Re: Vulnerability: Windows2000Server running Terminalservices

Date: 04/10/02

Date: Tue, 09 Apr 2002 15:19:16 -0700

Hash: SHA1

>4. the user TS-User opens another connections to the terminalserver via
>terminalserverclient. This time the sixth session
>exceeds the userlimit. The system grants the user TS-User to log on. The
>system denies access to the gpo hosted somewhere
>on the share "sysvol". The gpo is N O T applied. The result is the user
>TS-User sees an totally open desktop.He can do only
>things according to his userrights due to membership of domain-user. But he
>can do more than intended by the admin.

Application mode terminal server configuration is a bit different than your
standard console logon... Normally, you don't let user's log onto servers,
but in the case of terminal services, you extend this functionality on
purpose. It is important to have TS based security in place with tools
like APPSEC.EXE that allow you to bring additional controls into play
specifically for terminal services environments. Group Policy is a
wonderful thing, but in the case of terminal services, it should something
added on top of a already carefully secured terminal server.

>If you try out what I am telling here, you will notice that even if the user
>logs off once the gpo are applied successfully, the gpo
>is not saved in the userprofile. If the gpo would have been saved to the
>profile as claimed by Microsoft, the desktop would
>have beed locked down even if the system denies access to the gpo.

Mandatory profiles for terminal services users is a good thing... I belive
an initial mandatory profile would keep this from happening. Though, I
must say it is interesting that the GP is not applied when the license is

>As you will agree with me, neither the admin nor the TS-User are violating
>any licensing issues. There is one user exceeding the 5-user limit.
>The problem is the stupidity of the system by simply considering userlimits
>more important than granting access to grouppolicies.

Actually, no. It is a 5 "concurrent" user limit for per-server licensing.
5 of the same user is still 5 users, so the limit has indeed been reached.
I think saying it is the "stupidity of the system" is a bit
harsh. Personally, I would not be expecting the GP not to be applied, but
at least the admin will get the event log telling you that. You are,
after all, breaking the licensing agreement. But, as TS session licenses
are different than normal user licenses, I can see how this would not be

>Microsoft has been informed by mail on march 23, 2002.

What did they say? I can image a "You're breaking the license agreement,
Tough Luck" response, but it would also be interesting to see what their
take on it technically was.


Version: PGP 7.1