Logo
programming4us
programming4us
programming4us
programming4us
Home
programming4us
XP
programming4us
Windows Vista
programming4us
Windows 7
programming4us
Windows Azure
programming4us
Windows Server
programming4us
Windows Phone
 
Windows Vista

Maintaining Desktop Health : Using Task Scheduler (part 2) - Task Scheduler Security, Task Scheduler User Interface

- Windows 10 Product Activation Keys Free 2019 (All Versions)
- How To Bypass Torrent Connection Blocking By Your ISP
- How To Install Actual Facebook App On Kindle Fire
4/22/2013 5:37:09 PM

4. Task Scheduler Security

In the Windows Vista Task Scheduler, security is vastly improved. Task Scheduler supports a security isolation model in which each set of tasks running in a specific security context starts in a separate session. Tasks executed for different users are launched in separate window sessions, in complete isolation from one other and from tasks running in the machine (system) context. Passwords are stored (when needed) with the Credentials Manager (CredMan) service. Using CredMan prevents malware from retrieving the stored password, tightening security further.

In Windows Vista, the burden of credentials management in Task Scheduler is lessened. Credentials are no longer stored locally for the majority of scenarios, so tasks do not “break” when a password changes. Administrators can configure security services such as S4U and CredMan, depending on whether the task requires remote or local resources. S4U relieves the need to store passwords locally on the computer, and CredMan, though it requires that passwords be updated once per computer, automatically updates all scheduled tasks configured to run for the specific user with the new password.

Credentials Management

The Credentials Manager stores the target/credentials pair locally in the user profile CredMan store. Upon registration, Task Scheduler impersonates the user and stores the target/credentials pair. This process is also used to access resources that require non-Windows credentials. The Credentials Manager also manages credentials for service accounts and extends credentials handling for computer accounts.

User Security

You can locally and remotely activate tasks and run them on behalf of a user who is not logged on. Credentials on distributed tasks can be updated when credentials are changed in the authentication authority. User security has been extended to function in a non-Microsoft Active Directory environment across forests and across firewalls. These features allow tasks to be launched even if the task accesses a resource that requires non-Windows credentials.

Security Concepts

Task Scheduler uses standard Windows security functions provided by Service for Users (S4U). Upon registration, Task Scheduler authenticates credentials as a trusted service and stores identity only in a domain\user name format. Upon execution, S4U provides restricted token access based on the identity provided by Task Scheduler. S4U2Self implements the same functions as S4U for workgroups, stand-alone computers, and computers that belong to a domain but are not currently connected to that domain.

Note

For more information about S4U, see RFC 1510: The Kerberos Network Authentication Service (V5) at http://www.ietf.org/rfc/rfc1510.txt.


Securing Running Tasks

Task Scheduler supports an isolation model in which each set of tasks running in specific security context are launched in separate Desktops. The execution defined and launched by the trigger is handled by engines running in transient processes in a user or computer context. Tasks can be launched in a system account context, such as LocalSystem, LocalService, or NetworkService, or in a specified user account context. Tasks launched in a system account context will always run non-interactively in Session 0.

The CreateProcess function used to create tasks ensures that any Winstation created in a user context will run in a different session than Session 0. By default, all Winstations will be created in the same session.

Registration Permissions Matrix

The Task Scheduler service adheres to the following task registration permissions rules:

  • Any user can schedule any task for himself or herself.

  • Any user can schedule any task for anyone whose password they supply at registration.

  • An administrator or system account can schedule tasks for other users or security groups without supplying a password, with the following restrictions:

    • Only with the Run Only If Logged On flag set, which is similar to a logon script and consistent with current behavior

    • Only running in interactive mode

  • Tasks scheduled with RunOnlyIfUserLoggedon with no password will run only in interactive mode.

  • Tasks scheduled to run in system contexts such as LocalSystem, LocalService, or NetworkService will not run in interactive mode.

5. AT and Task Scheduler v1.0 Compatibility Modes

Task Scheduler provides two backward-compatibility modes:

  • AT Compatibility Mode Tasks registered through AT.exe are visible and can be modified by the Task Scheduler v1.0 GUI and the Task Scheduler command-line utility SchTasks.exe.

  • Task Scheduler v1.0 Compatibility Mode Tasks created or modified in the Task Scheduler v1.0 user interface and the Task Scheduler command-line utility SchTasks.exe are not accessible or visible through At.exe.

The Task Scheduler parser will determine at registration time whether the task can be converted to either of these compatibility modes.

6. Task Scheduler User Interface

The Task Scheduler user interface is now an MMC 3.0 snap-in, as shown in Figure 2.

Figure 2. Task Scheduler user interface.

The scope pane on the left contains the Scheduled Tasks Library sub-node under the root Task Scheduler node by default. The Library sub-node has all currently defined tasks listed under it, in a hierarchy of folders. The Microsoft subnode under the Scheduled Tasks Library contains a Windows subnode with default Windows system tasks used by operating system components, such as Reliability Monitor (RAC) and System Restore. Default system tasks are normally not modified.

The Results Pane in the center shows the task name and other relevant information about the currently selected task. The bottom part of the center pane contains a preview pane showing the definition details of the currently selected task in the list at top. Task definitions may be modified by either double-clicking the task name in the list, or selecting and right clicking or clicking the Properties action in the Actions Pane at right.

The Actions Pane on the right shows relevant actions for a selected task or scope node. New tasks can be created using the Create Basic Task action for wizard-based simple tasks, or using Create Task for full-featured tasks.

The Summary (home) page that shows up whenever you start Task Scheduler and have the top node selected displays a summary of task status for the system that includes how many tasks ran, how many succeeded or failed, and a list of currently active tasks that are not disabled or expired.

Other -----------------
- Maintaining Desktop Health : Understanding Windows Error Reporting (part 4) - Using the Problem Reports And Solutions Control Panel
- Maintaining Desktop Health : Understanding Windows Error Reporting (part 3) - Architecture of Windows Error Reporting, Configuring Windows Error Reporting
- Maintaining Desktop Health : Understanding Windows Error Reporting (part 2) - Conceptual Components
- Maintaining Desktop Health : Understanding Windows Error Reporting (part 1) - Error Reporting Cycle, Report Data Overview
- Maintaining Desktop Health : Using Performance Information And Tools
- Maintaining Desktop Health : Understanding the Windows System Assessment Tool
- Maintaining Desktop Health : Understanding Windows Eventing (part 2) - Event Viewer User Interface
- Maintaining Desktop Health : Understanding Windows Eventing (part 1) - Windows Eventing Capabilities
- Using Voice and Sounds : Associating a Sound with an Event, Using Alternatives to Sound
- Using Voice and Sounds : Letting Your Computer Do the Talking, Creating a Sound File
 
 
Top 10
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
Popular tags
Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 windows Phone 7 windows Phone 8
programming4us programming4us
Celebrity Style, Fashion Trends, Beauty and Makeup Tips.
 
programming4us
Windows Vista
programming4us
Windows 7
programming4us
Windows Azure
programming4us
Windows Server