Re: Computer Management Security Problem
Do they really need to be "domain administrators"? If possible, see if they can be functional as local administrators on domain computers they need full access to by adding their domain account to the local administrators group. If they have to be domain administrators, then you cannot realistically restrict them. You can try by using Group Policy to restrict their access to MMC snap-ins, though that would restrict access to their local computer also, and they could undo that policy restriction if they know how to. Such restrictions are in Group Policy/user configuration/administrative templates. --- Steve
"Dave W." wrote in message news:425AF01A-8687-4539-B4AB-65F639CC6D27@microsoft.com...
> We use a Windows 2003 DC and have found that all of our users can choose the "Manage" on "My Computer" and then choose the domain controller PC as the PC to manage. They can then add shares, shut down services, etc. which defeats all the security.
>
> How can I prevent users from specifying another computer name in the computer management console snap-in and/or how do I restrict a computer from allowing only specific users to connect.
>
> Note that all of our users are administrators which I know is bad, but they are software developers and need to constantly re-install, update registries, etc.
|
Hi Dave.
It is true that in a default domain configuration a domain user can use Computer Management and navigate to a domain controller to view certain information, though not for example the security log. A domain user however should not be able to start and stop services [in a default installation] and create shares on a domain controller. My guess is that either a user or users have credentials to privileged accounts on the domain controller or are a member of a privileged group on the domain controller. Note that XP Pro computers can have stored credentials.
What I would do is to enable auditing of logon events in Domain Controller Security Policy to see exactly how these users are being authenticated to your domain controllers. You can also go into Computer Management/shares - sessions to see what users are currently connected and from what computers. I would check the membership of all privileged groups on your domain controller in AD Users and Computers such as administrators, domain admins, enterprise admins, print operators, account management, etc - ALL those built in groups, looking for unneeded users OR groups as members. Then change [or force change at next logon] the passwords for any users in any of those groups. Make sure that a bare minimum of users are in any administrators group for the domain and remind others not to give out their passwords to developers and such. Enable auditing of account management in your Domain Controller Security Policy so you can monitor changes to user accounts/groups and enable password complexity for the domain if not done so already. It may be possible at one time that someone reconfigured services to allow domain users to reset them. I would run the Security Configuration and Analysis tool against the setup security.inf template to see if any discrepancies exist between default service security configuration and actual configuration, which you could then change assuming changes were done in the Local Security Policy and not in Domain Controller Security Policy. The link below explains how to use the SCA tool if you have never used it. --- Steve
http://www.lokbox.net/SecureXP/secAnalysis.asp
"Dave W." wrote in message news:69F66799-5783-400D-9AC6-A6B57B04309D@microsoft.com...
> Hello Steve,
>
> The users are not domain administrators, they are only local administrators. Further, the DC has been configured so that each user can only log into their own computer (based on their user profile, this has been restricted). Regardless, even with those restrictions, they can remotely "manage" the DC or any other PC and have complete access.
>
> I have confirmed that they can only log into their own machines so that level of security is working. They cannot log directly into the DC or my PC (as an example) yet they can remotely manage the DC or my PC and set up new shares, etc.
>
> Dave
|
On Tue, 27 Jul 2004 11:34:03 -0700, "Dave W." wrote:
>The users are not domain administrators, they are only local administrators. Further, the DC has been configured so that each user can only log into their own computer (based on their user profile, this has been restricted). Regardless, even with those restrictions, they can remotely "manage" the DC or any other PC and have complete access.
Check your DC. I suspect a user group has been granted access or placed in a group that allows access; this isn't the default for standard users, even local admins on their own systems.
Jeff
>I have confirmed that they can only log into their own machines so that level of security is working. They cannot log directly into the DC or my PC (as an example) yet they can remotely manage the DC or my PC and set up new shares, etc.
>
>Dave
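The group-membership review that Steve and Jeff suggest above, as an added example that is not part of the original posts: it follows nested groups to list every account that effectively sits in a built-in privileged group on the domain controller, together with the chain of groups that put it there. The membership table, the DevTeam group and the account names are constructed for illustration, and the approved list is an assumption.

```powershell
# Added example: expand nested membership of the privileged groups on a DC.
# $Membership is CONSTRUCTED sample data (group -> direct members). DevTeam,
# alice, bob and dave.admin are hypothetical names. On a live domain the same
# table can be filled from AD Users and Computers or "net group" output.
$Membership = @{
    'Administrators'    = @('Domain Admins', 'Enterprise Admins')
    'Domain Admins'     = @('dave.admin')
    'Enterprise Admins' = @('dave.admin')
    'Server Operators'  = @('DevTeam')       # constructed mistake: a group nested here
    'Account Operators' = @()
    'Print Operators'   = @()
    'Backup Operators'  = @()
    'DevTeam'           = @('Domain Users')
    'Domain Users'      = @('alice', 'bob', 'dave.admin')
}

# Built-in groups to review, and the accounts expected to hold them (assumption).
$Privileged = 'Administrators', 'Domain Admins', 'Enterprise Admins',
              'Server Operators', 'Account Operators', 'Print Operators',
              'Backup Operators'
$Approved   = @('dave.admin')

function Get-EffectiveMember {
    param(
        [string]$Group,
        [hashtable]$Table,
        [string[]]$Path = @()
    )
    $chain = @($Path) + $Group
    foreach ($member in $Table[$Group]) {
        if ($Table.ContainsKey($member)) {
            # A group as a member: follow it unless it is already on this path
            # (guards against circular nesting).
            if ($chain -notcontains $member) {
                Get-EffectiveMember -Group $member -Table $Table -Path $chain
            }
        }
        else {
            [pscustomobject]@{
                Account = $member
                Via     = $chain -join ' -> '
            }
        }
    }
}

function Find-UnexpectedPrivilege {
    param([string[]]$Groups, [hashtable]$Table, [string[]]$Allow)
    foreach ($group in $Groups) {
        Get-EffectiveMember -Group $group -Table $Table |
            Where-Object { $Allow -notcontains $_.Account }
    }
}

Find-UnexpectedPrivilege -Groups $Privileged -Table $Membership -Allow $Approved |
    Format-Table -AutoSize
```

With the constructed data, the only rows reported are the ordinary accounts that reach Server Operators through DevTeam and Domain Users, which is the kind of indirect membership a check of direct members alone would miss.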
|
"Dave W." wrote in message news:76F25C7C-C5CC-4492-873F-FB917CF0E176@microsoft.com...
> Steve, you could be on the right track. In monitoring the events, I see that the user triggered an event 578 (privilege use) and the privilege "SeTakeOwnershipPrivilege" was listed. Is there a way to remove this privilege (or to block it on the target machine from being released)?
>
> I have checked all other built-in and other groups and most users simply belong to the "Domain User" group with no specific or extra privileges.
>
> Thanks again Steve.
|
The user right you mention is the right that by default gives administrators the right to take ownership of files and folders, and on a domain controller that would mean the domain administrators group. I don't believe it has anything to do with what you're experiencing as far as users having powers on the domain controllers. I agree with Jeff in that it must be related to a user having too many rights due to group membership on built in domain accounts or knowing credentials to a privileged account. I have never seen a regular domain user be able to create/modify shares on a domain controller. I would create a test account that is just in the users group and see if you can use that account to create shares on a domain controller. The link below shows default user rights on a domain controller which you may want to verify as "effective" settings in Local Security Policy. --- Steve
http://www.microsoft.com/technet/Security/prodtech/win2000/win2khg/appxb.mspx