RE: Windows station permissions, remote control programs, lower privilege accounts

From: ATarasul@SpencerStuart.com
Date: 02/19/03

    Date: Tue, 18 Feb 2003 17:09:54 -0600
    From: <ATarasul@SpencerStuart.com>
    To: <Alex.Lee@Nextel.com>, <focus-ms@securityfocus.com>
    
    

    Alex,
    While this is correct, the core binary is still running as LocalSystem.
    So if a buffer overflow is exploited during initial authentication, the
    exploit code will run in the context of LocalSystem.
    This is what I'm trying to prevent.
    The remote control programs are not alone - a lot of Microsoft core
    services just cannot live without running as LocalSystem.
    In my opinion there should be no remotely facing piece of code running
    as a high-privileged account.
    Microsoft is moving in this direction by creating the LocalService and
    NetworkService accounts (in XP? Or Win2003?).

    -----Original Message-----
    From: Lee, Alex (NHQ)-EDS [mailto:Alex.Lee@Nextel.com]
    Sent: Tuesday, February 18, 2003 5:03 PM
    To: Tarasul, Alexander; focus-ms@securityfocus.com
    Subject: RE: Windows station permissions, remote control programs, lower privilege accounts

    Once connected via a remote control program...
    -- You can log out. Then log in as a user with appropriate rights.
    -- Shift-Right-Click & use RunAs to run a program as a user with
    appropriate rights. I'm particularly fond of running .MSCs (MS Mgt
    Consoles, like DEVMGMT.MSC) & regedit this way. Even when I'm at the
    PC, just to avoid logout/login times.
    -- XCMD allows you to specify the user/pass to connect to the remote PC
    as.
     
    Though WMI isn't a remote control program, it does allow you to connect
    to a remote PC & access/modify many things.

            -----Original Message-----
            From: ATarasul@SpencerStuart.com [mailto:ATarasul@SpencerStuart.com]
            Sent: Tue 2/18/2003 11:58 AM
            To: focus-ms@securityfocus.com
            Cc:
            Subject: Windows station permissions, remote control programs, lower privilege accounts
            
            

            I've found that a big stumbling block to running remote control
            programs under lower privilege accounts is the default security
            set on window station and desktop kernel objects.
            As they allow access by LocalSystem by default, it's impossible
            to run a remote control program on a lower privileged account.
            I've tested this on Terminal Services, VNC and PCAnywhere.

            Does anybody have any idea about how to reconfigure Windows to
            change permissions on window station and desktop kernel objects?
            Do any tools exist to do this? Can this change be persisted?

            As a suggestion to Microsoft, I think there should be an
            additional user right in policy/user rights - "allow remote
            control" - which will set that security access automatically.
            
            Thanks
            Alexander