27 July 2011

RDS Limit application execution to privileged users only

#WindowsServer

RDS by default logs your remote users on as members of the local Users group.  This can present a potential issue: these users can execute applications to which you may not want them to have access.

The whole point of publishing an application and limiting it to a particular group of users is that the published application is where you want the limit set.  If a user has access to a shell, however, they can execute any application for which they have execute permission.

In http://fixmyitsystem.com/2011/07/limit-rdp-inbound-and-outbound-access.html I show how to limit access for RDP connectivity.  The following steps will actually prevent a normal user from executing the mstsc RDP client.  They will, however, work for any executable.

Take Ownership
Files are often owned by SYSTEM or TrustedInstaller.  As a result, even an administrator cannot set permissions on these files.  You can, however, claim ownership and then set permissions.

  • Browse to C:\Windows\System32\
  • Select and right click mstsc.exe
  • Click Properties
  • Select the Security Tab
  • Click the Advanced Button
  • Click the Owner Tab
  • Click the Edit Button
  • Select the user or group to which you want to assign ownership

Set Execute Permission
File-level NTFS permissions control what actions a user can perform on a file.  The following will restrict normal users from executing the mstsc executable.

  • Browse to C:\Windows\System32\
  • Select and right click mstsc.exe
  • Click Properties
  • Select the Security Tab
  • Click Edit
  • Select the Users group
  • From the Permissions window un-check Read & execute
  • Click Add and select the group you want to allow to execute the file
  • Ensure that Read & execute is checked
  • Click OK
  • Click OK
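The two procedures above (take ownership, then rewrite the NTFS permissions) as a script. This is an added example, not code from the original post; it assumes a hypothetical local group named RDPAllowed as the group permitted to run the file, and it must be run from an elevated PowerShell prompt on the RDS host.

```powershell
# Added example: script the "Take Ownership" and "Set Execute Permission"
# GUI steps for one executable. $AllowedGroup is a hypothetical group name;
# substitute the group you actually want to allow.
param(
    [string]$Path         = 'C:\Windows\System32\mstsc.exe',
    [string]$AllowedGroup = 'RDPAllowed',            # hypothetical, not from the post
    [string]$NewOwner     = 'BUILTIN\Administrators'
)

# Step 1: take ownership. System32 files are owned by TrustedInstaller, so
# even an administrator cannot change the ACL until ownership is claimed.
# takeown /A gives ownership to the Administrators group ($NewOwner).
takeown.exe /F $Path /A | Out-Null

# Step 2: break inheritance so the file carries explicit entries we can edit.
# ($true, $true) = protect from inheritance, keep copies of inherited entries.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $Path -AclObject $acl

# Re-read the now explicit ACL and remove every entry for BUILTIN\Users
# (well-known SID S-1-5-32-545). This is the "un-check Read & execute" step.
$acl = Get-Acl -Path $Path
$usersSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'
foreach ($rule in @($acl.Access)) {
    $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    if ($sid -eq $usersSid) { [void]$acl.RemoveAccessRule($rule) }
}

# Grant Read & execute to the allowed group only.
$allow = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $AllowedGroup, 'ReadAndExecute', 'Allow'
[void]$acl.AddAccessRule($allow)
Set-Acl -Path $Path -AclObject $acl

# Verify: Users should no longer appear with (RX); the allowed group should.
icacls.exe $Path
```

Windows servicing may replace a System32 binary and restore its default ownership and ACL, so re-run the icacls check after updates to confirm the restriction is still in place.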

Conclusion
RDS presents some unique challenges. It can be an extremely useful tool, but it can also present a big security risk.  Applying some "what would a malicious user do" thought can help you eliminate existing and potential problems.
