Network Security Focus-Microsoft

Re: Re: Restricting account to a computer only

Subject: Re: Re: Restricting account to a computer only
Date: Thu, 14 Oct 2004 13:50:44 -0400
As an FYI, it is not possible to create an account with *no* group membership.

Laura

From: Matt Ostiguy <ostiguy@gmail.com>
Date: 2004/10/06 Wed PM 03:14:45 EDT
To: Paul Aviles <paviles@adjoined.com>
CC: focus-ms@securityfocus.com
Subject: Re: Restricting account to a computer only

OOTB, Domain admins can logon to anything (because when you add a
machine to a domain, the domain admins group is added to the local
admin group, which has the local logon right on both desktops and servers),
and Domain users can only logon to workstations because Server does
not grant the local logon right to the local users group (which
contains the Domain Users group). Any account that is not a member of
either domain admins or users should not have any logon rights
anywhere. So, for your scenario, I might look at creating a user with
no group membership, and explicitly granting that account user rights
on the machine(s) as necessary. If you have multiple machines and/or
accounts performing this task, then I would probably use some
combination of group policy and groups to get this done.

That said, figuring out what you need to assign might be difficult.
Does the product you are deploying (I am assuming it is a product due
to E2k not needing a service account) fully document what rights its
account needs?


On Tue, 5 Oct 2004 13:09:55 -0400, Paul Aviles <paviles@adjoined.com> wrote:
We want to restrict a service account only to login to one computer for
security reasons.

This is for an exchange 2000 server and obviously we don't want anyone
to use the account/password to read people's emails since the account
must be a member of the Domain Exchange Admin (yea/nay?). I found an
option under Account / Login To, but it says at the top "This feature
requires the NetBIOS protocol. In Computer Name, type the pre-Windows
2000 computer name". We obviously don't use NetBios, is there any other
way to do this?
To make things even better... The Exchange server is also a DC...... I
didn't do it...

The same concern I have if we create an account and put them in the
Backup Operators group. What can restrict that account to login only on
servera for example and not in all other workstations in the domain?

Thanks so much for your help.

Paul

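The two mechanisms discussed in this thread, the "Log On To" restriction Paul found on the Account tab and the explicit, minimal user-rights grant Matt suggests, can both be scripted. The following is an added example and is not code from anyone in the thread. It assumes hypothetical names (domain CONTOSO, service account svc-exchange, allowed server EXCH01) and the ActiveDirectory RSAT module. Two facts worth knowing before running it: the "Log On To" dialog's note about NetBIOS refers to the name format (the pre-Windows 2000 computer name stored in the userWorkstations attribute), not to a transport the network must run; and on a domain controller user rights are governed by the Default Domain Controllers Policy, so the secedit step below belongs in that GPO rather than in local policy, which a policy refresh overwrites if the GPO defines the same right.

```powershell
# Added example, not from the original thread. Hypothetical names:
# domain CONTOSO, service account svc-exchange, allowed server EXCH01.
# Part 1 needs the ActiveDirectory module; part 2 runs locally on the
# allowed server as an administrator (use the DC GPO if EXCH01 is a DC).
Import-Module ActiveDirectory

$Domain       = 'CONTOSO'
$Account      = 'svc-exchange'
$AllowedHosts = @('EXCH01')   # pre-Windows 2000 (NetBIOS-style) computer names

# --- 1. "Log On To": the Account-tab setting is the userWorkstations
#        attribute, a comma-separated list of NetBIOS computer names.
#        DCs then refuse logons for this account that originate from any
#        computer not in the list.
Set-ADUser -Identity $Account -LogonWorkstations ($AllowedHosts -join ',')

$u = Get-ADUser -Identity $Account -Properties LogonWorkstations, MemberOf, PrimaryGroup
Write-Host "LogonWorkstations : $($u.LogonWorkstations)"

# --- Every user has a primary group (Domain Users by default) that cannot
#     be removed, so "no group membership" means nothing beyond it. List
#     the additional groups so each one can be justified or dropped.
$extra = $u.MemberOf | ForEach-Object { (Get-ADGroup $_).Name }
Write-Host "Primary group     : $((Get-ADGroup $u.PrimaryGroup).Name)"
Write-Host "Additional groups : $(if ($extra) { $extra -join ', ' } else { '(none)' })"

# --- 2. On EXCH01 only: grant the single right the service needs,
#        SeServiceLogonRight ("Log on as a service"), with secedit.
#        A [Privilege Rights] entry in an .inf REPLACES the holder list for
#        that right, so export the current holders and append to them.
$work = Join-Path $env:TEMP 'rights'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$cur  = Join-Path $work 'current.inf'
$new  = Join-Path $work 'new.inf'
secedit /export /cfg $cur /areas USER_RIGHTS | Out-Null

$principal = "$Domain\$Account"
$right     = 'SeServiceLogonRight'
$found     = $false
$lines = Get-Content $cur | ForEach-Object {
    if ($_ -match "^$right\s*=") {
        $found = $true
        # exported holders appear as *SID entries; a DOMAIN\name is accepted too
        if ($_ -notmatch [regex]::Escape($principal)) { "$_,$principal" } else { $_ }
    } else { $_ }
}
if (-not $found) {
    # the right currently has no holders: add it under [Privilege Rights]
    $lines = $lines | ForEach-Object {
        $_
        if ($_ -eq '[Privilege Rights]') { "$right = $principal" }
    }
}
Set-Content -Path $new -Value $lines -Encoding Unicode   # secedit expects UTF-16
secedit /configure /db (Join-Path $work 'rights.sdb') /cfg $new /areas USER_RIGHTS | Out-Null

# Re-export and show the resulting holder list for the right
secedit /export /cfg $cur /areas USER_RIGHTS | Out-Null
Get-Content $cur | Where-Object { $_ -match "^$right" } | Write-Host
```

When the userWorkstations restriction blocks a logon, the failure is recorded on the authenticating DC as a 4625/4776 event with status 0xC0000070 (STATUS_INVALID_WORKSTATION), which is the event to watch for the Backup Operators case Paul raises as well: the same attribute applies to any account, whatever its group membership.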