If you disable use of LM hashing of passwords via group policy
and you use a long, strong pass phrase for the admin accounts then
you really should not be concerned about caching left on uplevel
workstations due to a login (I assume admin accounts do not have
roaming profiles).
As the Lanwench has indicated, users by default can add computers
to the domain up to ten times. If this is insufficent, adding computers
to the domain can be delegated so that they have no ten limit. As you
say you have no choice in this, you may want to make the best of it.
You may want to make sure that you either have basic sanity policy
settings for workstations in a domain linked GPO, or that you change
the default location for newly added computers so they end up in an
OU to which such a GPO is linked. With this, when a user adds a
workstation it will be subjected to your basic sanity policies right
from the start. Without either of these, a new computer ends up in
the Computers container to which only domain linked (assuming no
site linked) GPOs apply, and in the default, there are very few policy
settings made at the domain level.
As far as remote management of your server, there are those that
advocate managing the domain only when logged in at the physical
console (i.e. no TS). Given you are remote from the server and it
runs so much, it may be difficult for you to adjust to such a tight
practice. Notice that you can use the configuration settings of the
Tcp RDP connectoid within the TS Mgmt UI to configure exactly
which accounts are allowed to connect (as opposed to all admins
as is the default), and that there are quite a few policies that may
be used via GPO in the TS adm template which allow you to set
heightened security aspects, like encryption strength, etc..
As to your initial question, whether such an account can be defined,
if I understand you correctly, then the answer is no, it cannot. In
order of an account to be of any use at all it must have access to
a fair amount of binaries in the Windows directory, to a profile,
etc.. So, not being too sure what you are envisioning, it sounds as
if you want an account that is so severely crippled that it would not
be allowed a login session and/or network connection. But then
again, I do not see what is the need given that users can add computers
to the domain. What thus you really need to do is to protect user accounts
from being misappropriated.
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
Eric H. Vela said:
TS in admin mode is what I was referring to. I'm not sure I particularly
like the idea. But it WOULD make certain aspects of management easier since
the target server is offsite.
The target DC and Domain are in a situation of being only one server in the
domain serving as DC, User, File, DNS and SQL servers. I know this is not
the recommended set up, but my hands are tied on that front so I am setting
up a test situation identical to that and wish to lock down the server
tighter than Ft. Knox with the intention of applying the same to the
server/domain in production. Though I'm out in the middle of nowhere, it
seems this area is a target for server hacking -- either that or the average
sys admin isn't knowledgable enough to protect their systems around these
parts. The current state of the target domain is poor on the security scale
and I intend to fix that as best as I can. Access to knowledgable personnel
locally is limited so I'm pretty much on my own on this one.
As always, the weakest link in the target domain is the users. My hands are
also tied on the local access of the workstations, but I can set the server
to any privilege I desire. Still formerly, the sys admin had used the
primary Domain Admin (was still named Administrator) for all administration
things on the workstations, and I'm aware that Windows 2K caches login
information locally on the workstations, and this information may be hacked
giving information about how to attack the server more easily with higher
access. However, if the Domain Admin logins never happen on the workstation,
the cached information is not created. Right? So my aim is to keep as much
information about the domain and its admins off of the workstations as
possible. The situation may arise where one of the above mentioned,
unrestrictable, workstation users will want to add another computer to the
domain themselves. (Again, not my recommendation, but my hands are tied.)
So essentially, it's a bad situation that I'm trying to make the best of. I
want to protect the server as best as possible if (or rather, when) a
workstation gets hacked. It is the heart of their entire operation.
Eric
"Lanwench [MVP - Exchange]"
Actually, I may be a little confused as to what you're trying to do, but
users themselves by default can join up to 10 computers to the domain.
What's your desired end goal here? You can delegate pretty much anything
you
want to an account, but I'm not sure what you're trying to do.
TS in admin mode is fine - if you mean in application mode, no, don't do
it.
