Although computers were once isolated and had little or no interaction with other computers, today's computers interact with a wide variety of other computers through Local Area Networks (LANs), Wide Area Networks (WANs), dial-up connections, and so forth. With the widespread growth of the Internet, connectivity between computers is becoming more important and has opened up many new applications and technologies. The growth of large-scale networks, and the widespread availability of low-cost personal computers, has fundamentally changed the way that many people work, interact, communicate, and play.
One increasingly popular form of networking may generally be referred to as virtual computing, in which protocols such as Remote Desktop Protocol (RDP), Independent Computing Architecture (ICA), and others are used to share a desktop and other applications with a remote client. Such computing systems typically transmit keyboard presses and mouse clicks or selections from the client to a server, relaying the screen updates back in the other direction over a network connection (e.g., the Internet). The user therefore has the experience of a machine operating as part of a LAN, when in reality the client device only receives rendered images of the applications as they appear on the server side.
In such virtual computing environments, clients typically rely on a configuration file (e.g., an RDP file) to provide a number of settings for the user's connection to the remote or terminal server. These settings include, but are not limited to, the server name, the username, device redirection options, remote program executables (i.e., applications accessible to the user), and other settings that specify how the virtual computing session is launched. As can be seen, these settings control virtually all aspects of a remote session, such as security protocols, display options including screen resolution and/or color depth, resource accessibility by the client and/or server (e.g., applications, drives, etc.), and other features and options.
Because these configuration files affect many sensitive (e.g., security and performance) aspects of a remote session, their settings are an important attack vector in many threats against both the client system and the remote or terminal server. Today, this attack vector can be completely under the attacker's control. For example, the configuration file can be constructed anonymously, and no information may be available to the client about its origin. Consequently, while launching a session the default user experience has to be designed for the worst-case, least-trusted scenario, with alarming warnings and frequent pop-ups that increase in complexity as the remote server feature set expands. These warnings are often inappropriate for the actual risk, which desensitizes users and trains them to ignore all warnings, a suboptimal result. The effect is unacceptable security, poor performance, and a bad user experience.
Nevertheless, there exists great potential for harm from such an attack. For instance, if a malicious entity could compromise the configuration file, the user may unintentionally expose the parts of their system that are controlled by the security-sensitive settings. For example, if the server name setting were compromised, a malicious entity could redirect the user to a rogue server. Furthermore, if the device redirection option were compromised as well, the malicious entity could choose to redirect the user's local disk to the malicious server. The server would then have access to the data on the user's local machine. In a remote program scenario, if the malicious entity compromises the remote program executable setting, they could choose to run a malicious application, e.g., "format C:", where "C:" could be the user's redirected local drive, thereby wiping the user's hard drive clean.
In addition to the settings that have security and performance implications, the configuration file contains a number of settings that should be modifiable by the user. For example, the user should typically be able to modify the color depth and resolution of their connection. Accordingly, the problem is to find a way to secure portions of a configuration file while still allowing a client to modify the settings that are less likely to be useful for attack purposes.
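The following is an added illustration, not code from the original document, of the partition described above: the RDP file is parsed, a keyed digest is computed over only the security-sensitive settings (server name, username, device redirection, remote program settings), and the digest is stored in the file so that later edits to display settings such as color depth still verify while edits to the protected settings do not. The set of protected keys, the `x-protected-mac` carrier setting, the HMAC construction, and the sample RDP file are all assumptions made for the example; the real RDP format carries `name:type:value` lines, which is the only part taken from the format itself.

```python
import hashlib
import hmac
from typing import List, Tuple

# Assumed partition: these RDP settings control where the session goes and
# what the server can reach on the client, so they are sealed. Everything
# else (resolution, color depth, ...) remains freely editable by the user.
PROTECTED_KEYS = {
    "full address", "username", "drivestoredirect", "redirectclipboard",
    "redirectprinters", "remoteapplicationmode", "remoteapplicationprogram",
    "remoteapplicationcmdline", "authentication level",
}

# Hypothetical setting name used to carry the digest inside the file.
MAC_KEY = "x-protected-mac"

# Constructed sample RDP file (not taken from any real deployment).
SAMPLE_RDP = """\
full address:s:ts01.corp.example
username:s:alice
drivestoredirect:s:
remoteapplicationmode:i:0
session bpp:i:32
desktopwidth:i:1920
desktopheight:i:1080
"""

Entry = Tuple[str, str, str]


def parse_rdp(text: str) -> List[Entry]:
    """Parse 'name:type:value' lines into (name, type, value) tuples.

    Names are lowercased so that 'Full Address' and 'full address' are the
    same setting; a line that does not have the three-part shape is rejected
    rather than silently ignored, since a parser that skips odd lines can be
    tricked into disagreeing with the client that later reads the file.
    """
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3 or parts[1] not in ("s", "i", "b"):
            raise ValueError(f"malformed RDP setting: {raw!r}")
        entries.append((parts[0].lower(), parts[1], parts[2]))
    return entries


def protected_digest(entries: List[Entry], key: bytes) -> str:
    """HMAC-SHA256 over the canonical form of the protected settings only."""
    protected = sorted(e for e in entries if e[0] in PROTECTED_KEYS)
    canon = "\n".join(f"{n}:{t}:{v}" for n, t, v in protected)
    return hmac.new(key, canon.encode("utf-8"), hashlib.sha256).hexdigest()


def seal(text: str, key: bytes) -> str:
    """Append the digest of the protected settings as an extra setting line."""
    entries = parse_rdp(text)
    if any(n == MAC_KEY for n, _, _ in entries):
        raise ValueError("file is already sealed")
    return text + f"{MAC_KEY}:s:{protected_digest(entries, key)}\n"


def verify(text: str, key: bytes) -> bool:
    """Return True only if every protected setting is unchanged since sealing.

    The MAC line is not in PROTECTED_KEYS, so it is excluded from the digest
    automatically; a file with no MAC line at all fails closed.
    """
    entries = parse_rdp(text)
    macs = [v for n, _, v in entries if n == MAC_KEY]
    if len(macs) != 1:
        return False
    expected = protected_digest(entries, key)
    return hmac.compare_digest(macs[0], expected)


def user_editable(text: str) -> List[str]:
    """Names of settings in the file that the user may change without breaking the seal."""
    return [n for n, _, _ in parse_rdp(text) if n not in PROTECTED_KEYS and n != MAC_KEY]


if __name__ == "__main__":
    k = b"example-key-held-by-the-publishing-admin"
    sealed = seal(SAMPLE_RDP, k)
    print("sealed verifies:", verify(sealed, k))
    print("user may edit:", user_editable(sealed))
    print("drive redirect enabled:", verify(sealed.replace("drivestoredirect:s:", "drivestoredirect:s:*"), k))
    print("color depth changed:", verify(sealed.replace("session bpp:i:32", "session bpp:i:16"), k))
```

The key in this example stands in for whatever secret or signing key the party publishing the file holds; a client can only check the seal if it has the corresponding verification material, which is the part of the design the example leaves as an assumption. The two `replace` calls in the usage block model the attacks from the paragraphs above: turning on drive redirection breaks the seal, while lowering the color depth does not.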