Windows 2003 "Secure" approach for remote execution of commands (least priv)


msb-2007@nospam.nospam

Ok, I'm trying to figure out the "best" (i.e., simple, yet secure) way to
provide some limited remote command execution privileges for a subset of
non-admin users.

We don't want this team to be a domain admin group, but want them to be
able to remotely enumerate network connections (à la "netstat -a -n -b") and
the running processes on remote domain machines.

We looked at using psexec for the netstat, but I don't really see a secure
way to limit user rights with that approach. If they can psexec something
remotely, I suspect they'd effectively have a vector to run various
applications as admin (which is pretty much the same as giving them local
admin rights).

I'm thinking that a VBS/WMI script might be the better approach... but I'm
not sure if this needs local admin rights as well and if I can limit the
access permissions or not.

We've got a VBS/WMI script for the running processes, but nothing for the
functional equivalent of "netstat -a -n -b". So the first question is, does
anyone know how to remotely enumerate network connections and process
linkages through WMI?

The second question is whether or not there is a way to grant a user group
just enough permissions to read the appropriate objects, but not make them
local admins?

Finally, is there actually a way to use psexec to securely grant a domain
group the rights to run a few apps remotely, but not give them the functional
equivalent of local admin rights?

Thanks in advance!

-Matt
 
Whatever happened to 24hr response to managed newsgroups???



"msb-2007@nospam.nospam" wrote:

> Ok, I'm trying to figure out the "best" (i.e., simple, yet secure) way to
> provide some limited remote command execution privileges for a subset of
> non-admin users.
>
> We don't want this team to be a domain admin group, but want them to be
> able to remotely enumerate network connections (à la "netstat -a -n -b") and
> the running processes on remote domain machines.
>
> We looked at using psexec for the netstat, but I don't really see a secure
> way to limit user rights with that approach. If they can psexec something
> remotely, I suspect they'd effectively have a vector to run various
> applications as admin (which is pretty much the same as giving them local
> admin rights).
>
> I'm thinking that a VBS/WMI script might be the better approach... but I'm
> not sure if this needs local admin rights as well and if I can limit the
> access permissions or not.
>
> We've got a VBS/WMI script for the running processes, but nothing for the
> functional equivalent of "netstat -a -n -b". So the first question is, does
> anyone know how to remotely enumerate network connections and process
> linkages through WMI?
>
> The second question is whether or not there is a way to grant a user group
> just enough permissions to read the appropriate objects, but not make them
> local admins?
>
> Finally, is there actually a way to use psexec to securely grant a domain
> group the rights to run a few apps remotely, but not give them the functional
> equivalent of local admin rights?
>
> Thanks in advance!
>
> -Matt
>
 