RE: User rights on Terminal Services

• Previous message: Geoff Craig: "RE: Logging mechanism in IIS (was RE: code red---- on system that is already (and has been) patched)"
• Maybe in reply to: Antoine Borg: "User rights on Terminal Services"
• Next in thread: Sullivan, Glenn: "RE: User rights on Terminal Services"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: Fred.Langston@guardent.com
To: antoineborg@onvol.net, focus-ms@securityfocus.com
Date: Thu, 6 Mar 2003 15:58:52 -0500 

This content came off this list previously, but I did not retain the author
information - sorry to the creator:

Narrowing down registry/file rights
 
In my office, I give permissions according to registry, and folders on
particular systems. I use regmon.exe and filemon.exe then run the failing
app to monitor what is happening when the app loads and fails. From here I
look for Access Denied errors for files and reg. keys then grant access
(through gpo) to only these very specific keys. Often it is just a .dll that
didn't inherit permissions from the system folder properly during install.

Hope this helps.

Fred Langston, CISSP
  Senior Principal Consultant
  W: 206.903.8147 x223 F: 206.903.1862 M: 425.765.3330
  Seattle, WA www.Guardent.com
________________________________________
G U A R D E N T
  Enterprise Security and Privacy Programs

-----Original Message-----
From: Antoine Borg [mailto:antoineborg@onvol.net]
Sent: Thursday, March 06, 2003 11:15 AM
To: focus-ms@securityfocus.com
Subject: User rights on Terminal Services

Hi ..

Win2k Server with all latest patches and Terminal Services installed.

We have a custom built application that we got from a third-party that is
causing problems through terminal services. Through my login the program
works w/o problems but I am an administrator and do not wish to have to
assign admin rights to every user who may need to access the stuff remotely.

Can anyone give me an indication as to what rights one may need for:

1) Opening and closing files from a folder on the server (I gave the
respective users full rights on these folders, but the problems still crop
up)
2) Creating/loading/using ActiveX Controls and COM servers.

I am not sure if there is any registry tomfoolery in it - what is the best
way to discover if the program uses the registry? (I'm slightly new at this;
I realise this is a newbie question, so go easy on me)

Oh, FYI, the problems I refer to are all ActiveX related and refer to the
fact that some controls cannot be loaded and/or created properly.

Thanks

Antoine

----------
Indecision is the key to flexibility.

• Previous message: Geoff Craig: "RE: Logging mechanism in IIS (was RE: code red---- on system that is already (and has been) patched)"
• Maybe in reply to: Antoine Borg: "User rights on Terminal Services"
• Next in thread: Sullivan, Glenn: "RE: User rights on Terminal Services"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]