By default, RDS logs your remote users on as members of the local Users group. This can be a problem because these users can execute applications to which you may not want them to have access.
The whole point of publishing an application and limiting it to a particular group of users is that this is where you want to set the limit. If a user has access to a shell, they can execute any application for which they have execute permission.
In http://fixmyitsystem.com/2011/07/limit-rdp-inbound-and-outbound-access.html I show how to limit access for RDP connectivity. The following steps will actually prevent a normal user from being able to execute the mstsc RDP client. The same steps will, however, work for any executable.
Take Ownership
Files are often owned by SYSTEM or TrustedInstaller. As a result, even an administrator cannot set permissions on these files. You can, however, claim ownership, and then you can set permissions.
- Browse to C:\Windows\System32\
- Select and right click mstsc.exe
- Click Properties
- Select the Security Tab
- Click the Advanced Button
- Click the Owner Tab
- Click the Edit Button
- Select the user or group you want to assign ownership to
Set Execute Permission
File-level NTFS permissions control what actions a user can perform on the file. The following will restrict normal users from executing the mstsc executable.
- Browse to C:\Windows\System32\
- Select and right click mstsc.exe
- Click Properties
- Select the Security Tab
- Click Edit
- Select the Users group
- From the Permissions window un-check Read & execute
- Click Add and select the group you want to allow execution
- Ensure that the Read & execute is checked
- OK
- OK
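The two procedures above can also be scripted, which makes the change repeatable across session hosts and lets you check the result. This is an added example, not part of the original post; it assumes an elevated PowerShell session, and the group name CONTOSO\RDP-Client-Users is a placeholder for the group you want to allow.

```powershell
# Added example: scripted equivalent of the GUI steps above.
# Assumption: 'CONTOSO\RDP-Client-Users' is a placeholder group name.
param(
    [string]$Path         = "$env:SystemRoot\System32\mstsc.exe",
    [string]$AllowedGroup = 'CONTOSO\RDP-Client-Users'
)
$ErrorActionPreference = 'Stop'
$usersSid = 'S-1-5-32-545'   # well-known SID of the local Users group

if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
    throw "File not found: $Path"
}

# Keep a copy of the current security descriptor (SDDL) so the change can be undone.
$backup = Join-Path $env:TEMP ((Split-Path $Path -Leaf) + '.sddl')
(Get-Acl -LiteralPath $Path).Sddl | Set-Content -LiteralPath $backup

# "Take Ownership": /A assigns ownership to the Administrators group.
& takeown.exe /F $Path /A | Out-Null
if ($LASTEXITCODE -ne 0) { throw "takeown failed for $Path" }

# "Set Execute Permission": remove the allow entries for Users,
# then grant Read & execute (RX) to the permitted group.
& icacls.exe $Path /remove:g "*$usersSid" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls /remove:g failed for $Path" }
& icacls.exe $Path /grant "${AllowedGroup}:(RX)" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls /grant failed for $Path" }

# Verify: no allow entry for Users may still carry the execute right.
# An inherited entry is not removed by /remove:g, so it is reported here.
$sidType = [System.Security.Principal.SecurityIdentifier]
$execute = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
$left = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
    Where-Object {
        $_.IdentityReference.Value -eq $usersSid -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $execute)
    }

if ($left) {
    Write-Warning "Users can still execute $Path (inherited entry: $($left.IsInherited -contains $true))"
} else {
    Write-Output "Users no longer have execute on $Path; previous ACL saved to $backup"
}
```

Re-run the verification part after Windows updates, since a replaced file may arrive with its original permissions.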
Conclusion
RDS presents some unique challenges. It can be an extremely useful tool, but it can also present a big security risk. Applying some "what would a malicious user do" thought can help you eliminate existing and potential problems.

