Data security - full control permission in ADUC properties

In AD users and computers - what risks do users having full control over the device pose?

Does that mean they can access all data on that device, or for that do we still refer to share/directory acl's and can ignore the permission shown if we right click the computers properties > security tab?
Asked by: pma111

2 Solutions
 
Krzysztof Pytko (Active Directory Engineer) commented:
Nope. This means that they can do everything with that object in ADUC (move, delete, reset its password, for groups add/remove members) but there is no physical access to the device, at all! :) The only exception is for users who are Domain Admins/Enterprise Admins members :) they have also full access to devices

Regards,
Krzysztof
pma111 (Author) commented:
So technically if they have "full control" set via the properties in security in ADUC - they can access anything on that server, including all/any data?
pma111 (Author) commented:
Surely MBSA should include that as a check in its product - users with full control over a device.
pma111 (Author) commented:
And can they only reset the password if they know the current password?
pma111 (Author) commented:
And how do you mean:

"but there is no physical access to the device, at all! :) "

?? Can you clarify?

Thanks iSiek
Krzysztof Pytko (Active Directory Engineer) commented:
So :)

Full Control means that the object in an OU can be moved to another OU or deleted from the domain, but a user with that permission cannot log on to the device with full control. By default regular users can log on to any PC (if you didn't restrict that) and have access to any folder where Users, Everyone or Domain Users have been granted at least Read & Execute permissions.

When you delegate to users the ability to reset and unlock accounts, they don't need to know the password. They can change it via the ADUC console and unlock the account or disable/enable it.

Full Control to an object is not equal to Full Rights on a device (server/computer).

Krzysztof
Mike Kline commented:
Are you talking about just giving a normal user access to ADUC?

Thanks

Mike
pma111 (Author) commented:
Mike - no, I just wondered when you right click a server/computer in ADUC and go to the Security tab of its properties - what exactly these permissions are and, if some were granted to the Everyone group or another group, what risk they pose
pma111 (Author) commented:
>>Full Control to an object is not equal to Full Rights on a device (server/computer).

But then if they could change the admin password have they not just given themselves full rights to the device?
Mike Kline commented:
Ok then Krzysztof gave a good answer about move/delete/

Thanks

Mike
pma111 (Author) commented:
In terms of security though, and security of the data on that device - are we saying reviewing the permissions listed in ADUC on the Security tab of its properties aren't really included in security audits on member servers?
Mike Kline commented:
Correct, you would have to look at/dump the ACLs in AD to see who has rights there. It is one of the places I think AD can still improve (rights/role reporting).

Thanks

Mike
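Mike's point about dumping the ACLs in AD can be scripted. The following is an added example, not code from this thread; it assumes the RSAT ActiveDirectory PowerShell module and a placeholder OU path, and lists the ACEs on computer objects that grant broad principals (Everyone, Authenticated Users, Domain Users, Domain Computers) more than read rights over the AD object itself.

```powershell
# Added example (not from this thread): audit ACEs on computer objects in an OU
# that grant broad principals strong rights over the AD object.
# Assumes the RSAT ActiveDirectory module; the OU path is a placeholder.
Import-Module ActiveDirectory

$SearchBase      = 'OU=Servers,DC=example,DC=com'   # placeholder, change to your OU
$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Domain Users', 'Domain Computers')
# Rights that let the holder modify the object or its ACL, not merely read it
$StrongRights    = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|ExtendedRight'

function Get-BroadComputerObjectAces {
    param([string]$SearchBase)

    Get-ADComputer -Filter * -SearchBase $SearchBase | ForEach-Object {
        $computer = $_
        # The AD: drive is provided by the ActiveDirectory module
        $acl = Get-Acl -Path ("AD:\" + $computer.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Drop the DOMAIN\ or NT AUTHORITY\ prefix before comparing names
            $who = $ace.IdentityReference.Value.Split('\')[-1]
            if ($BroadPrincipals -notcontains $who) { continue }
            if ($ace.ActiveDirectoryRights.ToString() -notmatch $StrongRights) { continue }
            [pscustomobject]@{
                Computer   = $computer.Name
                Principal  = $ace.IdentityReference.Value
                Rights     = $ace.ActiveDirectoryRights
                Inherited  = $ace.IsInherited
                # All-zero GUID means the ACE applies to the whole object,
                # otherwise it is scoped to one attribute or extended right
                ObjectType = $ace.ObjectType
            }
        }
    }
}

Get-BroadComputerObjectAces -SearchBase $SearchBase | Format-Table -AutoSize
```

Rows that come back are review items to compare against your delegation model (an inherited ACE usually points at the OU or domain head where it was set), not automatic findings.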
Krzysztof Pytko (Active Directory Engineer) commented:
Normally they shouldn't be able to reset Domain Admins/Enterprise Admins passwords. They should be able to reset only regular users' passwords.

Krzysztof
pma111 (Author) commented:
So by an auditor not worrying about permissions set in the Security tab of the object's (in this case a server's) properties - they won't be missing any major security flaw that could lead to unauthorised access to that device?

Thanks
pma111 (Author) commented:
>>Normally they shouldn't be able to reset Domain Admins/Enterprise Admins passwords. They should be able to reset only regular users' passwords.

What about a local admin password on a member server?
Krzysztof Pytko (Active Directory Engineer) commented:
Yes, they wouldn't be able to do anything with these rights on a device.

Krzysztof
Krzysztof Pytko (Active Directory Engineer) commented:
Don't worry about the local administrator password. It cannot be set/reset over ADUC. From that console you can only manage/modify domain user accounts.

The local administrator password is stored in the local SAM database on the particular PC/server. To be able to disable/enable or reset the local admin password, you also need to have local admin rights (the only way is Administrators group membership on that machine).

The other option is to use third-party boot CDs with "hacking" software. To prevent users from running them, set up a BIOS password and remove CD/USB media from the allowed boot options. Also disable the boot menu.

After that you may be sure that you secured local workstations.

Krzysztof
Krzysztof Pytko (Active Directory Engineer) commented:
So, can we do something more for you? Or maybe you have additional questions for us? :)

Krzysztof
pma111 (Author) commented:
No, I think that's all...

I will exclude such "permissions" from any audit scopes as the risk doesn't seem to be there
Krzysztof Pytko (Active Directory Engineer) commented:
Great! Glad we could help you :)

Krzysztof