Re: Admin Rights required on Terminal Services

[Security <security () ucw com au>]

Hi Guys,

I'm am a security noob so take this with a grain of salt...

With the TS config for a custom writen prog, if you cannot give admin 
rights to everyone (fair enough), one thing you could do is start 
security "failure" auditing for everything on the TS box.

When the program is run, if it cannot access a certain item, and the 
program crashs/closes, there will be a failure audit in the event log.
You can then use group policy to give access to that specific area, eg 
"increase privilege" to a group that was created to control access for 
this program.

Or,

Why not give admin access to users and use group policy to remove any 
icons or access paths to any sensitive areas.

I am very interested in the outcome of this thread. Please continue to 
post ideas.

Cheers

Todd Cummings.

Andrew Shore wrote:

> Have you tried running the NTCOMPAT security policy rather than giving
> users elevated right.
>
> Admin privilege on a terminal server is asking for trouble.
>
> Andy 
>
> -----Original Message-----
> From: sf_mail_sbm () yahoo com [mailto:sf_mail_sbm () yahoo com] 
> Sent: 17 March 2005 15:46
> To: security-basics () securityfocus com
> Subject: Admin Rights required on Terminal Services
>
>
>
> Dear List,
>
> We have an application that needs local admin rights to run
>
> This is a legacy application, and cannot be run as a service
>
> We are planning to run the application on a Terminal Services server
> (Win 2K3)
>
> Clients cannot run the application thru TS, since they do not have local
> admin rights
>
> One option is to put the users as local admins, and restrict the menus
> to which they have access through Group Policy
>
> Is there any other way to make users run the application without givin
> them local admin rights?
>
> Tried to look at "runas", but user will need to enter the administrator
> password
>
> Thank u all for ur help
>
> Ronish
>
>
>
>
>