Re: Computer Management Security Problem

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 07/28/04


Date: Wed, 28 Jul 2004 01:23:33 GMT

The user right you mention is the right that by default gives administrators the
right to take ownership of files and folders, and on a domain controller that would
mean the domain administrators group. I don't believe it has anything to do with
what you're experiencing as far as users having powers on the domain controllers. I
agree with Jeff in that it must be related to a user having too many rights due to
group membership in built-in domain accounts or knowing credentials to a privileged
account. I have never seen a regular domain user be able to create/modify shares on a
domain controller. I would create a test account that is just in the Users group and
see if you can use that account to create shares on a domain controller. The link
below shows default user rights on a domain controller, which you may want to verify
as "effective" settings in Local Security Policy. --- Steve

http://www.microsoft.com/technet/Security/prodtech/win2000/win2khg/appxb.mspx

"Dave W." <DaveW@discussions.microsoft.com> wrote in message
news:76F25C7C-C5CC-4492-873F-FB917CF0E176@microsoft.com...
> Steve, you could be on the right track. In monitoring the events, I see that the
> user triggered an event 578 (privilege use) and the privilege
> "SeTakeOwnershipPrivilege" was listed. Is there a way to remove this privilege (or
> to block it on the target machine from being released)?
>
> I have checked all other built-in and other groups and most users simply belong to
> the "Domain Users" group with no specific or extra privileges.
>
> Thanks again Steve.
>
> "Steven L Umbach" wrote:
>
> > Hi Dave.
> >
> > It is true that in a default domain configuration a domain user can use Computer
> > Management and navigate to a domain controller to view certain information, though
> > not for example the security log. A domain user however should not be able to start
> > and stop services [in a default installation] and create shares on a domain
> > controller. My guess is that either a user or users have credentials to privileged
> > accounts on the domain controller or are a member of a privileged group on the
> > domain controller. Note that XP Pro computers can have stored credentials.
> >
> > What I would do is to enable auditing of logon events in Domain Controller Security
> > Policy to see exactly how these users are being authenticated to your domain
> > controllers. You can also go into Computer Management/Shares - Sessions to see what
> > users are currently connected and from what computers. I would check the membership
> > of all privileged groups on your domain controller in AD Users and Computers, such
> > as administrators, domain admins, enterprise admins, print operators, account
> > management, etc. - ALL those built-in groups, looking for unneeded users OR groups
> > as members. Then change [or force change at next logon] the passwords for any users
> > in any of those groups. Make sure that a bare minimum of users are in any
> > administrators group for the domain and remind others not to give out their
> > passwords to developers and such. Enable auditing of account management in your
> > Domain Controller Security Policy so you can monitor changes to user
> > accounts/groups and enable password complexity for the domain if not done so
> > already. It may be possible that at one time someone reconfigured services to allow
> > domain users to reset them. I would run the Security Configuration and Analysis
> > tool against the setup security.inf template to see if any discrepancies exist
> > between default service security configuration and actual configuration, which you
> > could then change assuming changes were done in the Local Security Policy and not
> > in Domain Controller Security Policy. The link below explains how to use the SCA
> > tool if you have never used it. --- Steve
> >
> > http://www.lokbox.net/SecureXP/secAnalysis.asp
> >
> > "Dave W." <DaveW@discussions.microsoft.com> wrote in message
> > news:69F66799-5783-400D-9AC6-A6B57B04309D@microsoft.com...
> > > Hello Steve,
> > >
> > > The users are not domain administrators, they are only local administrators.
> > > Further, the DC has been configured so that each user can only log into their
> > > own computer (based on their user profile, this has been restricted).
> > > Regardless, even with those restrictions, they can remotely "manage" the DC or
> > > any other PC and have complete access.
> > >
> > > I have confirmed that they can only log into their own machines, so that level
> > > of security is working. They cannot log directly into the DC or my PC (as an
> > > example), yet they can remotely manage the DC or my PC and set up new shares,
> > > etc.
> > >
> > > Dave
> > >
> > > "Steven L Umbach" wrote:
> > >
> > > > Do they really need to be "domain administrators"? If possible see if they
> > > > can be functional as local administrators on domain computers they need full
> > > > access to by adding their domain account to the local administrators group. If
> > > > they have to be domain administrators, then you cannot realistically restrict
> > > > them. You can try by using Group Policy to restrict their access to mmc
> > > > snap-ins, though that would restrict access to their local computer also and
> > > > they could undo that policy restriction if they know how to. Such restrictions
> > > > are in Group Policy/User Configuration/Administrative Templates. --- Steve
> > > >
> > > > "Dave W." <Dave W.@discussions.microsoft.com> wrote in message
> > > > news:425AF01A-8687-4539-B4AB-65F639CC6D27@microsoft.com...
> > > > > We use a Windows 2003 DC and have found that all of our users can choose
> > > > > "Manage" on "My Computer" and then choose the domain controller PC as the PC
> > > > > to manage. They can then add shares, shut down services, etc., which defeats
> > > > > all the security.
> > > > >
> > > > > How can I prevent users from specifying another computer name in the
> > > > > Computer Management console snap-in and/or how do I restrict a computer to
> > > > > allowing only specific users to connect?
> > > > >
> > > > > Note that all of our users are administrators, which I know is bad, but they
> > > > > are software developers and need to constantly re-install, update
> > > > > registries, etc.
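The two checks Steve recommends in this thread, reviewing the effective membership of every privileged built-in group (including groups nested inside groups) and correlating that with event 578 privilege-use records, as one worked script. This is an added example, not code from anyone in the thread and not a Microsoft tool; the group nesting, the account names, the "Developers" group and the "timestamp,event id,account,privileges" log layout are all constructed assumptions, so real input would come from AD Users and Computers and the DC's security log in whatever export format you use.

```python
"""Added example: reconcile privileged-group membership on a domain controller
with event 578 (privilege use) records. All data below is constructed."""
from collections import deque

# Constructed snapshot of group membership as shown in AD Users and Computers.
# Names that also appear as keys are groups; everything else is a user account.
# "Developers" nested inside Domain Admins is the hypothetical mistake that
# would explain developers holding SeTakeOwnershipPrivilege on the DC.
GROUP_MEMBERS = {
    "Administrators": ["Domain Admins", "Enterprise Admins", "Administrator"],
    "Domain Admins": ["Administrator", "Developers"],
    "Enterprise Admins": ["Administrator"],
    "Account Operators": [],
    "Server Operators": [],
    "Print Operators": ["dave"],
    "Developers": ["alice", "bob"],
    "Domain Users": ["Administrator", "alice", "bob", "carol", "dave"],
}

# Built-in groups whose members can administer a domain controller.
PRIVILEGED_GROUPS = [
    "Administrators", "Domain Admins", "Enterprise Admins",
    "Account Operators", "Server Operators", "Print Operators",
]


def effective_members(group, groups=GROUP_MEMBERS):
    """Expand nested membership of `group` breadth-first.

    Returns {user: [group, nested group, ...]} giving, for each user account
    reached, the shortest nesting path that grants the membership. The `seen`
    set guards against circular nesting."""
    result = {}
    seen = set()
    queue = deque([(group, [group])])
    while queue:
        current, path = queue.popleft()
        if current in seen:
            continue
        seen.add(current)
        for member in groups.get(current, []):
            if member in groups:                 # nested group: keep expanding
                queue.append((member, path + [member]))
            else:                                # user account: record the path
                result.setdefault(member, path)
    return result


def unexpected_privileged(expected, groups=GROUP_MEMBERS):
    """Users in any privileged group who are not on the `expected` allow-list,
    with the nesting path that grants them the membership."""
    findings = []
    for group in PRIVILEGED_GROUPS:
        for user, path in sorted(effective_members(group, groups).items()):
            if user not in expected:
                findings.append((user, group, " > ".join(path)))
    return findings


def privileged_users(groups=GROUP_MEMBERS):
    """Every user account that is, directly or through nesting, a member of
    a privileged group."""
    users = set()
    for group in PRIVILEGED_GROUPS:
        users.update(effective_members(group, groups))
    return users


# Constructed security-log extract in an assumed "timestamp,event id,account,
# privileges" layout. 578 is the privilege-use event; 538 (logoff) is ignored.
EVENTS = """\
2004-07-27 21:05:11,578,CORP\\alice,SeTakeOwnershipPrivilege
2004-07-27 21:05:40,578,CORP\\Administrator,SeTakeOwnershipPrivilege
2004-07-27 21:06:02,578,CORP\\carol,SeTakeOwnershipPrivilege
2004-07-27 21:07:15,538,CORP\\dave,-
"""


def flag_privilege_use(events_text, privileged):
    """Return (timestamp, user, privileges) for every event 578 raised by an
    account that is not in any privileged group. Group membership cannot
    explain those, so they point at shared or stored credentials instead."""
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        timestamp, event_id, account, privileges = line.split(",")
        if event_id != "578":
            continue
        user = account.split("\\")[-1]           # drop the DOMAIN\ prefix
        if user not in privileged:
            findings.append((timestamp, user, privileges))
    return findings


if __name__ == "__main__":
    for user, group, path in unexpected_privileged({"Administrator"}):
        print(f"unexpected member of {group}: {user} via {path}")
    for timestamp, user, privileges in flag_privilege_use(EVENTS, privileged_users()):
        print(f"{timestamp} {user} used {privileges} without privileged membership")
```

Run against the constructed data, the membership check reports alice and bob as members of Administrators through the path Administrators > Domain Admins > Developers, which is the kind of nested-group finding the thread is hunting for, while the log check singles out carol, whose SeTakeOwnershipPrivilege use has no membership explanation and so fits the "knows a privileged account's credentials" branch of Steve's diagnosis.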


