koncan
Welcome Newcomer
Slovenia
2 Posts
Status: offline
Posted - 06/07/2012 : 10:53:18 AM
Hi everyone,
I have a question regarding hardening security on a win2008R2 domain.
We don't use the built-in administrator account (as per MS best practices), but instead use special administrative accounts (they're members of the Domain Admins group), and they're stored in a special OU. What I would like to know is: does removing the Everyone group from the ACL of the OU where these administrative users are stored make any sense from a security standpoint?
When we tried this, the obvious consequence is that normal users aren't able to find them in an LDAP query; for example, a normal user isn't able to add file permissions for an admin user on his PC, because he can't locate the admin user. Does it have any other ramifications besides that? Is it advisable to remove Everyone from any OU? Or, in other words, are the user accounts in said OU any more secure with Everyone removed?
Thanks for any info, Tomaz Koncan
wkasdo
Administrator
Netherlands
7425 Posts
Status: offline
Posted - 06/07/2012 : 2:55:52 PM
Welcome to the forum, Tomaz! Not too many Slovenians here, I believe.
> make any sense from a security standpoint?
Not really... on the list of useful security measures, it's a LONG way down. And it's hard to get right. For instance, if you check the members of Domain Admins, what do you see?
my 2 cts, of course
Make it as simple as you can, but not simpler -- Albert Einstein
koncan
Welcome Newcomer
Slovenia
2 Posts
Status: offline
Posted - 06/08/2012 : 03:39:38 AM
Willem, thanks for your prompt response,
> For instance, if I you check the members of Domain Admins, what do you see?
When logged on as a normal non-admin user, I am able to see the "Domain Admins" group populated with the admin users (which we were supposed to protect). However, after clicking on one of those users I get this: "The following Active Directory error occurred: Directory object not found". So it seems that I am able to get a list of admins after all, which defeats the purpose of non-admin users not being able to obtain a list of administrative users... Sigh :)
Tomaz
Edited by - koncan on 06/08/2012 03:40:33 AM
Rambler
Major Contributor
Czech Republic
956 Posts
Status: offline
Posted - 06/08/2012 : 04:23:03 AM
You would have to take further steps to prevent regular users from seeing into certain OUs, but as Willem said, it quickly gets complicated (removing AU from Pre-Windows 2000 Compatible Access, which has a rather great impact on many things). Btw, removing Everyone is not the best idea, since it's also used to set the option "Protect object from accidental deletion".
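As an added example (not code from any poster in this thread), the PowerShell below lists every ACE on an OU that is granted to the Everyone principal and flags the Deny Delete/DeleteTree ACE through which "Protect object from accidental deletion" is implemented, so an admin can see exactly what removing Everyone would take away. It assumes the RSAT ActiveDirectory module (which provides the AD: drive); the OU distinguished name is a constructed placeholder.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-OuEveryoneAce {
    param([Parameter(Mandatory)] [string] $OuDistinguishedName)

    # Well-known SID of Everyone; compared by SID so the check does not depend
    # on the display language of the domain controller.
    $everyoneSid = 'S-1-1-0'
    $delete      = [System.DirectoryServices.ActiveDirectoryRights]::Delete
    $deleteTree  = [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree

    $acl = Get-Acl -Path ("AD:\" + $OuDistinguishedName)
    foreach ($ace in $acl.Access) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($sid.Value -ne $everyoneSid) { continue }

        # "Protect object from accidental deletion" is a Deny ACE for Everyone on
        # Delete and DeleteTree on the object itself; removing Everyone removes it.
        [pscustomobject]@{
            OU                   = $OuDistinguishedName
            Type                 = $ace.AccessControlType
            Rights               = $ace.ActiveDirectoryRights
            Inherited            = $ace.IsInherited
            IsDeletionProtection = ($ace.AccessControlType -eq 'Deny') -and
                                   $ace.ActiveDirectoryRights.HasFlag($delete) -and
                                   $ace.ActiveDirectoryRights.HasFlag($deleteTree)
        }
    }
}

# Constructed placeholder DN; replace with the OU that holds the admin accounts.
$adminOu = 'OU=Admin Accounts,DC=example,DC=local'
$aces = Get-OuEveryoneAce -OuDistinguishedName $adminOu
$aces | Format-Table Type, Rights, Inherited, IsDeletionProtection -AutoSize

if (-not ($aces | Where-Object IsDeletionProtection)) {
    Write-Warning "No Deny Delete/DeleteTree ACE for Everyone on $adminOu; accidental-deletion protection is not in effect."
}

# Rambler's other point: AU in Pre-Windows 2000 Compatible Access is what lets
# ordinary users read most directory objects. Review that membership before changing it.
Get-ADGroupMember -Identity 'Pre-Windows 2000 Compatible Access' | Select-Object Name, objectClass
```

Run it as a user with read access to the OU's security descriptor; an OU where Everyone has been stripped will return no rows at all, including the protection ACE.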