allows for easy installation. I was able to set it up with the preconfigured, auto-renewing Let’s Encrypt cert, then locked down the NAT rules to only allow outside traffic from our SSO/SAML provider. This means our team is now able to sign in from within the network (or over the VPN) and access the servers and network devices.

Since we are now using Keeper for passwords, KCM is linked to the password vault. KCM can use variables when connecting to servers, so I mapped the username to admin-${GUAC_USERNAME}, which allows the sysadmins to use their standard login SSO to log in to KCM, but then it uses their domain admin account (example: admin-jsmith) to log in to the server.
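As an added illustration (not KCM's or Guacamole's own code), here is a small Python model of the `${GUAC_USERNAME}` token substitution described above, plus a sanity check on the derived `admin-*` name before it is handed to the RDP/SSH connection; the `$${` escape, the `:UPPER`/`:LOWER` modifiers, the unknown-token behaviour and the sAMAccountName pattern are assumptions modelled on Guacamole's documented token syntax, not taken from this post.

```python
import re

# Token syntax modelled on Guacamole's parameter tokens: ${NAME} or ${NAME:MODIFIER},
# with "$${" yielding a literal "${". Assumed here, not quoted from the post.
TOKEN_RE = re.compile(r"\$\$\{|\$\{([A-Za-z0-9_]+)(?::([A-Za-z]+))?\}")

# Assumed local policy for a valid derived account name (sAMAccountName-style,
# max 20 characters, no whitespace or shell/RDP-significant punctuation).
SAM_RE = re.compile(r"^[A-Za-z0-9._-]{1,20}$")


def filter_tokens(template, tokens):
    """Substitute ${TOKEN} / ${TOKEN:MODIFIER} in a connection parameter.

    Unknown tokens are left untouched (assumed to mirror Guacamole's behaviour)
    so a typo in the template is visible rather than silently blanked.
    """
    def repl(m):
        if m.group(0) == "$${":          # escaped literal "${"
            return "${"
        name, modifier = m.group(1), m.group(2)
        if name not in tokens:
            return m.group(0)
        value = tokens[name]
        if modifier == "UPPER":
            value = value.upper()
        elif modifier == "LOWER":
            value = value.lower()
        return value
    return TOKEN_RE.sub(repl, template)


def derive_admin_account(sso_username):
    """Map the SSO login (e.g. jsmith or jsmith@corp.example) to admin-<user>.

    SAML NameIDs are often UPNs or e-mail addresses; the realm is stripped so
    the prefix lands on the bare account name. The result is validated before
    use so an unexpected NameID cannot produce a malformed target username.
    """
    local_part = sso_username.split("@", 1)[0]
    candidate = filter_tokens("admin-${GUAC_USERNAME}", {"GUAC_USERNAME": local_part})
    if not SAM_RE.fullmatch(candidate):
        raise ValueError(f"refusing to use derived account {candidate!r}")
    return candidate
```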

This works great. The admins are now able to connect to the servers and network equipment from within the browser under their admin accounts. They can still copy and paste text and even do file transfers. This not only removes the headache of managing RDP or SSH credentials but also makes it easier for our team to jump to whatever they need without checking a spreadsheet for IP addresses.

Next is password rotation. Since we’re using Keeper Password Vault with their Secrets Manager, we can do password rotation using a connector to Active Directory. This means all our admin-* accounts are automatically rotated on a regular schedule without any slowdown in our workflow (security and convenience—must be dark magic). Yes, sometimes we need to grab our admin-* password and enter it manually, but we can just access the Keeper entry that has it, and it’ll be rotated shortly after that.

As the primary sysadmin, it’s much easier to spin up a server, add it to KCM with the correct permissions, and then tell the person that needs it, “It’s ready.” They can see the new server that was added to KCM without any fuss.

Let me know if you've used KCM or what we are doing wrong. 
