Re: Security Template question
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 01/27/05
- Previous message: Neville: "NetSvc and Power Users"
- In reply to: Chris Hall: "Re: Security Template question"
- Next in thread: Chris Hall: "Re: Security Template question"
- Reply: Chris Hall: "Re: Security Template question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 26 Jan 2005 16:29:47 -0700
"Chris Hall" <someone@microsoft.com> wrote in message
news:e9NG597AFHA.3824@TK2MSFTNGP10.phx.gbl...
> Roger,
>
> I was wondering if I wanted to limit what person(s) were or were not to be
> allowed membership to a group, how would I do that and ensure that it
> wouldn't be changed in the future? Currently, we have a total of 5 in my
> department, all of which are members of the administrators group. Also, 4 of
> us share the administrator password. I am trying to tighten ALL security, so
> I'm thinking that I should remove all members from the administrators group,
> change the administrator password and use delegation of authority to handle
> day-to-day administration like creating/modifying users/groups. By
> controlling administrative access, I would be able to control the ability of
> people adding users to groups willy-nilly.
>
> One thing I saw about handling administrative tasks was to use multiple
> usernames for administrators. Each of us would have a username with basic
> rights and another with administrative rights. Do you use this in your
> network?
>
Yes, sort of. What I advocate is giving everyone a normal user account,
and letting them know that this is the account for day-to-day use.
Then, those that have delegated responsibilities have a "privileged"
account, which is to be used only when its powers are being used.
Depending on circumstances, this might be a full admin but more often
it is only a plain user account that has been delegated powers and/or
granted specific access or rights, all according to task.
If the sensitivity of the environment warrants, where the privileged
accounts are allowed to be used, allowed to log in, is something one
should also look at (is it a secure, secured and healthy desktop? on
a non-sniffed, non-sniffable network, etc.)
I do believe there are trade-offs between a shared admin account (no
individual accountability in the logged actions) and individual admin
accounts - the biggest being that everyone wants one. There should
be very few, and with use of delegation they do not need to be used
all that often (at least this is so of DA, i.e. Domain Admin, and this is
absolutely so of EA and SA)
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:uPFApAnAFHA.1452@TK2MSFTNGP11.phx.gbl...
> > major bloop . . .
> > > the restricted group definition. (However, if there are
> > > memberships defined of the restricted group in other groups,
> > should have said
> > "However, if there are _no_ memberships defined for the restricted . . ."
> >
> > --
> > Roger
> >
> > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > news:OLad22kAFHA.1188@tk2msftngp13.phx.gbl...
> > > Not sure I totally follow your question.
> > >
> > > If you ask how would you let someone manage the group
> > > (its members and its memberships) after the group is under
> > > control of a restricted group definition, the answer is that
> > > they must be able to edit the settings in that GPO holding
> > > the restricted group definition. (However, if there are
> > > memberships defined of the restricted group in other groups,
> > > i.e. that tab is blank in the restricted group definition, then
> > > the group can be added to other groups in the normal way.)
> > >
> > > --
> > > Roger Abell
> > > Microsoft MVP (Windows Security)
> > > MCSE (W2k3,W2k,Nt4) MCDBA
> > >
> > > "Chris Hall" <someone@microsoft.com> wrote in message
> > > news:OhuJckkAFHA.3416@TK2MSFTNGP09.phx.gbl...
> > > > Thanks Steve & Roger. I would assume that when it comes to restricting
> > > > memberships to & of groups (nesting groups), I would use Delegation of
> > > > Authority to restrict that.
> > > >
> > > > "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
> > > > news:uIan1hBAFHA.2700@TK2MSFTNGP14.phx.gbl...
> > > > > Also, just a little info . . .
> > > > > You will notice that for a Restricted Group definition there
> > > > > are both members within and memberships of the group
> > > > > that you can specify.
> > > > > The members you state are to be within the group will be
> > > > > the exact and total membership in the group (at least it will
> > > > > be that way immediately after the policy is applied).
> > > > > However, if you leave the memberships of the group not
> > > > > defined, then the group that is being restricted can have
> > > > > whatever nesting in other groups. If however you enter
> > > > > a group in the memberships of area, then that will become
> > > > > the complete and total set of groups in which the restricted
> > > > > group will be nested as a member.
> > > > >
> > > > > --
> > > > > Roger Abell
> > > > > Microsoft MVP (Windows Server System: Security)
> > > > > MCDBA, MCSE W2k3+W2k+Nt4
> > > > >
> > > > > "Chris Hall" <someone@microsoft.com> wrote in message
> > > > > news:uXIeA$%23$EHA.1264@TK2MSFTNGP12.phx.gbl...
> > > > > > Good afternoon,
> > > > > >
> > > > > > I am using the W2K Security Hardening Guide templates as a starting point
> > > > > > to secure our workstations/servers. Looking at the Restricted Groups, I want
> > > > > > to add groups and make the appropriate restrictions. Would I be correct to
> > > > > > assume that having a group in the Restricted Groups, such as Server
> > > > > > Operators, I would be able to assign users and the security template would
> > > > > > keep other users from being added once the policy is applied?
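The Restricted Groups semantics discussed in the quoted messages above (an explicit "Members" list becomes the exact and total membership; a blank "Member Of" leaves nesting alone) map directly onto the [Group Membership] section of a secedit security template. The following PowerShell is an added example written for this page, not code from the thread or from Microsoft: it builds such a template for the local Administrators group (the group Chris wants to empty of shared accounts), applies it with secedit, then reads the group back to report drift from the intended list. The domain name CONTOSO and the group CONTOSO\ServerAdmins are placeholders, and the script assumes it runs elevated on a Windows host whose built-in administrator account is still named Administrator.

```powershell
# Added example, not code from the thread. Placeholders: domain CONTOSO and
# group CONTOSO\ServerAdmins (hypothetical). Run elevated.

# These names go into the template. "Members" is the exact and total
# membership once the policy applies, so anyone not listed is removed,
# including whoever runs this if they are not covered by the list.
$TemplateMembers = @('Administrator', 'CONTOSO\ServerAdmins')

# The drift check below sees local accounts as HOST\name, so qualify the
# unqualified entries with the computer name for comparison purposes.
$ExpectedMembers = $TemplateMembers | ForEach-Object {
    if ($_ -match '\\') { $_ } else { "$env:COMPUTERNAME\$_" }
}

# S-1-5-32-544 is the well-known SID of the built-in Administrators group.
# "__Memberof" is deliberately left blank: the group keeps whatever nesting
# it has in other groups. Filling it in would make that the total set of
# groups Administrators may be a member of.
$Template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Members = __MEMBERS__
*S-1-5-32-544__Memberof =
'@
$Template = $Template -replace '__MEMBERS__', ($TemplateMembers -join ',')

function Invoke-RestrictedGroupTemplate {
    param(
        [Parameter(Mandatory)][string]$TemplateText,
        [string]$Name = 'restricted-admins'
    )
    $inf = Join-Path $env:TEMP "$Name.inf"
    $db  = Join-Path $env:TEMP "$Name.sdb"
    # secedit templates are Unicode text files.
    Set-Content -Path $inf -Value $TemplateText -Encoding Unicode
    # /areas GROUP_MGMT restricts the run to the Restricted Groups section.
    secedit /configure /db $db /cfg $inf /areas GROUP_MGMT /quiet
    if ($LASTEXITCODE -ne 0) {
        throw "secedit /configure failed with exit code $LASTEXITCODE"
    }
}

function Get-LocalGroupMembers {
    param([string]$Group = 'Administrators')
    # WinNT provider: works for local groups without the LocalAccounts module.
    $adsi = [ADSI]"WinNT://./$Group,group"
    foreach ($m in $adsi.Invoke('Members')) {
        $path = $m.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $m, $null)
        # WinNT://CONTOSO/ServerAdmins or WinNT://CONTOSO/HOST/Administrator:
        # keep the last two components and render them as AUTHORITY\name.
        $parts = ($path -replace '^WinNT://', '') -split '/'
        '{0}\{1}' -f $parts[-2], $parts[-1]
    }
}

function Test-GroupDrift {
    param(
        [Parameter(Mandatory)][string[]]$Expected,
        [string]$Group = 'Administrators'
    )
    $actual = @(Get-LocalGroupMembers -Group $Group)
    $diff = @(Compare-Object -ReferenceObject $Expected -DifferenceObject $actual)
    foreach ($d in $diff) {
        $kind = if ($d.SideIndicator -eq '=>') { 'UNEXPECTED member' } else { 'MISSING member' }
        Write-Warning ("{0}: {1} {2}" -f $Group, $kind, $d.InputObject)
    }
    return ($diff.Count -eq 0)
}

Invoke-RestrictedGroupTemplate -TemplateText $Template
if (Test-GroupDrift -Expected $ExpectedMembers) {
    Write-Output 'Administrators membership matches the template.'
}
```

Applied locally with secedit this is a one-shot change, which is why the drift check is there; delivered through a GPO (Computer Configuration, Windows Settings, Security Settings, Restricted Groups) the same definition is re-applied at each policy refresh, which is what gives the "cannot be changed in the future" property Chris is after. Review the "Members" list before running it, since the policy removes every account not on it.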