Remote restart without disabling UAC or enabling admin account

This topic contains 5 replies, has 2 voices, and was last updated by  Ron 9 months, 1 week ago.

  • Author
    Posts
  • #60151

    Mark
    Participant

    I have a workgroup of few Win 10 PCs I need to control from a Win7 laptop. All of them have the same user name and password. I'm developing a Powershell script that asks for user's choice to run Software1, Software2 etc on a remote machine, then it adds a shortcut link to it into StartUp folder on that PC and restarts it. So far I have troubles restarting remote machines in a secure way.

    I've tried several solutions but they all come with some side effects.

    If I Enable-PSRemoting, it sets LocalAccountTokenFilterPolicy to 1, so the command

    Restart-Computer -Computername  -Force

    doesn't prompt for credentials since they are the same locally and remotely, so I need to create an additional User2 with admin rights, exclude everyone but this User2 from “Force shutdown from a remote system” policy so that it works properly.

    Good. Now my machines require password for remote restart. But with PSRemoting enabled any person or malware who has gotten access to my laptop can run

    Invoke-Command -ComputerName  -ScriptBlock {cmd /c "del c:\*.*" /f /q /s}

    without being prompted for credentials on any machine in the workgroup. Is there a way to force authorization in this scenario, when the same username/password are used on client and server?

    I've also tried remote access with WMI. Same thing. If I disable UAC via LocalAccountTokenFilterPolicy a command like

    Invoke-WmiMethod -ComputerName  -Class Win32_Process -Name Create -ArgumentList 'cmd /c del c:\*.* /f /q /s'

    can be executed without authorization.

    I followed Microsoft's suggested workaround, leaved remote UAC enabled, created User2, granted it all necessary permitions in COM security and WmiMgmt, let WMI through firewall and voila! User1 cannot execute remote WMI commands while User2 can. Well some of them. Shutdown with this command

    Invoke-WmiMethod -ComputerName  -Class Win32_Process -Name Create -ArgumentList 'shutdown /r'

    is a no-go. As well as executing VBS scripst, for instance.

    So, eventually I've come with a solution. I set LocalAccountTokenFilterPolicy to 1 and assign “Force shutdown from a remote system” policy to User2 only. And I also have to disable Administrator shares by appropriate registry key, otherwise with UAC disabled all files on all of my machines are accessible remotely. I manually share the Startup folder to User2 only. If don't enable PSRemoting and let WMI through firewall I cannot run code through these windows. Kinda works, but who knows how many holes are still there that I am not aware of?

    The last resort – enabling built-in admin account – works like a charm in every situation above. Access problems? Admin password solves them all.

    I'm still curious if there a way to shutdown remote machine in a workgroup (not on a domain) having same username/password without disabling UAC or enabling admin account? Or maybe someone could shed light on other strategies for setting a remote machine to run the software of choice on start-up and restart it remotely.

  • #60189

    Ron
    Participant

    I can't test this at the moment, but can't you just force the use of credentials?

    $cred = get-credential
    
    restart-computer -credential $cred ....
    • #60201

      Mark
      Participant

      Sure I can. But the problem is not on the client side. The problem is that the server readily accepts that command without credentials. As long as it has LocalAccountTokenFilterPolicy set to 1 (as dictated by Enable-PSRemoting in my case) and both machines have the same username/password. I see that as a security breach and look for ways to mitigate it.

    • #60204

      Ron
      Participant

      Right, but you should not be logged in as an admin. Restrict those rights to a special account on the remote machines and use that account for your commands, but don't logon under that account.

    • #60210

      Mark
      Participant

      That's what I'm trying to achieve, just don't know where to start.

      I have User1 which is the default admin on servers. And User2 I intend to use for remote manipulations. I know I can downgrade User1 to standard user, but that deprives it from many useful rights like software installation, task scheduling etc. I want to be more selective, like being able to use PS Remoting with User2 but have it blocked for User1. Generally, I want User1 to be the king when logged in locally but I need to restrict this account from anything that has a word "remote" in it. How can this be done?

  • #60217

    Ron
    Participant

    We'll have to wait to see if anyone has a specific solution for your request. But, as a rule with security in general, regardless of OS/System, if you want to be completely secure, you don't login as an admin. You use whatever mechanism is available to you to launch a specific process AS the admin, and you are never at risk of someone running admin commands remotely without a password. It's not convenient, but strict security never is.

You must be logged in to reply to this topic.