Friday, October 23, 2009

Active Directory Group Policy Restricted Groups

This article is not a tutorial on how to create and use 'Restricted' groups, but mainly a commentary on why I use them and also some design concepts that I use in my environment. If you would like more information on how to create 'Restricted' groups, see these tutorials:

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
http://www.security-forums.com/viewtopic.php?t=57556

What
Restricted groups is a section of group policy that allows you to set permissions on (add users and groups to) the local groups (e.g. Administrators, Power Users, Remote Desktop Users, etc.) on a resource (Computer/Server) that the policy applies to.

Why
I use restricted groups as part of my quest to eliminate having to change security permissions directly on each resource. Another benefit of using restricted groups is that the settings are reapplied every time group policy refreshes. So, if someone is able to escalate their privileges by adding themselves to the Administrators group on the local machine, the next time group policy refreshes it will remove them from the group. You will still need to monitor for this type of activity, as they will hold the elevated privileges for an entire logon session, or indefinitely if they can find a way to stop group policy from refreshing.

Design
If you refer back to my post on Active Directory Structure here, you will see that for each location I have an OU called 'Restricted Security'. In this OU are all of the restricted groups that I create for a location. These groups are 'Domain Local' groups. (If I remember correctly, your domain needs to be at a certain functional level in order to use 'Domain Local' groups, so if you have any problems assigning 'Domain Local' groups, you may want to check what functional level you are at.) Any time I am assigning groups to a resource (file/folder, computer, database, etc.) I use 'Domain Local' groups, because 'Domain Local' groups can contain groups from other domains while 'Global' groups cannot. The following is a sample of the types of groups I have in the 'Restricted Security' OU. I will use the placeholders [Location] and [Department] to show that I have groups for each location, department and location/department combination.

Under the OU HazarInc Groups > Enterprise > Restricted Security (if you have no clue what I am talking about here, please see my previous post here) you will find the following 'Restricted' groups:

Restricted Admins - Local Administrators on any machine in the domain
Restricted Power Users - Local Power Users on any machine in the domain
Restricted Remote Desktop Users - Local Remote Desktop Users on any machine in the domain

Under the OU HazarInc Groups > [Location] > Restricted Security you will find the following:

Restricted [Location] Admins - Local Administrators on any machine in [Location]
Restricted [Location] Power Users - Local Power Users on any machine in [Location]
Restricted [Location] Remote Desktop Users - Local Remote Desktop Users on any machine in [Location]
Restricted [Location] [Department] Admins - Local Administrators on any machine in [Department] at [Location]
Restricted [Location] [Department] Power Users - Local Power Users on any machine in [Department] at [Location]
Restricted [Location] [Department] Remote Desktop Users - Local Remote Desktop Users on any machine in [Department] at [Location]

Now, here is a rule that must be followed (Ok, it is a rule that I made up, but I like to follow it).

Rule
'Domain Local' groups can never include 'User' objects. You can only assign 'Roles' ('Global' groups) to 'Domain Local' groups; then you assign 'Users' to 'Roles' ('Global' groups). For example, if users in 'Provo' who are in the 'Human Resource' department need to be 'Power Users', you would add them to the 'Global' group 'Provo Human Resource Users' and then add that group to 'Restricted Provo Human Resource Power Users'. This means they would be 'Power Users' on any machine in 'Provo' that is assigned to the 'Human Resource' department's OU. Now, to filter that so that they can only log on to their own machine, we use an Active Directory add-on called 'LimitLogin' that was created by Microsoft and is free to use, but this is a topic for another day.

Alright, now you create group policy objects at the company/domain level, the location level, and the department level. Please refer to the tutorials above for information on creating these policies. Also, the restricted group policy setting is not additive: a lower-level policy replaces the local group's membership rather than appending to it. So if you have a policy at the company/domain level that contains groups for the local 'Administrators' group, you will need to add these same groups again at the location level and the department level. Below is an example of how I set the groups at each level for the 'Administrators' group and then the 'Power Users' group.

Company/Domain Level Administrators Group
Administrator - I make sure I assign the default groups and users
[DOMAIN]\Domain Admins - I make sure I assign the default groups and users
[DOMAIN]\Restricted Admins

Location Level Administrators Group
Administrator - I make sure I assign the default groups and users
[DOMAIN]\Domain Admins - I make sure I assign the default groups and users
[DOMAIN]\Restricted Admins
[DOMAIN]\Restricted [Location] Admins

Department Level Administrators Group
Administrator - I make sure I assign the default groups and users
[DOMAIN]\Domain Admins - I make sure I assign the default groups and users
[DOMAIN]\Restricted Admins
[DOMAIN]\Restricted [Location] Admins
[DOMAIN]\Restricted [Location] [Department] Admins

Company/Domain Level Power Users Group
[DOMAIN]\Restricted Power Users

Location Level Power Users Group
[DOMAIN]\Restricted Power Users
[DOMAIN]\Restricted [Location] Power Users

Department Level Power Users Group
[DOMAIN]\Restricted Power Users
[DOMAIN]\Restricted [Location] Power Users
[DOMAIN]\Restricted [Location] [Department] Power Users
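As an added example (not the post's own code), the following PowerShell encodes the layered, non-additive membership lists above and then checks a machine's actual local group against the expected list, which is the monitoring the 'Why' section says you still need. It assumes PowerShell 5.1 or later for Get-LocalGroupMember, that domain members appear with a NetBIOS prefix; 'HAZARINC', 'Provo' and 'Human Resource' are placeholder values taken from the post.

```powershell
function Get-ExpectedMembers {
    # Build the member list a Restricted Groups policy should set for one local group
    # at one policy level (domain, location, or location/department).
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][ValidateSet('Administrators', 'Power Users', 'Remote Desktop Users')]
        [string]$LocalGroup,
        [string]$Location,     # omit for the company/domain-level policy
        [string]$Department    # omit for the location-level policy
    )
    $suffix = switch ($LocalGroup) {
        'Administrators'       { 'Admins' }
        'Power Users'          { 'Power Users' }
        'Remote Desktop Users' { 'Remote Desktop Users' }
    }
    $expected = New-Object System.Collections.Generic.List[string]
    if ($LocalGroup -eq 'Administrators') {
        # Keep the defaults in Administrators at every level.
        $expected.Add('Administrator')
        $expected.Add("$Domain\Domain Admins")
    }
    # Restricted Groups is not additive, so each level repeats the levels above it.
    $expected.Add("$Domain\Restricted $suffix")
    if ($Location) {
        $expected.Add("$Domain\Restricted $Location $suffix")
        if ($Department) { $expected.Add("$Domain\Restricted $Location $Department $suffix") }
    }
    return $expected
}

function Compare-LocalGroupMembership {
    # Report members Restricted Groups has not (yet) removed, and expected members that are missing.
    param(
        [Parameter(Mandatory)][string]$LocalGroup,
        [Parameter(Mandatory)][string[]]$Expected
    )
    # Local accounts come back as COMPUTER\Name; strip the prefix so 'Administrator' matches.
    $prefix = '^' + [regex]::Escape($env:COMPUTERNAME) + '\\'
    $actual = @(Get-LocalGroupMember -Group $LocalGroup | ForEach-Object { $_.Name -replace $prefix, '' })
    [PSCustomObject]@{
        Unexpected = @($actual   | Where-Object { $Expected -notcontains $_ })
        Missing    = @($Expected | Where-Object { $actual   -notcontains $_ })
    }
}

# Placeholder values from the post: a machine in the Provo / Human Resource department OU.
$expected = Get-ExpectedMembers -Domain 'HAZARINC' -LocalGroup 'Administrators' -Location 'Provo' -Department 'Human Resource'
Compare-LocalGroupMembership -LocalGroup 'Administrators' -Expected $expected
```

Anything listed under Unexpected is a member the policy will strip at the next refresh, and worth investigating in the meantime.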

Up Next: Active Directory Security - Rights Assignment - Permissions for Shares and Folders
Also: SQL Server Security Using Active Directory

4 comments:

  1. I have a list of users that comes up when I am working with permissions. There are strange users even under the Users folder in My Computer. It is called Updatuser. Have you ever heard of this or encountered it before? If you can help me out, please send your response to calimo1960@gmail.com. I would appreciate any help. Due to a malicious program I had to wipe my entire hard drive and lost everything. Rather than pay $150 for Office Depot to reinstall Vista 32 bit SP2, I bought Windows 7 64 bit for $125 and installed it myself. I am worried that since this user thing showed up again I may be in trouble. Thank you in advance.

      Susan

  2. If you have an NVidia graphics card and don't notice any other suspicious activity, I wouldn't worry about it. It looks like it is a user created for the NVidia updater.

    http://answers.microsoft.com/en-us/windows/forum/windows_vista-security/what-is-updatuser/01715f9e-99de-4df4-9ded-96c3b94cce06
    http://windows7forums.com/windows-7-support/65157-question-users.html
