Guest msb-2007@nospam.nospam Posted July 30, 2007

Ok, I'm trying to figure out the "best" (ie: simple, yet secure) way to provide some limited remote command execution privileges for a subset of non-admin users.

We don't want this team to be a domain admin group, but want them to be able to remotely enumerate network connections (ala "netstat -a -n -b") and the running processes on remote domain machines.

We looked at using psexec for the netstat, but I don't really see a secure way to limit user rights with that approach.. if they can psexec something remotely, I suspect they'd effectively have a vector to run various applications as admin (which is pretty much the same as giving them local admin rights)

I'm thinking that a VBS/WMI script might be the better approach... but I'm not sure if this needs local admin rights as well and if I can limit the access permissions or not.

We've got a VBS/WMI script for the running processes, but nothing for the functional equivalent of "netstat -a -n -b". So the first question is, does anyone know how to remotely enumerate network connections and process linkages through WMI?

The second question is whether or not there is a way to grant a user group just enough permissions to read the appropriate objects, but not make them local admins?

Finally, is there actually a way to use psexec to securely grant a domain group the rights to run a few apps remotely, but not give them the functional equivalent of local admin rights?

Thanks in advance!

-Matt
Guest msb-2007@nospam.nospam Posted August 8, 2007

RE: "Secure" approach for remote execution of commands (least priv)

Whatever happened to 24hr response to managed newsgroups???

"msb-2007@nospam.nospam" wrote:

> Ok, I'm trying to figure out the "best" (ie: simple, yet secure) way to
> provide some limited remote command execution privileges for a subset of
> non-admin users.
>
> We don't want this team to be a domain admin group, but want them to be
> able to remotely enumerate network connections (ala "netstat -a -n -b") and
> the running processes on remote domain machines.
>
> We looked at using psexec for the netstat, but I don't really see a secure
> way to limit user rights with that approach.. if they can psexec something
> remotely, I suspect they'd effectively have a vector to run various
> applications as admin (which is pretty much the same as giving them local
> admin rights)
>
> I'm thinking that a VBS/WMI script might be the better approach... but I'm
> not sure if this needs local admin rights as well and if I can limit the
> access permissions or not.
>
> We've got a VBS/WMI script for the running processes, but nothing for the
> functional equivalent of "netstat -a -n -b". So the first question is, does
> anyone know how to remotely enumerate network connections and process
> linkages through WMI?
>
> The second question is whether or not there is a way to grant a user group
> just enough permissions to read the appropriate objects, but not make them
> local admins?
>
> Finally, is there actually a way to use psexec to securely grant a domain
> group the rights to run a few apps remotely, but not give them the functional
> equivalent of local admin rights?
>
> Thanks in advance!
>
> -Matt