13 Replies Latest reply on Aug 8, 2008 8:26 AM by phoffmann

    Shutdown & Manage Local Users and Groups privileges
      We're running LANDesk v8.8 and 8.8 SP1 across a series of cores and we've discovered the ability to perform at least two tasks that have serious security consequences.


      1. Shutdown privilege


      It appears that if any (admin or non-admin) LANDesk user logs into the 32-bit console and can see a computer, they can shut this computer down. Even if you have removed the Remote Control rights, if you can see the machine in your scope you have the Shutdown and Reboot option available when you right-click a machine.


      We have created an agent that removes all modules (Remote Control, Custom Forms, Software Distribution & Profile Migration) leaving inventory only and deployed this to a server. We then had a user who was not an admin over the server, but could see the server in their scope successfully shut the server down. In their permissions they had Software Dist, Patch Mgmt and Remote Control rights - but since these options had been removed from the agent how is it possible they can perform such a significant task as being able to shutdown a server?


      We have a number of cases where we want to grant some individuals the ability to query inventory information for all machines in a defined scope, but if granting someone the ability to 'see' a machine in LANDesk also grants them the ability to shut it down then this is a serious security risk.


      Is it possible to disable this feature? Is it maybe a permission that is set somewhere that we haven't noticed? Is this by design and if so why? I can see the point of someone requiring the ability to perform this function but it shouldn't be available carte blanche to every single person who has visibility over the server!


      I'm aware that I can scope-out machines to remove rights to stop people doing this, but we have a requirement for some people to see all machines to track HW and SW inventory; therefore they need to see all machines.


      Why present the option to remove the Remote Control module and the Reboot option from within here, when it's possible to do this task with no user interaction/confirmation direct from the console?


      I need to know if this is a bug or feature or if anyone else has experienced this as in my opinion it is a major security problem.


      2. Manage Local Users and Groups


      In a similar scenario to the Shutdown privilege, it is possible, if a user is a LANDesk admin, regardless of their rights over a machine, to create a local user on a machine, make this user an admin and then use it to log on to that server. This only applies to LANDesk admins and it could be argued that if a person is a LANDesk admin they are 'trusted' or should have the ability to perform this task.


      This isn't always the case and we've specifically designed an agent for servers removing the ability to patch, remote control, etc as we just want inventory over a server. It appears that despite locking away the rights to stop deployment and remote control it is possible for a LANDesk admin to create themselves an account and use it to log onto a server with admin rights, even though they should not have admin rights over this server.


      We have a couple of scenarios where we have LANDesk admins but do not want them to perform this task as it could lead to a security breach. Why should a LANDesk admin be able to perform this role and what benefit does it bring? If a user is already an admin over that machine (or a domain admin) they can create user accounts, but using the Local System privileges of LANDesk to create admin user accounts (albeit local accounts) could be perceived as a back door into the system.


      We want inventory for all machines and the ability to track assets using LANDesk, but we don't want all these elevated rights that you seem to receive when you drop an agent on a machine.


      I need to know again if this is a bug or feature and how it's possible to remove these options without making the installation non-standard or non-supported.



        • 1. Re: Shutdown & Manage Local Users and Groups privileges
          MarXtar ITSMMVPGroup
          Can't check in a console right now if there is a specific privilege setting, so will trust your testing.



          For power off/shutdown, you can simply remove the file poweroff.exe on the client system. I believe that is what is being called to perform the action and it will fail without it.



          For the LANDesk Admin side, you MUST trust your LANDesk Admin.  There are SO many ways they could get around turning this feature off anyway since they have the ability to perform any kind of remote task through software distribution.  This is simply by design.  Perhaps you should consider the inventory only configuration discussed in a previous post.  That way there is no active management agent on the box, it only sends inventory.



          Mark Star - http://www.marxtar.com



          Home of Power State Notifier & Wake-On-WAN for LANDesk

          • 2. Re: Shutdown & Manage Local Users and Groups privileges
            zman Master
            1. I believe the Reboot option (Right Click on main device - first option not under remote control) is linked to the Remote Control right.  So removing the Remote Control privilege will remove this option. Simply removing the reboot option under remote control does not remove this function. Seems odd. Maybe Paul and others have a way to disable this without removing the ability to remote control. Be very careful about removing the poweroff util since any SWD packages that need a reboot will not reboot. So it sounds like your agent config does not include remote control? If this is the case, then just remove the RC privilege and you should be golden.

            2. Agree with Mark. Comes down to trust. I look at the Console as a gun. Yes you can give a gun to somebody without any bullets and think you are safe, however, they can go to any gun store and buy ammo. Gun locks can be bypassed. Just like a gun, you should never be relaxed/thoughtless while using it or giving it out.

            • 3. Re: Shutdown & Manage Local Users and Groups privileges
              phoffmann SupportEmployee

              So ...


              ... I don't think this can be disabled easily. I seem to recall an ER being logged for this some time ago - open a support ticket and get yourself added/submit the enhancement request.


              You can rename/delete POWEROFF.EXE yes (which is what I usually recommend in this sort of situation) - but your problem is that you break other things (guess what we call if you require a remote reboot?). Bit of a double-edged sword - you may end up with a lot more custom-scripting.


              And I absolutely agree with Zman + Mark's statements ... the notion to try and restrict a LANDesk admin is somewhat humorous. As long as they're a LANDesk admin they can just change scopes/permissions for themselves to a way in which they like, and that's that.


              Be restrictive to people whom you give that right to - it's the "big key", and trying to lock down admins who are out to get stuff done (such as rebooting a device) isn't going to stop them from doing it (there's many different ways to accomplish a task after all). So trust is what it comes down to (and let's face it - most of us have better things to do than coming up with ways to screw this or that over) :).


              If you have specific requirements you'd like to see in the suite - even for RBA - feel free to log them as enhancement requests. RBA is a scalpel and it's a difficult line to walk between keeping it simple enough (so that people don't trip over it) and at the same time keeping it complex enough to give people the right permissions for their job.


              It's a balance we're still working to master, even though we've had RBA for years now. The problem is not in being able to deny everything - LANDesk usually does things well because it does pretty complex things and makes the control thereof reasonably simple. RBA is one of the trickier things to balance in this regard :).


              Paul Hoffmann

              LANDesk EMEA Technical Lead.

              • 4. Re: Shutdown & Manage Local Users and Groups privileges
                zman Master
                On my test core if I remove the Remote Control Privilege on the user the Reboot  option is grayed out (8.8 SP1).  I would test this and see if you have the same results since this is my test core.  So this may be an option for him. Agree put in an ER to uncouple this from Remote Control.



                • 5. Re: Shutdown & Manage Local Users and Groups privileges

                  Firstly, thanks everyone for their responses - very prompt and useful as always


                  Maybe I need to create a little more empathy around the situation we're in. I can see the points raised, but to me and when I've explained them to some people in our organisation we see them as serious security risks. Maybe it's just the size of company and the complexity, but let me explain:


                  Shutdown: OK - so I can rename/disable the poweroff.exe file. No problem, apart from I'd be creating a non-std install for one. Two - How do I do this on all the agents where I have disabled software distribution? I disabled it on the server agents for a reason as I just wanted inventory - I didn't intend on going back and renaming .exe files.


                  What I can't understand is why would a standard user who just has inventory visibility over a series of machines need the right to shutdown a machine? If I wanted them to have this right I'd have enabled the Remote Control agent and granted the user the ability to do that. To present a user who has no rights other than to see inventory the ability to shutdown a machine (or in fact all machines in their scope) could create massive problems. Yes we trust our support staff, but if we trusted everyone 'that' much we'd just give everyone including all our users Enterprise Admin rights - you don't do it because you need to restrict control.


                  An ER isn't helping me here as the risk exists from today - I'm very interested to know why it was considered a requirement in the product in the first place?


                  Maybe we're the only ones worried that a Level 1 support person who just needs to check a serial number every now and then has the ability to shut down 500 machines!!


                  User and Groups and LANDesk Admin: While I can see that my comment probably is 'humorous' I am in fact very serious. Just because a user is a LANDesk admin; if we've designed the solution so an agent is only meant to report inventory - the ability for the admin to create a back door account into a server is very dangerous.


                  I'm not sure about other companies, but LANDesk shouldn't assume that a LANDesk administrator will always be a Domain Administrator.


                  Here is a scenario:


                  We have a number of machines that have been installed in a managed 3rd party data centre. We don't have admin access to these servers but have visibility of them. We want LANDesk's inventory and Software Licence management functionality so we can get a holistic view of our environment, however by getting this view we're effectively gaining complete control over these systems which could mean we're in breach of our contract with this managed company. So what do we do?


                  Do we have a situation where we have full control over a system that we shouldn't have full control of or do we ignore these machines and disregard them from our license and inventory management tool which is LANDesk. If we can't rely on our global asset management solution to have global coverage then what's the point in having it at all?


                  My point is: If we just want inventory, it means we just want inventory. No hacks, no non-standard configs, no having to trust and ensure someone 'might' not click the reboot button or create an admin account - we just want inventory.


                  My question is: why would a LANDesk admin need to use LANDesk to create a local admin user on a box? If they're a domain admin or already an admin over that server then it's fine - but like I said before don't assume this to be the case. I'm sure we can trust our staff and no one is going to cause a problem as we've said there are better ways to destroy a network then using LANDesk as the medium. I would just feel a great deal more comfortable if I could control what people could and couldn't do on the system and not effectively promote someone to Domain Admin status just by making them an admin of our LANDesk estate.


                  It seems that so much functionality has been built into the product that it has clouded and removed the boundaries between what abilities can be performed. If I just want a user to Remote Control to a machine and reboot it then just give me these options - don't present me with another Shutdown option on another context menu that can't be disabled and I can't control without hacking the system.


                  For me the biggest risk is the Shutdown option, which I don't believe should be available at all. The User and Group Management we can control, but I still stand by my comments.

                  • 6. Re: Shutdown & Manage Local Users and Groups privileges
                    MarXtar ITSMMVPGroup
                    Regarding your users and groups comments and the security.  With due respect, what you are doing is failing to recognise what LANDesk is.  If you make someone an administrator of it, in essence you are giving them greater responsibility and power than a Domain or Enterprise Administrator could ever have.  The system has the potential to exert complete control over your entire environment in any number of ways.  You have to stop thinking that a LANDesk Administrator is not the same level as that of a domain administrator; in fact most organisations will have far more domain admins than LANDesk Admins.



                    Recognise LANDesk for what it really is and what it can do.  If you don't think a LANDesk administrator should have these rights then please explain how you expect them to do their job when that must entail having the ability to perform almost any kind of change to any kind of system.  In order to keep their client agents up to date they have to possess the ability to make remote changes to servers.  It is an important and very responsible position so don't underestimate it.



                    With regard to the user and group function, blame the number of customers that backed the ER to put this functionality in.



                    Mark Star - http://www.marxtar.com



                    Home of Power State Notifier & Wake-On-WAN for LANDesk
                    • 7. Re: Shutdown & Manage Local Users and Groups privileges



                      I have done this also (disabling the Remote Control option on the agent and removing rights) and yes the option to Reboot is greyed-out, but I can still shut a machine down from the main menu - see attached screenshot. This is where I see a contradiction and a huge risk that someone who has had the rights to Remote Control can shut any machine down they can see.


                      I've tried a couple of scenarios here - the only way I've found to stop a Shutdown from occurring is to completely remove the Remote Control rights from a user.


                      If you just disable the Reboot command the option is greyed out in the Remote Control sub-menu but the Shutdown option in the main menu still exists. If you remove Remote Control rights entirely then all options are greyed out in both the main menu and the Remote Control sub-menu. I also tried disabling Execute Programs, but that didn't make any difference either.


                      In summary it seems if a user has Remote Control rights they have the ability to shut a machine down without prompting or gaining the permission from the user regardless of whether the Remote Control module of the agent is installed or not.


                      So for users that just need inventory I can stop them, but our staff that need to Remote Control machines and have the rights can shutdown any machine - this is what we need to find a fix for.
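The behaviour reported in this reply (Shutdown follows the Remote Control right on the console user, not the Reboot sub-option, the Execute Programs right, or whether the agent even has the Remote Control module) can be encoded as an effective-rights check. This is an added example, not anything from the thread or from LANDesk itself; the user/machine records, the right names and the `intended_role` field are constructed assumptions, and the only client-side stop it models is the missing poweroff.exe workaround mentioned earlier in the thread.

```python
from dataclasses import dataclass

@dataclass
class ConsoleUser:
    name: str
    rights: set          # console rights, e.g. {"remote_control", "reboot"} (constructed names)
    scope: set           # machine names this user can see in their scope
    intended_role: str   # "inventory" (should only read inventory) or "support"

@dataclass
class Machine:
    name: str
    agent_modules: set            # modules left in the agent config, e.g. {"inventory"}
    poweroff_exe_present: bool    # whether the client still has poweroff.exe

def can_shutdown(user: ConsoleUser, machine: Machine) -> bool:
    """Rule as observed in the thread on 8.8 SP1:
    - the machine must be in the user's scope;
    - the main-menu Shutdown is enabled only by the Remote Control right
      (the Reboot sub-right and Execute Programs make no difference, and the
      agent's installed modules are not consulted at all);
    - the action still fails on the client if poweroff.exe has been removed."""
    if machine.name not in user.scope:
        return False
    if "remote_control" not in user.rights:
        return False
    return machine.poweroff_exe_present

def shutdown_exposure(users, machines):
    """Map each console user to the machines they could shut down, and flag
    users who were meant to be inventory-only but still have that reach."""
    report = {}
    for u in users:
        reach = sorted(m.name for m in machines if can_shutdown(u, m))
        report[u.name] = {
            "machines": reach,
            "over_privileged": u.intended_role == "inventory" and bool(reach),
        }
    return report

def sample_report():
    # Constructed sample data mirroring the scenarios in the thread.
    machines = [
        Machine("srv01", {"inventory"}, True),                  # inventory-only agent
        Machine("srv02", {"inventory"}, False),                 # poweroff.exe renamed
        Machine("ws01", {"inventory", "remote_control", "swd"}, True),
    ]
    users = [
        # original poster's tester: inventory role but holds SWD/Patch/RC rights
        ConsoleUser("alice", {"remote_control", "software_dist", "patch_mgmt"},
                    {"srv01", "srv02", "ws01"}, "inventory"),
        ConsoleUser("bob", {"inventory"}, {"srv01", "ws01"}, "inventory"),
        # support user with RC right but Reboot sub-option and Execute Programs removed
        ConsoleUser("carol", {"remote_control"}, {"ws01", "srv02"}, "support"),
    ]
    return shutdown_exposure(users, machines)
```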

                      • 8. Re: Shutdown & Manage Local Users and Groups privileges

                        I'm not really seeing where Aperry's users need to be LANDesk admins as opposed to LANDesk users... However, the ER to tie reboot rights to remote control rights is still required, and IMHO should be a sustaining bug fix.

                        • 9. Re: Shutdown & Manage Local Users and Groups privileges
                          zman Master

                          Agreed, although not applicable in my environment, they should be decoupled - Remote Control and Reboot.  And while we are on the subject of rights, how about some auditing capabilities. So even if the user has the rights to complete a LANDesk function, it is logged somewhere!!!!!!!!!!

                          • 10. Re: Shutdown & Manage Local Users and Groups privileges



                            I acknowledge and appreciate what you're saying. I know we're giving LANDesk admins a lot of power; the situation I'm in here is that we want to control the power. I would expect something such as a limited 'Inventory only' agent that would just report on the HW and SW assets of a machine. Instead the only option I have is a restricted agent that can still grant complete control over the machine on which it resides - this isn't a good option for us at all.


                            If you take my case in hand (with the 3rd party managed servers) you will see we do have such a requirement for pure visibility with no control whatsoever. We have other reasons too (but this is the main problem area for us).


                            I've raised threads and questions on inventory-only agents but it seems no such option exists out of the box and without doing a serious amount of hacking around with .ini files.


                            Like I said we 'can' control this, I'm just a little concerned that an Agent can't have specific roles removed without heavy amounts of tinkering at the risk of removing other features or de-stabilising the agent.

                            • 11. Re: Shutdown & Manage Local Users and Groups privileges
                              phoffmann SupportEmployee

                              Since I have a very limited time atm, I'm going to keep this short to just address one point. But good points being made by all involved - good good :). (Trying to deal with as many things as possible before I rush off for 2 weeks of much deserved hols.)


                              Q: How do you run anything on a client with no software distribution?


                              A: Custom Scripts.


                              Custom scripts don't go through SDCLIENT, they go through the common base agent, which is on every workstation. So you just write a custom script which renames the executable. You can't schedule this as a policy, but you can just schedule it as a repeating task.


                              Paul Hoffmann

                              LANDesk EMEA Technical Lead.

                              • 12. Re: Shutdown & Manage Local Users and Groups privileges

                                Paul - Have a good holiday... You deserve it I'm sure


                                We'll have all this cleared up by the time you're back I'm sure... No dialling in or sat in cyber-cafes checking the forum for you though I hope



                                • 13. Re: Shutdown & Manage Local Users and Groups privileges
                                  phoffmann SupportEmployee

                                  chuckles - hardly.


                                  Holidays means "no work" in my book. What others do is their business. For my part, I'm going to be doing decidedly non-IT things.