Sophos Endpoint

Discussions SATC and run-as sessions on the Terminal Server never logged out

Sophos Endpoint requires membership for participation - click to join

Thread Info

State Not Answered
Replies 2 replies
Subscribers 12 subscribers
Views 680 views
Users 0 members are here

Options

Suggested

SATC and run-as sessions on the Terminal Server never logged out

LHerzog 1 month ago

As we have opened a new case on it 07354794, I wonder if this is a known result, because I cannot find any information about it.

Scenario:

Fully setup SATC Client / Firewall for a Windows 2022 terminal server .

User logins on the firewall are working as expected (at least when adding manual iptable lines for SATC traffic on port 6060. Ref. Case: 06506059).

User A logs on the terminal server. SATC sends new login for User A to firewall.

Firewall shows User A as Thin Client User.

User A runs a program on the terminal server as User AB (run-as). SATC sends new login for User AB to firewall.

Firewall shows User A and user AB as Thin Client User.

User A closes the program run by User AB. SATC sends nothing to firewall.

Firewall still shows User A and user AB as Thin Client User.

User A logs off from the terminal server. SATC sends logout info for User A to firewall.

Firewall shows only user AB as Thin Client User.

This state will remain on the firewall forever until you manually disconnect the user on the firewall or you restart the terminal server.

Endpoint:

Licensed	Assigned	Version
Core Agent		2024.1.0.51 BETA
Sophos Intercept X		2024.1.0.45.1 BETA
Managed Detection and Response		2023.2.0.3
XDR		2024.1.0.51 BETA

Non-EAP Products also affected.

Firewall: SFOS 19.5.3

Updated the tags
[edited by: Gladys at 2:26 AM (GMT -7) on 30 May 2024]

Parents

0 LHerzog 1 month ago

I think the problem here is that windows does not create a logout event when a run-as process is terminated. I assume SATC is only checking some Logon Events in the Security Event Log.

This could probably be kept track of by SATC checking new "logon with explicit credentials" of the initial Logon ID like 0x3AE82D8 of User A creating new EventIDs 4648 and 4672 when using the run-as with User AB.

When the initial Logon ID 0x3AE82D8 is finally logged out of the Terminal Server with EventID 4647 followed by EventID 4634 the SATC could send a logoff information to the firewall for all user sessions spawned by User A.

I think it may be tricky if different users on a Terminal Server would be using the same user for run-as commands like User A and User B spawn a process by run-as with User XY. Where XY would be some Admin account on a remote system.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 LHerzog 1 month ago

I think the problem here is that windows does not create a logout event when a run-as process is terminated. I assume SATC is only checking some Logon Events in the Security Event Log.

This could probably be kept track of by SATC checking new "logon with explicit credentials" of the initial Logon ID like 0x3AE82D8 of User A creating new EventIDs 4648 and 4672 when using the run-as with User AB.

When the initial Logon ID 0x3AE82D8 is finally logged out of the Terminal Server with EventID 4647 followed by EventID 4634 the SATC could send a logoff information to the firewall for all user sessions spawned by User A.

I think it may be tricky if different users on a Terminal Server would be using the same user for run-as commands like User A and User B spawn a process by run-as with User XY. Where XY would be some Admin account on a remote system.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 LHerzog 16 days ago in reply to LHerzog

Development has confirmed the behavior. It seems this is a rare use case on terminal servers together with Sophos networking. Support for this may come in the future.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel