Is there any way to restrict access to a computers 'Computer Management' con
sole.
I am asking, because we are running a Windows 2000 AD, and through testing h
ave realized that a regular domain users can manage a server remotely throug
h Computer Management. We want to restrict access to just this utility, with
out infringing on network a
ccess to th servers, because they do hold network resources that have to be 
accessed on a regular basis. If someone can give me all the possible securit
y steps that can be performed, and I will try them to see what best meets ou
r needs.

Thanks in advance

[ Post a follow-up to this message ]

Regular users can "see" remote computers via Computer Management, but can no
t do much
of anything if they do not have administrative credentials for the target co
mputer.
Of course I still understand the concern and you can disable the Computer Ma
nagement
console for users via Group Policy/user configuration/administrative
templates/Windows components/Microsoft Management console/restricted and per
mitted
snapins. Keep in mind that doing such at the domain level will restrict all 
users
including administrators unless you filter the policy scope to exempt admini
strators
by giving administrators "deny permissions" to the apply permission for the 
GPO.  ---
Steve

http://support.microsoft.com/defaul...kb;en-us;322176

"Mick35" <anonymous@discussions.microsoft.com> wrote in message
news:E028C0EC-3C26-4637-B52E-44902B06739C@microsoft.com...
quote:

> Is there any way to restrict access to a computers 'Computer Management' c
onsole.
> I am asking, because we are running a Windows 2000 AD, and through testing have[/Q
UOTE]
realized that a regular domain users can manage a server remotely through Co
mputer
Management. We want to restrict access to just this utility, without infring
ing on
network access to th servers, because they do hold network resources that ha
ve to be
accessed on a regular basis. If someone can give me all the possible securit
y steps
that can be performed, and I will try them to see what best meets our needs.[QUOTE]
>
> Thanks in advance

[ Post a follow-up to this message ]

I ask because a regular user who does not have admin rights on the regular c
omputer was able to stop services on the target PC. I originally thought the
 same thing until we tested it. Let say USER1 who does not have admin rights
 on PC2 was able to connect
via Computer management from PC2, and was able to stop some services on PC1.
 ????, just did not make sense.

Thanks

[ Post a follow-up to this message ]

I don't think a regular user can stop any operating system service in a defa
ult
installation - definitely no critical services. You might want to run Securi
ty
Configuration and Analysis tool comparing to the setup security template on 
that
computer to see what it reports for services and verify that the user accoun
t you are
using does not have administrator/power user rights on the target computer. 
On
workstation computers that are not offering shares, yet you want to manage r
emotely,
consider modifying the user right assignment for access this computer from t
he
network to contain only the administrators group. --- Steve



"Mick35" <anonymous@discussions.microsoft.com> wrote in message
news:9E526477-8FAB-4CAD-B737-2AC35C2B8331@microsoft.com...
quote:

> I ask because a regular user who does not have admin rights on the regular computer[/color
]

was able to stop services on the target PC. I originally thought the same th
ing until
we tested it. Let say USER1 who does not have admin rights on PC2 was able t
o connect
via Computer management from PC2, and was able to stop some services on PC1.
 ????,
just did not make sense.
quote:

>
> Thanks

[ Post a follow-up to this message ]

Hey Steve, thanks for the info on the tool. Is there any special section I s
hould be loking. I ran the tool and analyzed the data. I opened each sub ite
m, but could not find anything abnormal. Is there a Red X or something I sho
uld be seeing if there is a
problem. All I saw were green check marks, and anything that did not have an
 icon next to it was 'Not Defined'

Thanks
Mike

[ Post a follow-up to this message ]

Hello,

What privileges does the user in question have on PC1, since that it where
the services are being stopped?

Dale Weiss MCSA MCSE CISSP
PSS Security

This posting is provided "AS IS" with no warranties, and confers no rights.
Any opinions or policies stated within are my own and do not necessarily
constitute those of my employer. Use of included script samples are subject
to the terms
specified at http://www.microsoft.com/info/cpyright.htm

[ Post a follow-up to this message ]

If the marks were all green, then you have default settings in the security 
setup
template. I still don't understand how a regular user can stop services. If 
you look
at the setup security template/services and select edit security you will se
e the
permissions that users have to the service and I don't think everyone/users 
have
permissions by default to stop any service.  --- Steve


"Mick35" <anonymous@discussions.microsoft.com> wrote in message
news:2BF16987-0EE1-402B-B5C6-43706423B2E8@microsoft.com...
quote:

> Hey Steve, thanks for the info on the tool. Is there any special section I should[
/QUOTE]
be loking. I ran the tool and analyzed the data. I opened each sub item, but
 could
not find anything abnormal. Is there a Red X or something I should be seeing
 if there
is a problem. All I saw were green check marks, and anything that did not ha
ve an
icon next to it was 'Not Defined'[QUOTE]
>
> Thanks
> Mike

[ Post a follow-up to this message ]