Adding logic to detect and log invalid RDP settings

remoting/host/desktop_session_win.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "remoting/host/desktop_session_win.h"
 
 #include <sddl.h>
 
 #include <limits>
 #include <memory>
@@ skipping 68 matching lines @@
 
 // Default dots per inch used by RDP is 96 DPI.
 const int kDefaultRdpDpi = 96;
 
 // The session attach notification should arrive within 30 seconds.
 const int kSessionAttachTimeoutSeconds = 30;
 
 // The default port number used for establishing an RDP session.
 const int kDefaultRdpPort = 3389;
 
+// Used for validating the required RDP registry values.
+const int kRdpConnectionsDisabled = 1;
+const int kNetworkLevelAuthEnabled = 1;
+const int kSecurityLayerTlsRequired = 2;
+
 // The values used to establish RDP connections are stored in the registry.
+const wchar_t kRdpSettingsKeyName[] =
+    L"SYSTEM\\CurrentControlSet\\Control\\Terminal Server";
 const wchar_t kRdpTcpSettingsKeyName[] = L"SYSTEM\\CurrentControlSet\\"
     L"Control\\Terminal Server\\WinStations\\RDP-Tcp";
 const wchar_t kRdpPortValueName[] = L"PortNumber";
+const wchar_t kDenyTsConnectionsValueName[] = L"fDenyTSConnections";
+const wchar_t kNetworkLevelAuthValueName[] = L"UserAuthentication";
+const wchar_t kSecurityLayerValueName[] = L"SecurityLayer";
 
 // DesktopSession implementation which attaches to the host's physical console.
 // Receives IPC messages from the desktop process, running in the console
 // session, via |WorkerProcessIpcDelegate|, and monitors console session
 // attach/detach events via |WtsConsoleObserver|.
 class ConsoleSession : public DesktopSessionWin {
  public:
   // Same as DesktopSessionWin().
   ConsoleSession(
     scoped_refptr<AutoThreadTaskRunner> caller_task_runner,
@@ skipping 67 matching lines @@
 
     // Points to the desktop session object receiving OnRdpXxx() notifications.
     base::WeakPtr<RdpSession> desktop_session_;
 
     // This class must be used on a single thread.
     base::ThreadChecker thread_checker_;
 
     DISALLOW_COPY_AND_ASSIGN(EventHandler);
   };
 
+  // Examines the system settings required to establish an RDP session.
+  // This method returns false if the values are retrieved and any of them would
+  // prevent us from creating an RDP connection.
+  bool VerifyRdpSettings();
+
   // Retrieves a DWORD value from the registry.  Returns true on success.
   bool RetrieveDwordRegistryValue(const wchar_t* key_name,
                                   const wchar_t* value_name,
                                   DWORD* value);
 
   // Used to create an RDP desktop session.
   base::win::ScopedComPtr<IRdpDesktopSession> rdp_desktop_session_;
 
   // Used to match |rdp_desktop_session_| with the session it is attached to.
   std::string terminal_id_;
@@ skipping 42 matching lines @@
                         monitor),
       weak_factory_(this) {
 }
 
 RdpSession::~RdpSession() {
 }
 
 bool RdpSession::Initialize(const ScreenResolution& resolution) {
   DCHECK(caller_task_runner()->BelongsToCurrentThread());
 
+  if (!VerifyRdpSettings()) {
+    LOG(ERROR) << "Could not create an RDP session due to invalid settings.";
+    return false;
+  }
+
   // Create the RDP wrapper object.
   HRESULT result = rdp_desktop_session_.CreateInstance(
       __uuidof(RdpDesktopSession));
   if (FAILED(result)) {
     LOG(ERROR) << "Failed to create RdpSession object, 0x"
                << std::hex << result << std::dec << ".";
     return false;
   }
 
   ScreenResolution local_resolution = resolution;
@@ skipping 62 matching lines @@
   // See http://crbug.com/137696.
   NOTIMPLEMENTED();
 }
 
 void RdpSession::InjectSas() {
   DCHECK(caller_task_runner()->BelongsToCurrentThread());
 
   rdp_desktop_session_->InjectSas();
 }
 
+bool RdpSession::VerifyRdpSettings() {
+  // Verify RDP connections are enabled.
+  DWORD deny_ts_connections_flag = 0;
+  if (RetrieveDwordRegistryValue(kRdpSettingsKeyName,
+                                 kDenyTsConnectionsValueName,
+                                 &deny_ts_connections_flag) &&
+      deny_ts_connections_flag == kRdpConnectionsDisabled) {
+    LOG(ERROR) << "RDP Connections must be enabled.";
+    return false;
+  }
+
+  // Verify Network Level Authentication is disabled.
+  DWORD network_level_auth_flag = 0;
+  if (RetrieveDwordRegistryValue(kRdpTcpSettingsKeyName,
+                                 kNetworkLevelAuthValueName,
+                                 &network_level_auth_flag) &&
+      network_level_auth_flag == kNetworkLevelAuthEnabled) {
+    LOG(ERROR) << "Network Level Authentication for RDP must be disabled.";
+    return false;
+  }
+
+  // Verify Security Layer is not set to TLS.  It can be either of the other two
+  // values, but forcing TLS will prevent us from establishing a connection.
+  DWORD security_layer_flag = 0;
+  if (RetrieveDwordRegistryValue(kRdpTcpSettingsKeyName,
+                                 kSecurityLayerValueName,
+                                 &security_layer_flag) &&
+      security_layer_flag == kSecurityLayerTlsRequired) {
+    LOG(ERROR) << "RDP SecurityLayer must not be set to TLS.";
+    return false;
+  }
+
+  return true;
+}
+
 bool RdpSession::RetrieveDwordRegistryValue(const wchar_t* key_name,
                                             const wchar_t* value_name,
                                             DWORD* value) {
   DCHECK(key_name);
   DCHECK(value_name);
   DCHECK(value);
 
   base::win::RegKey key(HKEY_LOCAL_MACHINE, key_name, KEY_READ);
   if (!key.Valid()) {
     LOG(WARNING) << "Failed to open key: " << key_name;
@@ skipping 309 matching lines @@
                                 exploded.hour,
                                 exploded.minute,
                                 exploded.second,
                                 exploded.millisecond,
                                 passed.c_str());
 
   last_timestamp_ = now;
 }
 
 }  // namespace remoting