RE: Windows 2000 security
From: Snow, Corey (csnow@deltadentalwa.com)
Date: 08/08/02
- Previous message: Chris Berry: "Re: Cybercafe LAN security"
- Maybe in reply to: Marcus James: "Windows 2000 security"
- Next in thread: Mike Curry: "RE: Windows 2000 security"
From: "Snow, Corey" <csnow@deltadentalwa.com>
To: "'Marcus James'" <marcus01@post.com>
Date: Thu, 8 Aug 2002 14:36:41 -0700

> I have a simple question (I think). I am trying to secure a W2K
> professional workstation on a W2K network. I have hardened the box
> based on an ISF security checklist. However, I want to make sure
> that:
>
> 1) The domain administrator cannot login remotely
> 2) Nobody, including domain admin, can login from the console, except
> the owner of the box
>
If the machine is a member of a domain, you cannot do this (disallow the
domain admin from doing anything), at least not permanently. The
"Administrator" account of the Windows domain of which a machine is a member
can bypass any security settings on the system, or change them at will using
various methods (Group Policy, etc). You may be able to prevent members of
the "Domain Administrators" *group* from doing anything, but "Administrator"
(or whatever it's been renamed to, if you did that) bypasses anything or can
take ownership of anything. They've got the ultimate trump card.

Any security settings in a Windows 2000 domain are managed at the domain
controller. If the domain admin wished, he or she could set the privileges
he or she wanted and apply them to every machine in the domain. Domain
member machines will override local settings with domain-level settings,
regardless of whether domain-level settings tighten or loosen security.

The only way to do what you're wanting to do is to make the machine a
standalone box, not a member of a domain at all. But you shouldn't need to.
In what circumstances should the domain administrator be disallowed from
logging onto a box within the domain he or she is ostensibly in control of?

Corey M. Snow - csnow@deltadentalwa.com
I don't speak for my employer.