Solved

data security - full control permission in ADUC properties

Posted on 2011-09-26
Medium Priority
393 Views
Last Modified: 2012-06-27
In AD Users and Computers - what risks do users having full control over the device pose?

Does that mean they can access all data on that device, or for that do we still refer to share/directory ACLs and can ignore the permission shown if we right-click the computer's properties > Security tab?
Question by: pma111
20 Comments
Accepted Solution by Krzysztof Pytko (LVL 39, earned 1400 total points), ID: 36598894
Nope. This means that they can do everything with that object in ADUC (move, delete, reset its password, for groups add/remove members), but there is no physical access to the device at all! :) The only exception is for users who are Domain Admins/Enterprise Admins members :) they also have full access to devices

Regards,
Krzysztof
Author Comment by pma111 (LVL 3), ID: 36598912
So technically if they have "full control" set via the properties in security in ADUC - they can access anything on that server, including all/any data?
Author Comment by pma111 (LVL 3), ID: 36598928
Surely MBSA should include that as a check in its product - users with full control over a device.
Author Comment by pma111 (LVL 3), ID: 36598931
And can they only reset the password if they know the current password?
Author Comment by pma111 (LVL 3), ID: 36598938
And how do you mean:

"but there is no physical access to the device, at all! :) "

?? Can you clarify?

Thanks iSiek
Expert Comment by Krzysztof Pytko (LVL 39), ID: 36599030
So :)

Full Control means that the object in an OU can be moved to another OU or deleted from the domain, but a user with that permission cannot log on to the device with full control. By default regular users can log on to any PC (if you didn't restrict that) and have access to any folder where Users, Everyone or Domain Users have been granted at least Read & Execute permissions.

When you delegate users the ability to reset and unlock accounts, they don't need to know the current password. They can change it via the ADUC console and unlock the account or disable/enable it.

Full Control to an object is not equal to Full Rights on a device (server/computer).

Krzysztof
Expert Comment by Mike Kline (LVL 57), ID: 36599033
Are you talking about just giving a normal user access to ADUC?

Thanks

Mike
Author Comment by pma111 (LVL 3), ID: 36599067
Mike - no, I just wondered when you right-click a server/computer in ADUC and go to the Security tab of its properties - what exactly these permissions are and, if some were granted to the Everyone group or another group, what risk they pose
Author Comment by pma111 (LVL 3), ID: 36599077
>>Full Control to an object is not equal to Full Rights on a device (server/computer).


But then if they could change the admin password, have they not just given themselves full rights to the device?

Expert Comment by Mike Kline (LVL 57), ID: 36599097
Ok then Krzysztof gave a good answer about move/delete/

Thanks

Mike
Author Comment by pma111 (LVL 3), ID: 36599113
In terms of security though, and security of the data on that device - are we saying that reviewing the permissions listed in ADUC on the Security tab of its properties isn't really included in security audits on member servers?
Assisted Solution by Mike Kline (LVL 57, earned 600 total points), ID: 36599126
Correct you would have to look/dump the ACLs in AD to see who has rights there.  It is one of the places I think AD can still improve.  (rights/role reporting).  

Thanks

Mike
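As an added example (not code from the thread or from either expert), here is one way to do the dump Mike describes, using the ActiveDirectory RSAT module's AD: drive. It lists the two different DACLs the question conflates for one member server: the computer object's ACL in AD, which is what the ADUC Security tab shows and where "Full Control" appears as the GenericAll right, and the NTFS ACL on a share hosted on that server, which is what actually gates access to the data. The server name, share path, domain name and the list of "expected privileged principals" are assumptions to adjust for your environment.

```powershell
# Added example, not from the thread: dump the two separate DACLs the question
# asks about for one member server. Server, share, domain and the "expected
# privileged principals" list below are assumptions; adjust to your environment.
Import-Module ActiveDirectory    # RSAT module; also provides the AD: drive

$computerName = 'FS01'                      # assumed member server
$sharePath    = '\\FS01\Data'               # assumed share hosted on it
$privileged   = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                  'CONTOSO\Domain Admins', 'CONTOSO\Enterprise Admins')   # assumed domain CONTOSO

# Resolve control-access-right GUIDs (e.g. "Reset Password") to display names
# from the Extended-Rights container, so object-specific ACEs are readable.
$rootDse   = Get-ADRootDSE
$rightsMap = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)" `
             -LDAPFilter '(objectClass=controlAccessRight)' `
             -Properties rightsGuid, displayName |
    ForEach-Object { $rightsMap[[guid]$_.rightsGuid] = $_.displayName }

# 1. DACL on the computer *object* in AD: this is what the ADUC Security tab shows.
#    ADUC's "Full Control" is the GenericAll right.
$computer = Get-ADComputer -Identity $computerName
$adAcl    = Get-Acl -Path ("AD:\" + $computer.DistinguishedName)

$adFindings = $adAcl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $privileged -notcontains $_.IdentityReference.Value -and
        $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|Delete|ExtendedRight'
    } |
    Select-Object @{ n = 'Principal'; e = { $_.IdentityReference.Value } },
                  @{ n = 'Rights';    e = { $_.ActiveDirectoryRights } },
                  @{ n = 'AppliesTo'; e = {
                        if ($_.ObjectType -eq [guid]::Empty) { '(whole object)' }
                        elseif ($rightsMap.ContainsKey($_.ObjectType)) { $rightsMap[$_.ObjectType] }
                        else { $_.ObjectType } } },
                  IsInherited

# 2. DACL on the data *on* the server: NTFS permissions, which is what actually
#    decides who can open the files, independent of the AD object ACL above.
$ntfsAcl = Get-Acl -Path $sharePath
$ntfsFindings = $ntfsAcl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $privileged -notcontains $_.IdentityReference.Value
    } |
    Select-Object @{ n = 'Principal'; e = { $_.IdentityReference.Value } },
                  @{ n = 'Rights';    e = { $_.FileSystemRights } },
                  IsInherited

"== AD object DACL for $($computer.DistinguishedName): non-admin principals with write/control rights =="
$adFindings   | Format-Table -AutoSize
"== NTFS DACL for $sharePath : non-admin principals with any allow ACE =="
$ntfsFindings | Format-Table -AutoSize
```

Run it as an account that can read both the AD object and the share. Only Allow ACEs are listed; add a Deny pass if your audit needs it. The first table answers "who can move, delete or reset the password of this computer account", the second answers "who can read or write the data on it", and a principal can appear in one without appearing in the other, which is the distinction the accepted answer draws.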
Expert Comment by Krzysztof Pytko (LVL 39), ID: 36599138
Normally they shouldn't be able to reset Domain Admins'/Enterprise Admins' passwords. They should be able to reset only regular users' passwords

Krzysztof
Author Comment by pma111 (LVL 3), ID: 36599152
So by an auditor not worrying about permissions set in the security tab of the objects (in this case a server) properties - they wont be missing any major security flaw that could lead to unauthorised access to that device?

Thanks
Author Comment by pma111 (LVL 3), ID: 36599161
>>Normally they shouldn't be able to reset Domain Admins'/Enterprise Admins' passwords. They should be able to reset only regular users' passwords

What about a local admin password on a member server?
Expert Comment by Krzysztof Pytko (LVL 39), ID: 36599177
Yes, they wouldn't be able to do anything with these rights on a device.

Krzysztof
Expert Comment by Krzysztof Pytko (LVL 39), ID: 36601424
Don't worry about the local administrator password. It cannot be set/reset via ADUC. From that console you can only manage/modify domain user accounts.

The local administrator password is stored in the local SAM database on the particular PC/server. To be able to disable/enable or reset the local admin password, you need to have local admin rights as well (the only way is Administrators group membership on that machine).

The other option is to use 3rd-party boot CDs with "hacking" software. To prevent users from running them, set up a BIOS password and remove CD/USB media from the allowed boot options. Also disable the boot menu.

After that you may be sure that you secured local workstations.

Krzysztof
Expert Comment by Krzysztof Pytko (LVL 39), ID: 36708286
So, can we do something more for you? Or maybe you have additional questions to us? :)

Krzysztof
Author Comment by pma111 (LVL 3), ID: 36708328
No, I think that's all...

I will exclude such "permissions" from any audit scopes as the risk doesn't seem to be there
Expert Comment by Krzysztof Pytko (LVL 39), ID: 36708358
Great! Glad we could help you :)

Krzysztof
Question has a verified solution.