lsysamc

domain users in local users group on servers

Looking for some opinions here. When a server is joined to the domain, the domain users group is automatically added to the local users group on that server. Has anyone noticed anything harmful or anything to watch for in removing this?

We disabled log on locally a while ago but that wasn't the issue we encountered. This gave all users the ability to create folders and files and have read access on all the shares by default unless this was implicitly removed. We had a user get infected with a ransomware virus and it was able to browse, server by server, every share on every server and try to encrypt these files. (Shares were not mapped.) We found it was able to read the files and create an encrypted version but not able to delete the old copy, so we didn't lose any data. This did, however, imply to me that this default action on a server is a security risk.

Should domain users be removed from the local users group on servers?
Windows Server 2008, Windows Server 2012, Microsoft Server OS

ASKER CERTIFIED SOLUTION
zalazar

lsysamc
ASKER

When I create a share I normally remove security inheritance.  All the shares affected were old and did not have this removed so I was going to go ahead and remove it.  Is disabling inheritance along with disabling local login then the best practice?
zalazar

Can you tell if you are using "Advanced sharing" when creating shares, or do you use the sharing wizard?
And is it correct that you want to remove the "Users" group?
It's fine that you remove the group, but you probably have to make sure that other groups are there/added which contain users that need to access the data.

Removing security inheritance is fine, but to keep it manageable this should only be done on the top directory level and maybe on a second level, but not within the shared data.

What I use as a best practice is separate data disks (not the C-drive) for sharing data.
After creation you can remove and set the correct groups that need access to the data on the root of the disk, e.g. only "Administrators" and "SYSTEM".
The "Users" group can be removed, or if User Account Control is enabled you could leave the "Users" group in, but only with "List folder contents" for "This folder only".
In this way the "Users" group is not propagated to the subdirectories.
If you would then create a share with "Advanced sharing" on a directory, then you only have to add the additional groups (which contain users) that need access to the data.
Normally I only assign "Read" and "Modify" permissions and no Full control.
Share permissions can normally be set to "Authenticated Users" with Change permissions.
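
The exposure discussed in this thread can be measured on a server before any permissions are changed. The following PowerShell is an added example, not code from either poster: a read-only audit that reports whether Domain Users is nested in the local Users group and lists shared folders whose NTFS ACL lets a broad group write. It assumes English group names and Windows PowerShell 3.0 or later, run locally in an elevated session.

```powershell
# Added example, not from the thread. Read-only: it changes no permissions.
# Assumptions: English-language group names, Windows PowerShell 3.0+, elevated.

# Broad principals whose write access on a shared folder deserves review.
$broad = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users'

# Bits that allow creating, changing or deleting data. Read bits are left out
# on purpose so a read-only ACE does not match. The two hex values are
# GENERIC_ALL and GENERIC_WRITE, which some ACEs carry instead of specific rights.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x10000000 -bor 0x40000000

# 1. Is Domain Users nested in the local Users group (the domain-join default)?
$nested = @(net localgroup Users) -match '\\Domain Users\s*$'
if ($nested) {
    Write-Warning "Local Users group contains: $($nested -join ', ')"
}

# 2. Walk the ordinary file shares (Type 0 skips C$, ADMIN$ and IPC$).
$findings = foreach ($share in Get-CimInstance Win32_Share -Filter 'Type = 0') {
    $acl = Get-Acl -Path $share.Path
    foreach ($ace in $acl.Access) {
        $isBroad  = $broad -contains $ace.IdentityReference.Value
        $canWrite = ([int]$ace.FileSystemRights -band $writeBits) -ne 0
        if ($isBroad -and $canWrite -and $ace.AccessControlType -eq 'Allow') {
            [pscustomobject]@{
                Share               = $share.Name
                Path                = $share.Path
                Principal           = $ace.IdentityReference.Value
                Rights              = $ace.FileSystemRights
                Inherited           = $ace.IsInherited            # True: set on a parent folder
                InheritanceDisabled = $acl.AreAccessRulesProtected
            }
        }
    }
}

# 3. Show the shares that need attention, grouped by share name.
$findings | Sort-Object Share, Principal | Format-Table -AutoSize
```

Rows with `Inherited` set to True point at shares that picked up the write ACE from the drive or a parent folder, which is the situation described for the older shares above.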
lsysamc
ASKER

Yes, I'm using advanced sharing. That's pretty close to how we set them up now. It's just the older shares I still need to fix. Thanks. Appreciate the help.
zalazar

You're welcome and thanks too.