Solved

Security hole!

Posted on 2004-08-05
5
240 Views
Last Modified: 2013-12-04

All: Something is wrong with our User Manager for NT. Domain users can log on locally to all member servers, including domain controllers. I can't figure out where they are getting this level of access. Also, under User Rights Policy in User Manager, does the "log on locally" right apply to all workstations in the domain or just the domain controllers themselves?

Please help; the previous admin made all kinds of changes to the User Manager policies and I can't figure out which ones are default and which are not.
0
Question by:SANG501
5 Comments
 
LVL 15

Expert Comment

by:Yan_west
ID: 11728841
You could reapply the policy template for domain servers on your server. It would close down the policies that were changed, and reapply the "default" server security policy for domain servers.

It's up to you :)
0
 
LVL 83

Expert Comment

by:oBdA
ID: 11729425
In NT4, domain users can by default log on locally to any member server; they shouldn't be able to log on to a DC.
The permissions you set in User Manager for Domains will only apply to the machine you're running it on (or better: where you have UMfD focused on); this is not a global domain setting of some sort.
The default "log on locally" permissions are:
for DCs: Administrators, Server Operators, Account Operators, Print Operators, Backup Operators
for member servers and workstations: Administrators, Backup Operators, Power Users, Users, Guests
0
 
LVL 1

Author Comment

by:SANG501
ID: 11729470
Thanks for the detailed response.

When I try to set the focus to my domain controllers to change the local logon policy, I get the message, "<server> is a member of domain "DOMAIN". Focus will be set to domain "DOMAIN"." How can I change the local logon policy for domain controllers?
0
 
LVL 83

Accepted Solution

by:
oBdA earned 500 total points
ID: 11729547
It's fine if you leave it focused on your domain; it will only influence your DCs then. You can use the focus change to do changes remotely on other machines.
And just in case, here are the other default permissions:

Manage auditing and security log
DC: Administrators
MS/WS: Administrators

Back up files and directories
DC: Administrators, Server Operators, Backup Operators
MS/WS: Administrators, Backup Operators

Restore files and directories
DC: Administrators, Server Operators, Backup Operators
MS/WS: Administrators, Backup Operators

Change system time
DC: Administrators, Server Operators
MS/WS: Administrators, Power Users

Access this computer from network
DC: Administrators, Everyone
MS/WS: Administrators, Power Users, Everyone

Shut down the system
DC: Administrators, Server Operators, Account Operators, Print Operators, Backup Operators
MS/WS: Administrators, Backup Operators, Power Users, Users, Guests

Add workstations and member servers to domain
DC: None (Members of the domain's Administrators and Account Operators groups can always add workstations to a domain, whether or not they have this right assigned to them. This right is needed only to enable users who are not members of these groups to add workstations to the domain. With this right, Windows NT Server does not have to check that the user is a member of the Administrators or Account Operators group.)
MS/WS: N/A

Take ownership of files and other objects
DC: Administrators
MS/WS: Administrators

Load and unload device drivers
DC: Administrators
MS/WS: Administrators

Force shutdown from a remote system
DC: Administrators, Server Operators
MS/WS: Administrators, Power Users
0
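Added example (not part of the thread or of any poster's answer): a small Python check that parses default rights written in the "Right / DC: / MS/WS:" layout used in the accepted answer and reports which groups were added to or removed from each right on a given machine. The function names are hypothetical, the defaults are copied from oBdA's lists, and `OBSERVED_DC` is constructed sample data standing in for what you read off User Manager for Domains.

```python
# Added example, not from the thread. Function names are hypothetical.
# DEFAULTS_TEXT copies two of the default lists quoted by oBdA above.
DEFAULTS_TEXT = """\
Log on locally
DC: Administrators, Server Operators, Account Operators, Print Operators, Backup Operators
MS/WS: Administrators, Backup Operators, Power Users, Users, Guests

Shut down the system
DC: Administrators, Server Operators, Account Operators, Print Operators, Backup Operators
MS/WS: Administrators, Backup Operators, Power Users, Users, Guests
"""

# Constructed sample: rights as read off a DC in User Manager for Domains.
OBSERVED_DC = {
    "Log on locally": ["administrators", "Server Operators", "Account Operators",
                       "Print Operators", "Backup Operators", "Domain Users"],
    "Shut down the system": ["Administrators", "Server Operators"],
}

def parse_defaults(text):
    """Parse 'Right / DC: ... / MS/WS: ...' stanzas into {role: {right: set}}."""
    baseline = {"DC": {}, "MS/WS": {}}
    right = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        role, sep, groups = line.partition(": ")
        if sep and role in baseline:
            if right is None:
                raise ValueError("role line before any right name: " + line)
            # 'None' and 'N/A' in the list mean that nobody holds the right.
            names = {g.strip() for g in groups.split(",")} - {"", "None", "N/A"}
            baseline[role][right] = names
        else:
            right = line  # any other non-empty line starts a new right
    return baseline

def drift(baseline, role, observed):
    """Return {right: (extra, missing)} for rights that differ from default."""
    report = {}
    for right, default in baseline[role].items():
        # Group names are compared case-insensitively.
        want = {n.casefold(): n for n in default}
        have = {n.strip().casefold(): n.strip() for n in observed.get(right, ())}
        extra = sorted(have[k] for k in have.keys() - want.keys())
        missing = sorted(want[k] for k in want.keys() - have.keys())
        if extra or missing:
            report[right] = (extra, missing)
    return report
```

Calling `drift(parse_defaults(DEFAULTS_TEXT), "DC", OBSERVED_DC)` flags "Domain Users" as an extra holder of "Log on locally" on the DC; rights present in the observed data but absent from the baseline text are not reported.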
 
LVL 1

Author Comment

by:SANG501
ID: 11729570
You're the best. Thanks!
0

Question has a verified solution.
