Open Tech Support
Open Tech Support Archives

Security Policy Question regarding Logon ?

Posted by: rookie420

Hi,

I have installed Windows Server 2000 & Windows 2003 and made it a Domain Controller. I am trying to implement Active Directory technology.
I have a small network of around 50 PCs. We have Windows XP Professional, Windows 98 and Windows Millennium.

What I am trying to do is:
For any given machine I would like to DENY LOCAL LOGON for all users including Administrator of the local workstation.

1. How can I achieve this in Windows XP Professional?

2. On the Log On to Windows screen, is it possible for me to see only:
USERNAME:
PASSWORD:
Log on to: (domains...)

note: in "Log on to" currently I am seeing the domain name and XYZ (this computer)

I want to remove XYZ(this computer) and the only option the user should see is DOMAIN NAME.

3. Will the Domain Administrator have full rights on the local client computers?

Thank you.



Posted by: Kdr Kane

Please forget this idea.

You've come up with a "solution", but I'm not understanding what you're trying to accomplish. There are better ways of installing security on the workstations.

You'd be much better off if you upgrade all your workstations to Windows XP. What are you going to do about the Win9x computers on which this procedure has no effect?

Once you go down the road of using "Deny" permissions, you'll be screwed up for life. And anybody that follows you will condemn you to hell.



Posted by: rookie420

I am going to upgrade all win 98 to Windows XP professional.

1. I want all the users to log in to Domain and they shouldn't be able to "log on locally"

2. On the Log On to Windows screen, is it possible for users to see only:
USERNAME:
PASSWORD:
Log on to: (domains...)

note: in "Log on to" drop down menu, currently I am seeing the domain name and XYZ (this computer)

I want to remove XYZ(this computer) and the only option the user should see is DOMAIN NAME, so that they are forced to log into Domain.

3. The reason I want the users to log into the domain is the many features of A.D. such as publishing software, scripts, etc.

4. Do I have to go to all client PCs running XP and configure the LOCAL SECURITY POLICY and enable "DENY LOCAL LOGON"? Or can I do this from Domain Policy?


5. Is it possible to remove Local Administrator from the Workstation and add Domain Administrator in his place?

Regards,
rk420



Posted by: Kdr Kane

Quote:

1. I want all the users to log in to Domain and they shouldn't be able to "log on locally"

They can't logon with "local" credentials because they don't have the ability to create a local account. So, they can't by default.
Quote:

2. On the Log On to Windows screen, is it possible for users to see only:

Why restrict them from logging on to trusted (maybe in the future) domains? They can't logon with credentials to untrusted domains. They can only logon with credentials from your single domain if that's all you got.
Quote:

3. The reason I want the users to log into the domain is the many features of A.D. such as publishing software, scripts, etc.

Well, yes. That's the way it works. See above about only having domain credentials.
Quote:

4. Do I have to go to all client PCs running XP and configure the LOCAL SECURITY POLICY and enable "DENY LOCAL LOGON"? Or can I do this from Domain Policy?

You could do this, but then NOBODY could logon to the workstation.
Quote:

5. Is it possible to remove Local Administrator from Workstation and add in his place Domain Administrator ?

No. But you can rename the Administrator account and make a decoy account named Administrator that is disabled. Domain Admins are automatically added to the local Administrators group.

You should set up a test domain and figure out how things work in the default environment.



Posted by: rookie420

--------------------------------------------------------------------------------
1. I want all the users to log in to Domain and they shouldn't be able to "log on locally"
--------------------------------------------------------------------------------
Quote:

They can't logon with "local" credentials because they don't have the ability to create a local account. So, they can't by default.

--------------------------------------------------------------------------------
2. On the Log On to Windows screen, is it possible for users to see only:
--------------------------------------------------------------------------------
Quote:

Why restrict them from logging on to trusted (maybe in the future) domains? They can't logon with credentials to untrusted domains. They can only logon with credentials from your single domain if that's all you got.

--------------------------------------------------------------------------------
4. Do I have to go to all client PCs running XP and configure the LOCAL SECURITY POLICY and enable "DENY LOCAL LOGON"? Or can I do this from Domain Policy?
--------------------------------------------------------------------------------
Quote:

You could do this, but then NOBODY could logon to the workstation.

Thank you for your reply

However, I am still not satisfied. Let me explain the situation to you.

We are using Peer-2-Peer network right now. Several users have Windows XP Professional and they have created their own LOCAL USER ACCOUNTS, and some of the users also know the password for the local administrator on their Windows XP workstation. Some users have been playing with their IP addresses. They keep changing the IP addresses and this results in IP conflicts.

Now, what I want to do is force all users to log only to DOMAIN, they shouldn't be able to log in LOCALLY so they can change the ip address and install unlicensed software etc...

So, two important questions:
Q1: How can I force all the users to LOG ON TO DOMAIN? (Of course I will make the workstations part of the domain.)
Q2: Do I have to disable local user accounts?
or
Do I have to enable DENY LOCAL LOGON on the workstation (local security policy) or
in the Default Domain Policy?

I will appreciate any answers.
Thank you.
regards,
rk420



Posted by: Bleyn

Ah...

From what it sounds like, the first thing you probably do is go change the local Administrator password on all of the systems. Seriously. You can already see what sort of trouble people who shouldn't have it are getting into when they do have it. And it's not like they should have much room to complain about it. If they aren't part of your computer/network admin/support team, they probably don't need access to the admin account anyway. Not to mention the fact that if they do need some special access for a certain application, there are better ways to give it to them than giving them the admin login.

The next thing you can do at the same time that will help is lock all of the users in XP down to limited accounts. With a limited account in XP, they should not have the access to do things like change the IP addresses. It is the equivalent of a User mode account in Win2k. It will also keep them from being able to force a change to the admin account password.

BTW, if you have the XP systems set to do Win2k style logins where they have to type the user name and password, be sure to change the password on all of the admin accounts. One of those accounts is named administrator, is semi-hidden such that you might not see it in the Users control panel unless someone has logged into it, and does not have a password by default.

I would suggest doing these things first.

As has been said before, the only good way to deny your users local access is to delete their local accounts, so that the only login they have is the one set up on the domain controller. And before you go doing that, you really want to give everyone a chance to back up all their documents to a file server.

Attempting to deny local access to the administrator account is just asking for trouble. If a computer is crashed, you might need that local account available.

Changing admin passwords, and locking accounts down to limited/user mode will give you time to figure everything out with configuration of a domain controller before you roll it out on everyone. And it should stop a lot of the things that are causing problems right now.



Posted by: rookie420


Thank you for your reply.

Quote:

From what it sounds like, the first thing you probably do is go change the local Administrator password on all of the systems.


That's possible... but then I have to change the local administrator password for all the clients, and it is not advisable to use the same password for 50+ workstations... plus, suppose I need to change the password of administrator, then I have to visit all 50+ workstations and change it.

Quote:

The next thing you can do at the same time that will help is lock all of the users in XP down to limited accounts.


Yes, that is another solution without using a Domain Network... lock all the users to limited accounts...

Quote:

As has been said before, the only good way to deny your users access to local access is to delete their local accounts, so that the only login they have is the one set up on the domain controller. And before you go doing that, you really want to give everyone a chance to back up all their documents to a file server.


So, that means no need to go and configure the local logon policy on all client PCs? Right? Just delete the local user accounts... and tune the local security policy, such as disabling INTERNET CONNECTION OPTIONS etc.

Quote:

Attempting to deny local access to the administrator account is just asking for trouble. If a computer is crashed, you might need that local account available.


Ok.

I have a few remote clients (around 400 miles away from me) connected to our network by Leased Lines... They are using XP Professional... my question is simple: is there a way to lock down their local accounts remotely, or do I have to go to their PCs and delete local accounts?
(Do I have to make a script that configures the registry settings to delete the local users or deny local logon for all users except for administrator?)


But I am interested in going for Active Directory solution.

WHY ?
Suppose the management tomorrow decides to restrict the users to open only the homepage... then I have to configure the local security policy on all the workstations (50+)... But if I have Active Directory implemented then I can just configure the Policy settings for the container/OU... instead of going to each client and configuring local security settings...

Finally, what are the steps I have to take?

1. Domain Controller

2. Workstations

3. Do I have to remove "Authenticated Users" from both Domain Controller and Workstation? Because when I enable/disable anything in the local security policy on the client, such as disabling access to Internet Options in IE, and log in as Administrator@local, I get this message: "This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator"; I am getting the same message when I log on as Administrator@domain. Any clues how to solve this problem? Doesn't the Domain policy overwrite the local security policy when I log in as administrator@domain?


4. In the local security settings for the workstation, what is the best security setting?
- Add Administrator@local ?
- Add Users@domain ?
- Add authenticated users@domain ?
- Add Domain Users@domain ?
- Add Domain Computers@domain ?


Thanks for the help folks,
regards,
rk420



Posted by: Kdr Kane

First off, welcome to the world of W2K Admin. Don't get ahead of yourself. Take it a step at a time.

You have a slew of issues here. You are not likely to get your users to agree that they can't be administrators on their computers. You need to get a company policy from management that allows you to remove everyone as local admin before you can really do anything. If they're local admin, you CANNOT stop them from using local accounts. And most domains, especially one as undeveloped as yours, require your users to be local admins unless you have a software delivery and installation system set up.

Your problem is that you don't have a secure network. You also don't have a true domain if your users are still using peer-to-peer. It's possible to disable peer-to-peer by disabling the Server Service for the workstations in AD. This is one reason why you want your workstations segregated in their own OU from the Accounts and Servers. Again, you better get management to back you up if you want to disable the Server Service.
Quote:

So, two important questions:
Q1: How can I force all the users to LOG ON TO DOMAIN? (Of course I will make the workstations part of the domain.)
Q2: Do I have to disable local user accounts?
or
Do I have to enable DENY LOCAL LOGON on the workstation (local security policy) or
in the Default Domain Policy?

Again, I'm going to tell you that you can't do this unless you remove all users from local admin. You can actually do this by logon script. And no, I don't have an example handy, there are plenty of sites that have startup script examples.

You still seem to be stuck on using DENY permissions. Get over it. It's simply wrong thinking. I can only think of one or two situations where DENY permissions might be alright and this situation is definitely not one of them.

For now, you need to concentrate on getting everybody onto an NT OS such as XP and make sure everyone is trained on using their domain account. Make sure you have all your shares set up on member servers so the users can store their data on the server for backup. Get rid of local printers and have the users utilize printer shares on the servers to IP based printers.

Get some logon scripts to automatically map their drives and printers to the servers. Implement Folder Redirection to put their My Documents folder on the server.

That's quite a bit to do. Once you get that all done, then it'll be time to figure out how you're going to start delivering software, service packs and patches. At this point, you can start testing to see whether your software can be installed for users that are non-admin and how to make that work.
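Kane's advice above (remove everyone from local admin, by script if need be) and Bleyn's earlier point about locking users down to limited accounts both come down to one mechanical task: make sure the local Administrators group on each workstation contains only who it should. The PowerShell below is an added example, not a script from this thread or from any poster; it audits the local Administrators group against an approved list and only removes members when run with -Remove. It uses the WinNT ADSI provider, which works on PowerShell 2.0 (the version available for XP SP3 and Server 2003) as well as on current Windows. The domain name CORP and the approved list are placeholders; "CORP\Domain Admins" is kept because, as Kane noted, Domain Admins are added to the local Administrators group automatically when a machine joins the domain.

```powershell
# Added example, not code from the thread. Audits the local Administrators
# group on one workstation against an approved list and, with -Remove, drops
# everyone else, which leaves the remaining users as limited (non-admin)
# accounts. Domain name CORP and the approved list are placeholders.

param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string[]]$Approved = @("$ComputerName\Administrator", "CORP\Domain Admins"),
    [switch]$Remove     # without -Remove the script only reports (dry run)
)

$group = [ADSI]"WinNT://$ComputerName/Administrators,group"

# Members() returns COM objects; read each one's ADsPath. Domain accounts come
# back as WinNT://CORP/jdoe; for local accounts the computer name precedes the
# account (WinNT://CORP/WKS042/Administrator), so keep the last two components.
$members = @($group.psbase.Invoke("Members")) | ForEach-Object {
    $path  = $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null)
    $parts = ($path -replace '^WinNT://', '') -split '/'
    New-Object PSObject -Property @{
        Path = $path                          # needed again for Remove()
        Name = ($parts[-2..-1] -join '\')     # e.g. CORP\jdoe or WKS042\Administrator
    }
}

$report = foreach ($m in $members) {
    if ($Approved -contains $m.Name) {        # -contains is case-insensitive
        "KEEP     $($m.Name)"
    }
    elseif ($Remove) {
        $group.psbase.Invoke("Remove", $m.Path)
        "REMOVED  $($m.Name)"
    }
    else {
        "EXTRA    $($m.Name)   (re-run with -Remove to drop this member)"
    }
}

$report
```

Changing group membership needs administrative rights on the workstation, so this is suited to running as a Group Policy computer startup script (which runs as SYSTEM) or by an administrator, not as a per-user logon script. Run it once without -Remove on a few machines and read the EXTRA lines before letting it change anything; accounts that are listed there and still need admin rights for a specific application are exactly the cases Bleyn says should be handled another way.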



Posted by: rookie420

Thank you for your reply, Kane.

Definitely I am going to get the approval from management to
(a) delete local user accounts
(b) remove admin rights from the users
(c) force them to use Domain Server

1. So the first step for me would be to remove Local Users,
either by going to each workstation and removing them OR using a logon script.

The next step:
2. I will join the workstations to the Domain.... Right now they are using a Peer-to-peer (workgroup) network. This again can be achieved by going to each workstation and configuring it, or by using a script.


My other concern is that no user should be able to plug in the network cable, configure TCP/IP and come on the network;
this was the original problem.

We are working in a workgroup environment... and there are some users who:
1. Play with their IP addresses.
2. Unauthorized employees bring their own PCs, connect to the LAN (they configure the IP address by themselves) and download software from the server; they also use the Internet and download videos & music.
3. The problem of unlicensed software being installed.
etc. etc.
So we have decided to implement Active Directory Services to control all this headache.

So, how and where do I start from?



Posted by: Kdr Kane

I don't think that the users modifying their IP addresses is a problem. Maybe you can explain why. At least it's not a problem once they are in the domain. I'd just simply say that the machines need to be part of the domain. It's a security boundary and should suffice.

As for downloading, you'll need a proxy server and firewall to keep them from doing that until you can get all the users removed as local administrators. This will also prevent them from changing their IP addresses if you are so intent on this.

I'm sorry to seem like I'm dodging the question, but if your users are bringing in their own computers and connecting to the network, that is a management problem. Users doing that should be fired for compromising the security of your network. They could be bringing in viruses and even maliciously sniffing your network.

You could configure DHCP to only give out static IP addresses to specific MAC addresses, however this will not prevent a user from changing their own IP configuration for that particular subnet. It's a headache to maintain such a network. And it's not very scalable.

Remember this, it doesn't matter how tight you lay down your security. If an abuser has physical access to a computer or network, you cannot stop your security from being compromised and still have a maintainable and scalable environment. These are management policy issues that MUST be enforced.

In addition, it's management's responsibility to notify their users that downloading and installing unauthorized software/media is a disciplinary offense. Management can be held legally liable for illegal software or media in their network environment. This is a business justification for purchasing firewalls and proxy servers. Non-company machines must never be allowed on the network.

The hardest part of your job will be the social engineering of your management. Good luck.



Posted by: EvilCable

I believe a lot of this (like renaming the local admin account, disabling local computer logon and the like) can be handled through group policy. At least, most of it can via the Windows 2003 AD (there are enhanced features in 2003 AD). At work we run a 400+ computer 2000 AD, at home I just run a 15 computer 2003 AD. I have noticed some differences; however, on the work computers, we use Ghost and the local admin account is changed/passworded in the Ghost image. However, we do not disable the "domain" bar on the logon screen due to multiple domains and the need to log on locally.



Posted by: EvilCable

Also wanted to add in, Kane has a very good point.

Company policy *NEEDS* to be enforced in situations such as that. You need to let the manager know that employee issues (such as web surfing, email and such) need to be handled at the manager level and *NOT* the systems level. If a person is abusing system resources so badly that it needs to be handled via systems, then my opinion is, that person needs to be fired. Period.

This goes the same for bringing in your own computer, or even setting up rules in Outlook to forward email to your home account.



Posted by: rookie420

Thank you for the suggestions and advice.
Quote:

As for downloading, you'll need a proxy server and firewall to keep them from doing that until you can get all the users removed as local administrators. This will also prevent them from changing their IP addresses if you are so intent on this


How is changing an IP address an issue?

Okay, let me explain: we have several branches... My branch has 50+ users. Only some users - who are managers - are allowed to access the Internet. The proxy server, MS Proxy Server, is located in the head office. Users connect to the head office via Leased Line.
There is an option in MS Proxy Server to give Internet access to only specific IP addresses... Some users - who are abusing system resources from my branch - have learnt how to change the IP address. So they change their IP address to the IP which has access to the Internet... and when the manager or the person whose IP address has been hijacked turns on the system, he gets the message "IP CONFLICT"; so this is one major problem... --> IP THEFT.
Finding who stole the IP address is very hard... it is impossible... because we don't maintain a list of MAC addresses...

This is one of the reasons...

For all the above mentioned reasons I want to implement DHCP + AD together...

The other thing: why I was asking that users should see only DOMAIN NAMES in the Windows logon screen. When I was in university, our labs had Windows NT workstations connected to an NT 4 Server... and there was no such option, LOG ON TO THIS COMPUTER... in the drop down menu the only options which I used to see were domain names...


>>>>> can anyone answer my questions... <<<<<

thanks.



Posted by: Kdr Kane

It's not difficult to identify whose computer has swiped an IP address.

Try nbtstat -A xxx.xxx.xxx.xxx. It should tell you who is logged on to that computer.

See? It's really just a matter of trying to figure out what you want to do. You're asking for a solution to a solution you came up with. You need to ask questions about how to fix a problem. Sometimes there is a fine line between the two and it may not be easy to identify the real problem.

DHCP and AD are not going to fix this problem. This is a disciplinary problem.
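Kane's nbtstat -A suggestion is the practical answer to the "IP THEFT" complaint in the previous post: the name table it returns for an address names the computer, the logged-on user (the <03> entries registered by the Messenger service) and the MAC address of the adapter, which also supplies the MAC list rookie420 says was never kept. The PowerShell below is an added example, not code from the thread or from any poster; it parses that output into an object and checks the MAC against a small inventory. The sample output, host names, domain name (CORP) and MAC addresses are constructed for the illustration.

```powershell
# Added example, not code from the thread. Parses "nbtstat -A <ip>" output to
# name the computer, the logged-on user and the MAC address answering on a
# swiped IP, then checks the MAC against an inventory. Sample text, names,
# domain (CORP) and MACs below are constructed.

function ConvertFrom-NbtstatTable {
    param([string[]]$Lines)

    $computer = $null
    $users    = @()
    $mac      = $null

    foreach ($line in $Lines) {
        # Table rows look like:   WKS042         <00>  UNIQUE      Registered
        if ($line -match '^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+Registered') {
            $name = $matches[1]; $suffix = $matches[2].ToUpper(); $type = $matches[3]
            if ($type -ne 'UNIQUE') { continue }   # GROUP rows carry the domain/workgroup name
            switch ($suffix) {
                '00' { if (-not $computer) { $computer = $name } }  # Workstation service: computer name
                '03' { $users += $name }                             # Messenger names: computer and logged-on user
            }
        }
        elseif ($line -match 'MAC Address\s*=\s*([0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5})') {
            $mac = $matches[1].ToUpper()
        }
    }

    # The <03> name that is not the computer itself is the interactive user, if one is logged on
    $user = $users | Where-Object { $_ -ne $computer } | Select-Object -First 1

    New-Object PSObject -Property @{
        Computer = $computer
        User     = $user
        MAC      = $mac
    }
}

# Constructed sample in the layout nbtstat prints on 2000/XP/2003
$sampleText = @'
Local Area Connection:
Node IpAddress: [192.168.10.5] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    WKS042         <00>  UNIQUE      Registered
    CORP           <00>  GROUP       Registered
    WKS042         <20>  UNIQUE      Registered
    CORP           <1E>  GROUP       Registered
    WKS042         <03>  UNIQUE      Registered
    JDOE           <03>  UNIQUE      Registered

    MAC Address = 00-0C-29-3A-1B-7F
'@
$sample = $sampleText -split "`r?`n"

# Constructed MAC inventory: the list the thread says was never maintained
$inventory = @{
    '00-0C-29-3A-1B-7F' = 'WKS042 (finance, desk 12)'
    '00-0C-29-5E-22-10' = 'WKS017 (reception)'
}

$r = ConvertFrom-NbtstatTable $sample
$owner = if ($r.MAC -and $inventory.ContainsKey($r.MAC)) { $inventory[$r.MAC] } else { 'MAC not in inventory' }
"192.168.10.5 answers as $($r.Computer); logged-on user $($r.User); MAC $($r.MAC) -> $owner"

# Against a live host the parser takes the real command's output:
#   ConvertFrom-NbtstatTable (nbtstat -A 192.168.10.5)
```

Two limits to keep in mind when using this in the situation described: the query only works while NetBIOS over TCP/IP is enabled on the target, and the user entry depends on the Messenger service registering a <03> name, so a machine with that service stopped reports a computer name and MAC but no user. Running the query the moment a user reports "IP CONFLICT", and keeping the MAC-to-owner inventory the last line consults, turns the "impossible" attribution in the earlier post into a routine lookup.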



Posted by: rookie420

Quote:

It's not difficult to identify whose computer has swiped an IP address.

{snip}


Other problems are: unlicensed software, viruses, browser settings etc. etc.

I believe all this can be solved by Active Directory.

Thanks for your help folks.



 
Copyright 2000-2008 Open Tech Support.  All Rights Reserved.  Site Design and Development by Tolitz Rosel.