Hi, perhaps a tick box for the users to disable this, which can be
overridden by an admin, but which action sends a notification to the user
that this has happened.
Would enable both sides to feel they have control :)

Nick Couchman wrote:
On Sun, Apr 19, 2020 at 12:03 AM Chris Misztur <[email protected]> wrote:
This is worth bringing up again. As a Guacamole admin I have the
ability to click on any connected user sessions and view/control
without the user's permission.
This is preventing us from completely eliminating MS RD Gateway
for HR security reasons.

I can see both sides of this. On the one hand, if you don't trust the
people administering your Guacamole instance to the point where they
could see what's on a screen, do you really trust them? Say the
active sharing could be completely disabled, or wasn't present at all
- a rogue Guacamole admin could still create a connection that someone
in HR would use that would pass all of that data through a
Man-in-the-Middle trap and record everything. Or set the recording
parameters of the Guacamole connection such that the entire screen
session, including visible content, mouse clicks, and keystrokes, are
recorded, and there would be no way for the HR person using that
connection to know that this is going on. I'll take a moment to point
out that I'm reasonably certain the same would be true for the MS RDP
Gateway connection - it is perfectly plausible that an admin could
MITM or redirect traffic on that platform such that the end HR user
wouldn't know the difference. So, should the ability for an admin to
see the active session really be that big of a deal?? Also, I believe
the admin access to the connections is audited in the History table
the same as any other access, so there should be an audit trail.

On the other hand, it doesn't seem totally unreasonable to me to be
able to turn this feature off if you so choose. Having been a part of
environments in the past and audits in the present where you're asking
about the level of access people have to certain data, I can certainly
see situations where it'd be nice to be able to either tick that box
for audit or security compliance purposes, or to give certain groups
the feeling that they're protected.

I'll see if the other project folks want to weigh in on this - perhaps
implementing either a global setting (guacamole.properties) to turn
off the admin connection sharing across the board, or a per-connection
parameter that makes the connection exclusive - does not allow anyone,
even an admin, to join the connection - or both?
-Nick
--
Regards
David Barber