Allow remote desktop users to access a global Windows mutex
My environment:

  • Windows Server 2012 R2 with Remote Desktop Services installed on it.
  • Programming with C

Problem:

  1. User U1 connects to the Windows Server via RDP and creates a global mutex (CreateMutex with the Global\\ prefix)

    • User U1 creates the global Windows mutex with the following permissions:
      • CREATOR
      • SYSTEM
      • ADMINISTRATORS
  2. User U2 connects to the Windows Server via RDP and tries to get a handle to the global mutex

  3. U2 fails due to a lack of access rights (since U2 is not an admin, is not SYSTEM, and is not the creator either)

    • Received "Access is denied"

I tried to resolve the problem by adding one more permission, which is for the current AD domain users, and it worked.

Is this solution secure enough? In other words, what is the proper way of granting access rights to allow multiple RDP users to access the mutex?

Thank you

Ushas answered 28/6, 2018 at 9:9 Comment(6)
Simply set a security descriptor on the mutex which allows access to all. Say, set the DACL to 0. - Stratocracy

But it is a security vulnerability if I allow access to all. Could it be that I am wrong? And if yes, could you explain why it is not considered a security vulnerability? - Ushas

What is the security vulnerability? That you allow access for all to your custom mutex (which nobody except your software even knows about)? What sense is there for somebody to access this mutex (except to make your software work incorrectly)? - Stratocracy

Why not use an AD group or a builtin group such as Remote Desktop Users, Authenticated Users, Domain Users, etc.? - Actino

@Actino It sounds good, so which group is contained in the other? Should I allow both of the groups (RDP + Authenticated) to access my object, or is one of them enough? - Ushas

It's your choice, but ultimately it depends on who needs access to your mutex. Follow the A(D)GLP principle (en.wikipedia.org/wiki/AGDLP) and add the user to the group that actually requires access. @AnanKays - Actino

I used this code for remote desktop and mutex. The MutexSecurity is necessary to access an already open mutex in another RDP session.

        var mSec = new System.Security.AccessControl.MutexSecurity();

        // Add a rule that grants Everyone (the World SID) the
        // right to enter or release the mutex.
        var everyone = new System.Security.Principal.SecurityIdentifier(System.Security.Principal.WellKnownSidType.WorldSid, null);

        var rule = new System.Security.AccessControl.MutexAccessRule(everyone,
            System.Security.AccessControl.MutexRights.Synchronize | System.Security.AccessControl.MutexRights.Modify,
            System.Security.AccessControl.AccessControlType.Allow);
        mSec.AddAccessRule(rule);

        // Add a rule that denies Everyone the
        // right to change permissions on the mutex.
        rule = new System.Security.AccessControl.MutexAccessRule(everyone,
            System.Security.AccessControl.MutexRights.ChangePermissions,
            System.Security.AccessControl.AccessControlType.Deny);
        mSec.AddAccessRule(rule);

        // Create the mutex with this security; createdNew is false
        // when the mutex already existed.
        using (var mutex = new System.Threading.Mutex(false, "Global\\AnDietzeMutex", out bool createdNew, mSec))
        {
        }
Bathulda answered 18/10, 2023 at 13:2 Comment(0)
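
A C version for the question's Win32 setup, as an added example that is not part of the original posts: it grants only wait and release rights to a single group (the `RD` SDDL alias, Remote Desktop Users, as suggested in the comments) instead of to everyone. The function names, the `MUTEX_USE_RIGHTS` macro and the choice of full access for SYSTEM and Administrators are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
/* SYNCHRONIZE (0x00100000) | MUTEX_MODIFY_STATE (0x0001): wait and release only. */
#define MUTEX_USE_RIGHTS 0x00100001UL

/* Build the DACL as SDDL: full access for SYSTEM (SY) and Administrators (BA),
 * wait/release only for one group named by its two-letter SDDL alias ("RD",
 * "AU", ...). Returns 0 on success, -1 on a bad alias or too small a buffer. */
int build_mutex_sddl(const char *group_alias, char *out, size_t outlen)
{
    int n;
    if (group_alias == NULL || strlen(group_alias) != 2)
        return -1;
    n = snprintf(out, outlen, "D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;0x%lx;;;%s)",
                 MUTEX_USE_RIGHTS, group_alias);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

#ifdef _WIN32
#include <windows.h>
#include <sddl.h>
/* First session (U1): create the mutex with the explicit DACL. */
HANDLE create_shared_mutex(const char *name, const char *group_alias)
{
    char sddl[128];
    SECURITY_ATTRIBUTES sa = { sizeof(sa), NULL, FALSE };
    HANDLE h;
    if (build_mutex_sddl(group_alias, sddl, sizeof(sddl)) != 0 ||
        !ConvertStringSecurityDescriptorToSecurityDescriptorA(
            sddl, SDDL_REVISION_1, &sa.lpSecurityDescriptor, NULL))
        return NULL;
    h = CreateMutexA(&sa, FALSE, name);
    LocalFree(sa.lpSecurityDescriptor);
    return h;
}

/* Other sessions (U2): request only the rights the DACL grants. CreateMutex on
 * an existing mutex asks for MUTEX_ALL_ACCESS and fails with ERROR_ACCESS_DENIED. */
HANDLE open_shared_mutex(const char *name)
{
    return OpenMutexA(MUTEX_USE_RIGHTS, FALSE, name);
}
#endif

int main(void)
{
    char sddl[128];
    if (build_mutex_sddl("RD", sddl, sizeof(sddl)) == 0)
        puts(sddl); /* the DACL that create_shared_mutex() would apply */
    return 0;
}
```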
