r/sysadmin Blast the server with hot air Sep 14 '24

My business shares a single physical desktop with RDP open between 50 staff to use Adobe Acrobat Pro 2008. Question

I have now put a stop to this, but my boss "IT Director" tells me how great it was and what a shame it is that it's gone. I am now trying to find another solution, for free or very cheap, as I'm getting complaints about PDF Gear not handling editing their massive PDF files. They simply won't buy real licenses for everyone.

What's the solution here, and can someone put into words just how stupid the previous one was?

Edit - I forgot to say the machine was running Windows 8! The machine also ran all our network licenses and a heap of other unmaintained software, which I have slowly transferred to a Windows 10, soon 11 VM.

1.0k Upvotes


6

u/mdervin Sep 14 '24

How is this set up any more vulnerable than giving your users email?

I mean, if a hacker is getting through my modern firewall that I spend a lot of money on, avoiding my modern EDR which I spent a lot of money on, jumping through my patched and best practices AD and RDP, winds up exploiting a 2008 software that we haven’t spent a dime on which nukes the entire corporate system including backups…

You think the problem is the old adobe application?

7

u/[deleted] Sep 14 '24 edited 18d ago

[removed]

-1

u/mdervin Sep 14 '24

Well that’s OP’s fault, a segmented network doesn’t cost a thing.

1

u/[deleted] Sep 14 '24 edited 18d ago

[removed]

2

u/mdervin Sep 14 '24

Skill issue. You can spin up a *nix server to handle routing.

1

u/Mindestiny Sep 14 '24

No, the problem is all the serious security holes they opened on a long since EOS legacy endpoint so they could circumvent licensing requirements for said application.

This setup is in no way "equivalent to giving users email"

0

u/mdervin Sep 14 '24

How.

Tell us how a bad actor can exploit an Acrobat Pro on a Windows 8 machine but otherwise secured network.

4

u/Mindestiny Sep 14 '24

Joe from Accounting downloads a PDF that has a malicious script embedded in it.

If Joe opened that PDF on his patched workstation with his up to date PDF software, the exploit would be blocked - but he's not gonna do that. EDR software doesn't pick up on it because nothing was executed because the file was never opened.

Instead Joe sends that PDF over to an unpatched endpoint using an ancient version of Adobe Acrobat that is still vulnerable. Joe opens PDF, exploit runs successfully, code is executed, endpoint is compromised and gives the attacker a direct backdoor to the "secure" network, where they can then do whatever they want - deploy ransomware, laterally attack other systems, exfiltrate data, you name it.

-1

u/mdervin Sep 14 '24

2

u/Mindestiny Sep 14 '24

That doesn't at all address the risk. You wanted an example of a valid attack vector, I gave you one. "Skill issue" indeed.

-1

u/mdervin Sep 14 '24

You are bringing up an attack vector that is eliminated by a 15 year old registry setting.

0

u/Mindestiny Sep 15 '24

I'm not even going to keep arguing with you about this, it's clear you have no intention of actually having a conversation and you're otherwise just wrong.

0

u/[deleted] Sep 15 '24

[removed]

0

u/Mindestiny Sep 16 '24

And now you're name calling, classy.


1

u/Mammoth_Loan_984 Sep 15 '24

It very much feels like you’re being obtuse on purpose.

Do you often find joy in finding contrarian viewpoints to argue?

0

u/mdervin Sep 15 '24

I’m not being obtuse, I’m just calling securitards out for being hysterical bed-wetters.

1

u/Mammoth_Loan_984 Sep 15 '24

The issue is you’re coming up with all these exceptions and workarounds to a problem more easily solved by: simply not running a win 8 machine that 50 end users regularly access for an unlicensed product via RDP.

Sure you can do everything you just mentioned, creating a Rube Goldberg machine which then requires constant upkeep and maintenance. Of course it's technically possible.

Or, more simply, you can come up with a real solution.

0

u/mdervin Sep 15 '24

Do I spend 5,000 a year for software or do I spend 45 minutes locking down a machine?

1

u/Mammoth_Loan_984 Sep 15 '24 edited Sep 15 '24

Git gud

1

u/EnergyPanther Sep 14 '24

You are comparing email, a critical business function that really doesn't have an alternative, to whatever this RDP to pdf situation is?

No wonder there is always tension between IT and security. How does anyone think having a single computer with tons of RDP sessions on it (watering hole) is like having email? If orgs weren't getting absolutely demolished by ransomware left and right I'd be laughing.

1

u/mdervin Sep 14 '24

That’s the problem with security people, they have so little technical expertise, the only solutions involve a five figure outlay.

Come up with a real world risk for this situation.

JavaScript is disabled.

Passwords are cycled

MFA is enabled for VPN access.

1

u/EnergyPanther Sep 14 '24

Oh no JavaScript is disabled? It's a shame there aren't literally dozens of other options for payloads! Got me there. As an aside -- did you know that sending a password-protected zip that contains a barely customized Cobalt Strike beacon inflated to >70MB can run in environments running MDE or CrowdStrike? Yeah imagine my surprise!

Let's say I somehow figure out how to make a payload that isn't js (apparently impossible)...wow look at that, passwordless access! I hope your users don't store sensitive material in documents or the browser...oh wait you probably enforce frequent password rotation so yeah I'm sure they do. Plus if I'm able to get local admin/system on the beachhead machine, your passwords mean nothing when I can steal session tokens.

I actually laughed about the MFA on a VPN. Cool, you've made password spraying / brute forcing more difficult. See above why that doesn't matter. It should obviously still be implemented though so gold star for you!

Ya know, the condescending talk about security people having 'so little technical expertise' is actually less insulting after your real brain buster of a situation. Plus the fact that you're apparently ok with the situation OP described. A SIXTEEN year old Adobe product (i.e. riddled with vulnerabilities) sitting on a Win 8 machine (lol) that has probably half of the organization's credentials/tokens on it at any given time.
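The credential-concentration risk raised in the comment above (dozens of accounts' RDP sessions landing on one shared box) is something a defender can measure from the Windows Security log. This is an added example, not code from the thread: it counts distinct RemoteInteractive (LogonType 10) logons per host over constructed 4624/4625 records in a simplified one-line-per-event form, and the threshold is an arbitrary workstation baseline chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample, not real data: one Windows Security event per line in a
# simplified key=value export. 4624 = successful logon, 4625 = failed logon,
# LogonType 10 = RemoteInteractive (RDP), LogonType 2 = local console.
SAMPLE_LOGONS = """
2024-09-13T08:01:12 EventID=4624 Computer=ACRO-BOX LogonType=10 TargetUserName=jsmith
2024-09-13T08:02:40 EventID=4624 Computer=ACRO-BOX LogonType=10 TargetUserName=aroy
2024-09-13T08:05:03 EventID=4624 Computer=ACRO-BOX LogonType=10 TargetUserName=kchen
2024-09-13T08:07:55 EventID=4624 Computer=ACRO-BOX LogonType=10 TargetUserName=jsmith
2024-09-13T08:09:18 EventID=4624 Computer=ACRO-BOX LogonType=10 TargetUserName=mpatel
2024-09-13T08:11:42 EventID=4624 Computer=ACRO-BOX LogonType=10 TargetUserName=lgarcia
2024-09-13T08:12:09 EventID=4624 Computer=ACRO-BOX LogonType=10 TargetUserName=tnguyen
2024-09-13T08:14:31 EventID=4624 Computer=ACRO-BOX LogonType=2 TargetUserName=localadmin
2024-09-13T08:15:00 EventID=4625 Computer=ACRO-BOX LogonType=10 TargetUserName=jsmith
2024-09-13T08:16:27 EventID=4624 Computer=WS-JSMITH LogonType=10 TargetUserName=jsmith
2024-09-13T08:20:00 EventID=4624 Computer=WS-JSMITH LogonType=2 TargetUserName=jsmith
"""

LOGON_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) Computer=(?P<host>\S+) "
    r"LogonType=(?P<ltype>\d+) TargetUserName=(?P<user>\S+)$"
)

def parse_logons(text):
    """Yield (timestamp, host, logon_type, user) for each successful logon (4624).
    Malformed lines and failed logons (4625) are skipped."""
    for line in text.strip().splitlines():
        m = LOGON_RE.match(line.strip())
        if m and m.group("eid") == "4624":
            yield m.group("ts"), m.group("host"), int(m.group("ltype")), m.group("user")

def rdp_user_fanin(text):
    """Map each host to the set of distinct accounts that logged on over RDP.
    Only LogonType 10 counts; console logons are a different exposure."""
    fanin = defaultdict(set)
    for _ts, host, ltype, user in parse_logons(text):
        if ltype == 10:
            fanin[host].add(user)
    return fanin

def flag_shared_rdp_hosts(text, threshold=3):
    """Return hosts whose distinct RDP user count exceeds `threshold` (an
    arbitrary workstation baseline for this example). Every account listed has
    left logon material on one machine, so compromising it exposes all of them."""
    return sorted(h for h, users in rdp_user_fanin(text).items() if len(users) > threshold)
```

On a real estate the same query is usually run against a SIEM over a longer window; a desktop OS serving many more distinct RDP users than it has seats is the shape of the setup OP described.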

1

u/mdervin Sep 14 '24

So you don’t have any way to get it on the machine.

0

u/EnergyPanther Sep 15 '24

Yeah users definitely never follow links, open random attachments downloaded from the internet, follow Google ad links that lead to malicious files, visit a compromised site that's been hijacked for drive by downloads, etc etc. Ready to move those goalposts?

Honestly the fact that you think disabling js (LOL I just saw your link from 2010 about disabling js in PDFs, as if PDF weaponization hasn't advanced in the past 15 years! literally laughed out loud, thank you), cycling passwords, and having MFA enabled on a VPN makes your environment bulletproof just goes to show how out of touch you are with security. Additionally the fact that I need to spell out how these malicious vectors can end up in your environment really reveals how little you know about TTPs employed by threat actors, from skids up to advanced threats.

You do you boo. I hope for your sake your ignorance doesn't bite your org...or more importantly, the users and their data you are probably putting at risk. ✌

1

u/mdervin Sep 15 '24

So that’s simple enough, just block internet access for that windows 8 machine.