RDP nego: add options to disable target connection fallbacks (WAB-10220)

What can be fallback: - NLA Kerberos authentication fail -> fallback to NLA NTLM authentication - NLA authentication fail -> fallback to TLS connection only In this case, will try authentication RDP logon then windows login screen - Target has disabled TLS -> fallback to RDP legacy *Very* legacy target
wallix · May 30, 2024 · 1fda00f · 1fda00f
1 parent 3b8ef7c
commit 1fda00f
Show file tree

Hide file tree

Showing 26 changed files with 322 additions and 84 deletions.
diff --git a/projects/redemption_configs/autogen/doc/acl_dialog.txt b/projects/redemption_configs/autogen/doc/acl_dialog.txt
@@ -64,6 +64,14 @@ cfg::mod_rdp::enable_nla ⇐ mod_rdp:enable_nla   [bool]
 cfg::mod_rdp::enable_kerberos ⇐ mod_rdp:enable_kerberos   [bool]
     If enabled, NLA authentication will try Kerberos before NTLM.
     (if enable_nla is disabled, this value is ignored).
+cfg::mod_rdp::allow_nla_ntlm_fallback ⇐ mod_rdp:allow_nla_ntlm_fallback   [bool]
+    Allow NTLM fallback if Kerberos authentication fail.
+    (if enable_kerberos is disabled, this value is ignored).
+cfg::mod_rdp::allow_tls_only_fallback ⇐ mod_rdp:allow_tls_only_fallback   [bool]
+    Allow TLS only fallback if NLA authentication fail.
+    (if enable_nla is disabled, this value is ignored).
+cfg::mod_rdp::allow_rdp_legacy_fallback ⇐ mod_rdp:allow_rdp_legacy_fallback   [bool]
+    Allow Standard RDP Security (Legacy) fallback if TLS connection fail.
 cfg::mod_rdp::tls_min_level ⇐ mod_rdp:tls_min_level   [uint32_t]
     Minimal incoming TLS level 0=TLSv1, 1=TLSv1.1, 2=TLSv1.2, 3=TLSv1.3
 cfg::mod_rdp::tls_max_level ⇐ mod_rdp:tls_max_level   [uint32_t]

diff --git a/projects/redemption_configs/autogen/doc/config.json b/projects/redemption_configs/autogen/doc/config.json
@@ -754,6 +754,37 @@
       "aclToProxy": true,
       "logStategy": "1"
     },
+    {
+      "section": "mod_rdp",
+      "name": "allow_nla_ntlm_fallback",
+      "type": "bool",
+      "value": true,
+      "description": "Allow NTLM fallback if Kerberos authentication fail.\n(if enable_kerberos is disabled, this value is ignored).",
+      "rdp": true,
+      "aclToProxy": true,
+      "logStategy": "1"
+    },
+    {
+      "section": "mod_rdp",
+      "name": "allow_tls_only_fallback",
+      "type": "bool",
+      "value": true,
+      "description": "Allow TLS only fallback if NLA authentication fail.\n(if enable_nla is disabled, this value is ignored).",
+      "rdp": true,
+      "aclToProxy": true,
+      "logStategy": "1"
+    },
+    {
+      "section": "mod_rdp",
+      "name": "allow_rdp_legacy_fallback",
+      "type": "bool",
+      "value": true,
+      "description": "Allow Standard RDP Security (Legacy) fallback if TLS connection fail.",
+      "rdp": true,
+      "aclToProxy": true,
+      "advanced": true,
+      "logStategy": "1"
+    },
     {
       "section": "mod_rdp",
       "name": "tls_min_level",

