Highlighted
Acclaimed Contributor.
Acclaimed Contributor.
836 views

Is there a (more) secure way ... to control

Hi!
ZCM (11 SP3) have relatively ok built in tools for instant managing of devices – remote control, file transfer, diagnostics. And ... it's good to have all these over a ZCC (and web) to access. But (keeping in mind targeting Windows devices) ... sometimes (very often to be honest) I need to have a quick look for Windows services, tasks, entire file system etc. and to accomplish it unattended way. So, usually I'd activated and used MS admin share for instant access to services, tasks from command prompt, Windows registry etc. (without taking over a remote (desktop) console and wo bothering user at all), also file system as necessary using Total Commander, more convenient comparing to File Transfer. That's good. But ... it requires opening a MS share which could be not the best way having in mind security. Is that correct? If so, maybe I have overlooked some options within ZCM to accomplish all this I described and used via MS share? Or ... some other (more secure comparing to activating MS admin share) suggested options to have?
More thanks, Alar.
Labels (2)
0 Likes
10 Replies
Highlighted
Acclaimed Contributor.
Acclaimed Contributor.

Re: Is there a (more) secure way ... to control

But, anyway, should I keep distance of activating MS admin share? For purposes I described above.
Alar.
0 Likes
Highlighted
Micro Focus Expert
Micro Focus Expert

Re: Is there a (more) secure way ... to control

Simply use the "Access this Computer from the Network Policy" to restrict remote access to the computerto a few specific local accounts you manage via ZCM.
--
Please give a hearty thumbs up to any post you find helpful!
To find articles by Craig Wilson simply follow the link: Craig Wilson's Tips!
0 Likes
Highlighted
Acclaimed Contributor.
Acclaimed Contributor.

Re: Is there a (more) secure way ... to control

Hi and thanks Craig!
Yes, I'm using this policy to avoid regular admin to have access computers remotely. But, no-no-no, this isn't what I meant. I'll bring an example. I want to have list of running tasks on remote (Windows) computer. To be sure ... some x task running or not. And, when necessary, to kill some. Via ZCC I must use remote diagnostics, but this will take screen from user and ... not so convenient not for user nor for admin. Or, another example, must take a peek into registry, same way, same problem. Or have I overlooked something? Or, another example, must to upload or download or delete some file(s) on remote computer ... file transfer (when user is logged in) operates in user rights ... can't do anything beside areas where user have rights. Etc. So, I used MS admin share. And accessing from remote admin computer devices wo hassle. But, this will bring other risks, some "bad things" may use this share? Correct? Security risk. Even it's protected with secure password. Also, truth, I must anyway modify registry to have access over Windows UAC. So ... any better ideas?
More thanks, Alar.
0 Likes
Highlighted
Absent Member.
Absent Member.

Re: Is there a (more) secure way ... to control

NovAlf,

psexec?

--

Shaun Pond
in my "day job" I work for ENGL; our aim is to make Windows deployment
easy


0 Likes
Highlighted
Micro Focus Expert
Micro Focus Expert

Re: Is there a (more) secure way ... to control

Shaun Pond;2408522 wrote:
NovAlf,

psexec?

--

Shaun Pond
in my "day job" I work for ENGL; our aim is to make Windows deployment
easy



PSEXEC requires the Admin$ share as does any attempt to remotely issue commands to the server.
Nothing unsecure about having an Admin$ share so long as you control who can access it.
--
Please give a hearty thumbs up to any post you find helpful!
To find articles by Craig Wilson simply follow the link: Craig Wilson's Tips!
0 Likes
Highlighted
Acclaimed Contributor.
Acclaimed Contributor.

