Computer Management security

[Guest]

Is there any way to restrict access to a computers 'Computer Management' console.
I am asking, because we are running a Windows 2000 AD, and through testing have realized that a regular domain users can manage a server remotely through Computer Management. We want to restrict access to just this utility, without infringing on network access to th servers, because they do hold network resources that have to be accessed on a regular basis. If someone can give me all the possible security steps that can be performed, and I will try them to see what best meets our needs.

Thanks in advance

 

[Steven L Umbach]

Regular users can "see" remote computers via Computer Management, but can not do much
of anything if they do not have administrative credentials for the target computer.
Of course I still understand the concern and you can disable the Computer Management
console for users via Group Policy/user configuration/administrative
templates/Windows components/Microsoft Management console/restricted and permitted
snapins. Keep in mind that doing such at the domain level will restrict all users
including administrators unless you filter the policy scope to exempt administrators
by giving administrators "deny permissions" to the apply permission for the GPO. ---
Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;322176

Is there any way to restrict access to a computers 'Computer Management' console.
I am asking, because we are running a Windows 2000 AD, and through testing have

realized that a regular domain users can manage a server remotely through Computer
Management. We want to restrict access to just this utility, without infringing on
network access to th servers, because they do hold network resources that have to be
accessed on a regular basis. If someone can give me all the possible security steps
that can be performed, and I will try them to see what best meets our needs.

 

[Guest]

I ask because a regular user who does not have admin rights on the regular computer was able to stop services on the target PC. I originally thought the same thing until we tested it. Let say USER1 who does not have admin rights on PC2 was able to connect via Computer management from PC2, and was able to stop some services on PC1. ????, just did not make sense.

Thanks

 

[Steven L Umbach]

I don't think a regular user can stop any operating system service in a default
installation - definitely no critical services. You might want to run Security
Configuration and Analysis tool comparing to the setup security template on that
computer to see what it reports for services and verify that the user account you are
using does not have administrator/power user rights on the target computer. On
workstation computers that are not offering shares, yet you want to manage remotely,
consider modifying the user right assignment for access this computer from the
network to contain only the administrators group. --- Steve

I ask because a regular user who does not have admin rights on the regular computer

was able to stop services on the target PC. I originally thought the same thing until
we tested it. Let say USER1 who does not have admin rights on PC2 was able to connect
via Computer management from PC2, and was able to stop some services on PC1. ????,
just did not make sense.

 

[Guest]

Hey Steve, thanks for the info on the tool. Is there any special section I should be loking. I ran the tool and analyzed the data. I opened each sub item, but could not find anything abnormal. Is there a Red X or something I should be seeing if there is a problem. All I saw were green check marks, and anything that did not have an icon next to it was 'Not Defined

Thank
Mike

 

[Dale Weiss]

Hello,

What privileges does the user in question have on PC1, since that it where
the services are being stopped?

Dale Weiss MCSA MCSE CISSP
PSS Security

This posting is provided "AS IS" with no warranties, and confers no rights.
Any opinions or policies stated within are my own and do not necessarily
constitute those of my employer. Use of included script samples are subject
to the terms
specified at http://www.microsoft.com/info/cpyright.htm

 

[Steven L Umbach]

If the marks were all green, then you have default settings in the security setup
template. I still don't understand how a regular user can stop services. If you look
at the setup security template/services and select edit security you will see the
permissions that users have to the service and I don't think everyone/users have
permissions by default to stop any service. --- Steve

Hey Steve, thanks for the info on the tool. Is there any special section I should

be loking. I ran the tool and analyzed the data. I opened each sub item, but could
not find anything abnormal. Is there a Red X or something I should be seeing if there
is a problem. All I saw were green check marks, and anything that did not have an
icon next to it was 'Not Defined'