How do I prevent the enumeration of domain user accounts by the net user command?

  • Question

  • Hi all,

    I have been configuring group policy for a test environment I have been designing to improve my Windows Server security skills, and I have stumbled upon a vulnerability in my configuration. I am using Windows Server 2012 R2, all client machines are running Windows 10 Pro and above.

    The users in my domain are able to use the "net user" command and can enumerate domain users, groups and pull up detailed information regarding any user on the domain. Thankfully, unprivileged users are not able to change another user's password using the "net user <username> *" command, as access is denied.

    I would like to restrict the use of administrative commands for unprivileged users, but not disable access to the command line. Is there a way to harden or secure the use of certain commands? I would also like to do the same for PowerShell.

    Below are examples of my concerns with the net user command, using an unprivileged user account:

    Example 1:
    net user /domain (Enumerate all users on the domain)

    Example 2:
    net user /domain <username> (To pull more detailed information for a specific domain user)

    Example 3:
    net user /domain <username> *  (Changes a domain user's password, with the correct permissions)

    Thanks,
    Natasha L



    • Edited by Natasha L Thursday, August 24, 2017 12:51 PM
    Thursday, August 24, 2017 12:00 PM

Answers

  • Hi Natasha,
    Based on my test, you should right click to open the properties of the User node in the ADUC console:
     
Then go to the Security tab and click the Add button to add the account to which you want to deny permission; in my test, I added the user1 account.
     

After that, you should see the added account listed as below. Click the added account, then check all the boxes in the Deny permission list as below:
     
Then click OK. After doing all this on the DC, please go to a client computer and reboot it, then log in with the user account for which you have set the deny permission and run the net user /domain command to see if it works as it did in my test.
    Best regards, 
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Wendy Jiang Friday, September 1, 2017 8:09 AM
    • Marked as answer by Natasha L Friday, September 1, 2017 3:13 PM
    Monday, August 28, 2017 7:55 AM
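An added PowerShell example for this thread, not Wendy's or Microsoft's code: it makes the same ACL change the accepted answer makes through the ADUC Security tab (a Deny entry for one account on the CN=Users container), lists the explicit Deny entries so the change can be audited, and provides a rollback function so the change can be undone without hunting through the GUI. The answer ticks every Deny box; this script scopes the Deny to read-type rights (GenericRead), which is an assumption of the example and must be verified in a lab. It assumes the ActiveDirectory module (RSAT) is installed, that it runs as a Domain Admin on the DC, and that `CORP\user1` is a placeholder account name.

```powershell
# Added example (not from the thread): apply, audit and remove a Deny entry
# for one account on the CN=Users container, the ACL change the reply makes
# in the ADUC Security tab.
# Assumptions: ActiveDirectory module (RSAT) present, run as a Domain Admin on
# the DC, 'CORP\user1' is a placeholder account name.
Import-Module ActiveDirectory

function Get-UsersContainerPath {
    # The AD: PSDrive exposes directory objects to Get-Acl / Set-Acl.
    $domainDn = (Get-ADDomain).DistinguishedName
    return "AD:\CN=Users,$domainDn"
}

function New-DenyRule {
    param([Parameter(Mandatory)][string]$Account)
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier])
    # GenericRead = List Contents + Read All Properties + Read Permissions.
    # The reply ticks every Deny box; limiting the Deny to read rights is this
    # example's assumption and must be tested in a lab (see usage note).
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        [System.Security.AccessControl.AccessControlType]::Deny,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
}

function Add-UsersContainerDeny {
    # Adds the Deny ACE for $Account on CN=Users and all objects below it.
    param([Parameter(Mandatory)][string]$Account)
    $path = Get-UsersContainerPath
    $acl  = Get-Acl -Path $path
    $acl.AddAccessRule((New-DenyRule -Account $Account))
    Set-Acl -Path $path -AclObject $acl
}

function Remove-UsersContainerDeny {
    # Rollback: removes the matching Deny ACE again.
    param([Parameter(Mandatory)][string]$Account)
    $path = Get-UsersContainerPath
    $acl  = Get-Acl -Path $path
    $null = $acl.RemoveAccessRule((New-DenyRule -Account $Account))
    Set-Acl -Path $path -AclObject $acl
}

function Show-UsersContainerDeny {
    # Audit: every explicit (non-inherited) Deny entry currently on the container.
    (Get-Acl -Path (Get-UsersContainerPath)).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType
}

# Example run with the placeholder account:
Add-UsersContainerDeny -Account 'CORP\user1'
Show-UsersContainerDeny
```

After running it, verify exactly as the reply does: reboot a client, log on as the restricted account, and run `net user /domain` to confirm the listing is denied. Also run `gpupdate /force` in that session, because an overly broad Deny broke policy refresh earlier in this thread; if anything else stops working, `Remove-UsersContainerDeny -Account 'CORP\user1'` backs the change out.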

All replies

  • Hi Natasha,
    Based on my test in the lab, you could set the deny permission for the users on the properties of Users in the ADUC:
1. Open ADUC on the DC, right-click the Users tree and open its properties;
     
    2. Set deny permission as below for the users which you want to prevent;
     
Here is the result of my test: user1 is not able to list accounts; usera has no deny permission set and is able to list accounts.
     
     
    Best regards, 
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Wendy Jiang Friday, September 1, 2017 8:09 AM
    Friday, August 25, 2017 7:24 AM
  • Hi Wendy,

    Thank you very much for your reply, as well as the screenshots. I've tried to implement this but it seems to go wrong. I navigated to ADUC, enabled the Advanced Features in the View tab so that I could see the security tab in user properties.

I then denied some permissions, but I believe I did so incorrectly. In doing so, I accidentally blocked my user from gpupdate and user policies would no longer update. It didn't seem to prevent my use of the command; I believe I've taken the wrong approach. Would it be possible to get a little more guidance please, e.g. what permissions I should be denying?

    I've undone my changes and reset it to default:


    Thanks,
    Natasha L

    Friday, August 25, 2017 9:42 AM
  • Hi Natasha,

Just checking in to see if the information provided was helpful. If the replies above are helpful, we would appreciate it if you would mark them as answers; please let us know if you would like further assistance.

    Best Regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, September 1, 2017 8:10 AM