The application session launched via the RDS server allows users to access files placed on the RDS server desktop, etc.: if we launch the web browser, press Ctrl+O, and then navigate. We can also launch cmd and PowerShell, etc.
What are the recommended hardening steps for applying segregated access within the application sessions launched via the RDS server, given that one single user profile is being used for the RDS sessions?
Best answer by Neil
Hi @SFA -- good question about Browser escapes while in a RemoteApp session. While I don’t have any official documentation to share, I do have some notes from some of my previous testing.
Some, if not most, of these escapes can be mitigated through Chrome policies (and since Edge is Chromium-based, I believe you can do much the same with that). I haven't had much luck finding easy ways to prevent TS RemoteApp escapes in general, since RemoteApp functionality is simply leveraging Remote Desktop code, so once a user launches a RemoteApp session, they're allowed to launch other applications regardless of whether those are published apps or not. I've found a few hacky ways to do it, but nothing I'd really recommend. Generally speaking, it seems that you're better off leveraging other security software (like EPM) or using other methods to restrict RemoteApp users to as few rights as they need to run the intended application.
Chrome policies to prevent web app escapes I’ve tested:
1.) Block access to a list of URLs - Enabled
Blocked URLs:
file://* (prevents browsing the file system from the browser URL bar)
While this isn’t a definitive list, I hope it helps you get started.
Finally -- it is important to note that if a user escapes a browser session through these methods, they are still audited accordingly. The resulting screen recording will show these additional applications being launched, and every interaction will have an audit trail as expected.
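To make the policy Neil lists concrete, here is an added example (it is not from the original post, nor BeyondTrust's own tooling) that writes the same "Block access to a list of URLs" setting as a machine-level registry policy for Chrome and Edge on the session host, then reads it back for verification. The registry paths are the browsers' standard policy locations; the function names and the `$Blocked` list are this example's own. It only blocks `file://` navigation inside the browser; it does nothing about a user launching cmd.exe or PowerShell from the RemoteApp, which is the part Neil says needs EPM or an equivalent restriction.

```powershell
# Added example, not from the original post. Run elevated on the RDS session host.
# Assumption: machine-level (HKLM) browser policy is acceptable; the patterns use
# Chrome's URLBlocklist syntax, which Edge shares.
$Blocked = @('file://*')   # Neil's tested entry; extend as needed

$PolicyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\URLBlocklist',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\URLBlocklist'
)

function Set-UrlBlocklist {
    param(
        [Parameter(Mandatory)] [string]   $Key,
        [Parameter(Mandatory)] [string[]] $Patterns
    )
    # -Force creates missing parent keys (Policies\Google\Chrome etc.)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }

    # List policies are stored as REG_SZ values named "1", "2", ... ;
    # clear any stale entries so the list is exactly what we intend.
    foreach ($name in (Get-Item $Key).GetValueNames()) {
        Remove-ItemProperty -Path $Key -Name $name
    }
    $i = 1
    foreach ($pattern in $Patterns) {
        New-ItemProperty -Path $Key -Name "$i" -Value $pattern -PropertyType String -Force | Out-Null
        $i++
    }
}

function Get-UrlBlocklist {
    param([Parameter(Mandatory)] [string] $Key)
    if (-not (Test-Path $Key)) { return @() }
    $props = Get-ItemProperty -Path $Key
    (Get-Item $Key).GetValueNames() |
        Sort-Object { [int]$_ } |
        ForEach-Object { $props.$_ }
}

foreach ($key in $PolicyKeys) {
    Set-UrlBlocklist -Key $key -Patterns $Blocked
    $applied = Get-UrlBlocklist -Key $key
    "{0}: {1}" -f $key, ($applied -join ', ')
    if (@(Compare-Object $applied $Blocked).Count -ne 0) {
        Write-Warning "Blocklist under $key does not match the intended list"
    }
}
```

After running it, open a new RemoteApp browser session and check chrome://policy (or edge://policy) to confirm URLBlocklist shows as applied, then try Ctrl+O and a `file:///C:/` address to confirm both are refused. Because the policy lives under HKLM, it applies to every user on the host, which suits the shared-profile setup described in the question.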
Just check "Launch Application in RemoteApp Mode" on the applications; that way only the actual application will be shown to the final user, instead of the full RDP window:
Thank you for the detailed response. It certainly is helpful.
The download part is where we need the restriction. When downloads are completely blocked, then the log exports, packet captures, etc. that IT admins generally need access to become limited, and using web applications via PAM doesn't go well. If instead we assign a network share drive and limit each user's access, the account we use to launch the RDS session will still have access in general, so users or contractors can copy other files (like backups, etc.); also, for some reason, the network share drive gets unmapped intermittently (not just when the server is restarted).
If a solution for file transfer while in RDS is provided by BT, then we can completely restrict downloads, etc.
Hello. Have you tried leveraging the Kiosk mode feature by adding the following key to your application ini file?
Kiosk mode was introduced fairly recently in PS Automate, and I believe that the introduced feature should, on top of removing the toolbars and menus from the user interface, also block the execution of those types of shortcuts used to escape the browser.
Might be worth a try, to see if this would allow you to overcome the risks you outlined.