Absolutely. Physical access means you own the box, no realistic large scale way around it. It is one of the fundamental security rules with MS products at the moment. With one maybe two downloads and the machine going offline you now have at least Domain Admin rights.
If you have locked down interactive access though, you can watch closely for logons and such as well as watch closely for outages, particularly down events where the machine knows it went down and has been restarted and it isn't something scheduled through the DAs. Giving someone interactive rights makes it a little less easy to monitor for things that shouldn't be happening on the machines. That is my opinion though, I am huge on not doing things from servers themselves, that is what the remote admin functionality is all about. There are times when it is difficult or impossible to not do something from the console or from TS such as boxes that are in secure networks with only a port or two open to them. At that point, it is tough to do anything else unless you go the SSH way. joe -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Boza Sent: Tuesday, September 14, 2004 11:07 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Logging on to a Domain Controller I'm going to drift a little bit off topic, but I suspect this is pertinent. While this strategy is technically correct, let's not fool ourselves. Physical access to the DC are the keys to the kingdom, not interactive logon rights. If I can touch the system I'm just a few downloads away from starting to hack the database. There are so many aspects to securing AD, and this is rule number one. So having said that, I think a better approach to these situations is to ask 'what do I really want to accomplish?' rather than simply 'how do I do X or Y?' >From Mark's response, granting folks the ability to 'look around' as he put it, there are much better approaches to accomplishing what I am assuming is his goal of letting people monitor the server (if the goal is different then the solution is probably different). You can certainly monitor many of the things outlined in Mark's reply using remote tools that require neither an interactive session nor physical access - checking settings and runing services can all be done (perhaps with a touch of creaticity) using MOM or Spotlight or a host of other methods. Anyhow, don't want to get too far into the weeds, but in my opinion, physical access is just as if not more important than interactive or local logons. Solve the problem, not the single technical point, and you're probably better off. Rick -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Tuesday, September 14, 2004 9:33 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Logging on to a Domain Controller The reason for the question is that allowing local access to a DC substantially impacts your security. It is extremely bad practice and poor form to give non-domain admins interactive access to domain controllers. The recommendation from everyone, including MS is to not do it. Why? Because if they so choose, the person you give the access to will most likely have the ability to get administrative level access and can hopscotch that into complete forest admin access - usually with no knowledge of the DA's and EA's. Most people tend to do it when they don't know how to do things in a better more secure way. When we ask why, we are trying to understand the context to better provide solutions. I.E. Lots of people ask for lots of things and most of the time they don't know what they are asking for else they generally don't need to ask. Not saying you fit this category but before we give someone a loaded gun, we like to know that they intend to point at a rat in the dumpster versus their own head or foot. My general answer to someone who wants to give someone else interactive domain controller access is to give them domain admin rights, then you aren't fooling yourself into thinking you have a secure solution. joe -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark Sent: Tuesday, September 14, 2004 9:00 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Logging on to a Domain Controller Is it really important why ? I just want to know how it might be done. I am weird like that. Thanks for any other tips anyone might have. -----Original Message----- From: ASB [mailto:[EMAIL PROTECTED] Sent: Montag, 13. September 2004 21:44 To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Logging on to a Domain Controller ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ I would like to give a group of our 2nd level administrators the ability to log on to all Domain Controllers. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Because? -ASB ----- Original Message ----- From: Abbiss, Mark <[EMAIL PROTECTED]> Date: Mon, 13 Sep 2004 14:32:47 +0200 Subject: [ActiveDir] Logging on to a Domain Controller To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> I am going round in circles and am now completely confused ! I would like to give a group of our 2nd level administrators the ability to log on to all Domain Controllers. I have applied a group policy to the "Domain Controllers " OU which sets the "Computer configuration -> windows settings -> security settings -> local policies -> user rights assignment " to give this group "Log on locally" rights. I have also ensured that the group policy is applied to all authorised users. I have no problem logging on as I am an Enterprise Admin, however, the other admins are denied the ability to log on. Therefore, I modified the local DC security settings to give the same group the "Log on locally" right. Still they cannot log on. Please, what could I be missing ? Do I need to set access rights anywhere else ? Can I do anything to troubleshoot what rights this group is getting ? Many thanks for any help. List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
