Active Session Shadowing

[Chris Misztur <cm...@mriiot.com>]

This is worth bringing up again.  As a Guacamole admin I have the ability
to click on any connected user sessions and view/control without the user's
permission.

This is preventing us from completely eliminating MS RD Gateway for HR
security reasons.

/c

Re: Active Session Shadowing

[Geraint Raikes <ra...@gmail.com>]

Global settings based on organisations policies could be:

Admin connection sharing ON
Admin connection sharing OFF
Admin connection sharing ON + Prompt on users machine to allow access

Personally I'd use the third option for my org, and will likely hold off
upgrading to 1.1 equivalent if admin connection sharing is on and not able
to be turned off  (using Glyptodon)

On Thu, 23 Apr 2020 at 21:50, ivanmarcus <iv...@yahoo.com.invalid>
wrote:

> I was a little surprised by the inclusion of this in 1.1 at first, however
> I since found it to be useful to assist people on several occasions and
> believe it's a feature that should stay.
>
> That said I can see it could lead to issues for some people, so agree that
> it would be useful to be able to configure.
>
> On the matter of configuration; perhaps this should be a separate thread
> but I suggest it could also be useful to be able to globally set several
> other parameters such as the menu sidebar keys, new connection initial
> settings (eg default to 'ignore server certificate'), and similarly some
> new user settings?
>
>
> On 23/04/2020 1:48 p.m., Nick Couchman wrote:
>
> On Sun, Apr 19, 2020 at 12:03 AM Chris Misztur <cm...@mriiot.com>
> wrote:
>
>> This is worth bringing up again.  As a Guacamole admin I have the ability
>> to click on any connected user sessions and view/control without the user's
>> permission.
>>
>> This is preventing us from completely eliminating MS RD Gateway for HR
>> security reasons.
>>
>>
>
> I'll see if the other project folks want to weigh in on this - perhaps
> implementing either a global setting (guacamole.properties) to turn off the
> admin connection sharing across the board, or a per-connection parameter
> that makes the connection exclusive - does not allow anyone, even an admin,
> to join the connection - or both?
>
> -Nick
>
>
>

Re: Active Session Shadowing

[ivanmarcus <iv...@yahoo.com.INVALID>]

I was a little surprised by the inclusion of this in 1.1 at first, 
however I since found it to be useful to assist people on several 
occasions and believe it's a feature that should stay.

That said I can see it could lead to issues for some people, so agree 
that it would be useful to be able to configure.

On the matter of configuration; perhaps this should be a separate thread 
but I suggest it could also be useful to be able to globally set several 
other parameters such as the menu sidebar keys, new connection initial 
settings (eg default to 'ignore server certificate'), and similarly some 
new user settings?


On 23/04/2020 1:48 p.m., Nick Couchman wrote:
> On Sun, Apr 19, 2020 at 12:03 AM Chris Misztur <cmisztur@mriiot.com 
> <ma...@mriiot.com>> wrote:
>
>     This is worth bringing up again.  As a Guacamole admin I have the
>     ability to click on any connected user sessions and view/control
>     without the user's permission.
>
>     This is preventing us from completely eliminating MS RD Gateway
>     for HR security reasons.
>
>
>
> I'll see if the other project folks want to weigh in on this - perhaps 
> implementing either a global setting (guacamole.properties) to turn 
> off the admin connection sharing across the board, or a per-connection 
> parameter that makes the connection exclusive - does not allow anyone, 
> even an admin, to join the connection - or both?
>
> -Nick

Re: Active Session Shadowing

[Jason Keltz <ja...@eecs.yorku.ca>]

Hi Nick,
The way I see it, there's an in between as well  It would be great to have an option where, when you join the connection, it at least pops up a box at the bottom corner of the users screen and reports the user who has joined the session. This way, at least the user knows that it's happened.  That's the way I'd run mine.

Jason.


On Apr. 22, 2020, 9:48 p.m., at 9:48 p.m., Nick Couchman <vn...@apache.org> wrote:
>On Sun, Apr 19, 2020 at 12:03 AM Chris Misztur <cm...@mriiot.com>
>wrote:
>
>> This is worth bringing up again.  As a Guacamole admin I have the
>ability
>> to click on any connected user sessions and view/control without the
>user's
>> permission.
>>
>> This is preventing us from completely eliminating MS RD Gateway for
>HR
>> security reasons.
>>
>>
>I can see both sides of this.  On the one hand, if you don't trust the
>people administering your Guacamole instance to the point where they
>could
>see what's on a screen, do you really trust them?  Say the active
>sharing
>could be completely disabled, or wasn't present at all - a rogue
>Guacamole
>admin could still create a connection that someone in HR would use that
>would pass all of that data through a Man-in-the-Middle trap and record
>everything.  Or set the recording parameters of the Guacamole
>connection
>such that the entire screen session, including visible content, mouse
>clicks, and keystrokes, are recorded, and there would be no way for the
>HR
>person using that connection to know that this is going on.  I'll take
>a
>moment to point out that I'm reasonably certain the same would be true
>for
>the MS RDP Gateway connection - it is perfectly plausible that an admin
>could MITM or redirect traffic on that platform such that the end HR
>user
>wouldn't know the difference.  So, should the ability for an admin to
>see
>the active session really be that big of a deal??  Also, I believe the
>admin access to the connections is audited in the History table the
>same as
>any other access, so there should be an audit trail.
>
>On the other hand, it doesn't seem totally unreasonable to me to be
>able to
>turn this feature off if you so choose.  Having been a part of
>environments
>in the past and audits in the present where you're asking about the
>level
>of access people have to certain data, I can certainly see situations
>where
>it'd be nice to be able to either tick that box for audit or security
>compliance purposes, or to give certain groups the feeling that they're
>protected.
>
>I'll see if the other project folks want to weigh in on this - perhaps
>implementing either a global setting (guacamole.properties) to turn off
>the
>admin connection sharing across the board, or a per-connection
>parameter
>that makes the connection exclusive - does not allow anyone, even an
>admin,
>to join the connection - or both?
>
>-Nick

