• Status: Solved
  • Priority: High
  • Security: Public
  • Views: 132

Block all 'Domain Users' from logon to 30 critical PCs except a group of 40 authorized users

https://www.experts-exchange.com/questions/29056334/Steps-to-block-AD-IDs-from-login-to-30-critical-PCs.html

I'll need to revisit the above EE post: I've just implemented the simplest solution by Lee W, i.e. ID: 42292327, by removing "Domain Users" from the local "Users" group on 2 of the PCs and rebooting them, but using one of the 'unauthorized' AD IDs I could still log on to the 2 critical PCs, so this solution did not work. Why is it not working as Lee W suggested?

Under the local  "Users" group, there are 2 more members (after removing "Domain Users"):  could these 2 groups be the reason why the unauthorized AD Ids could still login?
  1. NT AUTHORITY\Authenticated Users (S-1-5-11)
  2. NT AUTHORITY\INTERACTIVE (S-1-5-4)
I guess it's not safe to remove the above 2 from local "Users" group, right?


I'm looking for the next simplest solution, so which among them is easiest,
considering there are 30 PCs with 40 authorized staff?

Currently if we issue "Net user /domain any_AD_Id", the output will show
a line "Could logon to any workstations": I guess this is (one of) the problems.
Asked by sunhux

Robert (System Admin) commented:
I would create a security group with the users that should be allowed to logon to the computers then create a GPO and apply it to the machines. The policy would need to set the "allow logon locally" to be only that security group.

https://technet.microsoft.com/en-us/library/dn221980%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396

arnold commented:
An affirmative approach is better and easier to implement than trying to reverse access.

Likely, the two users in question had membership in a group that at some point became authorized.

That is the other difficulty inherent to the situation you find yourself in.
I know users can be limited to the computers to which they can log in; I have not looked at whether the computer object can be set within AD to specify which users or groups are authorized to access the system.

Lee W, MVP (Technology and Business Process Advisor) commented:
> 1. NT AUTHORITY\Authenticated Users (S-1-5-11)
> 2. NT AUTHORITY\INTERACTIVE (S-1-5-4)
> I guess it's not safe to remove the above 2 from local "Users" group, right?

Why wouldn't it be?

As long as the user is a member of AT LEAST 1 group in the list of Users, that should be all you need.

I wouldn't remove Interactive, but I would definitely remove Authenticated Users - Any user that logs in is authenticated!

Further, it's extremely unwise implementing ANY forum recommendation without TESTING first.  And testing is easy - setup a VM and TEST!
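As an added example that is not part of the thread, the following PowerShell audit (run elevated on one of the two PCs) shows why removing "Domain Users" alone had no effect: it lists who is still in the local Users group, flagging the two well-known SIDs quoted above, and dumps which principals hold "Allow log on locally" by exporting the User Rights Assignment with secedit. It changes nothing on the machine; the scratch file path and the wording of the warning are my own.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session on one
# of the two PCs where removing "Domain Users" did not help. Read-only: it changes nothing.

# --- 1. Local Users group: who is still a member after "Domain Users" was removed? ---
# Two well-known SIDs make every logon a member of Users whether or not "Domain Users" is listed.
$catchAllSids = @{
    'S-1-5-11' = 'Authenticated Users: every account that authenticates, local or domain'
    'S-1-5-4'  = 'INTERACTIVE: every account that logs on at the console or via Remote Desktop'
}
$members = Get-LocalGroupMember -Group 'Users'
Write-Host 'Members of BUILTIN\Users:'
foreach ($m in $members) {
    $note = $catchAllSids[$m.SID.Value]
    if ($note) { Write-Host ("  {0,-45} <-- {1}" -f $m.Name, $note) -ForegroundColor Yellow }
    else       { Write-Host ("  {0,-45}" -f $m.Name) }
}
$catchAllPresent = @($members | Where-Object { $catchAllSids.ContainsKey($_.SID.Value) })

# --- 2. User Rights Assignment: which principals hold the logon rights? ---
# secedit writes lines such as "SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545"
# (SIDs prefixed with '*'). The export file is UTF-16, which Get-Content detects via the BOM.
$inf = Join-Path $env:TEMP 'user-rights-export.inf'   # assumed scratch path
& secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
$rights = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') { $rights[$Matches[1]] = $Matches[2].Trim() }
}
Remove-Item $inf -ErrorAction SilentlyContinue

function Resolve-SidList([string]$csv) {
    # Translate each "*SID" token to DOMAIN\Name; fall back to the raw token if it does not resolve.
    foreach ($tok in ($csv -split ',' | Where-Object { $_ })) {
        $sid = $tok.TrimStart('*')
        try   { (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid }
    }
}

foreach ($right in 'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight', 'SeRemoteInteractiveLogonRight') {
    "{0,-30} {1}" -f $right, ((Resolve-SidList $rights[$right]) -join ', ')
}

# --- 3. The diagnosis ---
# On a default workstation BUILTIN\Users (S-1-5-32-545) holds "Allow log on locally".
# If it does, and Users still contains S-1-5-11 / S-1-5-4, removing "Domain Users" cannot block anyone.
$usersHoldsRight = @(($rights['SeInteractiveLogonRight'] -split ',').TrimStart('*')) -contains 'S-1-5-32-545'
if ($usersHoldsRight -and $catchAllPresent) {
    $msg = 'BUILTIN\Users holds SeInteractiveLogonRight and still contains {0}: any authenticated ' +
           'domain account is a member of Users and may log on. Restrict the right to an explicit group list instead.'
    Write-Warning ($msg -f (($catchAllPresent | ForEach-Object Name) -join ', '))
}
```

The three rights printed in step 2 are the ones that matter for this question: "Allow log on locally", "Deny log on locally" (which wins over any allow) and "Allow log on through Remote Desktop Services", which is separate from console logon and is easy to forget when locking a PC down.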
Maclean (System Engineer) commented:
I haven't read the article mentioned, but what I would do is create 1 GPO for special PC access, and under security filtering remove all options, then add an AD security group containing the 30 PCs in question.
When done edit the GPO and go to

Computer Configuration>>Policies>>Windows Settings>>Security Settings>>Local Policies.

In here select "Allow logon locally" and select the user group allowed to access the PC's targeted through the security filtering group.
Alternatively fill in the "Deny Log on locally" and select the user group of users not allowed to log on and do not use the "Allow Log in locally"
Deny is more powerful so doing it the alternative way might force what you are looking for.

I would assume that to work. Do test first, of course, on a test PC.
 
sunhux (Author) commented:
> I would definitely remove Authenticated Users - Any user that logs in is authenticated!
If we remove the above, then the authorized payment staff also won't be able to log in?
So do we still remove this??

I'm not Wintel-trained: care to provide step-by-step (with screenshots attached here) instructions?
Maclean's instructions are quite detailed, but it will help if screenshots are attached.
Lee W, MVP (Technology and Business Process Advisor) commented:
> If we remove the above, then the authorized payment staff also won't be able to login then?
> So do we still remove this??

Of course... and you ADD the payment staff's group...
 
arnold commented:
You have to be careful with the "allow log on" to include all the requisite groups: the security group and Administrators.

Another option is to use Restricted Groups on these systems, kicking out all users from Users so that it only includes a security group.

In either situation a member of this security group is authorized to access all the restricted PCs. If you need to manage access more tightly, this means you have to have a security group for each system, where each system will only allow local login to members of the group named for the computer.
This way you more tightly control the number of individuals who can have access to each system.
 
Lee W, MVP (Technology and Business Process Advisor) commented:
Let me rephrase, what I think arnold is saying.

Instead of specifying each group that can access the machine, create a SPECIAL group called (for example) Restricted Computer Access.  Then ONLY members of that group can log in to those 30 critical machines.  Then you put the 40 authorized users in that one group and it doesn't matter if they are payment groups or anything else...
 
arnold commented:
Thanks Lee,

For the sake of simplicity, say you have three systems to which restricted access is needed:
System1
System2
System3

You either create a single secure_my_systems group, and this group is the "allow local login" on each of the three systems,

or, more controlled:
Security_system1
Security_system2
Security_system3
Each system will have its own security group authorizing access.
This way only members of Security_system1 will be allowed to log in to System1,
potentially excluding administrative users unless specifically authorized.

It all depends on the requirement and the level of security you now have to apply.
Potentially those systems are sensitive such that granting a significant

Another possibility is to use smartcards, and only a user authorized that way will be able to access them.


Two-factor auth with a key fob ..........
 
sunhux (Author) commented:
So with the instructions from Arnold & Lee (the last 3 above), do I still need to:
a) create an OU to group these 30 critical PCs ?  (this is rather complicated for me to comprehend as a non-Wintel person)
b) remove the following  from being a member of the local "Users" group :
     1. NT AUTHORITY\Authenticated Users (S-1-5-11)  
     2. NT AUTHORITY\INTERACTIVE (S-1-5-4)
 
arnold commented:
The difficulty, as noted, is that you wish to impose restrictions after the fact.
What is the issue, organization?
You could use an AD security group, restricted_computers.
Add these computers as members of this security group.
Create a computer GPO that changes "allow local logon" to the created security group Authorized_users_to_access_servers, of which only individuals authorized for access are members.
Using the security filter as to which systems this computer GPO applies to, you would replace authenticated_users with restricted_computers.

In this situation, a record has to be maintained to add a new system that serves this role/function to the restricted_computers security group, in a similar way one would have if there was a specific OU into which the system would need to be placed.

If you have a forest, create a similar Branch_Restricted_system_OU into which these systems need to be placed during the upgrade cycles.
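Added example, not from arnold's post: the group-and-GPO scaffolding he describes, scripted with the RSAT ActiveDirectory and GroupPolicy cmdlets so that the same steps can be repeated for a test OU first and the production OU later. The domain, OU, group, GPO and computer names below are assumptions. The "Allow log on locally" value itself has no GroupPolicy cmdlet, so it is still entered in the GPO editor; Administrators should stay in that list next to the authorized group, because the setting replaces the default list (Administrators, Users, Backup Operators, Guest) rather than adding to it.

```powershell
# Added example (not from the thread). Run as a domain admin on a host with RSAT.
# All names below are hypothetical; replace them with your own.
$GroupsOU      = 'OU=Groups,DC=contoso,DC=com'
$ComputerGroup = 'Restricted_Computers'                 # will hold the 30 critical PCs
$UserGroup     = 'Critical_PC_Users'                    # will hold the 40 authorized staff
$GpoName       = 'Critical PC - Restrict Local Logon'
$LinkTarget    = 'OU=Test-Workstations,DC=contoso,DC=com'  # link to a test OU first, as Maclean advises
$CriticalPCs   = 'PAYPC01', 'PAYPC02'                   # start with the two test PCs
$AuthorizedSams = 'alice', 'bob'                        # sAMAccountNames of authorized users

Import-Module ActiveDirectory, GroupPolicy

# 1. Two global security groups: one for the computers, one for the people.
foreach ($g in $ComputerGroup, $UserGroup) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $GroupsOU
    }
}
# Computer accounts are ordinary group members (their sAMAccountName ends in '$').
Add-ADGroupMember -Identity $ComputerGroup -Members ($CriticalPCs | ForEach-Object { Get-ADComputer -Identity $_ })
Add-ADGroupMember -Identity $UserGroup     -Members $AuthorizedSams

# 2. The GPO, security-filtered to the computer group only.
try   { $gpo = Get-GPO -Name $GpoName -ErrorAction Stop }
catch { $gpo = New-GPO -Name $GpoName -Comment 'Restricts interactive logon on critical PCs' }
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None     | Out-Null
Set-GPPermission -Name $GpoName -TargetName $ComputerGroup        -TargetType Group -PermissionLevel GpoApply | Out-Null

# 3. The user right itself is set in the GPO editor, not by a cmdlet:
#    Computer Configuration > Policies > Windows Settings > Security Settings >
#    Local Policies > User Rights Assignment > "Allow log on locally"
#    = BUILTIN\Administrators, CONTOSO\Critical_PC_Users
#    Whatever is entered there REPLACES the default list, so leaving Administrators out locks admins out.

# 4. Link the GPO where the test PCs live; widen the link only after testing.
if (-not (Get-GPInheritance -Target $LinkTarget).GpoLinks.Where({ $_.DisplayName -eq $GpoName })) {
    New-GPLink -Name $GpoName -Target $LinkTarget -LinkEnabled Yes | Out-Null
}

# 5. Show what was built.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission | Format-Table -AutoSize
Get-ADGroupMember -Identity $ComputerGroup | Select-Object Name, objectClass
Get-ADGroupMember -Identity $UserGroup     | Select-Object Name, objectClass
```

Because the GPO applies only to members of Restricted_Computers, adding a 31st critical PC later is a single Add-ADGroupMember plus a reboot or gpupdate, which is the record-keeping arnold mentions; the same GPO can be linked to several OUs without re-filtering.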
 
Maclean (System Engineer) commented:
Open Group Policy Management and right-click Group Policy Objects to select "New".

Create the new GPO.
On the new GPO, under the Scope tab, remove Authenticated Users and put in the group name or the PC names on which you wish to allow the special users.

[screenshot attached: 2.1.png]
Right-click the new GPO and select Edit, then browse down to Computer Configuration>>Policies>>Windows Settings>>Security Settings>>Local Policies>>User Rights Assignment and select "Access this computer from the network". When the option is highlighted, either double-click it to edit, or right-click and select Properties.

[screenshot attached: Access from network]
On adding a user or group, select who is allowed to access the PC over the network,
e.g. Administrators and the group of users you authorized. Click "Check Names" as well to make sure what you typed is correct.
Mine is an example showing the local group Administrators. If you use a domain group I would expect to see "DOMAIN\Special Users" or whatever the group is named.

[screenshot attached: 4.PNG]
When done, browse the AD for your test OU folder containing one of the restricted PCs, link the policy, wait a few minutes for replication (15 usually works), reboot the test PC, and try to log in as a non-authorized user.
If blocked, test an authorized user.
If both are successful you can apply the GPO to the remaining systems. If not, post here for advice.
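Added example, not from Maclean's post: the same user-right change applied locally with secedit on a single test PC, so the allow list can be verified (and rolled back) before the identical entries go into the GPO. Two caveats a practitioner would want here: interactive (console) logon is governed by "Allow log on locally" (SeInteractiveLogonRight), while "Access this computer from the network" (SeNetworkLogonRight) controls SMB/RPC access from other machines and does not stop a user sitting at the keyboard; and "Allow log on through Remote Desktop Services" (SeRemoteInteractiveLogonRight) is a separate right, so the script restricts it to the same principals. The group name and the scratch paths are assumptions; the template format is the one secedit itself exports.

```powershell
# Added example (not from the thread). Run elevated on ONE test PC, ideally a VM snapshot.
# The domain group is hypothetical; the PC must be domain-joined so the name resolves to a SID.
$AuthorizedGroup = 'CONTOSO\Critical_PC_Users'

function ConvertTo-SidRef([string]$account) {
    # secedit templates reference principals as *<SID>
    '*' + ([System.Security.Principal.NTAccount]$account).Translate([System.Security.Principal.SecurityIdentifier]).Value
}

$allowed = @(
    (ConvertTo-SidRef 'BUILTIN\Administrators')   # keep admins, or you lock yourself out
    (ConvertTo-SidRef $AuthorizedGroup)
) -join ','

# A right listed here REPLACES the current holders: BUILTIN\Users, Backup Operators and Guest
# drop out of "Allow log on locally". Remote Desktop logon is a separate right; restrict it too,
# otherwise an unauthorized user blocked at the console could still RDP in.
$template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = $allowed
SeRemoteInteractiveLogonRight = $allowed
"@

$work   = Join-Path $env:TEMP 'critical-pc-logon'      # assumed scratch directory
New-Item -ItemType Directory -Path $work -Force | Out-Null
$before = Join-Path $work 'before.inf'
$cfg    = Join-Path $work 'restrict-logon.inf'
$db     = Join-Path $work 'restrict-logon.sdb'
$log    = Join-Path $work 'restrict-logon.log'

# Back up the current rights first. Roll back with:
#   secedit /configure /db rollback.sdb /cfg before.inf /areas USER_RIGHTS
& secedit.exe /export /cfg $before /areas USER_RIGHTS /quiet | Out-Null

# secedit expects a UTF-16 template when Unicode=yes.
Set-Content -Path $cfg -Value $template -Encoding Unicode
& secedit.exe /configure /db $db /cfg $cfg /areas USER_RIGHTS /log $log /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed, see $log" }

# Verify what is now in effect on this machine.
$after = Join-Path $work 'after.inf'
& secedit.exe /export /cfg $after /areas USER_RIGHTS /quiet | Out-Null
Get-Content $after | Where-Object { $_ -match '^Se(Interactive|RemoteInteractive|DenyInteractive)LogonRight' }

# Next: sign out, try an unauthorized domain account (expect the logon to be refused),
# then an authorized one. Only then copy the same two entries into the GPO.
```

If the GPO is later linked to this PC, the domain setting overrides whatever secedit wrote locally, so the local test leaves nothing behind that the GPO will not also enforce.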
 
sunhux (Author) commented:
Very much appreciated, Maclean.

Give me 2 more days & I'll close this
Question has a verified solution.
