Post a reply

Options
Add an Attachment

If you do not want to add an Attachment to your Post, please leave the Fields blank.

(maximum 10 MB; please compress large files; only common media, archive, text and programming file formats are allowed)

Options

Topic review

Guest

Hi Martin,

indeed that would torpedo the whole thing.
(In this case WinSCP would run on a proxy as a Remoteapp and cmd could be controlled there, but it's probably not worth the effort, considering the users could use ssh and commands to achieve the same thing)
Thank you for your time!
J
martin

But they would be able to do run a (local) custom command like this to get the password:
cmd /k echo !P
jo1515

Hello,

Sorry for not being very clear:
1. since the "Generate session URL/code" menu option makes it easy for users to read the current password in use,
2. we cannot use the "Security > Remember password for duration of session" setting.
3. As a consequence, users cannot use the File > Custom commands when they right click on a file during a session.

So, in our case with this administrative restriction, we could maybe use the "Security > Remember password for duration of session" setting, because it blocks the "Generate session URL/code" menu option, making it somewhat harder for the end user to get hold of the current password.
But, they can use the right click and use File > Custom commands on a session without prompting for a password again (which they don't know, since it is managed).
Kind regards,
J
martin

What do you mean by "does not allow us to use "Security > Remember password for duration of session""? What exactly are you trying to prevent? What does this have to do with Custom commands?
jo1515

Hi Martin,
some application users would prefer to use the "File > Custom commands", when connected with WinSCP, but the "Generate session URL/code" option does not allow us to use "Security > Remember password for duration of session", since they should not have direct access to the password itself.
These users do not use the "Generate session URL/code" option, so if we could disable this, we may eliminate one way of reading a managed password and think about mitigating others.

Thank you!
J
martin

Re: Additional administrative restriction - disable Generate session URL/code menu option

Why do you want that?
jo1515

Additional administrative restriction - disable Generate session URL/code menu option

Hello,

Is it possible to include the "Session > Generate session URL/code" menu option in the list of Administrative restrictions (https://winscp.net/eng/docs/administration#configuring).

And of course the result would be: after the required Reqistry change, the menu option would be disabled/greyed out.

Thank you!
J