we have a cisco router, which configured with SNMP v3 and username is testAdmin. Is there any command to identify, whether this user has read-only permission or read-write?
Regards,
Sumesh.
You can try to write down the config with the community which you have.
http://www.ciscozine.com/how-to-save-configurations-using-snmp/
This will not affect any service and will prove you if the string is working.
The other option is to bring up loopback interface with some random number
Related
Im a newb to AWS, so please go easy on me. We currently just spun up a custom Windows 10 instance in AWS. I was able to login via RDP successfully, but I'd like to create a new user within the instance so they can login with a different user account using RDP. Any thoughts would be much appreciated.
Okay, After your response to my first, I think I see what you are asking. Plase watch this video:
https://www.youtube.com/watch?v=rgk2w3dQGSo
Download the RDP. Save it. You can then Edit the .rdp and enter the user name and password you created in Windows.
You can create users in the User Management Console in Windows. Ensure they have the rights needed (Remote Desktop User, Administrator, etc).
Enjoy!
Once an Amazon EC2 Windows instance has been launched, it is just a normal Windows computer.
Therefore, you should use use the standard Admin tools to create the user on the Windows computer, with their own username and password.
It is also recommended that you change the random Administrator password after initial login, or (even better) connect the instance to Active Directory or whatever standard authentication system your company uses.
Technoob here. I just figured out why all of you are having trouble. You need to go to the security group the machine is a part of and open port 3389 to your public IP address (ipchicken.com works). Enjoy
If you are trying to connect from another computer then you have to change the inbound rules.
Go to the security groups of your instance. Go to the inbound rules. Add ipv4 and ipv6 as a new rule and apply it. Download the RDP File and try to connect again. It worked for me.
Since version 5.50 the Bitvise SSH Server allows connected client to authenticate to Windows user account without providing this user's Windows password. See here: https://www.bitvise.com/ssh-server-version-history
I've checked it myself - it does indeed.
My question is of pure curiosity: what kind of sorcery is this? Is there any WinAPI that allows such thing or is this some kind of clever hack? I always thought it is impossible to impersonate as other user without a password (as even when configuring Windows service or scheduled task to "run as user" it is neccessary to provide one).
IIRC, the SSH server in Cygwin does the same thing.
If you have the appropriate privileges you can create an access token with ZwCreateToken, no password required. Such a token has some limitations. For example, you can't access network resources without a password and some encrypted material isn't accessible.
There's an explanation and some sample code here.
Since version 5.50, Bitvise SSH Server comes with a Windows authentication package. An authentication package can enhance the Windows logon process in custom ways. When the SSH server needs to log you in, but does not have a password (e.g. because you logged in with a public key), it calls the authentication package to construct a logon token which closely resembles the logon token that would have been created by Windows. As arx has noted, a session created this way does not contain your authentication credentials, so side effects are that you can't access things like network resources and EFS.
I have problem with creating service that has access to files on network disk.
Service must have admin rights and it will be run by users that don't have admin privileges.
I send path as UNC
and file is seen by service but it return ACCES_DENIED errors when try to open or do anything on Network drive.
When I run my service as server , everything works fine.
I try to find answer but everywhere I can found only partial answers that do not help me at all.
========
I read that standard service logged as SYSTEM can't have access to network.
So i tried to log id as
NetworkService, LocalService
It didn't work. After run it as one of those user my service can't save files on c:
Some kind of admin account.But I didn't manage to success on that.
Actually logged user.
I don't know how to get password for current user.
Still this will not work for user without admin rights.
========
Please tell me what can I do?
There are plenty of Services that use somehow network resources. How do they do that?
You need to configure your service to run as a user which has sufficient rights. In this case you are looking for rights to network shares. Typically that's going to need a domain user with appropriate rights. Normally you'd ask your network manager to create a dedicated user account for the purpose.
You appear to be labouring under some false information as to how services work. You talk about running the service under the account of the logged on user. Remember that services run when there are no users logged on. And remember that there may be multiple logged users at any point in time.