Re: Is there a (more) secure way ... to control

Hi and thanks!
Well, PSTools is no doubt tools-must-have, but, yes, depend also on MS admin-share. Probably, yes, to achieve what I want no good way over having it (MS share), anyway.
More thanks, Alar.
0 Likes
Highlighted
Micro Focus Expert
Micro Focus Expert

Re: Is there a (more) secure way ... to control

What "Bad" things could use this Share if you lock down via policy so that only 1-2 accounts are permitted to connect to the share and you manage those accounts?
Don't even give out the password to those accounts but create tools around those accounts that has the security embedded, which is far more than any high security environment of which I am aware does.
--
Please give a hearty thumbs up to any post you find helpful!
To find articles by Craig Wilson simply follow the link: Craig Wilson's Tips!
0 Likes
Highlighted
Acclaimed Contributor.
Acclaimed Contributor.

Re: Is there a (more) secure way ... to control

Hi again and thanks again!
Yeah, I don't know what is so bad about MS share when to keep some discipline. As You wrote - to know who is accessing it, keep pwd's safe etc. elementary.
I was asking almost same question here (at my site) – "why not use it!?". We could have at hand more flexible and more productive approach for ourselves to admin devices and also for customers to serve them. ... Still some fears about using it.
So, I thought, I'll ask here ("from people in the trenches"), maybe is something I overlooked within ZCM, maybe ... some other (good) options. 😃
More thanks, Alar.
0 Likes
Highlighted
Absent Member.
Absent Member.

Antw: Re: Is there a (more) secure way ... to control


Yes Alar,



ZfD was more usefull seeing from this objektiv (seeing the eventlog as an ZfD-Admin without interrupting a user , and so on...).

But ZCM is not very useful in this things.

One has forced to use MS-Utilities instead of ZCM...



I'm unconvinced if this is a good way...



Frank



>>> NovAlf<NovAlf@no-mx.forums.microfocus.com> 14.10.2015 15:46 >>>




Hi again and thanks again!
Yeah, I don't know what is so bad about MS share when to keep some
discipline. As You wrote - to know who is accessing it, keep pwd's safe
etc. elementary.
I was asking almost same question here (at my site) – "why not use
it!?". We could have at hand more flexible and more productive approach
for ourselves to admin devices and also for customers to serve them. ...
Still some fears about using it.
So, I thought, I'll ask here ("from people in the trenches"), maybe is
something I overlooked within ZCM, maybe ... some other (good) options.
😃
More thanks, Alar.


--
NovAlf
------------------------------------------------------------------------
NovAlf's Profile: https://forums.novell.com/member.php?userid=19735
View this thread: https://forums.novell.com/showthread.php?t=494567
0 Likes
Highlighted
Acclaimed Contributor.
Acclaimed Contributor.

Re: Antw: Re: Is there a (more) secure way ... to control

Hi!
Yes, I remember these ZfD days. 😃
---
Also I remember in our University our Faculty was only (and first) one managing devices already (with ZfD) as other Faculties and IT department even didn't know how to do this. Same is in Uni today, but the IT dep forced us to abandon Novell soft (including years implemented ZCM, oh, sorry) ... and reality is ... nothing offered instead, nothing complete ... they use few times in year Ninite (Pro! – so, paying for it) for having devices up-to-date on some soft even having and paying for MS educational agreement including SCCM. ... And we had this all and even much more done with Novell/ZCM, years, they just ... demolish! Sorry for this side-talk.
---
But, yes, truth is we (in University and parallel with ZCM) days used MS sharing in way described here above. Why not!?
You mean "not good way" to use MS utilities in way written here or "not good way" for Novell/ZCM not having something instead?
As Windows is MS product we probably have to use some ... utilities and tools from MS and third parties, anyway, nothing wrong about that, but, yes, I miss I can't or don't know how I could accomplish this I described here with ZCM in way I could do with MS utilities/tools.
Of course, must say it here for not misunderstanding, mainly ZCM does the job very well. My concern and question is/was does using MS share etc. that way is ok keeping in mind security, and how other is ... handling this kind of approach.
More thanks, Alar.
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.