Gibit (Member), July 11, 2017 at 10:06 am, #167099
I'm trying to find the best solution to a security concern. I'll explain.
Our Active Directory domain has a group of users who only need access from the internet to one or more applications (typically an Exchange mailbox and/or SharePoint) and will never connect to the local network, authenticate on a domain computer, or access a file share.
They will only need to log in to the applications, but since those apps need domain users I have these accounts in AD and I want to limit them, based on the least privilege principle.
The external users are the ones I have less control over, and I want their accounts to be completely useless if stolen, for anything other than logging on to those apps.
I have considered using the “Log On To” feature in the account configuration, pointing to a single, disconnected computer, but it does not convince me.
Do you have any suggestions? I think I'm not the first to have this concern, but I could not find any real answer on the forums.
Thanks a lot!
JeremyW (Moderator), July 11, 2017 at 10:19 am, #271537
I haven't dealt with this specific situation. You could try removing a user from Domain Users and see if the applications still function properly. If they do, that would be the easiest.
Gibit (Member), July 12, 2017 at 7:47 am, #305240
Thanks for your reply, Jeremy.
I tried to do as suggested, removing the account from the Domain Users group (to do so you need to assign the user another group membership as “Primary”).
Once removed from Domain Users the account is still able to log in to the application, but is also able to log on to any workstation.
I checked the default permissions assigned to the local group Users (in Local Users and Groups in Windows management) and when the computer is part of the domain three groups are automatically added:
NT AUTHORITY\Authenticated Users (S-1-5-11)
NT AUTHORITY\INTERACTIVE (S-1-5-4)
Since the user is not part of the first group, I guess it's allowed to log on through the second one. I can see the group in AD but not the contained members; it is probably dynamic somehow.
Any other idea?
JeremyW (Moderator), July 12, 2017 at 9:01 am, #271539
Ah yes, I didn't realize that Authenticated Users was part of the local Users group. Authenticated Users is a special identity and you cannot control its membership. More info: https://technet.microsoft.com/en-us/library/dn617202(v=ws.11).aspx
So in your situation you can use Group Policy to configure the “Deny log on locally” user right to prevent users and groups from logging on: https://technet.microsoft.com/en-us/library/cc957048.aspx
Let us know if that works for you.
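The approach suggested above (put the external-only accounts in a group and assign that group the “Deny log on locally” user right) as an added PowerShell example; this is not code from the thread or from either poster. It applies the right to the local security policy of the machine it runs on with secedit, which is useful for testing on one workstation; for the whole domain the same group goes into a GPO under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment. The group name, the sample account and the file paths are assumptions. It goes one step beyond the thread by also denying “Deny log on through Remote Desktop Services” (SeDenyRemoteInteractiveLogonRight), since an interactive-only deny still leaves RDP open; neither right blocks network logons, which is what Exchange and SharePoint use, so the published apps keep working. Run it as a local administrator on a domain-joined machine with the ActiveDirectory RSAT module installed.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original thread. Group, account and paths are assumptions.
param(
    [string]$GroupName  = 'External-App-Only-Users',   # assumed AD security group
    [string]$UserToTest = 'extuser01',                 # assumed external account
    # SeDenyInteractiveLogonRight = "Deny log on locally" (what the thread suggests)
    # SeDenyRemoteInteractiveLogonRight = "Deny log on through Remote Desktop Services" (added here)
    [string[]]$DenyRights = @('SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight')
)
Import-Module ActiveDirectory

# 1. Create the group once and put the external-only accounts in it.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description 'Accounts that may only authenticate to published web apps'
}
Add-ADGroupMember -Identity $GroupName -Members $UserToTest
$groupSid = (Get-ADGroup -Identity $GroupName).SID.Value

# 2. Export the current user-rights assignments so existing deny entries are preserved.
$export = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null

# secedit writes each right as "Name = *SID,*SID,..." (SIDs are prefixed with '*').
$privilegeLines = foreach ($right in $DenyRights) {
    $line = Select-String -Path $export -Pattern "^$right\s*=" | Select-Object -First 1
    $existing = @()
    if ($line) {
        $existing = @((($line.Line -split '=', 2)[1]).Trim() -split ',' | Where-Object { $_ })
    }
    if ($existing -notcontains "*$groupSid") { $existing += "*$groupSid" }
    "$right = $($existing -join ',')"
}

# 3. Build a minimal security template containing only the rights we change and apply it.
$template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
$($privilegeLines -join "`r`n")
"@
$tplPath = Join-Path $env:TEMP 'deny-app-only-logon.inf'
$template | Set-Content -Path $tplPath -Encoding Unicode   # secedit expects UTF-16
$dbPath = Join-Path $env:TEMP 'deny-app-only-logon.sdb'
secedit /configure /db $dbPath /cfg $tplPath /areas USER_RIGHTS | Out-Null

# 4. Verify: re-export and show that the group's SID now appears in each deny right.
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
foreach ($right in $DenyRights) {
    $line = Select-String -Path $export -Pattern "^$right\s*=" | Select-Object -First 1
    $ok = $line -and ($line.Line -like "*$groupSid*")
    "{0,-38} {1}" -f $right, $(if ($ok) { 'DENIED for ' + $GroupName } else { 'NOT SET (check output above)' })
}
```

After this runs, a console or RDP logon with the test account on that machine is refused, while its network logon to the web applications is unaffected. The deny list is merged rather than replaced, so entries such as Guests that were already denied are kept. Check the result from the account's side too: attempt a console logon with the test account, and then confirm the published application still accepts the same credentials.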