If UAC is enabled, the user MUST respond to a UAC prompt when allowing remote assistance. This is a design "feature" that essentially makes it impossible for a company to help its users unless the users are granted local admin rights on the PC, a third-party product is used, or UAC is disabled. Thanks, Microsoft, for making our jobs that much more difficult and costly.

Below is an excerpt from the Vista Resource Kit book (from ):

When a User consents to having a Helper share control of her computer during a Remote Assistance session, the User has the option of allowing the Helper to respond to UAC prompts (Figure 23-1). Typically, User Account Control (UAC) prompts appear on the Secure Desktop (which is not remoted) and consequently the Helper cannot see or respond to Secure Desktop prompts. The Secure Desktop mode is the same mode that a user sees when she logs on to her computer or presses the Secure Attention Sequence (SAS) keystroke (Ctrl+Alt+Delete). UAC elevation prompts are displayed on the Secure Desktop instead of the user’s normal desktop to protect the user from unknowingly allowing malware to run with elevated privileges on her computer. The user must provide consent to a UAC prompt to return to her normal desktop and continue working. This consent requires either clicking Continue (if the user is a local admin on her computer) or by entering local admin credentials (if she is a standard user on her computer).

It is important to understand that the Secure Desktop on the User’s computer is not remoted to the Helper’s computer. In other words, the Helper can only respond to UAC prompts on the User’s computer using the User’s own credentials. This means that if the User is a standard user on her computer while the Helper is a local administrator on the User’s computer, the Helper can only have administrative privileges on the User’s computer if the User can first supply those credentials.

Enforcing this limitation is essential to ensure the security of Vista desktops. The reason behind this design decision is that if RA was architected to allow the Helper to remotely elevate the User’s privileges, the User would be able to terminate the RA session and thus steal local admin credentials from the Helper.

Basically, the user must allow the helper to have admin access by providing their own admin credentials in order to prevent them from stealing local admin privileges from the helper, which is moot because they already must have local admin privileges! At least MS should have provided a Group Policy setting that turns off UAC for RA in a domain, or something similar.

Anyone can comment if this problem is fixed in Windows 7?

Remote assistance (RA) is really needed in the enterprise, and 95% of the time it is the following scenario: a Help Desk employee with admin rights must help a local person who does not have admin rights, and in 90% of cases the Help Desk employee needs to open computer management tools or other things that require admin credentials (for example, to install an additional program, etc.).

1. Help-desk-initiated RA requires opening dangerous ports in the firewall that are shared with other Windows features. Instead, it should work over a separate port used only for RA.

2. The UAC prompt on the local user's side makes this feature totally useless. And it does not improve security at all: third-party programs get installed that share the desktop, including all the UAC prompts. Every second counts for an expensive Help Desk employee; nobody has the time to tell a non-advanced local user that he must press one button or another.

3. No questions must be asked on the user side (except the first Yes/No to allow the connection) for connections from authorized Help Desk technicians (if such a domain policy is in place). The "Enterprise" version must not behave like a version designed for the home user. The company owns the PC, and if the decision is that a Help Desk employee or company administrator can connect to any PC to fix a problem, there must be a group policy enabling that.
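The excerpt above turns on two settings: whether UAC is on and whether its prompts go to the Secure Desktop, which Remote Assistance does not remote. The script below is an added example, not code from the post or from the Resource Kit. It reads the UAC policy values (EnableLUA, PromptOnSecureDesktop, ConsentPromptBehaviorUser) and the Remote Assistance values (fAllowToGetHelp, fAllowUnsolicited, fAllowFullControl) from their documented registry locations and reports whether a Helper could ever see an elevation prompt on this machine. The fallback defaults used when a value is absent, and the wording of the findings, are my own assumptions; the point is to spot the "just disable UAC" workaround the post mentions rather than to apply it.

```powershell
# Added example (not from the post or the Resource Kit): audit the UAC and
# Remote Assistance settings that decide whether a Helper can see a UAC prompt.
# Run in an elevated PowerShell session; read-only, changes nothing.

function Get-RegValueOrDefault {
    param([string]$Path, [string]$Name, $Default)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }   # key or value missing: use the assumed default
    return $item.$Name
}

function Get-RaUacPosture {
    $uacKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $raPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $raLocal  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'

    # Assumed defaults (out-of-box values for a Vista/Windows 7 client) when unset.
    $enableLua     = [int](Get-RegValueOrDefault $uacKey 'EnableLUA' 1)
    $secureDesktop = [int](Get-RegValueOrDefault $uacKey 'PromptOnSecureDesktop' 1)
    $userPrompt    = [int](Get-RegValueOrDefault $uacKey 'ConsentPromptBehaviorUser' 3)

    # Group Policy values, when present, override the local Remote Assistance settings.
    $solicitedRa = [int](Get-RegValueOrDefault $raPolicy 'fAllowToGetHelp' `
                        (Get-RegValueOrDefault $raLocal 'fAllowToGetHelp' 0))
    $offerRa     = [int](Get-RegValueOrDefault $raPolicy 'fAllowUnsolicited' 0)
    $fullControl = [int](Get-RegValueOrDefault $raPolicy 'fAllowFullControl' `
                        (Get-RegValueOrDefault $raLocal 'fAllowFullControl' 1))

    $findings = @()
    if ($enableLua -eq 0) {
        $findings += 'UAC is disabled: admin users run fully elevated all the time (the workaround the post warns about).'
    }
    if ($enableLua -eq 1 -and $secureDesktop -eq 0) {
        $findings += 'UAC prompts appear on the normal desktop, so they are visible to an RA Helper and to any other screen reader.'
    }
    if ($userPrompt -eq 0) {
        $findings += 'Standard users are auto-denied elevation; a Helper cannot elevate for them in an RA session at all.'
    }
    if ($offerRa -eq 1) {
        $findings += 'Offer (unsolicited) Remote Assistance is enabled by policy; review its helper list and firewall exception.'
    }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        UacEnabled             = ($enableLua -eq 1)
        PromptsOnSecureDesktop = ($secureDesktop -eq 1)
        StandardUserPrompt     = $userPrompt        # 0 = deny, 1 = secure desktop, 3 = normal desktop
        SolicitedRaAllowed     = ($solicitedRa -eq 1)
        OfferRaAllowed         = ($offerRa -eq 1)
        FullControlAllowed     = ($fullControl -eq 1)
        # The post's core point: with UAC on and prompts on the Secure Desktop,
        # the Helper never sees the prompt; only the User at the keyboard can answer it.
        PromptHiddenFromHelper = ($enableLua -eq 1 -and $secureDesktop -eq 1)
        Findings               = $findings
    }
}

Get-RaUacPosture | Format-List
```

PromptHiddenFromHelper is true on a default configuration, which is the behaviour the excerpt describes as intended. Any machine where it is false has had UAC or the Secure Desktop turned off, and that is the condition worth alerting on across a fleet rather than the RA inconvenience itself.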