Solved

Risks with the Interactive local account being added to the local GP in the create global objects user rights to enable enhanced functionality in the newer App space developed in house and potentially

Posted on 2010-08-31
3
606 Views
Last Modified: 2012-05-10
The Server8.inf file that is imported in the SOE build process on the Citrix servers in both farms, which is the server SOE that is applied to all servers and we make adjustments based on requirements, has as a component (line 58) some adjustments to the local user account 'INTERACTIVE'
 
In particular this account is removed from the local user rights assignment, 'Create Global Objects'
 
We have found recently with some of the Oracle in house created front end applications, being they run under the user context and create named pipes to Oracle backend based on tnsnames.ora files rather than a SystemDSN that these application/s (also some .net apps) throw access exceptions and security audit outputs such as SeCreateGlobalPrivilege failures
 
By including the Interactive account on the Create Global objects, as is the case on a Desktop, we can allow applications to function correctly under a non privilege user context eg not require the Application AD group to be added to Power users locally and in some cases the Local Admins group.
 
Question is, Would there be any IT security issues with the Interactive local account being added to the local GP in the create global objects user rights to enable enhanced functionality in the newer App space developed in house and potentially remove some elevated privileges that have been applied in other cases?

If so what what would be a consequence and remedy?
 
0
Comment
Question by:susmonkey
3 Comments
 
LVL 6

Accepted Solution

by:
up_grayed_out earned 500 total points
ID: 33567854
There's a previous EE thread with some good info on this.
http://www.experts-exchange.com/Security/Operating_Systems_Security/Q_23914851.html

MS basically recommends that you restrict this right to admins. That said, I've had to make the same exception in order to support Oracle. You are still in keeping with the least privelege principal, since the account actually needs this right to perform it's intended action. Simply giving the account this right, is a lot more fine-tuned then making the account an admin, so you're doing your best to mitigate any risk.

So, in summary, I'd give the account the create global objects right.
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 34434153
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Synchronize a new Active Directory domain with an existing Office 365 tenant
When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

832 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question