Data Center Security

  • 1.  DCS privilege de-escalation feature

    Posted Oct 06, 2015 07:19 AM

    Hi Guys,

    We are currently doing a POC for DCS and have bumped into a scenario where we are hoping to get your recommendations. The scenario is shown below:

    The customer wants to block the Administrator account from accessing the file server that is hardened by DCS using remote desktop. How can we block the Administrator account if they are using DHCP and AD? What policy would best fit this scenario?



  • 2.  RE: DCS privilege de-escalation feature
    Best Answer

    Posted Oct 06, 2015 09:36 AM

    Think more in terms of who you want to allow remote desktop access.  Then construct your policy around those users. 

    Suggestion: Place all allowed users into a distinct AD group rather than listing them individually.

    You'll want to control SESSENV.DLL. This is the remote desktop configuration service, and it will want to write to <user>\AppData\Local\Temp.

    Allow the write, then monitor the events for a while.  You will probably have to wildcard the path, but I'm not sure exactly where in the path you'll need to place the wildcard.

     

    Hope that helps!

    Will



  • 3.  RE: DCS privilege de-escalation feature

    Posted Oct 07, 2015 03:16 AM

    Thanks for the prompt reply.

    Your input is really helpful.

     

    Thanks again.



  • 4.  RE: DCS privilege de-escalation feature

    Posted Oct 07, 2015 02:35 PM

    You're very welcome.  Please feel free to reach out again if you need additional help.

     

    Best Regards

    Will



  • 5.  RE: DCS privilege de-escalation feature

    Posted Oct 07, 2015 03:30 PM

    Sure,

    Thanks again.



  • 6.  RE: DCS privilege de-escalation feature

    Posted Oct 09, 2015 04:40 AM

    Hi Will V,

    I tried the procedure you gave, but I can still remote into the client. Please see the attached screenshot.