Terminal Server - this a hole or what?

Status
Not open for further replies.

GotNoClue

MIS
Jun 18, 2002
15
US
Just added a new "application mode" terminal server. Wanted to poke around and test security on it. Discovered that the basic user can run regedt32.exe and regedit.exe and add and delete keys even though the security on regedt32.exe states that basic joe user can only read from the registry. What the . . .? Checked this out on our other application terminal servers and same thing! Running W2k server with service pack 4 installed and all critical updates added. I have since removed rights for the basic user from accessing the executables, regedit.exe and regedt32.exe.

And before you ask . . . the basic user is ONLY a member of the local user acct and nothing greater.

Anyone heard anything about this?
 
If you look at the Permissions defined in many places, you may see a user called "TERMINAL SERVER USER" listed with explicit rights to many items. This is an NT AUTHORITY type user, like SYSTEM.

I'm not sure, but you may be able to add this user to the local Users group, and limit its default rights that way.
 
You should put your Terminal Servers in their own OU and then enable LoopBack Processing so that users who log into the WTS have their own set of policies that get applied.

Next (the fun part) lock down everything you want using GPOs... (i.e. Disable registry editing, etc.) Is this a Citrix server??

Hope this helps,
Brandon
 
Awesome idea Brandon!! I'm still too much "old school" and haven't yet utilized the power of OUs and policies. I'm going to look into this idea tonight (dang, it would be nice to be in sales and actually have a life).

So, just a question, could you or anyone verify the same ability to edit the registry?

BTW, no it's not a Citrix server.
 
I use GPs for my TS clients and I lock down the whole server.

Bill
 
By default normal users can run Regedit. However, there is a specific GPO option to "Disallow registry editing tools". You don't have to change the permissions on the executables.

Not sure about why you can edit locked down values. Try editing the following ...

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticetext

I am writing this from a normal user account on a Win2k Sp4 TS, and I definitely can't edit that value.

You may find that some areas of the registry allow anybody to create new keys, and once created that person retains full control over those keys.

Also, you may have chosen "Permissions compatible with Windows NT4" during the server configuration. That will apply less strict permissions to the registry, and allow normal users to do things that you generally don't want them to be able to do.

Hope that helps.
Aaron Power.
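
A defender's check for the points raised in the replies above (explicit TERMINAL SERVER USER entries, keys that anybody can create under, and the looser NT4-compatible permissions): this added example, not posted by anyone in the thread, lists registry keys whose ACL grants write-type rights to low-privileged identities. It assumes PowerShell 5.0 or later, which is not available on the Windows 2000 servers discussed, and the function name, starting key and depth are illustrative choices.

```powershell
# Added example (not from the thread). Lists registry keys whose ACL lets a
# low-privileged identity modify them. Run from an administrative session.

# Well-known SIDs. Users and TERMINAL SERVER USER are named in the thread;
# Everyone and Authenticated Users are added here as an assumption.
$LowPriv = @{
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-13'     = 'NT AUTHORITY\TERMINAL SERVER USER'
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users'
}

# Key-specific write rights, plus GENERIC_WRITE (0x40000000) and GENERIC_ALL
# (0x10000000), which some ACEs carry instead of specific rights.
$Specific  = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$WriteMask = [int]$Specific -bor 0x40000000 -bor 0x10000000

function Get-WritableRegistryKey {
    param(
        [string]$Root = 'HKLM:\SOFTWARE',  # starting key (assumption)
        [int]$Depth = 2                    # levels below $Root to walk
    )
    $keys = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Recurse -Depth $Depth -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        try { $acl = Get-Acl -LiteralPath $key.PSPath -ErrorAction Stop }
        catch { continue }                 # ACL not readable from this session
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { continue }             # orphaned or unresolvable account
            if (-not $LowPriv.ContainsKey($sid)) { continue }
            $granted = [int]$ace.RegistryRights -band $WriteMask
            if ($granted -ne 0) {
                [pscustomobject]@{
                    Key       = $key.Name
                    Identity  = $LowPriv[$sid]
                    Rights    = '0x{0:X8}' -f $granted
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Get-WritableRegistryKey | Sort-Object Key, Identity | Format-Table -AutoSize -Wrap
```

Rows with `Inherited` set to `False` are explicit grants on that key, which is where a per-key permission change would be made; inherited rows point back to a parent key.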
 
You will need to implement a GPO on an OU. I've done it on my terminal service user clients, it's the best thing since canned beer.

Create a new OU, dump your users in it, and lock them down with a GPO that limits what they can do.

Been there, done that.
 
Thanks for the help and info everyone!!!! Greatly appreciated.
 