Welche Berechtigungen benötige ich im Umgang mit Dameware?
Dies ist ein kleines Handout aus den USA für den Umgang mit Dameware:
The Mini Remote Control program currently offers four authentication methods, three of which are integrated into the Operating System's built-in security. For your reference, the following information is from the internal help files (accessible by opening the MRC program and clicking on the blue “?” at the top right of the toolbar).
Proprietary Challenge Response:
This authentication method allows you to manually enter a username and password in the remote machine's DMRC client agent properties to allow access with the Mini Remote Control. The username and password are stored in an encrypted format in the registry of the remote machine.
Windows NT Challenge/Response:
This authentication method uses the Operating Systems built in security for authentication to gain access to a remote machine with the DMRC. This option allows you to use the DMRC's group options as well as NT Challenge / Response pass-through.
Encrypted Windows Logon:
The Encrypted Windows Logon is similar to the Windows NT Challenge / Response authentication method except that the Encrypted Windows Logon sends the username and password to the remote machine in an encrypted format. This authentication method is designed for primarily for situations were NT Challenge/Response authentication will not work or when Windows NT Challenge Response fails.
Smart Card Logon (version 5.5 and above):
DameWare's Mini Remote Control software now has the ability to access remote machines via Smart Card and interactively enter the PIN to login, just as if you physically walked up to the console of the remote machine. DameWare Development's Remote Smart Card Authentication and Interactive Smart Card Login functionality also does not require any Middleware, and it also does not require a Smart Card reader on the remote machine.
Local Administrator rights are required on the remote machine to install, remove, start, stop, or upgrade/downgrade the Mini Remote Control (MRC) Client Agent Service. However, Administrator rights are not required to simply make a connection provided the MRC Client Agent Service is already installed and running on the remote machine. Please also keep in mind that the DMRC program always authenticates locally to the remote machine. Even if the Mini Remote Client Agent Service is already installed on the remote machine, you must be able to authenticate locally to that machine (i.e. Login at the console using the supplied credentials). If a user does not have sufficient rights to log into a machine if he or she were physically at the machine, he or she will not be able to log into that machine using our software either. The credentials must be a member of one of the following groups on the remote machine:
- Power Users
- Server Operators
- Account Operators
- Backup Operators
- Print Operators
Our software allows you to connect over a LAN or the internet, even without VPN. You can connect through firewalls/routers as long as there is TCP connectivity between the two machines. The DameWare Mini Remote Control program can connect to remote machines that are members of a WorkGroup, members of a Domain, or stand-alone machines as long as there is TCP connectivity between the machines. As you may know, version 7 also has support for IPv6 as well and some new features to make this type of connection more feasible.
The way it works with DameWare's Mini Remote Control (MRC) is different than other remote control software which involves installing some type of ActiveX control and then connecting to a web-server out on the Internet. Our software establishes a straight TCP connection from the local machine to the remote machine. So, if the MRC client agent service is already installed and running on the remote machine, you will need to configure the firewall to allow the TCP connection on the one designated TCP port on which the service is installed and running.
You can also use features such as the Reverse connection from the MRC client agent service on the remote machines, setup a proxy machine on the remote LAN, or even create an IPv6 Invitation which is part of the new IPv6 features in version 7.x.
Let me explain the Permission Required behavior as of 6.9 and hopefully help you out (you can reference the article linked to below for more information):
Permission Required, Waiting for Client to Accept Connection, and Non-Administrator Mode
The “Permission Required” behavior depends on the level of rights within the O/S security that the person trying to connect has. It has to do with your level of rights within the Operating System security on the remote machine (i.e. Administrator vs. Non-Administrator), the desktop state, and the two permission required settings. If you do not have Administrator rights (Non-Administrators), the settings on the Access tab of the MRC client agent service must be considered, not the setting on the Additional Settings tab. Within the Client Agent Service, in the Access tab, you will find the following settings: "Permission Required for these Account Types," "Disconnect if at Logon Desktop," and "View only for these account types." These are options for when non-Administrators attempt to connect to a remote machine.
When you attempt to connect to a remote machine and it is not at the Logon Desktop or Lock screen, hence a user is currently logged into the desktop, if "Permission Required for these Account Types" is enabled, then the currently logged on user will be prompted to Allow or Deny the non-Administrator's connection attempt. If it is not enabled, the Non-Administrator will be allowed to connect without permission in "Non-Administrator Mode." One thing to note is that if the "Permission Required" setting is enabled on the "Additional Settings" tab, it will override the "Permission Required for these Account Types" setting and prompt every connection attempt for permission. This specific functionality (i.e. Non-Admin mode) was implemented back in 6.9, the current version is 18.104.22.168.
Lastly, keep in mind that Administrators can modify the settings of the MRC client agent service and remove/install the service with different settings. Administrator is the highest level of rights within the O/S security and our software does not increase or decrease a user's level of rights.