From: Vladimir Kraljevic (vladimir_kraljevicllbudapest.hu)
Date: Fri Jul 06 2001 - 04:55:46 CDT


    "NT AUTHORITY\Authenticated Users" matches any authenticated user, no matter
    where it has been authenticated, as long as there is trust between the
    authenticating domain and the domain where you are applying security. "NT
    AUTHORITY\Authenticated Users" includes "BUILTIN\Users", "NT
    AUTHORITY\Dialup" etc., and "{Your domain}\{any user}" and "{Any
    domain}\{any user}" that has a trust relationship with your domain. Things
    are getting more complicated with the new Win2000 "trusted for delegation" type
    of accounts; I'm still investigating the real meaning and possible consequences
    of this flag (even MS itself warned about this one).

    "BUILTIN\Users" matches only users logged on locally, on the machine you are
    applying security to.

    "{Your domain}\Users" matches only users logged on to your domain. If "{Your
    domain}\Users" are not members of any group on your local machine, they do
    not have access to your machine; "NT AUTHORITY\Authenticated Users" does, if
    your machine belongs to "{Your domain}". By default, when joining a WinNT
    domain, "{Your domain}\Administrators" are added to your machine's
    "BUILTIN\Administrators" group.

    So, in my opinion, the NSA approach is stricter and should be used, because
    it leaves fewer doors open. You should not deny access to "NT
    AUTHORITY\Authenticated Users", because this will close the doors to you,
    too, unless you want to leave that object accessible only by the
    system and you are the owner (or you can take ownership), so that you can
    gain access to it when you need to, and you know what you are doing.

    HTH,

    Cheers,
    Vladimir

    C:\>-----Original Message-----
    C:\>From: Loschiavo, Dave [mailto:DLoschiavofrcc.cc.ca.us]
    C:\>Sent: Friday, July 06, 2001 0:30
    C:\>To: 'focus-mssecurityfocus.com '
    C:\>Subject: Users -vs- Authenticated Users
    C:\>
    C:\>
    C:\>Can someone please explain the functional differences between the built-in
    C:\>groups "Users" and "Authenticated Users" in Windows 2000? I'd like to
    C:\>understand what practical difference there is in assigning a right or
    C:\>permission to the group "Users" instead of the group "Authenticated Users",
    C:\>and vice versa. I'd also gladly accept a URL to a site that explains the
    C:\>same.
    C:\>
    C:\>I'm looking over security guidelines published by the NSA
    C:\>and DISA, and the
    C:\>NSA is using Users, while DISA is using Authenticated Users.
    C:\>
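
The distinction Vladimir draws (a local "BUILTIN\Users" group versus the "Authenticated Users" well-known group that any trusted-domain account falls into) is easiest to see by resolving ACL principals to their SIDs. The following PowerShell script is an added example, not from the original thread or from the NSA/DISA guidance; it assumes a modern Windows host with the Get-Acl cmdlet, and the path `C:\inetpub` is only a placeholder. The SIDs S-1-5-11 (Authenticated Users), S-1-5-32-545 (BUILTIN\Users), S-1-5-4 (INTERACTIVE), S-1-5-1 (DIALUP) and the domain RID 513 (domain Users) are Microsoft's documented well-known values.

```powershell
# Added example (not part of the original mailing-list post): list the ACEs on
# a path and translate each principal to its SID, so that a grant to the broad
# "Authenticated Users" group is distinguishable from one to the local "Users"
# group or to a specific domain's "Users" group.
param([string]$Path = "C:\inetpub")   # placeholder path, not from the thread

# Well-known SIDs as documented by Microsoft.
$wellKnown = @{
    'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users (any account from a trusted domain)'
    'S-1-5-32-545' = 'BUILTIN\Users (local machine group only)'
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-4'      = 'NT AUTHORITY\INTERACTIVE'
    'S-1-5-1'      = 'NT AUTHORITY\DIALUP'
}

function Get-PrincipalScope {
    param([System.Security.Principal.IdentityReference]$Identity)
    $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value
    if ($wellKnown.ContainsKey($sid)) { return $wellKnown[$sid] }
    # Domain (or machine-local) groups carry the domain SID followed by a RID;
    # RID 513 is "Domain Users", RID 512 is "Domain Admins".
    if ($sid -match '^S-1-5-21-\d+-\d+-\d+-513$') { return "$Identity (domain Users, RID 513)" }
    if ($sid -match '^S-1-5-21-\d+-\d+-\d+-512$') { return "$Identity (Domain Admins, RID 512)" }
    return "$Identity ($sid)"
}

$acl = Get-Acl -Path $Path

# One row per ACE, with the principal annotated by how wide its membership is.
$acl.Access | ForEach-Object {
    [pscustomobject]@{
        Principal = Get-PrincipalScope $_.IdentityReference
        Type      = $_.AccessControlType
        Rights    = $_.FileSystemRights
        Inherited = $_.IsInherited
    }
} | Format-Table -AutoSize

# Flag the case the thread warns about: an Allow ACE for Authenticated Users
# reaches every account in every trusting domain, not just local users.
$broad = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-5-11'
}
if ($broad) {
    Write-Warning "Authenticated Users holds Allow ACEs on $Path; any trusted-domain account qualifies."
}
```

Run it against a directory you administer; comparing the annotated principal column with `whoami /groups` for a domain account and for a local account shows which rows each logon actually matches.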