Workstation logon restriction not taken into account #170
Hi,
There is a feature to limit an account's logon authorization to a set of workstations.
It seems this restriction is not taken into account when modelling the attack path.
I have an example where users get a specific domain account whose "Log On To" is restricted to the user's workstation. All those domain accounts are members of a highly privileged group which is a member of the local admin group of every user's PC in the domain. The "Log On To" setting is what is preventing all those users from being admins of every workstation.
The graph is showing attack paths that are not real because it is not taking this restriction into account.
https://ravingroo.com/267/active-directory-user-workstation-logon-restriction/

Comments

Hi jb, Thanks for taking the time to open up the issue. Unfortunately there are several mechanisms that could prevent a user from logging onto a system, including the workstation logon restriction you bring up. With any of those mechanisms it's important (for now) that:

This issue is further complicated by the fact that even though a user may have local admin rights due to being a member of a certain group, the workstation logon restriction is explicitly defined per-user. Because of those requirements, the complexity, and because in our experience the usage of the allowed workstations control is fairly rare, this is a low priority for us at this time. That can change though, and we may come back to this issue with a fix later. In the meantime, for issues like this and other issues, I would recommend attempting to collect and parse that information yourself and alter your graph accordingly. You may be able to do something like this:

That will at least let you see what computers users have admin rights to as well as being allowed to log onto them. There may also be a much more obvious solution I'm not seeing, so I'll keep this issue open for a few weeks to see if anyone has a good suggestion. :) Andy

Thanks very much for your detailed reply :)

Closing this, as I don't think we can realistically implement this
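The workaround Andy describes above (collect the per-user "Log On To" list yourself and prune the graph) can be done offline once you have exported the data. The following is an added example, not code from the BloodHound project or from anyone on this thread. It assumes the "Log On To" list has been read from the AD `userWorkstations` attribute (a comma-separated list of NetBIOS names; absent or empty means unrestricted), that computer nodes are named by FQDN as BloodHound stores them, and that group-held AdminTo rights and group membership (including nested groups) have been exported into the two dictionaries below. All sample data is constructed. The output separates the AdminTo rights an account can actually use from those the restriction blocks, which is what a defender needs to judge real exposure instead of the inflated picture the issue describes.

```python
"""Filter group-derived AdminTo rights by the AD "Log On To" restriction.

Added example, not BloodHound project code. Models the workaround from the
issue thread: parse each user's userWorkstations attribute and drop admin
rights on computers the account is not allowed to log on to.
"""
from typing import Dict, Optional, Set, Tuple

# Constructed sample data (not a real domain). Group members may be users or
# other groups; AdminTo edges are keyed by the group that holds the right.
USER_WORKSTATIONS: Dict[str, Optional[str]] = {
    "ALICE@CORP.LOCAL": "ws-alice",           # restricted to her own PC
    "BOB@CORP.LOCAL": "WS-BOB, WS-SHARED",    # two hosts, sloppy spacing
    "CAROL@CORP.LOCAL": "",                   # empty attribute: no restriction
    "DAVE@CORP.LOCAL": None,                  # attribute absent: no restriction
}
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "HELPDESK@CORP.LOCAL": {"ALICE@CORP.LOCAL", "BOB@CORP.LOCAL", "CAROL@CORP.LOCAL"},
    "WS-ADMINS@CORP.LOCAL": {"HELPDESK@CORP.LOCAL", "DAVE@CORP.LOCAL"},  # nested
}
GROUP_ADMIN_TO: Dict[str, Set[str]] = {
    "WS-ADMINS@CORP.LOCAL": {
        "WS-ALICE.CORP.LOCAL", "WS-BOB.CORP.LOCAL",
        "WS-SHARED.CORP.LOCAL", "WS-FINANCE.CORP.LOCAL",
    },
}


def parse_user_workstations(value: Optional[str]) -> Optional[Set[str]]:
    """Parse the userWorkstations attribute ("Log On To" list).

    Returns an upper-cased set of NetBIOS names, or None when the account is
    unrestricted (attribute absent or empty). None is deliberately distinct
    from an empty set so callers cannot confuse "anywhere" with "nowhere".
    """
    if value is None:
        return None
    names = {n.strip().upper() for n in value.split(",") if n.strip()}
    return names or None


def netbios_name(computer: str) -> str:
    """Reduce an FQDN computer node name to the NetBIOS name AD compares."""
    return computer.split(".", 1)[0].upper()


def may_log_on(user: str, computer: str,
               user_workstations: Dict[str, Optional[str]]) -> bool:
    """True if the user's "Log On To" list permits a logon at this computer."""
    allowed = parse_user_workstations(user_workstations.get(user))
    return allowed is None or netbios_name(computer) in allowed


def groups_of(principal: str, group_members: Dict[str, Set[str]]) -> Set[str]:
    """All groups the principal belongs to, following nested membership."""
    result: Set[str] = set()
    frontier = {principal}
    while frontier:
        nxt = set()
        for group, members in group_members.items():
            if group not in result and frontier & members:
                result.add(group)
                nxt.add(group)
        frontier = nxt
    return result


def effective_admin_to(user: str, group_members: Dict[str, Set[str]],
                       group_admin_to: Dict[str, Set[str]],
                       user_workstations: Dict[str, Optional[str]]
                       ) -> Tuple[Set[str], Set[str]]:
    """Split group-derived admin rights into (usable, blocked) computer sets."""
    granted: Set[str] = set()
    for group in groups_of(user, group_members):
        granted |= group_admin_to.get(group, set())
    usable = {c for c in granted if may_log_on(user, c, user_workstations)}
    return usable, granted - usable


def prune_admin_edges(user_workstations: Dict[str, Optional[str]],
                      group_members: Dict[str, Set[str]],
                      group_admin_to: Dict[str, Set[str]]
                      ) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Per-user report of usable and restriction-blocked AdminTo targets."""
    return {u: effective_admin_to(u, group_members, group_admin_to,
                                  user_workstations)
            for u in user_workstations}


if __name__ == "__main__":
    for user, (usable, blocked) in prune_admin_edges(
            USER_WORKSTATIONS, GROUP_MEMBERS, GROUP_ADMIN_TO).items():
        print(f"{user}: admin and allowed to log on -> {sorted(usable)}")
        print(f"{' ' * len(user)}  admin but blocked by Log On To -> {sorted(blocked)}")
```

Keeping the blocked set rather than silently discarding it is a deliberate choice: the restriction is one control among several, as the first reply notes, and a reviewer should be able to see which rights are only being held back by a per-user setting that an administrator could clear at any time.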