Author Topic: Permissions required for non local admin  (Read 7883 times)

OlivierH

  • Member
  • *
  • Posts: 14
Permissions required for non local admin
« on: October 05, 2011, 10:06:52 AM »
Hi

We need to scan our domain controllers but don't want to add the account as a domain admin in order to achieve this. What would be the specific roles or user rights we have to allocate to the specific account in order to allow scanning?

Regards
Hardus

Komodo Support

  • Administrator
  • Member
  • *****
  • Posts: 2698
  • Dayton, Ohio, USA
    • Komodo Laboratories LLC
Permissions required for non local admin
« Reply #1 on: October 05, 2011, 08:44:26 PM »
Hi.  Basically you need an account that gives you administrator credentials.  In other words, you need to be able to get to \\ServerName\ADMIN$ on the server using Windows Explorer.

You could supply domain credentials in NEWT that have admin credentials, such as "DomainName\Username", and as long as that account had admin credentials, you should be able to scan.  I believe all servers must have at least one user in the Domain Admin group.  That's the account you'll want to supply.  Also, if there are still local admin users on the server, you could also use that.

I hope that helps.

OlivierH

  • Member
  • *
  • Posts: 14
Permissions required for non local admin
« Reply #2 on: October 06, 2011, 02:00:48 AM »
We are using an admin account on all our servers. The thing is you don't get a local admin account on a domain controller. The only way to assign this level of permission is to make the account a Domain Admin. From a security standpoint, this is not allowed in our organization. I need to know what specific rights I need to assign an account in order to scan. For instance, access to the Admin$ share, Logon as a service, etc.

Komodo Support

  • Administrator
  • Member
  • *****
  • Posts: 2698
  • Dayton, Ohio, USA
    • Komodo Laboratories LLC
Permissions required for non local admin
« Reply #3 on: October 06, 2011, 01:59:27 PM »
You might be able to use a user account who is a member of the "built-in" Administrator account to get access to the ADMIN$ share, but as far as I know, there are no other accounts that give you ADMIN$ share access.

We may add a feature in the future that would install our service using a login script.  And at the same time, if we were to remove the administrator requirement in our software (ADMIN$ share checks, etc.), anyone on the network could scan with Newt.  Of course that may open up other possible security holes.  It's something we'll have to research further.

I do understand what you're wanting to do though.  You'd like to allow non-admins the ability to scan with Newt, is that correct?

OlivierH

  • Member
  • *
  • Posts: 14
Permissions required for non local admin
« Reply #4 on: October 07, 2011, 01:29:30 AM »
I am happy to have NEWT use a local admin account. However, I want to scan my domain controllers and do not want to add the scan account to Domain Admins. But, it doesn't sound like I am going to win here. Thanks anyway.

Komodo Support

  • Administrator
  • Member
  • *****
  • Posts: 2698
  • Dayton, Ohio, USA
    • Komodo Laboratories LLC
Permissions required for non local admin
« Reply #5 on: October 07, 2011, 07:42:42 PM »
I'm sorry if I caused any frustration, I didn't mean to.

The thing is, you shouldn't need to add a special scanning account for any machine as far as I know.  You can use a domain account or a local account, but either one must be part of the Administrator group in order to get to that machine's ADMIN$ share.

All servers have a user account that came with it during the install, but usually a few administrator accounts are created for different admins.  Any one of those could be used.  Unfortunately if you don't know the credentials of any of those accounts, you would either need to add one or add yourself to the Administrator group for that domain.

Those are the only methods to allow ADMIN$ share access we know of.  Perhaps Microsoft would be able to answer this, since ADMIN$ share access really does start with Windows security.  We're simply using that exposed ADMIN$ share to make scanning much easier than needing remote WMI & registry access as well.

If I'm not understanding, please let me know.  We surely don't want an unhappy customer.
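The reply above says the scan account must be able to reach \\ServerName\ADMIN$, and that on a domain controller this comes from membership in the domain's built-in Administrators group rather than from a local account. The following PowerShell script is an added example (editor's code, not from the thread, from Komodo or from NEWT) that lets an administrator verify this for a candidate scan account before granting it anything broader: it tries to map the ADMIN$ share with the account's credentials, then reports whether the account is a (possibly nested) member of the built-in Administrators group and of Domain Admins. It assumes the ActiveDirectory module (RSAT) is installed on the machine running it; the server name and account are placeholders supplied by the caller.

```powershell
# Added example: check a candidate scan account's ADMIN$ access to a server and
# show which group membership explains the result. Not part of the thread or of NEWT.
# Assumes the ActiveDirectory module (RSAT) is available; $ServerName and
# $Credential are placeholders supplied by the caller, e.g.
#   .\Test-ScanAccount.ps1 -ServerName DC01 -Credential (Get-Credential)
param(
    [Parameter(Mandatory)] [string] $ServerName,        # e.g. DC01 (placeholder)
    [Parameter(Mandatory)] [pscredential] $Credential   # the scan account to test
)

Import-Module ActiveDirectory -ErrorAction Stop

$share    = "\\$ServerName\ADMIN$"
$canReach = $false
$reason   = $null

# 1. Map the ADMIN$ share with the supplied credentials. Success means the
#    account has the administrator-level access the scanner relies on.
try {
    New-PSDrive -Name ScanTest -PSProvider FileSystem -Root $share `
        -Credential $Credential -ErrorAction Stop | Out-Null
    $canReach = Test-Path 'ScanTest:\'
} catch {
    $reason = $_.Exception.Message
} finally {
    if (Get-PSDrive -Name ScanTest -ErrorAction SilentlyContinue) {
        Remove-PSDrive -Name ScanTest
    }
}

# 2. Explain the result via group membership. A domain controller has no local
#    SAM, so the relevant group is the domain's built-in Administrators group;
#    Domain Admins is a separate (and broader) group that is nested inside it.
#    -Recursive follows nested groups so indirect membership is reported too.
$user = $Credential.UserName.Split('\')[-1]

function Test-GroupMember([string] $Group, [string] $Sam) {
    $members = Get-ADGroupMember -Identity $Group -Recursive -ErrorAction Stop
    return [bool] ($members | Where-Object { $_.SamAccountName -eq $Sam })
}

[pscustomobject]@{
    Server                  = $ServerName
    Account                 = $Credential.UserName
    AdminShareReachable     = $canReach
    FailureReason           = $reason
    InBuiltinAdministrators = Test-GroupMember -Group 'Administrators' -Sam $user
    InDomainAdmins          = Test-GroupMember -Group 'Domain Admins'  -Sam $user
}
```

Reading the output: if `AdminShareReachable` is `$true` while `InDomainAdmins` is `$false`, the account reaches ADMIN$ through the built-in Administrators group alone, which is the situation the reply describes. A `$false` result with an "Access is denied" reason means the account is in neither group (or is blocked by a policy such as a deny-network-logon right), which is worth confirming before changing any group membership.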

OlivierH

  • Member
  • *
  • Posts: 14
Permissions required for non local admin
« Reply #6 on: October 10, 2011, 03:16:38 AM »
Thanks for your help in this regard. We will have a look at using an account with restricted rights and will then let you know the outcome.