2017-08-28

Spying on your boss made easy ... courtesy of Microsoft SCCM

Update 30.08.: A decision was made as to what to do about this issue. The SCCM client will monitor the registry keys, acting as a kind of watchdog service, and will report by mail to a group of administrators any machine on which those values are modified.



Update 29.08.: Apparently "mstsc.exe" offers the same functionality, I was told. Add a DWORD called "shadow" under "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" and set the value to "2". After that you should be able to use the following command: mstsc.exe /shadow:<session ID> /control /noConsentPrompt /v:<remote machine>

This way the user will not even see a flickering mouse cursor. The only way to tell that someone is watching you like this is to check the task manager and look for the RDP processes.



Ever wanted to know what your boss is doing all day long? Are you using Microsoft SCCM for operating system and software deployment and do you have local admin privileges on your boss' computer? Then you are in luck!

This basically is a direct continuation of the "Unusual Microsoft remote assistance slowdown" story and even ties into the "VNC Heisenbug" to a degree.

But from the start ...




During my investigation of the unusual Microsoft remote assistance slowdown our resident SCCM guy came up with a quick way around the whole issue ... the "System Center Configuration Manager Remote Control" software. According to him it was "quick and already available on all computers" and, most importantly, apparently not affected by the Office animations issue that the regular "Microsoft Remote Assistance" software was facing.

I did not pay much attention to him at the time because I'm not interested in quick solutions; I prefer to figure out what the actual issue is and fix that instead. However, he was so set on this that he went ahead and got a button for "CmRcViewer.exe" added to our internal ticketing system so all support employees have easy access to it and can use it to provide remote assistance to our users.

During my investigation of the VNC Heisenbug he kept asking me why I was wasting my time on VNC. If all I wanted was to be able to log onto a user's existing session without having the remote user click on a prompt to allow the connection, I could just use the SCCM Remote software. Again, I was more interested in figuring out what actually happens with that VNC Heisenbug and I did not pay much attention to what the SCCM guy had just told me.

Then last week our hotline got a call from a user whose monitor had just died. But that user still had important documents open which she had not saved yet. Since the user was sitting in a remote office and it was already early afternoon there was no way our hardware team would be able to replace the monitor the same day. And asking the user to take the monitor from another workstation and connect it to her computer also was not an option.

So the hotline team came to me asking if I had any idea what we could do to help the user not lose a day's worth of work. At first, nothing useful came to mind since everything I could come up with required some kind of interaction from the user. But then I remembered what the SCCM guy said ... "without having the remote user click on a prompt to allow the connection I could just use the SCCM Remote software". This made me look into whether this was actually a thing, and apparently it was.

With some searching on the internet I quickly found what I was looking for: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Client\Client Components\Remote Control"

Under this path in the registry I found the option "Permission Required" which was set to "1". When I tried establishing a session with my test machine using "CmRcViewer.exe" I got a prompt on the test machine asking me if I wanted to accept the connection. Changing the value of "Permission Required" to "0" instead really got rid of that prompt.

Using this allowed me to help the user by establishing a connection to her computer, save all open documents and shut down the computer. The next day she would get a new monitor and everything would be well. Or at least it could have been...

Being able to establish a form of remote assistance session to any machine and to see the remote user's desktop without any kind of prompt was something that did not sit right with me. But at least the user would be able to tell that it was happening because of the extra title bar appearing at the top of the screen, like the one from remote desktop connections but in green. Or would they...

At this point I took a closer look at all the other options I saw in that registry key.


Permission Required - We already know this one. It turns off the prompt asking the user for permission to establish the session. Set it to "0" on the remote machine and the user will not be asked for permission.
PermittedViewers - Either an AD group or a single AD user that is allowed to establish a remote connection using this service.
RemCtrl Connection Bar - This turns the green bar at the top of the screen on and off.
RemCtrl Taskbar Icon - This turns off the small icon in the system tray that would otherwise indicate an active remote session.
BlockedInput - The SCCM Remote Control software allows the person running the viewer to turn off the local mouse and keyboard inputs on the remote machine. Really helpful for people who keep playing with their mouse drawing circles while you are trying to help them ... This option enables the block upon establishing the remote session.

So with a few edits to the registry of a remote machine I could establish a remote assistance session using the SCCM Remote Control software and the user would not get a prompt, would not see a title bar at the top of the screen, would not see a tray icon and would no longer be able to use his mouse or keyboard.

If I left out the mouse and keyboard block I could silently watch whatever the user was doing all day long. And he would not be able to notice. The only visual indicator that someone is watching you is a flickering mouse cursor. There are not even additional processes spawned, since the server part is always running on the client systems (at least on ours).

Ever wondered what your boss was doing all day long? Ever wanted to read all those confidential emails? Wait until your boss leaves his office and forgets to lock his workstation. Then just click your way through his Outlook mailbox.


The point where it got really nasty is when I realized that all this is possible by simply having the permissions to modify the values under "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Client\Client Components\Remote Control". And that is hardly a hurdle for anyone. Not only the 50-odd people working in the IT department have local admin privileges on all clients but also a bunch of "decentralized" admins only in charge of the computers in their respective department have local admin privileges on those computers. Any of those people could easily modify the permissions of the registry key and add their user to the ACL for future use when they maybe no longer have local admin privileges. The possibilities are endless.
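The registry values listed above and the ACL concern from this paragraph can be checked in one pass. The following audit script is an added example, not code from the original post or from Microsoft; the "safe" baseline values and the fixed list of identities that may legitimately hold write access are assumptions to adjust to your own environment.

```powershell
# Audits the SCCM Remote Control client settings and the key's ACL.
# Reports anything that would allow a remote session the user cannot notice.
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\SMS\Client\Client Components\Remote Control'

# Assumed baseline: every visual indicator on, consent required, input not blocked.
$Expected = @{
    'Permission Required'    = 1   # 0 = no consent prompt on the remote machine
    'RemCtrl Connection Bar' = 1   # 0 = green connection bar hidden
    'RemCtrl Taskbar Icon'   = 1   # 0 = tray icon hidden
    'BlockedInput'           = 0   # 1 = local mouse/keyboard blocked on connect
}
# Assumed set of identities that are expected to have write access to the key.
$TrustedWriters = '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators)$'

function Test-SccmRemoteControlConfig {
    [CmdletBinding()]
    param([string]$Path = $KeyPath, [hashtable]$Baseline = $Expected)

    $findings = @()
    if (-not (Test-Path $Path)) {
        return [pscustomobject]@{ Key = $Path; Findings = @('key not present') }
    }
    $props = Get-ItemProperty -Path $Path

    foreach ($name in $Baseline.Keys) {
        $actual = $props.$name
        if ($null -eq $actual) {
            $findings += "$name is missing (client default applies)"
        } elseif ([int]$actual -ne $Baseline[$name]) {
            $findings += "$name = $actual (expected $($Baseline[$name]))"
        }
    }
    # PermittedViewers is a list of principals, so report it rather than compare it.
    if ($props.PermittedViewers) {
        $findings += "PermittedViewers: $($props.PermittedViewers -join ', ')"
    }

    # Anyone who can SetValue on this key can flip the settings above. Local admins
    # always can, which is exactly the post's point, so the value checks above are
    # what catch their edits; this loop catches extra principals added to the ACL.
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $setValue = [System.Security.AccessControl.RegistryRights]::SetValue
        if ($ace.AccessControlType -eq 'Allow' -and
            (($ace.RegistryRights -band $setValue) -ne 0) -and
            ($ace.IdentityReference.Value -notmatch $TrustedWriters)) {
            $findings += "write access granted to $($ace.IdentityReference.Value)"
        }
    }
    [pscustomobject]@{ Key = $Path; Findings = $findings }
}

Test-SccmRemoteControlConfig | Format-List
```

Run it as a scheduled task or an SCCM compliance item; a non-empty Findings list is what the watchdog from the 30.08. update would mail out.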

So for now I have blocked the usage of "CmRcViewer.exe" with AppLocker via group policies until the people further up the food chain decide on what action to take.

