Re: Admin Rights required on Terminal Services

From: Security (security_at_ucw.com.au)
Date: 03/21/05

    Date: Tue, 22 Mar 2005 09:17:35 +1100
    To: Andrew Shore <andrew.shore@holistecs.com>
    
    

    Hi Guys,

    I am a security noob so take this with a grain of salt...

    With the TS config for a custom written prog, if you cannot give admin
    rights to everyone (fair enough), one thing you could do is start
    security "failure" auditing for everything on the TS box.

    When the program is run, if it cannot access a certain item, and the
    program crashes/closes, there will be a failure audit in the event log.
    You can then use group policy to give access to that specific area, e.g.
    "increase privilege" to a group that was created to control access for
    this program.

    Or,

    Why not give admin access to users and use group policy to remove any
    icons or access paths to any sensitive areas?

    I am very interested in the outcome of this thread. Please continue to
    post ideas.

    Cheers

    Todd Cummings.

    Andrew Shore wrote:

    >Have you tried running the NTCOMPAT security policy rather than giving
    >users elevated rights?
    >
    >Admin privilege on a terminal server is asking for trouble.
    >
    >Andy
    >
    >-----Original Message-----
    >From: sf_mail_sbm@yahoo.com [mailto:sf_mail_sbm@yahoo.com]
    >Sent: 17 March 2005 15:46
    >To: security-basics@securityfocus.com
    >Subject: Admin Rights required on Terminal Services
    >
    >
    >
    >Dear List,
    >
    >We have an application that needs local admin rights to run
    >
    >This is a legacy application, and cannot be run as a service
    >
    >We are planning to run the application on a Terminal Services server
    >(Win 2K3)
    >
    >Clients cannot run the application through TS, since they do not have local
    >admin rights
    >
    >One option is to put the users as local admins, and restrict the menus
    >to which they have access through Group Policy
    >
    >Is there any other way to make users run the application without giving
    >them local admin rights?
    >
    >Tried to look at "runas", but user will need to enter the administrator
    >password
    >
    >Thank you all for your help
    >
    >Ronish
    >
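
The failure-audit approach suggested in the reply above, as an added example that is not part of the original posts: it reads Security-log events exported as XML and lists the objects a given program was refused, which is the list to grant to the program's dedicated group. It assumes the Event ID 4656 layout of later Windows versions rather than the Windows Server 2003 format; legacy.exe, LegacyApp and the sample events are constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
AUDIT_FAILURE = 0x10000000000000  # "Audit Failure" bit in <Keywords>

# Constructed sample in the Event ID 4656 layout; all names are hypothetical.
_EVENT = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
          '<System><EventID>4656</EventID><Keywords>{0}</Keywords></System><EventData>'
          '<Data Name="ObjectType">{1}</Data><Data Name="ObjectName">{2}</Data>'
          '<Data Name="AccessMask">{3}</Data><Data Name="ProcessName">{4}</Data>'
          '</EventData></Event>')
FAIL, OK = "0x8010000000000000", "0x8020000000000000"
APP = r"C:\Program Files\LegacyApp\legacy.exe"
SAMPLE = "<Events>" + "".join(_EVENT.format(*row) for row in [
    (FAIL, "File", r"C:\Program Files\LegacyApp\data.ini", "0x2", APP),
    (FAIL, "File", r"C:\Program Files\LegacyApp\data.ini", "0x6", APP),
    (FAIL, "Key", r"\REGISTRY\MACHINE\SOFTWARE\LegacyApp", "0x20006", APP),
    (OK, "File", r"C:\Program Files\LegacyApp\help.chm", "0x1", APP),
    (FAIL, "File", r"C:\Windows\win.ini", "0x2", r"C:\Tools\other.exe"),
]) + "</Events>"


def denied_objects(xml_text, program):
    """Map (object type, object name) -> set of access masks refused to `program`."""
    needed = defaultdict(set)
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        keywords = int(ev.findtext("e:System/e:Keywords", "0", NS), 16)
        if not keywords & AUDIT_FAILURE:
            continue  # success audits say nothing about missing rights
        data = {d.get("Name"): d.text or "" for d in ev.findall("e:EventData/e:Data", NS)}
        if not data.get("ProcessName", "").lower().endswith("\\" + program.lower()):
            continue  # failure belongs to some other process
        needed[(data.get("ObjectType"), data.get("ObjectName"))].add(data.get("AccessMask"))
    return dict(needed)


if __name__ == "__main__":
    for (otype, name), masks in sorted(denied_objects(SAMPLE, "legacy.exe").items()):
        print(f"{otype:5} {name}  masks={sorted(masks)}")
```

Each resulting entry is one file or registry key to grant to the application's group, with the access masks showing whether read or write access was refused.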

