Re: [Full-disclosure] Possible RDP vulnerability
- To: "Mr. Hinky Dink" <dink@xxxxxxxxxxxxxxx>, "Full-Disclosure@xxxxxxxxxxxxxxxxx" <Full-Disclosure@xxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Possible RDP vulnerability
- From: "Thor (Hammer of God)" <Thor@xxxxxxxxxxxxxxx>
- Date: Sat, 27 Mar 2010 19:18:33 +0000
That's funny - it was kind of a "trick answer" too. ;)
You can indeed "do that" with Vista (kind of) and Windows 7 (definitely) in
combination with Server 2008. I haven't messed with Server 2003 in years, and
have no plans to.
Here's how you do that, but before I go there, let's point out the "spirit" of
the "trick question" so those playing along at home understand the real
ramifications of what you are talking about, and then I'll detail the "right"
answer (you can do whatever you want in regard to blogging, of course ;).
In general, you don't control the base connection methods a user wants to use.
This is because, again in general, you don't tell the user what to do or how to
do it on their own system. However, with group policy and RDP settings, you
can indeed maneuver the user into "submission." I say maneuver because if the
user is a local admin, then most bets are off. My initial answer was correct,
however, only with the following blanks filled in (thus the "trick" part).
With GP you can control the behavior of what happens if the client cannot
validate the identity of the server. Thus, you can say "if you don't trust
the server, you don't connect." Further, you can control what certificate
chains are being trusted; ie, only corp resources. Therefore, you can (for the
most part) keep the users from establishing connections to "rogue" servers, or
at least, make it obvious to them. The video you showed failed to take into
account that the "rogue" server in question had to already have an account
created for the user, which kind of is a "show stopper." I mean, if you
already have their username and password to create the account for them to log
into, then all bets are off. Continuing, given the fact you can (again, for
the most part) control what RDP hosts a user can connect to, you then leverage
host-based GPO that prevents the user from sharing clipboard, disks, printers,
etc upon connection. That setting is enforced by the server.
So, in combination, you can indeed use Group Policy to prevent users from
sharing their disks. I will call that an "I win" and request some other prize
other than your blogging about dude. :D
Let's take things one step further for those who are interested in this.
Before allowing people to just connect to your server, I would suggest that the
connection is based on gateway services that require a certificate to connect up
to in the first place. Then, all the hubbub about Dorphly Diprod user
connecting up and "bypassing security" and all that other crap is obviated.
Further, simply deploy the connectoid via a signed RDP file. Done. If they
try to change the file, it won't work anymore. Super easy stuff, and it goes a
long way toward helping to secure one's RDP access environment.
But as a "Big Time Security Professional" you probably knew that :) I guess I
should now go read your blog to see if my prize would be a good thing or a bad
thing :-p
t
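Added example (not part of the thread, and not Thor's or Microsoft's code): a PowerShell script that applies the controls the message above walks through, so a reader can see which knobs it is actually talking about. It writes the registry values that the Remote Desktop Services ADMX policies write, which is what a domain GPO does for you, and in production you would set the same values in a GPO rather than run this per machine. The paths and value names are the ones I know from the ADMX; the numeric meaning of AuthenticationLevelOverride (2 = "do not connect if authentication fails") should be checked against your template before you rely on it. Host names, the deploy path and the certificate thumbprints are placeholders; rdpsign.exe takes /sha256 on current Windows, older builds only had /sha1.

```powershell
# Added example: apply the RDP hardening described in the message above.
# Run elevated on a test machine. Registry paths/value names are the ones the
# RDS ADMX policies write; the AuthenticationLevelOverride mapping is assumed
# from that ADMX and should be verified against your copy.

$ClientPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client'
$TsPolicy     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Set-PolicyValue {
    param([string]$Path, [string]$Name, [object]$Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# Client side: refuse to connect when the server's identity cannot be validated,
# reject unsigned .rdp files, and trust only the listed .rdp publisher certs.
function Set-RdpClientPolicy {
    param([string[]]$TrustedPublisherThumbprints)   # SHA1 thumbprints of the signing certs
    Set-PolicyValue $ClientPolicy 'AuthenticationLevelOverride' 2   # assumed: 2 = do not connect on auth failure
    Set-PolicyValue $TsPolicy 'AllowUnsignedFiles' 0
    Set-PolicyValue $TsPolicy 'AllowSignedFiles'   1
    Set-PolicyValue $TsPolicy 'TrustedCertThumbprints' ($TrustedPublisherThumbprints -join ',') 'String'
}

# Host side: the RDP server enforces these no matter what the client requests,
# which is the "setting is enforced by the server" point in the message.
function Set-RdpHostRedirectionPolicy {
    Set-PolicyValue $TsPolicy 'fDisableCdm'      1   # drive redirection
    Set-PolicyValue $TsPolicy 'fDisableClip'     1   # clipboard
    Set-PolicyValue $TsPolicy 'fDisableCpm'      1   # client printers
    Set-PolicyValue $TsPolicy 'fDisableLPT'      1   # LPT ports
    Set-PolicyValue $TsPolicy 'fDisableCcm'      1   # COM ports
    Set-PolicyValue $TsPolicy 'fDisablePNPRedir' 1   # plug-and-play devices
}

# The "connectoid": a gateway-only .rdp file with redirection off, signed so that
# any edit to the file breaks the signature and the hardened client rejects it.
function New-SignedRdpFile {
    param(
        [string]$Path,                   # e.g. C:\Deploy\corp.rdp (placeholder)
        [string]$Gateway,                # RD Gateway FQDN (placeholder)
        [string]$Target,                 # internal host behind the gateway (placeholder)
        [string]$SigningCertThumbprint   # must also appear in TrustedCertThumbprints
    )
    @(
        "full address:s:$Target"
        "gatewayhostname:s:$Gateway"
        'gatewayusagemethod:i:1'         # always go through the gateway
        'gatewaycredentialssource:i:1'   # smart card (certificate) to the gateway
        'authentication level:i:1'       # if server authentication fails, do not connect
        'redirectdrives:i:0'
        'redirectclipboard:i:0'
        'redirectprinters:i:0'
        'redirectcomports:i:0'
        'redirectsmartcards:i:1'
    ) | Set-Content -Path $Path -Encoding Unicode   # mstsc writes .rdp as UTF-16LE

    & rdpsign.exe /sha256 $SigningCertThumbprint $Path   # older builds: /sha1
    if ($LASTEXITCODE -ne 0) { throw "rdpsign.exe failed with exit code $LASTEXITCODE" }
}

# Usage with placeholder values:
# Set-RdpHostRedirectionPolicy
# Set-RdpClientPolicy -TrustedPublisherThumbprints '0123456789ABCDEF0123456789ABCDEF01234567'
# New-SignedRdpFile -Path 'C:\Deploy\corp.rdp' -Gateway 'rdgw.corp.example' `
#     -Target 'fs01.corp.example' -SigningCertThumbprint '0123456789ABCDEF0123456789ABCDEF01234567'
```

The caveat from the message still applies: these are HKLM policy values, so a user who is a local admin on the client can undo the client-side half; the host-side redirection block and the gateway requirement are the parts that do not depend on the client behaving.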
-----Original Message-----
From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Mr. Hinky Dink
Sent: Saturday, March 27, 2010 11:48 AM
To: Full-Disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Possible RDP vulnerability
In your case, had you answered the question correctly I would have promised to
never (again) blog about you arguing with Craig S. Wright.
However, it was a trick question. There is no way to do it with Group Policy
(at least not with XP and Server 2003... maybe they changed that in Windows
Vis7a and Server 2008, but I really haven't kept up with the tech).
----- Original Message -----
From: "Thor (Hammer of God)" <Thor@xxxxxxxxxxxxxxx>
To: "Mr. Hinky Dink" <dink@xxxxxxxxxxxxxxx>; <Full-Disclosure@xxxxxxxxxxxxxxxxx>
Sent: Saturday, March 27, 2010 12:09 PM
Subject: RE: [Full-disclosure] Possible RDP vulnerability
Oh, sorry I read the question wrong. Just don't allow them to "attach"
their local drives. Simple.
Still, what do I win?
t
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/