Problem of security

  • Question

  • I see a major security problem in access to "Administrator" accounts in WSE 2012.

    I use an administrator "adminTEMP" account to enable to other providers such as providers of accounting software or ERP, to install or update their programs on the server or on the PCs. This account is normally "disabled" and I activate it remotely on demand.

    I note with dismay that this account does not turn off on the client workstations!

    Indeed, if you disable the account on the server (via the Dashboard or Active Directory Users and Computers), connecting to a function that requires administrator rights from a client workstation running a standard user session remains possible if one enters the credentials of the disabled administrator account!

    Worse yet, the problem is the same if you change the password of the administrator account on the server; the old password remains active as long as the new password has not been entered once!

    For information, I found that this problem also exists in the "Small Business Server 2011 Standard" version.

    This security problem is very dangerous, because every standard user can perform administrator functions without any trouble!

    The basic security principles are no longer worth anything!

    Please quickly provide us with a solution to correct this very important security issue!

    This problem exists in the different French versions:
    Server: SBS 2011 Standard / PCs: Windows 7 Pro
    Server: WSE 2012 / PCs: Windows 8 Pro
    Server: WSE 2012 R2 Preview / PCs: Windows 8 Pro

    Thanks in advance and excuse me for the translation.

    Wednesday, August 7, 2013 10:02 AM

Answers

  • "that this account does not turn off on the client workstations"

    I'm not understanding that?

    If this is a domain admin account on the server (not a local admin but a domain admin), this account will have rights throughout the domain. This is expected for domain admin accounts in a network and how they work in a domain. This is how this works in any Windows domain, SBS or Essentials notwithstanding.

    Wednesday, August 7, 2013 4:11 PM