Re: local admin can join computer to domain


barramundi

Here is the setup:

a new win2kPro installation, and a regular AD domain user account, say
domain\joeuser.

Log on to the computer as local administrator, create a local user called
joeuser, and put this user in the local admin group.
Log out and log in as local\joeuser.
Go to computer properties and join the computer to the domain. When asked
for a domain account, use domain\joeuser. Voila.


Now domain\joeuser is a regular user, member of the Domain Users group.
How can a regular user join a computer to a domain? Once it is done,
joeuser has explicit rights on that domain computer account. He can rename
it, reset it or anything.

Is there a fix to this bug, or is it a feature?

This is too good to be true ;-)

Microsoft did it again!

No, to be honest, I can't believe it. I'll try to check it out too. If only
I had the time...

BTW: Are we talking about W2k PRO with or without any SP's and/or security
rollup packages?

Greetz, barramundi...
 
I don't see this as a problem. You gave your trust to the user when you gave him
the right to log on to the domain. Adding his computer to the domain doesn't elevate his
privileges on the domain in any way, and he doesn't have any more rights to e.g.
domain resources than he did before his PC was in the domain. It just makes
the user's work a bit easier... Still, the user has to be local admin on the PC before he
can join the PC to the domain.
 
I don't see this as a problem.

Well I do.

Person brings his home laptop to work, which is infected with God knows what.
He joins the domain without permission of a domain admin and now
automatically has access to default shares on the network. Should I say
more?

Greetz, barramundi...
 
a) you can always disable the "Add workstations to domain" policy in AD
b) you should have your domain-wide antivirus policy :-)
c) you should have a written security policy that will let users know what
they are allowed to do and what they are not allowed to do and what will
happen if they break the rules

There are more options that you can use (or better said, should use). E.g.
don't have every network outlet wired all the time. Only connect the ones
that are really needed.

In more than 3 years since Windows 2000 domains came out I never had any
problems with this...
 
I was shocked when the intern tech began adding workstations to the domain. I
still think it is a security flaw that any user can do this. For sure, your
a) b) and c) points are valid, but nonetheless, this should be off by default.

I still don't understand the 10 limit though. I'd think either you permit
it, or you don't. Why limit it to 10? And where is the counter? Can it be
reset?

Chris
 
Hi Chris,

Well, I can understand that this could be a problem in some environments ...
just like it can be a problem if you forget "deny ip any any" in e.g. an access
list on some firewalls or routers :-). Is it a manufacturer's problem for
this? You can be in deep trouble if you forget it :-).
So you HAVE to know what you are doing ... 'bout enough of this :-) since it
can go on and on and on :-) ...

Two articles on this subject:

Domain Users Cannot Join Workstation or Server to a Domain
http://support.microsoft.com/default.aspx?scid=kb;EN-US;251335
***
"You Have Exceeded the Maximum Number of Computer Accounts" Error Message
When You Try to Join a Windows XP Computer to a Windows 2000 Domain
http://support.microsoft.com/default.aspx?scid=kb;en-us;314462

Like I said, this can be turned off or changed to e.g. 0 or 5 or 100
workstations...
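As an added example (not from any poster in this thread), a PowerShell script using the RSAT ActiveDirectory module that reads and lowers the ms-DS-MachineAccountQuota value the two KB articles refer to, and answers the "where is the counter" question: there is no stored counter, the DC tallies computer objects whose mS-DS-CreatorSID equals the joining user's SID. It assumes the ActiveDirectory module is installed and the caller can write to the domain head; the `$NewQuota` value and the example output are assumptions.

```powershell
# Requires the RSAT ActiveDirectory module (assumption: installed on this host).
Import-Module ActiveDirectory

# The quota lives on the domain naming context head, not in Group Policy.
$domainDN = (Get-ADDomain).DistinguishedName
$domainObj = Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota'
"Current ms-DS-MachineAccountQuota: $($domainObj.'ms-DS-MachineAccountQuota')"

# There is no per-user counter. Each join by a non-admin stamps the new
# computer object with the joining user's SID in mS-DS-CreatorSID, and the
# DC counts those objects at join time. Tally them per creator to see who
# has used how much of the quota (deleted computer objects no longer count).
$created = Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' `
    -Properties mS-DS-CreatorSID, whenCreated

$rows = foreach ($c in $created) {
    $raw = $c.'mS-DS-CreatorSID'
    # The module may return a SecurityIdentifier or a raw byte array; handle both.
    $sid = if ($raw -is [System.Security.Principal.SecurityIdentifier]) { $raw }
           else { New-Object System.Security.Principal.SecurityIdentifier($raw, 0) }
    try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $who = $sid.Value }   # creator may have been deleted since
    [pscustomobject]@{ Creator = $who; Computer = $c.Name; Joined = $c.whenCreated }
}

"Computers joined by non-admin users, per creator (constructed example output:"
"domain\joeuser 3 of quota):"
$rows | Group-Object Creator | Sort-Object Count -Descending |
    ForEach-Object { "{0,-30} {1,3} of quota" -f $_.Name, $_.Count }

# Setting the quota to 0 is what KB 251335 describes: ordinary users can no
# longer create computer accounts, while anyone explicitly granted "Create
# Computer objects" on an OU (or domain admins) can still join machines.
$NewQuota = 0   # assumption: 0 chosen here; the thread mentions 0, 5 or 100
Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = $NewQuota }
"ms-DS-MachineAccountQuota set to $NewQuota"
```

Run the tally first and keep the output; it is the only record of which existing machines were joined under the old quota, since lowering the quota does not touch them.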
 
a) you can always disable the "Add workstations to domain" policy in AD b) you
should have your domain-wide antivirus policy :-) c) you should have a
written security policy that will let users know what they are allowed to
do and what they are not allowed to do and what will happen if they break
the rules

There are more options that you can use (or better said, should use).
E.g. don't have every network outlet wired all the time. Only connect the
ones that are really needed.

In more than 3 years since Windows 2000 domains came out I never had any
problems with this...

a) This should be the default.

Just like MS has learned from IIS 4 and 5 with its 'Lockdown' tool. IIS 6
is a lot safer...

b) Absolutely, but you can't be careful enough.

c) Idem

Greetz, barramundi...

PS: Is this checked by the MBSA tool? It should be.
 
Do you allow your users to use VPN to have access to the network from home
or public place?
 