Re: Curious Security Behavior

From: Lanwench [MVP - Exchange] (lanwench_at_heybuddy.donotsendme.unsolicitedmail.atyahoo.com)
Date: 10/25/04


Date: Mon, 25 Oct 2004 09:39:19 -0400

mjs wrote:
> I am curious about a remote access behavior that I find puzzling.
> Why is it possible to remotely manage a computer (win2K) from a
> server (win2K3) without authenticating to it as long as the user's
> name and password on the server "happen" to match a privileged one on
> the remote computer? This is true (maybe only pertinent) when the
> remote machine is not in the server's domain. When trying from a
> different PC (Win2K) also not in the domain to the target PC there is
> at least an authentication challenge of user name and password.
> Granted the likelihood is small of this happening but it does seem
> like strange/risky behavior. --- Mike

I may be unclear on exactly what you're asking or what your setup is:

If you have a domain controller, and try to manage workstation A which
belongs to the domain while logged into the server as an administrator, you
can do anything you like on workstation A because domain admins are members
of the local admins group on workstation A.

If workstation A doesn't belong to the domain, or isn't in a trusted domain,
you can't exactly "manage" it in ADUC on the server, but if the domain admin
account matches the local admin account on the workstation, it can be
accessed that way via the admin share(s) on the workstation. Note: you
really don't want your workstations' local admin credentials matching your
domain admin credentials anyway.
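
A defender's check for the situation discussed in this thread, as an added example that is not part of the original posts: it scans logon audit records for network logons made with a workstation's local administrator account from a different machine. The records, host names and field names are constructed assumptions modelled on Windows logon auditing (logon type 3 is a network logon, type 2 an interactive one).

```python
from collections import defaultdict

NETWORK_LOGON = 3  # logon type recorded for SMB / admin-share access

# Constructed sample records (not from the thread). Field names are
# assumptions modelled on the Windows "successful logon" audit event.
SAMPLE_EVENTS = [
    # Server reaches WKSTA's admin share with a matching local account.
    {"computer": "WKSTA", "logon_type": 3, "target_user": "Administrator",
     "target_domain": "WKSTA", "source_host": "SRV2K3"},
    # Same account from a second host; case differs in the record.
    {"computer": "wksta", "logon_type": 3, "target_user": "administrator",
     "target_domain": "WKSTA", "source_host": "PC-OTHER"},
    # Domain account: ordinary domain administration, not flagged.
    {"computer": "WKSTB", "logon_type": 3, "target_user": "Administrator",
     "target_domain": "CORP", "source_host": "SRV2K3"},
    # Interactive console logon with the local account: not remote.
    {"computer": "WKSTA", "logon_type": 2, "target_user": "Administrator",
     "target_domain": "WKSTA", "source_host": "WKSTA"},
    # Local non-admin account over the network: outside this check.
    {"computer": "WKSTA", "logon_type": 3, "target_user": "guestuser",
     "target_domain": "WKSTA", "source_host": "SRV2K3"},
]

# Constructed inventory: members of each machine's local Administrators group.
LOCAL_ADMINS = {"WKSTA": {"Administrator"}, "WKSTB": {"Administrator"}}

def remote_local_admin_logons(events, local_admins):
    """Map (computer, account) -> sorted list of other hosts that logged on
    over the network using a local administrator account of that computer."""
    admins = {c.upper(): {u.lower() for u in us} for c, us in local_admins.items()}
    hits = defaultdict(set)
    for ev in events:
        computer = ev["computer"].upper()
        user = ev["target_user"].lower()
        source = (ev.get("source_host") or "").upper() or "UNKNOWN"
        if ev["logon_type"] != NETWORK_LOGON:
            continue  # only network logons (e.g. admin shares)
        if ev["target_domain"].upper() != computer:
            continue  # account lives in a domain, not the local SAM
        if source == computer:
            continue  # logon originated on the machine itself
        if user in admins.get(computer, set()):
            hits[(computer, user)].add(source)
    return {key: sorted(srcs) for key, srcs in hits.items()}

if __name__ == "__main__":
    print(remote_local_admin_logons(SAMPLE_EVENTS, LOCAL_ADMINS))
```

Any account this reports is a local administrator credential that also works from another machine, which is the overlap the reply advises against.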


