Re: Vulnerability: Windows2000Server running Terminalservices

From: Thor@HammerofGod.com
Date: 04/10/02


From: Thor@HammerofGod.com
To: tom.unger@gmx.de, bugtraq@securityfocus.com
Date: Tue, 09 Apr 2002 15:19:16 -0700


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>
>4. The user TS-User opens another connection to the terminal server via
>the terminal server client. This time the sixth session
>exceeds the user limit. The system grants the user TS-User to log on. The
>system denies access to the GPO hosted somewhere
>on the share "sysvol". The GPO is N O T applied. The result is the user
>TS-User sees a totally open desktop. He can do only
>things according to his user rights due to membership of domain-users. But he
>can do more than intended by the admin.

Application mode terminal server configuration is a bit different than your
standard console logon... Normally, you don't let users log onto servers,
but in the case of terminal services, you extend this functionality on
purpose. It is important to have TS-based security in place with tools
like APPSEC.EXE that allow you to bring additional controls into play
specifically for terminal services environments. Group Policy is a
wonderful thing, but in the case of terminal services, it should be something
added on top of an already carefully secured terminal server.

>If you try out what I am telling here, you will notice that even if the user
>logs off once the GPO is applied successfully, the GPO
>is not saved in the user profile. If the GPO had been saved to the
>profile as claimed by Microsoft, the desktop would
>have been locked down even if the system denies access to the GPO.

Mandatory profiles for terminal services users are a good thing... I believe
an initial mandatory profile would keep this from happening. Though, I
must say it is interesting that the GP is not applied when the license is
exceeded.

>As you will agree with me, neither the admin nor the TS-User is violating
>any licensing issues. There is one user exceeding the 5-user limit.
>The problem is the stupidity of the system in simply considering user limits
>more important than granting access to group policies.

Actually, no. It is a 5 "concurrent" user limit for per-server licensing.
5 of the same user is still 5 users, so the limit has indeed been reached.
I think saying it is the "stupidity of the system" is a bit
harsh. Personally, I would not be expecting the GP not to be applied, but
at least the admin will get the event log telling you that. You are,
after all, breaking the licensing agreement. But, as TS session licenses
are different than normal user licenses, I can see how this would not be
obvious.

>Microsoft has been informed by mail on march 23, 2002.

What did they say? I can imagine a "You're breaking the license agreement,
Tough Luck" response, but it would also be interesting to see what their
take on it technically was.

AD

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPLNo5IhsmyD15h5gEQIFfQCff+E+GQIiITfm9zVPG2dXrXI163cAnjFP
rX4Cp0UAfALoG4fOwfPb+vTk
=Ff47
-----END PGP SIGNATURE-----
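The design question underneath this thread is whether session admission fails open or fails closed when the policy source cannot be read. The following is an added illustration, not code from either poster or from Windows: a constructed Python model of a terminal server whose GPO fetch from sysvol is denied once the concurrent-session limit is exceeded. The `fail_open` mode reproduces the behaviour the original post reports (sixth session gets an unrestricted desktop), `mandatory_profile` models the baseline Thor suggests (a locked-down profile that applies regardless of GPO retrieval), and `fail_closed` is the alternative where the logon is refused outright. The license limit, restriction names and event strings are all assumptions made for the model.

```python
"""Model of terminal-server session admission under a concurrent-session limit.

Constructed illustration: the names, limit and event strings below are
assumptions, not Windows 2000 behaviour or real event-log text.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

# Restrictions the (hypothetical) GPO would apply to a TS user's desktop.
LOCKED_DOWN: FrozenSet[str] = frozenset(
    {"no_run_dialog", "no_control_panel", "no_registry_tools", "no_cmd"}
)

MODES = ("fail_open", "fail_closed", "mandatory_profile")


@dataclass
class Session:
    user: str
    restrictions: FrozenSet[str]


@dataclass
class TerminalServer:
    license_limit: int
    mode: str
    sessions: List[Session] = field(default_factory=list)
    events: List[str] = field(default_factory=list)  # what an admin would see logged

    def fetch_gpo(self, over_limit: bool) -> FrozenSet[str]:
        # Assumption drawn from the post: once the limit is exceeded the
        # session is granted but the read of the policy on sysvol is denied.
        if over_limit:
            raise PermissionError("access denied reading GPO from sysvol")
        return LOCKED_DOWN

    def logon(self, user: str) -> Optional[Session]:
        over_limit = len(self.sessions) >= self.license_limit
        if over_limit:
            self.events.append(f"concurrent-session limit {self.license_limit} exceeded by {user}")
        try:
            restrictions = self.fetch_gpo(over_limit)
        except PermissionError as exc:
            self.events.append(f"GPO not applied for {user}: {exc}")
            if self.mode == "fail_closed":
                # Policy could not be applied, so refuse the session entirely.
                return None
            # Mandatory profile supplies the locked-down baseline even without
            # the GPO; plain fail-open leaves the desktop unrestricted.
            restrictions = LOCKED_DOWN if self.mode == "mandatory_profile" else frozenset()
        session = Session(user, restrictions)
        self.sessions.append(session)
        return session


def run_scenario(mode: str, limit: int = 5, user: str = "TS-User") -> Optional[FrozenSet[str]]:
    """Open limit+1 sessions for the same user; return the restrictions the
    last (over-limit) session ends up with, or None if it was refused."""
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")
    server = TerminalServer(license_limit=limit, mode=mode)
    last = None
    for _ in range(limit + 1):
        last = server.logon(user)
    return None if last is None else last.restrictions


if __name__ == "__main__":
    for m in MODES:
        print(f"{m:18} -> {sorted(run_scenario(m) or []) or 'session refused'}")
```

The interesting comparison is between `fail_open` and the other two modes: the license check and the policy fetch are separate decisions, and the reported bug is that the first succeeds while the second fails without the failure feeding back into admission. Either a baseline that does not depend on the policy fetch (mandatory profile) or a refusal when the fetch fails closes that gap.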
