We have an application to which I want to add a feature that grants additional access to domain admins of our corporate domain. The application runs outside of our domain as well. Obviously, I can query what domain the machine is joined to, and if it matches our corporate domain, enable the feature, but I'm concerned that a hypothetical "advanced" hacker might create their own domain at home with exactly the same name. How can I verify the identity of the domain, so that I can enable the feature only for our actual corporate domain, not just any domain whose name matches?
Related
How can we know if a SID (Windows event security identifier) belongs to a domain account or a local account?
There seems to be no simple general rule to distinguish a local account SID from a domain account SID, but there are some well-known SIDs you can recognize.
It is certain that all local account SIDs are unique in the local scope and all account SIDs in the same domain are unique in the domain scope; otherwise there would be conflicts.
The domain identifier is used to distinguish the SIDs of one domain from the SIDs of other domains in the same enterprise.
The relative identifier is used to distinguish one SID from another in the same domain.
More references: Machine SIDs and Domain SIDs, Security identifiers, SID Components.
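The two questions above meet in the same place: an account SID of the form S-1-5-21-X-Y-Z-RID carries the identifier of the machine SAM or domain that issued it, so comparing that prefix against a known machine SID and a known domain SID tells you the account's scope, and a domain that merely shares the corporate domain's name is issued a different S-1-5-21 prefix and therefore fails the comparison. The following parser and checks are an added example for this thread, not code from any answer; all SIDs in it are constructed sample values, the expected domain SID is assumed to have been recorded out of band from the real corporate domain, and the check defeats a name clash only, since the application still obtains the SIDs from the host and domain controller it is running against.

```python
"""Classify Windows SIDs by issuer and check an account against an expected
domain.  Added example for this thread, not code from any answer; every SID
below is a constructed sample value, not a real domain's identifier."""
from dataclasses import dataclass

DOMAIN_ADMINS_RID = 512  # well-known RID of the Domain Admins group


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: tuple

    @classmethod
    def parse(cls, text):
        parts = text.strip().split("-")
        if len(parts) < 3 or parts[0].upper() != "S":
            raise ValueError(f"not a SID: {text!r}")
        revision, authority = int(parts[1]), int(parts[2])
        subs = tuple(int(p) for p in parts[3:])
        # Revision is always 1; the authority fits 48 bits; at most 15 subauthorities of 32 bits each.
        if (revision != 1 or not 0 <= authority < 2**48 or len(subs) > 15
                or any(not 0 <= s < 2**32 for s in subs)):
            raise ValueError(f"malformed SID: {text!r}")
        return cls(revision, authority, subs)

    def __str__(self):
        return "-".join(["S", str(self.revision), str(self.authority),
                         *(str(s) for s in self.subauthorities)])

    def is_sam_account(self):
        """S-1-5-21-X-Y-Z-RID: issued by a machine SAM or a domain, the only
        SID shape that carries an issuer identifier followed by an RID."""
        return (self.authority == 5 and len(self.subauthorities) == 5
                and self.subauthorities[0] == 21)

    def issuer(self):
        """The machine or domain SID (S-1-5-21-X-Y-Z) that issued this account SID."""
        if not self.is_sam_account():
            raise ValueError(f"{self} carries no machine/domain identifier")
        return Sid(self.revision, self.authority, self.subauthorities[:-1])

    def rid(self):
        return self.subauthorities[-1]


def account_scope(sid_text, machine_sid_text, domain_sid_text):
    """Return 'local', 'domain', 'well-known' or 'unknown-issuer' for an
    account SID, given the SIDs of this machine and of the corporate domain."""
    sid = Sid.parse(sid_text)
    if not sid.is_sam_account():
        return "well-known"          # e.g. S-1-5-18 (SYSTEM) or S-1-5-32-544 (BUILTIN Administrators)
    issuer = str(sid.issuer())
    if issuer == machine_sid_text:
        return "local"
    if issuer == domain_sid_text:
        return "domain"
    return "unknown-issuer"          # SAM-style SID from a machine or domain we do not know


def holds_domain_admins(token_group_sids, domain_sid_text):
    """True if the token's group list contains the Domain Admins group of the
    expected domain, i.e. <expected domain SID>-512.  A look-alike domain with
    the same name but its own SID does not match."""
    expected = f"{domain_sid_text}-{DOMAIN_ADMINS_RID}"
    return any(str(Sid.parse(g)) == expected for g in token_group_sids)


# Constructed sample identifiers: all three are S-1-5-21 issuers, which is why
# a name comparison cannot tell them apart but a SID comparison can.
MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"
CORP_DOMAIN_SID = "S-1-5-21-4000000000-123456789-987654321"
LOOKALIKE_DOMAIN_SID = "S-1-5-21-777777777-888888888-999999999"

if __name__ == "__main__":
    for s in ["S-1-5-18", MACHINE_SID + "-1005", CORP_DOMAIN_SID + "-1106",
              LOOKALIKE_DOMAIN_SID + "-512"]:
        print(s, "->", account_scope(s, MACHINE_SID, CORP_DOMAIN_SID))
```

The feature gate for the first question is then `holds_domain_admins(groups_from_token, CORP_DOMAIN_SID)` with the group SIDs taken from the caller's logon token rather than from the domain name the machine reports; the classification function answers the second question for any account SID the event log hands you.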
I'd like to add basic authentication to a website in IIS, https only. For this I need to create a Windows user. It is important that this user can access nothing other than this website. So I need to add him to Deny log on locally & Deny log on through Remote Desktop Services in Local Computer Policy.
However, I cannot add him to Deny access to this computer from the network, or he can't access the website. Microsoft says about this permission:
Users who can log on to the device over the network can enumerate lists of account names, group names, and shared resources.
Users with permission to access shared folders and files can connect over the network and possibly view or modify data.
What can I do to create a user that I can be 100% sure can only access this website and absolutely nothing else?
To address your concern about the "Deny access to this computer from the network" policy: that shouldn't prohibit the account from being used to authenticate to the website, since "access from the network" doesn't include the HTTP/S protocol and the WWW service. Therefore, you can add the basic auth user account to the "deny access" policy as desired.
Sources...
https://www.itprotoday.com/compute-engines/understanding-access-computer-network-user-right
"Despite the broad-sounding name, the 'Access this computer from the network' user right applies only to the Server service and the resources it provides. The Server service primarily provides remote access to files and printers but also provides remote access to the resources you see in the Microsoft Management Console (MMC) Computer Management snap-in, including event logs, shared folders, local users and groups, logical disk management, and applications that use named pipes. However the Access this computer from the network user right has no effect on services such as World Wide Web Publishing, Telnet, and Terminal Services. To control access to these services, you must implement security settings specific to each service as necessary."
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network
"The Access this computer from the network policy setting determines which users can connect to the device from the network. This capability is required by a number of network protocols, including Server Message Block (SMB)-based protocols, NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus (COM+)."
Hope this helps.
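A way to confirm the account really ends up with every logon denial the thread talks about is to audit the `[Privilege Rights]` section of a `secedit /export /cfg <file>` dump rather than trusting the GUI. The script below is an added example for this thread, not code from either answer; the two export fragments are constructed samples, the account SID is made up, and the last two rights it checks (batch and service logon denial) go beyond what the thread mentions but are the remaining logon types a website-only account never needs.

```python
"""Audit which logon-denial rights a single account holds in a `secedit /export`
file.  Added example for this thread, not code from any answer; the two export
fragments below are constructed samples, not output from a real machine."""
import re

# Privilege constants as written in the export, mapped to the display names in
# Local Security Policy.  The first three are the ones this thread discusses;
# the last two go beyond the thread and cover batch and service logon.
DENY_RIGHTS = {
    "SeDenyInteractiveLogonRight": "Deny log on locally",
    "SeDenyRemoteInteractiveLogonRight": "Deny log on through Remote Desktop Services",
    "SeDenyNetworkLogonRight": "Deny access to this computer from the network",
    "SeDenyBatchLogonRight": "Deny log on as a batch job",
    "SeDenyServiceLogonRight": "Deny log on as a service",
}

WEB_USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1005"  # constructed

# Before: the account is denied local and RDS logon only (the asker's state).
WEAK_EXPORT = f"""\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = *{WEB_USER_SID}
SeDenyRemoteInteractiveLogonRight = *{WEB_USER_SID}
SeDenyNetworkLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
Revision=1
"""

# After: network logon is denied as well (IIS basic auth keeps working, as the
# answer explains), plus batch and service logon.
HARDENED_EXPORT = WEAK_EXPORT.replace(
    "SeDenyNetworkLogonRight = *S-1-5-32-546",
    f"SeDenyNetworkLogonRight = *S-1-5-32-546,*{WEB_USER_SID}\n"
    f"SeDenyBatchLogonRight = *{WEB_USER_SID}\n"
    f"SeDenyServiceLogonRight = *{WEB_USER_SID}",
)


def parse_privilege_rights(text):
    """Return {privilege: set of principals} from the [Privilege Rights] section.
    secedit writes SIDs with a leading '*'; plain account names may also appear."""
    rights, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = {p.strip().lstrip("*") for p in value.split(",") if p.strip()}
    return rights


def missing_deny_rights(export_text, account):
    """Display names of the deny rights the account does NOT yet hold.  An empty
    list means interactive, RDS, network, batch and service logon are all denied."""
    rights = parse_privilege_rights(export_text)
    return [display for priv, display in DENY_RIGHTS.items()
            if account not in rights.get(priv, set())]


def load_export(path):
    """secedit /export writes the file as UTF-16; decode it before parsing."""
    with open(path, encoding="utf-16") as f:
        return f.read()


if __name__ == "__main__":
    print("weak    :", missing_deny_rights(WEAK_EXPORT, WEB_USER_SID))
    print("hardened:", missing_deny_rights(HARDENED_EXPORT, WEB_USER_SID))
```

On a real machine, run `missing_deny_rights(load_export(r"C:\path\to\export.inf"), "<account SID>")` and expect an empty list; anything it returns is a logon path the account can still use.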
Maybe you should use another account type. The user account type should only be used for real humans (and for buggy applications).
https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/service-accounts
https://learn.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities
I have a PC (Windows 7) that has a domain user. Because of some maintenance issues the PC is not in the company that has the domain user. There is no access to the domain through the internet.
I need to add this domain user to one of the local groups. I tried to do this by means of the Local Users and Groups panel of Windows. It was not possible, of course: the only location available for the user is the local PC, and the domain is not accessible. As the local admin account I have also tried the command line
net localgroup "My Group" Domain\user1 /add
However, this also did not work. Is there any way to add a domain user to a local group when the domain is not available?
No, not without joining the computer to the domain containing the domain user you want to add locally, or at least to a domain that has a trust with the domain containing that user.
http://technet.microsoft.com/en-us/library/cc739265(v=ws.10).aspx
• If the computer is joined to a domain, you can add user accounts, computer accounts, and group accounts from that domain and from trusted domains to a local group.
Using a server application with C#, how is it supposed to work when accessing users in the same domain if authentication is only possible using the OAuth2Authenticator interface?
I'm able to access the domain admin's Drive, but I'm missing the 3-legged OAuth in 2.0.
Looking at this description found at this link: https://developers.google.com/drive/delegation
Since this is not executed as a service and is not using Google Apps, it cannot access: https://www.google.com/a/cpanel/mydomain
Also, the IP address of the machine running the server application is not known.
Currently I'm using: "Client ID for installed applications", and it works. But what I need is to also store files in other users in the same domain.
Another solution that works temporarily is to first store the files in the admin domain account and then move them to the user's domain account. But this removes the possibility of directing them to a parent folder in the end user's Drive; they will always be stored in the root for that end user.
Basically, what I want is the following:
A server application is running on a local machine (the admin domain account can be used).
The application uploads files to different users in the same domain, each with their own email address and their own Drive.
Yes, you can do that through 2-legged OAuth, which can provide domain-wide authorization.
Here are some links for your reference:
https://developers.google.com/gdata/docs/auth/oauth#2LeggedOAuth
http://support.google.com/a/bin/answer.py?hl=en&answer=2538798
Our developers have recently built a new internal 'image viewer' application for our staff to use. The image viewer runs as a website and uses Active Directory to authenticate the user and control what type of images that user is allowed to view.
I have this set up and working fine by running the website as an impersonated domain user. The problem I now face is that all the images are held on a non-domain share. How can I access this share using the domain user? The share is on a Novell NetWare 6.5 server.
Alternatively, I can run the website as a non-domain user and connect to the NetWare server to retrieve the images, but then I am unable to query Active Directory.
Can I allow a non-domain user access to query AD? I don't wish to allow anonymous queries on my domain controllers.
No, a non-domain user cannot query Active Directory unless you configure your domain to allow anonymous queries.
Depending on how everything is set up in the web application, you may be able to insert some code to switch security contexts and impersonate a domain user at the point where the query happens.