Hi everyone! Thanks for your support of the IT security series; this is the ninth post. Remember last time, when we looked at the commands you can type into the command prompt to list all the domain groups and the users in them? Those commands help with managing users, and you can still use them to get the full picture.
However, some friends told me that, although those commands give them a full list of groups and almost all of the users, working through that list, picking out the critical groups and then checking their members takes far too long. Given a choice between completeness and time, they would rather take the quicker route and concentrate on a few critical users.
I understand that completely. In the real world we rarely have the time to guarantee completeness, so we usually have to prioritise by risk and work from a sample. In this post I therefore introduce a few more commands and a different approach that drills straight down into the domain user area.
Let's start by deciding which users to look at. Last time we listed every group first and then picked the critical ones, which is slow. This time we go straight to the built-in domain Administrator account. Open the command prompt and type: net user administrator /domain
The /domain switch sends the query to a domain controller of the domain your computer is joined to, and the command prints the user profile of the account "administrator". Because it is a built-in account it cannot be deleted, so it is always present in your domain and is always the most sensitive account there; that is why we check it first. It can, however, be renamed: if the command answers "The user name could not be found", look for the renamed built-in account rather than assuming there is none. The screenshot below shows a sample profile.
Almost all the useful information about the "administrator" account is shown. I suggest you focus on the fields marked in red in the screen capture below:
First, "Account active" shows the account status. If it says No, the account is disabled and nobody can log on to it, so there is nothing more to check. If it says Yes, you need to look at the remaining fields.
Second, "Password last set" tells you how long it has been since the password was last changed. Remember the password configuration requirements discussed in the earlier posts of this series? Changing passwords regularly is one of the basic criteria, and a privileged account whose password has not been set for years fails it.
Third, "Last logon". If the account has not logged on for a very long time, ask what it is for: is it a backup account, or something else? Who holds its password, and how is that password safeguarded today? One caveat: net user reads this value from the single domain controller it queried, and last logon is not replicated between domain controllers, so check against more than one controller before concluding that an account is unused.
Fourth, the group memberships again ("Local Group Memberships" and "Global Group memberships"). The administrator's profile gives you a good idea of which groups are the critical ones; by default the built-in Administrator belongs to groups such as Administrators, Domain Admins, Enterprise Admins and Schema Admins. Once you know them, follow the process from the last post to see which users are in those critical groups.
Then run net user administrator /domain again, replacing administrator with each of those critical users, to review their details in the same way. By doing so you can keep very good control over your privileged accounts. And remember: user rights should always be granted according to the Principle of Least Privilege!
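The steps above (start with the built-in Administrator, find the critical groups, then run net user for each of their members and read the four fields) are easy to automate. The script below is an added example written for this post, not a command from the original; it wraps the same net.exe commands typed into the command prompt and parses their output, so it needs no extra modules and runs in PowerShell on any domain-joined machine. The group list and the day thresholds are assumptions; adjust them to your own policy.

```powershell
# Added example, not code from the original post. Automates the post's procedure
# with the same net.exe commands: start from the built-in Administrator, pull the
# direct members of the critical groups, and apply the four checks to each account.
# Run in PowerShell on a domain-joined machine. Group names and thresholds are assumed.

$CriticalGroups  = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')
$MaxPasswordDays = 90    # assumed policy: privileged passwords rotate within 90 days
$MaxIdleDays     = 180   # assumed threshold for "has not logged on in a long time"

function Get-NetGroupMembers {
    # Parses 'net group "<name>" /domain': member names follow the dashed separator,
    # up to three per line in fixed-width columns, until the "command completed" footer.
    # net.exe lists direct user members only; nested groups are not expanded.
    param([string]$Group)
    $lines = & net group "$Group" /domain 2>&1 | ForEach-Object { "$_" }
    if ($LASTEXITCODE -ne 0) { return @() }        # group not found or not resolvable
    $inMembers = $false
    foreach ($line in $lines) {
        if ($line -match '^-{10,}')                { $inMembers = $true; continue }
        if ($line -match '^The command completed') { break }
        if ($inMembers -and $line.Trim()) {
            # a sAMAccountName never contains two consecutive spaces, so splitting
            # on runs of spaces recovers the column values safely
            $line.Trim() -split '\s{2,}'
        }
    }
}

function Get-NetUserProfile {
    # Runs 'net user "<name>" /domain' and turns each "Label   Value" line into a
    # hashtable entry, e.g. $info['Account active'] -> 'Yes', $info['Last logon'] -> 'Never'.
    # Wrapped membership lines ("      *Group") are appended to the preceding label.
    param([string]$User)
    $lines = & net user "$User" /domain 2>&1 | ForEach-Object { "$_" }
    if ($LASTEXITCODE -ne 0) { return $null }       # renamed or non-existent account
    $info = @{}; $lastKey = $null
    foreach ($line in $lines) {
        if ($line -match '^(?<key>\S.*?)\s{2,}(?<val>\S.*)$') {
            $lastKey = $Matches.key.Trim()
            $info[$lastKey] = $Matches.val.Trim()
        } elseif ($lastKey -and $line -match '^\s+\*') {
            $info[$lastKey] += ' ' + $line.Trim()
        }
    }
    return $info
}

function ConvertTo-DateOrNull {
    # net.exe prints dates in the local culture, or the word "Never"
    param([string]$Value)
    if (-not $Value -or $Value -eq 'Never') { return $null }
    try { [datetime]::Parse($Value) } catch { $null }
}

function Test-PrivilegedAccount {
    # The post's four checks applied to one parsed profile; returns a list of findings.
    param([hashtable]$Info)
    $now = Get-Date
    if ($Info['Account active'] -ne 'Yes') {
        return @("not active ($($Info['Account active'])): nobody can log on, no further review")
    }
    $findings = @()
    $pwdSet = ConvertTo-DateOrNull $Info['Password last set']
    if ($pwdSet -and ($now - $pwdSet).TotalDays -gt $MaxPasswordDays) {
        $findings += "password unchanged for $([int](($now - $pwdSet).TotalDays)) days"
    }
    # 'Last logon' comes from the one DC that answered and is not replicated,
    # so "Never" on this DC alone does not prove the account is unused.
    $lastLogon = ConvertTo-DateOrNull $Info['Last logon']
    if (-not $lastLogon) {
        $findings += 'never logged on (on this DC): confirm its purpose and who holds the password'
    } elseif (($now - $lastLogon).TotalDays -gt $MaxIdleDays) {
        $findings += "idle for $([int](($now - $lastLogon).TotalDays)) days"
    }
    $groups = ("$($Info['Local Group Memberships']) $($Info['Global Group memberships'])" -split '\*') |
              ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $findings += "member of: $($groups -join ', ')"
    return $findings
}

# Always start with the built-in Administrator, then add the critical groups' members
$users = @('administrator')
foreach ($g in $CriticalGroups) { $users += Get-NetGroupMembers -Group $g }

$users | Sort-Object -Unique | ForEach-Object {
    $info = Get-NetUserProfile -User $_
    if (-not $info) { Write-Warning "$_ not found (renamed?)"; return }
    [pscustomobject]@{
        User      = $_
        Active    = $info['Account active']
        PwdSet    = $info['Password last set']
        LastLogon = $info['Last logon']
        Findings  = (Test-PrivilegedAccount -Info $info) -join '; '
    }
} | Format-Table -Wrap -AutoSize
```

The output is one row per privileged account with the same four fields you would read off the screen, plus a Findings column that tells you which of them need attention. Because net group only shows direct members, any nested groups inside Domain Admins still have to be expanded by hand (or added to $CriticalGroups), and because Last logon is read from a single domain controller, treat "never logged on" as a prompt to check the other controllers rather than as proof.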
Thanks for reading, I hope you enjoyed it!
If you liked it, please follow me and have a look at my other posts: @victorier