Support
Authorization

Newsletter

  Settings

Disabling remote access if local user logged in?

 

Forums list
Topics list
New topics
Search
Rules
Help
Login: 
Register

Pages: 1
  Views: 10461Topic:: «Disabling remote access if local user logged in?» on forum: Network management general discussion
#1
Hi,

I'm interested in finding out if Radmin can be set up to disallow incoming connections if a user is already logged into the machine, or if a connection can be disallowed if the connection isn't coming from a user who is currently logged in locally.

This question came up because of the availability to sensitive data to prying eyes.

Thanks.
Edited: chris forrest 04/17/2009 13:26:34
Profile
#2
Hi Chris

Have a look at this thread ...
http://www.radmin.com/support/forum/read.php?FID=30&TID=13800

... I don't know if that change would be in the next release ... ?

Furthermore, I presume the second part of your question means the refusal of a Radmin connection if there is already a user logged on locally? If that's the case I doubt if Radmin will specifically take account of that.
Profile
#3
As an afterthought, as far as local logons go there are probably a few workarounds you could employ. For example you could have policy-driven logon/logoff script which turn the Radmin Server service off/on respectively. This would stop Radmin access while a user was logged on and restore that capability when they logged off.

That wouldn't solve all of your problems by any means, but it may help to form one part of a workable solution.
Edited: Paul B 04/17/2009 16:46:31
Profile
#4
That was kind of what I wa
Quote
Paul B wrote:
As an afterthought, as far as local logons go there are probably a few workarounds you could employ. For example you could have policy-driven logon/logoff script which turn the Radmin Server service off/on respectively. This would stop Radmin access while a user was logged on and restore that capability when they logged off.

That wouldn't solve all of your problems by any means, but it may help to form one part of a workable solution.


That's kind of where I was headed with my question.

Another one:

With the option to have the locally logged in user click a prompt to accept an incoming connection turned on, what happens if nobody is logged into the machine to accept the incoming connection?
Profile
#5
You have the choice in the Radmin Server settings of auto allow or auto deny after the prescribed time is up.
Profile
#6
Paul, the problem with your idea of a logon/logoff script would be that RAdmin gives you control of the console session. This means you still would have to log into the console (assuming you're connecting for Full Control) after connecting with RAdmin, whereupon the logon script would terminate your RAdmin connection!

A better (and simpler) solution might be to configure RAdmin to use Windows Security, and assign permissions to user accounts that have rights locally on the workstation, so that only users who can sit down at that workstation and log on have permission to log on via RAdmin. (You could lock it down further as needed.)

This wouldn't address the possibility of denying an RAdmin connection when someone is already logged on, though. To do that, you could possibly do something fancy with a logon script, where the logon script altered the RAdmin server settings (via a registry patch, probably) to require the local user's permission for incoming connections and deny after the timeout. Then a logoff script could change the RAdmin server settings back to allowing incoming connections with no requirement of a local user's permission.

Just my thoughts ...
smile:)
Profile
#7
Hey, whatcha doing back "in exile"? smile;)

Ah ... I see you're yourself again now I've actually got round to posting!

You're right in that I hadn't considered that! However the logon/logoff scripts would simply have to disable/enable or pause/resume the Radmin service depending on the identity of the current user. So a user could be reserved for a "genuine" local logon only and the script would affect the Radmin service for "any other user".

And that's similar to your last paragraph. As you say, there are various variations on a theme, though without knowing precise requirements nothing I can think at the moment is especially elegant! smile:)
Edited: Paul B 04/19/2009 17:14:58
Profile
#8
A hammer is never really elegant ... but sometimes it IS the right tool for the job. smile8)

BTW, kudos on how busy you've been - it didn't take you long to surpass my total message count!

smile;)
Profile
#9
Quote
Paul B wrote:
You have the choice in the Radmin Server settings of auto allow or auto deny after the prescribed time is up.


Right, but what happens if it is set to auto deny and nobody is around the machine to accept?

Next, where can I set the number of concurrent Radmin connections to 1?
Profile
#10
Quote
chris forrest wrote:
... what happens if it is set to auto deny and nobody is around the machine to accept?

Then the remote user cannot access the machine. There is no point in using an "ask user" and "auto deny" policy if you expect or require people to access an unattended machine.

Quote

Next, where can I set the number of concurrent Radmin connections to 1?

Currently, you can't. See this thread ...
http://www.radmin.com/support/forum/read.php?FID=30&TID=13800
Edited: Paul B 04/21/2009 18:24:25
Profile
#11
Probably feature of limiting connections amount won't be implemented, there is why:
Imagine that for some reason remote user login then connections aborts, but without immediate TCP/IP timeout. Or remote user just forget about his connection, then nobody will be able to connect to this Radmin server until issue resolves. Hovewer it is still the subject of discussion in Famatech.
Profile
#12
Quote
Eugene Idzikovsky wrote:
Probably feature of limiting connections amount won't be implemented.

I think it would be a good idea to implement this. It's up to the people administering the server to decide whether reducing the number of concurrent users to 1 is acceptable (for example on the basis that log on locally is available). You could also enforce a inactive session timeout after so many minutes _if_ the number of concurrent users is set to 1. So after say, 15 minutes of inactivity Radmiin Server drops the connection and Locks or Logs Off the server.

It's just a question of additional flexibility. The more flexible the product is the more people will buy it. No-one would be forced to set a connection limit of one would they - it's a decision individual users would have to take responsibility for.

And maybe this also ties in with other discussions about protecting Radmin settings to stop _any_ user with a full connection changing the settings - the idea of another permissions level like "Radmin Admin smile:)" who _is_ allowed to change settings.
Profile
#13
Quote
Paul B wrote:
Quote
Eugene Idzikovsky wrote:
Probably feature of limiting connections amount won't be implemented.

I think it would be a good idea to implement this. It's up to the people administering the server to decide whether reducing the number of concurrent users to 1 is acceptable (for example on the basis that log on locally is available). You could also enforce a inactive session timeout after so many minutes _if_ the number of concurrent users is set to 1. So after say, 15 minutes of inactivity Radmiin Server drops the connection and Locks or Logs Off the server.

It's just a question of additional flexibility. The more flexible the product is the more people will buy it. No-one would be forced to set a connection limit of one would they - it's a decision individual users would have to take responsibility for.

And maybe this also ties in with other discussions about protecting Radmin settings to stop _any_ user with a full connection changing the settings - the idea of another permissions level like "Radmin Admin smile:)" who _is_ allowed to change settings.


Paul is right here. This is a feature we'd like to ensure that servers with the most sensitive and critical information aren't being worked on at the same time. You don't have to limit it by default but since this app only does console level access, it would help to give the users some ability to limit how many concurrent connections there are to whichever console at a certain time.
Profile
#14
I've discussed that with Dmitry Znosko. This wish will be reviewed before the release.
Profile
Pages: 1

Users browsing this topic
Number of guests: 2, registered members: 0, in total hidden: 0

Radmin 3.5

Windows 8 Compatible

DOWNLOAD

Free for 30 days

BUY NOW

Only $49 per lifetime license
for  50 PCs - $29.8 per remote PC
for 100 PCs - $24.9 per remote PC
for 150 PCs - $23.3 per remote PC
from 200 PCs - $22 per remote PC
Follow us on Twitter
Famatech Corporation Copyright © 1999-2014 Famatech. All rights reserved.