Mark Minasi's Tech Forum
#1 anthony
https://reddit.com/r/sysadmin/comments/5fxghz/psa_to_file_server_admins_have_uac_enabled_ever

Do you get prompted for creds even though you are domain admin, and that group has permissions on a folder?

__________________
If Chewbacca lives on Endor - You must acquit!

#2 Infradeploy
Good sum up. Just give rights to 'interactive' and anyone on the server can change rights and access the files
__________________
Have SpaceSuit, Will Travel

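The credential prompt in post #1 comes from UAC token filtering: in a non-elevated session the administrator's token carries groups such as Domain Admins and Administrators as deny-only SIDs, so Allow ACEs granted to those groups are ignored until the process is elevated. The script below is an added example (not code from any poster) that reports which Allow ACEs on a folder are inert for the current token; it assumes a domain-joined machine and a placeholder share path `D:\Shares\Finance`.

```powershell
# Added example: find Allow ACEs that the current (filtered) token cannot use.
# Run it from a normal, non-elevated PowerShell session on the file server.

function Test-TokenElevated {
    # IsInRole(Administrator) is false for a filtered token even if the user
    # is a member of Administrators via Domain Admins.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-DenyOnlyGroupSids {
    # whoami marks filtered groups with the attribute "Group used for deny only"
    whoami /groups /fo csv |
        ConvertFrom-Csv |
        Where-Object { $_.Attributes -match 'deny only' } |
        ForEach-Object { $_.SID }
}

function Get-InertAllowAces {
    param([Parameter(Mandatory)][string]$Path)

    $denyOnly = @(Get-DenyOnlyGroupSids)
    $acl = Get-Acl -Path $Path

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # orphaned / unresolvable SID, skip it

        if ($denyOnly -contains $sid) {
            [pscustomobject]@{
                Path     = $Path
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
                Note     = 'Allow ACE ignored by the filtered (non-elevated) token'
            }
        }
    }
}

# Usage (placeholder path): an empty result means every Allow ACE on the
# folder applies to this token; rows mean "elevate, or grant a non-filtered
# group scoped to the users who need it" rather than granting INTERACTIVE.
"Token elevated: $(Test-TokenElevated)"
Get-InertAllowAces -Path 'D:\Shares\Finance' | Format-Table -AutoSize
```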
#3 wkasdo
Just disable UAC on fileservers. It is more trouble than it's worth.
__________________
[MSFT]; Blog: https://blogs.technet.microsoft.com/389thoughts/

#4 anthony
Some of us are forced to leave UAC enabled due to compliance. [frown]

#5 jsclmedave
Quote:
Originally Posted by anthony
Some of us are forced to leave UAC enabled due to compliance. [frown]
Yep! Same here... Also, we disabled the ability to use Scheduled Tasks on all our servers. "Too vulnerable..!" <sigh>

__________________
Tim Bolton @jsclmedave
Email: [string](0..20|%{[char][int](32+('527377347976847978324785847679797514357977').substring(($_*2),2))}) -replace ' '  

New to the forum? Please Read this

#6 anthony
We have to get a special addendum to our security protocols on a case-by-case basis for scheduled tasks to run scripts. Each script has its own AD account, and the password must be changed every 30 days. [frown] #thestruggleisreal

#7 cj_berlin
Quote:
Originally Posted by anthony
We have to get a special addendum to our security protocols on a case-by-case basis for scheduled tasks to run scripts. Each script has its own AD account, and the password must be changed every 30 days. [frown] #thestruggleisreal

And what is this supposed to be able to accomplish? If someone manages to alter one of those scripts in a way that has to be described as 'nefarious', 30 days is more than enough time to hack your shop into oblivion, regardless of how big the shop is.

__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/

#8 cj_berlin
Quote:
Originally Posted by jsclmedave
Yep! Same here... Also, we disabled the ability to use Scheduled Tasks on all our servers. "Too vulnerable..!" <sigh>

Which is perfectly OK if you have some kind of centrally managed orchestration engine at your disposal. If you don't, well... <sigh> [wink]

#9 anthony
Quote:
Originally Posted by cj_berlin
And what is this supposed to be able to accomplish? If someone manages to alter one of those scripts in a way that has to be described as 'nefarious', 30 days is more than enough time to hack your shop into oblivion, regardless of how big the shop is.

Not my policy. Made that argument myself. For show? Who knows...

#10 wkasdo
Regarding scheduled tasks: did they limit access to it somehow, or did they disable it? The latter is not a great idea: https://blogs.technet.microsoft.com/askpfeplat/2013/07/14/why-you-shouldnt-disable-the-task-scheduler-service-in-windows-7-and-windows-8/.

#11 jsclmedave
Quote:
Originally Posted by wkasdo
Regarding scheduled tasks: did they limit access to it somehow, or did they disable it? The latter is not a great idea: https://blogs.technet.microsoft.com/askpfeplat/2013/07/14/why-you-shouldnt-disable-the-task-scheduler-service-in-windows-7-and-windows-8/.
I will find the exact setting where they disabled the ability to set a PW for a Scheduled Task.

#12 wkasdo
They probably disabled credential manager? There is a GPO setting for that.

#13 jsclmedave
Quote:
Originally Posted by wkasdo
They probably disabled credential manager? There is a GPO setting for that.
Yes I believe that was it...

They have since retracted that policy since our orchestration engine is lacking at best...

Once "they" get everything up to speed we can start talking about gMSAs instead of the old-school way they are using now...

#14 anthony
The setting is "allow Logon as Batch" I think...

BTW, we don't disable the Task Scheduler, it's just the setting above won't allow you to run a script from a scheduled task with elevating some privileges.

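Posts #6, #11 and #13 describe the two pain points with the per-script AD account approach: a password typed into every task and a 30-day manual rotation. A group Managed Service Account (gMSA) removes both, since AD rotates the password itself (30 days by default) and the task is registered with no password at all. The following is an added example, not code from any poster; every name is a placeholder (domain CONTOSO, file server FS01, account gmsa-cleanup, script C:\Scripts\Cleanup.ps1) and it assumes the domain already has a KDS root key and the RSAT AD PowerShell module is installed on FS01.

```powershell
# Added example: run a scheduled task under a gMSA instead of a user account
# whose password must be stored in the task and rotated by hand.

# --- on a domain controller or RSAT box, once per account ---
Import-Module ActiveDirectory
New-ADServiceAccount -Name 'gmsa-cleanup' `
    -DNSHostName 'gmsa-cleanup.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'FS01$' `
    -ManagedPasswordIntervalInDays 30      # AD rotates it; nobody knows the password

# --- on FS01, once per host ---
Install-ADServiceAccount -Identity 'gmsa-cleanup'
if (-not (Test-ADServiceAccount -Identity 'gmsa-cleanup')) {
    throw 'FS01 cannot retrieve the gMSA password; check PrincipalsAllowedToRetrieveManagedPassword'
}
# The gMSA still needs the "Log on as a batch job" user right on FS01
# (User Rights Assignment, normally via GPO); without it the task fails at logon
# with the same symptom post #14 describes for user accounts.

# --- register the task: no -User / -Password, the principal is the gMSA ---
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument '-NoProfile -File C:\Scripts\Cleanup.ps1'
$trigger = New-ScheduledTaskTrigger -Daily -At '2:00AM'
# LogonType Password tells the scheduler to fetch the managed password itself
$principal = New-ScheduledTaskPrincipal -UserId 'CONTOSO\gmsa-cleanup$' `
    -LogonType Password -RunLevel Limited
Register-ScheduledTask -TaskName 'Nightly share cleanup' `
    -Action $action -Trigger $trigger -Principal $principal

# --- verify: the task is bound to the gMSA and the last run succeeded (0x0) ---
(Get-ScheduledTask -TaskName 'Nightly share cleanup').Principal.UserId
Get-ScheduledTaskInfo -TaskName 'Nightly share cleanup' |
    Select-Object LastRunTime, LastTaskResult
```

Grant the gMSA only the NTFS rights the script needs on the share; the account's password never appears in a task definition, a script, or Credential Manager.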