Re: Computer Management Security Problem
From: Dave W. (DaveW_at_discussions.microsoft.com)
Date: 07/27/04
Date: Tue, 27 Jul 2004 14:18:02 -0700
Steve, you could be on the right track. In monitoring the events, I see that the user triggered an event 578 (privilege use) and the privilege "SeTakeOwnershipPrivilege" was listed. Is there a way to remove this privilege (or to block it on the target machine from being released)?
I have checked all other built-in and other groups and most users simply belong to the "Domain User" group with no specific or extra privileges.
Thanks again Steve.
"Steven L Umbach" wrote:
> Hi Dave.
>
> It is true that in a default domain configuration a domain user can use Computer
> Management and navigate to a domain controller to view certain information, though
> not for example the security log. A domain user however should not be able to start
> and stop services [in a default installation] and create shares on a domain
> controller. My guess is that either a user or users have credentials to privileged
> accounts on the domain controller or are a member of a privileged group on the domain
> controller. Note that XP Pro computers can have stored credentials.
>
> What I would do is to enable auditing of logon events in Domain Controller Security
> Policy to see exactly how these users are being authenticated to your domain
> controllers. You can also go into Computer Management/shares -sessions to see what
> users are currently connected and from what computers. I would check the membership
> of all privileged groups on your domain controller in AD Users and Computers such as
> administrators, domain admins, enterprise admins, print operators, account
> management, etc - ALL those built in groups looking for unneeded users OR groups as
> members. Then change [or force change at next logon] the passwords for any users in
> any of those groups. Make sure that a bare minimum of users are in any administrators
> group for the domain and remind others not to give out their passwords to developers
> and such. Enable auditing of account management in your Domain Controller Security
> Policy so you can monitor changes to user accounts/groups and enable password
> complexity for the domain if not done so already. It may be possible at one time that
> someone reconfigured services to allow domain users to reset them. I would run the
> Security Configuration and Analysis tool against the setup security.inf template to
> see if any discrepancies exist between default service security configuration and
> actual configuration which you could then change assuming changes were done in the
> Local security Policy and not in Domain Controller Security Policy. The link below
> explains how to use the SCA tool if you have never used it. --- Steve
>
> http://www.lokbox.net/SecureXP/secAnalysis.asp
>
> "Dave W." <DaveW@discussions.microsoft.com> wrote in message
> news:69F66799-5783-400D-9AC6-A6B57B04309D@microsoft.com...
> > Hello Steve,
> >
> > The users are not domain administrators, they are only local administrators.
> > Further, the DC has been configured so that each user can only log into their own
> > computer (based on their user profile, this has been restricted). Regardless, even
> > with those restrictions, they can remotely "manage" the DC or any other PC and have
> > complete access.
> >
> > I have confirmed that they can only log into their own machines so that level of
> > security is working. They cannot log directly into the DC or my PC (as an example)
> > yet they can remotely manage the DC or my PC and set up new shares, etc.
> >
> > Dave
> >
> > "Steven L Umbach" wrote:
> >
> > > Do they really need to be "domain administrators"? If possible see if they can be
> > > functional as local administrators on domain computers they need full access to by
> > > adding their domain account to the local administrators group. If they have to be
> > > domain administrators, then you can not realistically restrict them. You can try by
> > > using Group Policy to restrict their access to mmc snapins, though that would
> > > restrict access to their local computer also and they could undo that policy
> > > restriction if they know how to. Such restrictions are in Group Policy/user
> > > configuration/administrative templates. --- Steve
> > >
> > >
> > > "Dave W." <Dave W.@discussions.microsoft.com> wrote in message
> > > news:425AF01A-8687-4539-B4AB-65F639CC6D27@microsoft.com...
> > > > We use a Windows 2003 DC and have found that all of our users can choose the
> > > > "Manage" on "My Computer" and then choose the domain controller PC as the PC to
> > > > manage. They can then add shares, shut down services, etc. which defeats all the
> > > > security.
> > > >
> > > > How can I prevent users from specifying another computer name in the computer
> > > > management console snap-in and/or how do I restrict a computer from allowing only
> > > > specific users to connect?
> > > >
> > > > Note that all of our users are administrators which I know is bad, but they are
> > > > software developers and need to constantly re-install, update registries, etc.
> > > >
> > >
> > >
> > >
>
>
>
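The event 578 reported in the reply above shows SeTakeOwnershipPrivilege being exercised; one way to see which accounts hold that right on the target machine is to export its user rights with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and compare the holders against a baseline. The Python below is an added example, not part of the original thread; the sample export, the domain SID, the `devbuild` account and the baseline are constructed assumptions.

```python
"""Added example: flag unexpected holders of a user right in a secedit export."""

# Constructed sample of a USER_RIGHTS export; the domain SID (RID 513 is
# Domain Users) and the 'devbuild' account are made up for illustration.
# A real export file is UTF-16, so read it with encoding="utf-16".
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeTakeOwnershipPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-513,devbuild
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Assumed baseline: only built-in Administrators (S-1-5-32-544) holds the right.
BASELINE = {"SeTakeOwnershipPrivilege": {"S-1-5-32-544"}}


def parse_privilege_rights(text):
    """Return {privilege: [principal, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; account names appear bare.
            holders = [h.strip().lstrip("*") for h in value.split(",") if h.strip()]
            rights[name.strip()] = holders
    return rights


def unexpected_holders(rights, baseline=BASELINE):
    """Return {privilege: [principals not in the baseline]} for baselined rights."""
    findings = {}
    for privilege, allowed in baseline.items():
        extra = [h for h in rights.get(privilege, []) if h not in allowed]
        if extra:
            findings[privilege] = extra
    return findings


if __name__ == "__main__":
    for priv, extra in unexpected_holders(parse_privilege_rights(SAMPLE_EXPORT)).items():
        print(f"{priv}: unexpected holders -> {', '.join(extra)}")
```

Any principal reported here beyond the baseline is a candidate explanation for a non-administrator triggering event 578 with this privilege.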