How to restrict DirectAccess for local admins

  • Question

  • We're implementing full use of UAC.
    Users absolutely in need of administrative rights will get a local account on their computer with administrative rights.
    So we want to configure our NAP to check for admin rights for the user accessing DirectAccess (in case someone should get the idea of granting themselves admin rights).

    How can this be done? We want to block DirectAccess and log the attempt.

    Tuesday, June 29, 2010 10:49 AM

Answers

  • If the user is logged in with a local account - the user won't be able to authenticate to establish the intranet tunnel and won't be able to access resources outside of those allowed to the machine account through the infrastructure tunnel.

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    • Marked as answer by Erez Benari Tuesday, June 29, 2010 8:57 PM
    Tuesday, June 29, 2010 5:45 PM

All replies

  • OK, I have to explain better. That's why we want to use a local account for their admin needs. But when you have the local admin account, you have the means to grant your domain user administrative rights. So if that is done, we want to stop them from using DA and log that they have done so.
    Wednesday, June 30, 2010 7:30 AM
  • Hi Amigo. I don't think what you want to do can be restricted through standard NAP or other default configuration in DA. One alternative could be applying a Group Policy with Restricted Groups. This will allow you to control membership and prevent the local admins group from being extended. Hope it helps.
    // Raúl - I love this game
    Wednesday, June 30, 2010 7:48 AM
  • Hi Amigo. I don't think what you want to do can be restricted through standard NAP or other default configuration in DA. One alternative could be applying a Group Policy with Restricted Groups. This will allow you to control membership and prevent the local admins group from being extended. Hope it helps.
    // Raúl - I love this game


    I know standard NAP settings are not capable of doing this. That's why I'm trying to figure out a solution. The solution you provide will help if one of our admins makes the error of granting a normal user account admin rights, or if one of our admins is logged on with their admin account.

    We use this setup for a normal user.

    1. Local account on their computer, with administrative rights. This account is only valid on this computer and has no rights in the domain.

    2. Normal user account, with their needed privileges on the domain.

    For admin users: same as the above, plus an account with admin rights.

    We want only the normal user account to be logged in when accessing our network, even for our admins.

    Wednesday, June 30, 2010 8:27 AM
  • Hi Amigo. Not sure if this will work, but DirectAccess is composed of a series of rules for firewall and IPsec. In IPsec rules you can specify authentication and the users to whom the rule applies. Maybe excluding local admins could work.

    P.S.: That could be done straightforwardly in UAG (SSL VPN, not DirectAccess) with proprietary detection and endpoint policies.


    // Raúl - I love this game
    Wednesday, June 30, 2010 9:42 AM
  • Local admins are not domain users, so you can't put them in the exclusion list of the DA IPsec rules.

    Wednesday, June 30, 2010 11:17 AM
  • Are custom SHVs possible?
    Wednesday, June 30, 2010 11:41 AM
  • OK, I have to explain better. That's why we want to use a local account for their admin needs. But when you have the local admin account, you have the means to grant your domain user administrative rights. So if that is done, we want to stop them from using DA and log that they have done so.


    That's true - they can make their domain user accounts local admins - but it won't change their domain status - they will still be restricted users in the domain. Right?

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Wednesday, June 30, 2010 1:35 PM
  • Hi Amigo. I don't think what you want to do can be restricted through standard NAP or other default configuration in DA. One alternative could be applying a Group Policy with Restricted Groups. This will allow you to control membership and prevent the local admins group from being extended. Hope it helps.
    // Raúl - I love this game


    I know standard NAP settings are not capable of doing this. That's why I'm trying to figure out a solution. The solution you provide will help if one of our admins makes the error of granting a normal user account admin rights, or if one of our admins is logged on with their admin account.

    We use this setup for a normal user.

    1. Local account on their computer, with administrative rights. This account is only valid on this computer and has no rights in the domain.

    2. Normal user account, with their needed privileges on the domain.

    For admin users: same as the above, plus an account with admin rights.

    We want only the normal user account to be logged in when accessing our network, even for our admins.

    Is this what you do for users when they are on the corpnet? Remember, DA is a bit different from VPN in that you need to consider the DA client the same as an intranet client, and so whatever you do for intranet clients should be done similarly for DA clients.

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Wednesday, June 30, 2010 1:38 PM
  • Local admins are not domain users, so you can't put them in the exclusion list of the DA IPsec rules.


    Hi Yaniv,

    I think the issue here is that they are concerned that the users will leverage the local admin account to grant the users' domain user account local admin rights. At that point, the user account, which has limited rights to domain resources, will have local admin rights, which might expose that machine to higher risk than otherwise. However, I don't see what the difference is between DA clients and intranet clients in this regard.

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Wednesday, June 30, 2010 1:41 PM
  • If you know how to write them, they probably could detect this kind of situation.

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Wednesday, June 30, 2010 1:42 PM
  • You're absolutely right Thomas, we should catch this in the intranet too. But in the intranet, we have a lot of exceptions to the "no admin rights for domain users" rule. Way too many, and we used DA to leverage the need for blocking admin rights for our domain users.

    This way we'll catch most of the laptops, and they have been the real problem for us. With DA and NAP, we actually have some control over them. So if we can make sure they don't run with admin rights, we have come a long way.

    Thursday, July 1, 2010 7:02 AM
  • Hi GardSx,

    I guess that using group policy, you can run a script on all machines that, as soon as it detects that the domain user has administrator permissions, deletes the IPsec certificate from the machine.

    This way, DirectAccess will stop functioning until they renew their certificate.

    Thursday, July 1, 2010 11:49 AM
  • Seemed like a good idea, but it takes only a few seconds for DA to update the certificate.
    Wednesday, July 7, 2010 11:44 AM
  • Or perhaps remove the machine account from the DirectAccess user group.

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Wednesday, July 7, 2010 11:47 AM
  • hehe, that would work. Not a very dynamic solution, but would get "the bad guys"
    Thursday, July 8, 2010 10:25 AM
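    Added example, not code from the thread or from Microsoft: a PowerShell check that a GPO startup script or scheduled task could run to detect the condition discussed above (a domain user account placed in the local Administrators group) and log it to the Application event log, so an administrator can follow up, for instance by removing the machine account from the DirectAccess computer group as Tom suggests. It assumes Windows PowerShell 5.1 on Windows 10 / Server 2016 or later (for Get-LocalGroupMember and Write-EventLog) and an elevated context; the event source name and event ID are placeholders.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1 on
# Windows 10 / Server 2016 or later, run elevated (GPO startup script or a
# SYSTEM scheduled task). Event source and ID below are placeholders.

$EventSource = 'DirectAccessAdminCheck'   # placeholder source name
$EventId     = 4101                       # placeholder event ID

function Get-DomainUserLocalAdmin {
    # Returns domain *user* accounts that are direct members of the local
    # Administrators group. Domain groups (e.g. Domain Admins, added at domain
    # join) are expected members and are skipped; membership nested inside
    # such groups is not expanded here.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' -and
                       $_.ObjectClass -eq 'User' }
}

function Write-LocalAdminViolation {
    param([Parameter(Mandatory)][object[]]$Accounts)

    # Register the event source the first time it is used (requires elevation).
    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        New-EventLog -LogName 'Application' -Source $EventSource
    }
    $names   = ($Accounts | ForEach-Object { $_.Name }) -join ', '
    $message = "Domain user(s) with local admin rights on $env:COMPUTERNAME: $names. " +
               'Policy: domain users must not run with local admin rights when using DirectAccess.'
    Write-EventLog -LogName 'Application' -Source $EventSource -EventId $EventId `
                   -EntryType Warning -Message $message
}

$violations = @(Get-DomainUserLocalAdmin)
if ($violations.Count -gt 0) {
    Write-LocalAdminViolation -Accounts $violations
    # Emit a structured record as well, so a central collector (or the admin
    # who removes the computer from the DA security group) can act on it.
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Accounts  = $violations.Name
        CheckedAt = Get-Date
    }
}
```

    Forwarding the warning event (event ID 4101 from the placeholder source) with Windows Event Forwarding or your SIEM gives the central "log the attempt" part the original question asked for; the block itself only detects and records, it does not block DirectAccess.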
  • Hey, give it a try and let us know how it goes!

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Friday, July 9, 2010 1:27 PM