Network Security Secure-Shell

Windows Server 2003 Security Question

Subject: Windows Server 2003 Security Question
Date: Thu, 6 Oct 2005 10:03:11 +0100
Hi,

I have a security question, please, concerning the use of OpenSSH server
on a Windows Server 2003 system that acts as the ActiveDirectory/Domain
Controller system (let us call the domain MYDOM).

Both my client machine (running Windows 2000 Pro at Service Pack 5) and
the server (Windows Server 2003 Enterprise Edition at Service Pack 1)
are running OpenSSH_4.1p1. I wish to connect between the two using
public key authentication, and the user I am using at both ends is the
same one called usersrv. This user was set up on the Active Directory
machine and is therefore a domain user. So ./usersrv (i.e.
MYDOM/usersrv) is the logon user for the sshd service.

Now to install the OpenSSH service initially on the AD/DC system
requires local admin rights plus the other usual special permissions for
./usersrv so that the service can be installed and started.

Our requirement is that ./usersrv be demoted as soon as possible from
the local Administrators group on the AD/DC system. Ideally this would
be once the service was installed. However, what we have found by
experimentation is that you must make an initial OpenSSH connection
between the client and the server, and that the connecting user must have
Admin rights on the AD/DC system. Once that is done you can then demote
the ./usersrv user from the local Admin group on the AD/DC system.
Thereafter public key authentication will continue to work so long as
you use the same user at both ends (which we are). You can also stop and
restart the sshd service successfully.

Is there a way around this, please? We know that after demoting the
./usersrv user, connection using password authentication, or using public
key authentication with a different user at each end, will not work;
however, that does not worry us. But is there a way that we can get
public key authentication to work first time using the same domain user
at each end, where that user does not have local admin rights on the
AD/DC Windows Server?

*************************************
Des Atkinson
Technical Director
Metron Technology Ltd.
Osborne House, Trull Road
Taunton, TA1 4PX
tel: +44 (0)1823 259231
fax: +44 (0)1823 334502
e-mail: desa@metron.co.uk
www: http://www.metron.co.uk/
**************************************
Views expressed are those of the sender only
& should not be taken as company policy.
**************************************
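The post describes three states worth verifying separately: which account the sshd service runs as, whether that account is still in the Administrators group on the domain controller, and whether the same domain user can authenticate with its key alone once the demotion has been done. The following script is an added example, not code from the original post or from the OpenSSH for Windows package. It assumes PowerShell is installed on the Windows Server 2003 host, that the sshd service is registered under the name OpenSSHd (the name used by the cygwin-based OpenSSH for Windows packages of that era; change it if yours differs), that the AD/DC is reachable as dc01.mydom.local, and that the client key is at the default id_rsa path. All of those names are assumptions.

```powershell
# Added example, not from the original post. Assumed names: service 'OpenSSHd',
# host 'dc01.mydom.local', domain MYDOM, user usersrv, key %USERPROFILE%\.ssh\id_rsa.
$serviceName = 'OpenSSHd'
$domain      = 'MYDOM'
$user        = 'usersrv'
$sshHost     = 'dc01.mydom.local'
$keyFile     = "$env:USERPROFILE\.ssh\id_rsa"

# 1. Which account does the sshd service log on as?  StartName is the
#    configured service logon account (e.g. MYDOM\usersrv).
$svc = Get-WmiObject Win32_Service -Filter "Name='$serviceName'"
if (-not $svc) { throw "service $serviceName not found on this host" }
"sshd logon account: $($svc.StartName)"

# 2. Is that account still a member of Administrators on this host?
#    On a domain controller the 'local' Administrators group is the domain's
#    Builtin\Administrators group; the WinNT ADSI provider still exposes it
#    under the computer name, so the same query works on a DC and a member server.
$admins  = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$members = @($admins.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
$isAdmin = $members -contains $user
"$domain\$user is in Administrators: $isAdmin"

# 3. Can the same user authenticate with the key only?  BatchMode=yes and
#    PasswordAuthentication=no stop ssh from falling back to a password prompt,
#    so the exit code reflects public-key authentication on its own.
& ssh -o BatchMode=yes -o PasswordAuthentication=no -o PreferredAuthentications=publickey `
      -i $keyFile "$user@$sshHost" 'echo OK'
if ($LASTEXITCODE -eq 0) {
    'public key authentication works for the demoted account'
} else {
    "public key authentication failed (ssh exit code $LASTEXITCODE); run ssh -v for the server's reply"
}
```

Run step 3 before and after removing the account from Administrators: if it succeeds with the account still in the group but fails once it is removed, the problem is in what the first privileged connection set up on the server side, not in the key exchange itself, and ssh -v output on the failing run will show which authentication method the server rejected.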

