In order to support some build processes on our Server 2003 development servers, we require a common user account that has administrative privs.
Unfortunately, this also means that anyone that knows the password can also gain admin privs on a server. Assume that trying to keep the password secret is a failed exercise. Developers that need admin privs already have admin privs so should be able to log in as themselves.
So the question is a simple one: is there anything I can configure to prevent people (ab)using the account to gain administrator on servers they shouldn't have administrator on? I'm aware that devs could disable anything that is put in place, but that's then down to process and auditing to track and manage.
I don't mind where or how: it can be via the local security policy, group policy, a batch file executed in the user's profile, or something else.
Found the "proper" way to do it -- through group policy, I've added the user to the setting: Windows Settings\Security Settings\User Rights Assignment\Deny login through Terminal Services
This seems to work, so the Deny list takes precedence over the allowed list, which is what I want. I'm sure I've gone through this list a few times and failed to spot this setting before though...
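An added audit script, not part of the question or any of the answers, that checks whether the deny right actually landed on a given server: it exports the effective local security policy with secedit and reports which of the Terminal Services and local/network logon rights list the shared account's SID. It assumes PowerShell is installed on the server, the script runs as a local administrator, and `DOMAIN\buildsvc` is a placeholder for the shared account.

```powershell
# Added example (not from the original post). Confirms that "Deny log on through
# Terminal Services" (and related deny rights) are assigned to the shared account.
# Assumptions: PowerShell is available, the script runs elevated, and the account
# name below is a placeholder.
param(
    [string]$Account    = 'DOMAIN\buildsvc',        # placeholder: shared build account
    [string]$ExportPath = "$env:TEMP\secpol-user-rights.inf"
)

# secedit lists principals as *S-1-5-... entries, so resolve the account to its SID.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Export only the user rights area of the effective local security policy.
& secedit.exe /export /cfg $ExportPath /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $ExportPath)) { throw "secedit export failed; run as administrator" }

# Rights of interest, keyed by the constant name secedit uses in [Privilege Rights].
$rights = @{
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Terminal Services'
    'SeRemoteInteractiveLogonRight'     = 'Allow log on through Terminal Services'
    'SeDenyInteractiveLogonRight'       = 'Deny log on locally'
    'SeDenyNetworkLogonRight'           = 'Deny access to this computer from the network'
}

$policy = Get-Content $ExportPath
foreach ($key in $rights.Keys) {
    # An assigned right appears as:  SeXxxRight = *S-1-5-...,*S-1-5-...
    $line = $policy | Where-Object { $_ -match "^$key\s*=" } | Select-Object -First 1
    $holders = @()
    if ($line) {
        $holders = ($line -split '=', 2)[1] -split ',' |
                   ForEach-Object { $_.Trim().TrimStart('*') }
    }
    $status = if ($holders -contains $sid) { "lists $Account directly" }
              else                         { "does NOT list $Account directly" }
    "{0,-46} {1}" -f $rights[$key], $status
}
Remove-Item $ExportPath -ErrorAction SilentlyContinue

# Deny rights win over allow rights, but this check only sees SIDs listed directly.
# A right held through a group (e.g. Remote Desktop Users) shows the group's SID, so
# compare the listed SIDs against the account's group memberships when in doubt.
```

Run it on each server in the OU after a `gpupdate /force`; a server where the first line reads "does NOT list" has not received the policy yet.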
This link details how to allow RDP sessions on a remote server by editing the registry remotely. I assume you could apply the same principle to disallow RDP connections.
You can assign Remote Desktop privileges separately from Administrative privileges, and Administrators don't get the privilege by default, so that basic approach should work. You will have to ensure that the relevant administrator accounts and groups are not members of the Remote Desktop Administrators group on the systems in question.
However, anyone with full administrative privileges on the system can change those settings if they want to. You can enforce the settings via GPO to enable (and limit) this, but completely preventing someone who has Administrator rights from bypassing a policy like this is not entirely possible; you're just making it harder with the GPO.
I don't think that is your problem here though. You should be able to create this account such that it is a local admin on the servers it needs to be but is not a domain-wide administrator: just create a normal domain account and add that directly to just the servers that are absolutely required. This will work well on Windows 2003, but changes to the security model (because of UAC) on Windows 2008 make it less straightforward.
If the account is as open to abuse as you describe, it might also be a good idea to deny it the right to log in anywhere else. Put the servers you want this account to work in into one OU in Active Directory, and then change the User Rights Assignment by GPO for all other machine OUs in your domain to deny that account the right to log on locally and remotely.
The fact that you have a process that requires Admin rights is the fundamental problem - you should focus on trying to eliminate that requirement. Although I appreciate that there are cases where that isn't possible, it should always be the first thing that you look at.
I would create a Universal Group called banned (or whatever you choose!) and add the particular user to that group. Then on the RDP server in question, explicitly deny users from that group. Denies are processed before Allows, so even being an admin would not prevent being denied service.