Caution
Permitting all users to connect to Remote Console Server can compromise server security, as Remote Console clients are given a Cmd session. Any user who is given access to a Cmd session can run any application as if they were physically logged on to the server.
On both the Windows NT 3.51 and Windows NT 4.0 platforms, Remote Console clients are limited to members of the Administrators group.
On Windows NT 4.0 or higher, however, while this limitation is the default, you may allow users not in the Administrators group to connect to Remote Console Server. Remote Console Server setup creates a local group on your computer called RConsole Users, which includes a list of users and global groups; to modify the members of this group, use User Manager. All members of the RConsole Users local group are permitted to connect to Remote Console Server. Members of the Administrators group can always run Remote Console clients, whether or not they are members of RConsole Users.
Moreover, Remote Console Server setup adds the privilege "Log on as a batch file" to the RConsole Users group. This privilege is required when the clients use the /logon option.
Remote Console Server setup also adds the following registry entry:
Value = OtherAllowedUsers
This entry is a multi-string value that by default includes only one string: RConsole Users
For those in the OtherAllowedUsers list, a Cmd.exe process is started with the security context of the client. Therefore, such a Cmd process runs with the same security access token as if the client were physically logged on to the server.
Winlogon usually checks that a user who attempts to physically log on to a server has the special user right "Log on locally" (for more information on this right, refer to User Manager documentation). Remote Console Server does not check this privilege before granting access to the client. Therefore, if you configure the server to accept clients that are not members of the Administrators group, you should be aware that they have access to anything on the server, as if they were logged on to the server and running Cmd.
For better security in this case, check all file permissions so that these clients can edit or modify only the files to which they have been granted access.
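The gap described above (Remote Console access without the "Log on locally" check) can be audited from exported group data. The following is an added example, not part of the Remote Console documentation: all account and group names are constructed, and treating each OtherAllowedUsers string as either a user or a group name is an assumption.

```python
# Constructed sample data: group name -> members (users or nested global groups).
GROUPS = {
    "Administrators": ["alice", "DOMAIN\\Domain Admins"],
    "DOMAIN\\Domain Admins": ["bob"],
    "RConsole Users": ["carol", "DOMAIN\\Helpdesk"],
    "DOMAIN\\Helpdesk": ["dave", "erin"],
    "Server Operators": ["erin"],
}
OTHER_ALLOWED_USERS = ["RConsole Users"]                  # default multi-string value
LOG_ON_LOCALLY = ["Administrators", "Server Operators"]   # constructed rights holders


def expand(name, groups, seen=None):
    """Resolve a user or group name to the set of user accounts behind it."""
    seen = set() if seen is None else seen
    if name in seen:              # guard against circular nesting
        return set()
    seen.add(name)
    if name not in groups:        # not a known group: treat as a user account
        return {name}
    users = set()
    for member in groups[name]:
        users |= expand(member, groups, seen)
    return users


def rconsole_allowed(groups, other_allowed_users):
    """Accounts the server accepts: Administrators always, plus the allow list."""
    allowed = expand("Administrators", groups)
    for entry in other_allowed_users:
        allowed |= expand(entry, groups)
    return allowed


def exposure_gap(groups, other_allowed_users, log_on_locally):
    """Accounts that can get a Cmd session but lack 'Log on locally'."""
    local = set()
    for holder in log_on_locally:
        local |= expand(holder, groups)
    return sorted(rconsole_allowed(groups, other_allowed_users) - local)


if __name__ == "__main__":
    for account in exposure_gap(GROUPS, OTHER_ALLOWED_USERS, LOG_ON_LOCALLY):
        print("Cmd access without 'Log on locally':", account)
```

Accounts reported by `exposure_gap` are the ones whose file permissions deserve review first, since nothing else on the server restricts their Cmd session.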
Note
The /logon option of the client now encrypts the password with a Data Encryption Standard (DES) algorithm.