Windows station permissions, remote control programs, lower privilege accounts

From: ATarasul@SpencerStuart.com
Date: 02/18/03

    Date: Tue, 18 Feb 2003 10:58:45 -0600
    From: <ATarasul@SpencerStuart.com>
    To: <focus-ms@securityfocus.com>
    
    

    I've found that a big stumbling block to running remote control programs
    under lower-privilege accounts is the default security set on window
    station and desktop kernel objects.
    As they allow access by LocalSystem by default, it's impossible to run a
    remote control program on a lower-privileged account.
    I've tested this on Terminal Services, VNC and PCAnywhere.

    Does anybody have any idea about how to reconfigure Windows to change
    permissions on window station and desktop kernel objects? Do any tools
    exist to do this? Can this change be persisted?

    As for a suggestion to Microsoft, I think there should be an additional
    user right on policy/user rights - "allow remote control" - which will
    set that security access automatically.

    Thanks
    Alexander