Apache Guacamole brokers RDP/SSH/VNC sessions through a web interface, which makes it a high-value target. Hardening should focus on MFA, proxy restrictions, and fast patching of guacd vulnerabilities.
1) Enforce MFA and strict auth integration
- Enable TOTP or integrate SSO with an MFA requirement.
- Restrict local admin accounts to break-glass use only.
- Disable unused auth extensions and stale DB users.
- Audit failed logins and admin permission changes.
2) Secure guacd and connection broker paths
- Keep guacd reachable only from the Guacamole web app network segment.
- Restrict RDP/SSH/VNC target connectivity with firewall policy.
- Use HTTPS-only at ingress and secure cookie settings.
- Restrict clipboard/file transfer features for sensitive environments.
- Track Apache Guacamole advisories and update promptly.
- Upgrade beyond 1.5.5 to remediate CVE-2024-35164.
- Validate extension compatibility in staging before rollout.
- Keep JVM/Tomcat and DB components patched.
- Guacamole admin guide: https://guacamole.apache.org/doc/gug/
- Guacamole MFA docs: https://guacamole.apache.org/doc/gug/mfa.html
- Guacamole TOTP docs: https://guacamole.apache.org/doc/gug/totp-auth.html
- Guacamole CVE-2024-35164 advisory context: https://www.openwall.com/lists/oss-security/2025/07/01/2
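
The guacd exposure, clipboard/file transfer and patch-level items above can be checked mechanically. The following is an added example, not code from the Guacamole project or this page: it audits a `guacd.conf` body, one connection's parameters and a version string. The sample inputs and the connection name `jump-rdp-01` are constructed, and treating an unset connection parameter as `false` is an assumption of the example.

```python
import configparser

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
# Connection parameter -> value that keeps the feature closed
SAFE_PARAMS = {"disable-copy": "true", "disable-paste": "true",
               "enable-drive": "false", "enable-sftp": "false"}

def audit_guacd_conf(text, allowed_binds=LOOPBACK):
    """Findings for a guacd.conf body (INI format)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    # guacd binds to localhost when bind_host is not set
    host = cfg.get("server", "bind_host", fallback="localhost").strip()
    findings = []
    if host not in allowed_binds:
        findings.append(f"guacd bind_host {host} is not an approved address")
    if host not in LOOPBACK and not cfg.has_option("ssl", "server_certificate"):
        findings.append("guacd listens off-loopback without an [ssl] certificate")
    return findings

def audit_connection(name, params):
    """Findings for one connection's parameters (dict of str -> str)."""
    # Assumption of this example: an unset parameter counts as "false"
    return [f"{name}: {key} should be {safe}"
            for key, safe in SAFE_PARAMS.items()
            if params.get(key, "false").lower() != safe]

def needs_upgrade(version):
    """True for releases up to and including 1.5.5."""
    return tuple(int(p) for p in version.split(".")) <= (1, 5, 5)

# Constructed sample inputs, not taken from a real deployment
SAMPLE_GUACD_CONF = """
[server]
bind_host = 0.0.0.0
bind_port = 4822
"""
SAMPLE_CONNECTION = {"disable-copy": "true", "enable-drive": "true"}

def run_audit():
    findings = audit_guacd_conf(SAMPLE_GUACD_CONF)
    findings += audit_connection("jump-rdp-01", SAMPLE_CONNECTION)
    if needs_upgrade("1.5.5"):
        findings.append("Guacamole 1.5.5: upgrade beyond 1.5.5 (CVE-2024-35164)")
    return findings

if __name__ == "__main__":
    print("\n".join(run_audit()))
```

When guacd runs on a separate host from the web app, pass that host's segment address in `allowed_binds`; the TLS check still applies to any non-loopback bind.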