One method used to gain unauthorized access to a computer is called elevation of privilege. The idea of elevation of privilege is that an attacker connects to a computer using credentials that have restricted rights on that computer, and then performs an action that gives the attacker's account additional rights. To help minimize the risk from this type of attack, you should only allow authorized users the ability to log on to your computer. Among other benefits, by reducing the number of accounts authorized to log on to your computer, you limit the available pool of accounts an attacker can use in this type of attack.
When you add a Windows computer to the Active Directory, Windows assumes that you want all users of the Active Directory to be able to log into your computer. For a vast majority of computers at Indiana University, this is not the case. This article will explain a couple of ways to restrict access to a computer.
First, let's take a look at the local users and groups on your computer. You can do this by opening the Control Panel, selecting Administrative Tools, and then Computer Management. In the left pane, under System Tools, expand Local Users and Groups, and then select Groups. Anyone listed in the Users group will be able to log on to this computer. You should remove ADS\Domain Users and NT Authority\Authenticated Users and replace them with groups of users that need access to this computer.
Hopefully by now, you are asking yourself, "why is it that anyone listed in the local users group can log into your computer by default?" Good question. These settings can be found using Local Security Policy (secpol.msc) or Group Policy (gpedit.msc) editor.
The two settings in the right window pane to note are Access this computer from the network, and Log on locally. Just like the local users group, you should remove the default groups (except perhaps for administrators) and add replace the default groups with users that need access to this computer.
Now you should start watching your security logs for successful and failed logon attempts. Any suspicious activity should be reported to the IT Security Office at it-incident@iu.edu. For information on how to enable auditing, see In Windows 2000 and XP, what is auditing and how do I use it? Note that some auditing is turned on by default for computers in the Indiana University Active Directory.
