Risks with allowing users 'Create Global Objects' right in Local Policy

Posted on 2008-11-18
Last Modified: 2013-12-04
Hi Experts,

I have been having an issue with users accessing an Oracle-based application within a Citrix environment.  After much research, I discovered that if I go to the Local Security Settings>User Rights Assignment>Create global objects policy and add those users to that right, the application launches properly and is able to establish a db connection.  My question is, what are the ramifications or risks with providing non-admin users this access?  Am I opening up my Citrix servers to abuse by giving too much power to these users?  I have done some research and cannot find any real substantial case for or against allowing this right other than "only give the right to trusted users".  Any insight would be greatly appreciated.
Question by:jamesdow

Accepted Solution

by: CoccoBill
ID: 23075757
From the Threats And Countermeasures guide:

"Create global objects

This policy setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right.

The possible values for the Create global objects setting are:
- A user-defined list of accounts
- Not Defined

Vulnerability

Users who can create global objects could affect processes that run under other users' sessions. This capability could lead to a variety of problems, such as application failure or data corruption.

Countermeasure

Restrict the Create global objects user right to members of the local Administrators and Service groups.

Potential Impact

None. This is the default configuration."

http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch04n.mspx
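
To check a server against the countermeasure quoted above, the following added example (not part of the original answer or of the Microsoft guide) parses a `secedit` user-rights export and flags every holder of Create global objects (`SeCreateGlobalPrivilege`) outside a baseline. The baseline SIDs, the function name `Get-CreateGlobalHolders` and the sample export line are assumptions made for illustration.

```powershell
# Added example: list accounts holding "Create global objects" (SeCreateGlobalPrivilege)
# and flag any outside a baseline. Baseline is an assumption: the guide's
# "Administrators and Service" plus LOCAL SERVICE / NETWORK SERVICE from default installs.
$Baseline = @{
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-6'      = 'NT AUTHORITY\SERVICE'
    'S-1-5-19'     = 'NT AUTHORITY\LOCAL SERVICE'
    'S-1-5-20'     = 'NT AUTHORITY\NETWORK SERVICE'
}

function Get-CreateGlobalHolders {
    param([Parameter(Mandatory)][string[]]$InfLines)
    # secedit writes one line per right: SeXxxPrivilege = *SID,*SID,AccountName
    $line = $InfLines |
        Where-Object { $_ -match '^\s*SeCreateGlobalPrivilege\s*=' } |
        Select-Object -First 1
    if (-not $line) { return }   # right is "Not Defined" in this export
    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $id = $entry.Trim().TrimStart('*')   # SIDs are prefixed with '*', names are not
        if (-not $id) { continue }
        $name = $Baseline[$id]
        if (-not $name -and $id -like 'S-1-*') {
            try {
                $sid  = [Security.Principal.SecurityIdentifier]$id
                $name = $sid.Translate([Security.Principal.NTAccount]).Value
            } catch { $name = '(unresolved SID)' }
        }
        if (-not $name) { $name = $id }
        [pscustomobject]@{
            Identity   = $id
            Name       = $name
            InBaseline = $Baseline.ContainsKey($id)
        }
    }
}

# Constructed sample export; the last SID stands in for a user added by hand.
$sample = @(
    '[Privilege Rights]'
    'SeCreateGlobalPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6,*S-1-5-21-1111111111-2222222222-3333333333-1105'
)
Get-CreateGlobalHolders -InfLines $sample | Where-Object { -not $_.InBaseline }

# On a live server (elevated prompt), feed the real export instead:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS | Out-Null
#   Get-CreateGlobalHolders -InfLines (Get-Content "$env:TEMP\rights.inf")
```

Running the same check on each Citrix server after a policy change shows which servers have drifted from the restricted assignment.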