Re: Security Treats
From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 09/30/04
- Next message: Joel McCravy: "windows 2000 server, Windows xp logon"
- Previous message: Steven L Umbach: "Re: NT workstations cant see shares on Windows 2000 server"
- In reply to: Oli Restorick [MVP]: "Re: Security Treats"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 29 Sep 2004 22:25:39 GMT
Gee I though you were just concerned that they could install a keyboard
logger. --- Steve
"Oli Restorick [MVP]" <oli@mvps.org> wrote in message
news:OEWxewmpEHA.3572@TK2MSFTNGP10.phx.gbl...
> That may be a possibility (although I understood that it wasn't all that
> easy), but it wasn't what I was thinking.
>
> Think about your machine and what happens when you log in. When you log
> in, several programs can start in the background, because they're in the
> computer's "startup" group, or other launching points.
>
> Now, imagine that a malicious user wants to gain domain admin access. All
> he has to do is to make a script that will add a new user to the domain
> and give that user domain admin rights, make that script launch when
> somebody logs in and then persuade an administrator to come over and fix
> some "problem". When they log in, the administrator unwittingly gives
> away domain admin.
>
> This isn't a bug or a problem in Windows and Microsoft aren't going to
> "fix" this.
>
> Now, it may be the case that you don't give your users the power user or
> administrator level access to the local machine that's required to cause
> things to run when somebody logs into a machine.
>
> That's good, but there are two reasons why this is not enough. The first
> is that there's nearly always a gap between what you think is true and
> what is actually true. You may think that nobody has power user or
> administrator to any machines, but this is an common way to make some
> poorly-written software run.
>
> The other reason is that if sombody has physical access to your computer,
> they can change the way that computer behaves. Sure, it may take some
> effort, but given the right software, it's actually not difficult to gain
> local admin access given physical access to a machine.
>
> So, how should you change your ways and still allow you or your helpdeesk
> people to do their job? If you have group policy, it's fairly easy.
>
> Create a new security group and call it, say, "Helpdesk". Create some
> workstation admin accounts and place them in the group.
>
> Make sure your workstation accounts reside in an OU (rather than the
> default "computers" container) and create a new group policy object on
> that OU.
>
> Then, create a new Group Policy object and set up a computer startup
> script
> (Computer Configuration | Windows Settings | Scripts (Startup/Shutdown) |
> Startup
>
> For name, use "net"
> For parameters, use "localgroup administrators domain\helpdesk /add"
>
> This will execute the command "net localgroup administrators
> domain\helpdesk /add" each time a machine affected by the policy boots.
>
> Additionally, you should aim to not even log in at your own workstation
> with domain admin credentials. You can do this and still allow your
> regular accouunt to do day-to-day activities such as creating users and
> resetting passwords by using the delegation of control wizard. If you do
> this, make sure you always delegate permissions to a group, rather than
> individual users.
>
> Hope this helps
>
> Oli
>
>
>
>
>
>
> <anonymous@discussions.microsoft.com> wrote in message
> news:2d7b01c4a4a6$3bb831b0$a301280a@phx.gbl...
>> Oli - why?
>> I realize it creates a local domain admin profile. Is
>> this so that someone doesn't use L0ft or the like to
>> extract the password? Thanks.
>
>
- Next message: Joel McCravy: "windows 2000 server, Windows xp logon"
- Previous message: Steven L Umbach: "Re: NT workstations cant see shares on Windows 2000 server"
- In reply to: Oli Restorick [MVP]: "Re: Security Treats"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
