Re: Security Template question
From: Chris Hall (someone_at_microsoft.com)
Date: 01/27/05
- Next message: John John: "Re: firewall"
- Previous message: Benny Hauk: "Re: service principal name for the VMRC server could not be regist"
- In reply to: Roger Abell: "Re: Security Template question"
- Next in thread: Steven L Umbach: "Re: Security Template question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 27 Jan 2005 08:59:35 -0500
Thanks for the input.
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:uNCZB6$AFHA.2192@TK2MSFTNGP14.phx.gbl...
> "Chris Hall" <someone@microsoft.com> wrote in message
> news:e9NG597AFHA.3824@TK2MSFTNGP10.phx.gbl...
> > Roger,
> >
> > I was wondering if I wanted to limit what person(s) were or were not to be
> > allowed membership to a group, how would I do that and ensure that it
> > wouldn't be changed in the future? Currently, we have a total of 5 in my
> > department, all of which are members of the administrators group. Also, 4 of
> > us share the administrator password. I am trying to tighten ALL security, so
> > I'm thinking that I should remove all members from the administrators group,
> > change the administrator password and use delegation of authority to handle
> > day-to-day administration like creating/modifying users/groups. By
> > controlling administrative access, I would be able to control the ability of
> > people adding users to groups willy-nilly.
> >
> > One thing I saw about handling administrative tasks was to use multiple
> > usernames for administrators. Each of us would have a username with basic
> > rights and another with administrative rights. Do you use this in your
> > network?
> >
>
> Yes, sort of. What I advocate is giving everyone a normal user account,
> and letting them know that this is the account for day-to-day use.
> Then, those that have delegated responsibilities have a "privileged"
> account, which is to be used only when its powers are being used.
> Depending on circumstances, this might be a full admin but more often
> it is only a plain user account that has been delegated powers and/or
> granted specific access or rights, all according to task.
> If the sensitivity of the environment warrants, where the privileged
> accounts are allowed to be used, allowed to log in, is something one
> should also look at (is it a secure, secured and healthy desktop? on
> a non-sniffed, non-sniffable network, etc.)
> I do believe there are trade-offs between a shared admin account (no
> individual accountability in the logged actions) and individual admin
> accounts - the biggest being that everyone wants one. There should
> be very few, and with use of delegation they do not need to be used
> all that often (at least this is so of DA, i.e. Domain Admin, and this is
> absolutely so of EA and SA)
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
>
> > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > news:uPFApAnAFHA.1452@TK2MSFTNGP11.phx.gbl...
> > > major bloop . . .
> > > > the restricted group definition. (However, if there are
> > > > memberships defined of the restricted group in other groups,
> > > should have said
> > > "However, if there are _no_ memberships defined for the restricted . .
> ."
> > > --
> > > Roger
> > > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > > news:OLad22kAFHA.1188@tk2msftngp13.phx.gbl...
> > > > Not sure I totally follow your question.
> > > >
> > > > If you ask how would you let someone manage the group
> > > > (its members and its memberships) after the group is under
> > > > control of a restricted group definition, the answer is that
> > > > they must be able to edit the settings in that GPO holding
> > > > the restricted group definition. (However, if there are
> > > > memberships defined of the restricted group in other groups,
> > > > i.e. that tab is blank in the restricted group definition, then
> > > > the group can be added to other groups in the normal way.)
> > > >
> > > > --
> > > > Roger Abell
> > > > Microsoft MVP (Windows Security)
> > > > MCSE (W2k3,W2k,Nt4) MCDBA
> > > > "Chris Hall" <someone@microsoft.com> wrote in message
> > > > news:OhuJckkAFHA.3416@TK2MSFTNGP09.phx.gbl...
> > > > > Thanks Steve & Roger. I would assume that when it comes to restricting
> > > > > memberships to & of groups (nesting groups), I would use Delegation of
> > > > > Authority to restrict that.
> > > > >
> > > > >
> > > > > "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
> > > > > news:uIan1hBAFHA.2700@TK2MSFTNGP14.phx.gbl...
> > > > > > Also, just a little info . . .
> > > > > > You will notice that for a Restricted Group definition there
> > > > > > are both members within and memberships of the group
> > > > > > that you can specify.
> > > > > > The members you state are to be within the group will be
> > > > > > the exact and total membership in the group (at least it will
> > > > > > be that way immediately after the policy is applied).
> > > > > > However, if you leave the memberships of the group not
> > > > > > defined, then the group that is being restricted can have
> > > > > > whatever nesting in other groups. If however you enter
> > > > > > a group in the memberships of area, then that will become
> > > > > > the complete and total set of groups in which the restricted
> > > > > > group will be nested as a member.
> > > > > >
> > > > > > --
> > > > > > Roger Abell
> > > > > > Microsoft MVP (Windows Server System: Security)
> > > > > > MCDBA, MCSE W2k3+W2k+Nt4
> > > > > > "Chris Hall" <someone@microsoft.com> wrote in message
> > > > > > news:uXIeA$%23$EHA.1264@TK2MSFTNGP12.phx.gbl...
> > > > > > > Good afternoon,
> > > > > > >
> > > > > > > I am using the W2K Security Hardening Guide templates as a starting point
> > > > > > > to secure our workstations/servers. Looking at the Restricted Groups, I want
> > > > > > > to add groups and make the appropriate restrictions. Would I be correct to
> > > > > > > assume that having a group in the Restricted Groups, such as Server
> > > > > > > Operators, I would be able to assign users and the security template would
> > > > > > > keep other users from being added once the policy is applied?
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
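The thread's core question is what a Restricted Groups entry actually does once a template is applied. The example below is added here and is not code from any of the posts: it parses the [Group Membership] section of a security template (the .inf syntax secedit and the Security Configuration Editor use), compares the live local group against the template's exact Members list, and pulls the Security-log events that show who added a member in the window before the next policy refresh reverts it. The template text and the domain SIDs in it are constructed placeholders; Get-LocalGroupMember requires the LocalAccounts module (Windows 10 / Server 2016 and later). Note that in the documented behaviour the Member Of list is additive: enforcement adds the restricted group to each listed group but does not remove it from groups that are not listed.

```powershell
# Added example for this thread, not code from the original posts.
# Assumptions: $templateText and the S-1-5-21-... SIDs are constructed placeholders;
# Get-LocalGroupMember needs the LocalAccounts module (Windows 10 / Server 2016+).

# Constructed [Group Membership] fragment. '*' prefixes a SID; "__Members" is the
# complete membership to enforce (anything else is removed at refresh); "__Memberof"
# lists groups this group is nested in (additive). S-1-5-32-549 is BUILTIN\Server
# Operators, S-1-5-32-544 is BUILTIN\Administrators.
$templateText = @'
[Group Membership]
*S-1-5-32-549__Memberof =
*S-1-5-32-549__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105,*S-1-5-21-1111111111-2222222222-3333333333-1106
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-500
'@

function Get-TemplateGroupMembership {
    # Parse [Group Membership] into @{ '<group SID>' = @{ Members = [string[]]; Memberof = [string[]] } }.
    # A key exists only if the template defines it. "__Members =" with nothing after the
    # '=' is a defined but empty list: enforcing it empties the group.
    param([Parameter(Mandatory)][string]$Text)
    $inSection = $false
    $groups = @{}
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
        if (-not $inSection -or $line -eq '') { continue }
        if ($line -match '^(.+?)__(Members|Memberof)\s*=\s*(.*)$') {
            $group = $Matches[1].TrimStart('*')
            $kind  = $Matches[2]
            $items = @($Matches[3] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ -ne '' })
            if (-not $groups.ContainsKey($group)) { $groups[$group] = @{} }
            $groups[$group][$kind] = $items
        }
    }
    return $groups
}

function Test-RestrictedGroupDrift {
    # Compare one local group's live membership with the template's Members list.
    # Extra = added since the last refresh (will be removed at the next one);
    # Missing = removed since the last refresh (will be re-added).
    param(
        [Parameter(Mandatory)][hashtable]$Template,
        [Parameter(Mandatory)][string]$GroupSid
    )
    if (-not $Template.ContainsKey($GroupSid) -or -not $Template[$GroupSid].ContainsKey('Members')) {
        throw "Template defines no __Members line for $GroupSid"
    }
    $wanted  = @($Template[$GroupSid]['Members'])
    $actual  = @(Get-LocalGroupMember -SID $GroupSid | ForEach-Object { $_.SID.Value })
    $extra   = @($actual | Where-Object { $wanted -notcontains $_ })
    $missing = @($wanted | Where-Object { $actual -notcontains $_ })
    [pscustomobject]@{
        Group     = $GroupSid
        Extra     = $extra
        Missing   = $missing
        Compliant = ($extra.Count -eq 0 -and $missing.Count -eq 0)
    }
}

function Get-GroupMembershipChangeEvents {
    # Restricted Groups reverts drift but does not record who caused it; the Security
    # log does, if "Audit Security Group Management" is enabled.
    # 4732 = member added to a local group, 4728 = global group, 4756 = universal group.
    param([int]$MaxEvents = 25)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4732, 4756 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

$template = Get-TemplateGroupMembership -Text $templateText
foreach ($sid in $template.Keys) {
    Test-RestrictedGroupDrift -Template $template -GroupSid $sid | Format-List
}
Get-GroupMembershipChangeEvents | Format-Table -AutoSize
```

Two practical points this makes visible. First, a Restricted Groups entry does not block an addition; a local administrator can still add a member, and the policy removes it only at the next security-settings refresh (Group Policy background refresh, or the periodic reapplication of security settings), so the drift check, or the built-in equivalent `secedit /analyze /db drift.sdb /cfg template.inf /log drift.log`, is what tells you something was changed in between, and the 47xx events are what tell you who did it. Second, on a domain controller there are no local groups and Server Operators is a domain built-in group, so the live lookup would use Get-ADGroupMember against the domain rather than Get-LocalGroupMember.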