RE: Admin Rights required on Terminal Services

• Previous message: Andy Cuff [Talisker]: "GIAC Dilution"
• In reply to: sf_mail_sbm_at_yahoo.com: "Admin Rights required on Terminal Services"
• Next in thread: Andrew Shore: "RE: Admin Rights required on Terminal Services"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: <sf_mail_sbm@yahoo.com>, <security-basics@securityfocus.com>
Date: Thu, 17 Mar 2005 11:10:52 -0600

The right answer, of course, is to fix the application. No normal user
application should need admin.

Baring that, "Local Admin" is a bunch of rights - 98% of which your
application does not need. It's painful, but you could work through the
app, figuring out one at a time what rights they really need (create files
in this directory. Read that file, etc.). Then build an account/group with
just those necessary rights. Once you have the account/group, you can

* Add the necessary (and only the necessary) users to the group

Or

* Use RUNAS, giving out only the password to the special userid, not the
admin password.

-----Burton

-----Original Message-----
From: sf_mail_sbm@yahoo.com [mailto:sf_mail_sbm@yahoo.com]
Sent: Thursday, March 17, 2005 9:46 AM
To: security-basics@securityfocus.com
Subject: Admin Rights required on Terminal Services

Dear List,

We have an application that needs local admin rights to run

This is a legacy application, and cannot be run as a service

We are planning to run the application on a Terminal Services server (Win
2K3)

Clients cannot run the application thru TS, since they do not have local
admin rights

One option is to put the users as local admins, and restrict the menus to
which they have access through Group Policy

Is there any other way to make users run the application without givin them
local admin rights?

Tried to look at "runas", but user will need to enter the administrator
password

Thank u all for ur help

Ronish

• Previous message: Andy Cuff [Talisker]: "GIAC Dilution"
• In reply to: sf_mail_sbm_at_yahoo.com: "Admin Rights required on Terminal Services"
• Next in thread: Andrew Shore: "RE: Admin Rights required on Terminal Services"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Permissions (EVERYONE POST TO THIS) ... Removing Admin rights from your users is the prudent thing to do. ... without the IT Administrator providing these services and applications. ... priveledes, and before you know it, you have lost control of your network. ... (microsoft.public.win2000.security) Re: Software Audit & Enforcement - Required? ... domain admin password. ... Who then has access to the Admin rights on the companies ... The local admin account on each laptop is disabled by default, ... You prevent people from installing software by removing them from ... (microsoft.public.security) Re: Running programs for non-previleged users on XP ... insist a user be able to use an application without having Admin rights. ... on running the software under the Local Admin context. ... >> The administrator group user finishes installing the program. ... (microsoft.public.win2000.security) Re: XP & W2K server User rights need help ... accounts. ... This narrows the issue, since any admin ... > Here is another fact, this domain server had to be> replaced so a new one was created, in the old domain> server non of the users had accounts only the computers ... >>> Accounts in AD Power users with admin rights to local ... (microsoft.public.windowsxp.security_admin) Re: Administrators Permission on Network ... >network administrators, but all i did was set up ... That bank needs a new admin. ... >>they'd never have given you local admin rights to begin ... (microsoft.public.security)