Windows Server 2000/2003 Thread, Securing a Win2k3 Network in Technical
-
27th November 2009, 07:59 PM #31 With restricted groups any non specified member is removed from the local group.
-
-
27th November 2009, 08:00 PM #32

Originally Posted by
mac_shinobi
Is that a part of the restricted users thing mentioned above?
Yeah it is - another thing you should double check is that your Local Admin account does NOT have the same password as your Domain Admin account.
This is another way he could have potentially messed around with shares and NTFS permissions on the network - however in order to get that password, he'd either have to guess it, crack it or somehow take control of the account itself without a password change.
I've never heard of anything except perhaps an NT Service able to run-as an account without the need for the password (SYSTEM, NETWORK SERVICE, LOCAL SERVICE).
However that 'Do not store NTLM hashes' thing noted above sounds good - can't believe I overlooked it before now - will be turning that one on.
Az
-
-
27th November 2009, 08:10 PM #33
I've never heard of anything except perhaps an NT Service able to run-as an account without the need for the password (SYSTEM, NETWORK SERVICE, LOCAL SERVICE).
They all still have a password but the password is managed by Windows.
-
-
1st December 2009, 02:00 PM #34
Since changing the network password I've not heard a whisper. Checked the kid's docs again today, he's got a few scripts for website cracking, injectors etc.
I'm concerned the restricted groups GPO hasn't worked though, I put it into place last week and logged onto a computer today and there was definitely more than local groups that the one I specified.
-
-
1st December 2009, 02:04 PM #35

Originally Posted by
Busybub
Just ran some quick tests:
Presumably you have set Authenticated Users or Administrators to Full Control in the share permissions?
You need to remove both of those groups and specify others such as Domain Admins, and the specific user groups defined in your AD; students, teachers etc.
Yes you're right, I thought it was the ntfs perms that locked it down though?
What's your thinking?
-
-
1st December 2009, 02:11 PM #36 
Originally Posted by
dave20046
Yes you're right, I thought it was the ntfs perms that locked it down though?
What's your thinking?
Maybe that is what he meant?
We have the share permissions set to Everyone 'Full Control' here then the folders NTFS permissions lock it down.
-
-
1st December 2009, 02:15 PM #37

Originally Posted by
tmcd35
Maybe that is what he meant?
We have the share permissions set to Everyone 'Full Control' here then the folders NTFS permissions lock it down.
Yeah, I just want to make sure though.
Currently I have the share perms, authenticated users full control, and the ntfs perms are locked down to the correct security groups/users.
-
-
1st December 2009, 02:25 PM #38 
Originally Posted by
dave20046
Thanks for the above, I wasn't aware of the restricted groups setting I'll look into it and get it enforced. I'll nip round as many vulnerable stations as possible to alter the bios settings too (was hoping I could avoid that!)...
Most brands like Dell have software packages so that you can remotely monitor/alter BIOS on client machines these days.
-
-
1st December 2009, 02:28 PM #39 
Originally Posted by
dave20046
Since changing the network password I've not heard a whisper. Checked the kid's docs again today, he's got a few scripts for website cracking, injectors etc.
I'm concerned the restricted groups GPO hasn't worked though, I put it into place last week and logged onto a computer today and there was definitely more than local groups that the one I specified.
I only manage the local Administrators group. To do that you need to open the GPO, click add group and either browse for the local group or type it exactly. It should be the name of the local computer group, so Administrators for 'Group Name', then add any domain groups that you want, e.g. 'Domain\Domain Admins', 'Domain\ITSupport', AND you must name local users as well, so 'Administrator' or the new name if you rename the local admin. Any accounts not listed will be removed.
The policy also needs to be a machine policy attached to an OU containing the computers you wish it to manage.
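The replace-membership behaviour described in this post ("any accounts not listed will be removed"), as an added example that is not part of the original thread: it parses the `[Group Membership]` section a Restricted Groups policy stores in the GPO's GptTmpl.inf and reports which current members of a local group would be removed, kept or added. The sample file contents, the domain SID, the EXAMPLE domain and the account names are constructed, and members are compared as plain strings with no SID-to-name lookup.

```python
import configparser

# Constructed sample of a Restricted Groups entry in GptTmpl.inf.
# S-1-5-32-544 is the well-known SID of the local Administrators group;
# the S-1-5-21-... domain SID and the EXAMPLE domain are placeholders.
# (A real GptTmpl.inf in SYSVOL is UTF-16; open it with encoding="utf-16".)
SAMPLE_GPTTMPL = r"""
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,Administrator,EXAMPLE\ITSupport
"""

# Constructed "before" state of the local Administrators group on one PC.
SAMPLE_CURRENT = ["Administrator",
                  "S-1-5-21-1111111111-2222222222-3333333333-512",
                  r"EXAMPLE\student07", "LocalHelper"]

def restricted_members(inf_text):
    """Map each restricted group to the member set its __Members line lists."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case; the default lowercases option names
    cp.read_string(inf_text)
    policy = {}
    if cp.has_section("Group Membership"):
        for key, value in cp.items("Group Membership"):
            group, _, kind = key.rpartition("__")
            if kind.lower() == "members":  # __Memberof lines are additive, skip
                policy[group.lstrip("*")] = {
                    m.strip().lstrip("*").casefold()
                    for m in value.split(",") if m.strip()}
    return policy

def plan(current, allowed):
    """Show the effect of enforcing 'allowed' on a group's current members."""
    cur = {m.casefold() for m in current}  # account names are case-insensitive
    return {"removed": sorted(cur - allowed),
            "kept": sorted(cur & allowed),
            "added": sorted(allowed - cur)}

if __name__ == "__main__":
    for group, allowed in restricted_members(SAMPLE_GPTTMPL).items():
        print(group, plan(SAMPLE_CURRENT, allowed))
```

If a workstation still shows members that land in "removed", the policy has not applied to that machine, which points back at the GPO link and OU placement mentioned in the post.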
-
-
1st December 2009, 02:39 PM #40 
Originally Posted by
p858snake
Most brands like Dell have software packages so that you can remotely monitor/alter BIOS on client machines these days.

Does the machine need vPro support (is there an AMD equivalent?) to do this?
-