Posted on 04-17-2015 12:37 PM
So I have some of my Freshmen class who have discovered a way to screen share and take control of other machines. Now this is starting to make the teachers unhappy and guess who gets the blame for it....
I am sure they are using the Shared on the left hand side of Finder and then looking through all the computers on the network. I need a way to end this and make sure they can no longer grab the access but I have a feeling that if I were to do so it would cancel the access with me as well. Which I am fine with because if there are issues I like to go speak face to face with them :P (which makes their day even happier!)
Any suggestions would be great in order to make their lives just a tad bit better when dealing with the IT guy!
Posted on 04-17-2015 01:39 PM
You can go into "Sharing" in System Preferences and change remote management to only allow access for specific users. Add the user you want to have remote access, which will prohibit anyone who isn't specifically allowed.
Posted on 04-17-2015 01:43 PM
If you want to script it you can use:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -users short,usernames,separated,by,commas -access -on -restart -agent -privs -all -allowAccessFor -specifiedUsers
To get the man page on kickstart run:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -h
Posted on 04-17-2015 01:58 PM
In case it's of interest, if the option for remote management is set to allow all users, any non-admin user (even AD users) can use Apple Remote Desktop to send unix commands as the root user. Anything from gaining access to other users' data to deleting the entire target hard drive is possible when the Macs are configured with that option.
Definitely worth switching to specified users only!
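An added example, not part of any post in this thread: a small audit script that reports whether a Mac still has Remote Management open to all users, the setting the posts above recommend changing. It assumes the setting is stored as the ARD_AllLocalUsers key in /Library/Preferences/com.apple.RemoteManagement; the function name and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report the Remote Management access mode.
# Assumption: the "all users" switch is the ARD_AllLocalUsers key in this domain.
PLIST=/Library/Preferences/com.apple.RemoteManagement

# classify_ard: reads `defaults read` style output on stdin and prints
#   all-users        -> every local user may connect (the risky setting)
#   specified-users  -> only explicitly listed users may connect
#   unknown          -> key not present in the input
classify_ard() {
    awk '
        # Match the key with or without quotes, but not ARD_AllLocalUsersPrivs.
        /ARD_AllLocalUsers"?[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)   # drop everything up to the "="
            sub(/;.*$/, "", v)            # drop the trailing ";"
            gsub(/"/, "", v)              # drop quotes around the value
            found = 1
            mode = (v == "1" || v == "true" || v == "YES") ? "all-users" : "specified-users"
        }
        END { print (found ? mode : "unknown") }
    '
}

# Constructed sample inputs (not captured from a real machine).
SAMPLE_OPEN='{
    "ARD_AllLocalUsersPrivs" = 255;
    "ARD_AllLocalUsers" = 1;
}'
SAMPLE_LOCKED='{
    ARD_AllLocalUsers = 0;
}'

# On a Mac, audit the live setting; elsewhere, show the result for a sample.
if command -v defaults >/dev/null 2>&1; then
    echo "this Mac: $(defaults read "$PLIST" 2>/dev/null | classify_ard)"
else
    echo "sample (constructed): $(printf '%s\n' "$SAMPLE_OPEN" | classify_ard)"
fi
```

Any Mac that reports all-users is a candidate for the kickstart command with -allowAccessFor -specifiedUsers shown earlier in the thread.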
Posted on 04-20-2015 08:28 PM
Posted on 04-21-2015 07:24 AM
Would simply changing the vnc port on the machines work?
Posted on 04-21-2015 09:02 AM
Why not set up Restricted Software items for both "Screen Sharing" and "Remote Desktop" and make sure to scope them to all student Macs. Be sure to use the restrict exact process name checkbox.
There's no reason they should need either of those applications to work on their systems. When someone remotely connects to a Mac over screen sharing, the Screen Sharing.app usually launches on their system (unless they have a copy of ARD and are using that instead). Blocking both of those should shut the applications down.
It should not interfere with your ability to remote control the Macs, I think. The process that kicks off in the background to control a screen is screensharingd if I'm not mistaken.
I would also go the measure of controlling who can control the screen through the kickstart options as mentioned above though.
Posted on 04-21-2015 12:41 PM
Hi there! I'm currently taking the CCT class in Los Angeles, and one of the first things we covered is using Recon to enroll a machine and set up a management account that is hidden from the login window and System Preferences.
You should use a hidden service account, such as casperadmin, set it as the "only" ssh account, and use a policy to block changes to the Sharing panel in System Preferences. This should stop 99% of your student shenanigans.
Posted on 04-21-2015 12:51 PM
Definitely a quick fix. You most likely already have a local account with administrative rights, and possibly one that is hidden as well. Make that account the only user set up in Remote Management. Deploy the script provided above via a policy scoped to your pranksters' Macs and you're done. Got to admit that is pretty funny though...
Hi Brad. Get back to your class.
Posted on 04-22-2015 06:46 AM
As has been pointed out, the ideal way to solve this is by controlling which users can and cannot do remote access and screen sharing. Obscuring the vulnerability does not close it, and you're dealing with children having an abundance of curiosity and time, so somebody will figure out how to address the machines directly.
Posted on 04-27-2015 10:13 AM
Yep. I'm in agreement with pretty much everything posted here so far. With that said, I hope that there is some form of disciplinary action for students caught doing this. While it may seem to be a fun joke now, it's a real good way to get fired in the future (Them, not you).