For me, the port was getting blocked through firewall, I had to add a inbound rule and specify the port which i was using in my application. This way firewall did not blocked my port for outgoing connections.
References:
https://www.firehousesoftware.com/webhelp/FH/Content/FHEnterprise/FHEnterpriseInstallationGuide/24_StaticPort.htm
What is the best way to send a password to a Windows Service? Our application needs a password in order to start. I don't care that services are "normally" supposed to run without user interaction. Its good enough for us that an operator can start the application and then log off.
On a unix system, I would just echo the password over stdin but the service has no stdin.
Currently, we use the DPAPI to just store the password using CryptProtectData. While this, works, it presents other problems that are beginning to become troublesome.
I'm guessing that I'll need to use some form of IPC between the service and the application that is sending the password but I'm not sure which method is appropriate, if any.
Thanks
Two main options:
You could listen on a socket on startup and wait for the required password to be supplied (maybe embed an SSH server in there, so that the password cannot be snooped over the wire)
My preferred option would be to read the password from a configuration file (that can be secured to the minimum readership) or registry setting (again, sufficiently secure such that only your service and administrators can read/change it)
Thanks for responding Rowland.
You could listen on a socket on
startup and wait for the required
password to be supplied (maybe embed
an SSH server in there, so that the
password cannot be snooped over the
wire)
I considered that but without certificate verification, wouldn't that leave us open to a man in the middle attack?
My preferred option would be to read
the password from a configuration file
(that can be secured to the minimum
readership) or registry setting
(again, sufficiently secure such that
only your service and administrators
can read/change it)
We're trying to follow "defense in depth" as much as possible such that if an attacker compromised the machine, he would not able to access our application.
You can use kerberos mutual authentication. There are few options and examples there.
But just wondering. On a compromised machine, There may be a key logger. So typing the password is never secure if you want to maintain security in this environment. The same problem exist afaik for unix terminals.
DPAPI in UserMode is really the best option, and storing the encrypted data in a protected location, e.g. registry key with limited ACL.
What exactly were the problems that are beginning to be troublesome? Maybe we can just solve those...
What exactly were the problems that
are beginning to be troublesome? Maybe
we can just solve those...
Currently, the application runs as the Local System account.
Our application stores a number of credentials in an encrypted file and uses the DPAPI (in UserMode) for the encryption.
Thus, when the application is installed, the installer is run as the Local System account. We also have a set of tools that ship with the application, some of which need access to this encrypted file and thus, they too need to run as the Local System account.
By the time the application is installed and started, we're heavily dependent on that account.
We're running into problems because one of our users wants to use the application to access a shared network drive. The Local System account has no such privileges and we can't simply run our service as a different user because our encrypted information is protected under the Local System Account.
We've tried to avoid the process of setting up a user account just for our application because it is installed across many different customers and environments, all of whom have wildly different security policies.
You can access a remote drive from a service running under system account. However, you will need to have credentials & share information to connect to the remote machine. You can use the API wnetaddconnection to gain access. Probably your encrypted file can store this credential as well.
I am currently trying to access a network share from my machine programaticaly using vc++ 6.0. I am using WNetAddConnection2 to connect to a share using my credentials.
I am facing the following problem:
Consider the case when there are 2 users trying to access the same remote share from same machine one after the other. Now once a user logins, the other user is not able to login into the share using his credentials until the 1st user logouts.
Also if the 1st user logs onto the remote-machine's root share, then the other user is not able to access anyother share on that machine.
Please let me know if there is any workaround for the same.
Thanks in advance
The answer depends on if the 1st user still needs access. If they don't, then call WNetCancelConnection2(). If they do, Keith Brown in his "Programming Windows Security" book has a trick of calling LogonUser() to establish a new logon session, which creates a new SMB "port" to avoid the conflict. After impersonation, your thread will be able to connect using different credentials.