On Sun, Apr 19, 2020 at 12:03 AM Chris Misztur <[email protected]> wrote:
> This is worth bringing up again. As a Guacamole admin I have the ability
> to click on any connected user sessions and view/control without the user's
> permission.
>
> This is preventing us from completely eliminating MS RD Gateway for HR
> security reasons.

I can see both sides of this. On the one hand, if you don't trust the people administering your Guacamole instance to the point where they could see what's on a screen, do you really trust them? Say the active sharing could be completely disabled, or wasn't present at all - a rogue Guacamole admin could still create a connection that someone in HR would use that would pass all of that data through a Man-in-the-Middle trap and record everything. Or set the recording parameters of the Guacamole connection such that the entire screen session, including visible content, mouse clicks, and keystrokes, is recorded, and there would be no way for the HR person using that connection to know that this is going on.

I'll take a moment to point out that I'm reasonably certain the same would be true for the MS RDP Gateway connection - it is perfectly plausible that an admin could MITM or redirect traffic on that platform such that the end HR user wouldn't know the difference. So, should the ability for an admin to see the active session really be that big of a deal?? Also, I believe the admin access to the connections is audited in the History table the same as any other access, so there should be an audit trail.

On the other hand, it doesn't seem totally unreasonable to me to be able to turn this feature off if you so choose. Having been a part of environments in the past and audits in the present where you're asking about the level of access people have to certain data, I can certainly see situations where it'd be nice to be able to either tick that box for audit or security compliance purposes, or to give certain groups the feeling that they're protected.

I'll see if the other project folks want to weigh in on this - perhaps implementing either a global setting (guacamole.properties) to turn off the admin connection sharing across the board, or a per-connection parameter that makes the connection exclusive - does not allow anyone, even an admin, to join the connection - or both?

-Nick
