Basic IT Security #8|淺談資訊保安 #8

Hi everyone! Thanks for your support on the IT security series. And I am very happy that here comes the 8th post for this series. Remember last time we have discussed about how to check the user permission by checking the user group in the computer. And you could amend the user from those user groups accordingly.

大家好！很感謝大家對資訊保安這個系列的支持，讓我可以繼續的跟大家分享這部份的內容。我們上一次談到如何在我們的電腦上面查找不同的用戶群組，然後透過這些用戶群組，我們就可以查看得到到底我們的用戶使用權限到底如何。然後大家就可以好好的根據現實的狀況，來作出相應的調整。

I have got some question to me that how if the computer have joint the domain? It would be kind of hard to track the access right for those domain users, as they are not added in the local computer, which lead we cannot check the user group for those domain users. And in the other hand, what if there are some kinds of domain group existed?

我有一些朋友看完帖子後問我，要是我的電腦加入了網域呢？這樣的話會挺難找尋用戶的使用權限，因為有許多用戶不是在電腦上加入，而是在網域中加入，在電腦上的計算機管理當中，可是找不到的啊。另一方面，如果在網域上有其他的群組建立了，又怎麼辦呢？

To be honest, it is quite a good question. If you are the domain administrator, you can just simply check those users in the user list in the domain server. However, what if you are not the domain administrator? So, I would like to introduce the below method for you to check the user access right if you are not the domain administrator.

其實這是一個很好的問題，如果你是網域的管理員的話，你可能只需要單純的在你的網域伺服器中查看那些網域用戶就可以看得到他們的權限了。不過，如果你不是的話怎麼辦了？所以，我打算推介以下的方法去幫助你查看某些用戶的權限。放心，即使你不是管理員，你也一樣能做得到。

First, open your command prompt, and I would like to introduce you the first command: net group /domain

首先，你需要在你的命令提示視窗中輸入你的第一個指令: net group /domain

By this command, you can generate all the groups created in your domain:

使用這個指令後，系統會自動生產你在網域上的用戶群組的列表:

If you have too much groups created like me, which lead you could not see the full list in your command prompt, you can export it into a file by the below command: net group /domain > sample.txt

如果你像我一樣有太多的用戶群組，以致你不能在一個命令提示視窗中看完，你可以使用以下的指令把它輸出到一個檔案: net group /domain > desktop\sample.txt

It will create a “sample” text file on your desktop, and you could open it to check the full list of groups created:

系統會在桌面上生成一個文字檔案，現在，你就可以打開它來查看你網域上用戶群組的完整列表:

And I noted that I have a group called “domain admins”, which seems to be a critical group:

然後，我發現了一個群組叫“domain admins”，好像是一個挺敏感的群組:

So, I type the following command: net group “domain admins” /domain

所以我輸入了以下的指令: net group “domain admins” /domain

According to the group description, it seems like I have found the critical group properly. And I found the above 5 users which have the domain administrator right. So, my job now should be checking who is the holder of those 5 accounts and see if those people really need that right. Remember what we have discussed last time? User authority should always be granted as the Principle of Least Privilege!

根據群組的描述，看來我是找對了這個敏感的群組了。然後，我找到了5位用戶有這個網域管理員的權限。所以，我接下來的工作就是要好好的查看一下，到底他們是不是真的需要這個權限了。還記得嗎？用戶的權限發放應該好好的遵守最小特權原則。

---

Thanks for reading, I hope you enjoy it!
And please follow me and see my other post if you like it: @victorier

感謝你的閱讀，希望你會喜歡!
如果你覺得不錯的話請你追蹤我，也可以看我其他的文章: @victorier