• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 196
  • Last Modified:

Terminal Server Security issue

I have installed a Windows terminal 2003 server; I need the users to have the ability to right/edit the registry (so the application will work properly) - they are not suffused to edit it manually!!! Or having administrative rights on the server

Right now Im kind of bypassing this problem with "Quick Menu Builder" and the environment option in the active directory

Anyone?
0
siltech
Asked:
siltech
  • 4
  • 3
  • 2
  • +1
1 Solution
 
Ali_JasCommented:
this looks as an operating issue to me, You'd better ask the question there, because more experts will be able to help you.
0
 
Ali_JasCommented:
errr.. operating system issue... not operating issue :S
0
 
siltechAuthor Commented:
its about Group policy
0
Never miss a deadline with monday.com

The revolutionary project management tool is here!   Plan visually with a single glance and make sure your projects get done.

 
Ali_JasCommented:
Group policy is also OS related, not networking.

networking here is by means of routers, cabeling and so on.
I should just delete the question here and move it to the OS section.
0
 
MBarber1957Commented:
A quick way would be to add them to a group on the server, then make that group a member of the LocalAdmin / Administrators group on the local box. That's if you trust them with such authority. This would give them full control of the local machine (not the same as a network administrator).
0
 
RLGSCCommented:
Siltech,

When you say "modify the registry", I presume that you mean the entire contents of the registry, not User-specific information.

If they have the right to modify the registry, then they can modify the registry -- period.

Certainly unintentionally, the rights and privileges to manipulate the registry create the potential to compromise the integrity of the system. The most common example of this is the dangers of adware/spyware.

I would suggest a thorough review of the application to determine what, exactly, are its needs and requirements. The answer from the developers that "we just need to manipulate the registry" is a poor answer. Once you allow manipulation of the registry, the integrity of the system is destroyed.

I hope that the above is helpful.

- Bob (aka RLGSC)
0
 
siltechAuthor Commented:
that That’s exactly the problem, I can't trust them and I can't let them to act as administrators or change the administrative rights

I what them to be a standard users with the ability to right to the registry , without the run command, access to the control panel ecc…
0
 
siltechAuthor Commented:
maybe I just duplicate the administrator to a differnt user and lock some icons for this user with "power toy"
what do you think about this?
0
 
RLGSCCommented:
Siltech,

What you are asking for is a contradiction.

If they have the rights to modify the registry, then they can compromise the system -- period. It does not matter whether it is deliberate (e.g., using REGEDIT) or accidental (e.g., spyware, adware, ActiveX).

What needs to be examined very carefully is what the application is doing that requires registry access, and whether it is operating in an appropriate manner. I have done these reviews on a variety of platforms, and it is often amazing what the justifications for administrative rights are, and how unneeded they are (on a different platform, I just taught a 4 hour seminar on how to delegate management rights over specific applications WITHOUT granting overall administrative rights).

I hope that this information is helpful.

- Bob (aka RLGSC)
0
 
siltechAuthor Commented:
Right now I solved it with "quick menu builder"

When a user logs on to the server he has an html menu with "buttons" for his unique applications

This "menu" configured to start automatically as an active directory environment
When a user is trying to close the menu and "playing" with the MS Desktop, the session ends automatically and forces the user to log off

What do you think on the solution?
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 4
  • 3
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now