dshonwood
Engaged Sweeper
Couple of things concern me. I was able to access the interface without logging in. So anyone on my domain can get into this console?? If that is true, that means anyone can open the web console and reboot servers and workstations at will? Is there a way to prevent this?
6 REPLIES
dteague
Engaged Sweeper III
I don't work for IT in my company, but in our Risk Management department. I use LanSweeper as an independent tool, so I can keep tabs on IT, and make sure that nothing "off the books" is going on.

The funny thing is that most of my company's IT staff is now using LanSweeper, as they trust the data that comes from it more than what comes from their own tools.

Just wait until I audit them this year.
dshonwood
Engaged Sweeper
Appreciate the input... I did as instructed by lansweeper forum admin and that should work for now. Sometimes at my location we get REAL security friendly. If managers could remote lock users to desktops in handcuffs 8 hours a day, they would.


Thanks again both of you.
dteague
Engaged Sweeper III
I've had LanSweeper for several years, so some things I guess I just take for granted. With the exception of rescanning, all the options are run as the user that is viewing the webpage.

We have several items that you need elevated privileges to execute, and we use ShellRunAs to allow for that.

dshonwood
Engaged Sweeper
I see your point and I understand the command it is using. Where in any configuration settings is it saying that you're executing that command via Windows authentication? By default only local administrators group members can run that command line. How does the Lansweeper action know who is using the command if it is not running the initial console using authentication?

I would just as soon make sure none of the users could access the console, as we do not have any "power" users so to speak on our domain and no need to see that info.

FYI... this is coming from a long-time Dameware NT Utilities user who had to have authentication to do some of the actions and custom actions used in our domain. So consider me "new" to not having to actually "authenticate" to use certain tools.
dteague
Engaged Sweeper III
dshonwood wrote:
Couple of things concern me. I was able to access the interface without logging in. So anyone on my domain can get into this console?? If that is true, that means anyone can open the web console and reboot servers and workstations at will? Is there a way to prevent this?


I don't know your environment, but just because they can click on the button does not mean they can reboot the remote computer. All that button is doing is executing the SHUTDOWN command. If they have rights today to type SHUTDOWN -r -m \\computername from a COMMAND prompt, LanSweeper is not giving them any more access.

For over a year we had LanSweeper open to everyone in the company, but just recently decided to lock it down. There was no abuse, as there is nothing that I would consider confidential information in it, we just decided to lock it down.

Only issue we have had with locking it down is now techs can't get to it via their BlackBerrys.
Hemoco
Lansweeper Alumni
Please refer to this knowledge base article for info on restricting web console access. Website access is currently "all or nothing". Role based access is planned for Lansweeper version 5.0. We do not yet have a release date for this version.