
| Subject: | RE: Active Directory |
|---|---|
| Date: | Mon, 3 Sep 2007 09:55:19 -0600 |
It sounds to me like you may have issues with rights delegation. Ideally you should not be using the Administrators group to assign permissions to perform specific tasks. Instead, you should use domain-based groups that have been assigned specific AD rights or specific localized privileges. For example, if you have someone involved in your web applications who should have admin on the 10 servers for web apps but not on any other server in the organization, you construct a group called "IT - WebApp Admins" which is by default assigned no rights at the AD level. You log in to the 10 servers or whatever that make up the administrative scope for this privilege and assign this new group administrator rights locally. This can be more time consuming to implement but is a far more granular implementation of rights in the long term.

Now, as for specifically locking out an administrator regardless of admin rights that may already be assigned, that is done through one of two methods: either the local security policy (pre-Vista) or the assignment of security policy through a GPO (nearly any Windows OS in a domain environment). You need to deny logon locally and/or deny logon through the network. The only other thing you need to consider here is that your RDP rights assignment for a given machine may include blanket permissions for the Administrators group. You will want to look at that.

As far as disabling a computer is concerned, are you looking to physically disable it so it will not turn on, or simply remove it from network use? At the present time I am guessing the latter, but in either case there is no way to authoritatively do either without moving beyond the MS/Windows environment and working on the network switch. In a Server 2008 environment with appropriate hardware, the answer for the latter is exercising Network Access Protection (NAP), which one would hope was already in your network infrastructure.

NAP: http://technet.microsoft.com/en-us/network/bb545879.aspx

Wayne S. Anderson
http://www.linkedin.com/in/wayneanderson

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On Behalf Of wjbox1-guard@yahoo.com
Sent: Thursday, August 30, 2007 12:19 AM
To: focus-ms@securityfocus.com
Subject: Active Directory

What is the easiest way to lock a lower-level administrator from using the PC via Active Directory? When disabling a computer, what else can be done without having to block the IP address or MAC to make sure the PC does not get on the network and/or change the computer name?
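The delegation and logon-deny procedure described in the reply above, as an added example that is not part of the original post: it creates the scoped domain group, grants it local Administrators only on the in-scope web servers, and then audits each server's user-rights assignment for the deny-logon and RDP-logon rights the reply says to check. It assumes the RSAT ActiveDirectory module, Windows PowerShell 5.1 or later (for the LocalAccounts cmdlets), and domain-admin credentials; the domain name, server names and OU path are placeholders.

```powershell
# Added example, not from the original post. Assumes RSAT ActiveDirectory module,
# Windows PowerShell 5.1+ and domain-admin rights. Names below are placeholders.
$domain     = "CONTOSO"                                   # placeholder NetBIOS domain
$groupName  = "IT - WebApp Admins"                        # group name from the reply
$webServers = @("WEB01", "WEB02", "WEB03")                # placeholders for the in-scope servers

# 1. Create the domain group as a plain global security group: no AD-level rights.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Path "OU=Groups,DC=contoso,DC=com"               # placeholder OU
}

# 2. Grant that group local Administrators membership only on the in-scope servers.
Invoke-Command -ComputerName $webServers -ArgumentList "$domain\$groupName" -ScriptBlock {
    param($member)
    if (-not (Get-LocalGroupMember -Group "Administrators" -Member $member -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group "Administrators" -Member $member
    }
}

# 3. Audit the effective user-rights assignment on each server: who is denied
#    logon locally / over the network / via RDP, and who currently holds the
#    RDP logon right (a blanket grant to Administrators is what the reply warns about).
#    secedit exports principals as SIDs (e.g. *S-1-5-32-544 = BUILTIN\Administrators).
function Get-LogonRightsAudit {
    param([string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $cfg = Join-Path $env:TEMP "secpol-audit.inf"
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $rights = @{}
        foreach ($line in Get-Content $cfg) {
            # Lines in [Privilege Rights] look like: SeDenyNetworkLogonRight = *S-1-5-...,*S-1-5-...
            if ($line -match '^(Se\w+)\s*=\s*(.*)$') { $rights[$Matches[1]] = $Matches[2] }
        }
        Remove-Item $cfg -Force
        [pscustomobject]@{
            Computer       = $env:COMPUTERNAME
            DenyLocalLogon = $rights['SeDenyInteractiveLogonRight']
            DenyNetLogon   = $rights['SeDenyNetworkLogonRight']
            DenyRdpLogon   = $rights['SeDenyRemoteInteractiveLogonRight']
            RdpLogon       = $rights['SeRemoteInteractiveLogonRight']
        }
    }
}

$webServers | ForEach-Object { Get-LogonRightsAudit -ComputerName $_ } | Format-Table -AutoSize
```

Step 3 only reads the local policy; where a GPO applies the deny rights, the exported values reflect the GPO's effective setting, so an empty DenyLocalLogon or DenyNetLogon column on a server that should block the account is the finding to act on.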