diff --git a/projects/redemption_configs/autogen/include/configs/autogen/acl_and_spec_type.hpp b/projects/redemption_configs/autogen/include/configs/autogen/acl_and_spec_type.hpp
@@ -83,6 +83,9 @@ template<> struct acl_and_spec_type<cfg::mod_rdp::open_session_timeout> { using
 template<> struct acl_and_spec_type<cfg::mod_rdp::disabled_orders> { using type = ::configs::spec_types::list<unsigned>; };
 template<> struct acl_and_spec_type<cfg::mod_rdp::enable_nla> { using type = bool; };
 template<> struct acl_and_spec_type<cfg::mod_rdp::enable_kerberos> { using type = bool; };
+template<> struct acl_and_spec_type<cfg::mod_rdp::allow_nla_ntlm_fallback> { using type = bool; };
+template<> struct acl_and_spec_type<cfg::mod_rdp::allow_tls_only_fallback> { using type = bool; };
+template<> struct acl_and_spec_type<cfg::mod_rdp::allow_rdp_legacy_fallback> { using type = bool; };
 template<> struct acl_and_spec_type<cfg::mod_rdp::tls_min_level> { using type = uint32_t; };
 template<> struct acl_and_spec_type<cfg::mod_rdp::tls_max_level> { using type = uint32_t; };
 template<> struct acl_and_spec_type<cfg::mod_rdp::cipher_string> { using type = std::string; };

diff --git a/projects/redemption_configs/autogen/include/configs/autogen/authid.hpp b/projects/redemption_configs/autogen/include/configs/autogen/authid.hpp
@@ -5,5 +5,5 @@
 namespace configs
 {
     enum class authid_t : unsigned;
-    constexpr authid_t max_authid {245};
+    constexpr authid_t max_authid {248};
 }
diff --git a/projects/redemption_configs/autogen/include/configs/autogen/cfg_ini_pack.hpp b/projects/redemption_configs/autogen/include/configs/autogen/cfg_ini_pack.hpp
@@ -67,6 +67,9 @@ cfg::mod_rdp::open_session_timeout,
 cfg::mod_rdp::disabled_orders,
 cfg::mod_rdp::enable_nla,
 cfg::mod_rdp::enable_kerberos,
+cfg::mod_rdp::allow_nla_ntlm_fallback,
+cfg::mod_rdp::allow_tls_only_fallback,
+cfg::mod_rdp::allow_rdp_legacy_fallback,
 cfg::mod_rdp::tls_min_level,
 cfg::mod_rdp::tls_max_level,
 cfg::mod_rdp::cipher_string,
@@ -357,6 +360,9 @@ constexpr SectionAndName const ini_names[] = {
 {"mod_rdp"_zv, "disabled_orders"_zv},
 {"mod_rdp"_zv, "enable_nla"_zv},
 {"mod_rdp"_zv, "enable_kerberos"_zv},
+{"mod_rdp"_zv, "allow_nla_ntlm_fallback"_zv},
+{"mod_rdp"_zv, "allow_tls_only_fallback"_zv},
+{"mod_rdp"_zv, "allow_rdp_legacy_fallback"_zv},
 {"mod_rdp"_zv, "tls_min_level"_zv},
 {"mod_rdp"_zv, "tls_max_level"_zv},
 {"mod_rdp"_zv, "cipher_string"_zv},

diff --git a/projects/redemption_configs/autogen/include/configs/autogen/cp_mapping.hpp b/projects/redemption_configs/autogen/include/configs/autogen/cp_mapping.hpp
@@ -16,6 +16,9 @@ cp_spec = {
         ('mod_rdp:disabled_orders', 'disabled_orders', "27"),
         ('mod_rdp:enable_nla', 'enable_nla', True),
         ('mod_rdp:enable_kerberos', 'enable_kerberos', False),
+        ('mod_rdp:allow_nla_ntlm_fallback', 'allow_nla_ntlm_fallback', True),
+        ('mod_rdp:allow_tls_only_fallback', 'allow_tls_only_fallback', True),
+        ('mod_rdp:allow_rdp_legacy_fallback', 'allow_rdp_legacy_fallback', True),
         ('mod_rdp:tls_min_level', 'tls_min_level', 0),
         ('mod_rdp:tls_max_level', 'tls_max_level', 0),
         ('mod_rdp:cipher_string', 'cipher_string', "ALL"),

diff --git a/projects/redemption_configs/autogen/include/configs/autogen/rdp_cp_spec.hpp b/projects/redemption_configs/autogen/include/configs/autogen/rdp_cp_spec.hpp
@@ -66,6 +66,18 @@ enable_nla = boolean(default=True)
 # (if enable_nla is disabled, this value is ignored).
 enable_kerberos = boolean(default=False)
 
