Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 618
  • Last Modified:

Risks with the Interactive local account being added to the local GP in the create global objects user rights to enable enhanced functionality in the newer App space developed in house and potentially

The Server8.inf file that is imported in the SOE build process on the Citrix servers in both farms, which is the server SOE that is applied to all servers and we make adjustments based on requirements, has as a component (line 58) some adjustments to the local user account 'INTERACTIVE'
 
In particular this account is removed from the local user rights assignment, 'Create Global Objects'
 
We have found recently with some of the Oracle in house created front end applications, being they run under the user context and create named pipes to Oracle backend based on tnsnames.ora files rather than a SystemDSN that these application/s (also some .net apps) throw access exceptions and security audit outputs such as SeCreateGlobalPrivilege failures
 
By including the Interactive account on the Create Global objects, as is the case on a Desktop, we can allow applications to function correctly under a non privilege user context eg not require the Application AD group to be added to Power users locally and in some cases the Local Admins group.
 
Question is, Would there be any IT security issues with the Interactive local account being added to the local GP in the create global objects user rights to enable enhanced functionality in the newer App space developed in house and potentially remove some elevated privileges that have been applied in other cases?

If so what what would be a consequence and remedy?
 
0
susmonkey
Asked:
susmonkey
1 Solution
 
up_grayed_outCommented:
There's a previous EE thread with some good info on this.
http://www.experts-exchange.com/Security/Operating_Systems_Security/Q_23914851.html

MS basically recommends that you restrict this right to admins. That said, I've had to make the same exception in order to support Oracle. You are still in keeping with the least privelege principal, since the account actually needs this right to perform it's intended action. Simply giving the account this right, is a lot more fine-tuned then making the account an admin, so you're doing your best to mitigate any risk.

So, in summary, I'd give the account the create global objects right.
0
 
QlemoC++ DeveloperCommented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now