lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat, 27 Mar 2010 19:18:33 +0000
From: "Thor (Hammer of God)" <Thor@...merofgod.com>
To: "Mr. Hinky Dink" <dink@...inkydink.com>,
	"Full-Disclosure@...ts.grok.org.uk" <Full-Disclosure@...ts.grok.org.uk>
Subject: Re: Possible RDP vulnerability

That's funny - it was kind of a "trick answer" too. ;)

You can indeed "do that" with Vista (kind of) and Windows 7 (definitely) in combination with Server 2008.  I haven't messed with Server 2003 in years, and have no plans to. 

Here's how you do that, but before I go there, let's point out the "spirit" of the "trick question" so those playing along at home understand the real ramifications of what you are talking about, and then I'll detail the "right" answer (you can do whatever you want in regard to blogging, of course ;).

In general, you don't control the base connection methods a user wants to use.  This is because, again in general, you don't tell the user what to do or how to do it on their own system.  However, with group policy and RDP settings, you can indeed maneuver the user into "submission."  I say maneuver because if the user is a local admin, then most bets are off.  My initial answer was correct, however, only with the following blanks filled in (thus the "trick" part).  

With GP you can control the behavior of what happens if the client cannot validate the identity of the server.   Thus, you can say "if you don't trust the server, you don't connect."  Further, you can control what certificate chains are being trusted; ie, only corp resources.  Therefore, you can (for the most part) keep the users from establishing connections to "rogue" servers, or at least, make it obvious to them.  The video you showed failed to take into account that the "rogue" server in question had to already have an account created for the user, which kind of is a "show stopper."  I mean, if you already have their username and password to create the account for them to log into, then all bets are off.   Continuing, given the fact you can (again, for the most part) control what RDP hosts a user can connect to, you then leverage host-based GPO that prevents the user from sharing clipboard, disks, printers, etc upon connection.  That setting is enforced by the server. 

So, in combination, you can indeed use Group Policy to prevent users from sharing their disks.  I will call that an "I win" and request some other prize other than your blogging about dude. :D

Let's take things one step further for those who are interested in this.  Before allowing people to just connect to your server, I would suggest that the connect is based on gateway services that require a certificate to connect up to in the first place.  Then, all the hubbub about Dorphly Diprod user connecting up and "bypassing security" and all that other crap is obviated.  Further, simply deploy the connectoid via a signed RDP file.  Done.  If they try to change the file, it won't work anymore.  Super easy stuff, and it goes a long way toward helping to secure one's RDP access environment.

But as a "Big Time Security Professional" you probably knew that :)  I guess I should now go read your blog to see if my prize would be a good thing or a bad thing :-p

t





-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Mr. Hinky Dink
Sent: Saturday, March 27, 2010 11:48 AM
To: Full-Disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] Possible RDP vulnerability

In your case, had you answered the question correctly I would have promised to never (again) blog about you arguing with Craig S. Wright.

However, it was a trick question.  There is no way to do it with Group Policy (at least not with XP and Server 2003... maybe they changed that in Windows Vis7a and Server 2008, but I really haven't kept up with the tech).

----- Original Message -----
From: "Thor (Hammer of God)" <Thor@...merofgod.com>
To: "Mr. Hinky Dink" <dink@...inkydink.com>; <Full-Disclosure@...ts.grok.org.uk>
Sent: Saturday, March 27, 2010 12:09 PM
Subject: RE: [Full-disclosure] Possible RDP vulnerability


Oh, sorry I read the question wrong.  Just don't allow them to "attach" 
their local drives.  Simple.

Still, what do I win?

t


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