SBS 2000 accounts security settings

From: Perikles P. Mourikis (mourikis@dreamtech.gr)
Date: 06/03/02


Date: Mon, 3 Jun 2002 14:21:06 +0300
From: "Perikles P. Mourikis" <mourikis@dreamtech.gr>
To: <focus-ms@securityfocus.com>

I have noticed that Microsoft's product Small Business Server 2000 (SBS 2000) has the "Guest" template group being a member of Domain Guests , Guests and Domain Users.
Also ISR_MACHINE and IWAM_MACHINE are members of Domain Users and Guests.
Does anybody knows any known issues with removing the Domain Users membership from these accounts?
Are there any known exploits of this configuration? (assuming the SBS 2000 is patched properly...)

TIA
Perikles
 



Relevant Pages

  • Re: User configuration question
    ... Those accounts are configured ... where use of the security group of these web users in the policies ... > There's only one network card in the system, ... > I've also found out that I can even remove them from the "Domain Users" ...
    (microsoft.public.windows.server.security)
  • Re: Domain account iwth restricted rights
    ... Normally the "Authenticated Users" special group has the logon locally ... The Domain Users causes the "Logon Locally" right to be present ... So you need both different permissions and different rights perhaps. ... What is the best way to lock down these accounts? ...
    (microsoft.public.windows.server.active_directory)
  • Re: Domain account iwth restricted rights
    ... primary group and each was removed from Domain Users. ... The Domain Users causes the "Logon Locally" right to be present ... So you need both different permissions and different rights perhaps. ... What is the best way to lock down these accounts? ...
    (microsoft.public.windows.server.active_directory)
  • Re: Changes to ACL disappear
    ... > inheritance on the adminSDHolder container will stop the ACE entries from ... > service accounts to set the AdminCount to 0. ... > "Domain Users' from "Print Operators" for this to work. ...
    (microsoft.public.windows.server.security)
  • Re: Creating Computer Accounts in the Active Directory
    ... I have tried Domain Users; that did not work correctly either. ... and the Administrators are nested in FAR too many ... >> accounts in the Active Directory using VBScript. ... >> specify a GROUP that may join to the machine to the domain other than ...
    (microsoft.public.windows.server.active_directory)