+# Allow NTLM fallback if Kerberos authentication fail.
+# (if enable_kerberos is disabled, this value is ignored).
+allow_nla_ntlm_fallback = boolean(default=True)
+
+# Allow TLS only fallback if NLA authentication fail.
+# (if enable_nla is disabled, this value is ignored).
+allow_tls_only_fallback = boolean(default=True)
+
+# Allow Standard RDP Security (Legacy) fallback if TLS connection fail.
+#_advanced
+allow_rdp_legacy_fallback = boolean(default=True)
+
 # Minimal incoming TLS level 0=TLSv1, 1=TLSv1.1, 2=TLSv1.2, 3=TLSv1.3
 tls_min_level = integer(min=0, default=0)
 

diff --git a/projects/redemption_configs/autogen/include/configs/autogen/set_value.tcc b/projects/redemption_configs/autogen/include/configs/autogen/set_value.tcc
@@ -595,6 +595,30 @@ void Inifile::ConfigurationHolder::set_value(zstring_view key, zstring_view valu
                 value
             );
         }
+        else if (key == "allow_nla_ntlm_fallback"_zv) {
+            ::config_parse_and_log(
+                this->section_name, key.c_str(),
+                static_cast<cfg::mod_rdp::allow_nla_ntlm_fallback&>(this->variables).value,
+                ::configs::spec_type<bool>{},
+                value
+            );
+        }
+        else if (key == "allow_tls_only_fallback"_zv) {
+            ::config_parse_and_log(
+                this->section_name, key.c_str(),
+                static_cast<cfg::mod_rdp::allow_tls_only_fallback&>(this->variables).value,
+                ::configs::spec_type<bool>{},
+                value
+            );
+        }
+        else if (key == "allow_rdp_legacy_fallback"_zv) {
+            ::config_parse_and_log(
+                this->section_name, key.c_str(),
+                static_cast<cfg::mod_rdp::allow_rdp_legacy_fallback&>(this->variables).value,
+                ::configs::spec_type<bool>{},
+                value
+            );
+        }
         else if (key == "tls_min_level"_zv) {
             ::config_parse_and_log(
                 this->section_name, key.c_str(),

diff --git a/projects/redemption_configs/autogen/include/configs/autogen/str_authid.hpp b/projects/redemption_configs/autogen/include/configs/autogen/str_authid.hpp
@@ -31,6 +31,9 @@ namespace configs
         "mod_rdp:disabled_orders"_zv,
         "mod_rdp:enable_nla"_zv,
         "mod_rdp:enable_kerberos"_zv,
+        "mod_rdp:allow_nla_ntlm_fallback"_zv,
+        "mod_rdp:allow_tls_only_fallback"_zv,
+        "mod_rdp:allow_rdp_legacy_fallback"_zv,
         "mod_rdp:tls_min_level"_zv,
         "mod_rdp:tls_max_level"_zv,
         "mod_rdp:cipher_string"_zv,

diff --git a/projects/redemption_configs/autogen/include/configs/autogen/str_ini.hpp b/projects/redemption_configs/autogen/include/configs/autogen/str_ini.hpp
@@ -370,6 +370,24 @@ R"gen_config_ini(## Config file for RDP proxy.
 # (acl config: proxy ⇐ mod_rdp:enable_kerberos)
 #enable_kerberos = 0
 
+# Allow NTLM fallback if Kerberos authentication fail.
+# (if enable_kerberos is disabled, this value is ignored).
+# (type: boolean (0/no/false or 1/yes/true))
+# (acl config: proxy ⇐ mod_rdp:allow_nla_ntlm_fallback)
+#allow_nla_ntlm_fallback = 1
+
+# Allow TLS only fallback if NLA authentication fail.
+# (if enable_nla is disabled, this value is ignored).
+# (type: boolean (0/no/false or 1/yes/true))
+# (acl config: proxy ⇐ mod_rdp:allow_tls_only_fallback)
+#allow_tls_only_fallback = 1
+
+# Allow Standard RDP Security (Legacy) fallback if TLS connection fail.
+# (type: boolean (0/no/false or 1/yes/true))
+#_advanced
+# (acl config: proxy ⇐ mod_rdp:allow_rdp_legacy_fallback)
+#allow_rdp_legacy_fallback = 1
+
 # Minimal incoming TLS level 0=TLSv1, 1=TLSv1.1, 2=TLSv1.2, 3=TLSv1.3
 # (min = 0)
 # (acl config: proxy ⇐ mod_rdp:tls_min_level)