Re: Active Session Shadowing

[David Barber <md...@aol.com.INVALID>]

Hi perhaps a tick box for the users  to disable this which can be over 
ridden by an admin but which action sends a notification to the user 
this has happened.
Would enable both sides to feel they have control :)


Nick Couchman wrote:
> On Sun, Apr 19, 2020 at 12:03 AM Chris Misztur <cmisztur@mriiot.com 
> <ma...@mriiot.com>> wrote:
>
>     This is worth bringing up again.  As a Guacamole admin I have the
>     ability to click on any connected user sessions and view/control
>     without the user's permission.
>
>     This is preventing us from completely eliminating MS RD Gateway
>     for HR security reasons.
>
>
> I can see both sides of this.  On the one hand, if you don't trust the 
> people administering your Guacamole instance to the point where they 
> could see what's on a screen, do you really trust them?  Say the 
> active sharing could be completely disabled, or wasn't present at all 
> - a rogue Guacamole admin could still create a connection that someone 
> in HR would use that would pass all of that data through a 
> Man-in-the-Middle trap and record everything.  Or set the recording 
> parameters of the Guacamole connection such that the entire screen 
> session, including visible content, mouse clicks, and keystrokes, are 
> recorded, and there would be no way for the HR person using that 
> connection to know that this is going on.  I'll take a moment to point 
> out that I'm reasonably certain the same would be true for the MS RDP 
> Gateway connection - it is perfectly plausible that an admin could 
> MITM or redirect traffic on that platform such that the end HR user 
> wouldn't know the difference.  So, should the ability for an admin to 
> see the active session really be that big of a deal??  Also, I believe 
> the admin access to the connections is audited in the History table 
> the same as any other access, so there should be an audit trail.
>
> On the other hand, it doesn't seem totally unreasonable to me to be 
> able to turn this feature off if you so choose. Having been a part of 
> environments in the past and audits in the present where you're asking 
> about the level of access people have to certain data, I can certainly 
> see situations where it'd be nice to be able to either tick that box 
> for audit or security compliance purposes, or to give certain groups 
> the feeling that they're protected.
>
> I'll see if the other project folks want to weigh in on this - perhaps 
> implementing either a global setting (guacamole.properties) to turn 
> off the admin connection sharing across the board, or a per-connection 
> parameter that makes the connection exclusive - does not allow anyone, 
> even an admin, to join the connection - or both?
>
> -Nick


-- 
Regards
David Barber

Re: Active Session Shadowing

[Nick Couchman <vn...@apache.org>]

On Sun, Apr 19, 2020 at 12:03 AM Chris Misztur <cm...@mriiot.com> wrote:

> This is worth bringing up again.  As a Guacamole admin I have the ability
> to click on any connected user sessions and view/control without the user's
> permission.
>
> This is preventing us from completely eliminating MS RD Gateway for HR
> security reasons.
>
>
I can see both sides of this.  On the one hand, if you don't trust the
people administering your Guacamole instance to the point where they could
see what's on a screen, do you really trust them?  Say the active sharing
could be completely disabled, or wasn't present at all - a rogue Guacamole
admin could still create a connection that someone in HR would use that
would pass all of that data through a Man-in-the-Middle trap and record
everything.  Or set the recording parameters of the Guacamole connection
such that the entire screen session, including visible content, mouse
clicks, and keystrokes, are recorded, and there would be no way for the HR
person using that connection to know that this is going on.  I'll take a
moment to point out that I'm reasonably certain the same would be true for
the MS RDP Gateway connection - it is perfectly plausible that an admin
could MITM or redirect traffic on that platform such that the end HR user
wouldn't know the difference.  So, should the ability for an admin to see
the active session really be that big of a deal??  Also, I believe the
admin access to the connections is audited in the History table the same as
any other access, so there should be an audit trail.

On the other hand, it doesn't seem totally unreasonable to me to be able to
turn this feature off if you so choose.  Having been a part of environments
in the past and audits in the present where you're asking about the level
of access people have to certain data, I can certainly see situations where
it'd be nice to be able to either tick that box for audit or security
compliance purposes, or to give certain groups the feeling that they're
protected.

I'll see if the other project folks want to weigh in on this - perhaps
implementing either a global setting (guacamole.properties) to turn off the
admin connection sharing across the board, or a per-connection parameter
that makes the connection exclusive - does not allow anyone, even an admin,
to join the connection - or both?

-Nick