Posted by Roger Abell [MVP] on December 30, 2006, 11:02 pm
>> Hi Will,
>>
>> Jesper is quite correct in his response.
>>
>> You may be able to accomplish this objective more simply than
>> defining a group with all accounts except System, however, if
>> your users are members of Users (or Domain Users and hence
>> of Users).
>>
>> I notice that System does not have Users in its token but does
>> have Authenticated Users, Administrators, and Everyone.
>
> How do you enumerate the user groups that SYSTEM belongs to?
>
Same as with any other account, via one of a few ways; e.g.
once logged in as the account, using whoami /all is the simplest.
>
>> Now, for this to work, you would need to have Interactive and
>> Authenticated Users removed from Users (I routinely remove
>> Interactive and Authenticated Users from Users anyway).
>>
>> So, if you just either made sure that each individual admin account
>> was member of Users (or Domain Users), or if you defined a group
>> that mirrored Administrators, and used these in place of Everyone
>> then you would not be auditing for System via those and could
>> avoid the duplications Jesper indicated.
> I've never been crazy about Authenticated Users as a concept as it
> embraces too many totally different things and just makes it harder
> to figure out what is or is not controlled in an ACL.
Authenticated Users was one of the worst inventions ever
to come along and change the NT permission landscape.
Actually, it (to me) makes it easier to figure out what is or is not
controlled by an ACL, since its use is basically saying "I do
not know the specifics, so I grant it and say anyone can." Its use as a
member of Users everywhere is a cop-out, pure and simple,
from the days when MS believed it sufficient and appropriate
to set things based solely upon the requirement that they would
work, like the old Everyone Full Control default on drive
partitions. In order to effect control over what is allowed
to whom, one must go about erasing this (e.g. client systems
in deployment allow only the set of users tasked to use that
group of machines).
(OK - I will moderate that critique slightly. The addition of
Authenticated Users was itself not bad, as it originated to allow
making grants that did not include anonymous accesses. It is
only the slightly later abuse of it, by adding it to Users and by
making use of it directly in ACLs all over the place, that
deserves the prior comment.)
> The only problem in your approach is you would need to think through what
> other kinds of access were previously covered by Authenticated Users and
> provide for those another way. For example, Domain Computers, Domain
> Controllers, Computers from Trusted domains, etc.
That is so for DCs.
For service point member servers or client systems I have
to remove those two in order to exert control over what
account can access the machine. If I break an access that
is fine, as that is the intent.
>
> It would sure be nice if Microsoft would publish a way to build a
> comprehensive list of all entities that might interact with a computer
> so we could control at that level when we want to.
>
The entity list is pretty simple.
If it is a DC, every machine and user accesses it.
If it is not a DC, and there are none of the layered products on
it (i.e. Exchange, IIS, SMS, etc.), then no machine or domain user
must access it (none is required to in order to remain happy), so
back things down to no accesses and add the needed ones from there.
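The two checks the post relies on, reading the groups in an account's token (what "whoami /all" shows) and seeing whether INTERACTIVE and Authenticated Users are nested in the local Users group, as an added PowerShell example that is not from the thread. It assumes you run it as the account of interest (for SYSTEM, start the shell as SYSTEM first, e.g. with PsExec -s), and the optional Users-group listing assumes the Microsoft.PowerShell.LocalAccounts module that ships with Windows PowerShell 5.1 is available.

```powershell
# Added example, not code from the thread. Enumerates the groups carried in
# the current process token (the same data "whoami /all" prints) and then
# reports whether the well-known principals the thread discusses are present.
# Run it as the account you care about; to see the SYSTEM token, start the
# shell as SYSTEM (e.g. PsExec -s -i powershell.exe) and run it there.

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# Well-known SIDs for the principals named in the thread (documented values).
$wellKnown = [ordered]@{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'NT AUTHORITY\INTERACTIVE'
    'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users'
    'S-1-5-18'     = 'NT AUTHORITY\SYSTEM'
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Every SID in the token: the user SID plus all group SIDs.
$tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

"Token user : {0} ({1})" -f $identity.Name, $identity.User.Value
"Token groups:"
foreach ($group in $identity.Groups) {
    # Translate() throws for SIDs with no name (e.g. logon-session SIDs); keep the raw SID then.
    try   { $name = $group.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = '(no name)' }
    "  {0,-45} {1}" -f $name, $group.Value
}

"Well-known principals in this token:"
foreach ($entry in $wellKnown.GetEnumerator()) {
    $state = if ($tokenSids -contains $entry.Key) { 'present' } else { 'absent' }
    "  {0,-35} {1}" -f $entry.Value, $state
}

# Optional: who is nested in the local Users group right now? The post's advice
# is to remove INTERACTIVE and Authenticated Users from it on non-DC machines.
# Assumes the Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1).
if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
    "Members of BUILTIN\Users:"
    Get-LocalGroupMember -Group 'Users' | ForEach-Object {
        $flag = if ($_.SID.Value -in 'S-1-5-4', 'S-1-5-11') { '  <- nested well-known principal' } else { '' }
        "  {0,-45} {1}{2}" -f $_.Name, $_.SID.Value, $flag
    }
}
```

The comparison is done on SIDs rather than names because names for the well-known principals are localized and some token SIDs (logon-session SIDs, for example) have no name to translate at all. Running the first part under SYSTEM shows directly whether BUILTIN\Users (S-1-5-32-545) is absent from that token while S-1-5-11 and S-1-1-0 are present, which is the observation the post builds on.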