I have a Windows Web Server 2008 R2 Core, which runs several web sites. There is no AD.

One of the web applications requires Windows Authentication for a single user.

I would like to restrict the user from doing anything except being used for IIS Windows authentication.

Here's what I did so far:

  • Removed the user from the 'Users' group.
  • Added the user to the 'Guests' group.
  • Removed the user from the logon screen (added to SpecialAccounts\UserList)

When I do a 'whoami.exe /all' for the user, he still gets:

GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes                                        
====================================== ================ ============ ==================================================
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Guests                         Alias            S-1-5-32-546 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192  Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State   
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

Why does this still show 'BUILTIN\Users', even though 'net user' shows:

...
Logon hours allowed          All

Local Group Memberships      *Guests
Global Group memberships     *None
The command completed successfully.

When the user connects to a share on the server, he succeeds but then using the mapped drive gives him an 'Access is denied' because he has no permissions on the share or folder.

What else can I do to limit what this account can do?

I am worried that the account credentials will get compromised if the user uses an unsecure machine with a keyboard logger installed.

The site only allows SSL and the server is behind a firewall that only permits 80 and 443.

If someone gets the user credentials from another server in the data center, I want to make sure that this web server is still secure.

Bernie White
Peter Hahndorf

1 Answer


"Authenticated Users" are members of the built-in local Users group. As the user account is authenticated, it is indirectly a member of the Users group.

And no, you don't want to remove Authenticated Users from the Users group.

You can assign the following Windows rights to the account using gpedit:

Deny log on as a batch job
Deny log on as a service

Greg Askew

  • Being on Server Core, there is no gpedit, but I'm using ntrights.exe anyways. Setting SeDenyBatchLogonRight and SeDenyInteractiveLogonRight as well as SeDenyInteractiveLogonRight did not help. The user could still use 'net use' or 'net view' against the server. Setting SeDenyNetworkLogonRight does prevent this but doing so also disables the ability to log on through a web browser using Windows authentication. – Peter Hahndorf Oct 17 '12 at 09:25
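An added PowerShell check (not from the answer or the comments) that verifies which of the deny-logon rights discussed above actually apply to the account on a Server Core box without gpedit, and lists the direct members of Users and Guests to show why whoami reports BUILTIN\Users. It assumes PowerShell is installed on the Core server, the script runs elevated, and WEBAUTHUSER is a placeholder for the account used by IIS Windows authentication.

```powershell
# Added example: audit logon rights and nested group membership of a local
# account on Server Core. $Account is a placeholder name (assumption).
param([string]$Account = 'WEBAUTHUSER')

# secedit lists principals as *SID, so resolve the account name to its SID.
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights area of the local policy (UTF-16 INI file).
# A right that is assigned to nobody does not appear in the export at all.
$cfg = Join-Path $env:TEMP 'rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$matches[1]] = $matches[2].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item $cfg

# The rights named in the answer and the comment. Denying network logon is
# what also blocks Windows authentication through the browser.
$check = 'SeDenyBatchLogonRight', 'SeDenyServiceLogonRight',
         'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight',
         'SeDenyNetworkLogonRight'
foreach ($r in $check) {
    $applies = $rights.ContainsKey($r) -and ($rights[$r] -contains $sid)
    '{0,-36} {1}' -f $r, $(if ($applies) { "DENIED for $Account" } else { 'not set' })
}

# Direct members of a local group, parsed from 'net localgroup' output
# (Get-LocalGroupMember is not available on 2008 R2).
function Get-GroupMembers([string]$Group) {
    $out   = net localgroup $Group
    $start = [array]::IndexOf($out, ($out | Where-Object { $_ -match '^-{5,}' }))
    $out[($start + 1)..($out.Length - 1)] |
        Where-Object { $_ -and $_ -notmatch '^The command completed' }
}
# 'NT AUTHORITY\Authenticated Users' inside Users is why whoami still
# shows BUILTIN\Users even though the account is only a member of Guests.
'Members of Users:  ' + ((Get-GroupMembers 'Users')  -join ', ')
'Members of Guests: ' + ((Get-GroupMembers 'Guests') -join ', ')
```

Run it after each change with ntrights.exe to confirm the right was recorded for the correct SID rather than for a similarly named account.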