TS users allowed to establish VPN tunnel!!

M. Glenney

We had this happen the other day. To me, it's a MAJOR security bug but I
thought I'd post it here first to get some feedback before reporting it as
such.

I had a TS user connect a VPN tunnel to his home from our Windows 2003
Terminal Server. The user has no admin rights of any kind. Once the tunnel
was connected the default gateway of the server was changed so that traffic
was routed through the tunnel. He did all this with standard MS tools built
into the OS. The gateway change was incidental. He did not set out to do
that.

Another thing that disturbs me is that I could not shut down the tunnel. We
got lucky and one of our other admins recognized the subnet as belonging to
our user's home network so I called the user and had him disconnect it. Maybe
I just didn't know where to look but I could not find anything on it other
than what I was seeing with ipconfig.

I know we can keep this from happening on the network level. Aside from
that, WTF is going on here. Have I uncovered a major bug here or is there
something else I'm missing?

Thanks,

MG
 
Re: TS users allowed to establish VPN tunnel!!

M. Glenney wrote:
> We had this happen the other day. To me, it's a MAJOR security bug but I
> thought I'd post it here first to get some feedback before reporting it as
> such.
>
> I had a TS user connect a VPN tunnel to his home from our Windows 2003
> Terminal Server. The user has no admin rights of any kind.

Is this user a power user?
Is this TS server in A/D or is it in a workgroup?
If in A/D are you sure the user logged into the domain and does not
have a separate local login with higher privileges?


> Once the tunnel
> was connected the default gateway of the server was changed so that traffic
> was routed through the tunnel. He did all this with standard MS tools built
> into the OS. The gateway change was incidental. He did not set out to do
> that.


It would make sense for the tunnel to change the default gateway.

What do you mean by "MS tools"? Do you mean PPTP connection?
I believe a power user has the ability to create a PPTP connection.

Also, you mentioned that you "had a TS user connect a VPN tunnel."
What specific steps did this user use to create the VPN
tunnel? (Start -> Settings -> Network Connection -> New Connection
-> VPN bla bla bla?)

Why do you allow a normal user access to these menu items?

You may need to lock down the TS with GP if in A/D.

>
> Another thing that disturbs me is that I could not shut down the tunnel. We
> got lucky and one of our other admins recognized the subnet as belonging to
> our user's home network so I called the user and had him disconnect it. Maybe
> I just didn't know where to look but I could not find anything on it other
> than what I was seeing with ipconfig.

Were you logged in as the local Admin or as the Domain Admin?

I believe you would need to be a local Admin to close this connection.

>
> I know we can keep this from happening on the network level. Aside from
> that, WTF is going on here. Have I uncovered a major bug here or is there
> something else I'm missing?

I would find out what Security Groups this user belongs to.

You could also create a locked down user and then try to use the
same steps as the user above for creating a VPN tunnel.

> Thanks,
>
> MG


moncho
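
An added example, not part of any post in this thread: the symptom described above (the server's default gateway moving to a user's tunnel) can be checked for by parsing `route print` output and comparing the winning default route with the gateway the server is supposed to use. The sample output and all addresses in it are constructed, and the function names are hypothetical.

```python
import re

# Constructed `route print` excerpt (not from the thread): LAN gateway is
# assumed to be 10.0.0.1; 192.168.1.204 is an assumed address handed to a
# user's VPN adapter on connect.
SAMPLE_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.0.1       10.0.0.25      21
          0.0.0.0          0.0.0.0    192.168.1.204   192.168.1.204       1
         10.0.0.0    255.255.255.0        10.0.0.25       10.0.0.25      20
      192.168.1.0    255.255.255.0    192.168.1.204   192.168.1.204       1
Default Gateway:     192.168.1.204
"""

IP = r"\d+\.\d+\.\d+\.\d+"
# Columns: destination, netmask, gateway (IP or "On-link"), interface, metric
ROUTE_ROW = re.compile(rf"^\s*({IP})\s+({IP})\s+(\S+)\s+({IP})\s+(\d+)\s*$")


def default_routes(route_print_text):
    """Return (gateway, interface, metric) for every 0.0.0.0/0 row."""
    routes = []
    for line in route_print_text.splitlines():
        m = ROUTE_ROW.match(line)
        if m and m.group(1) == m.group(2) == "0.0.0.0":
            routes.append((m.group(3), m.group(4), int(m.group(5))))
    return routes


def audit_default_route(route_print_text, expected_gateway):
    """Report which default route wins and whether it is the expected one."""
    routes = default_routes(route_print_text)
    if not routes:
        # No default route at all: nothing is diverted, but nothing egresses.
        return {"active": None, "diverted": False, "unexpected": []}
    active = min(routes, key=lambda r: r[2])  # lowest metric carries traffic
    unexpected = [r for r in routes if r[0] != expected_gateway]
    return {"active": active,
            "diverted": active[0] != expected_gateway,
            "unexpected": unexpected}


if __name__ == "__main__":
    report = audit_default_route(SAMPLE_ROUTE_PRINT, "10.0.0.1")
    print("active default route:", report["active"])
    print("diverted:", report["diverted"])
    for gw, iface, metric in report["unexpected"]:
        print(f"unexpected default route via {gw} on {iface} (metric {metric})")
```

Run against periodic captures of `route print` from the terminal server, a `diverted` result points at the interface address to look for in `ipconfig /all`.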
 
Re: TS users allowed to establish VPN tunnel!!

The process that you describe is by design, as far as I know.
Normal users should not be able to do this at all.

For a description of a similar problem (using a modem - default
gateway changes), check here:

270857 - How to Use a Modem with Terminal Services
http://support.microsoft.com/?kbid=270857
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*

moncho <moncho@NOspmanywhere.com> wrote on 06 mar 2008:

> M. Glenney wrote:
>> We had this happen the other day. To me, it's a MAJOR security
>> bug but I thought I'd post it here first to get some feedback
>> before reporting it as such.
>>
>> I had a TS user connect a VPN tunnel to his home from our
>> Windows 2003 Terminal Server. The user has no admin rights of
>> any kind.

> Is this user a power user?
> Is this TS server in A/D or is it in a workgroup?
> If in A/D are you sure the user logged into the domain and does
> not have a separate local login with higher privileges?
>
>
>> Once the tunnel
>> was connected the default gateway of the server was changed so
>> that traffic was routed through the tunnel. He did all this
>> with standard MS tools built into the OS. The gateway change
>> was incidental. He did not set out to do that.

>
> It would make sense for the tunnel to change the default
> gateway.
>
> What do you mean by "MS tools"? Do you mean PPTP connection?
> I believe a power user has the ability to create a PPTP
> connection.
>
> Also, you mentioned that you "had a TS user connect a VPN
> tunnel." What specific steps did this user use to create the VPN
> tunnel? (Start -> Settings -> Network Connection -> New
> Connection -> VPN bla bla bla?)
>
> Why do you allow a normal user access to these menu items?
>
> You may need to lock down the TS with GP if in A/D.
>
>>
>> Another thing that disturbs me is that I could not shut down
>> the tunnel. We got lucky and one of our other admins
>> recognized the subnet as belonging to our user's home network so
>> I called the user and had him disconnect it. Maybe I just
>> didn't know where to look but I could not find anything on it
>> other than what I was seeing with ipconfig.

> Were you logged in as the local Admin or as the Domain Admin?
>
> I believe you would need to be a local Admin to close this
> connection.
>
>>
>> I know we can keep this from happening on the network level.
>> Aside from that, WTF is going on here. Have I uncovered a
>> major bug here or is there something else I'm missing?

> I would find out what Security Groups this user belongs to.
>
> You could also create a locked down user and then try to use the
> same steps as the user above for creating a VPN tunnel.
>
>> Thanks,
>>
>> MG

>
> moncho
 