
I work with a group of developers that do network-level programming. To prevent these developers from accidentally causing problems on the corporate network, they have been given their own isolated network (a different IP range with a shared DMZ).

In the past these developers have maintained 2 computers (one for each network), and when they needed to move files from one network to the other they would use a thumb drive. However, we recently moved offices, and each of the developers was provided with an upgraded computer and told that for access to the corporate network they could remote into an RDP server set up in the DMZ. The problem is that we can no longer use thumb drives. One of the solutions we came up with was to use the "Local devices and resources" tab under "Show Options" to map local drives to the RDP session; however, IS called foul play.

How is mapping "Local devices and resources" via RDP any more or less secure than our old system of moving files via a thumb drive?

CaffeineAddiction

3 Answers


I believe the issue is due to auditing. An RDP session is not the same as a local logon session. Since thumb-drive auditing is very specific, I'd wager that it doesn't kick off an event due to the nature of RDP.

An example of RDP woes (doesn't trigger account lockout): https://community.spiceworks.com/topic/354021-how-to-limit-rdp-attempts-from-hostiles

If I get more time, I'll try to update with actual facts vs. conjecture.


With local devices and resources you can make your local drive available on the other network. It will show up as \\tsclient\C for the local C: drive under Network, and as "C on [computername]" in the right pane of Explorer. This defeats the purpose of having the disconnected subnets.

I would request an internal FTPS server, which can be restricted to a single folder path that should NOT be your common storage area. FileZilla Server would work well.


It depends on what you map. If you map the C: drive, then the client can effectively run arbitrary code on the server, because it can run any program psexec-style. This is dubbed the "RDP inception attack", and it allows the client to hop out of the DMZ.

If you map a folder, then you have to be careful and never run any program in the folder, because the client can backdoor any file in that folder. It can also drop exploits, like the "Stuxnet" LNK exploit.

https://github.com/mdsecactivebreach/RDPInception

Daniel Grover
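The drive-redirection mechanism the last two answers describe (a ticked "Local devices and resources" box turning the client's drives into \\tsclient\<letter> UNC paths that the session can read, write and execute from), shown from the DMZ server's side as an added example; this is not code from any of the answers above or from the RDPInception project. It assumes the DMZ RDP server is a Windows Remote Desktop Session Host and that PowerShell is run there elevated. The registry location and the fDisableCdm / fDisableClip / fDisablePNPRedir value names are Microsoft's documented RDS policy values; the function names are my own.

```powershell
# Added example, not code from any of the answers above. Run in an elevated
# PowerShell session on the DMZ RDP server (assumed: Windows Server acting as
# a Remote Desktop Session Host). $PolicyKey and the fDisable* value names are
# the documented RDS policy registry location and values.

# --- 1. What the server can see of the client --------------------------------
# A client that ticks "Local devices and resources" exposes its drives to the
# session as \\tsclient\<letter>. From the server's point of view these are
# plain UNC paths: readable, writable and executable like any other share.
function Get-RedirectedClientDrive {
    foreach ($code in 65..90) {                 # ASCII 'A'..'Z'
        $letter = [char]$code
        $unc    = "\\tsclient\$letter"
        if (Test-Path -LiteralPath $unc) {
            [pscustomobject]@{
                ClientDrive = "${letter}:"
                UncPath     = $unc
                # A sample of what is exposed; a process in the session could
                # just as well write a backdoored EXE here or execute one from here.
                Entries     = (Get-ChildItem -LiteralPath $unc -ErrorAction SilentlyContinue |
                               Select-Object -First 5 -ExpandProperty Name)
            }
        }
    }
}

# --- 2. Server-side policy that makes the client-side tick box irrelevant ----
# Same settings as the GPO path
#   Computer Configuration > Administrative Templates > Windows Components >
#   Remote Desktop Services > Remote Desktop Session Host >
#   Device and Resource Redirection
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$RedirectionPolicies = [ordered]@{
    fDisableCdm      = 'Do not allow drive redirection'
    fDisableClip     = 'Do not allow Clipboard redirection'
    fDisablePNPRedir = 'Do not allow supported Plug and Play device redirection'
}

function Get-RdpRedirectionPolicy {
    # Reports whether each redirection channel is blocked (DWORD value 1) on this host.
    foreach ($name in $RedirectionPolicies.Keys) {
        $value = (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Policy  = $RedirectionPolicies[$name]
            Value   = $name
            Blocked = ($value -eq 1)
        }
    }
}

function Disable-RdpRedirection {
    # Enforce all three. Applies to new sessions; sessions already connected
    # keep the channels they negotiated at logon.
    if (-not (Test-Path -LiteralPath $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    foreach ($name in $RedirectionPolicies.Keys) {
        New-ItemProperty -Path $PolicyKey -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Usage: audit the policy, list any client drives reachable from this session,
# then enforce and reconnect to confirm no \\tsclient\* path resolves any more.
Get-RdpRedirectionPolicy | Format-Table -AutoSize
Get-RedirectedClientDrive | Format-Table -AutoSize
# Disable-RdpRedirection   # uncomment to enforce
```

Once fDisableCdm is set on the session host, the "Local devices and resources" tab on the client no longer produces a \\tsclient share regardless of what the user ticks, which is the control IS is presumably after; the file-transfer need then has to be met by a separate, narrowly scoped path such as the restricted FTPS server the second answer suggests, rather than by a whole-drive share that stays open for the lifetime of the session.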