Is It Safe to Deny Administrators Login by Network to Domain Controller?

Posted by Will on January 13, 2007, 2:40 pm
> > Security Policy for the Domain Controllers includes a Security Option to
> > "Deny Login to This Machine From Network". I want to enforce
> > administration of domain controllers by logging into the console, or by
> > logging in through Terminal Services. I don't want Administrators
> > exercising their privilege level over RPC, over file sharing, etc. Can I
> > simply add the Administrators group to the Deny Login from Network security
> > option for the domain controllers to prevent such exposures?
> >
> > Are there other group policy options I should be changing at the same time
> > to further enforce the above requirements?
>
> PS. Yes, you can do so provided you do want no administrative
> account to have the ability to use what is denied. I mean, it will
> not break Windows, perhaps some post-install enterprise
> applications or service usages, but not Windows.


It turns out that Microsoft implements user group policy updates during a
*local* login by *using the network path* to do the update. By adding
administrator to the Deny Access from Network User Privilege, you lock out
the administrator account from group policy updates when you do a local
login!!

That by itself might not be a fatal thing, and you might even incorporate
moving the user in and out of that group when you need to do local
administrative tasks, but once you remove the user it doesn't change
anything. You are in a Catch-22 where the user cannot apply the updated
GPO because it cannot use the network with its current security policy!
Nice design :)

--
Will



Posted by Roger Abell [MVP] on January 13, 2007, 10:07 pm
>> > Security Policy for the Domain Controllers includes a Security Option to
>> > "Deny Login to This Machine From Network". I want to enforce
>> > administration of domain controllers by logging into the console, or by
>> > logging in through Terminal Services. I don't want Administrators
>> > exercising their privilege level over RPC, over file sharing, etc. Can I
>> > simply add the Administrators group to the Deny Login from Network security
>> > option for the domain controllers to prevent such exposures?
>> >
>> > Are there other group policy options I should be changing at the same time
>> > to further enforce the above requirements?
>>
>> PS. Yes, you can do so provided you do want no administrative
>> account to have the ability to use what is denied. I mean, it will
>> not break Windows, perhaps some post-install enterprise
>> applications or service usages, but not Windows.
>
>
> It turns out that Microsoft implements user group policy updates during a
> *local* login by *using the network path* to do the update. By adding
> administrator to the Deny Access from Network User Privilege, you lock out
> the administrator account from group policy updates when you do a local
> login!!
>
> That by itself might not be a fatal thing, and you might even incorporate
> moving the user in and out of that group when you need to do local
> administrative tasks, but once you remove the user it doesn't change
> anything. You are in a Catch-22 where the user cannot apply the updated
> GPO because it cannot use the network with its current security policy!
> Nice design :)
>
Will,

As I said last week in a post to you, the access requirements are
simple: for DCs every account (user or computer) needs access to DCs;
for non-DCs no domain account must have access to the member.
That you can break GP application is true, as well as a host of other
things dependent on the access (DFS dereference if replica there,
login scripts, software install, etc.). Those however did not break
Windows per se, it is there and stable; you impaired features.

Again, I am attempting to understand your underlying objective, as
I have a feeling that the design intent is to use a different approach.

Roger
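The lockout Will describes, and the rule Roger states (every user and computer account needs network access to a DC), can be audited before the policy is applied. This is an added example, not code from either poster: it exports the local user-rights assignment with secedit and flags entries in the deny-network-logon right that stand for whole populations of accounts. It assumes it runs elevated on the DC being checked; the export path is constructed.

```powershell
# Added example, not from the thread: audit the "Deny access to this computer
# from the network" right on a DC for entries that cut whole populations of
# accounts (including the DC itself) off from it, which is what breaks
# Group Policy processing in Will's scenario. Run elevated on the DC.

function Get-DenyNetworkLogonEntries {
    param([string]$ExportPath = (Join-Path $env:TEMP 'user-rights.inf'))  # constructed path

    # secedit writes an INI-style UTF-16 file; USER_RIGHTS limits it to privileges.
    & secedit.exe /export /cfg $ExportPath /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed with code $LASTEXITCODE" }

    $m = Select-String -Path $ExportPath -Encoding Unicode -Pattern '^SeDenyNetworkLogonRight\s*=\s*(.+)$'
    if (-not $m) { return @() }   # right not assigned: nobody is denied

    # Entries look like "*S-1-5-32-544,*S-1-5-21-...-512"; strip the leading '*'.
    foreach ($raw in ($m.Matches[0].Groups[1].Value -split ',')) {
        $sid = $raw.Trim().TrimStart('*')
        try {
            $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                        [System.Security.Principal.NTAccount]).Value
        } catch { $name = '<unresolved>' }
        [pscustomobject]@{ Sid = $sid; Name = $name }
    }
}

function Test-DcDenyNetworkLogon {
    # Well-known SIDs and domain RIDs that mean "every admin", "every user" or
    # "every computer"; by Roger's rule all of them need network access to DCs.
    $wellKnown  = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users'
                     'S-1-5-32-544' = 'BUILTIN\Administrators' }
    $domainRids = @{ 512 = 'Domain Admins'; 513 = 'Domain Users'; 515 = 'Domain Computers'
                     516 = 'Domain Controllers'; 519 = 'Enterprise Admins' }
    $findings = foreach ($e in Get-DenyNetworkLogonEntries) {
        $rid = [int](($e.Sid -split '-')[-1])
        if ($wellKnown.ContainsKey($e.Sid) -or
            ($e.Sid -like 'S-1-5-21-*' -and $domainRids.ContainsKey($rid))) {
            "$($e.Name) ($($e.Sid)) is denied network logon; GP refresh and DC-to-DC access will fail for it"
        }
    }
    if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
    else { 'No population-wide deny entries in SeDenyNetworkLogonRight' }
}

Test-DcDenyNetworkLogon
```

Run it on each DC after a policy change and before the next refresh interval; a warning means the Catch-22 Will hit is about to be enforced.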



Posted by Joe Richards [MVP] on January 13, 2007, 6:26 pm
I am curious why you think this is good from a security standpoint? In
my experience, far more damage has been caused on DCs by people logged
in interactively who were either inexperienced or just plain stupid than
screwing things up remotely.

The main remote issue is folks who log on to workstations interactively
with credentials that have administrative rights to servers. This
usually occurs with folks who use but a single ID for their normal daily
work as well as their admin duties. The main thing to do in that case
though, and what everyone *should* be doing, is require at least two
accounts: one with admin rights and one for normal user work. The admin
account doesn't get a mailbox and is set up via some form of policy or
logon script to disallow interactive logon to workstations. Obviously an
intelligent admin can get around it, but it is a nice reminder that they
aren't supposed to. Then if they need to do something they can use
runas to make the remote connections.

Sure it may be possible to trace that traffic and possibly get some sort
of compromise going but it is FAR more likely, IMO, that some admin is
going to screw up while locally on a DC than someone picking off their
password or other critical data over the wire.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Will wrote:
> Security Policy for the Domain Controllers includes a Security Option to
> "Deny Login to This Machine From Network". I want to enforce
> administration of domain controllers by logging into the console, or by
> logging in through Terminal Services. I don't want Administrators
> exercising their privilege level over RPC, over file sharing, etc. Can I
> simply add the Administrators group to the Deny Login from Network security
> option for the domain controllers to prevent such exposures?
>
> Are there other group policy options I should be changing at the same time
> to further enforce the above requirements?
>

Posted by Roger Abell [MVP] on January 13, 2007, 10:17 pm
> Security Policy for the Domain Controllers includes a Security Option to
> "Deny Login to This Machine From Network". I want to enforce
> administration of domain controllers by logging into the console, or by
> logging in through Terminal Services. I don't want Administrators
> exercising their privilege level over RPC, over file sharing, etc. Can I
> simply add the Administrators group to the Deny Login from Network security
> option for the domain controllers to prevent such exposures?
>
> Are there other group policy options I should be changing at the same time
> to further enforce the above requirements?
>

Change only the account attribute defining the computers the account is
allowed to log into, so that it states the DCs they are near.

Roger
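As an added example (not posted by Roger or Joe), the attribute change Roger describes is the account's "Log On To" list, and Joe's two-account model can be checked against it: privileged accounts with no such list can still authenticate from any workstation. It uses the ActiveDirectory PowerShell module; account and computer names are constructed placeholders.

```powershell
# Added example, not from the thread: scope an admin account's "Log On To"
# list (the userWorkstations attribute) to the DCs it administers, and list
# privileged accounts that have no such scope. Requires the ActiveDirectory module.

function Set-AdminLogonScope {
    param(
        [Parameter(Mandatory)][string]$Identity,     # e.g. 'adm-will' (constructed)
        [Parameter(Mandatory)][string[]]$Computers   # NetBIOS names, e.g. 'DC01','DC02' (constructed)
    )
    # The attribute is a comma-separated list of NetBIOS names, at most 64 of them.
    if ($Computers.Count -gt 64) { throw '"Log On To" accepts at most 64 computer names' }
    $list = ($Computers | ForEach-Object { $_.ToUpperInvariant() } | Sort-Object -Unique) -join ','
    Set-ADUser -Identity $Identity -LogonWorkstations $list
    Get-ADUser -Identity $Identity -Properties LogonWorkstations |
        Select-Object SamAccountName, LogonWorkstations
}

function Get-UnscopedPrivilegedUsers {
    # Members of the privileged groups whose "Log On To" list is empty. A mailbox on
    # such an account hints at the shared daily/admin ID Joe warns about.
    param([string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Administrators'))
    $Groups | ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
        Where-Object { $_.objectClass -eq 'user' } |
        Sort-Object -Property distinguishedName -Unique |
        ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties LogonWorkstations, EmailAddress } |
        Where-Object { [string]::IsNullOrEmpty($_.LogonWorkstations) } |
        Select-Object SamAccountName, EmailAddress
}

# Constructed usage: restrict the admin account to two DCs, then report who is still unscoped.
Set-AdminLogonScope -Identity 'adm-will' -Computers 'DC01', 'DC02'
Get-UnscopedPrivilegedUsers | Format-Table -AutoSize
# Joe's runas step from the daily-use session is unchanged, e.g.
#   runas /user:CONTOSO\adm-will mmc   (domain and account constructed)
```

The "Log On To" list is a logon-time check that complements a GPO deny rather than replacing it, so keep the DC deny rights audit alongside it.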


