  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 252

Security hole!


All: Something is wrong with our User Manager for NT. Domain users can log on locally to all member servers, including domain controllers. I can't figure out where they are getting this level of access. Also, under User Rights Policy in User Manager, does the "log on locally" right apply to all workstations in the domain or just the domain controllers themselves?

Please help, the previous admin made all kinds of changes to the User Manager policies and I can't figure out which ones are default and which are not.
SANG501
Asked:
 
Yan_west Commented:
You could reapply the policy template for domain servers on your server. It would close down the policies that were changed, and reapply the "default" server security policy for domain servers.

It's up to you :)
 
oBdA Commented:
In NT4, domain users can by default log on locally to any member server; they shouldn't be able to log on to a DC.
The permissions you set in User Manager for Domains will only apply to the machine you're running it on (or better: where you have UMfD focused on); this is not a global domain setting of some sort.
The default "log on locally" permissions are:
for DCs: Administrators, Server Operators, Account Operators, Print Operators, Backup Operators
for member servers and workstations: Administrators, Backup Operators, Power Users, Users, Guests
 
SANG501 (Author) Commented:
Thanks for the detailed response.

When I try to set the focus to my domain controllers to change the local logon policy, I get the message, "<server> is a member of domain "DOMAIN". Focus will be set to domain "DOMAIN." How can I change the local logon policy for domain controllers?
 
oBdA Commented:
It's fine if you leave it focused on your domain; it will only influence your DCs then. You can use the focus change to make changes remotely on other machines.
And just in case, here are the other default permissions:

Manage auditing and security log
DC: Administrators
MS/WS: Administrators

Back up files and directories
DC: Administrators, Server Operators, Backup Operators
MS/WS: Administrators, Backup Operators

Restore files and directories
DC: Administrators, Server Operators, Backup Operators
MS/WS: Administrators, Backup Operators

Change system time
DC: Administrators, Server Operators
MS/WS: Administrators, Power Users

Access this computer from network
DC: Administrators, Everyone
MS/WS: Administrators, Power Users, Everyone

Shut down the system
DC: Administrators, Server Operators, Account Operators, Print Operators, Backup Operators
MS/WS: Administrators, Backup Operators, Power Users, Users, Guests

Add workstations and member servers to domain
DC: None (Members of the domain's Administrators and Account Operators groups can always add workstations to a domain, whether or not they have this right assigned to them. This right is needed only to enable users who are not members of these groups to add workstations to the domain. With this right, Windows NT Server does not have to check that the user is a member of the Administrators or Account Operators group.)
MS/WS: N/A

Take ownership of files and other objects
DC: Administrators
MS/WS: Administrators

Load and unload device drivers
DC: Administrators
MS/WS: Administrators

Force shutdown from a remote system
DC: Administrators, Server Operators
MS/WS: Administrators, Power Users
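As an added example (not part of the original thread): a short Python check that compares rights transcribed by hand from User Manager against the defaults oBdA lists above, and reports groups that were added or removed. The function name, the sample data, and the choice to encode only four of the listed rights are assumptions made for illustration.

```python
# Baseline copied from the defaults listed in the answer above (subset only).
# Each right maps to (default holders on a DC, default holders on MS/WS).
DEFAULTS = {
    "Log on locally": (
        {"Administrators", "Server Operators", "Account Operators",
         "Print Operators", "Backup Operators"},
        {"Administrators", "Backup Operators", "Power Users", "Users", "Guests"}),
    "Access this computer from network": (
        {"Administrators", "Everyone"},
        {"Administrators", "Power Users", "Everyone"}),
    "Change system time": (
        {"Administrators", "Server Operators"},
        {"Administrators", "Power Users"}),
    "Load and unload device drivers": ({"Administrators"}, {"Administrators"}),
}
ROLES = {"DC": 0, "MS/WS": 1}


def audit_rights(role, observed):
    """Return {right: {"extra": [...], "missing": [...]}} for each right in
    `observed` whose holders differ from the default for `role`.
    Rights not present in `observed` are skipped; names match case-insensitively.
    """
    if role not in ROLES:
        raise ValueError("role must be 'DC' or 'MS/WS'")
    findings = {}
    for right, defaults in DEFAULTS.items():
        if right not in observed:
            continue  # not transcribed, so nothing to compare
        default = {g.casefold(): g for g in defaults[ROLES[role]]}
        seen = {g.strip().casefold(): g.strip() for g in observed[right]}
        extra = sorted(seen[k] for k in seen.keys() - default.keys())
        missing = sorted(default[k] for k in default.keys() - seen.keys())
        if extra or missing:
            findings[right] = {"extra": extra, "missing": missing}
    return findings


# Constructed sample: values as they might be read off User Manager on a DC.
SAMPLE_DC = {
    "Log on locally": ["administrators", "Server Operators", "Account Operators",
                       "Print Operators", "Backup Operators", "Domain Users"],
    "Change system time": ["Administrators"],
    "Load and unload device drivers": ["Administrators"],
}

if __name__ == "__main__":
    for right, diff in audit_rights("DC", SAMPLE_DC).items():
        print(f"{right}: extra={diff['extra']} missing={diff['missing']}")
```

An "extra" entry on a DC's "Log on locally" right is the kind of change the question describes; a "missing" entry shows a default holder that a previous administrator removed.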
 
SANG501 (Author) Commented:
You're the best. Thanks!