RE: adding computer objects to groups controlling access to file s
- From: Phillip McIntosh <PhillipMcIntosh@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 9 Jan 2007 02:07:00 -0800
Granting permissions to a computer will work the same way as for users:
If a computer SERVER01 is a member of a group and this group is granted READ
permissions on a file, the computer SERVER01 will be authorized to read this
file.
Yep, realised that.
The permissions of a user on a PC and the one granted to SERVER01 are NOT
associated, since they are different security principals.
Yep, realised that.
BUT… Practically, if a user has enough privilege (mostly local admin), it can
run processes in the context of LocalSystem using tools such as PSExec (-s
parameter) and then gain the same permissions as the ones granted to
LocalSystem.
That's exactly what I was trying to find out. I suspected as much.
Basically it can be classified as a security issue.
Cool. Thanks Marc.
"Marc Lognoul" wrote:
Granting permissions to a computer will work the same way as for users:
If a computer SERVER01 is a member of a group and this group is granted READ
permissions on a file, the computer SERVER01 will be authorized to read this
file.
One difference is that two identities can be used: LocalSystem (aka SYSTEM)
and NetworkServices (in 2003 only) and it will be seen as DOMAIN\SERVER01$ in
audit logs.
The permissions of a user on a PC and the one granted to SERVER01 are NOT
associated, since they are different security principals.
BUT… Practically, if a user has enough privilege (mostly local admin), it can
run processes in the context of LocalSystem using tools such as PSExec (-s
parameter) and then gain the same permissions as the ones granted to
LocalSystem.
Marc
"Phillip McIntosh" wrote:
Recently we have found that some of our admins are adding AD computer objects
to AD security groups that are used to grant permissions to file system
resources etc.
Normally, we would only add AD computer objects to the AD Security groups
associated with Apps managed by MS SMS.
Whilst our company policy dictates that AD computer objects should only be
added to AD groups associated with Apps, I need to understand the
implications of AD computer objects being added to other AD Security groups
(i.e. those with permissions to the file system).
What are the implications? Can any user on that PC gain access to the file
system shares via permissions associated with the computer object? What
about any malware on the machine? Can it use the permissions associated with
the computer object?
Is there anything else I need to be aware of in this situation?
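The practical follow-up to Marc's answer and Phillip's question is an inventory: which security groups contain computer objects, which of those groups are not the sanctioned application groups, and which file-system ACEs those groups hold (since, per the thread, anyone who can run as LocalSystem on a member computer effectively holds those permissions). The PowerShell below is an added example written for this thread, not code posted by either participant. It assumes the ActiveDirectory module is available, that sanctioned app groups follow a naming prefix (`APP-`, a placeholder convention), and uses a constructed share path; replace both with your own values.

```powershell
# Added example (not from the thread): find computer objects in AD security groups
# outside the sanctioned app groups, then show the file-system ACEs those groups hold.
# Assumptions: ActiveDirectory module present; app groups are prefixed 'APP-' (placeholder).
Import-Module ActiveDirectory

$AppGroupPrefix = 'APP-'                      # assumed naming convention for SMS app groups
$SharePaths     = @('\\FILESRV01\Finance')    # constructed example share path(s) to check

# 1. Every security group that contains a computer object, directly or through nesting
$findings = foreach ($group in Get-ADGroup -Filter 'GroupCategory -eq "Security"') {
    $computers = Get-ADGroupMember -Identity $group -Recursive |
                 Where-Object { $_.objectClass -eq 'computer' }
    if ($computers) {
        [PSCustomObject]@{
            Group      = $group.SamAccountName
            Sanctioned = $group.SamAccountName.StartsWith($AppGroupPrefix)
            Computers  = ($computers.SamAccountName -join ', ')
        }
    }
}

# 2. Keep only the groups that violate the policy described in the thread
$unsanctioned = @($findings | Where-Object { -not $_.Sanctioned })
$unsanctioned | Format-Table -AutoSize

# 3. For each share, list ACEs granted to an unsanctioned group. These are the rights
#    a local admin on a member computer can reach by running as LocalSystem, and the
#    ones to look for in the file server's audit log as DOMAIN\COMPUTER$ logons.
foreach ($path in $SharePaths) {
    $acl = Get-Acl -Path $path
    foreach ($ace in $acl.Access) {
        $name = $ace.IdentityReference.Value.Split('\')[-1]
        if ($unsanctioned.Group -contains $name) {
            [PSCustomObject]@{
                Path   = $path
                Group  = $name
                Rights = $ace.FileSystemRights
                Type   = $ace.AccessControlType
            }
        }
    }
}
```

Run it from a workstation with RSAT against the domain; the first table answers "which computers sit in which non-app groups", and the second tells you which share permissions that membership actually exposes. Because the computer account shows up as DOMAIN\SERVER01$ in audit logs (as Marc notes), the group names from the second table are what to correlate against machine-account access events on the file server.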