As I learnt on my latest course, normal users (in our case students) have the ability to add 10 computer accounts to a domain. I am the apprentice and do not want to fiddle too much, in case of breaking something and then being hunted through the building before experiencing a horrible, painful death.
So, I come to ask if anyone knows a simple solution to this security hole? Thanks.
Although this is technically true, if your network is fairly secure anyway there should be no option that they can access to join a domain. They shouldn't be allowed to get into the rename computer dialogue or anything like that.
The only place this may be an issue is students bringing in laptops from home and joining them to the domain but there are a number of different solutions to this.
This can be configured via group policy; haven't got time to check right now, but surely this isn't the default anyway?
Creating a Computer Account Management Plan: Logon and Authentication should shed more light on the issue.
Specifically this bit:
Allow authenticated users to create new computer accounts. This approach might be desirable in organizations where users can be largely trusted. However, if you only want to trust a limited group of users, such as developers, for example, to create new computer accounts, you can control this by using the Security Configuration Manager to either assign or deny this right to users. By default, authenticated users are assigned the Add workstations to domain user right on the Group Policy object on domain controllers. This enables them to create up to 10 computer accounts in the domain by using the Network Identification Wizard. The wizard requests information about the computer name, the domain or workgroup that the computer is joining, and the domain users that are to be added to the local groups for local computer access, and uses this information and the credentials of the authenticated user to create a new account in Active Directory.
Hmm, I've just checked our domain security policy (Administrative Tools > Domain Security Policy > Local Policies > User Rights Assignment) and the default is indeed to allow users to create 10 computer accounts. This can be secured by configuring the policy option with the users/groups that are to be permitted to create computer accounts.
It may also need changing within the Default Domain Controller Security Policy.
Think I'll have to take a closer look at the policies... I really wasn't expecting anything like that to be the default option, argh.
Last edited by Jamman960; 4th November 2009 at 10:34 AM.
Couldn't have put it better myself!
Indeed by default any user can add 10 machines.
I thought this was a well-known security issue in Server 2003; I've always known about it, and restrict my network by specifying the groups that are allowed to add machines to the domain in the Default Domain Controllers Policy.
I've now disabled all users apart from Administrators from adding computers to the domain.
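As an added example (not a post from this thread), here is a PowerShell audit of the two places the replies above point at: the ms-DS-MachineAccountQuota attribute on the domain object, which is where the "10 accounts per user" limit actually lives, and the "Add workstations to domain" right in the Default Domain Controllers Policy. It assumes RSAT (the ActiveDirectory and GroupPolicy modules) and Domain Admin rights; the attribute names are real, but the way the GPO report XML is parsed is my assumption about its layout.

```powershell
# Added example, not from the thread: audit who can still create computer
# accounts, then (optionally) set the quota to 0. Run from an elevated prompt.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# 1. The per-user limit is ms-DS-MachineAccountQuota on the domain object (default 10).
$domainDN = (Get-ADDomain).DistinguishedName
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota is currently $quota (Microsoft default: 10)"

# 2. Machines joined under that quota (rather than via a delegated right) keep the
#    joiner's SID in mS-DS-CreatorSID, so they show who has already used it.
Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties mS-DS-CreatorSID, whenCreated |
    ForEach-Object {
        $raw = $_.'mS-DS-CreatorSID'
        # The AD module may return a SecurityIdentifier or the raw SID bytes.
        $sid = if ($raw -is [byte[]]) {
            New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
        } else { [System.Security.Principal.SecurityIdentifier]$raw }
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }   # creator account may since have been deleted
        [pscustomobject]@{ Computer = $_.Name; JoinedBy = $who; When = $_.whenCreated }
    } | Format-Table -AutoSize

# 3. Who holds "Add workstations to domain" (SeMachineAccountPrivilege) in the
#    Default Domain Controllers Policy. Assumed XML layout: a UserRightsAssignment
#    node with a Name child and one Member child (with its own Name) per grantee.
[xml]$report = Get-GPOReport -Name 'Default Domain Controllers Policy' -ReportType Xml
$xpath = "//*[local-name()='UserRightsAssignment']" +
         "[*[local-name()='Name']='SeMachineAccountPrivilege']" +
         "/*[local-name()='Member']/*[local-name()='Name']"
$grantees = $report.SelectNodes($xpath) | ForEach-Object { $_.InnerText }
Write-Host "SeMachineAccountPrivilege is granted to: $($grantees -join ', ')"

# 4. Belt and braces: even if the right stays with Authenticated Users, a quota of 0
#    stops ordinary users creating computer objects. Remove -WhatIf to apply.
Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 } -WhatIf
```

Step 3 only reads the GPO; editing User Rights Assignment is still done in the Group Policy editor as the posts above describe.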
Yep, I remember reading an interview with an MS employee who worked on the AD design team. They just decided on a number out of the blue; he had a reason for it that I can't remember now, but I remember laughing at it.
Surely it would be 0 by default with an option to enable it. BUT it's not a security flaw, it was a 'thought-out' design decision.