Commit 37773398 authored by Vangelis Koukis

Make disabling and enabling RDP more robust

Enhance the DisableRemoteDesktopConnections task,
so disabling and re-enabling RDP is more robust,
and respects Image-specific policy.

Previously, snf-image would disable RDP unconditionally
inside DisableRemoteDesktopConnections and assume there would be
an appropriate <RunSynchronousCommand> entry in unattend.xml
so SYSPREP would enable RDP unconditionally during the specialize
pass of the Windows Setup.

This has two main problems:
   * It assumes a specific answer file, with snf-image specific content.
     However, the answer file is Image-specific policy, and ideally
     snf-image should not make any assumption on its contents.
   * It enables RDP unconditionally, even though it may have been
     disabled inside a specific Image by the Administrator, on purpose,
     thus introducing a potential security risk.

To solve this problem, make DisableRemoteDesktopConnections
   * Note whether RDP was initially disabled or not,
   * Disable it unconditionally via a direct edit of the Registry,
     so no incoming RDP connections are allowed while SYSPREP is running,
   * Insert a command to set it to its original state when Setup is
     complete, without depending on the contents of unattend.xml
     or any other answer file.
parent 3bcb05ab
......@@ -25,18 +25,15 @@
# This task will change the value of `fDenyTSConnection' registry key located
# This task will change the value of `fDenyTSConnections' registry key located
# under `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\'
# to "true". This will disable RDP connections.
# We assume that the key will change back to "false" during the specialize
# pass of the Windows setup via an appropriate <RunSynchronousCommand>
# entry in the unattend.xml or similar answer file for SYSPREP.
# to "true". This will disable RDP connections while the machine is being
# set up by SYSPREP upon first boot.
# TODO: Stop relying on specific entries in unattend.xml, which may
# have been heavily customized for a specific Image. Instead, insert the
# required # entry to re-enable RDP explicitly, and only if it was previously
# enabled.
# When Setup is complete, the task ensures the value of `fDenyTSConnections'
# is not set unconditionally to False, but is re-set to its original value
# instead, thus preserving Image-specific policy of whether RDP is enabled
# or not.
set -e
. "@commondir@/"
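Review bot: the rewritten header comment ("When Setup is complete, the task ensures the value of `fDenyTSConnections' ... is re-set to its original value") describes the outcome but not the mechanism; name the Setup hook the restore command is appended to, so a reader of the header knows which post-Setup file the task now depends on instead of unattend.xml.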
......@@ -64,12 +61,16 @@ fi
# Pad the value with zeros
current=$(printf "%03d" "$current")
#The current '\SYSTEM\CurrentContolSet\Control\Terminal Server' values
# The current '\SYSTEM\CurrentContolSet\Control\Terminal Server' values
values=$($HIVEXGET "$hive" "ControlSet${current}\Control\Terminal Server")
# Remove fDenyTSConnections if present
# Get current value of fDenyTSConnections, if one exists
curval=$(grep ^'"fDenyTSConnections"=' <<< "$values"|cut -f2 -d:)
# Then remove it from the list of values, if present
values=$(grep -v ^'"fDenyTSConnections"=' <<< "$values")
# and readd it with a value of 1
add_cleanup rm "$regfile"
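Review bot: the comment `# The current '\SYSTEM\CurrentContolSet\Control\Terminal Server' values` still misspells CurrentControlSet (the `$HIVEXGET` call right below it spells it correctly); fix the typo while touching the line. Also, `curval=$(grep ^'"fDenyTSConnections"=' <<< "$values"|cut -f2 -d:)` assumes the value is exported as `dword:<hex>` so that the second `:`-separated field is the hex digits; if the key is absent, `curval` is silently left empty with no explicit handling here, so consider recording that case (for example a separate flag) rather than letting an empty string flow into the restore step.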
......@@ -84,6 +85,16 @@ EOF
$HIVEXREGEDIT --merge "$hive" "$regfile"
# Ensure the value of fDenyTSConnections is re-set
# to its original Image-specific state after Setup has completed.
# TODO: Remove any snf-image specific <RunSynchronousCommand>
# segments from unattend.xml, since this task is now self-standing.
curval=$(printf "%d" "$curval")
echo "reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /f /v fDenyTSConnections /t REG_DWORD /d $curval" >> \
exit 0
# vim: set sta sts=4 shiftwidth=4 sw=4 et ai :
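Review bot: `curval=$(printf "%d" "$curval")` does not convert the hex digits taken from the `dword:` field: bash's printf parses the argument with base 0, so the leading zero makes it octal and any value containing `8`, `9` or `a`-`f` is rejected as an invalid number; use `curval=$((16#$curval))` instead. When the value was absent from the hive, `curval` is empty and printf yields 0, so the appended `reg add ... /d 0` enables RDP on an Image that never had the key, which is the unconditional enable the commit message sets out to avoid; skip writing the restore command when `curval` is empty.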