Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Possible RDP vulnerability
From: "Thor (Hammer of God)" <Thor () hammerofgod com>
Date: Sat, 27 Mar 2010 19:18:33 +0000

That's funny - it was kind of a "trick answer" too. ;)

You can indeed "do that" with Vista (kind of) and Windows 7 (definitely) in combination with Server 2008.  I haven't 
messed with Server 2003 in years, and have no plans to. 

Here's how you do that, but before I go there, let's point out the "spirit" of the "trick question" so those playing 
along at home understand the real ramifications of what you are talking about, and then I'll detail the "right" answer 
(you can do whatever you want in regard to blogging, of course ;).

In general, you don't control the base connection methods a user wants to use.  This is because, again in general, you 
don't tell the user what to do or how to do it on their own system.  However, with group policy and RDP settings, you 
can indeed maneuver the user into "submission."  I say maneuver because if the user is a local admin, then most bets 
are off.  My initial answer was correct, however, only with the following blanks filled in (thus the "trick" part).  

With GP you can control the behavior of what happens if the client cannot validate the identity of the server.   Thus, 
you can say "if you don't trust the server, you don't connect."  Further, you can control what certificate chains are 
being trusted; ie, only corp resources.  Therefore, you can (for the most part) keep the users from establishing 
connections to "rogue" servers, or at least, make it obvious to them.  The video you showed failed to take into account 
that the "rogue" server in question had to already have an account created for the user, which kind of is a "show 
stopper."  I mean, if you already have their username and password to create the account for them to log into, then all 
bets are off.   Continuing, given the fact you can (again, for the most part) control what RDP hosts a user can connect 
to, you then leverage host-based GPO that prevents the user from sharing clipboard, disks, printers, etc upon 
connection.  That setting is enforced by the server. 

So, in combination, you can indeed use Group Policy to prevent users from sharing their disks.  I will call that an "I 
win" and request some other prize other than your blogging about dude. :D

Let's take things one step further for those who are interested in this.  Before allowing people to just connect to 
your server, I would suggest that the connect is based on gateway services that require a certificate to connect up to 
in the first place.  Then, all the hubbub about Dorphly Diprod user connecting up and "bypassing security" and all that 
other crap is obviated.  Further, simply deploy the connectoid via a signed RDP file.  Done.  If they try to change the 
file, it won't work anymore.  Super easy stuff, and it goes a long way toward helping to secure one's RDP access 

But as a "Big Time Security Professional" you probably knew that :)  I guess I should now go read your blog to see if 
my prize would be a good thing or a bad thing :-p


-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of 
Mr. Hinky Dink
Sent: Saturday, March 27, 2010 11:48 AM
To: Full-Disclosure () lists grok org uk
Subject: Re: [Full-disclosure] Possible RDP vulnerability

In your case, had you answered the question correctly I would have promised to never (again) blog about you arguing 
with Craig S. Wright.

However, it was a trick question.  There is no way to do it with Group Policy (at least not with XP and Server 2003... 
maybe they changed that in Windows Vis7a and Server 2008, but I really haven't kept up with the tech).

----- Original Message -----
From: "Thor (Hammer of God)" <Thor () hammerofgod com>
To: "Mr. Hinky Dink" <dink () mrhinkydink com>; <Full-Disclosure () lists grok org uk>
Sent: Saturday, March 27, 2010 12:09 PM
Subject: RE: [Full-disclosure] Possible RDP vulnerability

Oh, sorry I read the question wrong.  Just don't allow them to "attach" 
their local drives.  Simple.

Still, what do I win?


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]