How To Use ResHacker To Secure Your Terminal Server Environments
Everyone understands the need to lock down your Terminal servers so that (malicious) users cannot damage or compromise the system. It’s nice when Microsoft or other vendors provide you with tools to lockdown their software. Sometimes that isn’t the case and you have to get down and dirty. ResHacker is a tool that fits that description nicely.
This is how the creator of ResHacker, Angus Johnson, describes what his tool does: “Resource Hacker is a freeware utility to view, modify, rename, add, delete and extract resources in 32bit Windows executables and resource files (*.res). It incorporates an internal resource script compiler and decompiler and works on Win95, Win98, WinME, WinNT, Win2000 and WinXP operating systems.”
I always tend to describe it as a tool that lets you modify 32-bit applications, .dll, .ocx and .scr files. This means that you can “edit” applications: you can change dialogs in an application, change or remove graphics, or even remove access to certain application functionality.
Why Use ResHacker?
Indeed, why would you use ResHacker? Even if you have never used ResHacker before you read this article, the description of the program I gave (editing executables and DLLs) doesn’t quite put it up there in the mainstream lockdown tools area with, say, Group Policy. That’s nothing to worry about though, because ResHacker isn’t a tool that you want to use as your preferred lockdown tool, but rather a tool you put to use when all others have failed.
I think we can all think of applications that have certain options that you really don’t want users to access. I know I’ve used ResHacker a couple of times to lockdown an application that would otherwise have been unfit to be released in a production environment.
I can recall applications that would have a menu called “browse for program”. And if there’s no registry key or .ini file parameter to disable this kind of functionality, you’re basically stuck between a rock and a hard place.
Like I said, ResHacker is a very versatile tool you can use to manage all kinds of 32-bit applications. I’ve used it on a couple of occasions. Although I will not, for obvious reasons, use the applications I’ve used ResHacker on as an example, I can still give you a typical example of how you can use ResHacker to lock down an application in your environment.
Windows Task Manager
Task Manager is a decent tool as far as I’m concerned. However, by default it gives you a lot of information and options. In a Terminal Server environment, you might not want to have all those options available to your users. For example, the Set Priority option when right-clicking on a process in the “processes” tab isn’t an option you want your users to have.
There is however no way – as far as I know – to disable this functionality with something like Group Policy. The only option that Group Policy does allow is to remove access to Task Manager altogether. This is too much of a good thing, because Task Manager definitely offers users some useful options, like being able to end tasks from the “applications” tab.
This is where ResHacker comes in. Let’s take a look and see if we can “edit” task manager to suit our needs. Fire up ResHacker and browse to C:\Windows\system32 and open taskmgr.exe. This should look something like this:
The layout depicted above is one of an application that is well suited for “editing” with ResHacker. Typically, the “Menu” and “Dialog” folders are the places to be when you want to remove (access to) certain parts of the application.
In our case we want to get rid of the context menu that allows you to set the priority of a process. When you browse through the “Menu” and “Dialog” folders you’ll find lots of interesting stuff. For example, in dialog 121 you’re able to alter the columns that appear on the “processes” tab of Task Manager:
Fun stuff indeed, but not what we’re looking for. It turns out that the functionality we want to edit is in a menu called “Banana” (I guess some fruit-loving developer at Microsoft was doing a little too much overtime…). Anyway, if you take a look at the “Banana” menu you’ll see that this is probably the one that facilitates the context menu on a process in the processes tab of Task manager.
So how do we alter the menu to our needs? Well, you could start removing menu items on the right hand side of ResHacker and see what happens. I however think removing this context menu as a whole is no problem, as a user should never need to use this menu on a Terminal Server. So go ahead and delete the “1033” subfolder of the Menu called 111: right-click on the “1033” subfolder of Menu 111 and select “Delete Resource”.
After that you can save the file as something to your liking. Be sure to add the .exe extension to the file. When you execute this program you’ll see that the context menu in the “processes” tab of Task Manager is not available.
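To confirm that the saved copy really lost the “Banana” menu, here is an added example (not from this article) that walks the resource directory tree of a PE .rsrc section in Python and reports which Menu resources survive. It assumes you have already sliced the raw .rsrc section bytes out of the executable (for instance with the pefile library) and uses constructed sample sections in place of the real taskmgr.exe.

```python
import struct

# Resource type IDs from the PE spec; ResHacker's "Menu" and "Dialog" folders map to these.
RT_MENU, RT_DIALOG = 4, 5
DIR_HDR = struct.Struct("<IIHHHH")  # IMAGE_RESOURCE_DIRECTORY (16 bytes)
DIR_ENT = struct.Struct("<II")      # IMAGE_RESOURCE_DIRECTORY_ENTRY (8 bytes)

def walk_rsrc(rsrc):
    """Return the set of (type, id, lang) triples for every leaf of a raw .rsrc section."""
    leaves = set()
    def walk(off, path):
        hdr = DIR_HDR.unpack_from(rsrc, off)
        for i in range(hdr[4] + hdr[5]):           # named entries + ID entries
            ident, ptr = DIR_ENT.unpack_from(rsrc, off + DIR_HDR.size + i * DIR_ENT.size)
            if ptr & 0x80000000:                   # bit 31 set: points at a subdirectory
                walk(ptr & 0x7FFFFFFF, path + (ident,))
            else:                                  # otherwise a data entry, i.e. a leaf
                leaves.add(path + (ident,))
    walk(0, ())                                     # offsets are relative to the section start
    return leaves

def has_resource(rsrc, rtype, rid, lang):
    """True if the section still carries rtype/rid/lang (e.g. Menu 111, language 1033)."""
    return (rtype, rid, lang) in walk_rsrc(rsrc)

def menu_ids(rsrc):
    """Sorted (id, lang) pairs of all RT_MENU resources, i.e. ResHacker's Menu folder."""
    return sorted((rid, lang) for (t, rid, lang) in walk_rsrc(rsrc) if t == RT_MENU)

def build_rsrc(tree):
    """Serialise {type: {id: {lang: payload}}} into a raw .rsrc blob (constructed test data)."""
    blob = bytearray()
    def emit_dir(node):
        base = len(blob)
        items = sorted(node.items())
        blob.extend(DIR_HDR.pack(0, 0, 0, 0, 0, len(items)))
        ent_off = len(blob)
        blob.extend(bytes(DIR_ENT.size * len(items)))      # reserve entries, patched below
        for i, (ident, child) in enumerate(items):
            if isinstance(child, dict):
                ptr = 0x80000000 | emit_dir(child)
            else:                                           # data entry; RVA left 0 here
                ptr = len(blob)
                blob.extend(struct.pack("<IIII", 0, len(child), 0, 0))
            DIR_ENT.pack_into(blob, ent_off + i * DIR_ENT.size, ident, ptr)
        return base
    emit_dir(tree)
    return bytes(blob)

# Constructed stand-ins for taskmgr.exe's section before and after deleting Menu 111 / 1033.
ORIGINAL = build_rsrc({RT_MENU: {111: {1033: b"banana"}, 101: {1033: b"file"}},
                       RT_DIALOG: {121: {1033: b"columns"}}})
EDITED = build_rsrc({RT_MENU: {101: {1033: b"file"}}, RT_DIALOG: {121: {1033: b"columns"}}})
```

Only the directory tree is inspected, so the leaf data entries (whose RVAs point outside the section) are never dereferenced; a named resource shows up as an ident with bit 31 set.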
One can probably think of several other features that could be removed from task manager to make it better suited for use in Terminal Server environments. To this end I’ve created a very much stripped down Task Manager, called “TS Task Manager”. The “TS Task Manager” was created using only ResHacker.
This “TS Task Manager” basically only allows you to use the “applications” tab; everything else is disabled. I’ve posted this “TS Task Manager” to Thincomputing.net. The download is an .msi file which installs the “TS Task Manager” and redirects all calls to the old taskmgr.exe, but does not overwrite the original taskmgr executable. When using TS Task Manager you can safely give users access to the useful options of Task Manager and still preserve security. Download the “TS Task Manager” here. Be sure to read the readme!
Another common scenario in which Resource Hacker can be used is when an application needs to be branded. The company “look and feel” can easily be applied by replacing and editing the images in the “Bitmap” and “Icon” sections.
Remember that ResHacker is only suited for editing 32-bit code. If you need to edit 16 bit code, you could take a look at eXeScope ($20).
The disadvantages of using Resource Hacker to lock down your (Terminal Server) applications are obvious. “Editing” applications with ResHacker isn’t a nice and tidy solution and the results of editing an application with ResHacker are sometimes unpredictable. You should of course rigorously test your newfound application before you even think about getting it ready for production environments.
ResHacker does not work with every application. As you get more familiar with ResHacker you’ll see that some applications, for example, only allow you to alter the “Version Info”, which basically renders ResHacker useless. This is because of the way the program is coded and there’s not much you can do about it.
The biggest drawback however of using ResHacker is that you probably lose all right to support from the vendor associated with the application. This of course makes sense because basically what you’re doing is editing their code.
Using ResHacker to lock down your (Terminal Server) applications can be a lifesaver when all your other options have been exhausted. It usually goes even further than regular lockdown options go, but it is also a lot less refined. You could say that ResHacker’s strength is also its weakness.
You can download ResHacker here.