Logon issue

anonymous_wm

Logon issue

Postby anonymous_wm » Wed Feb 09, 2011 4:43 pm

We have installed the demo on three machines in a domain environment. Initially this seemed to work fine but upon next login none of the user accounts where WinMessenger was installed could login. "local policy will not allow you to log on interactively" is displayed on XP machines and a similar message on Win7. Other users can still login on these machines and the users affected can log onto other PC’s.

Somehow installing the program has edited local user policy that prevents logon? This can be undone in gpedit but it is not something we would wish to do on every machine.

User avatar
vypress
Posts: 66
Joined: Mon Dec 01, 2008 7:02 pm
Contact:

Re: Logon issue

Postby vypress » Wed Feb 09, 2011 4:45 pm

The problem has occurred because of you had specified an interactive user (your) account for using by the WinMessenger Service on step "Service Setup" of the installation wizard.
A user account credentials that are asked on mentioned installation step are used for impersonation by the WinMessenger Service to log on to your Microsoft Windows Network to list computers that are also joined to your network.
The WinMessenger installer assigns only minimum necessary rights for specified user to avoid any possible hackers’ attacks from a network. Because this account is impersonated by the service you must not to provide an interactive user account here to avoid any possible access to user’s personal documents and files. Notice that a service is running even if a user is not logged in so a malicious software can hypothetically use possible leaks of security in the service to access to user’s documents. The installer also denies several permissions for accounts that are used by the WinMessenger service because of reasons above.
Normally the installer creates a new weak user account on a local machine (option 1), the option 3 is intended for computer networks with domains to avoid creation of many weak user accounts in a domain. One account can be used for all computers in the domain.
I agree that there are not enough documentation about this topic yet. I confess that there is a problem in case of specifying an interactive user account on this installation step and we will make all necessary changes in future versions of WinMessenger to resolve it.
wm_service_setup.jpg
wm_service_setup.jpg (58.01 KiB) Viewed 5380 times

User avatar
vypress
Posts: 66
Joined: Mon Dec 01, 2008 7:02 pm
Contact:

Re: Logon issue

Postby vypress » Wed Feb 09, 2011 5:05 pm

To help you to fully restore your PC I list policy settings that may be changed by the WinMessenger installer:
Log on as a service
Deny logon as a batch job
Deny logon locally
Deny access to this computer from the network
Deny logon through Terminal Services

User avatar
vypress
Posts: 66
Joined: Mon Dec 01, 2008 7:02 pm
Contact:

Re: Logon issue

Postby vypress » Fri Apr 29, 2011 3:27 pm

We replaced the installation package today with a new one where this excessive security feature is removed.
Only one rigth "Log on as a service" is added to specified existing user account now.


Return to “WinMessenger”

Who is online

Users browsing this forum: No registered users and 2 guests