Solved

Security hole!

Posted on 2004-08-05
Last Modified: 2013-12-04

All: Something is wrong with our User Manager for NT. Domain users can log on locally to all member servers, including domain controllers. I can't figure out where they are getting this level of access. Also, under User Rights Policy in User Manager, does the "Log on locally" right apply to all workstations in the domain or just to the domain controllers themselves?

Please help; the previous admin made all kinds of changes to the User Manager policies and I can't figure out which ones are default and which are not.
Question by:SANG501
 
Expert Comment
by:Yan_west
You could reapply the policy template for domain servers on your server. It would close down the policies that were changed and reapply the "default" server security policy for domain servers.

It's up to you :)
 
Expert Comment
by:oBdA
In NT4, domain users can by default log on locally to any member server; they shouldn't be able to log on to a DC.
The permissions you set in User Manager for Domains will only apply to the machine you're running it on (or better: where you have UMfD focused on); this is not a global domain setting of some sort.
The default "Log on locally" permissions are:
for DCs: Administrators, Server Operators, Account Operators, Print Operators, Backup Operators
for member servers and workstations: Administrators, Backup Operators, Power Users, Users, Guests
 
Author Comment
by:SANG501
Thanks for the detailed response.

When I try to set the focus to my domain controllers to change the local logon policy, I get the message "<server> is a member of domain "DOMAIN". Focus will be set to domain "DOMAIN"." How can I change the local logon policy for domain controllers?
 
Accepted Solution
by: oBdA earned 500 total points
It's fine if you leave it focused on your domain; it will only influence your DCs then. You can use the focus change to do changes remotely on other machines.
And just in case, here are the other default permissions:

Manage auditing and security log
DC: Administrators
MS/WS: Administrators

Back up files and directories
DC: Administrators, Server Operators, Backup Operators
MS/WS: Administrators, Backup Operators

Restore files and directories
DC: Administrators, Server Operators, Backup Operators
MS/WS: Administrators, Backup Operators

Change system time
DC: Administrators, Server Operators
MS/WS: Administrators, Power Users

Access this computer from network
DC: Administrators, Everyone
MS/WS: Administrators, Power Users, Everyone

Shut down the system
DC: Administrators, Server Operators, Account Operators, Print Operators, Backup Operators
MS/WS: Administrators, Backup Operators, Power Users, Users, Guests

Add workstations and member servers to domain
DC: None (Members of the domain's Administrators and Account Operators groups can always add workstations to a domain, whether or not they have this right assigned to them. This right is needed only to enable users who are not members of these groups to add workstations to the domain. With this right, Windows NT Server does not have to check that the user is a member of the Administrators or Account Operators group.)
MS/WS: N/A

Take ownership of files and other objects
DC: Administrators
MS/WS: Administrators

Load and unload device drivers
DC: Administrators
MS/WS: Administrators

Force shutdown from a remote system
DC: Administrators, Server Operators
MS/WS: Administrators, Power Users
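The two oBdA posts above list the NT4 default user rights for domain controllers versus member servers and workstations, and the asker's actual problem is working out which assignments the previous admin changed. The script below is an added example, not code from the original thread: it exports the host's current user-rights assignments with secedit.exe (a later tool; NT4's User Manager has no scriptable equivalent) and diffs them against the defaults quoted in those two posts. It assumes a current Windows host, PowerShell 3.0 or later and an elevated prompt. The privilege constants and the Win32_ComputerSystem DomainRole test are standard Windows; the variable names and output layout are my own.

```powershell
# Compare this host's user-rights assignments with the NT4 defaults quoted in the
# thread. Added example, not from the original posts. Assumes a Windows host with
# secedit.exe, PowerShell 3.0+, and an elevated prompt.
$ErrorActionPreference = 'Stop'

# Defaults as listed by oBdA, keyed by the constant secedit.exe writes.
# DC = domain controller, MS = member server or workstation, $null = not applicable.
$Defaults = @{
    SeInteractiveLogonRight = @{                 # Log on locally
        DC = 'Administrators', 'Server Operators', 'Account Operators', 'Print Operators', 'Backup Operators'
        MS = 'Administrators', 'Backup Operators', 'Power Users', 'Users', 'Guests'
    }
    SeSecurityPrivilege = @{                     # Manage auditing and security log
        DC = 'Administrators'; MS = 'Administrators'
    }
    SeBackupPrivilege = @{                       # Back up files and directories
        DC = 'Administrators', 'Server Operators', 'Backup Operators'
        MS = 'Administrators', 'Backup Operators'
    }
    SeRestorePrivilege = @{                      # Restore files and directories
        DC = 'Administrators', 'Server Operators', 'Backup Operators'
        MS = 'Administrators', 'Backup Operators'
    }
    SeSystemtimePrivilege = @{                   # Change system time
        DC = 'Administrators', 'Server Operators'
        MS = 'Administrators', 'Power Users'
    }
    SeNetworkLogonRight = @{                     # Access this computer from network
        DC = 'Administrators', 'Everyone'
        MS = 'Administrators', 'Power Users', 'Everyone'
    }
    SeShutdownPrivilege = @{                     # Shut down the system
        DC = 'Administrators', 'Server Operators', 'Account Operators', 'Print Operators', 'Backup Operators'
        MS = 'Administrators', 'Backup Operators', 'Power Users', 'Users', 'Guests'
    }
    SeMachineAccountPrivilege = @{               # Add workstations and member servers to domain
        DC = @(); MS = $null
    }
    SeTakeOwnershipPrivilege = @{                # Take ownership of files and other objects
        DC = 'Administrators'; MS = 'Administrators'
    }
    SeLoadDriverPrivilege = @{                   # Load and unload device drivers
        DC = 'Administrators'; MS = 'Administrators'
    }
    SeRemoteShutdownPrivilege = @{               # Force shutdown from a remote system
        DC = 'Administrators', 'Server Operators'
        MS = 'Administrators', 'Power Users'
    }
}

# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC; anything lower is MS.
$role = if ((Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4) { 'DC' } else { 'MS' }

# Export only the user-rights area to a temporary INF file.
$inf = Join-Path $env:TEMP ('rights-{0}.inf' -f [guid]::NewGuid())
& secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
if (-not (Test-Path -Path $inf)) { throw 'secedit export failed (is this an elevated prompt?)' }

# secedit writes UTF-16 and lists rights as "SeXxx = *S-1-5-32-544,*S-1-5-32-551".
$actual = @{}
$inPrivileges = $false
foreach ($line in Get-Content -Path $inf -Encoding Unicode) {
    if ($line -match '^\[(.+)\]\s*$') { $inPrivileges = ($Matches[1] -eq 'Privilege Rights'); continue }
    if (-not $inPrivileges) { continue }
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $priv   = $Matches[1]
        $tokens = $Matches[2] -split ','
        $actual[$priv] = @(foreach ($token in $tokens) {
            $token = $token.Trim()
            if ($token.StartsWith('*')) {
                # Resolve "*SID" to an account name; keep the raw SID if it no longer maps to one.
                $sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $token.TrimStart('*')
                try { $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1] }
                catch { $sid.Value }
            } else { $token }
        })
    }
}
Remove-Item -Path $inf -Force

# Report every right whose holders differ from the NT4 default for this role.
$findings = foreach ($priv in ($Defaults.Keys | Sort-Object)) {
    $expected = $Defaults[$priv][$role]
    if ($null -eq $expected) { continue }                       # right not applicable to this role
    $expected = @($expected)
    $current  = if ($actual.ContainsKey($priv)) { @($actual[$priv]) } else { @() }
    $extra    = @($current  | Where-Object { $_ -notin $expected })
    $missing  = @($expected | Where-Object { $_ -notin $current })
    if ($extra.Count -or $missing.Count) {
        [pscustomobject]@{ Right = $priv; Role = $role; Extra = ($extra -join ', '); Missing = ($missing -join ', ') }
    }
}
if ($findings) { $findings | Format-Table -AutoSize } else { "All audited rights match the NT4 $role defaults." }
```

On a DC the line to look for is SeInteractiveLogonRight with Users or Domain Users in the Extra column; that is exactly the symptom in the question. Two caveats: secedit exports the effective local policy, so on a domain member the result already includes whatever Group Policy pushed down, and the baseline is the NT4 list from this thread rather than the defaults of current Windows versions (which differ in places; for example, Authenticated Users holds "Add workstations to domain" on DCs by default since Windows 2000). Treat differences as a review list, not as proof of tampering.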
 
Author Comment
by:SANG501
You're the best. Thanks!