Re: Computer Management Security Problem
From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 07/27/04
Date: Tue, 27 Jul 2004 19:06:13 GMT
Hi Dave.

It is true that in a default domain configuration a domain user can use Computer
Management and navigate to a domain controller to view certain information, though
not for example the security log. A domain user however should not be able to start
and stop services [in a default installation] and create shares on a domain
controller. My guess is that either a user or users have credentials to privileged
accounts on the domain controller or are a member of a privileged group on the domain
controller. Note that XP Pro computers can have stored credentials.

What I would do is to enable auditing of logon events in Domain Controller Security
Policy to see exactly how these users are being authenticated to your domain
controllers. You can also go into Computer Management/shares -sessions to see what
users are currently connected and from what computers. I would check the membership
of all privileged groups on your domain controller in AD Users and Computers such as
administrators, domain admins, enterprise admins, print operators, account
management, etc - ALL those built in groups looking for unneeded users OR groups as
members. Then change [or force change at next logon] the passwords for any users in
any of those groups. Make sure that a bare minimum of users are in any administrators
group for the domain and remind others not to give out their passwords to developers
and such. Enable auditing of account management in your Domain Controller Security
Policy so you can monitor changes to user accounts/groups and enable password
complexity for the domain if not done so already.

It may be possible at one time that someone reconfigured services to allow domain
users to reset them. I would run the Security Configuration and Analysis tool against
the setup security.inf template to see if any discrepancies exist between default
service security configuration and actual configuration which you could then change
assuming changes were done in the Local Security Policy and not in Domain Controller
Security Policy. The link below explains how to use the SCA tool if you have never
used it.

--- Steve

http://www.lokbox.net/SecureXP/secAnalysis.asp

"Dave W." <DaveW@discussions.microsoft.com> wrote in message
news:69F66799-5783-400D-9AC6-A6B57B04309D@microsoft.com...
> Hello Steve,
>
> The users are not domain administrators, they are only local administrators.
> Further, the DC has been configured so that each user can only log into their own
> computer (based on their user profile, this has been restricted). Regardless, even
> with those restrictions, they can remotely "manage" the DC or any other PC and have
> complete access.
>
> I have confirmed that they can only log into their own machines so that level of
> security is working. They cannot log directly into the DC or my PC (as an example)
> yet they can remotely manage the DC or my PC and set up new shares, etc.
>
> Dave
>
> "Steven L Umbach" wrote:
>
> > Do they really need to be "domain administrators"? If possible see if they can be
> > functional as local administrators on domain computers they need full access to by
> > adding their domain account to the local administrators group. If they have to be
> > domain administrators, then you can not realistically restrict them. You can try by
> > using Group Policy to restrict their access to mmc snapins, though that would
> > restrict access to their local computer also and they could undo that policy
> > restriction if they know how to. Such restrictions are in Group Policy/user
> > configuration/administrative templates. --- Steve
> >
> >
> > "Dave W." <Dave W.@discussions.microsoft.com> wrote in message
> > news:425AF01A-8687-4539-B4AB-65F639CC6D27@microsoft.com...
> > > We use a Windows 2003 DC and have found that all of our users can choose the
> > > "Manage" on "My Computer" and then choose the domain controller PC as the PC to
> > > manage. They can then add shares, shut down services, etc. which defeats all the
> > > security.
> > >
> > > How can I prevent users from specifying another computer name in the computer
> > > management console snap-in and/or how do I restrict a computer from allowing only
> > > specific users to connect?
> > >
> > > Note that all of our users are administrators which I know is bad, but they are
> > > software developers and need to constantly re-install, update registries, etc.
> > >
> >
> >
> >
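
An added example, not part of the original thread: one way to script the privileged-group membership review described in the reply above, including members that arrive through nested groups. It assumes a current Windows host with the ActiveDirectory PowerShell module (RSAT), which postdates this 2004 thread; the group list and the allowlist names are constructed placeholders to adjust for your domain.

```powershell
# Added example: requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Built-in privileged groups to review (assumed list; extend for your domain).
$PrivilegedGroups = @(
    'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Account Operators', 'Server Operators', 'Print Operators', 'Backup Operators'
)

# Constructed allowlist of accounts and groups expected to hold privilege (placeholders).
$Expected = @('Administrator', 'Domain Admins', 'Enterprise Admins', 'dc-admin-placeholder')

$report = foreach ($group in $PrivilegedGroups) {
    try {
        # Direct members include nested groups themselves.
        $direct    = @(Get-ADGroupMember -Identity $group -ErrorAction Stop)
        # -Recursive expands nested groups down to the accounts inside them.
        $effective = @(Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop)
    } catch {
        Write-Warning "Could not read group '$group': $($_.Exception.Message)"
        continue
    }
    $directDNs = $direct | ForEach-Object { $_.distinguishedName }

    foreach ($m in $direct) {
        [pscustomobject]@{
            Group = $group; Member = $m.SamAccountName; Class = $m.objectClass
            Path  = 'direct'; Unexpected = $Expected -notcontains $m.SamAccountName
        }
    }
    # Accounts that hold the privilege only through a nested group.
    foreach ($m in $effective | Where-Object { $directDNs -notcontains $_.distinguishedName }) {
        [pscustomobject]@{
            Group = $group; Member = $m.SamAccountName; Class = $m.objectClass
            Path  = 'nested'; Unexpected = $Expected -notcontains $m.SamAccountName
        }
    }
}

# Full membership picture, then the entries that are not on the allowlist.
$report | Sort-Object Group, Path, Member | Format-Table -AutoSize
$report | Where-Object Unexpected |
    Sort-Object Member -Unique |
    Select-Object Member, Class, Group, Path
```

Entries flagged as unexpected are the candidates for removal from the group and for the password change the reply recommends.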