Network security FAQ: Managing user rights

17 Oct 2006 | Wes Noonan

Advice for securing Windows

User rights management raises many questions in Windows networking environments. How do I manage the risks of over-privileged users? How do I grant access to resources in a multiple domain environment? Can I prevent domain admins from logging on to domain controllers? Our resident Windows networking security expert Wes Noonan provides answers to these questions in this FAQ.

Don't forget to visit our library of all of Wes's expert advice. You can also ask him a Windows networking question of your own!

Handling the dangers of network users with too many rights

Q: Some of my employees are seeking privileges that I feel compromise the integrity of my network. Could you share some best practices for network security so that I can prove how dangerous these privileges are?

A: Politics is probably the second most difficult thing to balance against security (the first being money). This is what I use as a measuring stick. If someone can't provide a valid *business* justification for the escalated privileges, I fight strongly against providing them. If a business application requires escalated privileges, I escalate the issue with that vendor to make it clear to them that requiring escalated privileges is against the corporate security policy, and that if they can't provide a workaround, we won't be buying or using their product. In today's environment, many software vendors have more restrictive access requirements that they can run under, but that they do not always make publicly known (you need to ask for them). If all else fails though, I then work under the basic premise of the most restrictive rights possible. So before I make a user a local administrator, I will check and see if they can do what they need to do as a power user. Before I make a user a power user, I will check to see if I can grant specific rights to the user (or more practically to a group the user is a member of) or specific rights to the appropriate registry keys or files.

The bottom line here though is that you are 100% correct in how you are approaching this issue, and unfortunately this is one of the more unpleasant aspects of security administration. Your best weapon is the ability to demonstrate how the users can perform all of their required business responsibilities at the lower privilege level. Good luck!!
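The last step of the approach above, granting a group specific rights on the application's own folder and registry key rather than making the user a local administrator, as an added PowerShell example that is not part of the original column. The group name, folder and registry key are assumptions; adjust them to the application in question.

```powershell
# Added example (not from the original column): grant a group only the NTFS and
# registry rights an application needs, instead of adding its users to Administrators.
# All three values below are assumptions for illustration.
$Group  = 'CORP\LegacyApp-Users'                  # assumed domain group holding the users
$AppDir = 'C:\Program Files\LegacyApp\Data'       # assumed folder the application writes to
$AppKey = 'HKLM:\SOFTWARE\LegacyApp'              # assumed registry key the application writes to

# 1. Folder: Modify (read, write, delete inside the tree), inherited by subfolders and files.
$dirAcl  = Get-Acl -Path $AppDir
$dirRule = New-Object System.Security.AccessControl.FileSystemAccessRule($Group, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$dirAcl.AddAccessRule($dirRule)
Set-Acl -Path $AppDir -AclObject $dirAcl

# 2. Registry: write access only under the application's own key, not all of HKLM\SOFTWARE.
$keyAcl  = Get-Acl -Path $AppKey
$keyRule = New-Object System.Security.AccessControl.RegistryAccessRule($Group, 'FullControl', 'ContainerInherit', 'None', 'Allow')
$keyAcl.AddAccessRule($keyRule)
Set-Acl -Path $AppKey -AclObject $keyAcl

# 3. Verify: show the ACEs that now apply to the group on both objects, then list the
#    local Administrators group so you can confirm the users are not (or no longer) in it.
Get-Acl -Path $AppDir | Select-Object -ExpandProperty Access | Where-Object { $_.IdentityReference -eq $Group }
Get-Acl -Path $AppKey | Select-Object -ExpandProperty Access | Where-Object { $_.IdentityReference -eq $Group }
net localgroup Administrators
```

Run it from an elevated prompt on the workstation; a user who was already logged on needs to log off and back on before the new group-based rights take effect.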

Preventing domain admins from logging onto domain controllers

Q: How can I prevent certain users who are domain administrators from logging onto domain controllers?

A: That depends on the kind of user they are. If they are a member of a group that grants them rights on domain controllers (for example, Domain Admins) there really isn't a way to do that. If your domain is small enough, you could specify the list of computers they are allowed to log in to, excluding the domain controllers, but I think this would rapidly become unmanageable (every time you add a computer, potentially you need to update the list of computers they can log in to) as well as being rendered ineffective if the users in question are domain admins (they can always come in behind you and undo it).

Now, assuming that this is not a domain admin, the ability to log on to a domain controller is defined in the Default Domain Controllers Group Policy. You can view this by right-clicking on the Domain Controllers OU in Active Directory Users and Computers and selecting "Properties". Click on the "Group Policy" tab, select the policy and click "Edit". Navigate using the Group Policy Object Editor to the following branch:

Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment

In the right-hand pane, look for either "Log on locally" or "Allow Logon Locally" (it differs depending on which version of Windows you are using). Double-click on the policy and add/remove users from that list accordingly and check the box next to "Define these policy settings:" to define who will be allowed to log on locally. By default, the following accounts/groups can log on locally to domain controllers:

  1. Account Operators
  2. Administrators
  3. Backup Operators
  4. Print Operators
  5. Server Operators
  6. Corresponding Internet Users (IUSR_)

As always, rather than directly editing the Default Domain Controllers Group Policy, you should create a new group policy object with the settings you want. Also, be advised that changing the default settings can cause unexpected and potentially damaging results to your systems.
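To check what the policy actually resolves to on a domain controller, here is an added PowerShell example (not part of the original column) that exports the effective user rights with secedit, reads the "Allow log on locally" assignment (its internal name is SeInteractiveLogonRight) and flags any principal that is not in the default list above. It assumes an elevated prompt on the DC and that the export file path is writable.

```powershell
# Added example (not from the original column): audit who holds "Allow log on locally"
# on this domain controller against the defaults listed in the column.
$cfg = Join-Path $env:TEMP 'user-rights.inf'            # assumed scratch file
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# The export writes one line per right; principals appear as *SID or as plain names.
$line = Get-Content -Path $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' } | Select-Object -First 1
if (-not $line) { throw 'SeInteractiveLogonRight not found in the export' }

$members = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
    $p = $_.Trim()
    if ($p.StartsWith('*')) {
        try {
            # Resolve *S-1-5-32-544 style entries to DOMAIN\Name for readability.
            $sid = New-Object System.Security.Principal.SecurityIdentifier($p.Substring(1))
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $p }                                   # keep the raw SID if it cannot be resolved
    } else { $p }
}

# Baseline taken from the column. IUSR_ is matched by prefix because its suffix is the machine name.
$expected = 'Account Operators', 'Administrators', 'Backup Operators', 'Print Operators', 'Server Operators'
foreach ($m in $members) {
    $short = $m -replace '^[^\\]+\\', ''                 # drop BUILTIN\ or DOMAIN\ prefix
    if ($expected -contains $short -or $short -like 'IUSR_*') { "OK      $m" }
    else                                                        { "REVIEW  $m" }
}
Remove-Item -Path $cfg
```

Anything reported as REVIEW was added beyond the defaults, either in the Default Domain Controllers policy or in a GPO linked above it, and is worth tracing back to the GPO that set it.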

Granting access to resources in a multiple domain environment

Q: We have four servers with Windows Server 2003. In every server there is a domain with Exchange Server 2003. The main domain is in the CITY and every domain has the server address 192.168.1.1, 192.168.2.1, 192.168.3.1, 192.168.5.1. When one user logs into other servers or finds any resources in other servers, a message appears that they have no privileges for this resource. We revised the DNS in every server and applied Microsoft patches, but the problem persists. What can we do to resolve this?

A: One thing I'm not clear on is whether you have multiple domains. It appears that you do and I'm going to work on that assumption as it fits with what I think is likely happening.

A common misconception with Windows domains is that if trusts exist between domains, users can access any resources, anywhere. This is commonly due to an expectation that comes from a single domain environment. In a single domain environment, all users are by default a member of the Domain Users group which is in turn automatically a member of the local Users group. This allows all users to access all resources (by default) without much effort. This is not the case in a multiple domain environment however. No "automatic" group memberships occur between domains. Consequently, you have to explicitly grant access to resources for users who are members of another domain.

So, let's say you have DOMAIN1 and DOMAIN2 and you want users in DOMAIN1 to access resources on SERVER1 in DOMAIN2.

  1. You need to create a Global Security Group in DOMAIN1 and add the users that should have access to the resources on SERVER1 to it.
  2. Next, on SERVER1 create a local group that has the appropriate rights to the resources in question.
  3. Finally, make the Global Security Group from step 1 a member of the local group from step 2. Have the users log off and then log back on again and they should be able to access the resources.
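The three steps above carried out from the command line, as an added PowerShell example that is not part of the original column. It assumes a trust already exists between DOMAIN1 and DOMAIN2, that the ActiveDirectory module is available where step 1 runs, and that steps 2 and 3 run on SERVER1; the group names, OU, users and share path are assumptions. net.exe is used for the local group so the steps work on older server versions as well.

```powershell
# Added example (not from the original column): DOMAIN1 users -> global group ->
# local group on SERVER1 (DOMAIN2) -> NTFS rights. All names below are assumptions.

# Step 1 (run as a DOMAIN1 admin): global security group holding the users who need access.
New-ADGroup -Name 'Server1-Shared-RW' -GroupScope Global -GroupCategory Security `
            -Path 'OU=Groups,DC=domain1,DC=local'                       # assumed OU
Add-ADGroupMember -Identity 'Server1-Shared-RW' -Members 'jdoe', 'asmith'  # assumed users

# Step 2 (run on SERVER1): local group that carries the rights to the resource.
net localgroup 'Shared-RW' /add /comment:"Modify on D:\Shared"
$acl  = Get-Acl -Path 'D:\Shared'                                        # assumed resource
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule('SERVER1\Shared-RW', 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path 'D:\Shared' -AclObject $acl

# Step 3 (run on SERVER1): nest the DOMAIN1 global group in the local group.
# Group membership is evaluated at logon, so the users must log off and on again.
net localgroup 'Shared-RW' 'DOMAIN1\Server1-Shared-RW' /add

# Check: the local group should contain the cross-domain global group, not individual users,
# and the resource's ACL should reference only the local group.
net localgroup 'Shared-RW'
Get-Acl -Path 'D:\Shared' | Select-Object -ExpandProperty Access | Where-Object { $_.IdentityReference -like '*Shared-RW' }
```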
