Security issue, user has obtained domain admin rights?

CCFAdmin
May 13, 2003
Hello....

Maybe I'm crazy, or perhaps I'm overlooking something.

Right now my XP stations have local admin accounts with a password that only I know. Then all users have power user accounts on the domain. I noticed that if one logs in as the local admin of the machine, they can change the power user to an admin of the domain! Thus allowing them to log in to my servers.

It seems the local admin password was leaked to one of my users, she then logged on as the local admin and changed her domain permissions to admin.

What? why is this possible? How can I prevent this.....

Any help would be appreciated, thanks!

C

 
First off shoot the person that got your password and changed their permissions. [laser]

And yes, it is right that they can do this; I have just tried it on my test machine here and it worked.

As to how to stop it, I'm looking into it now.

Greg Palmer

----------------------------------------
Any feedback is appreciated.
 
Thanks for the quick response... It's unsettling that this is possible.

BTW, I'm changing all local passwords this weekend, BUT I would like to give a few users local admin rights, but certainly not to the entire domain.

Thanks

Let me know if you come up with something!
 
I've had a look into this and it seems that local admins have full access to the domain. Even when you set new users up and select the group that they are attached to as Administrators, it warns you that they have full access to the machine and domain!

I can't personally think of a way around this - perhaps one of our saviours b(Stayin' Alive)castner or Waltzin (linney) Matilda have some ideas!!

Greg Palmer

----------------------------------------
Any feedback is appreciated.
 
This should only work if the local admin user is also a Domain admin. The local admin user should not even be a domain user.

Jon

There is much pleasure to be gained from useless knowledge. (Bertrand Russell)
 
I can't believe this.... So if I want to give a user local admin rights, then I must give them domain admin rights? This is absurd.

It looks like none of my users will be local admins, as of now!

The only workaround I can think of so far would be to change the admin name on the domain and set it as a true admin, then create a "dummy" admin domain account, allowing these users to be a member of it. I'm not too familiar with group policies, but maybe they could help....

Any thoughts from the experts?

Thanks
 
Jontmke,
If you set a new user up by using the "control userpasswords2" command from Run, then whenever you add someone to the local Administrators group you are warned that they have access to the domain as well. Perhaps I have set something up to allow this to happen?

Greg Palmer

----------------------------------------
Any feedback is appreciated.
 
Don't understand this - what Jon said is correct. Just being a local admin gives a user NO rights on the domain. If the users are getting domain admin rights, something else must be setting this (btw - afaik, Power Users is a local-only group - I don't think there is a domain Power Users group).
 
I reiterate: The local admin should not even be a user created in the domain. We use the same admin password for our boxes that only we (IT) know. And of course there is no "Administrator" user for the domain.
And when you do give admin rights make sure it is set for only that box. It should show what you are giving rights to: This computer or the domain.

Jon

There is much pleasure to be gained from useless knowledge. (Bertrand Russell)
 
Wolluf and Jontmke,
I am not disputing what you are saying by any means; I do not have much experience networking with XP. However, even on my standalone machine at home, when I set up a new user and give them admin rights it says that they have full access to the domain. Please see the attached image.
Any Thoughts?

Greg Palmer

----------------------------------------
Any feedback is appreciated.
 
Greg,

Yes, that is what you are seeing, per your attached image....

My test to others would be to go to a regular user's machine and log in locally. Then go to the Users tab, select the domain user (for the domain, not the local account) and change him/her to an admin. Save and close...

Then check your computer/user settings in AD; this user will be listed as an admin in the Member Of tab.

Is there a policy to prevent this? Or am I missing something!

Thanks
 
Everyone,

Any thoughts on this?

Charles
 
Let me clear the confusion.

If your local ADMINISTRATOR account has the same password as your domain ADMINISTRATOR, then the local admin can do whatever the domain admin can do. Even if the computer is not joined to the domain this will be true. What a jacked-up security flaw, in my opinion.

This assumes two things

1. Usernames are exactly the same
2. Passwords are exactly the same
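The condition DigitalCandy describes, the workstation's built-in administrator sharing a name and password with a domain account, is also what turned the OP's leaked local password into a domain problem, and it is why "changing all local passwords this weekend" matters only if every machine ends up with a different one. The following is an added example, not code from the thread: a PowerShell script that gives the built-in Administrator (RID 500, whatever it is currently named) its own random password and optionally renames it, so no two workstations and no domain account share a credential. It assumes Windows PowerShell 5.1 on Windows 10 / Server 2016 or later (the Microsoft.PowerShell.LocalAccounts cmdlets do not exist on XP) and a local administrator session; the names New-RandomPassword, Set-UniqueLocalAdmin and -NewName are mine, not Windows built-ins.

```powershell
# Added example, not code from the thread. Assumes Windows PowerShell 5.1 on
# Windows 10 / Server 2016 or later, run as a local administrator. The function
# and parameter names (New-RandomPassword, Set-UniqueLocalAdmin, -NewName)
# are hypothetical.

function New-RandomPassword {
    param([int]$Length = 24)
    # Alphabet omits look-alike characters (0/O, 1/l/I) so the value can be
    # read back from a vault without ambiguity.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%^&*()-_=+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $one   = New-Object byte[] 1
    $limit = 256 - (256 % $alphabet.Length)   # rejection sampling: no modulo bias
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($one)
        if ($one[0] -lt $limit) {
            [void]$sb.Append($alphabet[$one[0] % $alphabet.Length])
        }
    }
    $sb.ToString()
}

function Set-UniqueLocalAdmin {
    param(
        [string]$NewName,        # optional: rename the built-in account as well
        [int]$Length = 24
    )
    # RID 500 identifies the built-in Administrator even after it has been
    # renamed, so this still finds it on a box where "admin" and
    # "administrator" have been swapped around.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if (-not $builtin) { throw 'Built-in Administrator (RID 500) not found' }

    $plain  = New-RandomPassword -Length $Length
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    Set-LocalUser -Name $builtin.Name -Password $secure

    $name = $builtin.Name
    if ($NewName -and $NewName -ne $builtin.Name) {
        Rename-LocalUser -Name $builtin.Name -NewName $NewName
        $name = $NewName
    }

    # Returned rather than printed: hand this object to your password vault.
    # Never reuse the value on another machine and never make it equal to a
    # domain account's password; that equality is the problem described above.
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Account      = $name
        SID          = $builtin.SID.Value
        Password     = $plain
    }
}

# Usage (hypothetical account name): run once per workstation and store the result.
$record = Set-UniqueLocalAdmin -NewName 'lcladm'
$record | Select-Object ComputerName, Account, SID   # password deliberately not echoed
```

Run it once per workstation and record the returned password in a vault; Microsoft's LAPS does the same per-machine rotation automatically and stores the result in Active Directory, which is the long-term replacement for a shared local admin password that "only I know".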
 
DigitalCandy,

Jontmke answered this already: "This should only work if the local admin user is also a Domain admin. The local admin user should not even be a domain user."

If you have not changed the local admin username and password from the default, your result will obtain. But why did you not change it?

When XP joins a Domain, the local workstation is treated as a Domain itself, a separate entity. You cannot change the user rights to the "true" Domain by fiddling with the security rights in the local workstation Domain with a local logon.

 
It would seem the idiot that set the network up here set the local computer's admin name and password the same as the domain's. Luckily this is a small office and we all have admin rights anyway.

After creating a new user and giving them admin rights I cannot access the server; it prompts for a domain username and password.

However, this does not explain why MS warns that local users with admin rights have access to the domain. Probably just code they have copied from somewhere else and not changed the prompt.

Thanks for the info all.

Greg Palmer

----------------------------------------
Any feedback is appreciated.
 
Well, the message does not quite say that. "....users have unrestricted rights to the computer/domain."

I agree it is not as clear as it could be, but it is consistent with the notion that you select "This workstation" under the Domain scroll box during logon to perform a local console login.
 
OK, so I'm still lost....

My local admin and domain admin have different usernames and passwords.... Username is admin for local and administrator for the domain.

BUT, the user knows (or at least knew until I changed it) the local admin password. They logged in as the local admin and went to the user settings. They then clicked on their domain account, which was set as power user, then changed it to an administrator on the domain. This grants them admin rights to not only the local machine but the domain!

Yes, it could be argued that I should not allow users to know the local admin info, BUT, even so, I see it as a flaw that one could change domain status with a local account.

How can I fix this?

Thanks
 
Make sure members of the local Admin group are not members of the Domain Admin group.
 
How do I do this? Under the user settings on a workstation, I see member of admin or domain admin. I don't see local admin. Is this something that should be set at the workstation or on the server through group policies?

Thanks
 
On a local workstation Administrator is the local Administrator name by default, it can be changed. The Group Name is Administrator.

Any Domain Group Membership rules would be done at the Server, but is not a Group Policy issue.
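The advice given above (make sure members of the local Administrators group are not Domain Admins) and the check the OP proposed earlier (change the user's type on the workstation, then look at the account's Member Of tab in AD) can both be scripted. The following is an added example and not code from the thread: it lists a workstation's local Administrators group next to the domain's Domain Admins group, flags any overlap, and shows the supported way to give one domain user admin rights on one machine only, which is what control userpasswords2 does under the hood. It assumes a domain-joined host with the RSAT ActiveDirectory module and an account allowed to read the target machine's local groups and Domain Admins; the names $Computer, $DomainAdminsGroup, Get-LocalAdministratorsMember, Get-DomainAdminsMember, Compare-AdminMembership and Grant-LocalAdminToDomainUser are mine, not Windows built-ins.

```powershell
# Added example, not code from the thread. Assumes a domain-joined host with the
# RSAT ActiveDirectory module and rights to read the target machine's local
# groups and Domain Admins. All function and parameter names are hypothetical.
#
# On a domain-joined machine, control userpasswords2 and "net localgroup
# Administrators ... /add" edit the machine's LOCAL Administrators group
# (WinNT://<computer>/Administrators). Domain Admins lives on the domain
# controllers and is not touched by either.

param(
    [string]$Computer = $env:COMPUTERNAME,
    [string]$DomainAdminsGroup = 'Domain Admins'
)

Import-Module ActiveDirectory -ErrorAction Stop

function Get-LocalAdministratorsMember {
    param([string]$ComputerName)
    # The WinNT ADSI provider works from XP through current Windows and needs
    # nothing installed on the target machine.
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $t = $m.GetType()
        $name  = $t.InvokeMember('Name',    'GetProperty', $null, $m, $null)
        $class = $t.InvokeMember('Class',   'GetProperty', $null, $m, $null)   # User or Group
        $path  = $t.InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)   # WinNT://SOURCE/name
        $source = (($path -replace '^WinNT://', '') -split '/')[0]            # DOMAIN or COMPUTER
        [pscustomobject]@{ Name = $name; Class = $class; Source = $source }
    }
}

function Get-DomainAdminsMember {
    param([string]$GroupName)
    # -Recursive expands nested groups so an admin two levels down still shows.
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object objectClass -eq 'user' |
        Select-Object -ExpandProperty SamAccountName
}

function Compare-AdminMembership {
    param(
        [string]$ComputerName,
        [object[]]$LocalMembers,
        [string[]]$DomainAdmins,
        [string]$DomainNetbiosName
    )
    foreach ($m in $LocalMembers) {
        $fromDomain = ($m.Source -ieq $DomainNetbiosName)
        $isDA = $fromDomain -and $m.Class -eq 'User' -and ($DomainAdmins -contains $m.Name)
        if ($m.Class -eq 'Group') {
            $finding = if ($fromDomain) { 'domain group: all its members are local admins here' } else { 'local group' }
        } elseif ($isDA) {
            $finding = 'Domain Admin used as a local admin: remove, use a separate domain account'
        } elseif ($fromDomain) {
            $finding = 'domain user with local admin only (what delegated local admin looks like)'
        } else {
            $finding = 'local account'
        }
        [pscustomobject]@{
            Computer       = $ComputerName
            Member         = "$($m.Source)\$($m.Name)"
            Class          = $m.Class
            InDomainAdmins = $isDA
            Finding        = $finding
        }
    }
}

function Grant-LocalAdminToDomainUser {
    # Gives a domain user admin rights on ONE machine: the same change
    # control userpasswords2 makes, and no domain group is modified.
    param([string]$ComputerName, [string]$Domain, [string]$SamAccountName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    $group.Add("WinNT://$Domain/$SamAccountName,user")
}

$domainNB = (Get-ADDomain).NetBIOSName
$local    = Get-LocalAdministratorsMember -ComputerName $Computer
$da       = Get-DomainAdminsMember -GroupName $DomainAdminsGroup

Compare-AdminMembership -ComputerName $Computer -LocalMembers $local `
    -DomainAdmins $da -DomainNetbiosName $domainNB | Format-Table -AutoSize

# Re-read Domain Admins afterwards for the record: nothing above changes it.
"Domain Admins (recursive): " + ((Get-DomainAdminsMember -GroupName $DomainAdminsGroup) -join ', ')
```

Run it against the workstation in question after the user has been "changed to an administrator" there: the account appears in the local Administrators listing with Source set to the domain's NetBIOS name, and the Domain Admins listing is unchanged. A row with InDomainAdmins set to True is the condition the "make sure members of the local Admin group are not members of the Domain Admin group" reply is asking you to eliminate, because it means someone is doing day-to-day local logons with a domain-wide credential.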
 