"Secure" approach for remote execution of commands (least priv)

  • Thread starter msb-2007@nospam.nospam
  • Start date
M

msb-2007@nospam.nospam

Ok, I'm trying to figure out the "best" (ie: simple, yet secure) way to
provide some limited remote command execution priviledges for a subset of
non-admin users.

We don't want to this team to be a domain admin group, but want them to be
able to remotely enumerate network connections (ala "netstat -a -n -b") and
the running processes on remote domain machines.

We looked at using psexec for the netstat, but I don't really see a secure
way to limit user rights with that approach.. if they can psexec something
remotely, I suspect they'd effectively have a vector to run various
applications as admin (which is pretty much the same as giving them local
admin rights)

I'm thinking that a VBS/WMI script might be the better approach... but I'm
not sure if this needs local admin rights as well and if I can limit the
access permissions or not.

We've got a VBS/WMI script for the running processes, but nothing for the
functional equivalent of "netstat -a -n -b". So the first question is, does
anyone know how to remotely enumerate network connections and process
linkages through WMI?

The second question is whether or not there is a way to grant a user group
just enough permissions to read the appropriate objects, but not make them
local admins?

Finally, is there actually a way to use psexec to securely grant a domain
group the rights to run a few apps remotely, but not give them the functional
equivalent of local admin rights?

Thanks in advance!

-Matt
 
M

msb-2007@nospam.nospam

what ever happened to 24hr response to managed newsgroups???



"msb-2007@nospam.nospam" wrote:

> Ok, I'm trying to figure out the "best" (ie: simple, yet secure) way to
> provide some limited remote command execution priviledges for a subset of
> non-admin users.
>
> We don't want to this team to be a domain admin group, but want them to be
> able to remotely enumerate network connections (ala "netstat -a -n -b") and
> the running processes on remote domain machines.
>
> We looked at using psexec for the netstat, but I don't really see a secure
> way to limit user rights with that approach.. if they can psexec something
> remotely, I suspect they'd effectively have a vector to run various
> applications as admin (which is pretty much the same as giving them local
> admin rights)
>
> I'm thinking that a VBS/WMI script might be the better approach... but I'm
> not sure if this needs local admin rights as well and if I can limit the
> access permissions or not.
>
> We've got a VBS/WMI script for the running processes, but nothing for the
> functional equivalent of "netstat -a -n -b". So the first question is, does
> anyone know how to remotely enumerate network connections and process
> linkages through WMI?
>
> The second question is whether or not there is a way to grant a user group
> just enough permissions to read the appropriate objects, but not make them
> local admins?
>
> Finally, is there actually a way to use psexec to securely grant a domain
> group the rights to run a few apps remotely, but not give them the functional
> equivalent of local admin rights?
>
> Thanks in advance!
>
> -Matt
>
 
You must log in or register to reply here.

Similar threads

R
A domain user is attempting to log into a client system that is part of the Remote domain for the first time, but the system is not connected to the d
Replies
0
Views
31
Roopesh M P
R
E
Group Policy - Windows 2019 - Remote procedure call was cancelled. Error 8007071a
Replies
0
Views
56
elhananplistiev
E
P
  • Article
Update on the Recall preview feature for Copilot+ PCs
Replies
0
Views
62
Pavan Davuluri
P
Y
  • Article
How to prepare for Windows 10 end of support by moving to Windows 11 today
Replies
0
Views
23
Yusuf Mehdi, Executive Vice President, Consumer
Y
M
  • Article
Latest innovations for Microsoft Edge for Business – your secure enterprise browser optimized for AI
Replies
0
Views
77
Microsoft Edge Team
M
Back
Top Bottom