Add FreeRDP_RestrictedAdminModeSupported for server-side

include/freerdp/settings_types_private.h

@@ -289,7 +289,8 @@ struct rdp_settings
 	SETTINGS_DEPRECATED(ALIGN64 BOOL AadSecurity);                  /* 1112 */
 	SETTINGS_DEPRECATED(ALIGN64 char* WinSCardModule);              /* 1113 */
 	SETTINGS_DEPRECATED(ALIGN64 BOOL RemoteCredentialGuard);        /* 1114 */
-	UINT64 padding1152[1152 - 1115];                                /* 1115 */
+	SETTINGS_DEPRECATED(ALIGN64 BOOL RestrictedAdminModeSupported); /* 1115 */
+	UINT64 padding1152[1152 - 1116];                                /* 1116 */
 
 	/* Connection Cookie */
 	SETTINGS_DEPRECATED(ALIGN64 BOOL MstscCookieMode);      /* 1152 */

libfreerdp/common/settings_getters.c

@@ -493,6 +493,9 @@ BOOL freerdp_settings_get_bool(WINPR_ATTR_UNUSED const rdpSettings* settings,
 		case FreeRDP_RestrictedAdminModeRequired:
 			return settings->RestrictedAdminModeRequired;
 
+		case FreeRDP_RestrictedAdminModeSupported:
+			return settings->RestrictedAdminModeSupported;
+
 		case FreeRDP_SaltedChecksum:
 			return settings->SaltedChecksum;
 
@@ -1245,6 +1248,10 @@ BOOL freerdp_settings_set_bool(WINPR_ATTR_UNUSED rdpSettings* settings,
 			settings->RestrictedAdminModeRequired = cnv.c;
 			break;
 
+		case FreeRDP_RestrictedAdminModeSupported:
+			settings->RestrictedAdminModeSupported = cnv.c;
+			break;
+
 		case FreeRDP_SaltedChecksum:
 			settings->SaltedChecksum = cnv.c;
 			break;

libfreerdp/common/settings_str.h

@@ -207,6 +207,8 @@ static const struct settings_str_entry settings_map[] = {
 	{ FreeRDP_RemoteFxOnly, FREERDP_SETTINGS_TYPE_BOOL, "FreeRDP_RemoteFxOnly" },
 	{ FreeRDP_RestrictedAdminModeRequired, FREERDP_SETTINGS_TYPE_BOOL,
 	  "FreeRDP_RestrictedAdminModeRequired" },
+	{ FreeRDP_RestrictedAdminModeSupported, FREERDP_SETTINGS_TYPE_BOOL,
+	  "FreeRDP_RestrictedAdminModeSupported" },
 	{ FreeRDP_SaltedChecksum, FREERDP_SETTINGS_TYPE_BOOL, "FreeRDP_SaltedChecksum" },
 	{ FreeRDP_SendPreconnectionPdu, FREERDP_SETTINGS_TYPE_BOOL, "FreeRDP_SendPreconnectionPdu" },
 	{ FreeRDP_ServerLicenseRequired, FREERDP_SETTINGS_TYPE_BOOL, "FreeRDP_ServerLicenseRequired" },

libfreerdp/core/nego.c

@@ -59,7 +59,8 @@ struct rdp_nego
 	UINT32 RequestedProtocols;
 	BOOL NegotiateSecurityLayer;
 	BOOL EnabledProtocols[32];
-	BOOL RestrictedAdminModeRequired;
+	BOOL RestrictedAdminModeRequired;  /* Client-side */
+	BOOL RestrictedAdminModeSupported; /* Server-side */
 	BOOL RemoteCredsGuardRequired;
 	BOOL RemoteCredsGuardActive;
 	BOOL RemoteCredsGuardSupported;
@@ -1254,7 +1255,18 @@ BOOL nego_process_negotiation_request(rdpNego* nego, wStream* s)
 		return FALSE;
 	}
 	if (flags & RESTRICTED_ADMIN_MODE_REQUIRED)
-		WLog_Print(nego->log, WLOG_INFO, "RDP_NEG_REQ::flags RESTRICTED_ADMIN_MODE_REQUIRED");
+	{
+		if (nego->RestrictedAdminModeSupported)
+		{
+			WLog_Print(nego->log, WLOG_INFO, "RDP_NEG_REQ::flags RESTRICTED_ADMIN_MODE_REQUIRED");
+		}
+		else
+		{
+			WLog_Print(nego->log, WLOG_ERROR,
+			           "RDP_NEG_REQ::flags RESTRICTED_ADMIN_MODE_REQUIRED but disabled");
+			return FALSE;
+		}
+	}
 
 	if (flags & REDIRECTED_AUTHENTICATION_MODE_REQUIRED)
 	{
@@ -1483,7 +1495,7 @@ BOOL nego_send_negotiation_response(rdpNego* nego)
 		if (freerdp_settings_get_bool(settings, FreeRDP_SupportGraphicsPipeline))
 			flags |= DYNVC_GFX_PROTOCOL_SUPPORTED;
 
