
TS users allowed to establish VPN tunnel!!



Guest M. Glenney
Posted

We had this happen the other day. To me, it's a MAJOR security bug but I thought I'd post it here first to get some feedback before reporting it as such.

I had a TS user connect a VPN tunnel to his home from our Windows 2003 Terminal Server. The user has no admin rights of any kind. Once the tunnel was connected the default gateway of the server was changed so that traffic was routed through the tunnel. He did all this with standard MS tools built into the OS. The gateway change was incidental. He did not set out to do that.

Another thing that disturbs me is that I could not shut down the tunnel. We got lucky and one of our other admins recognized the subnet as belonging to our user's home network so I called the user and had him disconnect it. Maybe I just didn't know where to look but I could not find anything on it other than what I was seeing with ipconfig.

I know we can keep this from happening on the network level. Aside from that, WTF is going on here. Have I uncovered a major bug here or is there something else I'm missing?

Thanks,

MG


Guest moncho
Posted

Re: TS users allowed to establish VPN tunnel!!

 

M. Glenney wrote:

> We had this happen the other day. To me, it's a MAJOR security bug but I
> thought I'd post it here first to get some feedback before reporting it as
> such.
>
> I had a TS user connect a VPN tunnel to his home from our Windows 2003
> Terminal Server. The user has no admin rights of any kind.

Is this user a power user?
Is this TS server in A/D or is it in a workgroup?
If in A/D are you sure the user logged into the domain and does not have a separate local login with higher privileges?

> Once the tunnel
> was connected the default gateway of the server was changed so that traffic
> was routed through the tunnel. He did all this with standard MS tools built
> into the OS. The gateway change was incidental. He did not set out to do
> that.

It would make sense for the tunnel to change the default gateway.

What do you mean by "MS tools"? Do you mean PPTP connection?
I believe a power user has the ability to create a PPTP connection.

Also, you mentioned that you "had a TS user connect a VPN tunnel."
What specific steps did this user use to create the VPN tunnel? (Start -> Settings -> Network Connection -> New Connection -> VPN bla bla bla?)

Why do you allow a normal user access to these menu items?

You may need to lock down the TS with GP if in A/D.

> Another thing that disturbs me is that I could not shut down the tunnel. We
> got lucky and one of our other admins recognized the subnet as belonging to
> our user's home network so I called the user and had him disconnect it. Maybe
> I just didn't know where to look but I could not find anything on it other
> than what I was seeing with ipconfig.

Were you logged in as the local Admin or as the Domain Admin?

I believe you would need to be a local Admin to close this connection.

> I know we can keep this from happening on the network level. Aside from
> that, WTF is going on here. Have I uncovered a major bug here or is there
> something else I'm missing?

I would find out what Security Groups this user belongs to.

You could also create a locked down user and then try to use the same steps as the user above for creating a VPN tunnel.

> Thanks,
>
> MG

moncho

Guest Vera Noest [MVP]
Posted

Re: TS users allowed to establish VPN tunnel!!

 

The process that you describe is by design, as far as I know.
Normal users should not be able to do this at all.

For a description of a similar problem (using a modem - default gateway changes), check here:

270857 - How to Use a Modem with Terminal Services
http://support.microsoft.com/?kbid=270857
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*

 

moncho <moncho@NOspmanywhere.com> wrote on 06 mar 2008:

> M. Glenney wrote:
>> We had this happen the other day. To me, it's a MAJOR security
>> bug but I thought I'd post it here first to get some feedback
>> before reporting it as such.
>>
>> I had a TS user connect a VPN tunnel to his home from our
>> Windows 2003 Terminal Server. The user has no admin rights of
>> any kind.
> Is this user a power user?
> Is this TS server in A/D or is it in a workgroup?
> If in A/D are you sure the user logged into the domain and does
> not have a separate local login with higher privileges?
>
>> Once the tunnel
>> was connected the default gateway of the server was changed so
>> that traffic was routed through the tunnel. He did all this
>> with standard MS tools built into the OS. The gateway change
>> was incidental. He did not set out to do that.
>
> It would make sense for the tunnel to change the default
> gateway.
>
> What do you mean by "MS tools"? Do you mean PPTP connection?
> I believe a power user has the ability to create a PPTP
> connection.
>
> Also, you mentioned that you "had a TS user connect a VPN
> tunnel." What specific steps did this user use to create the VPN
> tunnel? (Start -> Settings -> Network Connection -> New
> Connection -> VPN bla bla bla?)
>
> Why do you allow a normal user access to these menu items?
>
> You may need to lock down the TS with GP if in A/D.
>
>> Another thing that disturbs me is that I could not shut down
>> the tunnel. We got lucky and one of our other admins
>> recognized the subnet as belonging to our user's home network so
>> I called the user and had him disconnect it. Maybe I just
>> didn't know where to look but I could not find anything on it
>> other than what I was seeing with ipconfig.
> Were you logged in as the local Admin or as the Domain Admin?
>
> I believe you would need to be a local Admin to close this
> connection.
>
>> I know we can keep this from happening on the network level.
>> Aside from that, WTF is going on here. Have I uncovered a
>> major bug here or is there something else I'm missing?
> I would find out what Security Groups this user belongs to.
>
> You could also create a locked down user and then try to use the
> same steps as the user above for creating a VPN tunnel.
>
>> Thanks,
>>
>> MG
>
> moncho
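
A check an administrator could run over captured `ipconfig` and `route print` output to spot the condition discussed in this thread: a PPP (dial-up/VPN) adapter up on the terminal server and the best default route no longer pointing at the LAN gateway. This is an added example, not part of any post; the sample output, the addresses and the `APPROVED_GATEWAY` value are constructed assumptions.

```python
import re

APPROVED_GATEWAY = "10.0.0.1"   # assumption: the server's intended LAN gateway

# Constructed sample output (made-up addresses), shaped like `ipconfig` and
# `route print` on a server while a user's dial-up/VPN connection is up.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   IP Address. . . . . . . . . . . . : 10.0.0.25
   Default Gateway . . . . . . . . . : 10.0.0.1

PPP adapter Home VPN:
   IP Address. . . . . . . . . . . . : 192.168.1.50
   Default Gateway . . . . . . . . . : 192.168.1.50
"""
SAMPLE_ROUTES = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.1.50    192.168.1.50       1
          0.0.0.0          0.0.0.0         10.0.0.1       10.0.0.25      21
         10.0.0.0    255.255.255.0        10.0.0.25       10.0.0.25      20
"""

def ppp_adapters(ipconfig_text):
    """Return {connection name: IP} for every 'PPP adapter' section."""
    found, current = {}, None
    for line in ipconfig_text.splitlines():
        header = re.match(r"^(\S+) adapter (.+):\s*$", line)
        if header:  # a new adapter section starts; track it only if it is PPP
            current = header.group(2) if header.group(1) == "PPP" else None
        elif current and "IP Address" in line:
            found[current] = line.split(":", 1)[1].strip()
    return found

def default_routes(route_text):
    """Return (metric, gateway, interface) for each 0.0.0.0/0 route, best first."""
    rows = re.findall(r"^\s*0\.0\.0\.0\s+0\.0\.0\.0\s+(\S+)\s+(\S+)\s+(\d+)\s*$",
                      route_text, re.M)
    return sorted((int(metric), gw, iface) for gw, iface, metric in rows)

def audit(ipconfig_text, route_text, approved=APPROVED_GATEWAY):
    """List findings: active PPP adapters and a changed best default route."""
    findings = [f"PPP adapter up: {name} ({ip})"
                for name, ip in ppp_adapters(ipconfig_text).items()]
    routes = default_routes(route_text)
    if routes and routes[0][1] != approved:
        findings.append(f"default route via {routes[0][1]}, expected {approved}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_IPCONFIG, SAMPLE_ROUTES):
        print(finding)
```
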

