Solved

Local Admins have free rein on network

Posted on 2012-08-23
Last Modified: 2012-08-24
So my network is "locked down" for people who log on but it seems that local admins for computers not on the domain have access to everything.  

My users don't have local admin access but if one of them was to bring a laptop in and plug it into the network (not a part of the domain nor a domain user), they can get into everything.

How can I stop local admins from having access to folders?  I have a domain admins and domain users group.


Thanks,
Joe
Question by:ClaudeWalker
22 Comments
 
LVL 2

Expert Comment

by:zunder1990
ID: 38326780
If it is a network share or printer set the permission so that only domain users have access.
 
LVL 13

Expert Comment

by:xDUCKx
ID: 38326781
Are you referring to a network share where when they attempt to access it they are prompted for username and credentials?  If they are giving their credentials Domain\Username then it's working as designed.  If they are bypassing all of this and accessing your network shares without being challenged....that's.....well, impossible.

Excluding the "Everyone" group: if "Everyone" has been given access to something, then everyone can get access.
 
LVL 2

Expert Comment

by:Baleboos
ID: 38326847
xDUCKx, if they have "Everyone" allowed, then the local users would also have access, unless there's a deny on local users and an allow on Everyone.

There might be a simple answer: Do you have a domain or a workgroup? Lol.
 

Author Comment

by:ClaudeWalker
ID: 38326858
No, the foreign computer has access to it because it is a local admin on its machine.  If they had physical access to the network or our company in-house wireless password they could go anywhere by the very nature of them being a local admin on the machine that they own.

So for security rights I have:

System
Creator Owner
Domain Admins
Domain Users
domain\administrators
domain\users
domain@administrator
 
LVL 2

Expert Comment

by:Baleboos
ID: 38326874
That looks like a GP misconfiguration on the server. What server are you running? They can't get network admin rights just because they have local admin rights. To check, why don't you try accessing something as a local LIMITED user?

If you cannot access as a local limited user, then I'm stumped. If you can, then there are a few GP policies that might be at fault.
 
LVL 2

Expert Comment

by:intellingence
ID: 38326889
From what you are saying, it sounds like all your share permissions and NTFS permissions on your network locations have "everyone" with at least "read" privileges. This has nothing to do with being local admin on the workstation.

Check "share" tab and "NTFS/security" tab on your shared locations, unless your shares are living on FAT32 drive so you can only control "share" privileges.

Hope this helps
 
LVL 2

Expert Comment

by:Baleboos
ID: 38326898
intelligence: everyone would include their domain non-admins, who have no access. Also, everyone, on 2008 and later, does not include anonymous.
 

Author Comment

by:ClaudeWalker
ID: 38326936
Question:

Check "share" tab: are permissions over the network?

"NTFS/security": are permissions with the user either over the network or if logged on to the server?

Here is the share and ntfs permissions:
permissions
 

Author Comment

by:ClaudeWalker
ID: 38326940
At no point does it say "everyone"
 

Author Comment

by:ClaudeWalker
ID: 38326966
That looks like a GP misconfiguration on the server. What server are you running? They can't get network admin rights just because they have local admin rights. To check, why don't you try accessing something as a local LIMITED user?

To keep things straight, the computer in question is not on the domain.  It's on a workgroup (to simulate someone bringing in their own computer and plugging it into the wall, or getting on company non-guest wireless).

With the non-domain computer having its local admin logged in, it has free rein.  With a limited account it asks for the admin password.
 
LVL 2

Expert Comment

by:Baleboos
ID: 38327115
Well, like I said, I am stumped. Maybe there's a policy that has local admins as domain admins. I could look around and see if I can locate something that sounds like the culprit.
 
LVL 2

Expert Comment

by:Baleboos
ID: 38327245
I don't think it has anything to do with GP as these computers aren't even joined in the domain.

Could you list the Server's Local Security Policy settings that start with "Network Access:"?

Also, log in from one of those clients and grab the corresponding entry on the server's security event log.
 

Author Comment

by:ClaudeWalker
ID: 38329633
Here is the local security policy (secpol.msc).  

Additionally, for our servers there are no "local" policies changed from GP.  

Thanks,
Joe K.

secpol.msc
 
LVL 2

Accepted Solution

by:
Baleboos earned 2000 total points
ID: 38329740
Try changing "Network access: Sharing and security model for local accounts" to "Guest only".

It's not the correct setup, but it will probably stop them until you figure out what's going on.
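The setting Baleboos names maps to the ForceGuest DWORD under the LSA registry key (0 = Classic, 1 = Guest only), and it governs only network logons that use local accounts, which is exactly the path the thread is chasing. The script below is an added example, not code from the thread; the two function names are my own, and it assumes it runs elevated on the file server (the supported way to apply the change is still Local Security Policy or Group Policy, which write the same value):

```powershell
# Added example: read and set "Network access: Sharing and security model
# for local accounts". Backed by ForceGuest: 0 = Classic, 1 = Guest only.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LocalAccountSharingModel {
    # Missing value behaves like Classic, so treat anything but 1 as Classic.
    $v = (Get-ItemProperty -Path $lsaKey -Name ForceGuest -ErrorAction SilentlyContinue).ForceGuest
    if ($v -eq 1) { 'Guest only - local users authenticate as Guest' }
    else          { 'Classic - local users authenticate as themselves' }
}

function Set-LocalAccountSharingModel {
    param([Parameter(Mandatory)][ValidateSet('Classic', 'GuestOnly')][string]$Model)
    $value = if ($Model -eq 'GuestOnly') { 1 } else { 0 }
    Set-ItemProperty -Path $lsaKey -Name ForceGuest -Value $value -Type DWord
}

"Before: $(Get-LocalAccountSharingModel)"
Set-LocalAccountSharingModel -Model GuestOnly
"After:  $(Get-LocalAccountSharingModel)"
```

Because the value applies to local accounts only, domain users connecting with domain credentials are unaffected; a local account (including a matching local Administrator from a foreign machine) is mapped to Guest instead of to its own rights.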
 

Author Comment

by:ClaudeWalker
ID: 38329927
No one knows about it yet.  I just don't want them to find out about it.  

Why is that not the correct setup?

Secondly, what are the NTFS permissions I should have?  I changed a number of them and consequently mucked things up.  Although all who need access have it, I'm worried it's not tight enough.

Here's what I have for defaults:

myDomain@administrator
myDomain\Domain Users
myDomain\Domain Admins
SYSTEM      (I think backup exec may need this)
Creator OWNER

Are these tight enough for NTFS permissions?  Shares are more refined.
 
LVL 2

Expert Comment

by:Baleboos
ID: 38330259
Sounds fine. Although mydomain@administrator seems wrong syntax. Probably swap the two sides.
 

Author Comment

by:ClaudeWalker
ID: 38330271
True.  It is administrator@myDomain, I typed it wrong.

I have no idea why this problem is happening.  I don't want to not allow physical plugs on the network because we have financial auditors come in and plug in to our network.  It'd be a major pain to have to manually allow MAC addresses
 

Author Comment

by:ClaudeWalker
ID: 38330372
Here's a new development:  If I give any Administrator Share Permissions it gives this foreign Admin access

So if I give Administrators OR Domain Admins OR myDomain@administrator access, the foreign computer has access.  

However, if I remove all admin access and have joe@myDomain permission then it can't access it.

Just to belabor the point more

Permissions: has access
Joe@myDomain
myDomain\Administrators

Permissions: has access
Joe@myDomain
Domain Admins

Permissions: has access
Joe@myDomain
administrator@myDomain

Permissions: DOESN'T HAVE ACCESS
Joe@myDomain
 

Author Comment

by:ClaudeWalker
ID: 38330421
Disregard everything: This specific case has a specific bug.

If the local admin account on the foreign computer has the same password as the administrator account on the network then they have unrestricted access (as if they were administrator).

Crazy!
 
LVL 2

Expert Comment

by:intellingence
ID: 38330940
by: Baleboos, posted on 2012-08-23 at 13:21:59, ID: 38326898

intelligence: everyone would include their domain non-admins, who have no access. Also, everyone, on 2008 and later, does not include anonymous.

Hands up... My mistake... Not analysing your query carefully enough...

If the local admin account on the foreign computer has the same password as the administrator account on the network then they have unrestricted access (as if they were administrator).

I'll take it Sabotage is not an option?
 

Author Closing Comment

by:ClaudeWalker
ID: 38331130
Not the answer but thanks for sticking with me.
 
LVL 2

Expert Comment

by:Baleboos
ID: 38331226
This is not a bug. If you have a local Administrator that has the same username and password as the domain admin, they will be able to access domain controllers only as the domain administrator is a local account on a DC and local accounts can be accessed from any other computer with a local account with an identical username and password.

I didn't consider the possibility that you are talking about a DC.

Change your domain admin password and Robert's your mother's sibling.
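Baleboos asked earlier for the matching entry in the server's Security event log, and his closing explanation (a local account with an identical username and password being accepted over the network) is something that log can confirm: each such connection is a logon event 4624 with logon type 3 (network), and the WorkstationName and IpAddress fields show which machine it came from. The script below is an added example, not code from the thread; it assumes it is run elevated on the server in question, that audit logon events are enabled there, and it uses the 4624 field positions as they appear on Windows Server 2008 (TargetUserName at index 5, LogonType at 8, WorkstationName at 11, IpAddress at 18):

```powershell
# Added example: list network (type 3) logons to this server that used a
# given account, with the source workstation and IP, so that logons from a
# machine that is not a domain member stand out.
param(
    [string]$Account = 'Administrator',   # account to review
    [int]$Hours = 24                      # how far back to look
)

$filter = @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddHours(-$Hours)
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = $_.Properties      # positional data fields of event 4624
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = $p[5].Value    # TargetUserName
            Domain      = $p[6].Value    # TargetDomainName (host name for a local account)
            LogonType   = $p[8].Value    # 3 = network (file share access)
            AuthPkg     = $p[10].Value   # e.g. NTLM vs Kerberos
            Workstation = $p[11].Value   # name the client reported
            SourceIP    = $p[18].Value   # client address
        }
    } |
    Where-Object { $_.LogonType -eq 3 -and $_.User -eq $Account } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

In the scenario from the thread, the Domain column tells you whether the server treated the logon as a domain or a local account, and the Workstation column names the non-domain machine; after changing the password as Baleboos suggests, re-running the script should show no further type 3 logons for that account from unknown workstations.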
