Re: Vulnerability: Windows2000Server running Terminalservices

[Thor () HammerofGod com]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> 4. the user TS-User opens another connections to the terminalserver via
> terminalserverclient. This time the sixth session
> exceeds the userlimit. The system grants the user TS-User to log on. The
> system denies access to the gpo hosted somewhere
> on the share "sysvol". The gpo is N O T applied. The result is the user
> TS-User sees an totally open desktop.He can do only
> things according to his userrights due to membership of domain-user. But he
> can do more than intended by the admin.

Application mode terminal server configuration is a bit different than your 
standard console logon... Normally, you don't let user's log onto servers, 
but in the case of terminal services, you extend this functionality on 
purpose.  It is important to have TS based security in place with tools 
like APPSEC.EXE that allow you to bring additional controls into play 
specifically for terminal services environments. Group Policy is a 
wonderful thing, but in the case of terminal services, it should something 
added on top of a already carefully secured terminal server.


> If you try out what I am telling here, you will notice that even if the user
> logs off once the gpo are applied successfully, the gpo
> is not saved in the userprofile. If the gpo would have been saved to the
> profile as claimed by Microsoft, the desktop would
> have beed locked down even if the system denies access to the gpo.

Mandatory profiles for terminal services users is a good thing...  I belive 
an initial mandatory profile would keep this from happening.  Though, I 
must say it is interesting that the GP is not applied when the license is 
exceeded.

> As you will agree with me, neither the admin nor the TS-User are violating
> any licensing issues. There is one user exceeding the 5-user limit.
> The problem is the stupidity of the system by simply considering userlimits
> more important than granting access to grouppolicies.

Actually, no.  It is a 5 "concurrent" user limit for per-server licensing. 
5 of the same user is still 5 users, so the limit has indeed been reached.
I think saying it is the "stupidity of the system" is a bit 
harsh.  Personally, I would not be expecting the GP not to be applied, but 
at least the admin will get the event log telling you that.   You are, 
after all, breaking the licensing agreement.  But, as TS session licenses 
are different than normal user licenses, I can see how this would not be 
obvious.

> Microsoft has been informed by mail on march 23, 2002.

What did they say?  I can image a "You're breaking the license agreement, 
Tough Luck" response, but it would also be interesting to see what their 
take on it technically was.

AD



-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPLNo5IhsmyD15h5gEQIFfQCff+E+GQIiITfm9zVPG2dXrXI163cAnjFP
rX4Cp0UAfALoG4fOwfPb+vTk
=Ff47
-----END PGP SIGNATURE-----