RE: Windows station permissions, remote control programs, lower privilege accounts

From: Lee, Alex (NHQ)-EDS (Alex.Lee@Nextel.com)
Date: 02/19/03

    Date: Tue, 18 Feb 2003 18:02:34 -0500
    From: "Lee, Alex (NHQ)-EDS" <Alex.Lee@Nextel.com>
    To: <ATarasul@SpencerStuart.com>, <focus-ms@securityfocus.com>
    
    

    Once connected via a remote control program...
    -- You can log out, then log in as a user with appropriate rights.
    -- Shift-Right-Click & use RunAs to run a program as a user with appropriate rights. I'm particularly fond of running .MSCs (MS Mgt Consoles, like DEVMGMT.MSC) & regedit this way. Even when I'm at the PC, just to avoid logout/login times.
    -- XCMD allows you to specify the user/pass to connect to the remote PC as.
     
    Though WMI isn't a remote control program, it does allow you to connect to a remote PC & access/modify many things.

            -----Original Message-----
            From: ATarasul@SpencerStuart.com [mailto:ATarasul@SpencerStuart.com]
            Sent: Tue 2/18/2003 11:58 AM
            To: focus-ms@securityfocus.com
            Cc:
            Subject: Windows station permissions, remote control programs, lower privilege accounts
            
            

            I've found that a big stumbling block to running remote control programs
            under lower-privilege accounts is the default security set on window station
            and desktop kernel objects.
            As they allow access by LocalSystem by default, it's impossible to run a
            remote control program on a lower-privileged account.
            I've tested this on Terminal Services, VNC and PCAnywhere.
            
            Does anybody have any idea how to reconfigure Windows to change
            permissions on window station and desktop kernel objects? Do any tools
            exist to do this? Can this change be persisted?
            
            As for a suggestion to Microsoft, I think there should be an additional user
            right under policy/user rights - "allow remote control" - which will set
            that security access automatically.
            
            Thanks
            Alexander
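
Added example, not part of the thread: to see the permissions the original question refers to, this PowerShell script reads the DACLs of a window station and a desktop through the Win32 `GetSecurityInfo` call and lists each ACE. It only reads; the object names `WinSta0` and `Default` and the helper class `WinStaAcl` are assumptions of the example.

```powershell
# Added example (not from the thread): read-only dump of window station/desktop DACLs.
# Assumes the interactive names WinSta0 and Default; run inside the session to inspect.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class WinStaAcl {
    [DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr OpenWindowStation(string name, bool inherit, uint access);
    [DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr OpenDesktop(string name, uint flags, bool inherit, uint access);
    [DllImport("user32.dll")] static extern bool CloseWindowStation(IntPtr h);
    [DllImport("user32.dll")] static extern bool CloseDesktop(IntPtr h);
    [DllImport("advapi32.dll")]
    static extern uint GetSecurityInfo(IntPtr h, int type, uint info, IntPtr owner,
        IntPtr group, IntPtr dacl, IntPtr sacl, out IntPtr sd);
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool ConvertSecurityDescriptorToStringSecurityDescriptor(
        IntPtr sd, uint revision, uint info, out IntPtr sddl, out uint len);
    [DllImport("kernel32.dll")] static extern IntPtr LocalFree(IntPtr p);
    const uint READ_CONTROL = 0x00020000, DACL_INFO = 0x4;   // DACL_SECURITY_INFORMATION
    const int SE_WINDOW_OBJECT = 7;                          // window station or desktop
    static string Sddl(IntPtr h) {
        if (h == IntPtr.Zero) throw new System.ComponentModel.Win32Exception();
        IntPtr sd, str; uint len;
        uint rc = GetSecurityInfo(h, SE_WINDOW_OBJECT, DACL_INFO, IntPtr.Zero,
                                  IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, out sd);
        if (rc != 0) throw new System.ComponentModel.Win32Exception((int)rc);
        try {   // SDDL revision 1; both buffers are released with LocalFree
            if (!ConvertSecurityDescriptorToStringSecurityDescriptor(sd, 1, DACL_INFO, out str, out len))
                throw new System.ComponentModel.Win32Exception();
            try { return Marshal.PtrToStringUni(str); } finally { LocalFree(str); }
        } finally { LocalFree(sd); }
    }
    public static string WindowStation(string name) {
        IntPtr h = OpenWindowStation(name, false, READ_CONTROL);
        try { return Sddl(h); } finally { if (h != IntPtr.Zero) CloseWindowStation(h); }
    }
    public static string Desktop(string name) {   // opened on the caller's window station
        IntPtr h = OpenDesktop(name, 0, false, READ_CONTROL);
        try { return Sddl(h); } finally { if (h != IntPtr.Zero) CloseDesktop(h); }
    }
}
'@
foreach ($sddl in [WinStaAcl]::WindowStation('WinSta0'), [WinStaAcl]::Desktop('Default')) {
    $sddl   # raw SDDL string, followed by one row per ACE
    (New-Object System.Security.AccessControl.RawSecurityDescriptor $sddl).DiscretionaryAcl |
        Format-Table AceType, SecurityIdentifier, @{n='Mask'; e={'0x{0:X8}' -f $_.AccessMask}}
}
```

Comparing the SIDs listed here with the account the remote control program runs under shows whether that account has an ACE on either object.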