
Security hole found! 4

Status
Not open for further replies.

SelbyGlenn

Technical User
Oct 7, 2002
444
GB
Working in a private school I was shocked to find that some students had managed to join their private laptops to our domain! It turns out that by default, any Authenticated User has the right to join up to 10 workstations to the domain.

I can't believe that Microsoft have allowed this by default.

Luckily there's a simple fix to this. In the properties of the Domain Controllers OU in AD, open the Default Domain Controllers policy. Expand Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ User Rights Assignment. Edit the policy "Add Workstations to the Domain". Remove Authenticated Users and add Domain Admins.


Glenn
BEng MCSE CCA
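The "10 workstations per user" limit described above is driven by the ms-DS-MachineAccountQuota attribute on the domain object, and a computer object that was created through that quota is stamped with the mS-DS-CreatorSID of the user who joined it. The following is an added example, not code from the thread, that reads the quota and lists computer accounts created that way so an admin can see whether anyone has already used it; it assumes the ActiveDirectory RSAT module is installed and that the account running it can read the domain.

```powershell
# Added example (not from the thread): audit the machine-join quota and find
# computer objects that were created by ordinary users through it.
# Assumes the ActiveDirectory RSAT module and read access to the domain.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dn     = $domain.DistinguishedName

# ms-DS-MachineAccountQuota is the attribute behind the "10 per user" default.
$quota = (Get-ADObject -Identity $dn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota on $($domain.DNSRoot): $quota"
if ($quota -gt 0) {
    Write-Warning ("Any authenticated user can still join up to $quota machines. " +
                   "To remove the quota: Set-ADDomain -Identity '$dn' -Replace @{'ms-DS-MachineAccountQuota'=0}")
}

# When a non-admin joins a machine via the quota, AD records the joining user's
# SID in mS-DS-CreatorSID. Computers created by admins with explicit rights lack it,
# so the LDAP presence filter below lists exactly the quota-created accounts.
$created = Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties mS-DS-CreatorSID, whenCreated |
    ForEach-Object {
        $raw = $_.'mS-DS-CreatorSID'
        # The module may hand back a SecurityIdentifier or a raw byte array; handle both.
        $sid = if ($raw -is [byte[]]) {
            New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
        } else {
            [System.Security.Principal.SecurityIdentifier]$raw
        }
        try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $creator = $sid.Value }   # creator account may since have been deleted
        [pscustomobject]@{ Computer = $_.Name; Creator = $creator; Created = $_.whenCreated }
    }

$created | Sort-Object Created | Format-Table -AutoSize
```

Changing the "Add workstations to domain" user right as the post describes and setting the quota to 0 are complementary: the first removes the right from Authenticated Users on the domain controllers, the second removes the per-user allowance the right relies on.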
 
Are you sure about that? I find it hard to believe that's a default selection.

I know that ours certainly wasn't.

Carlsberg don't run I.T departments, but if they did they'd probably be more fun.
 
It's definitely the default. Here's a quote from a Microsoft MCSE study guide book:

Domain users can also create computer objects through an interesting, indirect process. When a computer is joined to the domain and an account does not exist, Active Directory creates a computer object automatically, by default, in the Computers OU. Each user in the Authenticated Users group (which is, in effect, all users) is allowed to join 10 computers to the domain, and can therefore create as many as 10 computer objects in this manner.



Glenn
BEng MCSE CCA
 
That is indeed quite shocking. Thank you for the information.

Carlsberg don't run I.T departments, but if they did they'd probably be more fun.
 
Great tip, I didn't know that, and mine was set at Authenticated Users also.

RoadKi11
 
It is also annotated here:


However, this does not mean that you "trust" everything that Microsoft does. In the old days of Win2K, did you leave the "everyone" setting on all drives/shares of a PC/server? I would hope not.

I don't think this is a Microsoft hole, I think it was done this way as Microsoft wanted ease of use for all the users of a domain with minimal whining. If you, as the domain administrator, want to go above and beyond what is the "default" of Microsoft, by all means.....
 
Yep, it's been a pain in the backside since the beginning of Active Directory.
 
Be interesting to see what breaks when you change this setting.

Web users via NTLM authentication (Outlook Web Access)?

Terminal Services clients?
 
Why do you feel that preventing domain users from adding computers to the domain would affect those services dilettante?
 
I'm with porkchopexpress on this one. None of those services require adding a client to the domain. We have this set up on our domain, yet are able to do OWA, and TS.....
 
I've been running with the changes for three weeks now and there have been no knock-on effects. We have TS and OWA here and all are fine.

We did get one student complaining that he could no longer join his laptop to the domain!!!!

Glenn
BEng MCSE CCA
 
Thanks!

I just made that change. We have a couple of people on our network who are not allowed to have their laptops connect to it.
 
Apparently a senior engineer who was responsible for this area of Active Directory repeatedly asked beta testers for Windows 2000 for feedback on whether admins would like users who were local admins to be able to add their stations to the domain. He didn't get any feedback, so he decided to allow it and limit it to 10.
 