RE: Windows station permissions, remote control programs, lower priviledge accounts

From: dave (dave@netmedic.net)
Date: 02/19/03

  • Next message: dave: "RE: Defeating password cracking" 
    From: "dave" <dave@netmedic.net>
To: <ATarasul@SpencerStuart.com>, <focus-ms@securityfocus.com>
Date: Tue, 18 Feb 2003 18:41:16 -0500

    Alexander,

    I am not sure if I am reading this right, but you can run remote control via
    an ordinary user. If you are referring to modifying or creating new remote
    objects then there are some permission modifications you have to make.

    Dave

     
    _____________________
    Dave Kleiman
    dave@netmedic.net
    www.netmedic.net

     

    >> -----Original Message-----
    >> From: ATarasul@SpencerStuart.com [mailto:ATarasul@SpencerStuart.com]
    >> Sent: Tuesday, February 18, 2003 11:59
    >> To: focus-ms@securityfocus.com
    >> Subject: Windows station permissions, remote control programs, lower
    >> priviledge accounts
    >>
    >> I've found that a big stumbling block to run remote control programs
    >> under
    >> lower priviledge accounts are default security set on window station and
    >>
    >> desktop kernel objects.
    >> As they allow by default access by LocalSystem it's impossible to run
    >> remote control
    >> program on lower privilidged account.
    >> I've tested this on Terminal Services, VNC and PCAnywhere.
    >>
    >> Is anybody have any idea about how to reconfigure windows to change
    >> permission on window station and
    >> desktop kernel objects? Are any tools exists to do this? Can this change
    >> be persisted?
    >>
    >> As for suggestion to microsoft I think there should be additional user
    >> right on policy/user rights - "allow remote control" which will set
    >> those security access automatically.
    >>
    >> Thanks
    >> Alexander