This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Antonis_Hassiot
Contributor
‎2022-06-14 05:23 AM
Jump to solution

Restrict RDP clipboard access with Harmony Endpoint when using Remote access.

I am trying to ensure that users that log on to VPN and RDP to their machine, can't copy/paste text/files over the RDP session. 

In Windows 10 this is controlled by the following registry: HKLM/SOFTWARE\Microsoft\Terminal Server Client\DisableClipboardRedirection. Set REG_DWORD to 1 for disable, 0 for enable clipboard.

clipboard.PNG

You can create a Compliance->Applications/Files check -> Modify and check registry, input the above key name in the registry value name, check REG_DWORD under "Reg type" and Exist under "Check registry key and value". 

redirection.PNG

The problem is that it seems the compliance check, goes and checks the wrong registry location. I found this is the case, by selecting Action=Update. I found that it updated the following location: HKLM/SOFTWARE\WOW6432Node\Microsoft\Terminal Server Client\DisableClipboardRedirection. So it's adding WOW6432Node in the registry path. 
Any idea on why this happens and how to resolve it? 

Setting the REG_DWORD to 1 on the WOW6432Node path doesn't disable the Clipboard in RDP. 

The machine running Harmony Endpoint is Windows 10 x64. 

1 Solution

Accepted Solutions
kwo
Participant
‎2022-06-19 07:06 AM
Jump to solution

I had the same issue with another key under HKLM\Software in the past and according to TAC Compliance blade on 64-Bit windows checks are checking both 64-Bit and 32-Bit location of the registry but can only remediate the 32-Bit RegKey.

Therefore you have to workaround this by using a remediation batch script that will explicitly set the 64-Bit Key.

Example remediation batch script content (everything in one line):

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Terminal Server Client" /v DisableClipboardRedirection /t REG_DWORD /d 1 /f /reg:64

this is because the Compliance blade is running as a 32-Bit process

 

 

View solution in original post

5 Replies
PhoneBoy
Admin
Admin
‎2022-06-17 02:33 PM
Jump to solution

WOW6432Node is the correct path, at least according to this: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

0 Kudos
kwo
Participant
‎2022-06-19 07:06 AM
Jump to solution

I had the same issue with another key under HKLM\Software in the past and according to TAC Compliance blade on 64-Bit windows checks are checking both 64-Bit and 32-Bit location of the registry but can only remediate the 32-Bit RegKey.

Therefore you have to workaround this by using a remediation batch script that will explicitly set the 64-Bit Key.

Example remediation batch script content (everything in one line):

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Terminal Server Client" /v DisableClipboardRedirection /t REG_DWORD /d 1 /f /reg:64

this is because the Compliance blade is running as a 32-Bit process

 

 

Antonis_Hassiot
Contributor
‎2022-06-21 08:59 AM
In response to kwo
Jump to solution

When I input the above line under "Registry value", it fails to Save the configuration. I guess something is wrong with the statement. I am running 81.10 on a cloud server. Is there some documentation on how to write the statement for this version? I see that different versions position the 'reg add' verb in different locations in the statement.  

0 Kudos
kwo
Participant
‎2022-06-21 02:00 PM
In response to Antonis_Hassiot
Jump to solution

You can't put this into the value field. You have to define a remediation action and use the above line in a .bat file hosted on a webserver and downloadable from all clients

0 Kudos
Antonis_Hassiot
Contributor
‎2022-06-24 02:36 AM
In response to kwo
Jump to solution

Thanks. 

I tried a remediation action to run the .bat file from an internet located web server and also from a location on the client PC (File://C:\Program Files (x86)\Checkpoint), but I get the same error in both cases: 

clired.png

When I perform a curl, it downloads the file from the URL fine. Also when I test running the .bat file manually with admin rights, it adds the registry key ok.  Not sure if it's rights issue. I use Run as System option.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events