Security - Global group

  • Thread starter: Pravin

Pravin

I created a global security group and added machine A into the group.
When I access machine B through machine A, machine B checks
whether machine A is in the global security group. If so, it gives some
permissions. This works fine.
But when I remove machine A from the global group, machine B somehow
thinks machine A is still in the global group and gives permissions to
the request.
Even after rebooting machine B, it does not help. Surprisingly, when I
reboot machine A, machine B realizes that machine A is no longer in
the global group and denies permissions.

I guess the machine B checks the group SID in the token supplied by machine
A. Does it never get updated?
Is there any way to force this? Doesn't machine B query active directory at
all?

Thanks
Kumaradhas
 
Isn't it a security flaw that, even though Server A is removed from the
global group, this is still not recognized by Server B?
It is surprising that the Kerberos service ticket is not updated to reflect
the current settings.

Is there at least any way to force the checking in Server B?

- Pravin
 
I don't consider it a security flaw. It is highly unusual for someone to change group
memberships on a frequent basis and if they are, they need to take a look at the
logic behind their configuration. I suppose extra checking could be implemented but
at a performance cost. If you have special needs you can configure the lifetime of
Kerberos tickets in Domain Security Policy to suit your special needs. --- Steve
 