> The solution to this configuration error is to stop the rcmd service on the > server and when you need access use the netsvc command to start it. Since > only the admin has the permissions to stop and start services I think this > should pretty much cure the problem. However I'd really like to hear from > anyone who has ideas on this one. > > Geo. Several possible solutions to remote UNIX style management of NT machines: To solve the RCMD.EXE problem (and quote the MS help files): Security is provided in two ways: The logged-on user must have interactive logon privileges on the target computer in order to connect to it. Any programs executed on the target computer are executed impersonating the logged-on user. Any access validation (such as opening files) is performed as if the user were logged on to the local computer. So simply tighten up permission on the server, remember by default the group everyone can pretty much run amuck on the system, so simply remove the group everyone's (and any other global/local groups or users that do not need access to the files/etc) permissions from any file/programs you deem sensitive (which should be most of them), this will keep the FP users out of trouble. A better solution would be to create a FP users group and simply give then no access to any sensitive areas. After quickly looking at the installation instructions for "RSHSVC.EXE: TCP/IP Remote Shell Service" I noticed a "Open RSHSVC.HTM now" link. The following is from rshsvc.htm: Security Contents In order to set up client access to the Remote Shell service, you must place a .rhosts file in the %Systemroot%\System32 folder\Drivers\Etc folder. The .rhosts file should contain one or more entries of the following type, each entry appearing on one line: <C1> <U1> [<U2> <U3> ....] where: C1 is the name of the computer from which the RSH client can be run U1, U2, and so on, are names of users who are granted access to the Remote Shell service. _________________________________________________________________ This is from NT Server Reskit Suppliment #2, I didn't bother to check the original or Suppliment #1, but I suspect the same applies. Using the .rhosts properly would seem to me to cut the risk down considerably and be a better alternative in many ways then RCMD.EXE. -seifried
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:50:07 PDT