Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Risks with the Interactive local account being added to the local GP in the create global objects user rights to enable enhanced functionality in the newer App space developed in house and potentially

Posted on 2010-08-31
3
Medium Priority
?
615 Views
Last Modified: 2012-05-10
The Server8.inf file that is imported in the SOE build process on the Citrix servers in both farms, which is the server SOE that is applied to all servers and we make adjustments based on requirements, has as a component (line 58) some adjustments to the local user account 'INTERACTIVE'
 
In particular this account is removed from the local user rights assignment, 'Create Global Objects'
 
We have found recently with some of the Oracle in house created front end applications, being they run under the user context and create named pipes to Oracle backend based on tnsnames.ora files rather than a SystemDSN that these application/s (also some .net apps) throw access exceptions and security audit outputs such as SeCreateGlobalPrivilege failures
 
By including the Interactive account on the Create Global objects, as is the case on a Desktop, we can allow applications to function correctly under a non privilege user context eg not require the Application AD group to be added to Power users locally and in some cases the Local Admins group.
 
Question is, Would there be any IT security issues with the Interactive local account being added to the local GP in the create global objects user rights to enable enhanced functionality in the newer App space developed in house and potentially remove some elevated privileges that have been applied in other cases?

If so what what would be a consequence and remedy?
 
0
Comment
Question by:susmonkey
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 6

Accepted Solution

by:
up_grayed_out earned 2000 total points
ID: 33567854
There's a previous EE thread with some good info on this.
http://www.experts-exchange.com/Security/Operating_Systems_Security/Q_23914851.html

MS basically recommends that you restrict this right to admins. That said, I've had to make the same exception in order to support Oracle. You are still in keeping with the least privelege principal, since the account actually needs this right to perform it's intended action. Simply giving the account this right, is a lot more fine-tuned then making the account an admin, so you're doing your best to mitigate any risk.

So, in summary, I'd give the account the create global objects right.
0
 
LVL 71

Expert Comment

by:Qlemo
ID: 34434153
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0

Featured Post

Simplify Your Workload with One Tool

How do you combat today’s intelligent hacker while managing multiple domains and platforms? By simplifying your workload with one tool. With Lunarpages hosting through Plesk Onyx, you can:

Automate SSL generation and installation with two clicks
Experience total server control

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
Tech spooks aren't just for those who are tech savvy, it also happens to those of us running a business. Check out the top tech spooks for business owners.
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
Suggested Courses

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question