Follow

What is the best practice for managing override groups?

In addition to the Override Password, the AuthAnvil Windows Logon Agents offer another mechanism for controlling which users need two-factor authentication to log onto the system; the Override Group. The Override Group is either an Active Directory or a local group that is defined on a per-machine basis. The members of this group are allowed to log on without providing an AuthAnvil passcode. This means that you can use different groups for every machine if you want to. One thing to keep in mind is that if a machine is domain joined, it will use an Active Directory group, otherwise, it will use a local group. This is to prevent someone with local admin access from defining a local override group on a domain joined system and creating themselves a back door into the network. Also, Override Group members must be direct members, no group nesting allowed!

One common usage of Override Groups is to provide an outside user temporary access to a system. Most commonly, if a vendor or contractor needs to do some work on a recurring but sporadic basis, and you don’t want to issue them a token, their user account can be added to the override group during the times that they need access to the network. This way, you can allow them temporary, recurring access to the network, without having to issue them a token or give out the override password, as well as having logging information from every time they access a system.

Like Override Passwords, Override Groups provide an audit trail, writing event ID 7 to the Application event log any time a member logs in. This can be monitored either by your favorite RMM tool, or by triggering an action every time the event happens in Windows Server 2008 or later. This way you’ll know every time a member has logged in.

Today’s best practice is: use Override Groups to effectively manage who can log on without a token. Monitor their use, membership changes and tampering with the Logon Agent using our management packs for your favorite RMM tool, such asKaseya or LabTech.

If you don’t have an RMM tool available, or are using one that we haven’t built a management pack for yet, you can audit changes to the security group by:

    1. Enable Security Auditing. A screencast on configuring security auditing can be found at:http://silverstr.ufies.org/AccountAuditing/AccountAuditing.htm.
    2. Watch the event log for the group member added and group member removed events for your override group.

Windows Server 2003

Event Source Event ID Event Type Quick Description
Security 632 Success Audit Global Group Member Added
Security 633 Success Audit Global Group Member Removed
Security 636 Success Audit Local Group Member Added
Security 637 Success Audit Local Group Member Removed
Security 660 Success Audit Universal Group Member Added
Security 661 Success Audit Universal Group Member Removed

Windows Server 2008 and later

Event Source Event ID Event Type Quick Description
Microsoft Windows security auditing. 4728 Success Audit Global Group Member Added
Microsoft Windows security auditing. 4729 Success Audit Global Group Member Removed
Microsoft Windows security auditing. 4732 Success Audit Local Group Member Added
Microsoft Windows security auditing. 4733 Success Audit Local Group Member Removed
Microsoft Windows security auditing. 4756 Success Audit Universal Group Member Added
Microsoft Windows security auditing. 4757 Success Audit Universal Group Member Removed

Make good use of override groups, they’re a powerful tool, and can save you quite a bit of hassle. 

 

Questions?

If you have any questions or need some help, we would be happy to assist. Open a case at help.scorpionsoft.com or send an email to support@scorpionsoft.com.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments

Powered by Zendesk