Solved

Security hole!

Posted on 2004-08-05
235 Views
Last Modified: 2013-12-04

All: Something is wrong with our User Manager for NT. Domain users can log on locally to all member servers, including domain controllers. I can't figure out where they are getting this level of access. Also, under User Rights Policy in User Manager, does the "log on locally" right apply to all workstations in the domain or just the domain controllers themselves?

Please help, the previous admin made all kinds of changes to the User Manager policies and I can't figure out which ones are default and which are not.
Question by:SANG501
5 Comments
 
LVL 15

Expert Comment

by:Yan_west
ID: 11728841
You could reapply the policy template for domain servers on your server. It would close down the policies that were changed and reapply the "default" server security policy for domain servers.

It's up to you :)
 
LVL 83

Expert Comment

by:oBdA
ID: 11729425
In NT4, domain users can by default log on locally to any member server; they shouldn't be able to log on to a DC.
The permissions you set in User Manager for Domains will only apply to the machine you're running it on (or better: where you have UMfD focused on); this is not a global domain setting of some sort.
The default "log on locally" permissions are
for DCs: Administrators, Server Operators, Account Operators, Print Operators, Backup Operators
for member servers and workstations: Administrators, Backup Operators, Power Users, Users, Guests
 
LVL 1

Author Comment

by:SANG501
ID: 11729470
Thanks for the detailed response.

When I try to set the focus to my domain controllers to change the local logon policy, I get the message, "<server> is a member of domain "DOMAIN". Focus will be set to domain "DOMAIN"." How can I change the local logon policy for domain controllers?
 
LVL 83

Accepted Solution

by: oBdA (earned 500 total points)
ID: 11729547
It's fine if you leave it focused on your domain; it will only influence your DCs then. You can use the focus change to do changes remotely on other machines.
And just in case, here are the other default permissions:

Manage auditing and security log
DC: Administrators
MS/WS: Administrators

Back up files and directories
DC: Administrators, Server Operators, Backup Operators
MS/WS: Administrators, Backup Operators

Restore files and directories
DC: Administrators, Server Operators, Backup Operators
MS/WS: Administrators, Backup Operators

Change system time
DC: Administrators, Server Operators
MS/WS: Administrators, Power Users

Access this computer from network
DC: Administrators, Everyone
MS/WS: Administrators, Power Users, Everyone

Shut down the system
DC: Administrators, Server Operators, Account Operators, Print Operators, Backup Operators
MS/WS: Administrators, Backup Operators, Power Users, Users, Guests

Add workstations and member servers to domain
DC: None (Members of the domain's Administrators and Account Operators groups can always add workstations to a domain, whether or not they have this right assigned to them. This right is needed only to enable users who are not members of these groups to add workstations to the domain. With this right, Windows NT Server does not have to check that the user is a member of the Administrators or Account Operators group.)
MS/WS: N/A

Take ownership of files and other objects
DC: Administrators
MS/WS: Administrators

Load and unload device drivers
DC: Administrators
MS/WS: Administrators

Force shutdown from a remote system
DC: Administrators, Server Operators
MS/WS: Administrators, Power Users
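The two lists above (the "log on locally" defaults in the earlier comment and the full table in this answer) are the baseline a practitioner would want to diff a drifted server against, which is exactly the asker's problem: a previous admin changed things and nobody knows which rights are still default. The following is an added example, not code from the thread or from Microsoft. It assumes the input is the `[Privilege Rights]` section of a security template as written by `secedit /export /cfg <file>` on Windows 2000 and later (NT4 itself has no such export unless the Security Configuration Manager from SP4 is installed), where each right is listed as `SePrivilegeName = *SID,*SID,...`. The privilege constants, the built-in group SIDs and the Domain Users RID are the real well-known values; the sample export, including the domain SID `S-1-5-21-1000-2000-3000`, is constructed for the example.

```python
"""Audit a secedit-style [Privilege Rights] export against the NT4 default
user-rights assignments quoted in the thread (example code, not from the post)."""

# Well-known SIDs of the built-in groups named in the thread.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-546": "Guests",
    "S-1-5-32-547": "Power Users",
    "S-1-5-32-548": "Account Operators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-550": "Print Operators",
    "S-1-5-32-551": "Backup Operators",
}
# Domain-relative RIDs that are the same in every domain (suffix of S-1-5-21-<domain>-RID).
DOMAIN_RIDS = {"512": "Domain Admins", "513": "Domain Users"}

# Privilege constant -> User Manager display name used in the thread.
RIGHT_NAMES = {
    "SeInteractiveLogonRight": "Log on locally",
    "SeNetworkLogonRight": "Access this computer from network",
    "SeShutdownPrivilege": "Shut down the system",
    "SeRemoteShutdownPrivilege": "Force shutdown from a remote system",
    "SeBackupPrivilege": "Back up files and directories",
    "SeRestorePrivilege": "Restore files and directories",
    "SeSystemtimePrivilege": "Change system time",
    "SeTakeOwnershipPrivilege": "Take ownership of files and other objects",
    "SeLoadDriverPrivilege": "Load and unload device drivers",
    "SeSecurityPrivilege": "Manage auditing and security log",
}

# Defaults exactly as oBdA lists them, per machine role.
ADMIN = {"Administrators"}
DC_OPS = {"Administrators", "Server Operators", "Account Operators", "Print Operators", "Backup Operators"}
MS_ALL = {"Administrators", "Backup Operators", "Power Users", "Users", "Guests"}
DEFAULTS = {
    "dc": {
        "SeInteractiveLogonRight": DC_OPS, "SeShutdownPrivilege": DC_OPS,
        "SeNetworkLogonRight": {"Administrators", "Everyone"},
        "SeRemoteShutdownPrivilege": {"Administrators", "Server Operators"},
        "SeSystemtimePrivilege": {"Administrators", "Server Operators"},
        "SeBackupPrivilege": {"Administrators", "Server Operators", "Backup Operators"},
        "SeRestorePrivilege": {"Administrators", "Server Operators", "Backup Operators"},
        "SeTakeOwnershipPrivilege": ADMIN, "SeLoadDriverPrivilege": ADMIN, "SeSecurityPrivilege": ADMIN,
    },
    "member": {
        "SeInteractiveLogonRight": MS_ALL, "SeShutdownPrivilege": MS_ALL,
        "SeNetworkLogonRight": {"Administrators", "Power Users", "Everyone"},
        "SeRemoteShutdownPrivilege": {"Administrators", "Power Users"},
        "SeSystemtimePrivilege": {"Administrators", "Power Users"},
        "SeBackupPrivilege": {"Administrators", "Backup Operators"},
        "SeRestorePrivilege": {"Administrators", "Backup Operators"},
        "SeTakeOwnershipPrivilege": ADMIN, "SeLoadDriverPrivilege": ADMIN, "SeSecurityPrivilege": ADMIN,
    },
}


def resolve_sid(sid):
    """Map a SID to a group name; unknown SIDs are returned raw so they still show as extras."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    if sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[-1] in DOMAIN_RIDS:
        return DOMAIN_RIDS[sid.rsplit("-", 1)[-1]]
    return sid


def parse_privilege_rights(template_text):
    """Return {privilege: set of holder names} from the [Privilege Rights] section only."""
    rights, in_section = {}, False
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):                       # section header switches context
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            tokens = [t.strip().lstrip("*") for t in value.split(",")]   # secedit prefixes SIDs with '*'
            rights[name.strip()] = {resolve_sid(t) for t in tokens if t}
    return rights


def audit(template_text, role):
    """Diff an export against DEFAULTS[role]; returns {right: (extra_holders, missing_holders)}."""
    actual, findings = parse_privilege_rights(template_text), {}
    for right, expected in DEFAULTS[role].items():
        holders = actual.get(right, set())
        extra, missing = holders - expected, expected - holders
        if extra or missing:
            findings[right] = (extra, missing)
    return findings


def report(findings):
    """Render findings as one line per drifted right, using the User Manager names."""
    lines = []
    for right, (extra, missing) in sorted(findings.items()):
        lines.append(f"{RIGHT_NAMES.get(right, right)}: extra={sorted(extra)} missing={sorted(missing)}")
    return lines


# Constructed sample: a DC export whose only deviation is Domain Users (RID 513) on "Log on locally".
SAMPLE_DC_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-548,*S-1-5-32-550,*S-1-5-32-551,*S-1-5-21-1000-2000-3000-513
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-548,*S-1-5-32-550,*S-1-5-32-551
SeRemoteShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-549
SeSystemtimePrivilege = *S-1-5-32-544,*S-1-5-32-549
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeLoadDriverPrivilege = *S-1-5-32-544
SeSecurityPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""

if __name__ == "__main__":
    for line in report(audit(SAMPLE_DC_EXPORT, "dc")):
        print(line)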
 
LVL 1

Author Comment

by:SANG501
ID: 11729570
You're the best. Thanks!
