A vendor is at a clients site:
"Hey Oliver, I was told to give you a call. I'm having difficulty saving this file across the network. I've:
given the account admin access,and tried domain admin access
Shared the C:\ drive with everyone,
turned off the firewall,
and disabled antivirus,
and it's still not working. "
I look, finding that at somepoint the device has been given the topmost level administrator account to save the occasional file.
No, that device is not secure.
I start pulling at threads: of the machines have their C:\ and C:\users folder shared with the group "everyone".
What? Why aren't policies propogating?
We purposely create policies and settings to prevent this. But, over the years various vendors have defacto removed computers & users from the domain to get their solutions to work. Security & fallout are not their concerns.
I found the workstations had their network settings changed to take them out of the domain controllers' authority.
"How did this happen?" you may ask.
This client was setup before we became serious about preventing end-users from having admin access.
This is why we don't want end-users to have admin access. Or if we do give it to them, it's limited and can't change the settings which
Now i've spent 4 hours at a 10 device office cleaning this up.
I know, I know, monitoring should have highlighted an issue much sooner. But some of these sites are hourly, or were configured many years ago and policy changes (like no admin access) aren't verified or truly enacted. Left forgotten.
Really, both I & the client are appreciative this was brought to light before an issue happened.
edit; some policies I have which should interact with all this: - Enable Logging & syslog
- Force windows firewall on - and log
- define workstation administrators group
- password expiry
edit; some policies I have which should interact with all this: - Enable Logging & syslog
- Force windows firewall on - and log
- define workstation administrators group
- password expiry