T 5.132 Compromising RDP user sessions under Windows Server 2003 and higher
Remote Desktop, based on the Remote Desktop Protocol (RDP), is an effective and widely used means of maintaining a Windows server remotely and of running programmes on remote computers (remote desktops). Under Windows Server 2003 the client is connected to the RDP server before the user has been authenticated in any way: the complete Windows logon screen of the remote desktop is rendered on the screen of the local client. There is therefore a risk that an attacker will gain remote access to the system by logging on over RDP.
Information on the operating system version and on the domain membership of the Windows server is thus available to every remote desktop user without a user name or password having to be entered. Further information can be gleaned from the background image of the logon screen: administrators often display administrative information there, or the server manufacturer has provided a proprietary default background image for pre-installed operating systems. Such an image gives an attacker valuable information with which to analyse the system and exploit the corresponding security gaps.
If the network connection is interrupted during an RDP session, Windows Server 2003 automatically restores the session as soon as the client reaches the server again over the network, without requiring the user to log on again; the network outage may last several minutes. This gains fault tolerance at the expense of the integrity of the RDP session: an attacker can gain remote access to the system through social engineering or by tapping the connection. A connection using RDP version 5.2 under Windows Server 2003 can easily be tapped by third parties and redirected to a new destination without detection, since the client has no means of verifying the identity of the server. Since Windows Server 2003 Service Pack 1 the connection can be secured with SSL (TLS), but many clients are then no longer able to connect, for example the Remote Desktop clients of earlier Windows versions and rdesktop for Unix/Linux. SSL therefore usually cannot be used everywhere to protect the communication, and the risk of the connection being tapped and of unauthorised access to the system remains.
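The following PowerShell script is an added example; it is not part of this catalogue entry and not Microsoft's own tooling. It audits the registry settings of the RDP-Tcp listener that correspond to the weaknesses described above: whether the connection is protected by SSL/TLS (SecurityLayer), the minimum encryption level, whether the client must authenticate before the logon screen is shown (UserAuthentication, i.e. Network Level Authentication, which does not exist on Windows Server 2003 and is reported as absent), and whether a session whose connection is broken is kept open for reconnection (fResetBroken, MaxDisconnectionTime). The registry path and value names are the standard listener settings; the thresholds used (High encryption, a five-minute disconnection limit) and the helper name Get-RdpSetting are assumptions of this example, not requirements of the catalogue.

```powershell
# Added example (not part of the BSI catalogue entry): audit the RDP-Tcp listener
# settings that govern the threats described above. Run as an administrator on the
# server to be checked. The thresholds below are assumptions of this example.

$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpSetting {
    param([string]$Name)
    # Returns $null when the value does not exist (e.g. UserAuthentication on Server 2003)
    $item = Get-ItemProperty -Path $rdpTcp -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$findings = @()

# SecurityLayer: 0 = RDP security layer (server not authenticated, connection can be
# redirected), 1 = Negotiate (client may fall back to 0), 2 = SSL/TLS only.
$securityLayer = Get-RdpSetting 'SecurityLayer'
switch ($securityLayer) {
    2       { }
    1       { $findings += 'SecurityLayer=1 (Negotiate): a client may still fall back to the unauthenticated RDP security layer' }
    default { $findings += "SecurityLayer=$securityLayer: RDP security layer only, the connection can be tapped and redirected" }
}

# MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High (128-bit), 4 = FIPS.
$encLevel = Get-RdpSetting 'MinEncryptionLevel'
if ($encLevel -lt 3) {
    $findings += "MinEncryptionLevel=$encLevel: weaker than High (assumed minimum here is 3)"
}

# UserAuthentication = 1 requires Network Level Authentication before the logon screen
# is shown. The value is absent on Windows Server 2003, which is exactly the condition
# described above: every client is shown the logon screen and its OS/domain information.
$nla = Get-RdpSetting 'UserAuthentication'
if ($null -eq $nla) {
    $findings += 'UserAuthentication not present: this server cannot require authentication before the logon screen is shown (Windows Server 2003 behaviour)'
} elseif ($nla -ne 1) {
    $findings += 'UserAuthentication=0: Network Level Authentication is not enforced'
}

# fResetBroken = 1 ends a session whose connection is lost instead of leaving it
# disconnected for whoever reconnects next; MaxDisconnectionTime (milliseconds) bounds
# how long a disconnected session survives when it is not ended immediately.
$resetBroken = Get-RdpSetting 'fResetBroken'
$maxDisc     = Get-RdpSetting 'MaxDisconnectionTime'
if ($resetBroken -ne 1) {
    if (-not $maxDisc -or $maxDisc -eq 0 -or $maxDisc -gt 300000) {
        $findings += "Disconnected sessions are kept open (fResetBroken=$resetBroken, MaxDisconnectionTime=$maxDisc ms); assumed limit here is 5 minutes"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'RDP listener settings: no findings'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

On a Windows Server 2003 system the script will always report the missing UserAuthentication value; that finding cannot be remedied by configuration and documents the residual risk described above, whereas the SecurityLayer and disconnection findings point at settings that can be tightened where the client base allows it.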
Due to the risks and threats described, a higher level of risk must be assumed for the server as soon as RDP is used.
- An American manufacturer supplied its customers with servers carrying pre-installed OEM versions of Windows Server 2003. When a user logs on to the operating system at the console or via a remote desktop, a background image showing the manufacturer's logo and a photograph of the server hardware appears. This information could be used to determine which vulnerabilities the system has, so that they could be exploited in attacks.
- During a network outage an administrator leaves an administration PC running an RDP session unsupervised for a short time. If the administrator is not back at the PC before network operation is restored and the screen saver of the PC is not password protected, a third party could use the RDP session as soon as the network disruption is cleared. That person would then hold full administrator privileges and could cause significant damage, deliberately or accidentally.