RE: Windows station permissions, remote control programs, lower privilege accounts

From: James Kelly (jim@essistants.com)
Date: 02/20/03

    Date: Wed, 19 Feb 2003 19:08:01 -0500
    From: James Kelly <jim@essistants.com>
    To: "'Lee, Alex (NHQ)-EDS'" <Alex.Lee@Nextel.com>, ATarasul@SpencerStuart.com, focus-ms@securityfocus.com
    
    

    Question, when you Shift-Right-Click, and run something as another user,
    how does that affect how it is logged?

    Jim

    -----Original Message-----
    From: Lee, Alex (NHQ)-EDS [mailto:Alex.Lee@Nextel.com]
    Sent: Tuesday, February 18, 2003 6:03 PM
    To: ATarasul@SpencerStuart.com; focus-ms@securityfocus.com
    Subject: RE: Windows station permissions, remote control programs, lower privilege accounts

    Once connected via a remote control program...
    -- You can logout. Then login as a user with appropriate rights.
    -- Shift-Right-Click & use RunAs to run a program as a user with
    appropriate rights. I'm particularly fond of running .MSCs (MS Mgt
    Consoles, like DEVMGMT.MSC) & regedit this way. Even when I'm at the
    PC, just to avoid logout/login times.
    -- XCMD allows you to specify the user/pass to connect to the remote PC
    as.
     
    Though WMI isn't a remote control program, it does allow you to connect
    to a remote PC & access/modify many things.

            -----Original Message-----
            From: ATarasul@SpencerStuart.com [mailto:ATarasul@SpencerStuart.com]
            Sent: Tue 2/18/2003 11:58 AM
            To: focus-ms@securityfocus.com
            Cc:
            Subject: Windows station permissions, remote control programs, lower privilege accounts
            
            

            I've found that a big stumbling block to running remote control
            programs under lower-privilege accounts is the default security
            set on window station and desktop kernel objects.
            As they allow access by LocalSystem by default, it's impossible
            to run a remote control program on a lower-privileged account.
            I've tested this on Terminal Services, VNC and PCAnywhere.
            
            Does anybody have any idea how to reconfigure Windows to change
            permissions on window station and desktop kernel objects? Do any
            tools exist to do this? Can this change be persisted?
            
            As a suggestion to Microsoft, I think there should be an
            additional user right under policy/user rights - "allow remote
            control" - which will set that security access automatically.
            
            Thanks
            Alexander