Nope but it doesn't matter. If they can install a service (or replace a file a service uses) they have too much power, let alone schedule a task. Heck when you get down to it, physical access to the box is all that is needed but we try to forget that one or else no one would ever put a DC anywhere but within their eyesight and then only in a sealed room with 4 locks on steel doors.

The whole thing as we have pointed out time and again is trust and compensating controls. You will never be 100% secure, what you do is try to make as few concessions as you possibly can. Not allowing people normal interactive access or the ability to write to the disk system is one layer that I absolutely recommend for Domain Controllers. Also don't recommend giving hardly anyone access to AD via builtin groups such as acc op and admin and dom admin, etc. Again, this can be compromised but it does require even more intent and knowledge to pull off. Also you don't accidentally get viruses and other things running on DCs you shouldn't have there. I am actually waiting for the offline password editor dude who makes the bootable floppy/cd to do the next logical step to help get onto 2K+ Domain Controllers. That guy is bright, I am actually surprised he hasn't gone ahead and done it already.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Monday, May 24, 2004 6:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Security...

You can restrict access to Task Scheduler using GPO (Admin Templates\Windows Components\Task Scheduler) and by changing permissions on %SYSTEMROOT%\Tasks folder, but there are other ways around. BTW, I remember reading somewhere that "at" command uses old style API which is not enforced by GPO, and therefore the only way around is to change the ACL on Tasks folder. Anyone remember the details?

Guy

On Mon, 2004-05-24 at 14:44, Roger Seielstad wrote:
> The problem, as you're most likely aware, is that server admins have
> access to the Task Scheduler, which means they can kick things off as
> LocalSystem, which means the DC is then 0wn3d.(owned)
>
> Not sure what I'd do in your shoes. I'm fortunate enough to have
> really good IT folk in my remote locations with DCs. I'm also
> fortunate enough to be 6'5" tall, built like an NFL lineman, and have
> an expense account with which I can purchase plane tickets to their
> location to engage in what my ex-Army junior admin refers to as "wall
> to wall counseling."
>
> Roger
> --------------------------------------------------------------
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>
> > -----Original Message-----
> > From: Chris Lynch [mailto:[EMAIL PROTECTED]
> > Sent: Friday, May 21, 2004 5:11 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Domain Controller Security...
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > I know. I agree that this isn't good security practice. I wouldn't
> > recommend this as well. But, for the lack of space in most
> > locations (and we are only talking about 4 locations), we would just
> > like to give the local tech access to that DC only and no other DC
> > in the domain. I can restrict them to log onto that DC local to
> > them only (via GPO). I might just give them Server Operators
> > rights, restrict them to log onto that DC only, and call it a day.
> >
> > Thanks,
> >
> > Chris
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> > > Sent: Friday, May 21, 2004 10:19 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] Domain Controller Security...
> > >
> > > True... I musta read half the question (again).
> > >
> > > --------------------------------------------------------------
> > > Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator
> > > Inovis Inc.
> > >
> > > > -----Original Message-----
> > > > From: joe [mailto:[EMAIL PROTECTED]
> > > > Sent: Friday, May 21, 2004 12:41 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: RE: [ActiveDir] Domain Controller Security...
> > > >
> > > > I am not sure that fits his requirements for this one...
> > > >
> > > > Sounds like he is file sharing from the DC (not something I personally
> > > > recommend) and obviously it would be a bit much to dcpromo down
> > > > and back up to add a new share.
> > > >
> > > > joe
> > > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> > > > Sent: Friday, May 21, 2004 11:54 AM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: RE: [ActiveDir] Domain Controller Security...
> > > >
> > > > I like Joe Richard's option - DCPromo it out, let the tech work on it,
> > > > and DCPromo it back in
> > > >
> > > > --------------------------------------------------------------
> > > > Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator
> > > > Inovis Inc.
> > > >
> > > > > -----Original Message-----
> > > > > From: Chris Lynch [mailto:[EMAIL PROTECTED]
> > > > > Sent: Friday, May 21, 2004 11:27 AM
> > > > > To: [EMAIL PROTECTED]
> > > > > Subject: [ActiveDir] Domain Controller Security...
> > > > >
> > > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > > Hash: SHA1
> > > > >
> > > > > I'm wondering if anyone has accomplished the following:
> > > > >
> > > > > Provided different security policies to multiple DC's within the same
> > > > > domain, but different OU's for field techs to manage resources on just
> > > > > that DC without giving Server Operators rights.
> > > > >
> > > > > I have almost all of the requirements resolved, except the ability to
> > > > > create shares. I have modified the security on the
> > > > > HKLM\System\CurrentControlSet\Services\LanManserver and
> > > > > HKLM\System\ControlSet001\Services\LanManserver with no success.
> > > > > Every document I have read about where the shares definitions are
> > > > > stored are located in these two reg keys.
> > > > >
> > > > > I know the simple way would be to deploy another server to
> > > > > that location and give them local Administrator rights. But, management
> > > > > doesn't want to do this.
> > > > >
> > > > > Thanks for any input,
> > > > >
> > > > > Chris Lynch
> > > > >
> > > > > -----BEGIN PGP SIGNATURE-----
> > > > > Version: PGP 8.0.3
> > > > > Comment: Public PGP Key for Chris Lynch
> > > > >
> > > > > iQA/AwUBQK4f0m9fg+xq5T3MEQKvyACfR40Wo0raZykKESlI9BlWQnO9CREAoIr4
> > > > > BT+9sM9+/PU1ca4fioHgTuMm
> > > > > =k33B
> > > > > -----END PGP SIGNATURE-----
> > > > >
> > > > > List info : http://www.activedir.org/mail_list.htm
> > > > > List FAQ : http://www.activedir.org/list_faq.htm
> > > > > List archive:
> > > > > http://www.mail-archive.com/activedir%40mail.activedir.org/
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGP 8.0.3
> > Comment: Public PGP Key for Chris Lynch
> >
> > iQA/AwUBQK5wem9fg+xq5T3MEQIcQgCbBHD/3P2lldjPMQYIuYX+bQbcy/gAn0JN
> > HwFDAdmSI6kCuPCiwfkBn9ST
> > =T64Z
> > -----END PGP SIGNATURE-----
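Guy's message names two controls for the scheduled-task problem Roger raised: the Task Scheduler GPO (Admin Templates\Windows Components\Task Scheduler) and the ACL on %SYSTEMROOT%\Tasks, with the caveat that the GPO does not cover the old "at" API, so the folder ACL is the control that actually matters. The following read-only audit is an added example, not code from the thread or from any of its participants, written in modern PowerShell (which did not exist in 2004). It assumes the classic Task Scheduler policy lives under HKLM\Software\Policies\Microsoft\Windows\Task Scheduler5.0 with DWORD values such as "Task Creation" (1 = prohibited), and that the principals in $Trusted are the only ones expected to hold write access to the Tasks folder on a DC; both are labelled as assumptions in the code.

```powershell
# Added audit example (not from the ActiveDir thread). Run on a DC as an
# administrator; it only reads ACLs and registry values, it changes nothing.

# ASSUMPTION: only these principals should be able to write to the Tasks folder.
$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')

# Any of these rights lets a principal drop or alter a job file.
$WriteMask = [System.Security.AccessControl.FileSystemRights] `
    'Write, Modify, FullControl, CreateFiles, ChangePermissions, TakeOwnership, Delete'

# Report every Allow ACE on the Tasks folder that grants write-class rights to an
# identity outside $Trusted. This is the check that still applies to "at", which
# the thread says the GPO does not restrict.
function Get-TasksFolderWriteAccess {
    param([string]$Path = (Join-Path $env:SystemRoot 'Tasks'))
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $id = $rule.IdentityReference.Value
        if ($Trusted -contains $id) { continue }
        if (($rule.FileSystemRights -band $WriteMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $id
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Read the classic Task Scheduler policy values. ASSUMPTION: this is the key the
# Admin Templates\Windows Components\Task Scheduler policies write to; for the
# three "Prohibit/Prevent" settings a value of 1 means the restriction is on.
function Get-TaskSchedulerPolicy {
    $key   = 'HKLM:\Software\Policies\Microsoft\Windows\Task Scheduler5.0'
    $names = 'Task Creation', 'Task Deletion', 'Execution',
             'Property Pages', 'DragAndDrop', 'Allow Browse', 'Disable Advanced'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($n in $names) {
        $v = $null
        if ($props -and $props.PSObject.Properties[$n]) { $v = $props.$n }
        [pscustomobject]@{
            Setting = $n
            Value   = $v
            State   = if ($null -eq $v) { 'Not configured' } else { "Configured ($v)" }
        }
    }
}

# Combine both checks into one result object so it can be logged or compared
# across DCs. Findings in TasksFolder are the ones to act on first.
function Test-DcTaskSchedulerHardening {
    $legacy = Join-Path $env:SystemRoot 'Tasks'          # classic .job location
    $modern = Join-Path $env:SystemRoot 'System32\Tasks' # Task Scheduler 2.0 store
    $folderFindings = @(Get-TasksFolderWriteAccess -Path $legacy) +
                      @(Get-TasksFolderWriteAccess -Path $modern)
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        TasksFolder = $folderFindings
        Policy      = Get-TaskSchedulerPolicy
        Verdict     = if ($folderFindings.Count -eq 0) { 'OK' } else { 'REVIEW' }
    }
}

$result = Test-DcTaskSchedulerHardening
$result.TasksFolder | Format-Table -AutoSize
$result.Policy      | Format-Table -AutoSize
"Verdict: $($result.Verdict)"
```

The script deliberately does not try to decide whether a given group (Server Operators, for instance) is acceptable: that is the trust decision joe describes, so it lists every non-trusted identity with write-class rights and leaves the call to the admin. The policy table is informational only, since, as Guy notes, a job submitted through the old "at" interface is not governed by those GPO values; a "Not configured" policy with a clean folder ACL is a better position than the reverse.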
