This has been bugging me for as long as I can remember:
By default, "Authenticated Users" is a member of the local Users group on all Windows Servers (2003/2008/2012).
My colleagues and I agree that this is a security hole. This default allows any domain user/computer to be granted user rights on the server. This results in "Domain Guests" group members being granted write access to the %systemroot% and public libraries, in addition to all other rights normally granted to users. This default effectively neuters the Domain Guests group. I'm referring to the Domain Guests group, not the built-in Guest account.
Let's review what is in the Authenticated Users group:
- All domain user accounts (Windows 2000)
- All domain user accounts except built-in Guest (Windows 2003+)
- All domain computer accounts
- All computer and user accounts in trusted domains except built-in Guest as noted above.
Security Concerns:
- Anyone (with any domain account) can log on to any system
- Everyone is granted at least user-level access to each system they access
On most servers, you don't want users to have any permissions. For example, why does anyone (other than the people who manage the server) need permission on a DHCP server? They don't, but with the default permissions, any domain user or domain-joined computer connecting to the DHCP server would effectively be given user-level rights. Unacceptable, right? Of course.
As networking professionals, our job is to plug/prevent these kinds of security holes/threats. So...
Workaround:
For years, we have been removing Domain Users, Authenticated Users, and INTERACTIVE from our servers' local Users group, and adding Domain Admins instead. For systems where users need access, such as file/print, we simply re-add Domain Users.
We've been doing this for years on Windows Server without problems (mostly).
Another Example:
Many companies for which I've consulted want to implement different levels of access for different people. This is simple: Visitors/Consultants are members of Domain Guests, Employees are members of Domain Users, and IT Staff are members of Domain Admins.
This works great when you implement the workaround above. But, with the default settings, visitors are granted the same permissions as employees. So, you cannot use the built-in groups, and instead you must create custom groups and implement elaborate GPOs and ACLs to treat the Users group as an untrusted group and deploy a non-well-known-SID "Employee" group.
One more Example:
We have a network scanner that queries AD to obtain a list of users' email addresses so that it can email the scanned image. In our domain, anonymous LDAP is disabled, so the scanner must use a domain account to query the directory. We don't want to create a regular user account because the scanner doesn't need that access and it would give a hacker a "normal user account" if they breached the password. So, we placed the account in, and only in, the Domain Guests group. Now, this account has no access to our Windows servers, and can only query AD. (Of course, the "hacker" can query AD for admins and target them for hacking, but that's a different issue).
With "Authenticated Users" in the local Users group, someone using the scanner account would have User-level rights on every server in the domain. Scary!
You see how the default group membership neuters the Domain Guests group?
Problem with the Workaround:
Starting with Windows 2008, I've found situations where Windows doesn't operate properly if the Authenticated Users group has been removed from Users. There have been numerous scenarios where I encountered a problem for which I couldn't find any help on the Internet. When this happens, I think "let me add Authenticated Users to the Users group and test again". Voila! It usually fixes the problem. For example, a failover cluster cannot bring the network name online if Authenticated Users is not in the Users group.
Summary:
Windows supports 4 core access levels: Guest, User, Power User (server operator), Administrator
But, the default permissions eliminate the usefulness of the Guest level. Essentially, EVERYBODY in the domain (including computers) is at least a user!
Removing Domain Users, Authenticated Users, and INTERACTIVE from the server's local Users group, and adding Domain Admins, is a valid workaround (albeit with some one-off problems).
So why is this not the default?! At least for servers. Seriously! 12 years after the "Trustworthy Computing" program, this seems like an overlooked design flaw.
Someone please explain to me why EVERY user in the domain(s) should be able to log on to EVERY server in the domain(s), and create files/folders on the system drive - BY DEFAULT.
Thank you
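The following is an added example, not code from the original post: a PowerShell script that audits a server's local Users group for the three memberships the workaround above removes (Authenticated Users, INTERACTIVE, Domain Users), and, only when asked, applies the workaround by removing them and adding Domain Admins. It matches the well-known groups by SID rather than by display name, skips the cluster-node case the post reports as breaking, and assumes PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module (Windows Server 2016+), run as a local administrator. The domain name CONTOSO is a placeholder.

```powershell
# Added example (not from the original post). Audits, and optionally remediates,
# the local Users group membership discussed above.
# Assumptions: PowerShell 5.1+ with Microsoft.PowerShell.LocalAccounts
# (Get-/Remove-/Add-LocalGroupMember), run elevated on the server itself.
param(
    [string]$DomainNetBIOS = 'CONTOSO',   # placeholder: replace with your domain's NetBIOS name
    [switch]$Remediate                    # audit only unless -Remediate is given
)

# Well-known SIDs the workaround removes from Users. Matching on SID rather
# than name avoids locale-specific display names.
$wellKnown = @{
    'S-1-5-11' = 'NT AUTHORITY\Authenticated Users'
    'S-1-5-4'  = 'NT AUTHORITY\INTERACTIVE'
}

# Domain Users is a per-domain SID: S-1-5-21-<domain>-513. Match on the RID
# so a renamed Domain Users group is still caught.
$domainUsersRid = 513

$members = Get-LocalGroupMember -Group 'Users'

$offending = foreach ($m in $members) {
    $sid = $m.SID.Value
    if ($wellKnown.ContainsKey($sid)) { $m; continue }
    if ($sid -match '^S-1-5-21-\d+-\d+-\d+-(\d+)$' -and [int]$Matches[1] -eq $domainUsersRid) { $m }
}

if (-not $offending) {
    Write-Host 'Users contains none of Authenticated Users, INTERACTIVE or Domain Users.'
} else {
    Write-Host 'Members of Users that grant broad user-level access:'
    $offending | Format-Table Name, SID, ObjectClass -AutoSize
}

if ($Remediate -and $offending) {
    # Caveat from the post: a failover cluster cannot bring its network name
    # online without Authenticated Users in Users, so leave cluster nodes alone.
    if (Get-Service -Name ClusSvc -ErrorAction SilentlyContinue) {
        Write-Warning 'Cluster service present on this host; not changing Users membership.'
        return
    }

    foreach ($m in $offending) {
        Write-Host "Removing $($m.Name) from Users"
        Remove-LocalGroupMember -Group 'Users' -Member $m -Confirm:$false
    }

    # The workaround replaces the removed principals with Domain Admins only.
    $admins = "$DomainNetBIOS\Domain Admins"
    if (-not ($members | Where-Object { $_.Name -eq $admins })) {
        Write-Host "Adding $admins to Users"
        Add-LocalGroupMember -Group 'Users' -Member $admins
    }
}
```

Run it with no switches first to see what the server's Users group actually contains; re-run with `-Remediate` to apply the change. On servers where users legitimately need access (the file/print case above), add Domain Users back afterwards with `Add-LocalGroupMember -Group 'Users' -Member 'CONTOSO\Domain Users'`. On the older releases the post names (2003/2008/2012), which lack the LocalAccounts cmdlets, the equivalent removal is `net localgroup Users "NT AUTHORITY\Authenticated Users" /delete`.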