Please advise me on how I can ensure that remote desktop users cannot install software onto the Active Directory Server they are logging into remotely.
Some Background:
I have a client whose Server Security is very screwed up. I'm typically more of a programmer than an Admin, so I need some help.
They are using their Active Directory Server to allow remote sales people to Remote Desktop into their network, essentially allowing that Active Directory Server to double as a desktop for 4 remote employees. This alone seems like a bad idea to me. I'd prefer setting up a separate server for these remote users.
However, what's worse, is I just logged in using the credentials of one of the sales people, and I was able to install firefox, using their credentials! So, essentially, each outside sales person has administrative privileges for installing applications onto the Active Directory Server!
Last week I removed a virus from the server that essentially took the business down. Today, there is another virus sending out mass emails (getting their company blacklisted).
I do intend to reinstall this server and try to lock it down, but until the weekend, I'm trying to at least figure out how to make it to where these remote sales people cannot install software onto the server.
The truth is, I don't have much experience with Active Directory. I've mostly locked down Windows Servers that do not have Active Directory (through the 'Computer Management > Users' console).
When I go into "Active Directory Users and Computers", I do not see that the sales person is a member of an administrator's group. And when I look at each group (that they are a member of), I'm not able to locate any permission setting that reveals why they are able to install software on the server.
Could you please direct me a bit. I must be overlooking something essential. Please advise.
Edit:
Here are the groups the user is a member of:
Name                   Active Directory Folder
Custom Sales All       domain.com/Users
Domain Users           domain.com/Users
Remote Desktop Users   domain.com/Builtin
Remote Users           domain.com/Builtin
They are likely either a member of BUILT-IN\Administrators, DOMAIN\Domain Admins, or DOMAIN\Enterprise Admins. Remove them from these groups and don't let anyone ever log into a DC that isn't a systems administrator.
The first thing I would suggest Lonnie is to convince them to shell out some money for a separate remote server. Remote servers should be locked down in a way where the employees have just enough access to do their work (known as The Rule of Least Privilege).
As far as viewing the permissions, Active Directory has a group of utilities, however the most useful in your situation will likely be the
dsget user <UserDN> -memberof -expand
command. This will display that particular user's group memberships (expanded through nested groups) and allow you to figure out why they're able to install software. More information on DSGET: http://technet.microsoft.com/en-us/library/cc732535%28v=ws.10%29