[THIN] Re: Terminal Services Configuration

• From: "Berny Stapleton" <berny@xxxxxxxxxxxxxxxxx>
• To: thin@xxxxxxxxxxxxx
• Date: Mon, 23 Jun 2008 14:06:44 +0100

It is possible to disable the administrator account via local security
policy and that's exactly how we are doing it. I have written up a security
policy that we are applying to the machine, and I have a batch file of
subinacl commands that make permissions changes to the registry and
filesytem for the new users and administrators groups.

I am trying to limit scope, and there are things that I want the new admin
user to be able to do, and others that I don't. Changing TS config is one
thing that I would like them to be able to do; acting as part of the
operating system, I don't.

It's an un-attended install for us, so ghosting the server I don't care too
much about, I just rebuild the box, drop a couple of software components on
it, re-harden it, and drop it back off into the wild. I can have it back
within a day, and that's good enough for the business.

Berny



2008/6/23 Joe Shonk <joe.shonk@xxxxxxxxx>:

> Is that really necessary?  It is not recommended (nor possible via normal
> means) to disable the administrator's account.  If you're worried about
> someone getting in the machine and having admin rights then keep the scope
> of the administrators group to the local administrator and keep a ghost
> image of the server for easy recovery.
>
> Joe
>
>
> On Mon, Jun 23, 2008 at 5:15 AM, Berny Stapleton <berny@xxxxxxxxxxxxxxxxx>
> wrote:
>
>> The administrator account on this host is disabled, and I am trying to
>> replace it. Effectively, I want the Administrator SID to be useless,
>> unfortunately from what I have seen so far is that Windows is hard coded in
>> places to use the Administrator SID, so this is going to be impossible. I
>> would like to get as close to it as possible though.
>>
>> The only way I can get the admin account back now is to boot off a CD and
>> modify the registry offline.
>>
>> Berny
>>
>>
>> 2008/6/23 Joe Shonk <joe.shonk@xxxxxxxxx>:
>>
>> Run with elevated rights?
>>>
>>> Joe
>>>
>>> On Mon, Jun 23, 2008 at 4:23 AM, Berny Stapleton <
>>> berny@xxxxxxxxxxxxxxxxx> wrote:
>>>
>>>> Hi all,
>>>>
>>>> Does anyone know how to allow permissions to modify / configure the
>>>> Terminal Services Configuration without adding someone to the 
>>>> Administrators
>>>> group?
>>>>
>>>> I have given the user Full Control on the permissions tab, but they
>>>> can't modify the configuration...
>>>>
>>>> Thanks,
>>>>
>>>> Berny
>>>>
>>>
>>>
>>
>

• References:
  • [THIN] Terminal Services Configuration
    • From: Berny Stapleton
  • [THIN] Re: Terminal Services Configuration
    • From: Joe Shonk
  • [THIN] Re: Terminal Services Configuration
    • From: Berny Stapleton
  • [THIN] Re: Terminal Services Configuration
    • From: Joe Shonk

Other related posts:

• » [THIN] Terminal Services Configuration
• » [THIN] Re: Terminal Services Configuration
• » [THIN] Re: Terminal Services Configuration
• » [THIN] Re: Terminal Services Configuration
• » [THIN] Re: Terminal Services Configuration
• » [THIN] Re: Terminal Services Configuration
• » [THIN] Re: Terminal Services Configuration
• » [THIN] Re: Terminal Services Configuration
• » [THIN] Terminal Services Configuration
• » [THIN] Re: Terminal Services Configuration
• » [THIN] Re: Terminal Services Configuration
• » [THIN] Re: Terminal Services Configuration

1. Home
2. thin
3. Archive
4. 06-2008

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---