Remote Administration

Introduction

NTUtils programs may be run on the local machine, or they may be run against a remote machine. The remote machine does not require NTUtils to already exist on that machine.

When using NTUtils programs for remote administration, the machine on which the command is invoked is called the source computer, and the machine on which the command is executed is called the target computer. The source computer will copy the NTUtils program to the target computer and remotely invoke it.

Common Options

For consistency, all NTUtils programs accept the same options for remote administration:

-c [ --computer ] arg
-u [ --username ] arg
-p [ --password ] [arg]

• computer - Specifies the target computer, by name or IP address
• username - Specifies the user name used to log into the target computer; this may be a simple username or a DOMAIN\USER string
• password - Specifies the password to use to log into the target computer; if the optional argument is not provided, the NTUtils program will prompt for a password

If no user name or password is specified, the NTUtils program will attempt to log in using the default credentials. If a user name but no password is specified, the NTUtils program will attempt to log in using the default password associated with that user name.

The username and password should be for an account in the Administrators group. To be precisely correct, this is not actually required, but they do have to be for an account that allows network logins and installation and control of services - which by default is only the members of the Administrators group.

Security Note: Be aware that specifying a password on the command line makes it available to be easily seen by other programs.

Requirements

The source computer may be running any NT-based OS.

The target computer has more complicated OS requirements: it may be running Windows NT 4, Windows 2000, or Windows 2003 Server. The target computer may not be running Windows XP Home. The target computer may be running Windows XP Professional if that computer is either a member of a domain or has turned off "simple file sharing".

Remote administration becomes complicated with Windows XP because of simple file sharing. Simple file sharing means that every user logging into that machine (via Windows Networking) over the network only receives Guest authentication instead of their actual user authentication. Since Guest users cannot run arbitrary programs remotely, NTUtils programs will fail. This "feature" is enabled by default in Windows XP Professional and cannot be disabled at all in Windows XP Home.

Networks and Network Logons

In Windows networks, a user is only supposed to log onto a remote machine once. The logon creates a network session, and then network connections are established using that session. (In reality, it is possible to have two network sessions to the remote computer if you use the computer name for one session and the computer IP address for the other). Creating a network connection with a different username than an existing session will result in an error.

A user may initiate a network session with a remote computer by establishing a network connection to the IPC$ share. This can be done with the command line net use \\COMPUTER_NAME (remember to escape the backslashes if you're using the Cygwin shell). The net use program will prompt for a username and password if necessary. NTUtils programs will recognize pre-existing network connections; the following bullet points define the behavior of NTUtils programs in every network connection scenario:

• If there are no network connections to the target computer, the NTUtils program will create one using the IPC$ share. This network connection is deleted when the NTUtils program exits. If specified, the NTUtils program will use the --username and --password options to authenticate the network connection (prompting for the password if it is not supplied as an argument). If the username and password are not specified, the NTUtils program will authenticate the network connection using the currently logged-on user's username and password.
• If there is an existing network connection to the target computer's IPC$ share:
  • If the --username option is specified (and the username option is different than the username for the existing network connection), the NTUtils program will output a warning, e.g., Warning: Already logged on to COMPUTER_NAME as EXISTING_CONNECTION_USERNAME; ignoring request to log on as USERNAME_OPTION_VALUE, and will proceed using the existing network connection. The network connection is not deleted when the NTUtils program exits. In this case, any --username and --password options are ignored.
  • Otherwise, the NTUtils program will silently use the existing network connection. The network connection is not deleted when the NTUtils program exits.
• If there is an existing network connection to the target computer, but not to the IPC$ share (for example, a mapped network drive):
  • If the --username option is not specified (or it is the same as the username for the existing network connection), the NTUtils program uses the authentication for the existing network connection. In this case, the NTUtils program will create a network connection to the IPC$ share. This network connection (but not the already existing network connection) is deleted when the NTUtils program exits. The --password option does not have to be specified in this case, since the user already has a connection to the remote computer.
  • Otherwise, there is a mismatch between the username for an existing network connection and the username specified as an option. The NTUtils program will proceed and attempt to create a network connection to the IPC$ share, but this will fail with an error message, e.g., Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed.

This predictable behavior of NTUtils programs allows for two common remote administration strategies:

• Independent usage - where there are no persistent network logons. Each NTUtils program will create its own network connection when it is invoked, using username and password information independently.
• Common logons - allowing an administrator to log on to multiple machines (using the net use command). Each NTUtils program will use the existing logons and only requires a --computer option to specify the remote computer.

How It Works

When an NTUtils program is instructed to run against a target computer, it will perform the following steps in order to execute remotely:

1. Log in to the target computer, if necessary. Specifically, use Windows Networking to add a non-redirected network connection to \\computer\IPC$. IPC$ is a standard Windows share used for network logins.
2. Copy the NTUtils program to the target computer. Specifically, do a normal CopyFile to \\computer\ADMIN$, renaming the file slightly. ADMIN$ is another standard Windows share that points to the base Windows directory, e.g., c:\windows or d:\winnt. The file name is not exactly the same to avoid conflicts in case a user has placed the NTUtils program in their Windows directory (which is not a recommended practice, BTW).
3. Install the NTUtils program on the target computer as a service, and start it. This is done using the remote administration capabilities of the Service Manager API.
4. The NTUtils program, when running as a service, will create a named pipe and wait for a connection.
5. The NTUtils program on the source machine will connect to that named pipe and send the commands.
6. The target NTUtils program performs the requested action, and reports any results back to the source NTUtils program.
7. The source NTUtils program prints the results of the remote action.
8. Cleanup, of course. Uninstallation of the service and deletion of the file on the target machine, and cancelling the network connection to \\computer\IPC$.

When It Messes Up

It is possible that some part of the NTUtils program will not properly operate when running remotely. However, all of the remote administration support code is designed to automatically recover from such failures or crashes. When an NTUtils program detects an improper pre-existing state, it will output a warning and continue; for example, when installing the service on the target machine, if the service is already installed, the NTUtils program will output a warning and then continue as though it had installed it (attempting to uninstall it when complete).

Possible causes for this type of failure include manual intervention, network errors, and multiple operators running the same NTUtils program remotely against the same target computer at one time. In this latter case, probably only one of the operators will see any warning or error messages, and there would be no lingering effects after both programs complete. It is possible in this situation that one of the programs will fail.

Security

All passwords are sent only to the Windows Networking (WNet) API; they are not sent in cleartext over the network connection.

The NTUtils program's commands and responses are sent in cleartext. This may be changed in a future version.

Impersonation is used by the named pipe server, to ensure that no other program connecting to that named pipe may use it for a malicious purpose.