Penetration Testing mailing list archives
RE: Remote Desktop/Term. Serv information leakage
From: "Paul Fields" <Infosec () plainenglishsecurity com>
Date: Fri, 1 Jul 2005 20:18:53 -0400
Hi list, One of our recent clients has a separate 'isolated' network where they keep sensitive material. This network is not connected to the internet, is not physically accessible and you can only connect to it using remote desktop.
Remote Desktop uses the same RDP as Terminal Services, I would assume that the users are connecting to a Terminal Server on the internal network, only because it fits with other things you say later on. I'd be surprised if they had a small pool of XP boxes running RD.
They asked us to test if the isolated network was adequately protected. Here's what I discovered: When you start a Rem Desktop session from the main network to the isolated one you can actually copy and paste stuff across...this is only true for text not for complete files, and seems to be by design.
Terminal Services clipboard redirection only works for Text, you can extend it to have File Copy capabilities with Rdpclip.exe from Microsoft. Without it, you only get text.
So literally we have a significant leakage over here, introducing threats to the isolated network.
I am posting this to ask your opinion on how this could be mitigated......
Depends on what you want to mitigate; you can turn the clipboard redirection off at the Local Machine and the Terminal Server. Obviously turning it off at the server works better than depending on all the clients to be configured correctly. http://www.windowsitpro.com/Article/ArticleID/15810/15810.html?Ad=1
I think that Remote Desktop is not possible to configure securely since it's not designed as such...
It's not configured as such by default, you can turn the Clipboard off at the server, as well as configure Windows to encrypt the session.
and hence it transfers across anything it receives , be it mouse movements or copied & pasted text...
So I was trying to think what would be the best solution, without spending a fortune on a 'secure' commercial solution, that is. Maybe something like SSH tunneling then Rem. Desktop or VNC or what?
SSH is fine if you want to, but doesn't stop them from moving files across. You can enforce session encryption at the server if you are worried about people seeing packets in the clear, otherwise to counter your leakage/attack tools vector, turn off the clipboard.
On the Terminal Server:
Start > Programs > Admin Tools > Terminal Services Config > Connections > RDP-TCP
Select Client Settings tab > Disable the following > Clipboard Mapping
If your client is interested in encrypting the sessions, then look here, follow down to Using Encryption.
http://www.windowsecurity.com/articles/Windows_Terminal_Services.html
On the Terminal Server:
Start > Programs > Admin Tools > Terminal Services Config > Connections > RDP-TCP
Select General tab > Encryption Level
The only issue might be high encryption level is RC4 128 bit, if they have policies requiring 3DES or AES they'd need Win2K3 Terminal Services which can use 3DES, or a proper VPN solution. http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/6ff574cb-30c4-4ad9-8d5e-aee697c65b9b.mspx
And do you think this 'bug' is something worth investigating any further? Is it something you people knew of?
I've run Windows 2000 Terminal Servers for 5 years so the clipboard behavior is not new to me. The encryption info came about when a client had questions about security, even though Terminal Services can encrypt its sessions, I recommended a hardware VPN solution.
Thanks a lot.
Hope this helps Paul
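A way to audit the two server-side settings named in this message (Clipboard Mapping disabled, Encryption Level) on a Terminal Server, added here as an example and not part of the original post. It assumes a Windows version with PowerShell and the standard registry value names fDisableClip and MinEncryptionLevel, which the post itself does not mention; the function names are hypothetical.

```powershell
# Added example (not from the post): report whether clipboard mapping is
# disabled and which encryption level the RDP-Tcp listener enforces.
# Assumption: standard Terminal Services registry locations and value names.
$listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-EffectiveSetting {
    param([string]$Name)
    # A Group Policy value, when present, overrides the per-listener value
    # set through Terminal Services Configuration.
    $p = Get-RegValue -Path $policy -Name $Name
    if ($null -ne $p) {
        return [pscustomobject]@{ Value = $p; Source = 'policy' }
    }
    $l = Get-RegValue -Path $listener -Name $Name
    [pscustomobject]@{ Value = $l; Source = 'listener' }
}

function Test-RdpHardening {
    $levels = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
    $clip = Get-EffectiveSetting -Name 'fDisableClip'
    $enc  = Get-EffectiveSetting -Name 'MinEncryptionLevel'

    $encName = 'not set'
    if ($null -ne $enc.Value -and $levels.ContainsKey([int]$enc.Value)) {
        $encName = $levels[[int]$enc.Value]
    }

    [pscustomobject]@{
        ClipboardDisabled = ($clip.Value -eq 1)       # 1 = clipboard mapping disabled
        ClipboardSource   = $clip.Source
        EncryptionLevel   = $encName
        EncryptionSource  = $enc.Source
        # Pass only when text cannot cross the session and the level is High or above.
        Pass              = ($clip.Value -eq 1) -and ($null -ne $enc.Value) -and ([int]$enc.Value -ge 3)
    }
}

Test-RdpHardening | Format-List
```

Run it on the Terminal Server itself, since the server-side setting is the one that does not depend on every client being configured correctly.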