Solved

Risks with the Interactive local account being added to the local GP in the create global objects user rights to enable enhanced functionality in the newer App space developed in house and potentially

Posted on 2010-08-31
3
604 Views
Last Modified: 2012-05-10
The Server8.inf file that is imported in the SOE build process on the Citrix servers in both farms, which is the server SOE that is applied to all servers and we make adjustments based on requirements, has as a component (line 58) some adjustments to the local user account 'INTERACTIVE'
 
In particular this account is removed from the local user rights assignment, 'Create Global Objects'
 
We have found recently with some of the Oracle in house created front end applications, being they run under the user context and create named pipes to Oracle backend based on tnsnames.ora files rather than a SystemDSN that these application/s (also some .net apps) throw access exceptions and security audit outputs such as SeCreateGlobalPrivilege failures
 
By including the Interactive account on the Create Global objects, as is the case on a Desktop, we can allow applications to function correctly under a non privilege user context eg not require the Application AD group to be added to Power users locally and in some cases the Local Admins group.
 
Question is, Would there be any IT security issues with the Interactive local account being added to the local GP in the create global objects user rights to enable enhanced functionality in the newer App space developed in house and potentially remove some elevated privileges that have been applied in other cases?

If so what what would be a consequence and remedy?
 
0
Comment
Question by:susmonkey
3 Comments
 
LVL 6

Accepted Solution

by:
up_grayed_out earned 500 total points
ID: 33567854
There's a previous EE thread with some good info on this.
http://www.experts-exchange.com/Security/Operating_Systems_Security/Q_23914851.html

MS basically recommends that you restrict this right to admins. That said, I've had to make the same exception in order to support Oracle. You are still in keeping with the least privelege principal, since the account actually needs this right to perform it's intended action. Simply giving the account this right, is a lot more fine-tuned then making the account an admin, so you're doing your best to mitigate any risk.

So, in summary, I'd give the account the create global objects right.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 34434153
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
small, multi network, problem 3 38
SolarWind and DNS Server 12 41
ADMT DNS registration issues 4 24
Server Room Hardware 5 50
Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now