
Groups with login rights on DC?

Pash Member Posts: 1,600
Which groups can login to the domain controller by default?

I have 4 accounts that I need to use purely for domain user administration, so I understand that the Account Operators group is the group for this. But can they log on if the only server in the AD is the DC?
DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.

Comments

    sprkymrk Member Posts: 4,884
    Just install the adminpak.exe on their workstation. No need to allow login directly to the server.
    All things are possible, only believe.
    Mishra Member Posts: 2,468
    This sounds like a question you could have tested yourself. Is there a reason why you didn't try it?
    My blog http://www.calegp.com

    You may learn something!
    Ahriakin Member Posts: 1,799
    Install the Adminpak as Sprkymrk stated and then use delegation to grant User account manipulation rights as needed to the users for the OUs they need to work with. MUCH more secure.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
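    The OU-level delegation Ahriakin describes, as an added example that is not part of the thread: granting one group the rights to create, delete, edit and reset passwords on user objects in a single OU, using the built-in dsacls tool rather than Account Operators membership (Account Operators can manage users in every OU and can log on locally to DCs; a delegated group gets neither). The domain, OU and group names are assumptions for illustration.

```powershell
# Added example (not from the thread): delegate user-account administration on one OU
# instead of adding helpdesk staff to Account Operators.
# Assumptions: domain NetBIOS name EXAMPLE (DC=example,DC=local), OU "WLAN Users",
# delegated group "WLAN-Helpdesk". Run elevated on a DC or a box with the admin tools.
$ou    = 'OU=WLAN Users,DC=example,DC=local'
$group = 'EXAMPLE\WLAN-Helpdesk'

# Create and delete user objects directly under the OU.
# CC = create child, DC = delete child; the trailing "user" limits this to user objects.
dsacls $ou /G "${group}:CCDC;user"

# Read and write all properties of user objects in the OU.
# RP/WP = read/write property; /I:S applies the ACE to sub-objects of the named class only.
dsacls $ou /I:S /G "${group}:RPWP;;user"

# Allow password resets on those user objects (control access right "Reset Password").
dsacls $ou /I:S /G "${group}:CA;Reset Password;user"

# Print the resulting ACL so the three new ACEs can be checked before handing over.
dsacls $ou
```

    This is the same result the Delegation of Control wizard produces for the "Create, delete, and manage user accounts" and "Reset user passwords" tasks; doing it with dsacls leaves a scriptable record of exactly what was granted, and the group never needs a DC logon right at all.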
    Pash Member Posts: 1,600
    This server sits on a DMZ, therefore local login options are our only solution. The reason I haven't tried this is because I don't want to mess with the GPO yet.
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
    Mishra Member Posts: 2,468
    Pash wrote:
    This server sits on a DMZ, therefore local login options are our only solution. The reason I haven't tried this is because I don't want to mess with the GPO yet.

    I'm not sure where GPO would hold you back. You should just create a test account, put it in the Account Operators group, then try to log in locally. If not, then I know the Server Operators group will work for local login.

    You should be able to give it a try with no problem.
    My blog http://www.calegp.com

    You may learn something!
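    The test Mishra proposes, as an added example rather than anything posted in the thread: first read back which principals the effective policy grants "Allow log on locally" (SeInteractiveLogonRight) on the DC, then create a throwaway account in Account Operators and attempt a console logon with it. On a default Default Domain Controllers Policy the right is held by Administrators, Account Operators, Backup Operators, Print Operators and Server Operators, which is why both groups Mishra names work. The account name and password are placeholders, and the script assumes an elevated prompt on the DC.

```powershell
# Added example (not from the thread): list who may log on locally at this DC, then
# create a test account in Account Operators to confirm it can log on at the console.
# Assumes an elevated PowerShell prompt on the DC; account name/password are placeholders.

function Get-LocalLogonRight {
    # secedit exports the *effective* local security policy (GPO-applied rights included)
    # as an INF file; the user-rights section lists SIDs prefixed with '*'.
    $cfg = Join-Path $env:TEMP 'userrights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }           # right not present means nobody is granted it
    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            # Translate the SID to DOMAIN\Name where possible, else keep the raw SID
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        } else {
            $entry
        }
    }
}

'Principals granted "Allow log on locally" on this DC:'
Get-LocalLogonRight

# Throwaway test account, added to Account Operators (placeholder credentials)
net user wlantest 'P@ssw0rd-Change-Me!' /add /domain
net group "Account Operators" wlantest /add /domain
net user wlantest /domain | Select-String 'Global Group'

# Now log on at the DC console as wlantest. When finished, remove the account:
#   net user wlantest /delete /domain
```

    If the test account can open a console session, the group is in the list printed by Get-LocalLogonRight; if the logon is refused with a "local logon right" message, the group is missing from it, and that is the GPO setting to adjust (or the reason to prefer Server Operators, as Mishra notes).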
    sprkymrk Member Posts: 4,884
    Pash wrote:
    This server sits on a DMZ, therefore local login options are our only solution.

    Your only DC sits in a DMZ? Do you know why? That sounds pretty unusual....
    All things are possible, only believe.
    RTmarc Member Posts: 1,082
    DC on a DMZ = major security risk...just an FYI.

    Also, no local logins on a Domain Controller.
    Ahriakin Member Posts: 1,799
    Pash wrote:
    This server sits on a DMZ, therefore local login options are our only solution. The reason I haven't tried this is because I don't want to mess with the GPO yet.

    As mentioned earlier (again, yes I know I'm regurgitating parts of other posts, just trying to be complete ;) ) being on a DMZ shouldn't be a problem, exempting the filters on the firewall controlling the security zones blocking access.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
    royal Member Posts: 3,352
    In most cases a DC in a DMZ is a bad idea. There are cases where you have a separate AD domain in your DMZ to control servers through GPO and other functions. This is less of a security concern if it's still isolated from your internal network. If your corporate DC which serves your corporate clients is on your DMZ, like the others stated, this is a major security issue.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
    Pash Member Posts: 1,600
    Haha, yes, if it was a DC bearing AD for normal reasons it would be a bad idea. But it's just effectively a RADIUS server with AD installed to manage user accounts for a wireless LAN (it authenticates with a Juniper firewall).

    Yes, we could easily manage traffic policies to allow access to the server. In fact we do currently for deployment remotely from our office (over VPN). However, the administration will be done by the end customer. And it's under their own request that we don't allow network traffic from any network to the server. So we are going to either use an IP KVM switch with a PC located at their helpdesk area in the building (which is pretty secure), or only allow console login in the comms room itself (Fort Knox)....although nothing can stop the angry employee with a bee in his/her bonnet...but yeh.

    I'm onsite tomorrow, I'm gonna play properly with the group settings, I think I know which groups are given rights by default. But I'll just get my desired effect tomorrow and then hand it over to the customer to destroy this week :p

    Cheers for your response though.
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
    Pash Member Posts: 1,600
    The solution we presented to the customer may not be the best but we deployed it as follows:

    Juniper firewall SSG5 series

    HP DLXX server with no RAID.

    Win2003 server + Active Directory + IAS RADIUS

    Policy on RADIUS to talk only to juniper firewall as client (server on a DMZ)

    Cat5 KVM switch patched to the customer's helpdesk area, no network connectivity here so no RDP, just a direct console link. The Account Operators group as suggested above (thanks Mishra) is used for the customer administrators.

    We still need to provide remote support for this WLAN auth server, so having it on a DMZ with correctly configured firewall policies and a RADIUS policy that ONLY talks to the firewall I would have thought is as secure as you can get. Correct me if I am wrong.

    *Future Improvements*

    Captive Portal - Much easier for administration.

    Btw, I don't wanna seem like I think I know a super huge amount about these subjects...I need a lot more practice. I'm always all ears to suggestions, so please if you have any, blurt them out anytime :)
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.