NT Authentication

[LHuisingh]

I have added a domain group to the MS logon part of server setup. When I attempt to connect using an account that is a member of the group everything works fine. When I try to connect using a different account that is NOT part of the group I am still allowed access. It does not appear to be rejecting access. I am using 1.0.0 RC18.

Larry Huisingh

[Rudi De Vos]

Are you sure the second user is not local admin.....
A local admin have always access, even when he is not member of the group.

[Marscha]

is this with the new ms-logon (see [topic=637][/topic]) or the ms-logon that comes with RC18?

[Rudi De Vos]

RC18 grant permission for every user that is able to use
the service manager (local admin check)

If you can use the service manager, you can remote install/uninstall vnc, this users HAVE ALWAYS ACCESS.
No need to block them, because they always can grant themself access.

[LHuisingh]

Yes, it turned out that the second user was in the administrators group. I removed that user account from the admin group and rebooted both machines. When I tried with the second one again it crashed the server. I get the following error message

"0x100011f2 referenced memory at 0x00000002. The memory could not be "read"."

I have not tried the new ms-logon yet. This is with RC18. I will try out the new ms-logon next.

Thank you.

[Schra]

If you can use the service manager, you can remote install/uninstall vnc, this users HAVE ALWAYS ACCESS.
No need to block them, because they always can grant themself access.

Hi,

nevertheless I would like to have an option to disallow the local admins to connect to VNC.

Why? Because we have PCs wich are used by many users - every day another. These users need to be in the local admin group and so we added the "domain users"-group to the local admin group and this is (unfortunately) not arguable.

So every user can connect to each PC - that's a big no for our VNC-project. Even with a query window it's not ok, because the "normal user" clicks on every popup-window
Only our "helpdesk" should be able to connect to these PCs.

By the way - is it possible two switch the order of the confirmations? I think it's better to check first the client-->server permission to establish a connection and then query the server-user.

Greetings
Schra

[LHuisingh]

I just tried the new ms-logon. I put in the registry key with a DWORD value of 1 as well. I modified the group name to use the full domain\group specification and it worked fine. The first user that was part of an authorized group was granted access as desired and the second user (not an authorized group member, non-admin user) was denied access and this time the server didn't crash.

I noticed that if you make changes to the authorized user list you have to stop and start the server for the changes to take effect. It would be nice if it would take place right away.

[Rudi De Vos]

Code: Select all

we added the "domain users"-group to the local admin group

Everybody has full controle on every machine...
They can remote install vnc
They can change the local and remote registry of every PC
They are allowed to reset,shutdown every PC you controle.
They can stop the virus checkers beause they use to much cpu....

How do you gonna block the user for changing the "disallow the local admins", they are allowed to change the value from any remote pc.

What local admin rights does the users need, does they need to install there own services ?
You better create your own "power user group" with needed permissions and add the "domain users" in that group

[Schra]

Thanks for your answer!

Code: Select all

They can change the local and remote registry of every PC

No, because of various policies and the disabled "file- and printersharing" a user can't edit the registry remotly.

Code: Select all

What local admin rights does the users need, does they need to install there own services ?

They need full control over installation of drivers + programs, changing the network settings and so on (required because of technicans outside the office at the customers).


Because of data privacy a normal "domain user" shouldn't connect remotly to another PC with VNC - and no, he can't go to this PC and change the stettings from the PC directly (half way around the world/another department with security doors).

As said before - the domain users thing inside the local admin group isn't changeable and a default user with local admin rights on such a remote PC shouldn't be allowed to log on. Yes, I know, that a user with experience can circumvent such blocking, but we have to follow the rules of our works council.

I hope you understand the problem now a little bit better (my first post wasn't very clear).

[Rudi De Vos]

An easy solution for it...
authlogonuser.dll does the check for local admin.

If you don't install this dll, no local admin check.

[yaddyaddayadda]

i removed the dll to see if i could skip the local authentication and the program complained looking for auth.dll. how can i "uninstall" this particular dll.

[Rudi De Vos]

auth.dll is needed...authlogonuser.dll is not

It contain the logging for vnc connections.

[yaddyaddayadda]

i tried removing the authlogonuser.dll , the auth.dll is already in the directory, and restarting the machien to make sure the service isn't using the authlogonuser.dll somehow and i get an error "you selected ms-logon but the auth.dll was not found, and it hangs up the ultravnc client as well.

I'm guessing that because the "server" pc is in a workgroup (not authenticated into the domain) and the client pc is authenticated in the domain that i'm going to have problems using the domain to provide authentication for the server. But i'll keep testing it regardless and hope that i'll work it out. maybe there can be some extra settings aloow a work around