Security Basics mailing list archives

RE: Log on the domain

From: "Security News" <security () speakeasy net>
Date: Thu, 17 Apr 2003 18:07:10 -0400

The last time I was in a NT Enviroment, we did not allow any local user
accounts to be created on any machines to prevent users from logging on
locally, and if we decided to not allow anyone to logon locally, we gave
"Logon Locally" to no one including the administrator, and if an
administrator tried to logon locally, it would deny them to logon on
locally.  I remember doing this for several laptops.

-----Original Message-----
From: marc () saharadigital com [mailto:marc () saharadigital com]
Sent: Thursday, April 17, 2003 12:19 PM
To: mwharbi () hotmail com; security-basics () securityfocus com
Subject: RE: Log on the domain


forgive if this is incorrect but it's been a while since I've done this. If
you only have the Local administrator as a local user and delete the local
administrator profile (as well as any other local profiles if they exist)
when you logon, you shouldn't even have an option to select a local logon.
If no domain access is available you will still be able to logon using
cached credentials/profiles which was a problem in NT4.

I'm sure others can verify as I'm not at a machine at the moment where I can
test it to make sure. I've done this before so I know it can be done and I
at least know I'm on the right track :)

-----Original Message-----
From: Rusty Morgan [mailto:RMorgan () mbaj com]
Sent: Wednesday, April 16, 2003 7:48 AM
To: gillettdavid () fhda edu; J.S; security-basics () securityfocus com
Subject: RE: Log on the domain


David, I think you are correct about the log on locally issue.  Meaning that
it controls whether they can log into the console of the server.

Regarding JS's issue I have not been able to find a policy or setting that
will do what you want in NT/2000.  As someone mentioned previously in Win98
you can use the Policy Editor to force a domain login.  They also mentioned
that it was not a foolproof method for keeping them out.

To keep my users from logging in locally I don't create any local accounts
and the admin password it unknown to them.  That password could always be
cracked, but overall this seems to be the easiest way to accomplish what you
want.

Rusty

-----Original Message-----
From: David Gillett [mailto:gillettdavid () fhda edu]
Sent: Tuesday, April 15, 2003 7:13 PM
To: 'J.S'; security-basics () securityfocus com
Subject: RE: Log on the domain

-----Original Message-----
From: J.S [mailto:mwharbi () hotmail com]
To: security-basics () securityfocus com

How can we enforce the users log on to domain? I mean: Users
can not access
computer using admin or any other account, must log on the domain
controller. Is there any policy to do that?


  I've always interpreted the "Log on locally" policy as determining
whether a given user account can be used from the "console" keyboard
and monitor; i.e., an account without this right can only be used to
access the machine remotely.  I may have misunderstood that, since
multiple people seem to think it's what you want.

  I don't think there is a way to lock out all local access.  But
with Windows 2000 policies, you *can* prevent them from accessing any
network resources that are part of your domain structure.  Is that
good enough?

  (With NT domains, they can have access if their local account name
and password matches a domain account and password that has access.)

David Gillett



---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
world's premier event for IT and network security experts.  The two-day
Training features 6 hand-on courses on May 12-13 taught by professionals.
The two-day Briefings on May 14-15 features 24 top speakers with no vendor
sales pitches.  Deadline for the best rates is April 25.  Register today to
ensure your place.  http://www.securityfocus.com/BlackHat-security-basics
----------------------------------------------------------------------------


---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
world's premier event for IT and network security experts.  The two-day
Training features 6 hand-on courses on May 12-13 taught by professionals.
The two-day Briefings on May 14-15 features 24 top speakers with no vendor
sales pitches.  Deadline for the best rates is April 25.  Register today to
ensure your place.  http://www.securityfocus.com/BlackHat-security-basics
----------------------------------------------------------------------------




---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place.  http://www.securityfocus.com/BlackHat-security-basics 
----------------------------------------------------------------------------

Current thread:

Re: Log on the domain Chris Berry (Apr 15)
- <Possible follow-ups>
- RE: Log on the domain Lachlan McGill (Apr 15)
- Re: Log on the domain Chee Heng Chin (Apr 15)
- RE: Log on the domain Rusty Morgan (Apr 16)
- RE: Log on the domain marc (Apr 17)
  - RE: Log on the domain Security News (Apr 17)
  - RE: Log on the domain dave (Apr 21)