Hi Nick, The way I see it, there's an in between as well It would be great to have an option where, when you join the connection, it at least pops up a box at the bottom corner of the users screen and reports the user who has joined the session. This way, at least the user knows that it's happened. That's the way I'd run mine.
Jason. On Apr. 22, 2020, 9:48 p.m., at 9:48 p.m., Nick Couchman <[email protected]> wrote: >On Sun, Apr 19, 2020 at 12:03 AM Chris Misztur <[email protected]> >wrote: > >> This is worth bringing up again. As a Guacamole admin I have the >ability >> to click on any connected user sessions and view/control without the >user's >> permission. >> >> This is preventing us from completely eliminating MS RD Gateway for >HR >> security reasons. >> >> >I can see both sides of this. On the one hand, if you don't trust the >people administering your Guacamole instance to the point where they >could >see what's on a screen, do you really trust them? Say the active >sharing >could be completely disabled, or wasn't present at all - a rogue >Guacamole >admin could still create a connection that someone in HR would use that >would pass all of that data through a Man-in-the-Middle trap and record >everything. Or set the recording parameters of the Guacamole >connection >such that the entire screen session, including visible content, mouse >clicks, and keystrokes, are recorded, and there would be no way for the >HR >person using that connection to know that this is going on. I'll take >a >moment to point out that I'm reasonably certain the same would be true >for >the MS RDP Gateway connection - it is perfectly plausible that an admin >could MITM or redirect traffic on that platform such that the end HR >user >wouldn't know the difference. So, should the ability for an admin to >see >the active session really be that big of a deal?? Also, I believe the >admin access to the connections is audited in the History table the >same as >any other access, so there should be an audit trail. > >On the other hand, it doesn't seem totally unreasonable to me to be >able to >turn this feature off if you so choose. Having been a part of >environments >in the past and audits in the present where you're asking about the >level >of access people have to certain data, I can certainly see situations >where >it'd be nice to be able to either tick that box for audit or security >compliance purposes, or to give certain groups the feeling that they're >protected. > >I'll see if the other project folks want to weigh in on this - perhaps >implementing either a global setting (guacamole.properties) to turn off >the >admin connection sharing across the board, or a per-connection >parameter >that makes the connection exclusive - does not allow anyone, even an >admin, >to join the connection - or both? > >-Nick
