Thomas Heikkila (United States of America) asked:
Domain User in Local Admin Group for Software Installations

I am the IT person for a small company and we have a large group of engineers that need to install a wide range of software and updates on a frequent basis. I want to keep things secure but also make it so that I do not have to be present all the time.

My solution was to create a domain account named Software and I put Software into the Administrators group on each computer. When a user needs to do an upgrade or install, they send me a request, and I can give them the current credentials for Software. When they are done installing I change the password for Software. This has worked fine.

Now the problem. Users can use a previous password I have given them for the user Software. There is a laptop we use for PLC programming. About a month ago I allowed a user to install software using the Software account. Yesterday I got a request for an upgrade and before I could reply I was told they got the upgrade done. I inquired how and was told they used the password I had given previously. Since the initial use of the account Software, I have changed the password for Software at least 6 times. Why was the old password still accepted?

Now I am thinking that I could create a local account for each computer and change that password, but that means keeping track of the password for that local account for 75 different computers. And will an old password still work in this scenario also?
Paul MacDonald (United States of America):

Domain credentials are cached, for exactly the scenario surrounding your laptop. Local credentials are not cached, since they don't need to be.

Good luck!
If the laptop was not connected to the corporate network at the time the account was used AND it had been used at least once before on the machine, then it would have used cached credentials.
You could create a group policy for only those systems and disable cached credentials, but doing so would require them to log on locally whenever they weren't on the company LAN.

Or, if you're using newer versions of Windows server and client operating systems, you can set up the user as Protected - see:
Protected Users Security Group
https://technet.microsoft.com/en-us/library/dn466518(v=ws.11).aspx

From the above link:
This domain-related, global group triggers non-configurable protection on devices and host computers running Windows Server 2012 R2 and Windows 8.1, and on domain controllers in domains with a primary domain controller running Windows Server 2012 R2. This greatly reduces the memory footprint of credentials when users sign in to computers on the network from a non-compromised computer.

Depending on the account’s domain functional level, members of the Protected Users group are further protected due to behavior changes in the authentication methods that are supported in Windows.

    The member of the Protected Users group cannot authenticate by using NTLM, Digest Authentication, or CredSSP. On a device running Windows 8.1, passwords are not cached, so the device that uses any one of these Security Support Providers (SSPs) will fail to authenticate to a domain when the account is a member of the Protected User group.

    The Kerberos protocol will not use the weaker DES or RC4 encryption types in the pre-authentication process. This means that the domain must be configured to support at least the AES cipher suite.

    The user’s account cannot be delegated with Kerberos constrained or unconstrained delegation. This means that former connections to other systems may fail if the user is a member of the Protected Users group.

    The default Kerberos Ticket Granting Tickets (TGTs) lifetime setting of four hours is configurable by using Authentication Policies and Silos, which can be accessed through the Active Directory Administrative Center (ADAC). This means that when four hours has passed, the user must authenticate again.
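The two controls named above (limiting cached domain logons, and the Protected Users group), plus the event-log check that tells you whether a cached logon actually happened, as an added PowerShell example that is not part of the original thread. It assumes a domain-joined admin workstation with WinRM access to the clients and the RSAT ActiveDirectory module; 'Software' is the shared account from the question, and the computer name is a constructed placeholder. The registry value is the one the Group Policy setting writes; the logon-type semantics of event 4624 (2 = Interactive, 3 = Network, 11 = CachedInteractive) are standard Windows auditing.

```powershell
# Added example, not from the original thread. Assumes it runs on a domain-joined
# admin workstation with WinRM access to the clients and the RSAT ActiveDirectory
# module installed. 'Software' is the shared domain account from the question;
# the computer name below is a constructed placeholder.

$Account   = 'Software'
$Computers = @('PLC-LAPTOP01')   # constructed sample; replace with real hosts

# Registry value written by the GPO "Interactive logon: Number of previous logons
# to cache (in case domain controller is not available)". It is a REG_SZ.
# Default is 10; 0 disables caching, so laptops off the LAN can no longer log on
# with domain accounts. Prefer setting this through Group Policy; the direct
# write is shown so a single laptop can be checked and corrected.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonsCount {
    param([Parameter(Mandatory)][string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        (Get-ItemProperty -Path $using:WinlogonKey -Name CachedLogonsCount).CachedLogonsCount
    }
}

function Set-CachedLogonsCount {
    param([Parameter(Mandatory)][string]$ComputerName,
          [ValidateRange(0, 50)][int]$Count = 0)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Set-ItemProperty -Path $using:WinlogonKey -Name CachedLogonsCount `
                         -Value ([string]$using:Count) -Type String
    }
}

# Security event 4624 records the logon type: 2 (Interactive) and 3 (Network)
# were validated by a DC; 11 (CachedInteractive) means the locally cached
# verifier was used and no DC was consulted. This is the check that answers
# "why was the old password accepted" for a specific machine and account.
function Get-CachedLogonEvents {
    param([Parameter(Mandatory)][string]$ComputerName,
          [Parameter(Mandatory)][string]$UserName,
          [int]$Days = 30)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['TargetUserName'] -eq $UserName -and $data['LogonType'] -eq '11') {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    Computer  = $ComputerName
                    User      = $data['TargetUserName']
                    LogonType = 'CachedInteractive (11)'
                }
            }
        }
}

# Protected Users: members cannot use NTLM and their credentials are not cached
# on Windows 8.1 / Server 2012 R2 and later hosts, but the group only exists once
# the domain's PDC emulator runs Windows Server 2012 R2 or later. The check
# below fails closed on an older PDC instead of silently doing nothing.
function Add-ToProtectedUsers {
    param([Parameter(Mandatory)][string]$SamAccountName)
    Import-Module ActiveDirectory
    $pdc = (Get-ADDomain).PDCEmulator
    $os  = (Get-ADComputer -Filter "DNSHostName -eq '$pdc'" -Properties OperatingSystem).OperatingSystem
    if ($os -notmatch 'Server (2012 R2|2016|2019|2022)') {
        throw "PDC emulator $pdc runs '$os'; Protected Users requires Windows Server 2012 R2 or later"
    }
    Add-ADGroupMember -Identity 'Protected Users' -Members $SamAccountName
}

# Usage: report the cache setting and any cached logons by the shared account.
foreach ($c in $Computers) {
    '{0}: CachedLogonsCount = {1}' -f $c, (Get-CachedLogonsCount -ComputerName $c)
    Get-CachedLogonEvents -ComputerName $c -UserName $Account | Format-Table -AutoSize
}
```

Run the report first: if the PLC laptop shows type-11 logons for the Software account, the cached verifier explains the old password being accepted, and Set-CachedLogonsCount (or the equivalent GPO) is the fix at the cost described above for off-LAN laptops. Add-ToProtectedUsers will throw on a 2008-era PDC emulator, which matches the limitation the asker notes further down the thread.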
ASKER CERTIFIED SOLUTION
Shaun Vermaak (Australia)
This solution is only available to members.
Thomas Heikkila (ASKER):
The laptop was on the LAN so I am not sure why a cached credential was accepted.

I am running AD on 2008 servers so protected groups are not an option.

I do not want to make local accounts for each user so disabling the caching of credentials is not an option.

Some solution for a local account which I can control the password to is my best option for now.
Did you check the links posted in #a42286583?
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Accept: Shaun Vermaak (https:#a42286583)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer