Solved

Terminal Server Security issue

Posted on 2004-10-21
194 Views
Last Modified: 2013-11-21
I have installed a Windows terminal 2003 server; I need the users to have the ability to right/edit the registry (so the application will work properly) - they are not suffused to edit it manually!!! Or having administrative rights on the server

Right now Im kind of bypassing this problem with "Quick Menu Builder" and the environment option in the active directory

Anyone?
0
Question by:siltech
    10 Comments
     
    LVL 1

    Expert Comment

    by:Ali_Jas
    this looks as an operating issue to me, You'd better ask the question there, because more experts will be able to help you.
    0
     
    LVL 1

    Expert Comment

    by:Ali_Jas
    errr.. operating system issue... not operating issue :S
    0
     

    Author Comment

    by:siltech
    its about Group policy
    0
     
    LVL 1

    Expert Comment

    by:Ali_Jas
    Group policy is also OS related, not networking.

    networking here is by means of routers, cabeling and so on.
    I should just delete the question here and move it to the OS section.
    0
     
    LVL 3

    Expert Comment

    by:MBarber1957
    A quick way would be to add them to a group on the server, then make that group a member of the LocalAdmin / Administrators group on the local box. That's if you trust them with such authority. This would give them full control of the local machine (not the same as a network administrator).
    0
     
    LVL 8

    Accepted Solution

    by:
    Siltech,

    When you say "modify the registry", I presume that you mean the entire contents of the registry, not User-specific information.

    If they have the right to modify the registry, then they can modify the registry -- period.

    Certainly unintentionally, the rights and privileges to manipulate the registry create the potential to compromise the integrity of the system. The most common example of this is the dangers of adware/spyware.

    I would suggest a thorough review of the application to determine what, exactly, are its needs and requirements. The answer from the developers that "we just need to manipulate the registry" is a poor answer. Once you allow manipulation of the registry, the integrity of the system is destroyed.

    I hope that the above is helpful.

    - Bob (aka RLGSC)
    0
     

    Author Comment

    by:siltech
    that That’s exactly the problem, I can't trust them and I can't let them to act as administrators or change the administrative rights

    I what them to be a standard users with the ability to right to the registry , without the run command, access to the control panel ecc…
    0
     

    Author Comment

    by:siltech
    maybe I just duplicate the administrator to a differnt user and lock some icons for this user with "power toy"
    what do you think about this?
    0
     
    LVL 8

    Expert Comment

    by:RLGSC
    Siltech,

    What you are asking for is a contradiction.

    If they have the rights to modify the registry, then they can compromise the system -- period. It does not matter whether it is deliberate (e.g., using REGEDIT) or accidental (e.g., spyware, adware, ActiveX).

    What needs to be examined very carefully is what the application is doing that requires registry access, and whether it is operating in an appropriate manner. I have done these reviews on a variety of platforms, and it is often amazing what the justifications for administrative rights are, and how unneeded they are (on a different platform, I just taught a 4 hour seminar on how to delegate management rights over specific applications WITHOUT granting overall administrative rights).

    I hope that this information is helpful.

    - Bob (aka RLGSC)
    0
     

    Author Comment

    by:siltech
    Right now I solved it with "quick menu builder"

    When a user logs on to the server he has an html menu with "buttons" for his unique applications

    This "menu" configured to start automatically as an active directory environment
    When a user is trying to close the menu and "playing" with the MS Desktop, the session ends automatically and forces the user to log off

    What do you think on the solution?
    0

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    How to run any project with ease

    Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
    - Combine task lists, docs, spreadsheets, and chat in one
    - View and edit from mobile/offline
    - Cut down on emails

    On a regular basis I get questions about slow RDP performance, RDP connection problems, strange errors and even BSOD, remote computers freezing or restarting after initiation of a remote session. In a lot of this cases the quick solutions made b…
    Don’t let your business fall victim to the coming apocalypse – use our Survival Guide for the Fax Apocalypse to identify the risks and signs of zombie fax activities at your business.
    Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
    After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

    857 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    20 Experts available now in Live!

    Get 1:1 Help Now