2

An organization requires several administrators to have a role of a security auditor. They must have read-only (via network/remote) access to Windows Server 2008 / R2 systems and have permissions to view the server configuration. They must not be able to make any other changes to the server or the network, like restarting or making any configuration changes.

However, I can't find any built-in settings for a user like this. The closest thing is the "Users" user group [1]; however, from my understanding every user in the domain is in this group and cannot view the domain server's configuration.

So, what are other options of implementing a read-only user account in Windows Server 2008?

[1] http://technet.microsoft.com/en-us/library/cc771990.aspx

Babken Vardanyan
  • What do you mean "server configuration?" If you're talking the stuff in "Server Manager", it's restricted to Administrators only since it requires elevation. – Nathan C Aug 20 '14 at 16:55
  • @NathanC By that I mean a list of every configuration change done since the server was created. I am ok with both a GUI and text config/cmd output (if there is such a thing in Windows servers). – Babken Vardanyan Aug 21 '14 at 02:52
  • @user2529583 That's still impossibly broad. What do you define as a configuration change? Changing permissions on a file/folder? What about changing a registry key? Installing a patch? Configuring a role service or feature? What about adding a DNS server? (And so on, and so on.) – HopelessN00b Aug 21 '14 at 06:46
  • @HopelessN00b Yes to all the questions. They are all security state changes since the server installation moment. It's OK if some less important changes are excluded though. – Babken Vardanyan Aug 21 '14 at 15:18
  • @user2529583 That was actually supposed to be an indication of how impossibly broad your request is. The other problem is that you're making the implicit assumption that the server was created in a perfectly secure state, which it wasn't. Don't worry about changes, worry about its current state, and analyze that for vulnerabilities or exploits. (And again, this is usually performed by having admins pull data from the server for the auditors to analyze, not the way you're trying to go about it.) – HopelessN00b Aug 22 '14 at 12:36

2 Answers

3

No, this is not plausible. It's technically possible to go through and create an account that has read-only privileges to everything, but that would be quite an undertaking, and there's nothing like that which currently exists, to my knowledge.

The issue is that, by default, most of the "configuration" settings you want to view are only accessible at all to administrative users, who can also modify them. So to create a read-only user that can access everything, you're basically looking at modifying everything (file system, registry, application permissions) to add read-only access for a given user.

Do like the rest of the world and have the auditors request information from the admins, if necessary, while the auditors watch the admins retrieve the required information.

HopelessN00b
  • Can you please go into a bit more detail about 1. How exactly to set read-only permissions to everything for a given user; 2. Regarding the last paragraph - what exactly does/should the information retrieval look like? There are thousands of settings on the server, should the auditor ask and watch the admins show him every single one? – Babken Vardanyan Aug 21 '14 at 02:59
  • @user2529583 1. - not really... I mean, you just add your user to the ACL/ACE on the thing in question (file, folder, registry key, application, etc), apply read permissions and... rinse and repeat for every object on the server. Obviously, inheritance will go a long way (for files, apply to the root of each drive and apply to all child objects, similar process for registry keys, application permissions and the like are going to be trickier). – HopelessN00b Aug 21 '14 at 06:53
  • 2. If your auditing process requires the auditors to view thousands of changes, your process is very broken. First off, they have to know what information they want, and "everything that's ever been changed" isn't even remotely close to qualifying. Typically, auditors will require a number of reports to be generated on specific categories. For example, in the most recent audit I suffered through, it was a list of all administrative accounts, all accounts with any access to our financial databases, permissions on applicable files and registry keys, and a number of global settings. – HopelessN00b Aug 21 '14 at 06:57
  • I think I didn't explain very well what I mean by "auditor". An auditor is the person whose job is to watch the actions of administrators and watch for / warn about dangerous actions (regarding information security). He's a full-time employee, not a one-off guy from an external company. – Babken Vardanyan Aug 21 '14 at 15:25
  • @user2529583 Still, the way that's usually done is by checking the current configuration for known security issues and/or running exploit kits against your infrastructure to try to find existing vulnerabilities. Even with internal auditors (which we have too), the standard approach is "give me the following information/reports, and I'll run them through my tools and vulnerability lists." – HopelessN00b Aug 22 '14 at 12:33
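
The report-based approach described in the answer and comments above, as an added example that is not part of the original thread: an administrator runs this PowerShell 2.0-compatible script and hands the CSV files to the auditor. It covers the local Administrators group and the ACLs of a chosen set of files and registry keys; the target paths, key names and output folder are assumptions to replace with the categories the auditor actually asks for.

```powershell
# Example values (assumptions): adjust to the objects the auditor wants reported.
$targets = @(
    'C:\Windows\System32\drivers\etc',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SYSTEM\CurrentControlSet\Services'
)
$outDir = 'C:\AuditReports'

# Members of the local Administrators group, read through the WinNT ADSI provider
# (Get-LocalGroupMember does not exist on Server 2008 / R2).
function Get-LocalAdministrators {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $t = $m.GetType()
        $adsPath = $t.InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class   = $t.InvokeMember('Class',   'GetProperty', $null, $m, $null)
        New-Object PSObject -Property @{
            Computer = $env:COMPUTERNAME
            Member   = $adsPath -replace '^WinNT://', ''
            Type     = $class
        }
    }
}

# One row per access control entry on each file, folder or registry key.
function Get-AclReport([string[]]$Path) {
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { Write-Warning "Not found: $p"; continue }
        $acl = Get-Acl -Path $p
        foreach ($ace in $acl.Access) {
            if ($ace -is [System.Security.AccessControl.RegistryAccessRule]) {
                $rights = $ace.RegistryRights
            } else {
                $rights = $ace.FileSystemRights
            }
            New-Object PSObject -Property @{
                Path = $p; Owner = $acl.Owner; Identity = $ace.IdentityReference.Value
                Type = $ace.AccessControlType; Rights = $rights; Inherited = $ace.IsInherited
            }
        }
    }
}

if (-not (Test-Path $outDir)) { New-Item -ItemType Directory -Path $outDir | Out-Null }
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
Get-LocalAdministrators | Select-Object Computer, Member, Type |
    Export-Csv (Join-Path $outDir "admins-$stamp.csv") -NoTypeInformation
Get-AclReport $targets | Select-Object Path, Owner, Identity, Type, Rights, Inherited |
    Export-Csv (Join-Path $outDir "acl-$stamp.csv") -NoTypeInformation
```

The script only reads group membership and ACLs, so it changes no permissions on the audited objects; domain-level administrative groups are outside what it reports.
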
1

Going forward, your auditor should be using a system like Varonis to track system changes. Then they have their own interrogation tool that they alone can log into and it'll give them that kind of information.

Changing file system, registry etc permissions may lead to permission problems in future.

Anthony

Anthony P