Additional administrative restriction - disable Generate session URL/code menu option

Advertisement

jo1515
Joined:
Posts:
3

Additional administrative restriction - disable Generate session URL/code menu option

Hello,

Is it possible to include the "Session > Generate session URL/code" menu option in the list of Administrative restrictions (https://winscp.net/eng/docs/administration#configuring).

And of course the result would be: after the required Reqistry change, the menu option would be disabled/greyed out.

Thank you!
J

Reply with quote

Advertisement

martin
Site Admin
martin avatar
Joined:
Posts:
36,051
Location:
Prague, Czechia

Re: Additional administrative restriction - disable Generate session URL/code menu option

Why do you want that?

Reply with quote

jo1515
Joined:
Posts:
3

Hi Martin,
some application users would prefer to use the "File > Custom commands", when connected with WinSCP, but the "Generate session URL/code" option does not allow us to use "Security > Remember password for duration of session", since they should not have direct access to the password itself.
These users do not use the "Generate session URL/code" option, so if we could disable this, we may eliminate one way of reading a managed password and think about mitigating others.

Thank you!
J

Reply with quote

martin
Site Admin
martin avatar

What do you mean by "does not allow us to use "Security > Remember password for duration of session""? What exactly are you trying to prevent? What does this have to do with Custom commands?

Reply with quote

jo1515
Joined:
Posts:
3

Hello,

Sorry for not being very clear:
1. since the "Generate session URL/code" menu option makes it easy for users to read the current password in use,
2. we cannot use the "Security > Remember password for duration of session" setting.
3. As a consequence, users cannot use the File > Custom commands when they right click on a file during a session.

So, in our case with this administrative restriction, we could maybe use the "Security > Remember password for duration of session" setting, because it blocks the "Generate session URL/code" menu option, making it somewhat harder for the end user to get hold of the current password.
But, they can use the right click and use File > Custom commands on a session without prompting for a password again (which they don't know, since it is managed).
Kind regards,
J

Reply with quote

Advertisement

martin
Site Admin
martin avatar
Joined:
Posts:
36,051
Location:
Prague, Czechia

But they would be able to do run a (local) custom command like this to get the password:
cmd /k echo !P

Reply with quote

Guest

Hi Martin,

indeed that would torpedo the whole thing.
(In this case WinSCP would run on a proxy as a Remoteapp and cmd could be controlled there, but it's probably not worth the effort, considering the users could use ssh and commands to achieve the same thing)
Thank you for your time!
J

Reply with quote

Advertisement

You can post new topics in this forum