-		if (freerdp_settings_get_bool(settings, FreeRDP_RestrictedAdminModeRequired))
+		if (nego->RestrictedAdminModeSupported)
 			flags |= RESTRICTED_ADMIN_MODE_SUPPORTED;
 
 		if (nego->RemoteCredsGuardSupported)
@@ -1721,6 +1733,13 @@ void nego_set_restricted_admin_mode_required(rdpNego* nego, BOOL RestrictedAdmin
 	nego->RestrictedAdminModeRequired = RestrictedAdminModeRequired;
 }
 
+void nego_set_restricted_admin_mode_supported(rdpNego* nego, BOOL enabled)
+{
+	WINPR_ASSERT(nego);
+
+	nego->RestrictedAdminModeSupported = enabled;
+}
+
 void nego_set_RCG_required(rdpNego* nego, BOOL enabled)
 {
 	WINPR_ASSERT(nego);

libfreerdp/core/nego.h

@@ -116,6 +116,7 @@ FREERDP_LOCAL BOOL nego_set_target(rdpNego* nego, const char* hostname, UINT16 p
 FREERDP_LOCAL void nego_set_negotiation_enabled(rdpNego* nego, BOOL NegotiateSecurityLayer);
 FREERDP_LOCAL void nego_set_restricted_admin_mode_required(rdpNego* nego,
                                                            BOOL RestrictedAdminModeRequired);
+FREERDP_LOCAL void nego_set_restricted_admin_mode_supported(rdpNego* nego, BOOL enabled);
 FREERDP_LOCAL void nego_set_RCG_required(rdpNego* nego, BOOL enabled);
 FREERDP_LOCAL void nego_set_RCG_supported(rdpNego* nego, BOOL enabled);
 FREERDP_LOCAL BOOL nego_get_remoteCredentialGuard(rdpNego* nego);

libfreerdp/core/peer.c

@@ -275,6 +275,8 @@ static BOOL freerdp_peer_initialize(freerdp_peer* client)
 	}
 
 	nego_set_RCG_supported(rdp->nego, settings->RemoteCredentialGuard);
+	nego_set_restricted_admin_mode_supported(rdp->nego, settings->RestrictedAdminModeSupported);
+
 	if (!rdp_server_transition_to_state(rdp, CONNECTION_STATE_INITIAL))
 		return FALSE;
 

libfreerdp/core/settings.c

@@ -884,6 +884,7 @@ rdpSettings* freerdp_settings_new(DWORD flags)
 	    !freerdp_settings_set_bool(settings, FreeRDP_RdstlsSecurity, FALSE) ||
 	    !freerdp_settings_set_bool(settings, FreeRDP_NegotiateSecurityLayer, TRUE) ||
 	    !freerdp_settings_set_bool(settings, FreeRDP_RestrictedAdminModeRequired, FALSE) ||
+	    !freerdp_settings_set_bool(settings, FreeRDP_RestrictedAdminModeSupported, TRUE) ||
 	    !freerdp_settings_set_bool(settings, FreeRDP_MstscCookieMode, FALSE) ||
 	    !freerdp_settings_set_uint32(settings, FreeRDP_CookieMaxLength,
 	                                 DEFAULT_COOKIE_MAX_LENGTH) ||

libfreerdp/core/test/settings_property_lists.h

@@ -148,6 +148,7 @@ static const size_t bool_list_indices[] = {
 	FreeRDP_RemoteFxImageCodec,
 	FreeRDP_RemoteFxOnly,
 	FreeRDP_RestrictedAdminModeRequired,
+	FreeRDP_RestrictedAdminModeSupported,
 	FreeRDP_SaltedChecksum,
 	FreeRDP_SendPreconnectionPdu,
 	FreeRDP_ServerLicenseRequired,