Domain admin

Started by Dieselboy, August 04, 2016, 01:35:21 AM


Dieselboy

I have put a policy in place a bit like how Linux users run their systems, i.e. administrator users (such as myself) are unprivileged like all other normal users. But if server admin functions are required, a UAC log-in box will open and ask you to enter your credentials, where I put in my individual admin credentials.

I provided a new admin account to one of my sys admins and explained the above. I said, don't RDP or log in with this account, use it like sudo (he's a Unix guy). Basically, use the account you have now; if you need to do something that requires admin-level privilege then the authentication box will pop up and they can enter the admin details to authenticate.
(I've restricted which normal accounts can RDP to servers)

So later on I wanted to check he was OK. I opened up Task Manager and saw an active RDP session logged in with the domain admin account I said not to use for RDP log-ins. Not only that, the session was disconnected but still running :(

So because of that I had to implement something which prevents these admin accounts from logging in via RDP / interactive logon. I found that if I disabled this specifically in GPO, then we couldn't authenticate with UAC either. I found out that the same GPO item that stops you logging in interactively, also prevents auth. via UAC.

So I followed the below: http://www.authlite.com/kb/allow-runas-but-block-interactive-logon/

If I try to log in interactively now, it authenticates but then immediately logs me off. This is an okay workaround for me at the moment.
If there's any better way of doing this I'm keen to hear.

I also need to set a max logged in time, because people don't seem to understand how to log off. I thought you were taught that the first day of IT class.
me: "you have not logged off, you have just disconnected"
them: "no mate I logged off"

:professorcat:

(I've also worked on a plan to add all of our RHEL systems into AD for the same experience.)
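As an added example (not from the thread or the linked KB article), the check below verifies the "don't RDP with the admin account" rule instead of trusting it: it pulls Security event 4624 with LogonType 10 (RemoteInteractive, i.e. RDP) from the servers and reports any logon by a member of a privileged group. The server names and the `Domain Admins` default are placeholders; it assumes the ActiveDirectory module and remote read access to the Security log.

```powershell
# Report RDP logons by privileged accounts over the last N hours.
# Assumptions: domain-joined host, ActiveDirectory module installed, and permission
# to read the remote Security log. $Servers holds placeholder host names.
param(
    [string[]]$Servers = @('SERVER01', 'SERVER02'),   # placeholders, replace with real hosts
    [string]$PrivilegedGroup = 'Domain Admins',
    [int]$Hours = 24
)

Import-Module ActiveDirectory

# Resolve the group recursively so members of nested admin groups are covered too.
$privileged = Get-ADGroupMember -Identity $PrivilegedGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName

$filter = @{
    LogName   = 'Security'
    Id        = 4624                          # "An account was successfully logged on"
    StartTime = (Get-Date).AddHours(-$Hours)
}

$results = foreach ($server in $Servers) {
    Get-WinEvent -ComputerName $server -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the EventData <Data Name="..."> elements into a hashtable.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            # LogonType 10 = RemoteInteractive (RDP). A UAC elevation prompt is not an
            # RDP logon, so filtering on type 10 isolates exactly the misuse described above.
            if ($data.LogonType -eq '10' -and $privileged -contains $data.TargetUserName) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Server      = $server
                    Account     = "$($data.TargetDomainName)\$($data.TargetUserName)"
                    SourceIP    = $data.IpAddress
                    Workstation = $data.WorkstationName
                }
            }
        }
}

$results | Sort-Object Time | Format-Table -AutoSize
```

Run it as a scheduled task and alert on any rows; once the logon-then-logoff workaround is in place, each row also marks a server where that policy did not apply.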

deanwebb

Welcome to the hell of Windows security. Your workaround is quite likely your best bet at a permanent solution.

I'd mention maybe trying something in Powershell, but that is all I could do... mention... I'm no Powershell guy, at all.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Dieselboy

Same here :awesome:

Luckily for me I have enough of an understanding that I can search for documentation, which gives step-by-step instructions on how to achieve things. I had to use PowerShell to disable ADFS cert CRL checking, which was breaking Jabber auth., a little while ago. No idea what the commands are now, but Google will help me. I'm glad Google never goes down.
:awesome: