Solved

data security - full control permission in ADUC properties

Posted on 2011-09-26
Last Modified: 2012-06-27
In AD users and computers - what risks do users having full control over the device pose?

Does that mean they can access all data on that device, or for that do we still refer to share/directory ACLs and can ignore the permission shown if we right click the computer's properties > security tab?
Question by:pma111
20 Comments
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 350 total points
ID: 36598894
Nope. This means that they can do everything with that object in ADUC (move, delete, reset its password, for groups add/remove members) but there is no physical access to the device, at all! :) The only exception is for users who are Domain Admins/Enterprise Admins members :) they have also full access to devices

Regards,
Krzysztof
LVL 3

Author Comment

by:pma111
ID: 36598912
So technically if they have "full control" set via the properties in security in ADUC - they can access anything on that server, including all/any data?
LVL 3

Author Comment

by:pma111
ID: 36598928
Surely MBSA should include that as a check in its product - users with full control over a device.
LVL 3

Author Comment

by:pma111
ID: 36598931
And can they only reset the password if they know the current password?
LVL 3

Author Comment

by:pma111
ID: 36598938
And how do you mean:

"but there is no physical access to the device, at all! :) "

?? Can you clarify?

Thanks iSiek
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36599030
So :)

Full Control means that the object in an OU can be moved to another OU or deleted from the domain, but a user with that permission cannot log on to the device with full control. By default regular users can log on to any PC (if you didn't restrict that) and have access to any folder where Users, Everyone or Domain Users have been granted at least Read & Execute permissions.

When you delegate to users the ability to reset and unlock an account, they don't need to know the current password. They can change it via the ADUC console and unlock the account or disable/enable it.

Full Control to an object is not equal to Full Rights on a device (server/computer).

Krzysztof
LVL 57

Expert Comment

by:Mike Kline
ID: 36599033
Are you talking about just giving a normal user access to ADUC?

Thanks

Mike
LVL 3

Author Comment

by:pma111
ID: 36599067
Mike - no, I just wondered when you right click a server/computer in ADUC and go to the security tab of its properties - what exactly these permissions are, and if some were granted to the Everyone group or another group - what risk they pose
LVL 3

Author Comment

by:pma111
ID: 36599077
>>Full Control to an object is not equal to Full Rights on a device (server/computer).

But then if they could rechange the admin password have they not just given themselves full rights to the device?

LVL 57

Expert Comment

by:Mike Kline
ID: 36599097
Ok then Krzysztof gave a good answer about move/delete/

Thanks

Mike
LVL 3

Author Comment

by:pma111
ID: 36599113
In terms of security though, and security of the data on that device - are we saying reviewing the permissions listed in ADUC on the security tab of its properties aren't really included in security audits on member servers?
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 150 total points
ID: 36599126
Correct, you would have to look at/dump the ACLs in AD to see who has rights there. It is one of the places I think AD can still improve (rights/role reporting).

Thanks

Mike
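An added example of the ACL dump Mike describes (not code from the thread or from any of its participants): it reads the AD object ACL of one computer account and lists every trustee holding Full Control (GenericAll), or WriteDacl/WriteOwner, which let a holder grant themselves Full Control. It assumes the ActiveDirectory PowerShell module, a reachable domain, and a placeholder computer name; the baseline list of expected trustees is an assumption to adjust to your own domain.

```powershell
# Added example, not from the thread. Dumps the AD object ACL of a computer
# account and lists every trustee that holds Full Control (GenericAll) or a
# right that can be turned into it (WriteDacl, WriteOwner). This covers only
# the AD object, not NTFS/share ACLs on the device itself.
# Assumptions: ActiveDirectory module available, run as a domain user that can
# read the object; $ComputerName is a placeholder to replace.
Import-Module ActiveDirectory

$ComputerName = 'SRV01'   # placeholder computer account to audit

# Trustees assumed to hold Full Control on computer objects in a default
# domain; compare against your own schema defaults before trusting this list.
$Domain   = (Get-ADDomain).NetBIOSName
$Baseline = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Account Operators',
              "$Domain\Domain Admins", "$Domain\Enterprise Admins")

$dn  = (Get-ADComputer -Identity $ComputerName).DistinguishedName
$acl = Get-Acl -Path "AD:\$dn"

$FullOrEquivalent = @(
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner
)

$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $held = $FullOrEquivalent | Where-Object { $ace.ActiveDirectoryRights.HasFlag($_) }
    if (-not $held) { continue }
    [pscustomobject]@{
        Trustee    = $ace.IdentityReference.Value
        Rights     = ($held -join ', ')
        Inherited  = $ace.IsInherited      # inherited ACEs usually come from the OU/domain
        InBaseline = ($Baseline -contains $ace.IdentityReference.Value)
    }
}

# Everything not in the baseline is what an audit report should explain.
$findings | Sort-Object InBaseline, Trustee | Format-Table -AutoSize
$findings | Where-Object { -not $_.InBaseline } | ForEach-Object {
    Write-Warning "Non-default full-control holder on ${ComputerName}: $($_.Trustee) ($($_.Rights))"
}
```

Run it once per member server, or wrap the body in a loop over `Get-ADComputer -Filter *` to cover the whole domain; inherited ACEs flagged as non-baseline point at a delegation on the parent OU rather than on the single object.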
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36599138
Normally they shouldn't be able to reset Domain Admins/Enterprise Admins passwords. They should be able to reset only regular users' passwords

Krzysztof
LVL 3

Author Comment

by:pma111
ID: 36599152
So by an auditor not worrying about permissions set in the security tab of the object's (in this case a server's) properties - they won't be missing any major security flaw that could lead to unauthorised access to that device?

Thanks
LVL 3

Author Comment

by:pma111
ID: 36599161
>>Normally they shouldn't be able to reset Domain Admins/Enterprise Admins passwords. They should be able to reset only regular users' passwords

What about a local admin password on a member server?
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36599177
Yes, they wouldn't be able to do anything with these rights on a device.

Krzysztof
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36601424
Don't worry about the local administrator password. It cannot be set/reset over ADUC. From that console you can only manage/modify domain user accounts.

The local administrator password is stored in the local SAM database on the particular PC/server. To be able to disable/enable or reset the local admin password, you need to have local admin rights as well (the only way is Administrators group membership on that machine).

The other option is to use 3rd party booting CDs with "hacking" software. To prevent users from running them, set up a BIOS password and remove CD/USB media from the allowed booting options. Also disable running the boot menu.

After that you may be sure that you secured local workstations.

Krzysztof
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36708286
So, can we do something more for you? Or maybe you have additional questions to us? :)

Krzysztof
LVL 3

Author Comment

by:pma111
ID: 36708328
No, I think that's all...

I will exclude such "permissions" from any audit scopes as the risk doesn't seem to be there
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36708358
Great! Glad we could help you :)

Krzysztof