Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Microsoft
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Restrict Windows login to certain IPs/hosts for certain domain accou

from [Wayne S. Anderson] Network Security [Permanent Link]
Subject: RE: Restrict Windows login to certain IPs/hosts for certain domain accounts?
Date: Fri, 27 Apr 2007 19:43:53 -0600 
Based on my understanding of what you are asking here, I would strongly
recommend approaching this from a minimal privilege standpoint.  Grant
certain rights on an individual system level for local objects to those
servers rather than trying to grant broader rights and then restrict the
login footprint where that account is valid.

Operate on the principle of least privilege.  Give the account nothing more
than it needs.  If it needs no rights anywhere on the domain other than on
those servers, (including the inability to logon) then modify existing GPOs
so that it is denied logon rights on all the computer objects in other OUs
other than the one that contains this server and do not grant any specific
allowed rights on any other servers.

Then grant the specific privileges on each system which is targeted for
administrative use for this account.

--------------------------------------
Wayne S. Anderson
"An sufficiently developed bug is indistinguishable from a feature."
http://www.linkedin.com/in/wayneanderson 

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of christopher@mallow.name
Sent: Friday, April 27, 2007 2:41 PM
To: focus-ms@securityfocus.com
Subject: Restrict Windows login to certain IPs/hosts for certain domain
accounts?

Hello to all,

I'm working with a particular client who would like to use a certain
domain account with local admin rights for config and other monitoring
via BMC, but would like to restrict that account so that it can only
log on to other systems from a single IP or a small range of IPs
(i.e., the monitoring servers), so that its local admin rights are not
used/abused by others. The client has Windows 2000 and 2003 servers,
and mostly 2000 and XP workstations. The client is using Cisco
Security Agent on the servers, so if that can factor in, that would be
fine, too. Essentially, we need an account with local admin that can
do anything on those systems for the monitoring but can't mess with AD
and can't be used from other locations by other users who might know
the password (or attackers who have guessed the password).

Is this possible? Would simply restricting local logon/TS logon via
user rights be enough? Anyone have ideas that might be helpful? I'm
wide open to suggestions; the Windows guys here are pretty good, but
even they aren't sure how to approach this. Thanks for any assistance.

Sincerely,
Chris Mallow
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Restrict Windows login to certain IPs/hosts for certain domain accounts?, christopher
Next by Date:  RE: Restrict Windows login to certain IPs/hosts for certain domain accounts?, Durr, Robert
Previous by Thread:  Restrict Windows login to certain IPs/hosts for certain domain accounts?, christopher
Next by Thread:  RE: Restrict Windows login to certain IPs/hosts for certain domain accounts?, Durr, Robert
Indexes:  [Date] [Thread] [Top] [All Lists]