Solved

Security hole!

Posted on 2004-08-05
246 Views
Last Modified: 2013-12-04

All: Something is wrong with our User Manager for NT. Domain users can log on locally to all member servers, including domain controllers. I can't figure out where they are getting this level of access. Also, under User Rights Policy in User Manager, does the "log on locally" right apply to all workstations in the domain or just to the domain controllers themselves?

Please help; the previous admin made all kinds of changes to the User Manager policies and I can't figure out which ones are default and which are not.
0
Question by:SANG501
5 Comments
 
LVL 15

Expert Comment

by:Yan_west
ID: 11728841
You could reapply the policy template for domain servers on your server. It would close down the policies that were changed and reapply the "default" server security policy for domain servers.

It's up to you :)
0
 
LVL 84

Expert Comment

by:oBdA
ID: 11729425
In NT4, domain users can by default log on locally to any member server; they shouldn't be able to log on to a DC.
The permissions you set in User Manager for Domains will only apply to the machine you're running it on (or better: the machine you have UMfD focused on); this is not a global domain setting of some sort.
The default "log on locally" permissions are:
for DCs: Administrators, Server Operators, Account Operators, Print Operators, Backup Operators
for member servers and workstations: Administrators, Backup Operators, Power Users, Users, Guests
0
 
LVL 1

Author Comment

by:SANG501
ID: 11729470
Thanks for the detailed response.

When I try to set the focus to my domain controllers to change the local logon policy, I get the message "<server> is a member of domain "DOMAIN". Focus will be set to domain "DOMAIN"." How can I change the local logon policy for domain controllers?
0
 
LVL 84

Accepted Solution

by: oBdA (earned 500 total points)
ID: 11729547
It's fine if you leave it focused on your domain; it will then only influence your DCs. You can use the focus change to make changes remotely on other machines.
And just in case, here are the other default permissions:

Manage auditing and security log
DC: Administrators
MS/WS: Administrators

Back up files and directories
DC: Administrators, Server Operators, Backup Operators
MS/WS: Administrators, Backup Operators

Restore files and directories
DC: Administrators, Server Operators, Backup Operators
MS/WS: Administrators, Backup Operators

Change system time
DC: Administrators, Server Operators
MS/WS: Administrators, Power Users

Access this computer from network
DC: Administrators, Everyone
MS/WS: Administrators, Power Users, Everyone

Shut down the system
DC: Administrators, Server Operators, Account Operators, Print Operators, Backup Operators
MS/WS: Administrators, Backup Operators, Power Users, Users, Guests

Add workstations and member servers to domain
DC: None (Members of the domain's Administrators and Account Operators groups can always add workstations to a domain, whether or not they have this right assigned to them. This right is needed only to enable users who are not members of these groups to add workstations to the domain. With this right, Windows NT Server does not have to check that the user is a member of the Administrators or Account Operators group.)
MS/WS: N/A

Take ownership of files and other objects
DC: Administrators
MS/WS: Administrators

Load and unload device drivers
DC: Administrators
MS/WS: Administrators

Force shutdown from a remote system
DC: Administrators, Server Operators
MS/WS: Administrators, Power Users
0
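The defaults oBdA lists above can be turned into an audit check. This is an added example, not code from the thread: it parses the [Privilege Rights] section of a security template in the format written by `secedit /export /cfg` (secedit.exe ships with Windows 2000 and later, so it is an assumption here; on NT4 itself the assignments would have to be transcribed from User Manager) and reports every principal granted a right beyond the default for the machine's role. The builtin SIDs are the well-known ones; the Domain Users SID and the sample export are constructed.

```python
# Well-known SIDs as they appear (with a leading '*') in a secedit.exe
# "[Privilege Rights]" export. Domain Users carries a per-domain SID; the
# one below is a constructed placeholder.
SIDS = {
    "*S-1-5-32-544": "Administrators", "*S-1-5-32-545": "Users",
    "*S-1-5-32-546": "Guests", "*S-1-5-32-547": "Power Users",
    "*S-1-5-32-548": "Account Operators", "*S-1-5-32-549": "Server Operators",
    "*S-1-5-32-550": "Print Operators", "*S-1-5-32-551": "Backup Operators",
    "*S-1-1-0": "Everyone", "*S-1-5-21-1111-2222-3333-513": "Domain Users",
}
OPERATORS = {"Server Operators", "Account Operators", "Print Operators", "Backup Operators"}
# privilege constant -> (User Manager name, DC default, member-server default),
# defaults exactly as listed in the accepted answer above.
DEFAULTS = {
    "SeInteractiveLogonRight": ("Log on locally", {"Administrators"} | OPERATORS,
        {"Administrators", "Backup Operators", "Power Users", "Users", "Guests"}),
    "SeNetworkLogonRight": ("Access this computer from network",
        {"Administrators", "Everyone"}, {"Administrators", "Power Users", "Everyone"}),
}
# Constructed sample: a DC whose "Log on locally" right also lists Domain Users.
SAMPLE_EXPORT = """[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-548,*S-1-5-32-550,*S-1-5-32-551,*S-1-5-21-1111-2222-3333-513
SeNetworkLogonRight = *S-1-5-32-544,*S-1-1-0
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(text):
    # Returns {privilege constant: set of principal names} from [Privilege Rights].
    rights, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = (line == "[Privilege Rights]")
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            members = [m.strip() for m in value.split(",") if m.strip()]
            rights[name.strip()] = {SIDS.get(m, m) for m in members}
    return rights

def audit(text, is_dc):
    # Lists (right name, extra principals) where the assignment exceeds the
    # NT4 default for the machine role; rights absent from the export are skipped.
    rights, findings = parse_privilege_rights(text), []
    for priv, (label, dc_default, ms_default) in DEFAULTS.items():
        if priv in rights:
            extra = rights[priv] - (dc_default if is_dc else ms_default)
            if extra:
                findings.append((label, sorted(extra)))
    return findings

if __name__ == "__main__":
    for label, extra in audit(SAMPLE_EXPORT, is_dc=True):
        print(f"{label}: granted beyond the DC default to {', '.join(extra)}")
```

A real export written by secedit is UTF-16 encoded, so read it with `open(path, encoding="utf-16")` before passing the text to `audit`.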
 
LVL 1

Author Comment

by:SANG501
ID: 11729570
You're the best. Thanks!
0